Installation Instructions

ManualsBrandsExtreme Networks ManualsComputers & AccessoriesCLOUD-MANAGED NETWORK ACCESS CONTROL (NAC)

131

132

133

134

135

136

137

138

139

140

Table Of Contents

A3 Installation and Usage Guide
No Registration VLAN Version
Table of Contents
Introduction
- Overview
- Major Features of A3
Deployment Modes
- Overview
- Layer 2 Hybrid Out-of-Band Deployment
- Layer 3 Across a Routed Network
- Layer 3 Hybrid Out-of-Band Deployment
- Inline Deployment
Enforcement Modes
- Firewall Enforcement
- WebAuth Enforcement
- RADIUS Enforcement
- WebAuth (ACL) Enforcement
Installation
- Equipment Requirements
  - VMware VSphere Hypervisor
  - Microsoft Windows Server 2019
- Extreme Networks Requirements
- Download the Software
- A3 Installation on VMware ESXi
  - Network Interfaces
  - Instantiation
- A3 Installation on Windows Server 2019 Hyper-V
  - Network Interfaces
  - A3 must be attached to an “External” type of virtual switch. An external virtual switch binds to the physical network adapter so that the virtual machine can access a physical network.Installation
Network Topology
- Connectivity and Security
- Enforcement Devices
- Infrastructure Devices
- Layer 3 Topology
Clustering
- Cluster Installation
- Cluster Operation
- Restarting Services
- Graceful Shutdown and Restart
- Cluster Backup and Recovery
Table of Addresses and VLANs
- Network Implementation
Initial A3 Configuration
- Setup IP Addresses
- Domain and Time Zone
- Alerting
- Change Admin Password
- A3 Server Certificate
ExtremeCloud IQ Setup
- MAC Authentication
- 802.1X Authentication
Authentication Methods
- External Authentication Sources
- Internal Authentication Sources
- Exclusive Authentication Sources
- Billing Authentication Sources
- 802.1X
- EAP and X.509 Certificates
  - EAP Methods
- Social Login Authentication Technology
A3 Configuration Flow
- Overview
- Guest Access Configuration Example
  - ExtremeCloud IQ Configuration
  - A3 Configuration
- 802.1X Configuration Example
  - ExtremeCloud IQ Configuration
  - A3 Configuration
Certificates and PKI
- Overview
  - Public and Private Keys
  - Public Key Infrastructure
- A3 Certificate Usage
Portal Modules
- Connection Profile Settings
- Type of Portal Modules
  - Source by Options
  - Templates
- Example 1: Reorder Choices
- Example 2: Two Factor Authentication
Security Events and Scan Engines
- Fingerbank
- Scan Engines
- Security Events
  - Event Triggers
  - Event Actions
- Built-in and Sample Events
Provisioning
- Mobile Device Managers
Firewall Integration
- Barracuda
  - A3 Configuration
  - Verification
- Checkpoint
  - Setting up the Checkpoint Firewall
  - A3 Configuration
- FortiGate
  - Setting up FortiGate Firewall
  - A3 Configuration
- JSON-RPC
  - A3 Configuration
- Palo Alto
Use Case 1: Guest Access with Captive Web Portal
- Roles
- Authentication Sources
- Devices
- Connection Profile
- Testing
  - SMS Test
  - Use Case 1 Complete
Use Case 2: Active Directory Authentication
- Active Directory Domain Join
- Roles
- Authentication Sources
- Devices
- Connection Profile
- Testing Active Directory
Use Case 3: Local User Authentication
- User Manager
- Local User Authentication
- Create a Local User
- Testing Local User Authentication
  - Use Case 3 Example Complete
Use Case 4: Sponsored Access
- Authentication Sources
  - Active Directory Source
  - Sponsor Source
- Connection Profile
- Testing Sponsored Access
  - Verifying Operation
  - Use Case 4 Example Complete
Use Case 5: EAP-TLS Authentication
- EAP-TLS Authentication Source
- Connection Profile
  - Corporate Profile
  - Guest Profile
- Testing EAP-TLS
  - Use Case 5 Example Complete
Use Case 6: Guest Access with External Captive Web Portal
- ExtremeCloud IQ Configuration
  - Network Policy
- A3 Configuration
  - Devices
  - Connection Profile
- Testing E-CWP Access
  - Null Authentication Test
  - Use Case 6 Complete
Use Case 7: Headless IoT Devices
- Automatic Registration Security Event
- Manual Use of Security Event
  - Use Case 7 Complete
Use Case 8: Eduroam
- Overview
- ExtremeCloud IQ Configuration
- A3 Configuration
Advanced Topics
- Best Deployment Practices
- Administrative Access
- Creating Dynamic Reports
  - Examples
    - View of the authentication log
    - View of opened security events
- Performance Enhancements
A3 Troubleshooting
- Administration
- The Auditing Tab
- Getting Started
  - Clients Don’t See Captive Web Portal
    - Basic Issues
    - VLAN Setup is Incorrect
- Authentication Issues
- Post-Authentication Issues
  - Clients Assigned to Incorrect Role
  - Authenticated Clients Can’t Access Internet or Local Sites
- Cluster Problems
Glossary
Index

Administrative Access Advanced Topics

Part Number: A3 Installation and Usage Guide Community 132

Paravirtualization

Under certain heavy I/O load from multiple VMs, paravirtualization can cause A3 VMs to

slow by a factor of 20%. Beneficially, however, paravirtualization improves stability and

performance reliability and linearity.

Snapshots

VM snapshots affect the performance of running VMs. Copy-on-write snapshots have a

further detrimental affect, since two disk accesses are performed for each application

write operation. It is desirable, therefore, to disable snapshotting of A3 VMs.

If snapshots are used, only VM disks should be snapshot and not the RAM. Memory

snapshots will introduce extended latency in A3 operation.

Administrative Access

Although a single administrator is defined at A3 installation, lesser administrative access

can be given to other A3 administrators. The admin access roles are used in

Authentication Sources under Administrative Rules. See the example below; a larger scale

example is included in Use Case 3: Local User Authentication.

1. Navigate to Configuration > System Configuration > Admin Access.

2. The built-in roles are listed below. These can be used as-is:

• ALL: provides the user with all the admin roles without any exception

• ALL_PF_ONLY: provides the user with all the admin roles related to the A3

deployment (excludes switch login rights)

• Node Manager: provides the user the ability to manage the nodes

• User Manager: provides the user the ability to manage other users

• Security Event Manager: provides the user the ability to manage the security

events (trigger, open, close) for the nodes

3. Otherwise a new role can be defined, select .

4. Fill in the form as per the following table:

Creating Dynamic Reports

Using the /usr/local/pf/conf/report.conf configuration file, you can define reports that

create SQL queries to view tables in the A3 database. These reports will appear under the

Reports > Dynamic Reports menu of the A3 GUI.

Field Usage Example

Name Name for the type of administrator, not the

name of the administrator.

User admin

Description A further description Can administer user

entries

Actions Which actions this type of admin can perform. Select all the actions

under Users.