Scribd
Upload
425 views42 pages

ExtremeControl With WiNG 5.8

How to use ExtremeControl with Wing software

Uploaded by

manelnabo
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
425 views42 pages

ExtremeControl With WiNG 5.8

How to use ExtremeControl with Wing software

Uploaded by

manelnabo
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 42

ExtremeControl with ExtremeWireless WiNG

Abstract: This document covers implementation of ExtremeWireless WiNG in ExtremeControl.


The enforcement to the wireless controller is done via Wireless Client Roles that are
dynamically applied on the wireless controller after a Filter-ID is returned from Access Control.
The Wireless Client Role can enforce Application Rules, IPv6 Rules, IPv4 Rules, and MAC
Rules. Web redirection is done via a custom RADIUS attribute that sends the redirection URL.
Note that this guide only provides guidance on the configuration of the wireless controller to
integrate with Access Control and does not cover implementation of Access Control
functionalities.

Published: November 2016

Extreme Networks, Inc.


145 Rio Robles
San Jose, California 95134
Phone / +1 408.579.2800
Toll-free / +1 888.257.3000
www.extremenetworks.com

©2016 Extreme Networks, Inc. All rights reserved.


Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All
other names are the property of their respective owners. All other registered trademarks, trademarks, and service marks are property of their respective owners. For
additional information on Extreme Networks trademarks, see www.extremenetworks.com/company/legal/trademarks.
ExtremeControl with ExtremeWireless WiNG 5.8

Contents

Pre-Requisites and Limitations ........................................................................................... 3


Overview ............................................................................................................................... 3
Part 1 – Configuring the Wireless Controller to Authenticate to Access Control ............ 5
Step 1 – Configure SNMP .......................................................................................................................... 5
Step 2 – Configure RADIUS ....................................................................................................................... 7
Step 3 – Configure Roles and Firewall Rules ............................................................................................ 11
Application Policies ............................................................................................................................. 11
IPv4 Firewall Policies .......................................................................................................................... 13
Wireless Client Role ............................................................................................................................ 14
Assign the Roles Profiles .................................................................................................................... 18

Step 4 – Captive Portal Configuration........................................................................................................ 19


Step 5 – Create the Wireless Networks ..................................................................................................... 23
Part 2 – Configuring ExtremeControl .................................................................................. 27
Step 1 – Create an SNMP Profile for WiNG .............................................................................................. 27
Step 2 – Add the Wireless Controller to ExtremeControl.......................................................................... 29
Step 3 – Configure Rules, Roles and Policy Mappings ............................................................................ 32
Part 3 – Validation ................................................................................................................ 35
Appendix A: Creating RFC 3576 Configurations ................................................................ 38
Revision History ................................................................................................................... 42

Initial

© Extreme Networks, Inc. All rights reserved. 2


ExtremeControl with ExtremeWireless WiNG 5.8

Pre-Requisites and Limitations


 Extreme ExtremeManagement 7.0.5.12 or later.
 Extreme Access Control 7.0.5.12 or later.
 WiNG Firmware version 5.8.4.0-34R or later. A fully licensed controller with an
Advanced Security license should be used. A VX9000-DEMO will not work.
 There is currently no common wired and wireless policy management with
ExtremeWireless WiNG. User access is manually created on the wireless controller.
 ExtremeAnalytics can be configured in an Overlay mode on a network that runs
ExtremeWireless WiNG. There is currently no integrated mode available on WiNG.
 ExtremeManagement does not currently provide heat maps, location, or area based
access control when using ExtremeWireless WiNG.
 ExtremeManagement does not currently report wireless RF stats, or MU History
reporting when using ExtremeWireless WiNG

Overview
This section provides a brief overview of the traffic flow and RADIUS authentication. The
figure below shows the components in use and how authentication flows through the
solution.

Figure 1. Authentication Packet Flow

© Extreme Networks, Inc. All rights reserved. 3


ExtremeControl with ExtremeWireless WiNG 5.8

1. As the device connects to the wireless SSID, either MAC-based authentication or


802.1X authentication will occur.
2. The wireless controller will send a RADIUS request destined to the Access Control
Engine for authentication.
3. The Access Control Engine will authenticate the RADIUS request per its
configuration. It will pass back RADIUS attributes that the wireless controller can
interpret.
4. The wireless controller will match the attributes to a Wireless Client Role and enforce
the corresponding Firewall rules or application policies.

Note
In addition to the steps created in this guide, it is also recommended to have IP helper addresses
pointed to the Access Control Engine and SNMP Read-Only credentials configured on the router
which Access Control can query to assist with IP resolution.

© Extreme Networks, Inc. All rights reserved. 4


ExtremeControl with ExtremeWireless WiNG 5.8

Part 1 – Configuring the Wireless Controller to Authenticate


to Access Control
The configuration of the ExtremeWireless WiNG controller to authenticate to Access Control
consists of five parts.

1. Configure SNMP to manage the wireless controller.


2. Configure the RADIUS settings to authenticate against the Access Control Engine.
3. Configure the Wireless Client Roles that will be assigned from Access Control.
4. Configure the Captive Portal on the wireless controller.
5. Configure the SSID for authentication against Access Control.

Step 1 – Configure SNMP


In order for ExtremeManagement to manage a wireless controller, SNMP needs to be
configured. Ideally SNMPv3 is used due to its security and efficiency compared to SNMPv1
or SNMPv2.

SNMP configuration is accomplished by logging into the wireless controller and navigating
to Management tab under Configuration. In the Management Policy section select the
the management policy in use and select Edit:

© Extreme Networks, Inc. All rights reserved. 5


ExtremeControl with ExtremeWireless WiNG 5.8

In the management policy, select the SNMP tab. Ensure that SNMPv3 is enabled. Then
select the SNMPv3 Users and verify the settings so that they can be used when configuring
Access Control. If desired, change the password from the default, Once complete, if any
changes were made, select OK followed by a Commit.

© Extreme Networks, Inc. All rights reserved. 6


ExtremeControl with ExtremeWireless WiNG 5.8

Step 2 – Configure RADIUS


In order for the wireless controller to authenticate against Access Control, the Access
Control Engine needs to be configured as a RADIUS server in the wireless controller with
some specific settings enabled. To accomplish this, navigate to the Network tab under
Configuration. Then select the AAA Policy section. Select the Add button to create a new
AAA policy. Name the new policy and select Continue.

In the RADIUS Authentication tab, select the Add button to create a new RADIUS Server.

© Extreme Networks, Inc. All rights reserved. 7


ExtremeControl with ExtremeWireless WiNG 5.8

In the Authentication Server window, use the following settings in addition to the defaults
that are populated. Select OK and then Exit when the settings are complete.

 Host: <Access Control Engine IP Address>

 Secret: ETS_TAG_SHARED_SECRET

 Request Proxy Mode: Through Wireless Controller

© Extreme Networks, Inc. All rights reserved. 8


ExtremeControl with ExtremeWireless WiNG 5.8

Select the RADIUS Accounting tab and add a RADIUS Accounting Server. Use the default
settings with the exception for the Host IP, Secret, and Request Proxy Mode as with the
Authentication Server. Select OK and Exit when the settings are complete.

© Extreme Networks, Inc. All rights reserved. 9


ExtremeControl with ExtremeWireless WiNG 5.8

Finally, select the Settings tab of the AAA policy. In this screen, a few items need to be
adjusted. Once completed, select the OK button followed by Exit and then Commit.

 In the RADIUS Accounting section, change the Accounting Packet Type to


Start/Interim/Stop.
 In the RADIUS Address Format section, change Attributes to All.
 In the Access Request Attributes section, enable the Cisco VSA Audit Session Id
option and the Add Framed IP Address option.

Once completed, select the OK button followed by Exit and then Commit.

© Extreme Networks, Inc. All rights reserved. 10


ExtremeControl with ExtremeWireless WiNG 5.8

Step 3 – Configure Roles and Firewall Rules


Differing levels of access to users and devices can be assigned based on a rules engine
running on Access Control. These levels of access are defined by Wireless Client Roles in
the wireless controller. The Roles allow for a mapping of a VLAN ID, Application Policies,
IPv6 Firewall Rules, IPv4 Firewall Rules, and MAC-Based Firewall Rules. For the purposes
of this document, Application Policies and IPv4 Firewall rules will be shown.

Application Policies
An application policy can be created to control layer 7 applications such as streaming video
applications, social media, and peer to peer applications. To create such policies, navigate
to the Network tab under Configuration. Then select the Application Policy section. Select
the Add button to create a new Application Policy.

© Extreme Networks, Inc. All rights reserved. 11


ExtremeControl with ExtremeWireless WiNG 5.8

Name the new application policy and create the types of Application Policy Rules that are
desired. Each Application Policy Rule can be added by creating new rows. Once the rules
are created, select OK and Exit. Commit the changes when complete.

© Extreme Networks, Inc. All rights reserved. 12


ExtremeControl with ExtremeWireless WiNG 5.8

IPv4 Firewall Policies


To create the desired IPv4 Firewall rules, navigate to the Security tab under
Configuration. Then select expand the IP Firewall tree and select the IPv4 ACL section. In
this section, IP Firewall Policies can be created for use in the Wireless Client Roles. To
create a new policy, select the Add button.

In the new IP Firewall Policy, assign a name that can be used for the Wireless Client Role.
Create individual ACL rules that will be assigned to match the desired level of access. The
rules can be re-ordered with drag-and-drop if desired. Once complete, select the OK button
followed by Exit. Then select the Commit button.

© Extreme Networks, Inc. All rights reserved. 13


ExtremeControl with ExtremeWireless WiNG 5.8

Note

Currently a bug exists in WiNG 5.8.4 where the IP Firewall Policy can be created that contains a
space but If it does contain a space, the firewall policy will not be applied. This is targeted to be
fixed in WiNG 5.8.6.

Wireless Client Role


To create the role that will be assigned by Access Control, navigate to the Security tab
under Configuration. Then select the Wireless Client Roles section. In this section, role
policies can be created. In most networks, only one policy will be created with multiple roles
within the policy. To create a new policy, select the Add button.

Name the role policy, then press OK. Next, select the Roles tab to start creating the roles.

© Extreme Networks, Inc. All rights reserved. 14


ExtremeControl with ExtremeWireless WiNG 5.8

In the new Role, enter a name and select OK. In the Match Expressions field, change the
Group Configuration to create an Exact match of the name of the Filter-Id that will be
received from Access Control. For instance, if the Guest Access role is being sent back, the
matching configuration should match the screenshot below. Also note that for different roles,
the Role Precedence needs to be different. Once that is set, select the Firewall Rules tab
to assign the access.

© Extreme Networks, Inc. All rights reserved. 15


ExtremeControl with ExtremeWireless WiNG 5.8

In the Firewall Rules tab, the previously created Application Policy and IP ACL rules can be
be assigned as well as a VLAN override if desired. Once the firewall rules are complete,
select the OK button followed by Exit.

© Extreme Networks, Inc. All rights reserved. 16


ExtremeControl with ExtremeWireless WiNG 5.8

Repeat this process for any additional roles that need to be created. Commit the changes
once complete.

© Extreme Networks, Inc. All rights reserved. 17


ExtremeControl with ExtremeWireless WiNG 5.8

Assign the Roles Profiles


The last step to enable the Roles is to assign it to a Device or Profile. If Application Policies
are also being used the DPI engine needs to be enabled. Accomplish this by navigating to
the Profiles tab under Configuration. Select the Profile that needs to be modified and
expand the Security section of the profile. In the Settings section, select the Wireless
Client Role that was created from the dropdown list. Select OK to save the setting then
select the Application Visibility (AVC) section.

In the Application Visibilty (AVC) section, enable the checkbox for Enable dpi and select
OK followed by Exit and

© Extreme Networks, Inc. All rights reserved. 18


ExtremeControl with ExtremeWireless WiNG 5.8

Step 4 – Captive Portal Configuration


ExtremeWireless WiNG can use a centralized external captive portal for authentication and
registration. The captive portal configuration also needs to include a DNS whitelist of
websites that a client is allowed to go to while still in the captive state. The captive portal
URL is dynamically assigned from Access Control via a RADIUS attribute when a client
needs to be redirected.

To create the captive portal configuration, select the Services section of Configuration.
Then select the Captive Portals section. Select Add to create a new configuration.

© Extreme Networks, Inc. All rights reserved. 19


ExtremeControl with ExtremeWireless WiNG 5.8

In the new Captive Portal policy, select Centralized Controller for the Captive Portal Server
Mode. In the Captive Portal Server Host field, specify a non-existant server host where the
web request would typically be sent. In the Access field, select No authentication required
for the Access Type. Press OK to save the new Policy.

While still in the newly created Captive Portal Policy, scroll down to DNS Whitelist and
select the Add button.

© Extreme Networks, Inc. All rights reserved. 20


ExtremeControl with ExtremeWireless WiNG 5.8

Create entries in the DNS whitelist for both the IP address and hostname of the Access
Control Engines used on the network. Once added, select the OK and Exit buttons.

In the Captive Portal Policy, select the newly created DNS Whitelist from the dropdown
menu and then select OK followed by Commit.

© Extreme Networks, Inc. All rights reserved. 21


ExtremeControl with ExtremeWireless WiNG 5.8

The final step is to assign the new Captive Portal policy to the Device Profiles in use. To do
this, select the Profiles tab under Configuration and then navigate to the profile to be
modified. Select the Services tab of the profile and then select the checkbox next to the new
Captive Portal Policy. Once complete, select the OK button followed by Commit.

© Extreme Networks, Inc. All rights reserved. 22


ExtremeControl with ExtremeWireless WiNG 5.8

Step 5 – Create the Wireless Networks


The last part of the configuration of the wireless controller is the mapping of all of the
settings to a wireless network. Navigate to the Wireless tab of Configuration and select
the Wireless LANs section. Select the Add button to create a new wireless network.

In the new WLAN screen, create the basic configurations required such as the SSID name,
Bridging Mode and VLAN Assignment. Then enable the Allow RADIUS Override
checkbox and select the OK button.

© Extreme Networks, Inc. All rights reserved. 23


ExtremeControl with ExtremeWireless WiNG 5.8

Next, navigate to the Security section of the WLAN. If using 802.1X select EAP. Otherwise,
select MAC for the authentication type. Once the authentication type is set, select the AAA
Policy that was created from the drop down list. Next, select the checkboxes next to
Captive Portal Enable and Captive Portal if Primary Authentication Fails. From the
Captive Portal Policy drop down list select the previously created Captive Portal Policy. If
the encryption methods need to be set for the SSID type, scroll further down the page and
select the appropriate settings for the type of SSID. Select the OK button to continue.

Next, select the Accounting section of the WLAN. Select the checkbox for Enable RADIUS
Accounting and ensure that the AAA Policy previously created is selected. Select the OK
button to continue.

© Extreme Networks, Inc. All rights reserved. 24


ExtremeControl with ExtremeWireless WiNG 5.8

The last configuration step for the WLAN is in the Advanced section. Select the checkbox
next to RADIUS Dynamic Authorization and then select OK followed by Exit. Then
Commit the configuration.

The last configuration step for the Wireless Network is to assign it to the AP Radios.
Navigate to the appropriate Profile and expand the Interface section to select the Radio.
Select a radio and then the Edit button.

© Extreme Networks, Inc. All rights reserved. 25


ExtremeControl with ExtremeWireless WiNG 5.8

In the Radios window, select the WLAN Mapping / Mesh Mapping tab. Select the newly
created WLAN and then the arrow to map it to the radio. Select the OK button followed by
Exit and repeat the process for any additional radios.

© Extreme Networks, Inc. All rights reserved. 26


ExtremeControl with ExtremeWireless WiNG 5.8

Part 2 – Configuring ExtremeControl


In this section, the WiNG wireless controller will be added to Extreme Access Control as a
switch so that clients can be authenticated and controlled.

Note
This section assumes that the Access Control Engine is already configured and added to Access
Control. It also assumes that Guest Registration is already enabled.

Step 1 – Create an SNMP Profile for WiNG


In ExtremeManagement, select the Profiles tab under Administration. Select the Add
button for SNMP Credentials. Create new SNMP credentials that correlate with the
credentials configured in the wireless controller.

© Extreme Networks, Inc. All rights reserved. 27


ExtremeControl with ExtremeWireless WiNG 5.8

Next, select CLI Credentials in the Profiles tab and create a new CLI configuration to access
the WiNG Controller in the event that scripts are used in ExtremeManagement. If no scripts
are going to be used, this step can be skipped.

With the SNMP Credentials and CLI Credentials configured, create a Profile to map them
together. Ensure that the SNMP settings are configured for AuthPriv for the SNMP Read,
Write, and Max Access.

© Extreme Networks, Inc. All rights reserved. 28


ExtremeControl with ExtremeWireless WiNG 5.8

Step 2 – Add the Wireless Controller to ExtremeControl


Select the Access Control tab of Control followed by the Default Access Control Engine
Group. In the group configuration, select the Switches tab and then select the Add
Switches button.

In the Add Switches dialog, if the wireless controller hasn’t been added to
ExtremeManagement yet, select the Add Device button to add the IP address of the
wireless controller and the SNMP Profile to use for communication.

© Extreme Networks, Inc. All rights reserved. 29


ExtremeControl with ExtremeWireless WiNG 5.8

Once the wireless controller is added to ExtremeManagement, select the wireless controller
from the device list. Some configurations of the dialog are automatically populated. Select
the Access Control Engine from the Primary Engine drop down list. If there is more than
one Access Control Engine, do the same for the Secondary Engine. Set the RADIUS
Attributes to Send to Filter-Id & Custom Attribute and then set the Policy Domain to Do
Not Set.

Due to a bug in ExtremeManagement 7.0.5, the RADIUS Accounting setting cannot be


configured if the device is set to Manual RADIUS Configuration. To work around this,
temporarily, set the Auth. Access Type to Network Access to make the RADIUS
Accounting field editable. Enable the RADIUS Accounting setting.

© Extreme Networks, Inc. All rights reserved. 30


ExtremeControl with ExtremeWireless WiNG 5.8

Once RADIUS Accounting is enabled, change the Auth. Access Type back to Manual
RADIUS Configuration then select the Advanced Settings button.

In the Advanced Switch Settings dialog, the Reauthentication Type must be modified.
From the drop down list select RFC3576 - ExtremeWireless WiNG. If the setting is not
currently available, see Appendix A to create the Reauthentication Configuration.

© Extreme Networks, Inc. All rights reserved. 31


ExtremeControl with ExtremeWireless WiNG 5.8

The final settings should look similar to the below image. Once complete, press the Save
button.

Step 3 – Configure Rules, Roles and Policy Mappings


The last step to configuring ExtremeControl is to create and modify the Accept Policies for
various Rules. Since ExtemeWireless WiNG controllers use a Filter-ID to pass back
Wireless Client roles, most of the configuration is already done. However, for roles that
require redirection to the captive portal, an additional VSA must be added. This will typically
be used in the Unregistered Role, Quarantine Role and Assessing Role. This example
shown will be for the Unregistered Role, however it can be re-used for any role that needs
redirection.

© Extreme Networks, Inc. All rights reserved. 32


ExtremeControl with ExtremeWireless WiNG 5.8

Select the Rules section in the Access Control Configuration. Find the Unregistered rule
and then select the Unregistered Accept policy.

In the Edit Policy Mapping dialog, there is a field available for Custom 1. The following
attribute format should be used to instruct the controller to redirect to the Access Control
Engine:

 Custom 1: cisco-avpair=url-redirect=http://<AccessControlEngineIP>:80/main

For example, if the Access Control Engine IP address is 10.120.85.81, the attribute is:

 Custom 1: cisco-avpair=url-redirect=http://10.120.85.81:80/main

If HTTPS and a fully qualified domain name are used on the Access Control Engine, the
attribute is:

 Custom 1: cisco-avpair=url-redirect=https://eac-engine-poc.cse.ets.com:443/main

© Extreme Networks, Inc. All rights reserved. 33


ExtremeControl with ExtremeWireless WiNG 5.8

Once the configuration for each Accept Policy is complete, Enforce to the Access Control
Engines.

© Extreme Networks, Inc. All rights reserved. 34


ExtremeControl with ExtremeWireless WiNG 5.8

Part 3 – Validation
Validation of the configuration is completed by connecting a device to the SSID that was
created and verifying that network connectivity is established. Opening a web page on the
client should redirect to the captive portal provided by the Access Control Engine. Once the
registration is complete and the user selects the Complete Registration button, the user
will be seamlessly moved to a new role.

© Extreme Networks, Inc. All rights reserved. 35


ExtremeControl with ExtremeWireless WiNG 5.8

When looking at ExtremeControl, the end system information should also be populated with
detailed end system information.

When looking at the End-System Details for a device that has not yet gone through
registration, the RADIUS attributes that were configured should be shown.

© Extreme Networks, Inc. All rights reserved. 36


ExtremeControl with ExtremeWireless WiNG 5.8

In the End System Events for the device, the audit trail of the states and access assigned
will be shown.

In the wireless controller, the role application can be verified by locating the wireless client
and selecting the Details. The role will be displayed in the window.

© Extreme Networks, Inc. All rights reserved. 37


ExtremeControl with ExtremeWireless WiNG 5.8

Appendix A: Creating RFC 3576 Configurations


In the case where the RFC 3576 reauthentication configuration is not available, it will need
to be manually created via the NAC Manager java client. To open the client, navigate to the
Legacy section of the Control tab and select NAC Manager.

Once in NAC Manager, right-click on the All Access Control Engines group and select
Appliance Settings  Reauthentication.

© Extreme Networks, Inc. All rights reserved. 38


ExtremeControl with ExtremeWireless WiNG 5.8

Select the Add button to create a new Switch Reauthentication Configuration.

In the new Switch Reauthentication Configuration window, select Manage RFC 3576
Configurations.

© Extreme Networks, Inc. All rights reserved. 39


ExtremeControl with ExtremeWireless WiNG 5.8

Select the Add button to create a new RFC 3576 Configuration.

Use the following settings in the new RFC 3576 Configuration and then press OK to save
the configuration.

Configuration Name: ExtremeWireless WiNG


MAC Format: XX-XX-XX-XX-XX-XX
Destination Port: 3799
Supports CoA: Disabled

Note
Due to a bug in the current WiNG 5.8.4, CoA cannot be used to seamlessly transition the user
between states. Instead, the Supports Change of Authorization checkbox should be disabled so
that Disconnect Messages are used. This is targeted to be fixed in WiNG 5.8.6.

Additional Attributes

Acct-Session-Id: Enabled
Custom Attributes: Cisco Wired Reauthenticate Host

© Extreme Networks, Inc. All rights reserved. 40


ExtremeControl with ExtremeWireless WiNG 5.8

Press OK to save the RFC 3576 Configurations. If the sysObjectId of the wireless controller
is known, it can be mapped to the reauthentication configuration in the window below.
Otherwise select Cancel and the configuration can be statically mapped in the Advanced
Settings of the Add Switch dialog when adding the wireless controller to Access Control.
Enforce the configuration once complete.

© Extreme Networks, Inc. All rights reserved. 41


ExtremeControl with ExtremeWireless WiNG 5.8

Revision History

Date Revision Changes Made Author


11/1/16 1.0 Initial Release T. Marcotte

11/18/16 1.1 Minor edit regarding CoA. T. Marcotte

© Extreme Networks, Inc. All rights reserved. 42

You might also like