The figure below illustrates the general layout and suggested configuration order of
ExtremeCloud IQ and A3 elements.
Either five or seven steps are required to configure ExtremeCloud IQ and A3 for authentication. You will
need to perform seven steps if AD (Active Directory) lookups are required, and you
may also need to configure other devices. Use the following steps:
- ExtremeCloud IQ Network Policy: define the network SSID and the actions to be performed based on A3 role identification.
- A3 Roles: define distinct role names for categorizing clients.
- A3 Domains: define A3 domains only when you need AD or LDAP domains to identify users. Domains and domain controllers are identified in this step.
- A3 Realms: define realms to dictate which network regions apply.
- A3 Authentication Sources: define the ways in which users are authenticated and assigned to roles.
- A3 Devices: define the manner in which access points and switches will receive A3 information.
- A3 Connection Profiles: tie ExtremeCloud IQ network policy to authentication sources.
Guest Access Configuration Example
This example uses an Extreme Networks AP connected to an A3 server to allow guest access.
When used in a configuration that uses a registration VLAN (see Deployment Modes), guest access uses a connection to VLAN 10 in the internal network. When used in
a non-registration VLAN configuration, guest access allows access to the internet,
but not to internal networks. The four authentication methods in this example are
supported by the captive web portal hosted on the A3 server:
- Null (no user authentication; presents the user with an Acceptable Use Policy)
- SMS message
- Email message
- Google authentication (only available when used with a registration VLAN)
Using a Registration VLAN
The configured elements are pictured below.
The colors in this illustration correlate configured items. Text on a colored
background designates configured items that are used in multiple elements. Black
text indicates a setting name.
Using Firewall Rules
The configured elements are pictured below.
ExtremeCloud IQ Configuration
Configure the following AP SSID items for this example in ExtremeCloud IQ:
- MAC Authentication: clients are authorized based on their MAC address.
- User Access Settings:
  - Registration VLAN: specifies that when the AP receives the guest RADIUS attribute from A3, it will connect the client to VLAN 10. A default user profile (not shown in the illustration) ensures that the client remains in the registration VLAN until moved by authentication or security events.
  - No registration VLAN: a default user profile is defined that limits access by guests during the registration process using firewall rules. A guest user profile specifies that when the access point receives the guest RADIUS attribute from A3, it will connect the client to the internet, but not to any internal networks.
A3 Configuration
Four elements are required for this guest access scenario:
- Roles: the names of roles that clients will assume, in this case the A3GuestRole.
- Authentication sources: the authentication sources used in this example are null, sms, email, and Google (registration VLAN only). Each source has a set of authentication rules that indicate the conditions under which the authentication succeeds and what actions to perform when it does. In this example, the client satisfies authentication through the captive web portal; no conditions are set in the authentication source. All four sources have the same action: to assign the A3GuestRole to the client. The role is used in the Devices element.
- Devices: the device configuration ties the roles to the RADIUS attribute that is returned. The IP address of the AP indicates which device is to be contacted with the role assignment. To map the A3GuestRole to the guest RADIUS attribute, Role by Device Role is used.
- Connection Profiles: the connection profile establishes a correspondence between the AP SSID and the authentication sources that can be used within that SSID.
802.1X Configuration Example
This role-based access example uses an Extreme Networks AP connected to an A3 server, which is in turn connected to an AD server. User credentials are matched against AD entries. Clients whose users are in the Sales group are attached to VLAN 10 in the internal network, and those in the Marketing group are attached to VLAN 8. The configured elements are pictured below.
The colors in this illustration correlate configured items. Text on a colored
background designates configured items that are used in multiple elements. Black
text indicates a setting name, and red text indicates an element name that is not
used elsewhere.
ExtremeCloud IQ Configuration
Configure the following AP-related items for this example:
- Enterprise Authentication: clients are authorized using 802.1X with EAP. Certificates and shared secrets have been omitted from this example.
- User Access Settings: these settings specify that when the AP receives the sales RADIUS attribute from A3, it connects the client to VLAN 10. Similarly, the mktg attribute is mapped to VLAN 8. A default user profile (not shown in this illustration) ensures that the client remains in the registration VLAN until moved by either authentication or security events.
A3 Configuration
Configure the following five elements for this user access example:
- Roles: define the role names that clients will assume, in this case A3SalesRole and A3MktgRole.
- Domain: define an AD domain named MyDomain. Map two realms (null and default) to this domain.
- Authentication Source: configure a single, local AD source named LocalADSource. This source is associated with the Local AD server through associated realms. Configure two authentication rules to locate the client's credentials in the CN=Sales or CN=Marketing section of the CN=Users tree in AD. In both cases, the action associated with the authentication rules assigns the A3SalesRole and A3MktgRole, respectively.
- Devices: configure devices to tie the roles to the RADIUS attribute returned to each device, based on the IP address of each device. Select Role by Device Role to map the A3SalesRole to the sales RADIUS attribute and the A3MktgRole to the mktg attribute.
- Connection Profile: configure a connection profile to create a correspondence between the AP SSID and the authentication sources that can be used within that SSID.
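The decision chain that both the guest example and the 802.1X example above describe (authentication source or AD rule, then A3 role, then the RADIUS attribute value returned by the Devices element, then the VLAN or user profile the AP applies) is modelled in the following Python script. This is an added example written for this page; it is not A3 or ExtremeCloud IQ code and does not talk to either product. The role names, attribute labels (guest, sales, mktg), AD containers and VLAN numbers are the ones the page states; the RADIUS attribute that actually carries those labels is not named on the page, so the mapping tables, the `Decision` structure and the DN matching rule are constructed stand-ins. The point the model makes is the fallback behaviour: a user whose AD container matches no rule, or a guest who has not completed the portal, gets no attribute and therefore stays in the default user profile (registration VLAN or firewall-limited access).

```python
"""Constructed model of the A3 -> ExtremeCloud IQ role/attribute/VLAN chain.

Not product code: it mirrors the configuration elements described on this
page so that the fallback cases can be checked.
"""
from dataclasses import dataclass
from typing import Optional

# --- A3 side -------------------------------------------------------------

# Devices element (Role by Device Role): A3 role -> attribute value returned.
# The attribute labels are the page's; the carrying RADIUS attribute is assumed.
ROLE_TO_RADIUS_VALUE = {
    "A3GuestRole": "guest",
    "A3SalesRole": "sales",
    "A3MktgRole": "mktg",
}

# 802.1X authentication rules on LocalADSource: the AD container directly
# above the user's own RDN must be CN=Sales,CN=Users or CN=Marketing,CN=Users.
AD_CONTAINER_TO_ROLE = {
    ("CN=Sales", "CN=Users"): "A3SalesRole",
    ("CN=Marketing", "CN=Users"): "A3MktgRole",
}

# Guest authentication sources; Google is only offered with a registration VLAN.
GUEST_SOURCES = {"null", "sms", "email", "google"}
REGISTRATION_VLAN_ONLY_SOURCES = {"google"}

# --- ExtremeCloud IQ side (User Access Settings) -------------------------

VALUE_TO_VLAN = {"guest": 10, "sales": 10, "mktg": 8}


@dataclass(frozen=True)
class Decision:
    """Outcome for one client. vlan=None means no attribute was returned and
    the client stays in the default user profile (registration VLAN or
    firewall-limited access)."""
    role: Optional[str]
    radius_value: Optional[str]
    vlan: Optional[int]
    internet_only: bool = False  # guest profile in the no-registration-VLAN mode


def parse_dn(dn: str) -> list[str]:
    """Split an LDAP DN into its RDNs, dropping whitespace around commas."""
    return [part.strip() for part in dn.split(",") if part.strip()]


def match_ad_rule(user_dn: str) -> Optional[str]:
    """Return the role whose authentication rule matches the user's container."""
    rdns = parse_dn(user_dn)
    for container, role in AD_CONTAINER_TO_ROLE.items():
        n = len(container)
        # The container RDNs must sit immediately after the user's own RDN.
        if tuple(rdns[1:1 + n]) == container:
            return role
    return None  # no rule matched: no role, no attribute


def authorize_8021x(user_dn: str, credentials_ok: bool) -> Decision:
    """802.1X flow: AD credential check -> rule -> role -> attribute -> VLAN."""
    if not credentials_ok:
        return Decision(None, None, None)
    role = match_ad_rule(user_dn)
    if role is None:
        return Decision(None, None, None)  # stays in the default user profile
    value = ROLE_TO_RADIUS_VALUE[role]
    return Decision(role, value, VALUE_TO_VLAN[value])


def authorize_guest(source: str, portal_completed: bool,
                    registration_vlan_mode: bool) -> Decision:
    """Guest flow: completing the captive portal on any configured source
    assigns A3GuestRole; the AP then applies VLAN 10 or the internet-only
    guest profile depending on the deployment mode."""
    if source not in GUEST_SOURCES:
        raise ValueError(f"unknown authentication source: {source}")
    if source in REGISTRATION_VLAN_ONLY_SOURCES and not registration_vlan_mode:
        return Decision(None, None, None)  # Google is not offered in this mode
    if not portal_completed:
        return Decision(None, None, None)  # still limited by the default profile
    role = "A3GuestRole"
    value = ROLE_TO_RADIUS_VALUE[role]
    if registration_vlan_mode:
        return Decision(role, value, VALUE_TO_VLAN[value])
    return Decision(role, value, None, internet_only=True)


if __name__ == "__main__":
    # Constructed sample DNs under the MyDomain AD domain from the page.
    print(authorize_8021x("CN=Alice,CN=Sales,CN=Users,DC=MyDomain", True))
    print(authorize_8021x("CN=Eve,CN=Contractors,CN=Users,DC=MyDomain", True))
    print(authorize_guest("sms", True, True))
    print(authorize_guest("google", True, False))
```

Running the script prints a Sales user landing on VLAN 10, a user in an unlisted container receiving no role and no attribute, a guest on VLAN 10 after SMS registration, and Google registration being unavailable without a registration VLAN. A real deployment should be checked the same way: confirm that a client which matches no authentication rule does not end up with a broader profile than the default one.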