Network Devices

Two tabs are available for the definition of network devices:

Menu path: Configuration > Policies and Access Control > Network Devices.

Devices and device groups have six tabs in common:

An additional tab is present in Device Groups:

Devices

Network devices define the enforcement devices to be used and which roles will be authorized by those devices. See Configuration for a description of where network devices fit in the overall scheme. Refer to Roles for a description of A3 roles.

If an existing device has been edited, the INVALIDATE CACHE button can be used to erase any cached A3 settings that may have changed, before selecting SAVE.

Adding a Device

A device can be added to the list either through the clone icon button or the new device icon button. In the latter case, an existing device group must be selected. Device Groups make it easy to add a device by predefining the device's characteristics. When adding a new device with the New Device button, a list of the existing device groups is presented; choose default for no group, Aerohive_AP for an Extreme Networks AP, or another group that has been defined. Six tabs are used to define all device characteristics:

Definition

The fields in the Definition tab of a device entry are:

| Field | Usage | Example |
|---|---|---|
| IP Address / MAC Address / Range (CIDR) | Defines the particular device(s). Multiple devices can be defined in a single entry by using CIDR format: x.x.x.x/#. | 10.14.16.0/24 |
| Description | A description of the device. A consistent naming convention is useful when searching. | HQ-flr2-NE-AP |
| Type | The type of the device. You can choose from a long list of known devices or leave the entry with its Default (Generic) setting. | Aerohive AP |
| Mode | One of: Production (the default; normal operation with VLAN changes), Testing (log files are maintained but no VLAN changes are made), or Registration (all MAC addresses seen on the device's ports are registered, but no VLAN changes are made). | Production |
| Device Group | Select one of the existing device groups. If the selection is changed, save and re-open the device definition to see the default values from the device group. Two device groups are predefined: default (listed as None; not related to a particular device group) and Aerohive AP (characteristics associated with most Extreme Networks access points). | Aerohive AP |
| Deauthentication Method | The communications method by which the device will be deauthenticated. One of Telnet, SSH, SNMP, RADIUS, HTTP, or HTTPS. | RADIUS |
| Use CoA | If enabled (Y), a RADIUS Change of Authorization (CoA) request is sent from A3 to the access network device when a session must change state. If default, the setting from the device group will be used. If disabled (N), A3 will send a RADIUS disconnect message instead. | three-way toggle (on) |
| CLI Access Enabled | If enabled (Y), the device will be allowed to use A3 as a RADIUS server via CLI access. If default, the setting from the device group will be used. | three-way toggle (off) |
| External Portal Enforcement | If enabled (Y), A3 is used as an external portal. If default, the setting from the device group will be used. WARNING: if this option is enabled, filter_id will no longer be an option for the Role by Device Role selection. | three-way toggle (off) |
| VoIP | If enabled (Y), VoIP will be detected and handled by A3. If default, the setting from the device group will be used. | three-way toggle (off) |
| VoIPLLDPDetect | If VoIP is enabled and this option is enabled (Y), VoIP will be detected through the use of the LLDP protocol. If default, the setting from the device group will be used. | three-way toggle (on) |
| VoIPCDPDetect | If VoIP is enabled and this option is enabled (Y), VoIP will be detected through the use of the CDP protocol. If default, the setting from the device group will be used. | three-way toggle (on) |
| VoIPDHCPDetect | If VoIP is enabled and this option is enabled (Y), VoIP will be detected through the use of the DHCP protocol. If default, the setting from the device group will be used. | three-way toggle (on) |
| Dynamic Uplinks | Dynamically look up uplinks. | three-way toggle (on) |
| Uplinks | | |
| Controller IP Address | The IP address of an AP controller, to be used for deauthentication requests. | |
| Disconnect Port | The port to send RADIUS disconnect requests to if not the default port 1812. | |
| CoA Port | The port to send RADIUS CoA requests to if not the default port 1812. | |

Roles

The choices in the Roles tab relate to how A3 communicates its role enforcement intent with the enforcement device - most often an access point or switch. In each case, the defined roles are statically listed beside method-dependent values.

As an example, suppose Role by Device Role is selected and the enforcement device is an Extreme Networks AP. If the entry for the guest role is guest, then A3 sends a RADIUS message to the AP with filter_id set to guest. The AP would have previously been programmed to assign a particular VLAN to users when it receives a RADIUS filter_id attribute of guest.
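The Use CoA setting in the Definition tab and the filter_id role attribute described above both come down to RFC 5176 messages between A3 and the device. The following is an added example, not A3's own code: it builds a CoA-Request (carrying the role as Filter-Id) or a Disconnect-Request with the correct Request Authenticator, and shows how the device's ACK/NAK is verified against the shared secret. The secret, packet identifier and MAC address are constructed values, and the branch on use_coa is an assumed simplification of A3's logic.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes and the standard attribute numbers used below
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
FILTER_ID, CALLING_STATION_ID = 11, 31

def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs; the length byte includes the 2-byte header."""
    out = b""
    for atype, value in attrs:
        value = value.encode() if isinstance(value, str) else value
        if len(value) > 253:
            raise ValueError("RADIUS attribute value exceeds 253 octets")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out

def build_request(code, identifier, secret, attrs):
    """Build a CoA-Request or Disconnect-Request as the NAC server would send it."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def build_response(code, request, secret, attrs=()):
    """Device side: ACK/NAK whose Response Authenticator also covers the Request Authenticator."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body

def verify_response(packet, request, secret):
    """Accept an ACK/NAK only if identifier, length and Response Authenticator all check out."""
    if len(packet) < 20 or packet[1] != request[1] or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request[4:20] + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def session_change_request(use_coa, identifier, secret, mac, role=None):
    """Mirror the Use CoA setting: CoA-Request carrying the new role as Filter-Id when enabled,
    otherwise a plain Disconnect-Request (assumed simplification of A3's own logic)."""
    attrs = [(CALLING_STATION_ID, mac)]
    if use_coa:
        attrs.append((FILTER_ID, role))
        return build_request(COA_REQUEST, identifier, secret, attrs)
    return build_request(DISCONNECT_REQUEST, identifier, secret, attrs)
```

A device that does not answer with a verifiable ACK should be treated as not having changed the session, which is exactly the situation the INVALIDATE CACHE and mode settings above help to diagnose.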

One or more "role by" settings can be used simultaneously. The fields in the Roles tab of a device entry are:

| Field | Usage | Example |
|---|---|---|
| Role by VLAN ID | If enabled, A3 roles are enforced by VLAN assignment. For Fabric Attach devices, the VLAN ID can be defined with the syntax VLAN-ID=<VLAN ID>:ISID-NSI-ID=<ISID/NSI ID>. | slider (off) |
| Role by Device Role | If enabled, A3 roles are enforced by RADIUS role assignment. | slider (on) |
| Role by access list | If enabled, A3 roles are enforced by access list assignment. | slider (off) |
| Role by Web Auth URL | If enabled, A3 roles are enforced by access to a CWP page. | slider (off) |

RADIUS

The fields in the RADIUS tab of a device entry are:

| Field | Usage | Example |
|---|---|---|
| Secret Passphrase | The shared RADIUS secret between the device and A3. | password |

SNMP

The fields in the SNMP tab of a device entry are shown below. Depending on the SNMP version, some values may not be required:

| Field | Usage | Example |
|---|---|---|
| Version | The SNMP version in use. One of v1, v2c, or v3. | Default (1) |
| Community Read | The name of the read-only community. | public |
| Community Write | The name of the read/write community. | private |
| Engine ID | Used when remote SNMP agents are used in SNMP v3. | 0 |
| User Name Read | The name of the community used to read user names. | readUser |
| Auth Protocol Read | The protocol used to read authentication information. | MD5 |
| Auth Password Read | The name of the community used to read authentication passwords. | authpwdread |
| Priv Protocol Read | The protocol used to read privilege information. | DES |
| Priv Password Read | The name of the community used to read privilege information. | privpwdread |
| User Name Write | The name of the community used to write user name information. | writeUser |
| Auth Protocol Write | The protocol used to write authentication information. | MD5 |
| Auth Password Write | The name of the community used to write authentication passwords. | authpwdwrite |
| Priv Protocol Write | The protocol used to write privilege information. | DES |
| Priv Password Write | The name of the community used to write privilege information. | privpwdwrite |
| Version Trap | The SNMP trap version to use. One of v1, v2c, or v3. | v1 |
| Community Trap | The name of the trap community. | public |
| User Name Trap | The name of the community used to read traps. | readTrap |
| Auth Protocol Trap | The protocol used to write authentication information. | MD5 |
| Auth Password Trap | The name of the community used in authentication password traps. | authpwdread |
| Priv Protocol Trap | The protocol used in privilege information traps. | DES |
| Priv Password Trap | The name of the community used in privilege information traps. | privpwdread |
| Maximum MAC addresses | The maximum number of MAC addresses retrieved from a port. | 20 |
| Sleep interval | The sleep interval, in seconds, between queries of MAC addresses. | 2 |

CLI

This tab is used if CLI Access Enabled is checked in the Definition tab. The fields in the CLI tab of a device entry are:

| Field | Usage | Example |
|---|---|---|
| Transport | The means by which command lines are transported. One of Telnet (default) or SSH. | Telnet |
| Username | The login user name for CLI access. | root |
| Password | The password for CLI access. | password |
| Enable Password | The password used to enter privileged EXEC mode on the network device. | secret |

Web Services

This tab is used if Role by Web Auth URL is checked in the Roles tab. The fields in the Web Services tab of a device entry are:

| Field | Usage | Example |
|---|---|---|
| Transport | The means by which the web server is accessed. One of http (default) or https. | https |
| Username | The login user name for Web access. | root |
| Password | The password for Web access. | password |

Device Groups

Network device groups define the characteristics of devices, for use in defining network devices. A new group can be added with the new device group icon button.

The overview fields on the Device Groups page are:

| Field | Usage |
|---|---|
| Page number (← 1 →) | Use the left and right arrows to advance or go back a page. The "1" can be used to return to the first page of the display. |
| Table of device groups | The table of device groups is shown at the bottom of the page. The Identifier, Description, Type, and Mode are described in Adding a Device. A defined device group can be edited by selecting its identifier. Each row includes a CLONE button (starts the addition of a new device group as a copy of the row) and a DELETE button (deletes the device group entry). |
| ADD DEVICE GROUP | Adds a new device group. |
| IMPORT FROM CSV | Device groups can be imported in bulk from a comma separated values (CSV) file. A dialog box allows you to choose the file name and the particular separator used: one of comma, semicolon, colon, or tab. The ordered values in each line of that file are: Description, Device group name. The first line of the file is skipped. |

Devices and device groups have six tabs in common:

The Members tab is unique to device groups.

Members

The Members tab lists those devices that are part of this device group. An existing device can be added to the group through the use of the add new member icon button. A group member can be removed from the group by clicking the delete icon button.

Copyright © 2021 Extreme Networks. All rights reserved. Published April 2021.