
Connection Profiles

Menu path: Configuration > Policies and Access Control > Connection Profiles.

Connection profiles tie access point SSIDs together with Authentication Sources, the captive portal to be used, filters, and provisioning. The listing of connection profiles includes two unique items:

Three tabs are used to define connection profiles:

The preview icon button can be used to preview the CWP that users will see for this connection profile.

Settings

The fields on the Settings tab are:

Field: Profile Name
Usage: The name of the profile. The name can only use alphanumeric characters, dashes, periods, and underscores.
Example: Guest_registration

Field: Profile Description
Usage: An optional description of the profile.
Example: Used for visitors

Field: Enable Profile
Usage: This option is only visible when a new profile is created. Indicates whether the connection profile is to be used or not.
Example: slider on

Field: Root Portal Module
Usage: The root of the CWP display. Portal modules are listed and defined in Configuration > Advanced Access Configuration > Portal Modules (Portal Modules).
Example: Default portal policy

Field: Active Preregistration
Usage: This activates preregistration on the connection profile. Instead of applying access control to the currently connected device, a local account created during preregistration is used.
Note that this disables on-site registration for this connection profile. The authentication sources on the connection profile must have Create local account enabled.
Example: slider off

Field: Automatically Register Clients
Usage: This activates automatic registration of clients for the profile. If 802.1X authentication is used, clients will not be shown a captive portal and the RADIUS authentication credentials will be used to register the device. If the connection type is MAC authentication, the authentication source will be used to compute a role and access duration.
Example: slider off

Field: Reuse 802.1X Credentials
Usage: This option emulates single sign-on (SSO) when the captive portal is presented after a successful 802.1X connection. The 802.1X credentials are reused on the portal to match an authentication.
As a security precaution, this option will only reuse 802.1X credentials if there is an authentication source matching the provided realm. For example, if a user presents 802.1X credentials with a domain part (username@domain or domain\username), the domain part needs to be configured as a realm and an authentication source needs to be configured for that realm.
If a domain component is not used in the 802.1X credentials, only the null realm will be matched, and only if an authentication source is configured for it.
Example: slider off

Field: 802.1X Recompute Role from Portal
Usage: If enabled, A3 will not use the role initially computed on the portal, but will instead use the 802.1X (dot1x) username to recompute the role.
Example: slider on

Field: 802.1X Unset on Unmatch
Usage: If enabled, the role of the device will be unset if no authentication source returns a role.
Example: slider off

Field: Enable DPSK
Usage: This enables the Dynamic Pre-Shared Key (DPSK) feature on this connection profile. The RADIUS server will provide the PSK to use to connect to an SSID.
Example: slider off

Field: Default PSK Key
Usage: The default PSK used when Enable DPSK is set.

Field: Automatically Deregister Clients on Accounting Stop
Usage: If set, A3 will deregister a device when it receives a RADIUS accounting stop message.
Example: slider off

Field: VLAN Pool Technique
Usage: The algorithm used to select the VLAN from a VLAN pool. One of username_hash or round_robin.
Example: username_hash

Field: Filter, Advanced Filter
Usage: See the Filters section below.

Field: Sources
Usage: Authentication sources are added to the connection profile. Select a source from the drop-down list for the first source. Add others using the add icon next to an existing source. Sources are evaluated in order; they can be reordered by hovering over a source number and dragging the handle that appears to the correct position.
Example: sms, email, sponsor, null

Field: Billing Tiers
Usage: Specific billing tiers to be used with Billing Authentication Sources.

Field: Provisioners
Usage: Provisioners to be used upon successful authentication.

Field: Scanners
Usage: Conformance scanners to be used before completing authentication.

Field: Device registration
Usage: Self Service Portal setting that can restrict the role based on operating system.
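Two settings in the table above carry logic worth seeing end to end: the realm check behind Reuse 802.1X Credentials, which reuses a credential only when an authentication source exists for the realm the identity names, and the two VLAN Pool Technique algorithms. The following Python is an added example written for this page; it is not A3 or PacketFence code. The "null" label for the null realm, the "10-13,20" pool syntax and the use of SHA-256 for username_hash are assumptions of the example; the product's own hash function is not stated on the page.

```python
import hashlib
from typing import List, Sequence, Tuple

# Label used here for credentials that carry no domain part; the page calls
# this the "null realm". The label itself is an assumption of this example.
NULL_REALM = "null"


def split_realm(identity: str) -> Tuple[str, str]:
    """Split an 802.1X identity into (user, realm).

    Handles the two forms named on the page, user@domain and domain\\user.
    An identity without a domain part belongs to the null realm. Realm names
    are lower-cased so that CORP and corp match the same configured realm.
    """
    if "\\" in identity:
        domain, user = identity.split("\\", 1)
        return user, domain.lower()
    if "@" in identity:
        user, domain = identity.rsplit("@", 1)
        return user, domain.lower()
    return identity, NULL_REALM


def can_reuse_dot1x_credentials(identity: str, realms_with_sources: Sequence[str]) -> bool:
    """Mirror the precaution behind "Reuse 802.1X Credentials": the credentials
    are reused on the portal only when an authentication source is configured
    for the realm the identity names (or for the null realm when it names none).
    """
    _, realm = split_realm(identity)
    configured = {r.lower() for r in realms_with_sources}
    return realm in configured


def expand_vlan_pool(spec: str) -> List[int]:
    """Expand a pool written as '10-13,20' into [10, 11, 12, 13, 20].
    The range/list syntax is an assumption of this example."""
    vlans: List[int] = []
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            low, high = (int(x) for x in part.split("-", 1))
            vlans.extend(range(low, high + 1))
        elif part:
            vlans.append(int(part))
    if not vlans:
        raise ValueError("empty VLAN pool")
    return vlans


def vlan_by_username_hash(pool: Sequence[int], username: str) -> int:
    """username_hash technique: the same username always lands on the same
    VLAN, so a returning user keeps its VLAN without any stored state.
    SHA-256 is used here for illustration only."""
    digest = hashlib.sha256(username.encode("utf-8")).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


class RoundRobinVlanPool:
    """round_robin technique: hand out VLANs in turn, which spreads devices
    evenly but depends on a counter that must be kept between assignments."""

    def __init__(self, pool: Sequence[int]) -> None:
        self.pool = list(pool)
        self.position = 0

    def assign(self) -> int:
        vlan = self.pool[self.position % len(self.pool)]
        self.position += 1
        return vlan


if __name__ == "__main__":
    configured = ["corp.example", NULL_REALM]  # constructed configuration
    for identity in ["alice@corp.example", "CORP.EXAMPLE\\bob", "carol", "dave@other.example"]:
        print(identity, "->", can_reuse_dot1x_credentials(identity, configured))
    pool = expand_vlan_pool("10-13")
    print("username_hash:", [vlan_by_username_hash(pool, u) for u in ["alice", "bob", "alice"]])
    rr = RoundRobinVlanPool(pool)
    print("round_robin:", [rr.assign() for _ in range(6)])
```

The realm check is the part to get right: an identity such as dave@other.example must be refused when only corp.example has a source, and a bare username must be refused unless the null realm itself has one; otherwise an arbitrary 802.1X identity could be matched against a source that was never meant for it.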

Filters

Connection profile filters restrict the application of a profile to specific network and device values. There are three fields related to filters:

Filter List

The possible filter items are:

Filter: Connection Sub Type
Options:
  • AKA
  • AirFortress-EAP
  • Arcot-Systems-EAP
  • Base
  • CRYPTOCard
  • Cisco-LEAP
  • Cisco-MS-CHAPv2
  • Cogent-Biomentric-EAP
  • DSS-Unilateral
  • Defender-Toke
  • DeviceConnect-EAP
  • DynamID
  • EAP-3Com-Wireless
  • EAP-AKA2
  • EAP-Actiontec-Wireless
  • EAP-EVEv1
  • EAP-FAST
  • EAP-GPSK
  • EAP-HTTP-Digest
  • EAP-IKEv2
  • EAP-Link
  • EAP-MOBAC
  • EAP-MSCHAP-V2
  • EAP-PAX
  • EAP-PSK
  • EAP-PWD
  • EAP-SAKE
  • EAP-SPEKE
  • EAP-TLS
  • EAP-TTLS
  • Generic-Token-Card
  • Identity
  • KEA
  • KEA-Validate
  • MAKE
  • MD5-Challenge
  • MS-AUthentication-TLV
  • MS-CHAP-V2
  • MS-EAP-Authentication
  • Microsoft-MS-CHAPv2
  • NAK
  • Nokia-IP-Smart-Card
  • None
  • Notification
  • One-Time-Password
  • PEAP
  • RSA-Public-Key
  • RSA-SecurID-EAP
  • Remote-Access-Service
  • Rob-EAP
  • SIM
  • SRP-SHA1
  • SecurID-EAP
  • SecuriSuite-EAP
  • SentriNET
  • VALUE
  • Zonelabs
Example: EAP-FAST

Filter: Connection Type
Options:
  • Wireless-802.11-NoEAP
  • Ethernet-Web-Auth
  • SNMP-Traps
  • Inline
  • Ethernet-EAP
  • Ethernet-NoEAP
  • Wireless-Web-Auth
  • Wireless-802.11-EAP
Example: Wireless-802.11-EAP

Filter: Network
Options: A network in CIDR format or an IP address.
Example: 192.168.1.0/24

Filter: Client Role
Options: One of the defined Roles.
Example: guest

Filter: Port
Options: A switch port number of the format <SwitchID>-<port>.

Filter: Realm
Options: One of the defined realms in Domains and Realms.
Example: LOCAL

Filter: SSID
Options: The name of an access point SSID. As you enter characters into this field, a search over the defined SSIDs begins. A new one can be defined at that time.
Example: Company-Guests

Filter: Device
Options: One of the defined Network Devices.
Example: Corp AP

Filter: Device Group
Options: One of the defined device groups in Network Devices.
Example: Extreme Networks APs

Filter: Device MAC Address
Options: A device's MAC address.
Example: 11:22:33:44:55:66

Filter: Device Port
Options: The device's port number.
Example: 4

Filter: Tenant
Options: The tenant's number.
Example: 2

Filter: Time Period
Options: The current time is within a time period expressed as described here. For example, working hours can be expressed as wd {Mon-Fri} hr {9am-5pm}.
Example: wd {Mon-Fri} hr {9am-5pm}

Filter: URL
Options: The URL of the captive portal path used by the client.
Example: http://a3.example.com/register#bob

Filter: FQDN
Options: The FQDN of the captive portal path used by the client.
Example: a3-external.example.com

Filter: VLAN
Options: The VLAN during authentication.
Example: 10
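To show how the filters above are evaluated against a connection, including the Network filter in CIDR form, MAC address comparison regardless of separator style, and the Time Period syntax of the working-hours example, here is an added Python example written for this page (it is not A3 or PacketFence code). It implements only the wd and hr scales of the time period syntax, treats the hour range as inclusive of its end hour, and combines several filters with AND semantics; all three are assumptions of the example, since the page does not state them. The profile and connection values are constructed.

```python
import ipaddress
import re
from datetime import datetime
from typing import Callable, Dict

# datetime.weekday() numbering: Monday is 0 ... Sunday is 6
DAY_NAMES = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]


def _parse_day(token: str) -> int:
    name = token.strip().lower()[:3]
    if name not in DAY_NAMES:
        raise ValueError(f"unknown day name: {token!r}")
    return DAY_NAMES.index(name)


def _parse_hour(token: str) -> int:
    """'9am' -> 9, '5pm' -> 17, '12am' -> 0, '12pm' -> 12, '17' -> 17."""
    match = re.fullmatch(r"(\d{1,2})(am|pm)?", token.strip().lower())
    if not match:
        raise ValueError(f"bad hour: {token!r}")
    hour, suffix = int(match.group(1)), match.group(2)
    if suffix == "am" and hour == 12:
        hour = 0
    elif suffix == "pm" and hour != 12:
        hour += 12
    if not 0 <= hour <= 23:
        raise ValueError(f"hour out of range: {token!r}")
    return hour


def _item_matches(item: str, current: int, parse: Callable[[str], int]) -> bool:
    """A scale item is a single value ('Mon') or an inclusive range ('Mon-Fri');
    a range whose end precedes its start wraps around (e.g. 'wd {Fri-Mon}')."""
    if "-" in item:
        low, high = (parse(t) for t in item.split("-", 1))
        if low <= high:
            return low <= current <= high
        return current >= low or current <= high
    return current == parse(item)


def time_period_matches(period: str, when: datetime) -> bool:
    """Evaluate 'wd {Mon-Fri} hr {9am-5pm}' against a timestamp.

    Supports the wd (weekday) and hr (hour) scales; every scale present must
    hold, and within a scale any listed item may match. The hour range is
    inclusive of its end hour (17:30 matches 9am-5pm), an assumption here.
    """
    scales = re.findall(r"(\w+)\s*\{([^}]*)\}", period)
    if not scales:
        raise ValueError(f"no scales found in period: {period!r}")
    for name, body in scales:
        if name.lower() == "wd":
            current, parse = when.weekday(), _parse_day
        elif name.lower() == "hr":
            current, parse = when.hour, _parse_hour
        else:
            raise ValueError(f"unsupported scale: {name!r}")
        if not any(_item_matches(item, current, parse) for item in body.split()):
            return False
    return True


def _norm_mac(mac: str) -> str:
    """Compare MACs by their hex digits only, so 11:22:33:44:55:66 and
    11-22-33-44-55-66 are the same address."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def profile_matches(filters: Dict[str, str], connection: Dict[str, str], now: datetime) -> bool:
    """True when every filter configured on the profile holds for the
    connection (AND semantics, an assumption of this example).
    `connection` keys used: connection_type, connection_sub_type, ssid, ip, mac, vlan, realm."""
    for name, wanted in filters.items():
        if name == "network":
            address = ipaddress.ip_address(connection["ip"])
            if address not in ipaddress.ip_network(wanted, strict=False):
                return False
        elif name == "device_mac":
            if _norm_mac(connection["mac"]) != _norm_mac(wanted):
                return False
        elif name == "time_period":
            if not time_period_matches(wanted, now):
                return False
        elif name in ("connection_type", "connection_sub_type", "ssid", "vlan", "realm"):
            if str(connection.get(name)) != wanted:
                return False
        else:
            raise ValueError(f"unsupported filter: {name!r}")
    return True


# Constructed example profile, not taken from a real deployment.
GUEST_FILTERS = {
    "connection_type": "Wireless-802.11-EAP",
    "ssid": "Company-Guests",
    "network": "192.168.1.0/24",
    "time_period": "wd {Mon-Fri} hr {9am-5pm}",
}

if __name__ == "__main__":
    conn = {"connection_type": "Wireless-802.11-EAP", "ssid": "Company-Guests",
            "ip": "192.168.1.42", "mac": "11:22:33:44:55:66"}
    print(profile_matches(GUEST_FILTERS, conn, datetime(2021, 4, 14, 10, 0)))  # a Wednesday
    print(profile_matches(GUEST_FILTERS, conn, datetime(2021, 4, 17, 10, 0)))  # a Saturday
```

Unknown scales and unknown filter names raise rather than silently matching, so a misspelled filter cannot widen the set of connections a profile applies to.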

Advanced Filter

An expression involving terms separated by the following operators:

The following attributes are available to use in advanced filters:

Database attributes from a previous connection:
  • autoreg
  • status
  • bypass_vlan
  • bandwidth_balance
  • regdate
  • bypass_role
  • device_class
  • device_type
  • device_version
  • device_score
  • pid
  • machine_account
  • category
  • mac
  • last_arp
  • lastskip
  • last_dhcp
  • user_agent
  • computername
  • dhcp_fingerprint
  • detect_date
  • voip
  • notes
  • time_balance
  • sessionid
  • dhcp_vendor
  • unregdate
  • fingerbank_info.device_name
  • fingerbank_info.device_fq
  • fingerbank_info.device_hierarchy_names
  • fingerbank_info.device_hierarcy_ids
  • fingerbank_info.score
  • fingerbank_info.version
  • fingerbank_info.mobile

Attributes from the current connection:
  • connection_sub_type
  • connection_type
  • switch
  • port
  • vlan
  • ssid
  • dot1x_username
  • realm
  • machine_account

For example,

Captive Portal

The theory behind CWP modules is described in Captive Web Portal. The fields in the captive portal page are:

Field: Logo
Usage: The file used for the logo displayed at the top of the CWP page. A new logo can be uploaded using the upload icon button. The location of the file is shown in this field when the upload is completed.
Example: /common/logo.vertical.fullColor

Field: Redirection URL
Usage: The default URL to redirect to on completion of registration. This is overridden by a per-security-event redirect URL.
Example: https://www.extremenetworks.com

Field: Force Redirection URL
Usage: If enabled, the user is redirected to the Redirection URL defined above. If disabled, the user is allowed to access their originally intended page.
Example: slider off

Field: Block Interval
Usage: The number of times that a user can retry a login, SMS request, or SMS PIN is defined below. Block Interval indicates how long a user will have to wait before attempting to reauthenticate after having exceeded any of those limits. Expressed as a number of time units, from seconds to years.
Example: 10 minutes

Field: SMS PIN Retry Limit
Usage: The maximum number of times a user can retry an SMS PIN before having to request another PIN. A value of 0 disables the limit.
Example: 0

Field: SMS Request Retry Limit
Usage: The maximum number of times a user can request an SMS PIN. A value of 0 disables the limit.
Example: 0

Field: Login Attempt Limit
Usage: Limits the number of login attempts. A value of 0 disables the limit.
Example: 0

Field: Allow access to Registration Portal when Registered
Usage: This enables already registered users to re-register their device by first accessing the status page and then accessing the portal. This is useful to allow users to extend their access even though they are already registered, and to manage which devices are registered within their limits. Billing options use this option.
Example: slider off

Field: Network Logout
Usage: If enabled, users can access the network logout page (the /networklogoff path on the captive portal) in order to terminate their network access and switch their device back to unregistered.
Example: slider off

Field: Network Logout Popup
Usage: If Network Logout is enabled and this option is enabled, a log-off popup will be presented at the end of the registration process.
Example: slider off

Field: Languages
Usage: Enables a list of languages that the user can choose from during authentication.
Example: en_US
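The three retry limits and the Block Interval above together form a lockout policy: a limit of 0 disables a counter, and exceeding any enabled limit blocks the user for the interval. The following Python is an added example of such a policy written for this page, not A3 code; its in-memory storage, the per-identity key (username for logins, phone number for SMS) and the rule that the attempt after the limit is the one refused are assumptions of the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional

# Attempt kinds, one per limit on the page.
LOGIN = "login"              # Login Attempt Limit
SMS_PIN = "sms_pin"          # SMS PIN Retry Limit
SMS_REQUEST = "sms_request"  # SMS Request Retry Limit


@dataclass
class PortalLimiter:
    """In-memory tracker (an assumption of this example) for the portal retry
    limits. A limit of 0 disables that limit; once any enabled limit is
    exceeded the identity is blocked for block_interval."""
    login_attempt_limit: int = 0
    sms_pin_retry_limit: int = 0
    sms_request_retry_limit: int = 0
    block_interval: timedelta = timedelta(minutes=10)
    _counts: Dict[str, Dict[str, int]] = field(default_factory=dict)
    _blocked_until: Dict[str, datetime] = field(default_factory=dict)

    def _limit_for(self, kind: str) -> int:
        return {LOGIN: self.login_attempt_limit,
                SMS_PIN: self.sms_pin_retry_limit,
                SMS_REQUEST: self.sms_request_retry_limit}[kind]

    def blocked_until(self, identity: str, now: datetime) -> Optional[datetime]:
        """Return the end of the block, clearing it (and the counters) once it
        has expired so that counting starts afresh."""
        until = self._blocked_until.get(identity)
        if until is not None and now >= until:
            del self._blocked_until[identity]
            self._counts.pop(identity, None)
            return None
        return until

    def is_blocked(self, identity: str, now: datetime) -> bool:
        return self.blocked_until(identity, now) is not None

    def attempt(self, identity: str, kind: str, now: datetime) -> bool:
        """Record one attempt before it is processed. Returns True if it may
        proceed, False if the identity is (or has just become) blocked.
        `identity` is what the limit keys on: the username for logins, the
        phone number for SMS PINs and requests."""
        if self.is_blocked(identity, now):
            return False
        limit = self._limit_for(kind)
        counts = self._counts.setdefault(identity, {})
        counts[kind] = counts.get(kind, 0) + 1
        if limit and counts[kind] > limit:
            self._blocked_until[identity] = now + self.block_interval
            return False
        return True

    def reset(self, identity: str) -> None:
        """Call after a successful login, so earlier failures do not linger."""
        self._counts.pop(identity, None)


if __name__ == "__main__":
    limiter = PortalLimiter(login_attempt_limit=3, block_interval=timedelta(minutes=10))
    start = datetime(2021, 4, 14, 9, 0)  # constructed timestamp
    for n in range(5):
        print("attempt", n + 1, "allowed:", limiter.attempt("bob", LOGIN, start))
    print("blocked until:", limiter.blocked_until("bob", start))
    print("allowed after interval:", limiter.attempt("bob", LOGIN, start + timedelta(minutes=10)))
```

Call attempt() before checking the credentials, so that an attempt made while blocked is never evaluated; with all limits at 0 the tracker records nothing that can block, which matches the page's meaning of 0 as "disabled".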

Files

The files tab lists all of the pages associated with the connection profile and CWP. Each connection profile includes its own copy of files. Editing one profile's files will not affect any other profile.

Folders can be expanded and collapsed by selecting them.

Pages are edited by selecting the page in the list. Pages can be viewed, copied, or reverted using the three icons to the right of the list.

The following pages are most often customized:

The editor provides the following controls:

editor controls

Control Usage
Insert variable At run-time will insert the value of a variable. The variable choices are:
  • logo
  • username
  • user_agent
  • last_switch
  • last_port
  • last_vlan
  • last_connection_type
  • last_ssid
</> Toggles between a simple text display and a display of the underlying HTML source.
B U I strike through icon Character effects: bold, underline, italics, and strikethrough.
eraser icon Removes a color effect from the current text selection.
text color icon Sets the text color for the current selection.
edit background color icon Sets the background text color for the current selection.
quotes icon Places the selected paragraph into a highlighted box.
font size icon Changes the font size of the selected text. No visible indication is shown in the editor.
unordered list icon Creates or removes an unordered (bulleted) list for the selected lines.
ordered list icon Creates or removes an ordered (numbered) list for the selected lines.
alignment icons Sets the alignment for the selected text to left, center, or right respectively.
link icon Creates or deletes a link to an external file. The following parameters are required to create a link:
  • Text - the text to be displayed for the link.
  • Insert link - the <href> to the external location.
  • Open mode - one of _self (replace the frame contents), _blank (a new blank page), _top (replace the full body of the current window), or _parent (replace parent frame).
table icon Inserts a table of a selected size.

Copyright © 2021 Extreme Networks. All rights reserved. Published April 2021.