Enforcement Modes

Several deployment modes can be used with A3, as discussed in Deployment Modes. The deployment mode dictates which enforcement mode can be used.

The enforcement modes available with A3 are listed below. A3 is normally used with VLAN and RADIUS enforcement modes, which are the most common forms of deployment with modern equipment.

VLAN Enforcement Mode

See the discussion on the use of registration VLANs vs. access firewalls in Deployment Modes. This enforcement mode uses a management VLAN.

VLAN enforcement mode is shown in the image below.

VLAN mode

In this mode, when new clients attempt normal network traffic, they are blocked by A3. The client goes through the registration process with A3, which assigns a VLAN to the client and grants network access.

A3 must be used as the DNS server and can be used as the DHCP server and default gateway for both the registration and isolation VLANs.

In this configuration, clients can only communicate with the A3 server until they have been authenticated and registered with A3, at which point they can access the general network. The A3 software, with its included RADIUS server, acts as the secure access server, using information from the supporting databases and networking devices to enable or deny client access. Even enabled clients can be further restricted by VLANs, firewall rules, and QoS settings orchestrated by A3.

Firewall Enforcement Mode

See the discussion on the use of registration VLANs vs. access firewalls in Deployment Modes. This enforcement mode does not use a management VLAN.

In this Layer 3 mode, new clients attempting to first associate with a network are restricted by their access device via firewall rules. The firewall rules enable access to the A3 server and the local DHCP and DNS servers, but redirect any web (HTTP or HTTPS) traffic to A3’s CWP.

The client steps through the registration process with A3, which provides the access device information used to assign a new set of firewall rules or VLAN to the client that implement appropriate network access.

In this configuration, clients are restricted to communication with the A3 server until they have been registered and authenticated in A3, at which point they can access the general network. The A3 software, with its included RADIUS server, is used to authenticate clients. A3 serves as the secure access server, using information from the supporting databases and networking devices to enable or deny client access. Clients allowed access can be further restricted by VLAN, firewall rules, and QoS settings orchestrated by A3.

Firewall enforcement is used for all of the use cases in this guide.

WebAuth Enforcement Mode

WebAuth enforcement mode is shown in the image below.

Webauth mode

In this mode, the registration process uses A3 as an external captive web portal. The client authenticates through the portal, where A3 indicates success or failure, and assigns a new VLAN. Several restrictions apply when used with Extreme Networks equipment:

  1. The external captive web portal is set up as an access policy in ExtremeCloud IQ. This process is described in the A3 Installation and Usage manual.
  2. Only a single ExtremeCloud IQ access policy is applied.
  3. Some of the external Authentication Sources cannot be used.
  4. Role by VLAN ID must be used in the Policies and Access Control > Network Devices roles.

WebAuth (ACL) Enforcement Mode

WebAuth (ACL) mode is illustrated in the graph below.

Webauth ACL mode

In this mode, the switch ACLs (access control lists) restrict initial traffic through the switch and redirect the client to A3 for CWP-based authentication. If the authentication is successful, A3 writes new ACLs to the switch that enable appropriate traffic based on the client's role.

RADIUS Enforcement Mode

RADIUS enforcement mode is shown in the image below.

Radius mode

In this mode, A3 acts as a RADIUS server and can optionally be used as a captive web portal. A3 returns roles or VLANs via RADIUS attributes, which the switch uses to enable or restrict access.
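As an added illustration of what "returns VLANs via RADIUS attributes" looks like on the wire (example code, not from this guide or from A3), the standard RFC 2868/3580 triple Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID is encoded the way a RADIUS server puts it in an Access-Accept, then decoded the way a switch validates it before moving the port. That A3 uses exactly these standard attributes is an assumption here; the page only states that roles or VLANs are returned as RADIUS attributes.

```python
# Added example (not from the A3 documentation): encode and decode the
# standard RFC 2868/3580 tunnel attributes a RADIUS server returns in an
# Access-Accept to assign a VLAN. Which attributes A3 itself sends is an
# assumption; the page only says roles/VLANs are returned via RADIUS.
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13   # RFC 3580: Tunnel-Type value for VLAN
MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type value for 802 media

def _avp(attr_type, value):
    """One attribute-value pair: 1-byte type, 1-byte total length, value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def vlan_assignment_attributes(vlan_id, tag=1):
    """AVP bytes for an Access-Accept that places the client in vlan_id."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    t = bytes([tag])  # integer tunnel attrs: 1 tag byte + 3-byte value
    return (_avp(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _avp(TUNNEL_MEDIUM_TYPE, t + MEDIUM_IEEE_802.to_bytes(3, "big"))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode()))

def parse_attributes(data):
    """Walk the AVP list into {type: value}; reject malformed lengths."""
    attrs, i = {}, 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated AVP header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad AVP length")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs

def assigned_vlan(data):
    """VLAN ID a switch would apply, or None if the triple is missing/inconsistent."""
    a = parse_attributes(data)
    if not all(k in a for k in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)):
        return None
    if int.from_bytes(a[TUNNEL_TYPE][1:], "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(a[TUNNEL_MEDIUM_TYPE][1:], "big") != MEDIUM_IEEE_802:
        return None
    gid = a[TUNNEL_PRIVATE_GROUP_ID]
    # RFC 2868 s3.6: a leading byte <= 0x1F is a tag, otherwise part of the string.
    if gid and gid[0] <= 0x1F:
        gid = gid[1:]
    return int(gid.decode()) if gid.isdigit() else None
```

A switch that receives the triple with any element missing or with a non-VLAN Tunnel-Type leaves the port in its default or registration VLAN, which is why the decoder returns None rather than guessing.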

Copyright © 2021 Extreme Networks. All rights reserved. Published April 2021.