
Deployment Modes

There are several modes of deploying A3 within a network. The deployment mode often dictates the type of Enforcement Modes possible.

Two classes of deployment are used with A3 depending on how unregistered clients are isolated prior to authentication:

Layer 2 Hybrid Out-of-Band Deployment

This type of deployment requires the use of a registration VLAN. Layer 2 hybrid OOB (out-of-band) deployments require that all of the elements involved in network access control be connected through Layer 2 networks. This means that VLANs must be pushed from the core to the access networks, which can be an issue for larger network deployments. A Layer 3 Across a Routed Network deployment model can be a better choice in that case.

This deployment mode allows for complete, fine-grained network control and scales better than inline deployment mode. To ensure correct IP and VLAN assignments, A3 must receive all client DHCP and DNS requests sent from networking devices. In Layer 2 deployments, this is accomplished by connecting the A3 server to the access point via a switch. A3 receives DHCP requests and responds with an IP address on the local registration or isolation network. A3 also responds with its own IP address as the DNS server and the default gateway.

This deployment mode is shown in the figure below. An Extreme Networks AP is used in this figure, but an access switch or other intelligent network device can be used.

This deployment model can be used with VLAN, Web Auth, and RADIUS enforcement as described in Enforcement Modes.

A3 Deployment with Reg VLAN

Layer 3 Across a Routed Network Deployment

This type of deployment requires the use of a registration VLAN on each of the Layer 2 networks connected to the A3 server(s).

In a Layer 3 deployment A3 can be hosted in a data center. Clients and their access devices can be located remotely from A3 so long as the latency between clients and the A3 servers is under 5 ms. VPN access is required between sites to ensure security. This is the most common deployment model for A3.

This deployment mode is shown in the figure below. An Extreme Networks access point is used in this figure, but an access switch or other intelligent network device can be used.

This deployment model can be used with VLAN, Web Auth, and RADIUS enforcement as described in Enforcement Modes.

Layer 3 Deployment

DHCP requests on the local registration or isolation network are forwarded to the A3 server on a remote network using a DHCP relay agent. Although DHCP relay agents can be enabled on an access point or access switch, best practice is to run it on an initial member of the larger Layer 3 network. The relay agent receives Layer 2 DHCP requests, encapsulates them in Layer 3 packets and transmits them using the L3/VPN network to A3.

The basic steps for using A3 in a routed configuration are:

  1. In Configuration > Network Configuration > Interfaces, add a routed network for the Registration and Isolation interfaces. The routed network should correspond to the addresses in the registration or isolation network, using an address on the registration or isolation network as the gateway. The router to which A3 is connected should also have an interface on the registration network.
  2. Set up a DHCP relay on the L3 switch/router connected to A3 for all registration, isolation, and user networks or VLANs to use a DHCP server.
    1. If the L3 switch/router is an Extreme Networks router, a Windows server should be used as the DHCP server.
  3. Configure multiple firewall rules on the access point or access switch to strictly limit client access to A3 and required services:
    1. Enable DHCP, DNS, HTTP, and HTTPS protocols to access the Registration and Isolation interfaces.
    2. Enable access to the URLs associated with any of the external services needed for external Authentication Sources or for Provisioning.
    3. Enable DHCP access to the DHCP servers.
    4. Enable HTTP and HTTPS to access A3.
    5. Deny all access to local networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
    6. Enable all other access.
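As an added illustration (not part of the A3 documentation), the following Python models the rule list from step 3 as a first-match access list and checks that a client on the registration network can reach A3 for DHCP, DNS, HTTP and HTTPS but nothing else on the private ranges; the A3 and DHCP server addresses are assumed placeholders, and transport protocol is omitted for brevity.

```python
import ipaddress

# Constructed placeholder addresses; substitute your own A3 and DHCP addresses.
A3_REG_IF = "10.10.10.2"      # assumed A3 Registration interface address
DHCP_SERVER = "10.20.0.5"     # assumed enterprise DHCP server
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Rule = (action, destination network, set of destination ports or None for any).
# First match wins, so the order mirrors steps 3.1 through 3.6 above.
POLICY = (
    [("permit", A3_REG_IF + "/32", {67, 53, 80, 443})]   # DHCP, DNS, HTTP, HTTPS to A3
    + [("permit", DHCP_SERVER + "/32", {67})]            # DHCP to the DHCP server
    + [("deny", net, None) for net in RFC1918]           # deny all local networks
    + [("permit", "0.0.0.0/0", None)]                    # enable all other access
)

# Same rules with the RFC1918 deny placed first: A3 itself lives in 10.0.0.0/8,
# so this ordering silently blocks the captive portal.
MISORDERED = [r for r in POLICY if r[0] == "deny"] + [r for r in POLICY if r[0] == "permit"]


def evaluate(policy, dst_ip, dst_port):
    """Return the action of the first rule matching the destination (first-match)."""
    ip = ipaddress.ip_address(dst_ip)
    for action, net, ports in policy:
        if ip in ipaddress.ip_network(net) and (ports is None or dst_port in ports):
            return action
    return "deny"  # implicit default if no rule matches


def check_policy(policy):
    """Sanity checks to run against the ACL before pushing it to the AP or switch."""
    return {
        "a3_portal_reachable": evaluate(policy, A3_REG_IF, 443) == "permit",
        "a3_other_ports_blocked": evaluate(policy, A3_REG_IF, 22) == "deny",
        "dhcp_server_reachable": evaluate(policy, DHCP_SERVER, 67) == "permit",
        "private_lan_blocked": evaluate(policy, "192.168.1.10", 445) == "deny",
        "internet_reachable": evaluate(policy, "93.184.216.34", 443) == "permit",
    }


def policy_ok(policy):
    return all(check_policy(policy).values())


if __name__ == "__main__":
    print("ordered policy:", check_policy(POLICY))
    print("misordered policy:", check_policy(MISORDERED))
```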

Layer 3 Hybrid Out-of-Band Deployment

This type of deployment does not use a registration VLAN.

Layer 3 hybrid OOB (out-of-band) deployments are a new means of connecting authenticating clients. As opposed to the earlier techniques, a registration VLAN is not required, and Layer 2 connectivity between clients and A3 is likewise not required. The A3 server and the access points or switches need only have Layer 3 connectivity.

This deployment mode is shown in the figure below. An Extreme Networks AP is used in this figure, but an access switch or other intelligent network device can be used. This deployment model can be used with VLAN, Web Auth, and RADIUS enforcement as described in Enforcement Modes.

A3 Deployment without Reg VLAN

Copyright © 2021 Extreme Networks. All rights reserved. Published April 2021.