Configuring a AAA Network

To create a AAA network associated to a Pass-thru External RADIUS Accept Policy. Take the following steps:

On ExtremeCloud IQ Controller :

Use the IP address of the Access Control Engine—that is, the Network Access Control (NAC) server—as the primary RADIUS server.

  1. Configure a RADIUS server for AAA authentication.
    • Log in to ExtremeCloud IQ Controller and go to Onboard > AAA > Radius Server and add a new RADIUS server.
    • Configure the following parameters:
      Radius Server IP Address
      Add the Access Control Engine IP address.
      Shared Secret
      Provide the Access Control Engine Shared Secret.
      Note

      Note

      To find the Shared Secret of the Access Control Engine, log in to ExtremeCloud IQ Site Engine and go to:

      Control > Access Control > Configuration > Global and Engine Settings > Engine Settings.

  2. Create a new network.
    Configure the following parameters:
    Auth Type
    WPA2 Enterprise w/ RADIUS
    Authentication Method
    RADIUS
    Primary RADIUS
    IP Address of the External NAC added in Step 1.
    Default Auth Role
    Select a role other than Enterprise User.
    Default VLAN
    Select a Default VLAN. B@AP VLAN ID
    Note

    Note

    Both B@AP and B@AC are supported for NAC.
  3. Select Save.
  4. Create a policy rule.
    Go to Onboard > Rules and configure the following parameters:
    Location Group
    Network: <name of your network>
    Accept Policy
    • To configure a Default Auth Role Policy, select Use Default Auth Role.
    • To configure a Pass-Through External RADIUS Accept Policy, select Pass Through External RADIUS.
  5. Select Save.

On ExtremeCloud IQ Site Engine:

  1. Go to Control > Access Control > Configuration > Configurations > Default > Rules
  2. Edit the rule you created on ExtremeCloud IQ Controller here.
    Configure the following parameters:
    Authentication Method
    802.1x
    End-System Group
    Any
  3. Select Save and enforce the Access Control Engine.

On ExtremeCloud IQ Controller:

  1. Assign the network created previously and its Default Auth Role to a site and save.
    • Go to Configure > Sites and select a site.
    • Select the Device Groups tab and select a device group.
    • Beside the Profile field, select to edit the device group profile.
    • Go to the Networks tab and select the configured network.
    • Go to the Roles tab and select the configured Default Auth Role.

Associate clients to the SSID of the Network, when prompted for the username and password, use the username and password created with the New User. The external NAC server matches the rule you created under New Rule and upon successful authentication sends an Access-Accept and a Filter-ID Enterprise User. The ExtremeCloud IQ Controller Access Control engine applies the Enterprise User Role instead of the Default Auth Role that was configured under Network Settings.

Note

Note

The Enterprise User role must exist on ExtremeCloud IQ Controller and must be assigned to the same device group as the client in order to be applied.
9039252-01 Rev. AA