Configuring an MBA Network

Use this procedure to create the MBA network associated to a Pass-thru External RADIUS accept policy.

  1. Configure a RADIUS server for AAA authentication.
    • Log in to ExtremeCloud IQ Controller and go to Onboard > AAA > Radius Server and add a new RADIUS server.
    • Configure the following parameters:
      Radius Server IP Address
      Add the Access Control Engine (NAC server) IP address.
      Shared Secret
      Provide the Access Control Engine Shared Secret.
      Note

      Note

      To find the Shared Secret of the Access Control Engine, log in to ExtremeCloud IQ Site Engine and go to:

      Control > Access Control > Configuration > Global and Engine Settings > Engine Settings.

  2. Create a new network.
    • Enable MAC-based authentication (MBA) and choose an appropriate MBA Timeout Role.
    • Clear the Authenticate Locally for MAC check box.
    • Choose RADIUS as the Authentication Method and select the Access Control Engine added in Step 1 as the Primary RADIUS.
    • Select a Default VLAN.
    • Click Save.
  3. Add a new rule.
    • From ExtremeCloud IQ Controller, navigate to Onboard > Rules.
    • Click Add.
    • In the Location Group drop-down menu, select Network: <name of your network>.
    • From the Accept Policy field:
      • To configure a Default Auth Role Policy: select Use Default Auth Role.
      • To configure a Pass-thru External RADIUS Accept Policy: select Pass Through External RADIUS.
    • Save the rule.
  4. Assign the network created previously and its Default Auth Role to a site and save. Take the following steps:
    • Go to Configure > Sites and select a site.
    • Click the Device Groups tab and select a device group.
    • Beside the Profile field, click to edit the device group profile.
    • Go to the Networks tab and select the configured network.
    • Go to the Roles tab and select the configured Default Auth Role.
Finally, associate clients to the SSID of the network. The Access-Request is sent to the ExtremeCloud IQ Site Engine Access Control Engine. The Access Control Engine matches the MAC address of the user with one of the MAC addresses in the End-System Group (that was created earlier) and sends an Access-Accept with a Filter-ID Enterprise User. The ExtremeCloud IQ Controller applies the Enterprise User Role instead of the Default Auth Role that was configured under Network Settings.
Note

Note

The Enterprise User role must exist on ExtremeCloud IQ Controller and must be assigned to the same device group as the client in order to be applied.
9039252-01 Rev. AA