Universal ZTNA Wired Guidelines

Universal ZTNA supports Fabric Engine/VOSS and Switch Engine/EXOS Network Operating Systems (NOSs). Universal ZTNA supports the minimum versions of the following products:

Switch Engine 32.7.1
Fabric Engine 9.0.2

There are three management options:

Managed Mode
Locally Managed Mode
Third-party Mode

Managed Mode

Supported NOS: Switch Engine. Switches are onboarded directly using Manage your Devices.

ExtremeCloud IQ manages switch configuration. Use Configure a Switch for Instant Secure Port in ExtremeCloud IQ to provision the following components on the switch:

Certificate for RadSec communication
RADIUS/RadSec configuration to the cloud RadSec server or locally deployed RadSec proxy
802.1X or MAC authentication

Universal ZTNA updates the policy configuration on the switch, including static policy roles and rules, based on the provisioned network policy.

Locally Managed Mode

Supported NOS: Switch Engine and Fabric Engine. Switches are onboarded using Manage your Devices Locally.

ExtremeCloud IQ does not configure switches in local managed mode. In local managed mode, based on the provisioned network policy, Universal ZTNA provisions policy on the switch using dynamic ACLs (dACL) conveyed using RADIUS vendor-specific attributes (VSAs) during the authentication process.

Users configure the following components manually:

Certificate for RadSec communication
RADIUS/RadSec configuration to the cloud RadSec server
802.1X or MAC authentication, along with supporting feature sets, depending on the deployment model

Third-party Mode

Universal ZTNA provisions policy on the switch using dynamic ACLs (dACL) conveyed using RADIUS vendor-specific attributes (VSAs) during the authentication process. Third-party or non-ExtremeCloud IQ devices are onboarded through Network Resources.

Users configure the following components manually:

Certificate for RadSec communication
RADIUS/RadSec configuration to the cloud RadSec server
802.1X or MAC authentication, along with supporting feature sets, depending on the deployment model
Cloned and modified Extreme, Cisco, HP, and Aruba templates or newly created vendor-specific RADIUS templates. For more information, Manage RADIUS Templates.
SSIDs for wireless devices. For more information see Manage SSIDs.
Network devices. For more information, see Add a Network Device.

Configuration Details for Fabric Engine and Switch Engine

To configure Fabric Engine, select Fabric Engine Locally Managed Sample Configuration.
To configure Switch Engine, select Switch Engine Locally Managed Sample Configuration.

Fabric Engine and Switch Engine Reference Guides