Standard Wireless Network Settings

View, add, and modify a standard (non-guest access) wireless network (SSID) on this page. Configure an SSID for a private client group.

Navigation

Navigate using the tab icons. Hover over an icon to see the name of the tab.

Configure > Network Policies > policy_name > Wireless Networks > Add > All other Networks (standard)

or

Configure > Network Policies > policy_name > Wireless Networks > wireless_network_name

About Wireless Network Settings

A network policy can include one or more wireless networks, also often referred to as SSIDs. A wireless network SSID is an alphanumeric string that identifies a set of authentication and encryption services that wireless clients and access point devices use when communicating with each other. Learn how to configure an SSID to direct how wireless devices process traffic for wireless clients. This Help topic covers the following wireless network configuration tasks:

This topic describes how to configure a standard wireless network. To configure a Guest Access wireless network, see Guest Access Wireless Network Settings.

Standard Wireless Network Settings

To configure a new standard wireless network, navigate to Configure > Network Policy > policy_name > Wireless Networks. Select ADD and select All other Networks (standard) from the drop-down. On the Wireless Network page, configure the following settings, and then select Save when you are finished.

Name (SSID): Enter a name for the wireless network SSID. ExtremeCloud IQ and IQ Engine use this name to group all the settings related to this wireless network, such as required and optional data rates, DoS (denial of service) policies, MAC filters, and the broadcast SSID. The name can contain up to 32 characters without spaces.

Broadcast Name: Enter a broadcast name for this wireless network, or accept the one automatically derived from the SSID name. This broadcast name is what clients discover from beacons and probe responses. The broadcast name can contain up to 32 characters with or without spaces.

To prevent clients from seeing the broadcast name, activate Hide SSID (stealth mode), as described in Wireless Network Optional Settings.

Broadcast SSID Using: Select one or both of the following:

WiFi0 Radio (2.4 GHz or 5 GHz): Broadcast the SSID on the WiFi0 radio in either the 2.4 GHz or 5 GHz band based on the configuration of the WiFi0 radio.

WiFi1 Radio (5 GHz only): Broadcast the SSID on the WiFi1 radio operating in the 5 GHz band.

Most Extreme Networks devices generally have two radios—radio 1, which is bound to the WiFi0 wireless interface, and radio 2, which is bound to WiFi1. Radio 1 (WiFi0) generally operates in the 2.4 GHz band—but can also operate in the 5 GHz band on some models—and radio 2 (WiFi1) operates in the 5 GHz band.

Mapping an SSID to both types of radio is a good approach if the devices need to interoperate with some wireless clients that only support 802.11n/b/g and others that only support 802.11ac/n/a. In this case, both of the wifi radio interfaces—wifi0 and wifi1—must be in access mode or dual mode. If hive members need to support wireless backhaul communications with each other and you want both interfaces to provide client access, then one of the wireless interfaces must be in dual mode so that it provides both access and backhaul links.

SSID Usage – SSID Authentication

Note

Client mode radios (see AP Client Mode Settings) only use PSK or Open SSID authentication. Do not use any other form of authentication for client mode AP radios.

In the SSID Authentication subtab, use one of the following types of access security methods:

Note

ExtremeCloud IQ Connect does not support PPSK.

Alternatively, you can choose MAC Authentication and continue with "SSID Usage – MAC Authentication" to use MAC authentication with an external RADIUS server or a RADIUS server running on an Extreme Networks device.

Note

ExtremeCloud IQ uses Private Pre-Shared Key authentication as the default, as indicated by the gold color of that button. Authentication options differ between ExtremeCloud IQ and ExtremeCloud IQ Connect, and SSID options change depending on the authentication method you select.

Enterprise-802.1X

In the SSID Authentication section, select Enterprise-802.1X. This option requires users to authenticate themselves by entering a user name and password, which are checked against a RADIUS authentication server.

Select the required Key Management and Encryption Method options from their respective drop-down menus or leave them at their default values.

More about Enterprise-802.1X Authentication

Enterprise-802.1X uses a centralized RADIUS authentication server to store user accounts (name, password, and optional RADIUS attributes) and to generate and distribute master keys to supplicants (wireless clients) and pairwise master keys to authenticators (usually Extreme Networks APs or other managed devices). Authenticators and clients use the keys from the RADIUS server to generate the keys they use to secure traffic between one another.

When connecting through an 802.1X (Enterprise) SSID, the user enters a user name and password when prompted to log in. The Extreme Networks device (acting as a RADIUS authenticator) forwards the login credentials to a RADIUS authentication server, which checks its database. If the password matches the password in the database, the authentication attempt is successful. If not, the authentication attempt fails. In either case, the RADIUS server responds to the Extreme Networks RADIUS authenticator, which in turn forwards the response to the wireless client. Assuming that the user authenticated successfully, his or her wireless client can now access the wireless network.

The Wi-Fi Alliance created WPA (Wi-Fi Protected Access) before the IEEE 802.11i amendment was ratified in 2004. WPA allowed Wi-Fi vendors to offer a more secure option than WEP.

After the IEEE 802.11i amendment was ratified, the Wi-Fi Alliance created WPA2 to support the ratified amendment. WPA2 supports a superset of WPA and includes support of PMK (pairwise master key) caching and preauthentication to accelerate roaming from one access point to another.

In January 2018, the Wi-Fi Alliance announced WPA3 as a replacement for WPA2. WPA3 uses 192-bit encryption for WPA3-Enterprise mode. WPA3 also replaces PSK exchanges with simultaneous authentication of equals (SAE) as defined in IEEE 802.11-2016. SAE never exposes the passphrase, so an attacker who captures the exchange cannot recover the passphrase through brute-force dictionary attacks.

See External RADIUS Server Settings to view, add, select, modify, and delete RADIUS server objects.

Modify Default 802.1X Settings

Key Management: When using IEEE 802.1X authentication with a RADIUS authentication server, you can choose one of the following key management options:

Choose WPA3-802.1X to use 192-bit encryption and simultaneous authentication of equals (SAE) instead of PSK exchanges. If all the wireless clients support WPA3, it is a better choice than WPA2.

Choose WPA2-802.1X to support PMK caching and preauthentication (WPA does not support these). If the wireless clients support WPA2, it is the better choice over WPA, and it is the default.

Choose WPA-802.1X if you know that all the clients that are going to use this SSID were released before IEEE 802.11i was ratified in 2004 and only support WPA (not WPA2). WPA does not support PMK caching or preauthentication, but this option allows the Extreme Networks devices to support those clients.

Choose Auto-(WPA or WPA2) 802.1X to negotiate the use of WPA2 or WPA with clients based on which version they support.

Note

When a RADIUS server is used for authentication, the wireless client (referred to as the supplicant) and Extreme Networks device (the authenticator) communicate with each other using a form of EAP (Extensible Authentication Protocol) called EAPOL (Extensible Authentication Protocol over LAN). The Extreme Networks device and RADIUS authentication server communicate with each other using RADIUS, encapsulating EAP messages within RADIUS packet payloads.

Encryption Method (WPA or WPA2 only): Choose the method for encrypting traffic: CCMP (AES), TKIP, or—when Auto-(WPA or WPA2)-EAP (802.1X) is chosen for key management—Auto-TKIP or CCMP (AES).

CCMP (Counter Mode-Cipher Block Chaining Message Authentication Code Protocol) is a security protocol that uses AES (Advanced Encryption Standard) encryption. CCMP provides message integrity by combining counter mode with CBC (cipher block chaining) to produce a MAC (message authentication code). For details, see RFC 3610, "Counter with CBC-MAC (CCM)".

TKIP (Temporal Key Integrity Protocol) was created to correct security problems in WEP so that WEP-enabled clients could upgrade to a stronger security protocol. TKIP uses RC4 encryption, includes a method for changing keys on a per-packet basis, and provides message integrity checking.

Although TKIP provides strong security, CCMP (AES) is generally considered to be stronger than TKIP.

Note

When the SSID access method is 802.1X, the authentication method, which is not configurable and is not shown in the GUI, must be EAP (802.1X).

Enable Captive Web Portal: Select ON to enable a captive web portal for this wireless network. Then in the left navigation bar, under Captive Web Portal, select CWP to add a new captive web portal. For more information about captive web portals, see "Captive Web Portal".

RADIUS Server: In the left navigation bar, under RADIUS Server Group, select Add RADIUS Server Group. See RADIUS Server Settings to view, add, select, modify, and delete wireless network (SSID)-specific RADIUS objects. See External RADIUS Server Settings to view, add, select, modify, and delete external RADIUS common objects.

Additional Settings: Select the arrow next to the Additional Settings heading to display additional settings you can apply to your wireless network, such as availability restrictions, authentication timeout options, and customized filters. See "Additional Settings".

Personal PSK

In the SSID Authentication section select Personal PSK. This option requires all users to authenticate themselves by entering the same pre-shared key.

Select the required Key Management, Encryption Method, and Key Type entries from their respective drop-down menus or leave them at their default values, and enter a required value in the Key Value text box.

More about Personal PSK Authentication

Extreme Networks has also introduced an alternate approach that combines the advantages of Enterprise-802.1X and Personal (PSK) without the disadvantages of either: "Private Pre-Shared Key".

The Wi-Fi Alliance created WPA (Wi-Fi Protected Access) before the IEEE 802.11i amendment was ratified in 2004. WPA allowed Wi-Fi vendors to offer a more secure option than WEP.

After the IEEE 802.11i amendment was ratified, the Wi-Fi Alliance created WPA2 to support the ratified amendment. WPA2 supports a superset of WPA and includes support of PMK (pairwise master key) caching and preauthentication to accelerate roaming from one access point to another.

In January 2018, the Wi-Fi Alliance announced WPA3 as a replacement for WPA2. WPA3 uses 128-bit encryption for WPA3-Personal mode. WPA3 also replaces PSK exchanges with simultaneous authentication of equals (SAE) as defined in IEEE 802.11-2016. SAE never exposes the passphrase, so an attacker who captures the exchange cannot recover the passphrase through brute-force dictionary attacks.

Modify Default Personal Settings

Key Management: When using personal WPA/WPA2/WPA3 authentication, you can choose one of the following key management options:

Choose WPA3 (SAE) to negotiate using WPA3 with clients. WPA3 (SAE) is the default setting. If all the wireless clients support WPA3, it is a better choice than WPA2.

Choose WPA2-(WPA2 Personal)-PSK to use WPA2 for key management. WPA2 supports PMK caching and preauthentication whereas WPA does not (default).

Choose WPA-(WPA or Auto)-PSK to use WPA for key management. WPA does not support PMK caching or preauthentication. However, if you know that all the clients that are going to use this SSID were released before IEEE 802.11i was ratified and support WPA (not WPA2), this option allows the Extreme Networks device to support them.

Choose Auto-(WPA or WPA2)-PSK to negotiate the use of WPA2 or WPA with clients based on which version they support.

Encryption Method (WPA or WPA2 only): Choose the method for encrypting traffic: CCMP (AES), TKIP, or—when Auto-(WPA or WPA2)-PSK is chosen for key management—Auto-TKIP or CCMP (AES).

Note

When the wireless network (SSID) is configured for WPA3 (SAE), the encryption method is always set to 128-bit encryption.

CCMP (Counter Mode-Cipher Block Chaining Message Authentication Code Protocol) is a security protocol that uses AES (Advanced Encryption Standard) encryption. CCMP provides message integrity by combining counter mode with CBC (cipher block chaining) to produce a MAC (message authentication code). For details, see RFC 3610, "Counter with CBC-MAC (CCM)". CCMP (AES) is the default for WPA2-(WPA2 Personal)-PSK and WPA-(WPA or Auto)-PSK.

TKIP (Temporal Key Integrity Protocol) was created to correct security problems in WEP so that WEP-enabled clients could upgrade to a stronger security protocol. TKIP uses RC4 encryption, includes a method for changing keys on a per-packet basis, and provides message integrity checking.

Although TKIP provides strong security, CCMP (AES) is generally considered to be the stronger of the two.

Note

When the SSID access method is Pre-Shared Key, the authentication method must be Open. This is not configurable and is not shown. The client and access point authenticate themselves to each other using the same key.

SAE Group (WPA3 only): Select ECC to enable elliptic curve cryptography, which requires lower processing power from IoT devices. Select FFC to enable finite field cryptography, which is a traditional cryptography method. Select All to enable both ECC and FFC cryptography.

Transition Mode (WPA3 only): Select On or Off to enable or disable WPA3-Personal transition mode. Transition mode allows a gradual migration to a WPA3-Personal network while still allowing WPA2-Personal devices to connect. (The full benefits of WPA3-Personal are realized only when the network is in WPA3-only mode.)

Key Type (WPA or WPA2 only): To define the key value with ASCII characters, choose ASCII Key (default). To define the key value with hexadecimal digits, choose Hex Key.

Key Value: Enter the preshared key. If the key type is ASCII, it can be from 8 to 63 ASCII characters long. If the key type is hexadecimal, the key can be up to 64 hexadecimal digits long. To ensure the accuracy of the key, re-enter it in the Confirm Key field. You can select the Show Password check box to see the pre-shared key string as you type it.
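As an added example (not Extreme Networks code), the key rules above expressed in code: validation of an ASCII or hex Personal PSK key, followed by derivation of the 256-bit pairwise master key (PMK) that WPA/WPA2-Personal computes from an ASCII passphrase with PBKDF2-HMAC-SHA1, salted with the SSID as it is broadcast over the air. It assumes a hex key is entered as the full 64 digits, which is the 256-bit PSK of the standard rather than a passphrase, so no expansion takes place; WPA3 (SAE) key handling is not covered.

```python
import hashlib
import re

# Added example: Personal PSK key validation and PMK derivation.
# - ASCII key: 8 to 63 printable ASCII characters, expanded to a 32-byte PMK by
#   PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations) as specified in IEEE 802.11i.
# - Hex key: 64 hexadecimal digits, used directly as the 32-byte PMK.


def validate_psk(key_type: str, key_value: str) -> None:
    """Raise ValueError if key_value is not valid for the selected key type."""
    if key_type == "ASCII":
        if not 8 <= len(key_value) <= 63:
            raise ValueError("ASCII key must be 8 to 63 characters long")
        if not all(32 <= ord(ch) <= 126 for ch in key_value):
            raise ValueError("ASCII key must contain printable ASCII characters only")
    elif key_type == "Hex":
        if not re.fullmatch(r"[0-9A-Fa-f]{64}", key_value):
            raise ValueError("Hex key must be exactly 64 hexadecimal digits")
    else:
        raise ValueError(f"unknown key type: {key_type}")


def derive_pmk(key_type: str, key_value: str, ssid: str) -> bytes:
    """Return the 32-byte PMK for a validated Personal PSK key.

    The SSID is the salt, so the same passphrase yields a different PMK on every
    network, which is why the broadcast name must match exactly on both sides.
    """
    validate_psk(key_type, key_value)
    if key_type == "Hex":
        return bytes.fromhex(key_value)
    return hashlib.pbkdf2_hmac(
        "sha1", key_value.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    print(derive_pmk("ASCII", "correct horse battery staple", "ExampleSSID").hex())
```

The PBKDF2 step is also what makes an offline dictionary attack against a captured WPA2 four-way handshake feasible for weak passphrases, which is the weakness SAE removes.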

Anti-clogging Threshold (WPA3 only): Enter a number in the text box to have the wireless network block authentication requests after the selected number of failed attempts, which limits the effectiveness of brute-force attacks. Default = 5 attempts.

Enable Captive Web Portal: Select ON to enable a captive web portal for this wireless network. Then in the left navigation bar, under Captive Web Portal, select CWP to add a new captive web portal. For more information about captive web portals, see "Captive Web Portal".

Private Pre-Shared Key

In the SSID Authentication section select Private Pre-Shared Key. A PPSK is a unique preshared key assigned to a user rather than to an SSID. With this approach, you can assign different PPSKs and user profiles to different users on the same SSID. If a user is no longer permitted to use the WLAN or a wireless client becomes lost, stolen, or compromised, you can revoke just that user's PSK without having to reconfigure the PSKs on all the other clients.

Select the required Key Management and Encryption Method entries from their respective drop-down menus or leave them at their default values.

Note

ExtremeCloud IQ Connect does not support Private Pre-Shared Keys.

Set the maximum number of clients per private PSK: Enter the maximum number of simultaneous clients allowed for each private PSK user, from 1 through 15, or 0 for an unlimited number.

Note

Setting the maximum number of clients per private PSK in the user group to a custom (non-zero) value overrides this setting in the SSID.

Set the MAC binding numbers per private PSK: Manually binding MAC addresses to PPSKs is tedious and error-prone. When you enable this option, an Extreme Networks AP functions as a PPSK server and automatically binds MAC addresses to private PSKs. When the first client authenticates with a PPSK, the PPSK server creates an internal MAC address-to-PPSK binding list for it. If a second client authenticates with the same PPSK, the server automatically binds its MAC address to the PPSK and adds it to the list—if allowed by the configuration. You can configure a PPSK server to bind up to five MAC addresses to one PPSK so a user can submit the same PPSK for all his or her smart phones, tablets, PCs, and other clients.

Choose a PPSK Server: Choose an Extreme Networks AP from the list to define it as a PPSK server. A PPSK server stores all the PPSK users, binds multiple client MAC addresses to a PPSK, and automatically updates and tracks PPSK-to-MAC address bindings. It must be an AP that is at the site to which you want to apply this network policy. Extreme Networks APs (PPSK authenticators) at the same site contact this server when checking and requesting a binding of a user-submitted PPSK to the MAC address of the user's client.

Note

Only APs that you previously configured with static network settings appear in the PPSK server list.
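The PPSK server behaviour described above (per-user keys, automatic MAC binding of up to five clients, a per-PPSK client limit of 1 to 15 or 0 for unlimited, and revocation of a single user without touching anyone else), modelled as an added example that is not Extreme Networks code. Class and method names are hypothetical; a real server would store keys hashed rather than as plain strings.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class PPSKEntry:
    """State the server keeps for one user's private PSK."""
    user: str
    bound_macs: list[str] = field(default_factory=list)  # in binding order
    connected: set[str] = field(default_factory=set)


def normalize_mac(mac: str) -> str:
    """Canonical form so 'AA-BB-CC-00-00-01' and 'aa:bb:cc:00:00:01' compare equal."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class PPSKServer:
    """Model of an AP acting as PPSK server (hypothetical class, added example)."""

    def __init__(self, mac_binding_limit: int = 5, max_clients: int = 0) -> None:
        if not 0 <= mac_binding_limit <= 5:
            raise ValueError("MAC binding limit is 0 (binding off) to 5")
        if not 0 <= max_clients <= 15:
            raise ValueError("max clients per PPSK is 1 to 15, or 0 for unlimited")
        self.mac_binding_limit = mac_binding_limit
        self.max_clients = max_clients
        self._by_key: dict[str, PPSKEntry] = {}

    def issue(self, user: str, ppsk: str) -> None:
        """Assign a PPSK to a user; a PPSK is unique per user, not per SSID."""
        if ppsk in self._by_key:
            raise ValueError("PPSK must be unique per user")
        self._by_key[ppsk] = PPSKEntry(user)

    def authenticate(self, ppsk: str, mac: str) -> tuple[bool, str]:
        """Decide whether a client presenting ppsk from mac may join."""
        entry = self._by_key.get(ppsk)
        if entry is None:
            return False, "unknown or revoked PPSK"
        mac = normalize_mac(mac)
        # Check the client limit first so a refused client does not use up a binding slot.
        if self.max_clients and mac not in entry.connected \
                and len(entry.connected) >= self.max_clients:
            return False, "client limit reached"
        if self.mac_binding_limit and mac not in entry.bound_macs:
            if len(entry.bound_macs) >= self.mac_binding_limit:
                return False, "MAC binding limit reached"
            entry.bound_macs.append(mac)  # first use of this MAC: bind it
            entry.connected.add(mac)
            return True, "new MAC bound"
        entry.connected.add(mac)
        return True, "accepted"

    def disconnect(self, ppsk: str, mac: str) -> None:
        """Client left; the MAC stays bound but no longer counts as connected."""
        entry = self._by_key.get(ppsk)
        if entry is not None:
            entry.connected.discard(normalize_mac(mac))

    def revoke(self, user: str) -> set[str]:
        """Remove one user's PPSK and return the MACs the APs must disassociate."""
        doomed = [k for k, e in self._by_key.items() if e.user == user]
        macs: set[str] = set()
        for key in doomed:
            macs |= self._by_key.pop(key).connected
        return macs
```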

Private Client Group Options (default = disabled): Enable to assign private client groups (see Classification Rules Overview) to be used in the wireless network (SSID). Each network policy can have only one key-based private client group (PCG) wireless network (SSID), one AP-based PCG SSID, and any number of non-PCG SSIDs. See Add User Groups for instructions on assigning PCG options to a user group.

When you have enabled private client groups for this SSID, select one of the following private client group options, as required:

AP-Based: AP-based PCG uses unique users and shared keys. This mode supports common shared devices within personal network spaces. It also requires room assignments for AP anchoring and traffic tunneling. (See Add User Groups).

Key-Based: Key-based PCG requires that the entire group of devices use one password. Key-based PCG does not need room assignments, and no traffic tunneling is used on anchor APs. (See Add User Groups).

Note

Because a network policy can only have one key-based and one AP-based PCG at a time, if you have one SSID with key-based PCG enabled, you will not be allowed to enable key-based PCG in another SSID in the same network policy.

Modify Default Private Pre-Shared Key Settings

Key Management: When using Private Pre-Shared Keys for authentication, you can choose one of the following key management options:

Choose Auto-(WPA/WPA2/WPA3)-PSK to negotiate the use of WPA2 or WPA with clients based on which version they support.

Choose WPA-(WPA or Auto)-PSK to use WPA for key management. WPA does not support PMK caching or preauthentication. However, if you know that all the clients that are going to use this SSID were released before IEEE 802.11i was ratified and support WPA (not WPA2), this option allows the Extreme Networks device to support them.

Choose WPA2-(WPA2 Personal)-PSK to use WPA2 for key management. WPA2 supports PMK caching and preauthentication whereas WPA does not.

Encryption Method: Choose the method for encrypting traffic: CCMP (AES), TKIP, or—when Auto-(WPA/WPA2/WPA3)-PSK is chosen for key management—Auto-TKIP or CCMP (AES).

CCMP (Counter Mode-Cipher Block Chaining Message Authentication Code Protocol) is a security protocol that uses AES (Advanced Encryption Standard) encryption. CCMP provides message integrity by combining counter mode with CBC (cipher block chaining) to produce a MAC (message authentication code). For details, see RFC 3610, "Counter with CBC-MAC (CCM)".

TKIP (Temporal Key Integrity Protocol) was created to correct security problems in WEP so that WEP-enabled clients could upgrade to a stronger security protocol. TKIP uses RC4 encryption, includes a method for changing keys on a per-packet basis, and provides message integrity checking.

Although TKIP provides strong security, CCMP (AES) is generally considered to be the stronger of the two.

Note

When the SSID access method is Private Pre-Shared Key, the authentication method must be Open. This is not configurable and is not shown. The client and access point authenticate themselves to each other by the fact that they both possess the same key.

When a PCG configuration is selected, two major traffic filtering options are made available. The first two options can be selected independently, and are not associated with multicast filtering:

Enable Broadcast Filtering: When selected, broadcast frames are not propagated beyond the current PCG domain.

Enable Multicast Filtering: When selected, multicast frames are not propagated beyond the current PCG domain.

Enable MDNS (multicast DNS) Filtering: When applied, multicast DNS frames are not forwarded outside the PCG domain.

Enable SSDP (Simple Service Discovery Protocol) Filtering: When enabled, SSDP frames are not forwarded outside of the PCG domain.

When multicast filtering is selected, both mDNS and SSDP filtering are auto-selected and grayed out. If multicast filter is not selected, mDNS and SSDP filtering may be independently selected. This capability is solely dependent upon site requirements.
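The PCG forwarding decision described in the four options above, including the rule that multicast filtering forces mDNS and SSDP filtering on, as an added example that is not Extreme Networks code. Frames are constructed (destination MAC, destination IP, destination UDP port) triples, which is all the decision needs; the mDNS and SSDP destinations are the standard ones (224.0.0.251/ff02::fb port 5353 and 239.255.255.250 port 1900).

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Added example: classify a frame leaving a PCG domain under the PCG filter options.

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
MDNS4 = (ip_address("224.0.0.251"), 5353)     # multicast DNS over IPv4 (RFC 6762)
MDNS6 = (ip_address("ff02::fb"), 5353)        # multicast DNS over IPv6
SSDP = (ip_address("239.255.255.250"), 1900)  # Simple Service Discovery Protocol (UPnP)


@dataclass(frozen=True)
class PCGFilters:
    """The four check boxes in the SSID's PCG configuration."""
    broadcast: bool = False
    multicast: bool = False
    mdns: bool = False
    ssdp: bool = False

    def effective(self) -> "PCGFilters":
        # Selecting multicast filtering auto-selects (and greys out) mDNS and SSDP.
        if self.multicast:
            return PCGFilters(self.broadcast, True, True, True)
        return self


@dataclass(frozen=True)
class Frame:
    """Constructed frame summary: only the fields the filter decision needs."""
    dst_mac: str
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None


def is_multicast_mac(mac: str) -> bool:
    """Group bit is the least significant bit of the first octet; broadcast is handled separately."""
    mac = mac.lower()
    return mac != BROADCAST_MAC and int(mac.split(":")[0], 16) & 0x01 == 1


def forward_outside_pcg(frame: Frame, filters: PCGFilters) -> tuple:
    """Return (forward?, reason) for a frame destined beyond the current PCG domain."""
    f = filters.effective()
    mac = frame.dst_mac.lower()
    if mac == BROADCAST_MAC:
        return (False, "dropped: broadcast") if f.broadcast else (True, "forwarded")
    if not is_multicast_mac(mac):
        return True, "forwarded: unicast"   # PCG filters never touch unicast
    if frame.dst_ip is not None:
        dst = (ip_address(frame.dst_ip), frame.dst_port)
        if dst in (MDNS4, MDNS6) and f.mdns:
            return False, "dropped: mDNS"
        if dst == SSDP and f.ssdp:
            return False, "dropped: SSDP"
    if f.multicast:
        return False, "dropped: multicast"
    return True, "forwarded"
```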

WEP

In the SSID Authentication section, select WEP. WEP (Wired Equivalent Privacy) is an early security algorithm introduced in the IEEE 802.11 standard. Extreme Networks supports both WEP 802.1X and WEP. The distinction between the two types of WEP depends on their key management methods. WEP 802.1X has a means for refreshing keys dynamically, whereas WEP requires keys to be changed manually. Because of the effort involved in entering the keys manually on clients, WEP is only suitable for a relatively small number of clients.

Note

The IEEE 802.11 standard introduced WEP as a means for protecting authorized users of a WLAN from casual eavesdropping. Although WEP can deter casual eavesdropping, it cannot withstand more serious attacks. More secure replacements for WEP are WPA and WPA2, and Extreme encourages the use of these stronger security mechanisms whenever possible. However, if your SSID must accept legacy clients that only support WEP, its use is preferable to no security at all.

To use WEP as the access security method:

WEP: (select)

By default, a WEP SSID uses the following default settings for SSID access security:

Key Management: WEP

Encryption Method: WEP 104

Authentication Method: Open

Key Type: ASCII Key

Default Key: Key Value 1

Key Value 1, 2, 3, 4: Enter a 13-character ASCII string for the keys with ID 1, 2, 3, and 4. To see the text string that you type, select Show Password.

Modify Default WEP Settings

Key Management: Choose WEP. For information about the WEP 802.1X option, see "WEP 802.1X" below.

Encryption Method: Choose either WEP 104 or WEP 40. The difference between the two options is the length of the keys used for encryption. A WEP-104 key uses a 104-bit shared secret, and a WEP-40 key uses a 40-bit shared secret, which are derived from the values you enter in the Key Value fields. Generally, a longer key is more secure than a shorter one.

Note

Because WEP keys include a 24-bit IV (initialization vector), some wireless clients might refer to them as "128-bit WEP keys" (104-bit preshared secret + 24-bit IV) and "64-bit WEP keys" (40-bit preshared secret + 24-bit IV). Despite the different names, the keys described as WEP 104 and WEP 40 on ExtremeCloud IQ are equivalent to keys described as 128-bit and 64-bit keys on clients.

If you chose WEP 104 as the encryption method and ASCII Key as the key type, enter a 13-character ASCII string in the Key Value fields. If you chose WEP 104 and Hex Key, enter a 26-digit hexadecimal string.

If you chose WEP 40 as the encryption method and ASCII Key as the key type, enter a 5-character ASCII string in the Key Value fields. If you chose WEP 40 and Hex Key, enter a 10-digit hexadecimal string.

Authentication Method: Choose either Open or Shared. If you apply open authentication, the Extreme Networks device accepts any client without challenging it. If you apply shared authentication, the Extreme Networks device sends a random plaintext string to the client. The client encrypts the string and sends it back. The Extreme Networks device decrypts it and compares the string with the one it sent. If they match, the client has authenticated itself by proving it possesses the same shared encryption key as the Extreme Networks device.

Note

The shared authentication method is susceptible to attack. An attacker can capture both the plaintext string that the Extreme Networks device sends and the ciphertext string that the client sends and use them to figure out how to pass the authentication check.

Key Type: Choose either ASCII Key to enter the key values in ASCII (American Standard Code for Information Interchange) characters, or Hex Key to enter the key values in hexadecimal digits (0-9, A-F).

Default Key: Specify the key that you want the Extreme Networks device to use to encrypt the data it sends. The default key value for the default key is 1. You can change this to key values 2, 3, or 4. When the Extreme Networks device encrypts data with its default key, it includes the key ID number in the IV header that WEP adds to the 802.11 frame header. The recipient can then locate the key with the same ID number and use it to decrypt that data. Similarly, when a client encrypts data with its default key, it includes the key ID number in the IV header so that the Extreme Networks device can then locate a matching key to decrypt that data. The client can use the same default key as the Extreme Networks device when it encrypts data, or it can use one of the other three keys, and the device will still be able to decrypt it by using the key ID number to locate the matching key.

Note

When entering WEP keys on wireless clients, make sure that those keys are in the same order as the matching keys on the Extreme Networks device. For clients that store keys numbered 1, 2, 3, 4 or keys numbered 0, 1, 2, 3, the keys in the first, second, third, and fourth positions—regardless of their numbers—must correspond with the keys at the same positions on Extreme Networks devices. For example, the key in the first position numbered either 1 or 0 on a client must match the key in the first position (key value 1) on an Extreme Networks device.

To use WEP 802.1X as the access security method, configure the following:

WEP: (select)

Key Management: Choose WEP 802.1X. When you choose this option as a key management method, the available fields in the SSID Authentication section change. The following option replaces the manually configurable Key Value fields:

Encryption Method: Choose either WEP 104 or WEP 40. The difference between the two options is the length (104-bit or 40-bit) of the keys used for encryption. The shared secrets are derived from the values you enter in the Key Value fields. Generally, a longer key is more secure than a shorter one.

Note

Because WEP keys include a 24-bit IV (initialization vector), some wireless clients might refer to them as "128-bit WEP keys" (104-bit preshared secret + 24-bit IV) and "64-bit WEP keys" (40-bit preshared secret + 24-bit IV). Despite the different names, the keys described as WEP 104 and WEP 40 on ExtremeCloud IQ are equivalent to keys described as 128-bit and 64-bit keys on clients.

Open

In the SSID Authentication section, select Open. This option provides neither authentication nor encryption for traffic in the SSID. However, you can assign a captive web portal to the SSID to control network access.

Captive Web Portal

For networks using SSID Authentication (Enterprise-802.1X, Personal, Private Pre-Shared Key, or Open) or MAC Authentication, a captive web portal is a way to control network access. This method requires users to register before they receive the user profile settings that allow network access beyond the Extreme Networks device with which they associated.

Enable a Default Captive Web Portal

To use a captive web portal, set Enable Captive Web Portal to ON.

Select the check box next to the registration type you want to use.

Depending on the type of SSID authentication, there might be several or only one type available, as shown in this table.

Registration type                                        | PSK | Private PSK | 802.1X | WEP | WEP 802.1X | Open
User authentication                                      |  +  |      -      |   -    |  +  |     -      |  +
Self-registration                                        |  +  |      -      |   -    |  +  |     -      |  +
User authentication or self-registration                 |  +  |      -      |   -    |  +  |     -      |  +
Private PSK self-issuance                                |  -  |      -      |   -    |  -  |     -      |  +
Use policy acceptance                                    |  +  |      +      |   +    |  +  |     +      |  +
Cloud captive web portal (Social Login or Request a PIN) |  -  |      -      |   -    |  -  |     -      |  +

(+ = available for that SSID authentication type, - = not available)

To configure a new captive web portal, in the left navigation bar, under Captive Web Portal, select CWP, or select Add, and then continue with Captive Web Portal.

After you configure a captive web portal, apply it as the default for this SSID:

Choose Select next to Default Captive Web Portal.

In the Select CWPs dialog box, select the check box next to the captive web portal you want to use, and then choose Select.

Use Separate Captive Web Portals for Different Clients

In addition to the default captive web portal, ExtremeCloud IQ SSIDs can use other captive web portals for different clients based on device classification and classification rules. This is particularly useful if you have deployments at multiple sites and want a single network policy to apply to all of them but with different captive web portals for different locations. To use separate captive web portals, complete the following:

In the Captive Web Portal section of the SSID page, select Use a different captive web portal for various clients. Add or select different captive web portals to this list, as required.

Each captive web portal you add here must have a classification rule. Choose Select a Classification Rule to select an existing rule and then select Link, or select Add a Classification Rule to create a new rule from the Classification Rule page. See Network Policy Classification Rules .

SSID Usage – MAC Authentication

MAC authentication works by checking a client MAC address against a RADIUS server. The RADIUS server, or an external database with which the RADIUS server communicates, must have an entry with the client MAC address as both user name and password. If the client MAC address matches the entry, it is authenticated, and the AP allows it to access the network as determined by the user profile.

MAC authentication can provide an additional or sole means of authentication. If an SSID employs MAC authentication with another type of access control—PPSK, PSK, or a captive web portal—MAC authentication occurs first. If it is successful, the AP continues with the rest of the authentication procedure. Otherwise, the authentication process stops, the AP denies network access to the client, and the AP disassociates the client. If you enable MAC authentication and use an open SSID, then MAC authentication becomes the sole means of access control.

When a client with an 802.1X supplicant attempts to connect to the network, the supplicant responds to the EAP identity requests and uses EAP/802.1X to provide a user name and password to the authenticator. However, when a client without an 802.1X supplicant attempts to connect to the network, the RADIUS server tries MAC authentication, which is also referred to as MAB (MAC authentication bypass). If there is an entry with a matching MAC address, the client is permitted access to the network. Otherwise, access is denied.

After you select the MAC Authentication tab, enable MAC authentication to use client MAC addresses for client authentication.

Authentication Protocol: Choose PAP (Password Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol), or MS CHAP V2 (for users on an Active Directory server) to determine how the AP forwards authentication requests from users to an external RADIUS or Active Directory server. If you choose PAP, the AP sends an unencrypted password to the RADIUS server. If you choose CHAP or MS CHAP V2, the AP sends the RADIUS or Active Directory authentication server the result of an operation it performs on the password, instead of the password itself. The authentication server performs the same operation, and then compares the two results to check if they match.
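The following added example (not ExtremeCloud IQ or IQ Engine code) models the server side of the MAC authentication described above: a constructed user database in which each entry uses the client MAC address as both user name and password, a PAP check that compares the password directly, and a CHAP check that recomputes the MD5 digest (RFC 1994, carried in RADIUS per RFC 2865) instead of receiving the password itself. The MAC address notations, the MAB_USERS entries and the challenge value are all assumptions; the RADIUS packet encoding itself is not modelled.

```python
import hashlib
import hmac
import re

# Constructed MAB (MAC authentication bypass) database for this example:
# the client MAC address is stored as both user name and password, which is
# the entry format the RADIUS server (or its backing database) must provide.
MAB_USERS = {
    "aabbccddeeff": "aabbccddeeff",
    "001122334455": "001122334455",
}


def normalize_mac(mac: str) -> str:
    """Reduce common MAC notations (aa:bb:.., AA-BB-.., aabb.ccdd.eeff) to
    12 lowercase hex digits so the lookup key matches the stored entry."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def verify_pap(user_name: str, password: str) -> bool:
    """PAP: the server receives the password itself and compares it."""
    stored = MAB_USERS.get(normalize_mac(user_name))
    return stored is not None and stored == normalize_mac(password)


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """CHAP digest the authenticator sends in place of the password:
    MD5(CHAP-Ident || password || CHAP-Challenge), 16 bytes."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def verify_chap(user_name: str, ident: int, response: bytes,
                challenge: bytes) -> bool:
    """CHAP: perform the same operation on the stored password and compare
    the two digests. Because only a digest arrives, the stored password
    string must match the exact form the authenticator used (here the
    12-hex-digit form); the server cannot normalize a hashed value."""
    stored = MAB_USERS.get(normalize_mac(user_name))
    if stored is None:
        return False
    expected = chap_response(ident, stored, challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    mac = "AA-BB-CC-DD-EE-FF"
    print("PAP:", verify_pap(mac, mac))
    resp = chap_response(7, "aabbccddeeff", challenge)
    print("CHAP:", verify_chap(mac, 7, resp, challenge))
    print("unknown MAC:", verify_chap("00:00:00:00:00:01", 7, resp, challenge))
```

The CHAP path shows why a MAB entry must be stored in exactly the string form the AP sends as the password: the server never sees the password, only a digest over it.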

Continue with "Set a Default RADIUS Server Group" and "SSID Usage – SSID Authentication", and "Additional Settings".

RADIUS Authentication

RADIUS authentication is used for Enterprise-802.1X SSIDs, MAC authentication, and captive web portals that require user authentication. For all these forms of user authentication, Extreme Networks APs can use their built-in RADIUS servers, external RADIUS servers, Extreme Networks RADIUS proxy servers, or any combination of these three.

In addition, with Enterprise 802.1X SSIDs and captive web portals with user authentication, you also have the choice of using the cloud-based ExtremeCloud IQ authentication service. This service can support far more RADIUS users than individual APs can store and is commonly accessible from multiple locations, making it ideal for institutions with a large number of permanent users who frequently move among various sites. Another advantage that storing RADIUS users in the cloud offers is that you can add, modify, and delete users and user groups without needing to update your Extreme Networks RADIUS servers. External RADIUS servers also offer these benefits; however, if you do not already have a RADIUS infrastructure set up, the ExtremeCloud IQ authentication service offers a simple alternative.

See RADIUS Server Settings to view, add, select, modify, and delete wireless network (SSID)-specific RADIUS objects. See External RADIUS Server Settings to view, add, select, modify, and delete external RADIUS common objects.

Set a Default RADIUS Server Group

A default RADIUS server group, which can include up to four RADIUS servers, is the one that Extreme Networks devices use for RADIUS lookups unless there is a device classification rule directing them to a different group based on their location. The servers in the group can be external RADIUS servers, Extreme Networks RADIUS servers, Extreme Networks proxy servers, or a combination of these three types. For more information on configuring RADIUS server groups and RADIUS servers, see External RADIUS Server Settings.

To create a new default RADIUS server group:

  1. Select + next to Default RADIUS Server Group in the Authenticate via RADIUS Server section.
  2. On the Configure RADIUS Server Group page, enter a Name and an optional Description for the RADIUS server group.
  3. Define new RADIUS servers or select previously defined ones, and add them to the group (there can be up to four servers in a group).
  4. Select Save.

Optional Settings

In the Configure RADIUS Server Group dialog box, select the check box for a RADIUS server, then select . In the optional settings dialog box, configure optional settings that control how an IQ Engine device acting as a RADIUS authenticator—or NAS (network access server)—communicates with one or more RADIUS authentication servers, RADIUS proxy servers, and accounting servers. You can configure the following optional settings:

Retry Interval: Set the interval that the device waits before retrying a previously unresponsive primary RADIUS server. The device retries the primary server after the interval elapses even if the current backup server is responding. The default interval is 600 seconds (10 minutes). You can change this from 60 seconds (1 minute) to 100,000,000 seconds (a very long time). Although commas are included here to improve readability of the large number "100,000,000", you cannot enter commas in this field; that is, "100,000,000" must be entered as "100000000".

Accounting Interim Update Interval: Set the interval for sending RADIUS accounting updates to report the status and cumulative length of client sessions. The default interval for sending RADIUS accounting updates is 600 seconds (10 minutes). You can change the interval from 10 seconds to 100,000,000 seconds. Note that although commas are included to improve readability here, you cannot enter commas in this field.

Extreme Networks APs report updated DHCP-snooped IP addresses of associated clients to the RADIUS server asynchronously, that is, as soon as the information is available. These updates are sent in addition to the interim updates sent at the default or configured interval.

Permit Dynamic Change of Authorization Messages (RFC 3576): To allow devices acting as RADIUS authenticators to accept unsolicited disconnect and CoA (Change of Authorization) messages from a RADIUS authentication server, such as GuestManager, you can enable the dynamic authorization extension provided in RFC 3576, Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS). "Disconnect" messages terminate a user's session immediately, and CoA messages modify session authorization attributes such as VLANs and user profile IDs.

Select the check box to enable the device to accept unsolicited messages from the RADIUS authentication server. Clear the check box to disable it. By default this option is disabled.

Inject Operator-Name Attribute: Select to include the Operator-Name attribute within the Access-Request and Accounting-Request message that your Extreme Networks RADIUS authenticators send to your RADIUS authentication server. The value of this attribute is the domain name suffix of the Extreme Networks authenticator, which is usually assigned by DHCP, and helps to identify the source of the authentication requests. Providing source information like this can aid in troubleshooting authentication problems.

Select Save when you are finished.

For more information, see the following:

External RADIUS server: External RADIUS Server Settings

Extreme Networks RADIUS server: AAA Server Settings

Extreme Networks RADIUS proxy: Extreme RADIUS Proxy Servers

Note

ExtremeCloud IQ Connect only supports external RADIUS servers.

Select or Copy a RADIUS Server Group

To select an existing default RADIUS server group:

Select next to Default RADIUS Server Group in the Authenticate via RADIUS Server section.

Select a RADIUS Server Group from the list and then choose Select. This becomes the default RADIUS server group in the Authenticate via RADIUS Server section.

To copy an existing default RADIUS server group:

Select next to Default RADIUS Server Group in the Authenticate via RADIUS Server section.

In the RADIUS Server Groups dialog box, select an existing group and then select Copy.

Enter a new default RADIUS server group name in the Save As text box and then select Save. This new group becomes the default RADIUS server group for the SSID.

User Groups

Extreme Networks supports user groups for PPSK (Private Pre-Shared Key) users and RADIUS users.

You can store PPSK users in one of two places: in a central location in the ExtremeCloud IQ Authentication Service database, or distributed among Extreme Networks APs along the network edge. In either case, create PPSK user groups in the User Groups section of an SSID.

If you store some PPSK users in groups in the cloud database and others on Extreme Networks devices, by default the devices attempt to authenticate users by checking their local databases first before checking the cloud database. However, you can change this behavior so that devices check both databases simultaneously. To do this, use the supplemental CLI to append the following command to the configuration:

security-object <string> security private-psk both parallel

where <string> is the name of the security object for the SSID with local and cloud-based PPSK user groups.

Note

Extreme Networks APs running IQ Engine 6.5r3 or later support this command.

You can configure RADIUS user groups in one of two places in the ExtremeCloud IQ UI, depending on where you intend to store the RADIUS users:

Create RADIUS user groups in the User Groups section of an SSID when you want to store them in the ExtremeCloud IQ Authentication Service cloud database.

Create RADIUS user groups in Configure > Users > User Groups > Add and then reference them in AAA server profiles that you apply to APs configured as RADIUS servers when you want to store users there. See "RADIUS Authentication".

The third option for RADIUS users is to store them in external RADIUS, Active Directory, or OpenLDAP user databases. In this case, you configure RADIUS user groups on those external systems.

Add a User Group

In the User Groups section, select Add, or in the left navigation bar, under User Group, select Add User Group, and use one of the following procedures depending on the user authentication type (PPSK or RADIUS) and, for PPSK users, where they are stored:

PPSK users stored in the cloud: Enter a user group name and choose CLOUD for Password DB Location. PPSK is automatically chosen for Password Type.

PPSK users stored on APs: Enter a user group name and choose LOCAL for Password DB Location. PPSK is automatically chosen for Password Type.

RADIUS users stored in the cloud: Enter a user group name. CLOUD and RADIUS are automatically chosen for Password DB Location and Password Type.

If traffic filtering is configured, this behavior may be applied to any PCG group by selecting Apply PCG Filter.

Configure the other user group parameters as explained in Add User Groups and then select Save.

After adding or selecting user groups, you can add users individually or in bulk.

To add individual users to a group, select Add in the # of Users column, configuring the user as described in User Accounts, and then select Save.

To add users in bulk (up to 1000), save the SSID and navigate to Configure > Users > Users > Bulk Create. Choose the user group you just created and add the number of users you want, as explained in Multiple User Accounts (Bulk Create).

Select or Copy a User Group

Select an existing user group from the drop-down. In the User Group dialog box you will see a set of user groups appropriate for the SSID authentication type: PPSK, or 802.1X with RADIUS users stored in the ExtremeCloud IQ Authentication Service cloud database. Select the check box for one or more user groups, and then choose Select.

Note

For AP-Based Private Client Groups, select an AP-based user group name. For Key-Based Private Client Groups, select a key-based user group name.

Copy a User Group

From the drop-down, select a user group, and then select Copy. Enter a new name for the copied user group, and then select Save. This copies the parameters of the original user group but does not copy any user accounts. The new user group will be empty.

Add users individually or in bulk to the new user group:

To add individual users, select Add in the # of Users column, configure the user as described in User Accounts, and then select Save.

To add users in bulk (up to 1000), save the SSID and navigate to Configure > Users > Users > Bulk Create. Choose the new user group you just saved and add the number of users you want, as explained in Multiple User Accounts (Bulk Create).

User Access Settings

Whether your SSID is using SSID authentication (see "SSID Usage – SSID Authentication") or MAC authentication (see "SSID Usage – MAC Authentication"), it requires that the user access parameters be defined for each user profile. ExtremeCloud IQ has one default user profile for regular users and one default user profile for guest users. The default user profiles cannot be modified. For more information on user profiles, see User Profile Settings.

You can add more user profiles (each with unique firewall policies, VLANs, QoS, and traffic tunneling) as required.

Select an Existing User Profile

In the Default User Profile part of the User Access Settings section, select . In the Select Default User Profile dialog box, select the required user profile, and then choose Select. On the SSID page, select Save.

Create a New User Profile

In the Default User Profile part of the User Access Settings section, select . In the Create User Profile window, enter a User Profile Name and use the Connect to VLAN to select a VLAN for the user profile. Configure your other user profile firewall policies, QoS, traffic tunneling, and other parameters as required. Select Save.

Continue with "Additional Settings".

Additional Settings

(ExtremeCloud IQ only.) Configure the SSID Availability Schedule, Advanced Access Security Controls, and Optional Settings parameters as required:

SSID Availability Schedule: Select the check box to Restrict the availability of this SSID to selected schedules to enable SSID schedules. Then, select Customize to go to the Select SSID Availability Schedule dialog box, and to limit the SSID availability to an admin-defined schedule. See User Profile SSID Availability Schedules.

Advanced Access Security Controls: Select Customize to go to the Advanced Access Security Settings dialog box, and to configure the 802.11w and authentication timeout options. See Advanced Wireless Access Security Settings.

Optional Settings: Select Customize to configure radios and rates, DoS prevention, and other settings. Continue with Wireless Network Optional Settings.

Client Monitor: Enable to have Extreme Networks devices detect client issues, and report client connection activities and faults to ExtremeCloud IQ. See Wireless Network Additional Settings.

On the SSID page, select Save.

After saving your changes, configure all required Switch Settings and Additional Settings.

Select Deploy Policy. On the Deploy Policy page, continue with Deploy a Network Policy.

For more information on SSIDs, see the following Help topics:

Copyright © 2020 Extreme Networks. All rights reserved. Published March 2020.