Classification Rules Overview

Overview

ExtremeCloud IQ supports multiple classification rules for its DNS servers, VLANs, RADIUS servers, device templates, and user groups, and also supports private client groups (PCGs).

• For instance, a company can select Device Location rules and assign different DNS and RADIUS servers, and different time zones to different physical locations. (See "Device Location Details" below.)
• Cloud Config Groups (CCGs) allow the company to create user passwords which restrict access to private and personal network devices.
• The company can use IP Address classification rules to associate user groups so they can communicate using their own private networks.
• IP Subnet classification rules can be used by the company to support multiple user-group private networks.
• Companies can also use IP Range classification rules for multiple user-group private networks.

Note

See Network Policy Classification Rules to add network-policy-specific classification rules in the network policy workflow. See Classification Rules to add a new common-object classification rule.

Private Client Group Types and Limitations

When Private Client Groups (PCGs) are enabled, they can be designated as using one of two main operating modes.

• AP-based PCG uses unique user and shared keys. This mode supports common shared devices within personal network spaces. It also requires room assignments for AP anchoring and traffic tunneling.
• Key-based PCG requires that one password be used by the entire group of devices. Key-based PCG does not need room assignments, and no traffic tunneling is used on anchor-based APs.
• A PCG can also be used to support both AP-based and key-based modes, with some restrictions.

A key-based PCG requires the associated wireless network (SSID) use PPSK (Private Pre-Shared Key) access security SSID authentication and Local password database location (see Standard Wireless Network Settings and Guest Access Wireless Network Settings).

Key-based PCGs also require associated user group to use PPSK access security and Local password database location (see Add User Groups).

Note

Each network policy can have only one AP-based PCG wireless network (SSID), one key-based PCG SSID, and any number of non-PCG SSIDs. See Standard Wireless Network Settings or Guest Access Wireless Network Settings for instructions on assigning PCG options to a wireless network (SSID).

Note

Once you select the PCG operating mode for a network policy (see Standard Wireless Network Settings or Guest Access Wireless Network Settings), you cannot change your selection, because the different modes create non-transferrable passwords.

Hardware PCG Considerations

AP150W Ethernet ports can be assigned to a specific key-based or AP-based PCG. (In AP-based PCG, the Ethernet ports were considered shared ports not individual user ports.)

Device Location Details

After you have created your network policy and added Extreme Networks devices to your topology map, you might want to classify the common objects (such as DNS servers and VLANs) that are associated with your devices and network policy. For details on how to add devices, see ML Insights Network 360 Plan.

Device classification eases the workload for the network admin. In organizations with managed devices that span several locations, device classification gives you the flexibility to create and group common objects by location. As a result, you spend less time configuring multiple network policies and objects to achieve your configuration goals. You create only one network policy, configure your object profiles, and then apply the object profiles to devices that are governed by classification rules.

Before you begin configuring your devices using classification by location, you must first understand the following concepts:

Note

Objects used for classification can be first created in the Configure > Common Objects management window, but we recommend that you configure them within the network policy configuration workflow so that you can apply any classification rules.

• An object profile consists of a default object and the subsequent classification objects created in the object profile.
• Classification objects can be DNS servers, VLANs, RADIUS servers, and device templates.

• A classification rule is applied to a set of devices owned by clients or users in the network topology map.

For example, the Acme Corporation has two campus locations (San Jose and Sunnyvale) that require different classification rules and assigned DNS servers based on their business location and needs. Without device classification, you must create multiple network policies to deploy the necessary DNS server assignments; whereas, using device classification by location requires a single network policy only.