Endpoint Tracking integrates with the ExtremeCloud IQ Site Engine ExtremeConnect and ExtremeControl modules. The ExtremeConnect module offers API integration with third-party products, such as VMware or Microsoft Hyper-V, from which VM endpoint information is extracted and automatically converted into policies for the ExtremeControl module. ExtremeControl acts as the RADIUS server that authorizes Endpoint Tracking MACs.
The following diagram illustrates an example of ExtremeCloud IQ Site Engine interaction with a switch for Endpoint Tracking:
The RADIUS attributes to configure in either standard or custom ExtremeCloud IQ Site Engine RADIUS profiles for Endpoint Tracking depend on your deployment and traffic type:
For tagged traffic, if the RADIUS server provides both the VLAN ID and I-SID value, use only the FA-VLAN-ISID attribute.
For tagged traffic, if the RADIUS server provides only the VLAN ID (and you are therefore using an I-SID offset value), use only the Tunnel-Private-Group-ID attribute.
For untagged traffic, if the RADIUS server provides both the VLAN ID and I-SID value, use the FA-VLAN-ISID and Egress-VLANID or Egress-VLAN-name attributes.
For untagged traffic, if the RADIUS server provides only the VLAN ID (and you are therefore using an I-SID offset value), use the Tunnel-Private-Group-ID and Egress-VLANID or Egress-VLAN-name attributes.
All other RADIUS attributes are ignored.
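The four cases above, as an added example in Python (not Extreme's code and not an ExtremeCloud IQ Site Engine profile). It builds the attribute set for each deployment case and lints a profile against the rules, so a misconfiguration such as sending both FA-VLAN-ISID and Tunnel-Private-Group-ID, or an egress attribute for tagged traffic, is caught before it reaches the switch. The standard encodings follow RFC 2868 (Tunnel-Private-Group-ID) and RFC 4675 (Egress-VLANID, Egress-VLAN-Name). FA-VLAN-ISID is a Vendor-Specific attribute; the vendor ID, vendor-type and "<vlan>:<isid>" payload used here are assumptions for the example, as is the reading that the egress attribute for untagged traffic carries the untagged indication; take the real values from the ExtremeCloud IQ Site Engine RADIUS dictionary.

```python
"""RADIUS attribute sets for Endpoint Tracking Access-Accepts (added example,
not Extreme's code). Standard encodings follow RFC 2868 (Tunnel-Private-Group-ID,
type 81) and RFC 4675 (Egress-VLANID, type 56; Egress-VLAN-Name, type 58).
FA-VLAN-ISID is carried as Vendor-Specific (type 26); its vendor ID, vendor-type
and "<vlan>:<isid>" payload below are ASSUMED for this example."""
import struct

VENDOR_SPECIFIC = 26          # RFC 2865
EGRESS_VLANID = 56            # RFC 4675
EGRESS_VLAN_NAME = 58         # RFC 4675
TUNNEL_PRIVATE_GROUP_ID = 81  # RFC 2868
FA_VENDOR_ID, FA_VLAN_ISID_VTYPE = 0xFFFF, 1   # placeholders (assumed), not real values


def egress_vlanid(vlan, tagged=False):
    """Egress-VLANID value: 8-bit tag indication (0x31 tagged, 0x32 untagged),
    12 bits of zero padding, 12-bit VLAN ID, sent as one 4-octet integer."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    return EGRESS_VLANID, struct.pack("!I", ((0x31 if tagged else 0x32) << 24) | vlan)


def decode_egress_vlanid(value):
    """Return (vlan, tagged); reject tag indications or padding the RFC does not allow."""
    (word,) = struct.unpack("!I", value)
    tag = word >> 24
    if tag not in (0x31, 0x32) or word & 0x00FFF000:
        raise ValueError("malformed Egress-VLANID")
    return word & 0x0FFF, tag == 0x31


def egress_vlan_name(name, tagged=False):
    """Egress-VLAN-Name value: leading '1' (tagged) or '2' (untagged), then the VLAN name."""
    return EGRESS_VLAN_NAME, (b"1" if tagged else b"2") + name.encode()


def tunnel_private_group_id(vlan):
    """Tunnel-Private-Group-ID value: tag octet 0x00 (no tunnel tag), then the VLAN ID as text."""
    return TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan).encode()


def fa_vlan_isid(vlan, isid):
    """FA-VLAN-ISID as a Vendor-Specific attribute (vendor ID/type and payload format assumed)."""
    if not 1 <= isid < 2 ** 24:
        raise ValueError("I-SID out of range")
    payload = f"{vlan}:{isid}".encode()
    vsa = bytes([FA_VLAN_ISID_VTYPE, 2 + len(payload)]) + payload
    return VENDOR_SPECIFIC, struct.pack("!I", FA_VENDOR_ID) + vsa


def endpoint_tracking_attrs(tagged, vlan, isid=None, vlan_name=None):
    """Attribute set for one of the four cases above. isid=None means the server
    knows only the VLAN ID (I-SID offset in use on the switch); vlan_name selects
    Egress-VLAN-Name instead of Egress-VLANID for untagged traffic."""
    attrs = [fa_vlan_isid(vlan, isid) if isid is not None else tunnel_private_group_id(vlan)]
    if not tagged:
        attrs.append(egress_vlan_name(vlan_name) if vlan_name else egress_vlanid(vlan))
    return attrs


def encode(attrs):
    """Serialise (type, value) pairs as RADIUS Type/Length/Value octets."""
    for _, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
    return b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)


def check_profile(tagged, attrs):
    """Lint an attribute set against the rules above for the given traffic type.
    Returns a list of problems; an empty list means the profile is consistent."""
    types = [t for t, _ in attrs]
    problems = []
    if types.count(TUNNEL_PRIVATE_GROUP_ID) + types.count(VENDOR_SPECIFIC) != 1:
        problems.append("exactly one of FA-VLAN-ISID or Tunnel-Private-Group-ID is required")
    egress = [(t, v) for t, v in attrs if t in (EGRESS_VLANID, EGRESS_VLAN_NAME)]
    if tagged and egress:
        problems.append("tagged traffic: no egress attribute should be sent")
    if not tagged and len(egress) != 1:
        problems.append("untagged traffic: exactly one of Egress-VLANID or Egress-VLAN-name is required")
    for t, v in egress:
        # Assumed reading of the untagged case: the egress attribute itself must say 'untagged'.
        marked_tagged = decode_egress_vlanid(v)[1] if t == EGRESS_VLANID else v[:1] == b"1"
        if marked_tagged:
            problems.append("egress attribute marks the VLAN as tagged")
    for t in types:
        if t not in (VENDOR_SPECIFIC, EGRESS_VLANID, EGRESS_VLAN_NAME, TUNNEL_PRIVATE_GROUP_ID):
            problems.append(f"attribute type {t} is ignored by Endpoint Tracking")
    return problems
```

Run `check_profile` on the attribute list your profile would return before deploying it; the "ignored" warnings matter because a profile that also sends, say, Tunnel-Type gives no error on the switch, it is simply dropped, so the only place to notice the mistake is on the server side.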
Endpoint Tracking uses RADIUS RFC 5176 Change-of-Authorization (CoA) functionality to enable forced VLAN:ISID binding updates.
For example, when the VLAN segment of a VM changes on a switch where that VM's MAC has already been authenticated, the VM requires a new VLAN:ISID binding to reflect the new VLAN segment. Because the switch has already authenticated the MAC, you must force a new authentication request to update the binding information.
Using ExtremeControl, you can manually push a reauthentication request for the VM MAC. This action sends a Disconnect-Request from the RADIUS server to the switch, which deletes the old binding. When the switch detects the VM again, it sends a new RADIUS authentication request to the RADIUS server, resulting in updated binding information upon successful authentication.
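The exchange described above, as an added example in Python (not ExtremeControl's or the switch's code): the server builds an RFC 5176 Disconnect-Request that identifies the VM by Calling-Station-Id, the switch verifies the Request Authenticator before deleting the binding and answers with Disconnect-ACK (or Disconnect-NAK with Error-Cause 503, Session-Context-Not-Found, when it holds no binding for that MAC), and the server verifies the Response Authenticator before treating the binding as gone. The shared secret, NAS address, MAC and session table are constructed for the example, and the follow-up Access-Request/Access-Accept round is collapsed to a lookup in a constructed policy table. Without the authenticator checks, anyone who can spoof UDP towards the switch's dynamic-authorization port could disconnect endpoints at will, which is why the switch side discards a request that fails verification rather than answering it.

```python
"""RFC 5176 Disconnect-Request exchange used to force a new VLAN:I-SID binding
(added example, not ExtremeControl's or the switch's code). The shared secret,
NAS address, MAC and session/policy tables are constructed for the example."""
import hashlib
import hmac
import socket
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42   # RFC 5176 packet codes
NAS_IP_ADDRESS, CALLING_STATION_ID, ERROR_CAUSE = 4, 31, 101      # RADIUS attribute types
SESSION_CONTEXT_NOT_FOUND = 503                                   # RFC 5176 Error-Cause value
SECRET = b"constructed-shared-secret"                             # constructed for the example


def avp(atype, value):
    """RADIUS attribute: Type, Length (header included), Value."""
    return bytes([atype, 2 + len(value)]) + value


def find_avp(blob, wanted):
    """Value of the first attribute of the wanted type, or None (also None on a malformed TLV)."""
    i = 0
    while i + 2 <= len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            return None
        if atype == wanted:
            return blob[i + 2:i + alen]
        i += alen
    return None


def build_disconnect_request(identifier, mac, nas_ip):
    """Server side. Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    attrs = avp(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)) + avp(CALLING_STATION_ID, mac.encode())
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + SECRET).digest()
    return header + auth + attrs


def request_is_authentic(pkt):
    """Switch side: recompute the Request Authenticator before touching any binding."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + SECRET).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def switch_handle(pkt, sessions):
    """Switch side: delete the binding for the MAC and answer Disconnect-ACK, or
    Disconnect-NAK if no such session exists. sessions maps MAC -> (vlan, isid).
    Returns None (silent discard, as RFC 5176 requires) when the authenticator fails."""
    if pkt[0] != DISCONNECT_REQUEST or not request_is_authentic(pkt):
        return None
    mac = (find_avp(pkt[20:], CALLING_STATION_ID) or b"").decode(errors="replace")
    if sessions.pop(mac, None) is not None:
        code, body = DISCONNECT_ACK, b""
    else:
        code, body = DISCONNECT_NAK, avp(ERROR_CAUSE, struct.pack("!I", SESSION_CONTEXT_NOT_FOUND))
    header = struct.pack("!BBH", code, pkt[1], 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    auth = hashlib.md5(header + pkt[4:20] + body + SECRET).digest()
    return header + auth + body


def response_is_authentic(req, resp):
    """Server side: same Identifier as the request and a valid Response Authenticator."""
    if len(resp) < 20 or resp[1] != req[1] or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return False
    expected = hashlib.md5(resp[:4] + req[4:20] + resp[20:] + SECRET).digest()
    return hmac.compare_digest(expected, resp[4:20])


def force_rebind(mac, sessions, policy, identifier=1, nas_ip="192.0.2.10"):
    """Whole flow for one VM MAC: push the disconnect, check the reply, then the
    switch re-authenticates the MAC it sees again and installs the binding the
    server now returns. policy maps MAC -> (vlan, isid) held by the server (constructed)."""
    req = build_disconnect_request(identifier, mac, nas_ip)
    resp = switch_handle(req, sessions)
    if resp is None or not response_is_authentic(req, resp):
        return "no authentic reply"
    if resp[0] != DISCONNECT_ACK:
        return "nak: error-cause %d" % struct.unpack("!I", find_avp(resp[20:], ERROR_CAUSE))[0]
    sessions[mac] = policy[mac]   # new Access-Request/Access-Accept round, collapsed to a lookup here
    return "rebound to vlan:isid %d:%d" % sessions[mac]
```

On a real deployment the request goes over UDP to the switch's dynamic-authorization port (3799 by default) and the switch looks up the session by the identifying attributes it received; the binding table here stands in for that.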
For more information about RADIUS Dynamic Session Change Support (RFC 5176), see RFC 5176 — Dynamic Session Change.