Extreme Management Center or ExtremeCloud IQ - Site Engine Integration

Endpoint Tracking integrates with the ExtremeConnect and ExtremeControl modules of Extreme Management Center or ExtremeCloud IQ - Site Engine. The ExtremeConnect module offers API integration with third-party products, such as VMware or Microsoft Hyper-V, from which VM endpoint information is extracted and automatically converted into policies for the ExtremeControl module. ExtremeControl acts as a RADIUS server for authorizing Endpoint Tracking MACs.

The following diagram illustrates an example of Extreme Management Center or ExtremeCloud IQ - Site Engine interaction with a switch for Endpoint Tracking:

Extreme Management Center or ExtremeCloud IQ - Site Engine Endpoint Tracking Interaction Example

RADIUS Server Attributes

The RADIUS attributes to configure in either standard or custom Extreme Management Center or ExtremeCloud IQ - Site Engine RADIUS profiles for Endpoint Tracking depend on your deployment and traffic type:

All other RADIUS attributes are ignored.

Managing Binding Updates using RADIUS Change-of-Authorization

Endpoint Tracking uses RADIUS RFC 5176 Change-of-Authorization (CoA) functionality to enable forced VLAN:ISID binding updates.

For example, when a VLAN segment is changed on a VM that resides on a previously authenticated switch, that VM requires a new VLAN:ISID binding to reflect the new VLAN segment. Because the switch has previously been authenticated, you must force a new authentication request to update the binding information.

Using ExtremeControl, you can manually push a reauthentication request for the VM MAC. This action sends a disconnect-request from the RADIUS server to the switch, which deletes the old binding. When the switch detects the VM again, a new RADIUS authentication request is sent from the switch to the RADIUS server, resulting in updated binding information upon successful authentication.
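The following added example (not Extreme Networks code) shows the RFC 5176 disconnect-request exchange from both sides: the RADIUS server builds a Disconnect-Request for a VM MAC, and the switch verifies the Request Authenticator against the shared secret before deleting the binding and replying. Carrying the MAC in Calling-Station-Id, the bindings dictionary, and all function names are assumptions made for illustration; the optional Error-Cause attribute is left out of the NAK.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42  # RFC 5176 packet codes
CALLING_STATION_ID = 31  # assumption: the VM MAC is identified by this attribute


def authenticator(code, ident, length, seed, attrs, secret):
    """MD5(Code + Identifier + Length + 16-octet seed + Attributes + shared secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + seed + attrs + secret).digest()


def build_disconnect_request(ident, mac, secret):
    """RADIUS server side: Disconnect-Request naming one endpoint MAC."""
    value = mac.encode("ascii")
    attrs = struct.pack("!BB", CALLING_STATION_ID, len(value) + 2) + value
    length = 20 + len(attrs)
    # The Request Authenticator is computed with 16 zero octets in the authenticator field.
    auth = authenticator(DISCONNECT_REQUEST, ident, length, bytes(16), attrs, secret)
    return struct.pack("!BBH", DISCONNECT_REQUEST, ident, length) + auth + attrs


def handle_disconnect_request(packet, secret, bindings):
    """Switch side: returns the reply packet, or None when the request is discarded."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return None
    req_auth, attrs = packet[4:20], packet[20:]
    expected = authenticator(code, ident, length, bytes(16), attrs, secret)
    if not hmac.compare_digest(req_auth, expected):
        return None  # wrong shared secret or modified packet: silently discard
    mac, pos = None, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            return None  # malformed attribute list
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_type == CALLING_STATION_ID:
            mac = attrs[pos + 2:pos + a_len].decode("ascii", "replace")
        pos += a_len
    # Delete the old binding if one exists; the endpoint must then re-authenticate.
    reply_code = DISCONNECT_ACK if bindings.pop(mac, None) is not None else DISCONNECT_NAK
    # The Response Authenticator is seeded with the Request Authenticator of the request.
    reply_auth = authenticator(reply_code, ident, 20, req_auth, b"", secret)
    return struct.pack("!BBH", reply_code, ident, 20) + reply_auth
```

The authenticator check alone does not stop a captured request from being replayed; RFC 5176 recommends the Event-Timestamp attribute for that.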

For more information about RADIUS Dynamic Session Change Support (RFC 5176), see RFC 5176 — Dynamic Session Change.