Management Options

Use these settings to control how administrators authenticate and how they access the devices they manage. You can configure global and device-level settings. For example, you can enable or disable the reset button and console port, enable or disable proxy ARP requests and replies, allow APs and routers to forward broadcasts and multicasts between SSIDs, and a variety of other options such as adjusting LED brightness, and setting temperature alarms.

For the steps to create management options, see Add Management Options.

Forwarding Engine Control Management Options

The forwarding engine settings control which traffic is forwarded between interfaces and through GRE tunnels, limit per-station sessions, and set logging options for firewall policies.

Table 1. Forwarding Engine Control Settings
Setting Description
Forwarding Engine Control
GRE Tunneling Selective Multicast Forwarding Select one of the following options:
  • Block All—Prohibits forwarding multicast and broadcast traffic through tunnels.
  • Allow All—Enables forwarding multicast and broadcast traffic through tunnels.

ExtremeCloud IQ devices can selectively block or allow broadcast and multicast traffic through GRE tunnels to reduce traffic congestion. You can filter using a blocked list, which blocks the forwarding of all broadcast and multicast traffic through GRE tunnels (or blocks all except to a few selected destinations), or using an allowed list, which allows all broadcast and multicast traffic through GRE tunnels (or allows all except to a few destinations).

Exception IP List Add the destinations that are exempt from the option selected above. Type a destination IP address and netmask for each entry.
Service Control
Limit MAC Sessions per Station Select Limit MAC Sessions per Station to enable the feature, and then type the maximum number of Layer 2 sessions that can be created to or from a station.

By default, devices do not enforce MAC or IP session limits per station.

Limit IP Sessions per Station Select Limit IP Sessions per Station to enable the feature, and type the maximum number of sessions per station.

Enable TCP Maximum Segment Size Select Enable TCP Maximum Segment Size to enable the feature, and then type the maximum segment size.

This feature enables a device to monitor the TCP MSS (maximum segment size) option in TCP SYN and SYN-ACK messages for traffic that the device is going to pass through GRE tunnels (for Layer 3 roaming and static identity-based tunnels) and GRE-over-IPsec tunnels (for IPsec VPN tunnels). The device can then notify the sender to adjust the TCP MSS value if it exceeds a maximum threshold.

When establishing a TCP connection, neither end is aware of the packet processing done by network forwarding equipment in between. For example, if a device has to send traffic through an IPsec VPN tunnel, then it adds a GRE header, an IPsec header, and possibly a UDP header for NAT-Traversal to each packet. Since the additional headers expand packet size, the device is forced to fragment packets, which increases packet processing and slows down throughput. To avoid fragmentation, the device can adjust the MSS (maximum segment size) value inside the initial SYN packet to allow room for the additional headers.

The default thresholds are 1414 bytes for GRE tunnels and 1336 bytes for GRE-over-IPsec tunnels. They are based on the encapsulation overhead of the corresponding tunnel type and the maximum transmission unit (MTU) for the mgt0 interface, which is 1500 bytes by default. If you change the MTU and use "auto" for the TCP MSS option, the device automatically readjusts the TCP MSS thresholds.

ARP Shield Enable ARP Shield to prevent man-in-the-middle attacks in which a client device attempts to impersonate a critical network resource, such as the network gateway or DNS server, through ARP poisoning. Do not use ARP Shield if any clients on the network are assigned static IP addresses. ARP Shield is disabled by default and can be enabled only on access points running IQ Engine 6.8.1 and later. Enabling it has no effect on access points running IQ Engine 6.5, switches, routers, or Virtual Gateway appliances.
DHCP Shield Disable DHCP Shield to turn off the built-in IQ Engine protection that prevents attached clients from impersonating a DHCP server. In the default enabled state, connected clients are blocked from responding to DHCP server discovery or IP lease requests; when DHCP Shield is disabled, connected clients can respond to such requests. DHCP Shield is enabled by default on access points running IQ Engine 6.8.1 and later. Disabling it has no effect on access points running IQ Engine 6.5, switches, routers, or Virtual Gateway appliances.
Proxy ARP When Proxy ARP is enabled, the device learns client MAC addresses and answers ARP requests on their behalf. By default, this option is enabled and the device proxies all ARP requests and replies that traverse it. However, there might be occasions, such as when you need to diagnose a network issue, when you want to let ARP requests and replies between wireless clients and network devices such as the default gateway flow directly across the device without being proxied.
Disable Inter-SSID Flooding Select Disable Inter-SSID Flooding to prohibit a device from forwarding traffic that it receives from clients in one SSID to clients associated with the same device in another SSID. Instead, such traffic must first cross the device from an interface in access mode to an interface in backhaul mode. From there, the traffic might pass through an internal firewall that performs deep-packet inspection, URL filtering, or antivirus checking, and other operations, before sending the traffic back across the device to reach the clients in the destination SSID.
Disable WebUI Without Disabling CWP Select Disable WebUI Without Disabling CWP to disable the local web user interface on a device to improve system security without disabling the associated captive web portal.
Enable legacy HTTP redirect Select to enable redirects to legacy HTTP sites.
Note: Extreme Networks recommends HTTPS for best security. This option is provided for legacy clients, for which HTTPS is not suitable.
Global Logging Options for Firewall Policies
Log Select the corresponding check boxes to log the following:
  • Packets dropped because an IP or MAC firewall policy denies them
  • The first packet of each session destined for the Extreme Networks device itself
Drop Select the corresponding check boxes to drop the following traffic:
  • Fragmented IP packets
  • All non-management traffic destined for the Extreme Networks device itself
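The MSS adjustment described for the Enable TCP Maximum Segment Size setting above, as an added example that is not part of this page or of IQ Engine: the code parses the TCP option list of a SYN, rewrites the MSS option if it exceeds the threshold, and recomputes the TCP checksum so the forwarded segment stays valid. The per-tunnel overhead figures are assumptions back-calculated from the page's defaults (1500-byte MTU, 1414 and 1336-byte thresholds), and the sample SYN is constructed in the block.

```python
import struct
from typing import Optional, Tuple

# Assumed encapsulation overhead per tunnel type, back-calculated from the page's
# defaults by subtracting the 40 bytes of inner IPv4 + TCP headers. Illustrative
# figures, not vendor-published ones.
INNER_HEADERS = 40
TUNNEL_OVERHEAD = {
    "gre": 1500 - INNER_HEADERS - 1414,             # 46 bytes
    "gre-over-ipsec": 1500 - INNER_HEADERS - 1336,  # 124 bytes
}
SYN = 0x02


def mss_threshold(mtu: int, tunnel: str) -> int:
    """Largest MSS that still fits the tunnel MTU without fragmentation
    (what an "auto" MSS setting would derive from the mgt0 MTU)."""
    return mtu - INNER_HEADERS - TUNNEL_OVERHEAD[tunnel]


def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header and the segment. Evaluates to 0
    when run over a segment whose checksum field is already correct."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return _ones_complement_sum(pseudo + segment)


def clamp_mss(src_ip: bytes, dst_ip: bytes, segment: bytes,
              max_mss: int) -> Tuple[bytes, Optional[int]]:
    """Rewrite the MSS option of a SYN or SYN-ACK if it exceeds max_mss.

    Returns (segment_to_forward, mss_as_sent). mss_as_sent is None when the
    segment is not a SYN or carries no MSS option; a malformed option list is
    forwarded untouched rather than guessed at.
    """
    if len(segment) < 20 or not segment[13] & SYN:
        return segment, None
    data_offset = (segment[12] >> 4) * 4
    opts = bytearray(segment[20:data_offset])
    i, sent = 0, None
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            break                           # truncated or malformed option
        length = opts[i + 1]
        if kind == 2 and length == 4:       # MSS option
            sent = struct.unpack_from("!H", opts, i + 2)[0]
            if sent > max_mss:
                struct.pack_into("!H", opts, i + 2, max_mss)
            break
        i += length
    if sent is None or sent <= max_mss:
        return segment, sent
    new = bytearray(segment)
    new[20:data_offset] = opts
    new[16:18] = b"\x00\x00"                # zero the checksum before recomputing
    struct.pack_into("!H", new, 16, tcp_checksum(src_ip, dst_ip, bytes(new)))
    return bytes(new), sent


def build_syn(src_ip: bytes, dst_ip: bytes, sport: int, dport: int, mss: int) -> bytes:
    """Constructed sample SYN (options: MSS, NOP, NOP, SACK-permitted) with a valid checksum."""
    opts = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01\x04\x02"
    data_offset = (20 + len(opts)) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0,
                         data_offset << 4, SYN, 65535, 0, 0)
    segment = header + opts
    return segment[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, segment)) + segment[18:]


if __name__ == "__main__":
    src, dst = bytes([10, 0, 0, 5]), bytes([192, 168, 1, 1])   # constructed addresses
    syn = build_syn(src, dst, 40000, 443, 1460)
    forwarded, sent = clamp_mss(src, dst, syn, mss_threshold(1500, "gre"))
    print("client sent MSS", sent, "-> forwarded MSS", int.from_bytes(forwarded[22:24], "big"))
```

A real device would do the same on the SYN-ACK coming back through the tunnel, so that both directions honour the smaller value; the checksum recomputation is what makes this safe to apply transparently, since the receiving host otherwise discards the rewritten segment.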
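The checks that ARP Shield and DHCP Shield describe above, as an added example that is not part of this page or of IQ Engine: a per-frame verdict for traffic arriving from a wireless client that drops ARP messages claiming a protected IP (gateway, DNS) with the wrong MAC, and drops DHCP server-side traffic (UDP source port 67 or destination port 68). The `protected` binding table is an assumption standing in for whatever the AP has learned; the sample frames are constructed in the block.

```python
import struct
from typing import Dict

ETH_IPV4, ETH_ARP = 0x0800, 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def arp_shield_verdict(frame: bytes, protected: Dict[str, str]) -> str:
    """Verdict ("forward" or "drop") for an Ethernet frame received from a client.

    protected maps critical IPs to their legitimate MACs (assumed to be known to
    the AP). A client-originated ARP request or reply that claims a protected IP
    with another MAC, or whose ARP sender MAC disagrees with the Ethernet source,
    is dropped; gratuitous ARP requests are covered because they carry the same
    sender fields as replies.
    """
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != ETH_ARP:
        return "forward"
    if len(frame) < 42:
        return "drop"                     # truncated ARP from a client: do not forward
    eth_src = frame[6:12]
    _, _, hlen, plen, oper, sha, spa, _, _ = struct.unpack_from("!HHBBH6s4s6s4s", frame, 14)
    if hlen != 6 or plen != 4 or oper not in (ARP_REQUEST, ARP_REPLY):
        return "forward"
    if sha != eth_src:
        return "drop"                     # ARP sender MAC does not match the frame source
    legit_mac = protected.get(ip_str(spa))
    if legit_mac is not None and mac_str(sha) != legit_mac.lower():
        return "drop"                     # client claims the gateway/DNS IP with its own MAC
    return "forward"


def dhcp_shield_verdict(frame: bytes) -> str:
    """Drop DHCP server-side traffic from a client: only a server sends from UDP 67
    or to UDP 68. Client DISCOVER/REQUEST (68 -> 67) is forwarded."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return "forward"
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17 or len(ip) < ihl + 8:  # not UDP, or truncated
        return "forward"
    sport, dport = struct.unpack_from("!HH", ip, ihl)
    if sport == DHCP_SERVER_PORT or dport == DHCP_CLIENT_PORT:
        return "drop"
    return "forward"


def build_arp(eth_src: str, oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Constructed sample ARP frame (broadcast destination)."""
    eth = struct.pack("!6s6sH", b"\xff" * 6, mac_bytes(eth_src), ETH_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_IPV4, 6, 4, oper,
                      mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def build_udp(eth_src: str, src_ip: str, dst_ip: str, sport: int, dport: int,
              payload: bytes = b"") -> bytes:
    """Constructed sample IPv4/UDP frame (checksums left zero; not needed here)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return struct.pack("!6s6sH", b"\xff" * 6, mac_bytes(eth_src), ETH_IPV4) + ip + udp


if __name__ == "__main__":
    protected = {"192.168.1.1": "00:11:22:33:44:55"}            # constructed gateway binding
    poison = build_arp("de:ad:be:ef:00:01", ARP_REPLY, "de:ad:be:ef:00:01",
                       "192.168.1.1", "aa:bb:cc:dd:ee:ff", "192.168.1.20")
    print("ARP reply claiming the gateway:", arp_shield_verdict(poison, protected))
    print("DHCP OFFER from a client:", dhcp_shield_verdict(
        build_udp("de:ad:be:ef:00:01", "192.168.1.99", "255.255.255.255", 67, 68)))
```

The binding table is the part that matters operationally: a client with a static address never appears in it, which is why the page warns against ARP Shield on networks with statically addressed clients.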

System Settings Management Options

Use the settings in this section to adjust various device-level functions, including device health alarm thresholds, VoIP features, and client OS detection types. Miscellaneous settings cover reset, console, PoE, and data collection features.

Table 2. System Settings
Setting Description
LED Brightness Set the device status LED brightness level. Select an option from the menu: Bright, Soft, Dim, or Off.
Temperature Alarm Threshold Specify the ambient temperature threshold that triggers an alarm.
Fans Underspeed Alarm Threshold Specify the minimum RPM operating speed for fans. Speeds below this value trigger an alarm.
Call Admission Control Use the toggle to enable or disable Call Admission Control. If enabled, devices monitor VoIP traffic to determine if there is enough available airtime for new VoIP calls.
Airtime per Second Set the amount of airtime reserved for VoIP traffic. Decreasing the reserved airtime frees more airtime for traffic other than VoIP, which can be useful if there are only a few VoIP users on the WLAN; for a high number of VoIP users, increase it. Type a value in microseconds.

By default, a device reserves 500 milliseconds (500,000 microseconds) of airtime per second for all VoIP calls. You can set the reserved airtime per second for VoIP from 100 to 1000 milliseconds.

Guaranteed Airtime for Roaming Clients Set the percentage of airtime that a device reserves on the access interface for receiving VoIP calls from roaming clients. Type a value as a percentage (%).

By default, a device guarantees 20% of the reserved VoIP airtime for VoIP calls from roaming clients. You can change the percent of guaranteed airtime for roaming clients from 0% to 100%. Consider lowering the percent if VoIP users rarely roam, and raising the setting if roaming often occurs. Because VoIP traffic from a roaming client belongs to an existing session, the device to which the client roams always accepts it. If there is not enough airtime available in the guaranteed roaming reserve, the device deducts available airtime from the relevant user profile.

OS Detection Enable devices to detect the operating system of client devices from the DHCP option 55 parameter request list, the HTTP User-Agent header, or both. Set the toggle to ON and choose a detection method:
  • Use DHCP option 55 contents: Select to use the DHCP option 55 parameter list.
  • Use HTTP user agent IDs: Select to use the User-Agent ID within the HTTP headers.
  • Use both detection methods (DHCP=primary method, HTTP=secondary method): Select to use both the DHCP option 55 parameter list and the HTTP User-Agent information to identify the client operating system. When you select this option, devices first check the contents of the DHCP option 55 parameter list. If there is no match, the device examines the HTTP header for the User-Agent ID to determine the operating system. If neither method matches, ExtremeCloud IQ displays the client OS as unknown. Both signals are supplied by the client and can be set to anything by it, so treat the detected OS as informational rather than as an authentication or authorization input.
Disable Reset Button Disable the reset button on the front panel of the chassis to prevent non-administrators from using it to reset the device to its default settings or to a bootstrap configuration. Select the check box.
Disable Console Port Disable the console port on a device to block all administrative access through that port. Select the check box.

Disabling the console port on a device deployed in a publicly accessible location is a good security precaution.

Note: Disabling the console port means that all administrative access must flow over the network. If there are connectivity issues with the network, or if the device is configured to obtain its IP address only through DHCP and cannot get its network settings from a DHCP server, you will not be able to log in to the device.
Enable Smart PoE Enable the Smart PoE feature. Select the check box.

Smart PoE lets an AP230, AP320, or AP340 adjust its power consumption automatically based on the current power supply. The AP230 and AP320 support PoE on the ETH0 interface. The AP340 supports PoE on both its ETH0 and ETH1 interfaces, and can draw power through either one or both at the same time. Using Smart PoE, an AP can detect whether power injectors are connected to one or both of its Ethernet ports and how many watts are available on each PoE channel. The AP uses this information to manage its internal use of power based on the currently available power level as follows:

  • 20 W or higher: No adjustments are needed when the power level is 20 W or higher.
  • 18 - 20 W: The device disables the ETH1 interface.
  • 15 – 18 W: The device switches from 3x3 MIMO (Multiple In, Multiple Out) to 2x3.
  • 13.6 - 15 W: In rare cases when the power drops between 13.6 and 15 W and further power conservation is necessary, the device reduces the speed on its active Ethernet interface from 10/100/1000 Mbps to 10/100 Mbps.
  • 0 - 13.6 W: If there is a problem with the PoE switch or Ethernet cable and the power falls between 0 and 13.6 W, the device disables its wireless interfaces and returns its ETH0 and ETH1 interfaces to 10/100/1000 Mbps speeds.
Note: When using smart PoE, the maximum power consumption setting must be set to No limitation (the default). Manually setting the PoE maximum power consumption level to anything else overrides smart PoE and essentially disables it.
Enable PCI Wireless Control Data Collection Enable this feature to collect data about MAC DoS, IP DoS, and MAC filter violations in PCI compliance reports. Select the check box.
Accept ICMP Redirect Message Enable this feature to accept ICMP redirect messages from routers on the device's subnet. Select the check box.

By default, devices reject ICMP redirects because crafted ICMP redirect messages can be maliciously used to cause a victim host to send traffic to an attacker's host or even back to the victim itself, which is what occurs during a WinFreeze attack. However, if you believe that your network is safe from such threats and you want multiple routers on the local subnet to be able to update the routing table on devices, enable this option.

Report client information gathered from captive web portals Enable this feature to require devices to forward client information (such as name and email address) to ExtremeCloud IQ, where the information is logged as an event. Select the check box.
Hostname in Beacon Activate iBeacon for APs that have internal iBeacon transmitters and belong to a network policy. Slide the toggle to ON.

To use this setting, you must first define the iBeacon service in the associated network policy and then turn it on via the Device Management page.
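The OS Detection setting in Table 2 describes a primary/secondary fingerprinting order (DHCP option 55 first, HTTP User-Agent second, otherwise unknown). The following added example, which is not part of this page or of ExtremeCloud IQ, implements that order: it walks the DHCP option TLVs to extract the option 55 parameter request list, matches it against a fingerprint table, and falls back to User-Agent substrings. The fingerprint tables and the sample DHCP option bytes are assumptions constructed for illustration, not the product's database.

```python
from typing import Dict, List, Optional, Tuple

# Illustrative fingerprints (assumed, not ExtremeCloud IQ's database). DHCP option 55
# is the client's parameter request list; the order and contents differ by OS.
DHCP55_FINGERPRINTS: Dict[Tuple[int, ...], str] = {
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252): "Windows 10",
    (1, 121, 3, 6, 15, 119, 252, 95, 44, 46): "macOS",
    (1, 3, 6, 15, 26, 28, 51, 58, 59, 43): "Android",
}

# Ordered so that the more specific token wins ("iPhone OS" UAs also contain
# "Mac OS X"; Android UAs also contain "Linux").
UA_FINGERPRINTS: List[Tuple[str, str]] = [
    ("Windows NT 10.0", "Windows 10"),
    ("iPhone OS", "iOS"),
    ("Android", "Android"),
    ("Mac OS X", "macOS"),
    ("Linux", "Linux"),
]


def dhcp_option55(options: bytes) -> Optional[Tuple[int, ...]]:
    """Walk the DHCP options field (the TLVs after the magic cookie) and return
    the parameter request list as a tuple, or None if absent or truncated."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == 255:                 # End option
            break
        if code == 0:                   # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(options):
            break
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) < length:         # truncated option: do not trust it
            break
        if code == 55:
            return tuple(value)
        i += 2 + length
    return None


def os_from_dhcp(options: bytes) -> Optional[str]:
    prl = dhcp_option55(options)
    return DHCP55_FINGERPRINTS.get(prl) if prl else None


def os_from_user_agent(user_agent: str) -> Optional[str]:
    for needle, name in UA_FINGERPRINTS:
        if needle in user_agent:
            return name
    return None


def detect_os(dhcp_options: Optional[bytes] = None, user_agent: Optional[str] = None,
              method: str = "both") -> str:
    """method is "dhcp", "http" or "both" (DHCP primary, HTTP secondary)."""
    if method in ("dhcp", "both") and dhcp_options is not None:
        found = os_from_dhcp(dhcp_options)
        if found:
            return found
    if method in ("http", "both") and user_agent:
        found = os_from_user_agent(user_agent)
        if found:
            return found
    return "unknown"


if __name__ == "__main__":
    # Constructed DHCP options: option 53 (DISCOVER), option 55, end.
    sample = bytes([53, 1, 1, 55, 13, 1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252, 255])
    print(detect_os(sample, "Mozilla/5.0 (Linux; Android 13)", "both"))   # DHCP wins
```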

Authentication Settings Management Options

Authentication settings specify the database location for storing administrator accounts, and control authentication for administrators.

Table 3. Authentication Settings
Setting Description
Extreme Networks Device Admin Authentication Specify the location of the database storing administrator accounts with which the AP authenticates administrators when they log in. Choose one of the following options:
  • Local—Stores admin accounts locally on the APs.
  • RADIUS—Stores admin accounts remotely on RADIUS authentication servers.
  • Both—Stores admin accounts both locally and remotely.
If one or more RADIUS servers are already in place, for convenience and security, you can keep all the accounts there and configure the AP to look up administrators on those servers.
Note: Be careful about using the RADIUS option. If all the AP admin accounts are on a RADIUS server and the device cannot connect to it, attempts by administrators to log in to the device fail.

If there is no central RADIUS server containing a user database, or if you prefer to keep the admin accounts locally on the AP, select Local. To use accounts located on an external RADIUS server and locally on the device, select Both. In this case, the device authenticates administrators by first checking the accounts on the external RADIUS servers specified in the RADIUS profile and then checking the accounts stored in the local database.

Private PSK Server Auto-Save Interval Type the interval at which a device acting as a private PSK server automatically saves its list of private PSK-to-client MAC address bindings to flash memory. Depending on how frequently the server binds private PSKs to client MAC addresses, you can make the interval as short as 60 seconds or as long as 3600 seconds (1 hour).
MAC Address Format Define the MAC Address Format:
  • Delimiter—Choose the type of delimiter: Colon (:), Dash (-), or Dot (.).
  • Style—Choose No delimiters, Two delimiters, or Five delimiters.
  • Case Sensitivity—Choose between Lower Case and Upper Case.

Some servers accept MAC addresses only in a particular format. These parameters control MAC authentication for local users on an Extreme Networks RADIUS server. The comparison is exact: for example, if you set the case to lower case but store local users with upper case MAC addresses as their user names and passwords, MAC authentication fails.

By default, a device formats MAC addresses in lower case without any delimiter; for example: 0016cf8d55bc. You can reformat this address by making the following selections:

Colon, no delimiter, upper case: 0016CF8D55BC

Colon, two-delimiter, upper case: 0016:CF8D:55BC

Colon, five-delimiter, upper case: 00:16:CF:8D:55:BC

Dash, five-delimiter, upper case: 00-16-CF-8D-55-BC

Dot, five-delimiter, upper case: 00.16.CF.8D.55.BC
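The MAC Address Format options above, as an added example that is not part of this page or of the Extreme Networks RADIUS server: a formatter that takes the page's Delimiter, Style and Case Sensitivity choices and reproduces every sample above, plus an exact-match check that shows the failure the page warns about when the stored user name's case differs from the configured format. The option names used as keys are taken from the page; the comparison logic is an assumption about a server that does not canonicalise MAC user names.

```python
import re

# Option names as they appear on the page.
DELIMITERS = {"Colon": ":", "Dash": "-", "Dot": "."}
GROUP_SIZE = {"No delimiters": 12, "Two delimiters": 4, "Five delimiters": 2}


def normalize_mac(mac: str) -> str:
    """Strip any delimiter and return the 12 hex digits in lower case.
    Rejects anything that is not a 48-bit address rather than padding it."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return digits.lower()


def format_mac(mac: str, delimiter: str = "Colon", style: str = "No delimiters",
               case: str = "Lower Case") -> str:
    """Render a MAC the way the device would present it to RADIUS. The defaults
    reproduce the device default (lower case, no delimiter)."""
    digits = normalize_mac(mac)
    if case == "Upper Case":
        digits = digits.upper()
    size = GROUP_SIZE[style]
    return DELIMITERS[delimiter].join(digits[i:i + size] for i in range(0, 12, size))


def mac_auth_ok(client_mac: str, stored_username: str, delimiter: str,
                style: str, case: str) -> bool:
    """Assumed server behaviour: the formatted client MAC must equal the stored
    user name byte for byte, so a case or delimiter mismatch fails authentication."""
    return format_mac(client_mac, delimiter, style, case) == stored_username


if __name__ == "__main__":
    for delimiter, style in [("Colon", "No delimiters"), ("Colon", "Two delimiters"),
                             ("Colon", "Five delimiters"), ("Dash", "Five delimiters"),
                             ("Dot", "Five delimiters")]:
        print(delimiter, style, "->", format_mac("0016cf8d55bc", delimiter, style, "Upper Case"))
    # Stored as upper case with colons, device configured for lower case: fails.
    print(mac_auth_ok("00-16-CF-8D-55-BC", "00:16:CF:8D:55:BC", "Colon", "Five delimiters", "Lower Case"))
```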