Configure a Router Template

About this task

A router template is a diagram of the physical ports for a specific Extreme Networks router model and allows you to assign port types to the device ports. A port type defines how the ports assigned to it will function. You can add one or more templates for the router models to which the network policy applies. To use more than one template for the same router model, you must use classification rules to distinguish which template to apply to which device. You can select a previously defined template to use as is, or copy it and modify the settings in the copy to customize it for a particular policy. When you modify a device template that is used in multiple network policies, your changes are applied to that template everywhere. If you do not want to change the template in other network policies, make a copy, save it with a different name, and modify the new template for use in a single policy.

Procedure

  1. Select ADD and choose the appropriate device template for your model.
  2. In the device template, assign ports with the connection types that you want them to provide: access, 802.1Q, and WAN.
  3. Enter a template name.
  4. To assign an existing port type:
    1. Highlight one or more ports in the router template, and then select Assign > Choose Existing.
    2. Select the type you want for the selected port or ports:
      • Access port: for a port connected to an individual host
      • WAN port: for a port connected to the WAN
      • Trunk port: for a port connected to a forwarding device, such as an AP or switch, that supports multiple VLANs
  5. To create a new port type, select Assign > Create New and enter the following in the New Port Type section:
    1. Enter a port type name.
    2. Enter an optional description.
    3. Toggle the Port Status ON to enable the port, or OFF to disable it.
    4. For Port Usage, select Access Port for ports connected to individual hosts, Trunk Port (802.1Q VLAN Tagging) for ports providing network access through forwarding devices such as APs and switches that support multiple VLANs, or WAN Port for a port acting as a backup WAN interface.
    5. Configure parameters for the port type you selected.
  6. For Access Port:
    1. For Port Usage Settings, select one of four possibilities for authentication:
      • No user authentication and no MAC authentication. This is the default and is common for sites where you know all connections will come from trusted devices, so no authentication is necessary. An employee home office is one example.
      • User authentication for clients with a RADIUS supplicant running on them but no MAC authentication. Use this option to authenticate users before allowing network access, if you know that permitted devices will have a RADIUS supplicant running on them, and if your infrastructure is set up for RADIUS user authentication.
      • MAC authentication for clients without a RADIUS supplicant but no user authentication. Use this option to control network access when you know that permitted devices connecting to the port will not have a RADIUS supplicant and your RADIUS infrastructure is set up to authenticate them by MAC address.
      • User authentication for clients with a RADIUS supplicant or MAC authentication for clients without. This option is useful for situations where you cannot know in advance if a device connected to the access port will have a RADIUS supplicant, perhaps when users at different branch sites connect devices with different RADIUS capabilities to the port.
    2. For Wired Connectivity, toggle OFF to enable clients to connect to the port without requiring user authentication, and ON to enable user authentication through EAP/802.1X and RADIUS.
    3. Configure a default RADIUS server group and, if you want different APs to use different RADIUS servers based on their location, select Apply RADIUS server groups to devices via classification and select or configure additional RADIUS server groups.
      See Configure RADIUS Server Settings for more information about RADIUS server settings.
    4. For MAC Authentication, toggle OFF to allow clients to connect to the port without requiring MAC authentication, and ON to enable device authentication using the MAC address as both user name and password.
      When a client without a RADIUS supplicant connects, the RADIUS server tries MAC authentication, also referred to as MAB (MAC authentication bypass).
    5. For Authentication Protocol, choose PAP (Password Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol), or MS CHAP V2 (Microsoft CHAP Version 2), depending on which protocol the RADIUS authentication server supports.

      If you are using an Extreme Networks RADIUS server, use the default choice: PAP. For an external RADIUS authentication server, choose the protocol that it supports. The Extreme Networks device functioning as the RADIUS authenticator uses the chosen protocol to authenticate communications between itself and the RADIUS server when submitting client credentials (MAC address) for authentication.

      If you already enabled User Authentication on the Wired Connectivity tab and configured one or more RADIUS server groups for it, those servers will also perform MAC authentication. If you enable only MAC authentication on the access port, then you must define a default RADIUS server group and optionally other groups via classification.

    6. For Multiple Clients, select Allow multiple clients connected to the same port on the same VLAN.
      Only the first device needs to authenticate successfully for all others to connect as well.
    7. For Primary authentication using, select which authentication method is attempted first. This option applies when both Wired Connectivity and MAC Authentication are enabled.
      For example, if you select Primary authentication using 802.1X, the RADIUS authentication server first attempts to prompt the client for a user name and password. If the client has a RADIUS supplicant, it must submit a valid user and password to pass authentication. If the client does not have a RADIUS supplicant, the RADIUS server then tries to authenticate the client using the MAC address as both user name and password. If one of the authentication methods succeeds, the client is allowed on the network. If neither succeeds, the client is denied network access. To change the authentication sequence so that MAC authentication is attempted first, select Primary authentication using MAC.
  7. For User Access Settings:
    1. For Default User Profile, set the user profile that you want the router to apply by default to users connecting to the port.
    2. Either select and choose an existing user profile, or select the plus sign and create a new one.
      See Add a User Profile for more information about creating user profiles.
    3. Select Apply a different user profile to various clients and user groups and add one or more user profiles for different categories of users that you expect to make wired connections to the access port.

      If a single device, such as a printer, is always connected to this port, leave the check box cleared and just apply the default user profile for infrastructure devices like printers. If you expect different types of users, such as employees, consultants, and visiting VIPs, to use the port as needed to connect their computers to the network, then select the check box and set up classification rules to govern when to apply different user profiles.

    4. For Traffic Filter Management, select which management and diagnostic services—SSH, Telnet, Ping, and SNMP—to enable access to the mgt0 interface through the access port.
  8. Configure the following settings for Trunk Ports connected to network forwarding devices such as switches and APs that support multiple VLANs on trunk ports:
    1. For VLAN Object, set the native (untagged) VLAN and all VLANs that you want the port to support.
      • Native VLAN: The native (untagged) VLAN is the VLAN assigned to frames that do not have any 802.1Q VLAN tags in their headers. By default, Extreme Networks devices use VLAN 1 as the native VLAN.
      • Allowed VLANs: Enter the VLANs—including the native VLAN—that you want the trunk port to enable. You can list the VLANs individually, separated by commas, or as a range of VLANs using a hyphen. Alternatively, you can enter the word all to support all existing VLANs previously configured in the network policy. When you enter all, the router allows all VLANs configured in the network policy, not all VLANs from 1 to 4094.
    2. For Traffic Filter Management, select which management and diagnostic services—SSH, Telnet, Ping, and SNMP—to enable access to the mgt0 interface through the trunk port.
  9. For WAN Ports: because the ETH0 and USB ports are always enabled as WAN links, they must be set as primary, backup1, backup2, or backup3. You can also set one or more Ethernet ports as WAN links.
  10. Port Types In Use provides an overview of the port settings and configuration options available from the port settings tabs:
    • Port Details: View information about the interfaces on the router, add or modify the port type assigned to each interface, and modify the WAN priority settings.
    • Port Settings: Displays the physical interface names, and allows you to select the transmission types and speeds.
    • PSE: Choose the PSE (power sourcing equipment) power settings for the router to provide to PDs (powered devices) through the ETH1 and ETH2 ports.
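
The Allowed VLANs entry described in step 8 (individual IDs, hyphenated ranges, or the word all) can be checked before it is typed into a trunk port type. The following is an added example, not Extreme Networks code; the function names are assumptions, and the check against the policy's VLAN list is an added hygiene check rather than a rule stated on this page.

```python
import re

VLAN_MIN, VLAN_MAX = 1, 4094  # VLAN ID range named in step 8
_ITEM = re.compile(r"\s*(\d+)\s*(?:-\s*(\d+)\s*)?", re.ASCII)


def parse_allowed_vlans(spec, policy_vlans):
    """Expand an Allowed VLANs entry into a set of VLAN IDs.

    spec         -- text as entered: "all", or IDs and ranges like "1,10-20,30"
    policy_vlans -- VLAN IDs already configured in the network policy
    """
    if spec.strip().lower() == "all":
        # "all" means the VLANs in the network policy, not 1 to 4094.
        return set(policy_vlans)
    vlans = set()
    for item in spec.split(","):
        match = _ITEM.fullmatch(item)
        if match is None:
            raise ValueError(f"not a VLAN ID or range: {item!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if low > high:
            raise ValueError(f"range is reversed: {item!r}")
        if low < VLAN_MIN or high > VLAN_MAX:
            raise ValueError(f"outside {VLAN_MIN}-{VLAN_MAX}: {item!r}")
        vlans.update(range(low, high + 1))
    return vlans


def check_trunk(native_vlan, spec, policy_vlans):
    """Return (allowed_set, findings) for one trunk port type."""
    allowed = parse_allowed_vlans(spec, policy_vlans)
    findings = []
    # Step 8 says the allowed list must include the native VLAN.
    if native_vlan not in allowed:
        findings.append(f"native VLAN {native_vlan} is not in the allowed list")
    # Added hygiene check (assumption): flag IDs the policy does not define.
    extra = sorted(allowed - set(policy_vlans))
    if extra:
        findings.append(f"allowed but not defined in the policy: {extra}")
    return allowed, findings
```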
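
The access port choices in steps 6 and 7 (authentication mode, Multiple Clients, Traffic Filter Management) combine into very different exposure on a host-facing port. The following added example, which is not part of the product or its documentation, reviews one port type held in a hypothetical dictionary; the field names and finding codes are assumptions made for illustration.

```python
# Constructed sample of one access port type. The field names are assumptions
# for this example, not a product export format.
SAMPLE_PORT_TYPE = {
    "name": "branch-access",
    "user_auth": False,         # Wired Connectivity toggle (EAP/802.1X)
    "mac_auth": True,           # MAC Authentication toggle
    "multiple_clients": True,   # Allow multiple clients on the same port/VLAN
    "mgmt_services": ["SSH", "Telnet", "Ping"],  # Traffic Filter Management
}


def audit_access_port(port):
    """Return (code, message) findings for one access port type."""
    findings = []
    user_auth, mac_auth = port["user_auth"], port["mac_auth"]
    if not user_auth and not mac_auth:
        findings.append(("NO_AUTH", "port admits any connected device; "
                         "confirm the site really has only trusted devices"))
    elif mac_auth and not user_auth:
        findings.append(("MAC_ONLY", "MAC address is both user name and "
                         "password, and a MAC address is not a secret"))
    if port["multiple_clients"] and (user_auth or mac_auth):
        findings.append(("SHARED_SESSION", "only the first device must "
                         "authenticate; later devices on the port are unchecked"))
    services = {s.lower() for s in port["mgmt_services"]}
    if "telnet" in services:
        findings.append(("TELNET", "Telnet to mgt0 sends credentials in "
                         "cleartext; prefer SSH"))
    exposed = sorted(services & {"ssh", "telnet", "snmp"})
    if exposed:
        findings.append(("MGMT_EXPOSED", "mgt0 reachable from a host-facing "
                         "port via: " + ", ".join(exposed)))
    return findings


def finding_codes(port):
    """Convenience wrapper: just the finding codes, in order."""
    return [code for code, _ in audit_access_port(port)]
```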