Configure CWA on ExtremeControl

Configure CWA to integrate with an ExtremeControl server.

  1. On the ExtremeControl server, create a policy mapping for the ExtremeCloud IQ Controller network:
    • Map the policy to the ExtremeCloud IQ Controller network name.
    • Provide the redirection rule that you created on ExtremeCloud IQ Controller as the Filter ID value.
    • Provide the Redirection URL as the Cisco RADIUS attribute value pair (AVP). For example: cisco-avpair=url-redirect=http://10.47.1.15:80/
      Note

      Note

      Do not include query parameters in the url-redirect. The following AVP is not valid: cisco-avpair=url-redirect=http://10.47.1.15:80/?a=123, where ?a=123 is a query parameter.
  2. From the ExtremeControl server, go to Configuration > Profiles > Policy Mapping.
    The rules engine assigns the policy Unregistered to the redirection and assigns the policy Enterprise User when authenticated by the captive portal.
  3. Create a new mapping for the Unregistered policy.
    Click to expand in new window
    Redirect Policy Mapping on ExtremeControl — Unregistered Policy
    Redirect Policy Mapping on ExtremeControl for an Unregistered user.
    • Location — Specify the CWA network name that you configured in ExtremeCloud IQ Controller.
    • Filter — Specify the redirection rule that you configured on ExtremeCloud IQ Controller.
    • Custom — Specify the AVP: cisco-avpair=url-redirect=http://10.47.1.15:80/
    Verify the attributes specified by Filter and Custom 3 by editing the switch profile that corresponds to ExtremeCloud IQ Controller.
    Click to expand in new window
    Switch RADIUS Attribute Configuration — Advanced Settings
    RADIUS Attribute Configuration for a switch associated with ExtremeCloud IQ Controller.
  4. Create a policy mapping for Enterprise User.

    You can use the default ExtremeCloud IQ Controller allow roles. For example the default Enterprise User, or you can configure your own role. Here our configured Enterprise User role includes the AH-Allow rule. Map the Enterprise User role to ExtremeControl.

    Click to expand in new window
    Allow Policy Mapping on ExtremeControl — Enterprise User
    Allow Policy Mapping on ExtremeControl for an Enterprise User.
    • Location — Specify the CWA network name that you configured in ExtremeCloud IQ Controller.
    • Filter — Specify the allow policy rule that you configured on ExtremeCloud IQ Controller.
  5. Assign both the allow policy role and the redirect policy role to the site configuration Profile on ExtremeCloud IQ Controller.
    1. Go to Sites and select the site.
    2. Select Device Groups and select the device group.
    3. Select Profile and edit the configuration Profile.
    4. Select Roles and select the following roles:
      • NAC_WEBAUTH-REDIRECT
      • Enterprise User
9038115-00 Rev. AA