You can create an AAA Policy that can be referenced through a WLAN Service, bypassing the local Network Access Control on ExtremeCloud IQ Controller.

Note: AAA Policy can only be configured for WLAN Networks requiring MACAUTH, External Captive Portal, or EAP.
To configure an AAA network policy:

1. Go to Configure > Networks > WLANs and select a network.
   AAA Policy is displayed for WLAN Networks that require authentication or authorization. The value Local Onboarding refers to RADIUS requests that are directed through the ExtremeCloud IQ Controller. Local Onboarding is the default value for WLAN Networks configured for Internal Captive Portal.
2. Select an Auth Type. The AAA Policy field displays.
3. From the AAA Policy field, add a new policy or edit an existing policy.
4. Configure the following parameters:
Name
Policy name.

Authentication Protocol
Authentication protocol type for the RADIUS server (PAP, CHAP, MS-CHAP, or MSCHAP2).

NAS IP Address
IP address of the Network Access Server (NAS).

NAS ID
A RADIUS attribute that identifies the client to a RADIUS server. The NAS-Identifier can be used instead of an IP address to identify the client.

Call Station ID
Identifies a group of access points. The Call Station ID is often configured in a large network using an external NAC or RADIUS server. Possible values are:
- Wired
- MAC: SSID
- BSSID (APs supported on a Centralized site only)
- Site Name
- Site Name: Device Group Name
- AP Serial Number
- Site Campus
- Site Region
- Site City

Note: Call Station ID allows for Zone authentication with a Centralized site.
Accounting Type
Determines when the appliance generates the accounting request. Valid values are:
- Start-Interim-Stop — Start record after successful login by the wireless device, interim record, and an accounting stop record based on session termination.
- Start-Stop — Start record after successful login by the wireless device user and an accounting stop record based on session termination.
The appliance sends the accounting requests to a remote RADIUS server.

Wait for client IP before starting accounting procedure
By default, the Accounting Start record is generated when the client is authenticated. Enable this setting to generate the Accounting Start record when the client acquires a non-local IP address. Use this option for captive portals, which use RADIUS Accounting to learn the client IP address before providing the landing page.

Accounting Interim Interval
The number of seconds (60-3600) between each interim update for a specific session. Default value is 60.
RADIUS Authentication Servers Mode
Select the availability behavior for RADIUS servers. Valid values are: Failover or Load Balance.

AAA Policy supports the ability to load balance RADIUS requests across target servers in a load-balancing pool. (A minimum of two servers is required.) Each client authentication session begins and ends on a single RADIUS server. The ExtremeCloud IQ Controller validates that each server can be reached and logs an alert when a server in the pool is unreachable. The server pool is readjusted based on the status of each server in the pool.

Note: Configure one server for both Accounting and Authentication purposes.

When this setting is set to Failover, a RADIUS request is sent to one server at a time:
- The RADIUS request is sent to the Primary server (based on the RADIUS server order in the AAA policy).
- When the Primary server is not accessible, the request is sent to the second server (the Failover server).
- When the Primary server is accessible again, requests are automatically sent to the Primary server instead of the Failover server.

When this setting is set to Load Balance, RADIUS requests are sent in round-robin fashion:
- When a RADIUS server is not accessible, ExtremeCloud IQ Controller stops sending requests to that server.
- When a server is accessible again, it is added back to the pool of servers.

Note: In both modes, the RADIUS Status-Server message (RFC 5997) indicates whether a RADIUS server is accessible.
Include Framed IP
Select this option to include the FRAMED-IP attribute value pair in the RADIUS ACCESS-REQ message. Including the user IP address in the RADIUS ACCESS-REQ through the FRAMED-IP attribute can extend user access reporting capabilities. Framed IP is supported by External Captive Portal only. Centralized Web Authentication does not support Framed IP.

Report NAS Location
Sends Network Access Server (NAS) Location per the RFC 5580 Out-of-Band agreement. After a NAS Location change, the new NAS Location is reported in the next RADIUS Request or RADIUS Accounting message.

Note: Mid-session requests and the Initial Server Request for Location as described in RFC 5580 are not supported.

The following additional attributes (AVP) used by RFC 5580 are supported:
- LOCATION-INFO
- LOCATION-DATA
- BASIC-LOCATION-POLICY-RULES
- OPERATOR-NAME (described below)

Note: Site Location details are reported in LOCATION-DATA. For more information on Site Location information, see the ExtremeCloud IQ Controller User Guide.

Operator Name
RADIUS attribute comprised of the operator namespace identifier and the operator name. The combination of operator name and namespace identifier uniquely identifies the owner of an access network. The Operator Name cannot exceed 253 bytes. Valid values are:
- Tadig — Three-character Country Code followed by a two-character alphanumeric operator ID
- Realm — Registered Domain Name of Operator
- E212 — Mobile Country Code or Mobile Network Code
- OneCC — Three-character Country Code followed by 1-6 uppercase ITU Carrier Codes
- None
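As an added illustration (not Extreme's code or the controller's implementation), the following Python encodes and decodes the Operator-Name attribute the way RFC 5580 puts it on the wire: attribute type 126 carrying a one-character namespace identifier ('0' TADIG, '1' REALM, '2' E212, '3' ICC, which the policy calls OneCC) followed by the operator name, with the 253-byte value limit enforced. The per-namespace format patterns are my reading of the descriptions above and are assumptions, as are the sample names; the None choice corresponds to not sending the attribute at all, so it has no case here.

```python
import re

# RADIUS attribute type of Operator-Name (RFC 5580, section 4.1). The value is a
# one-character namespace identifier followed by the operator name.
OPERATOR_NAME_TYPE = 126
NAMESPACE_IDS = {"tadig": "0", "realm": "1", "e212": "2", "onecc": "3"}

# Format checks derived from the parameter description above. These patterns are
# assumptions for illustration, not the controller's own validation rules.
FORMATS = {
    "tadig": re.compile(r"^[A-Z]{3}[A-Z0-9]{2}$"),             # 3-char country code + 2-char operator ID
    "realm": re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$"),  # registered domain name
    "e212": re.compile(r"^[0-9]{5,6}$"),                       # MCC (3 digits) + MNC (2-3 digits)
    "onecc": re.compile(r"^[A-Z]{3}[A-Z0-9]{1,6}$"),           # 3-char country code + 1-6 ITU carrier codes
}

# The RADIUS length octet counts type + length + value and is at most 255, so the
# value (namespace identifier plus operator name) is at most 253 bytes.
MAX_VALUE_LEN = 253


def encode_operator_name(namespace: str, name: str) -> bytes:
    """Return the Operator-Name AVP as sent on the wire: type, length, value."""
    if namespace not in NAMESPACE_IDS:
        raise ValueError(f"unknown namespace {namespace!r}")
    if not FORMATS[namespace].match(name):
        raise ValueError(f"{name!r} is not a valid {namespace} operator name")
    value = (NAMESPACE_IDS[namespace] + name).encode("ascii")
    if len(value) > MAX_VALUE_LEN:
        raise ValueError(f"Operator-Name value is {len(value)} bytes, limit is {MAX_VALUE_LEN}")
    return bytes([OPERATOR_NAME_TYPE, 2 + len(value)]) + value


def decode_operator_name(avp: bytes) -> tuple[str, str]:
    """Parse an Operator-Name AVP into (namespace, operator name); reject malformed input."""
    if len(avp) < 3 or avp[0] != OPERATOR_NAME_TYPE or avp[1] != len(avp):
        raise ValueError("malformed Operator-Name AVP")
    ns_id = chr(avp[2])
    for namespace, ident in NAMESPACE_IDS.items():
        if ident == ns_id:
            return namespace, avp[3:].decode("ascii")
    raise ValueError(f"unknown namespace identifier {ns_id!r}")


if __name__ == "__main__":
    # Constructed sample: a Realm-namespace operator name for a hypothetical venue.
    avp = encode_operator_name("realm", "wifi.example.net")
    print(avp.hex(), decode_operator_name(avp))
```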
RADIUS Authentication Servers
To add RADIUS servers for authentication, select Add. You can configure up to four RADIUS servers for authentication. We have the CWA server configured.

RADIUS Accounting Servers
To add RADIUS servers for accounting, select Add. You can configure up to four RADIUS servers for accounting.