ExtremeCloud IQ Controller Deployment Guide Version 10.10.01
>
Deploying ExtremeCloud IQ-SE as an External Captive Portal
> Adding ExtremeCloud IQ Controller as a Switch to ExtremeCloud IQ - Site Engine
Published June 01, 2024
Search this document
Print this page
Email this page
View PDF
Previous
Next
Preface
Conventions
Text Conventions
Documentation and Training
Send Feedback
Help and Support
AP Regulatory Information
Deploy ExtremeCloud IQ Controller
VE6120K, VE6125K Virtual Appliances
VE6120H Virtual Appliance
VE6120,VE6125 Virtual Appliance
Appliances for Universal Compute Platforms
Supported Appliance Specifications
Discovery and Registration
Discovery Process for APs and Adapters in a Centralized Site
Discovering Centralized Site APs and Adapters
Switch Discovery Process
Discovering Switches
Switch Discovery in an Availability Pair
Sites
Device Groups
Configuring DHCP, NPS, and DNS Services
DHCP Service Configuration
Configuring DHCP on Windows Server 2012 R2
Add a New DHCP Scope
Create New DHCP Options
Creating Option 78
Configure DHCP Server Options
Configuring Vendor Class on Windows Server 2012 R2
Configuring Option 43
Configuring Server Options
Configuring DHCP on a Red Hat Linux Server
Configuring DHCP Option 43 on a Linux Server
Configuring the ExtremeCloud IQ Controller as an NPS Client
NPS Service Configuration
Add a New Network Policy
Create Condition: Client IPv4 Addresses
Create Condition: Windows Groups
DNS Service Configuration
Configuring DNS for Wireless AP Discovery
Configuring DNS on a Linux Server
Configure ExtremeCloud IQ Controller for Local DHCP Management
Add a Physical Interface
Local DHCP Settings
Centralized Site with an Internal Captive Portal
Adding a Centralized Site with Device Group
Configuring an Internal Captive Portal
Specifying B@AC Network Topology
Configuring a Captive Portal Network
Working with Internal Captive Portal Engine Rules
Editing Device Group Profile for Network and Role
Creating Adoption Rules
Centralized Site with a AAA Network
Configuring a AAA Network
Creating an Engine Rule
Creating a Policy Role
Applying a AAA Network and Role to the Device Group
Mesh Point Network Configuration
Mesh Point Network Settings
Configure Device Groups for Mesh Point
Advanced Configuration Profile and Mesh Device Settings
Configure Transparent Bridge
Configuring an External NAC Server for MBA and AAA Authentication
Configuring the External NAC Server
Network with Default Auth Role
Configuring an MBA Network
Configuring a AAA Network
Network with Pass-Through External RADIUS
Configuring an MBA Network
Configuring a AAA Network
Manage RADIUS Servers for User Authentication
RADIUS Settings
Advanced RADIUS Settings
Configure a Pass Through Rule
External Captive Portal on a Third-Party Server
Firewall Friendly External Captive Portal Flow of Events
FF-ECP on ExtremeCloud IQ Controller
Configure the Firewall
Configure an External Captive Portal
Understand Processing Performed by the ECP
The Redirection URL Sent from ExtremeCloud IQ Controller
Verify the Signed Request
Compose the Login or Splash Screen Page
Approve the Client
Signing the Redirection to ExtremeCloud IQ Controller
Case 1: When a RADIUS Server Authenticates the Client
Case 2: When the ECP is the Final Authority
Access Control Rules for Admin Portal Access
Configure Access Control Group
Default Access Control Groups
Configure Admin Access Policy Role
Configure Access Control Rule
Default Access Control Rules
Define Rule Precedence
Centralized Web Authorization
CWA with ISE Deployment
AAA Policy Network Configuration — ISE
AAA Policy Settings for CWA
RADIUS Settings
CWA Network Settings — ISE
CWA Policy Redirection Role — ISE
CWA Server Configuration — ISE
Configure Authorization Policy on Cisco® ISE Server
CWA with ExtremeControl Deployment
Configure AAA Policy — ExtremeControl
CWA Network Settings - ExtremeControl
CWA Policy Redirection Role — ExtremeControl
CWA Server Configuration — ExtremeControl
Configure CWA on ExtremeControl
NAI Routing and Dynamic Discovery
AAA Policy Settings for NAI Routing
Configure a Regular Expression Realm
Deploying ExtremeCloud IQ-SE as an External Captive Portal
Configuring an External Captive Portal Network
Editing the Configuration Profile for Network and Roles
ExtremeCloud IQ Controller Default Pass-Through Rule
Adding ExtremeCloud IQ Controller as a Switch to ExtremeCloud IQ - Site Engine
Editing the Unregistered Policy on ExtremeCloud IQ - Site Engine
Editing the ExtremeCloud IQ - Site Engine Profile for Policy and Location-Based Services
Deploying an ExtremeGuest External Captive Portal
Configure an ExtremeGuest Server
Configure an ExtremeGuest Captive Portal Network
Configuration Settings on ExtremeGuest
Deploying Client Bridge
AP Client Bridge
Configure Client Bridge
Deploying an Availability Pair
Replace a Controller in an Availability Pair
Deploying an Availability Pair with Extreme AirDefense
Deployment Procedure
Configuring the Centralized Site with an AP3915 Profile
Configuring AirDefense
Deploying an Availability Pair and External Captive Portal
Deployment Procedure
Configuring External Captive Portal Network
Editing the Device Group Profile for ECP Network
Integration with ExtremeCloud IQ
Deploy Universal APs
Onboarding Universal APs — ExtremeCloud IQ
Enhanced Discovery
Local Onboarding — Manual Entry
Local Onboarding— Import CSV file
Onboard a Controller to ExtremeCloud IQ
Access the Controller UI from ExtremeCloud IQ
PHP External Captive Portal, Controller‘s Firewall Friendly API
net-auth.php
login.php
common_utilities.php
crypt_aws_s4.php
ffecp-config.php
Adding
ExtremeCloud IQ Controller
as a Switch to
ExtremeCloud IQ - Site Engine
From
ExtremeCloud IQ - Site Engine
, add a device profile for
ExtremeCloud IQ Controller
.
To open the
Add Profile
window, go to
Administration
>
Profiles
>
Add
.
Provide the
Profile Name
and
SNMP Version
and settings.
Select the
CLI Credentials
field and configure the CLI credentials.
Adding an Extreme Management Center Profile
Note
You must add the
ExtremeCloud IQ Controller
password three times. Add the same password to the following fields:
Login Password
Enable Password
Configuration Password
Add the switch to
Network Devices
.
Select
Network
>
Devices
.
Right click
World
or the appropriate site object.
Select
Add Device
Add
ExtremeCloud IQ Controller
as a device in
ExtremeCloud IQ - Site Engine
Enter The IP address of
ExtremeCloud IQ Controller
.
Select the profile that you created.
Select
OK
.
Add the switch to your
Access Control Engine
.
Select
Control
>
Access Control
>
Engines
. From the All Engines panel, select the Engine.
Select
Switches
>
Add
.
From the
Devices
tree, select the newly added device.
Add Switch -
ExtremeCloud IQ Controller
Configure
ExtremeCloud IQ Controller
switch attributes:
Switch Type:
Layer 2 Out-Of-Band
Primary Engine: Select the Access Control Engine that you set as the RADIUS server for the network on the
ExtremeCloud IQ Controller
.
Secondary Engine (if appropriate for your configuration)
Edit Auth Access Type:
Manual RADIUS Configuration
Select the drop-down for
RADIUS Attributes to Send
and select
New
.
Insert the following into the new attributes schema:
Filter-Id=%POLICY_NAME% Login-LAT-Port=%LOGIN_LAT_PORT% Service-Type=%MGMT_SERV_TYPE%
New RADIUS Attribute for
ExtremeCloud IQ Controller
Save the new attribute Schema as
RADIUS attribute to send
.
Set RADIUS accounting to
Enabled
.
ExtremeCloud IQ Controller
Switch Device Settings
Select
Save
.
Enforce the changes.
From the Engine Groups, right-click the IP address of
ExtremeCloud IQ Controller
. Then, select
Enforce
.
Enforce Changes
