This document is intended for SEs and partners who are familiar with ExtremeCloud IQ Controller and ExtremeControl (the authentication feature of ExtremeCloud IQ Site Engine). Only the primary touchpoints between these products are covered.
The following prerequisite configuration is assumed:
This document assumes the following firmware and software versions.
A brief summary of the interactions between ExtremeCloud IQ Controller and ExtremeControl can be broken down into the following steps:
Administrator
Access Type
Attribute set to mgmt=su
The first step in configuring ExtremeCloud IQ Controller is to configure an AAA policy, then add the RADIUS server to the Authentication Order.
Configure ExtremeControl as a designated RADIUS server
From ExtremeCloud IQ Controller, go to .
Configure the RADIUS server settings
Add a RADIUS authentication server that points to ExtremeControl.
RADIUS server IP address: Accept the default port settings.
Shared Secret: This is the default shared secret used by Xcontrol. It is suitable for testing and proof of concept only; for a real deployment, the shared secret must be changed from the default. Save the settings.
Add RADIUS Server to Authentication Order
Go to .
Under Authentication Order, select Add to add the RADIUS option.
Authentication Order
Order the servers as Local first and RADIUS second until the configuration has been tested, so that a bad configuration cannot lock you out of the ExtremeCloud IQ Controller management interface.
RADIUS Server
To add the properties of the RADIUS server, under RADIUS Servers, select Add and select IP Address to display a list of available RADIUS servers.
Enter the NAS IP and NAS ID details, and set the authentication method to MS-CHAPv2.
Save these settings.
Note
Do not test the configuration until you have configured ExtremeControl to handle the management access login requests from ExtremeCloud IQ Controller.
From ExtremeControl, carry out the following overall process:
Configure AAA Authentication Rule
To handle management login access, an AAA authentication rule with Authentication Type Management Login is needed.
From the ExtremeControl main screen, go to .
If the AAA authentication rules are not visible, change the view to Advanced: right-click Default and select Make Advanced.
ExtremeControl authenticates administrators against a directory service such as Microsoft Active Directory.
Create a new rule with Authentication Type set to Management Login.
Change the Authentication Method to LDAP Authentication. The LDAP Authentication Type should show as NTLM Authentication with the supported RADIUS types.
Note
If using multiple LDAP servers, enable the Fall-through if Authentication Fails option to authenticate against the next AAA authentication rule in case the first AAA authentication rule results in an authentication failure or the directory service is unreachable.
Select the LDAP policy from the LDAP Configuration drop-down menu.
Select Save to save all changes made to the AAA Authentication Rule.
Create an LDAP User Group
In order for the Access Control engine to find users in Microsoft Active Directory, an LDAP user group with a memberOf attribute lookup can be used. This LDAP user group is later used as one of the match conditions in the Access Control rule engine.
To create a new LDAP user group, select the Group Editor and then the User Groups tab.
Add a new User Group, name it Administrator, and change Type to LDAP User Group.
To define the user group attributes, select Attribute Lookup and then select the available LDAP configuration from the drop-down menu.
On the next screen, search for a valid username to retrieve LDAP information for this user.
Select the memberOf parameter as the key attribute.
Select Save to complete the User Group settings.
Edit Default Administrator Policy Role
Go to and select the Administrator profile.
Scroll down and change the Access permission to Administrator.
Save the settings.
Note
This predefined profile is already set up to enable Super User access for management, if used.
Create a New Rule
Create a new Access Control rule so that ExtremeControl can assess the incoming administrative login requests.
Go to the tab.
Select Add to add a new rule.
Set Authentication Method to Management Login and User Group to the Administrator group you created earlier.
Select Administrator NAC Profile in the Actions section. This profile returns the default Administrator policy role which has its Access permissions set to Administrator.
Save the settings to return to the Rules screen.
If working with multiple rules to handle authentication for different User or Device Groups, make sure to move the rules Up or Down according to the required rule precedence.
Finally, select Enforce to enforce the configuration.
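The following is an added example, not code from the document or from the ExtremeControl product: a small Python model of how the pieces configured above fit together, namely an LDAP user group keyed on memberOf, Access Control rules evaluated in precedence order, and the Administrator NAC profile returning the Administrator policy role with its mgmt=su attribute. The directory entries, the group DN, the usernames and the second "Deny" rule and profile are constructed for illustration.

```python
"""Model of ExtremeControl rule evaluation for management logins (added
example, not product code). A request carries the authentication method and
the username; the user's LDAP attributes are looked up, rules are tried in
order, and the first match selects a NAC profile whose policy role carries the
RADIUS attribute to return."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed directory and group DN: username -> attributes that an
# Attribute Lookup against the real directory would return.
ADMIN_GROUP_DN = "CN=NetworkAdmins,OU=Groups,DC=example,DC=com"   # constructed
DIRECTORY = {
    "jdoe": {"memberOf": [ADMIN_GROUP_DN, "CN=Staff,OU=Groups,DC=example,DC=com"]},
    "asmith": {"memberOf": ["CN=Staff,OU=Groups,DC=example,DC=com"]},
}


@dataclass
class LdapUserGroup:
    """LDAP User Group keyed on one attribute, as built in the Group Editor."""
    name: str
    key_attribute: str   # the document uses memberOf
    match_value: str

    def matches(self, ldap_attrs: Dict[str, List[str]]) -> bool:
        return self.match_value in ldap_attrs.get(self.key_attribute, [])


@dataclass
class Rule:
    """One Access Control rule: match conditions plus the NAC profile action."""
    name: str
    auth_method: str
    user_group: Optional[LdapUserGroup]   # None means any user
    nac_profile: str


# NAC profile -> the policy role it returns. Only "Administrator" is from the
# document (Access permission Administrator, attribute mgmt=su); the deny
# profile is a constructed stand-in that returns no management attribute.
NAC_PROFILES = {
    "Administrator": {"policy_role": "Administrator", "access": "Administrator", "attribute": "mgmt=su"},
    "Deny (constructed)": {"policy_role": "Deny", "access": None, "attribute": None},
}


def build_rules(admin_rule_first: bool = True) -> List[Rule]:
    """The rule from the document plus a constructed catch-all, in either order."""
    admin_group = LdapUserGroup("Administrator", "memberOf", ADMIN_GROUP_DN)
    admin_rule = Rule("Management Login - Administrators", "Management Login",
                      admin_group, "Administrator")
    catch_all = Rule("Management Login - everyone else (constructed)", "Management Login",
                     None, "Deny (constructed)")
    return [admin_rule, catch_all] if admin_rule_first else [catch_all, admin_rule]


def evaluate(rules: List[Rule], auth_method: str, username: str) -> Optional[dict]:
    """First matching rule wins, which is why rule precedence matters."""
    ldap_attrs = DIRECTORY.get(username, {})
    for rule in rules:
        if rule.auth_method != auth_method:
            continue
        if rule.user_group is not None and not rule.user_group.matches(ldap_attrs):
            continue
        return NAC_PROFILES[rule.nac_profile]
    return None   # no rule matched


def management_attribute(username: str, admin_rule_first: bool = True) -> Optional[str]:
    """The attribute a Management Login request for this user would receive."""
    profile = evaluate(build_rules(admin_rule_first), "Management Login", username)
    return profile["attribute"] if profile else None


if __name__ == "__main__":
    for user in ("jdoe", "asmith"):
        print(user, management_attribute(user))
    # With the catch-all moved above the administrator rule, jdoe no longer
    # receives mgmt=su: the broader rule shadows the specific one.
    print("jdoe (wrong order)", management_attribute("jdoe", admin_rule_first=False))
```

Running the script shows the precedence point made in the text: the administrator who is a member of the group receives mgmt=su only while the administrator rule sits above the broader rule, so after adding rules for other groups, check the order before selecting Enforce.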
To test the configuration, log into the ExtremeCloud IQ Controller using the local admin account and go to . Select Test to test the login credentials.
If the test is successful, you can change the order of Authentication Mode to RADIUS first and Local second. This ensures that if the RADIUS server is not reachable, administrators can still access ExtremeCloud IQ Controller using the local admin user account.
Go to the event log under to verify that the new RADIUS-authenticated user with Administrator access permissions is mapped to the internal admin user role.
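The following is an added example, not code from the document or from either product: a Python model of the two ordered fall-through chains described on this page, the controller's Authentication Order (the Local and RADIUS entries, and why Local stays first until RADIUS has been tested) and the ExtremeControl AAA authentication rule list with the Fall-through if Authentication Fails option. The credential stores, usernames and LDAP configuration names are constructed, and the controller's handling of a RADIUS reject (treated here as final, with only an unreachable server falling through) is an assumption of the model rather than a documented behaviour.

```python
"""Model of ordered authentication fall-through (added example, not product
code). walk_chain tries each entry in order; the fall_through set decides which
outcomes move on to the next entry and which are final."""
from enum import Enum
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple


class Outcome(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    UNREACHABLE = "unreachable"


Request = Dict[str, str]
Handler = Callable[[Request], Outcome]


def walk_chain(entries: List[Tuple[str, Handler]], request: Request,
               fall_through: FrozenSet[Outcome]) -> Tuple[Outcome, Optional[str]]:
    """Return (outcome, name of the entry that decided). Entries whose outcome
    is listed in fall_through are skipped; any other outcome is final."""
    for name, handler in entries:
        outcome = handler(request)
        if outcome in fall_through:
            continue
        return outcome, name
    return Outcome.REJECT, None


# Constructed local admin store for the controller's Local entry.
LOCAL_ADMINS = {"admin": "local-pass"}


def local_backend(request: Request) -> Outcome:
    """The controller's own admin account database."""
    if LOCAL_ADMINS.get(request["user"]) == request["password"]:
        return Outcome.ACCEPT
    return Outcome.REJECT


def make_remote_backend(reachable: bool, accepted_users: FrozenSet[str]) -> Handler:
    """Stand-in for a remote authenticator (RADIUS server or LDAP directory);
    reachable=False simulates a timeout."""
    def backend(request: Request) -> Outcome:
        if not reachable:
            return Outcome.UNREACHABLE
        return Outcome.ACCEPT if request["user"] in accepted_users else Outcome.REJECT
    return backend


def controller_login(order: List[str], request: Request, radius_reachable: bool = True):
    """Authentication Order on ExtremeCloud IQ Controller. Assumption of this
    model: only an unreachable server falls through and a reject is final.
    That is why Local stays first until RADIUS is tested: with RADIUS first, a
    misconfigured server that rejects the local admin locks you out."""
    backends: Dict[str, Handler] = {
        "Local": local_backend,
        "RADIUS": make_remote_backend(radius_reachable, frozenset({"jdoe"})),
    }
    entries = [(name, backends[name]) for name in order]
    return walk_chain(entries, request, frozenset({Outcome.UNREACHABLE}))


def aaa_rule_chain(request: Request, fall_through_enabled: bool, primary_reachable: bool = True):
    """Two AAA authentication rules bound to different (constructed) LDAP
    configurations. With the Fall-through option enabled, both an
    authentication failure and an unreachable directory move on to the next
    rule, as the document states; with it disabled, the first result stands."""
    entries = [
        ("AAA rule 1 (ldap-a)", make_remote_backend(primary_reachable, frozenset({"jdoe"}))),
        ("AAA rule 2 (ldap-b)", make_remote_backend(True, frozenset({"jdoe", "asmith"}))),
    ]
    fall_through = (frozenset({Outcome.REJECT, Outcome.UNREACHABLE})
                    if fall_through_enabled else frozenset())
    return walk_chain(entries, request, fall_through)


if __name__ == "__main__":
    admin = {"user": "admin", "password": "local-pass"}
    print("Local first, RADIUS untested:", controller_login(["Local", "RADIUS"], admin))
    print("RADIUS first, RADIUS down:   ", controller_login(["RADIUS", "Local"], admin, radius_reachable=False))
    print("RADIUS first, RADIUS rejects:", controller_login(["RADIUS", "Local"], admin))
    print("AAA fall-through on, ldap-a rejects:", aaa_rule_chain({"user": "asmith", "password": "x"}, True))
```

The third controller case is the lockout the text warns about: once RADIUS is first, a server that answers with a reject for the local admin ends the chain, so keep Local first until the Test button in the controller confirms the RADIUS path works.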