Configuring RADIUS Authenticated Management Access

This document is intended for SEs and partners that are familiar with ExtremeCloud IQ Controller and ExtremeControl (the authentication feature of ExtremeCloud IQ Site Engine). Only the primary touchpoints between these products are covered.

The following prerequisite configuration is assumed:

This document assumes the following firmware and software versions.

Overview

A brief summary of the interactions between ExtremeCloud IQ Controller and ExtremeControl can be broken down into the following steps:

  1. The administrator attempts to log in to ExtremeCloud IQ Controller using previously configured login credentials, and RADIUS authentication occurs.
  2. ExtremeCloud IQ Controller sends a RADIUS request to ExtremeControl for administrative login access.
  3. ExtremeControl performs an LDAP lookup, authenticates and authorizes the RADIUS request according to its configuration, and passes back a RADIUS Accept message with Filter-Id set to Administrator and the Access Type attribute set to mgmt=su.
  4. ExtremeCloud IQ Controller allows the administrator to log in.
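The exchange in steps 2 and 3, as an added example that is not part of this document or of either product's code: it builds the controller's Access-Request and ExtremeControl's Access-Accept carrying Filter-Id = Administrator, and shows the check the receiving side performs before trusting that attribute, namely verifying the Response Authenticator under the shared secret (the reason the default shared secret should be changed for a real deployment). The user name, NAS IP, NAS ID and secret are constructed values.

```python
import hashlib
import hmac
import struct
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, FILTER_ID, NAS_IDENTIFIER = 1, 4, 11, 32

def avp(attr_type, value):
    """Encode one attribute as Type-Length-Value (RFC 2865 section 5)."""
    return bytes([attr_type, 2 + len(value)]) + value

def parse_avps(data):
    """Decode TLV attributes, rejecting truncated or zero-length entries."""
    out = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        out.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return out

def build_access_request(ident, request_auth, user, nas_ip, nas_id):
    """Controller side (step 2); MS-CHAPv2 credential attributes are vendor-specific and omitted."""
    attrs = (avp(USER_NAME, user.encode())
             + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + avp(NAS_IDENTIFIER, nas_id.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def build_access_accept(ident, request_auth, secret, filter_id):
    """ExtremeControl side (step 3): Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    attrs = avp(FILTER_ID, filter_id.encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def granted_role(reply, request, secret):
    """Controller side: the Filter-Id role, or None unless this is an authentic Accept for the request."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if code != ACCESS_ACCEPT or length != len(reply) or ident != request[1]:
        return None
    attrs = reply[20:]
    expected = hashlib.md5(reply[:4] + request[4:20] + attrs + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return None  # forged reply, or shared secret mismatch between the two products
    roles = [v.decode() for t, v in parse_avps(attrs) if t == FILTER_ID]
    return roles[0] if roles else None

if __name__ == "__main__":
    secret = b"constructed-secret"  # constructed value, not either product's default
    req = build_access_request(7, bytes(range(16)), "alice", "10.0.0.5", "XIQ-Controller")
    print(granted_role(build_access_accept(7, req[4:20], secret, "Administrator"), req, secret))
```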

ExtremeCloud IQ Controller Configuration

The first step in configuring ExtremeCloud IQ Controller is to configure an AAA policy, then add the RADIUS server to the Authentication Order.

  1. Configure ExtremeControl as a designated RADIUS server

    From ExtremeCloud IQ Controller, go to Onboard > AAA Policy > Add.

    Default AAA Configuration
  2. Configure the RADIUS server settings

    Add a RADIUS authentication server that points to ExtremeControl.

    RADIUS server IP address: Accept the default port settings.

    Shared Secret: This is the default shared secret used by ExtremeControl. This setting can be used for testing and proof of concept. For a real deployment, it is expected that the shared secret will be changed from the default. Save the settings.

    RADIUS server settings
  3. Add RADIUS Server to Authentication Order

    1. Go to Administration > Accounts > RADIUS.

    2. Under Authentication Order, select Add to add the RADIUS option.

    3. Authentication Order

      Order the servers as Local first and RADIUS second until the configuration has been tested, to avoid being locked out of the ExtremeCloud IQ Controller management interface by a bad configuration.

    4. RADIUS Server

      To add the properties of the RADIUS server, under RADIUS Servers, select Add, then select IP Address to display a list of available RADIUS servers.

      Enter the NAS IP and NAS ID details and set the authentication method to MS-CHAPv2.

    5. Save these settings.

    Add RADIUS Server to Authentication Order
    Note

    Do not test the configuration until you have configured ExtremeControl to handle the management access login requests from ExtremeCloud IQ Controller.

ExtremeControl Configuration

From ExtremeControl, carry out the following overall process:

  1. Configure AAA Authentication Rule

    To handle the Management Login Access, an AAA authentication rule with the Authentication Type set to Management is needed.

    1. From ExtremeControl main screen, go to Access Control > AAA > Default.

    2. If the AAA authentication rules are not visible, change the view to Advanced: Right-click Default and select Make Advanced.

    Change the AAA authentication view to Advanced
  2. ExtremeControl authenticates administrators against a directory service such as Microsoft Active Directory.

    1. Create a new rule with Authentication Type set to Management Login.

    2. Change the Authentication Method to LDAP Authentication. The LDAP Authentication Type should show as NTLM Authentication with the supported RADIUS types.

      Note

      If using multiple LDAP servers, enable the Fall-through if Authentication Fails option so that authentication proceeds to the next AAA authentication rule if the first AAA authentication rule results in an authentication failure or its directory service is unreachable.
    3. Select the LDAP policy from the LDAP Configuration drop-down menu.

    4. Select Save to save all changes made to the AAA Authentication Rule.

    Edit user to authentication mapping
  3. Create an LDAP User Group

    In order for the Access Control engine to find users in Microsoft Active Directory, an LDAP user group with a memberOf attribute lookup can be used. This LDAP user group is later used as one of the match conditions in the Access Control rule engine.

    1. To create a new LDAP user group, select the Group Editor and then select the User Groups tab.

    2. Add a new User Group, name it Administrator, and change Type to LDAP User Group.

    3. To define the user group attributes, select Attribute Lookup and then select the available LDAP configuration from the drop-down menu.

    Select LDAP Configuration for Attribute lookup
    4. On the next screen, search for a valid username to retrieve LDAP information for this user.

    5. Select the memberOf parameter as the key attribute.

    6. Select Save to complete the User Group settings.

    Search for a valid username
  4. Edit Default Administrator Policy Role

    1. Go to Configuration > Profiles > Policy Mappings > Default and select the Administrator profile.

    2. Scroll down and change the Access permission to Administrator.

    3. Save the settings.

    Note

    This predefined profile is already set up to enable Super User access for management, if used.
    Edit Default Administrator Policy Role
  5. Create a New Rule

    Create a new Access Control rule so that ExtremeControl can assess the incoming administrative login requests.

    1. Go to the Configuration > Default > Rules tab.

    2. Select Add to add a new rule.

    3. Set Authentication Method to Management Login and User Group to the Administrator group you created earlier.

    Create a new Access Control rule
    4. Select Administrator NAC Profile in the Actions section. This profile returns the default Administrator policy role, which has its Access permissions set to Administrator.

    5. Save the settings to return to the Rules screen.

    6. If working with multiple rules to handle authentication for different User or Device Groups, make sure to move the rules up or down according to the intended rule precedence.

    7. Finally, select Enforce to enforce the configuration.

    Access control engine enforce

Testing and Validation

  1. To test the configuration, log into the ExtremeCloud IQ Controller using the local admin account and go to Administration > Accounts > RADIUS. Select Test to test the login credentials.

    Test RADIUS server
  2. If the test is successful, you can change the order of the authentication modes to RADIUS first and Local second. Keeping Local in the order ensures that if the RADIUS server is not reachable, administrators can still access ExtremeCloud IQ Controller using the local admin user account.

  3. Go to the event log under Tools > Logs > Events to verify that the new RADIUS-authenticated user with Administrator access permissions is mapped to the internal admin user role.

    Event log