Configure Network Services

When you register devices for the first time, you use the configuration wizard to edit the default network (Staff). If you want to set up your own networks or make changes at any time, use this procedure.
Note

A maximum of 16 enabled SSIDs (eight per radio) can be assigned to a site.

For example, if you want to allow a completely open network, replace the default policy with a policy that allows traffic. You can use the predefined Allow All policy or create a more restrictive policy (the latter is recommended).

  1. Select Configure > Networks from the menu.
    The Networks list displays.
  2. To add a new network, select Add. Alternatively, select an existing network, and then select Configure Network.
  3. Edit the fields.
    Figure: Configure Network
    Network Name: Enter any unique, user-friendly value that makes sense for your business. Example: Staff
    SSID: Enter a character string to identify the network. 32 characters maximum. Upper and lowercase allowed. Example: PermanentStaff
    Status: Choose an option:
      Enabled: This option turns on the network and leaves it on until you manually disable or delete it.
      Disabled: Disabling a network shuts off the service but does not delete it.
      Schedule: Scheduling lets you define specific periods when a service will be active.
    AuthType: Define the authorization type. You must edit the privacy settings for WEP, WPAv2PSK, and WPA2 Enterprise w/ RADIUS.
      Open: Anyone can associate with the AP. This authorization type has no encryption and can use the Default Unauth role only.
      WEP: We do not recommend or endorse using WEP encryption due to the security flaws that are inherent with WEP. Access is allowed to any client that knows the pre-shared WEP key. WEP-64 uses a 40-bit key concatenated with a 24-bit initialization vector (IV) to form the RC4 traffic key. WEP-64 is a less robust encryption scheme than WEP-128 (containing a shorter WEP algorithm for a hacker to potentially duplicate), but networks that require more security are at risk from a WEP flaw. WEP-128 uses a 104-bit key, which is concatenated with a 24-bit initialization vector (IV) to form the RC4 traffic key. WEP-128 provides a more robust encryption algorithm than WEP-64 by requiring a longer key length and pass key.
      WPAv2 with PSK: Access is allowed to any client that knows the pre-shared key. If MAC-based authentication (MBA) is also enabled, you can assign different roles to different devices with PSK. If MBA is not enabled, then devices with PSK use the Default Unauth role only. (TKIP encryption is available as an option with WPAv2 with PSK, but TKIP cannot be configured on its own. We do not recommend or endorse using TKIP due to the security flaws that are inherent with TKIP.)
      WPA2 Enterprise w/ RADIUS: Supports 802.1x authentication with a RADIUS server, using AES encryption. All 802.1x protocols are supported. (TKIP-CCMP encryption is available as an option with WPAv2 Enterprise w/ RADIUS, but TKIP-CCMP cannot be configured on its own. We do not recommend or endorse using TKIP-CCMP due to the security flaws that are inherent with TKIP-CCMP.)
    MAC-based Authentication: Select this option to enable MAC-based authentication with a RADIUS server, which restricts network access to specific devices by MAC address.
    MBA Timeout Role: (For ExtremeWireless APs only) Select the role that will be assigned to a wireless client during MAC-based authentication (MBA) if the RADIUS server access request times out. If no MBA Timeout Role is selected, then a RADIUS server timeout is treated like an Access-Reject, which prevents the client from accessing the network. If a moderately restrictive role is set (one allowing internet access but no local access), then clients can continue to function when the RADIUS server is unavailable.
  4. If you enabled WPA2 Enterprise w/ RADIUS or MAC-based Authentication as the Auth Type, the Configure RADIUS Servers field displays. Select Configure and configure the fields in the Configure RADIUS Servers dialog.
    Figure: RADIUS Server Configuration
    Auth Type: Set the authentication protocol type for the RADIUS server (PAP, CHAP, MS-CHAP, or MS-CHAP2).
    IP Address: Enter a valid IP address for the RADIUS server. A primary IP address is required, and a secondary IP address is optional.
    Shared Secret: Enter the password that will be used between ExtremeCloud and the RADIUS server. If you are using a secondary IP address, you must provide a password for that IP address also.
  5. (Optional) To enable a captive portal, select an option from the drop-down list. To use the built-in captive portal feature, select Cloud. To use a third-party or external captive portal, select Other. (If you have not yet configured the captive portal, go to How to Configure a Captive Portal and then return to this page to assign the portal to the network.) You can also enable the option to redirect the user to the original destination upon a successful login.
    If you selected Cloud or Other, the Walled Garden DNS Whitelist button displays.
  6. (Optional) To enable a walled garden with the captive portal, select Walled Garden DNS Whitelist. Enter the Fully Qualified Domain Names (FQDNs) that you want to whitelist in the Walled Garden DNS Whitelist dialog. FQDNs can be full names (www.companyname.com) or partial names (companyname.com).

    Partial FQDN matching is based on case-sensitive suffix matching. For example, companyname.com will match companyname.com, www.companyname.com, xyz-abc.companyname.com, or anything that ends with companyname.com.

    Note

    Select the delete icon to delete an FQDN.
    These FQDNs are applied to the Unauth role assigned to the user, giving the user walled garden access to the specified FQDNs before they are authenticated.
  7. Configure the default roles. Select the add icon to create a new role or select the edit icon to edit an existing role. (You can also delete roles by selecting the delete icon.)
    Default Unauth Role: Displays when the captive portal option is set to Other. Define a non-authenticated role that covers all traffic from devices that have not yet authenticated with the captive portal. Create a role with at least one rule that redirects at least some HTTP traffic (port 80, 8080, 443) to the captive portal web page. The role must allow DHCP and DNS traffic also. The role can allow other traffic. (This redirection is independent of the network's Authentication Type.) Only policies with redirection display in the drop-down list for this field.
    Default Auth Role: Displays when an external captive portal is enabled. Define an authenticated role.
    Default Role: Displays when captive portal is not enabled or when the Cloud captive portal is enabled. Define the access control role. This role is mandatory and covers all traffic from authenticated devices. The role filters network packets, either disallowing them or boosting the priority. Open, WPAv2PSK, and WPA2 Enterprise w/ RADIUS can use the Default Role, which is useful for simple deployments.
  8. Create a new default VLAN or edit an existing VLAN. (You can delete unused VLANs.)
    Note

    If you are assigning an ExtremeCloud-created captive portal to a network that does not yet have an IP subnet assigned to it, a pop-up IP Subnet dialog opens. You must provide an IP subnet for the captive portal to work.
    Default VLAN: The default VLAN is the VLAN on which the client traffic is placed by the AP if the policy assigned to the client does not explicitly place the client's traffic on a specific VLAN. In addition to the VLAN ID, the destination VLAN can be marked Untagged. (Complex deployments can attach to different VLANs simultaneously, but only one VLAN can be untagged.) Multicast filters can also be configured to control multicast forwarding to the wireless network. To edit multicast filters and the IP subnet, select the add icon or the edit icon and then select Advanced.
  9. (Optional) Specify the aggregate network bandwidth limit for the aggregate WLAN traffic on a per-radio basis. Enabling this option prevents guest WLAN users from using more air time than allowed by the WLAN rate limit. The allowed aggregate bandwidth limit is 128 - 2,500 Kbps. However, if you select [icon], you can set the Class of Service to use an existing CoS, which makes the aggregate bandwidth unlimited, or configure CoS advanced settings for the priority, ToS/DSCP and mask.
  10. (Optional) On the Configure Network page, select Advanced to configure advanced settings, such as admission control.
  11. On the Configure Network page, select Save.
If you have created a new network (wireless SSID), you must then add the network to a site to start providing services to the wireless devices in that site.
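
The partial-FQDN rule in step 6, modelled as an added example (not ExtremeCloud code): a small Python audit that applies the match exactly as this page words it (case-sensitive string suffix) and flags whitelist entries that would also cover a name outside the intended domain, or miss a name inside it. The function names and sample hostnames are constructed for illustration, and how the product treats label boundaries is an assumption taken from the wording above.

```python
# Added example: models the rule as worded on this page (case-sensitive,
# plain string suffix). All hostnames below are constructed sample data.

def page_rule_match(entry: str, host: str) -> bool:
    """Documented behaviour: host matches if it ends with the entry, case-sensitive."""
    return host.endswith(entry)


def label_boundary_match(entry: str, host: str) -> bool:
    """Stricter reference: the same name or a true subdomain, case-insensitive."""
    e, h = entry.lower().rstrip("."), host.lower().rstrip(".")
    return h == e or h.endswith("." + e)


def audit_whitelist(entries, observed_hosts):
    """Return (entry, finding, detail) tuples to review before saving the list."""
    findings = []
    for entry in entries:
        # A single-label entry such as "com" would suffix-match every name under it.
        if "." not in entry.strip("."):
            findings.append((entry, "too-broad", "single label covers a whole TLD"))
        for host in observed_hosts:
            documented = page_rule_match(entry, host)
            strict = label_boundary_match(entry, host)
            if documented and not strict:
                # Ends with the entry but is not that domain or a subdomain of it.
                findings.append((entry, "over-match", host))
            elif strict and not documented:
                # Inside the intended domain, yet missed (case or trailing dot).
                findings.append((entry, "under-match", host))
    return findings


# Constructed whitelist entries and hostnames seen from unauthenticated clients.
ENTRIES = ["companyname.com", "Login.example.net"]
HOSTS = [
    "www.companyname.com",
    "xyz-abc.companyname.com",
    "othercompanyname.com",
    "login.example.net",
]

if __name__ == "__main__":
    for finding in audit_whitelist(ENTRIES, HOSTS):
        print(finding)
```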