ExtremeControl

Configuration → ExtremeControl

Starting with this release, ExtremeGuest can be deployed as the external captive portal server handling guest registration and authentication for wired users of ExtremeControl NAC deployments in conjunction with Extreme EXOS switches.

ExtremeGuest can now handle RADIUS authentication requests from wired-guest users connected to ExtremeControl managed switches. Where, ExtremeControl acts as the proxy between the switch and ExtremeGuest. It receives the clients' RADIUS request, includes a VSA (Vendor Specific Attribute) attribute in the RADIUS request and forwards it to ExtremeGuest. The VSA attribute indicates that the RADIUS request is proxied through ExtremeControl. Communication between ExtremeGuest and ExtremeControl is through REST APIs.

Use the ExtremeControl API Settings screen to configure the credentials and shared secret required for ExtremeGuest to authenticate with ExtremeControl.

Note

Note

ExtremeControl - ExtremeGuest integration is mandatory to enable this functionality. You will also need to make pre-configurations on the ExtremeGuest server. For detailed information on both, please refer to the "ExtremeGuest_6.0.0_HOW-TO_Deploy_with_ExtremeControl" guide available at https://extremenetworks.com/documentation.
Pre-configurations:
Following configurations are prerequisites for this feature to work:
  1. ExtremeControl with ExtremeGuest integration completed.
  2. On the ExtremeGuest UI configure the following settings:
    1. Add Network.
      Click to expand in new window
      GUID-54908326-9936-4456-895F-032E101C6B9B-low.png
      Note

      Note

      The network name should be the same as the captive portal name configured on ExtremeControl.
      Note

      Note

      For information on adding a network, see Networks.
    2. Add a Site.
      Click to expand in new window
      GUID-BFF0703C-1D5C-413A-85FD-D7A72201F70D-low.png
      Note

      Note

      Add the site in which the wired-switch is deployed. The Site Name should match the name of the site to which the EXOS, wired-switch is mapped.
      Note

      Note

      For information on adding a site, see Sites.
    3. Add ExtremeControl managed switch to the device list:
      Click to expand in new window
      GUID-7E9B8626-F755-4965-8070-B9E7695D14F4-low.png
      Note

      Note

      Select the Wired checkbox to populate the Model drop-down menu with the supported wired switches. For information on adding a device, see Devices.
    4. Create a AAA authorization policy. This is optional, as you can use the default AAA Authorization policy. See screenshot below:
      Click to expand in new window
      GUID-27F13764-E05F-42D8-A72D-37A4A4B0C3AA-low.png
      Note

      Note

      Create authorization profiles for the wired-guest users (unregistered and registered) connected to ExtremeControl managed switches. Alternately, you can use following two default, system-provided authorization policies: UnregisteredPolicy and GuestAccessPolicy.

      Ensure that the Role (filter-id) value configured in the authorization policy (customized or default) matches the Policy Role names configured on ExtremeControl.

      Authorization profiles define access rules, such as rate-limiting, session timeout, block time, application policies, etc. After configuring the authorization profile, apply it to a user group. For information on creating AAA Authorization policy, see Adding AAA Authorization.

    5. Create a AAA user group. This is optional, as you can use the default AAA Group. See screenshot below:
      Click to expand in new window
      GUID-C71DD0DF-3467-4B10-8624-B506E038F3C2-low.png

      Ensure the authorization policy, created in the previous step is applied to the group (customized or default).

      Note

      Note

      This is the group to which the authenticated wired guest user will be added. Ensure that the group name is same as the group name specified in the ExtremeControl AAA group configuration context. For information on creating a AAA group, see Adding AAA Groups.
    6. Create a AAA NAS configuration pointing to the ExtremeControl host's network/IP address. Ensure that the AAA NAS is configured to handle RADIUS authentication and accounting requests from the ExtremeControl managed switch.
      Click to expand in new window
      GUID-E57106FF-3CA1-4541-A2DD-FD28531407D0-low.png
      Note

      Note

      For information on configuring AAA NAS parameters, see Adding AAA NAS.
  3. Add On-boarding Policy and Rules to enable wired/wireless guest registration when they join a hotspot network.
    Note

    Note

    On-boarding enables hotspot network providers to collect client information, send client passcodes and set up external approval for guest access using rules and policies. For information on creating a On-boarding Policy and Rules, see Onboarding Policy and Onboarding Rules.
  4. Add splash templates. These are the captive portal web pages (landing, registration, welcome, etc.) served to the wired-client.
    Click to expand in new window
    GUID-61C2272A-BC74-4CDA-ABC0-9B3D69ADA723-low.png

Once the above configurations are in place, configure the ExtremeControl API Settings. This consists of the ExtremeControl management user account credentials and shared secret. This enables ExtremeGuest server to post REST requests to ExtremeControl on successful registration of the wired-guest client.

  1. Go to Configuration → ExtremeControl.
    The ExtremeControl API Settings window displays.
    Click to expand in new window
    ExtremeControl API Settings Window
    GUID-10519F2D-8EBD-4C2B-B483-DAB8B0B1E7D2-low.png
  2. In the Username field enter user name of the ExtremeControl user.
  3. In the Password field, configure the password associated with the above specified username.
  4. In the Secret field, enter the pre-configured shared secret.
    Note

    Note

    This value should be the same as the RADIUS server shared secret configured in the AAA policy context on ExtremeControl.
  5. Click Save to save your changes.
    Click Reset to revert to original settings.