Starting with this release, ExtremeGuest can be deployed as the external captive portal server handling guest registration and authentication for wired users of ExtremeControl NAC deployments in conjunction with Extreme EXOS switches.
ExtremeGuest can now handle RADIUS authentication requests from wired-guest users connected to ExtremeControl managed switches. Where, ExtremeControl acts as the proxy between the switch and ExtremeGuest. It receives the clients' RADIUS request, includes a VSA (Vendor Specific Attribute) attribute in the RADIUS request and forwards it to ExtremeGuest. The VSA attribute indicates that the RADIUS request is proxied through ExtremeControl. Communication between ExtremeGuest and ExtremeControl is through REST APIs.
Use the ExtremeControl API Settings screen to configure the credentials and shared secret required for ExtremeGuest to authenticate with ExtremeControl.
Note
ExtremeControl - ExtremeGuest integration is mandatory to enable this functionality. You will also need to make pre-configurations on the ExtremeGuest server. For detailed information on both, please refer to the "ExtremeGuest_6.0.0_HOW-TO_Deploy_with_ExtremeControl" guide available at https://extremenetworks.com/documentation.Note
The network name should be the same as the captive portal name configured on ExtremeControl.Note
Add the site in which the wired-switch is deployed. The Site Name should match the name of the site to which the EXOS, wired-switch is mapped.Note
Select the Wired checkbox to populate the Model drop-down menu with the supported wired switches. For information on adding a device, see Devices.Note
Create authorization profiles for the wired-guest users (unregistered and registered) connected to ExtremeControl managed switches. Alternately, you can use following two default, system-provided authorization policies: UnregisteredPolicy and GuestAccessPolicy.Ensure that the Role (filter-id) value configured in the authorization policy (customized or default) matches the Policy Role names configured on ExtremeControl.
Authorization profiles define access rules, such as rate-limiting, session timeout, block time, application policies, etc. After configuring the authorization profile, apply it to a user group. For information on creating AAA Authorization policy, see Adding AAA Authorization.
Ensure the authorization policy, created in the previous step is applied to the group (customized or default).
Note
This is the group to which the authenticated wired guest user will be added. Ensure that the group name is same as the group name specified in the ExtremeControl AAA group configuration context. For information on creating a AAA group, see Adding AAA Groups.Note
On-boarding enables hotspot network providers to collect client information, send client passcodes and set up external approval for guest access using rules and policies. For information on creating a On-boarding Policy and Rules, see Onboarding Policy and Onboarding Rules.Once the above configurations are in place, configure the ExtremeControl API Settings. This consists of the ExtremeControl management user account credentials and shared secret. This enables ExtremeGuest server to post REST requests to ExtremeControl on successful registration of the wired-guest client.
Note
This value should be the same as the RADIUS server shared secret configured in the AAA policy context on ExtremeControl.