Collecting Information for the Installation

Before installing and configuring your wireless network, consider the following and write down key information that you will need for the process:

  • Will the controller be managed remotely via a management, data, or wireless interface? By default, the controller cannot be managed over its data plane or wireless interface. These capabilities must be enabled explicitly using the controller's user interface.
  • If the controller will be managed over the management port, will IPv4 or IPv6 be used?
  • For the services to be offered, determine the following:
    • WLAN services. Which wireless LAN services will be offered by the controller?
    • Privacy settings. Do the WLAN Services require WEP, WPA-PSK, or WPA2 privacy settings?
    • Authorization. Will MAC-based authorization be required before a station gains access to the network?
    • Authentication. Determine the mechanism that is required for users to access each WLAN Service: None, Captive Portal (internal, external, Guest Portal), AAA/RADIUS (Remote Authentication Dial In User Service)/Certificate? RADIUS requires connectivity to an infrastructure RADIUS server.
    • The controller's location on the network.
    • The segments that the controllers need to connect to.
    • The routed or bridged segments that will deliver user traffic.
    • The VLANs that the controllers need to connect to.
    • The switch ports that provide the VLANs that the controllers need to connect to.
    • How wireless services map to, or make use of, the available network segments.
    • The restrictions that users will be subject to when accessing the network.
  • Controller deployment.
    • Is more than a single controller going to be deployed? If multiple controllers are deployed, are the controllers deployed in availability pairs?
    • Are controllers going to be deployed as part of a mobility domain? A mobility domain is a collection of controllers that collaborate to allow stations to roam seamlessly between the APs of different member controllers.
  • Time synchronization. If controllers will be time synchronized, to what source will they be synchronized?
  • Controller logs. Will controller logs be remotely aggregated using syslog? If syslog is used, determine the syslog server.
  • AP deployment. Will APs be deployed on the same segment as the controller's network point, or several segments away from it?
  • AP discovery. Which discovery mechanism will be used to register an AP to the controller: SLP, DNS, multicast, or static listing?
  • Controller interfaces. Which controller interfaces will be defined to allow AP registration?

Use the following table to document all the pertinent information about the ExtremeWireless Appliance before starting the installation process.

Some of the information listed in the table may not be relevant to your network configuration. Only record the information that is pertinent to your network configuration.


Information Gathering Table

Configuration Data | Description | Your Entry
VNS (Virtual Networks Services)/WLAN Service and Role (Policy) creation and dependencies
  • Service types the system is expected to provide
  • Controller services
  • Topologies made up of VLANs and port assignments with the corresponding switch ports
  • Policies that will be bound to topologies
  • Classes of Service
  • WLAN Service and wireless user credentials authentication
  • Creation of VNS that binds WLAN service to roles (policies)
  • A tagged VLAN (Virtual LAN) for each bridge in the controller, along with a network port on which the VLAN is assigned
  • A virtual subnet on the controller for each VNS:

    Topology type of bridged@controller, routed, or bridged@AP

    Policy for network point of attachment: user network access policy, filtering at the controller or also at the AP

    Whether bandwidth restrictions are imposed on users

    WLAN Service: type of SSID, advertised SSID by APs representing the service, AP radios corresponding to band that will advertise the service, method of authentication, wireless security method, and QoS (Quality of Service)

    VNS: WLAN service the VNS represents, Default Non-Auth Policy, Default Auth Policy, VNS mapping between the WLAN service and default policies, method of AP controller discovery

 
Accessing the ExtremeWireless Appliance for the first time
  • Factory default IP address of the ExtremeWireless Appliance – The factory default management address is https://192.168.10.1:5825. Type this address in the address bar of your web browser when you access the ExtremeWireless Appliance for the first time.
  • Unused IP address in the 192.168.10.0/24 subnet – This IP address must be assigned to the Ethernet port of your laptop computer, for the initial provisioning only. You can use any IP address from 192.168.10.2 to 192.168.10.254.
  • Login Information – The login information is as follows:
    • User Name: admin
    • Password: abc123

      After you have logged in, change the default user name and password.

 
System Settings
  • Hostname – Specifies the name of the ExtremeWireless Appliance.
  • Domain – Specifies the IP domain name of the enterprise network.
  • Primary DNS – The primary DNS server used by the network.
  • Secondary DNS – The secondary DNS server used by the network.
 
Hardware information

MAC Address – MAC address of the ExtremeWireless Appliance's management port.
 
License Key

A license key is provided by redeeming an entitlement voucher on the Extreme Networks website by selecting the Extreme Networks Activation Key link at www.extremenetworks.com/support/. Enter the license key for system activation, capacity upgrades, or feature enablement. For more information about ExtremeWireless licensing, see Step 6. Apply the Activation License Key.
 
Data Ports (Physical Topology)
  • IP address – IP address of the physical Ethernet port.
  • Subnet mask – Subnet mask for the IP address, which separates the network portion from the host portion of the address (typically 255.255.255.0).
  • MTU – The maximum transmission unit or maximum packet size for this port. The default setting is 1500. If you change this setting, and are using OSPF, you must make sure that the MTU of each port in the OSPF link matches.
  • Function – The port's function.
  • Third-party AP Port – A port to which the third-party AP is connected.
  • Router Port – A port that connects to an upstream, next-hop router in the network.
  • VLAN ID – The ID of the VLAN to which the AP is connected.
 
Static Routing

Static IP address – The static IP address that is assigned to the ExtremeWireless Appliance when it is configured for static routing.

Configurable physical properties:
 
OSPF Routing

Routed VNS – If you are planning to deploy a routed VNS, you may need to enable OSPF on the controller. The OSPF option applies only to routed VNS.

  • Router ID – The controller's own IP address is used as its router ID.
  • Area ID of OSPF – ID of the OSPF area. 0.0.0.0 is the main (backbone) area in OSPF.
  • OSPF Authentication Password – If you select Password as the Authentication type, you must provide a password.
 
DHCP service not hosted by controller

Bridge traffic locally at AP – IP assignment is not applicable; all traffic for users in that VNS will be directly bridged by the AP at the local network point of attachment; disabled by default.

Local server – The ExtremeWireless Appliance's local DHCP server is used for managing IP address allocation:
  • Domain Name – The external enterprise domain name server to be used
  • Lease default – The default time limit which dictates how long a wireless device can keep the DHCP server assigned IP address
  • DNS servers – The IP Address of the Domain Name servers to be used
  • WINS – The IP address of the WINS server, if the DHCP server uses Windows Internet Naming Service (WINS)
  • Enable DLS DHCP Option – An application that provides configuration management, software deployment, and licensing for optiPoint WL2 phones; enable it if you expect optiPoint WL2 wireless phone traffic on the VNS.
  • Gateway – The ExtremeWireless Appliance's own IP address in the topology, which is the default gateway for the topology
  • Address Range – The range from which the IP address is distributed across the network.

    Address range from – The start IP address of the range.

    Address range to – The end IP address of the range.

    DHCP Address exclusion – IP addresses to be excluded from this range

  • Broadcast Address – Populated automatically based on the Gateway IP address and subnet mask of the VNS
Use Relay – The ExtremeWireless Appliance forwards DHCP requests to an external DHCP server on the enterprise network:
  • DHCP servers – IP address of the DHCP server to which DHCP discover and request messages are forwarded for clients on this VNS
 
Gateway for installing DHCP service

Gateway – Determine the gateway device for the DHCP service.

  • For a physical topology or bridged@AC, the specified gateway must be a connecting device on the same segment.
  • For a routed topology, the segment is owned by the controller. The controller's interface on the segment is defined as the default gateway (option 3) for the segment.
 
Domain name for devices on this network segment

Domain name – Your organization's domain name.
 
RADIUS Server's IP address

IP address – The IP address of the RADIUS server.
 
SLP DA's IP address

Hexadecimal values of SLP DA's IP address – The Wireless APs use the SLP DA to discover the ExtremeWireless Appliance.

The mobility agents use the SLP DA to discover the mobility manager.

The SLP DA is configured in hexadecimal on the target DHCP server (this element is not provisioned on the controller). The value is configured as option 78 on the segment definitions of the DHCP server that provides the IP addresses of the APs, or that the controller can query to determine the selected SLP DA service in the network. This provisioning is done per such segment.
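As an added example (not from the Extreme Networks guide), the following Python encodes and decodes the data field of DHCP option 78 as RFC 2610 defines it: one mandatory-flag byte followed by the IPv4 address of each Directory Agent, which is the hexadecimal value typed into the DHCP server's option 78 definition. The DA address 192.168.10.1 is a constructed sample, not a deployment value.

```python
"""Encode/decode the data field of DHCP option 78 (SLP Directory Agent, RFC 2610).

The option data is: 1 byte 'mandatory' flag (0 or 1) followed by one or more
IPv4 addresses of Directory Agents, 4 bytes each, network byte order. DHCP
servers that take the option as raw hex expect exactly these bytes.
"""
import ipaddress


def encode_slp_da_option(da_addresses, mandatory=False):
    """Return the option-78 data bytes for the given Directory Agent addresses."""
    if not da_addresses:
        raise ValueError("at least one Directory Agent address is required")
    data = bytearray([1 if mandatory else 0])
    for addr in da_addresses:
        ip = ipaddress.IPv4Address(addr)  # raises on malformed input
        if ip.is_multicast or ip.is_unspecified:
            raise ValueError(f"{addr} is not a usable unicast DA address")
        data += ip.packed                 # 4 bytes, network byte order
    return bytes(data)


def option78_hex(da_addresses, mandatory=False):
    """Hex string to enter in the DHCP server's option 78 field."""
    return encode_slp_da_option(da_addresses, mandatory).hex()


def decode_slp_da_option(data):
    """Parse option-78 data (bytes or hex string); returns (mandatory, [addresses]).

    Validates the layout so a mistyped hex value is caught before the APs try it.
    """
    if isinstance(data, str):
        data = bytes.fromhex(data.replace(":", "").replace(".", ""))
    if len(data) < 5 or (len(data) - 1) % 4 != 0:
        raise ValueError("option 78 data must be 1 flag byte + 4 bytes per DA")
    if data[0] not in (0, 1):
        raise ValueError("mandatory flag must be 0 or 1")
    addrs = [str(ipaddress.IPv4Address(data[i:i + 4]))
             for i in range(1, len(data), 4)]
    return data[0] == 1, addrs


if __name__ == "__main__":
    # Constructed sample: a single DA at 192.168.10.1.
    print(option78_hex(["192.168.10.1"]))       # 00c0a80a01
    print(decode_slp_da_option("00c0a80a01"))   # (False, ['192.168.10.1'])
```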

 
Internet Protocol configuration for DNS service server
  • Static IP address – The DNS server's static IP address.
  • Subnet Mask – Subnet mask of the DNS server's static IP address.
  • Gateway – The DNS server's gateway.
  • ISP's IP address – Your Internet Service Provider's (ISP's) IP address.
  • IP address – The ExtremeWireless Appliance's IP address.
 
Port information for installing IAS on the server
  • Authentication Port – The ExtremeWireless Appliance's port number used to access the IAS authentication service.
  • Accounting Port – The ExtremeWireless Appliance's port number used to access the accounting service.

The values must match what you define in the Auth & Acct tab.

 
Wireless AP properties
  • ExtremeWireless Appliance's Port # – The ExtremeWireless Appliance's Ethernet port to which the Wireless AP is connected.
  • Country – The country where the Wireless AP operates.
  • Serial # – A unique identifier assigned during the manufacturing process of the Wireless AP. When an AP discovers and registers with a controller, its name defaults to its serial number. Tracking the serial number therefore identifies the specific device and helps ensure that location-dependent settings are configured correctly.
  • Hardware version – The current version of the Wireless AP hardware.
  • Application version – The current version of the Wireless AP software.
  • VLAN ID – The ID of the VLAN on which the Wireless AP operates.
 
Next Hop Routing for Routed VNS

An optional configuration element that allows the customer to define an explicit next hop router via which all the segment's traffic should be forwarded. If left unspecified, the traffic is forwarded in accordance with the system's routing table.

  • Next hop IP address – The next-hop IP identifies the target device to which all VNS (user traffic) is forwarded. Next-hop definition supersedes any other possible definition in the routing table.
  • OSPF routing cost – The OSPF cost value is a relative cost indication that allows upstream routers to calculate whether the ExtremeWireless Appliance is the lowest-cost path to reach the devices in a particular network. The higher the cost, the less likely that the ExtremeWireless Appliance is chosen as a route for traffic, unless that ExtremeWireless Appliance is the only possible route for that traffic.
 
VLAN Information for Bridge Traffic Locally at EWC topology

VLAN ID – The VLAN ID to which traffic on the topology is bridged. Wireless users referring to this topology become a natural extension of the VLAN/segment. Traffic from wireless users is tagged with the corresponding ID when bridged to the core.

Port – The name of the L2 port to which the VLAN is mapped.

Interface IP address – The interface's IP address.

Mask – The subnet mask of the topology.

The interface IP address and mask are not required if the controller and AP do not provide L3 services (such as a Captive Portal web page) on the topology/VLAN and are not managed on the VLAN.

An L3 interface is required for several operations, such as:
  • If the topology is to support internal captive portal or guest portal authentication for wireless users. The configuration is optional for an external captive portal.
  • If the topology is to provide DHCP service (local or relay) to the VLAN (includes wireless and wired users).
  • If the topology is to offer access to management functions (SSH, SNMP, HTTPS) to wired or wireless users.
  • If the topology is to offer AP registration.
An L3 interface is not required if:
  • The topology is only expected to provide straight bridging of wireless traffic.
  • The topology is serviced by WLAN services that don't require authentication (NONE) or that use EAP (AAA) authentication.
  • The DHCP server is provided by the infrastructure (VLAN).
 
VLAN ID for Bridge traffic locally at AP topology

VLAN ID – The VLAN ID to which traffic is bridged directly at the AP. The AP tags traffic for users associated with this topology with the specified VLAN ID. The VLAN must be configured/trunked on the switch port to which the AP is connected.
Captive Portal

Will this network segment have a captive portal service? If so, which type of captive portal will be deployed:

  • An external captive portal which is a web server provided by another host in the network that authenticates stations and tells the controller whether the station is authenticated and which policy to apply to it.
  • A Guest Portal captive portal. The controller serves the Guest Portal login page to unauthenticated stations. Station accounts are defined directly on the controller through an interface designed for non-technical users.
  • A Guest-Splash Screen Portal. The controller serves a splash screen web page to unauthenticated users. Users are not considered authenticated until they click a button on the page to acknowledge terms and conditions on the splash screen page. Users are not required to provide a user ID and password to login.
  • Internal Captive Portal. The controller serves the login page on an internal captive portal to unauthenticated stations. The controller collects user IDs and passwords from stations attempting to access the network and forwards them to a configured RADIUS server for authentication.
 
Authentication and Accounting information for captive portal configuration
  • Port – Used to access the RADIUS server. The default for authentication is 1812 and for accounting is 1813.
  • # of Retries – The number of times the ExtremeWireless Appliance attempts to access the RADIUS server.
  • Timeout – The maximum time for which the ExtremeWireless Appliance waits for a response from the RADIUS server before making a re-attempt.
  • NAS Identifier – A RADIUS attribute that identifies the controller to the RADIUS server for purposes of a specific WLAN service. This is optional.
 
Internal Captive Portal, Guest Portal, and Guest splash screen portal settings information
  • Login Page layout – The controller provides a default login page for each internal captive portal, guest portal and guest splash screen portal it serves. The controller contains a web page layout editor that allows the administrator to fully customize the login page with custom layouts, graphics and styles.
  • Replace Gateway IP with FQDN – By default the controller explicitly encodes the IP address of the corresponding topology (from the Non-auth Policy defined by the WLAN service). However, in some cases it is preferable to provide the user with a Fully Qualified Domain Name (FQDN). Ensure that the DNS server is configured to map the corresponding name to the topology's IP address.
  • Default Redirection URL – By default, once the authentication completes, the user is redirected back to the initial web site that was intercepted for redirection to authentication. The customer can provide an explicit override URL to which the user is redirected upon successful authentication.
 
External Captive Portal (ECP) Type

Select the type of captive portal configuration to provide authentication services for the WLAN Service:
  • No captive portal
  • Internal captive portal – The controller provides the web server that operates as the authentication portal. The controller is also responsible for verifying the credentials with a specified RADIUS server.
  • External captive portal – You provide the web server that hosts the authentication website. This option provides the most flexible approach in terms of customization of the authentication service; web server interfaces can provide alternate methods of user authentication, such as payment systems. Alternatively, you provide the web service but rely on the controller to perform the credential authentication via RADIUS.
  • Internal Guest Portal Splash Screen
  • Internal Guest Portal
 
Shared Secret Password for external captive portal configuration

ECP privacy – Whether to require traffic sent between the controller and the external captive portal host to be encrypted and, if so, whether MD5 (Message-Digest algorithm 5) or AES is used.

Password – When using ECP, define a Shared Secret (password) that is used to perform MD5 encryption of sensitive information in the exchange between the authentication server and the controller (such as the credentials exchanged for authentication). This password encrypts the information exchanged between the ExtremeWireless Appliance and the external captive portal server.

 
MAC-based authentication information

See authentication and accounting information.
Exception Filter Rules information

IP/Port – By default, all controller interfaces, including those represented by physical topologies and virtual topologies with L3 presence, are protected by a set of rules that restrict the type of traffic allowed to reach management plane functions. The default set of rules allows only services that are explicitly of use to the controller's operations.

This set of rules protects the controller's management plane from inadvertent access to lower level functions and provides an effective DoS protection layer. The set of rules can, however, be augmented or altogether overridden (not recommended) so that additional services may be exposed or restricted. For example, the default method to allow access to management services is to explicitly enable the "Allow Management" property for the topology. Doing so automatically augments the exception filter rule set to allow administration over HTTPS (5825), SSH (22), or SNMP. An alternative to enabling that checkbox is to manually add the corresponding rules for each required service to the exception rule set. That way you may elect to enable only a subset of the services, or to disable access to one of the services the checkbox would have enabled.