How to configure ExtremeCloud Appliance to support RFC 3580 for VLAN Assignment

Objective
How to configure XCA to support RFC 3580 for VLAN Assignment.
Environment
  • XCA
  • Extreme Cloud Appliance
  • Firmware  04.36.01.0097 and higher
  • RFC 3580
  • RADIUS Filter-ID attribute
  • RADIUS Tunnel-Private-Group-ID attribute
  • 802.1x
  • CoA
  • Change of Authentication
  • DAS
  • 3799

 
Procedure
Required Configured Elements:
  • RADIUS server configured to return RADIUS attributes
  • Add RADIUS server under 'Accounts' on XCA
  • Network on XCA configured for RADIUS authentication
  • VLAN(s) created on XCA
  • Policy created on XCA that references required VLAN(s)
  • Rule created on XCA with a location of the SSID in use and an accept policy of 'Pass Through External RADIUS' 
  • Network and Policy applied to Site/Device Profile 
In this example the required configuration will be made to place a client in VLAN 10 based on a RADIUS Tunnel-Private-Group-ID attribute.

**Important: 
  • The RADIUS Tunnel-Private-Group-ID attribute will override the assigned VLAN but currently CANNOT be used to dynamically configure Policy.
  • The Tunnel-Private-Group-ID will override the VLAN but not the policy; therefore, the policy will not change for the client on XCA.
  • If Policy needs to be set dynamically, a Filter-ID needs to be configured on the RADIUS server policy, with the required policy name set as the attribute value.
  • If the RADIUS server sends back a Filter-ID, the VLAN ID can be set at the role level, so it is not required to have Tunnel-Private-Group-ID configured/returned from the RADIUS server.


Add RADIUS server under 'Accounts' on XCA
  1. Click 'Administration>Accounts>RADIUS'
  2. Under RADIUS Servers click 'ADD'
  3. Select RADIUS server from dropdown menu
  4. Enter the NAS IP Address (the IP address of the management Physical interface of the XCA)
  5. Click 'SAVE'


Create a Network
  1. Click 'Configure>Networks>ADD'
  2. Configure Network Name
  3. Configure SSID 
  4. Set Status to Enabled
  5. Choose Auth Type 'WPA2 Enterprise w/RADIUS'
  6. Choose Authentication Method 'RADIUS'
  7. Select Primary RADIUS server
  8. Optionally configure Secondary RADIUS server
  9. Select Default Auth Role (will typically set to Deny Access)
  10. Select Default VLAN (In this case we will be using previously created 'VLAN _3' however the VLAN will be set later dynamically via the RADIUS Tunnel-Private-Group-ID attribute)
  11. Click 'SAVE' 


Configure VLAN
  1. Click 'Configure>Policy>VLANs>ADD'
  2. Name the VLAN
  3. Set the Mode
  4. Set the VLAN ID and specify tagged or untagged (default is untagged, in this example VLAN 10 tagged is being used)
  5. Click 'SAVE'

Create/Configure a Policy Role
  1. Click 'Configure>Policy>Roles>ADD'
  2. Name the Role
  3. Set the Default Action (Allow or Deny)
  4. Select the VLAN previously created in VLAN ID dropdown menu or leave as Use Default VLAN of Network
  5. Optionally configure any L2,L3,L4,L7 rules
  6. Click 'SAVE'


Create a Rule
  1. Click 'OnBoard>Rules>ADD'
  2. Name the Rule
  3. Make sure 'Rule Enabled' is checked
  4. Under Condition>Location Group select the previously created Network [SSID:Network]
  5. Under Action>Accept Policy select 'Pass Through External RADIUS'
  6. Click 'SAVE'

Rule should look similar to the screenshot below:

Example of Rule

Assign Network and Policy to Site/Device Profile
  1. Click 'Configure>Sites>[choose a site]>Device Groups'
  2. Choose an existing Device group or create one
  3. Click on the edit button for 'Profile'
  4. Under 'Networks' check the network that was previously created
  5. Under Roles check the role that was previously created.
  6. Click 'SAVE'

End Results:
  • At this point your end clients should be provided the specified Role configured in either the Network config Default VLAN or the Role config VLAN ID if configured.
  • The VLAN assigned will be based on the RADIUS Tunnel-Private-Group-ID attribute

**Important: 
  • The RADIUS Tunnel-Private-Group-ID attribute will override the assigned VLAN but currently CANNOT be used to dynamically configure Policy.
  • The Tunnel-Private-Group-ID will override the VLAN but not the policy; therefore, the policy will not change for the client on XCA.
  • If policy needs to be set dynamically, a Filter-ID needs to be configured on the RADIUS server, with the required policy name set as the attribute value.
  • If the RADIUS server sends back a Filter-ID, the VLAN ID can be set at the role level, so it is not required to have Tunnel-Private-Group-ID configured/returned from the RADIUS server.
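
To check what the RADIUS server returns before relying on it, the added example below (not Extreme's code, and not a description of XCA's own validation) parses the attribute section of an Access-Accept and reports the VLAN from Tunnel-Private-Group-ID, the role name from Filter-ID, and whether the Tunnel-Type and Tunnel-Medium-Type values that RFC 3580 pairs with the VLAN ID are present. The sample bytes and the role name 'Staff' are constructed for illustration.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID, FILTER_ID = 64, 65, 81, 11
VLAN, IEEE_802 = 13, 6   # values RFC 3580 specifies for the first two attributes

def attr(code, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([code, len(value) + 2]) + value

def parse_attrs(buf):
    """Split a RADIUS attribute section into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError(f"malformed attribute at offset {i}")
        out.append((buf[i], buf[i + 2:i + buf[i + 1]]))
        i += buf[i + 1]
    return out

def rfc3580_result(buf):
    """Return the VLAN override, the Filter-Id role name and any problems found."""
    seen, vlan, role, problems = {}, None, None, []
    for code, value in parse_attrs(buf):
        if code in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            seen[code] = int.from_bytes(value[1:], "big")   # octet 0 is the tag
        elif code == TUNNEL_PRIVATE_GROUP_ID and value:
            # A first octet of 0x1F or less is a tag, otherwise it is part of the string.
            vlan = (value[1:] if value[0] <= 0x1F else value).decode("ascii", "replace")
        elif code == FILTER_ID:
            role = value.decode("utf-8", "replace")
    if vlan is not None:
        if seen.get(TUNNEL_TYPE) != VLAN:
            problems.append("Tunnel-Type is not VLAN (13)")
        if seen.get(TUNNEL_MEDIUM_TYPE) != IEEE_802:
            problems.append("Tunnel-Medium-Type is not IEEE-802 (6)")
        if not (vlan.isdigit() and 1 <= int(vlan) <= 4094):
            problems.append(f"VLAN ID {vlan!r} is not 1-4094")
    return {"vlan": vlan, "role": role, "problems": problems}

# Constructed sample attribute sections (not captured traffic).
GOOD = (attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d") + attr(TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06")
        + attr(TUNNEL_PRIVATE_GROUP_ID, b"10"))
NO_TYPE = attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"10") + attr(FILTER_ID, b"Staff")

if __name__ == "__main__":
    print(rfc3580_result(GOOD))
    print(rfc3580_result(NO_TYPE))
```
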




 