HOW TO Configure Guest & IoT Manager (GIM) in Extreme Control (NAC) for EAP-TTLS Authentication

Objective
Successfully configure Guest & IoT Manager (GIM) for EAP-TTLS authentication in new or existing Extreme Control (NAC) deployments.
Environment
  • Extreme Guest & IoT Manager (GIM)
  • Extreme Control (NAC)
  • All Software Releases
Procedure
Create a Location Group for use with Rules to isolate requests originating from GIM only:
  1. Log into XMC.
  2. Navigate to Control -> Access Control -> Group Editor -> All Groups -> Location Groups.
  3. Click Add.
  4. Type a Name for the group, ex. GIM_LOCATION.
  5. Type a Description for the group, ex. "Requests originating from GIM".
  6. Click Create.
  7. Click Add.
  8. [optional] Type a description for "Entry Description."
  9. Select "List" from the Switches pulldown.
  10. Type the IP address of the GIM appliance.
  11. Select "Any" from the Interface pulldown.
  12. Click Add.
  13. Click Save.

Create a User Group for use with Rules to isolate Anonymous outer-layer authentications from GIM only:
  1. Log into XMC.
  2. Navigate to Control -> Access Control -> Group Editor -> All Groups -> User Groups.
  3. Click Add.
  4. Type a Name for the group, ex. GIM_ANONYMOUS.
  5. Type a Description for the group, ex. "GIM anonymous bypass".
  6. Select Type "User: Username".
  7. Click Create.
  8. Click Add.
  9. Type "Anonymous" for Username.
  10. [optional] Type a description for "Entry Description."
  11. Click Add.
  12. Click Save.

Create the two Rules necessary to authenticate GIM EAP-TTLS outer Anonymous and inner tunnel user authentications:
  1. Log into XMC.
  2. Navigate to Control -> Access Control -> Configurations -> <NAC_config_profile> -> Rules.
  3. Click Add.
  4. Type a Name for the GIM inner-layer rule, ex. "GIM inner".
  5. Select "Management Login" from the Authentication Method pulldown.
  6. Select the configured Location Group (ex. GIM_LOCATION) from the Location Group pulldown.
  7. Select any profile that allows traffic (ex. Default NAC Profile).
  8. Click Save.
  9. Click Add.
  10. Type a Name for the GIM outer-layer rule, ex. "GIM outer" or "GIM anonymous".
  11. Select "Management Login" from the Authentication Method pulldown.
  12. Select the configured User Group (ex. GIM_ANONYMOUS) from the User Group pulldown.
  13. Select the configured Location Group (ex. GIM_LOCATION) from the Location Group pulldown.
  14. Select any profile that allows traffic (ex. Default NAC Profile).
  15. Click Save.

After completing the steps above, enforce the configuration on the NAC appliances so that the changes take effect.
Additional notes
Guest & IoT Manager (GIM) uses EAP-TTLS for authentication of provisioners, both local and LDAP-based. Proper Rules must be provisioned to process EAP-TTLS requests originating from GIM.

This article assumes Extreme Control (NAC) has already been properly configured for LDAP authentication.
This article assumes that Guest & IoT Manager (GIM) Onboarding Templates have been properly configured for Associated LDAP Group matching (Onboarding Template -> Advanced tab).
