A3 Installation and Usage Guide
No Registration VLAN Version

This document is the Installation and Configuration Guide for the A3 system. It includes installation and usage instructions for A3 version 4.0.0 or later. There are two versions of this manual, one using a registration VLAN and one with no registration VLAN. This is the version for no registration VLAN. Further detailed usage instruction is included in the online help that accompanies the A3 administrative GUI.
Table of Contents (excerpt)
Introduction ..... 1
  Overview ..... 1
  Major Features of A3 ..... 1
  Deployment Modes
Clustering ..... 21
  Cluster Installation ..... 21
  Cluster Operation ..... 22
  Restarting Services
Exclusive Authentication Sources ..... 43
Billing Authentication Sources ..... 43
  AuthorizeNet ..... 43
  Mirapay ..... 43
  PayPal
Rapid7 ..... 74
  Rapid7 Installation ..... 74
  Rapid7 A3 User ..... 74
  A3 Configuration
SMS ..... 94
Devices ..... 95
Connection Profile ..... 95
Testing
Connection Profile ..... 120
Testing E-CWP Access ..... 120
  Null Authentication Test ..... 121
  Use Case 6 Complete ..... 121
Use Case 7: Headless IoT Devices
Internet Explorer Cannot Display the A3 Admin Page ..... 143
Changes Don’t Take Effect ..... 143
The Auditing Tab ..... 144
Getting Started ..... 144
Clients Don’t See Captive Web Portal
Introduction

Overview
A3 provides complete functionality for securing, managing and controlling all devices on your access network – from standard wired and wireless clients, to IoT and BYOD clients. A3 is a mature software system for NAC (Network Access Control) used to control network access for client and IoT devices. It includes a captive portal for registration and remediation, centralized management for wireless and wired networks, and 802.1X support.
Major Features of A3
802.1X Support. 802.1X authentication is supported through the embedded FreeRADIUS software module.
Permanent Registration. A3 automatically determines which client devices have been registered and optionally allows them continued network access without re-authentication. Such registrations can be automatically ended, for example at the end of a school term.
Deployment Modes

Overview
There are several modes of deploying A3 within a network. The deployment mode often dictates the type of A3 Enforcement Modes possible. Two classes of deployment are used with A3 depending on how unregistered clients are isolated prior to authentication:
• Isolation through a registration VLAN. Unregistered clients are associated with a unique VLAN that is not routed beyond the network that connects A3 to access devices.
Layer 3 Across a Routed Network
deployment model may be used with VLAN, Web Auth, and RADIUS enforcement as described in Enforcement Modes.
[Figure: Layer 3 Across a Routed Network. Components: wireless client, access point, access switch, L3 switch/router, A3 (logical). Flows: the client uses DHCP, DNS, HTTP and HTTPS; DHCP and DNS; RADIUS; HTTP/HTTPS to A3. VLANs: Management VLAN, Guest VLAN, Reg/ISO VLANs.]
This deployment mode allows for complete, fine-grained network control and scales better than Layer 2 Hybrid Out-of-Band Deployment mode.
Layer 3 Hybrid Out-of-Band Deployment
1. Define routed networks for interfaces in A3.
2. Set up a DHCP relay on the L3 switch/router connected to A3.
3. Configure firewall rules on the access point or access switch to limit client access to A3 and required services.
An example of a Layer 3 configuration is available in the Initial A3 Configuration chapter.
Inline Deployment
In an inline deployment A3 acts as the router that connects devices to the enterprise's internal networks and the internet. An inline deployment is shown below.
[Figure: Inline Deployment. Components: wireless client, access point, A3. The client uses DHCP, DNS, HTTP and HTTPS. Networks: Management, Access, Registration.]
All devices connect through the A3 server. Unregistered devices connect to A3, which assigns an IP address. Web traffic is directed to the internal CWP while all other traffic is blocked.
Enforcement Modes
A3 may be used with a number of enforcement mechanisms to implement network access control. The techniques described here are:
• Firewall Enforcement - using access device firewall rules, clients use A3’s embedded web portal or other authentication mechanisms. Clients are assigned to distinct networks by the access device.
• WebAuth Enforcement - clients use a captive web portal hosted by A3, a switch or other device.
RADIUS Enforcement
In this mode, the registration process uses A3 as an E-CWP. The client authenticates through the portal, where A3 indicates success or failure, and assigns a new VLAN. Several restrictions apply when used with Extreme Networks equipment:
1. The E-CWP is set up in an access policy in ExtremeCloud IQ. This process is described in Use Case 6: Guest Access with External Captive Web Portal.
2. Only a single ExtremeCloud IQ access policy is applied.
WebAuth (ACL) Enforcement
WebAuth (ACL) enforcement is illustrated in the figure below. In this mode, the switch ACLs (access control lists) restrict initial traffic through the switch and redirect the client to A3 for authentication using a captive web portal. If the authentication is successful, A3 writes new ACLs to the switch that allow appropriate traffic based on the client's role.
Installation

Equipment Requirements
A computer system that meets the following requirements is needed to install and operate A3.
VMware vSphere Hypervisor
VMware vSphere Hypervisor (ESXi) may be used with an x86-based host. ESXi requirements include a host:
1. Running ESXi version 6.0 or higher
2. 4 or more cores
3. 16GB or more RAM
4. 250GB or more storage
Administrative access to an ESXi host is also required.
Download the Software
An OVA file with the A3 software and Linux operating system is available through the Extreme Networks Support Portal. Search for “A3”. Versions of A3 will be highlighted by a symbol.

A3 Installation on VMware ESXi
Note the ESXi resource requirement detailed in Equipment Requirements. The ESXi web management interface is used to initialize a virtual machine and start A3. vSphere-based operation is similar, but not covered here.
7. Click Next to review your settings.
8. Click Finish to start the installation.
9. When the installation is finished, you can navigate to your A3 virtual machine under Virtual Machines to view the VM settings.
10. Click the black box to open the browser console window. If the display appears as below, then A3 has not been assigned a DHCP address from your network and you must set up A3’s basic networking yourself.
   a.
11. The display should appear as below. Note the address shown in that window. This is the IP address assigned to the A3 instance by DHCP from your assigned server or manually in step 10. This will be changed during initial configuration.

A3 Installation on Windows Server 2019 Hyper-V
Note the Hyper-V resource requirement detailed in Equipment Requirements. The Hyper-V Manager is used to install A3.
14. In the Choose Folder to Store Virtual Hard Disks step, select the Browse... button and navigate to a folder to hold the disks. For example, c:\tmp\hyper-v\disks\.
15. Select Next >.
16. In the Completing Import Wizard step, review the settings.
17. Select Finish.
18. The Hyper-V Manager will import the image.
19. When complete, the virtual machine will appear on the main Hyper-V Manager display.
20. Select Edit Disk... from the Actions panel.
48. Back in the main Hyper-V Manager window, right-click on the A3-HYPERV machine and select Connect...
49. In the A3-HYPERV on ... - Virtual Machine Connection window, select Start from the Action menu.
50. The A3 instance will start.
51. If the display appears as below, then A3 has not been assigned a DHCP address from your network and you must set up A3’s basic networking yourself.
   a.
52. The display should appear as below. Note the address shown in that window. This is the IP address assigned to the A3 instance by DHCP from your assigned server or manually in step 10. This will be changed during initial configuration.
Network Topology

Connectivity and Security
A3 interfaces with many connectivity and security devices, as shown below. The pictured components are:
1. Clients - networked devices, including computers, phones, tablets, and headless IoT (Internet of Things) devices. Clients access an organization’s networks through the access network.
2. Access network - one or more devices that serve to connect clients to networks.
5. Firewall - firewalls control connections between networks. They can be used to limit client access to parts of the internal network through VLAN assignment, IP address restriction, or other means. A3 can send user identity information to firewalls to implement single sign-on.
6. Cloud control (ExtremeCloud IQ) - cloud-based control of network devices has become the gold standard for network administration.
Infrastructure Devices
Several other infrastructure devices are critical components of an A3-based system:
• Switches. Switches connect the various network components. Unmanaged switches can be used to connect A3 to other network components, but managed switches are preferred. A managed switch can be used to isolate clients on the registration and isolation networks from any elements that they should not be accessing.
• Routers. Routers connect networks together.
Layer 3 Topology
3 connectivity. Following authentication, one or more other VLANs or firewall rule sets may be used to provide appropriate client access. A3 contains the web-based captive web portal and RADIUS server used during authentication. The client accesses these services using Layer 3 (IP) addressing.
Clustering
A3 clusters provide load balancing and failover. There are some basic rules when using A3 clustering:
• Servers that form a cluster should always be installed using odd numbers, that is 3, 5, 7.
• Servers should not be installed on the same platform. Where possible they should use separate independent power sources and be connected to separate switches.
• Servers must all be on the same LAN segment (layer 2 connectivity).
Cluster Operation
During normal operation network devices send their RADIUS requests to the VIP address of the cluster. The acting A3 master distributes the requests to one of the members. If a cluster member fails, the master stops using that member and sends an alert to the administrator. If the cluster master fails, one of the other members is automatically elected as the new master.
Table of Addresses and VLANs There are many components involved in a robust A3 implementation. Components are characterized by network names, real and virtual IP addresses, netmasks, gateways, VLANs, passwords, and configurations. A3 and many of the other components require configuration by IP addresses rather than symbolic names. Ensure that none of the permanent addresses used are covered by a DHCP range.
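The two checks a practitioner wants before committing the Table of Addresses are the one this paragraph names (no permanent address inside a DHCP range) and the layer 2 rule from the Clustering section (server and VIP on the same segment). The Python below is an added example written for this guide, not Extreme Networks or A3 code; every address, range and subnet in it is constructed for illustration and the duplicate-address check is an extra consistency test, not something the guide specifies.

```python
import ipaddress

# Constructed inventory (not the guide's own table): permanent addresses of the
# components named in the Table of Addresses, keyed by a label.
PERMANENT_ADDRESSES = {
    "A3 server (A)": "10.150.1.10",
    "A3 cluster VIP (B)": "10.150.1.254",
    "Access point": "10.150.1.120",
    "Guest gateway": "10.150.8.1",
}

# Constructed DHCP scopes, one inclusive start..end range per VLAN.
DHCP_RANGES = {
    "Management VLAN": ("10.150.1.100", "10.150.1.250"),
    "Guest VLAN": ("10.150.8.1", "10.150.8.200"),
}

# Constructed subnet of the management VLAN, used for the cluster check.
MANAGEMENT_SUBNET = "10.150.1.0/24"


def in_range(addr, start, end):
    """True when addr lies inside the inclusive DHCP range start..end."""
    ip = ipaddress.ip_address(addr)
    return ipaddress.ip_address(start) <= ip <= ipaddress.ip_address(end)


def find_dhcp_overlaps(permanent, ranges):
    """Return (label, address, scope) for every permanent address a DHCP scope could hand out."""
    return [
        (label, addr, scope)
        for label, addr in permanent.items()
        for scope, (start, end) in ranges.items()
        if in_range(addr, start, end)
    ]


def find_duplicates(permanent):
    """Return addresses that are assigned to more than one component."""
    seen = {}
    for label, addr in permanent.items():
        seen.setdefault(addr, []).append(label)
    return {addr: labels for addr, labels in seen.items() if len(labels) > 1}


def cluster_addresses_on_segment(permanent, subnet, labels):
    """True when every listed cluster address (server and VIP) sits in the same subnet,
    which is the layer 2 adjacency the clustering rules require."""
    net = ipaddress.ip_network(subnet)
    return all(ipaddress.ip_address(permanent[label]) in net for label in labels)


def audit(permanent=PERMANENT_ADDRESSES, ranges=DHCP_RANGES, subnet=MANAGEMENT_SUBNET):
    """Collect human-readable findings; an empty list means the address plan is consistent."""
    findings = []
    for label, addr, scope in find_dhcp_overlaps(permanent, ranges):
        findings.append(f"{label} {addr} is inside the {scope} DHCP range")
    for addr, labels in find_duplicates(permanent).items():
        findings.append(f"{addr} is assigned to more than one component: {', '.join(labels)}")
    if not cluster_addresses_on_segment(permanent, subnet, ["A3 server (A)", "A3 cluster VIP (B)"]):
        findings.append("A3 server and cluster VIP are not on the management subnet")
    return findings


if __name__ == "__main__":
    for line in audit():
        print("FINDING:", line)
```

With the constructed values the audit reports the access point (inside the management scope) and the guest gateway (the first address of the guest scope); fixing either means moving the static address or shrinking the DHCP range.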
Network Implementation
Refer to the following figures when referencing the Addresses and VLANs and Other Values tables. Separate figures are provided for Layer 2 and Layer 3 network topologies.
Table 1: Addresses and VLANs
Key A. Address of the A3 server instance. The A3 server must be assigned to the management VLAN. This address is initially assigned by DHCP or manually during installation and initial configuration. The VIP address (B) is normally used for A3 administration, unless a cluster is in place and the specific server must be accessed.
Key B. Virtual IP address of the A3 cluster.
Initial A3 Configuration

Setup IP Addresses
The initial configuration of A3 sets up some basic networking and naming parameters. In most cases, this guide uses tables and descriptive text to describe configuration. Two different Quick Start Guides perform the same functions, for registration VLAN and no registration VLAN configurations. Here are the steps for initial A3 configuration.
1. Get started. Access A3 with a browser using the URL obtained from the last step of Installation.
9. Link to Cloud. (Highly suggested) The next screen links your A3 instance with ExtremeCloud IQ for configuration and monitoring. Extreme Networks strongly suggests that an account be established and linked to the A3 instance. Beginning with A3 version 4.0.0, licenses are distributed from your cloud account. The use of NAC entitlements is mandatory for all production environments.
Services must be individually restarted on each member of a cluster. Restarting services will disable authentication for a period of time.
5. Press Save. If you have changed the host name or added a domain name, a warning message will prompt you to restart the haproxy-portal service. Press Save again after haproxy-portal has restarted.
6. DNS setup (external configuration). Add an A record for the A3 VIP address to the network’s DNS service.
If the Active Directory should ever fail, it will be impossible for the administrator to log in. As a backup, A3 provides an Admin user in the Users tab of the GUI. The password was automatically generated, but can and should be changed at this juncture:
1. Navigate to Users.
2. Select Admin.
3. Select the Password tab.
4. Enter a new password in the Password field. The same password used during installation might make it easier to remember.
ExtremeCloud IQ Setup
This chapter covers two common configurations of ExtremeCloud IQ for use with A3. Other access devices are configured in similar ways, especially intelligent access points and access controllers. The two configurations covered in this chapter are:
• MAC Authentication
• 802.1X Authentication
This discussion assumes that the ExtremeCloud IQ account discussed in Extreme Networks Requirements has been used to log in to ExtremeCloud IQ.
1. Open Unsecured. Since the SSID will be used for guest access, select Open Unsecured. Clients will not need to enter any credentials to associate with the SSID, nor will any 802.1x credentials be transmitted. Open unsecured also means that data is not encrypted over the air, which is suitable for guest access but not sensitive employee data.
2. MAC Authentication. Select the MAC Authentication tab and enable MAC Authentication.
3. RADIUS Server.
   d. Similarly define additional rules as per the table below in the order indicated.
      Services                        Source IP   Destination IP   Action
      DHCP-Client, DHCP-Server, DNS   any         any              Permit
      HTTP, HTTPS                     any         any              Redirect
      any                             any         any              Deny
   e. Set the Redirecting URL to https://A3-Main.example.com/Aerohive::AP. This invokes A3 when a registering user attempts to reach any web page.
5. Select to save the new user profile.
1.
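The rule table above is evaluated first match wins, so its order is the whole point: DHCP and DNS must be permitted before the client can even obtain an address, web traffic must be redirected to the portal, and the catch-all Deny must come last or it shadows everything above it. The Python below is an added example written for this guide, not Extreme Networks or A3 code, that models that first-match evaluation and checks a rule set for the ordering mistakes a reviewer looks for; the service-to-port map is a constructed assumption for the example.

```python
from dataclasses import dataclass

# Constructed port map for the service names used in the user-profile rules.
SERVICE_PORTS = {
    "DHCP-Client": ("udp", 68),
    "DHCP-Server": ("udp", 67),
    "DNS": ("udp", 53),
    "HTTP": ("tcp", 80),
    "HTTPS": ("tcp", 443),
}


@dataclass(frozen=True)
class Rule:
    services: frozenset   # service names, or {"any"} for a catch-all
    action: str           # "Permit", "Redirect" or "Deny"


# The pre-authentication rule set from the table, in the order it is entered.
PRE_AUTH_RULES = [
    Rule(frozenset({"DHCP-Client", "DHCP-Server", "DNS"}), "Permit"),
    Rule(frozenset({"HTTP", "HTTPS"}), "Redirect"),
    Rule(frozenset({"any"}), "Deny"),
]


def service_for(proto, port):
    """Map a (protocol, port) pair back to a service name, or None if unknown."""
    for name, key in SERVICE_PORTS.items():
        if key == (proto, port):
            return name
    return None


def evaluate(rules, proto, port):
    """First-match evaluation: the first rule whose service set covers the flow decides."""
    service = service_for(proto, port)
    for rule in rules:
        if "any" in rule.services or service in rule.services:
            return rule.action
    return "Deny"   # no explicit catch-all: treat the flow as denied


def check_rule_order(rules):
    """Return ordering problems; an empty list means the set behaves as the table intends."""
    problems = []
    catch_all = [i for i, r in enumerate(rules) if "any" in r.services]
    if not catch_all:
        problems.append("no catch-all Deny rule")
    elif catch_all[0] != len(rules) - 1:
        problems.append(f"catch-all rule at position {catch_all[0] + 1} shadows later rules")
    for name in ("DHCP-Client", "DHCP-Server", "DNS"):
        if evaluate(rules, *SERVICE_PORTS[name]) != "Permit":
            problems.append(f"{name} would be blocked before the client can reach the portal")
    for name in ("HTTP", "HTTPS"):
        if evaluate(rules, *SERVICE_PORTS[name]) != "Redirect":
            problems.append(f"{name} would not be redirected to the captive web portal")
    return problems


def simulate(rules, flows):
    """Evaluate a list of (proto, port) flows, returning the action taken for each."""
    return [(proto, port, evaluate(rules, proto, port)) for proto, port in flows]


if __name__ == "__main__":
    flows = [("udp", 67), ("udp", 53), ("tcp", 80), ("tcp", 443), ("tcp", 22)]
    for proto, port, action in simulate(PRE_AUTH_RULES, flows):
        print(f"{proto}/{port}: {action}")
    # Entering the same rules bottom-up puts the Deny first and breaks registration.
    print("order problems:", check_rule_order(list(reversed(PRE_AUTH_RULES))))
```

Running the checker against the reversed list shows why the guide stresses "in the order indicated": with Deny first, DNS and DHCP never reach their Permit rule and the client cannot be redirected at all.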
3. Enter the name Isolation-Rule in the Name field, click the + symbol, and select RADIUS Attribute.
4. Note that 11_Filter-Id has been preselected. Fill in the Attribute Values field with isolation (g). It is important that the value be entered in this way, since the field is case sensitive and it must match an entry we will make in A3. Click OK and then SAVE.
5. Under Assignment Description click the button to expand both descriptions.
802.1X Authentication
The instructions in this section of the guide explain how to set up ExtremeCloud IQ for 802.1X authentication for use in employee access to a Wi-Fi network. ExtremeCloud IQ will be used to program the access point used in this Active Directory example. There are four major steps:
1. Network Policy. The A3-Corp (a) SSID is defined.
2. Authentication. Enterprise authentication is selected.
3. User Profiles.
   c. NOTE: do not change the Server Type Authentication or Accounting ports from 1812 and 1813, respectively. Fill in the Extreme Networks A3 Server dialog:
      i. Name as A3-RADIUS. Description as desired.
      ii. IP/Host Name: use the + sign to add the A3 VIP address 10.150.1.254 (B) as the Host Name and IP Address.
      iii. Shared Secret as 8AB7tHkP (b). This is used to hash and unhash information exchanged with the A3 server.
      iv. Click SAVE Extreme Networks A3.
      v.
3.
   b. Enter the name A3-Sales-Rule in the Name field, click the + symbol, and select RADIUS Attribute.
   c. Note that 11_Filter-Id has been preselected. Fill in the Attribute Values field with sales (h). It is important that the value be entered in this way, since the field is case sensitive and it must match an entry we will make in A3. Click OK and then SAVE.
   d.
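Two details in the steps above deserve a concrete look: the shared secret entered in the A3 server dialog is what lets the access point verify that an Access-Accept really came from A3 (the Response Authenticator) and what hides the User-Password attribute on the wire, and the Filter-Id value is compared byte for byte, which is why the guide insists on exact case. The Python below is an added example written for this guide, not Extreme Networks, A3 or FreeRADIUS code; the secret, packet identifier and role strings are constructed, and the attribute numbers (2 for User-Password, 11 for Filter-Id, matching the 11_Filter-Id label above) and the MD5 constructions follow RFC 2865.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_PASSWORD, ATTR_FILTER_ID = 2, 11   # RFC 2865 attribute types


def hide_password(password, secret, request_auth):
    """User-Password hiding (RFC 2865 5.2): XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def unhide_password(hidden, secret, request_auth):
    """Reverse of hide_password; a wrong secret yields garbage rather than an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data):
    """Decode a TLV attribute sequence into [(type, value), ...], rejecting malformed lengths."""
    attrs, i = [], 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def build_response(code, identifier, request_auth, attrs, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_auth, secret):
    """Client side: recompute the Response Authenticator with the shared secret and compare."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def filter_id_role(packet):
    """Return the Filter-Id bytes from an Access-Accept; callers compare them exactly, so case matters."""
    for attr_type, value in parse_attributes(packet[20:]):
        if attr_type == ATTR_FILTER_ID:
            return value
    return None


if __name__ == "__main__":
    secret = b"example-shared-secret"          # constructed; not the guide's value
    request_auth = os.urandom(16)              # Request Authenticator chosen by the NAS
    hidden = hide_password(b"correct horse", secret, request_auth)
    print("recovered password:", unhide_password(hidden, secret, request_auth))
    accept = build_response(ACCESS_ACCEPT, 7, request_auth, attribute(ATTR_FILTER_ID, b"sales"), secret)
    print("accept verifies with right secret:", verify_response(accept, request_auth, secret))
    print("accept verifies with wrong secret:", verify_response(accept, request_auth, b"typo"))
    print("role matches 'sales':", filter_id_role(accept) == b"sales", "matches 'Sales':", filter_id_role(accept) == b"Sales")
```

The Response Authenticator binds the reply to the specific request (through the Request Authenticator) and to the secret, so a reply forged or replayed without the secret fails `verify_response`; the Filter-Id comparison is plain byte equality, which is exactly why `sales` and `Sales` would map to different roles in A3.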
Authentication Methods
A3 uses a number of technologies to authenticate users. Its authentication methods are divided into four broad categories:
• External Authentication Sources
• Internal Authentication Sources
• Exclusive Authentication Sources
• Billing Authentication Sources
A description of the authentication technologies is included at the end of the chapter. This chapter also discusses:
• 802.1X
• EAP and X.509 Certificates
• Social login - any of a number of social media sites are used to authenticate the client. Social media technology is described in Social Login Authentication Technology. Clients are directed to log in to the social media site if they have not already done so. Their authentication information is returned to A3. The A3 administrator must pre-configure access on the social media site to obtain several security parameters.
1. Create an App; the URI for the Callback URL field should be https://<A3-CWP-host>/oauth2/callback, where <A3-CWP-host> should be the A3's CWP, or other location if it is hosted elsewhere. This same value is entered into the Portal URL field in A3. This should be the same name as found in Configuration > System Configuration > General.
2. The Github API site will provide the App ID and App Secret fields.
2. The LinkedIn API site will provide the App ID and App Secret fields.
OpenID API Registration
The OpenID API registration is located at http://openid.net/connect along with information on how to create your own host or get one from a provider.
1. Create your App; the URI for the Portal URL field should be https://<A3-CWP-host>/oauth2/callback, where <A3-CWP-host> should be the A3's CWP, or other location if it is hosted elsewhere.
Internal Authentication Sources
Internal authentication sources are methods over which the organization deploying A3 has control. Only internal authentication sources may be used for 802.1x/EAP authentication. The sources that are available are:
• Active Directory (AD) / LDAP - uses an LDAP compatible directory, including Windows Active Directory, for identity and group information.
Exclusive Authentication Sources
When used, exclusive authentication sources must be the only authentication source used in a connection profile. Several authentication sources are included in the exclusive category:
• AdminProxy - an authentication mechanism used in Microsoft systems for administrator single sign-on.
• Blackhole - an authentication mechanism that denies authentication for the client.
PayPal
Use the following guidelines to create a Sandbox account:
1. Registration for use of the PayPal authentication API is located at https://developer.PayPal.com/.
2. Click Accounts in the Sandbox menu.
3. Create an account that has the type Personal and one that has the type Business.
4. Go back to Accounts and expand the Business account, then click Profile.
5. Change the password and make a note of it.
6.
802.1X
802.1X RBAC (Role-based Access Control) authenticates users and their devices with information provided by device-resident supplicant software. This information is matched against internal databases such as AD. 802.1X protocols define the way in which the components talk to each other. A variety of encryption techniques are used to ensure the security of 802.1X protocol messages, including EAP (Extensible Authentication Protocol). EAP variants are covered in EAP and X.509 Certificates.
• Generic APs: APs may require the use of a separate Wi-Fi controller that performs authentication in addition to AP control.
• Enterprise switches: An advanced wired network switch can also be an authenticator.
Authentication Servers
Depending on the type of authentication you use, a number of servers may be involved. At a minimum they include:
• A3: the A3 server acts as a proxy for access to the other authentication servers.
• Server Certificate: uniquely identifies the RADIUS server as an authorized part of an entity. Server certificates also provide the public key used to encrypt communications with the authentication server. Clients request this certificate as part of an EAP exchange to ensure that they are talking to the correct server. The server certificate is signed by a Root CA (Certificate Authority), described below.
Social Login Authentication Technology
A3 works with a number of social media web sites using the OAuth2 protocol defined in RFC 6749 - The OAuth 2.0 Authorization Framework. These social media sites include Facebook, Github, Google, Instagram, Kickbox, Linkedin, OpenID, Pinterest, Twilio, Twitter, and WindowsLive.
Key / Usage / Example Assignment
4. Access Token Request. A3 requests an access token that is used to retrieve the user's information. Configured in A3 as:
   • API URL
   • API Token Path: a sub-location within the API URL used for token access
   • API ID
5. Access Token Grant. The response to the access token request containing the access token.
6. Access Token. A3 presents the access token along with a request for user information.
7. User Information.
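The exchange in the table (sign-in at the provider, redirect back to the /oauth2/callback URL registered in the App, access token request authenticated with the App Secret, token grant, user information) is easier to reason about with both sides written out. The Python below is an added example written for this guide, not Extreme Networks or A3 code and not any provider's SDK: it is a mock provider and a mock portal client exchanging the messages in memory, with the state value and the single-use code checks that a defender expects at the callback. The App ID, App Secret, portal host name and user record are constructed.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class MockProvider:
    """Stand-in for the social site's authorization, token and user-info endpoints (constructed)."""

    def __init__(self, app_id, app_secret, user_record):
        self.app_id, self.app_secret, self.user = app_id, app_secret, user_record
        self._codes = {}    # one-time authorization code -> redirect_uri it was issued for
        self._tokens = {}   # access token -> user record

    def authorize(self, client_id, redirect_uri, state):
        """Steps 1-3: the user signs in at the provider, which redirects back with a code and the state."""
        if client_id != self.app_id:
            raise ValueError("unknown client_id")
        code = secrets.token_urlsafe(16)
        self._codes[code] = redirect_uri
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, client_id, client_secret, code, redirect_uri):
        """Steps 4-5: access token request and grant; the App Secret authenticates the client."""
        if client_id != self.app_id or not hmac.compare_digest(client_secret, self.app_secret):
            return {"error": "invalid_client"}
        if self._codes.pop(code, None) != redirect_uri:   # code is single-use and bound to the URI
            return {"error": "invalid_grant"}
        token = secrets.token_urlsafe(24)
        self._tokens[token] = self.user
        return {"access_token": token, "token_type": "Bearer"}

    def userinfo(self, access_token):
        """Steps 6-7: present the token, receive the user information."""
        return self._tokens.get(access_token)


class PortalClient:
    """The A3 side of the exchange: holds the App ID/App Secret and the /oauth2/callback URL."""

    def __init__(self, provider, app_id, app_secret, portal_host):
        self.provider, self.app_id, self.app_secret = provider, app_id, app_secret
        self.callback = f"https://{portal_host}/oauth2/callback"
        self._pending_states = set()

    def start_login(self):
        """Send the client to the provider with a fresh state value bound to this login attempt."""
        state = secrets.token_urlsafe(16)
        self._pending_states.add(state)
        return self.provider.authorize(self.app_id, self.callback, state)

    def finish_login(self, redirected_url):
        """Handle the callback: reject unknown or replayed state, then exchange the code for a token."""
        query = parse_qs(urlparse(redirected_url).query)
        state = query.get("state", [None])[0]
        if state not in self._pending_states:
            return None
        self._pending_states.discard(state)
        grant = self.provider.token(self.app_id, self.app_secret, query.get("code", [""])[0], self.callback)
        if "access_token" not in grant:
            return None
        return self.provider.userinfo(grant["access_token"])


def run_login(app_secret_on_portal="s3cret-app-secret"):
    """Drive one complete login; returns the user record, or None when any step is refused."""
    provider = MockProvider("app-123", "s3cret-app-secret", {"email": "guest@example.com"})
    portal = PortalClient(provider, "app-123", app_secret_on_portal, "a3.example.com")
    redirect = portal.start_login()
    return portal.finish_login(redirect)


if __name__ == "__main__":
    print("correct App Secret:", run_login())
    print("mistyped App Secret:", run_login("wrong-secret"))
```

A mistyped App Secret fails at step 4 with `invalid_client` rather than at sign-in, and a callback URL that is replayed or arrives with an unknown state is dropped before any token request is made; both are the failure modes an administrator is most likely to hit when wiring a new App into A3.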
A3 Configuration Flow

Overview
There are seven key elements to a working A3 authentication configuration. The figure below illustrates the general layout and suggested configuration order of ExtremeCloud IQ and A3 elements.
[Figure: configuration order. ExtremeCloud IQ configuration: 1 SSID. A3 configuration: 2 Roles, 3 Domains, 4 Realms, 5 Authentication Sources, 6 Devices, 7 Connection Profiles. Arrows in the figure indicate dependencies.]
Either five or seven steps are required to configure ExtremeCloud IQ and A3 for authentication.
Guest Access Configuration Example
This example uses an Extreme Networks AP connected to an A3 server to allow guest access to the internet, but not internal networks. The authentication methods in this example are supported by the captive web portal hosted on the A3 server:
1. Null (no user authentication, presents the user with an Acceptable Use Policy)
2. SMS message
3. Email message
The configured elements are pictured below.
802.1X Configuration Example
those in the Marketing group are attached to VLAN 8. The configured elements are pictured below.
4. Devices. Configure devices to tie the roles to the RADIUS attribute returned to each device, based on the IP address of each device. Select Role by Device Role to map the A3SalesRole to the sales RADIUS attribute and the A3MktgRole to the mktg attribute.
5. Connection Profile.
Certificates and PKI

Overview
Certificates are blocks of data used as part of a network communications technique that ensures authentication and encryption of data. Certificates are issued and signed by CAs (certificate authorities). A list of well-known and trusted CAs is often included in operating system releases. The list below, for example, is from a Windows 10 system:
Other CAs can be created that are trusted by these CAs, or other CAs.
Public and Private Keys
Public and private keys are associated with certificates. Keys are blocks of data, usually 2048 bits or longer in length. They can be generated by CAs, and are always generated in pairs. The intent is that private keys are kept on the client machine in a secure repository, while public keys are attached to certificates.
A3 Certificate Usage
It is a very good idea to do this before creating a cluster. A restart is required after certificates are installed in order to make them effective. A3 uses two types of certificates:
• SSL/HTTPS certificate. This type of certificate is issued for the A3 host and offered to clients connecting to its web services: A3 administration, client registration, and A3 sponsor approval.
• RADIUS certificate.
Use the following steps to obtain a Let’s Encrypt certificate:
Services must be individually restarted on each member of a cluster. Restarting services will disable authentication for a period of time.
1. Navigate to Configuration > System Configuration > SSL Certificates.
2. Select
3. Select the HTTPS tab.
4. Ensure that Use Let’s Encrypt is enabled.
5. Enter the externally accessible FQDN of the A3 VIP (A3-Main(c).example.
• Certificate Authority Web Enrollment with all required features.
• Online Responder with all required features.
• Network Device Enrollment Service.
The following steps can be used to set up A3 for use with an MS AD CS for EAP-TLS authentication.
1. Navigate to System Configuration > SSL Certificates > RADIUS.
2. Select
3. Enter appropriate values for your organization:
   b. Log in with your administrator credentials for the certificate server.
   c. Select Request a certificate.
   d. Select advanced certificate request.
   e. Paste the previously copied CSR from the clipboard, select Web Server from the list of Certificate Templates, and press Submit>.
   f. Choose Base 64 encoded and select Download certificate.
   g. Find the downloaded file in your operating system and rename it to a3-cert.pem.
   h.
7. The MS CA is also used to install the certificate for the CA itself. Continuing from the previous step:
   a. Select certificate.
Services must be individually restarted on each member of a cluster. Restarting services will disable authentication for a period of time.
13. Select
14. Restart all A3 services by navigating to Status > Services and selecting

PKI Provider
A PKI provider must be defined to interface with the MS AD CA.
1. Navigate to Configuration > Advanced Access Configuration > PKI Providers.
2. Select > SCEP PKI.
3. Fill in the form as suggested below.
   Field: PKI Provider Name. Usage: A name for the provider.
   Field: URL. Usage: The URL for the SCEP service for the PKI Provider. The URL must end in a forward slash.
   Field: EAP Type. Usage: The EAP type to be used with the SSID. This should be left blank for no EAP. Note that this field will not appear until Security Type is set to WPA2. Example: EAP-TLS.
   Field: PKI Provider. Usage: The name of the PKI provider to be used by the provisioner. Example: MSPKI.
4. Select
Portal Modules
A3’s CWP (captive web portal) is used to authenticate users and their devices to the network through a set of web pages. The captive web portal may be customized for each Connection Profile. There are two principal locations where the captive web portal is specified: in Configuration > Policies and Access Control > Connection Profiles and in Configuration > Advanced Access Configuration > Portal Modules.
Connection Profile Settings
Two particular settings are significant:
• Root Portal Module: the name of a root module in the Portal Module configuration. This refers to the top of the tree for the Connection Profiles.
• Logo: the name of the file in the file system where the organization's logo is found. The logo file is displayed at the top of most authentication pages.
• default_provisioning_policy - a module intended to provide provisioning actions for clients. The operation(s) performed are defined in Actions associated with the module. In the default case, there are no Actions defined, so this is just a placeholder.
• Choice. Allows clients to choose between selected chained, authentication, and provisioning modules. The order of modules in the list dictates the order of the modules as presented to clients.
• Internal sources: ADSource, EAPTLSSource, HtpasswordSource, HTTPSource, LDAPSource, PotdSource, RADIUSSource, and SAMLSource
• External sources: EmailSource, NullSource, SMSSource, and SponsorEmailSource
• Social login sources: OAuthSource (all of the following), FacebookSource, GithubSource, GoogleSource, InstagramSource, KerberosSource, KickboxSource, LinkedInSource, OpenIDSource, PinterestSource, TwilioSource, TwitterSource, WindowsLiveSource
• Autho
As a side note, the authentication type shown to a registering client is dictated by the Description field of the portal module. For example, the Description field of the null portal module is initially configured as Null Source; a more user-friendly setting might be Free Wi-Fi.
The organization of modules to accomplish this can be envisioned as below. Use the following steps to accomplish the desired layout.
1. Defining portal modules from the bottom up, first define a new Anonymous authentication choice module by cloning the default_guest_policy:
a.
f. Select .
2. Create a Register module by cloning the Anonymous module, with the following changes:

Field | Usage | Setting
Name | Name of the module. |
Description | Further description. |
Sources by Class | A list of possible sources, by class, used in the order specified. See Source by Options for a list. |

3. Create a new login portal module by cloning the default_login_policy.
a. Select Username/password login from the Login category.
b.
d. Select .
5. Create a new Root module to tie to the Connection Profile.
a. Select .
b. Fill in the page with the following contents:

Field | Usage | Setting
Name | Name of the module. | GuestRoot
Description | Further description. | Guest Root
Modules | The modules to use, in order. | GuestRegistration

c. Select .
6. Navigate to Configuration > Policies and Access Control > Connection Profiles.
7. Select the Guest_Profile profile from the list.
8.
3. Create a new Root module to tie to the Connection Profile.
a. Select .
b. Fill in the page with the following contents:

Field | Usage | Setting
Name | Name of the module. | Custom_Root
Description | Further description. | Custom Root Module
Modules | The modules to use, in order. | default_login_policy, SMS_Module

The default login policy checks all configured databases (local/LDAP).

c. Select .
4.
Security Events and Scan Engines In pre-V3.0 versions of A3 security events were known as violations. Security events are configured by accessing Configuration > Compliance > Security Events. Security events can detect and handle a wide variety of normal and abnormal conditions.
• DHCP Vendors - DHCP software vendors and versions
• DHCPv6 Fingerprints - known combinations of DHCPv6 options used by clients
• DHCPv6 Enterprises - known DHCPv6 enterprises (like DHCP vendors)
• MAC Vendors - known MAC vendors, by OUI (organizationally unique identifier)
• User Agents - user agent strings sent by the client's browser
• Combinations - user-defined combinations of Fingerprint specifications
• Client Change Detection
It is important to get the correct scan config ID and NBE report format ID to populate the parameters in the A3 configuration file. The easiest way to get these IDs is to download both the scan configuration and the report format from the OpenVAS web UI and read the IDs from the file names. For example, report-format-f5c2a364-47d2-4700-b21d-0a7693daddab.xml gives the report format ID f5c2a364-47d2-4700-b21d-0a7693daddab. A3 imposes the following requirements:
1.
A3 Configuration

Scan Engine Definition

Configure a new scan engine for Rapid7:
1. Navigate to Configuration > Compliance > Scan Engines.
2. Click and select Rapid7.
3. Fill in the following fields:

Field | Value
Name | Rapid7
Host Name or IP Address | Rapid7ServerIP
User Name | User name defined in Rapid7 A3 User.
Password | Password defined in Rapid7 A3 User.

The remaining fields on the form (values not reproduced here) are Verify Host Name, Roles, OS, Scan Before Registration, Scan on Registration, and Scan After Registration.
Microsoft WMI (Windows Management Instrumentation)

WMI can be used on Windows PCs that have been joined to the domain to scan for violations and suspect conditions. A3's interface maps any violations found to security events. WMI must be enabled on each Windows device with a GPO (Group Policy Object) in Active Directory. Multiple steps are required to use WMI with A3 for each security event.
Security Events

The key components of a security event are:
• Event Triggers - control when a security event is invoked
• Event Actions - what to do when the event is triggered

Event Triggers

A security event can use multiple individual triggers, any of which can invoke it. Each trigger has four components: client, client profiling, data usage, and event. For example, the trigger definition shown in the figure specifies four possible conditions, any of which can invoke the event.
Execute Scripts must be downloaded to each cluster member using root access. Contact support for assistance.
OpenVAS

Description | Trigger | Action | Required to be Useful
OpenVAS Scan | Any of a number of OpenVAS violations. | Client is placed back into the Registration network and an email is sent to the administrator. | OpenVAS scan engine definition.

WMI Related

Description | Trigger | Action
Telnet Scan | WMI event | Client is placed into the Isolation network and an email is sent to the administrator.
Remote Desktop Scan | WMI event | Client is placed into the Isolation network and an email is sent to the administrator.
Device Isolation Policy

Description | Trigger
MAC Vendor isolation example | Any device with MAC OID of 29. Refer to Configuration > Compliance > Devices for a description.
Ancient OS isolation example | Three old versions of Windows, plus two device numbers.
MAC isolation example | Devices that have a MAC address starting with 01:23:45.
Bandwidth Limit example | More than 20GB within a month.
Suspicious Behavior or Conditions

Description | Trigger | Action
Rogue DHCP | Rogue DHCP request. | Client is placed into the Isolation network and an email is sent to the administrator.
Connection transport change | Client changed their connection type, e.g. wired to wireless. | Client is placed into the Isolation network and an email is sent to the administrator.
Provisioning

Provisioning plays an important part in proper client configuration. Provisioners are executed as part of Connection Profile operation during the authentication process. Provisioners deliver configuration information to clients or verify a device's management status with third-party MDM (mobile device management) solutions. On-device agents deliver wireless network settings to client devices; the required functions are built into iOS-based Apple devices.
• Accept: accepts clients (filtered on role and OS) without any further provisioning
• Deny: denies clients based on role and OS
• Interfaces: connect to third-party provisioners and MDMs
• Roles: the list of all possible roles. Each provisioner has an optional set of roles to use as a filter. Client roles are set as part of authentication as described in Configuration > Policies and Access Control > Authentication Sources.
3.
b. Select App registrations.
c. Select New registration.
4. On the Register an application form, enter:
a. A3, or some other name, in the Name field.
b. Select Accounts in this organizational directory only (company name).
c. Select Done.
On the following form, entitled with the Name from above:
a. Copy the following values, which will be used to configure A3: Application (client) ID, Directory (tenant) ID, and Object ID.
b. Select Certificates & secrets.
c.
3.
b. Note the client key and client secret.
c. Obtain an install URL by clicking +Devices, then Enable Metadefender Endpoint client on another device, then Download or send link for guest Metadefender Endpoint clients.
d. Note the URL at the bottom of the screen.
4. Generate an OAuth2 access and refresh token:
a. Access the web page at https://gears.opswat.com/o/oauth/authorize?client_id=&response_type=code&redirect_uri=http://10.150.1.
Firewall Integration

A3's firewall integration informs firewalls which client is using a particular IP address. The firewall can use this information to apply per-user or per-role policies, effectively establishing single sign-on.
Verification

SSH to the Barracuda NG system and type the command:

acpfctrl auth show

The response should be similar to:

[root@baracudafw:~]# acpfctrl auth show
1 entries
172.20.20.152/0 origin=A3 service=A3 user=Jdoe

Checkpoint

Setting up the Checkpoint Firewall

Enable Identity Awareness

To enable Identity Awareness on the Checkpoint Security Gateway:
1. Navigate to the SmartDashboard.
2. From the Network Objects tree, expand the Check Point branch.
3.
Configure RADIUS Accounting

1. In the Check Point Gateway window > Identity Awareness panel, click Settings to the right of the RADIUS Accounting option.
2.
2. Fill in the form as per the following:

Field | Value
Name | RSSO_group
Type | RADIUS Single Sign-On (RSSO)
RADIUS Attribute Value | Employee (to match the A3 Role)

3. Click OK.

Configure the Endpoint Attribute

Change the endpoint attribute to User-Name via the CLI:

config user radius
    edit RSSO_agent
        set rsso-endpoint-attribute User-Name
end

Activate Accounting Listening

1. Navigate to System > Network > Interfaces.
2. Select the interface that will communicate with A3.
3.
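Both the Check Point and the FortiGate integrations above work by having the firewall listen for RADIUS accounting messages, so it helps to see what one of those messages contains and how the receiver decides to trust it. The following is an added example, not A3's or either vendor's code: it builds a RADIUS Accounting-Request (RFC 2866) carrying the User-Name, Framed-IP-Address and Class attributes that the RSSO group matches on, computes the Request Authenticator, and shows the verification and attribute decoding a firewall performs before it maps the user to the IP. The shared secret, user name, IP, MAC and session ID are constructed sample values.

```python
"""Build and verify a RADIUS Accounting-Request (RFC 2866), the message type that
Check Point Identity Awareness and FortiGate RSSO consume to learn which user
holds which IP.  Added example, not A3 code; all values are constructed."""
import hashlib
import hmac
import socket
import struct

ACCT_REQUEST = 4
# Attribute type codes (RFC 2865 / RFC 2866).
ATTR = {
    "User-Name": 1,
    "Framed-IP-Address": 8,
    "Class": 25,
    "Calling-Station-Id": 31,
    "Acct-Status-Type": 40,
    "Acct-Session-Id": 44,
}
ATTR_NAMES = {v: k for k, v in ATTR.items()}
ACCT_START, ACCT_STOP = 1, 2


def _avp(name: str, value: bytes) -> bytes:
    """Type-Length-Value encoding; the length byte counts its own 2-byte header."""
    if len(value) > 253:
        raise ValueError(f"{name} too long for one attribute")
    return struct.pack("!BB", ATTR[name], len(value) + 2) + value


def build_acct_request(secret: bytes, ident: int, status: int, user: str,
                       ip: str, mac: str, session_id: str, role: str) -> bytes:
    attrs = b"".join([
        _avp("User-Name", user.encode()),
        _avp("Framed-IP-Address", socket.inet_aton(ip)),   # raises on a malformed IP
        _avp("Calling-Station-Id", mac.encode()),
        _avp("Acct-Status-Type", struct.pack("!I", status)),
        _avp("Acct-Session-Id", session_id.encode()),
        _avp("Class", role.encode()),   # the attribute an RSSO group can match on
    ])
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    # RFC 2866 section 3: Request Authenticator =
    #   MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_acct_request(secret: bytes, packet: bytes) -> bool:
    """What the receiving firewall must check before trusting the user/IP mapping."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])   # constant-time compare


def parse_attributes(packet: bytes) -> dict:
    """Decode the AVPs; a length below 2 would otherwise loop forever, so it is rejected."""
    out, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        raw = packet[pos + 2:pos + alen]
        name = ATTR_NAMES.get(atype, f"Attr-{atype}")
        if name == "Framed-IP-Address":
            if len(raw) != 4:
                raise ValueError("Framed-IP-Address must be 4 octets")
            out[name] = socket.inet_ntoa(raw)
        elif name == "Acct-Status-Type":
            if len(raw) != 4:
                raise ValueError("Acct-Status-Type must be 4 octets")
            out[name] = struct.unpack("!I", raw)[0]
        else:
            out[name] = raw.decode("utf-8", "replace")
        pos += alen
    return out


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    pkt = build_acct_request(secret, 7, ACCT_START, "Jdoe", "172.20.20.152",
                             "00:08:ca:e1:da:21", "sess-0001", "Employee")
    print(verify_acct_request(secret, pkt), parse_attributes(pkt))
```

The Request Authenticator is the only integrity protection on an accounting message, and it depends entirely on the shared secret, so a firewall that accepts accounting from any source with a weak or widely shared secret can be fed arbitrary user-to-IP mappings; restrict the listener to A3's address and use a long random secret.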
JSON-RPC

The JSONRPC module shipped with A3 is a generic firewall SSO module for use with Linux or BSD firewalls that do not ship with a vendor-specific SSO interface. A simple JSON-RPC server written in Python that is compatible with this specification and creates ipsets based on the SSO information provided by A3 can be found at https://github.com/tribut/ipset-rpcd. Because the receiver changes firewall policy on A3's word alone, it should accept requests only from A3 and only over an authenticated, encrypted channel.
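To make the receiving side of this integration concrete, the following is an added example in the spirit of ipset-rpcd; it is not A3's code and not ipset-rpcd's. The assumptions are labelled: the methods are named Start and Stop and carry user, mac, ip, role and timeout, accepted here either as a JSON object or as a flat key/value list, and one ipset exists per role, named after the role. The ipset commands are returned as argv lists instead of being executed, so the module runs offline; a real daemon would hand them to subprocess.run() without a shell, which is why the role is validated before it can become a set name.

```python
"""Firewall-side receiver for a generic JSON-RPC 2.0 firewall SSO feed.
Added example, not A3 or ipset-rpcd code.  Method names and parameter
shapes are assumptions (see lead-in); commands are returned, not executed."""
import ipaddress
import json
import re

ROLE_RE = re.compile(r"^[A-Za-z0-9_-]{1,31}$")   # keep ipset names short and boring
PARSE_ERROR, INVALID_REQUEST, METHOD_NOT_FOUND, INVALID_PARAMS = -32700, -32600, -32601, -32602


class RpcError(Exception):
    def __init__(self, code: int, message: str):
        super().__init__(message)
        self.code, self.message = code, message


def _params_to_dict(params) -> dict:
    """Accept {"user": ...} or ["user", "jdoe", "ip", ...] (assumed wire shapes)."""
    if isinstance(params, dict):
        return params
    if isinstance(params, list) and len(params) % 2 == 0:
        return dict(zip(params[0::2], params[1::2]))
    raise RpcError(INVALID_PARAMS, "params must be an object or a flat key/value list")


def _validated(p: dict) -> dict:
    """Reject anything that could not safely reach an ipset command line."""
    try:
        ip = str(ipaddress.ip_address(p["ip"]))
    except (KeyError, ValueError, TypeError):
        raise RpcError(INVALID_PARAMS, "ip missing or not an IP address")
    role = str(p.get("role", ""))
    if not ROLE_RE.match(role):
        raise RpcError(INVALID_PARAMS, "role is not a safe ipset name")
    try:
        timeout = int(p.get("timeout", 0))
    except (TypeError, ValueError):
        raise RpcError(INVALID_PARAMS, "timeout must be an integer")
    if timeout < 0:
        raise RpcError(INVALID_PARAMS, "timeout must be >= 0")
    return {"user": str(p.get("user", "")), "ip": ip, "role": role, "timeout": timeout}


class SsoReceiver:
    def __init__(self):
        self.sessions = {}   # ip -> validated params of the current mapping

    def start(self, p: dict) -> list:
        cmds = []
        old = self.sessions.get(p["ip"])
        if old and old["role"] != p["role"]:
            # The IP moved to another role: remove the stale membership first.
            cmds.append(["ipset", "-exist", "del", old["role"], p["ip"]])
        cmd = ["ipset", "-exist", "add", p["role"], p["ip"]]
        if p["timeout"]:
            cmd += ["timeout", str(p["timeout"])]
        cmds.append(cmd)
        self.sessions[p["ip"]] = p
        return cmds

    def stop(self, p: dict) -> list:
        self.sessions.pop(p["ip"], None)
        return [["ipset", "-exist", "del", p["role"], p["ip"]]]

    def handle(self, raw: str) -> dict:
        """Process one JSON-RPC 2.0 request body and always return a response object."""
        req_id = None
        try:
            try:
                req = json.loads(raw)
            except ValueError:
                raise RpcError(PARSE_ERROR, "invalid JSON")
            if not isinstance(req, dict) or req.get("jsonrpc") != "2.0":
                raise RpcError(INVALID_REQUEST, "not a JSON-RPC 2.0 request")
            req_id = req.get("id")
            method = {"Start": self.start, "Stop": self.stop}.get(req.get("method"))
            if method is None:
                raise RpcError(METHOD_NOT_FOUND, "unknown method")
            cmds = method(_validated(_params_to_dict(req.get("params", {}))))
            return {"jsonrpc": "2.0", "id": req_id, "result": {"commands": cmds}}
        except RpcError as e:
            return {"jsonrpc": "2.0", "id": req_id, "error": {"code": e.code, "message": e.message}}
```

Feeding the receiver a Start whose role is "guest; rm -rf /" yields a -32602 error rather than a shell command, and a second Start for an IP that has changed role removes the old set membership before adding the new one, so a re-authenticated user does not keep the previous role's access.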
Palo Alto

The integration between A3 and a Palo Alto Networks firewall requires PAN-OS 6.0 or higher on the firewall. This section describes how to set up A3 to communicate the identity of authenticated clients to a Palo Alto Networks firewall. This allows the firewall to create identity-based security rules instead of subnet/VLAN/host-based rules.
A3 Configuration

Assuming that the host name of the Palo Alto firewall is pafw and the name of the default realm is default, configure the A3 SSO definition as follows:
1. Generate the token (secret or key) using the following URL: https://pafw/api/?type=keygen&user=[xmlapiaccount]&password=[password], where [xmlapiaccount] and [password] are as defined in Create PA XML API User Account. Note that this form places the account password in a URL query string, which browser history and proxy or web-server logs will record; the same parameters can be sent in the body of an HTTPS POST instead. Treat the returned API key as a credential with the same sensitivity as the password.
2. Navigate to Configuration > Integration > Firewall SSO.
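The identity mapping itself is delivered to PAN-OS as a User-ID XML API message (a type=user-id call). As an added example, not A3's code, the following builds that message for one or more login and logout entries, refuses malformed IPs and user names before they reach the firewall, lets the XML library escape the user name so a crafted account name cannot break the attribute, and prepares the HTTPS POST with the key in the X-PAN-KEY header rather than in the URL. The host name pafw, the users, the IPs and the API key are constructed; the request is prepared, not sent.

```python
"""Build and prepare a PAN-OS User-ID XML API message mapping users to IPs.
Added example, not A3 code.  Hosts, users, IPs and the key are constructed."""
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlencode


def build_uid_message(logins, logouts=(), timeout_minutes=60) -> bytes:
    """Return a <uid-message> with <login>/<logout> entries.  ElementTree escapes
    attribute values, so a name such as CORP\\o'brien<x> stays inside its attribute."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for tag, entries in (("login", logins), ("logout", logouts)):
        if not entries:
            continue
        section = ET.SubElement(payload, tag)
        for user, ip in entries:
            ip = str(ipaddress.ip_address(ip))   # ValueError on anything that is not an address
            if not user or any(ch.isspace() for ch in user):
                raise ValueError(f"refusing user name {user!r}")
            attrs = {"name": user, "ip": ip}
            if tag == "login":
                attrs["timeout"] = str(int(timeout_minutes))
            ET.SubElement(section, "entry", attrs)
    return ET.tostring(root, encoding="utf-8")


def prepare_request(host: str, api_key: str, uid_xml: bytes):
    """Return (url, headers, body) for an HTTPS POST to the XML API.  The key is
    sent in the X-PAN-KEY header and the message in the form body, so neither
    lands in query strings that proxies and web-server logs record."""
    url = f"https://{host}/api/"
    headers = {"X-PAN-KEY": api_key, "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"type": "user-id", "cmd": uid_xml.decode("utf-8")})
    return url, headers, body


def parse_uid_message(uid_xml: bytes) -> dict:
    """Decode a message back into {"login": [(name, ip), ...], "logout": [...]}."""
    root = ET.fromstring(uid_xml)
    out = {}
    for section in root.find("payload"):
        out[section.tag] = [(e.get("name"), e.get("ip")) for e in section.findall("entry")]
    return out


if __name__ == "__main__":
    msg = build_uid_message([("CORP\\jdoe", "10.150.2.7")], logouts=[("CORP\\old", "10.150.2.9")])
    print(msg.decode())
    print(prepare_request("pafw", "constructed-key", msg)[0])
```

The login timeout matters: it bounds how long a stale mapping survives if A3 never sends the logout (a crashed client, a lost accounting Stop), so keep it close to the session length A3 actually enforces.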
Use Case 1: Guest Access with Captive Web Portal This use case implements guest authentication using most of A3’s external authentication sources (see External Authentication Sources): • Null - no identification is required. • Email - the client enters their email address, which A3 uses to send a message. The message that the client receives includes a link that will complete the authentication. This form of authentication requires that Alerting be set up during Initial A3 Configuration.
Roles

Roles are accessed through the following steps:
1. Select Configuration > Policies and Access Control > Roles.
2. The list of predefined roles is shown. Verify that the guest role is visible. All of the authentication sources in this use case use the guest role.

Authentication Sources

Null

Inspect the null authentication source.
1. Select Authentication Source from the list on the left, below Roles.
2.
Devices

Device configuration is next:
1. Click Devices beneath Network Devices. The list of predefined entries is displayed.
2. A device for an access point must be defined. Click the New Device drop-down control and then select Aerohive_AP.
3. In the New Device form:
a. Enter the IP address of your access point, 10.150.1.19 (C), or an entire subnet in CIDR format in the IP Address/MAC Address/Range (CIDR) field.
b. Enter a Description.
c.
Testing

If any Apple devices are used in the test, make sure to use a full browser for authentication rather than Apple's Captive Network Assistant (CNA).

To test the A3 and ExtremeCloud IQ configurations for SMS authentication, use a laptop, smart phone, or tablet to connect to the A3-Guest (a) SSID. Depending on your configuration, your default browser might automatically open with a reference to the URL https://A3-Main(c).example.
SMS Test

A screen asks for your phone number and choice of mobile carrier. When Continue is selected, A3 sends an email to the carrier's email-to-SMS gateway for that mobile number, and the phone receives an SMS containing a PIN. The PIN is then entered into the web page, followed by Continue. A success page is displayed with a progress bar letting you know that internet access is being enabled.
If you click the MAC Address for the row (00:08:ca:e1:da:21 in this case), you can see the status of the node associated with the client device. The Owner will be the phone number used to obtain the PIN, the Status will be registered, and the Role will be guest.

Use Case 1 Complete

This completes the External Authentication example.
Use Case 2: Active Directory Authentication This use case describes differentiated authentication based on Active Directory information. Users in marketing and sales security groups in the organization’s Active Directory are assigned to user profiles that allow them access to potentially different network resources. Users in neither group will be assigned to a third VLAN associated with all other employees. Alerting must be configured for this use case. See Alerting.
Active Directory Domain

Follow these steps to add the A3 server to your Active Directory domain:
1. Select Configuration > Policies and Access Control > Active Directory Domains.
2. Select .
3. Enter the information as shown below, based on the information gathered earlier:

Field | Value
Identifier | CorpActive
Workgroup | example
DNS Name of the Domain | example.com
Active Directory Server | 10.
DNS Server(s) |
Organizational Unit |
4.
Roles

Roles are accessed through the following steps:
1. Select Configuration > Policies and Access Control > Roles.
2. Select .
3. Create a Sales role by entering Sales into the Name field. Click SAVE.
4. Repeat the last step for the Marketing and Employee roles.

Authentication Sources

The next steps involve creation of the CorpAD authentication source.
1. Select Configuration > Policies and Access Control > Authentication Source.
2.
6. Click the plus sign to the right of Sales (Sales department members). Repeat for the Marketing role:

Field | Value
Name | Marketing
Description | Marketing department members
Conditions | memberOf--equals--CN=Marketing,CN=Users,DC=EXAMPLE,DC=COM
Actions | Role--Marketing, Access Duration--1day
7.
Connection Profile

The connection profile ties together the access point's SSID with authentication sources. To define a new profile:
1. Select Configuration > Connection Profiles, and then click .
2. Fill in a Profile Name of Corp_Conn and a Profile Description as desired.
3. Check Automatically Register Clients. This ensures the device is registered with A3 and allowed to connect to the 802.1X-secured SSID.
4. Uncheck 802.
1. Connect to the A3-Corp (c) SSID and enter credentials for jstaff, who is an employee but not a member of either the Sales or Marketing AD security groups:
2. After the successful connection, look at the properties of the Wi-Fi connection:
3. If you intend to retest with the same client, you need to ask A3 to forget the device registration as per the instructions above.
4.
7. Connect to the A3-Corp (c) SSID and enter credentials for mmarketing, who is a member of the Marketing AD group:
8. After the successful connection, look at the properties of the Wi-Fi connection:

Note that the address assigned is from the Marketing User Profile configured in ExtremeCloud IQ.
If you click the + sign next to Accept for any entry and select the RADIUS tab, you can see the RADIUS messages exchanged between A3 and the access point.

Use Case 2 Example Complete

This completes the Active Directory Authentication example for A3.
Use Case 3: Local User Authentication

Another guest access alternative is referred to as local user, in which credentials are predefined and stored within A3. Alerting must be configured for this use case. See Alerting.
Field | Value
Matches | All
Conditions | memberOf--equals--CN=Marketing,CN=Users,DC=EXAMPLE,DC=COM
Actions | Access level--User Manager
7. Click Save.

Local User Authentication

The final step adds the local authentication source to the Guest connection profile:
1. Navigate to Configuration > Policies and Access Control > Connection Profiles.
2. If a Guest connection profile does not exist, create one as described in Connection Profile.
Testing Local User Authentication

If a client has previously been authenticated, it must be unregistered in the A3 GUI. Clients must be unregistered between tests.
1. Select Configuration > Clients.
2. Click on the line corresponding to the client. The client should show a registered status.
3. Make the following changes to the entry:
a. Owner to default.
b. Status to Unregistered.
c.
4.
Use Case 4: Sponsored Access

This use case involves guest access requiring employee approval. Alerting must be configured for this use case. See Alerting.

The flow in this scenario is:
1. A client connects to the registration network, A3-Guest (a), for example.
2. The client accepts a standard acceptable use policy.
3. The client enters:
a. Their own email address.
b. The email address of the employee/sponsor.
4. A3 checks whether the sponsor is approved, and sends an email to the sponsor.
4. Add a Sponsor rule that matches Sponsor group membership in Active Directory. The members of the Sponsor group must have valid email addresses in their mail attributes.

Field | Value
Name | Sponsor
Description | Employees who can sponsor access
Conditions | memberOf--equals--CN=Sponsors,CN=Users,DC=EXAMPLE,DC=COM
Actions | Mark as Sponsor

5. Click to save the authentication source.
To test the A3 and ExtremeCloud IQ configurations for sponsored access, use a laptop, smart phone, or tablet to connect to the A3-Guest (a) SSID.
1. Depending on the configuration of the guest connection profile, the user is offered an additional choice for registration.
2. After selecting Sponsor-based registration, the client is asked for their email address as well as that of their sponsor.
3.
5. Clicking the link invokes an administrative login for A3.
6. Upon successful login, the client is granted access. The client also receives an email to the same effect.

Verifying Operation

In addition to successful authentication and network access, you can use A3's auditing function to check the status of the authentication. Select AUDITING from the top menu bar. Items are displayed in reverse chronological order.
Use Case 5: EAP-TLS Authentication This case utilizes RADIUS certificates to perform EAP-TLS authentication between Windows clients and A3. The installation of RADIUS certificates on A3 is discussed in RADIUS Certificate. This use case assumes that PKI Provider and Provisioner setup has been performed. EAP-TLS Authentication Source A new EAP-TLS authentication source is defined to match all organization members.
Connection Profile

This section assumes that the configuration associated with Use Case 2: Active Directory Authentication has been performed. The Corp_Conn and Guest_Profile profiles should be modified as per the directions below.

Corporate Profile
1. Navigate to Configuration > Policies and Access Control > Connection Profile.
2. Select the Corp_Conn profile.
3. Enable 802.1X Recompute Role from Portal.
The client first connects to the A3-Guest SSID.
1. After connecting to the guest SSID, the client is offered several choices, depending on the configuration of the Guest_Profile connection profile. User name/password login is selected.
2. The client must agree to the acceptable use policy and is then offered a user name/password form. Domain-specific credentials must be entered.
3.
5. The a3-windows-agent.exe file is downloaded. Locate and execute the file. Since the client is only connected to the registration network, any security scanners that require internet access may complain. This can be avoided by configuring Passthrough Domains in Configuration > Network Configuration > Fencing. For the purpose of this example, any warning should be overridden. The agent prompts the client to configure the certificate.
Use Case 6: Guest Access with External Captive Web Portal The requirement to extend registration and isolation VLANs out to each edge of a network may be inconvenient for an organization. An alternative authentication technique is available that uses an E-CWP (external captive web portal), which simplifies network configuration.
Field | Usage | Setting
Authentication Settings | Defines the RADIUS server connection to A3. | Authenticate via RADIUS Server
User Access Settings | Sets up the Default User Profile with the single VLAN that will be used while the client is registering. |

6. Do not press SAVE yet.
7.
Connection Profile

The connection profile ties together the access point's SSID with authentication sources. To define a new profile:
1. Select Configuration > Connection Profiles.
2. Select New Connection Profile.
3. Fill in the page as per the table:

Field | Usage | Setting
Profile Name | The name of the connection profile. |

The Filter and Sources rows of the table are not reproduced here.
2. If an external web site, such as extremenetworks.com, is referenced in a new browser tab, another authentication challenge is issued. This verifies that the client is completely isolated from the organization's network. Each of the alternatives can be selected for testing.
Use Case 7: Headless IoT Devices

Devices that have no means of performing interactive authentication are often referred to as headless or IoT (internet of things) devices. They must be registered by other means. Two options exist to register headless client devices:
1. Manual:
a. Log in as an administrator.
b. Navigate to Clients > Search.
c. Define a single device found in the client list.
d.
e.
i. The device can be located by its Fingerprint identification and/or MAC address.
Field | Usage | Example
User Access Settings: Allow user profile assignment using RADIUS attributes in addition to three tunnel RADIUS attributes | | On
User Access Settings: Add User Profile | Any role can be used in conjunction with IoT ExtremeCloud IQ access settings. | User Profile Name = iot; VLAN 2 (Guest VLAN); Assignment: RADIUS attribute = iot Role
Device.
Manual Use of Security Event

If a headless IoT device is not currently in the Fingerprint database or was otherwise missed by the security event trigger, the security event can still be applied manually:
1. Select Clients.
2. Find and select the device in the client list.
3. Select the Security Events tab.
4. Select Automatic registration of IoT devices in the drop-down at the bottom of the form.
5. Select .
Use Case 8: Eduroam Eduroam (education roaming) is a secure, world-wide federated roaming access service used by the international research and education community. Eduroam allows students, researchers, and staff from participating institutions to obtain internet connectivity across campus and when visiting other participating institutions. Further information on eduroam is available at http://www.eduroam.org/. Eduroam is a global example of realm-based authentication.
Local Users

Eduroam users who belong to the institution local to your A3 can use the eduroam SSID for internet access. When they do so, the access point connects to A3 via RADIUS on port 11812 (1812 is the standard RADIUS authentication port). The non-standard port lets A3 know that eduroam authentication is to be applied. Based on the configuration of the eduroam-based authentication source, A3 decides whether the user is in the local realm or not.
Local Domain and Realm

If not already defined, both an Active Directory domain and a realm that refers to the domain must be defined. The domain will be named ExampleUAD and the realm will be named exampleu.edu.

Active Directory Domain
1. Navigate to Configuration > Policies and Access Control > Active Directory Domains.
2. Select .
3. Fill in the form with the values below.
Local Authentication Source

A local AD authentication source must be defined that references the LocalRealm just defined. The authentication source will be named LocalADAuth.
1. Select Configuration > Policies and Access Control > Authentication Source.
2. Inside the Internal Sources box, click .
3.
3. Fill in the form as shown below:

Field | Value
Name | eduroamAS
Description | Eduroam authentication
Server 1 Address | 1.2.3.4
Server 1 Port | 1812
Server 2 Address | 2.3.4.5
Server 2 Port | 1812
User Name Attribute |
RADIUS Shared Secret | Value supplied by eduroam.
Local Realms | exampleu.edu

4. Click Authentication Rules at the bottom of the page.
5.
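The decision described under Local Users, taken with the Local Realms and federation servers configured in the table above, is small enough to show end to end. The following is an added example and not A3's code: it models a request arriving on the eduroam listening port, splits the outer identity into user and realm, and routes it locally when the realm is one of the configured Local Realms or to the eduroam servers otherwise. The NAI checks it applies (exactly one @, no empty parts, no whitespace, case-insensitive realm comparison) are a careful implementation's choices, not a description of what A3 does; the realm, server addresses and port come from the table, the user names are constructed.

```python
"""Realm-based routing for eduroam requests, as an added example (not A3 code).
Local Realms, server addresses and the 11812 listener match the use case; the
NAI validation rules are assumptions about a careful implementation."""
from dataclasses import dataclass


@dataclass
class EduroamSource:
    local_realms: tuple = ("exampleu.edu",)
    servers: tuple = (("1.2.3.4", 1812), ("2.3.4.5", 1812))
    listening_port: int = 11812


@dataclass
class Decision:
    action: str            # "local", "proxy" or "reject"
    realm: str = ""
    target: object = None  # server list when proxying
    reason: str = ""


def split_nai(user_name: str):
    """user@realm -> (user, realm).  Rejects the shapes that confuse a proxy:
    no realm, empty parts, more than one '@', whitespace, dangling dots."""
    name = user_name.strip()
    if not name or name != user_name:
        raise ValueError("empty or padded identity")
    if name.count("@") != 1:
        raise ValueError("identity must contain exactly one '@'")
    user, realm = name.split("@")
    if not user or not realm or any(ch.isspace() for ch in name):
        raise ValueError("empty user or realm")
    if realm.startswith(".") or realm.endswith(".") or ".." in realm:
        raise ValueError("malformed realm")
    return user, realm.lower()


def route(user_name: str, src: EduroamSource, port: int) -> Decision:
    """Decide whether a request received on `port` is answered locally or proxied."""
    if port != src.listening_port:
        return Decision("reject", reason=f"port {port} is not the eduroam listener")
    try:
        _user, realm = split_nai(user_name)
    except ValueError as e:
        return Decision("reject", reason=str(e))
    local = {r.lower() for r in src.local_realms}
    if realm in local:
        return Decision("local", realm=realm)
    return Decision("proxy", realm=realm, target=list(src.servers))


if __name__ == "__main__":
    src = EduroamSource()
    for ident in ("alice@exampleu.edu", "bob@otheruni.ac.uk", "carol", "dave@exampleu.edu@evil.example"):
        print(ident, "->", route(ident, src, 11812))
```

An identity such as dave@exampleu.edu@evil.example is rejected outright rather than parsed on either the first or the last @, because the two choices would send the same request to different authenticators; an identity with no realm is rejected for the same reason, since a proxy cannot know whether it was meant locally. Sub-realms (student.exampleu.edu) are treated as remote unless listed explicitly in Local Realms.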
Field | Value
Automatically Register Clients | On
802.1X Recompute Role from Portal | Off
Filters | all: SSID -- eduroam, Realm -- eduroam
Sources | eduroamAS

3. Click .

Use Case 8 Complete

This completes the Eduroam use case.
Advanced Topics

Best Deployment Practices

A3's database is a distributed database that requires high performance and low latency to operate correctly. This section discusses best deployment practices to ensure low latency and stability.

Memory and vSwap

VMware vSwap should be turned off for A3. vSwap may cause latency as a cluster member attempts to swap memory.
Paravirtualization

Under heavy I/O load from multiple VMs, paravirtualization can slow A3 VMs by as much as 20%. Beneficially, however, paravirtualization improves stability and the reliability and linearity of performance.

Snapshots

VM snapshots affect the performance of running VMs. Copy-on-write snapshots have a further detrimental effect, since two disk accesses are performed for each application write operation.
In order to configure a report, edit /usr/local/pf/conf/report.conf and add a section that defines your report. Then execute the command:

/usr/local/pf/bin/pfcmd configreload hard

The following attributes are available to define your report:

Field | Usage
type | Determines what type of report this is. Setting type=built-in causes this report to appear under Other reports in the A3 GUI.
Creating Dynamic Reports Advanced Topics Notes: 1. The operators IS and <> should be replaced by = and !=, respectively. 2. You should always prefix the fields with the table name and a dot (e.g. node.mac, locationlog.role) so that they are not ambiguous. Although your query may work with a single table, it will not if you decide to add joins that contain column name(s) that are the same as the base table.
locationlog entries. Removing those conditions would lead to duplicate entries being shown, since the report would reflect all the historical locationlog entries.

[open_security_events]
description=Open security events
# The table to search from
base_table=security_event
# The columns to select
columns=security_event.vid as "Security event ID", security_event.mac as "MAC Address", class.description as "Security event description", node.
IP helpers are the simplest and best solution for production networks that already use IP helpers. To use this feature on Extreme Networks access points, set the secondary DHCP server to A3's management VIP address (B). To use this feature on other equipment, add A3's management VIP address as the last ip-helper-address statement in your network equipment.
4. Start the sensor:

/usr/local/bin/udp_reflector -s pcap0:67 -d 10.150.1.254(B):767 -b 25000 &

DHCP traffic should now be reflected to the A3 server.

Active Directory Integration

A complete Active Directory integration requires that A3 be kept aware of deleted, disabled, and locked accounts. This allows A3 to disconnect a user whose account has been deleted, disabled, or locked.
2. Create the scheduled task based on an event ID in Start > Run > Taskschd.msc, Task Scheduler > Task Scheduler Library > Event Viewer Task > Create Task. Settings:

Field | Usage
General | Name: A3-Unreg_node-for-deleted-account. Check: Run whether user is logged on or not. Check: Run with highest privileges.
Triggers > New | Begin the task: On an event. Log: Security. Source: Microsoft Windows security auditing.
Disabled Account

1. Create the script unreg_node_disabled_account.ps1 on the Windows Server with the following content. Make sure to change @IP_A3 to the IP address of your A3 server. The user name and password must match the credentials defined in the A3 administrative interface under Configuration > Integration > Web Services.
2. Create the scheduled task based on an event ID in Start > Run > Taskschd.msc, Task Scheduler > Task Scheduler Library > Event Viewer Task > Create Task. Settings:

Field | Usage
General | Name: A3-Unreg_node-for-disabled-account. Check: Run whether user is logged on or not. Check: Run with highest privileges.
Triggers > New | Begin the task: On an event. Log: Security. Source: Microsoft Windows security auditing.
Locked Account
1. Create the script unreg_node_locked_account.ps1 on the Windows Server with the following content. Make sure to change @IP_A3 to the IP address of your A3 server. The user name and password must match the credentials defined in the A3 administrative interface under Configuration > Integration > Web Services.
2. Create the scheduled task based on an event ID in Start > Run > Taskschd.msc, Task Scheduler > Task Scheduler Library > Event Viewer Task > Create Task. Settings:
   General
     Name: A3-Unreg_node-for-locked-account
     Check: Run whether user is logged on or not
     Check: Run with highest privileges
   Triggers > New
     Begin the task: On an event
     Log: Security
     Source: Microsoft Windows security auditing
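Added example, not one of the guide's own unreg_node_*.ps1 scripts: a single PowerShell script that serves the deleted, disabled and locked account tasks above, selected by the Security event ID the task was triggered on (4725 account disabled, 4726 account deleted, 4740 account locked out). The A3 web-service URL path, method name and request format are assumptions marked as placeholders; only @IP_A3 and the Web Services credentials come from the guide.

```powershell
<#
  Added example (not the guide's script). One script for the three tasks; the task's
  Action passes the event ID it was triggered on, e.g. (assumed path):
    powershell.exe -ExecutionPolicy Bypass -File C:\A3\unreg_node.ps1 -EventId 4725
  4725 = user account disabled, 4726 = user account deleted, 4740 = user account locked out.
#>
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet(4725, 4726, 4740)]
    [int]$EventId
)

$A3Host = '@IP_A3'                 # replace with the A3 management VIP address (guide)
$A3User = 'WEBSERVICES_USER'       # must match Configuration > Integration > Web Services
$A3Pass = 'WEBSERVICES_PASSWORD'   # restrict the script file's ACL to SYSTEM/Administrators
$A3Url  = "https://$A3Host/PLACEHOLDER_WEBSERVICES_PATH"   # ASSUMED: use the URL from the guide's script

# 1. Read the most recent Security event of the type that fired the task.
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $EventId } -MaxEvents 1 -ErrorAction Stop

# 2. Extract the affected account from the event's XML payload (TargetUserName).
[xml]$x  = $evt.ToXml()
$account = ($x.Event.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
if ([string]::IsNullOrWhiteSpace($account) -or $account.EndsWith('$')) {
    # No user name, or a computer account (trailing '$'): nothing for A3 to unregister.
    exit 0
}

# 3. Ask A3 to unregister every node owned by that account.
#    Request shape and method name are ASSUMPTIONS; credentials are the Web Services ones.
#    If A3 presents a self-signed certificate, import it into the server's trusted store
#    rather than disabling TLS validation here.
$cred = New-Object System.Management.Automation.PSCredential(
    $A3User, (ConvertTo-SecureString $A3Pass -AsPlainText -Force))
$body = @{ method = 'unreg_node_for_pid'; pid = $account } | ConvertTo-Json   # ASSUMED
try {
    Invoke-RestMethod -Uri $A3Url -Method Post -Body $body -ContentType 'application/json' `
        -Credential $cred -ErrorAction Stop | Out-Null
    Write-Output "Event $EventId for '$account': unregister request sent to $A3Host"
} catch {
    Write-Error "Event $EventId for '$account': A3 request failed: $($_.Exception.Message)"
    exit 1
}
```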
A3 Troubleshooting
This chapter discusses the means by which A3 problems can be diagnosed. This chapter assumes that troubleshooting will be performed by IT professionals with experience in network diagnostics and A3 administration. All navigation and settings used in this chapter refer to the A3 administrative interface unless otherwise specified.

Administration
Unable to Run A3 Administration
1. Check the URL for A3 administration using the VIP address. For example: https://10.150.1.254:1443 (B).
The Auditing Tab
The Auditing tab and the RADIUS Debug feature of A3 are two of the most valuable troubleshooting tools. Since they are used in most troubleshooting techniques, they are described here and referenced where used.
1. Use the Auditing page to determine whether the AP and A3 are communicating correctly and what information A3 is returning to the AP.
2. Select Auditing > RADIUS Audit Logs.
   a.
Getting Started
4. Check that the SSID is used in the Connection Profile and that the profile uses external authentication sources.
5. Check in ExtremeCloud IQ that the AP has been set up with a default user profile that uses the registration VLAN.
6. Check that the client's IP address is in the range associated with the registration VLAN by using ipconfig on the client.
7.
Authentication Issues
Clients No Longer See CWP
1. Recall that if a client has already been authenticated, the authentication must be cleared from A3. Use the following steps:
   a. Navigate to Configuration > Clients.
   b. Double-click the line corresponding to the client. The client should show a status.
   c. Make the following changes to the entry:
      i. Owner to default.
      ii. Status to Unregistered.
      iii. Role to No Role.
   d. Select Save.
Post-Authentication Issues
Some Clients Cannot Join with Active Directory Authentication
1. In a cluster configuration, each A3 member must individually perform a JOIN operation with Active Directory. Make sure that this is the case by using the Join/Rejoin button on the Configuration > Active Directory Domains page. Remember that you will need administrative credentials to complete the operation.
2. Recheck domain setup.
   a.
Cluster Problems
7.
   c. Check that Role by Device Role is exclusively selected.
   d. Check that the role name filled into the form matches exactly (including case) the one defined in ExtremeCloud IQ.
   e. The ExtremeCloud IQ setting is located in the Wireless Network's User Profile settings under Assignment Rules. The Type field should be RADIUS Attribute and the Value should match that used in A3. Use the Auditing tab as described in The Auditing Tab.
Glossary
1X: See 802.1X.
802.1X: The IEEE 802.1X standard defines how to provide authentication for devices trying to connect with other devices on LANs or wireless LANs.

-B-
BarracudaNG: See firewall.
billing authentication: Authentication after paying for service with a payment provider, such as PayPal.
billing module: A captive portal module that is used to perform billing operations as part of the client authentication process.
billing tier: A level of usage for billing purposes. For example, Gold, Silver, and Bronze tiers that provide lower bandwidth at each step.
Blackhole: An authentication mechanism that denies authentication for the client.

DHCP: See dynamic host control protocol.
DHCP Option82: A DHCP option that allows a controller to act as a DHCP relay agent to prevent DHCP client requests from untrusted sources.
DHCP relay agent: A software component that accepts and forwards DHCP requests via layer 3 messages to a remote DHCP server.
distinguished name: A DN is a fully qualified path of names that traces the entry back to the root of an LDAP/AD tree.
DN: See distinguished name.
DNS: See domain name service.

Facebook: See social login.
filter engine: An A3 file that is used to process information from VLAN, RADIUS, Apache, DHCP, DNS, and devices.
Fingerbank: A shared database of DHCP fingerprints that identify devices.
fingerprint: In Fingerbank, a specification of the DHCP-specific options handled by a device, which can be used to identify the device type, vendor, or model.
firewall
FortiGate: See firewall.

layer 2: A layer in the OSI network stack that utilizes local network communications using MAC addresses.
layer 3: A level in the OSI network stack where communications occur based on IP addresses across multiple networks.
LDAP: See lightweight directory access protocol.
lightweight directory access protocol: A protocol that provides access to hierarchically organized databases such as Active Directory.
LinkedIn: See social login.

Palo Alto: See firewall.
parking: See device parking.
passthrough: The ability to allow certain internet addresses to pass through A3 for the process of authentication.
password of the day: An authentication technique that generates a password on a regular basis. The password is sent to the administrator, who distributes it to users.
PayPal: See billing authentication.
PEAP: See protected extensible authentication protocol.

-S-
sAMAccountName: The user login name contained in AD/LDAP directories.
SAML authentication: A standard protocol for web browser single sign-on using secure tokens.
scanner: Software used to check computers or networks for vulnerabilities.
SCEP: A protocol used for enrollment and other PKI operations.
security event: Any of a set of programmed exceptions, including scanner-found vulnerabilities, network irregularities, and over usage.
SentinelOne: A scanner supported by A3.

-V-
vCenter: VMware vCenter Server is advanced server management software that provides a centralized platform for controlling VMware vSphere environments.
violation: A deprecated term for security events.
VLAN: A group of devices on one or more LANs that are configured to communicate as if they were attached to the same wire, when in fact they can be located on a number of different LAN segments.

-W-
WatchGuard: See firewall.
Web Auth
Index
Numerics
802.1X: 45
  Authentication Servers: 46
  Authenticator: 45
  Configuration Example: 51
  Supplicants: 45
A
A3 cluster virtual IP address
B
Barracuda: 86
Billing Authentication Sources: 43
  AuthorizeNet: 43
  Mirapay: 43
  PayPal: 44
  Stripe
Enforcement Devices: 18
Enforcement Modes: 7
  RADIUS Enforcement: 8
  WebAuth (ACL) Enforcement: 9
Equipment Requirements: 10
Exclusive Authentication Sources: 43
  AdminProxy
Google: 40
Google Oauth2 Authentication Test: 98
Guest Access Configuration Example: 51
Guest Access with Captive Web Portal: 93
Guest Profile: 115
guest role
K
Kerberos: 42
Kickbox: 40
L
Layer 2 or Layer 3?: 19
Layer 2 Topology: 25
Layer 3 Across a Routed Network: 4
Layer 3 Topology
P
Palo Alto: 91
Password of the Day: 42
PayPal: 44
Pinterest: 41
PKI: 54, 55
PKI Providers
SMS authentication: 94
  Authentication Source: 38
  Test: 97
Social Login
  Clickatell: 39
  Facebook: 39
  Github
Headless IoT Devices: 122
User Manager: 107
V
vCenter: 10
virtual Ethernet interfaces: 11
W
WebAuth (ACL) Enforcement: 9
WindowsLive