Installation Instructions

ManualsBrandsExtreme Networks ManualsComputers & AccessoriesCLOUD-MANAGED NETWORK ACCESS CONTROL (NAC)

100

Table Of Contents

A3 Installation and Usage Guide
No Registration VLAN Version
Table of Contents
Introduction
- Overview
- Major Features of A3
Deployment Modes
- Overview
- Layer 2 Hybrid Out-of-Band Deployment
- Layer 3 Across a Routed Network
- Layer 3 Hybrid Out-of-Band Deployment
- Inline Deployment
Enforcement Modes
- Firewall Enforcement
- WebAuth Enforcement
- RADIUS Enforcement
- WebAuth (ACL) Enforcement
Installation
- Equipment Requirements
  - VMware VSphere Hypervisor
  - Microsoft Windows Server 2019
- Extreme Networks Requirements
- Download the Software
- A3 Installation on VMware ESXi
  - Network Interfaces
  - Instantiation
- A3 Installation on Windows Server 2019 Hyper-V
  - Network Interfaces
  - A3 must be attached to an “External” type of virtual switch. An external virtual switch binds to the physical network adapter so that the virtual machine can access a physical network.Installation
Network Topology
- Connectivity and Security
- Enforcement Devices
- Infrastructure Devices
- Layer 3 Topology
Clustering
- Cluster Installation
- Cluster Operation
- Restarting Services
- Graceful Shutdown and Restart
- Cluster Backup and Recovery
Table of Addresses and VLANs
- Network Implementation
Initial A3 Configuration
- Setup IP Addresses
- Domain and Time Zone
- Alerting
- Change Admin Password
- A3 Server Certificate
ExtremeCloud IQ Setup
- MAC Authentication
- 802.1X Authentication
Authentication Methods
- External Authentication Sources
- Internal Authentication Sources
- Exclusive Authentication Sources
- Billing Authentication Sources
- 802.1X
- EAP and X.509 Certificates
  - EAP Methods
- Social Login Authentication Technology
A3 Configuration Flow
- Overview
- Guest Access Configuration Example
  - ExtremeCloud IQ Configuration
  - A3 Configuration
- 802.1X Configuration Example
  - ExtremeCloud IQ Configuration
  - A3 Configuration
Certificates and PKI
- Overview
  - Public and Private Keys
  - Public Key Infrastructure
- A3 Certificate Usage
Portal Modules
- Connection Profile Settings
- Type of Portal Modules
  - Source by Options
  - Templates
- Example 1: Reorder Choices
- Example 2: Two Factor Authentication
Security Events and Scan Engines
- Fingerbank
- Scan Engines
- Security Events
  - Event Triggers
  - Event Actions
- Built-in and Sample Events
Provisioning
- Mobile Device Managers
Firewall Integration
- Barracuda
  - A3 Configuration
  - Verification
- Checkpoint
  - Setting up the Checkpoint Firewall
  - A3 Configuration
- FortiGate
  - Setting up FortiGate Firewall
  - A3 Configuration
- JSON-RPC
  - A3 Configuration
- Palo Alto
Use Case 1: Guest Access with Captive Web Portal
- Roles
- Authentication Sources
- Devices
- Connection Profile
- Testing
  - SMS Test
  - Use Case 1 Complete
Use Case 2: Active Directory Authentication
- Active Directory Domain Join
- Roles
- Authentication Sources
- Devices
- Connection Profile
- Testing Active Directory
Use Case 3: Local User Authentication
- User Manager
- Local User Authentication
- Create a Local User
- Testing Local User Authentication
  - Use Case 3 Example Complete
Use Case 4: Sponsored Access
- Authentication Sources
  - Active Directory Source
  - Sponsor Source
- Connection Profile
- Testing Sponsored Access
  - Verifying Operation
  - Use Case 4 Example Complete
Use Case 5: EAP-TLS Authentication
- EAP-TLS Authentication Source
- Connection Profile
  - Corporate Profile
  - Guest Profile
- Testing EAP-TLS
  - Use Case 5 Example Complete
Use Case 6: Guest Access with External Captive Web Portal
- ExtremeCloud IQ Configuration
  - Network Policy
- A3 Configuration
  - Devices
  - Connection Profile
- Testing E-CWP Access
  - Null Authentication Test
  - Use Case 6 Complete
Use Case 7: Headless IoT Devices
- Automatic Registration Security Event
- Manual Use of Security Event
  - Use Case 7 Complete
Use Case 8: Eduroam
- Overview
- ExtremeCloud IQ Configuration
- A3 Configuration
Advanced Topics
- Best Deployment Practices
- Administrative Access
- Creating Dynamic Reports
  - Examples
    - View of the authentication log
    - View of opened security events
- Performance Enhancements
A3 Troubleshooting
- Administration
- The Auditing Tab
- Getting Started
  - Clients Don’t See Captive Web Portal
    - Basic Issues
    - VLAN Setup is Incorrect
- Authentication Issues
- Post-Authentication Issues
  - Clients Assigned to Incorrect Role
  - Authenticated Clients Can’t Access Internet or Local Sites
- Cluster Problems
Glossary
Index

Palo Alto Firewall Integration

Part Number: A3 Installation and Usage Guide Community 91

Palo Alto

This section describes how to set up A3 to communicate the identity of authenticated

clients with a Palo Alto Networks firewall. This allows the Palo Alto Networks firewall to

create identity-based security rules instead of subnet/VLAN/host-based rules. The

network is then able to assign and enforce security policy based on the identity of the user,

no matter what device they use.

Setting up the Palo Alto Networks Firewall

In order to create user-based firewall policies, the firewall must be enabled to connect to

the domain using LDAP, and set up WMI authentication. The firewall can be set up

according to the documentation at https://www.paloaltonetworks.com/documentation/81/

pan-os/pan-os/user-id/enable-user-id.

Create PA API XML Role

A security best practice is to not use the default admin account to generate the token, but

rather to create a separate local account on the firewall. First define a role to assign to the

new local account.

1. Log on to the management interface of the Palo Alto Firewall.

2. Select Device > Admin Roles > Add.

3. Set the name to SSO_Role or something similar.

4. Disable all rights in the Web UI tab.

5. Enable all features in the XML API tab.

6. Select OK.

7. Save and Commit the configuration.

Create PA XML API User Account

1. Log on to the management interface of the Palo Alto Firewall.

2. Select Device > Administrator > Add.

3. Fill in the following fields:

4. Select OK.

5. Save and Commit the configuration.

The integration between

A3 and a Palo Alto

Networks firewalls

requires the use of

PANOS 6.0 or higher on

the Palo Alto firewall.

Field Value

Name xmluser

Password ********

Confirm Password ********

Administrator Type Role Based

Profile SSO_Role