Integrating SecureW2 with ExtremeControl RADIUS

By integrating with existing RADIUS infrastructure, SecureW2’s wireless solutions can be deployed within hours, not days. The security benefits of a WPA2-Enterprise network with certificate-based authentication are available from the start, and certificates can be configured for other uses such as SSL inspection, VPN, wired security, and more. The setup below demonstrates how to integrate with an existing RADIUS server to authenticate X.509 certificates for secure Wi-Fi access.

To complete this setup, you will need to have configured:

  • An ExtremeControl RADIUS Server
  • A SecureW2 Network Profile
  • An Identity Provider


Configuring ExtremeControl for Identity Lookup

  1. On the Extreme dashboard, select Control > Access Control > Configurations > Default > Rules
  2. Click Add to add a new rule

Creating and configuring the Rule settings

  1. Enable the Rule Enabled option
  2. Navigate to Conditions > User Group
  3. From the drop-down menu, select New
    • Enter a Name and Description
    • Select Type as User: LDAP User Group
    • Click Create
  4. In the next window, select Match Mode as Any
  5. Under LDAP User Group Entry Editor, enter the following values:
    • Enter Attribute Name as userAccountControl
    • Enter Attribute Value as 512
    • From the drop-down menu, select the LDAP Server configured
  6. Click Update

Creating and configuring the User Group settings
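
What the userAccountControl value 512 in the LDAP User Group entry selects, as an added example (not SecureW2 or Extreme code): it decodes the attribute's flag bits and lists enabled user accounts that an exact match on 512 would miss. It assumes the group entry compares the attribute for equality; the account names and values are constructed.

```python
# Added example: decode Active Directory userAccountControl values and compare
# an exact-value condition (512) with a bitmask test.

# Flag bits documented by Microsoft for the userAccountControl attribute.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x800000: "PASSWORD_EXPIRED",
}

def decode_uac(value):
    """Return the names of the flags set in a userAccountControl integer."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def matches_exact(value, expected=512):
    """Assumed rule behaviour: the attribute must equal the configured value."""
    return value == expected

def is_enabled_user(value):
    """Bitmask view: a normal user account that is not disabled."""
    return bool(value & 0x0200) and not value & 0x0002

def audit(entries):
    """List accounts that are enabled users but miss the exact 512 match."""
    return [name for name, uac in entries
            if is_enabled_user(uac) and not matches_exact(uac)]

# Constructed sample directory entries (sAMAccountName, userAccountControl).
SAMPLE = [
    ("alice", 512),        # enabled normal account
    ("bob", 514),          # disabled normal account
    ("svc-print", 66048),  # enabled, password never expires
    ("carol", 544),        # enabled, password not required
    ("LAPTOP-07$", 4096),  # workstation trust account
]

if __name__ == "__main__":
    for name, uac in SAMPLE:
        print(f"{name:12} {uac:6} exact512={matches_exact(uac)!s:5} "
              f"enabled_user={is_enabled_user(uac)!s:5} {decode_uac(uac)}")
    print("enabled users not matched by 512:", audit(SAMPLE))
```

Accounts returned by audit() would fall outside a group defined this way, so compare them against the directory before relying on the rule.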


Configuring ExtremeControl with AAA SecureW2 CRL

  1. Select Control > Access Control > AAA
  2. Click Add

Configuring the network to authenticate against the SecureW2 CRLs

  1. Enable Advanced Configuration and add a name for your reference
  2. De-select the option Authenticate Requests Locally for
  3. Click on Update Trusted Authorities to open the Update AAA Trusted Certificate Authorities window
  4. In the Drop files here or click to browse section, select the SecureW2 Root and Intermediate certificates
  5. Select the Use CRLs option
  6. Click on Add and enter the Base CRL of the SecureW2 Root certificate
    • Repeat this step and enter the Base CRL of the SecureW2 Intermediate certificate
    • To let your Extreme Access Control keep authenticating end-users when it is unable to reach the SecureW2 servers to validate the status of user certificates, enable the option Allow expired CRLs to be used when checking CRLs. With this option enabled, a certificate revoked after the last successfully downloaded CRL is still accepted until a fresh CRL is retrieved
  7. Click Ok

Displaying the selected SecureW2 CRLs

  1. Under Authentication Rules, click Add to open the Edit user to Authentication Mapping window and enter the following values:
    • Set Authentication Type as 802.1X
    • Set Authentication Method as LDAP Authentication
    • Set LDAP configuration to the LDAP server you have already configured
  2. Click Ok
  3. Click Save
  4. Map the new AAA configuration so that it is pushed to the Extreme Access Control

Configuring the Authentication Mapping settings


Concluding Thoughts

Network users can now seamlessly self-onboard their devices for a WPA2-Enterprise network. Once they are assigned certificates, the security risks of data breaches and credential theft drop dramatically. Additionally, network administrators can take full advantage of the network visibility enhancements, such as tying each user and device to a connection, or remotely diagnosing connection issues. If you’d like to try out SecureW2, or have any questions about how we integrate with ExtremeControl, drop us a line! We are happy to connect a network professional with an ExtremeControl expert to facilitate a free trial and show how easy it can be to deploy certificate-based authentication.

ExtremeControl and Extreme Networks are either registered trademarks or trademarks of Extreme Networks in the United States and/or other countries. Other trademarks, logos and service marks used in this site are the property of SecureW2 or other third parties.
