Integrating SecureW2 with Extreme Networks

Prerequisites and Limitations

  • A SecureW2 Network Profile configured for EAP-TLS
  • An ExtremeCloud Appliance (ECA)
  • An Extreme Access Point compatible with ECA (this guide uses an AP3915i)

Integrating SecureW2 with Extreme Cloud Appliance

Configuring the SecureW2 RADIUS

  1. From the left-hand side pane, navigate to ONBOARD > AAA

Navigating to the AAA policy

  1. Under RADIUS Servers, click the Add button on the Default AAA Configuration page

Select and add the SecureW2 RADIUS server

  1. Configure the following parameters for the SecureW2 RADIUS server
    • RADIUS Server IP address <SecureW2 RADIUS IP Address>
    • Authorization Client UDP Port <SecureW2 RADIUS Port>
    • Shared Secret <SecureW2 RADIUS Shared Secret>
  2. Click on the Save button on the top right-hand side

Finishing configuring the RADIUS server

 

Configuring the Captive Portal on ECA

  1. Navigate to Networks > Add

Navigating to add the Captive Portal link

  1. Configure the following parameters:
    • Network Name – Example: Onboard
    • SSID – Enter a character string to identify the wireless network
    • Status – Enable the network service
    • Auth Type – Open
    • Enable Captive Portal – Check this option to enable captive portal support
    • Captive Portal Type – Select External
    • ECP URL – URL address of the SecureW2 network profile
    • Walled Garden Rules – Click Walled Garden Rules to configure policy rules for the external captive portal
    • Click on L3,L4 Rules (IP and Port) Rules(0 Rules) > New
    • Create entries that allow end-user devices to reach the SecureW2 servers and the Google Play Store, and that disable CNA browsers
      • For a full list of resources to allow in the Walled Garden, please refer to the SecureW2 JoinNow Configuration Guide in the Management Portal

Completing the configuration of Walled Garden rules

  1. Click Save

 

Configure the Secure SSID on ECA

  1. Navigate to Networks > Add

Navigating to the secure SSID

  1. Configure the following parameters:
    • Network Name – Example: SecureSSID
    • SSID – Enter a character string to identify the wireless network
    • Status – Enable the network service
    • Auth Type – WPA2 Enterprise w/ RADIUS
    • Authentication Method – RADIUS
    • Primary RADIUS – SecureW2 RADIUS IP Address added earlier
    • Backup RADIUS – Other SecureW2 RADIUS IP Address added earlier
    • Default Auth Role – Select Enterprise User
    • Default VLAN – Select a VLAN
  2. Click Save

Configuring the parameters of the secure SSID

 

Assigning the Configured Networks to a Site

  1. Go to the Sites tab and select the preferred site that is already configured
  2. Click Configure Site
  3. Click the Device Groups tab and select a device group
  4. Click on the Profile field to edit the device group profile
  5. Go to the Networks tab and select the configured network
  6. Go to the Roles tab and select the previously configured roles
  7. Click Ok > Save

Assigning the fully configured network to the site

Finalizing the configuration of the network to the site

 

Integrating SecureW2 with Extreme Wing Access Points

To complete this configuration, you must already have configured:

  • Extreme ExtremeManagement
  • Extreme Access Control
  • A fully licensed controller with an Advanced Security license

 

Configuring the Wireless Controller to Authenticate with the SecureW2 RADIUS

  1. Configure the RADIUS settings to authenticate against the SecureW2 RADIUS
  2. Configure the Captive Portal on the wireless controller
  3. Configure the SSID for authentication against Access Control

 

Configuring the SecureW2 RADIUS

  1. Navigate to the Network tab under Configuration
  2. Select the AAA Policy section
  3. Click the Add button to create a new AAA policy

Adding the AAA Policy

  1. Name the new policy and click Continue
  2. In the RADIUS Authentication tab, click the Add button to create a new RADIUS Server

Adding the RADIUS server

  1. In the Authentication Server window, update the following settings in addition to populating the default values
    • Host <SecureW2 RADIUS IP Address>
    • Port <SecureW2 RADIUS Port>
    • Secret <SecureW2 RADIUS Shared Secret>
    • Request Proxy Mode Through Wireless Controller

Populating the settings of the RADIUS server
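
Both RADIUS sections above enter the same three values (IP address, port, shared secret), and a mistyped secret is hard to spot in the UI. The Python sketch below is an added example, not SecureW2 or Extreme code: it builds an RFC 5997 Status-Server request and verifies the reply's Response Authenticator against the secret. It assumes the server answers Status-Server and accepts the probing host as a RADIUS client, neither of which this guide states; the secrets in the demo are constructed.

```python
import hashlib, hmac, os, socket, struct

STATUS_SERVER, ACCESS_ACCEPT, MESSAGE_AUTHENTICATOR = 12, 2, 80

def build_status_server(secret: bytes, ident: int, req_auth: bytes) -> bytes:
    """Status-Server request with the Message-Authenticator attribute it requires."""
    header = struct.pack("!BBH", STATUS_SERVER, ident, 20 + 18) + req_auth
    attr = bytes([MESSAGE_AUTHENTICATOR, 18])
    # HMAC-MD5 over the whole packet with the 16 value bytes zeroed, keyed by the secret.
    mac = hmac.new(secret, header + attr + bytes(16), hashlib.md5).digest()
    return header + attr + mac

def sign_reply(code: int, ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(code|id|len|RequestAuth|attrs|secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def reply_is_authentic(reply: bytes, ident: int, req_auth: bytes, secret: bytes) -> bool:
    """Accept a reply only if its ID matches and its authenticator verifies under our secret."""
    if len(reply) < 20 or reply[1] != ident:
        return False
    length = struct.unpack("!H", reply[2:4])[0]
    if not 20 <= length <= len(reply):
        return False
    expected = sign_reply(reply[0], ident, req_auth, reply[20:length], secret)[4:20]
    return hmac.compare_digest(expected, reply[4:20])

def probe(host: str, port: int, secret: bytes, timeout: float = 3.0) -> str:
    """Send one Status-Server to the configured server and classify the outcome."""
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_status_server(secret, ident, req_auth), (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no reply: check IP, port and firewall; servers also drop bad-secret requests"
    if reply_is_authentic(reply, ident, req_auth, secret):
        return "reply verified: IP, port and shared secret agree"
    return "reply not verifiable: shared secret differs from the server's"

if __name__ == "__main__":
    # Constructed offline demo: a reply signed with one secret, checked with two.
    ra = bytes(range(16))
    reply = sign_reply(ACCESS_ACCEPT, 7, ra, b"", b"constructed-secret")
    print(reply_is_authentic(reply, 7, ra, b"constructed-secret"))
    print(reply_is_authentic(reply, 7, ra, b"typo-secret"))
```

Call probe() with the same IP address, port and shared secret entered on the controller, from a host the RADIUS server accepts as a client.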

 

Configuring the Captive Portal

  1. Navigate to Configuration > Services
  2. Select the Captive Portals section
  3. Click Add to create a new configuration

Adding the captive portal policy to the network

  1. In the new Captive Portal Policy, select Centralized Controller for the Captive Portal Server Mode
  2. In the Captive Portal Server Host field, specify a non-existent server host where the web request would typically be sent
  3. In the Access field, select No authentication required as the Access Type
  4. Click Ok to save the new policy

Configure the settings of the captive portal and save

  1. While still in the newly created Captive Portal Policy, scroll down to the DNS Whitelist and click the Add button

Create entries in the DNS Whitelist

  1. Create entries in the DNS Whitelist for both the IP address and hostname of the SecureW2 servers used on the network

Adding entries from the DNS Whitelist to the captive portal policy

  1. Click Ok > Exit

Configuring the captive portal policy

  1. In the Captive Portal Policy, select the newly created DNS Whitelist from the dropdown menu
  2. Click Ok and then click Commit
    • The final step is to assign the new Captive Portal Policy to the Device Profiles in use
  3. Navigate to Configuration > Profiles, then navigate to the profile to be modified
  4. Select the Services tab of the profile, then select the checkbox next to the new Captive Portal Policy
  5. Click Ok > Commit

Finalize the configuration of the captive portal policy

Extreme is either a registered trademark or a trademark of Extreme Networks in the United States and/or other countries. Other trademarks, logos and service marks used in this site are the property of SecureW2 or other third parties.
