AeroHive (Extreme) Integration Document
1 - Secure Wireless
Scenario: A wireless device connects to an SSID configured with the 802.1X authentication method. After authentication, the client device is moved to the compliant VLAN and assigned the compliant ACL. These two items are combined into one object called the Compliant User Profile (Compliant-UP).
- Define IP Objects / Hostnames
- Define VLAN
- Define IP Firewall Policies
- Define User Profile
- Define RADIUS Server
- Define Network Policy (SSID and Authentication Method)
- Access Profile and Rules on Cloud NAC Dashboard
- Device model: Aerohive 230
1.1 - Define IP Objects / Hostnames
Click on Configure -> Common Objects -> Basic -> IP Objects / Hostnames:

Create the following objects:
- Opswat1:
console.metaccess-b.opswat.com
- Opswat2:
nac-b.opswat.com
- Opswat3:
gears.opswat.com
- myweblogon:
portal.myweblogon.com
Note: ensure that your client can resolve the myweblogon domain to the IP address of NAC Edge.

1.2 - Define VLAN
Click on Configure -> Common Objects -> Basic -> VLAN -> click "+" to add a new VLAN. In this scenario we simply create two VLANs and name them Compliant-Vlan and Quarantine-Vlan.


1.3 - Define IP Firewall Policies
Click on Configure -> Common Objects -> Security -> IP Firewall Policies

Create two simple ACL sets: Compliant-ACL and Quarantine-ACL


1.4 - Define User Profile
Click on Configure -> Common Objects -> Policy -> User Profiles -> click "+" to create a new user profile

Create a pair of user profiles: Compliant-UP and Quarantine-UP


Quarantine-UP is used in the Open Wireless case (section 2), but we pre-define it here.

1.5 - Define RADIUS Server
Click on Configure -> Common Objects -> Authentication -> External RADIUS Servers

Create the RADIUS server

1.6 - Define Network Policy (SSID and Authentication Methods)
Click on Configure -> Network Policies -> "+"


Define the name of the network policy and click Next

In the Wireless configuration section, click "+" to add a new Wireless Network

Create the new Wireless Network and select the pre-defined External RADIUS Server


Enable Dynamic Change of Authorization Messages (RFC 3576)
Click "RADIUS Server Group" -> choose the "Gear" icon -> check "Permit Dynamic Change Of Authorization Messages" -> "Save RADIUS Settings"

Configure User Access Settings
Select the pre-defined objects created in the previous sections. In this setting we need to create "Assignment Rules" that map the RADIUS attribute returned by Cloud NAC to a user profile.




1.7 - Access Profile and Rule on Cloud NAC Dashboard
In this scenario, when a client device accesses the SSID for the first time, the end-user must provide valid credentials. Upon successful authentication, the client device will be assigned the Compliant-UP (see section 1.4).
If we want to return an ACL, we can use Filter-Id := "Name of ACL", where the name is one predefined in the ExtremeIQ dashboard.
Create AccessProfile2728 and its Rule


1.8 - Check RADIUS Log

We can see that the client device was assigned "Filter-Id" = "sc_compliant_acl". The wireless controller maps "sc_compliant_acl" to "compliant-vlan" and "compliant-acl" for the client MAC address.
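The mapping described in sections 1.6 to 1.8 (Filter-Id returned by Cloud NAC selects a user profile, i.e. a VLAN plus an ACL) is worth checking against the RADIUS log before trusting the deployment. The following is an added example, not code from this document or from Extreme: a small parser over constructed log lines (the line format is invented for the example, not the vendor's) that applies the assignment rules and flags clients whose Filter-Id matches no rule, which is the usual symptom of a typo on either side. Profile, VLAN and ACL names are the ones used in this document; the MAC addresses and users are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class UserProfile:
    name: str
    vlan: str
    acl: str


# Assignment rules as described in sections 1.6 to 1.8: the Filter-Id value returned
# by Cloud NAC selects the user profile (VLAN + ACL). Object names are this document's;
# any Filter-Id not listed here is deliberately left unmapped.
ASSIGNMENT_RULES: Dict[str, UserProfile] = {
    "sc_compliant_acl": UserProfile("Compliant-UP", "Compliant-Vlan", "Compliant-ACL"),
    "sc_quarantine_acl": UserProfile("Quarantine-UP", "Quarantine-Vlan", "Quarantine-ACL"),
}

# Constructed log format (not the vendor's): "<timestamp> <code> key=value key="quoted value" ..."
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<code>Access-(?:Accept|Reject))\s*(?P<rest>.*)$")
ATTR_RE = re.compile(r'(?P<key>[\w-]+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line into {'ts', 'code', 'attrs'}; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    attrs = {}
    for a in ATTR_RE.finditer(m.group("rest")):
        attrs[a.group("key")] = a.group("quoted") if a.group("quoted") is not None else a.group("bare")
    return {"ts": m.group("ts"), "code": m.group("code"), "attrs": attrs}


def assign_profile(record: Optional[dict]) -> Optional[UserProfile]:
    """Apply the assignment rules: only an Access-Accept with a known Filter-Id gets a profile."""
    if record is None or record["code"] != "Access-Accept":
        return None
    return ASSIGNMENT_RULES.get(record["attrs"].get("Filter-Id", ""))


def assignments_from_log(log_text: str) -> Dict[str, Optional[str]]:
    """Map each client (Calling-Station-Id) to the user profile name it would receive, or None."""
    result: Dict[str, Optional[str]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        if record is None:
            continue
        mac = record["attrs"].get("Calling-Station-Id")
        if mac is None:
            continue
        profile = assign_profile(record)
        result[mac] = profile.name if profile else None
    return result


# Constructed sample log: a compliant client, a quarantined client, a client with a
# mistyped Filter-Id, an Accept without Filter-Id, and a rejected client.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z Access-Accept User-Name=alice Calling-Station-Id=aa-bb-cc-dd-ee-01 Filter-Id="sc_compliant_acl"
2024-05-01T08:00:05Z Access-Accept User-Name=guest-laptop Calling-Station-Id=aa-bb-cc-dd-ee-02 Filter-Id="sc_quarantine_acl"
2024-05-01T08:00:09Z Access-Accept User-Name=bob Calling-Station-Id=aa-bb-cc-dd-ee-03 Filter-Id="sc_typo_acl"
2024-05-01T08:00:12Z Access-Accept User-Name=carol Calling-Station-Id=aa-bb-cc-dd-ee-04
2024-05-01T08:00:15Z Access-Reject User-Name=mallory Calling-Station-Id=aa-bb-cc-dd-ee-05
"""

if __name__ == "__main__":
    for mac, profile in assignments_from_log(SAMPLE_LOG).items():
        print(f"{mac}: {profile or 'NO PROFILE - check the Filter-Id value and the assignment rules'}")
```

A client that shows up with no profile has no VLAN or ACL assignment to fall back on, so the safe behaviour is to treat it as unauthorised rather than to assume the compliant profile; the example leaves such clients at None for exactly that reason.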
2 - Open Wireless
Scenario: A wireless device connects to an open SSID (no Layer 2 PSK required). This SSID is associated with a quarantine VLAN (Quarantine-UP). In this VLAN, all traffic is redirected to the NAC Edge IP address, except for DHCP and DNS traffic. When a wireless device connects, it is presented with a Cloud NAC Portal where the user must enter their credentials. Once authentication is successful, the device is reassigned to a new VLAN with access to the internet.
Ensure that the prerequisite configurations in sections 1.1, 1.2, 1.3, 1.4, 1.5 and 1.6 are completed before proceeding with this section. In this section we only need to configure:
- Open SSID on ExtremeIQ Cloud
- Access Profile and Rule on Cloud NAC
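The quarantine behaviour described above (everything redirected to NAC Edge except DHCP and DNS) is easy to get subtly wrong, for example by forgetting TCP DNS or by placing the redirect rule before the permits. The block below is an added example, not configuration from this document or from Extreme: it models Quarantine-ACL and Compliant-ACL as ordered first-match rule lists and includes a check that the probes a quarantined client needs (DHCP, DNS, the NAC Edge itself) are actually permitted. The NAC Edge address 192.0.2.10 is a constructed placeholder, and the portal port 443 is an assumption; the document names neither.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    proto: str      # "udp" or "tcp"
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit", "redirect" or "deny"
    proto: str = "any"              # "udp", "tcp" or "any"
    dst_net: str = "0.0.0.0/0"
    dst_port: Optional[int] = None  # None matches every port


# Constructed placeholder for the NAC Edge address (RFC 5737 documentation range).
NAC_EDGE_IP = "192.0.2.10"

# Quarantine-ACL as section 2 describes it: DHCP and DNS pass, the NAC Edge itself is
# reachable, everything else is redirected to the NAC Edge portal. Order matters:
# the first matching rule wins, so the catch-all redirect must come last.
QUARANTINE_ACL: List[Rule] = [
    Rule("permit", "udp", dst_port=67),
    Rule("permit", "udp", dst_port=68),
    Rule("permit", "udp", dst_port=53),
    Rule("permit", "tcp", dst_port=53),
    Rule("permit", "any", dst_net=NAC_EDGE_IP + "/32"),
    Rule("redirect"),
]

# Compliant-ACL: unrestricted access after successful authentication.
COMPLIANT_ACL: List[Rule] = [Rule("permit")]


def matches(rule: Rule, flow: Flow) -> bool:
    """True when the flow satisfies every constraint the rule sets."""
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != flow.dst_port:
        return False
    return ip_address(flow.dst_ip) in ip_network(rule.dst_net)


def evaluate(acl: List[Rule], flow: Flow) -> str:
    """First matching rule decides; an ACL with no matching rule denies (implicit deny)."""
    for rule in acl:
        if matches(rule, flow):
            return rule.action
    return "deny"


# Probe flows a quarantined client must be able to complete before the portal can work.
# Portal port 443 is an assumption; the document only says traffic goes to the NAC Edge IP.
REQUIRED_PROBES = {
    "dhcp": Flow("udp", "255.255.255.255", 67),
    "dns-udp": Flow("udp", "192.0.2.53", 53),
    "dns-tcp": Flow("tcp", "192.0.2.53", 53),
    "nac-edge-portal": Flow("tcp", NAC_EDGE_IP, 443),
}


def check_quarantine_acl(acl: List[Rule]) -> List[str]:
    """Return the names of required probes that the ACL does not permit (empty list is good)."""
    return [name for name, flow in REQUIRED_PROBES.items() if evaluate(acl, flow) != "permit"]


if __name__ == "__main__":
    web = Flow("tcp", "198.51.100.7", 443)  # constructed "internet" destination
    print("quarantine, web:", evaluate(QUARANTINE_ACL, web))
    print("compliant, web:", evaluate(COMPLIANT_ACL, web))
    print("quarantine probes missing:", check_quarantine_acl(QUARANTINE_ACL) or "none")
```

Running the check against the ACL you actually configured in section 1.3 (translated into the same rule shape) catches the common failure where the portal never appears because name resolution is blocked in the quarantine VLAN.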
2.1 - Open SSID on ExtremeIQ Cloud
In the previous sections we already created the Network Policy "CloudNAC_Policy"; we will create a new wireless SSID in this network policy.

Create a new SSID and name it "AeroHive_Open"



2.2 - Access Profile and Rule on Cloud NAC Dashboard
Create two Access Profiles:
- AccessProfilePortalEnforcer: Attribute Filter-Id += sc_quarantine_acl
- AccessProfile2728: Attribute Filter-Id += sc_compliant_acl


Create two Rules:
- Rule names: PortalEnforce and Group_Vlan_2728

2.3 - Check RADIUS Log
On first connection, the client device is assigned AccessProfile_PortalEnforcer

After successful authentication via the Portal, the client device is assigned the new profile
