ExtremeCloud IQ- Site Engine & Extreme Management Center

 XMC control configuration easy mode

Wikedeye posted 10-03-2019 19:42
My organization purchased XMC for k12 license and I am having some issues with getting everything configured. I have the management, analytics and control servers running, but I am finding it difficult to find good instructions for getting control working properly. I am not a complete idiot, but I also am not really as experienced with setting up these types of environments. Can anyone recommend a guide that explains how to set up all the parts and pieces needed to be able to view/monitor end user computers? I have my entire network infrastructure in the management console (switches, routers, firewall). I have partially set up the analytics side, but I am still learning all about that. Do I actually need control to view end user systems?
Joshua Puusep
Hello,

Control is going to have all of the end system info in regards to authentication and device fingerprinting, etc. Analytics is more about flow statistics. You can find the user guides on the Control product page below. Note that you will have to log in to the Extreme Portal in order to access these.

https://extremeportal.force.com/ExtrProductDetail?id=01t80000003UxOFAA0
James A
There used to be a very comprehensive guide (several hundred pages) about setting up XMC, XCA, switches and so on, based around a K12 environment, but after extensive googling I can't find it.
Tomasz
Hi Wikedeye,

Try to walk through ExtremeControl docs here:
https://www.extremenetworks.com/support/documentation/product-type/software/

I'll try to make this short for you, if anything needs more clarification just let us know or try to use the above resource.

First, add your managed devices to XMC with an appropriate access profile (SSH, SNMPv3 most likely). Among these devices are your authenticating devices (RADIUS clients). Extreme Access Control should also be there after the initial appliance setup.
Once they are added and reachable, you can move to the Control section of the XMC GUI.

Over there you have several things to consider:
  • AAA Config - here you specify the LDAP connection, RADIUS server or local credentials repository (or all of them); in the advanced view you can specify rules to determine what type of background check should occur against a certain device that tries to enter the network,
  • Policy Mappings - those are objects that store information about all possible RADIUS attributes that might be sent to any of your edge devices (e.g. Filter-ID with policy name, VLAN ID via RFC 3580 compliant attributes, script name and so on). Those will be used by NAC to pick the relevant attributes for a device that is dealing with an authentication request (e.g. an Extreme switch might like to get policy name and VLAN ID, a Cisco switch might like to pick VLAN ID and ACL number etc. from this bucket),
  • NAC Profiles - those are about selecting a proper Policy Mapping (called just 'Policy' over there) for accepted authentication and failsafe (if NAC can't reach backend AAA). The second part is about posture assessment, which we may skip right now,
  • Groups - those are criteria that you can use in the end to decide how to authorize an authenticated end-system: e.g. user groups (usernames or LDAP attributes or RADIUS attributes received from the backend RADIUS), end-system groups (MACs, MAC OUIs, IPs, subnets, hostnames), location groups (IPs, SSIDs, switch ports, ...) etc.
  • Rules - NAC Rules are what bind it all together; they allow you to determine, based on authentication method and the groups, what NAC Profile should be assigned to the device, and thus what Policy Mapping should be applied.

On the other hand, you have to provide information about your access switches. So you add them in the NAC engine configuration ('Switches' tab) and, among other things, you have to take care to pick the valid attributes to send. Those will be taken from the relevant Policy Mapping upon end-system authentication so the switch gets what it supports. Besides, remember of course to point to EAC as the RADIUS server from your access device's perspective. If it's an EXOS switch for example, EAC will do it for you when you Enforce the EAC configuration.

If anything needs more clarification just let us know. I could also find some spare time to support you with a remote session next week.

Hope that helps,
Tomasz
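
A conceptual model of the flow described in the post above (Rule, then NAC Profile, then Policy Mapping, then only the attributes the switch is configured to receive), added here as an illustration; it is not part of the thread and not ExtremeControl code. Group names, usernames, the MAC OUI, switch IPs, VLAN IDs and top-down first-match rule ordering are assumptions.

```python
from dataclasses import dataclass
from typing import Optional
# Policy Mappings (constructed values): everything that could be sent per policy.
POLICY_MAPPINGS = {
    "Staff":    {"Filter-Id": "Staff",    "vlan": "10"},
    "Printer":  {"Filter-Id": "Printer",  "vlan": "30"},
    "Guest":    {"Filter-Id": "Guest",    "vlan": "99"},
    "Failsafe": {"Filter-Id": "Failsafe", "vlan": "999"},
}
# NAC Profiles: policy applied on accept, and when backend AAA is unreachable.
NAC_PROFILES = {
    "Staff NAC Profile":   {"accept": "Staff",   "failsafe": "Failsafe"},
    "Printer NAC Profile": {"accept": "Printer", "failsafe": "Failsafe"},
    "Guest NAC Profile":   {"accept": "Guest",   "failsafe": "Failsafe"},
}
# 'Switches' tab: which attribute families each RADIUS client should be sent.
SWITCHES = {"10.0.0.11": {"filter-id", "rfc3580"}, "10.0.0.12": {"rfc3580"}}

@dataclass(frozen=True)
class Rule:
    profile: str
    auth_type: Optional[str] = None      # None matches any method
    groups: frozenset = frozenset()      # every listed group must match

# Assumption: rules are evaluated top-down and the first match wins.
RULES = [
    Rule("Staff NAC Profile", "802.1X", frozenset({"Teachers"})),
    Rule("Printer NAC Profile", "MAC", frozenset({"Printer OUIs"})),
    Rule("Guest NAC Profile"),           # catch-all
]

def resolve_groups(username, mac):       # user group by name, end-system group by OUI
    groups = {"Teachers"} if username in {"jsmith", "mlee"} else set()
    if mac.upper().startswith("00:11:22"):
        groups.add("Printer OUIs")
    return groups

def authorize(auth_type, username, mac, switch_ip, backend_up=True):
    groups = resolve_groups(username, mac)
    rule = next(r for r in RULES
                if r.auth_type in (None, auth_type) and r.groups <= groups)
    policy = NAC_PROFILES[rule.profile]["accept" if backend_up else "failsafe"]
    mapping, wanted, attrs = POLICY_MAPPINGS[policy], SWITCHES[switch_ip], {}
    if "filter-id" in wanted:
        attrs["Filter-Id"] = mapping["Filter-Id"]
    if "rfc3580" in wanted:              # VLAN ID via RFC 3580 tunnel attributes
        attrs.update({"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                      "Tunnel-Private-Group-Id": mapping["vlan"]})
    return rule.profile, attrs
```

The same end-system gets a different attribute set depending on which switch forwarded the request, which is why the per-switch attribute selection matters as much as the rules.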
Bill Handler
Working with a qualified partner is advantageous in setting up XMC/Control/Analytics.

End-System Licensing can get to be expensive for Analytics and Control, especially in a K12 environment, where you may need additional licensing beyond what is included in the XMC-K12 bundle, so it may be worth speaking with your Extreme Sales rep or a qualified Extreme Partner to help guide you to the best solution for your environment.

Thanks,

Bill