Extreme Control as External RADIUS in Cloud IQ
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎02-22-2022 04:21 AM
Hello,
I understand that it is possible to create a network policy in Cloud IQ for Wireless which can use External RADIUS server for authentication (Extreme A3, NPS, Extreme Control). Do the APs (AP3705C) which are onboarded in the cloud also need to be added under Access-Control>Switches? If so what RADIUS Attributes should they use?
Thanks,
Rob
I understand that it is possible to create a network policy in Cloud IQ for Wireless which can use External RADIUS server for authentication (Extreme A3, NPS, Extreme Control). Do the APs (AP3705C) which are onboarded in the cloud also need to be added under Access-Control>Switches? If so what RADIUS Attributes should they use?
Thanks,
Rob
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎03-02-2022 12:57 AM
I registered on the developer site and have been able to generate a token. I updated the script, saved it and re-ran the workflow but it fails.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎03-02-2022 12:56 AM
I think I need to update the script first...
###################################################################
# Update the Bearer Token, client secret, client-id,
# redirect-uri, and ownerid in the curl_cmd variable to
# match your developer credentials, bearer token from
# XIQ, and VIQ ID.
# Developer credentials: https://developer.aerohive.com/
# Bearer Token: XIQ Interface/Global Settings/ API Token Management
# VIQ ID: From the XIQ interface "About" menu option
###################################################################
curl_cmd = 'curl -s -k --header "Authorization: Bearer xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"'
curl_cmd = curl_cmd + ' --header "X-AH-API-CLIENT-SECRET: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"'
curl_cmd = curl_cmd + ' --header "X-AH-API-CLIENT-ID: xxxxxxxx"'
curl_cmd = curl_cmd + ' --header "X-AH-API-CLIENT-REDIRECT-URI: https://x.x.x.x"'
curl_cmd = curl_cmd + ' https://va2.extremecloudiq.com/xapi/v1/monitor/devices{?ownerId=xxxxxx}'
I've found the ownerId and REDIRECT-URI address (my XIQ-SE) but struggling to find the CLIENT-ID and complete
###################################################################
# Update the Bearer Token, client secret, client-id,
# redirect-uri, and ownerid in the curl_cmd variable to
# match your developer credentials, bearer token from
# XIQ, and VIQ ID.
# Developer credentials: https://developer.aerohive.com/
# Bearer Token: XIQ Interface/Global Settings/ API Token Management
# VIQ ID: From the XIQ interface "About" menu option
###################################################################
curl_cmd = 'curl -s -k --header "Authorization: Bearer xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"'
curl_cmd = curl_cmd + ' --header "X-AH-API-CLIENT-SECRET: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"'
curl_cmd = curl_cmd + ' --header "X-AH-API-CLIENT-ID: xxxxxxxx"'
curl_cmd = curl_cmd + ' --header "X-AH-API-CLIENT-REDIRECT-URI: https://x.x.x.x"'
curl_cmd = curl_cmd + ' https://va2.extremecloudiq.com/xapi/v1/monitor/devices{?ownerId=xxxxxx}'
I've found the ownerId and REDIRECT-URI address (my XIQ-SE) but struggling to find the CLIENT-ID and complete
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎03-02-2022 12:56 AM
I have used the document and managed to get an XIQ WAP to interact with the Access-Control engine. I created three SSIDs and all three worked (for PPSK, Open and Secure).
One thing that failed in my setup was the Workflow to Import the XIQ APs. When I ran it it said it succeeded very quickly as if it did not run through all of the tasks. No APs were added to XIQ-SE and no APs were added to Access-Control.
The output for the workflow showed an error:
Script Name: Process New XIQ Devices_Extract_All_Devices_from_XIQ
Date and Time: 2022-02-24T16:19:51.443
XIQ-SE User: netsight
XIQ-SE User Domain:
IP:
code: GatewayErrorCode.CLIENT_VERIFICATION_FAILED
message: Client Credential verification failed.
rawMessage: XCKCKzThhF
status: 401
I imported the workflow and appeared to succeed but nothing happened. Any ideas?
Thanks
Rob
One thing that failed in my setup was the Workflow to Import the XIQ APs. When I ran it it said it succeeded very quickly as if it did not run through all of the tasks. No APs were added to XIQ-SE and no APs were added to Access-Control.
The output for the workflow showed an error:
Script Name: Process New XIQ Devices_Extract_All_Devices_from_XIQ
Date and Time: 2022-02-24T16:19:51.443
XIQ-SE User: netsight
XIQ-SE User Domain:
IP:
code: GatewayErrorCode.CLIENT_VERIFICATION_FAILED
message: Client Credential verification failed.
rawMessage: XCKCKzThhF
status: 401
I imported the workflow and appeared to succeed but nothing happened. Any ideas?
Thanks
Rob
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎03-02-2022 12:56 AM
Update... I have found this document to answer quite a few of the questions I had so I will try this out.
https://documentation.extremenetworks.com/ExtremeCloudIQ/HowTo/ExtremeControl_for_XIQ-SE_and_XIQ_APs...
These are the sort of guides we all find useful and give great guidance with examples which are easy to follow and apply. It would be difficult to know what to do otherwise.
https://documentation.extremenetworks.com/ExtremeCloudIQ/HowTo/ExtremeControl_for_XIQ-SE_and_XIQ_APs...
These are the sort of guides we all find useful and give great guidance with examples which are easy to follow and apply. It would be difficult to know what to do otherwise.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎03-02-2022 12:56 AM
Hi Sam,
I have a customer that already has Cloud IQ APs and they are using PSK which has been compromised. They would like a more secure solution where they can assign VLANs for different user types. So, yes I want to use a network policy which uses the Extreme Access Control virtual appliance which is in a secure location at the customer's HQ. EAC and XIQ-SE are able to onboard to Cloud IQ as well as the APs.
Am I right that the APs need to be imported from XIQ into XIQ-SE so that they can be added to Access-Control>Switches? The APs that onboard to the cloud could be in any global location, so missing some facts about how Cloud based APs can use on premise Extreme NAC (not A3) as RADIUS Server using network policy in XIQ.
How is the AP configured under Access-Control>Switches? There is a list of different choices of RADIUS Attributes to Send in the device configuration, what should it be?
Not using Extreme A3.
Extreme Access Control could have local users or integrate with AD database.
Requirement is for 802.1X.
Thanks,
Rob
I have a customer that already has Cloud IQ APs and they are using PSK which has been compromised. They would like a more secure solution where they can assign VLANs for different user types. So, yes I want to use a network policy which uses the Extreme Access Control virtual appliance which is in a secure location at the customer's HQ. EAC and XIQ-SE are able to onboard to Cloud IQ as well as the APs.
Am I right that the APs need to be imported from XIQ into XIQ-SE so that they can be added to Access-Control>Switches? The APs that onboard to the cloud could be in any global location, so missing some facts about how Cloud based APs can use on premise Extreme NAC (not A3) as RADIUS Server using network policy in XIQ.
How is the AP configured under Access-Control>Switches? There is a list of different choices of RADIUS Attributes to Send in the device configuration, what should it be?
Not using Extreme A3.
Extreme Access Control could have local users or integrate with AD database.
Requirement is for 802.1X.
Thanks,
Rob
