09-24-2021 01:46 PM
Hello,
We will be replacing our current wireless infrastructure with Extreme products (for wireless controllers we will be using XCC, Extreme XMC, and a couple of Extreme engines for NAC). We are trying to come up with a solution to allow our staff to connect to one of our SSIDs with their personal devices for internet access only, not internal access. We are currently allowing them to use their AD account to connect to our secure WLAN, and we have a rule that puts them on the outside VLAN for internet access only if they use their account to connect. I know we can keep using the same method, where if they use their AD account to connect it puts them outside, and also limit who can connect, but we are looking into using the captive portal - authenticated users options instead, to possibly use their work email to get a verification code to connect after being sponsored. We would like to have one public SSID for our guests with captive portal, which we have configured already, and we want another SSID with captive portal for our staff, with a way for us to either allow or reject their request and also a way to monitor the accounts that connect to this SSID. The only document I could find with instructions is for ExtremeCloud IQ.
09-24-2021 08:36 PM
Hi,
This sounds like a Guest Registration with either OTP or Sponsored Access use case. There are a couple of ways you can achieve this:
1- In the first method, users connect to a Guest SSID and see a splash portal with a registration form; one of the fields in the registration form can be the email address, which is mandatory. The same splash page also has a list of sponsors, and the user selects one of them. The sponsor gets a network access request email with a link that allows them to either Allow/Deny the request.
2- The second method is similar to the first one, except that instead of selecting a sponsor on the registration portal, users provide their mobile/email (whichever is set to be the preferred way of delivering the OTP), submit the request and receive the unique OTP code via SMS/Email. They then use the OTP to log into the network.
Configuration:
Assuming that you have XCC already added into the NAC, if not, please add it to the XMC and NAC.
1- Allow External Captive Portal on the SSID, point to your NAC IP/FQDN (this is where the splash page is hosted), set the AAA policy and point both the RADIUS authentication and accounting servers to the NAC. Make sure the “Shared secret” matches the one on the NAC. NAC uses a default shared secret of “ETS_TAG_SHARED_SECRET”.
2- On the NAC, enable Captive Portal by following the instructions below:
3- To enable Sponsored Login, navigate to the Guest Registration page and configure it as follows. Fill in the Admin Sponsor Email accordingly. The Sponsor Email Field provides a few different options; choose the one that fits your needs. Specify the email IDs of the sponsors in the Predefined Sponsors text box. Make sure to Save and Enforce for the changes to take effect.
4- On the XCC, make sure the AP Profile in the Device Group has the “Unregistered” and “Guest Access” roles selected.
You can find user details in the NAC “End Systems” tab. This information includes user data such as name, email address, etc., and can be downloaded in CSV file format.
Let me know how it goes.
Regards,
Ovais
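Step 1's requirement that the shared secret match on both sides, shown as an added example (not part of the original reply and not Extreme code): a RADIUS reply carries an MD5 Response Authenticator computed over the packet plus the shared secret (RFC 2865), so a controller holding a different secret rejects the NAC's replies. The packet bytes and `SITE_SECRET` are constructed for illustration; `DEFAULT_SECRET` is the default quoted in the reply, and `uses_default_secret` is a hypothetical helper for checking whether a deployment still runs on it.

```python
import hashlib
import hmac
import struct

DEFAULT_SECRET = b"ETS_TAG_SHARED_SECRET"   # NAC default quoted in the reply above
SITE_SECRET = b"constructed-site-secret"    # constructed sample value
REQ_AUTH = bytes(range(16))                 # constructed 16-byte Request Authenticator
ATTRS = bytes([18, 4]) + b"ok"              # constructed Reply-Message attribute (type 18)
ACCESS_ACCEPT = 2

def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_response(code, ident, request_auth, attrs, secret):
    """RADIUS server side (the NAC here): build a reply signed with its secret."""
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def verify_response(packet, request_auth, secret):
    """RADIUS client side (the controller): accept only a matching authenticator."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False
    packet = packet[:length]                # bytes past Length are padding
    expected = response_authenticator(code, ident, request_auth, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])

def uses_default_secret(secret):
    """True if the configured secret is still the default named in the reply."""
    return hmac.compare_digest(secret, DEFAULT_SECRET)

def demo():
    reply = build_response(ACCESS_ACCEPT, 7, REQ_AUTH, ATTRS, SITE_SECRET)
    matched = verify_response(reply, REQ_AUTH, SITE_SECRET)        # secrets agree
    mismatched = verify_response(reply, REQ_AUTH, DEFAULT_SECRET)  # secrets differ
    return matched, mismatched

if __name__ == "__main__":
    print(demo(), uses_default_secret(SITE_SECRET))
```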