AAA Server Settings
Configure AAA server settings for an Extreme Networks RADIUS server.
Navigate using the tab icons. Hover over an icon to see the name of the tab.
Configure > Network Policies > policy_name > Wireless Networks > SSID_name > Enterprise-WPA/WPA2 802.1X > Authenticate via RADIUS Server > Default RADIUS Server Group > Extreme RADIUS Server > Extreme Networks_RADIUS_server_name > AAA Server Settings
Configure > Network Policies > policy_name > Wireless Networks > SSID_name > MAC Authentication > MAC Authentication ON > Authenticate via RADIUS Server > Default RADIUS Server Group > Extreme RADIUS Server > Extreme Networks_RADIUS_server_name > AAA Server Settings
About AAA Servers
Extreme Networks devices can serve as RADIUS authentication servers and respond to 802.1X requests from other Extreme Networks devices acting as RADIUS authenticators. The Extreme Networks RADIUS server can store user accounts locally or check user login credentials against user accounts stored externally on Active Directory or LDAP (Lightweight Directory Access Protocol) servers.
You can view, clone, and delete existing Extreme Networks device AAA server profiles in "AAA Server Profiles".
- Before you can save an AAA server profile that uses an Extreme Networks database, you must designate at least one Extreme Networks device as a RADIUS server by adding it to a RADIUS server group profile.
Configure an Extreme Device AAA Server Profile
Before you can configure an AAA server profile, you must have a network policy with an SSID with Enterprise (WPA/WPA2 802.1X) access security, and a default RADIUS server group. From the Select Extreme Devices to configure as RADIUS Servers window, continue with this section. On the AAA Server Profile page, complete the two entries shown below.
Name: Enter a descriptive name for the AAA server profile. The name can contain up to 32 alphanumeric characters and cannot have spaces.
Description: Enter an optional description, which can contain up to 64 characters, including spaces.
Active Directory: Select to enable an Extreme Networks RADIUS server to interoperate with an Active Directory server.
LDAP Server: Select to direct user account look-ups to one or more LDAP servers.
User Group Attribute: Enter a descriptive name for the attribute group. The name can contain up to 32 characters without spaces.
After you have created an Active Directory (AD) AAA server profile and added a descriptive name for the attribute group, continue with the following sections.
Select an AD Server: Select an AD server from the drop-down list of configured AD servers.
Configure Active Directory: Select Add. In the Configure Active Directory dialog box, enter the following information:
Name: Enter a descriptive name for the Active Directory profile. The name can be up to 32 alphanumeric characters long and cannot have spaces.
Domain: Enter the Windows domain name to which the RADIUS authentication server and Active Directory server both belong, including parent domains, such as .com, .net, .org, and so on; for example, aerohive.com. The domain name can be up to 64 characters long.
Auto: The default AD type setting. It allows Active Directory and ExtremeCloud IQ to automatically supply the Active Directory Server and the base distinguished name parameters.
Manual: The alternative AD type setting. It requires you to enter the following:
Active Directory Server: From the drop-down list, choose a previously-defined IP object or host name for the AD server that contains the user accounts you want the RADIUS authentication server to authenticate. If you do not see the one that you need listed, select New and enter an IP object or host name. Alternatively, you can select to perform the same function. Enter the IP address or host name of the server in the Active Directory Server field. You can also enter an IPv6 address. When you do so, ExtremeCloud IQ automatically creates a corresponding IP object or host name. Optionally, select an existing server and select to change its settings.
BaseDN: Enter the base distinguished name, or the starting point for directory server searches, and the point in the directory tree structure under which the server stores user accounts in its database.
Short Domain Name: Enter a name with one to 64 characters. This is equivalent to the domain name.
Realm: The realm name corresponds to the user account location, which is often the same as the domain name. Although the realm name can be the same as the domain name, this is not always true. For example, authentication for a domain might be divided into multiple realms. One user might authenticate to the engineering.extreme.com realm and another to the marketing.extreme.com realm, both of which are within the extreme.com domain.
Computer OU: Set the OU (organizational unit) where the Extreme Networks RADIUS server has privileges to add itself as a computer in the domain or leave it blank. The default is the Computers OU. The host names of Extreme Networks RADIUS servers stored in the computer OU on the Active Directory server cannot be longer than 256 characters and cannot contain underscores. Note: by default, the RADIUS server attempts to add itself into "Computers" unless you specify a computer-ou here. Because you might not want to give a device access to the Computers container, you can create your own OU and give the device user permissions to create computers (that is, to add itself) to the specified OU. For example, the computer OU might be "wireless/APs".
Enable TLS Encryption: Select the check box to enable TLS (Transport Layer Security) to encrypt the user look-up requests that the Extreme Networks RADIUS server sends to the Active Directory server. Clear the check box to disable TLS encryption and send the look-up requests in plain text. Select Next to save your settings.
In the Configure Devices window, add, select, and modify a DNS server to work with the Extreme Networks device AD server. Select Next to configure the selected device with the saved AD server settings.
In the Configure Join Credentials panel, enter the following domain administrator credentials: Domain Admin (1-32 characters), and Password (1-64 characters).
Select Save the credentials for later user... to allow the Extreme Networks RADIUS server to join the domain automatically without administrator intervention.
Select Next to save your changes here, and then select Save again to save all of your changes. Continue with "Additional Device AAA Server Settings".
After you have created an LDAP Server AAA server profile and added a descriptive name for the attribute group, configure the following in the next section.
- Before you can save a device AAA server profile that uses an Extreme Networks database, you must designate at least one device as a RADIUS server by adding it to a RADIUS server group profile.
Select an LDAP server from the drop-down list of existing LDAP servers, or select Add to add a new LDAP server. To add a new server, configure the following settings:
Name: Enter a name for the LDAP server. The name can contain up to 32 alphanumeric characters and cannot have spaces.
IP Address: Enter an IPv4 or IPv6 address for the LDAP server.
Host Name: Enter a host name for the LDAP server. The name can contain up to 42 alphanumeric characters and cannot have spaces. Select Save.
In the LDAP Server window, enter the following:
Description: Enter an optional description, which can contain up to 64 characters, including spaces.
RADIUS User Base DN: Enter the RADIUS user base distinguished name, or the starting point for directory server searches, such as cn=visitors, and the point in the directory tree structure under which the server stores user accounts in its database.
- ExtremeCloud IQ supports up to 2000 users per user group. For more than 2000 users, separate the users into different user groups.
Bind DN Name: Enter the LDAP client distinguished name to be used during the bind (authentication) part of an LDAP session, such as cn=users, cn=students, dc=aerohive, dc=southamerica, ou=student, and ou=school. The name can be up to 256 characters long, including spaces.
Bind DN Password: Enter the LDAP client distinguished name password to be used during the bind (authentication) part of an LDAP session. The password can contain up to 64 characters, including spaces.
Select LDAP or LDAPS (secure LDAP) for the required communication protocol.
Enter any required Filter Attribute (default = cn) for LDAP sessions to use when searching elements below the baseObject.
Strip realm name from filter: Enable or disable removing the realm, which is commonly appended to a user's user name and delimited with an '@' sign, from the filter. Default is enabled.
Destination Port: Enter the port to use for the LDAP destination, from 1 to 65535. (LDAP default = 389. LDAPS default = 636.)
TLS Authentication/Encryption: Enable or disable Transport Layer Security authentication and encryption. (LDAP default = disabled. LDAPS default = enabled.)
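The Filter Attribute and Strip realm name from filter settings decide what the directory is actually asked for each login. The following is an added example, not Extreme Networks code: it builds such a search filter with RFC 4515 escaping so that characters typed in a user name cannot alter the filter. The function names and the choice to split on the last '@' are assumptions.

```python
import re

# RFC 4515 section 3: these characters must be written as \XX inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Attribute descriptor such as cn or uid (letters, digits, hyphen).
ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value):
    """Escape filter metacharacters so the value is matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(login, filter_attr="cn", strip_realm=True):
    """Return the LDAP search filter for one login name.

    filter_attr mirrors "Filter Attribute" (default cn); strip_realm mirrors
    "Strip realm name from filter" (default enabled). Both names are
    hypothetical and only illustrate the two settings.
    """
    if not ATTR_RE.match(filter_attr):
        raise ValueError(f"bad filter attribute: {filter_attr!r}")
    name = login
    if strip_realm:
        # Assumption: the realm is everything after the last '@'.
        name = login.rsplit("@", 1)[0]
    if not name:
        raise ValueError("empty user name after realm stripping")
    return f"({filter_attr}={escape_filter_value(name)})"


if __name__ == "__main__":
    # Constructed sample logins, not taken from any real directory.
    for login in ("alice@engineering.extreme.com", "j*(smith)"):
        print(login, "->", build_user_filter(login))
```

With realm stripping disabled, the whole `user@realm` string becomes the value compared against the filter attribute, so the directory entries must store names in that form.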
If you have enabled TLS Authentication/Encryption, enter and select the following:
CA Certificate File: Select the default certification authority digital certificate type: Default-CWPCert.pem, Default-Server_cert.pem, or Default_CA.pem.
LDAP Client Certificate: Select the default LDAP client digital certificate type: Default-CWPCert.pem, Default-Server_cert.pem, or Default_CA.pem.
Client Key File: Select the default client key digital certificate type: Default-CWPCert.pem, Default-Server_key.pem, or Default_key.pem.
Key File Password: Enter the client key file password. The password can be up to 64 characters long, including spaces.
Verify Server: Choose how often the Extreme Networks device checks the relationship between a certificate and its server: Try (on first authorization or authentication), Never, or Demand (as required, on demand).
When you are finished, select Save.
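A way to review LDAP server entries against the limits and transport settings listed above before saving them. This is an added example, not part of the product or its documentation; the dictionary keys are hypothetical, and the port check is a heuristic.

```python
import re

NAME_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")   # up to 32 alphanumerics, no spaces
DEFAULT_PORT = {"LDAP": 389, "LDAPS": 636}     # defaults stated on this page
DEFAULT_TLS = {"LDAP": False, "LDAPS": True}
VERIFY_CHOICES = ("Try", "Never", "Demand")


def audit_ldap_server(p):
    """Return a list of findings for one LDAP server entry (hypothetical keys)."""
    proto = p.get("protocol", "LDAP")
    if proto not in DEFAULT_PORT:
        return [f"protocol must be LDAP or LDAPS, got {proto!r}"]
    port = p.get("port", DEFAULT_PORT[proto])
    tls = p.get("tls", DEFAULT_TLS[proto])
    other = "LDAPS" if proto == "LDAP" else "LDAP"
    findings = []
    if not NAME_RE.match(p.get("name", "")):
        findings.append("name: must be 1-32 alphanumeric characters, no spaces")
    if len(p.get("bind_dn", "")) > 256:
        findings.append("bind_dn: longer than 256 characters")
    if len(p.get("bind_password", "")) > 64:
        findings.append("bind_password: longer than 64 characters")
    if not 1 <= port <= 65535:
        findings.append(f"port {port}: outside 1-65535")
    elif port == DEFAULT_PORT[other]:
        # Heuristic: usually a protocol/port mix-up worth a second look.
        findings.append(f"port {port}: this is the {other} default, profile uses {proto}")
    if not tls:
        findings.append("tls: disabled, bind password and look-ups travel unencrypted")
    elif p.get("verify_server") not in VERIFY_CHOICES:
        findings.append("verify_server: must be Try, Never, or Demand")
    elif p["verify_server"] == "Never":
        findings.append("verify_server: Never, the server certificate is not checked")
    return findings


# Constructed sample entries for illustration only.
WEAK = {"name": "campus ldap", "protocol": "LDAP", "port": 636, "tls": False,
        "bind_dn": "cn=users,dc=aerohive", "verify_server": "Never"}
CLEAN = {"name": "CampusLDAP", "protocol": "LDAPS",
         "bind_dn": "cn=users,dc=aerohive", "verify_server": "Demand"}

if __name__ == "__main__":
    for entry in (WEAK, CLEAN):
        print(entry["name"], audit_ldap_server(entry) or "no findings")
```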
After you have saved your LDAP server changes, continue with "Additional Device AAA Server Settings".
After you have changed and saved your Active Directory or LDAP server changes, continue with the following steps:
In the AAA Server Profile window, make the following "If external user database servers are unresponsive" selections:
Retry the previously unresponsive primary server after ___ Seconds: Enter an unresponsive primary server retry time. Default = 600 seconds.
Time to user local cache if none of the external servers are reachable ___ Seconds: Enter a time for the Extreme Networks device to switch to the local cache if the external servers are unavailable. Default = 300 seconds.
Try the next backup server after ___ Seconds: Enter a time for the device to switch to the next backup server if the previous server is unavailable. Default = 30 seconds.
Enable Caching of Credentials: Enable or disable local caching of credentials. (Caching credentials allows for better performance and higher availability by reducing the dependence on RADIUS servers across high-latency WAN links.)
Retain Cache for ___ Seconds: If you have enabled local caching of credentials, enter the time for the device to keep those credentials. Default = 86400 seconds.
Local Database: Enable or disable the local device database. Enabling a local database allows an Extreme Networks device to support authentication for local user groups.
Before you can save a complete Extreme Networks device AAA server profile that uses a local Extreme Networks database, you must associate at least one RADIUS user group to the AAA profile. For information about how to create a local RADIUS user group, see "User Groups" and "Add User Groups".
If you have enabled the local device database, then select one or more existing local RADIUS user groups from the drop-down list, and then choose Select.
On the AAA Server Profile page, select Save.
Copyright © Extreme Networks, Inc. 6480 Via Del Oro, San Jose CA, 95119 USA