WiNG-5 9 1-Training-V1 0

WiNG 5.9.
1 Update
©2017 Extreme Networks, Inc. All rights reserved

WiNG 5.9.1 Release
▪ Agenda
Release Overview: Part 2 - Services:

▪ General Release Information ▪ Bonjour Gateway Enhancements
▪ New AP Platforms
Part 3 – Radio Features:
Part 0 – WiNG Scalability ▪ Dynamic Mesh for AP7562 (a.k.a Rail Mesh)
▪ VX9000 Scaling ▪ Aeroscout support for 802.11ac APs
▪ RF Domain Manager Scaling
▪ VX9000 Elastic Storage Support Part 4 - Guest Access:
▪ ExtremeGuest – Wired Captive Portal
Part 1 - Management: ▪ ExtremeGuest – Tunneled MAC Authentication
▪ Virtual Controller Enhancements – Heterogeneous
AP Management

WiNG 5.9.1
Supported Platforms

General Release Information
▪ Controllers Supported in WiNG 5.9.1
Data Center
Capacity & Applications
VX 9000 - Virtualized
Branch / Small Campus Campus Adoption Capacity = 25,600
NX 5500 NX 75X0 NX 96X0

Adoption Capacity = 512 Adoption Capacity = 2,048 Adoption Capacity = 10,240
RFS 4010 RFS 6000 (EOS) NX 95X0 (EOS)

Adoption Capacity = 144 Adoption Capacity = 256 Adoption Capacity = 10,240
Performance
General Release Information
▪ Access Point Supported in WiNG 5.9.1
Indoor Outdoor
802.11n 802.11ac 802.11n 802.11ac
AP8432 AP8163
AP81XX (EOS) AP8533 AP7161 (EOS in EU
High Tier AP7562
AP8232 (EOS) and US, ASIA EOS Oct
2017)
AP7532
AP6532 (EOS) AP6562 (EOS Oct
Mid Tier AP7522 AP7662
2017)
AP7632
AP7502 (EOS Oct

2017)
AP6521 (EOS)
AP7612
Value Tier AP6522 (EOS Oct
2017)
AP7602
AP7622
WiNG 5.9.1
New APs

ExtremeWireless WiNG Family Portfolio
Active Service Delivery Outdoor
$1095 - $1395 $1295 - $1595
New APs Performance + Value
Mid-Market $595 - $795
$495-$695
Value Tier
$295 - $395
7562i/e
8533
7532i/e 8433
7522i/e
7612
7622/7602 7632i/e
2x2:2 Wave 2, IP67
Int / Ext antenna, GPS
4x4:4 wave 2, BLE
AP-7532 3x3:3 Wave 1
AP-7612 2x2:2 Wave AP-7522 2x2:2 Wave 1 IOT ready 8432 3x3:3 wave 1, IP67
2, Wallplate 2x2:2 wave 2, BLE General use, high Tri-Radio 8533 Outdoor
General use, high product performance
7622/7602 margin Façade antenna option
24x7 dedicated security
1x1:1 2.4 GHz/5 GHz, or Optimized antenna WiFi Location aware M12 connector option
2x2: 2.4 GHz or 5 GHz 7632 High ambient-T Train certified
BT security scan
Low cost 11ac, BLE Vehicle modem mount
One AP per hotel room Markets: Mid-market Retail, Markets: Mid-market Retail, Markets: Tier-1 Retail, Tier-1
Markets: Hotel, Small retail, Hotels, warehouse, enterprise warehouse, enterprise Markets: Ports, Mining,
T&L
warehouse Logistics, Transport
7 ©2017 Extreme Networks, Inc. All rights reserved

EWW AP 7612 – Wall Wedge Wave 2
▪ 802.11ac 2x2:2 MU-MIMO - HT20/40/80 MHz

▪ Bluetooth Low Energy (BLE) v4.2
▪ Operating Temp: 32° F to 104° F/ 0° C to 40° C AP 7662
8.5” x 8.5”
▪ Weight: .6 lbs/0.27kg
▪ Size: 6.1" x 4.4" x 1.2", 155mm x 112mm x 30mm
▪ 2x IEEE 802.3 Gigabit Ethernet auto-sensing, PoE-Out on GE2
▪ TxPWR 2.4GHz: 20dBm 2 Chains; 5GHz: 20dBm 2 Chains
▪ Internal Antenna: 2.4 GHz Band; 5.4dBi; 5GHz Band, 8.5dBi
▪ PoE-out: 802.3af When the Input Power is 802.3at.
▪ Poe-Out is only Available When the Inut Power is PoE
▪ PoE: 802.3af, 802.3at
Ordering Info: Replaces AP-7502

(37101) AP-7612-680B30-US EOS announcement Oct 2017 Small Retail Hospitality
(37102) AP-7612-680B30-WR SMB
©2017 Extreme Networks, Inc.

©2017
All rights
Extreme
reserved
Networks, Inc. All rights reserved
EWW AP 7612
▪ Ordering, Pricing, Availability
Part U SC A N LA TA M EM EA List A PA C
Product N am e Product N am e
N um ber List Price List Price Price List Price
80 2.11ac W allplate W edge M U -M IM O ,2x2:2,D ual radio,

3710 1 A P-7612-680 B 30 -U S $395 $395 $415 $435
internal antenna,D om ain: U nited States,Puerto R ico
80 2.11ac W allpate W edge M U -M IM O ,2x2:2,D ual radio,

3710 2 A P-7612-680 B 30 -W R internal antenna,D om ain: C anada,C olom bia,EM EA ,R est of $395 $395 $415 $435
W orld
Part
Product N am e General Availability:
N um ber
37215 PW R 12V D C ,2A ,2.5m m x 5.5m m connector
10/25/2017, Software: WiNG 5.9.1
(37101) AP-7612-680B30-US
(37102) AP-7612-680B30-WR
Note: All EMEA countries order WR

EWW AP 7632 – Indoor Wave 2
▪ AP 7632 cannibalize AP 7522
Extended Temperature
for warehousing
▪ 802.11ac 2x2:2 MU-MIMO - HT20/40/80 MHz ▪ 802.11ac 2x2:2 MU-MIMO - HT20/40/80 MHz
▪ Bluetooth Low Energy (BLE) v4.2, & IEEE 802.15.4 compliant ▪ BLE v4.2, and IEEE 802.15.4 compliant
▪ Operating Temp: 32° F to 104° F/ 0° C to 40° C ▪ Operating Temp: -4° F to 140° F/ -20° C to 60° C
▪ Weight: 14.2 oz/0.4 kg ▪ Weight: 24.7 oz, 0.7 kg
▪ Size: 6.3 in diameter x 1.7 in ,161 mm diameter x 48.5 mm, ▪ Size: 6.9 in x 5.0in x 1.2 in, 175 mm x 128 mm x 26.9 mm
▪ 1x IEEE 802.3 Gigabit Ethernet auto-sensing
▪ Console Port: RJ45 ▪ 1x IEEE 802.3 Gigabit Ethernet auto-sensing
▪ Plenum-rated housing (UL2043) - via Ceiling mount ▪ Console Port: RJ45
▪ TxPWR 1 TX: 2.4GHz : 23dBm; 5GHz: 23dBm ▪ Plenum-rated housing (UL2043)
▪ TxPWR 2 TX: 2.4GHz : 26dBm; 5GHz: 26dBm ▪ TxPWR 1 TX 2.4GHz: 20dBm; 5GHz: 20dBm
▪ Internal Antenna: 4dBi - 2.4 GHz band; 6 dBi - 5GHz band, BTLE ▪ TxPWR 2 TX 2.4GHz: 23dBm; 5GHz: 23dBm
– 3 dBi ▪ 3x RP SMAs: 2 dual band ports (diplex antennas), 1 BTLE
▪ PoE: 802.3af ▪ USB 2.0
▪ PoE: 802.3af, 802.3at (needed for USB only)
(37111) AP-7632-680B30-US (37113) AP-7632-680B40-US

Transportation Manufacturing
(37112) AP-7632-680B30-WR (37114) AP-7632-680B40-WR Logistics
Retail Hospitality
EWW AP 7632
Part U SC A N LA TA M EM EA List A PA C
N um ber List Price List Price Price List Price General Availability:
W iN G 80 2.11ac Indoor W ave 2,M U -M IM O A ccess Point,
37111 A P-7632-680 B 30 -U S 2x2:2,D ual R adio 80 2.11ac/abgn,internal antenna $495 $495 $520 $545 10/31/2017
D om ain: U nited States,Puerto R ico WiNG 5.9.1
37112 A P-7632-680 B 30 -W R 2x2:2,D ual R adio 80 2.11ac/abgn,internal antenna $495 $495 $520 $545
D om ain: C anada,C olom bia,EM EA ,R est of W orld

37113 A P-7632-680 B 40 -U S 2x2:2,D ual R adio 80 2.11ac/abgn,external antenna $695 $695 $730 $765
D om ain: U nited States,Puerto R ico
37114 A P-7632-680 B 40 -W R 2x2:2,D ual R adio 80 2.11ac/abgn,external antenna $695 $695 $730 $765
D om ain: C anada,C olom bia,EM EA ,R est of W orld
A ccessories Part N um ber Product D escription
W iN G bracket 37201 M ounting Plate for Indoor A Ps (included in A P Box) - only order for spares
U niversalM ounting Kit KT-135628-01 U niversalM ounting Kit for EW LA N A Ps (com patiblity w ith legacy installs) Mounting Options
Flat M etalW iN G Bracket 37210 Flat M etalIndoor Bracket (new bracket see Q IG )
Option A:
Beam C lip BRKT-000147A -01 A P 7532,A P 7522 BEA M C LIP (com patiblity w ith legacy installs) Mounting Plate ships in the Box
Bracket A dapters BRKT-000167A -01 A P-7532-7522 Bracket A dapter W allM ount (legacy installs)
AP backward compatibly WiNG mounting gear
- Universal Mounting Kit
W S-M BI-D C M TR01 D rop C eiling M ulti-T RailBracket.A ccom m odates 9/16", - Beam Clip
D rop C eiling M ulti-Tbar 30518 15/16" and 1.5" w ide T-bars (need to rem ove the M oum ting plate included
in box)
Option B:
W allm ount 30516 W S-M BI-W A LL04 (need to rem ove the M oum ting plate included in box)
- remove the mounting plate in box
PoE m id-span injector A P-PSBIA S-2P2-A FR IEEE802.3af G igaBit PO E injector - Wall Mount - WS-MBI-WALL04 – wall mount
A P-PSBIA S-2P3-A TR 802.3at G b PoE Injector
- Drop Ceiling - WS-MBI-DCMTR01
PoE m id-span injector
Pow er Supply,w allbrick 37215 PW R 12V D C ,2A ,2.5m m x 5.5m m connector
EWW AP 7662 – Outdoor Wave 2
▪ Replaces AP 6562, EOS announcement Oct 2017
AP 7662
8.5” x 8.5”
▪ 802.11ac 2x2:2 MU-MIMO - HT20/40/80 MHz ▪ 802.11ac 2x2:2 MU-MIMO - HT20/40/80 MHz
▪ Bluetooth Low Energy (BLE) v4.2 & IEEE 802.15.4 compliant ▪ Bluetooth Low Energy (BLE) v4.2 and IEEEWave
802.15.42compliant
with IOT Expansion
▪ Operating Temp:-40° F to 158° F/ -40° C to 70° C ▪ Operating Temp:
▪ Weight: 2.4 lbs/ 1.1 kg ▪ Weight: 2.8 lbs/ 1.3 kg
▪ Size:8.6" x 7.1" x 2.7" - 218 mm x 180 mm x 69mm ▪ Size: 8.6" x 7.8" x 2.7" - 218 mm x 198 mm x 69mm
▪ 2x IEEE 802.3 Gigabit Ethernet auto-sensing ▪ 2x IEEE 802.3 Gigabit Ethernet auto-sensing
▪ TxPWR 1 TX 2.4GHz: 23dBm; 5GHz: 23dBm ▪ TxPWR 1 TX 2.4GHz: 20dBm; 5GHz: 20dBm
▪ TxPWR 2 TX 2.4GHz: 26dBm; 5GHz: 26dBm ▪ TxPWR 2 TX 2.4GHz: 23dBm; 5GHz: 23dBm
▪ Internal Antenna: 4.3 dBi - 2.4 GHz band; 5.3 dBi - 5GHz band, 3 dBi - BTLE ▪ External Antennas:
▪ IP67 ▪ Five N-Type connectors, (2) 2.4 GHz, (2) 5 GHz, 1 BTLE
▪ Internal GPS ▪ IP67
▪ PoE: 802.3at ▪ Internal GPS
▪ PoE: 802.3at
Ordering Info:
Ordering Info:
(37121) AP-7662-680B30-US
(37123) AP-7662-680B40-US
(37122) AP-7662-680B30-WR Transportation Manufacturing
(37124) AP-7662-680B40-WR
Retail Hospitality Logistics

EWW AP 7662
Part
U SC A N LA TA M EM EA List A PA C General Availability:
N um ber List Price List Price Price List Price
11/24/2017
W iN G 80 2.11ac O utdoor W ave 2,M U -M IM O A ccess
37121 A P-7662-680 B 30 -U S Point,2x2:2,D ual R adio 80 2.11ac/abgn,internal $1,295 $1,295 $1,360 $1,425
Software: WiNG 5.9.1.1
antenna, D om ain: U nited States,Puerto R ico (37121) AP-7662-680B30-US
W iN G 80 2.11ac O utdoor W ave 2,M U -M IM O A ccess (37122) AP-7662-680B30-WR
Point,2x2:2,D ual R adio 80 2.11ac/abgn,internal
37122 A P-7662-680 B 30 -W R $1,295 $1,295 $1,360 $1,425
antenna D om ain:C anada,C olom bia,EM EA ,R est of
W orld 12/8/2017
Software: WiNG 5.9.1.2
37123 A P-7662-680 B 40 -U S Point,2x2:2,D ual R adio 80 2.11ac/abgn,internal $1,295 $1,295 $1,360 $1,425 (37123) AP-7662-680B40-US
antenna, D om ain: U nited States,Puerto R ico (37124) AP-7662-680B40-WR
37124 A P-7662-680 B 40 -W R Point,2x2:2,D ual R adio 80 2.11ac/abgn,external $1,295 $1,295 $1,360 $1,425
antenna D om ain: C anada,EM EA ,R est of W orld
Mounting Options
Option A:
▪ Pole Mount WS-MBO-POLE01
▪ Wall Mount – WS-MBO-H01
A ccessories Part N um ber Product D escription
▪ 10” Extension Arm (30514) – needs pole
H -Type M ounting B racket 30 519 W S-M B O -H 0 1 H -Type M tg B rkt (used for ceiling or w allm ount)
▪ Mounting bracket (30514)
Pole M ountim g B racket 30 520 W S-M B O -PO LE0 1 Pole M tg B rkt (used for m ounting on pole)
10 " Extenstion A rm 30 514 W S-M B O -A R T0 1 2 A xis Ext.M tg B kt
Legacy M ount K it K T-14740 7-0 1
Option B:
O U TD O O R A P M O U N TIN G H A R D W A R E K IT (can use existing W iN G M ounting hardw are)
Existing Extension A rm K T-150 173-0 1 O U TD O O R A P 12 IN EX T A R M FO R M N TG K IT
Legacy WiNG mounting gear
PoE O utdoor injector,U S A P-PSB IA S-7161-U S O U TD O O R PO E IN JEC TO R U S ▪ Pole – KT-147407-01
PoE O utdoor injector,W W A P-PSB IA S-7161-W W O U TD O O R PO E IN JEC TO R R O W ▪ Extension Mt – KT-150173-01 - needs pole
Legacy Pole M ount K T-153143-0 1 O U TD O O R PO E M O U N TIN G K IT ▪ Mounting bracket (KT-147407-01)

EOS and Replacement EWW APs
▪ EOS Announcement Oct 2017 – Last Ship dates March 2018
7632i/e
AP-6522 (/E)
7662i/e
AP-6562 (/E)
7612
AP-7502 (/E)
New APs - Caveats
▪ Features NOT supported in 5.9.1
Following features are NOT supported for 7612 | 7632 | 7662 in the 5.9.1 release:
▪ BTLE radio
▪ Cisco Phones with WMM
▪ Sensor (both dedicated and RadioShare)
▪ Client Bridge
▪ MeshConnex
▪ MU-MIMO
▪ Tx Beamforming
▪ RSSI Feed API
▪ PPPOE
▪ L2oGRE tunnels
▪ VRRP
▪ OSPF
▪ NSight sensor (AP Test, Advanced Spectrum Analysis)
▪ WeChat integration

WiNG 5.9.1
Part 0 – WiNG Scalability

WiNG 5.9.1 – WiNG Scaling
▪ Scaling increase
256
▪ WiNG 5.9.1 increased RF Domain Manger scaling for controller-
less sites from 128 to 256 APs, only if RF Domain Manager is
AP8432, AP8533 or AP7632. Maximum number of clients per RF
Domain is 4,096 (statistics aggregation) 128
▪ WiNG 5.9.1 increased VX9000 adoption capacity from 10,240 to 25K

25,600 Access Points. Max number of RF Domains is still 10,000.
10K
▪ VX9000 Elastic Storage Support
▪ VX9000 ISO file on 5.9.0.1 and 5.9.1.0 has been updated to support Elastic Storage
(Logical Volume Group). This allows to expand the hard disk size of the VM instance
after the VX is installed.
– Allows to easily expand storage on as-needed basis for storage hungry services like NSight
and ExtremeGuest
– Allows to expand both primary (max 2 TB in size) and secondary storage (allows disk size
>2TB)
– Allows to dynamically increase storage by adding new drives (up to 5 per instance)

▪ VX9000 Elastic Storage Support
▪ Caveats
– No backward compatibility for upgrades. New VX9000 installation is required.
– no downgrade below 5.9.0.1.
– Supported Hypervisors: VMWare ESXi, MS Hyper-V.
– Not supported on XenServer and Amazon EC2

▪ VX9000 Elastic Storage Support – Management (CLI Only)
▪ Logical Volume Group Management:

vx9000-2#show virtual-machine volume-group status
-----------------------------------------
Logical Volume: lv1
-----------------------------------------
STATUS : available
SIZE : 13.02 GiB
VOLUME GROUP : vg0
PHYSICAL VOLUMES :
vda10 : 13.02 GiB
-----------------------------------------
vx9000-2#virtual-machine volume-group ?
add-drive Add drive to volume group
replace-drive Replace drive in volume group
resize-drive Resize [increase] physical drive in volume group
resize-volume-group Resize [increase] volume group
When adding / replacing / resing drives the following naming is used:

xd* where:
x – drive prefix (typically s** or xv**)
* - drive index from **a to **e
Example: to edit first drive in ESXi use name sda. To edit second drive use sdb, etc.

WiNG 5.9.1
Part 1 – Management

Virtual Controller Enhancements –
Heterogeneous AP Management

WiNG 5.9.1 – Virtual Controller Enhancements
▪ Heterogeneous VC Management
▪ WiNG 5.9.1 continues to enhance Virtual Controller functionality
▪ Adds support to mix different AP families under one VC AP.
▪ In combination with Dynamic VC feature introduced in 5.9.0 provides a robust highly

available controller-less solution for small deployments or for multi-site multi-tenanted
service provider deployments.
▪ Enterprise UI has new Wizard added for simplified configuration of “Dynamic Virtual
Controller”.
▪ For older APs / low tier APs VC rules are the same as pre-5.9.1 – same AP model
management only.

▪ VC AP Mix options
High Tier APs can manage themselves, and any lower tier APs
High Tier
8533 8432
7562 7662
Mid Tier
7532
7632
7522
Must switch AP to Enterprise UI for HetVC
Value Tier 7602 7622 7612

▪ Heterogeneous VC Management
▪ Supported mix of APs:

Managed Access Points
VC Type AP7522 AP7612
AP7602
AP8533 AP8432 AP7532 AP7632
AP7622
AP7562 AP7662
AP8533
AP8432     
AP7632
AP7662     
AP7522
AP7532     
AP7562
Access Points not mentioned in the table above use old VC rules – same AP model management only!

▪ New Dynamic Virtual Controller Wizard!

▪ Heterogeneous VC management – Firmware Upgrades
▪ For simplified Access Point image upload, upload from local PC is now supported
instead of remote TFTP/FTP/SFTP server.
▪ Since Access Points have smaller flash space than controllers, firmware upgrade
procedure in mixed environments has to be planned carefully:
– Same family APs have the same firmware image:
AP Type Image Name, Image Size and Available Flash space
AP8533 cedar.img, image size ~35MB, available flash space – 84MB
AP8432 cypress.img, image size ~35MB, available flash space – 84MB
AP7632 | AP7662 willow.img, image size ~36MB, available flash space – 84MB
AP7612 poplar.img, image size ~27MB
AP7522 | AP7532 | AP7562 birch.img, image size ~38MB, available flash space – 84MB
AP7602 | AP7622 aspen.img, image size ~25MB

▪ Virtual Controller Adopted AP Upgrade – Image Upload via local PC

▪ Virtual Controller Adopted AP Upgrade – Image Upload via local PC

▪ Virtual Controller Upgrade
1
2 3
5 6
4

▪ Virtual Controller Adopted AP Upgrade

WiNG 5.9.1
Part 2 – Services

Bonjour Gateway Enhancement

WiNG 5.9.1 – Services
▪ Bonjour Gateway Discovery Enhancements - Overview
Bonjour Gateway in WiNG today allows to limit type of bonjour services can be discovered and advertised back to
wireless clients, like AirPlay vs AirPrint vs AirTunes etc.
Challenge:
▪ In large enterprise environments with hundreds of bonjour servers available in the same network it becomes
impossible for the end-users to select the right server and for the admin to limit which servers a user is allowed
to use based on his/her location.
▪ Use-Case Example:
– Limit access to certain print servers based on AP location, i.e. Marketing vs Sales vs Engineering
– Limit access to certain media servers for screen sharing based on the Meeting room ID / Floor number
Solution:
▪ Wing 5.9.1 solves this problem by introducing a feature to limit discovered services not only based
on service type, but also based on server name.
▪ Use-Case Example:
– Allow access to Media servers using AirPlay if name contains Marketing-Share*
– Allow access to Print Servers using AirPrint located on the second floor if server name contains FL2*

WiNG 5.9.1 – Services
▪ Bonjour Gateway Discovery Enhancements - Configuration
▪ Bonjour Server needs to follow certain naming convention to define its location:
vx9k##show bonjour services on ap8533-0709C4
----------------------------------------------------------------------------------------------------------------------------- --------------------
SERVICE_NAME INSTANCE_NAME IP:PORT VLAN-ID VLAN_TYPE EXPIRY
----------------------------------------------------------------------------------------------------------------------------- --------------------
_airplay._tcp.local RFD1-FL2-MediaServer._airplay._tcp.local 192.168.7.79:7000 7 Local Tue Aug 29 14:55:33 2017
_raop._tcp.local 38364e226e5f@RFD1-FL2-MediaServer._raop._tcp.local 192.168.7.79:7000 7 Local Tue Aug 29 14:55:33 2017
----------------------------------------------------------------------------------------------------------------------------- --------------------
▪ Bonjour Discovery policy limits AirPlay service discovery to instances containing “FL2” in their name:
▪ Instance Name can be Aliased (String Alias is used, like $PRINT-SERVER) for large scale deployments. Aliases can
be defined under RF Domain, Profile or Device level

WiNG 5.9.1
Part 3 – Radio Features

Dynamic MeshConnex for AP7562

WiNG 5.9.1 – Radio Features
▪ Dynamic MeshConnex - Overview
Dynamic MeshConnex:
▪ Designed specifically to address challenges in rail deployments to interconnect multiple train cars
independently of the train orientation
– Train can change configuration. Train cars can be exchanged between trains
– Train can change orientation.
– Generic Mesh solutions tend to be more static and require a lot of manual tweaking and intervention.
Dynamic MCX provides two path selection methods are supported:

▪ Auto-MiNT
– Allows a Mesh Point to automatically configure itself to a Root or Non-Root Mesh Point
– One AP in the brain car will be set as Cost Root as “closest” AP to the controller
– Other APs will dynamically select Root / Non-Root role based on the link cost to the controller
▪ Auto-Proximity
– All APs are Non-Roots
– Neighboring APs are forming bound pairs between train cars, while ignoring wired peers within the same
train car

Dynamic MeshConnex – Auto MINT:

Dynamic MeshConnex – Auto Proximity:

▪ Dynamic MeshConnex - Considerations
▪ Auto-MINT requires one AP in the brain car to be configured as a “cost Root”.

– Requires more configuration and is less dynamic than auto proximity.
▪ Auto-Proximity uses the same AP profile across the whole trainset(s) and dynamically
adjusts based on trainset configuration and orientation
– APs/Antennas need to be mounted with overlapping coverage between peers in different
train cars, with little to no signal overlap within the same train car.
– Hysteresis thresholds should be used to only allow closest neighbors to form mesh pair
based on RSSI level, sustained RSSI over time, SNR delta. This will prevent accidental ping-
pong at train stations where multiple trains are docked close to each other!

Aeroscout support
for 802.11ac Access Points

▪ Aeroscount Support - Overview
▪ Aeroscout RTLS is supported since 5.4.2 on legacy 802.11n platforms.
▪ WiNG 5.9.1 adds support for Broadcom based 802.11ac Access Points: AP7522,
AP7532, AP7562, AP8432, AP8533.
▪ WiNG AP is forwarding Aeroscout Multicast tag info to the Aeroscout RTLS engine. Each
radio is scanning on the operating channel
▪ Additionally, WiNG 5.9.1 allows to define Aeroscout engine IP address and Port number.
Previously Aeroscout engine needed to have all IP addresses of APs listed to let them
know where to forward data.

▪ Aeroscount Support – Configuration Web UI
▪ Enabled / Disabled per radio at Profile or Device Override level

▪ AP needs to have an IP address to be able to forward data
▪ Configuration  {AP Profile}  Interface  Radios  Radio <1|2>

▪ Aeroscount Support – Configuration CLI
▪ Enabled / Disabled per radio at Profile or Device Override level

▪ AP needs to have an IP address to be able to forward data
controller#conf
Enter configuration commands, one per line. End with CNTL/Z.
controller(config)#profile anyap GENERIC-PROFILE
controller(config-profile-GENERIC-PROILE)#interface radio <1|2>
controller(config-profile-GENERIC-PROILE-if-radioX)#aeroscout forward ip <AS engine IP> port <port>
controller(config-profile-GENERIC-PROILE-if-radioX)#aeroscout mac <MAC to be forwarded, default is 01-0C-CC-00-00-00>
controller(config-profile-GENERIC-PROILE-if-radioX)#commit write

WiNG 5.9.1
Part 4 – Guest Access

ExtremeGuest –
Wired Captive Portal & Tunneled MAC
Authentication

WiNG 5.9.1 Guest Access
▪ ExtremeGuest – Wired Captive Portal Deployment Overview
▪ Centralized ExtremeGuest with Wired Captive Portal:
▪ Can be deployed as an overlay solution with 3rd party

Wireless LAN and/or WiNG
▪ Can be used as a Captive Portal solution for both
Wired & Wireless clients Internet
▪ Requires WiNG Controller acting as capture &

redirection device for the Guest VLAN
– WiNG device (e.g. NX7500) is installed in between the
guest router/firewall to snoop wireless/wired client
DMZ
traffic
▪ ExtremeGuest server hosts splash pages RADIUS communication
▪ WiNG 5.9.1. adds an option to perform MAC Auth for Guest VLAN (MINT / L2TPv3
tunnel or directly switched)
HTTPS POST
clients behind MINT or L2TPv3 tunnels
Capture & Redirection
Hotspot Server / Splash Pages

Wired / Wireless Client

▪ ExtremeGuest – Device Registration Flow – Wired Captive Portal
1.G uest U ser is connected to an O PEN SSID attached to the G uest V LA N .A P can
be W iN G or any 3rd party A P.
2.G uest U ser traffic is snooped by the W iN G device that does M A C

authentication against Extrem eG uest server,such as an N X 750 0.W iN G device is
installed in betw een the w ired infrastructure and R outer/Firew allfor the G uest
V LA N (directly sw itches or extended via L2TPv3 / M IN T).
CP R A D IU S

▪ ExtremeGuest – Device Registration Flow – Wired Captive Portal – Contd.
3.If guest device is new ,M A C A uth w illfailand guest w illbe redirected by the
W iN G device to Extrem eG uest hosted Splash Page
H TTP(S)
R edirect CP
H TTP(S) G ET
registration.htm l

4.A fter guest registration is com pleted (either using form or any SocialM edia
A uthentication),guest device is added to Extrem eG uest database and access to
the internet is allow ed
Success!R edirect to
W elcom e Page CP
5.Sam e flow applies for W ired C lients as w ell!

4.A fter guest registration is com pleted (either using form or any SocialM edia
A uthentication),guest device is added to Extrem eG uest database and access to
the internet is allow ed
Success!R edirect to
W elcom e Page CP
5.Sam e flow applies for W ired C lients as w ell!

▪ ExtremeGuest – Wired Captive Portal Configuration Steps
▪ Step 1 – Deploy single ExtremeGuest server
▪ Start the database process:

extremeguest-server#self
extremeguest-server(config-device-00-0C-29-17-99-B2)#use database-policy default
extremeguest-server(config-device-00-0C-29-17-99-B2)#ntp server pool.ntp.org
extremeguest-server(config-device-00-0C-29-17-99-B2)#commit write
[OK]
extremeguest-server(config-device-00-0C-29-17-99-B2)#end
▪ Verify
extremeguest-server#show database status
--------------------------------------------------------------------------------
MEMBER STATE ONLINE TIME
--------------------------------------------------------------------------------
localhost PRIMARY 0 days 0 hours 1 min 11 sec
--------------------------------------------------------------------------------
Authentication: Disabled Authentication User: None
--------------------------------------------------------------------------------
[*] indicates this device.

▪ Step 1 – Deploy single ExtremeGuest server – contd.
▪ Start the ExtremeGuest server:

extremeguest-server(config-device-00-0C-29-17-99-B2)#eguest-server
[OK]
▪ Verify:
extremeguest-server#show eguest status
-----------------------------------
pid process
-----------------------------------
2817 gmd
2927 acct_server
2940 regserver
2986 guest_manager
3130 acct_server
3136 acct_server-helper
21425 guest_manager
27266 radiusd

▪ Step 1 – Deploy single ExtremeGuest server – contd.

▪ Assign ExtremeGuest licenses:
extremeguest-server(config-device-00-0C-29-17-99-B2)#license EGUEST-DEV <paste license key obtained from the licensing portal
here>
▪ Verify:
extremeguest-server#show licenses
Serial Number : 1E150A63850635FC
Device Licenses:
AP-LICENSE
String :
Value : 0
Borrowed : 0
Total : 0
Used : 0
AAP-LICENSE
String : VX-DEFAULT-64AAP-LICENSE
Value : 64
Borrowed : 0
Total : 64
Used : 0
ADVANCED-SECURITY
String : DEFAULT-ADV-SEC-LICENSE
EGUEST-DEV
String : c87deb7553ebbb25e76a1c85001fe4f5f4fd18e508d6610751086370718a5c3da631a19b85584c74
Value : 128

▪ Step 2 – Integrate WiNG Wired CP device with ExtremeGuest
▪ Synchronize configuration between WiNG Wired CP device and ExtremeGuest server:

nx7500-1#conf
nx7500-1(config)#profile nx7500 Wired-CP
nx7500-1(config-profile-Controllers)#eguest-server 1 host <ExtremeGuest IP address | FQDN>
nx7500-1(config-profile-Controllers)#no controller adoption
nx7500-1(config-profile-Controllers)#commit write
▪ Create AAA Policy pointing to the ExtremeGuest server:

nx7500-1#conf
nx7500-1(config)#aaa-policy ExtremeGuest
nx7500-1(config-aaa-policy-ExtremeGuest)#authentication server 1 host <ExtremeGuest IP | FQDN> secret 0 <RADIUS secret>
nx7500-1(config-aaa-policy-ExtremeGuest)#accounting server 1 host <ExtremeGuest IP | FQDN> secret 0 <RADIUS secret>
nx7500-1(config-aaa-policy-ExtremeGuest)#accounting type start-interim-stop
nx7500-1(config-aaa-policy-ExtremeGuest)#accounting interim interval 60
nx7500-1(config-aaa-policy-ExtremeGuest)#commit write

▪ Step 2 – Integrate WiNG with ExtremeGuest - contd
▪ Create Captive Portal policy with external redirection to ExtremeGuest
nx7500-1#conf
nx7500-1(config)#captive-portal ExtremeGuest
nx7500-1(config-captive-portal-ExtremeGuest)#server host <virtual FQDN>
nx7500-1(config-captive-portal-ExtremeGuest)#use aaa-policy ExtremeGuest
nx7500-1(config-captive-portal-ExtremeGuest)#accounting radius
nx7500-1(config-captive-portal-ExtremeGuest)#webpage-location external
nx7500-1(config-captive-portal-ExtremeGuest)#webpage external welcome http://www.extremenetworks.com
nx7500-1(config-captive-portal-ExtremeGuest)#webpage external fail http://eguest.wingguestaccess.com/splash/templates/eguest-wired/fail.html
nx7500-1(config-captive-portal-ExtremeGuest)#webpage external acknowledgement http://eguest.wingguestaccess.com/splash/templates/eguest -
wired/acknowledgement.html
nx7500-1(config-captive-portal-ExtremeGuest)#webpage external registration http://eguest.wingguestaccess.com/splash/templates/eguest -
wired/registration.html?oauth-config=default&mac=WING_TAG_CLIENT_MAC&wlan=hostname-vlan-X&rfd=WING_TAG_RF_DOMAIN&cps=1&regtype=device
nx7500-1(config-captive-portal-ExtremeGuest)#commit write
▪ Login / Registration page URL must follow this format:

http(s)://{ExtremeGuest_real_FQDN}/splash/templates/{Splash_Template_Name}/registration.html?oauth-
config=default&mac=WING_TAG_CLIENT_MAC&wlan=hostname-vlan-X&rfd=WING_TAG_RF_DOMAIN&cps=1&regtype={device|device-otp|user}
hostname-vlan-X:
hostname = hostname of the wired WiNG device doing captive portal redirection. In cluster use “location” name under RF Domain.
X = vlan ID used for captive portal unauthenticated clients
Example: nx7500-1-vlan-7

▪ Step 2 – Integrate WiNG with ExtremeGuest - contd

▪ Create DNS Whitelist to allow communication with ExtremeGuest server
– Mandatory configuration is marked in purple
nx7500-1#conf
nx7500-1(config)#dns-whitelist ExtremeGuest
nx7500-1(config-dns-whitelist-ExtremeGuest)#permit <IP or FQDN of ExtremeGuest server>
nx7500-1(config-dns-whitelist-ExtremeGuest)#exit
nx7500-1(config)#captive-portal ExtremeGuest
nx7500-1(config-captive-portal-ExtremeGuest)#use dns-whitelist ExtremeGuest
nx7500-1(config-captive-portal-ExtremeGuest)#commit write

▪ Step 2.5 – Enable MAC Auth + Captive Portal fallback on the Extended VLAN
▪ Add Bridge VLAN on the NX device, enable MAC Auth with Captive Portal Fallback, enable L2TPv3 concentrator
nx7500-1#conf
nx7500-1(config)#profile nx7500 DMZ-NX7510
nx7500-1(config-profile-DMZ-NX7510)#bridge vlan 7
nx7500-1(config-profile DMZ-NX7510-bridge-vlan-7)#mac-auth
nx7500-1(config-profile DMZ-NX7510-bridge-vlan-7)#use captive-portal ExtremeGuest
nx7500-1(config-profile DMZ-NX7510-bridge-vlan-7)#captive-portal-enforcement fallback
nx7500-1(config-profile DMZ-NX7510-bridge-vlan-7)#l2-tunnel-broadcast-optimization
nx7500-1(config-profile DMZ-NX7510-bridge-vlan-7)#exit
nx7500-1(config-profile-DMZ-NX7510)#mac-auth use aaa-policy ExtremeGuest
nx7500-1(config-profile-DMZ-NX7510)#l2tpv3 tunnel GUEST
nx7500-1(config-profile DMZ-NX7510-l2tpv3-tunnel-GUEST)#peer 1 hostname any router-id any
nx7500-1(config-profile DMZ-NX7510-l2tpv3-tunnel-GUEST)#session GUEST pseudowire-id 7 traffic-source vlan 7
nx7500-1(config-profile DMZ-NX7510-l2tpv3-tunnel-GUEST)#commit write
▪ Enable L2TPv3 client from the AP / WiNG controller or any 3rd party device compliant with RFC:
ap7632-1 (config)#profile ap7632 remote-a

ap7632-1(config-profile-remote-ap)#l2tpv3 tunnel GUEST
ap7632-1(config-profile-remote-ap-l2tpv3-tunnel-GUEST)#peer 1 ip-address <IP of L2TPv3 concentrator, i.e. NX> router-id any hostname any
ap7632-1(config-profile-remote-ap-l2tpv3-tunnel-GUEST)#session GUEST pseudowire-id 7 traffic-source vlan 7
ap7632-1(config-profile-remote-ap-l2tpv3-tunnel-GUEST)#establishment-criteria rf-domain-manager
ap7632-1(config-profile-remote-ap-l2tpv3-tunnel-GUEST)#exit
ap7632-1(config-profile-remote-ap)#bridge vlan 7
ap7632-1(config-profile-remote-ap-bridge-vlan-7)#bridging-mode tunnel
ap7632-1(config-profile-remote-ap-bridge-vlan-7)#commit write

▪ Step 2.6 – Enable MAC Auth + Captive Portal fallback on the Wired Ports
▪ Enable MAC Auth with Captive Portal Fallback on the “guest” ports as required:
nx7500-1#conf
nx7500-1(config)#profile nx7500 DMZ-NX7510
nx7500-1(config-profile-DMZ-NX7510)#interface ge7
nx7500-1(config-profile DMZ-NX7510-if-ge7)#mac-auth
nx7500-1(config-profile DMZ-NX7510-if-ge7)#captive-portal-enforcement fallback
nx7500-1(config-profile DMZ-NX7510-if-ge7)#exit
nx7500-1(config-profile-DMZ-NX7510)#commit write

▪ Step 3 – Configure ExtremeGuest server

▪ Login to ExtremeGuest UI @ https://<ExtremeGuest IP>/eguest-ui/
Configuration > AAA > Authorization > New

▪ Step 3 – Configure ExtremeGuest server – contd.

Configuration > AAA > Group > New
Group Name should be EQUAL to “wlan=” query tag value sent to the ExtremeGuest during client redirection, e.g.:
http://eguest.wingguestaccess.com/splash/templates/eguest-wired/registration.html?oauth-config=default&mac=WING_TAG_CLIENT_MAC&wlan=nx7500-1-vlan-
7&rfd=WING_TAG_RF_DOMAIN&cps=1&regtype=device

▪ Step 3 – Configure ExtremeGuest server – contd.

Configuration > AAA > Networks > New

▪ Step 4 – How to get default Splash Page templates?

▪ SSH/HTTPS to ExtremeGuest server:
vx9000-1799B2#dir flash:/eguest/default_splash_templates/
Directory of flash:/eguest/default_splash_templates/
def_spl_tem_accept_n_connect_w_Fb_GPlus.tar
def_spl_tem_accept_n_connect.tar
def_spl_tem_accept_n_connect_w_Fbci_Fb_GPlus_In_Inst.tar
def_spl_tem_accept_n_connect_w_terms_link.tar
def_spl_tem_reg_form_n_Fb_GPlus_In_n_login.tar
def_spl_tem_reg_form_n_Fb_GPlus_In_n_login_w_forgot_passc
ode.tar
def_spl_tem_accept_n_connect_w_email.tar
def_spl_tem_reg_form_n_Fb_GPlus_In.tar
▪ Copy any template to external TFTP / FTP / SFTP:

ExtremeGuest#copy flash:/eguest/default_splash_templates/{template_name}.tar
{s|t}ftp://<username>:<password>@<server_address>/<path>/

▪ Step 5 – Upload Splash Pages template in TAR package

Configuration > Splash Template

▪ Step 6 – Install Splash Page Template to the ExtremeGuest server

Configuration > Splash Template

▪ Step 7 – Allow Social Media Authentication via ExtremeGuest
▪ With any registration type it is possible to enable Social Media Login on the captive portal
using Facebook / Facebook CheckIn / Google+ / Instagram / LinkedIn
▪ Social Media authentication / public profile pull is done by the ExtremeGuest server (using
PHP SDK)
▪ Social media App IDs needs to be added to the splash page template before template is uploaded
to the ExtremeGuest, as well as Social configuration on ExtremeGuest UI.
▪ No need for bypass captive-portal-detection, as PHP SDK works within the same page
– Warning: Google+ will detect mini browser via User Agent and will NOT allow authentication, unless full
browser is used.

▪ ExtremeGuest – Social Media Authentication – Creating Facebook Application
▪ https://developer.facebook.com


Must be the same as DNS name pointing to ExtremeGuest server!

http(s)://{ExtremeGuest_real_FQDN}/splash/templates/social_signin.php?captive-
portal={Splash_Template_Name}&provider=facebook

▪ ExtremeGuest – Social Media Authentication – Creating Google+ Client ID
▪ https://console.developers.google.com
Credentials > Create Credentials > OAuth Client ID > Web Application :
portal={Splash_Template_Name}&provider=google&hauth.done=Google

▪ ExtremeGuest – Social Media Authentication – Creating Google+ Client ID
Library > Social APIs > Google+ API:

▪ ExtremeGuest – Social Media Authentication – Creating Instagram Client
▪ https://www.instagram.com/developer/
Manage Clients > Register New Client:
Must be the same as DNS name pointing

to ExtremeGuest server!

▪ ExtremeGuest – Social Media Authentication – Creating Instagram Client
portal={Splash_Template_Name}&provider=instagram&hauth.start=Instagram

▪ ExtremeGuest – Social Media Authentication – Creating LinkedIn Application
▪ https://www.linkedin.com/developer/apps/
Create Application:
portal={Splash_Template_Name}&provider=linked_in

▪ ExtremeGuest – Social Media Authentication – Redirect URIs for ExtremeGuest Centralized Hotspot Server
▪ Instagram:
portal={Splash_Template_Name}&provider=instagram&hauth.start=Instagram
▪ Facebook
portal={Splash_Template_Name}&provider=facebook
▪ LinkedIn:
portal={Splash_Template_Name}&provider=linked_in
▪ Google+:
portal={Splash_Template_Name}&provider=google&hauth.done=Google

▪ ExtremeGuest – Social Media Authentication – DNS Whitelist
▪ Required DNS Whitelist Configuration on NX Wired Captive Portal:

FACEBOOK:
connect.facebook.net
facebook.com suffix
fbstatic-a.akamaihd.net
fbcdn.net suffix
GOOGLE+:
accounts.google.com
apis.google.com
content.googleapis.com
oauth.googleusercontent.com
ssl.gstatic.com
LINKEDIN:
linkedin.com suffix
static.licdn.com
INSTAGRAM:
instagram.com suffix
instagramstatic-a.akamaihd.net suffix
▪ ExtremeGuest – Social Media Authentication – Splash Page Template Edit
▪ To enable Social Media Authentication add App IDs to the social_config.php file
in the root template directory. Example:
<?php
$providers_list = array (
"Facebook" => array (
"enabled" => true,
"keys" => array ("id" => “{APP-ID}", "secret" => “{APP-SECRET}"),
"scope" => "email, public_profile",
"trustForwarded" => true
),
"Google" => array (
"enabled" => true,
"scope" => "https://www.googleapis.com/auth/plus.login https://www.googleapis.com/auth/plus.me
https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email"
),
"Linked_In" => array (
"enabled" => true,
),
"Instagram" => array(
"enabled" => true,
"keys" => array("key" => “{APP-ID}","id" => “{APP-ID}","secret" => “{APP-SECRET}")),
);
$debug_mode = true;
?>

▪ ExtremeGuest – Social Media Authentication
▪ Same App IDs should be added to ExtremeGuest UI for public profile

information pull:

▪ ExtremeGuest – Social Media Authentication – Splash Page Template Edit
▪ Registration/Login page will have buttons pointing to the individual Social Media
providers in the social_config.php. Example:
<div class="footer">
<ul class="intro-social-buttons">
<span class="tooltip">
<input type="button" class="facebook-button" onClick="redirectTo('facebook')" />
<span class="tooltiptext">Facebook</span></span>
<input type="button" class="google-button" onClick="redirectTo('google')" />
<span class="tooltiptext">Google+</span></span>
<input type="button" class="instagram-button" onClick="redirectTo('instagram')" />
<span class="tooltiptext">Instagram</span></span>
<input type="button" class="linkedin-button" onClick="redirectTo('linked_in')" />
<span class="tooltiptext">LinkedIn</span></span>
</ul>
function redirectTo(provider) {
if (php_helper)
hrefstr = window.location.protocol + "//" + php_helper + ":880/social_signin.php";
else
hrefstr = "../social_signin.php";
window.location.href = hrefstr + '?captive-portal=' + cpname + '&provider=' + provider;

}v

Thank You
WWW.EXTREMENETWORKS.COM

WiNG-5 9 1-Training-V1 0

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

WiNG-5 9 1-Training-V1 0

Uploaded by

Copyright:

Available Formats

WiNG 5.9.

©2017 Extreme Networks, Inc. All rights reserved

Release Overview: Part 2 - Services:

©2017 Extreme Networks, Inc. All rights reserved

©2017 Extreme Networks, Inc. All rights reserved

NX 5500 NX 75X0 NX 96X0

RFS 4010 RFS 6000 (EOS) NX 95X0 (EOS)

802.11n 802.11ac 802.11n 802.11ac

AP7502 (EOS Oct

©2017 Extreme Networks, Inc. All rights reserved

7 ©2017 Extreme Networks, Inc. All rights reserved

▪ 802.11ac 2x2:2 MU-MIMO - HT20/40/80 MHz

Ordering Info: Replaces AP-7502

©2017 Extreme Networks, Inc.

80 2.11ac W allplate W edge M U -M IM O ,2x2:2,D ual radio,

80 2.11ac W allpate W edge M U -M IM O ,2x2:2,D ual radio,

Note: All EMEA countries order WR

©2017 Extreme Networks, Inc. All rights reserved

(37111) AP-7632-680B30-US (37113) AP-7632-680B40-US

W iN G 80 2.11ac Indoor W ave 2,M U -M IM O A ccess Point,

©2017 Extreme Networks, Inc. All rights reserved

©2017 Extreme Networks, Inc. All rights reserved

©2017 Extreme Networks, Inc. All rights reserved

©2017 Extreme Networks, Inc. All rights reserved

▪ WiNG 5.9.1 increased VX9000 adoption capacity from 10,240 to 25K

©2017 Extreme Networks, Inc. All rights reserved

©2017 Extreme Networks, Inc. All rights reserved

▪ Logical Volume Group Management:

When adding / replacing / resing drives the following naming is used:

©2017 Extreme Networks, Inc. All rights reserved

©2017 Extreme Networks, Inc. All rights reserved

©2017 Extreme Networks, Inc. All rights reserved

▪ WiNG 5.9.1 continues to enhance Virtual Controller functionality

▪ Adds support to mix different AP families under one VC AP.

▪ In combination with Dynamic VC feature introduced in 5.9.0 provides a robust highly

©2017 Extreme Networks, Inc. All rights reserved

Value Tier 7602 7622 7612

©2017 Extreme Networks, Inc. All rights reserved

▪ Supported mix of APs:

©2017 Extreme Networks, Inc. All rights reserved

©2017 Extreme Networks, Inc. All rights reserved

AP7612 poplar.img, image size ~27MB

AP7602 | AP7622 aspen.img, image size ~25MB

©2017 Extreme Networks, Inc. All rights reserved

©2017 Extreme Networks, Inc. All rights reserved

©2017 Extreme Networks, Inc. All rights reserved

©2017 Extreme Networks, Inc. All rights reserved

©2017 Extreme Networks, Inc. All rights reserved

©2017 Extreme Networks, Inc. All rights reserved

©2017 Extreme Networks, Inc. All rights reserved

©2017 Extreme Networks, Inc. All rights reserved

_raop._tcp.local 38364e226e5f@RFD1-FL2-MediaServer._raop._tcp.local 192.168.7.79:7000 7 Local Tue Aug 29 14:55:33 2017

©2017 Extreme Networks, Inc. All rights reserved

©2017 Extreme Networks, Inc. All rights reserved

©2017 Extreme Networks, Inc. All rights reserved

Dynamic MCX provides two path selection methods are supported:

©2017 Extreme Networks, Inc. All rights reserved

Dynamic MeshConnex – Auto MINT:

©2017 Extreme Networks, Inc. All rights reserved

Dynamic MeshConnex – Auto Proximity:

©2017 Extreme Networks, Inc. All rights reserved

▪ Auto-MINT requires one AP in the brain car to be configured as a “cost Root”.

©2017 Extreme Networks, Inc. All rights reserved