WiNG 5.9 Update
[Platform capacity figure: VX 9000 (virtualized), adoption capacity = 10,240; deployment scopes shown: Data Center, Branch / Small Campus, Campus; axes: Capacity & Applications vs. Performance]
©2017 Extreme Networks, Inc. All rights reserved
General Release Information
▪ Access Points supported in WiNG 5.9.0: [indoor / outdoor AP table not recoverable from the page]
▪ The WiNG 5.9 DPI engine has been upgraded on the supported platforms:
– Application classification for DNS-based flows has been improved
– Application categories have been added/removed (see next slide)
– Some applications changed category, mainly filetransfer -> sharehosting
– The number of application signatures has increased (from ~600 to 1864)
!
profile anyap anyap
use enterprise-ui
...
interface radio3
interface up1
interface ge1
interface ge2
interface vlan1
ip address dhcp
ip dhcp client request options all
interface pppoe1
use event-system-policy radar
use firewall-policy default
virtual-controller auto
virtual-controller management-interface ip address 172.16.51.254/24
virtual-controller management-interface vlan 1
rf-domain-manager capable
service pm sys-restart
memory-profile adopted
router ospf
!
▪ Configuration UI / CLI: user account lockout
Description: Set the user account lockout configuration for the system.
<role> - configure the lockout parameters for a management user role: device-provisioning-admin, helpdesk, monitor, network-admin, security-admin, superuser, system-admin, vendor-admin, web-user-admin
Parameters:
<# of failed attempts> - 1-100, number of consecutive bad passwords allowed
<time> - 0-600, time in minutes to lock out the user; 0 means the user is locked out forever
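The lockout semantics above are easy to misread, in particular that a lockout time of 0 means "forever", not "no lockout". The following is an added example (not Extreme Networks code) that models the policy as described on this page: a consecutive-failure counter per user that resets on success, a timed lockout, and a permanent lockout for time 0. The parameter ranges are the ones stated above; the admin_unlock method is an assumption about how a permanent lockout is cleared and is not from the page.

```python
import time


class LockoutPolicy:
    """Consecutive-failure account lockout, modelled on the WiNG 5.9 parameters.

    failed_attempts: consecutive bad passwords allowed before lockout (1-100).
    lockout_minutes: minutes to lock the account (0-600); 0 means forever.
    """

    def __init__(self, failed_attempts, lockout_minutes):
        if not 1 <= failed_attempts <= 100:
            raise ValueError("failed attempts must be 1-100")
        if not 0 <= lockout_minutes <= 600:
            raise ValueError("lockout time must be 0-600 minutes")
        self.failed_attempts = failed_attempts
        self.lockout_minutes = lockout_minutes
        self._failures = {}      # user -> consecutive failure count
        self._locked_until = {}  # user -> unlock time (epoch seconds), None = forever

    def is_locked(self, user, now=None):
        """True while the user is locked; expired timed lockouts are cleared here."""
        now = time.time() if now is None else now
        if user not in self._locked_until:
            return False
        until = self._locked_until[user]
        if until is None:        # lockout time 0: permanent until cleared by an admin
            return True
        if now < until:
            return True
        del self._locked_until[user]   # timed lockout expired; start counting afresh
        self._failures.pop(user, None)
        return False

    def record_attempt(self, user, password_ok, now=None):
        """Returns True if the login is accepted, False if rejected."""
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            return False         # even a correct password is rejected while locked
        if password_ok:
            self._failures.pop(user, None)   # success resets the consecutive count
            return True
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.failed_attempts:
            self._locked_until[user] = (
                None if self.lockout_minutes == 0 else now + 60 * self.lockout_minutes)
        return False

    def admin_unlock(self, user):
        """Assumed administrative unlock; the page does not describe this step."""
        self._locked_until.pop(user, None)
        self._failures.pop(user, None)


if __name__ == "__main__":
    # Constructed walk-through: 3 attempts allowed, lockout time 0 (forever).
    policy = LockoutPolicy(failed_attempts=3, lockout_minutes=0)
    t0 = 1_000_000.0
    for i in range(3):
        policy.record_attempt("admin", False, t0 + i)
    print("locked after 3 failures:", policy.is_locked("admin", t0 + 3))
    print("correct password while locked:", policy.record_attempt("admin", True, t0 + 4))
```

The point to carry away is the last line of the walk-through: once locked, the correct password is still rejected, and with a lockout time of 0 that state never expires on its own.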
▪ New Events: [event list not recoverable from the page]
▪ WiNG sensor functionality on the Access Points has been enhanced to support sending
data to the ExtremeLocation server (launch August 2017)
– Location RSSI data is transmitted over a WebSocket connection
– Location update interval and scan channel list are controlled by WiNG configuration
– Data inside the WebSocket is compressed and secured
– Supported on all AP platforms that support RadioShare and/or Dedicated Sensor functionality
– Supported on AP7522 / AP7532 / AP7562 / AP8432 / AP8533
▪ Message Header (sent over the WebSocket):
Field        Size     Values
Type         1 byte   0 = rssi-info
Subtype      1 byte   5 = default-subtype
Sensor MAC   6 bytes
Total Length 4 bytes
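To make the header layout concrete, here is an added example (not Extreme Networks code) that parses and splits a stream of these messages, refusing short, truncated or implausibly long frames instead of accepting a partial payload. Two things are assumed because the page does not state them: the fields are in network (big-endian) byte order, and Total Length counts the header plus the payload. The sample stream is constructed.

```python
import struct

# Header layout from the page: Type (1), Subtype (1), Sensor MAC (6), Total Length (4).
# Byte order is assumed to be network order; the page does not say.
HEADER = struct.Struct("!BB6sI")
TYPE_RSSI_INFO = 0        # 0 = rssi-info
SUBTYPE_DEFAULT = 5       # 5 = default-subtype
MAX_MESSAGE_LEN = 65535   # sanity limit chosen for this example, not from the page


class HeaderError(ValueError):
    """Raised for short, truncated, or implausible message headers."""


def parse_header(buf):
    """Decode one header; returns (type, subtype, sensor MAC as text, total length)."""
    if len(buf) < HEADER.size:
        raise HeaderError("short header: %d bytes, need %d" % (len(buf), HEADER.size))
    mtype, subtype, mac, total_len = HEADER.unpack_from(buf)
    if total_len < HEADER.size:   # assumes Total Length includes the 12-byte header
        raise HeaderError("total length %d is smaller than the header" % total_len)
    if total_len > MAX_MESSAGE_LEN:
        raise HeaderError("declared length %d exceeds limit" % total_len)
    return mtype, subtype, mac.hex(":"), total_len


def split_messages(stream):
    """Split a received byte stream into [((type, subtype, mac), payload), ...].

    A declared length that runs past the end of the buffer is an error; the
    partial payload is not handed to the caller.
    """
    messages = []
    offset = 0
    while offset < len(stream):
        mtype, subtype, mac, total_len = parse_header(stream[offset:])
        end = offset + total_len
        if end > len(stream):
            raise HeaderError("truncated message: need %d bytes, have %d"
                              % (total_len, len(stream) - offset))
        messages.append(((mtype, subtype, mac), stream[offset + HEADER.size:end]))
        offset = end
    return messages


def build_message(mtype, subtype, mac_text, payload):
    """Encode header plus payload; used here only to construct sample input."""
    mac = bytes.fromhex(mac_text.replace(":", ""))
    if len(mac) != 6:
        raise ValueError("sensor MAC must be 6 bytes")
    return HEADER.pack(mtype, subtype, mac, HEADER.size + len(payload)) + payload


# Constructed sample stream: two rssi-info messages back to back.
SAMPLE_STREAM = (
    build_message(TYPE_RSSI_INFO, SUBTYPE_DEFAULT, "00:11:22:33:44:55", b"\x01\x02\x03")
    + build_message(TYPE_RSSI_INFO, SUBTYPE_DEFAULT, "aa:bb:cc:dd:ee:ff", b"")
)

if __name__ == "__main__":
    for (mtype, subtype, mac), payload in split_messages(SAMPLE_STREAM):
        print("type=%d subtype=%d sensor=%s payload=%d bytes" % (mtype, subtype, mac, len(payload)))
```

If the real encoding turns out to be little-endian or to exclude the header from Total Length, only the struct format string and the `total_len < HEADER.size` check change; the truncation and length-limit logic stays the same.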
– Sensor Policy: Configuration > Wireless > Sensor Policy > Add
– RF Domain: Configuration > RF Domains > Sensor
▪ WiNG 5.9 expands Site Level Alarms to provide location-level visibility into
potential problems. Each alarm is raised when a set % of the APs (or APs/controllers) at a site report the condition:
Site – DHCP Failure: a set % of APs at a site report DHCP failures
Site – DNS Failure: a set % of APs at a site report DNS failures
Site – High DNS RTT: a set % of APs at a site report high DNS round trip time
Site – High DHCP RTT: a set % of APs at a site report high DHCP round trip time
Site – High App TCP RTT: a set % of APs at a site report high TCP application round trip time
Site – Low SNR on <2.4GHz | 5GHz>: a set % of APs at a site report low SNR per band
Site – Low RSSI on <2.4GHz | 5GHz>: a set % of APs at a site report low RSSI per band
Site – High Retries on <2.4GHz | 5GHz>: a set % of APs at a site report a high retry rate per band
Site – 802.11 EAP Auth Failure: a set % of APs at a site report EAP authentication failures
Site – 802.11 EAP Server Timeout: a set % of APs at a site report RADIUS server timeout failures
Site – 802.11 EAP Client Timeout: a set % of APs at a site report EAP client timeout failures
Site – Max Client Capacity on Radio Exceeded: a set % of APs at a site report the max client limit reached per radio
Site – Max Client Capacity on AP Exceeded: a set % of APs at a site report the max client limit reached per AP
Site – Low Client Count on <2.4GHz | 5GHz>: a set % of APs at a site report a low number of connected clients per band
Site – High CPU Utilization: a set % of APs/controllers at a site report high CPU utilization
Site – Low Memory: a set % of APs/controllers at a site report low available RAM
Site – Low Disk Space: a set % of APs/controllers at a site report low available disk/flash space
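All of these alarms share one rule: count the APs at a site that report a condition and compare that fraction with a threshold. The following is an added example (not Extreme Networks code) of that rule in Python, evaluated over constructed per-AP reports. The condition names, the per-alarm thresholds and the sample data are this example's own; the page gives neither the product's internal names nor default percentages.

```python
from collections import Counter

DEFAULT_THRESHOLD_PCT = 50.0   # assumed default; the page only says "a set %"


def evaluate_site_alarms(reports, thresholds=None, default_pct=DEFAULT_THRESHOLD_PCT):
    """Return {condition: pct_of_aps} for every condition at or above its threshold.

    reports: list of {"ap": name, "conditions": iterable of condition names}
    thresholds: optional {condition: pct} overriding default_pct per alarm.
    Each AP counts at most once per condition, so one chatty AP reporting the
    same failure many times cannot trip a site-wide alarm on its own.
    """
    thresholds = thresholds or {}
    total = len(reports)
    if total == 0:
        return {}
    aps_per_condition = Counter()
    for report in reports:
        for cond in set(report["conditions"]):   # de-duplicate within one AP
            aps_per_condition[cond] += 1
    alarms = {}
    for cond, ap_count in aps_per_condition.items():
        pct = 100.0 * ap_count / total
        if pct >= thresholds.get(cond, default_pct):
            alarms[cond] = pct
    return alarms


# Constructed sample: five APs at one site, per-band conditions kept separate
# because the page defines SNR/RSSI/retry alarms per band.
SAMPLE_REPORTS = [
    {"ap": "ap-01", "conditions": ["dhcp-failure", "low-snr-5ghz"]},
    {"ap": "ap-02", "conditions": ["dhcp-failure", "dhcp-failure", "dhcp-failure"]},
    {"ap": "ap-03", "conditions": ["dhcp-failure", "low-snr-2.4ghz"]},
    {"ap": "ap-04", "conditions": ["low-snr-5ghz"]},
    {"ap": "ap-05", "conditions": []},
]

if __name__ == "__main__":
    print(evaluate_site_alarms(SAMPLE_REPORTS))
    print(evaluate_site_alarms(SAMPLE_REPORTS, thresholds={"low-snr-5ghz": 40.0}))
```

With the default threshold only dhcp-failure (3 of 5 APs, 60%) is raised; lowering the 5 GHz SNR threshold to 40% adds low-snr-5ghz, while the single 2.4 GHz report stays below any threshold.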
▪ ExtremeGuest as Registration / Guest Analytics server:
• Hotspot server is hosted by WiNG APs or controllers
• Splash pages are hosted on the WiNG devices or at the external web server
• ExtremeGuest provides registration, RADIUS authentication and accounting, guest analytics, splash page distribution
• Same captive portal configuration on WiNG
▪ ExtremeGuest as Centralized Hotspot and Guest Analytics server:
• Splash pages are centrally hosted by the ExtremeGuest server
• Captive portal redirection is done by the WiNG device (wired or wireless captive portal)
• Used for overlay guest access deployments (needs a WiNG device for wired guest VLAN snoop and redirection)
[Topology diagram: APs, RF Domain Manager (RFDM), Internet; legend: HTTPS POST, RADIUS communication, MiNT (data & control), guest user traffic]
▪ ExtremeGuest with Distributed Captive Portal and DMZ Controller (Tunneled Traffic to DMZ):
[Topology diagram: APs with RF Domain Manager (RFDM), HTTPS POST to ExtremeGuest]
[Registration flow diagram (wireless client, AP, ExtremeGuest, SMS / Email gateway): 1 MAC auth; 2 RADIUS; 2a redirect to registration.html, or 2b allow access; 4a send passcode to the Email/SMS gateway; 6a verify passcode (RADIUS)]
▪ Verify:
extremeguest-server#show database status
--------------------------------------------------------------------------------
MEMBER STATE ONLINE TIME
--------------------------------------------------------------------------------
localhost PRIMARY 0 days 0 hours 1 min 11 sec
--------------------------------------------------------------------------------
Authentication: Disabled Authentication User: None
--------------------------------------------------------------------------------
[*] indicates this device.
Note: this output reports Authentication: Disabled for the database; confirm that is intended for the deployment.
▪ Verify:
extremeguest-server#show eguest status
-----------------------------------
pid process
-----------------------------------
2817 gmd
2927 acct_server
2940 regserver
2986 guest_manager
3130 acct_server
3136 acct_server-helper
21425 guest_manager
27266 radiusd
▪ Verify:
extremeguest-server#show licenses
Serial Number : 1E150A63850635FC
Device Licenses:
AP-LICENSE
String :
Value : 0
Borrowed : 0
Total : 0
Used : 0
AAP-LICENSE
String : VX-DEFAULT-64AAP-LICENSE
Value : 64
Borrowed : 0
Total : 64
Used : 0
ADVANCED-SECURITY
String : DEFAULT-ADV-SEC-LICENSE
EGUEST-DEV
String : c87deb7553ebbb25e76a1c85001fe4f5f4fd18e508d6610751086370718a5c3da631a19b85584c74
Value : 128
WiNG 5.9.0 Guest Access
▪ ExtremeGuest – Configuration Steps
controller#conf
Enter configuration commands, one per line. End with CNTL/Z.
controller(config)#captive-portal ExtremeGuest
controller(config-captive-portal-ExtremeGuest)#server host <virtual FQDN>
controller(config-captive-portal-ExtremeGuest)#use aaa-policy ExtremeGuest
controller(config-captive-portal-ExtremeGuest)#accounting radius
controller(config-captive-portal-ExtremeGuest)#commit write
controller#conf
Enter configuration commands, one per line. End with CNTL/Z.
controller(config)#captive-portal ExtremeGuest
controller(config-captive-portal-ExtremeGuest)#server host <virtual FQDN>
controller(config-captive-portal-ExtremeGuest)#use aaa-policy ExtremeGuest
controller(config-captive-portal-ExtremeGuest)#accounting radius
controller(config-captive-portal-ExtremeGuest)#webpage-location advanced
controller(config-captive-portal-ExtremeGuest)#webpage-auto-upload
controller(config-captive-portal-ExtremeGuest)#commit write
controller#conf
Enter configuration commands, one per line. End with CNTL/Z.
controller(config)#dns-whitelist ExtremeGuest
controller(config-dns-whitelist-ExtremeGuest)#permit <IP or FQDN of ExtremeGuest server>
controller(config-dns-whitelist-ExtremeGuest)#commit write
The WiNG device redirects the client to the following registration URL (WING_TAG_* placeholders are substituted by WiNG):
http(s)://{ExtremeGuest_real_FQDN}/splash/templates/{Splash_Template_Name}/registration.html?oauth-config=default&mac=WING_TAG_CLIENT_MAC&wlan=WING_TAG_WLAN_SSID&rfd=WING_TAG_RF_DOMAIN&cps=1&regtype={device|device-otp}
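The redirect URL carries client-controlled data (the SSID, the RF domain name) into a query string, and the ExtremeGuest side has to trust the mac and regtype values it receives. The following is an added example (not Extreme Networks or ExtremeGuest code) that builds the URL above from the WING_TAG_* values with proper encoding, and validates such a URL on the receiving side. The MAC and template-name syntax checks, the https-only rule and the rejection of duplicated parameters are this example's own hardening choices, not requirements stated on the page; hostnames and template names used in the demo are made up.

```python
import re
from urllib.parse import urlencode, urlsplit, parse_qs

# Accept aa-bb-cc-dd-ee-ff or aa:bb:cc:dd:ee:ff (assumption: WiNG substitutes one of these).
MAC_RE = re.compile(r"^([0-9a-f]{2}-){5}[0-9a-f]{2}$|^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)
TEMPLATE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")   # keeps '../' out of the path segment
ALLOWED_REGTYPES = {"device", "device-otp"}          # the two values shown on the page
PATH_FORMAT = "/splash/templates/{template}/registration.html"


def build_registration_url(eguest_host, template_name, client_mac, ssid, rf_domain, regtype):
    """Return the redirect URL with the WING_TAG_* values substituted and encoded."""
    if not MAC_RE.match(client_mac):
        raise ValueError("client MAC is not a valid MAC address")
    if not TEMPLATE_NAME_RE.match(template_name):
        raise ValueError("template name may only contain letters, digits, _ and -")
    if regtype not in ALLOWED_REGTYPES:
        raise ValueError("regtype must be device or device-otp")
    query = urlencode({          # urlencode escapes &, = and # inside SSID / RF domain
        "oauth-config": "default",
        "mac": client_mac.lower(),
        "wlan": ssid,
        "rfd": rf_domain,
        "cps": "1",
        "regtype": regtype,
    })
    return "https://" + eguest_host + PATH_FORMAT.format(template=template_name) + "?" + query


def validate_registration_request(url, expected_host):
    """Server-side check of an incoming registration URL; returns its parameters or None."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != expected_host:
        return None
    m = re.match(r"^/splash/templates/([^/]+)/registration\.html$", parts.path)
    if not m or not TEMPLATE_NAME_RE.match(m.group(1)):
        return None
    q = parse_qs(parts.query, keep_blank_values=True)
    for key in ("mac", "wlan", "rfd", "cps", "regtype", "oauth-config"):
        if len(q.get(key, [])) != 1:   # missing or duplicated parameters are rejected
            return None
    mac, regtype = q["mac"][0], q["regtype"][0]
    if not MAC_RE.match(mac) or regtype not in ALLOWED_REGTYPES or q["cps"][0] != "1":
        return None
    return {"template": m.group(1), "mac": mac.lower(), "wlan": q["wlan"][0],
            "rfd": q["rfd"][0], "regtype": regtype, "oauth_config": q["oauth-config"][0]}


if __name__ == "__main__":
    # Constructed input: an SSID that tries to smuggle a second regtype parameter.
    url = build_registration_url("eguest.example.net", "Hotel-Guest", "00-11-22-AA-BB-CC",
                                 "Guest&regtype=user", "rfd-store-7", "device-otp")
    print(url)
    print(validate_registration_request(url, "eguest.example.net"))
```

Because the SSID is percent-encoded, the receiving side sees a single regtype of device-otp and an SSID that merely contains the text "&regtype=user"; the same URL with the host swapped or the regtype changed to an unlisted value is rejected.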
controller#conf
Enter configuration commands, one per line. End with CNTL/Z.
controller(config)#wlan ExtremeGuest
controller(config-wlan-ExtremeGuest)#use aaa-policy ExtremeGuest
controller(config-wlan-ExtremeGuest)#vlan 10
controller(config-wlan-ExtremeGuest)#captive-portal-enforcement fall-back
controller(config-wlan-ExtremeGuest)#authentication-type mac
controller(config-wlan-ExtremeGuest)#use captive-portal ExtremeGuest
controller(config-wlan-ExtremeGuest)#registration external follow-aaa send-mode https
controller(config-wlan-ExtremeGuest)#registration {device | device-otp | user} group-name {ExtremeGuestGroup}
controller(config-wlan-ExtremeGuest)#radius dynamic-authorization
controller(config-wlan-ExtremeGuest)#radius vlan-assignment
controller(config-wlan-ExtremeGuest)#accounting radius
controller(config-wlan-ExtremeGuest)#accounting wait-client-ip
controller(config-wlan-ExtremeGuest)#commit write
controller#conf
Enter configuration commands, one per line. End with CNTL/Z.
controller(config)#profile anyap STORE-AP
controller(config-profile-STORE-AP)#interface radio 1
controller(config-profile-STORE-AP-if-radio1)#wlan ExtremeGuest
controller(config-profile-STORE-AP-if-radio1)#interface radio 2
controller(config-profile-STORE-AP-if-radio2)#wlan ExtremeGuest
controller(config-profile-STORE-AP-if-radio2)#..
controller(config-profile-STORE-AP)#use captive-portal server ExtremeGuest
controller(config-profile-STORE-AP)#interface ge1
controller(config-profile-STORE-AP-if-ge1)#switchport trunk allowed vlan add 10
controller(config-profile-STORE-AP)#commit write
▪ How it works
– ExtremeGuest reuses the existing WiNG captive portal page upload mechanism to deliver a set
of splash pages to the AP / controller
– Requires all pages and content to be archived into a single .tar package (use IZarc on Windows
to create the tar)
– ExtremeGuest makes an HTTPS request to the WiNG controller to distribute the pages
▪ Caveats
– Requires all pages and content to be archived into a single .tar package (use IZarc on
Windows)
– Requires "override-wlan <WLAN_name> template test" to be added to the RF Domain with APs,
as well as to the NOC controller
– Management Tree must be configured on WiNG (/Country/City/Region/ etc.)
▪ With any registration type it is possible to enable Social Media Login on the
captive portal
▪ With WiNG 5.9 there are two main methods of achieving this:
– Internally in the WiNG Captive Portal (Facebook / Google+ using the JavaScript SDK)
▪ Nothing new since the original 5.8.0 release
▪ Requires "bypass captive-portal-detection" to be enabled, which suppresses the default captive portal pop-up on
mobile devices
▪ Configuration is done in WiNG
– Centrally on the ExtremeGuest server (Facebook / Google+, Instagram, LinkedIn using the PHP
SDK)
▪ Social media App IDs need to be added to the splash page template before the template is
uploaded to ExtremeGuest, as well as the Social configuration in the ExtremeGuest UI
▪ No need for bypass captive-portal-detection, as the PHP SDK works within the same page
– Warning: Google+ detects the mini browser via the User-Agent and will NOT allow authentication unless a
full browser is used
▪ For legacy low-NAND platforms (AP6532, AP6521, AP6522) a new php-helper is required to
proxy the PHP code via the controller or a bigger RFDM
▪ Developer portals for the social media App IDs:
– Facebook: https://developer.facebook.com
– Google+: https://console.developers.google.com
Credentials > Create Credentials > OAuth Client ID > Web Application
Library > Social APIs > Google+ API
– Instagram: https://www.instagram.com/developer/
Manage Clients > Register New Client
– LinkedIn: https://www.linkedin.com/developer/apps/
Create Application
▪ OAuth redirect URIs when the captive portal is hosted on WiNG ({880 or 444} are the WiNG captive portal web server ports for HTTP / HTTPS):
– Instagram: http(s)://{CP_FQDN}:{880 or 444}/social_signin.php?captive-portal={CP_Policy_Name}&provider=instagram&hauth.start=Instagram
– LinkedIn: http(s)://{CP_FQDN}:{880 or 444}/social_signin.php?captive-portal={CP_Policy_Name}&provider=linked_in
– Google+: http(s)://{CP_FQDN}:{880 or 444}/social_signin.php?captive-portal={CP_Policy_Name}&provider=google&hauth.done=Google
▪ OAuth redirect URIs when the splash pages are hosted on ExtremeGuest:
– Instagram: http(s)://{ExtremeGuest_real_FQDN}/splash/templates/social_signin.php?captive-portal={Splash_Template_Name}&provider=instagram&hauth.start=Instagram
– LinkedIn: http(s)://{ExtremeGuest_real_FQDN}/splash/templates/social_signin.php?captive-portal={Splash_Template_Name}&provider=linked_in
– Google+: http(s)://{ExtremeGuest_real_FQDN}/splash/templates/social_signin.php?captive-portal={Splash_Template_Name}&provider=google&hauth.done=Google
▪ DNS whitelist entries required per provider ("suffix" permits the domain and its subdomains):
GOOGLE+:
accounts.google.com
apis.google.com
content.googleapis.com
oauth.googleusercontent.com
ssl.gstatic.com
LINKEDIN:
linkedin.com suffix
static.licdn.com
INSTAGRAM:
instagram.com suffix
instagramstatic-a.akamaihd.net suffix
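The difference between a bare host entry and a "suffix" entry decides how much of the Internet an unauthenticated guest can reach before logging in, which matters for both the social-login entries above and the dns-whitelist permit for the ExtremeGuest server in the configuration steps. The following is an added example (not Extreme Networks code) that models those semantics: a bare entry matches that exact host only, a suffix entry matches the domain and any label below it on a label boundary. That interpretation is an assumption to be checked against the WiNG dns-whitelist documentation for your release; the whitelist text is taken from this section.

```python
def parse_whitelist(text):
    """Parse lines like 'static.licdn.com' or 'linkedin.com suffix' into (host, is_suffix).

    Lines ending in ':' (the provider labels above) and blank lines are ignored.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):
            continue
        parts = line.split()
        host = parts[0].lower().rstrip(".")
        is_suffix = len(parts) > 1 and parts[1].lower() == "suffix"
        entries.append((host, is_suffix))
    return entries


def is_permitted(hostname, entries):
    """True if a DNS lookup for hostname would be allowed through the whitelist.

    Suffix matching requires a label boundary ('.' + host), so an entry for
    linkedin.com does not permit evil-linkedin.com or linkedin.com.evil.example.
    """
    name = hostname.lower().rstrip(".")
    for host, is_suffix in entries:
        if name == host:
            return True
        if is_suffix and name.endswith("." + host):
            return True
    return False


# Constructed input: the provider list from this section, verbatim.
SOCIAL_WHITELIST = """
GOOGLE+:
accounts.google.com
apis.google.com
content.googleapis.com
oauth.googleusercontent.com
ssl.gstatic.com
LINKEDIN:
linkedin.com suffix
static.licdn.com
INSTAGRAM:
instagram.com suffix
instagramstatic-a.akamaihd.net suffix
"""
ENTRIES = parse_whitelist(SOCIAL_WHITELIST)

if __name__ == "__main__":
    for name in ("www.linkedin.com", "evil-linkedin.com", "accounts.google.com",
                 "evil.accounts.google.com", "google.com", "api.instagram.com"):
        print("%-28s %s" % (name, "permit" if is_permitted(name, ENTRIES) else "deny"))
```

Run against the list above, the exact Google entries let accounts.google.com through but not google.com or any other subdomain, while the LinkedIn and Instagram suffix entries open the whole zone; that asymmetry is worth knowing before you widen an entry to a suffix to fix a login that "almost works".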
▪ ExtremeGuest – Social Media Authentication – Splash Page Template Edit
<div class="footer">
<ul class="intro-social-buttons">
<span class="tooltip">
<input type="button" class="facebook-button" onClick="redirectTo('facebook')" />
<span class="tooltiptext">Facebook</span></span>
<span class="tooltip">
<input type="button" class="google-button" onClick="redirectTo('google')" />
<span class="tooltiptext">Google+</span></span>
<span class="tooltip">
<input type="button" class="instagram-button" onClick="redirectTo('instagram')" />
<span class="tooltiptext">Instagram</span></span>
<span class="tooltip">
<input type="button" class="linkedin-button" onClick="redirectTo('linked_in')" />
<span class="tooltiptext">LinkedIn</span></span>
</ul>
function redirectTo(provider) {
    var hrefstr;
    /* php_helper is set elsewhere in the template from the captive-portal "php-helper" setting */
    if (php_helper)
        hrefstr = window.location.protocol + "//" + php_helper + ":880/social_signin.php";
    else
        hrefstr = "../social_signin.php";
    /* the rest of the function (query string and redirect) is not shown on the page */
}
Resulting WiNG captive portal configuration:
captive-portal EGuest
...
server mode self
server host captive.wingsecure.com
php-helper controller socialguest.extremenetworks.com
webpage-location advanced
...
▪ How it works
– The wireless client (guest user) is registered to a group
– An Authorization Profile is assigned to the group, defining:
▪ VLAN
▪ Allowed SSID
▪ Rate limit (from / to air, per client)
▪ Inactivity timeout
▪ Session timeout
▪ Block period after session timeout
▪ Application Policy name (requires the Application Policy to be mapped under RADIUS Application Policy)
▪ User Role (requires Role Based Firewall enabled with the specific role)
▪ Time / day-of-the-week access rules
[Flow diagram: 1 Registration (wireless client, AP, ExtremeGuest) ... 4 Policy Enforcement (AP applies the Authorization Profile to the wireless client)]
▪ CoA must be enabled for Application control and for dynamic disconnect & block time
enforcement.
▪ Debug commands:
debug cfgd eguest - enables ExtremeGuest-related traces (for example configuration updates)
debug cfgd captive-portal-page-upload - debugs splash page template push issues from ExtremeGuest to WiNG