WiNG 5.9 Training v1

WiNG 5.
9 Update
©2017 Extreme Networks, Inc. All rights reserved

WiNG 5.9.0 Release
▪ Agenda
Release Overview: Part 3 - NSight enhancements:

▪ General Release Information ▪ Report Builder Filter Support
▪ DPI Engine Upgrade
Part 4 - Guest Access:
Part 1 - Management: ▪ ExtremeGuest
▪ Virtual Controller Enhancements
▪ Management User Lockout Policy
Part 2 - Location Services:

▪ ExtremeLocation sensor

WiNG 5.9
Supported Platforms

General Release Information
▪ Controllers Supported in WiNG 5.9.0
Data Center
Capacity & Applications
VX 9000 - Virtualized
Branch / Small Campus Campus Adoption Capacity = 10,240
NX 5500 NX 75X0 NX 96X0

Adoption Capacity = 512 Adoption Capacity = 2,048 Adoption Capacity = 10,240
RFS 4010 RFS 6000 (EOS) NX 95X0 (EOS)

Adoption Capacity = 144 Adoption Capacity = 256 Adoption Capacity = 10,240
Performance
▪ Access Point Supported in WiNG 5.9.0
Indoor Outdoor
802.11n 802.11ac 802.11n 802.11ac
High Tier AP81XX (EOS) AP8432 AP8163 AP7562

AP7161 (EOS) AP8533 AP7161 (EOS in EU
AP7131 AP8232 (EOS) and US)
AP8222
Mid Tier AP6532 (EOS) AP7532 AP6562
AP650 AP7522
Value Tier AP6511 AP7502

AP6521 (EOS)
AP6522
ES6510

▪ DPI Engine upgrade
▪ WiNG 5.9 DPI engine has been upgraded for the supported platforms:
– Application classification mechanisms for DNS-based flows have been
improved
– Application categories have been added/removed (see next slide)
– Some applications changed their categories, mainly filetransfer ->
sharehosting
– Number of application signatures have been increased (from ~600 to 1864)

▪ DPI Engine upgrade
▪ Removed application categories in WiNG 5.9.0:

– Standard
– Video
– Audio
– Antivirus Update
▪ New application categories in WiNG 5.9.0:
– ecommerce
– sharehosting
– deprecated

WiNG 5.9
Part 1 - Management

Virtual Controller Enhancements

WiNG 5.9 – Virtual Controller Enhancements
▪ Same AP Family management
▪ WiNG 5.9 introduces support to manage same AP family from a Virtual

Controller AP (VC). This is applicable for AP7522, AP7532, AP7562
▪ Common AP family management is achieved using ANYAP profile
▪ AP7522/AP7532/AP7562 use the same firmware image, hence device

upgrade functionality stays the same
– Supported in Enterprise UI only on enterprise WING

– “use enterprise-ui” configuration is now available for anyap profile.
– Heterogeneous AP management is planned for 5.9.1*

▪ VC UI adds support for multiple profiles:

▪ Profiles can be assigned using auto-provisioning policy:

▪ Virtual Controller integration with NSight
▪ WiNG 5.9 adds support for VC integration into NSight

▪ NSight server should be in standalone mode
▪ RF Domain name must be renamed from the Flex UI or CLI:

▪ Dynamic Virtual Controller
▪ WiNG 5.9 adds support for

– dynamic VC election and failover (Auto Election of VC)
– dynamic management IP address for the VC
▪ Virtual Controller can be automatically elected based on the RF Domain

Manager election process (lowest MiNT-ID or highest model)
▪ Once Virtual Controller is elected, it will install virtual management IP

address as secondary address and send GARP update to the network
▪ Provides VC redundancy and failover mechanism

▪ Dynamic Virtual Controller - Configuration
▪ Dynamic VC can be configured only on the AP Profile:

▪ Dynamic VC configuration CLI:
!
profile anyap anyap
use enterprise-ui
...
interface radio3
interface up1
interface ge1
interface ge2
interface vlan1
ip address dhcp
ip dhcp client request options all
interface pppoe1
use event-system-policy radar
use firewall-policy default
virtual-controller auto
virtual-controller management-interface ip address 172.16.51.254/24
virtual-controller management-interface vlan 1
rf-domain-manager capable
service pm sys-restart
memory-profile adopted
router ospf
!

▪ Dynamic VC management IP address verification CLI:
7532-EXTR-BRQ-1#show ip interface brief

-------------------------------------------------------------------------------
INTERFACE IP-ADDRESS/MASK TYPE STATUS PROTOCOL
-------------------------------------------------------------------------------
vlan1 172.16.51.150/24(DHCP) primary UP up
vlan1 172.16.51.254/24 secondary UP up
-------------------------------------------------------------------------------
Note: VC election priority can be controller by increasing

rf-domain-manager priority under device override

▪ Dynamic VC mint link:
8533-EXTR-BRQ-1#show mint links details

1 mint links on 75.9A.2E.10:
link vlan-1 at level 1, 3 adjacencies, DIS 75.9A.2E.AB:
cost 10, hello-interval 4, adj-hold-time 13
created: by DynVC
adjacency with 75.5C.42.CB, state UP (18 hours), last hello 1 seconds ago
adjacency with 75.5C.43.52, state UP (18 hours), last hello 0 seconds ago
adjacency with 75.9A.2E.AB, state UP (18 hours), last hello 1 seconds ago
Note: VC election priority can be controller by increasing

rf-domain-manager priority under device override

Management User Lockout

WiNG 5.9 – Management User Lockout
▪ Management User Lockout - Overview
▪ WiNG 5.9 adds support management user lockout rules to prevent

brute-force or dictionary attacks against user accounts
▪ User lockout can be enforced per management user role (superuser,

helpdesk, monitor etc)
▪ After user lockout is triggered new event “login-lockout” is generated
▪ After user lockout timer is expired, another event “login-unlocked” will be

sent.

▪ Management User Lockout – Configuration
▪ Configuration UI:

▪ Management User Lockout – Configuration
▪ Configuration CLI (management policy context):
Passwd-retry role <role> max-fail <# of failed attempts> lockout-time <time>

Privilege Level Networl-admin or higher
Description Set the user account lockout configuration for the system
<role> - configure the lockout parameters for management user role: device-provisioning-admin, helpdesk, monitor, network-admin, security-
admin, superuser, system-admin, vendor-admin, web-user-admin
Parameters
<# of failed attempts> 1-100, number of consecutive bad passwords allowed.
<time> - 0-600, time in minutes to lockout the user, 0 means the user is locked out forever

▪ Management User Lockout – Events
▪ New Events:

WiNG 5.9.0
Part 2 – Location Services

ExtremeLocation Sensor

WiNG 5.9 ExtremeLocation Sensor
▪ Overview
▪ WiNG sensor functionality on the Access Points have been enhanced to support sending
data to the ExtremeLocation server (launch August 2017)
– Location RSSI data is being transmitted over a WebSocket connection
– Location Update interval and scan channel list is controlled by WiNG configuration
– Data inside the WebSocket are compressed and secured
– Supported on all AP platforms that support RadioShare and/or Dedicated Sensor functionality
– Supported on AP7522 / AP7532 / AP7562 / AP8432 / AP8533
WebSocket

▪ Packet Format
▪ Message Header:
Type Subtype Sensor MAC Total Length
1 Byte 1 Byte
6 Bytes 4 Bytes
0=rssi-info 5=default-subtype
▪ RSSI Info Header (type = 0):

Number of Stations Flags Record Size
2 Bytes 2 Bytes 4 Bytes
▪ Station (Client) Header:
Station MAC Frequency BSSID SSID Type 1 Value 1

6 Bytes 2 Bytes 6 Bytes 32 Bytes 2 Bytes 2 Bytes

▪ Configuration – Flex UI
▪ There are three items needed to enable ExtremeLocation sensor:

– Sensor Policy
▪ Responsible to specify frequency of locationing updates from each sensor (1-60
seconds) based on location granularity requirements
▪ Set channel list for dedicated sensor radios and dwell time and channel width for
each channel
▪ Should be assigned to the RF Domain
– Location-Server address under RF Domain
– Sensor Radio configuration on the AP Profile
▪ Dedicated Sensor (rf-mode sensor)
▪ Radioshare Sensor
– Off-channel-scan can be optionally enabled

– Sensor Policy
– Configuration > Wireless > Sensor Policy > Add

– RF Domain
Configuration > RF Domains > Sensor

– Radio Interface (AP Profile context) – RadioShare Config (on-channel-scan)

Configuration > Profiles > {AP Profile Name} > Interface > Radios

– Radio Interface (AP Profile context) – RadioShare Config (+ off-channel-scan)


– Radio Interface (AP Profile context) – Dedicated Sensor Config


▪ RSSI Scan Duration Interval, a.k.a Location Granularity Interval.

Recommended settings:
– Presence detection – 60 seconds
– Region/Category locationing – 10 seconds
– Positioning – 1 second
▪ Caveat:
– While ExtremeLocation and ADSP coexistence is supported, only WIPS is supported
when ExtremeLocation sensor is enabled. Sending locationing data to both ADSP
and ExtremeLocation is not supported.
▪ Troubleshooting:
Enable debugging on the sensor (AP):
debug wipsd LOCN Dbg1

WiNG 5.9.0
Part 3 – NSight Enhancements

WiNG 5.9.0 NSight Enhancements
▪ Report Builder Filters - Overview
▪ WiNG 5.8.6 added report builder to the NSight server

▪ WiNG 5.9 adds filter support for report objects, like WLAN, Band, Time Period,
Scope
▪ Available when creating or editing a report template

▪ New Site Level Alarms - Overview
▪ WiNG 5.9 expands Site Level Alarms to provide location-level visibility into
potential problems:
Alarm Type Description
Site – DHCP Failure When a set % of APs at a site report DHCP failures
Site – DNS Failure When a set % of APs at a site report DNS failures
Site – High DNS RTT When a set % of APs at a site report high DNS round trip time
Site – High DHCP RTT When a set % of APs at a site report high DHCP round trip time
Site – High App TCP RTT When a set % of APs at a site report high TCP Application round trip time
Site – Low SNR on <2.4GHz | 5GHz> When a set % of APs at a site report low SNR per band
Site – Low RSSI on <2.4GHz | 5GHz> When a set % of APs at a site report low RSSI per band

potential problems:
Site – High Retries on <2.4GHz | 5GHz> When a set % of APs at a site report high retry rate per band
Site – High Channel Utilization on <2.4GHz |

When a set % of APs at a site report high channel utilization per band
5GHz>
Site – Low Transmit Data Rate on <2.4GHz | When a set % of APs at a site report low transmit data rate (AP to Client) per
5GHz> band
Site – Low Receive Data Rate on <2.4GHz | When a set % of APs at a site report low receive data rate (Client to AP) per
5GHz> band
Site – 802.11 EAP Auth Failure When a set % of APs at a site report EAP authentication failures
Site – 802.11 EAP Server Timeout When a set % of APs at a site report RADIUS server timeout failures
Site – 802.11 EAP Client Timeout When a set % of APs at a site report EAP Client timeout failures

potential problems:
Site – Max Client Capacity on Radio Exceeded When a set % of APs at a site report max client limit reached per radio
Site – Max Client Capacity on WLAN

When a set % of APs at a site report max client limit reached per WLAN
Exceeded
Site – Max Client Capacity on AP Exceeded When a set % of APs at a site report max client limit reached per AP
Site – Low Client Count on <2.4GHz | 5GHz> When a set % of APs at a site report low number of connected clients per band
Site – High CPU Utilization When a set % of APs/Controllers at a site report high CPU utilization
Site – Low Memory When a set % of APs/Controllers at a site report low available RAM
Site – Low Disk Space When a set % of APs/Controllers at a site report low available disk/flash space

WiNG 5.9.0
Part 4 – Guest Access

WiNG 5.9.0 Guest Access
▪ ExtremeGuest - Overview
▪ ExtremeGuest is a guest access solution that

provides:
– Guest Self Registration
– Guest Analytics (dwell time, demographics, social,
walk-in trends, device fingerprinting)
– Reporting Internet
– Custom Dashboards
– RADIUS Authentication & Accounting
– Guest Security Profiling (guest roles, block period,
application control, rate limiting)
– Social Media Auth
– Voucher Based Logins
– Headless Device Onboarding
– Multi-tenant access AP
RFDM
AP AP AP
RFDM
AP AP
– Centralized Captive Portal troubleshooting tools

▪ Supports the same deployment model as
AP AP AP AP AP AP
standalone NSight (standalone, replica set, split UI) AP AP AP AP AP AP
▪ ExtremeGuest server can be installed on VX9000

only (NX9600 supported as demo-only) HTTPS POST RADIUS communication
▪ Scales up to 10 Million user records MiNT Guest User Traffic
▪ Licensed per AP (perpetual) Captive Portal server

▪ ExtremeGuest – Use Cases
▪ ExtremeGuest can be deployed in two modes:
Registration / Guest Analytics server Centralized Hotspot and Guest Analytics server
• Hotspot Server is hosted by WiNG APs or • Splash Pages are centrally hosted by the
Controllers ExtremeGuest server
• Splash Pages are hosted on the WiNG Devices • Captive portal redirection is done by the WiNG
or @ the external Web server device (wired or wireless captive portal)
• ExtremeGuest provides registration, RADIUS • Used for overlay guest access deployments
authentication and accounting, guest analytics, (needs WiNG device for wired guest vlan snoop
splash page distribution and redirection)
• Same Captive Portal configuration on WiNG

▪ ExtremeGuest – Deployment Examples
▪ ExtremeGuest with Distributed Captive Portal @AP:
▪ Guest Traffic is locally bridged by

the APs
Internet
▪ Each Site has local internet
connection
▪ Full guest isolation and security at
the edge
▪ Captive Portal server and splash
RFDM RFDM
pages are hosted by the APs AP AP AP AP AP AP
▪ Splash Pages are distributed by the AP AP AP AP AP AP
ExtremeGuest server to the APs AP AP AP AP AP AP
▪ ExtremeGuest provides guest

HTTPS POST RADIUS communication
analytics and registration MiNT Guest User Traffic
functionality Captive Portal server

▪ ExtremeGuest with Centralized Captive Portal @Controller (Tunneled Traffic):
▪ Guest Traffic is tunneled to the

centralized Controllers in the NOC
via MINT
▪ Useful when internet connection is
available only in the main DC
pages are hosted by the centralized
controllers AP
RFDM
AP AP AP
RFDM
AP AP
Internet
▪ ExtremeGuest provides guest AP AP AP AP AP AP
analytics and registration AP AP AP AP AP AP
functionality
HTTPS POST RADIUS communication
MiNT (Data & Control) Guest User Traffic
Captive Portal server

▪ ExtremeGuest with Distributed Captive Portal and DMZ Controller (Tunneled Traffic to DMZ):
▪ Guest Traffic is tunneled to DMZ

Access Controllers via L2TPv3 Internet
▪ Guest Traffic is fully isolated from

corporate
DMZ
pages are hosted on the APs
▪ ExtremeGuest provides guest
analytics and registration
functionality AP
RFDM
AP AP AP
RFDM
AP AP
AP AP AP AP AP AP
AP AP AP AP AP AP
HTTPS POST Database communication
MiNT (Management) RADIUS communication (Proxied via RFDM)
Captive Portal server Guest User Traffic (L2TPv3 tunnel)

▪ Centralized ExtremeGuest with Wired Captive Portal:
▪ Can be deployed as an overlay

solution with 3rd party Wireless
LAN
Internet
▪ Can be deployed as Captive Portal
solution for both Wired & Wireless
clients
▪ Requires WiNG Controller acting
DMZ
as capture & redirection device for
the Guest VLAN
RADIUS communication
▪ ExtremeGuest hosts splash pages Guest VLAN
HTTPS POST
Capture & Redirection
Hotspot Server / Splash Pages

Wired / Wireless Client

▪ ExtremeGuest – Device Registration Flow
1 MAC Auth
Wireless Client AP
2 RADIUS
AP
2a Redirect to
Registration.html
2b Allow Access
Wireless Client AP Wireless Client AP
Submit Registration Data

3a (HTTPS)
AP
Assign User Role, VLAN,

4a Allow Access Rate Limit, Application
Wireless Client
Policy, Session Time, Block
AP
Period
▪ ExtremeGuest – Device Registration with SMS/Email Validation
Submit Registration Data

3a (HTTPS)
AP
Send passcode to
4a Email/SMS Gateway
SMS / Email Gateway
5a Login using email/mobile and received

passcode
Wireless Client
AP
RADIUS
6a Verify Passcode
AP
Assign User Role, VLAN,

Rate Limit, Application
Policy, Session Time, Block
7a Allow Access
Wireless Client AP
Period
▪ ExtremeGuest – Configuration Steps
▪ Step 1 – Deploy single ExtremeGuest server
▪ Start the database process:

extremeguest-server#self
Enter configuration commands, one per line. End with CNTL/Z.
extremeguest-server(config-device-00-0C-29-17-99-B2)#use database-policy default
extremeguest-server(config-device-00-0C-29-17-99-B2)#ntp server pool.ntp.org
extremeguest-server(config-device-00-0C-29-17-99-B2)#commit write
[OK]
extremeguest-server(config-device-00-0C-29-17-99-B2)#end
▪ Verify:
extremeguest-server#show database status
--------------------------------------------------------------------------------
MEMBER STATE ONLINE TIME
--------------------------------------------------------------------------------
localhost PRIMARY 0 days 0 hours 1 min 11 sec
--------------------------------------------------------------------------------
Authentication: Disabled Authentication User: None
--------------------------------------------------------------------------------
[*] indicates this device.

▪ Step 1 – Deploy single ExtremeGuest server - contd
▪ Start the ExtremeGuest server:

extremeguest-server(config-device-00-0C-29-17-99-B2)#eguest-server
[OK]
▪ Verify:
extremeguest-server#show eguest status
-----------------------------------
pid process
-----------------------------------
2817 gmd
2927 acct_server
2940 regserver
2986 guest_manager
3130 acct_server
3136 acct_server-helper
21425 guest_manager
27266 radiusd

▪ Step 1 – Deploy single ExtremeGuest server - contd

▪ Assign ExtremeGuest licenses:
extremeguest-server(config-device-00-0C-29-17-99-B2)#license EGUEST-DEV <paste license key obtained from the
licensing portal here>
▪ Verify:
extremeguest-server#show licenses
Serial Number : 1E150A63850635FC
Device Licenses:
AP-LICENSE
String :
Value : 0
Borrowed : 0
Total : 0
Used : 0
AAP-LICENSE
String : VX-DEFAULT-64AAP-LICENSE
Value : 64
Borrowed : 0
Total : 64
Used : 0
ADVANCED-SECURITY
String : DEFAULT-ADV-SEC-LICENSE
EGUEST-DEV
String : c87deb7553ebbb25e76a1c85001fe4f5f4fd18e508d6610751086370718a5c3da631a19b85584c74
Value ©2017 :Extreme
128 Networks, Inc. All rights reserved
▪ Step 2 – Integrate WiNG with ExtremeGuest

▪ Synchronize configuration between WiNG controller and ExtremeGuest server:
controller#conf
controller(config)#profile vx9000 Controllers
controller(config-profile-Controllers)#eguest-server 1 host <ExtremeGuest IP address | FQDN>
controller(config-profile-Controllers)#commit write
▪ Create AAA Policy pointing to the ExtremeGuest server:

controller#conf
controller(config)#aaa-policy ExtremeGuest
controller(config-aaa-policy-ExtremeGuest)#authentication server 1 host <ExtremeGuest IP | FQDN> secret
0 <RADIUS secret>
controller(config-aaa-policy-ExtremeGuest)#accounting server 1 host <ExtremeGuest IP | FQDN> secret 0
<RADIUS secret>
controller(config-aaa-policy-ExtremeGuest)#accounting type start-interim-stop
controller(config-aaa-policy-ExtremeGuest)#accounting interim interval 60
controller(config-aaa-policy-ExtremeGuest)#commit write

▪ ExtremeGuest – Configuration Steps – Use-Case #1a: Distributed Captive Portal Deployment with INTERNAL Splash Pages
▪ Step 2 – Integrate WiNG with ExtremeGuest - contd

▪ Create Captive Portal policy with desired configuration
– Mandatory configuration is marked in red
controller#conf
controller(config)#captive-portal ExtremeGuest
controller(config-captive-portal-ExtremeGuest)#server host <virtual FQDN>
controller(config-captive-portal-ExtremeGuest)#use aaa-policy ExtremeGuest
controller(config-captive-portal-ExtremeGuest)#accounting radius
controller(config-captive-portal-ExtremeGuest)#commit write

▪ ExtremeGuest – Configuration Steps – Use-Case #1b: Distributed Captive Portal Deployment with Advanced Splash Pages

controller#conf
controller(config-captive-portal-ExtremeGuest)#webpage-location advanced
controller(config-captive-portal-ExtremeGuest)#webpage-auto-upload

▪ ExtremeGuest – Configuration Steps – Use-Case #2: ExtremeGuest as Centralized Hotspot Server

▪ Create DNS Whitelist to allow communication with ExtremeGuest server
controller#conf
controller(config)#dns-whitelist ExtremeGuest
controller(config-dns-whitelist-ExtremeGuest)#permit <IP or FQDN of ExtremeGuest server>
controller(config-dns-whitelist-ExtremeGuest)#commit write

▪ ExtremeGuest – Configuration Steps – Use-Case #2: ExtremeGuest as Centralized Hotspot Server

controller#conf
controller(config-captive-portal-ExtremeGuest)#use dns-whitelist ExtremeGuest
controller(config-captive-portal-ExtremeGuest)#webpage-location external
controller(config-captive-portal-ExtremeGuest)#webpage external registration
http://eguest.extrbrno.local/splash/templates/SocialAll/registration.html?oauth-config=default&mac=WING-
TAG_CLIENT_MAC&wlan=WING_TAG_WLAN_SSID&rfd=WING_TAG_RF_DOMAIN&cps=1&regtyppe=device
controller(config-captive-portal-ExtremeGuest)#webpage external welcome http://www.extremenetworks.com
controller(config-captive-portal-ExtremeGuest)#webpage external fail
http://eguest.extrbrno.local/splash/templates/SocialAll/fail.html
http(s)://{ExtremeGuest_real_FQDN}/splash/templates/{Splash_Template_Name}/registration.html?oauth-
config=default&mac=WING-
TAG_CLIENT_MAC&wlan=WING_TAG_WLAN_SSID&rfd=WING_TAG_RF_DOMAIN&cps=1&regtyppe={device|device-otp}


▪ Create Guest Wireless LAN
controller#conf
controller(config)#wlan ExtremeGuest
controller(config-wlan-ExtremeGuest)#use aaa-policy ExtremeGuest
controller(config-wlan-ExtremeGuest)#vlan 10
controller(config-wlan-ExtremeGuest)#captive-portal-enforcement fall-back
controller(config-wlan-ExtremeGuest)#authentication-type mac
controller(config-wlan-ExtremeGuest)#use captive-portal ExtremeGuest
controller(config-wlan-ExtremeGuest)#registration external follow-aaa send-mode https
controller(config-wlan-ExtremeGuest)#registration {device | device-otp | user} group-name {ExtremeGuestGroup}
controller(config-wlan-ExtremeGuest)#radius dynamic-authorization
controller(config-wlan-ExtremeGuest)#radius vlan-assignment
controller(config-wlan-ExtremeGuest)#accounting radius
controller(config-wlan-ExtremeGuest)#accounting wait-client-ip
controller(config-wlan-ExtremeGuest)#commit write


▪ Assign Wireless LAN and Captive Portal server to the AP Profile. Add
Guest VLANs to the GE1 port
controller#conf
controller(config)#profile anyap STORE-AP
controller(config-profile-STORE-AP)#interface radio 1
controller(config-profile-STORE-AP-if-radio1)#wlan ExtremeGuest
controller(config-profile-STORE-AP-if-radio1)#interface radio 2
controller(config-profile-STORE-AP-if-radio2)#wlan ExtremeGuest
controller(config-profile-STORE-AP-if-radio2)#..
controller(config-profile-STORE-AP)#use captive-portal server ExtremeGuest
controller(config-profile-STORE-AP)#interface ge1
controller(config-profile-STORE-AP-if-ge1)#switchport trunk allowed vlan add 10
controller(config-profile-STORE-AP)#commit write

▪ Step 3 – Configure ExtremeGuest server

▪ Login to ExtremeGuest UI @ https://<ExtremeGuest IP>/eguest-ui/
Configuration > AAA > Authorization > New

▪ Step 3 – Configure ExtremeGuest server – contd.

Configuration > AAA > Group > New

▪ Step 3 – Configure ExtremeGuest server – contd.

Configuration > AAA > Networks > New

▪ ExtremeGuest – SMS / Email Notifications
▪ Whenever “device-otp” registration is enabled ExtremeGuest will need to have

access to Email/SMS Gateway to send a generated passcode to the user
Send passcode to SMS / Email Gateway

Email/SMS Gateway
▪ Supported SMS Gateways

– Clickatell (old HTTP Communicator API and new Platform API)
– Any other SMS Gateway via SMTP API (SMS over SMTP)
▪ Supported Email Gateway security:
– Anonymous (SMTP Relay)
– SSL
– StartTLS
▪ ExtremeGuest allows specifying different SMS/Email gateways per Site/ per WLAN
– Notification Policy – specifies SMS / Email gateways configuration
– Notification Rules – specifies which Policy to use based on WLAN / Location

▪ ExtremeGuest – SMS / Email Notifications Configuration
▪ Step 1 – Configure Notification Policy
Configuration > Notification > Policy > +
Note: the following TAGs are supported to

simplify SMS/Email message generation:
GM_NAME – username
GM_MOBILE – mobile phone number
GM_PASSCODE – generated passcode
▪ Step 1 – Configure Notification Policy – contd.
Configuration > Notification > Policy > +

▪ Step 1 – Configure Notification Policy – contd.
Configuration > Notification > Policy > Add


▪ Step 2 – Configure Notification Rules
Configuration > Notification > Rules > +

▪ Step 3 – Set Registration Type to Device-OTP or User on WING

Configuration > Wireless > Wireless LANs > {Guest WLAN Name} > Edit

▪ ExtremeGuest – Centralized Splash Page Distribution
▪ ExtremeGuest server provides a method for centralized splash page distribution

based on WLAN and Location
– Allows to have custom splash templates with different languages based on country (e.g.
Europe) or region (FR vs EN Canada)
– Custom page templates per WLAN
▪ How it works?
– ExtremeGuest is reusing existing WiNG captive portal page upload mechanism to deliver a set
of splash pages to the AP / Controller
– Requires all pages and content to be archived into a single .tar package (use IZarc on Windows
to create a tar)
– ExtremeGuest makes an HTTPS request to the WiNG controller to distribute the pages

▪ ExtremeGuest – Centralized Splash Page Distribution
▪ Caveats
– Requires all pages and content to be archived into a single .tar package (use IZarc on
Windows)
– Requires “override-wlan <WLAN_name> template test” to be added to the RF Domain with APs,
as well as NOC controller.
– Management Tree must be configured on WiNG (/Country/City/Region/ etc)

▪ ExtremeGuest – Configuration Steps – Use-case #1b: Distributed Captive Portal with Advanced Splash Pages
▪ Step 5 – Push Splash Page Template to required locations

Configuration > Splash Template
Note*: Management Tree must be configured on WiNG

Note**: override-wlan <WLAN> template test must be added all RF Domains before initial push
▪ ExtremeGuest – Configuration Steps – Use-case #2: ExtremeGuest as Centralized Hotspot Server
▪ Step 4 – Upload Splash Page Template


▪ ExtremeGuest – Configuration Steps – Use-case #1b: Distributed Captive Portal with Advanced Splash Pages
▪ Step 4 – Upload Splash Pages template in TAR package


▪ ExtremeGuest – Configuration Steps – Use-case #2: ExtremeGuest as Centralized Hotspot Server
▪ Step 5 – Install Splash Page Template to the ExtremeGuest server


▪ ExtremeGuest – Social Media Authentication
▪ With any registration type it is possible to enable Social Media Login on the
captive portal
▪ With WiNG 5.9 there two main methods of achieving this:
– Internally in WiNG Captive Portal (Facebook / Google+ using Javascript SDK)
▪ Nothing new since the original 5.8.0 release
▪ Requires “bypass captive-portal-detection” enabled, which suppresses default captive portal pop up on
mobile devices
▪ Configuration is done in WiNG
– Centrally on ExtremeGuest server (Facebook / Google+, Instagram, LinkedIn using PHP
SDK)
▪ Social media App IDs needs to be added to the splash page template before template is
uploaded to the ExtremeGuest, as well as Social configuration on ExtremeGuest UI.
▪ No need for bypass captive-portal-detection, as PHP SDK works within the same page
– Warning: Google+ will detect mini browser via User Agent and will NOT allow authentication, unless
full browser is used.
▪ For legacy low NAND platforms (AP6532, AP6521, AP6522) new php-helper is required to
proxy php code via controller or bigger RFDM

▪ ExtremeGuest – Social Media Authentication – Facebook Application
▪ https://developer.facebook.com

▪ ExtremeGuest – Social Media Authentication – Facebook Application
▪ https://developer.facebook.com

▪ ExtremeGuest – Social Media Authentication – Google+ Application
▪ https://console.developers.google.com
Credentials > Create Credentials > OAuth Client ID > Web Application :

▪ ExtremeGuest – Social Media Authentication – Google+ Application
▪ https://console.developers.google.com
Library > Social APIs > Google+ API:

▪ ExtremeGuest – Social Media Authentication – Instagram Application
▪ https://www.instagram.com/developer/
▪ Manage Clients > Register New Client:

▪ ExtremeGuest – Social Media Authentication – Instagram Application
▪ https://www.instagram.com/developer/
▪ Manage Clients > Register New Client:

▪ ExtremeGuest – Social Media Authentication – LinkedIn Application
▪ https://www.linkedin.com/developer/apps/
▪ Create Application:

▪ ExtremeGuest – Social Media Authentication – Redirect URIs for Distributed Captive Portal
▪ Instagram:
http(s)://{CP_FQDN}:{880 or 444}/social_signin.php?captive-
portal={CP_Policy_Name}&provider=instagram&hauth.start=Instagram
▪ LinkedIn:
portal={CP_Policy_Name}&provider=linked_in
▪ Google+:
portal={CP_Policy_Name}&provider=google&hauth.done=Google

▪ ExtremeGuest – Social Media Authentication – Redirect URIs for ExtremeGuest Centralized Hotspot Server
▪ Instagram:
http(s)://{ExtremeGuest_real_FQDN}/splash/templates/social_signin.php?captive-
portal={Splash_Template_Name}&provider=instagram&hauth.start=Instagram
▪ LinkedIn:
portal={Splash_Template_Name}&provider=linked_in
▪ Google+:
portal={Splash_Template_Name}&provider=google&hauth.done=Google

▪ ExtremeGuest – Social Media Authentication – DNS Whitelist
▪ Required DNS Whitelist Configuration:

FACEBOOK:
connect.facebook.net
facebook.com suffix
fbstatic-a.akamaihd.net
fbcdn.net suffix
GOOGLE+:
accounts.google.com
apis.google.com
content.googleapis.com
oauth.googleusercontent.com
ssl.gstatic.com
LINKEDIN:
linkedin.com suffix
static.licdn.com
INSTAGRAM:
instagram.com suffix
instagramstatic-a.akamaihd.net suffix
▪ ExtremeGuest – Social Media Authentication – Splash Page Template Edit
▪ To enable Social Media Authentication add App IDs to the

social_config.php file in the root directory. Example:
<?php
$providers_list = array (
"Facebook" => array (
"enabled" => true,
"keys" => array ("id" => “{APP-ID}", "secret" => “{APP-SECRET}"),
"scope" => "email, public_profile",
"trustForwarded" => true
),
"Google" => array (
"enabled" => true,
"scope" => "https://www.googleapis.com/auth/plus.login https://www.googleapis.com/auth/plus.me
https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email"
),
"Linked_In" => array (
"enabled" => true,
),
"Instagram" => array(
"enabled" => true,
"keys" => array("key" => “{APP-ID}","id" => “{APP-ID}","secret" => “{APP-SECRET}")),
);
$debug_mode = true;
?>

▪ Same App IDs should be added to ExtremeGuest UI for public profile

information pulling:

▪ Registration/Login page will have buttons pointing to the individual

Social Media providers in the social_config.php. Example:
<div class="footer">
<ul class="intro-social-buttons">
<span class="tooltip">
<input type="button" class="facebook-button" onClick="redirectTo('facebook')" />
<span class="tooltiptext">Facebook</span></span>
<input type="button" class="google-button" onClick="redirectTo('google')" />
<span class="tooltiptext">Google+</span></span>
<input type="button" class="instagram-button" onClick="redirectTo('instagram')" />
<span class="tooltiptext">Instagram</span></span>
<input type="button" class="linkedin-button" onClick="redirectTo('linked_in')" />
<span class="tooltiptext">LinkedIn</span></span>
</ul>
function redirectTo(provider) {
if (php_helper)
hrefstr = window.location.protocol + "//" + php_helper + ":880/social_signin.php";
else
hrefstr = "../social_signin.php";
window.location.href = hrefstr + '?captive-portal=' + cpname + '&provider=' + provider;

}v

▪ ExtremeGuest – Social Media Authentication – PHP Helper – ONLY for Legacy Low-NAND Access Points
▪ New Social Media Authentication method requires PHP based SDK

(HybridAuth), which takes a lot of NAND memory (6MB)
▪ In distributed Captive Portal Deployments (CP hosted by AP) with legacy
APs (6521, 6532, 6522, 7502) a new PHP-Helper can be utilized
▪ PHP-Helper redirects any social media authentication to a device (AP or
Controller) that supports PHP SDK:
Captive-portal EGuest
...
server mode self
server host captive.wingsecure.com
php-helper controller socialguest.extremenetworks.com
webpage-location advanced
...

▪ ExtremeGuest – Guest Policy Enforcement
▪ ExtremeGuest server provides a security framework to assign different access

rules and priorities to different user groups via Authorization Policies
▪ How it works?
– Wireless Client (Guest User) is getting registered to a Group
– Authorization Profile is assigned to a group defining:
▪ VLAN
▪ Allowed SSID
▪ Rate Limit (from / to air per client)
▪ Inactivity Timeout
▪ Session Timeout
▪ Block Period after Session Timeout
▪ Application Policy Name (Requires Application Policy to be mapped under RADIUS Application Policy)
▪ User Role (required Role Based Firewall enabled with specific role)
▪ Time / Day of the Week Access Rules

1 Registration
Wireless Client

Policy Assignement

3 Policy Push (RADIUS)

AP
4 Policy Enforcement
AP Wireless Client

▪ ExtremeGuest – Dynamic User Control
3 Policy Push (RADIUS)

AP
4 Policy Enforcement
AP Wireless Client

▪ ExtremeGuest – Dynamic User Control - Notes
▪ Application Policy requires RADIUS Application Policy Mapping on WiNG:

▪ CoA must be enabled for Application control and dynamic disconnect & block time
enforcement:

▪ VLAN Assignment via EGuest needs RADIUS VLAN Assignment enabled on

WLAN:

▪ ExtremeGuest – Dynamic User Control – EGuest UI
▪ ExtremeGuest allows an admin to disconnect or time block the user or device:

Analyze > Users
Analyze > End Points

▪ ExtremeGuest – HelpDesk User (Voucher UI)
▪ Login with “web-user-admin” role:

▪ Login with “web-user-admin” role:

▪ Requires “radius” captive portal access type:

▪ ExtremeGuest – Troubleshooting
▪ Troubleshooting ExtremeGuest Server:

#debug eguest {module} level {error|warn|info|debug|debug2|debug3|debug4}
accounting Accounting server related traces

config Configuration related traces
dashboard Dashboard related traces
manager ExtremeGuest manager related traces
notification Notification related traces
Restarts ExtremeGuest RADIUS server in debug mode. Debug logs are captured in the file
radiusd
flash:/log/zg_radiusd.log
registration Registration related traces
reports Report related traces
socialauth Social auth related traces
splash Splash template related traces
system Commonly used modules related traces

▪ Troubleshooting WiNG Controller side:
debug cfgd eguest Enabled ExtremeGuest related traces (like configuration updates)
Debug splash page template push issues from ExtremeGuest to WiNG
debug cfgd captive-portal-page-upload
Controller

▪ Troubleshooting Client Registration / Connectivity:

Operations > Troubleshoot > Captive Portal Debug

Thank You
WWW.EXTREMENETWORKS.COM

WiNG 5.9 Training v1

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

WiNG 5.9 Training v1

Uploaded by

Copyright:

Available Formats

WiNG 5.

©2017 Extreme Networks, Inc. All rights reserved

Release Overview: Part 3 - NSight enhancements:

Part 2 - Location Services:

©2017 Extreme Networks, Inc. All rights reserved

©2017 Extreme Networks, Inc. All rights reserved

NX 5500 NX 75X0 NX 96X0

RFS 4010 RFS 6000 (EOS) NX 95X0 (EOS)

802.11n 802.11ac 802.11n 802.11ac

High Tier AP81XX (EOS) AP8432 AP8163 AP7562

Value Tier AP6511 AP7502

©2017 Extreme Networks, Inc. All rights reserved

©2017 Extreme Networks, Inc. All rights reserved

▪ Removed application categories in WiNG 5.9.0:

©2017 Extreme Networks, Inc. All rights reserved

©2017 Extreme Networks, Inc. All rights reserved

©2017 Extreme Networks, Inc. All rights reserved

▪ WiNG 5.9 introduces support to manage same AP family from a Virtual

▪ Common AP family management is achieved using ANYAP profile

▪ AP7522/AP7532/AP7562 use the same firmware image, hence device

– Supported in Enterprise UI only on enterprise WING

©2017 Extreme Networks, Inc. All rights reserved

▪ VC UI adds support for multiple profiles:

©2017 Extreme Networks, Inc. All rights reserved

▪ Profiles can be assigned using auto-provisioning policy:

©2017 Extreme Networks, Inc. All rights reserved

▪ WiNG 5.9 adds support for VC integration into NSight

©2017 Extreme Networks, Inc. All rights reserved

▪ WiNG 5.9 adds support for

▪ Virtual Controller can be automatically elected based on the RF Domain

▪ Once Virtual Controller is elected, it will install virtual management IP

▪ Provides VC redundancy and failover mechanism

▪ Dynamic VC can be configured only on the AP Profile:

©2017 Extreme Networks, Inc. All rights reserved

▪ Dynamic VC configuration CLI:

©2017 Extreme Networks, Inc. All rights reserved

▪ Dynamic VC management IP address verification CLI:

7532-EXTR-BRQ-1#show ip interface brief

Note: VC election priority can be controller by increasing

©2017 Extreme Networks, Inc. All rights reserved

▪ Dynamic VC mint link:

8533-EXTR-BRQ-1#show mint links details

Note: VC election priority can be controller by increasing

©2017 Extreme Networks, Inc. All rights reserved

©2017 Extreme Networks, Inc. All rights reserved

▪ WiNG 5.9 adds support management user lockout rules to prevent

▪ User lockout can be enforced per management user role (superuser,

▪ After user lockout is triggered new event “login-lockout” is generated

▪ After user lockout timer is expired, another event “login-unlocked” will be

©2017 Extreme Networks, Inc. All rights reserved

©2017 Extreme Networks, Inc. All rights reserved

▪ Configuration CLI (management policy context):

Passwd-retry role <role> max-fail <# of failed attempts> lockout-time <time>

©2017 Extreme Networks, Inc. All rights reserved

©2017 Extreme Networks, Inc. All rights reserved

©2017 Extreme Networks, Inc. All rights reserved

©2017 Extreme Networks, Inc. All rights reserved

©2017 Extreme Networks, Inc. All rights reserved

▪ RSSI Info Header (type = 0):

▪ Station (Client) Header:

Station MAC Frequency BSSID SSID Type 1 Value 1

©2017 Extreme Networks, Inc. All rights reserved

▪ There are three items needed to enable ExtremeLocation sensor: