Interface Configuration Window


You can use this window to configure the interfaces on an Extreme Access Control engine. Interface configuration allows you to separate management traffic from end-system traffic, providing another layer of protection for sensitive data. It also provides the ability to snoop mirrored traffic on other ports.

This window is accessed from the NAC Appliance Configuration tab, by clicking the Edit button in the Interface Summary section. It displays configuration options for each of the interfaces available on the Extreme Access Control engine.

Interface Modes

An interface can be configured in one of the following modes: Management, Registration & Remediation; Management Only; Registration & Remediation Only; Listen Only; Advanced Configuration; and Off. The mode determines the type of traffic allowed on the interface and the services provided by the interface.

You can configure all the interfaces on an engine; however, you cannot change the management interface, and only one interface can be configured to allow management traffic.

Management, Registration & Remediation – This mode is the in-band management mode where both management traffic and registration, assessment, and remediation traffic use the same interface. In this mode, the engine does not limit traffic to each of the services. This behavior is the same as behavior in NAC Manager versions 4.2.x and earlier.

Management Only – In this mode, the engine binds all management services to this interface. This includes:

  • traffic to Extreme Management Center and other engines (JMS and HTTP)
  • all traffic to switches
  • all LDAP and RADIUS traffic
  • traffic for the following services: SSH daemon, SNMP daemon, and RADIUS server
  • traffic for captive portal administration, sponsorship, pre-registration, and screen preview (on ports 80 and 443)
  • traffic for WebView pages and Extreme Management Center web services (on ports 8080 and 8443)

Registration & Remediation Only – In this mode, the engine binds all registration and remediation services to this interface. All traffic to end-systems is initiated through this interface, including:

  • assessment traffic
  • NetBIOS for IP and hostname resolution
  • traffic for registration pages, remediation pages, and self-registration (on ports 80 and 443)
  • all agent communication traffic (on ports 8080 and 8443)

Listen Only – In this mode, the engine allows DHCP and Kerberos snooping to be performed on the interface. No IP address or hostname can be assigned to the interface.

Advanced Configuration – This mode allows you to configure the services that are provided by the selected interface, using the link in the Services field. This is useful for Extreme Access Control deployments in MSP or MSSP environments.

Off – The interface is disabled and not used in any way.

Services

The Services field displays the services that are provided by the Extreme Access Control engine interface, as determined by the selected interface mode. Each mode provides a different set of services on the interface.

If the mode is set to Advanced Configuration, the services list becomes a link that launches an Edit window where you can select or deselect the services provided by the interface. This granularity is useful for Extreme Access Control deployments in MSP or MSSP environments.

The following list describes the various services that are provided by the different modes:

  • Management - The communication to and from the Extreme Management Center server. Sub-services include JMS, Web Services, and Syslog.
    NOTE: The Management service cannot be moved from eth0.
  • Monitoring Services - The services used to monitor or contact an engine. Sub-services include the SSH daemon and SNMP agent.
  • Network Services - The communication to external servers that provide networking services. Sub-services include DNS servers and NTP servers.
    NOTE: The Network Services service can only be applied to one interface.
  • AAA Servers - The communication used by external servers for authentication and authorization. Sub-services include RADIUS servers and LDAP servers.
    NOTE: The AAA Servers service can only be applied to one interface.
  • Device - The communication to and from a NAS (switch, router, VPN, or wireless controller). Sub-services include SNMP, RADIUS, RFC3576, SSH/Telnet, and TFTP.
  • Portal: Management - The captive portal registration management services for an engine.
  • End-System - The communication to and from end-systems. Sub-services include portal registration and remediation, assessment, NetBIOS, and DNS proxy.
  • Traffic Snooping - DHCP and Kerberos snooping on the interface. This service is listed if the DHCP/Kerberos Snooping option is set to Enabled.

DHCP/Kerberos Snooping

Use the DHCP/Kerberos Snooping option to enable or disable DHCP and Kerberos snooping on the interface. DHCP snooping is used for IP resolution and OS detection. Kerberos snooping is used for user name detection and elevated access.

Captive Portal HTTP Mirroring

This is an advanced option that allows the interface to accept mirrored HTTP traffic which is used to display the captive portal to end users. This option is an alternative to using Policy-Based Routing and DNS Proxy.

Tagged VLANs

If the mirrored traffic includes an 802.1Q VLAN tag, the VLANs to capture must be stated explicitly in this field as a comma-separated list of VLAN IDs from 1 to 4094. If the mirrored traffic is not tagged, this field can be left blank.
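The mode and service rules above (one management interface that stays on eth0, Network Services and AAA Servers on a single interface, no IP address on a Listen Only interface) and the Tagged VLANs field format can be checked before a configuration is applied. The following is an added example, not Extreme's code: the mode-to-service mapping is derived from the mode descriptions on this page, the placement of DNS/NTP (Network Services) under the management modes is an assumption, and the `Interface` field names are assumptions.

```python
from dataclasses import dataclass
MGMT_SIDE = {"Management", "Monitoring Services", "Network Services",
             "AAA Servers", "Device", "Portal: Management"}  # DNS/NTP placement assumed
MODE_SERVICES = {  # services each fixed mode binds, per this page's mode descriptions
    "Management, Registration & Remediation": MGMT_SIDE | {"End-System"},
    "Management Only": MGMT_SIDE,
    "Registration & Remediation Only": {"End-System"},
    "Listen Only": {"Traffic Snooping"},
    "Off": set(),
}

@dataclass
class Interface:
    name: str
    mode: str
    ip: str = ""                          # Listen Only interfaces get no address
    services: frozenset = frozenset()     # used only in Advanced Configuration
    tagged_vlans: str = ""                # the Tagged VLANs field, as typed

def parse_vlan_list(text):
    """Tagged VLANs field: comma-separated IDs 1..4094; blank means untagged traffic."""
    ids = []
    for tok in (t.strip() for t in text.split(",")) if text.strip() else []:
        if not tok.isdigit() or not 1 <= int(tok) <= 4094:
            raise ValueError(f"invalid VLAN ID {tok!r} (expected 1-4094)")
        ids.append(int(tok))
    return ids

def effective_services(iface):
    if iface.mode == "Advanced Configuration":
        return set(iface.services)
    return MODE_SERVICES[iface.mode]  # KeyError flags an unknown mode name

def validate(ifaces):
    errors = []
    mgmt = [i.name for i in ifaces if "Management" in effective_services(i)]
    if mgmt != ["eth0"]:  # one management interface, and it cannot leave eth0
        errors.append(f"management traffic must be on eth0 only, found {mgmt}")
    for svc in ("Network Services", "AAA Servers"):  # each on one interface only
        owners = [i.name for i in ifaces if svc in effective_services(i)]
        if len(owners) > 1:
            errors.append(f"{svc} can only be applied to one interface, found {owners}")
    for i in ifaces:
        if i.mode == "Listen Only" and i.ip:
            errors.append(f"{i.name}: Listen Only interface cannot have an IP address")
        try:
            parse_vlan_list(i.tagged_vlans)
        except ValueError as e:
            errors.append(f"{i.name}: {e}")
    return errors
```

`validate()` returns an empty list for a configuration that satisfies every rule on this page and one message per violated rule otherwise, so it can gate a planned change in a review script.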
