How to Set Up Registration


The Extreme Networks Extreme Access Control Solution provides support for Registration which forces any new end-system connected on the network to provide the user's identity in a web page form before being allowed access to the network. Registration utilizes Registration Web Server functionality installed on an Access Control engine to allow end users to register their end-systems and automatically obtain network access without requiring the intervention of network operations. For more information on Registration and an overview of how it works, see the Registration section of the Concepts help file.

  NOTE: For important information on web browser requirements for end-systems connecting through NAC Manager, refer to the NAC Configuration Considerations Help topic.

This Help topic describes the specific steps that must be performed when deploying Registration on your network. The steps vary depending on whether you are using Access Control Gateway engines and/or Layer 2 Access Control Controller engines on your network. (Registration is not supported on the Layer 3 Access Control Controller engines.)

For Access Control Gateway engines you must:

  • Identify the location in your network topology for the Access Control Gateway installation.
  • Define the access policy for authorizing unregistered end-systems.
  • Configure policy-based routing on your network.
  • Configure Registration parameters in NAC Manager.

For Layer 2 Access Control Controller engines you must:

  • Configure Registration parameters in NAC Manager.

The Registration Web Server is pre-installed on the Access Control engine. For instructions on installing and configuring an Access Control engine, please refer to your engine Installation Guide.

  NOTE: It is important to add a DNS entry for the Fully Qualified Domain Name (FQDN) of the Access Control engine (both Access Control Gateways and Access Control Controllers) into the DNS servers deployed on the network so that the device running NAC Manager is able to resolve queries to these DNS servers. Otherwise, a short delay occurs in returning the Registration web page to end users on the network.

Extreme Access Control Gateway Configuration

Perform the following steps when you are deploying Registration in a network that utilizes Access Control Gateway engines. These steps are not necessary if you are utilizing only Access Control Controller engines on your network.

Identifying Extreme Access Control Gateway Location

Although several Access Control Gateways may be deployed on the entire network depending on the number of connecting end-systems, only one Access Control Gateway is required to serve as the Registration Web Server. The location of this Access Control Gateway is important for the implementation of web redirection for unregistered end-systems on the network. The Access Control Gateway serving as the Registration Web Server must be installed on a network segment directly connected to a router or routers that exist in the forwarding path of HTTP traffic from unregistered end-systems. This is because policy-based routing will be configured on this router or routers to redirect the web traffic sourced from unregistered end-systems to this Access Control Gateway. It is important to note that only the Access Control Gateway that you wish to serve as the Registration Web Server needs to be positioned in such a manner. All other Access Control Gateways may be positioned at any location on the network, with the only requirement being that access layer switches are able to communicate to the gateways.

Typically, the Access Control Gateway serving as the Registration Web Server is positioned on a network segment directly connected to the distribution layer routers on the enterprise network, so that any HTTP traffic sourced from unregistered end-systems that are connected to the network's access layer can be redirected to that Access Control Gateway. As an alternative, the Access Control Gateway may be positioned on a network segment directly connected to the router providing connectivity to the Internet or internal web server farm. In this scenario, the HTTP traffic sourced from unregistered end-systems would be redirected to the Access Control Gateway before reaching the Internet or internal web servers.

Third-Party URL Redirection Considerations

If your environment incorporates third-party redirection (i.e., a Cisco Controller), configure the device to use the following URL (or redirection ACL) to redirect HTTP traffic to the appropriate Captive Portal pages:

http://<GatewayIP>/static/index.jsp

Defining the Unregistered Access Policy

When you implement Registration, you assign the Unregistered Access Control Profile defined in NAC Manager as the Default Profile for all end-systems connected to the engine group. The Unregistered Access Control Profile specifies that end-systems are not assessed for security posture compliance (at this time) and authorizes end-systems on the network with the "Unregistered" access policy. With this configuration, end-systems are first forced to register to the network, and after successful registration, can be assessed for security posture compliance and subsequently quarantined or allowed network access.

Note that an end-system group may be configured to exempt certain devices from having to register to the network, based on authentication type, MAC address, or user name. For example, an end-system group for the MAC OUI of the printer vendor for the network can be configured to exempt printers from having to register for network access.

Creating the Unregistered Access Policy

The Unregistered access policy must allow unregistered end-systems access to ARP, DHCP, DNS, and HTTP; particularly HTTP communication to the Access Control Gateway implementing the Registration Web Server functionality. For a network composed of EOS policy-enabled switches in the access layer, you must create the appropriate network access services and rules for the Unregistered policy role in Policy Manager to meet these requirements, and enforce those changes to the policy-enabled switches. For a network composed of RFC 3580-enabled switches, you must ensure appropriate network services are allowed for the VLAN(s) associated to the Unregistered access policy.

For EOS policy-enabled Access Layer Switches

When configuring the Unregistered policy role (using Policy Manager) for EOS policy-enabled switches, there are two configurations that are required:

  • A rule must be added that permits HTTP traffic (i.e. TCP destination port equaling 80) on the network.
  • The rule must specify a class of service action that rewrites the ToS value of the HTTP traffic to a value of 'y'. This value should match the decimal equivalent used in your policy-based routing that is used on the router.

If Assisted Remediation is already deployed with the Quarantine policy role appropriately configured for web redirection on EOS policy-enabled access layer switches, the simplest way to configure the Unregistered policy role in Policy Manager is to copy and paste the Quarantine policy role under the Roles tab in Policy Manager and rename this new policy role "Unregistered".

In addition, the Policy Manager Default Policy Domain includes an Unregistered role that is already configured with a service called Redirect Web Services, that includes an "Allow HTTP and Redirect" rule configured with the Access Control Web Redirect Class of Service.

Perform the following steps in Policy Manager to configure your Unregistered policy role.

  NOTE: The Policy Manager Default Policy Domain includes an Access Control Web Redirect Class of Service that can be used. Make sure that the ToS rewrite value is set to the appropriate value for your network. If you already created a Class of Service with ToS rewrite functionality for Assisted Remediation, you may use that same Class of Service for Registration and start with step number 3 below.
  1. In Policy Manager, use the Device Configuration Wizard to enable the Role-based Class of Service mode on your network devices.
  2. Create a new Class of Service that implements the ToS rewrite functionality:
    1. Open the Class of Service Configuration window (Edit > Class of Service Configuration).
    2. Click the Create button and open the Create Class of Service window.
    3. Enter a name for the class of service (e.g. "Web Redirection").
    4. Select the 802.1p Priority checkbox and use the drop-down list to select the 802.1p priority to associate with the class of service.
    5. Select the Enable ToS/DSCP Marking checkbox and set the ToS Rewrite value to 'y' (hex).
    6. Click OK to create the new Class of Service.
  3. Use the Classification Rule Wizard to add an "Allow HTTP" rule to a service currently included in your Unregistered policy role.
    1. Select the service in the left-panel Roles/Services tab.
    2. From the menu bar, select Tools > Classification Rule Wizard.
    3. Enter a name for the rule (e.g. "Allow HTTP").
    4. Set the rule status to Enabled.
    5. Set the rule type to All Devices.
    6. Set the traffic classification layer to Layer 4.
    7. Set the traffic classification type to IP TCP Port Destination.
    8. Set the well-known values to HTTP (80).
    9. Do not enter an IP address value.
    10. Review the traffic description summary.
    11. For the Actions, select the CoS checkbox and the class of service you created in step 2 ("Web Redirection").
    12. Select Permit Traffic for the Access Control.
    13. Click Finish to complete the rule.
  4. Enforce these policy configurations to your network devices.

For RFC 3580-compliant Access Layer Switches

A VLAN must be identified to which unregistered end-systems will be assigned upon connecting to the network. This may or may not be the same VLAN assigned to end-systems when they are being assessed or quarantined. The VLAN must provision network services to an unregistered end-system that allow the end-system to open a web browser; specifically HTTP, DHCP, ARP, and DNS. Furthermore, it is required that IP connectivity between the end-system and the Access Control Gateway implementing the Registration Web Server functionality is operational.

The VLAN to which unregistered end-systems are assigned must be appropriately configured on all access layer switches where end-systems will be registering to the network. Access control lists may be configured at the default gateway router's interface for the unregistered VLAN to restrict particular types of traffic sourced from end-systems within this VLAN to other areas of the network, while still meeting the previously described provisioning requirements for this VLAN (ARP, DHCP, DNS, and HTTP to the Registration Web Server).

For Both EOS policy-enabled and RFC 3580-compliant Access Layer Switches

Now that you have defined the Unregistered policy role in Policy Manager for EOS policy-enabled switches and/or the VLAN assigned to unregistered end-systems for RFC 3580-compliant switches, you must associate this policy role to the appropriate VLAN in NAC Manager.

  1. In NAC Manager, click on the Manage NAC Profiles button in the toolbar. The Manage NAC Profiles window opens.
  2. Select the Unregistered Access Control Profile entry and click the Edit button. The Edit NAC Profile window opens.
  3. Click the Manage button in the Policy Mappings section. The Edit Policy Mapping Configuration window opens.
  4. Select the Advanced Radio button.
  5. Select the Unregistered policy and click the Edit button. The Edit Policy Mapping window opens.
  6. Use the drop-down list to select "Unregistered" as the Policy Role. (The drop-down list displays all the policy roles you have created and saved in your Policy Manager database.)
  7. If only EOS policy-enabled switches are deployed in the access layer of the network, associate the Unregistered policy with the Default VLAN [1]. If RFC 3580-compliant access layer switches are deployed, associate the "Unregistered" policy with the Unregistered VLAN you will be using in your network, adding the VLAN using the Add VLAN button, if necessary.
  8. Click OK to close all the open windows. Close the Manage NAC Profiles window.

Your NAC Manager Unregistered access policy is now configured to allow unregistered end-systems the ability to communicate to the Access Control Gateway serving as the Registration Web Server. In the next step, the authentication, authorization, and assessment of unregistered end-systems will be specified.

Configuring the Unregistered Extreme Access Control Profile

Now that you have created the Unregistered access policy, you can customize the Unregistered Access Control Profile. The Unregistered Access Control Profile is defined by default in NAC Manager to specify that an unregistered end-system will not be assessed for security posture compliance and that it will be authorized on the network with the "Unregistered" policy. Therefore, unregistered end-systems will be immediately assigned to the "Unregistered" policy when connected to EOS policy-capable access layer switches and the "Unregistered" VLAN when connected to RFC 3580-compliant access layer switches, without being assessed. The authentication, assessment, and authorization settings of the Unregistered Access Control profile may be changed as required by your organization. Once you have configured the Unregistered Access Control Profile, it can be selected as the default profile for an engine group (as described in a later section) where end-systems will be required to register to the network.

To change the Unregistered Access Control Profile, use the following steps.

  1. In NAC Manager, click on the Manage Access Control Profiles button in the toolbar. The Manage NAC Profiles window opens.
  2. Select the Unregistered Access Control Profile entry and click the Edit button. The Edit NAC Profile window opens.
  3. Select the desired authentication, assessment, and configuration settings.
  4. Click OK.

Configuring Policy-Based Routing

As described above, the Access Control Gateway serving as the Registration Web Server must be located on a network segment directly connected to a router or routers that exist in the transmission path of all traffic from any end-system that is not registered. This is because policy-based routing (PBR) must be configured on the routers to redirect the web traffic sourced from unregistered end-systems to that Access Control Gateway.

If EOS policy-enabled switches are deployed on the network, this is done by configuring policy-based routing to forward all HTTP traffic with a ToS field of 'y' to the next-hop address of the Access Control Gateway serving as the Registration Web Server. If RFC 3580-enabled switches are deployed on the network, this is done by configuring policy-based routing to forward all HTTP traffic with the source IP address on the subnet(s)/VLAN(s) associated to the Unregistered access policy, to the next-hop address of the Access Control Gateway serving as the Registration Web Server.

In addition, if you are adding multiple Access Control Gateways for redundancy, the network needs to be configured for redundant policy-based routing as well.

For EOS policy-enabled Access Layer Switches

Let's consider an example where the Unregistered access policy is associated to a policy role on EOS policy-enabled switches that uses the "Allow HTTP" classification rule to assign HTTP traffic the "Web Redirection" class of service. This class of service rewrites the ToS field in the HTTP traffic to a value of 0x40 (or 64 base 10), equivalent to a DSCP value of 16. (The DSCP is the value defined in the six most significant bits of the 8-bit ToS field.) Furthermore, the Unregistered access policy is associated to VLANs 10, 20, and 30 on RFC 3580-enabled switches on the network which map to subnets 10.1.10.0/24, 10.1.20.0/24, and 10.1.30.0/24, respectively. The following steps describe how to configure policy-based routing on an N-Series router or Cisco IOS-based router when Registration is deployed for EOS policy-enabled access layer switches.

  1. Configure an entry in the access-list 102 to identify HTTP traffic with a DSCP of 16.
         access-list 102 permit tcp any any eq 80 dscp 16
  2. Use a route-map to configure the access-list 102 ACL to redirect HTTP traffic from end-systems to the next-hop IP address of the Access Control Gateway serving as the Registration Web Server, where "xxx.xxx.xxx.xxx" is the IP address of the Access Control Gateway. Note that multiple next-hop IP addresses may be specified in the route-map if multiple Access Control Gateways are serving as Registration Web Servers.
         route-map 101
         match ip address 102
         set next-hop xxx.xxx.xxx.xxx
  3. Apply the route map for the PBR configuration to the routed interface receiving the HTTP traffic from unregistered end-systems by entering the routed interface configuration prompt and executing the following command.
         ip policy route-map 101

For RFC 3580-compliant Access Layer Switches

Let's consider an example where the Unregistered access policy is associated to VLANs 10, 20, and 30 on RFC 3580-enabled switches on the network which map to subnets 10.1.10.0/24, 10.1.20.0/24, and 10.1.30.0/24, respectively. The following steps describe how to configure policy-based routing on an N-Series router or Cisco IOS-based router when Registration is deployed for RFC 3580-compliant access layer switches.

  1. Configure an entry in the access-list 102 to identify HTTP traffic sourced from subnets 10.1.10.0/24, 10.1.20.0/24, and 10.1.30.0/24.
         access-list 102 permit tcp 10.1.10.0 0.0.0.255 any eq 80
         access-list 102 permit tcp 10.1.20.0 0.0.0.255 any eq 80
         access-list 102 permit tcp 10.1.30.0 0.0.0.255 any eq 80
  2. Use a route-map to configure the access-list 102 ACL to redirect HTTP traffic from end-systems to the next-hop IP address of the Access Control Gateway serving as the Registration Web Server, where "xxx.xxx.xxx.xxx" is the IP address of the Access Control Gateway. Note that multiple next-hop IP addresses may be specified in the route-map if multiple Access Control Gateways are serving as Registration Web Servers.
         route-map 101
         match ip address 102
         set next-hop xxx.xxx.xxx.xxx
  3. Apply the route map for the PBR configuration to the routed interface receiving the HTTP traffic from unregistered end-systems by entering the routed interface configuration prompt and executing the following command.
         ip policy route-map 101

Setting up Redundancy on Access Control Gateways

When adding multiple Access Control Gateways for redundancy, the network needs to be configured for redundant policy-based routing as well. This is performed on the router in which policy-based routing is configured. Use the same commands described in the previous two sections except for the two following changes:

  • In step 2, in addition to the single IP address set as the next-hop IP address, enter a list of IP addresses of the redundant Access Control Gateways. For example:
         set next-hop xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
  • In step 3, when adding the ip policy route-map to the router interface, specify an additional command called "ip policy pinger on". This command attempts to ping the first IP address specified in the next-hop list to determine its availability. If it is not available, the next IP in the list of next-hops is pinged and then used, if it is available. For example:
         ip policy route-map 101
         ip policy pinger on
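The following Python model is an added example, not Extreme Networks' code and not anything the router commands above execute. It covers the three router-side decisions described in the EOS policy-enabled, RFC 3580-compliant and redundancy sections: the ToS-to-DSCP arithmetic behind "0x40 equals DSCP 16", the two access-list 102 variants (match on DSCP 16 versus match on the Unregistered source subnets 10.1.10.0/24, 10.1.20.0/24 and 10.1.30.0/24), and the first-reachable-next-hop behaviour of "set next-hop a b c" with "ip policy pinger on". The gateway addresses 192.0.2.x are constructed placeholders standing in for the page's "xxx.xxx.xxx.xxx", and the reachability callback stands in for the router's ping probe.

```python
# Added example (not Extreme Networks' code): a small model of the policy-based
# routing decisions described on this page, so the ToS/DSCP arithmetic and the
# two access-list variants can be sanity-checked before a router is configured.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Iterable, List, Optional

HTTP_PORT = 80


def tos_to_dscp(tos: int) -> int:
    """DSCP is the six most significant bits of the 8-bit ToS byte."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS must fit in one byte")
    return tos >> 2


def dscp_to_tos(dscp: int) -> int:
    """Inverse of tos_to_dscp; the two low (ECN) bits are left at zero."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    return dscp << 2


@dataclass(frozen=True)
class Packet:
    """Only the header fields the page's access lists look at."""
    src: str
    dst: str
    proto: str
    dport: int
    tos: int = 0


def matches_eos_acl(pkt: Packet, dscp: int = 16) -> bool:
    """EOS case: 'access-list 102 permit tcp any any eq 80 dscp 16'.
    The switch's "Web Redirection" CoS has already rewritten ToS to 0x40."""
    return (pkt.proto == "tcp" and pkt.dport == HTTP_PORT
            and tos_to_dscp(pkt.tos) == dscp)


# Subnets the page maps to the Unregistered VLANs 10, 20 and 30.
UNREGISTERED_SUBNETS = [ip_network(n) for n in
                        ("10.1.10.0/24", "10.1.20.0/24", "10.1.30.0/24")]


def matches_rfc3580_acl(pkt: Packet, subnets=UNREGISTERED_SUBNETS) -> bool:
    """RFC 3580 case: one 'access-list 102 permit tcp <subnet> <wildcard> any eq 80'
    entry per Unregistered subnet; the source address decides."""
    if pkt.proto != "tcp" or pkt.dport != HTTP_PORT:
        return False
    src = ip_address(pkt.src)
    return any(src in net for net in subnets)


def select_next_hop(next_hops: Iterable[str],
                    reachable: Callable[[str], bool]) -> Optional[str]:
    """'set next-hop a b c' plus 'ip policy pinger on': probe the hops in
    order and use the first that answers. `reachable` stands in for the
    router's ping probe (constructed for this example)."""
    for hop in next_hops:
        if reachable(hop):
            return hop
    return None  # no gateway answered: traffic is forwarded normally


def pbr_decision(pkt: Packet, acl: Callable[[Packet], bool],
                 next_hops: List[str],
                 reachable: Callable[[str], bool]) -> Optional[str]:
    """Next-hop the route-map would set for pkt, or None for normal forwarding."""
    if not acl(pkt):
        return None
    return select_next_hop(next_hops, reachable)


if __name__ == "__main__":
    # Constructed placeholders for the page's "xxx.xxx.xxx.xxx" gateway addresses.
    gateways = ["192.0.2.10", "192.0.2.11"]

    def first_gateway_down(hop: str) -> bool:
        return hop != "192.0.2.10"

    eos_http = Packet("10.1.50.7", "198.51.100.20", "tcp", 80, tos=dscp_to_tos(16))
    vlan_http = Packet("10.1.20.5", "198.51.100.20", "tcp", 80)
    vlan_https = Packet("10.1.20.5", "198.51.100.20", "tcp", 443)
    print("EOS HTTP      ->", pbr_decision(eos_http, matches_eos_acl, gateways, first_gateway_down))
    print("RFC 3580 HTTP ->", pbr_decision(vlan_http, matches_rfc3580_acl, gateways, first_gateway_down))
    print("HTTPS         ->", pbr_decision(vlan_https, matches_rfc3580_acl, gateways, first_gateway_down))
```

Running the block shows both HTTP packets redirected to 192.0.2.11 (the first listed gateway is simulated as down) and the HTTPS packet left to normal forwarding, which is also a reminder that the page's access lists only redirect port 80: unregistered end-systems opening an HTTPS site are not captured by this PBR rule.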

With policy-based routing and the Unregistered Access Control Profile configured, Registration settings can be specified and then enabled on the network, as described in the next section.

Configuring NAC Manager (for Extreme Access Control Gateways and Extreme Access Control Controllers)

Perform the following steps when you are deploying Registration in a network that utilizes Access Control Gateway engines and/or Layer 2 Access Control Controllers. (Registration is not supported on Layer 3 Access Control Controller engines.)

Use the portal configuration section of the NAC Configuration window (in NAC Manager) to configure parameters for the Registration web pages served from the Access Control engine. All Access Control engines are initially assigned a default portal configuration. You can use this window to view and edit the default configuration or create new configurations to use. Once you have defined your portal configuration, you must enforce the Access Control configuration to your engine(s).

Use the following steps to define your portal configuration and enforce it to the engine. These steps give you an overview of the required configuration. For more detailed information, see the NAC Configuration Window and Portal Configuration Help topics.

  1. Verify that Registration/Web Access is enabled in the NAC Manager Features options accessed from Tools > Options in the NAC Manager menu bar.
  2. Use the NAC Manager Edit NAC Configuration toolbar button to open the NAC Configuration window.
  3. In the left-panel tree, select the Features icon. Enable the registration, access, and assessment features you want for your network. For information on each available feature, see the Features section in the NAC Configuration Window Help topic.
  4. In the left-panel tree, select the Portal icon. If needed, use the Portal Configuration drop-down menu in the right panel to select the configuration to configure or to create a new one.
  5. Expand the Portal icon and select the portal configuration settings you want to edit:
    1. Click on Network Settings to view network web page parameters. Click on Look and Feel to view the common web page parameters. These parameters are shared by both the Remediation and the Registration web pages. You can edit and change these parameters; for a description of each parameter, see the Network Settings and Look and Feel sections of the Portal Configuration Help topic. Be aware that if you deploy both the assessment/remediation and registration features, any changes will affect the web pages for both features.
    2. Click on Common Settings where you can configure settings for the Registration web page. You can edit and change these parameters; for a description of each parameter, see the Common Registration Settings section of the Portal Configuration Help topic.
    3. Click on Administration where you can configure settings for the registration administration web page and grant access to the page for administrators and sponsors. For information on this tab, see the Administration section of the Portal Configuration Help topic.
    4. Depending on the registration, access, and assessment/remediation features you have selected for your network, there are additional views you can access where you can configure the settings and parameters for each type. For a description of each setting and parameter, see the Portal Configuration Help topic.
  6. When you have finished making your changes to the portal configuration, click Save in the NAC Configuration window and then close the window.
  7. Enforce the Access Control configuration to the engine group.
  8. To exempt certain end-systems or end users from having to register to the network, you can configure end-system groups based on authentication type, MAC address, or user name. For example, an end-system group for the MAC OUI of the printer vendor for the network can be configured to exempt printers from having to register for network access.

Registration is now enabled for all end-systems connecting to this engine group, with the exception of those end-systems and end users that have been exempted based on group membership.
