Configuration Tab (Extreme Access Control Engine)
This tab provides information about an Extreme Access Control engine's configuration. The information changes depending on the type of engine selected in the left-panel tree. To access this tab, select an Access Control engine in the left-panel tree, then click the Configuration tab in the right panel.
- General Information
- This section displays general information about the Access Control engine, including its name, IP address, type (Access Control Gateway or Layer 2/Layer 3 Access Control Controller), engine version, the IP address of the Extreme Management Center Management server, and the Access Control engine status.
- End-System Capacity
- This field lists the engine's current capacity: the number of end-systems that have authenticated within the last 24 hours out of the maximum number of authenticating end-systems supported for the engine.
Click the link to open a window where you can configure end-system capacity. Enter the desired end-system capacity and specify the features expected to be enabled on the engine, including Authentication, Accounting, Registration, and Assessment. Note that the number of end-systems supported on an engine is affected by the number of features that are enabled; configuring the maximum capacity with all features enabled may impact performance. The window then displays the system requirements recommended for the specified capacity and feature set. Verify that the engine meets these system requirements, or make adjustments if necessary. Click OK to set the capacity and close the window, then enforce the engine.
- NAC Configuration
- Displays the NAC (Access Control) Configuration assigned to the engine. Click the NAC Configuration link to open the Edit NAC Configuration window where you can make changes to the configuration, if desired. The NAC Configuration determines what Access Control Profile is assigned to an end-system connecting to the network.
- Appliance Settings
- Click the Appliance Settings link to open the Appliance Settings window where you can access advanced configuration options for Access Control engines. The link indicates whether the engine is using Group Settings or has an engine settings override configured.
- License Status
- An Access Control virtual engine has an additional License Status field that displays whether the engine has a license allocated to it. For more information on virtual engine licensing, see the Suite-Wide Tools Server Information Window Help topic section on NAC VM license. The License Status field is also displayed if you are using a NAC Enterprise license. For more information, see NAC Enterprise Licensing.
- Interface Summary
- Displays a summary of the current engine interface configuration. Click the Static Routes button to open the Static Route Configuration window. Click the Edit button to open the Interface Configuration window.
- NAC Bypass Configuration
- The NAC Bypass Configuration feature allows you to bypass Access Control processing of authentication requests from end-systems connecting to the network, and separately to disable the Access Control assessment process. For authentication bypass, Access Control either configures the switch to authenticate directly against the RADIUS server(s) to which Access Control proxies authentication requests, or disables RADIUS authentication on the switch altogether. This capability is intended for troubleshooting. For example, if there is a problem with an Access Control Configuration, the Disable button lets you remotely disable NAC functionality until the problem is resolved; the Enable button then re-enables Access Control functionality on the engines. While Access Control authentication or assessment is disabled, the engine name and IP address display in red text in the left-panel tree, indicating that the engine is in Bypass mode. Because Bypass removes either policy enforcement or authentication itself, treat it as a temporary state and re-enable Access Control as soon as the underlying problem is fixed.
For Access Control Gateway engines, when you disable Access Control authentication processing and proxy RADIUS servers are configured for authentication in a Basic AAA Configuration, the engine configures the switches to send RADIUS packets directly to the primary and secondary RADIUS servers from the Basic AAA Configuration, instead of to the RADIUS proxy on the Access Control gateway. RADIUS authentication is not disabled on the switch, and end users still need to authenticate in order to connect to the network. For this to work, the switches must be defined on the back-end proxy RADIUS server as RADIUS clients with the same shared secret used by the Access Control Gateway engines; a switch the back-end server does not know, or one with a different secret, fails authentication as soon as Bypass is enabled. If no proxy RADIUS servers are configured in a Basic AAA Configuration, or if an Advanced AAA Configuration is used, RADIUS authentication on the switch is disabled when NAC authentication processing is disabled, and end-systems on those switches are no longer authenticated.
NOTES: If you have disabled Access Control authentication processing and then enforce with new switches, the new switches are configured to send RADIUS packets directly to the primary and secondary RADIUS servers. These switches are reconfigured to talk to the RADIUS proxy when you enable Access Control; a second enforce is not necessary.
Bypass is not an option for switches set to Manual RADIUS Configuration, or for ExtremeWireless controllers not configured for RADIUS strict mode.
For Access Control Controller engines, disabling Access Control authentication does not make the Access Control Controller send RADIUS packets directly to the RADIUS servers. Instead, authentication is disabled on the Access Control Controller and end-systems do not need to authenticate to the network: traffic from the end-systems bypasses the Access Control Controller and goes directly onto the network.
The Status fields provide the current status of the Access Control authentication or assessment process. The authentication status field also includes a link to the Verify RADIUS Configuration on Switches feature. This feature is available for Access Control Gateway engines and Layer 2 Access Control Controllers, and can be used to alert you to any RADIUS configurations that are out of sync and could cause RADIUS authentication problems on the network. For more information see How to Verify RADIUS Configuration.
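The following is an added example, not Extreme's code or data model, showing the rules above as code: which RADIUS server list Access Control expects on a switch in normal mode and in Bypass mode (Gateway engines only, Basic versus Advanced AAA), a drift check in the spirit of Verify RADIUS Configuration on Switches, and a pre-flight for the back-end RADIUS client entries that authentication bypass depends on. The data classes, function names, IP addresses and shared secrets are all constructed assumptions for the example.

```python
# Added example (not Extreme's code): model of the switch RADIUS configuration
# Access Control pushes in normal and Bypass mode, a drift check, and a
# pre-flight for back-end RADIUS client entries. All names, IPs and secrets are
# constructed; the data classes are assumptions, not the product's data model.
from dataclasses import dataclass, field
from hmac import compare_digest
from typing import Dict, List, Optional


@dataclass
class AAAConfig:
    advanced: bool                                            # True = Advanced AAA Configuration
    proxy_servers: List[str] = field(default_factory=list)    # Basic AAA: primary, secondary


@dataclass
class Gateway:
    ip: str
    shared_secret: str          # secret the gateway uses toward the back-end RADIUS servers
    aaa: AAAConfig
    bypass_auth: bool = False   # True once "Disable" is pressed under NAC Bypass Configuration


@dataclass
class Switch:
    name: str
    mgmt_ip: str
    manual_radius: bool = False                               # Manual RADIUS Configuration
    radius_servers: List[str] = field(default_factory=list)   # servers observed on the switch


def expected_radius_servers(sw: Switch, gw: Gateway) -> Optional[List[str]]:
    """RADIUS servers Access Control expects on the switch. None means RADIUS
    authentication is expected to be disabled on the switch (no NAC at all)."""
    if sw.manual_radius:
        raise ValueError(f"{sw.name}: Manual RADIUS Configuration; Bypass is not an option")
    if not gw.bypass_auth:
        return [gw.ip]                                # normal: switch talks to the proxy
    if not gw.aaa.advanced and gw.aaa.proxy_servers:
        return list(gw.aaa.proxy_servers)             # Basic AAA with proxies: direct to back end
    return None                                       # Advanced AAA or no proxies: auth disabled


def check_drift(switches: List[Switch], gw: Gateway) -> List[tuple]:
    """Compare each switch's observed RADIUS servers with what the engine expects.
    Order matters: the primary must come before the secondary."""
    findings = []
    for sw in switches:
        if sw.manual_radius:
            findings.append((sw.name, "skipped", "Manual RADIUS Configuration"))
            continue
        want = expected_radius_servers(sw, gw)
        have = sw.radius_servers or None
        status = "ok" if want == have else "out-of-sync"
        findings.append((sw.name, status, f"expected {want}, found {have}"))
    return findings


def bypass_preflight(switches: List[Switch], gw: Gateway,
                     backend_clients: Dict[str, str]) -> List[str]:
    """Before enabling Bypass with Basic AAA proxies: every managed switch must be
    defined as a RADIUS client on the back-end servers with the gateway's shared
    secret. backend_clients maps client IP -> shared secret as configured on the
    back end. Returns the switches that would fail authentication in Bypass mode."""
    problems = []
    for sw in switches:
        if sw.manual_radius:
            continue                                   # not managed by Access Control
        secret = backend_clients.get(sw.mgmt_ip)
        if secret is None:
            problems.append(f"{sw.name}: not a RADIUS client on the back end")
        elif not compare_digest(secret, gw.shared_secret):
            problems.append(f"{sw.name}: shared secret differs from the gateway's")
    return problems


if __name__ == "__main__":
    # Constructed sample: one gateway proxying to two back-end servers, three switches.
    gw = Gateway("10.0.0.5", "s3cret", AAAConfig(False, ["10.0.1.10", "10.0.1.11"]))
    switches = [
        Switch("sw-a", "10.0.2.1", radius_servers=["10.0.0.5"]),
        Switch("sw-b", "10.0.2.2", radius_servers=["10.0.1.10", "10.0.1.11"]),
        Switch("sw-c", "10.0.2.3", manual_radius=True),
    ]
    backend = {"10.0.2.1": "s3cret", "10.0.2.2": "other"}   # constructed back-end clients
    print("normal mode:", check_drift(switches, gw))
    print("pre-flight:", bypass_preflight(switches, gw, backend))
    gw.bypass_auth = True
    print("bypass mode:", check_drift(switches, gw))
```

In the sample, sw-b is still pointed at the back-end servers while the engine is in normal mode, so the drift check flags it; once Bypass is enabled the expectation flips and sw-a is the one out of sync. The pre-flight catches the shared-secret mismatch for sw-b before Bypass is enabled, which is the failure the note about back-end RADIUS clients warns about.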
- Controller PEP Settings
- If the engine is a Layer 2 or Layer 3 Access Control Controller, this section displays the settings for the Access Control Controller Policy Enforcement Point (PEP). (This information is configured during the Access Control Controller Initialization procedure; for more information, refer to the Access Control Controller Hardware Installation Guide.) If a Redundant Controller has been configured, it is displayed here. Use the Set Redundant Controller button to specify or change the redundant controller, if desired.
- Hybrid Mode
- You must enable the global Hybrid Mode option in the NAC Manager Advanced Settings option panel in order to see this controller option for your Layer 2 Access Control Controllers. Once the global Hybrid Mode option is enabled, you can enable or disable Hybrid Mode for each individual Layer 2 Controller here on the Configuration tab. Hybrid Mode allows a Layer 2 Controller to act as a RADIUS proxy for switches, like an Access Control Gateway engine: a Switches tab appears for the controller and the controller can now be used as a gateway. As with a gateway, an enforce must be performed for the switch configuration to take effect. Disabling Hybrid Mode on a controller that has switches has a similar effect to deleting a gateway: the controller is removed as a reference from those switches.
NOTE: A controller in Hybrid Mode functions exactly as a gateway when it comes to switches other than the Policy Enforcement Point (PEP). While Assessment/Remediation and Registration continues to work "out of the box" for the PEP end-systems, this is not the case for end-systems on the switches configured to use the controller as a gateway. You need to perform the Access Control Gateway configuration outlined in the How to Set Up Assessment Remediation and How to Set Up Registration Help topics.
- Advanced Configuration Button
- Opens the Access Control Appliance Advanced Configuration window where you can enable the distributed end-system cache option. This advanced option is intended for large enterprise environments as a way to improve response times when handling end-system mobility. For more information, see the Advanced Configuration help topic.