How to Configure Devices
In Policy Manager, you can configure devices for authentication, whereby users identify themselves to the network and are given customized access capabilities based on what role they serve in the organization. Policy Manager uses a RADIUS server and an authentication-enabled switch to allow the active role on a port to be dynamically assigned, based on the user's login.
You can configure authentication for a single device or for multiple devices. You can also configure authentication parameters on individual ports (see How to Configure Ports), but you need to configure and enable authentication on the device before any port authentication settings will take effect.
You can configure devices in two ways:
- Using the Device Configuration Wizard: The Device Configuration Wizard is a series of windows that lets you define a configuration, then apply it to the devices of your choosing. You can use this method to configure a single device, but it is especially useful for configuring multiple devices.
- Using the Device Tabs: This method enables you to configure or modify the same options found in the Device Configuration Wizard, but for a selected device, using the right-panel device tabs.
Using the Device Configuration Wizard
The Device Configuration Wizard is a series of windows enabling you to define an authentication configuration, then apply it to the devices of your choosing. You can elect to configure authentication settings only, RADIUS client/server communication settings, or both. You can also configure MAC Locking, Rule Accounting, and CEP (Convergence End Point) Role Mapping for the devices, and a device-level role for Matrix C1 devices only.
The Wizard also lets you create a device configuration template based on a device configuration so that you can easily configure devices that have the same authentication requirements. Once you create the template you can reuse it whenever you need that specific device configuration by simply loading the template into the Device Configuration Wizard.
- From the menu bar, select Tools > Device Configuration Wizard.
- This step depends on whether or not you are using a Device Configuration Template:
- To use a Device Configuration Wizard Template, click the Load button and select the template from the list in the Open Template window. After the template has loaded, you can select Jump to Device Selection to select your devices, or you can proceed through the wizard, selecting options to configure, to edit the template configuration.
- If you are not using a Device Configuration Wizard Template, proceed with selecting options to configure.
Select Options to Configure
In the Device Configuration window, select the components you wish to configure from the three tabs: Authentication, RADIUS, and General.
Authentication Tab
Lets you specify the authentication type(s) you want to configure. Some devices support multiple authentication types and multiple users (Multi-User Authentication) per port, while others are restricted to only one or two authentication types and a single user per port (Single User Authentication). Refer to the NetSight Firmware Support tables for information on the authentication types supported by each device type. For more information about each type of authentication, see Authentication Types.
WARNING: Switching Authentication Types, or changing the Authentication Status from Enabled to Disabled, will log off any currently authenticated users.
RADIUS Tab
Select the options related to the RADIUS server(s) and RADIUS client devices that you want to configure.
- RADIUS Authentication Server(s) - Lets you add or remove the RADIUS servers that will be used for authentication purposes.
- RADIUS Accounting Server(s) - Lets you add or remove the RADIUS servers that will be used for accounting purposes.
- RADIUS Authentication Client Settings - Lets you configure and enable communication between the device (RADIUS client) and a RADIUS server or servers, for the purposes of authentication.
- RADIUS Accounting Client Settings - Lets you configure and enable communication between the device (RADIUS client) and a RADIUS server or servers, for the purposes of accounting.
- Application Shared Secret - Lets you set up a password that encrypts communication between Policy Manager and the devices for retrieving and setting RADIUS information.
- RADIUS Response Mode - Lets you select the RADIUS response attribute that the device should use for authentication.
General Tab
Select the general device options you want to configure.
- MAC Locking - Lets you enable MAC Locking on devices that support it.
- Device Level Role (C1 Only) - On Matrix C1 devices, you can set a device-level role that configures the services and rules for all ports on the device. Due to a limitation of the C1 devices, services and rules from the role returned from authentication cannot be applied to the port. The services and rules from this device-level role will be used instead.
- Rule Accounting - Lets you enable Rule Accounting on devices that support it. Rule accounting and rule hit reporting provide the ability to collect data on how policy rules are being used on your network. Once you have configured the accounting and reporting functionality, you can view the rule usage data that is collected using the Rule Usage tabs or the Policy Rule Hit Reports.
- Class of Service Mode - Lets you select the Class of Service mode on the devices you are configuring. Classes of service can be assigned as a classification rule action, as part of the definition of an automated service, or as a role default.
- Invalid Role Action - Lets you specify what happens to a user that gets an unknown or invalid role.
- RFC3580 VLAN Authorization Status - Lets you enable or disable RFC 3580 VLAN Authorization on devices that support it.
Configure Settings
The sequence of windows you see next depends on the selections you made in the Device Configuration window.
NOTE: Each window provides the option to use the current configuration on the device(s), or set a new configuration. If you select Use Current Configuration on Device(s), the default settings in the window are visible, but are unavailable for entry or editing. Keep in mind that these values do not necessarily reflect the current settings on the device.
If you have selected to configure Authentication
All the windows you could see are listed below, but only those related to the Authentication type(s) you selected will actually appear.
Authentication Configuration Window
This window varies depending on the authentication types you have selected. Specify the authentication settings you want to configure:
General Authentication Settings
Lets you enable or disable authentication status.
Global Timeout Settings
Lets you set Session Timeout and Session Idle Timeout values.
Web-Based
Select the web-based authentication parameters you wish to configure. These
parameters may not be supported on every device. Refer to the
NetSight Firmware Support tables for information on what features are supported on the various
device types.
- Enhanced Login Mode - Lets you enable the Enhanced Login Mode which causes the authentication web page to be displayed regardless of whether the URL entered into the browser by the end user is the Web Authentication URL or not.
- Web Authentication URL - Lets you enter the URL for your authentication web page.
- Web Authentication IP Address - Lets you enter the IP address of your authentication web page server.
- Web Page Banner - Lets you customize the banner the users see at the top of the authentication web page. For example, you might include your company name and information on what to do if the user has questions or problems. Because this banner also appears in messages that occur during successful login and failed authentication, as well as on the "Radius Busy" screen, it would not be appropriate to include "Welcome to [Your Company]" in the banner.
- Web Authentication Logo Display Status - Lets you specify whether to show or hide the Extreme Networks logo on the Web Page Banner.
- Guest Networking - Lets you enable guest networking which allows any user to access the network and obtain a guest policy without having to know a username or password.
- Redirect Time - For devices with Enhanced Login Mode enabled. Lets you specify the amount of time (in seconds) before the end user is redirected from the authentication web page to their requested URL.
- DNS Server Configuration - Lets you add your DNS domain name and server addresses to support the Enhanced Login Mode.
MAC-Based
Select the MAC authentication parameters you wish to configure:
- MAC User Password - Lets you enter the password to be used for MAC authentication (1-32 characters).
- MAC Mask - Lets you select a mask. Masking a MAC address is only supported on certain devices.
CEP-Based
Select the CEP authentication parameters you wish to configure:
- CEP Role Mapping - Lets you select the CEP product types supported on the device, and map a role for each type. Then, when a convergence endpoint (such as an IP phone) connects to the network, the device identifies the type of endpoint and applies the assigned role.
- CEP Detection - Lets you create CEP detection rules that are used to determine if a connecting end-system is a CEP device, and what type of CEP device it is. This allows Policy Manager to assign the appropriate role to the port based on the type of CEP device detected.
General Authentication Settings Window
Select whether to enable or disable the authentication type (Authentication Status) for the device(s). Leaving the status disabled gives you the ability to configure and reconfigure authentication settings without affecting your network until authentication configuration is complete. If you have selected multiple authentication types, all of the authentication types selected will be enabled or disabled with this one setting.
WARNING: Switching Authentication Types, or changing the Authentication Status from Enabled to Disabled, will log off any currently authenticated users.
CAUTION: Setting the authentication status to Enabled will affect communications through the front panel ports. Any front panel port being used for management should be set to inactive/default mode before setting authentication status to Enabled. If you elect to enable authentication, an Authentication Status window appears offering you choices for actions that will take effect on front panel ports after the wizard is finished. These options are described in detail in the Authentication Status window. (If you choose the Select Ports to set to Inactive/Default Role option, the Set Authentication Port Mode to Inactive/Default Role window will appear at the end of the wizard after you've selected the devices to which the configuration will apply and clicked Finish.) After making your selection, click OK to return to the Authentication Settings window.
If you selected Web-Based as an Authentication Type, enable or disable WINS/DNS spoofing for DHCP clients, and select the Authentication Protocol being used.
If you are configuring Multi-User Authentication, you can set the Authentication Type Precedence. This allows you to set the order in which the authentication types will be tried on the device, with the authentication type on the left having the highest precedence (it will be tried first). Select the authentication type you want to position, and use the left or right arrow to arrange the types in the desired order of precedence.
WARNING: Leaving the default precedence is recommended. In particular, changing the Quarantine precedence to be lower than any other type or changing the Auto Track precedence to be higher than any other type can cause problems.
Global Timeout Settings Window
Specify session and idle timeout values for each of the authentication types:
Session Timeout: Enter the maximum number of seconds an authenticated session may last before automatic termination of the session. A value of zero indicates that no session timeout will be applied.
Session Idle Timeout: Enter the maximum number of consecutive seconds an authenticated session may be idle before automatic termination of the session. A value of zero indicates that no idle timeout will be applied.
These values may be superseded by a session timeout and an idle timeout value provided by the authenticating server. For example, if a session is authenticated by a RADIUS server, that server may send a session timeout or an idle timeout value in its authentication response.
Enhanced Login Mode Window (web-based authentication only)
Enabling this feature causes the authentication web page to be displayed regardless of whether the URL entered into the browser by the end user is the Web Authentication URL or not.
Web Authentication URL Window (web-based authentication only)
Enter the URL for your authentication web page. Users access the authentication web page from a browser using this URL. The http:// is supplied. Alphabetical characters, numerical characters and dashes are allowed as part of the URL, but dots are not. The URL needs to be mapped to the Web Authentication IP address in DNS or in the hosts file of each client. It must be resolvable via DNS/WINS, either on the device or at corporate, assuming the Web Authentication mapping has been set up on the corporate DNS/WINS service. This option is grayed out if not supported by the device.
Web Authentication IP Address Window (web-based authentication only)
Enter the IP address of your authentication web page server. If you have specified a Web Authentication URL, the IP address needs to be mapped to the URL in DNS or in the hosts file of each client.
Login Web Page Banner Window (web-based authentication only)
Enter any information you want to convey to your users at the top of your authentication web page. For example, you might enter your company name, and information on what to do if the user has questions or problems. The Default button allows you to reset the banner to default text provided in a text file (pwa_banner.txt). Initially, the default banner text is the Extreme Networks contact information. However, you can customize the text for your network by editing the pwa_banner.txt file, located in the top level of the Policy Manager install director
Web Authentication Logo Display Status Window (web-based authentication only)
Specify whether to show or hide the Extreme Networks logo on your authentication web page.
DNS Server Configuration Window (web-based authentication only)
Configure your DNS domain name and server addresses to support the Enhanced Login Mode on Matrix E1 devices. Enter your local DNS Domain Name (for example, ExtremeNetworks.com), and your local DNS Server IP addresses. Enter an IP address and click Add to add a server address. Select an address and click Remove to remove an address from the list. Addresses are used in the order they are listed.
Guest Networking Window (web-based authentication only)
Guest networking allows any user to access the network and obtain a guest policy without having to know a username or password. The user accesses the authentication web page, where the username and password fields are automatically filled in, allowing them to log in as a guest. If the user does not want to log in as a guest, they can type in their valid username and password to log in.
NOTE: Guest networking is designed for networks using web-based authentication, with port mode set to Active/Discard.
Make the following guest networking selections:
Guest Networking Status: Use the drop-down list to specify guest networking status:
- Disable -- Guest networking will be unavailable.
- Local Auth -- Guest Networking will be enabled. The user accesses the authentication web page where the username field is automatically filled in with the specified Guest Name. Once the user submits the login page using this guest name, the default policy of that port becomes the active policy. The port mode must be set to Active/Discard mode.
- RADIUS Auth -- Guest Networking will be enabled. The user accesses the login web page, where the username field is automatically filled in with the specified Guest Name, and the password field is masked out with asterisks. Once the user submits the login page using these credentials, the value of the Guest Password will be used for authentication. Following successful authentication from the RADIUS server, the port will apply the policy returned from the RADIUS server. The port mode must be set to Active/Discard mode.
Guest Name: Enter the guest name. This is the username that Guest Networking will use to authenticate users, and is displayed automatically on the login web page.
Guest Password: If you have selected RADIUS Auth, enter the guest password that will be used for authentication.
Redirect Time Window (web-based authentication only)
This setting applies to devices with Enhanced Login Mode enabled. Enter the amount of time (in seconds) before the end user is redirected from the authentication web page to their requested URL. Click the Default button to enter the default value of 30 seconds.
An end-system using DHCP requires time to transition from the temporary IP address issued by the authentication process to the official IP address issued by the network. Redirect Time specifies the amount of time allowed for the end station to complete this process and begin using its official IP address. The default value of 30 seconds is adequate for most networks; however, some networks may require a longer or shorter time period. If the Redirect Time is not long enough, the browser times out while attempting to load the requested URL. In networks that only use static IP addresses, a Redirect Time of 5 to 10 seconds is usually sufficient; a value of less than 5 seconds is not recommended.
For example, if a user (in Enhanced Login Mode and a Redirect Time of 30 seconds) enters the URL of "http://ExtremeNetworks.com", they will be presented the authentication web page. When the user successfully authenticates into the network, they will see a login success page that displays "Welcome to the Network. Completing network connections. You will be redirected to http://ExtremeNetworks.com in approximately 30 seconds".
MAC Mask Window
Select a MAC mask that will be used for MAC authentication. (Masking a MAC address is only supported on certain devices.) Using a mask provides a way to authenticate end stations based on a portion of their MAC address. For example, you could specify a mask that would base authentication on the manufacturer's ID portion of the MAC address. The MAC Mask is passed to the RADIUS server for authentication after the primary attempt to authenticate using the full MAC address fails.
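The following is an added example (not from this help page and not Policy Manager code) that shows what a MAC mask does to an address and the order of identities that results: the full MAC is tried first, and the masked form only as a fallback when a mask is configured. The `ff:ff:ff:00:00:00` mask, the sample address and the function names are constructed for the example; the device's own on-wire username format for MAC authentication is not shown here.

```python
"""Apply a MAC mask and list the identities a MAC-authentication attempt
presents in order. Added example with constructed inputs."""
import re
from typing import Optional

# Assumed mask that keeps only the manufacturer (OUI) bytes of the address.
OUI_MASK = "ff:ff:ff:00:00:00"


def mac_to_int(text: str) -> int:
    """Accept 00:1f:45:ab:cd:ef, 00-1F-45-AB-CD-EF, 001f45abcdef or dotted forms."""
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return int(digits, 16)


def int_to_mac(value: int) -> str:
    """Canonical lower-case colon form, most significant byte first."""
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def apply_mask(mac: str, mask: str) -> str:
    """Bitwise AND of the address with the mask, e.g. keep only the OUI."""
    return int_to_mac(mac_to_int(mac) & mac_to_int(mask))


def auth_candidates(mac: str, mask: Optional[str]) -> list:
    """Identities in the order they would be tried: the full address first, then
    the masked address, but only if a mask is set and it actually changes the value."""
    full = int_to_mac(mac_to_int(mac))
    if mask is None:
        return [full]
    masked = apply_mask(mac, mask)
    return [full] if masked == full else [full, masked]


if __name__ == "__main__":
    # Constructed end station; the OUI 00:1f:45 is used purely as sample data.
    for identity in auth_candidates("00-1F-45-AB-CD-EF", OUI_MASK):
        print(identity)
```

A masked entry on the RADIUS server matches every device that presents that manufacturer prefix, and a MAC address is trivially set by the client, so any role tied to a masked identity should be a restricted one, with the full-address entries carrying the real privileges.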
MAC User Password Window
Enter the password that will be passed to the RADIUS server for MAC authentication (1-32 characters).
CEP Role Mapping Window
Use the Add button to select the CEP product types supported on the device, and map a role for each type.
CEP Detection Window
Use the Add button to create your CEP detection rules. (For information on creating rules, see the Add CEP Detection Rule window help topic.)
If you have selected to configure RADIUS
All the windows you could see are listed below, but only those related to the RADIUS options you selected will actually appear:
RADIUS Authentication Server(s) Window
Add or remove RADIUS servers to use for authentication purposes. The order in which the servers are listed is the order of priority for the servers; the device will try to communicate with the RADIUS server at the top of the list first.
To add a RADIUS server: Click Add to open the Add RADIUS Authentication Server window, where you will specify the information required for communication between the devices and the RADIUS server.
To remove a RADIUS server: Select the server in the table and click Remove.
NOTE: Setting a new configuration for RADIUS servers will remove/replace any RADIUS servers currently configured on the device(s).
RADIUS Accounting Server(s) Window
Add or remove RADIUS servers to use for accounting purposes. The order in which the servers are listed is the order of priority for the servers; the device will try to communicate with the RADIUS server at the top of the list first.
To add a RADIUS server: Click Add to open the Add RADIUS Accounting Server window, where you will specify the information required for communication between the devices and the RADIUS server.
To remove a RADIUS server: Select the server in the table and click Remove.
NOTE: Setting a new configuration for RADIUS servers will remove/replace any RADIUS servers currently configured on the device(s).
RADIUS Authentication Client Settings Window
Make the following RADIUS client selections:
RADIUS Client Status: Enable or disable the RADIUS client. If enabled, the device becomes a RADIUS client and will communicate with a RADIUS authentication server whenever a user logs on to a port on the device, as long as the port itself is enabled for authentication and the device is set up as a client on the RADIUS server.
Number of Retry Attempts: Enter the number of attempts the RADIUS client will make in contacting each RADIUS authentication server before giving up and trying the next RADIUS server on the list. Valid values are 1-65535.
Retry Timeout Duration (seconds): Enter the number of seconds to wait for the RADIUS authentication server to respond before trying again. Valid values are 1-65535.
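The following is an added example (not from this help page and not Policy Manager code) that simulates how a client with these two settings walks the ordered server list from the RADIUS Authentication Server(s) window: each server is tried up to Number of Retry Attempts times, each unanswered attempt costs Retry Timeout Duration seconds, and only then does the client move on to the next server. The server addresses and the responder stub are constructed; no packets are sent.

```python
"""Simulate RADIUS client retry and failover across an ordered server list.
Added example with constructed server behaviour and no network I/O."""
from __future__ import annotations

from typing import Callable, Optional

# A responder stands in for the network: True means the server answered within
# the timeout, False means the attempt timed out. Real clients see the same two
# outcomes per attempt, so this is enough to reproduce the walk order and delay.
Responder = Callable[[str, int], bool]


def contact_servers(servers: list[str], retry_attempts: int, retry_timeout: int,
                    responder: Responder) -> tuple[Optional[str], int, list[tuple[str, int]]]:
    """Try servers in list order, up to retry_attempts times each, charging
    retry_timeout seconds for every unanswered attempt. Returns the server that
    answered (None if all failed), the simulated seconds spent waiting, and the
    attempt log as (server, attempt number) pairs."""
    if not 1 <= retry_attempts <= 65535 or not 1 <= retry_timeout <= 65535:
        raise ValueError("retry attempts and retry timeout must each be in 1..65535")
    elapsed = 0
    log: list[tuple[str, int]] = []
    for server in servers:
        for attempt in range(1, retry_attempts + 1):
            log.append((server, attempt))
            if responder(server, attempt):
                return server, elapsed, log
            elapsed += retry_timeout  # waited the full timeout and got nothing
    return None, elapsed, log


def worst_case_wait(server_count: int, retry_attempts: int, retry_timeout: int) -> int:
    """Seconds a user can be held at login before the client gives up on every server."""
    return server_count * retry_attempts * retry_timeout


if __name__ == "__main__":
    # Constructed scenario: the primary server is down, the secondary answers at once.
    primary_down = lambda server, attempt: server == "10.0.0.12"
    answered_by, waited, trail = contact_servers(["10.0.0.11", "10.0.0.12"], 3, 5, primary_down)
    print(answered_by, waited, trail)
    print("worst case if both are down:", worst_case_wait(2, 3, 5), "seconds")
```

The product of servers, retries and timeout is the login delay a user sees when the listed servers are unreachable, which is why large retry counts paired with long timeouts are worth checking before enabling authentication on production ports.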
RADIUS Accounting Client Settings Window
Make the following RADIUS client selections:
Client Accounting Status: Enable or disable RADIUS Accounting for SNMPv3 devices that support it. RADIUS Accounting is used by a device (the RADIUS client) to save accounting data on a RADIUS server. If enabled, an accounting session starts after the user is successfully authenticated by a RADIUS authentication server.
Accounting Update Interval (minutes): Enter the number of minutes between accounting updates, when collected accounting data is sent from the device (RADIUS client) to the RADIUS accounting server. Valid values are 1-65535. It is recommended that the value be greater than 10 minutes, and careful consideration should be given to its impact on network traffic.
Application Shared Secret Window
Select from the following choices the application shared secret you want to be used for communication between Policy Manager and the device when setting or retrieving RADIUS information.
Auto-Generate an application shared secret: If you want the system to generate a secure key automatically, select this button.
Use the following application shared secret: If you want to create your own shared secret, select this button and type in a 32-character string with optional dashes or spaces, typically xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx.
Use the default application shared secret: If you want to use the default application shared secret, click this button. This is not recommended, as it is less secure than a non-default shared secret.
WARNING: It is important to remember the Application Shared Secret, since the shared secret specified in Policy Manager must match the shared secret on the device in order to change the shared secret. If you delete and recreate the device model, you will have to supply the correct Application Shared Secret in the device's RADIUS tab in order to retrieve or input RADIUS settings in the RADIUS tab. If you're using an Auto-Generated or User-Defined Application Shared Secret and you clear NVRAM on the device, you will need to go to the RADIUS tab for the device in Policy Manager and change the Application Shared Secret back to "Default" in order to regain access to the RADIUS information in that tab. Once Policy Manager and the device are using the same (Default) Application Shared Secret, then the Application Shared Secret can be changed to be either Auto-Generated or User-Defined.
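The following is an added example (not from this help page and not Policy Manager code) of the two non-default choices above: producing a 32-character secret from the operating system's random source and grouping it xxxx-xxxx-... for entry, and checking a user-typed secret so that it is exactly 32 characters once the optional dashes and spaces are stripped. Using hexadecimal characters for the generated secret is an assumption made here; the help page only fixes the length and the optional separators.

```python
"""Generate and validate an application shared secret in the 32-character,
optionally dash-separated form described above. Added example."""
import re
import secrets

SECRET_LENGTH = 32  # characters, not counting optional dashes or spaces
GROUP = 4           # display grouping: xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx


def generate_shared_secret() -> str:
    """Auto-generate a secret from the OS CSPRNG (secrets), grouped for readability.
    Hex output is an assumption of this example, not a product requirement."""
    raw = secrets.token_hex(SECRET_LENGTH // 2)  # 16 random bytes -> 32 hex characters
    return "-".join(raw[i:i + GROUP] for i in range(0, SECRET_LENGTH, GROUP))


def normalize_shared_secret(text: str) -> str:
    """Strip the optional dashes and spaces from a user-entered secret and require
    exactly SECRET_LENGTH characters, so a short or mistyped value is rejected
    before it is pushed to a device."""
    core = re.sub(r"[-\s]", "", text)
    if len(core) != SECRET_LENGTH:
        raise ValueError(f"shared secret must be {SECRET_LENGTH} characters, got {len(core)}")
    return core


def is_grouped_form(text: str) -> bool:
    """True if the secret is already in the xxxx-xxxx-... layout."""
    return re.fullmatch(r"(?:[^-\s]{4}-){7}[^-\s]{4}", text) is not None


if __name__ == "__main__":
    secret = generate_shared_secret()
    print(secret, is_grouped_form(secret), len(normalize_shared_secret(secret)))
```

Whatever the secret is, record it somewhere the device model can be rebuilt from, since the warning above describes the recovery path when Policy Manager and the device fall out of step.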
RADIUS Response Mode Window
Select the RADIUS response attribute that the device should use for authentication:
Filter ID: The Filter ID (role) is used. If a VLAN Tunnel Attribute (VTA) is returned, it will be ignored.
VLAN Tunnel Attribute: The VLAN Tunnel Attribute is used and the Authentication-Based VLAN to Role Mappings are applied, if present. If a Filter ID is returned, it will be ignored.
Filter ID With VLAN Tunnel Attribute: Both attributes are applied in the following manner: the role is applied to the user, except that the VLAN Tunnel Attribute replaces the role's Default Access Control VLAN (if present). In this case, the Authentication-Based VLAN to Role mappings are ignored (as the role was explicitly assigned). VLAN classification rules are still applied, as defined by the assigned role.
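The following is an added example (not from this help page and not Policy Manager code) that applies the three response modes just described to a constructed RADIUS Access-Accept, and also carries the rule from the Global Timeout Settings window that a Session-Timeout or Idle-Timeout sent by the server supersedes the device's global values. Attribute type codes are taken from RFC 2865, RFC 2868 and RFC 3580; the mode names, the `vlan_to_role` mapping, the role name and the VLAN number are assumptions made for the example, and the code does not reproduce the device's own decision logic.

```python
"""Apply a RADIUS Response Mode to the attributes of an Access-Accept.
Added example; attribute bytes are constructed inline, no server is contacted."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Attribute type codes: RFC 2865 (Filter-Id, Session-Timeout, Idle-Timeout),
# RFC 2868 (tunnel attributes) and RFC 3580 (their values for a VLAN assignment).
FILTER_ID = 11
SESSION_TIMEOUT = 27
IDLE_TIMEOUT = 28
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13      # RFC 3580: Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE802 = 6  # RFC 3580: Tunnel-Medium-Type = IEEE-802


def build_attribute(atype: int, value: bytes) -> bytes:
    """Encode one attribute as type / length / value (length counts the header)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value must be at most 253 bytes")
    return bytes([atype, len(value) + 2]) + value


def parse_attributes(payload: bytes) -> list[tuple[int, bytes]]:
    """Split the attribute section of a packet into (type, value) pairs, refusing
    truncated or zero-length attributes instead of looping on them."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"bad length {alen} for attribute type {atype}")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def _untag(raw: bytes) -> bytes:
    # RFC 2868: a leading byte in 0x00..0x1F is a tunnel tag, not part of the value.
    return raw[1:] if raw and raw[0] <= 0x1F else raw


@dataclass
class Access:
    role: Optional[str]    # role applied to the session, or None
    vlan: Optional[int]    # VLAN applied to the session, or None
    session_timeout: int   # 0 means no session timeout
    idle_timeout: int      # 0 means no idle timeout


def effective_access(payload: bytes, mode: str, vlan_to_role: dict[int, str],
                     global_session: int = 0, global_idle: int = 0) -> Access:
    """Derive role, VLAN and timeouts from an Access-Accept under one response mode."""
    filter_id, group = None, None
    tunnel_type = tunnel_medium = None
    session, idle = global_session, global_idle
    for atype, val in parse_attributes(payload):
        if atype == FILTER_ID:
            filter_id = val.decode("ascii", "replace")
        elif atype == TUNNEL_TYPE:
            tunnel_type = int.from_bytes(_untag(val), "big")
        elif atype == TUNNEL_MEDIUM_TYPE:
            tunnel_medium = int.from_bytes(_untag(val), "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            group = _untag(val).decode("ascii", "replace")
        elif atype == SESSION_TIMEOUT:   # server value supersedes the global setting
            session = int.from_bytes(val, "big")
        elif atype == IDLE_TIMEOUT:
            idle = int.from_bytes(val, "big")

    # A VLAN assignment counts only when all three RFC 3580 attributes agree.
    vta = None
    if (tunnel_type == TUNNEL_TYPE_VLAN and tunnel_medium == TUNNEL_MEDIUM_IEEE802
            and group and group.isdigit() and 1 <= int(group) <= 4094):
        vta = int(group)

    if mode == "filter_id":                 # Filter ID: any VTA is ignored
        return Access(filter_id, None, session, idle)
    if mode == "vlan_tunnel_attribute":     # VTA: role comes from the VLAN-to-role mapping
        return Access(vlan_to_role.get(vta) if vta else None, vta, session, idle)
    if mode == "filter_id_with_vta":        # both: role from Filter-Id, VLAN from the VTA
        return Access(filter_id, vta, session, idle)
    raise ValueError(f"unknown response mode {mode!r}")


def sample_access_accept() -> bytes:
    """Constructed attributes: a Filter-Id role, an RFC 3580 VLAN 100 assignment
    (tag 1 on all three tunnel attributes) and a one-hour Session-Timeout."""
    return b"".join([
        build_attribute(FILTER_ID, b"Enterprise-User"),
        build_attribute(TUNNEL_TYPE, b"\x01" + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        build_attribute(TUNNEL_MEDIUM_TYPE, b"\x01" + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")),
        build_attribute(TUNNEL_PRIVATE_GROUP_ID, b"\x01100"),
        build_attribute(SESSION_TIMEOUT, (3600).to_bytes(4, "big")),
    ])


if __name__ == "__main__":
    mapping = {100: "Staff"}  # assumed Authentication-Based VLAN to Role mapping
    for m in ("filter_id", "vlan_tunnel_attribute", "filter_id_with_vta"):
        print(m, effective_access(sample_access_accept(), m, mapping, global_idle=600))
```

Running the three modes over the same reply makes the difference concrete: the Filter ID mode never touches the VLAN, the VLAN Tunnel Attribute mode only yields a role if the VLAN is mapped, and the combined mode keeps the Filter-Id role while letting the VLAN attribute override its default access-control VLAN. The length checks in `parse_attributes` are the part worth keeping in any real decoder, since a malformed attribute header is the classic way a RADIUS parser is made to misbehave.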
If you have selected General
All the windows you could see are listed below, but only those related to the options you selected will actually appear:
MAC Locking Window
Configure MAC Locking status on the device. Setting MAC Locking to Enabled will allow the device to lock MAC addresses to all ports that have the MAC Locking feature enabled.
Device Level Role (C1 Only) Window
Use the drop-down list to select a device-level role that configures the services and rules for all ports on the device. Select the Clear the current default role option to set the device-level role back to <None>.
Rule Accounting Window
Configure rule accounting on the device. Rule accounting and rule hit reporting provide the ability to collect data on how policy rules are being used on your network. Once you have configured the accounting and reporting functionality, you can view the rule usage data that is collected using the Rule Usage tabs or the Policy Rule Hit Reports.
- Rule Accounting - Select whether to enable or disable rule accounting on the device.
- Use Expanded Format for Rule Hit System Log Messages - When enabled, the device will provide additional information in Policy Rule Hit syslog messages. For example, the additional information may include what actions may have been initiated by the rule (if any).
- Clear Rule Usage on Port Link-Status Change - Clears rule usage data when the port has a link-status change when a user connects or disconnects.
- Clear Rule Usage on Role Mapping Change - If a role-mapping is defined and traffic comes onto the device and is mapped to the defined role, then all rules in that role will have their rule hit data cleared. This option should be enabled for Policy Rule Hit Reporting. It allows you to start a new data collection when the name of the role changes on the port, providing for a cleaner data presentation.
- Enable Syslog Server - For Policy Rule Hit Reporting, select this checkbox to set up the device to send syslog messages. (If the checkbox is grayed out, you must first enable the Policy Rule Hit Reporting feature in the Policy Manager options.)
- Clear Rule Usage on Interval - Clears the rule usage data at a set interval. This option should be enabled for Policy Rule Hit Reporting because it specifies the interval at which syslog messages will be sent to the server, thereby providing data samples at even intervals. Enter the desired interval (in minutes).
If you enable any of the clear rule usage options, you must create a list of the ports on the device(s) where the clear operations will be performed, using the device Role/Rule tab.
Class of Service Mode Window
Select the Class of Service mode for the device. Policy Manager supports two modes of class of service, with each mode providing a different rate limit functionality. See Getting Started with Class of Service for more information on the two modes. You can also select an option to disable rate limits on the devices you are configuring.
- Rate Limits Disabled - Select this option if you want rate limits disabled on the device. This means that any priority-based rate limits will not be written to the device on enforce, and any role-based rate limits will not be included in roles written to the device on enforce.
- Role-Based Rate Limits/Transmit Queue Configuration (CoS State Enable) - Select this mode if you want to configure role-based rate limits and transmit queues on the device. See Defining Role-Based Rate Limits and How to Configure Transmit Queues for more information.
- Priority-Based Rate Limits - Select this mode if you want to configure priority-based rate limits on the device. Priority-based rate limits add to the amount of time it takes to enforce and verify roles. Once you've created your rate limits and enforced them, you may want to disable rate limits so that it takes less time to enforce. See Defining Priority-Based Rate Limits for more information.
Invalid Role Action Window
Select the action you would like taken if an authenticated user is assigned an unknown or invalid role:
- Apply Default - Apply the port's default role to the user.
- Deny Traffic - Drop the packets for this user.
- Permit Traffic - Forward traffic with the port's assigned VID.
RFC3580 VLAN Authorization Status Window
Enable or disable RFC 3580 VLAN Authorization on the device. RFC 3580 VLAN Authorization must be enabled on devices in networks where the RADIUS server has been configured to return a VLAN ID when a user authenticates. Enabling VLAN Authorization allows you to configure Authentication-Based VLAN to Role Mapping as a way to assign a role to a user during the authentication process, based on a VLAN Attribute. For more information, see VLAN to Role Mapping in the Concepts Help topic. To configure Authentication-Based VLAN to Role Mapping, use the role's Mappings tab and/or the VLAN's General tab.
Select Devices
- In the Device Selection window, select the device(s) to which you want this configuration to apply.
- If you would like to save this device configuration as a template, click Save. The Save Template window opens where you can provide a name for the template.
- Click Finish.
NOTE: If you elected to enable authentication as part of the device configuration, and chose the "Select Ports to set to Inactive/Default Role" option, the Set Authentication State to Inactive/Default Role window now appears. Make your selections and click OK to complete the wizard.
Using the Device Tabs
Configuring a device using the device tabs enables you to set up or modify the same options found in the Device Configuration Wizard, but for a selected device, using the right-panel device tabs.
To configure a device using the device tabs:
- In the left-panel Network Elements tab, select the device you want to configure. Use the right-panel tabs to configure the device.
- Select the Authentication tab and fill out the tab as required. Be sure to click Apply in any part of the tab you change.
- Select the RADIUS tab and fill out the tab as required.
- To enable MAC Locking, select the MAC Locking tab and configure the options as desired.
- In the right panel, select the Role/Rule tab and configure a device-level role (Matrix C1 devices only) or enable Rule Accounting as desired.
- Select the General tab and choose your Class of Service mode.
For information on related windows:
- Add RADIUS Authentication Server Window
- Add RADIUS Accounting Server Window
- Port Properties - Authentication Configuration Tab
- Port Usage Tab (Device)
- RADIUS Tab (Device)