Extreme Networks
CONFIGURATION GUIDE
The purpose of this manual is to describe the configuration of Extreme Networks equipment required for integration with Octopus Platform.
1- Pre-requisites
If there is a firewall in the network that might block the traffic, you will need to allow access to some domains to enable user authentication:
Radius Servers:
Primary: <IP_Radius_1> 1812 and 1813 UDP ports
Secondary: <IP_Radius_2> 1812 and 1813 UDP ports
Splash Portal server:
Domain <captive_portal_domain> 80 and 443 TCP ports
To configure the Guest and Enterprise modules, the Octopus platform licenses with the respective modules must be contracted beforehand.
2- Guest module configuration
2.1 Radius Server
The first step to configure the Extreme Networks equipment will be to add the Radius Servers for both user authentication and for sending Accounting packets.
To do this, access the equipment via SSH and, after entering configuration mode, run the following commands:
aaa-policy WIFI
authentication server 1 host <IP_Radius_1> secret 0 <secret>
accounting server 1 host <IP_Radius_1> secret 0 <secret>
accounting interim interval 600
accounting type start-interim-stop
commit
2.2 Walled Garden
Once the Radius Server configuration is done, it is necessary to add the domains that users will be able to visit without being authenticated in the captive portal. The following example shows the commands to execute to add domains to the DNS Whitelist.
dns-whitelist WIFI
permit google-analytics.com suffix
permit doubleclick.net suffix
Add all the domains required for the captive portal to work properly to the dns-whitelist created before. Use the command permit domain suffix
If you wish to add extra domains (Social Networks, Paypal, etc.), they can be consulted from the following link.
2.3 Captive Portal
The next step is to add the external captive portal configuration and link the Radius Server and the DNS Whitelist to this captive portal. Execute the following commands to create the profile:
captive-portal WIFI
server host https://<dominio_captive_portal>/login/hotspot/extreme
webpage-location external
accounting radius
use aaa-policy WIFI
use dns-whitelist WIFI
exit
commit
write memory
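The check below is an added example, not part of the original guide or of any Extreme or Octopus tooling: a small Python linter that takes the commands from sections 2.1 to 2.3 as pasted text and verifies that the captive portal references an aaa-policy and a dns-whitelist that are actually defined, that an accounting server exists when accounting radius is set, and that the server host is HTTPS with no placeholder left in. The function names and the sample values (192.0.2.10, example-secret, the GUEST whitelist name) are assumptions made for illustration.

```python
# Constructed sample shaped like sections 2.1-2.3, with four deliberate mistakes.
SAMPLE = """\
aaa-policy WIFI
authentication server 1 host 192.0.2.10 secret 0 example-secret
dns-whitelist WIFI
permit google-analytics.com suffix
captive-portal WIFI
server host http://<dominio_captive_portal>/login/hotspot/extreme
accounting radius
use aaa-policy WIFI
use dns-whitelist GUEST
exit
"""
HEADERS = ("aaa-policy", "dns-whitelist", "captive-portal")

def parse_blocks(text):
    """Map (block type, name) -> command lines entered inside that block."""
    blocks, current = {}, None
    for words in filter(None, (raw.split() for raw in text.splitlines())):
        if words[0] in HEADERS and len(words) == 2:
            current = blocks.setdefault((words[0], words[1]), [])
        elif words[0] in ("exit", "commit", "write"):
            current = None  # left the block
        elif current is not None:
            current.append(" ".join(words))
    return blocks

def lint(text):
    """Return findings for every captive-portal block in the pasted commands."""
    blocks, out = parse_blocks(text), []
    for (kind, name), lines in blocks.items():
        if kind != "captive-portal":
            continue
        for ref in ("aaa-policy", "dns-whitelist"):
            targets = [l.split()[2] for l in lines if l.startswith(f"use {ref} ")]
            if not targets:
                out.append(f"{name}: missing 'use {ref}'")
            out += [f"{name}: {ref} {t} is not defined" for t in targets if (ref, t) not in blocks]
        for p in (l.split()[2] for l in lines if l.startswith("use aaa-policy ")):
            body = blocks.get(("aaa-policy", p), [])
            if "accounting radius" in lines and not any(c.startswith("accounting server ") for c in body):
                out.append(f"{name}: aaa-policy {p} has no accounting server")
        for l in lines:
            if l.startswith("server host ") and not l.split()[2].startswith("https://"):
                out.append(f"{name}: server host is not https")
            if "<" in l or ">" in l:
                out.append(f"{name}: unreplaced placeholder in '{l}'")
    return out
print("\n".join(lint(SAMPLE)))
```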
2.4 WLAN Settings
After adding the Captive Portal configuration, the WiFi service must be created and the services created previously must be associated with it. To do so, execute the following commands, modifying the SSID name that the APs will radiate and the VLAN associated with that SSID.
After having configured the WLAN in the command line interface, it is necessary to use the user interface to update the configuration.
To do this, once inside the equipment, go to Configuration > Wireless and access the WLAN configuration created earlier.
Set up the following parameters in the Web Pages section:
Welcome URL: Enter the redirection URL found in Octopus Platform, in the WLAN section of the Location: https://<captive_portal_domain>/login/hotspot/landing/wifiarea/<WIFIAREA_ID>/<WLAN_ID>
Welcome Back URL: https://<captive_portal_domain>/login/hotspot/extreme/?client_mac=WING_TAG_CLIENT_MAC&client_ip=WING_TAG_CLIENT_IP&ap_mac=WING_TAG_AP_MAC&ssid=WING_TAG_WLAN_SSID&site=WING_TAG_RF_DOMAIN
Fail URL: https://<captive_portal_domain>/hotspot/extreme/?client_mac=WING_TAG_CLIENT_MAC&client_ip=WING_TAG_CLIENT_IP&ap_mac=WING_TAG_AP_MAC&ssid=WING_TAG_WLAN_SSID&site=WING_TAG_RF_DOMAIN&error=1
Login URL: https://<captive_portal_domain>/login/hotspot/extreme/?client_mac=WING_TAG_CLIENT_MAC&client_ip=WING_TAG_CLIENT_IP&ap_mac=WING_TAG_AP_MAC&ssid=WING_TAG_WLAN_SSID&site=WING_TAG_RF_DOMAIN
Agreement URL: https://<captive_portal_domain>/login/hotspot/extreme/?client_mac=WING_TAG_CLIENT_MAC&client_ip=WING_TAG_CLIENT_IP&ap_mac=WING_TAG_AP_MAC&ssid=WING_TAG_WLAN_SSID&site=WING_TAG_RF_DOMAIN
Registration URL: https://<captive_portal_domain>/login/hotspot/extreme/?client_mac=WING_TAG_CLIENT_MAC&client_ip=WING_TAG_CLIENT_IP&ap_mac=WING_TAG_AP_MAC&ssid=WING_TAG_WLAN_SSID&site=WING_TAG_RF_DOMAIN
No service URL: https://<captive_portal_domain>/login/hotspot/extreme/?client_mac=WING_TAG_CLIENT_MAC&client_ip=WING_TAG_CLIENT_IP&ap_mac=WING_TAG_AP_MAC&ssid=WING_TAG_WLAN_SSID&site=WING_TAG_RF_DOMAIN
**Request the full URL.
To obtain the WIFIAREA_ID and WLAN_ID parameters needed to complete the URL above, access the WIFI platform and go to the Locations configuration menu. In the WLAN configuration tab, you will be able to check the URL that must be configured to redirect users after their successful authentication.
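The six tag-carrying URLs above are typed by hand into the Web Pages form, so a check before saving can catch a leftover placeholder, a non-HTTPS scheme, a wrong host or a mistyped tag. The following Python is an added example, not part of the original guide; the function names and the portal.example.com entries are constructed for illustration, and the Welcome URL is out of scope because it carries no tags.

```python
from urllib.parse import urlsplit, parse_qsl

# Query parameters and the WING_TAG_* values the page pairs them with.
EXPECTED_TAGS = {
    "client_mac": "WING_TAG_CLIENT_MAC",
    "client_ip": "WING_TAG_CLIENT_IP",
    "ap_mac": "WING_TAG_AP_MAC",
    "ssid": "WING_TAG_WLAN_SSID",
    "site": "WING_TAG_RF_DOMAIN",
}

def check_portal_url(label, url, portal_domain):
    """Return the problems found in one tag-carrying Web Pages URL."""
    if "<" in url or ">" in url:
        return [f"{label}: unreplaced <placeholder> in URL"]
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append(f"{label}: scheme is {parts.scheme or 'missing'}, expected https")
    if (parts.hostname or "") != portal_domain.lower():
        problems.append(f"{label}: host is {parts.hostname}, expected {portal_domain}")
    # Extra parameters (such as error=1 on the Fail URL) are allowed.
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    for key, tag in EXPECTED_TAGS.items():
        if params.get(key) != tag:
            problems.append(f"{label}: {key}={params.get(key)}, expected {tag}")
    return problems

def check_all(urls, portal_domain):
    """Check every entry of a {field label: URL} mapping."""
    return {label: check_portal_url(label, url, portal_domain) for label, url in urls.items()}

# Constructed entries: portal.example.com stands in for <captive_portal_domain>.
TAGS = "&".join(f"{k}={v}" for k, v in EXPECTED_TAGS.items())
SAMPLE_URLS = {
    "Login URL": "https://portal.example.com/login/hotspot/extreme/?" + TAGS,
    "Fail URL": "https://portal.example.com/hotspot/extreme/?" + TAGS + "&error=1",
    "Agreement URL": "http://portal.example.com/login/hotspot/extreme/?"
                     + TAGS.replace("WING_TAG_AP_MAC", "WING_TAG_APMAC"),
    "Registration URL": "https://<captive_portal_domain>/login/hotspot/extreme/?" + TAGS,
}

for label, problems in check_all(SAMPLE_URLS, "portal.example.com").items():
    print(label, "OK" if not problems else problems)
```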
2.5 AP Profile
Finally, it is necessary to enable the SSID created in the previous section. To do that, execute the following commands to associate the WLAN Profile with the AP Profile. Don't forget to replace the AP Profile name with the one associated with your access points:
2.6 Authorized MAC Addresses
For user validation to work correctly, it is necessary to identify the NAS that will be able to make authentication requests to the Radius Server. All the MAC addresses of the Access Points that will radiate the configured SSID must be added, as well as the MAC address of the WiFi interface or BSSID associated to each Access Point.
These Radio MAC addresses can be obtained from the Monitor menu. Go to Monitor > Radios and you will be able to see them in the Access Point Radio Details section.
To obtain the MAC address of each AP, go to Configuration > Access Points and open the information of each AP individually.
For information on how to add the MAC address of each AP as an authorized NAS on the platform, please refer to the following link: Locations
3- Enterprise module configuration
In order to integrate the configurations of this module with the platform, it is necessary to contract the Octopus Wifi Enterprise Module.
3.1 MAC Authentication
To enable MAC Authentication, it is necessary to make some changes in the created WLAN Profile. To perform the configuration, execute the following commands, replacing the profile names with the ones configured before.