Extreme Networks
CONFIGURATION GUIDE
The purpose of the following manual is to describe the necessary configuration of Extreme network equipment for integration with Octopus Platform
1- Pre-requisites
If there is a firewall in the network that might block the traffic, you will need to allow access to some domains to enable user's authentication:
Radius Servers:
Primary: <IP_Radius_1> 1812 and 1813 UDP ports
Secondary: <IP_Radius_2> 1812 and 1813 UDP ports
Splash Portal server:
Domain <captive_portal_domain> 80 and 443 TCP ports
For the operation of the Guest and Enterprise modules configuration, it will be necessary to previously contract the Octopus platform licenses with the respective modules.
2- Guest module configuration
2.1 Radius Server
The first step to configure the Extreme Networks equipment will be to add the Radius Servers for both user authentication and for sending Accounting packets.
To do this access the equipment via SSH and after accessing the configuration mode run the following commands:
aaa-policy WIFI
authentication server 1 host <IP_Radius_1> secret 0 <secret>
accounting server 1 host <IP_Radius_1> secret 0 <secret>
accounting interim interval 600
accounting type start-interim-stop
commit2.2 Walled Garden
Once the Radius Server configuration is done, it is necessary to add the domains that the users will be able to visit without being authenticated in the captive portal. Please, find an example of the commands that you will have to execute to add any domains to the DNS Whitelist.
dns-whitelist WIFI
permit google-analytics.com suffix
permit doubleclick.net suffixAdd all the required domains to make the captive portal works properly in the dns-whitelist created before. Use the command permit domain suffix
If you wish to add extra domains (Social Networks, Paypal, etc...) they can be consulted from the following link.
2.3 Captive Portal
The next step is to add the external captive portal configuration and link the Radius Server and the DNS Whitelist to this captive portal. Please, execute the following commands to create the profile:
captive-portal WIFI
server host https://<dominio_captive_portal>/login/hotspot/extreme
webpage-location external
accounting radius
use aaa-policy WIFI
use dns-whitelist WIFI
exit
commit
write memory 2.4 WLAN Settings
After adding the Captive Portal configuration, the WiFi service must be created and the different services previously created must be associated. To do so, execute the following commands, modifying the SSID name that the APs will radiate and the vlan associated to said SSID.
After having configured the WLAN in the command line interface, it is necessary to use the user interface to update the configuration.
To do this, once inside the equipment, go to Configuration > Wireless and access the WLAN configuration created earlier.
Set up the following parameters in the Web Pages section:
Welcome URL: Enter the redirection URL found in Octopus Platform, in the WLAN section of the Location: https://<captive_portal_domain>/login/hotspot/landing/wifiarea/<WIFIAREA_ID>/<WLAN_ID>
Welcom Back URL: https://<captive_portal_domain>/login/hotspot/extreme/?client_mac=WING_TAG_CLIENT_MAC&client_ip=WING_TAG_CLIENT_IP&ap_mac=WING_TAG_AP_MAC&ssid=WING_TAG_WLAN_SSID&site=WING_TAG_RF_DOMAIN
Fail URL: https://<captive_portal_domain>/hotspot/extreme/?client_mac=WING_TAG_CLIENT_MAC&client_ip=WING_TAG_CLIENT_IP&ap_mac=WING_TAG_AP_MAC&ssid=WING_TAG_WLAN_SSID&site=WING_TAG_RF_DOMAIN&error=1
Login URL: https://<captive_portal_domain>/login/hotspot/extreme/?client_mac=WING_TAG_CLIENT_MAC&client_ip=WING_TAG_CLIENT_IP&ap_mac=WING_TAG_AP_MAC&ssid=WING_TAG_WLAN_SSID&site=WING_TAG_RF_DOMAIN
Agreement URL: https://<captive_portal_domain>/login/hotspot/extreme/?client_mac=WING_TAG_CLIENT_MAC&client_ip=WING_TAG_CLIENT_IP&ap_mac=WING_TAG_AP_MAC&ssid=WING_TAG_WLAN_SSID&site=WING_TAG_RF_DOMAIN
Registration URL: https://<captive_portal_domain>/login/hotspot/extreme/?client_mac=WING_TAG_CLIENT_MAC&client_ip=WING_TAG_CLIENT_IP&ap_mac=WING_TAG_AP_MAC&ssid=WING_TAG_WLAN_SSID&site=WING_TAG_RF_DOMAIN
No service URL: https://<captive_portal_domain>/login/hotspot/extreme/?client_mac=WING_TAG_CLIENT_MAC&client_ip=WING_TAG_CLIENT_IP&ap_mac=WING_TAG_AP_MAC&ssid=WING_TAG_WLAN_SSID&site=WING_TAG_RF_DOMAIN
**Request the full URL.
To obtain the WIFIAREA_ID and the WLAN_ID parameters to complete the URL above, please access to the WIFI platform and go to the Locations configuration menu. In the WLAN configuration tab, you will be able to check the URL that must be configured to redirect the users after their successful authentication.
2.5 AP Profile
Finally, it is necessary to enable the SSID created in the section before. To do that, execute the following commands to associate the WLAN Profile to the AP Profile. Don't forget to replace the AP Profile name by the one associated to your access points:
2.6 Authorized MAC Addresses
For user validation to work correctly, it is necessary to identify the NAS that will be able to make authentication requests to the Radius Server. All the MAC addresses of the Access Points that will radiate the configured SSID must be added, as well as the MAC address of the WiFi interface or BSSID associated to each Access Point.
These Radio MAC addresses can be obtained from the Monitor menu. Access to Monitor > Radios and you will be able to see them in the Access Point Radio Details section .
On the other hand, to obtain the MAC Address of each AP access to Configuration > Access Points and access to the information of each AP individually.
For information on how to add the MAC address of each AP as an authorized NAS on the platform, please refer to the following link Locations
3- Enterprise module configuration
In order to integrate the configurations of this module with the platform, it is necessary to contract the Octopus Wifi Enterprise Module.
3.1 MAC Authentication
To enable MAC Authentication it is necessary to make some changes in the created WLAN Profile. To perform the configuration, please execute the following commands replacing the profile names by the ones configured before.