Edit Switches in ExtremeControl Engine Group


Use this window to change a switch's primary and secondary ExtremeControl Gateway, and also edit other switch parameters including the switch's authentication access type and the RADIUS attributes to send, if desired.

You can access this window by selecting an engine or engine group in the left-panel tree. Then, in the right-panel Switches tab, select the switches you wish to edit and select the Edit button.

Edit Devices

Switch Type
Use the drop-down list to change the type of switch:
  • Layer 2 Out-Of-Band — A switch that will do authentication on layer 2 traffic via RADIUS to an out-of-band ExtremeControl gateway.
  • Layer 2 Out-Of-Band Data Center — A switch within a data center where virtualization and mobility are a factor. If an end-system changes location but does not move to a different ExtremeControl engine, ExtremeCloud IQ Site Engine removes the end-system authentication from their prior port/switch. This allows VMs that quickly move from one server to another and then back again to still have their location updated in ExtremeCloud IQ Site Engine, because only one authenticated session is allowed per end-system within ExtremeCloud IQ Site Engine.
  • Layer 2 RADIUS Only — In this mode, ExtremeControl does not require any information from the switch other than the end-system MAC address (from Calling-Station-Id or User-Name). The NAS-Port does not need to be specified. If the switch supports RFC 3576, you can set the Reauthentication Behavior in the Advanced Switch Settings window. IP resolution and reauthentication occasionally do not work in this mode.
  • VPN — A VPN concentrator being used in an ExtremeControl VPN deployment. In this case, you should specify one or more Policy Enforcement Points below. If you do not specify a Policy Enforcement Point, then ExtremeControl is unable to apply policies to restrict access after the user is granted access.
Primary Gateway
Use the drop-down list to select the primary ExtremeControl Gateway for the selected switches. If load balancing has been configured for the switch, this field is not displayed.
Secondary Gateway
Use the drop-down list to select the secondary ExtremeControl Gateway for the selected switches. If load balancing has been configured for the switch, this field is not displayed.
Auth Access Type
Use the drop-down list to select the type of authentication access allowed for these switches. This feature allows you to have one set of switches for authenticating management access requests and a different set for authenticating network access requests.
 WARNING: For ExtremeXOS/Switch Engine devices only. ExtremeControl uses CLI access to perform configuration operations on ExtremeXOS/Switch Engine devices.
  • Enabling an Auth type of "Any Access" or "Management Access" can restrict access to the switch after an enforce is performed. For management requests handled through ExtremeControl, make sure that an appropriate administrative access configuration is in place by assigning a profile such as "Administrator ExtremeControl Profile" to grant proper access to users. Also, verify that the current switch CLI credentials for the admin user are defined in the database against which ExtremeControl authenticates management login attempts.
  • Switching from an Auth type of "Any Access" or "Management Access" back to "Network Access" can restrict access to the switch after an enforce is performed. Verify that the current switch CLI credentials for the admin user are defined locally on the switch.
  • Any Access — the switch can authenticate users originating from any access type.
  • Management Access — the switch can only authenticate users that have requested management access via the console, Telnet, SSH, or HTTP, etc.
  • Network Access - the switch can only authenticate users accessing the network via the following authentication types: MAC, PAP, CHAP, and 802.1X. If RADIUS accounting is enabled, then the switch also monitors Auto Tracking, CEP (Convergence End Point), and Switch Quarantine sessions. If there are multiple sessions for a single end-system, the session with the highest precedence will be displayed to provide the most accurate access control information for the user. The ExtremeControl authentication type precedence from highest to lowest is: Switch Quarantine, 802.1X, CHAP, PAP, Kerberos, MAC, CEP, RADIUS Snooping, Auto Tracking.
  • Monitoring - RADIUS Accounting — the switch will monitor Auto Tracking, CEP (Convergence End Point), and Switch Quarantine sessions. ExtremeCloud IQ Site Engine learns about these sessions via RADIUS accounting. This allows ExtremeCloud IQ Site Engine to be in a listen mode, and to display access control, location information, and identity information for end-systems without enabling authentication on the switch. If there are multiple sessions for a single end-system, the session with the highest precedence displays to provide the most accurate access control information for the user. The ExtremeControl authentication type precedence from highest to lowest is: Switch Quarantine, 802.1X, CHAP, PAP, Kerberos, MAC, CEP, RADIUS Snooping, Auto Tracking.
  • Manual RADIUS Configuration - ExtremeCloud IQ Site Engine does not perform any RADIUS configurations on the switch. Select this option if you want to configure the switch manually using the Policy tab or CLI.
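The precedence rule stated for Network Access and Monitoring, combined with the Layer 2 RADIUS Only MAC sources (Calling-Station-Id or User-Name), as an added example that is not ExtremeControl or ExtremeCloud IQ Site Engine code: given constructed session records, it selects the one session shown per end-system. The record layout, the accepted MAC separators, and checking Calling-Station-Id before User-Name are assumptions of this example.

```python
import re

# Precedence order as stated on this page, highest first.
PRECEDENCE = ["Switch Quarantine", "802.1X", "CHAP", "PAP", "Kerberos",
              "MAC", "CEP", "RADIUS Snooping", "Auto Tracking"]
RANK = {name: i for i, name in enumerate(PRECEDENCE)}

def end_system_mac(attrs):
    """Return the end-system MAC as aa:bb:cc:dd:ee:ff, or None.

    Looks at Calling-Station-Id, then User-Name (the two sources the page
    names). The separators accepted here are an assumption of this example.
    """
    for key in ("Calling-Station-Id", "User-Name"):
        digits = re.sub(r"[-:.\s]", "", attrs.get(key, "")).lower()
        if re.fullmatch(r"[0-9a-f]{12}", digits):
            return ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    return None

def displayed_sessions(sessions):
    """Map each end-system MAC to its highest-precedence session."""
    best, skipped = {}, []
    for s in sessions:
        mac = end_system_mac(s["attrs"])
        if mac is None or s["auth_type"] not in RANK:
            skipped.append(s)  # no usable MAC or unknown type: flag it, don't guess
            continue
        cur = best.get(mac)
        if cur is None or RANK[s["auth_type"]] < RANK[cur["auth_type"]]:
            best[mac] = s
    return best, skipped

# Constructed sample sessions (hypothetical layout, not real product output).
SAMPLE = [
    {"auth_type": "MAC", "attrs": {"Calling-Station-Id": "00-11-22-AA-BB-CC",
                                   "User-Name": "001122aabbcc"}},
    {"auth_type": "802.1X", "attrs": {"Calling-Station-Id": "0011.22aa.bbcc",
                                      "User-Name": "alice"}},
    {"auth_type": "Auto Tracking", "attrs": {"User-Name": "00:11:22:aa:bb:dd"}},
    {"auth_type": "CEP", "attrs": {"Calling-Station-Id": "00:11:22:AA:BB:DD"}},
    {"auth_type": "PAP", "attrs": {"User-Name": "bob"}},  # no MAC in either attribute
]

if __name__ == "__main__":
    shown, skipped = displayed_sessions(SAMPLE)
    for mac, s in sorted(shown.items()):
        print(mac, "->", s["auth_type"])
    print("sessions without a resolvable end-system:", len(skipped))
```

Sessions that land in the skipped list are the ones worth reviewing: without a MAC in either attribute they cannot be tied to an end-system.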
Virtual Router Name
Select the checkbox to enter the name of the Virtual Router. The default value for this field is VR-Default.
 WARNING: For ExtremeXOS/Switch Engine devices only. If ExtremeCloud IQ Site Engine has not detected and populated this field, enter the Virtual Router Name carefully. Incorrectly entering a value in this field causes the RADIUS configuration to fail, which is not reported when enforcing the configuration to the switch.
Gateway RADIUS Attributes to Send
Use the drop-down list to select the RADIUS attributes settings included as part of the RADIUS response from the ExtremeControl engine to the switch.
RADIUS Accounting
Use the drop-down list to enable RADIUS accounting on the switch. RADIUS accounting can be used to determine the connection state of the end-system sessions on the ExtremeControl engine, providing real-time connection status in ExtremeCloud IQ Site Engine. It also allows ExtremeControl to monitor Auto Tracking, CEP (Convergence End Point), and Quarantine (anti-spoofing) sessions.
Management RADIUS Server
Use the drop-down list to specify RADIUS servers used to authenticate requests for administrative access to the selected switches. Select from the RADIUS servers you have configured in ExtremeCloud IQ Site Engine, or select New or Manage to open the Add/Edit RADIUS Server or Manage RADIUS Servers windows.
Network RADIUS Server
This option lets you specify a backup RADIUS server to use for network authentication requests for the selected switches. This allows you to explicitly configure a network RADIUS server to use if there is only one ExtremeControl engine. (This option is only available if a Secondary Gateway is not specified.) Select from the RADIUS servers you have configured in ExtremeControl, or select New or Manage to open the Add/Edit RADIUS Server or Manage RADIUS Servers windows.
Policy Domain
Use this option to assign the switch to a Policy tab domain and enforce the domain configuration to the switch. The switch must be an Extreme Networks switch.
 NOTE: Selecting -- Do Not Set -- for an ExtremeControl engine on which a Policy Domain is configured does not unassign the Policy Domain. To unassign a Policy Domain, use the Policy tab.
Advanced Settings
Select this button to open the Advanced Switch Settings window.
