Interfaces Window


Use this ExtremeCloud IQ Site Engine window to configure the interfaces on an ExtremeControl engine. Interface configuration enables you to separate management traffic from end-system traffic, providing another layer of protection for sensitive data. It also provides the ability to snoop mirrored traffic on other ports.

This window is accessed from the Control > ExtremeControl tab by selecting an ExtremeControl engine, opening the Details tab, and selecting the Edit button in the Interface Summary section.

Interface Modes

An interface can be configured in one of the following modes: Management, Registration & Remediation; Management Only; Registration & Remediation Only; Listen Only; Advanced Configuration; or Off. The mode determines the type of traffic permitted on the interface and the services the interface provides.

You can configure all the interfaces on an engine; however, you cannot change which interface is the management interface, and only one interface can be configured to carry management traffic.

Management, Registration & Remediation – This mode is the in-band management mode where both management traffic and registration, assessment, and remediation traffic use the same interface. In this mode, the engine does not limit traffic to each of the services.

Management Only – In this mode, the engine binds all management services to this interface. This includes:

  • traffic to ExtremeCloud IQ Site Engine and other engines (JMS and HTTP)
  • all traffic to switches
  • all LDAP and RADIUS traffic
  • traffic for the following services: SSH daemon, SNMP daemon, and RADIUS server
  • traffic for captive portal administration, sponsorship, pre-registration, and screen preview (on ports 80 and 443)
  • traffic for WebView pages and ExtremeCloud IQ Site Engine web services (on ports 8080 and 8443)

Registration & Remediation Only – In this mode, the engine binds all registration and remediation services to this interface. All traffic to end-systems is initiated through this interface, including:

  • assessment traffic
  • NetBIOS for IP and hostname resolution
  • traffic for registration pages, remediation pages, and self-registration (on ports 80 and 443)
  • all agent communication traffic (on ports 8080 and 8443)

Listen Only – In this mode, the engine enables DHCP and Kerberos snooping to be performed on the interface. No IP address or hostname can be assigned to the interface.

Advanced Configuration – This mode enables you to configure the services that are provided by the selected interface, using the link in the Services field. This is useful for ExtremeControl deployments in MSP or MSSP environments.

Off – The interface is disabled and not used in any way.

Services

The Services field displays the services that are provided by the ExtremeControl engine interface, as determined by the selected interface mode. Each mode provides a different set of services on the interface.

If the mode is set to Advanced Configuration, the services list becomes a link that launches an Edit window where you can select or deselect the services provided by the interface. This granularity is useful for ExtremeControl deployments in MSP or MSSP environments.

  NOTE: Only one interface can have End-System enabled when using the OAUTH2 social login. The End-System service is part of the Management, Registration, and Remediation mode, so it can also be enabled in Advanced Configuration.

The following list describes the various services that are provided by the different modes:

  • Management - The communication to and from the ExtremeCloud IQ Site Engine server. Sub-services include JMS, Web Services, and Syslog.
    NOTE: The Management service cannot be moved from eth0.
  • Monitoring Services - The services used to monitor or contact an engine. Sub-services include the SSH daemon and SNMP agent.
  • Network Services - The communication to external servers that provide networking services. Sub-services include DNS servers and NTP servers.
    NOTE: The Network Services service can only be applied to one interface.
  • AAA Servers - The communication used by external servers for authentication and authorization. Sub-services include RADIUS servers and LDAP servers.
    NOTE: The AAA Servers service can only be applied to one interface.
  • Device - The communication to and from a NAS (switch, router, VPN, or wireless controller). Sub-services include SNMP, RADIUS, RFC3576, SSH/Telnet, and TFTP.
  • Portal: Management - The captive portal registration management services for an engine.
  • End-System - The communication to and from end-systems. Sub-services include portal registration and remediation, assessment, NetBIOS, and DNS proxy.
  • Traffic Snooping - DHCP and Kerberos snooping on the interface. This service is listed if the DHCP/Kerberos Snooping option is set to Enabled.

DHCP/Kerberos Snooping

Use the DHCP/Kerberos Snooping option to enable or disable DHCP and Kerberos snooping on the interface. DHCP snooping is used for IP resolution and OS detection. Kerberos snooping is used for user name detection and elevated access.

Captive Portal HTTP Mirroring

This is an advanced option that enables the interface to accept mirrored HTTP traffic, which is used to display the captive portal to end users. This option is an alternative to using Policy-Based Routing and DNS Proxy.

Tagged VLANs

If the mirrored traffic includes an 802.1Q VLAN tag, the VLANs to capture must be stated explicitly in this field as a comma-separated list of VLAN IDs from 1 to 4094. If the mirrored traffic is not tagged, this field can be left blank.
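The rules stated on this page (one interface for management traffic, the Management service fixed to eth0, Network Services and AAA Servers on at most one interface, no IP address or hostname on a Listen Only interface, and a Tagged VLANs field of comma-separated IDs from 1 to 4094) can be checked before a layout is applied in the Interfaces window. The following is an added example, not Extreme's own code or API: the `Interface` class, its field names, the service names as strings, and the two sample plans are this example's assumptions, constructed to illustrate the checks.

```python
# Added example (not Extreme's code): a checker for a planned ExtremeControl
# interface layout, encoding the rules this page states. The Interface class,
# its field names and the sample plans below are this example's own assumptions.
import re
from dataclasses import dataclass, field
from typing import Optional

VLAN_MIN, VLAN_MAX = 1, 4094

# Per the page, each of these services may be bound to only one interface.
SINGLE_INTERFACE_SERVICES = ("Management", "Network Services", "AAA Servers")


@dataclass
class Interface:
    name: str
    mode: str
    services: set = field(default_factory=set)
    ip: Optional[str] = None
    hostname: Optional[str] = None
    tagged_vlans: str = ""          # the Tagged VLANs field, as typed


def parse_tagged_vlans(text: str) -> list:
    """Parse the Tagged VLANs field: a comma-separated list of IDs 1..4094.
    Blank means the mirrored traffic is untagged. Raises ValueError otherwise."""
    vlans = []
    for token in text.split(","):
        token = token.strip()
        if not token:
            if text.strip():            # "10,,20" or a trailing comma
                raise ValueError("empty entry in VLAN list")
            continue                    # whole field blank: untagged mirror
        if not re.fullmatch(r"\d+", token):
            raise ValueError(f"VLAN ID {token!r} is not a number")
        vid = int(token)
        if not VLAN_MIN <= vid <= VLAN_MAX:
            raise ValueError(f"VLAN ID {vid} is outside {VLAN_MIN}-{VLAN_MAX}")
        if vid in vlans:
            raise ValueError(f"VLAN ID {vid} listed twice")
        vlans.append(vid)
    return vlans


def validate_plan(interfaces: list) -> list:
    """Return the rule violations in a plan; [] means it satisfies the page's rules."""
    problems = []
    for svc in SINGLE_INTERFACE_SERVICES:
        holders = [i.name for i in interfaces if svc in i.services]
        if len(holders) > 1:
            problems.append(f"{svc} is bound to more than one interface: {holders}")
    mgmt = [i.name for i in interfaces if "Management" in i.services]
    if not mgmt:
        problems.append("no interface carries the Management service")
    for name in mgmt:
        if name != "eth0":
            problems.append(f"Management cannot be moved from eth0 (found on {name})")
    for i in interfaces:
        if i.mode == "Listen Only" and (i.ip or i.hostname):
            problems.append(f"{i.name}: a Listen Only interface cannot have an IP address or hostname")
        if i.mode == "Off" and i.services:
            problems.append(f"{i.name}: an Off interface provides no services")
        try:
            parse_tagged_vlans(i.tagged_vlans)
        except ValueError as err:
            problems.append(f"{i.name}: Tagged VLANs: {err}")
    return problems


def management_is_separated(interfaces: list) -> bool:
    """True when no interface carries both Management and End-System traffic,
    i.e. management is kept off the interface that end-systems reach."""
    return not any({"Management", "End-System"} <= i.services for i in interfaces)


# Constructed sample plans (not taken from the page).
SEPARATED_PLAN = [
    Interface("eth0", "Management Only",
              {"Management", "Monitoring Services", "AAA Servers", "Device", "Portal: Management"},
              ip="10.0.0.5"),
    Interface("eth1", "Registration & Remediation Only", {"End-System"}, ip="192.0.2.5"),
    Interface("eth2", "Listen Only", {"Traffic Snooping"}, tagged_vlans="10, 20, 30"),
    Interface("eth3", "Off"),
]

BROKEN_PLAN = [
    Interface("eth0", "Management, Registration & Remediation",
              {"Management", "End-System", "AAA Servers"}, ip="10.0.0.5"),
    Interface("eth1", "Advanced Configuration", {"Management", "AAA Servers"}, ip="10.0.1.5"),
    Interface("eth2", "Listen Only", {"Traffic Snooping"}, ip="10.0.2.5", tagged_vlans="10,4095"),
]

if __name__ == "__main__":
    for label, plan in (("separated", SEPARATED_PLAN), ("broken", BROKEN_PLAN)):
        print(label, "problems:", validate_plan(plan) or "none",
              "| management separated:", management_is_separated(plan))
```

`validate_plan` reports only what the page states as a rule; `management_is_separated` is a separate check because in-band Management, Registration & Remediation is a supported mode, so sharing one interface is a design choice to review rather than a configuration error.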
