New/Edit ExtremeControl Profile


ExtremeControl Profiles specify the authorization and assessment requirements for the end-systems connecting to the network. Profiles also specify the security policies that will be applied to end-systems for network authorization, depending on authentication and assessment results.

ExtremeCloud IQ Site Engine comes with ten system-defined ExtremeControl profiles:

  • Administrator
  • Allow
  • Default
  • Guest Access
  • Notification
  • Pass Through
  • Quarantine
  • Registration Denied Access
  • Secure Guest Access
  • Unregistered

You can edit these profiles or you can define your own profiles to use for your ExtremeControl configurations. Use this window to create a new profile, or edit an existing profile. When you create a new profile, it is added to the Manage ExtremeControl Profiles window. When you edit a profile, it changes the profile wherever it is used, so you don't have to do individual edits for each profile.

To create a new profile, select the Add button in the Manage ExtremeControl Profiles window. To edit an existing profile, select a profile in the Manage ExtremeControl Profiles window and select the Edit button, or select the profile from the left panel.

New Access Control Profile

Name
Enter a name for a new profile. If you are editing a profile, the name of the profile is displayed and cannot be edited. To change the name of a profile, right-click on the profile name in the ExtremeControl Profiles left-hand panel navigation tree and select Rename from the menu.
Reject Authentication Requests
If you select this checkbox, all authentication requests are rejected.

Authorization

Accept Policy
Use the drop-down list to select the Accept policy you want to use in this ExtremeControl profile. An Accept policy is applied to an end-system when:
  • an end-system has been authorized locally (MAC authentication) by the ExtremeControl engine and has passed an assessment (if assessment is enabled).
  • you have selected the Replace RADIUS Attributes with Accept Policy option.
If you select "No Policy," then the ExtremeControl engine does not include a Filter ID or VLAN Tunnel Attribute in the RADIUS attributes returned to the switch, and the default role configured on the port is assigned to the end-system. This option is necessary when configuring single user plus IP phone authentication supported on C2/C3 and B2/B3 devices.

If you select "Use User/Host LDAP Policy Mappings," an Accept Policy will be assigned, based on the end-system information in the LDAP database and the LDAP Policy Mappings configured in the Authentication Mapping.

Replace RADIUS Attributes with Accept Policy
When this option is checked, the attributes returned from the RADIUS server are replaced by the policy designated as the Accept policy. If the RADIUS server does not return a Filter ID or VLAN Tunnel attribute, the Accept policy is inserted. When this option is unchecked, the attributes returned from the RADIUS server are forwarded back "as is" and the Accept Policy would only be used to locally authorize MAC authentication requests. If the RADIUS server does not return a Filter ID or VLAN Tunnel attribute, no attributes are returned to the switch.
Use Quarantine Policy
Select this checkbox if you want to specify a Quarantine policy. The Quarantine policy is used to restrict network access for end-systems that have failed the assessment. You must have the Enable Assessment checkbox selected to activate this checkbox.

If a Quarantine policy is not specified and you have configured RADIUS in your AAA configuration, then the policy from the RADIUS attributes would be applied (unless Replace RADIUS Attributes with Accept Policy has been selected, in which case the Accept policy would be used). If Authorize Authentication Requests Locally has been selected in your AAA configuration, then the Accept policy would be applied to those end-systems that are authorized locally. This allows an end-system onto the network with its usual network access even though the end-system failed the assessment.
Use Failsafe Policy on Error
Select this checkbox if you want to specify a Failsafe policy to be applied to an end-system when it is in an Error connection state. An Error state results if the end-system's IP address could not be determined from its MAC address, or if there was a scanning error and a scan of the end-system could not take place. A Failsafe policy should allocate a nonrestrictive set of network resources to the connecting end-system so it can continue its work, even though an error occurred in ExtremeControl operation.

If a Failsafe policy is not specified and you have configured RADIUS in your AAA configuration, then the policy from the RADIUS attributes would be applied (unless Replace RADIUS Attributes with Accept Policy has been selected, in which case the Accept policy would be used). If Authorize Authentication Requests Locally has been selected in your AAA configuration, then the Accept policy would be applied to those end-systems that are authorized locally. This allows end-systems onto the network with their usual network access when an error occurs in ExtremeControl operation.

Assessment

Enable Assessment
Select the Enable Assessment checkbox if you want to require that end-systems are scanned by an assessment server.
  NOTES: If you require end-systems to be scanned by an assessment server, you need to configure the assessment servers performing the scans. The Manage Assessment Settings window is the main window used to manage and configure assessment servers. To access this window, select Assessment from the ExtremeControl Configurations > ExtremeControl Profiles left-hand panel navigation tree.

The ExtremeControl engine restarts on enforce the first time Enable Assessment is selected in an ExtremeControl profile. The engine also restarts on enforce when Enable Assessment is deselected for all ExtremeControl profiles.

Assessment Configuration
Use the drop-down list to select the assessment configuration you would like to use in this ExtremeControl Profile. Use the Edit button to add a new assessment configuration or edit a configuration, if needed. After you create an assessment configuration, it becomes available for selection in the list.
Assessment Interval
Enter an assessment interval that defines the interval between required assessments:
  • Minutes - 30 to 120
  • Hours - 1 to 48
  • Days - 1 to 31
  • Weeks - 1 to 52
  • None
Hide Assessment Details and Remediation Options from User
If you select this option, the end user does not see assessment or remediation information on the Remediation Web Page. They are informed that they are quarantined, and told to contact the Help Desk for assistance.
Use Assessment Policy
Select this checkbox if you want to specify a certain policy to be applied to an end-system while it is being assessed. Use the drop-down list to select the desired policy.
Select when to apply the policy:
  • During Initial Assessment Only - Only initial assessments receive the assessment policy. If the end-system is being re-assessed, it remains in its current policy.
  • During All Assessments - All end-systems being assessed receive the specified assessment policy.
If an assessment policy is not specified and you have configured RADIUS in your AAA configuration, then the policy from the RADIUS attributes is applied (unless "Replace RADIUS Attributes with Accept Policy" is selected, in which case the Accept policy is used). If "Authorize Authentication Requests Locally" is selected in your AAA configuration, then the Accept policy is applied to those end-systems authorized locally. This allows the end-system immediate network access without having to wait for assessment to be complete.
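
The fallback rules described above for the Accept, Quarantine, Failsafe and Assessment policies can be modeled to review a profile before it is enforced. The following is an added example, not product code: the field names, state names and policy names are illustrative assumptions, and the "Use User/Host LDAP Policy Mappings" option and re-assessment timing are not modeled.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Profile:  # illustrative field names, not product identifiers
    accept_policy: Optional[str]             # None models "No Policy"
    replace_radius_attrs: bool = False
    enable_assessment: bool = False
    quarantine_policy: Optional[str] = None  # only active with enable_assessment
    failsafe_policy: Optional[str] = None
    assessment_policy: Optional[str] = None
    reject_all: bool = False                 # Reject Authentication Requests

def normal_policy(p, local_auth, radius_policy):
    """Policy for an accepted end-system; also the fallback for unset policies."""
    if local_auth or p.replace_radius_attrs:
        return p.accept_policy   # None: port's default role applies
    return radius_policy         # forwarded as is; None if RADIUS sent none

def effective_policy(p, state, local_auth=False, radius_policy=None):
    """state: 'accept', 'assessing' (initial), 'quarantine' or 'error'."""
    if p.reject_all:
        return "REJECT"
    specific = {
        "accept": None,
        "assessing": p.assessment_policy,
        "quarantine": p.quarantine_policy if p.enable_assessment else None,
        "error": p.failsafe_policy,
    }[state]
    return specific or normal_policy(p, local_auth, radius_policy)

def fail_open_states(p):
    """States where an unassessed or failed end-system keeps its usual access."""
    if not p.enable_assessment:
        return []
    checks = {"assessing": p.assessment_policy, "quarantine": p.quarantine_policy}
    return [state for state, policy in checks.items() if policy is None]

if __name__ == "__main__":
    # Constructed sample profile; the policy name is made up.
    p = Profile("Enterprise User", enable_assessment=True)
    print(fail_open_states(p), effective_policy(p, "quarantine", local_auth=True))
```

A profile with assessment enabled but no Quarantine policy reports "quarantine" in `fail_open_states`, which matches the behavior described above: the end-system that failed assessment keeps its usual network access.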
