ExtremeControl Concepts

---

This Help topic explains some of the concepts you'll need to understand in order to make the most effective use of Access Control tab.

Information on:

• Overview of the Access Control Tab
• ExtremeControl Engines
  • Use Scenario
  • ExtremeControl VPN Deployment
• Access Control Tab Structure
  • ExtremeControl Configuration
  • Rule Components
  • ExtremeControl Profiles
  • AAA Configurations
  • Portal Configurations
• Access Policies
• Registration
• Assessment
  • Assessment Remediation
• End-System Zones
• Enforcing
• MAC Locking
• Notifications

Overview of the Access Control Tab

Extreme Networks ExtremeControl is a centralized network access control solution located in the Access Control tab that combines authentication, vulnerability assessment, and location services to authorize network access and determine the appropriate level of service for an end-system. The ExtremeControl solution ensures that only valid users and devices with appropriate security postures at the proper location are granted access to your network. For end-systems which are not compliant with defined security guidelines, the ExtremeControl solution provides assisted remediation, enabling end users to perform self-service repair steps specific to the detected compliance violation.

The Access Control tab is the management component in the Extreme Networks ExtremeControl solution. The Access Control tab and ExtremeControl engines work in conjunction to implement network access control. The Access Control tab provides one centralized interface for configuring the authentication, authorization, assessment, and remediation parameters for your ExtremeControl engines. After these configurations are enforced, the ExtremeControl engines can detect, authenticate, assess, authorize, and remediate end-systems connecting to the network according to those configuration specifications.

ExtremeControl Engines

The ExtremeControl engine is required for all Extreme Networks ExtremeControl deployments. It provides the ability to detect, authenticate, and effect the authorization of end devices attempting to connect to the network. It also integrates with, or connects to, vulnerability assessment services to determine the security posture of end-systems connecting to the network. After authentication and assessment are complete, the ExtremeControl engine effects the authorization of devices on the network by allocating the appropriate network resources to the end-system based on authentication and/or assessment results.

If authentication fails and/or the assessment results indicate a non-compliant end-system, the ExtremeControlengine can either totally deny the end-system access to the network or quarantine the end-system with a highly restrictive set of network resources, depending on its configuration. The ExtremeControl engine also provides the remediation functionality of the ExtremeControl solution by means of the remediation web server that runs on the engine. Remediation informs end users when their end-systems have been quarantined due to network security policy non-compliance, and enables end users to safely remediate their non-compliant end-systems without assistance from IT operations.

Use Scenario

The ExtremeControl Gateway engine provides out-of-band network access control for networks where intelligent wired or wireless edge infrastructure devices are deployed as the authorization point for connecting end-systems. End-systems are detected on the network through their RADIUS authentication interchange. Based on the assessment and authentication results for a connecting device, RADIUS attributes are added/modified during the authentication process to authorize the end-system on the authenticating edge switch. Therefore, the ExtremeControl Gateway can be positioned anywhere in the network topology with the only requirement being that IP connectivity between the authenticating edge switches and the ExtremeControl Gateways is operational.

It is important to note that if the wired edge of the network is non-intelligent (unmanaged switches and hubs) and is not capable of authenticating and authorizing locally connected end-systems, it is possible to augment the network topology to enable implementation of inline ExtremeControl with the ExtremeControl Gateway. This can be accomplished by adding an intelligent edge switch that possesses specialized authentication and authorization features. The Extreme Networks K-, S-, or N-Series switch is capable of authenticating and authorizing numerous end-systems connected on a single port through its Multi-User Authentication (MUA) functionality, and can be positioned upstream from non-intelligent edge devices to act as the intelligent edge on the network. In this configuration, the K-, S-, or N-Series switch acts as the intelligent edge switch on the network, although not physically located at the access edge.

For end-systems connected to EOS policy-enabled switches, a policy role is specified in the Access Control tab (policy roles are defined and distributed to those switches by the Policy tab) to authorize connecting end-systems with a particular level of network access. For end-systems connected to RFC 3580-compliant switches (Enterasys and third-party), a VLAN is specified in the Access Control tab to authorize connecting end-systems with a particular level of network access, facilitated using dynamic VLAN assignment via Tunnel RADIUS attributes.

When a user or device attempts to connect to the network, the end-system is authenticated and assessed according to configurations defined in the Access Control tab. The Access Control tab uses the results of the authentication and assessment to determine if that device meets the requirements for a compliant end-system. If the results of the authentication and security assessment are positive, ExtremeCloud IQ Site Engine authorizes the end-system with network access by assigning a designated policy role or VLAN on the switch port to which the end-system is connected. If the result of the security assessment is negative, ExtremeCloud IQ Site Engine restricts network access by assigning the user or device to a Quarantine policy role or VLAN on the switch port until the end-system is remediated and brought into a compliant state. If the result of the authentication is negative, ExtremeCloud IQ Site Engine can deny all network access for the endpoint as an invalid device or user on the network, setting the switch port to the unauthenticated state.

Depending on the engine model, the ExtremeControl Gateway provides either on-board (integrated) vulnerability assessment server functionality and/or the ability to connect to external assessment services, to determine the security posture of end-systems connecting to the network. (On-board assessment requires a separate license.)

The number of ExtremeControl Gateways you deploy on the network depends on the number of end-systems on the network. The following table displays the number of end-systems supported per ExtremeControl Gateway model. Use this table to help determine the number of gateways to deploy.

Model	Number of End‑Systems Supported	Notes
IA‑A‑20	6000	Configured ExtremeControl Features: Authentication and OS/Device Fingerprinting, but no Registration or Assessment.
	4500	Configured ExtremeControl Features: All features excluding Assessment.
	3000	Configured ExtremeControl Features: All features including Assessment.
IA‑A‑300	12000	Configured ExtremeControl Features: Authentication and OS/Device Fingerprinting, but no Registration or Assessment.
	9000	Configured ExtremeControl Features: All features excluding Assessment.
	6000	Configured ExtremeControl Features: All features including Assessment.
IA‑V	See Notes	The IA-V is used in conjunction with an ExtremeControl Enterprise license (IA-ES-12K).
NAC‑V‑20	3000	The NAC-V-20 is a virtual engine and requires an ExtremeControl VM license in the ExtremeCloud IQ Site Engine Server.
NAC‑A‑20	3000
SNS‑TAG‑ITA	3000
SNS‑TAG‑HPA	3000
SNS‑TAG‑LPA	2000

It is important to configure ExtremeControl Gateway redundancy for each switch. This is achieved by configuring two different ExtremeControl Gateway engines as a primary and secondary gateway for each switch. When connection to the primary gateway engine is lost, the secondary gateway is used. Note that this configuration supports redundancy but not load-sharing, as the secondary gateway engine is only used in the event that the primary gateway becomes unreachable. To achieve redundancy with load-sharing for two ExtremeControl Gateways, it is suggested that one half of the switches connecting to the gateways are configured with "ExtremeControl Gateway A" as the primary and "ExtremeControl Gateway B" as the secondary, and the second half are configured with "ExtremeControl Gateway B" as the primary and "ExtremeControl Gateway A" as the secondary. In this way, ExtremeControl Gateways are configured in redundant active-active operation on the network.

ExtremeControl VPN Deployment

Extreme Networks ExtremeControl provides out-of-band support for VPN remote access with specific VPN concentrators (see the Release Notes for a list of supported VPN concentrators). Out-of-band VPN support provides visibility into who and what is accessing the network over VPN. If RADIUS accounting is used, you also have the ability to determine who was on the network at any given time. In the VPN remote access use scenario, the VPN concentrator acts as a termination point for remote access VPN tunnels into the enterprise network. In addition, the Extreme Networks ExtremeControl Gateway engine is deployed to authenticate and authorize connecting end-systems on the network and implement network access control.

The process begins when the user's end-system successfully establishes a VPN tunnel with the VPN concentrator, and the VPN concentrator sends a RADIUS authentication request with the associated credentials to the ExtremeControl Gateway. The ExtremeControl Gateway proxies the authentication request to a backend authentication server (RADIUS or LDAP) to validate the identity of the end user/device or can authenticate with a local password repository within ExtremeCloud IQ Site Engine. If authentication fails, the ExtremeControl Gateway can deny the end-system access to the network by sending a RADIUS access reject message to the VPN concentrator.

After the end-system is authenticated, the ExtremeControl Gateway requests an assessment of the end-system, if assessment is configured. After authentication and assessment are complete, the ExtremeControl Gateway allocates the appropriate access control to the end-system based on authentication and/or assessment results. Access control can be implemented using one of two methods. With the first method, access control is applied directly at the VPN concentrator via RADIUS response attributes, if the VPN concentrator supports this. For example, with a Cisco ASA security engine, this can be accomplished by using the filter-ID response attribute to specify the name of a valid ACL.

With the second method, an Extreme Networks K-Series, S-Series, or N-Series device is added between the VPN's internal port and the internal network as a Policy Enforcement Point (PEP). This enables the ExtremeControl Gateway to provide a more granular access control mechanism using IP to Policy Mappings. This method must be used if you are implementing remediation on your network. If the end-system fails assessment, the ExtremeControl Gateway can apply a Quarantine policy on the PEP to quarantine the end-system. When the quarantined end user opens a web browser to any web site, its traffic is dynamically redirected to a Remediation web page that provides steps for the user to execute in order to achieve compliance. After executing the steps, the end user can reattempt network access and start the process again.

Access Control Tab Structure

The Access Control tab components are contained in three major navigation trees.

At the top are the following navigation trees:

• Engine Groups — Lists the ExtremeControl engines added to the selected engine group, the end-systems connected to those engines, the switches added to the Gateway engines in the engine group, and general information about the engine group.
• All ExtremeControl Engines — Lists all ExtremeControl engines added to ExtremeCloud IQ Site Engine, the end-systems connected to those engines, the switches added to the Gateway engines, and general information about the engine.
• ExtremeControl Configurations — Provides options to configure the end-user connection experience and control network access based on a variety of criteria including authentication.

ExtremeControl Configuration

The ExtremeControl Configuration lets you manage the end user connection experience and control network access based on a variety of criteria. The Access Control tab comes with a default ExtremeControl Configuration which is automatically assigned to your ExtremeControlengines. You can use this default configuration as is, or make changes to the default configuration, if desired.

The ExtremeControl Configuration determines what ExtremeControl Profile will be assigned to an end-system connecting to the network. It contains an ordered list of rules that are used by the configuration to assign an ExtremeControl Profile to a connecting end-system based on rule criteria. It also specifies the Default Profile which serves as a "catch-all" profile for any end-system that doesn't match one of the rules. By default, all end-systems match the Default Profile.

When an end-system connects to the network, the rules are evaluated in a top-down fashion, similar to the way an ACL would be evaluated. End-systems that do not match any of the rules are assigned the Default Profile.

Rule Components

The rules defined in an ExtremeControl Configuration provide very granular control over how end-systems are treated as they come onto the network. The following criteria can be used to define the rules used in your ExtremeControl Configuration:

• Authentication Type - for example, 802.1X or MAC authentication.
• End-System Groups - enables you to group together devices that have similar network access requirements or restrictions. For example, a list of MAC addresses, IP addresses, or hostnames.
• Device Type - enables you to group together end-systems based on their device type. The device type can be an operating system family, an operating system, or a hardware type, such as Windows, Windows 7, Debian 3.0, and HP Printers.
• Locations - enables you to specify network access requirements or restrictions based on the network location where the end user is connecting. For example, a list of switches, wireless devices, switch ports, or SSIDs.
• Time of Day - enables you to specify network access requirements or restrictions based on the day and time when the end user is accessing the network. For example, traditional work hours or weekend work hours.
• User Groups - enables you to group together end users having similar network access requirements or restrictions. For example, a list of usernames, an LDAP users group, or a RADIUS user group.

For more information, see the Manage Rule Groups window.

ExtremeControl Profiles

ExtremeControl Profiles specify the authorization and assessment requirements for the end-systems connecting to the network. Profiles also specify the security policies applied to end-systems for network authorization, depending on authentication and assessment results.

The Access Control tab comes with ten system-defined ExtremeControl Profiles:

• Administrator
• Allow
• Default
• Guest Access
• Notification
• Pass Through
• Quarantine
• Registration Denied Access
• Secure Guest Access
• Unregistered

If desired, you can edit these profiles or you can define your own profiles to use for your ExtremeControl Configurations. For more information, see the Manage ExtremeControl Profiles window.

AAA Configurations

The AAA Configuration defines the RADIUS servers, LDAP configurations, Entra IDs, and Local Password Repository that provide the authentication and authorization services for all end-systems connecting to your ExtremeControl engines. The Access Control tab comes with a default Basic AAA Configuration that ships with each ExtremeControlengine. You can use this default configuration as is, or make changes to the default configuration, if desired. For more information, see the Edit Basic AAA Configurations window.

Portal Configurations

If your network is implementing Registration or Assisted Remediation, the Portal Configuration defines the branding and behavior of the website used by the end user during the registration or remediation process. ExtremeControl engines are shipped with a default Portal Configuration. You can use this default configuration as is, or make changes to the default configuration, if desired. For more information, see Portal Configuration.

Access Policies

Access policies define the authorization level that the ExtremeControl assigns to a connecting end-system based on the end-system's authentication and/or assessment results. There are four access policies used in the Access Control tab: Accept policy, Quarantine policy, Failsafe policy, and Assessment policy. In your ExtremeControl Profiles, these access policies define a set of network access services that determine exactly how an end-system's traffic is authorized on the network. How access policies are implemented depends on whether your network utilizes ExtremeControl Controller engines and/or ExtremeControl Gateway engines.

For end-systems connected to EOS policy-enabled switches, ExtremeControl Gateway engines inform the switch to assign a policy role to a connecting end-system, as specified by the access policy. These policy roles must be defined in Policy tab and enforced to the EOS policy-enabled switches in your network.

For end-systems connected to RFC 3580-enabled switches, policy roles are associated to a VLAN ID. This enables your ExtremeControl Gateways to send a VLAN ID instead of a policy role to those switches using Tunnel RADIUS attributes.

For ExtremeControl Controller engines, authorization of the end-system is implemented locally on the ExtremeControl Controller engine by assigning a policy role to the end-system, as specified by the access policy. In this scenario, all policy roles must be defined in the ExtremeControl Controller policy configuration.

Here is a description of each the Access Control tab access policy, and some guidelines for creating corresponding policy roles in the Policy tab.

Accept Policy: The Accept access policy is applied to an end-system when it has been authorized locally by the ExtremeControl Gateway and when an end-system has passed an assessment (if an assessment was required), or if the Accept policy has been configured to replace the Filter-ID information returned in the RADIUS authentication messages. For EOS policy-enabled switches, a corresponding policy role (created in the Policy tab) would allocate the appropriate set of network resources for the end-system depending on their role in the enterprise. For example, you might associate the Accept policy in the Access Control tab to the "Enterprise User" role that is defined in the Policy tab demo.pmd file. For RFC 3580-compliant switches, the Accept access policy can be mapped to the Production VLAN. ExtremeControl Controllers are shipped with a default policy configuration that includes an Enterprise User policy role.

Quarantine Policy: The Quarantine access policy is used to restrict network access to end-systems that have failed assessment. For EOS policy-enabled switches, a corresponding Quarantine policy role (created in the Policy tab) should deny all traffic by default while permitting access to only required network resources such as basic network services (e.g. ARP, DHCP, and DNS) and HTTP to redirect web traffic for Assisted Remediation. For RFC 3580-compliant switches, the Quarantine access policy can be mapped to the Quarantine VLAN. ExtremeControl Controllers are shipped with a default policy configuration that includes a Quarantine policy role.

Failsafe Policy: The Failsafe access policy is applied to an end-system when it is in an Error connection state. An Error state results if the end-system's IP address could not be determined from its MAC address, or if there was an assessment error and an assessment of the end-system could not take place. For EOS policy-enabled switches, a corresponding policy role (created in the Policy tab) allocates a nonrestrictive set of network resources to the connecting end-system so it can continue its connectivity on the network, even though an error occurred in the ExtremeControl Solution operation. For RFC 3580-compliant switches, the Failsafe access policy can be mapped to the Production VLAN. ExtremeControl Controllers are shipped with a default policy configuration that includes a Failsafe policy role.

Assessment Policy: The Assessment access policy can be used to temporarily allocate a set of network resources to end-systems while they are being assessed. For EOS policy-enabled switches, a corresponding policy role (created in the Policy tab) should allocate the appropriate set of network resources needed by the Assessment server to successfully complete its end-system assessment, while restricting the end-system's access to the network.

Typically, the Assessment access policy enables access to basic network services (e.g. ARP, DHCP, and DNS), permits all IP communication to the Assessment servers so the assessment can be successfully completed (using destination IP address "Permit" classification rule), and HTTP to redirect web traffic for Assisted Remediation. For RFC 3580-compliant switches, the Assessment access policy can be mapped to the Quarantine VLAN. ExtremeControl Controllers are shipped with a default policy configuration that includes an Assessing policy role.

It is not mandatory to assign the Assessment policy to a connecting end-system while it is being assessed. The policy role received from the RADIUS server or the Accept policy can be applied to the end-system, enabling the end-system immediate network access while the end-system assessment is occurring in the background. In this case, the policy role or Accept policy (or the associated VLAN for RFC 3580-compliant switches) must be configured to permit access to the appropriate network resources for communication with the Assessment servers.

	NOTE:	The Assessment server sends an ICMP Echo Request (a "ping") to the end-system before the server begins to test IP connectivity to the end-system. Therefore, the Assessment policy role, the router ACLs, and the end-system's personal firewall must permit this type of communication between end-systems and Assessment servers in order for the assessment to take place. If the Assessment server cannot verify IP connectivity, the Failsafe policy is assigned to the end-system.

For more information, refer to the How to Set Up Access Policies Help topic.

Registration

The Extreme Networks ExtremeControl Solution provides support for Registration, a solution that forces any new end-system connected on the network to provide the user's identity in a web page form before being permitted access to the network, without requiring the intervention of network operations. This means that end users are automatically provisioned network access on demand without time-consuming and costly network infrastructure reconfigurations. In addition, IT operations has visibility into the end-systems and their associated users (e.g. guests, students, contractors, and employees) on the network without requiring the deployment of backend authentication and directory services to manage these users. This binding between user identity and machine is useful for auditing, compliance, accounting, and forensics purposes on the network.

End-system or user groups can be configured to exempt certain devices and users from having to register to the network, based on authentication type, MAC address, or user name. For example, a end-system group for the MAC OUI of the printer vendor for the network can be configured to exempt printers from having to register for network access.

The Registration solution has minimal impact on the end user's experience by initially redirecting guests, contractors, partners, students, or other pre-defined end users to a web page for registering their end-system when it is first connected to the network. After successful registration, the end-system is permitted access, and possibly assessed for security posture compliance checking, until the registration is administratively revoked.

Registration is supported on ExtremeControl Gateway engines and/or Layer 2 ExtremeControl Controller engines. (Registration is not supported on the Layer 3 Identity and Access Controller engines.) Registration provides flexibility in implementation by offering the following capabilities:

• Determine "valid" end users by prompting each end user for a username with additional information such as full name and email address, or a username and password (for example, email address and student ID number) which can be validated against an existing database on the network.
• Enable end users to register to the network when approved by a "sponsor" who is an internal trusted user to the organization. This is referred to as "Sponsored Registration." With sponsored registration, end users are only permitted to register to the network when approved by a sponsor. Sponsorship can provide the end user with a higher level of access than just guest or web access and enables the sponsor to fine-tune the level of access for individual end users.
• Configure the introductory message for the Registration web page (displayed to end-systems before registering to the network) to state that the end user is agreeing to the Acceptable Use Policy for the network upon registering their device. 
• Specify the maximum number of registered MAC addresses per user.
• Control areas on the network where Registration is enabled.
• Provide a web-based administrative interface served over HTTPS where registrations can be viewed, manually added, deleted, and modified by administrators and sponsors without requiring access to the Access Control tab.

The Extreme Networks ExtremeControl Solution utilizes a Registration Web Server installed on the ExtremeControl engine to provide this registration functionality to end-systems. Note that an ExtremeControl engine can implement both assisted remediation and registration concurrently.

There are specific network configuration steps that must be performed when using Registration in your ExtremeControl Solution. In addition, you must configure Registration in the Access Control tab.

How Registration Works

Here is a description of how Registration works in the Extreme Networks ExtremeControl (ExtremeControl) Solution:

• An unregistered end-system attempts to connect to the network and is assigned the unregistered access profile without being assessed by the ExtremeControl engine. For example, if connected to a Layer 2 ExtremeControl Controller, the end-system can be assigned to the "Unregistered" policy as defined in the ExtremeControl Controller's default policy configuration. If connected to an EOS policy-enabled switch, the end-system can be assigned to the "Unregistered" policy as defined in the ExtremeCloud IQ Site Engine Policy tab and enforced to the policy-enabled switches. Or, if connected to an RFC 3580-compliant switch, the end-system can be assigned to the "Unregistered" VLAN.
• The user on the unregistered end-system opens up a web browser to any URL and is redirected to the Registration Web Page served by the ExtremeControl engine.
• The end user registers its end-system on the network by entering information such as username, full name, email, and possibly a password or sponsor's email address into the Registration Web Page, and selecting the "Complete Registration" button.
• The Registration Web Server assigns the end user to an end-system group based on the Registration Behavior configured in the ExtremeControl Configuration. 
• The end-system is then automatically re-authenticated to the network by the ExtremeControlengine. Upon re-authentication, the end-system is authenticated, assessed, and authorized as defined by the profile specified in the ExtremeControl Configuration for the newly registered system. If the profile specifies to assess the end-system, an assessment of the end-system takes place at this time.

Assessment

The Extreme Networks ExtremeControl Solution integrates with assessment services to determine the security posture of end-systems connecting to the network. It uses assessment servers to assess and audit connecting end-systems and provide details about an end-system's patch levels, running processes, anti-virus definitions, device type, operating system, and other information critical in determining an end-system's security compliance. End-systems that fail assessment can be dynamically quarantined with restrictive network access to prevent security threats from entering the network.

When an assessment is performed on an end-system, a Health Result is generated. For each health result, there can be several Health Result Details. A health result detail is a result for an individual test performed during the assessment. Each health result detail is given a score ranging from 1 to 10, and based on this score, the health result is assigned a risk level. The Access Control tab uses this risk level to determine whether or not the end-system will be quarantined.

In addition, assessment tests are assigned a scoring mode which determines whether the resulting health result detail is applied towards the quarantine decision, or is used only for informational or warning purposes. Informational health result details can be used to gather information about the security risks on your network, while warning health result details enable you to notify end users when they have security risks that should be remediated. Informational or warning health result details have scores, however these health result details do not impact the end-system's overall risk level.

The Access Control tab lets you create multiple assessment configurations that can define different assessment requirements for end-systems. Assessment configurations define the following information:

• What assessment tests to run (determined by the selected test sets).
• What resources to use to run the tests (determined by the selected Assessment Resources).
• How to score assessment results (determined by the selected Risk Level and Scoring Override configurations).

Test sets let you define what type of assessment to execute, what parameters to pass to the assessment server, and which assessment server resources to use. The Access Control tab provides three default test sets; one for each type of assessment agent that is either supplied or supported by the Access Control tab. You can use these default test sets "as is" or edit them, if desired.

When you define your assessment server resources for a test set, you can specify to balance the assessment load between your all your assessment servers, or, you can specify an assessment server pool. For example, if you have four Nessus assessment servers, you can put server A and server B in server pool 1, and server C and server D in server pool 2. Then, in your test set configuration you can specify which server pool that test set should use.

You can use risk level and scoring override configurations to define how each assessment configuration will interpret an end-system's health results. The risk level configuration determines what risk level is assigned to an end-system (high, medium, or low) based on the end-system's health result details score. The scoring override configuration lets you override the default score and scoring mode assigned to a particular assessment test ID.

After you have defined your assessment configurations, they are available for selection when creating your ExtremeControl Profiles. In addition, the Access Control tab provides a default assessment configuration that is already set up with default assessment parameters and is ready to use in your ExtremeControl Profiles.

Before beginning to configure assessment on your network, read through the following information presented in the Access Control tab online Help.

• How to Set up Assessment - Provides information on the steps that must be performed in the Access Control tab prior to deploying assessment on your network, including managing your assessment servers and adding external assessment servers. It also includes basic information on how to use the default assessment configurations provided by the Access Control tab, and enable assessment for your ExtremeControl Configuration.
• ExtremeControl Assessment Phased Deployment Guide - This guide describes the phased approach to introducing assessment into your ExtremeControl deployment using Informational, Warning, and Quarantine assessment. The guide also provides information on the Access Control tab tools that can be used to monitor and evaluate assessment results, and diagnose and troubleshoot problems.
• How to Configure Assessment - Provides step-by-step instructions for configuring assessment using the phased approach described in the ExtremeControl Assessment Phased Deployment Guide. Instructions are provided for configuring phased assessment using agent-less or agent-based assessment, or a combination of both.
• How to Deploy Agent-Based Assessment - If you are deploying agent-based assessment, this Help topic provides the configuration steps specific to deploying agent-based assessment in a Windows and Mac network environment. It includes instructions for configuring agent deployment and provides information about the agent icon and notification messages that appear on the end-user's system. It also includes instructions on performing a managed deployment or installation of the agent.
• How to Set Up Assessment Remediation - Because Warning and Quarantine assessment provides end-system remediation, you must enable remediation for your ExtremeControl Configuration. This Help topic provides the specific steps that must be performed when setting up assisted remediation in your network.

Assessment Remediation

Remediation is a process that informs end users when their end-systems have been quarantined due to network security policy non-compliance, and enables end users to safely remediate their non-compliant end-systems without assistance from IT operations. The process takes place when an end-system connects to the network and assessment is performed. End users whose systems fail assessment are notified that their systems have been quarantined, and are instructed in how to perform self-service remediation specific to the detected compliance violation. After the remediation steps have been successfully performed and the end-system is compliant with network security policy, the appropriate network resources are allocated to the end-system, again without the intervention of IT operations.

The Extreme Networks ExtremeControl Solution implements local Remediation Web Server functionality to provide web notification to end users indicating when their end-systems are quarantined and what remediation steps the end user must take. The Remediation Web Server is installed on the ExtremeControlengine.

There are specific network configuration steps that must be performed when using assisted remediation in your ExtremeControl Solution. In addition, you must configure assisted remediation in the Access Control tab. For more information, see How to Set up Assessment Remediation and Portal Configuration Help topics.

How Remediation Works

Here is a description of how assisted remediation works in the Extreme Networks ExtremeControl Solution:

• An end-system connects to the network (where assessment has been configured) and is authorized with the level of network access defined by the Assessment access policy configuration.
• The end-system is assessed by the assessment server for security threats and vulnerabilities.
• When the end-system opens a web browser to any web site, the HTTP traffic is redirected to the ExtremeControl engine and a web page indicating that the end-system is currently being assessed is displayed.
• When the assessment is complete, the assessment server sends the results to the ExtremeControl engine. If the end-system failed assessment, the end-system is authorized with the level of network access defined by the Quarantine access policy configuration.
• When the quarantined end user opens a web browser to any web site, its traffic is dynamically redirected to the ExtremeControlengine.
• The ExtremeControl engine returns a web page formatted with self-service remediation information for the quarantined end-system. This web page indicates the reasons the end-system was quarantined and the remediation steps the end user must take.
• After taking the appropriate remediation steps, the end-user selects a button on the web page and attempts to reconnect to the network. A re-assessment of the end-system is initiated. If the end-system is now compliant with network security policy, the ExtremeControl engine authorizes the end-system with the appropriate access policy. If the end-system is not compliant, the Quarantine access policy is again utilized to restrict the authorization level of the end-system and the process starts again.
• After a specified number of attempts and/or maximum time to remediate have expired, the end user can be redirected to a web page requiring them to contact the helpdesk for further assistance, and a notification is sent to the helpdesk system with information regarding the non-compliant end-system.

End-System Zones

The Access Control tab end-system zones enable you to group end-systems into zones, and then limit an ExtremeCloud IQ Site Engine user’s access to ExtremeCloud IQ Site Engine end-system information and configuration based on those zones.

End-system zones are configured and managed in the Access Control tab, and are enforced for ExtremeCloud IQ Site Engine end-system information and configuration.

When an end-system authenticates to the network, ExtremeControl rules are used to assign an ExtremeControl profile and an end-system zone to the end-system. This enables you to use a variety of rule components (such as End-System Groups, Location Groups, and User Groups) to determine which zone an end-system should be assigned to.

You can create any number of end-system zones in your network. An end-system can only be assigned to one zone (but does not have to be assigned to a zone). You can view which zone an end-system is currently assigned to in the end-systems table in the Access Control tab in ExtremeCloud IQ Site Engine.

A user's authorized zones are determined by their ExtremeCloud IQ Site Engine user group membership. User groups are created and configured in the ExtremeCloud IQ Site Engine Authorization/Device Access Tool (accessed from the Tool menu), and authorized zones are assigned to each user group in the Access Control tab.

In addition to using end-system zones, you can also limit a user’s access to ExtremeCloud IQ Site Engine operations by assigning authorized rule groups. Whenever a user initiates a change to a rule group, such as adding or removing an end-system to or from a group, a check is performed to verify that the user is authorized to change that rule group. Similar to end-system zones, a user's authorized rule groups are determined by their ExtremeCloud IQ Site Engine user group membership.

A third component that should be taken into consideration is the ability to limit user access to ExtremeCloud IQ Site Engine using authorization group capabilities. For example, you can assign a user group the ExtremeCloud IQ Site Engine End-Systems Read Access capability to enable read-only access to ExtremeCloud IQ Site Engine end-system information, and use end-system zones to limit which end-systems can be viewed. You can assign a user group the ExtremeCloud IQ Site Engine End-Systems Read/Write Access capability to enable the ability to modify rule groups, and use rule group authorization to limit which rule groups the user can perform these operations on.

Capabilities are assigned to user groups using the Authorization/Device Access Tool. The Netsight Administrator group is always assigned all capabilities.

For more information, see Authorization Group Capabilities.

End-System Zone Use Cases

Here are several network scenarios where using end-system zones could be beneficial.

• A Service Provider with multiple tenants. If a service provider serves multiple tenants and each tenant has a clearly delineated set of switches, user access can be configured to enable each tenant's IT staff to only view the end-systems connecting to their own switches.
• A large enterprise with network administrator groups. In a large enterprise where specific groups of network administrators are responsible for specific groups of switches on shared engines, user access can be configured so that each administrator can view reports and other information only for their switches and end-systems.
• A large business segmented by business function. In a large enterprise where division of control is not closely tied to switches or engines, user access can be configured so that administrators only have the ability to view and manage the appropriate end user groups.

In each of these scenarios, a restricted set of authorization group capabilities must be used to prevent users from viewing and accessing information that does not pertain to their area.

Enforcing

In the Access Control tab, enforcing means writing ExtremeControl configuration information to one or more ExtremeControl engines. Any time you add or make a change to the ExtremeControl Configuration, the engines need to be informed of the change through an enforce, otherwise the changes do not take effect. When an engine needs to be enforced, the Enforce icon   displays on that engine in the left-panel tree.

To enforce, use the Enforce All button in the Enforce menu  at the bottom of the left-hand panel which writes the information to all the ExtremeControlengines. You can enforce to an individual engine or engine group by selecting the Enforce menu and selecting Selection.

TIP:

For a preview of ExtremeCloud IQ Site Engine is enforcing/updating on an individual engine, right-click the engine and choose Enforce Preview from the menu. The Access Control Engine Enforce Preview window displays, which indicates the information changing.

The enforce operation is performed in two stages: first an engine configuration audit is performed and then the actual enforce to engines is performed.

The configuration audit takes place automatically after you start the enforce operation. It looks for a wide-range of engine configuration problems including a review of the ExtremeControl Configuration, ExtremeControl Profile, rule configuration, AAA configuration, and portal configuration. The audit results are displayed in the Enforce window, enabling you to view any warning and error information. To see warning or error details, use the + icon in the left column to expand the Details information (as shown below) or select Show Details to open the information in a new window.

If you choose to correct any problems at this point, you must close the Audit Results window. When you have made your changes, select the Enforce All button to start the enforce operation and perform a new audit.

From the Enforce window, you can select the Enforce All button to enforce all engines, or use the checkboxes in the Select column to select some of the engines to enforce and select the Enforce button. In order for the enforce operation to be carried out, none of the selected engines can have an error associated with it. Even if one of the selected engine has passed the audit, it will not be enforced if other selected engines have errors.

If none of the selected engines have errors, but a selected engine has a warning associated with it, you are given the option to acknowledge the warning and proceed with the enforce anyway. When you acknowledge the warning and select OK, the enforce is performed.

TIP:

If there are warning messages that are regularly displayed during Enforce engine audits, you can use the Enforce Warning Settings to specify that these messages should be ignored and not be displayed.

The Enforce window displays the enforce operation status, as shown below.

Advanced Enforce Options

In the Enforce window, there are two Advanced enforce options available. The two options can be used for the following situations:

• Force Reconfiguration for All Switches - This option can be used if the switch RADIUS settings were manually changed via CLI or the Policy tab. Since Identity and Access does not reconfigure the switches every time there is an enforce, selecting this option forces reconfiguration of  RADIUS settings on all switches to ensure they are configured correctly.
• Force Reconfiguration for Captive Portal - During an enforce, captive portal settings are not enforced unless they have changed. You can use this option to force reconfiguration of the portal to ensure the state of the captive portal processes.

MAC Locking

MAC Locking lets you lock a MAC address to a specific switch or port on a switch so that the end-system can only access the network from that port or switch. If the end-system tries to authenticate on a different port or switch, it is rejected or assigned a specific policy based on an action that you specify when you create the MAC Lock. Access the Add MAC Lock window to set up your MAC Locks.

	NOTE:	MAC Locking to a specific port on a switch is based on the port interface name (e.g. fe.5.1). If a switch board is moved to a different slot in a chassis, or if a stack reorders itself, this name will change and break the MAC Locking settings.

Here are some examples of ways to use MAC Locking:

• A university might lock end-users on a specific floor in a dormitory to a switch that services that floor.
• A printer, server, or other end-system could be permitted network access only when it is connected to a port specified by IT operations. This prevents security issues that could result if the device was moved to a different area of the network.
• A company could lock an IP phone to a specific port on a switch. This would enable exact identification of the phone's location in case an emergency (911) call was placed from the phone.

	NOTE:	For ExtremeControl Controller Engines. -- On Layer 3 ExtremeControl Controllers, do not use MAC Locking to lock a MAC address to the Controller PEP IP address and a port on the PEP. You can however, lock a MAC address to the PEP IP and not the port, which would restrict movement of the MAC address away from the Layer 3 Controller. -- On Layer 2 ExtremeControl Controllers, a MAC address can be locked to the Controller PEP IP address and port, or just the PEP IP address, but this only controls the movement of the end-system between the downstream ports on the PEP (IP address and port) and not the actual edge of the network. -- On Layer 3 ExtremeControl Controllers, there can be cases where the Access Control tab cannot determine the MAC address of the connecting end-system (for example, DHCP is disabled and a firewall is enabled on the end-system, or the end-system is connecting through a VPN), and the MAC address for the end-system is displayed as "Unknown." In these cases, the MAC Locking feature is not supported.

Notifications

Notifications provide the ability for the Identity and Access tab to notify administrators or helpdesk personnel of important information through email, Trap, or Syslog messages. These notifications help administrators understand what is going on in their system on a real-time basis. For example, the Access Control tab could be configured to send a notification when a new end-system is learned on the network, when a MAC lock is violated, or when a new MAC address is registered on the network.