Configure RADIUS Server Certificates by EAP Group


ExtremeControl lets you store RADIUS server certificates in an EAP Group and then designate which RADIUS certificate is used for each tenant in your network based on incoming RADIUS attributes, such as User-Name, NAS-IP-Address, and Calling-Station-Id, instead of using the default RADIUS certificate for all tenants.

  NOTE: ExtremeCloud IQ Site Engine automatically generates alarms as the ExtremeControl Engine Internal Communications Server Certificate, the Captive Server Portal Server Certificate, the RADIUS Server Certificate, the AAA Configuration Truststore, and the ExtremeControl Engine Truststore approach their expiration date. ExtremeCloud IQ Site Engine generates a Notification alarm 30 days before expiring, a Warning alarm 7 days before expiring, and a Critical alarm when the certificate expires.

This topic provides information on how to perform the following:

Manage RADIUS Server Certificates by EAP Group for ExtremeControl Engines

To add, update, or delete a certificate for an EAP Group:

  1. Navigate to the Control > Access Control tab in ExtremeCloud IQ Site Engine.
  2. Expand the Engines tab in the left-panel tree.
  3. Expand Engine Groups to display the ExtremeControl engines in each group.
  4. Select an ExtremeControl engine. The Details right panel opens.

  5. In the RADIUS Certificates For EAP Groups field, select Update Certificates to open the Update RADIUS Certificate for EAP Group window.


    1. Drag and drop the certificate files that you want to add to the domain.
    2. Enter the name of the domain, and select the check boxes to indicate whether you want to include a password to access key files.
    3. Select OK.
    4. The Confirm New Certificate window opens.

    5. Select Yes to update the RADIUS server with the new server certificates.
  6. In the RADIUS Server Multiple Certificates field, select Delete Domain Certificates to open the Certificate Domain List window.


    1. Select the certificates you want to remove from the domain.
    2. Select Close.
    3. Confirm the delete by selecting Yes when prompted.

Configure Attribute EAP Group Mappings for ExtremeControl Engines

To configure the Attribute EAP Group Mappings:

  1. Navigate to the Control > Access Control tab in ExtremeCloud IQ Site Engine.
  2. Expand the Engines tab in the left-panel tree. The Details right panel opens.
  3. Expand Engine Groups in the left-panel tree to display the ExtremeControl engines in each group.
  4. Right-click an ExtremeControl engine in the left-panel tree.
  5. Select Attribute to EAP Group Mappings from the drop-down menu. The Attribute to EAP Group Mappings window opens.



     NOTE:

    You can also access the Attribute to EAP Group Mappings window from the Access Control tab in the right panel:

    1. Expand the Engines tab in the left-panel tree. The Details right panel opens.
    2. Select the Access Control Engines tab in the right panel.
    3. Right-click an ExtremeControl engine in the right panel table.
  6. Select Add to open the right-panel, which includes additional fields that enable you to add the attribute to the EAP Group:


    1. Select the EAP Group from the drop-down list.
    2. Select the RADIUS Attribute from the drop-down list. Select from: User-Name, NAS-IP-Address, or Calling-Station-Id.
    3. In the Matching Expression field, enter an attribute expression that matches the RADIUS Attribute that you selected.

      The following table shows several examples of attribute expressions that match the RADIUS Attribute options:

      RADIUS Attribute      Matching Expression       Description
      User-Name             /^TestDomain\\\\/i        Matches any user-name that starts with TestDomain\ (case-insensitive)
      User-Name             /^host\//i                Matches any user-name that starts with host/ (case-insensitive)
      User-Name             /.*@TestDomain.com$/      Matches any user-name that ends with @TestDomain.com (case-sensitive)
      NAS-IP-Address        /^10.10.10.10$/           Matches the exact NAS-IP-Address of 10.10.10.10
      Calling-Station-Id    /^00-E0-2B-*/i            Matches any Calling-Station-Id that starts with 00-E0-2B (case-insensitive)



       NOTES:

      When constructing attribute expressions to enter into the Matching Expression field, note the following factors that affect whether your expression will be valid:

      Case sensitivity

      "Starts with" and "Ends with"

      Exact matches

      Forward slash (/) and backslash (\) characters

        

      Keep attribute expressions as simple as possible, and construct them by closely following the example formats provided.

      Always verify that the RADIUS server successfully restarts after you enforce any changes to these attribute expressions.

  7. Select Save. ExtremeCloud IQ Site Engine validates matching expressions when you select Save, but in some cases an attribute expression is not validated. Depending on the error, you might be able to determine what failed from /var/log/radius/radius.log.
  8. Select Close to add the attribute to the EAP Group mappings.
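
One way to check matching expressions offline before you save and enforce them, as an added example (not Extreme Networks code). It assumes the engine's matching behaves like standard regex semantics as approximated by Python's `re`, and that mappings are evaluated in order with the first match winning; the EAP group names and sample requests are constructed.

```python
import re

# Constructed mappings in the page's /pattern/flags format; the EAP group names
# are hypothetical. The TestDomain\ row is left out because how its backslashes
# are un-escaped before matching is product-specific.
MAPPINGS = [
    ("User-Name", r"/^host\//i", "machines"),
    ("User-Name", r"/.*@TestDomain.com$/", "testdomain"),
    ("NAS-IP-Address", r"/^10.10.10.10$/", "branch"),
    ("Calling-Station-Id", r"/^00-E0-2B-*/i", "vendor-macs"),
]

def compile_expression(expr):
    """Compile '/pattern/' or '/pattern/i'; raise ValueError if malformed."""
    m = re.fullmatch(r"/(.*)/(i?)", expr, re.S)
    if not m:
        raise ValueError(f"not in /pattern/ or /pattern/i form: {expr!r}")
    try:
        return re.compile(m.group(1), re.I if m.group(2) else 0)
    except re.error as exc:
        raise ValueError(f"invalid regex in {expr!r}: {exc}") from exc

def select_group(request, mappings=MAPPINGS, default="default"):
    """Return the EAP group of the first matching mapping (order is assumed)."""
    for attribute, expr, group in mappings:
        value = request.get(attribute)
        if value is not None and compile_expression(expr).search(value):
            return group
    return default

def overmatches(expr, must_not_match):
    """Return the values an expression accepts although a miss is expected."""
    rx = compile_expression(expr)
    return [v for v in must_not_match if rx.search(v)]

if __name__ == "__main__":
    for req in ({"User-Name": "HOST/pc01.testdomain.com"},
                {"User-Name": "alice@TestDomain.com"},
                {"User-Name": "alice@testdomain.com"},   # case-sensitive: no match
                {"Calling-Station-Id": "00-e0-2b-11-22-33"}):
        print(req, "->", select_group(req))
    # An unescaped "." matches any character, so this expression is looser than it looks.
    print(overmatches("/.*@TestDomain.com$/", ["alice@TestDomainXcom"]))
    print(overmatches(r"/.*@TestDomain\.com$/", ["alice@TestDomainXcom"]))
```

Escaping the dot as `\.` is standard regex syntax; if you tighten an expression this way, confirm that it saves and that the RADIUS server restarts after you enforce it.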

Enforce Your RADIUS Server Certificate for EAP Group Changes

To enforce your changes, choose one of the following:

Left-panel Tree:

  1. Right-click the engine in the left-panel tree.
  2. Select Enforce from the drop-down menu.

Access Control Tab:

  1. Select the Access Control Engines tab in the Details right panel.
  2. Right-click an ExtremeControl engine in the right panel table.
  3. Select Enforce from the drop-down menu.
