Nazaudy, a spark in your curious mind

Managing an Extreme Networks IQ Wireless

This article relates to configuration guidelines and best practices when managing an Extreme Networks IQ Wireless, an infrastructure technology that I just happen to have at my work place

In Extreme Networks you should really have only one Network Policy, and then use Classification Rules if you want to select which SSIDs will broadcast where, by assigned them to specific APs

These are the basic recommendations in a nutshell:

  1. Use a dedicated VLAN to manage the APs
  2. Consolidate SSID
  3. When RADIUS is in use, force machine-based authentication
  4. Enable WIPS
  5. Radio Profile Configuration
  6. Configure AP Template
  7. Access Control
  8. Categorise your VLANs as "trusted" and "untrusted"

 

Managing an Extreme Networks IQ Wireless

 

1.- Use a dedicated VLAN to manage the APs

The APs in Extreme Network should have their own dedicated VLAN, not shared with any other devices inside the network, this is so that they are able to communicate among themselves without any other traffic in that VLAN. The APs should also be using dynamic IP addresses instead of static, so you also need to have a DHCP Server setup for the dedicated management VLAN. Static IP address to manage AP is not best practice according to Extreme Networks, which really makes sense when you consider that your number of APs can grown considerably and you don't want to go around setting IPs on them

The APs generate lots of broadcast in the management VLAN, this is yet another reason as to why they should be managed in the own exclusive VLAN. In a "Hive" environment (Hive is a like a domain of APs), the AP choose what is called a King and Queen AP that they use to communicate constantly among themselves and all the other AP infrastructure

To choose the Management VLAN, visit Configure >> Network Policies >> Management & Native VLAN. In my example, I'm using the Management VLAN 40, which should be "untagged" in the port of where all APs are connected

Extreme Networks Management VLAN

 

Having a dedicated VLAN for your Extreme Network AP will have a positive impact in their performance

Just remember that you will need to open port UDP 12222, required for the AP to connect to the IQ Cloud as mentioned here: https://extremecloudiq.com/support/NL_GCP.html To check whether you actually have port UDP open or not, run this command on one of the AP, and look for the relevant port, if instead you see port 80, that means that port UDP 12222 has not been opened

 

 

2.- Consolidate SSID

A cool feature of Extreme Networks is that you can consolidate/combine the number of SSIDs that have the same authentication method (like for example a single password in WPA3 Access Security), and still have different passwords to access under the hood. This approaches reduces air time and management. In reality, WPA3 shouldn't be use any more, PPSK does everything that WPA3 does and much more. To start with the consolidation of your SSIDs that you WPA3 authentication, proceed as follows:

1) Create a single SSID and choose the authentication method to be Private Pre-Shared Key (PPSK)

Single SSID PPSK

 

2) Then scroll-down and start creating User Groups, where you can have up to 63 different user experiences for that single SSID, where each group can logon with their own independent password. On this screenshot I have creates some User Groups as an example, where some of them can be configured to have access to different VLANs where they can access different shares, etc

Extreme Networks User Groups example

3) Think of User Groups as the old SSIDs that you had under WPA3, once you have them defined, click on the "Add Users", where the User can be interpret as the old password in the old WPA3 SSID configuration. For example add a user under the "Guest" section, with their email, and a password to access the WiFi will be email to them. Once they enter the password to authenticate to the global SSID, Extreme Network will scan the password to find a match, and based on the match of the password, the access will be given. The access given by the match of the password is called "User Profile"

The "DeadEnd" is VLAN is the one that goes anywhere, and is use to match any non-matched passwords

4) Finally, configure the "Assignment Rules" where you match the relevant User Group with their relevant User Profile

An interesting question would be to find out how many devices are connected on each Group, once you deploy this policy you really will want to know

 

3.- When RADIUS is in use, force machine-based authentication

It is very likely that, in your corporate network, you have an SSID that uses 801.x authentication, in other words authenticating to a Domain Controller (DC) via a Network Policy Server (NPS) also called a RADIUS server. It is a common problem to use user-based authentication when an SSID is configure to use a RADIUS server, like for example you want your staff members to access internal resources an authenticate via Active Directory. If the machine belongs to AD, it is the machine the one that needs to be authenticated, and not the user. These are the problems with user-based authentication:

  • With user-based authentication, any of your users can bring their own device (full of viruses) and connect to your network using their AD credentials, effectively transferring the viruses to your share network
  • With user-based authentication, and even if you logon from a computer-joined AD, you are prompted as a user to accept the certificate use by the RADIUS. This vulnerability can be used by a hacker that can be outside the building broadcasting the same SSID of the corporate network and accepting any username+password from legitimate AD users, thus compromising your network, because users will never check the name of the certificate of the rogue SSID when accepting it. In summary, this security flaw can potentially results in users given their credentials away to a fake RADIUS server outside your premises instead of your corporate RADIUS server

Therefore, when 802.1x is in use, please stick to computer-based authentication. The initial problem is that this only works and is supported by Windows OS joined to the domain, for macOS they will have to use user-based authentication

For your internal network, you should have a dedicated server (on Failover mode) for DHCP. Unfortunately, the NPS service doesn't cluster, due to the need for each server to have a dedicated certificate name

To setup computer-based authentication, do as follows:

 

 

4.- Enable WIPS

In the Network Policy that you use for your APs, Wireless Intrusion Prevention System should be enable, this is so that you are aware and notified when anybody comes with a NetGear or hotspot enable device inside your premises; such devices will conflict with your internal Access Points, so it is good to have WIPS on to detect rogue access points and their interferences

Select Configure >> Common Objects >> Security >> WIPS Policies to start configuring your policy

WIPS

 

You will see the list of MAC OUI addresses that are permitted on the WLAN, that list is a bit (very much indeed) useless, because the APs in there don't display the DNS name that you have assigned to them, so it is hard to know whether those ones listed actually exist on your network or not, but you'll need to manually check that

Leave the "Rogue Mitigation" as Manual, so it is up to you to decide what to do with the rogue devices that are detected. Once you have WIPS enable in manual mode, you must periodically check for rogue APs and their clients on the heat map pages in your network hierarchy (on the Network 360 Plan tab of XIQ). Once you have a picture of what you have on your wireless network, you can enable the "Automatic" mode

 

5.- Radio Profile Configuration

Each Network Policy should contain AP template in Extreme Wireless, which in turn has a Radio Profile associated with it. To configure the Radio Profile, visit Configure >> Common Objects >>  Policy >> Radio Profile. Some of the most important things to know about the Radio Profile are the following:

  • Maximum Transmission Power; is the maximum power to which the AP operate
  • Maximum Power Floor, is the lowest to which the AP will operate, it cannot go lower than that unless you override the setting on the device
  • Maximum Power Max Drop, the AP scan the air by default every 10 minutes, and if it detects it is too loud, it will use this figure to start dropping its rate, in turn of every 10 minutes

For 5Ghz rage, set it like this:

Radio Profile running at 5GHz

For both ranges, and considering we are in the year 2024, it is good practice to denied access to 811.b devices, as they set the speed low for everybody else

In the 2.4GHz radio profile, enable Band Steering, setting it to Encourage the usage of 5GHz band. This is the power setting for the 2.4GHz range

Radio Profile running at 2.4 GHz

 

Enable the UNII-3 channels only when you know your client devices are all pretty new, otherwise if the AP set itself to one of those channels, an old device won't be able to connect to it

WiFi UNII-3 Channels

 

Note: Client and Load Balancing should be disabled in order to enable roaming. If you don't want roaming on your network, like on a theatre, you can enable these 2 settings,

  • Enable Client Transmission Power Control (802.11h) should be disable, because you don't really know what devices you have on your network, if all of them support 801.11h, then go ahead and enable this
  • Always tun on the "Use the Last Known power and channel during the AP boot up process", this is really handy and makes the AP boots quicker if for some reason you need to boot it during day time

Here are some screenshots of the Radio Profile configuration that I'm using on both ranges of 2.4GHz and 5GHz:

  • Background Scan = set every 10 minutes

Extreme IQX Background Scan

 

  • Dynamic Channel Switching = switch channels at night unless you have a maximum number of 50 clients connected

Dynamic Channel Switching

Other settings you can configure for both ranges under the Radio Profile are:

WiFi optimising Radio Usage

 

WiFi 6 in the Radio Profiles

This is where you configure WiFi6 settings for both ranges. "Don't confuse Wifi6 with Wifi 6E. Wifi 6 (802.11ax) uses both 2.4 and 5 Ghz Channels, but offers new features like OFDMA, MU-MIMO (UL) and some more, and while Wifi 6E is also 802.11ax with the same new features, it also offers the usage of 6 Ghz extended channels but only in certain countries. The WiFi6 features are:

  • MU-MIMO; improves capacity by allowing multiple devices to be served simultaneously through different spatial streams
  • OFDMA enhances efficiency by dividing bandwidth more granularly, enabling multiple devices to transmit or receive small amounts of data at the same time

 

 

Beamforming would be helpful for your outdoor areas, we'd just want to avoid it on the indoor APs if they're in a smaller space. It wouldn't really harm much, there just isn't a lot of benefit from beamforming in smaller areas, and it does take a little more of the APs processing to perform beamforming.

 

6.- Configure AP Template

To configure the templates, visit Configure >> Common Objects >>  Policy >> AP Template. If you don't use Multicast on your network, lower the rate on the template from the default 20,000 to 10,000 this will have a positive impact on the AP CPU and Memory Usage

 

7.- Enable Access Control

This is a feature inside the Network Profile that you should enable. In the event of your AP being off the network, with Access Control enable the AP will start broadcasting a unique SSID (AP_xxx) so that you can connect to it and fix it, saving you from using a console cable, laptop and a ladder in case the AP in in the ceiling. Work smarter, not harder

Another thing Extreme Wireless AP has, is that the support VPN (Layer 2 IPSec VPN Service), meaning that if you take an AP let's say to your home, and power it up, the AP (if all is configure correctly) will connect to your corporate wireless network on the cloud, and will start broadcasting the same SSID that you have in the office also at home

 

8.- Categorise your VLANs as "trusted" and "untrusted"

First of all, you need to categorise the number of VLANs that you have on your network between "trusted" and "untrusted" networks. The Server network should be "trusted" and the "BYOD" vlan should be of course "untrusted". For example, if you have your server VLAN as VLAN10 marked as trusted, but your VLAN13 (the WiFi for Staff, to give you an example) marked as untrusted, the traffic will need to be inspected every single time it crosses one way or another. Trusted VLANs should traverse each other instantly, without the traffic being inspected by the Firewall

To optimise traffic, the VLANs should really terminate on a Layer 3 core switch, leaving the firewall just to do firewall inspections traffic and not routing. With this design, if the firewall fails, the core network continues to work

You then create a point-to-point network, /32, with only 2 IP addresses on it, to allow the traffic between your core Layer 3 switches and your firewall. All the "untrusted" network should still terminate at the Firewall

  • Untrusted traffic should always be inspected, but trusted traffic nope. Why are we filtering (slowing in effect) trusted traffic?

Everything finishing at the Firewall, you can argue, is very secure, but unnecessary, looking more like a small network

 

Useful commands

Show ACSP Neighbor or Show ACSP Neighbor _sort rssi

 

Continuos tuning exercise to disable sticky clients

 

 

1- WiFi Concepts

In general, a higher wider range of 40 or 80 Mhz allow for better bandwidth and performance, but is more susceptible to interferences, therefore the channel width should be determine only after having a survey of the area in question

 

Wifi 6

Wifi5 was released in 2014 and its naming convention is 802.11ac, while Wifi6, released in 2019, has the name of 802.11ax

  • Wireless AX speed = 1,201 Mb/s
  • Wireless AC speed = 866 Mb/s
  • Wireless N speed = 150 Mb/s

Wifi5 users the 5Ghz frequency band only, while Wifi6 uses the 2.4Ghz and 5Ghz combined

Wifi6 is more efficient in handling multiple devices in crowded environments, in dense clients areas, providing better throughput; WiFi6 achieves that by using both 2.4 and 5 bands. In addition, a newly created 6Ghz band called Wifi 6e expands the channels availability

Target Wake Time; Wifi6 supports "target wake time", meaning it improves the battery life for connected devices

MU-MIMO (Multi-User, Multiple Input Multiple Output); it relates to the number of data channels that an AP can serve to a single device. In WiFi5 the MIMO was a 4x4, while in Wifi6 this has been expanded to 8x8 meaning the more devices can be communicated simultaneously, performing better when density devices is an issue

OFDMA (Orthogonal Frequency-Division Multiple Access); allows Wifi6 only to service multiple users packet per time segment, servicing clients simultaneously in the same frequency band rather than devices having to take terms when accessing the channel in previous Wifi generations

QAM (Quadrature Amplitude Modulation); this technical term was an integer of 256 in Wifi5, while in Wifi6 has been increased to 1024, meaning that WiFi6 can cope with more data in the same radio wave

Spatial Frequency Reuse (aka OBSS or BSS Coloring); with colour identifier, 2 AP Wifi6 enabled that are close to one another, can communicate in the same channel without causing interferences with other devices that are on the same channel but using a different colour

Beamforming; allows the AP to serve data in a specific area, instead of busting the data all around the unit

 

CLI Commands

List of useful CLI commands that you can execute in the APs while SSH do them

  • show system power mode
  • show system power usage
  • show system power status
  • show acsp neighbot # look at the RSSI (Receiving Signal Strengh Indicatior) column, we want to see -75 or lower, the closer to 0 this valu is , the loouder the AP and the more interference you'll experience
  • show int wifi0 _count
  • show int wifi1 _count # These commands check the health of your 2.4GHz and 5GHz radios respectively. CRC errors are usually related to environmental interference factors. These factors include mainly metal, glass, water, or large amounts of people. All of these factors tend to reflect, refract, or generally damage your signal, leading to more retries, which leads to slower WiFi speeds.

 

Follow this routine to capture package with WireShark:

https://extreme-networks.my.site.com/ExtrArticleDetail?an=000080183

 

Recommendations

Disable lower rates (802.11b)

Remove the lower rates from your radio, specially the legacy 802.11b; allowing devices to transmit at lower rates may increase the WiFi overhead by up to 40%. The drawback of disabling these lower rates is that the coverage area will get reduce, and clients that are far away from that AP won't be able to transmit at lower rates, but heyho, ce la vie!

However, remember that there is not a right answer for every scenario, so it all depends of the particular area where you're broadcasting

Turn off the 2.4GHz radio of alternate AP, especially from those ones which can work well at 5GHz

 

Customize clients optional settings: https://extreme-networks.my.site.com/ExtrArticleDetail?an=000080183 

Configure Voice Enterprise options: https://documentation.extremenetworks.com/XIQ/23r6/ug/GUID-B6550487-250C-4A0F-9CB4-1637F37C8BD0.shtml 

User 20Mhz channel bandwidth

For locations with many APs and a high densityh of client, and in order to avoid co-channel interferences, use always a channel width of 20Mhz

 

Enable QoS in the user profile

This is an interesting one, where the traffic should really be enable for QoS

 

 

https://docs.aerohive.com/330000/docs/help/english/ng/Content/gui/configuration/configuring-user-profile-qos-settings.htm

 

Channel Utilization

Enable this alert in Extreme IQ portal

References