Get everything ready in your network
  • 25 Jul 2023
  • 2 Minutes to read
  • Contributors
  • Dark
    Light
  • PDF

Get everything ready in your network

  • Dark
    Light
  • PDF

Article summary

In order to make XTENDISE work in your network, we need you to do some configurations in your environment.

1. Install Windows Server

  1. Get ready a virtual/physical server with Windows 2016/2019/2022 standard edition and with minimum of 4x CPU, 12 GB RAM, 200 GB HDD. The server has to be joined to your Active Directory domain.
  2. Download the latest XTENDISE version on the server. The latest XTENDISE version can be found here.
Windows Server License

XTENDISE license does not include a Windows license. The customer is responsible for licensing of the Windows server

2. Configure Active Directory

  1. Create an service/user account in your Active Directory - This account will be used by the XTENDISE application to look up adminstrator accounts during authentication and authorization. You can reuse any existing service account with read only privileges.
  2. Create a group in Active Directory for XTENDISE administrators - Users in this group will be authorized in the application as Administrators
  3. Create a group in Active Directory for XTENDISE users (optional) - Users in this group will be authorized in the application as Users. User role is an optional role with limited privileges
User authorization

Please see more information about User Authorization in the Authentication and Authorization section

3. Configure ISE

  1. Enable ERS API
    ISE 2.X - Navigate to Administration -> System -> Settings -> ERS Settings-> ERS Setting for Primary Administration Node and enable ERS for Read/Write
    ISE 3.X - Navigate to Administration -> System -> Settings -> API Settings -> API Service Setting and enable ERS (Read/Write)

  2. Create API users - Navigate to Administration -> System -> Admin Access -> Administrators -> Admin Users and create two users:
    User ers-xtendise in the admin group ERS Admin
    User mnt-xtendise in the admin group MnT Admin

  3. Configure logging destination - Navigate to Administration / System / Logging / Remote Logging Targets and create a new logging destination with the following configuration:
    Name - XTENDISE
    Target Type - TCP syslog
    Host/IP address - XTENDISE IP address
    Port - TCP/1468
    Maximum Length - 8192
    Include Alarms For this Target - True
    Buffer Messages When Server down - True
    Leave other parameters in default

  4. Assign logging categories - Navigate to Administration -> System -> Logging -> Logging Categories and include the following categories: Failed Attempts, Passed Authentications, RADIUS Accounting, Administrative and Operational Audit

4. Configure Firewall rules

Configure the following fire rules.

SourceDestinationPortNote
XTENDISEDNS ServerUDP/53Communication to DNS server
ANYXTENDISETCP/80,443Access to the application
XTENDISEAD serverTCP/389,636Communication to AD
XTENDISEISE (Both PAN nodes)TCP/9060ERS API
XTENDISEISE (Both MnT nodes)TCP/443Monitoring API
ISE (All PSN nodes)XTENDISETCP/1468Logging for Live Log
XTENDISESwitchesTCP/22Communication to switches
XTENDISEANYICMPDevice Keepalive Feature
XTENDISESMTP serverTCP/25Email Notifications
XTENDISESYSLOG serverUDP/514External logging
Firewall rules

Please note that the table lists communication requirements. If there is no firewall or any filtering device in your internal network, this step can be omited.

5. Configure WLC

Update the WLC configuration to log the AP name in the Called-Station-ID field in RADIUS accounting messages based on the picture bellow.

image.png

When you are done with configurations in your network, please continue in Install XTENDISE