Contents

Controlling Devices with TQ's AMF Application Proxy

Configuration Examples > Controlling Devices with TQ's AMF Application Proxy

---

---

Configuring TQ's AMF Application Proxy

In this section, this is an example of setting TQ's AMF Application Proxy Whitelist and AMF Application Proxy Blacklist.
Applications linked with AMF Application Proxy Blacklist use the UTM (Unified Threat Management) related functions of the AT-AR3050S/AR4050S of the AR router, and the action is set to quarantine (assign to the specified VLAN).

Note

AWC Plug-in configuration is common when using Drop Packets, quarantine, and log actions. Each action setting and VLAN ID setting for quarantine (when using quarantine action) are done in AMF Security. When using Redirect-URL Action is different from when using the above action, but the information to be set is described. The site for Redirect-URL Action uses the site of AMF Security. When using Redirect-URL Action, also refer to Settings when using Redirect-URL Action.

Note

Required licenses differ depending on the product, so check our website.

Note

Refer to Appendix / Configuring AT-AR3050S/AT-AR4050S for the AR router UTM-related functions that can be linked with AMF Security.

Note

In order to keep the recording date and time of logs etc. accurate and to operate various functions properly, it is recommended to set the system time of each product accurately. AMF Security obtains and uses the AT-VST-VRT system time. The AMF Security timezone is set in AMF Security, but the NTP synchronization destination is set in AT-VST-VRT.

This setting example assumes that TQ's dynamic VLAN is disabled. The differences in the settings when dynamic VLAN is enabled are explained in Note.
In addition, enable critical mode so that wireless terminals newly connected to AMF Security belongs to the VLAN ID set in the VAP when a failure such as a power failure occurs.

Note

TQ's AMF Application Proxy behaves differently during authentication depending on whether dynamic VLAN is disabled or enabled when WPA Enterprise is selected for security in VAP (multi-SSID) settings. Refer to Quick Tour / What is AMF Security > TQ's AMF Application Proxy / Behavior when using TQ dynamic VLAN.
Refer to Quick Tour / What is AMF Security > TQ's AMF Application Proxy / Behavior when using TQ dynamic VLAN.

Starting Configuration

Follow the flow below to configure settings when using TQ's AMF Application Proxy.

• Set the AMF Security IP Address in the system settings of AWC Plug-in
  
• Set AMF Application Proxy Server (AMF Security) information in the AP common settings/VAP (multi-SSID) settings of AWC Plug-in.
  
• Apply AP common settings to TQ with AWC Plug-in
  
• Set Vista Manager EX, TQ related information in AMF Security
  
• Set rules for UTM-related functions of AT-AR3050S/AR4050S used as an application linked to AMF Security
  
• Set Authentication Data for AMF Application Proxy Whitelist in AMF Security (policy, device)
  
• Settings for sending threat information detected by UTM-related functions to AR routers as syslog messages to AMF Security
  

Note

The AMF Application Proxy for TQ can be set from the AWC Plug-in (it cannot be done from the TQ management page).

Configuration

This setting example assumes the following configuration, but it is assumed that the basic settings for each product have been completed.

Main basic settings

• AR Router AR4050S
  PPPoE internet connection + firewall/UTM
  
• Vista Manager EX & AWC Plugin
  AMF network settings, wireless AP registration (created AP common settings have been applied to TQ)
  
• AMF Security
  Network Settings (IP Address settings)
  
• Switches
  AMF Master (L3 Switch), AMF Member (L2 Switch), VLAN for wireless terminal communication
  

AMF Security and Vista Manager EX/TQ/AR Router enable IPv4 communication regardless of whether they are on the same segment or another segment.

Note

For details on the settings of each product, refer to the document for each product.

Note

The AMF Master in this configuration uses a separate device instead of the AMF Cloud on AT-VST-VRT, but you can also use the AMF Cloud on AT-VST-VRT.

Note

For details on AT-VST-VRT basic settings (IP Address, static route settings, etc.), refer to the AT-VST-VRT document posted on our website.

Note

For details on AMF Security basic settings (application settings) performed with AT-VST-VRT, refer to the AT-VST-VRT document posted on our website.

Information on each product

Information for each product is listed below.

Setting information for each product

The information to be set for each product is shown below.

Note

The information to be set in the AWC plug-in and the information to be set in AMF Security are described when Drop Packets, Quarantine, and Log-Only actions are used, and when Redirect-URL Action is used. Refer to it according to the action to be used.

Note

Only 1812 is supported for AMF Application Proxy Server port number.

Note

Only 1812 is supported for AMF Application Proxy Server port number.

Note

Since AT-Vista Manager EX of AT-VST-VRT is used, specify the IPv4 Address of AWC Plug-in for "IPv4 Address of Vista Manager EX".

Note

"Quarantine/Redirect URL VLAN ID" in "Common Settings" is not used for Drop Packets and Log-Only actions, so leave it as default.

Note

Specify the action to be used for "OpenFlow/TQ Action".

Note

Since AT-Vista Manager EX of AT-VST-VRT is used, specify the IPv4 Address of AWC Plug-in for "IPv4 Address of Vista Manager EX".

Note

Since AT-Vista Manager EX of AT-VST-VRT is used, specify the IPv4 Address of AWC Plug-in for "IPv4 Address of Vista Manager EX".

Configuring AWC Plug-in

1. Set the IP Address of AMF Security to allow access.
   From the AWC Plug-in menu, click the "Edit" button for "System Settings" → "Permission Setting".
   The "Permission Setting (AMF Security WebAPI)" dialog is displayed.
   
   
2. Enter the AMF Security IP Address "192.168.1.30" in the Permitted IP Address, and click the "Add" button.
   
   
3. Confirm that the entered IP address "192.168.1.30" is displayed in the IP address field, and click the "Save" button.
   
   
4. Confirm that the set IP Address "192.168.1.30" is displayed next to the "Edit" button in "Permission Setting".
   
   
5. Set the AMF application proxy function information in the AP common settings assigned to the TQ.
   From the AWC plug-in menu, click "Wireless Settings" → "AP Common Setting".
   A list of AP common settings is displayed.
   
   

   Note

   AMF Application Proxy configures the VAP. Therefore, configure all VAPs that use AMF Application Proxy.

6. From the AP common settings list, click the "Details" button (magnifying glass icon) for the AP common settings you want to edit.
   
   
7. A detailed page for AP common settings is displayed. Click the "Edit" button in the upper right corner of the content field.
   
   
8. Select the wireless band to be set from the buttons at the top of the page.
   Here, select Radio 3.
   
   
9. Click the VAP to be set from the VAP list in the VAP (multi-SSID) settings, and then click Detailed Settings.
   
   
10. Select "AMF Application Proxy" in MAC Access Control.
    
    
11. Set AMF Application Proxy related information.
    Configure the following information when using Drop Packets, Quarantine, and Log-Only actions:
    

    Table 12: Information to set

    Item Name	Value
    AMF Application Proxy Server Primary IP Address	192.168.1.30
    AMF Application Proxy Server Primary Secret	password
    AMF Application Proxy Server port number	1812
    Critical mode	Enabled

    
    When using Redirect-URL Action, also refer to Settings when using Redirect-URL Action.
    
12. After setting the above information, click the "Save" button at the top right of the content field.
    Wait until the settings are reflected.
    
    When the setting is reflected, it returns to the detail screen of AP common setting.
    
    
13. Apply AP common settings to TQ.
    From AWC Plug-in menu, click "Wireless Settings" → "AP Registration/Settings".
    A list of wireless APs is displayed.
    
    
14. Check the checkboxes of the wireless APs "TQ5403-1" and "TQ5403-2".
    
    
15. Mouse over the spanner icon on the upper right of the content field and click "Manual Registration" from the displayed menu.
    
    
16. The "Apply Configuration" dialog is displayed, so click the "OK" button.
    
    
17. When the completion message is displayed, click the "Close" button.
    
    
    
18. Confirm that "Config Status" is "Latest".
    
    

AWC Plug-in configuration is complete.

Configuring AMF Security

1. Open the AMF > TQ Settings page to set the quarantine VLAN ID, Vista Manager EX, and TQ information.
   
   
2. Enter "250" for the quarantine VLAN in Quarantine/Redirect URL VLAN ID in Common Settings, and click the "Register" button.
   

   Note

   When using Drop Packets and Log-Only actions, proceed to step 4 because the default settings are not used. When using Redirect-URL Action, configure this setting in the same way as when using Quarantine Action. When using Redirect-URL Action, also refer to Settings when using Redirect-URL Action.

   
   
3. A confirmation dialog is displayed, so click the "OK" button.
   
   
   
4. Click the "Add" button in VistaManagerEX.
   The Edit VistaManagerEX dialog is displayed.
   
   
5. Set the information of Vista Manager EX.
   Set the following information:
   

   Table 13: Information to set

   Item Name	Value
   IPv4 Address of Vista Manager EX	192.168.1.20
   AWC Plug-in port number	5443
   Vista Manager EX Username	manager
   Vista Manager EX Password	TopSecret0!

   Note

   Since AT-Vista Manager EX of AT-VST-VRT is used, specify the IPv4 Address of AWC Plug-in for "IPv4 Address of Vista Manager EX".

   
   
6. After setting the above information, click the "Submit" button.
   A confirmation dialog is displayed, so click the "OK" button.
   
   
   
7. Click the "Add" button in the TQ List.
   The Edit TQ dialog is displayed.
   
   
8. Set TQ information.
   Set the following information:
   

   Table 14: Information to set

   Item Name	Value
   IPv4 Address of TQ5403-1	192.168.10.151
   Pre-Shared Key	password

   
   
9. After setting the above information, click the "Submit" button.
   A confirmation dialog is displayed, so click the "OK" button.
   
   
   
10. Set the second TQ in the same way as the first TQ.
    

    Table 15: Information to set

    Item Name	Value
    IPv4 Address of TQ5403-2	192.168.10.152
    Pre-Shared Key	password

    
    

    Note

    TQ Settings can be imported using a CSV file.
    For the format of the CSV file, please refer to References / AMF > TQ Settings.

    Setting up a linked application

11. Display the System Settings > Trap Monitor Settings page and set the rules for the AT-AR3050S/AR4050S's UTM-related functions used as linked applications.
    
    
12. Check the checkbox for "Enable the monitoring of traps from this host."
    
    
13. Set AR Router, Action, and Trap Action Target List information.
    Set the following information:
    

    Table 16: Information to set

    Item Name	Value
    Host Addresses	192.168.1.1
    OpenFlow/TQ Action	Quarantine
    Trap Action Target List	Check all

    
    When using Drop Packets or Log-Only actions, set "Drop Packets" or "Log-Only", and when using Redirect-URL Action, set "Redirect-URL". When using Redirect-URL Action, also refer to Settings when using Redirect-URL Action.
    

    Note

    Host Addresses is a setting to receive notifications only from the set IP Address.
    The target of trap monitoring here is all, but the linkage is the firewall/UTM set on the AR Router.
    For the functions that can be linked, refer to Appendix / Configuring AT-AR3050S/AT-AR4050S.

14. After setting the above information, click the "Submit" button.
    A confirmation dialog is displayed, so click the "OK" button.
    
    
    

    Registration of authentication information (policy)

15. Register the device (wireless terminal) authentication information.
    Open the Policy Settings > Network List page and click the "Add Network" button to open the Add Network page.
    

    Note

    If you select WPA Enterprise in the security of TQ's VAP (multi-SSID) settings, enable dynamic VLAN, and make the wireless terminal belong to the VLAN ID given by the RADIUS server on the WPA Enterprise side, no network policy setting is required.

    
    
16. To register VLAN100, enter Network ID and VLAN ID as follows and click the "Submit" button.
    

    Table 17: Information to set

    Item Name	Value
    Network ID	VLAN100
    VLAN ID	100

    
    
    
17. Register VLAN101 using the same procedure as for registering VLAN100.
    

    Table 18: Information to set

    Item Name	Value
    Network ID	VLAN101
    VLAN ID	101

    
    

    Registering Device

18. Registering Device
    Open the Devices > Device List page and click the "Add Device" button to open the Add Device page.
    
    
19. The first to be registered is "Device1".
    Enter "Device1" for Device ID.
    
    
20. After entering the device ID, click the "Add" button in the Interfaces column to open the Edit Interface dialog.
    
    
21. In the same dialog, enter the device's MAC Address "00:00:00:00:00:01" and click the "Submit" button.
    
    
    
22. Next, to specify the network to assign to the same device, click the "Add" button in the policies column to open the Edit Policy dialog.
    

    Note

    If you select WPA Enterprise for security in TQ's VAP (multi-SSID) settings, enable dynamic VLAN, and assign the wireless terminal to the VLAN ID given by the RADIUS server on the WPA Enterprise side, no policy setting is required.

    
    
23. In the same dialog, select the Network "VLAN100" to be assigned from the drop-down list, enter the Priority "10", and click the "Submit" button.
    
    
    
24. After entering the Device ID and adding Interfaces and Policies, click the "Submit" button.
    Return to the Devices > Device List page.
    
    
25. Register "Device2" in the same procedure as registering "Device1".
    

    Table 19: Information to set

    Item Name	Value
    Device ID	Device2
    Interfaces	00:00:00:00:00:02
    Policy Priority	10
    Policy Network	VLAN101

    
    

AMF Security configuration is done.

AR Routre Configuration

1. Use the log command to configure settings to send threat information detected by UTM-related functions to AMF Security as syslog messages.
   For the source IPv4 Address of syslog messages, specify the IPv4 Address set for the vlan1 interface.
   
   log host 192.168.1.30 ↓
   log host 192.168.1.30 level informational facility local5 ↓
   log host source vlan1 ↓
   

   Note

   The log date and time format set by the log date-format command can be used with either default or iso settings.

All product settings are complete.

Settings when using Redirect-URL Action

This section describes the settings when using Redirect-URL Action. When using this action, there are some settings that differ between the AWC Plug-in and AMF Security, unlike when using Drop Packets, Quarantine, and Log-Only actions. Some items are the same as Q actions Action, but the settings for each product are described.

Configuring AWC Plug-in

In the settings made with the AWC Plug-in, "Redirect-URL" and "External page URL" settings are added for VAP (multi-SSID).
Here, "External Page URL" specifies the site for AMF Security's Redirect-URL Action.
AWC Plug-in settings - "Wireless settings" → "AP common settings" → "VAP (multi-SSID) settings" → "Advanced settings"

Configuring AMF Security

In AMF Security, the following settings are items related to Redirect-URL Action.
Note that AMF / Redirect-URL Settings are site settings for AMF Security's Redirect-URL Action. This setting is not required when using other sites.

• AMF > TQ Settings
  
• System Settings > Trap Monitor Settings > Rules
  
• AMF > Redirect-URL Settings
  

Display example

AMF Security authenticates the wireless terminal connected to TQ based on the registered authentication information.
You can check the result of authentication on the Devices > Active Device List page.

When a wireless device is detected by the AR Router's UTM-related functions, the wireless device's information is registered on AMF Security and displayed on the Policy Settings > Action List page. At the same time, AMF Security queries AT-Vista Manager EX for the MAC Address based on the terminal information (IP Address), obtains the MAC Address of the wireless terminal held by the AWC Plug-in, and enables communication control. In the display below, the MAC Address of the wireless terminal is acquired and the IP Address and MAC Address are linked.

You can check the status of actions applied to wireless terminals on the Devices > Active Device List page.

Click the "Resume" button and then the "OK" button to release the action.

---

(C) 2024 Allied Telesis, Inc. All rights reserved.

C613-04175-00 Rev A

02 Aug 2024 15:10