Universal ZTNA

Universal Zero Trust Network Access of Extreme Networks combines the functions of a Network Access Control (NAC) system with Zero Trust Network Access (ZTNA).

Universal ZTNA of Extreme Networks
On this page, Kappa Data explains what Universal ZTNA means at Extreme Networks and shows how easily you can combine Network Access Control (NAC) with Zero Trust Network Access (ZTNA).

UZTNA, combination of ZTNA and NAC

On our Network Access Control (NAC) page, we explained the advantages and the control mechanisms for verifying the real identity of a user and granting that user access to specific parts of the network.

In this article, we go a step further. 

What if we add Zero Trust Network Access (ZTNA) to a NAC system?
On our ZTNA page we already explained the advantages of access to specific applications; when the identity is additionally verified, managed or revoked by a NAC system at a low per-user price, it becomes really interesting.

NAC + ZTNA = 3

It is 2024. Cybersecurity has become an integral part of our society, and many companies are therefore constantly shifting gears to raise their cybersecurity levels.


This year, NIS2 is also around the corner. It defines the boundaries within which a company must operate to comply with the cybersecurity measures imposed by governments.


This creates a big challenge for network/security engineers who have to set up environments so that everyone in the organisation can be connected to the necessary applications in a safe and efficient way, whether they are running on-prem or in the cloud.


Within this connectivity component, you face two challenges. On the one hand: how do I ensure that my on-site users connect to the network securely and in an authenticated way? On the other hand: how do I ensure that my users in any location (at home, at clients' premises, at the coffee shop, etc.) can securely connect to the required applications?


Solutions such as Network Access Control and Zero Trust Network Access already exist for the challenges above. The problem is rather that these are separate products, with no way to introduce a unified policy that solves both challenges and can be managed in one place.


As several vendors recognised this problem, a new term was introduced: Universal Zero Trust Network Access. Universal ZTNA ensures that one policy is introduced for users regardless of where they are located.

Universal ZTNA, however, is a term that different vendors interpret differently. Some vendors assume that, no matter where you are, you run a client that connects to a central point (full tunnel) and all network traffic passes through that tunnel.

Centrally, all traffic is inspected and processed according to a set of policies, and your traffic is then routed to the relevant network (IPsec, SaaS, ...). Other vendors instead adopt the principle discussed above, offering both a Cloud NAC and a ZTNA solution for remote workers.

In this article, we discuss Extreme Networks’ solution in more detail.

Extreme Networks recently added Universal ZTNA to its portfolio. This solution combines Cloud NAC for the campus with ZTNA for remote workers. Below we describe in more detail how the different solutions are put together and exactly what the unified policy looks like.

Cloud NAC

Extreme Cloud NAC Architecture

The diagram above shows how the Cloud NAC works and which components are present.

Within the Cloud NAC, there are several components:

  • Identity Providers: An Identity Provider is needed to import the users that will use the UZTNA solution. Within Cloud NAC, it is used as the backend authentication server for 802.1X RADIUS. A user connecting to the network (wireless or wired) is authenticated via the RADIUS service against the credentials known to the Identity Provider (Entra ID, Google Workspace, on-prem AD).
  • ExtremeCloud: within ExtremeCloud, you have two applications:
    • ExtremeCloud IQ: Extreme Networks' SaaS Network Management solution in which switches and access points are managed. For this solution, you configure the link between LAN/WLAN and the UZTNA Cloud NAC within ExtremeCloud IQ.
    • ExtremeCloud Universal ZTNA: This is the UZTNA application in which you configure all policies, rules, etc.
  • Campus: The campus switches and APs create a Radsec tunnel to ExtremeCloud, which processes the authentication and sends a response back. Some switches and APs send Radsec directly to ExtremeCloud; older switches and, later, third-party switches first send RADIUS to a local RADIUS proxy, which in turn sends Radsec to ExtremeCloud.

UZTNA - Application Access

The second component within UZTNA is application access. With it, you give remote workers access to applications, wherever they are located.
Extreme UZTNA Application Architecture

At ExtremeCloud, you have two applications:

  1. ExtremeCloud IQ
  2. Universal ZTNA

Application Access is also divided into the following parts:

  • Identity Provider: this is the same Identity Provider as discussed within Cloud NAC. The Identity Provider contains groups that you can use in policies to make certain applications available to a group of users.
  • Public SaaS Applications: These are applications where you can configure that they can only be used via a UZTNA connection. When a user connects via UZTNA, they can use the application, if they don’t have a connection to UZTNA they will be rejected. At the time of writing, these are: Mulesoft, Salesforce, Slack, G Suite, Splunk, Github, Atlassian, Dropbox and Zoom.
  • Remote Access: a user who has the UZTNA Agent on their device, with which they connect to ExtremeCloud. This is agent-based, or possibly also agentless.
  • ExtremeCloud: this is the Universal ZTNA application where the policies are defined. The Secure Tunnel Relay ensures that the connections coming in through the agents are sent to the right applications.
  • IaaS (Infrastructure as a Service): applications running in the Public Cloud (AWS, Azure, Google Cloud)
  • Data Center: applications running in a Private Data Center (a service connector is installed on the hypervisor)
  • Campus: Applications running on campus (a service connector is installed in the campus network)

UZTNA Policies

In the previous sections, we discussed connectivity. Of course, the most important thing about a ZTNA solution is defining Policies. Below, we will discuss step by step how to set up Universal ZTNA from Extreme Networks:

Extreme Universal ZTNA flow

Step 1

Home screen

UZTNA Home Screen
When we log into ExtremeCloud Universal ZTNA, we see a general screen that gives us insights into what is currently going on. Here you can see the health status of applications, service connectors and Radsec proxies, along with the general usage of applications made available through Universal ZTNA.

Onboarding

Extreme UZTNA onboarding home
Via "Onboarding" you get a wizard to generate policies and perform underlying NAC and Application configuration. In this case, we choose "Secure Hybrid Access" because we want to introduce a policy that applies to our on-site employees as well as remote employees.

Definition IDP

Extreme UZTNA Onboarding step 1 IDP definition
We don't have an IdP defined yet, so we will define it here. One option is ExtremeCloud Universal ZTNA itself (for when you have no IdP; for now this only applies to Application Access, not Cloud NAC). In this case, we choose Entra ID.

Integration Entra ID

Extreme UZTNA Integration Entra-id
Next, we get the screen to set up the integration with Entra ID. We create an App registration within Entra ID and configure it with the appropriate values so that there is a connection between Entra ID and ExtremeCloud UZTNA. Since Cloud NAC cannot support MFA, we need to create a Conditional Access rule within Entra ID that bypasses MFA for that specific application. You can then set up a SCIM sync by creating an Enterprise Application in Entra ID so that all groups and users are automatically synced between UZTNA and Entra ID.

Import users by SCIM

Extreme UZTNA integration users with SCIM
When SCIM completes, you will see that the users have been successfully imported.

Adding Devices

Extreme UZTNA Adding users
Now we can add Devices. Devices are MAC addresses that we want to authenticate against the Cloud NAC via MAC-based authentication.

Definition User Groups

Extreme UZTNA definition user groups
Next, we can start creating User Groups in which our users are located.

Definition Device Groups

Extreme UZTNA Definition Device Groups
And finally, Device Groups in which we place our devices.

Step 2

Adding resources

Extreme UZTNA adding Resources
Now it's time to start adding resources. You can see right away that the Sites from ExtremeCloud IQ have been imported within ExtremeCloud Universal ZTNA.

Deploy Service Connector

Extreme UZTNA deploy service connectors
Next, we can start deploying a Service Connector. A Service Connector is a piece of software that ensures there is a tunnel between the network in which the application you want to make available lives, and ExtremeCloud.

Choosing name of Service Connector

Extreme Universal ZTNA choosing name service connector
You choose a name for the Service Connector you want to deploy.

Choose Deployment method

Extreme Universal ZTNA Choose deployment method Service connector
Next, you choose the deployment method: run the service connector in a Docker container, as a package on a Linux machine, or as a dedicated virtual machine via an OVA provided by Extreme Networks.

Status Service Connector

Extreme Universal ZTNA Status Service connector
Once it is installed, you will see the status "Up".

Installation Radsec

Extreme Universal ZTNA installation Radsec
Now we can optionally install the Radsec proxy.

Command Radsec for Linux

Extreme Universal ZTNA deployment Radsec command Proxy on Linux
After installing it, you will also see the command to run on a Linux machine to deploy the Radsec proxy.

Successful deployment Radsec

Extreme Universal ZTNA status installation Radsec Proxy on Linux
Again, we see it reporting that it has been successfully deployed and is in the "running" state.

CloudNAC & UZTNA connection

Extreme Universal ZTNA connection between Extreme CloudNAC and UZTNA
Within the devices, we see the APs and/or switches currently eligible to communicate with the Cloud NAC. This list is also synced between ExtremeCloud IQ and UZTNA. Currently, the APs still communicate with a Radsec proxy, so the SSID is configured with the Radsec proxy as its RADIUS server.

Connection successful

Extreme Universal ZTNA checkup connection CloudNAC and UZTNA
Check the connection between Extreme CloudNAC and UZTNA

Step 3

Definition Applications

Extreme Universal ZTNA definition applications
In the next step, we can define the applications we want to make available through UZTNA.

Choice of Site Engine

Extreme Universal ZTNA installation Site Engine
In this case, we will make a Site Engine available through UZTNA.

Adding application & monitoring

Extreme Universal ZTNA adding application and monitoring
The application is added and also monitored for uptime.

Adding Application to group

Extreme Universal ZTNA adding application to application group
We add the application to an application group. We can then use this group further in the policies.

Step 4

Definition Hybrid Policy

Extreme Universal ZTNA Define Hybrid policy

Now it is time to start defining a hybrid policy. We will now create this one specifically for the Solution Engineers group.

In it you define a number of things:

  • Name of the policy
  • User group
  • Device group
  • Application group
  • Network (VLAN or Fabric I-SID)
  • Network resource group (certain IP/subnet/port combinations to be blocked)

Adding Hybrid Policy

Extreme Universal ZTNA Adding Hybrid policy
Extreme Universal ZTNA Hybrid Policy Conditions
Adding Hybrid Policy and applying conditions

Adding Hybrid Policy

Extreme Universal ZTNA Hybrid policy create service connector
Extreme Universal ZTNA Hybrid Policy create Service network
With this, the first hybrid policy has been created, a service connector and a Radsec proxy have been installed, a first application has been created and Cloud NAC rules have been added.

Conditions

There is also a form of Conditional Access for Cloud NAC built into UZTNA. That way, access can be denied/allowed based on:

  • Location
  • Time
  • Authentication (EAP-TLS, EAP-TTLS, MBA,…)

Device Posture

Access to applications can be denied if the agent detects that the device does not meet the configured posture requirements.

Extreme Universal ZTNA Device posture

Mobile Device Management (MDM)

There is also an integration with Microsoft Intune so you can only give compliant devices access via UZTNA.

Extreme Universal ZTNA MDM
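To make the policy model of the previous sections concrete (the hybrid policy fields, the Cloud NAC conditions, device posture and MDM compliance), here is an added illustrative decision function in Python. It is not Extreme Networks' code or API; the group names, field names and sample values are all constructed for this example.

```python
# Added illustrative model of a UZTNA hybrid policy decision. This is NOT Extreme
# Networks' code or API; group names, fields and sample data are constructed.
from dataclasses import dataclass

@dataclass
class HybridPolicy:
    name: str
    user_groups: set            # user groups synced from the IdP (e.g. via SCIM)
    device_groups: set          # device groups (MAC-based devices) for Cloud NAC
    application_group: str      # application group made available via UZTNA
    network: str                # VLAN or Fabric I-SID assigned to campus sessions
    allowed_auth: set           # Cloud NAC condition: EAP-TLS, EAP-TTLS, MBA, ...
    allowed_locations: set      # condition: where the request may come from
    hours: tuple = (0, 23)      # condition: allowed hours of day (inclusive)
    require_posture: bool = True  # remote access: agent posture + MDM compliance

@dataclass
class AccessRequest:
    user_group: str
    device_group: str
    application_group: str
    origin: str               # "campus" (802.1X/MBA via Cloud NAC) or "remote" (UZTNA agent)
    auth_method: str          # campus: EAP-TLS / EAP-TTLS / MBA; remote: "agent"
    location: str
    hour: int
    posture_ok: bool = True   # result of the agent's device posture check
    mdm_compliant: bool = True  # compliance state reported by the MDM (Intune)

def evaluate(policy: HybridPolicy, req: AccessRequest) -> tuple:
    """Return (decision, detail): a campus session is placed in the policy's
    network, a remote session gets access to the policy's application group."""
    if req.user_group not in policy.user_groups:
        return ("deny", "user group not in policy")
    if req.device_group not in policy.device_groups:
        return ("deny", "device group not in policy")
    if req.application_group != policy.application_group:
        return ("deny", "application group not in policy")
    if req.location not in policy.allowed_locations:
        return ("deny", f"location {req.location} not allowed")
    if not policy.hours[0] <= req.hour <= policy.hours[1]:
        return ("deny", "outside allowed hours")
    if req.origin == "campus":
        if req.auth_method not in policy.allowed_auth:
            return ("deny", f"auth method {req.auth_method} not allowed")
        return ("allow", f"network {policy.network}")
    # remote: the same policy applies, but posture and MDM compliance gate access
    if policy.require_posture and not (req.posture_ok and req.mdm_compliant):
        return ("deny", "device posture or MDM compliance check failed")
    return ("allow", f"application group {policy.application_group}")

# Constructed sample: a policy for the Solution Engineers group from the walkthrough
SE_POLICY = HybridPolicy("SE-Hybrid", {"Solution Engineers"}, {"Corporate laptops"},
                         "Site Engine", "VLAN 100", {"EAP-TLS"}, {"HQ", "remote"}, (7, 20))
```

The same policy object answers both a campus 802.1X request (with a VLAN) and a remote agent request (with application access), which is the "one policy regardless of location" idea from the start of the article.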

Switch Configuration

Within ExtremeCloud IQ, you can select the “Instant Secure Port” to make the switch port a “NAC” port. This way, Radius requests on that port are forwarded to UZTNA.

Extreme Universal ZTNA Switch Configuration
Extreme UZTNA Onboarding switches to CloudIQ

Frequently asked questions

Check our FAQ section, where you can find the questions we have been asked most often over the last few months.

  • Why should organizations consider implementing Extreme UZTNA as part of their cybersecurity strategy?

    Organizations should consider implementing Extreme UZTNA as part of their cybersecurity strategy because it provides a scalable, flexible, and robust security solution that adapts to modern threats and IT environments. By adopting ZTNA, organizations can:

    • Enhance security across all environments: Whether on-premises, in the cloud, or in hybrid setups, ZTNA ensures consistent security.
    • Increase resilience against advanced threats: Continuous verification and the least privilege principle reduce the risk of breaches and the impact of potential security incidents.
    • Improve user experience: With context-aware access controls, ZTNA provides secure access without compromising usability, supporting productivity in remote and mobile workforces.
    • Future-proof security: As organizations increasingly adopt cloud services and remote work, ZTNA provides a security framework that evolves with these trends, ensuring long-term protection.
  • Why is Extreme UZTNA important for enhancing cybersecurity?

    Extreme UZTNA is important for enhancing cybersecurity because it:

    • Reduces the attack surface: By limiting access to only the necessary resources and continuously verifying users and devices, ZTNA minimizes potential entry points for attackers.
    • Prevents lateral movement: Even if an attacker gains initial access, ZTNA prevents them from moving laterally across the network by enforcing strict access controls for each resource.
    • Adapts to modern IT environments: ZTNA is designed to secure access to both on-premises and cloud-based applications, making it ideal for hybrid and remote work environments.
    • Improves incident response: With granular control and visibility over access requests, security teams can quickly identify and respond to suspicious activities.
  • What is Extreme Universal Zero Trust Network Access (ZTNA)?

    Extreme Universal Zero Trust Network Access (UZTNA) is a cybersecurity solution that implements the Zero Trust security model, which assumes that no user or device should be trusted by default, whether inside or outside the network perimeter. This solution continuously verifies the identity of users and the security posture of devices before granting access to applications and data, ensuring that access is based on strict security policies.

  • How does Extreme UZTNA support compliance with cybersecurity regulations?

    Extreme UZTNA supports compliance with cybersecurity regulations by providing detailed access controls, continuous monitoring, and robust reporting capabilities. This helps organizations meet requirements for data protection, access control, and auditability, which are often mandated by regulations such as GDPR, HIPAA, and the NIS 2 directive. By enforcing strict security policies and maintaining comprehensive logs of access activities, ZTNA helps organizations demonstrate compliance with these regulations.

  • How does Extreme UZTNA differ from traditional network security approaches?

    Extreme UZTNA differs from traditional network security approaches by shifting from a perimeter-based security model to one that enforces security controls at the individual user and device level. Instead of granting broad access based on network location (e.g., inside the corporate firewall), ZTNA requires continuous verification of identity and device health, applying the principle of least privilege to grant access only to specific resources.

Contact us for a demo

Are you curious to learn how UZTNA can play an important security role at your customers? Contact us for a demo.