Air Defense integration parameters

ExtremeLocation integration parameters

RTLS

Profiles for Centralized APs support the following features:

IoT configuration
Positioning
Analytics

An RF Management policy.

Note
RF Management and configuration Profiles can be shared across device groups.

Note
Most AP radio properties depend on a regulatory domain, which is defined at the site level.
Devices that are connected to ExtremeCloud Appliance but not assigned to a device group
have the status of In-Service Trouble. Devices that have not discovered ExtremeCloud
Appliance have the status of Unknown.

Related Links

Adding Device Groups to a Site on page 67

Device Group Settings on page 67

AP Adoption Rules on page 142

Floor Plans on page 16

Site Parameters on page 65

Profiles

Configuration profiles in ExtremeCloud Appliance offer consistency and simplicity. Use a profile to
associate configuration parameters to a device group, and to apply configured network policy roles to
the group. You can associate a single profile to one or many device groups within a single site or across
multiple sites.

Profiles are used to configure APs and individual radios. The available configuration options depend on
the AP model. The full list of configuration settings is as follows:

Network configuration

Policy configuration

Radio settings

Port assignment

IoT configuration

AirDefense Service Platform (ADSP) integration

ExtremeLocation integration

Position Awareness configuration

Analytics

Real-Time Location System (RTLS) integration

Welcome to ExtremeCloud Appliance

ExtremeCloud Appliance User Guide for version 4.36.03

13

Summary of Contents for ExtremeCloud Appliance E1120

Page 1: ...ExtremeCloud Appliance User Guide Version 4 36 03 9036135 02 Published June 2019 ...

Page 2: ...Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks Inc in the United States and or other countries All other names including any product names mentioned in this document are the property of their respective owners and may be trademarks or registered trademarks of their respective companies owners For additional information on Extreme Networks tradema...

Page 3: ...Sites List 27 Device List 40 Networks List 52 Clients 53 Policy 58 Chapter 4 Configure 63 Network Configuration Steps 63 Sites 64 Devices 105 Networks 118 Policy 127 AP Adoption Rules 142 Chapter 5 Onboard 145 AAA Authentication 145 Managing Captive Portal 154 Managing Access Control Groups 165 Access Control Rules 168 Chapter 6 Tools 173 Workflow 173 Logs 182 Diagnostics 185 Chapter 7 Administrat...

Page 4: ...Index 217 Table of Contents ExtremeCloud Appliance User Guide for version 4 36 03 4 ...

Page 5: ...is is searchable text within the PDF Table 2 Text Conventions Convention Description Screen displays This typeface indicates command syntax or represents information as it appears on the screen The words enter and type When you see the word enter in this guide you must type something and then press the Return or Enter key Do not press the Return or Enter key when an instruction simply says type Ke...

Page 6: ... improvements to our documentation so you can find the information you need faster Broken links or usability issues If you would like to provide feedback to the Extreme Networks Information Development team you can do so in two ways Use our short online feedback form at https www extremenetworks com documentation feedback Email us at documentation extremenetworks com Please provide the publication...

Page 7: ...problem Any related RMA Return Material Authorization numbers Subscribing to Service Notifications You can subscribe to email notifications for product and software release announcements Vulnerability Notices and Service Notifications 1 Go to www extremenetworks com support service notification form 2 Complete the form with your information all fields are required 3 Select the products for which y...

Page 8: ...e Appliance The appliance is a network device designed to integrate with an existing wired Local Area Network LAN The ExtremeCloud Appliance provides both distributed and centralized management network access and routing to wireless devices that use Wireless APs to access the network The appliance provides the following functionality Controls and configures wireless APs providing distributed or ce...

Page 9: ... series APs are supported AP3917i e k AP3916ic AP3915i e AP3912i AP3935i e AP3965i e The following ExtremeWireless WiNG APs are supported AP7522 AP7532 AP7562 AP7612 AP7632 AP7662 AP8432 AP8533 The Extreme Networks Defender Adapter SA201 is supported A wireless AP physically connects to a LAN infrastructure and establishes an IP connection to ExtremeCloud Appliance which manages the AP configurati...

Page 10: ...lecting the site configuration either Distributed or Centralized A site in ExtremeCloud Appliance is composed of one or more device groups Each device group holds one or more APs The APs in a device group must have the following in common AP Model Configuration Profile RF Domain Regulatory domain and configuration type which is defined at the site level A Centralized site can include multiple devi...

Page 11: ...uilding supports a unique configuration with its own policy requirements Clients need the ability to roam between buildings without session interruption Solution Create a Centralized site defining multiple device groups Each device group will support a unique profile configuration Distributed Site A Distributed configuration uses ExtremeWireless WiNG APs Each WiNG AP opens a WebSocket to ExtremeCl...

Page 12: ...ined for the site If you have created a default device group for a specific AP model upon discovery the APs that match that AP model are available on the Create Device Group dialog Manually select each AP to add it to the group To automatically assign APs to a device group configure Adoption Rules before APs connect for the first time If the device group is not yet created upon AP discovery the AP...

Page 13: ...page 142 Floor Plans on page 16 Site Parameters on page 65 Profiles Configuration profiles in ExtremeCloud Appliance offer consistency and simplicity Use a profile to associate configuration parameters to a device group and to apply configured network policy roles to the group You can associate a single profile to one or many device groups within a single site or across multiple sites Profiles are...

Page 14: ...l offers seamless roaming between APs of all device groups Figure 1 Centralized Site Data Model Unique Profile Per Device Group Figure 2 illustrates multiple sites with individual device groups in one RF domain sharing a common configuration profile Welcome to ExtremeCloud Appliance ExtremeCloud Appliance User Guide for version 4 36 03 14 ...

Page 15: ... configuration for each radio allowing APs to respond dynamically to changing RF conditions Apply RF Management policies to specific RF Domains After gathering information from the RF environment RF Management makes intelligent configuration choices It monitors the network for external interference neighbor interference non WiFi interference and client connectivity It then intelligently applies al...

Page 16: ...gured floor plan from the Site dashboard page You can also view floor plans from the Client and Devices workbenches Toggle between floor plan Configuration and floor plan View From the floor plan View page click Configure Site Floor Plans to open the floor plan Configuration page From the floor plan Configuration page click to display the floor plan View Related Links Site Parameters on page 65 Co...

Page 17: ...s additional consideration above the standard AP deployment guidelines for coverage and capacity The following are best practices for AP deployment Minimum Received RSS No fewer than three APs should be detecting and reporting the RSS of any client station Only RSS readings stronger than 75 dBm are used by the Location Engine Use the same AP model for the entire floor plan Design your floor plan w...

Page 18: ...t with Configure Sites and work your way down the Configure workbench as you configure your network The Dashboard is the first workbench Once the network is up and running use the Dashboard and Monitor workbenches to monitor your network activity and performance The ExtremeCloud Appliance user interface can be accessed using the HTTPS protocol on the TCP port 5825 For example if your ExtremeCloud ...

Page 19: ...configuration access control groups and a rules engine Tools Use Workflow Logs and diagnostic tools for network troubleshooting Administration Configure the system work with utilities manage upgrades apply system licenses and manage accounts ExtremeCloud Appliance offers a context sensitive Online Help system Click the drop down admin menu on any page to access the topic based Help System Figure 4...

Page 20: ...e and expands other Extreme Networks software offerings such as ExtremeAnalytics If you are already leveraging NSight this solution continues to support that investment ExtremeCloud Appliance will relay statistics that feed into NSight to keep its visibility value intact APs and appliances running ExtremeWireless WiNG version 5 9 1 or later are supported in this deployment strategy ExtremeWireles...

Page 21: ...ces Controllers Proxied controllers can be removed from the Controllers page However if the ExtremeWireless WiNG controller has ExtremeCloud Appliance in its configuration the ExtremeWireless WiNG controller reappears in the list of controllers after each update Proxy controllers cannot be edited All relevant information and statistics for a proxy AP displays in ExtremeCloud Appliance However editi...

Page 22: ...ximum of 10 widgets The Overview dashboard widgets are classified according to the type of data they access Network utilization metrics including top and bottom values for clients APs switches and networks Radio Frequency metrics Switches with top and bottom throughput levels Client distribution and client count for the top and bottom manufacturer network and operating system Captive Portal metric...

Page 23: ...t include data from the 3 day dataset or from the 3 hour dataset It is possible that a new client will not appear in a dataset if the dataset has not been recently updated Figure 5 Main Dashboard Related Links Adding a New Dashboard on page 23 Modifying a Dashboard on page 24 Understanding Date and Time on page 20 Availability Link Status on page 26 Adding a New Dashboard Create additional dashboa...

Page 24: ... display up to 10 widgets Figure 6 Widget Layout Options 4 Select the Widgets tab The list of widgets by category is displayed 5 Expand the list of widgets in each category 6 Drag and drop a widget onto the dashboard within the layout that you have selected 7 Click Save Modifying a Dashboard You can customize the default dashboard views to fit your network s analytic requirements such as monitorin...

Page 25: ...vailable Utilization Provides utilization metrics such as client count and various top 10 and bottom 10 counts RF Provides Radio Frequency metrics such as RF quality RF health channel utilization and various top 10 and bottom 10 metrics This group also includes various Smart RF metrics Switch Tracks top and bottom switches by throughput Clients Tracks client distribution based on different paramet...

Page 26: ... an Availability Pair Status Description Unknown Link is down Synchronized All changes are pushed to the peer appliance Note There may be a brief period when a change on the first appliance has not yet been pushed to the second appliance During this time you could see Changed on one appliance and Synchronized on the other appliance This will be resolved as soon as the change has successfully been ...

Page 27: ...ation Provides metrics on the amount of traffic passing through the site RF Management Provides metrics on radio frequency quality and channel utilization Switches Provides metrics on switch throughput Clients Provides metrics on client distribution by protocol and client count by manufacturer operating system and network Captive Portal Provides metrics on users who access the network through capt...

Page 28: ... see AP Actions on page 106 Radio Settings Button on page 28 Switches List of switches associated with the site Clients List of clients associated with the site Troubleshooting Offers packet capture at the AP and remote console access to the AP Floor Plans Floor plans associated with the site Related Links Site Dashboard on page 27 Network Service Settings on page 119 Access Points List on page 40...

Page 29: ...matically This is the default value Auto Channel Select ACS optimizes channel arrangement based on the current situation in the field if it is triggered on all APs in a deployment ACS only relies on the information observed at the time it is triggered Once an AP has selected a channel it remains operating on that channel until the user changes the channel or triggers ACS Floor Plan View Once the f...

Page 30: ...plans display in the right side pane Here are a few things you can do with a floor plan To search for devices Click the search icon Click on the search field and select device from the drop down list To zoom in and out do one of the following Click to zoom in Click to zoom out Double click on the map to zoom in Use the mouse scroll wheel to zoom out Click the map and use the mouse scroll wheel to ...

Page 31: ...er interface controls in a pane to the right of the map display Floors Click to display the floor maps associated with the selected device group Double click a floor map in the right pane to display the full map Maps Click to display a list of possible maps Heatmap Use heat maps to represent network connectivity based on one or more AP attributes Channels Show APs by channel Link Speed Device perf...

Page 32: ... Configuring Floor Plan Zones on page 104 Configuring Camera AP Angle on page 104 Assigning Badges Badges display real time statistics that can be configured for each AP If a metric is not assigned to a badge position it is not shown on the user interface By default all the badges are assigned to an AP The following metrics can be assigned to badges RSS Filter range 100 10 dBm SNR Filter range 0 5...

Page 33: ...dge Information on page 34 Device Context Menu Right click a device icon to view the following information A link to the device configuration page A link to the device details page A link to the list of clients associated to the AP Select the Exclude check box to exclude a device from simulations If excluded data from this device will not be considered when generating heat maps Monitor ExtremeClou...

Page 34: ...ters panel on the right side of the screen A device badge displays on the floor plan when its value meets the selected filter criteria Use map filtering to troubleshoot the network displaying device badges that meet specific thresholds For example when looking for APs with 20 clients set the Client filter to 20 and look for APs with blue Client badges displayed To filter by AP statistics Monitor E...

Page 35: ...1 From the panel on the right side of the screen select the Filters icon Figure 10 Map Filters Panel Monitor ExtremeCloud Appliance User Guide for version 4 36 03 35 ...

Page 36: ...um positioning The following readiness maps are available Heat map RSS signal strength Heat map BLE Indicates expected coverage of Bluetooth Low Energy Supported on the 2 4 GHz band for APs with a BLE radio Channels map Indicates AP channel with the strongest RSS Link Speed RFQI RF Quality Index of the radios allows you to quickly identify APs with poor RF quality The labels themselves are color c...

Page 37: ...hat indicate optimal positioning of an AP To access the maps 1 From the right panel click Maps to display a list of map types 2 To activate a map click the ball and drag to the right Figure 12 Network Readiness Maps Right click anywhere on a heatmap to view the numeric value at that location on the map Monitor ExtremeCloud Appliance User Guide for version 4 36 03 37 ...

Page 38: ...d Use Cases If you want all but one AP selected 1 Click Select All 2 Right click on the AP that you don t want 3 Click Exclude AP from Simulations If you only want one AP selected 1 Click Deselect All APs 2 Right click the AP that you do want selected 3 Clear the check box Exclude AP from Simulations Related Links Positioning Heatmaps on page 39 Monitor ExtremeCloud Appliance User Guide for versio...

Page 39: ...ee ExtremeLocation Profile Settings on page 79 To access the Positioning maps from the floor plan view 1 Display an available floor plan 2 From the right panel click Positioning 3 To activate a map click the ball and drag to the right 4 To show clients select either Show Associated Clients or Show Unassociated Clients Note If your Positioning Profile is configured to track only active clients you ...

Page 40: ...8 Advanced AP Radio Settings on page 75 Network Snapshot AP Dashboard on page 44 Opening Live SSH Console to a Selected AP on page 49 Packet Capture on page 45 Switches on page 113 Controllers List on page 52 Access Points List Go to Monitor Devices Access Points to see a list of APs in ExtremeCloud Appliance The model and licensing domain of the AP determines the site configuration type and site ...

Page 41: ...discovered ExtremeCloud Appliance have the status of Unknown Related Links AP Actions on page 106 Radio Settings Button on page 28 Adding APs on page 107 Adding a Site on page 64 Device Groups on page 12 Configuring Column Display on page 20 Understanding Access Point States The following describes access point states on the Access Points Device List Table 8 AP State from the Device List State Des...

Page 42: ...n ExtremeCloud Appliance network support the 802 11ax ready access points The site type support is determined at AP discovery and registration and can be reset upon manual AP reset AP510i e indoor one dual band 2 4GHz 5GHz radio and one 5GHz radio Mode 1 2 4GHz service radio and 5GHz service radio Mode 2 2 4 5GHz Sensor and 5GHz service radio Mode 3 5GHz lower band service radio and 5GHz upper ban...

Page 43: ...0dBm providing no service The AP560 is offered in a product bundle that targets the installation environment Refer to Table 9 and Table 10 on page 44 for descriptions of each product bundle Table 9 AP560i portfolio AP Model Number Description AP560m FCC The AP560m is a pole mount bundle that includes the AP560i access point and the following brackets KT 147407 02 bracket kit KT 150173 01 ExtArm Fe...

Page 44: ...S MBO ART02 Extension Arm Network Snapshot AP Dashboard To view network details from the AP screen 1 From the left pane click Monitor Devices Access Points The Access Points list displays 2 Select an AP The network details for the selected AP appear Details for a camera AP include the camera network address If the AP is configured on a mapped floor plan a map displays showing the AP location with ...

Page 45: ...signal to noise ratio SNR levels Clients Provides metrics on client distribution by protocol operating system and manufacturer per AP Expert AP metrics for the expert user related to RFQI RTT RSS and RX and TX Rates Application Visibility Provides details about applications the client is accessing and metrics on application groups related to throughput and usage per AP To view widgets for an indiv...

Page 46: ...remote SCP server Packets can be captured from APs associated with either ExtremeCloud Appliance in an Availability Pair Packet capture will continue after failover displaying packet results in one file Continuous packet capture is supported on AP39xx and AP5xx Centralized Site If an AP must restart after a capture has started the capture will continue after the AP restart If the appliance must re...

Page 47: ...nternal capture ID Active captures are indicated in green Inactive captures are indicated in red 8 Hover over the PAC filename and select Download to download the file Related Links Packet Capture Parameters on page 47 Packet Capture on page 45 Packet Capture Parameters Field Name Field Description In the Capture Locations pane configure the following settings Wired Enables wired packet capture on...

Page 48: ...P address IP Protocol or Port The filters are mutually exclusive and are applied in the order in which they are listed Enter at least one MAC address or IP address Note Excessive packet capture degrades network performance If you are going to enable packet capture on all APs specify at least one MAC address filter and one IP address filter to avoid performance degradation Filter by MAC 1 and Filte...

Page 49: ...P Remote Console Connect The selected AP s SSH console appears 4 To terminate the SSH console session click Disconnect Switches List ExtremeCloud Appliance can manage a maximum of 1000 switches In ExtremeCloud Appliance switches are primarily used for stats reporting Switches operate independently of the connectivity state For example switch states do not change when the appliance is not reachable...

Page 50: ... from the switch screen 1 Go to Monitor Devices Switches 2 Select a switch not the check box The network details for the selected switch appear Table 13 Tabs on the Switch Details Screen Tab Description Dashboard Widgets display network details related to the selected switch Ports List of configured ports on the selected switch LAG Ports Link Aggregation Group LAG Ports organized as a list of mast...

Page 51: ... and review the widgets on the Dashboard page These widgets provide basic information for an individual switch including Utilization Top 5 busiest ports Port usage distribution showing the proportion of ports assigned to each of the possible port functions Serve an Access Point Serve a Host other than an access point Link to another bridge switch Other Port PoE states NEW Port Dashboard The Port s...

Page 52: ...dited Networks List Go to Monitor Networks to view a list of networks configured in ExtremeCloud Appliance Select a network to view the network dashboard and related network components Related Links Network Snapshot Network Dashboard on page 52 Network Widgets on page 53 Network Snapshot Network Dashboard To access the Network Services screen 1 Go to Monitor Networks 2 Select a network service fro...

Page 53: ...ides details about applications the client is accessing and metrics on application groups related to throughput and usage To view widgets for an individual network 1 Go to Monitor Networks 2 Select a network from the list and review the widgets on the Dashboard page Clients The Clients tab displays a list of clients in your network Use this information to understand client status access roles and ...

Page 54: ...l networks being broadcast by any AP managed by ExtremeCloud Appliance or by an ExtremeCloud Appliance availability pair From the Client List configure a black list or a white list but not both To filter specific users by MAC address configure Access Control rules To set up a list 1 Go to Clients and click the Blacklist icon This displays the list Mode for your network and a list of MAC addresses ...

Page 55: ...e client device must reauthenticate The session availability is not guaranteed because authentication may require additional time during which the user session may be disrupted Use this option to manually reauthenticate one or more clients Add to group Adds selected clients to a group Check Force Reauthentication to automatically reauthenticate the client to the network Remove from group Removes s...

Page 56: ... each client Use this information to understand network traffic and load Sites Lists sites associated with the client Networks Lists the network services associated with the client Select a network to display network details See Network Service Settings on page 119 Access Points Lists access points associated with the client Use the search facility to find a specific AP Station Events Log of stati...

Page 57: ... addresses and network identifiers that the client has been associated with Indicates client position on the network RADIUS Response Attributes Attributes from the RADIUS server that describe the form of access that is granted to the client RADIUS Server IP address of the external RADIUS server if any Reason Indicates the specific rule from the Access Control Rule Engine that allowed client access...

Page 58: ...ts for an individual client 1 Go to Clients 2 Select a client from the list and review the widgets on the Dashboard page Related Links Adding a New Dashboard on page 23 Modifying a Dashboard on page 24 Policy You can define policy rules for a role to specify network access Network policies are a set of rules defined in a specific order that determine how connections are authorized or denied If you...

Page 59: ... Failsafe The Enterprise User access policy is intended for admin users with full access The Quarantine access policy is used to restrict network access to end systems that have failed assessment The Quarantine policy role denies all traffic by default while permitting access to only required network resources such as basic network services e g ARP DHCP and DNS and HTTP to redirect web traffic for...

Page 60: ...m immediate network access while the end system assessment is occurring in the background In this case the policy role or accept policy or the associated VLAN for RFC 3580 compliant switches must be configured to allow access to the appropriate network resources for communication with the Assessment servers Note The Assessment server sends an ICMP Echo Request a ping to the end system before the s...

Page 61: ...e 24 Rule Level Statistics on page 61 NEW Rule Level Statistics ExtremeCloud Appliance offers rule level statistics that track policy rule usage in managing packet traffic Gather Hit Count statistics for specific roles and specific rules Widgets indicating roles with Top and Bottom Hit Counts display on the Overview dashboard Widgets indicating filter rules with Top and Bottom Hit Counts display o...

Page 62: ...nges only statistics for the latest configuration are displayed but data is saved for up to 14 days Standard ExtremeCloud Appliance reporting duration is supported Live reporting is not supported Click to set the Duration value for the time period reported Valid duration values are Last 3 hours Last 3 days Last 14 days Click to refresh the data on demand Hover the mouse over a widget to display to...

Page 63: ...pe The configuration Profile and RF Management profiles are defined at the device group level The available configuration options depend on the site definition Centralized or Distributed and the AP platform definition of the device group 3 Configure one or more networks When configuring a network you will do the following a Define network authentication b Configure roles associated with the networ...

Page 64: ...ith an In Service Trouble status Once a valid device group is created the AP is automatically listed within the device group where you can manually add it to the group 8 Optional Add one or more floor plans for each site 9 Set up access control and captive portal Related Links Sites Overview on page 10 Adding Device Groups to a Site on page 67 Network Service Settings on page 119 Policy on page 12...

Page 65: ...ry This field provides automatic search capabilities Begin typing in the field to display the time zone Related Links Floor Plans on page 16 Site Location on page 67 Device Groups on page 12 Switches on page 113 SNMP Configuration on page 199 Distributed Site on page 11 Centralized Site on page 10 Modifying Site Configuration Once a site is created you can modify the configuration settings clone t...

Page 66: ...te b Select the Switches tab c Configure the following parameters RADIUS Authentication Servers Up to two RADIUS servers configured for authentication Click Add and select from the list of IP Addresses Enable RADIUS Accounting Enable or Disable RADIUS Accounting Select Enable to enable RADIUS Accounting When RADIUS Accounting is enabled all switches in the site receive the RADIUS Accounting server...

Page 67: ...ated Links Site Parameters on page 65 Adding Device Groups to a Site Create the site then add device groups to the site To understand the relationship between sites device groups and access points see Device Groups on page 12 To add a device group to an existing site 1 Go to Configure Sites and select a site from the list 2 Select Device Groups then click Add 3 Configure the device group settings ...

Page 68: ...yment automatically create Adoption Rules Note You may need to create more than one configuration Profile per AP model depending on the configuration settings you enable Related Links Adding or Editing a Configuration Profile on page 68 Advanced Configuration Profile Settings on page 72 Configuring Smart RF Policy on page 91 AP Adoption Rules on page 142 Adding or Editing a Configuration Profile E...

Page 69: ...y Roles on page 128 Radios Configure radio mode and advanced radio settings Admin Mode Determines the radio mode Select On to enable the radio Select Off to disable the radio Mode Radio mode Values depend on the AP model and radio band For more information see Understanding Radio Mode on page 70 For each radio band Click Advanced to configure Advanced AP Radio Settings Wired Ports If the AP suppor...

Page 70: ...elected profile Related Links Advanced Configuration Profile Settings on page 72 Advanced AP Radio Settings on page 75 AirDefense Profile Settings on page 78 ExtremeLocation Profile Settings on page 79 IoT Profile Settings on page 80 Positioning Profile Settings on page 85 Analytics Profile Settings on page 85 RTLS Settings on page 86 Understanding Radio Mode ExtremeCloud Appliance presents valid ...

Page 71: ...n ac a n ac x AP510i e 2 4GHz 5GHz dual band sensor b g g n b g n a n ac g n x a n ac x 5GHz sensor a n ac a n ac x AP560i h 2 4GHz sensor b g g n b g n a n ac g n x a n ac x 5GHz sensor a n ac a n ac x AP75xx 2 4GHz sensor b g g n b g n 5GHz sensor a n ac AP76xx 2 4GHz sensor b g g n b g n 5GHz sensor a n ac Configure ExtremeCloud Appliance User Guide for version 4 36 03 71 ...

Page 72: ... and ExtremeLocation and Positioning report the MAC addresses and RSS values that the radio receives ADSP is supported on all ExtremeCloud Appliance access points On AP39xx and AP76xx both radios must be configured as sensors at the same time On the AP5xx and AP8xxx the sensor can be set per radio one radio can be configured as a sensor while the other one can be configured to pass wireless traffi...

Page 73: ...es are Off Secure Tunnel is turned off and no traffic is encrypted All SFTP SSH HTTP traffic works normally Control An IPSEC tunnel is established from the AP to the appliance and all SFTP SSH HTTP WASSP control traffic is encrypted The AP skips the registration and authentication phases and when selected the Secure Tunnel Lifetime feature can be configured Control Data This mode only benefits brid...

Page 74: ...ag the VLAN Tagged VLAN packets include header information that identifies which VLAN the packet is coming from You can configure Tagged VLANs for all APs in a device group from the device group Advanced Settings dialog And you can override the device group setting for one or more individual APs from the AP Advance Settings Override dialog MTU Maximum Transmission Unit in bytes Determines the maxi...

Page 75: ... the selected MBA Timeout Role provides the default role to which users are automatically assigned The role can be permissive or restricted depending on the administrative configuration See Network Service Settings on page 119 When using 802 1x if none of the appliances are available then likely there is no path to authentication and new clients will be unable to authenticate on the wireless netwo...

Page 76: ...tream rates Enable this setting when you anticipate single stream clients with lower RSS power Disassociate on Low RSS Forces clients with low RSS to disassociate from an AP radio This setting is configured per radio A client is forced off an AP radio when RSS is measured at 5dBm below the Probe Suppression RSS Threshold Enabling this option forces the client to roam to a better AP for improved networ...

Page 77: ...et rate is greater than the configured protection limit rate For example if the protection rate is set to 11Mbps protection will be used when sending at rates greater than 11Mbps which means 802 11g rates To maintain compatibility between the older 802 11b HR DSSS and the newer 802 11g ERP OFDM technologies a mechanism was devised to allow the older 802 11b device to understand the newer 802 11g d...

Page 78: ...in the ability to forward traffic When the AP is configured with an AirDefense dedicated sensor profile the functionality of the AP is controlled by the AirDefense server When the AP is configured as an AirDefense Radio Share profile it continues to forward traffic while sending packets to an AirDefense server To ensure rate performance an AP configured with a Radio Share profile does not forward i...

Page 79: ...ocation user associates the Tenant ID and Site information with the AP MAC address over AP WebSocket The AP can be the RSS source for both ExtremeCloud Appliance Positioning and ExtremeLocation at the same time RSS information travels both through the WASSP tunnel to the ExtremeCloud Appliance and through WebSocket to ExtremeLocation 1 Configure the following parameters Table 27 ExtremeLocation Pr...

Page 80: ... the IoT applications listed in Table 28 Table 28 IoT Application Support Application AP Models Supported iBeacon AP5xx AP76xx AP8xxx AP391x Note AP3935 AP3965 and AP7612 do not support IoT iBeacon Scan AP5xx Centralized site only AP39xx Eddystone url Beacon AP5xx AP76xx AP8xxx AP39xx Eddystone url Scan AP5xx Centralized site only AP39xx Thread Gateway AP5xx Centralized site only AP39xx Configure ...

Page 81: ...tifies an individual beacon Used to more precisely pinpoint beacon location This value complements the UUID and Major values to provide more granular identification of a specific location such as a particular shelf door way or item Valid values are 0 to 65635 Measured RSSI The calibrated or measured RSSI in dBm for the beacon The transmitted beacon includes this value in the tag Default values are...

Page 82: ...ng occurs Min RSSI This is the signal strength required to include the packet in the BLE report Valid values 10 to 100 Default value is 100 Data from beacons with an RSSI that is less than the Min RSSI configured value is filtered out Related Links iBeacon Settings on page 81 Eddystone url Beacon Settings on page 82 Eddystone url Scan Settings on page 83 Thread Gateway Settings on page 84 Eddyston...

Page 83: ...page 84 Eddystone url Scan Settings Table 32 Eddystone url Scan Settings Parameter Description Application Determines application type Select Eddystone URL Scan Destination IP Address IP address of the customer Application Server that receives the beacon report Destination Port Destination Port on the customer Application Server that presents the beacon report Scan Interval Determines how long to ...

Page 84: ...rk Master Key used to encrypt communication between nodes in a Thread Network Related Links Configuring IoT Whitelist on page 84 iBeacon Settings on page 81 iBeacon Scan Settings on page 82 Eddystone url Beacon Settings on page 82 Eddystone url Scan Settings on page 83 Configuring IoT Whitelist Create a whitelist of approved nodes for the Thread Network The IoT whitelist applies to all APs that ar...

Page 85: ...Off Disable Positioning Services Active Clients Track associated clients to the selected AP When you select this option you will not be able to view un associated clients on a floor plan All Clients Track both associated and unassociated clients 2 Click Save Related Links Adding or Editing a Configuration Profile on page 68 Position Aware Services on page 16 Positioning Heatmaps on page 39 Analyti...

Page 86: ...ticast MAC address for the RTLS application server Note Centrak and Ekahau configuration offer a default port number and multicast address You can modify the default values if necessary 3 Click Save Consider the following information related to Real Time Location System RTLS Ensure that your location based service tags are configured to transmit on all non overlapping channels 1 6 and 11 and on ch...

Page 87: ...Settings Field Description Name Name of the RF Management policy Sensitivity Note Available for Smart RF policy only Determines pre defined thresholds for Smart RF Valid values are Low Interference recovery 30 dBm Coverage Hole Recovery 20 dBm Medium Interference recovery 20 dBm Coverage Hole Recovery 20 dBm High Interference recovery 5 dBm Coverage Hole Recovery 20 dBm Custom Select Custom to mod...

Page 88: ...Power Settings on page 88 Scan Settings for Smart RF on page 92 Neighbor Recovery Settings for Smart RF on page 93 Interference Recovery Settings for Smart RF on page 94 Channel and Power Settings Modify Channel and Power settings to fine tune channel selection within an RF Management policy Channel and Power settings are available on all APs that are supported by ExtremeCloud Appliance Note APs r...

Page 89: ...nnel The AP selects the best non DFS channel Custom To configure individual channels from which to select an operating channel click Configure The Custom Channel Plan dialog displays Click the individual channels you want to include in the channel plan To select contiguous channels use the Shift key To select multiple non contiguous channels in the list use the CTRL key Click OK to save the config...

Page 90: ...igure ACS 1 Go to Configure Sites and select a Centralized site 2 Click Device Groups tab 3 Select a device group or click Add The RF Management value is ACS for AP39xx 4 Select next to RF Management to edit the ACS policy Note After modifying the default ACS policy settings if you need to return to the initial settings create a new ACS policy New policies are comprised of the ACS settings that ar...

Page 91: ...d AP5xx support Smart RF as the RF Management policy ExtremeCloud Appliance is installed with a default Smart RF policy You can modify the default policy or create a new policy Policies that are being used by a device group cannot be deleted but if the policy is not being used you can delete it Note Smart RF is now supported on AP5xx for either a Centralized site or Distributed site Only one Smart...

Page 92: ...adapt to changes in the RF environment OCS can negatively impact some devices When enabled OCS checks for sensitive clients for example Voice and Power Save clients If sensitive clients are found OCS is skipped and the Number of Threshold Awareness Hits counter is incremented Number of Threshold Awareness Hits Enabled once you enable OCS Monitoring Awareness Override When OCS is skipped the OCS Aw...

Page 93: ...alid values are Dynamic Disables smart monitoring when buffered data exists at the radio for a voice client The default setting is Dynamic for both the 5 GHz and 2 4 GHz bands Strict Disables smart monitoring when a voice client is associated to a radio Disable Do not use the Voice Aware Scanning option Transmit Load Aware Scanning Defines the threshold for channel load Channel scanning is avoided...

Page 94: ...anagement Settings on page 87 Channel and Power Settings on page 88 Scan Settings for Smart RF on page 92 Interference Recovery Settings for Smart RF on page 94 Interference Recovery Settings for Smart RF The following settings define thresholds for the Smart RF policy Interference Recovery plan supported on ExtremeWireless WiNG APs and AP5xx The default Smart RF policy enables Interference Recove...

Page 95: ...efault setting is 5 dBm 2 4 GHz Channel Switch Delta dBm Defines the threshold for initiating a channel switch on the 2 4 GHz radio Smart RF compares the difference between interference levels on the current channel and a prospective channel If the difference is below the configured threshold the channel does not change Valid values are 5 35 dBm The default setting is 5 dBm Related Links Basic RF ...

Page 96: ...utes When the deployment average CCI exceeds the specified maximum threshold Smart RF shuts down 2 4 GHz radios until the CCI reaches acceptable levels Use this option to configure the interval between successive radio shutdowns Valid values are 0 3600 minutes The default is 60 Frequency Limiter Indicates the value by which to multiply the OCS scan period to determine the minimum Frequency setting...

Page 97: ...he Floor Plans tab 2 Click the first field to display a list of available device groups within the site 3 Select one or more device groups 4 Select a floor from the list of floors to the right of the map panel See Use Case Device Group Filtering on page 97 for a use case scenario The floor plan displays 5 Use the Draw Tools to modify the floor plan Related Links Use Case Device Group Filtering on ...

Page 98: ...g Floors with Non Assigned APs and Empty Floors Before you can display a floor plan you must select one or more device groups that include the devices that are associated with the floor plan If you have imported or created a floor plan that is not yet associated with devices or if you are using a floor plan for an empty floor you can still display the floor plan To display a floor plan with place ...

Page 99: ...or plan limits depend on the appliance See Table 3 on page 18 To add a new floor plan 1 Go to Configure Sites Add a new site or select a site and click Floor Plans tab 2 In the Manage Floor Plans pane select to add a new floor plan 3 Enter a unique name for the new floor plan and the height of the floor ceiling Then select OK 4 Draw a floor plan or import an existing plan a To import an existing p...

Page 100: ...te and click Floor Plans tab 2 From the Manage Floor Plans pane do the following To import a file 1 Select Import 2 Select the file format and navigate to the floor plan file 3 Click Open Then click Save To export a file 1 Select Export 2 Select the floor plan file The floor plan file is downloaded to your local machine Setting a Background Image When creating a new floor plan the first step is to...

Page 101: ...wn distance in the room Note The following procedure corresponds to the callout numbers in Figure 18 on page 102 To scale a floor plan 1 Display the floor plan Go to Configure Sites Add a new site or select a site and click Floor Plans tab 2 Select a floor plan to edit from the drop down list 3 Under Scale Measures Click to enter a known length in the Length field that displays 1 Draw the physical...

Page 102: ... The area outside the boundary is ignored To draw boundary lines 1 Go to Configure Sites Add a new site or select a site and click Floor Plans tab 2 Click Draw Tools to display floor plan tools 3 To anchor the beginning of the boundary line click a corner of the outside boundary 4 Click each corner to anchor the line The drawing line zigzags across the image as you anchor each corner Note If you m...

Page 103: ... drawing click a corner of the inner wall 6 Click each corner of the inner wall to anchor the line and progress to the next corner 7 When you reach the end of your inner wall boundary double click the last corner to anchor the final line and disable the pen tool Note Right click on a wall to change its type or to delete it You can also click to modify a wall or click to delete it Next go to Placin...

Page 104: ...ture to set orientation If you select Wall set the AP height in meters Height is the distance from the AP to the floor From the floor plan View a black arrow displays on the map indicating the AP orientation Select the black arrow and drag to a new orientation Configuring Camera AP Angle Set the camera angle for an AP3916ic directly from the floor plan map 1 Go to Configure Sites Add a new site or...

Page 105: ...click to release your cursor 10 Click Save to save the floor plan Related Links User Interface Controls on page 31 Deleting APs from the Map To delete an AP from a floor map 1 Go to Configure Sites Add a new site or select a site and click Floor Plans tab 2 Right click on an AP icon on the map 3 Select Delete The selected AP is removed from the map 4 To delete all APs from the map at once next to ...

Page 106: ...censing domain of the AP determines the site configuration type and site licensing domain The configuration Profile and RF Management for a device group are specific to the AP platform For more information about supported access points see Access Points List on page 40 Related Links Access Points List on page 40 AP Actions on page 106 Adding APs on page 107 Adding a Site on page 64 Device Groups o...

Page 107: ...is a delay of 180 seconds between upgrading each set of APs APs serving DFS and Weather channels are upgraded within a 9 minute interval Upgrade Camera Applies to AP3916ic only Delete Delete the selected APs Reboot Restart the selected APs Related Links Radio Settings Button on page 28 Adding APs Access Points and Switches are automatically added to ExtremeCloud Appliance via the cloud connector w...

Page 108: ...mber Unique number that identifies the AP Provide this number for new and cloned APs This number is on the AP Model Select an AP model number from the drop down list The model number is on the AP Name Unique name for the AP Provide a unique name for new and cloned APs Description Text description to help identify the AP 5 Click OK Note Most AP radio properties depend on a regulatory domain which i...

Page 109: ...f you select No the radio settings are displayed You can modify radio settings from here Channel Width Determines the channel width for the radio Valid values are 20 MHz 40 MHz 80 MHz supported on 5GHz only 802 11ac and 802 11ax 160 MHz supported on 5GHz only 802 11ax Automatic Channel width is calculated automatically This is the default value Request New Channel Specifies the primary channel of t...

Page 110: ... AP operates in 2x2 or 4x4 depending on what was negotiated with the Switch PoE using the 2 event classification Note When an AP5xx configured for support in a Centralized site is connected to two switch ports configure the power capabilities of both ports identically If the power capabilities are unequal the AP will resort to Low Power Mode to ensure a stable operation Radio Setting Overrides You...

Page 111: ...tings Two port AP Related Links AP510e Professional Install Settings on page 111 AP560h Professional Install Settings on page 112 Advanced AP Settings on page 110 Configure AP Radio Settings on page 108 Adding APs on page 107 NEW AP510e Professional Install Settings The following rules apply to AP510e antenna installation Group 1 2 4GHz 5GHz accepts identical dual band antennas Group 2 5GHz accept...

Page 112: ...dios are configured Dual 5GHz mode Radio1 is enabled only if one or more antennas are configured in Group 2 Radio 2 is enabled only if one or more antennas are configured in Group 1 Figure 20 AP510e Antenna Professional Install Related Links Adding APs on page 107 NEW AP560h Professional Install Settings The AP560h is an outdoor AP that has two types of selectable internal antenna You must select ...

Page 113: ...ported switches see the Release Notes Related Links Adding a Switch on page 114 Configuring a Switch on page 115 Switch Actions on page 113 Switches List on page 49 Switch Actions Take the following actions from the switch Actions button Table 48 Switch Actions Field Description Delete Delete the selected switch Reboot Restart the selected switch Reset Issues a configuration reset and reboot to th...

Page 114: ...itch State from the Device List State Description In service Switch acknowledges the sent configuration Switch sends statistics every 5 minutes In Service Trouble Switch in process of connecting to ExtremeCloud Appliance Configuration is pending acknowledgment from switch Switch reset pending Switch reboot pending Switch upgrade pending Unknown Switch has not discovered the ExtremeCloud Appliance ...

Page 115: ...ithin a site see Switches on page 113 4 Configure the following parameters Serial Number Unique number that identifies the switch Provide this number for new and cloned switches This number is on the switch Model Select model number from the drop down list The model number is on the switch Name Unique name for the switch Provide a unique name Description Text description to help identify the switc...

Page 116: ...Master Port 2 Select the Master Port number from the drop down field Note Dialog options display for the master port after you select a port number 3 Select a Member Port number under Ports Eligible for LAG membership Then drag and drop the port onto the Master Port pane 4 Click Save Master Related Links Configuring a Switch on page 115 Advanced Switch Settings on page 118 NEW Switch Port Configur...

Page 117: ...ed for Power over Ethernet PoE must be supported on the port VLANs Select one or more configured VLANs Click the plus sign to add the VLAN to the list Authentication Mode Authentication Mode 802 1x can be configured on individual ports When Authentication is enabled on the switch port this switch gets the RADIUS Authentication definition and the RADIUS servers specified under the site configuratio...

Page 118: ...is set based on port function AP Host Inter switch and Other VLAN Configuration VLAN configuration is based on Switch port function AP All the tagged and untagged VLANS are configured for the AP s device group Host Administrator configurable The Administrator can configure any of the VLANs that are configured in the system Other Default setting Typically configures port to VLAN 1 but this is confi...

Page 119: ...t legacy APs See Privacy Settings for WEP on page 122 WPAv2 with PSK Network access is allowed to any client that knows the pre shared key PSK All data between the client and the AP is AES encrypted using the shared secret Privacy is based on the IEEE standard and privacy settings are editable If MAC based authentication MBA is enabled you can assign different roles to different devices with a PSK...

Page 120: ...rectory Access Protocol Select a configuration or select the plus sign to add a new configuration Authenticate Locally for MAC Authenticate the MAC address on ExtremeCloud Appliance Do not authenticate MAC address on the RADIUS server Default Auth Role The default network policy roles for an authenticated client Select the plus sign to create a new role Configure this setting if you want to overri...

Page 121: ...n with client certificate based authentication EAP TLS All 802 1X protocols are supported Note MBA and Captive Portal are not supported when using WPA2 Enterprise w RADIUS The devices with 802 1X use Default Auth role only Configure the following privacy settings TKIP CCMP Select this option to use Temporal Key Integrity Protocol TKIP and Counter Mode with Cipher Block Chaining Message Authenticat...

Page 122: ...ing If you select String type the secret WEP Key string used for encrypting and decrypting in the WEP Key box Key Index Select the WEP encryption key index Valid values are 1 to 4 WEP Key Type the WEP key using the Input Method chosen above Related Links Network Service Settings on page 119 Captive Portal Settings Go to Networks to enable captive portal Select the portal type Internal or External ...

Page 123: ... remote LDAP server This option enables LDAP Configuration LDAP Configuration Lightweight Directory Access Protocol Select a configuration or select the plus sign to add a new configuration Related Links Portal Website Configuration on page 155 Portal Network Configuration on page 163 Portal Administration Configuration on page 163 Default Rules for Captive Portal on page 171 Interfaces on page 18...

Page 124: ...y registration for networks redirecting HTTP traffic to the captive portal using DNS Proxy requires additional configuration Create a unique application to the third party software Refer to the following developer sites Facebook Developers page at https developers facebook com apps Google Developers page at https console developers google com projectselector apis library Microsoft Developers page ...

Page 125: ...ion if necessary Table 54 FQDN Rules Required for Social Logins Application Site Rule Parameters Facebook Allow FQDN to facebook com port HTTPS Allow FQDN to fbcdn net port HTTPS Google Allow FQDN to accounts google com port HTTPS Microsoft Allow FQDN to login live com port HTTPS Allow FQDN to gfx ms port HTTPS Allow FQDN to akadns6 net port HTTPS Salesforce Allow FQDN to login salesforce com Allo...

Page 126: ... of bandwidth If Admission Control is enabled the clients must use it If a client does not support it that client s traffic will be downgraded Note It is not recommended to enable Admission Control if all clients do not support it Admission Control for Voice VO Forces clients to request admission to use the highest priority access categories in both inbound and outbound directions Admission Contro...

Page 127: ...ecific filter definitions then the filter ID configuration identifies the specific role that is applied to the user Related Links Roles List on page 58 Configuring Roles on page 127 Class of Service on page 135 VLANS on page 137 Configuring Rates on page 142 Configuring Roles A role is a set of network access services that can be applied at various points in a policy enabled network Roles are usua...

Page 128: ...ttings on page 129 Adding Policy Roles Define policy roles to provide unique treatment of packet types when a single role is applied Note Associate each role with a configuration Profile of a device group for each AP in the group to make use of the policy role 1 Go to Configure Policy Roles Add 2 Configure the parameters for the role For more information see Policy Role Settings on page 129 3 Sele...

Page 129: ...during network configuration You can specify a unique VLAN here Click to add a new VLAN option Associated Profile Indicates profiles that this role is associated with Click to modify profile association Note Associate a role with a configuration Profile The configuration Profile is associated with the device group Each AP in the device group makes use of the policy role Rules Policy rules are orga...

Page 130: ...the user A role can have no rules if the default action is sufficient Rules are used only to provide different treatments for different packet types to which a single role is applied Specify the OSI layer to which the rule pertains The rule defines one or more actions to take on a packet matching criteria specified by the rule The criteria could be the MAC address L2 or the IP address or port numb...

Page 131: ...nks Configuring L3 L4 Rules on page 131 Policy Rules for OSI L2 to L4 on page 130 Configuring L3 L4 Rules Configure policy rules that are associated with a role from the Role Configuration page To configure an OSI Layer 3 and 4 rule which filters on IP Address and Port number 1 Select the L3 L4 drop down and select New or select the rule to edit an existing rule 2 Configure the following paramete...

Page 132: ...lies access control and quality of service actions to all the traffic associated with the application not just traffic destined for specific IP addresses or ports The control actions regulate both access control and traffic engineering rate limit marking and prioritization for applications and groups Use case examples include Identifying critical applications and assigning a higher priority and Co...

Page 133: ...on business related traffic You can create a new application rule anywhere in the list of policy rules and create any number of application rules in one role To configure application rules 1 Go to Policy Roles Add 2 For application policy rules select the L7 Application Rules drop down 3 Select in that row The Rules dialog displays From User A packet header includes both a destination IPv4 address...

Page 134: ...m Apps to the Application List When creating Application Rules you can add custom applications to the list of possible applications Take the following steps to configure a custom app for the Application Rule that is associated with a role 1 Go to Configure Policy Roles Add 2 Select the drop down arrow for L7 Application Rules and click New or select a rule in the list 3 Select in that row The Rule...

Page 135: ...a 3 bit field that is present in an Ethernet frame header when 802 1Q VLAN tagging is present The field specifies a priority value between 0 and 7 more commonly known as CS0 through CS7 These values can be used by QoS disciplines to differentiate and shape or police network traffic CoS operates only on 802 1Q VLAN Ethernet at the data link layer Layer 2 which other QoS mechanisms such as DiffServ ...

Page 136: ...e Policy Roles Add Or Class of Service Add Configure ToS DSCP and skip to step 5 2 Select Bandwidth Limit and click 3 Click Edit next to Advanced Settings 4 Click Configure ToS DSCP 5 In the ToS DSCP dialog box select either Type of Service ToS or Diffserv Codepoint DSCP Set the related options and click OK Type of Service ToS Precedence Assign a priority to the packet Packets with lower priority ...

Page 137: ...et that is being transmitted over a VLAN A packet transmitted without a VLAN tag is said to be untagged Since there is no way to identify the VLAN to which an untagged packet belongs there can be only one untagged VLAN on a VLAN trunk It is common practice to place all AP management traffic on an untagged VLAN and place user traffic on tagged VLANs ExtremeCloud Appliance preconfigures switches wit...

Page 138: ... the added I SID parameter Fabric Attach can be configured on the ExtremeCloud Appliance anywhere a B AP topology can be configured VLAN ID Specify the VLAN ID Note It is possible to configure a unique VLAN ID when configuring a role This provides more flexibility in the Contain to VLAN default Action The VLAN ID range is 1 4094 4094 is reserved for Internal VLAN ID I SID For Fabric Attach enter a...

Page 139: ...ss the ExtremeCloud Appliance user interface through this port 4 To configure advanced parameters click Advanced 5 Select Save Related Links VLAN Advanced Setting on page 139 VLANS on page 137 Generate Browser Certificates on page 153 VLAN Advanced Setting Configure the following parameters to optimize your network connectivity Modifying the following settings is optional and should include though...

Page 140: ...s a message to a group of destination hosts Fabric Attach Topology The Fabric Attach topology type allows an AP to attach to a Shortest Path Bridging Fabric Connect Network The client component on the AP communicates directly with the server on an edge switch or it can communicate with the server through a proxy to allow the AP to request VLAN to I SID backbone Service Identifier IEEE 802 1 ah map...

Page 141: ...hat includes a local and foreign ExtremeCloud Appliance make sure the Fabric Attach topology configuration is the same on each ExtremeCloud Appliance ensuring that an AP that moves between appliances has the same set of topologies Figure 22 Fabric Attach for FA Clients Automated Network Services VLAN Groups A VLAN group can be associated with a single wireless network In a large venue a VLAN group...

Page 142: ...icy Rates 2 Select Add or select an existing rate from the list 3 Configure the following parameters Average Rate CIR Specify the rate at which the network will support data transfer under normal operations It is measured in kilo bits per second kbps 4 Select Save AP Adoption Rules The AP adoption feature simplifies the deployment of a large number of APs A set of rules defines the device group as...

Page 143: ... Profile configuration Related Links Adding or Editing Adoption Rules on page 143 Deleting Adoption Rules on page 144 Adding or Editing Adoption Rules Create adoption rules that filter on one or more of the following network attributes AP Model Matching criteria is a sub string For example if filter criteria is FCC all APs with FCC in the model number will match Host Name Matching criteria is a su...

Page 144: ... matches on sub strings The full host name is not required for a match Model Model number on the AP This field matches on sub strings The full model number is not required for a match Serial Number Serial number on the AP Serial number requires an exact string match Related Links Adding or Editing Adoption Rules on page 143 AP Adoption Rules on page 142 Deleting Adoption Rules on page 144 Deleting...

Page 145: ...ging The Local Password Repository on page 151 Managing Captive Portal on page 154 Managing Access Control Groups on page 165 Access Control Rules on page 168 Setting Default AAA Config Configure authentication using one or more methods of authentication With RADIUS and Local authentication you have the option to configure an LDAP server as a backup When you choose RADIUS or LDAP authentication yo...

Page 146: ...py the Distinguished Name from the LDAP server LDAP Configuration Indicates the LDAP Configuration to use as a default Select from one of the configured LDAP Configurations Authenticate Locally for MAC Authenticate the MAC address on ExtremeCloud Appliance Do not authenticate MAC address on the RADIUS server Related Links RADIUS Settings on page 147 Advanced RADIUS Settings on page 147 LDAP Config...

Page 147: ...idirectional traffic Proxy RADIUS Accounting Requests Indicates that the RADIUS server will also handle RADIUS accounting requests Accounting Client UDP Port UDP port number used for client accounting User Datagram Protocol UDP needs only one port for full duplex bidirectional traffic Shared Secret The password that is used to validate the connection between the client and the RADIUS server Mask D...

Page 148: ...th Use Access Request Use an access request message to determine if the RADIUS server is running The request uses a username and password This method looks for any response from the server The username and password do not need to be valid A negative response will work However the username password fields are provided to prevent rejects from being logged in the backend RADIUS server Check Interval ...

Page 149: ...Configuration Name Name the LDAP configuration LDAP Configuration URL Connection URL for the LDAP server and any backup servers you have configured The backup servers are redundant servers containing the same directory information The format for the connection URL is ldap host port where host equals hostname or IP address and the default port is 389 For example ldap 10 20 30 40 389 If you are usin...

Page 150: ...r authentication from the captive portal but does not work with most 802 1x authentication types NTLM Auth This option is only useful when the backend LDAP server is a Microsoft Active Directory server This is an extension to LDAP bind that will use ntlm_auth to verify the NT hash challenge responses from a client in MsCHAP MsCHAPV2 and PEAP requests NT Hash Password Lookup If the LDAP server has ...

Page 151: ...ord Repository ExtremeCloud Appliance gives you the option to store user accounts in a local password repository in place of configuring one or more remote RADIUS servers or remote LDAP servers to handle network authentication Note When using local password authentication you may also want to configure LDAP for additional user information Take the following steps to add new user accounts to the lo...

Page 152: ...bsite security and RADIUS Server certificates for certificate based authentication to the network and for access to a captive portal The browser certificate ensures security between the wireless clients and a VLAN and the RADIUS server certificates ensure security between the RADIUS server and Network Access Control Both types of certificates offer the option to generate a new certificate or use a...

Page 153: ...te file Provide the password key provided with that file Install or Replace certificate file and key from separate files Select this option and navigate to the saved certificate file and separate key file Reset to default certificate and key Select this option to clear previous certificates and reset the ExtremeCloud Appliance to the default configuration of the Self Signed certificate Note When c...

Page 154: ...ificate 3 To add trusted certificates to ExtremeCloud Appliance click Add CA Certificates and navigate to the certificate file Then click Open 4 To add URLs to the Certificate Revocation List CRL click Add URL and provide a valid CRL 5 Check the box to allow expired CRLs to be used to validate certificates Related Links Certificates on page 152 Managing Captive Portal 1 Go to Onboard Portal A list...

Page 155: ...database Click Manage to configure settings Guest Registration Allows unauthenticated access to the network for a configurable period of time Registration has provisions for capturing end user specific information such as a name phone number or email address Allows the optional presentation of an Acceptable Use Policy Registration using credentials for Facebook Google or Microsoft are supported Cl...

Page 156: ...etermine redirection behavior Valid values are Use Network Settings Redirection Always redirect based on network settings Redirection to user s requested URL Redirects the end user to the web page they requested at network connection To specified URL Specify the URL for the web page redirection Destination field is displayed Disabled No redirection End user remains on the web page where they were ...

Page 157: ...with Yahoo credentials Obtain an Application ID and Shared Secret from Yahoo See Walled Garden Rules on page 124 Salesforce Registration Select this option to allow authentication with Salesforce credentials Obtain an Application ID and Shared Secret from Salesforce See Walled Garden Rules on page 124 Provider 1 Registration Select this option to use credentials from a custom application that you ...

Page 158: ...user is presented with the information that ExtremeCloud Appliance receives from the third party application The end user grants ExtremeCloud Appliance access to the third party information and is redirected back to the captive portal where they see a Registration in Progress message The third party application provides the requested information to ExtremeCloud Appliance which uses it to populate ...

Page 159: ...ted Users who complete registration through the Authenticated captive portal match this rule The rule checks for end system MAC addresses in the Web Authenticated Users group This rule is only present when Authenticated Registration or Authenticated Web Access is enabled Related Links Portal Website Configuration on page 155 Guest Portal Guest Web Access on page 156 Guest Portal Guest Registration...

Page 160: ...pport authentication such as Linux machines or may not have a web browser such as game systems For example a student may register to the network using their PC Then using a self registration URL provided by the system administrator they can register their additional devices Example URL https://<IP of portal interface>/self_registration Enable Pre Registration Portal Guest users can be registered in ad...

Page 161: ...om the configuration drop down lists The drop down menu for each image category displays all the images defined in the Images window Note You must add images to each portal separately Images listed under the default portal are not available to other portals until you have added the image to each portal separately Header Background Image The background image displayed behind the header image at the...

Page 162: ...olor used for accents on the web pages Edit Style Sheets Create a style sheet that adds to or overwrites the formatting styles for the portal or mobile version of the portal web pages respectively Edit Locales Define the default locale language displayed to any captive portal user unless the client locale detected from their browser matches one of the defined supplemental locales The list of avail...

Page 163: ...t have access to until they are accepted It is recommended that the test image URL is a link to an SSL site because when the captive portal is configured for Use HTTPS the browser will not allow the attempt to an HTTP test image site It is also recommended that the captive portal policies typically the Unregistered and Quarantine policies are configured to deny HTTPS traffic This prevents the test...

Page 164: ... portal Then click Edit Configuration Edit Images For more information see Look Feel settings Login Configuration Click Add to add a new configuration Related Links Login Configuration Settings on page 164 Login Configuration Settings Set up a login configuration profile to simplify user access to the captive portal Table 71 Login Configuration Settings Field Description Authentication Type Indica...

Page 165: ...gured groups displays From here you can search for a group edit group settings delete a group or add a new group 2 To edit or delete a group select a group row The group settings display To edit a group modify the group settings and click Save To delete a group click Delete 3 To add a new group from the Access Control Groups page click Add and configure the group settings Related Links Access Cont...

Page 166: ...h all of the LDAP attributes The Exists mode checks to see if the host is present in the LDAP group Valid values are Match All Match Any Exists Group Entries A list of entries for the group Use the Search field to search for an entry Related Links Working with Group Entries on page 166 Cloning Groups on page 167 Managing Access Control Groups on page 165 Default Groups Provided with Your Installat...

Page 167: ...g Access Control system groups are provided with the ExtremeCloud Appliance installation by default Blacklist A list of MAC addresses that are prohibited from accessing the network Registered Guests A list of MAC addresses that have been granted access to the network via the Guest captive portal Web Authenticated Users A list of MAC addresses that have been granted access to the network via the Au...

Page 168: ...t do not match any of the defined rules are assigned the default Catch All rule The Default Catch All rule assigns the Enterprise User policy role by default which allows full network access The policy role assigned by this rule is configurable You can edit the rule and change the Accept Policy field value Blacklist End systems with a MAC address that is a member of the Blacklist group are denied ...

Page 169: ...longer a member of the student body Access Control Rules 1 Configure Access Control Rule Learning Student The Access Control Rule takes the defined policy rule Learning Student Access and applies it to members of the student body who are using school issued computers in a single rule Group Criteria Select the following values for each group User Group Student Body End System Group School Computers...

Page 170: ...C address that is a member of the Blacklist group are denied network access They are assigned the Quarantine policy role The Quarantine policy denies all traffic by default Go to Policy Roles to configure the Quarantine policy definition Related Links Adding Policy Roles on page 128 Managing Access Control Groups on page 165 Managing Access Control Rules on page 170 Rule Settings on page 171 Acces...

Page 171: ...uthenticated Web Access is enabled Related Links Internal Captive Portal Settings on page 122 Portal Website Configuration on page 155 Portal Network Configuration on page 163 Portal Administration Configuration on page 163 Rule Settings Configure the following Access Control Rule settings and click Save Associate rules to a group type Configure groups under Access Control Groups Table 73 Access C...

Page 172: ...at you configured that is affected by the rule Policy Associate a policy role with the Access Control Rule The access control action is defined in the policy rule Select from the drop down list For more information see Preconfigured Policy Roles on page 59 Portal Associate a captive portal with a rule Related Links Managing Access Control Groups on page 165 Managing Access Control Rules on page 17...

Page 173: ...asily navigate ExtremeCloud Appliance The following is a relationship diagram illustrating the ExtremeCloud Appliance components You can easily navigate to any of these components using Workflow Go to Tools Workflow to begin Figure 23 ExtremeCloud Appliance Component Relationship Related Links ...

Page 174: ...ane lists all components that are available in ExtremeCloud Appliance You can add and delete components using Workflow Select an icon on the Workflow page to display a list of available components and navigate through the component hierarchy Figure 24 Workflow Main Page Related Links How to Navigate Using Workflow on page 175 Workflow on page 173 Modifying a Component on page 181 Adding Components...

Page 175: ...omponent using Workflow 1 Select the Site icon on the Workflow page to display a list of available sites Note If there is only one available component of that type the component details or configuration page displays instead of a list of specific components 2 Select a specific site from the Site list A site has the following associated components Access Point Device Group and Switch ...

Page 176: ... has the focus White Icon This icon indicates a configured component that is associated with the center icon Grey Icon This icon is associated with the center icon It indicates a component that is available but not currently configured 3 Select the Device Group icon to display a list of available device groups ...

Page 177: ... components RF Management Site Access Point Profile 5 In this example there are no APs configured for Device Group 7532 therefore Access Points appears grey Click beside Access Points to open the Edit Device Group page and add one or more APs to Device Group 7532 For more information see Adding APs on page 107 ...

Page 178: ...igure the component 7 Continue navigating through the component hierarchy to view any component within ExtremeCloud Appliance Use the Workflow breadcrumbs to move backwards in the hierarchy Alternatively you can use the Search field on the Workflow page to search for a component Related Links Adding Components from Workflow on page 179 Deleting Components from Workflow on page 180 Modifying a Comp...

Page 179: ...own arrow under a component type and select the plus sign Configure the parameters to add the component to the appliance and click OK 1 From the Workflow pane click the arrow next to Access Points Figure 28 Workflow Pane APs 2 Select the plus sign Figure 29 Adding APs from Workflow Pane The configuration page for the selected component displays allowing for further configuration The parameters tha...

Page 180: ...dio Settings on page 108 for instructions on configuring the AP radio settings Related Links Configure AP Radio Settings on page 108 Deleting Components from Workflow You can delete ExtremeCloud Appliance components from Workflow From the Workflow pane 1 Click the drop down arrow under a component type and select an item from the list 2 Click ...

Page 181: ...profile the Edit Profile page displays Skip to step 4 The specific profile gains focus at the center of the Workflow page 3 Select the profile component that has the focus to display the Edit Profile page 4 To modify profile settings select a profile tab Note If you are editing a specific profile type for example IoT the Edit Profile page opens with that tab selected Example Network Modification 1...

Page 182: ...Configuration on page 203 Setting a Logging Filter on page 184 View Event Logs ExtremeCloud Appliance logs all messages that are triggered by system events You can view a record of the events in the user interface Event log files include the following information Date and timestamp Severity Type Product Component Message To view event log files 1 Go to Tools Logs Events The Events page opens 2 Opt...

Page 183: ...rch The station log list is updated 5 Optional Select to export the data and manage which columns display Note ExtremeCloud Appliance provides station event history for active stations You can also search for inactive stations using a MAC address or user name Related Links System Logging Configuration on page 203 Understanding Date and Time on page 20 Setting a Logging Filter on page 184 View Audi...

Page 184: ...tion Events before viewing station logs AP log files include the following information Date and timestamp AP Name The severity type for the event Message To view AP log files 1 Go to Tools Logs AP Logs 2 Optional Search for a specific AP log 3 Set a filter or use the default filter 4 Press Enter to execute a search The AP log list is updated 5 Optional Select to export the data and manage which co...

Page 185: ...twork administrators when debugging network problems Configure the following parameters Table 74 Network Utilities Field Description Target IP Address IP address for the test target Use specific source interface Indicates if a specific interface will be selected for the test Select the interface from the Select Interface field When this option is cleared ExtremeCloud Appliance runs the test based ...

Page 186: ... tab Filename Specify the name of the dump file Save File To Specify where to save the dump file Capture File Size MB Specify the max limit of the dump file in MB This feature allows you to control the size of the resulting dump file so the file does not become too large Capture Files List of previously created dump files Select a file to take action ...

Page 187: ...95 SNMP Configuration on page 199 System Logging Configuration on page 203 System Information on page 204 Interfaces Host Attributes Attributes that define your network Host Name Domain Name Default Gateway and your DNS servers The Default Gateway IP address is the global default IP route setting for the appliance Valid values are the Admin topology gateway address and any IP address on the physic...

Page 188: ... virtual network Tagged Indicates if the interface tags traffic When traffic is tagged the VLAN ID is inserted into the packet header to identify which VLAN the packet belongs to Tagging can identify the port or interface to send a broadcast message to Port Physical port on the ExtremeCloud Appliance appliance for the interface Enable Device Registration Enable or disable AP registration through t...

Page 189: ...rver Indicates that the ExtremeCloud Appliance is used for managing IP addresses Related Links Certificates on page 152 Add a Static Route Static Routes define the default route to ExtremeCloud Appliance for legitimate wireless traffic You must be a system administrator to add a static route Note Static Routes affect the settings for the Default Gateway IP address under Host Attributes Adding a de...

Page 190: ... in a network of computers NTP SNTP Reachable An icon indicates if the NTP SNTP server is reachable Green The server is reachable Red The server is not reachable Check your NTP SNTP server settings ExtremeCloud Appliance has lost connectivity Note Network Time settings on each appliance of an Availability Pair must be identical for the configuration update process to be successful Software Upgrade...

Page 191: ...kup Location Indicates where to send the backup file Valid values are Local Remote Flash When sending a backup to a remote server configure the server properties What to back up Indicates the content of the backup file Valid values are Configs CDRs Logs and Audit which is a full backup or Configuration files only Schedule Task Indicates when the backup task runs Valid values are Never Daily Weekly...

Page 192: ... Now or Schedule Then click Upgrade Now or Configure Schedule Related Links Configuring an Upgrade Schedule on page 192 Performing a Backup on page 191 Restoring a Backup File on page 191 Remote Server Properties on page 193 Upgrade AP Images on page 194 Configuring an Upgrade Schedule After you have the image file on ExtremeCloud Appliance you can upgrade right away or schedule an upgrade To sche...

Page 193: ...Secure Copy Protocol Server IP IP Address of the server Username User name to log into the server Password Password to log into the server Directory Destination or source location of file on the server Filename Name of the backup file Destination Destination directory for copied backup file Click OK to initiate the copy action View Upgrade Logs The following ExtremeCloud Appliance appliance softwa...

Page 194: ...e ExtremeCloud Appliance shuts down then reboots A warning message is displayed asking you to confirm your selection Halt System The system enters the halted state which stops all functional services the application and associated wireless APs A warning message is displayed asking you to confirm your selection To restart the system the power to the system must be reset Web Session Timeout Determin...

Page 195: ... failover When configuring an Availability Pair consider the following information ExtremeCloud Appliance directly balances capacity allocations across both appliances in an Availability Pair Adoption Capacity is additive For example to support a 600 AP Capacity you can purchase a 500 Device Capacity 30330 and a 100 Device Capacity 30329 The Availability pair shares the installed capacity to the 6...

Page 196: ... enables wireless APs to switch over to a standby backup wireless appliance fast enough to maintain the mobile user s session availability in the following scenarios The primary wireless appliance fails see Figure 32 Figure 32 AP Fail Over When Primary Appliance Fails The wireless AP s network connectivity to the primary appliance fails see Figure 33 ...

Page 197: ...d Appliance outage or to connectivity failure it fails over to the backup ExtremeCloud Appliance fast enough to maintain the user session In session availability mode Figure 34 the APs connect to both the primary and backup ExtremeCloud Appliance While the connectivity to the primary ExtremeCloud Appliance is via the active tunnel the connectivity to the backup ExtremeCloud Appliance is via the ba...

Page 198: ...eer IP Address Physical VLAN address of the paired appliance This is the IP address of the Physical 1 interface port esa0 which matches the VLAN definition under System Interfaces Role Select the role of the paired appliance Valid values are Primary or Backup Note The configuration of the Primary appliance is copied to the Secondary appliance Auto AP Balancing Select the load balancing configurati...

Page 199: ...dated on the NAC server that is connected to each node Network Time settings on each appliance of an Availability Pair must be identical for the configuration update process to be successful NEW Settings Configure the following ExtremeCloud Appliance settings from the Admin menu SNMP MAC Format NSight Related Links SNMP Configuration on page 199 MAC Format on page 202 NSight Configuration on page ...

Page 200: ...MPv3 Users Click Add to add users for access to ExtremeCloud Appliance through SNMP These values are typically types of users that are configured for access No Authentication No Privacy Authentication No Privacy Authentication Privacy You can also edit user credentials and delete users SNMP Notifications Click Add to configure the IP address and port of the server that will receive SNMP messages Y...

Page 201: ...nity from the list and click Delete Related Links SNMP Configuration on page 199 Working with SNMP Notifications on page 202 Working with SNMPv3 Users on page 201 Working with SNMPv3 Users 1 To work with SNMPv3 users Go to Administration System Settings SNMP Go to Sites and select a site Then click SNMP 2 From the SNMP field select SNMPv3 The following parameters display for SNMPv3 Context String ...

Page 202: ...from the list and click Edit 5 To delete a notification select a notification from the list and click Delete Related Links SNMP Configuration on page 199 Working with SNMPv3 Users on page 201 NEW MAC Format ExtremeCloud Appliance provides the ability to define the user MAC address format for MAC based authentication Select from a set of MAC encoding formats to match the format that you are using i...

Page 203: ...twork device to the management system to identify the occurrence of conditions Traps can save network resources by reducing SNMP polling Syslog Provide the IP Address of 1 3 syslog servers and enable the type of messages that you want to send to the syslog servers Send all Service Messages Send Audit Messages Send Station Events Note To synchronize the logs the syslog daemon must be running on bot...

Page 204: ... System System Information to view the following information about your system Figure 35 Example System Information Figure 36 Example Manufacturing Information ...

Page 205: ...ileges Read Only Ability to log on and view administrative pages 3 To edit account settings 1 Select an existing account from the list 2 Modify settings as necessary and click Save 4 To delete an existing account 1 Select an existing account from the list 2 Click Delete Note All administrator accounts except the default account can be deleted Managing RADIUS Servers for User Authentication Confi...

Page 206: ...plications indicating the Latest Version or version numbers that include alphabetic characters are not supported Twenty percent of the appliance hardware capacity is allocated for Docker file applications Take the following steps to install an application 1 Go to Admin Applications 2 Click Add to create the Configuration Template 3 Click to add an application to ExtremeCloud Appliance 4 Install fr...

Page 207: ...d directly from ExtremeCloud Appliance The internal port in the container must be TCP port 8887 The base URL must begin with the application name For example defender The application must use relative URLs Icon The application icon Click Change to select a new image file After selecting a new image file the Default button appears Click Default to revert to the default image Image The application i...

Page 208: ...e memory allocation when multiple applications are installed Max limits are dependent on the appliance platform limitations Default value is 50 percent of maximum limitation Volume Mapping Indicates folder name and path for volume storage Volume storage will not be deleted upon application upgrade Note All data is deleted when the application is uninstalled Port Mapping Configure source and destin...

Page 209: ... access the following details about an installed application go to Admin Applications and click Dashboard Displays CPU and Memory stats for the application Details View the application configuration template details You must uninstall the application before you can modify the application configuration template Note All data is deleted when an application is uninstalled Logs View log files for the ...

Page 210: ... or Colombia The ROW must be deployed in any country except the United States Puerto Rico or Colombia EGY A wireless appliance with a EGY license will continue to require ROW hardware but the license will restrict country selection to Egypt only A wireless controller with a EGY license can manage access points deployed in Egypt The ExtremeCloud Appliance appliance license system works on simple so...

Page 211: ...t activation key is valid for an infinite period Use an activation key with a capacity key to license the devices Note Whenever the licensed region changes on the appliance all APs are changed to Auto Channel Select to prevent possible infractions to local RF regulatory requirements If this occurs all manually configured radio channel settings will be lost Installing the new license key before upg...

Page 212: ...tend your device capacity To apply a license key go to Admin License Before license activation the ExtremeCloud Appliance is presented in Demo mode In Demo mode only the Activation Key field is visible enter a temporary or permanent key in the Activation Key field If the ExtremeCloud Appliance is in Trial mode under a temporary license enter the permanent license key in the Activation Key field No...

Page 213: ...hased ExtremeCloud Appliance you received a license voucher from Extreme Networks 3 Log into the Extreme Networks web portal and redeem the voucher and provide the Locking ID 4 The Extreme Networks web portal presents the permanent key 5 On the ExtremeCloud Appliance go to Admin License 6 Copy and paste the key from the Extreme Networks web portal to the ExtremeCloud Appliance user interface 7 Cli...

Page 214: ...ion transfer and SKUs for capacity adoption Use these SKUs to transfer existing devices to ExtremeCloud Appliance Related Links Obtaining a Temporary License Key on page 213 Obtaining a Permanent License Key on page 213 ...

Page 215: ...so provides visibility into network and application performance allowing IT to pinpoint and resolve performance issues in the infrastructure whether they are caused by the network application or server Learn more about EAA at http://www.extremenetworks.com/product/extremeanalytics Extreme Management Center Extreme Management Center Management Center formerly Netsight is a web based control interface...

Page 216: ...meControl at https://www.extremenetworks.com/product/extremecontrol ExtremeSwitching ExtremeSwitching is the family of products comprising different switch types Modular X8 and 8000 series formerly BlackDiamond and S and K series switches Stackable X series and A B C and 7100 series switches Standalone SSA X430 and D 200 800 and ISW series and Mobile Backhaul E4G Learn more about ExtremeSwitching at...

Page 217: ...nticated Registration Settings 159 Authenticated Web Access Settings 159 Guest Registration Settings 157 Guest Web Access Settings 156 captive portal message string 165 certificates 152 Certificates AAA Certificate Authorities 154 channel plan configuration 89 Class of Service configuring 135 136 client actions 54 Client Events 57 client snapshot 55 Column Display configuring 20 Configuration Prof...

Page 218: ...ettings AP510e 111 AP560h 112 profiles network association 129 role association 129 proxy server 20 R radio mode 70 radio properties AP configuration 108 radio settings button 28 RADIUS Servers for user authentication 205 RADIUS Servers managing 146 RADIUS Settings 147 RADIUS Settings Advanced 147 remote server properties software upgrade 193 restoring 191 RF Management ACS 90 ACS configuring 90 c...

Page 219: ...ng 135 136 troubleshooting 209 U upgrades scheduled 192 upgrading 192 user account settings 152 user authentication RADIUS servers 205 V VLAN Groups creating 142 VLANS about 137 VLANS configuring 137 VLANS configuring multicast 139 W WEP privacy settings 122 whitelist 84 Widgets 61 widgets AP 45 widgets modifying a dashboard 24 widgets Network 53 widgets Switch 51 Workflow modifying a component 18...
