Auto Provisioning Settings
View, add, and modify automatic provisioning profiles.
Navigate using the tab icons. Hover over an icon to see the name of the tab.
Configure > Common Objects > Policy > Auto Provisioning > Add
AP device templates (see AP Device Template Settings) function similarly to auto-provisioning rules described in this topic. The best-practice recommendation is to use AP device templates rather than auto-provisioning rules to configure APs as they are onboarded.
Note
When AP device templates (described in AP Device Template Settings) and auto-provisioning rules are both in place when the AP is onboarded, the auto-provisioning rules are applied and the AP device template is ignored.
When you enable automatic provisioning, you can configure ExtremeCloud IQ to upload an IQ Engine image, or a configuration, or both. When you enable ExtremeCloud IQ to upload both an image and a configuration, it uploads the image first, and then the configuration. See Auto Provisioning.
Identify devices for auto provisioning by adding or importing serial numbers or IP subnetworks. Import serial numbers by selecting devices that have already been onboarded, importing a CSV file populated with serial numbers, or entering serial numbers manually. You can use a combination of any of these methods. To add or import IP subnetworks to an auto provisioning profile, enter IP subnetworks manually or import a CSV file containing the subnetworks. You can also use IPv6 addresses to identify subnetworks.
Note
Automatic provisioning profiles are based on device models. You can define multiple profiles for the same model and distinguish which devices get which profile by specifying a serial number or IP address.
To apply automatic provisioning, select , enter the following, and then select Save:
Name: Enter a name for the auto provisioning profile. The name can contain up to 32 characters without spaces.
Description: Enter a descriptive comment for these settings, such as the location of the devices to be automatically provisioned. The comment can contain up to 64 characters including spaces.
Device Function: Choose either AP or Switch as the device function from the drop-down menu.
Device Model: Choose the platform for which the profile is intended. The model you choose determines which device functions, interface settings, and radio settings are displayed.
Use serial numbers or IP sub-networks to identify devices for auto provisioning: To restrict the automatic provisioning of devices to particular serial numbers, select the Serial Number check box. To auto provision devices by IP subnetworks, select the IP Subnetworks check box.
Serial Numbers: Select this check box to identify the serial numbers of devices that you want ExtremeCloud IQ to automatically provision. Then select the Select Serial Numbers... bar. See Add Serial Numbers below for configuration information.
IP Subnetworks: Select this check box to identify the IP subnetworks of devices that you want ExtremeCloud IQ to automatically provision.
When you create multiple auto provisioning profiles for the same device model and use serial numbers or IP subnetworks to identify them, be aware of the following situations:
There are three ways to add device serial numbers to ExtremeCloud IQ—by selecting onboarded devices, importing a CSV file populated with serial numbers, or entering serial numbers manually. You can use one or more of these methods within the same auto provisioning profile. When you are finished adding serial numbers, select Save.
Onboarded devices have been added to ExtremeCloud IQ, but have not been uploaded with a configuration. By default, the Select devices for initial on-boarding check box is selected and the Imported and Selected columns are displayed. To add a serial number to the auto provisioning profile, select a serial number in the Imported column, and then use > to move it to the Selected column. To select multiple devices, select one serial number, and then use Shift to select additional serial numbers. To move all of the devices in the Imported column to the Selected column use >>. To remove a serial number, select it and move it to the Imported column. Once it is there, select it, and then select Remove.
Note
You must onboard the serial numbers before you can create an auto provisioning profile that contains serial numbers.
By default, the Add additional devices via CSV import check box is selected, which displays Please select a file... Choose. The columns within the CSV file must conform to the CSV template, which you can download here: Serial Number CSV file.
Within a CSV file, you can provide a serial number, host name, IP address, network policy, location, static IP addresses, and Supplemental CLI object to a specific device model. The device-specific configuration takes precedence over the global rules in the auto provisioning profile. Select the Add additional devices via CSV import check box to import serial numbers using a CSV file. (By default, this check box is selected.)
Note
In the CSV file, you must format the device name and device function in the following way: Device Model: AP_305C (be sure to include the underscore); Device Function: Ap (use an initial capital letter followed by a lowercase letter).
If you already have a list of the serial numbers for all your devices, such as a list sent by Extreme Networks during the purchase process, you can use it to create an access list. Prepare a CSV file containing a single 14-digit serial number on each line. To import a CSV file, select Choose, and then select a .csv file on your local drive. After you import the serial numbers, they are displayed in the Identify Devices for Provisioning panel. Then select Save.
Select the Manually enter additional devices check box to enter additional device serial numbers. (By default, this check box is selected.) Enter multiple serial numbers separated by a comma (without a space). Remember that each serial number is 14 digits long.
To add IP subnetworks for auto provisioning, select the check box next to IP Subnetworks. Select Select IP Subnetworks.... You can import IP subnetworks with a CSV file, or enter IP subnetworks manually. You can also use IPv6 addresses to identify subnetworks.
Note
To create an auto provisioning profile that contains IP subnetworks, the devices in the profile cannot have been onboarded previously.
IP Subnetworks: You can identify devices that you want ExtremeCloud IQ to auto provision by IP address. ExtremeCloud IQ only auto provisions a device if it has an IP address in one of the selected IP subnetworks.
First, create a CSV file containing a single network/netmask on each line. If you are logged into a Virtual IQ, enter just a device serial number on each line. For example:
//IP subnetwork
10.1.1.0/24
10.1.2.0/24
If you are logged into the All Virtual IQs system, include the Virtual IQ name on each line after the subnetwork entry. To import subnetworks into the home system, you can either include the name of the home system after the subnetwork and comma or omit the name and the preceding comma completely. In the following example, the first line is ignored, the subnetwork of the second line is imported into vhm-1, and the subnetworks in the third and fourth lines are imported into the home system.
//IP subnetwork, vhm name
192.168.0.0/16, vhm-1
10.1.3.0/24, home
10.1.4.0/24
After you create the .csv file, select Choose, browse to the file, and select it. The subnetworks that you imported for the current Virtual IQ appear under the Subnetworks column. Select Save to return to the Auto Provisioning panel. If you are an admin, you must log into a Virtual IQ to see the imported subnetworks available there. The auto provisioning profile does not appear in each Virtual IQ with imported subnetworks; however, they become available for the Virtual IQ admin to use when creating a new auto provisioning profile.
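A pre-import check for the subnetwork CSV described above, added here as an example and not part of the ExtremeCloud IQ documentation or product. Because a device is auto provisioned whenever its address falls in a listed subnetwork, the check rejects entries without a netmask or with host bits set and flags overlapping subnetworks within one Virtual IQ. The function names, the skipping of blank and `//` lines, and the overlap check are assumptions of this example.

```python
import ipaddress
from collections import defaultdict

HOME = "home"  # name the page's sample uses for the home system

def parse_subnet_csv(text):
    """Parse 'subnet[, vhm name]' lines into {vhm: [networks]} plus a list of errors."""
    by_vhm, errors = defaultdict(list), []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Assumption: blank lines and '//' header lines are skipped, like the sample's first line.
        if not line or line.startswith("//"):
            continue
        subnet, _, vhm = (part.strip() for part in line.partition(","))
        if "/" not in subnet:
            errors.append((lineno, "missing netmask"))
            continue
        try:
            # strict=True rejects host bits (10.1.5.7/24); IPv4 and IPv6 are both accepted.
            net = ipaddress.ip_network(subnet, strict=True)
        except ValueError as exc:
            errors.append((lineno, str(exc)))
            continue
        by_vhm[vhm or HOME].append(net)  # an omitted name means the home system
    return dict(by_vhm), errors

def find_overlaps(by_vhm):
    """Added hygiene check: pairs of subnets in one Virtual IQ that cover the same addresses."""
    overlaps = []
    for vhm, nets in by_vhm.items():
        for i, a in enumerate(nets):
            for b in nets[i + 1:]:
                if a.version == b.version and a.overlaps(b):
                    overlaps.append((vhm, str(a), str(b)))
    return overlaps

# Constructed sample: the page's four example lines followed by made-up test lines.
SAMPLE = """//IP subnetwork, vhm name
192.168.0.0/16, vhm-1
10.1.3.0/24, home
10.1.4.0/24
2001:db8:10::/64, vhm-1
10.1.3.128/25, home
10.1.5.7/24, home
10.1.6.0
"""

if __name__ == "__main__":
    subnets, problems = parse_subnet_csv(SAMPLE)
    print({vhm: [str(n) for n in nets] for vhm, nets in subnets.items()})
    print("rejected lines:", problems)
    print("overlaps:", find_overlaps(subnets))
```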
Add IP Subnetworks Manually
Select the check box next to Manually enter additional devices to add IP subnetworks to the auto provisioning file manually. (By default, this check box is selected.) Enter multiple IP subnetworks separated by a comma (without a space). Select Save.
Network Policy: From the drop-down list, choose the network policy containing settings that you want to push to automatically provisioned devices. You must configure a network policy in Configuration > Network Policies before you can select it here. For more information, see Network Policy Settings.
Country Code: Set the country code for the device. If you select the Upload configuration automatically check box, ExtremeCloud IQ applies the country code specified here when it automatically pushes a configuration to devices during the initial establishment of a CAPWAP connection. To change the country code on a device, navigate to Configure > Common Objects > Certificates > Certificate Management. For more information, see Create a Certificate and Key.
Note
If you clear this check box, ExtremeCloud IQ does not apply this setting to change the country code on devices when you manually push a configuration to them later. In this case, the Country Code and Device Model settings only define existing properties of the device so that ExtremeCloud IQ can provide appropriate channel selections.
Auto-assign a Location
There are two ways that you can assign a location to an auto provisioning profile. You can assign one default location to a floor within your organization's network map (for example, floor 2). Or you can assign multiple floors to buildings within your network map. Before you can assign a default location, you need to create a network map. See ML Insights. You will also need to configure a network map and IP subnetworks before you can assign a location and a subnet. For instructions about how to add IP subnetworks, see "Select IP Subnetworks".
Default Location: To assign a default location to all the devices in the auto provisioning profile, select Assign. When you select a floor from the network map, it is displayed in the Preview column. (You can only assign devices to a floor within a building.) Then select Assign. In the Assign default location dialog box, select a floor to see the path to the floor in the Preview column. Select Assign. The path to the floor you selected is listed next to Assign in the New Auto Provisioning Rule window.
Select a Location and IP Subnetwork: To assign the devices in the auto provisioning profile to a location and an IP Subnetwork, select . In the Choose Location and Subnet dialog box, select a subnet from the drop-down list. Then select a floor on the network map displayed under the Location heading. You can assign multiple subnets to multiple floors, depending on the size of your network map. Select Save. You can see the assigned subnets and locations in the New Auto Provisioning Rule panel.
Upload IQ Engine upon device authentication: Select this check box to enable ExtremeCloud IQ to upload a specific IQ Engine image to automatically discovered devices. By default, this option is disabled. Clear the check box if you do not want ExtremeCloud IQ to upload an image automatically.
Upgrade to the latest IQ Engine Version: Select this check box to specify that ExtremeCloud IQ will load the IQ Engine latest version image onto a device if it is not already running the latest version.
Upgrade to the specific IQ Engine version: Select an IQ Engine version from the drop-down list.
Upload configuration automatically: Select this check box if you want ExtremeCloud IQ to upload the defined configuration to automatically discovered devices. By default, this option is disabled. The configuration consists of a network policy, two radio profiles, a topology map, a pair of root and read-only administrators, and CAPWAP settings. Clear the check box if you do not want ExtremeCloud IQ to upload the configuration automatically.
If you want to configure an SSID that references an Extreme Networks device configured as a RADIUS server to provide WPA/WPA2 802.1X access security, you must set up that device as a RADIUS server first. You can then create an SSID that references the RADIUS server and provision other new devices with that SSID. To see an outline of the configuration steps required to set up an Extreme Networks RADIUS server, see AAA Server Settings.
Reboot after uploading: To activate the uploaded image and configuration, you must reboot the devices. If your deployment includes mesh points, clear this option and reboot the devices manually so that you can control the order in which the devices reboot. By default, this option is disabled. The order in which device rebooting occurs is important in a mesh environment because ExtremeCloud IQ communicates with mesh points through their portals and through any intervening mesh points as well. If an intervening portal or mesh point reboots while a mesh point farther away from ExtremeCloud IQ is still receiving its image or configuration, the data transfer is disrupted. By keeping the uploads automatic but their activation manual, you can control the activation sequence of automatically updated devices to prevent disruptions.
If your deployment does not include mesh points, select this option to reboot devices automatically to activate the uploaded configurations.
Device Credentials
To set device credentials, select the check box for Enable Device Credential. By default, this is disabled. In the expanded section, enter the following information, and then select Save:
Root Admin Configuration: Enter a name and password for the root admin for the device. ExtremeCloud IQ uses root admin login credentials to make SSH connections to configured devices and upload full configurations to them. It is also the name of the admin that can access the device through Telnet, SSH, or console connections. The root admin name can be any alphanumeric string from 3 to 20 characters long. The password can be any alphanumeric string from 5 to 32 characters long.
Read-Only Admin Configuration: Enter a name and password for an admin that has read-only privileges when accessing the device.
CAPWAP Configurations
By default, when a device first connects to ExtremeCloud IQ, it uses a predefined bootstrap DTLS (Datagram Transport Layer Security) passphrase combined with several other values to derive a shared key that the device and ExtremeCloud IQ then use to authenticate each other. The elements that are used in the generation of the key ensure that it is unique for each device-ExtremeCloud IQ relationship. After the device and ExtremeCloud IQ authenticate each other and complete the DTLS handshake, they generate another key for encrypting their communications. They generate a different encryption key after every DTLS handshake.
If you configure two ExtremeCloud IQ appliances to act as nodes in an HA (high availability) pair, you need to designate one as the primary CAPWAP server and one as the secondary CAPWAP server for the devices. If they cannot connect to the primary server, they then try to connect to the secondary server.
Select Enable CAPWAP configurations to configure primary and secondary CAPWAP servers and change the passphrase. (By default, this field is disabled.) After you enable it, the following options are displayed:
Primary CAPWAP Server: From the Primary CAPWAP Server drop-down list, choose the ExtremeCloud IQ address with which you want devices to form a CAPWAP connection first.
Backup CAPWAP Server: If you are deploying ExtremeCloud IQ as a standalone device, leave this field empty. If it is in an HA pair behind a NAT device from its configured devices, use the drop-down menu to select the domain name or MIP linking to its MGT interface.
If you do not see the address you need, select , and then "IP Address" or "Host Name."
If you select "IP Address", the following fields are displayed:
Name: Enter a descriptive name of the IP object.
IP Address: Enter the IP address of the host name. Select Save.
If you select Host Name, the following fields are displayed:
Name: Enter a descriptive host name.
Host Name: Enter the IP address of the host name. Select Save.
Shared Key for Authentication: To change the passphrase, enter a new alphanumeric string in the Passphrase and Confirm Passphrase fields. The passphrase can contain between 16 and 32 characters.
Copyright © 2020 Extreme Networks. All rights reserved. Published March 2020.