Hierarchical ExtremeCloud IQ Configuration Guide

About HIQ Administrator Management

An HIQ admin can access the accounts and networks of all their direct customers' organizations. In contrast, an organization admin can only access and manage devices in his or her own organization. The HIQ admin has full read-write access to his or her local organization and to all other organizations, and can also move devices between Modifying and Removing an Organization

ExtremeCloud IQ organizes the two types of admin accounts as follows:

• An organization admin of a specific organization belongs to only that organization.
• No organization admin can belong to more than one organization.
• An HHM admin can add and delete organization admins, and can suspend or delete any organization.

About Organization Administrator Management

The organization admin can only access and manage devices in his or her own organization, while an HIQ admin can access the accounts and networks of all their direct customers' organizations. In addition, the organization admin has the role-based capabilities and limitations as assigned by the HHM HIQ. For instance, if the HIQ admin has defined the role as observer (see Admin Accounts for more about roles), the organization admin can only view the status of the organization. Conversely, if the organization admin has been assigned the operator role, has almost all the same access rights as the HIQ admin, except for not being able to manage accounts and licensing.

Each organization admin operates ExtremeCloud IQ the same way as any other ExtremeCloud IQ admin.

Enabling HHM

A ExtremeCloud IQ admin can enable HIQ at any time. However, enabling HIQ is a permanent action and cannot be undone.

Note

Activating HIQ deletes all existing ExtremeCloud IQ backups.

Navigate to   admin_name > Global Settings > Accounts > Account Details. ExtremeCloud IQ displays the Account Details window.

On the Account Details window, select Enable HHM and then select Enable in the Please Confirm prompt to have ExtremeCloud IQ enable Hierarchical ExtremeCloud IQ and make you the HIQ admin.

ExtremeCloud IQ logs you off and displays the HIQ login window.

After you have enabled HIQ , ExtremeCloud IQ uses your original credentials to log you in as the HIQ admin.

When you have logged in, you will see the normal ExtremeCloud IQ interface with two changes: Most of the ExtremeCloud IQ pages now have a icon at the top right of the window and a Viewing x of y organizations organization Indicator box below the icon.

Note

All HHM and organization administrators can see the organization indicator box, but only the HIQ administrator can see the  icon.

Adding an Organization

To add a new organization, navigate to the   (admin_name/company) > Global Settings > Organizations window.

On the Organizations window, select Add, and ExtremeCloud IQ displays the add new organization window.

On the add new organization window, add a new organization name, and select a color for the organization.

Select Add. The new organization is displayed on the Organizations window.

Modifying an Organization Name and Color

To change an organization name or color, navigate to the   admin_name > Global Settings > Organizations window.

On the Organizations window, select the check box next to the organization name that you are changing, and then select . Add or modify an HIQ admin account change the organization name and the organization color.

Select Save.

Adding an Admin to and Removing an Admin from an Organization

After you have created a new HIQ organization, you must add one or more administrators for the organization. Each organization admin can be assigned to only one organization, but multiple administrators can be added to each organization.

Navigate to   (admin name/company) > Global Settings > Account Management.

On the Admin Accounts window, select the check box next to an unassigned admin account that you want to add, and then select .

Note

HIQ admin accounts must exist before they can be assigned to an organization.

On the Edit User window, make sure that the following parameters are entered or selected:

• Email Address: The email address assigned to the account. You must enter an email address that is not already in use. That is, it cannot be assigned to another admin.
• Name: The user name assigned to the admin account.
• Organization: (Hierarchical HiveManager only.) Assign an admin to an existing HIQ organization or to all HIQ organizations here.
• Idle Session Timeout: Enter the number of minutes before sessions time out. The default is 30 minutes, and the range is from 5 to 240 minutes.
• Role: The admin role assigned to this account. The available roles are: administrator, operator, monitor, help desk, guest management, and observer. For information about these roles, see Admin Accounts.
• Location: The location assigned to this account that is used to limit the admin to a particular geographic location which consists of an organization, building, or floor. If a location is not specified, then this admin has global access to your network.

Select Save and Close.

You can select and remove an admin from the Admin Accounts window.

Modifying an Organization

To modify the settings for an existing organization, select the check box for the organization and select . Make the necessary changes, and remember to select Save.

Removing an Organization

To remove an organization, navigate to   (admin_name/company) > Global Settings > Organizations.

Select the check box for the organization and select .

Select Yes in the confirmation dialog box.

Viewing the Organization Table

You can view the HIQ organizations table by navigating to   (admin_name/company) > Global Settings > Organizations, by selecting the icon, or by selecting the Organization Indicator drop-down menu on the ExtremeCloud IQ pages. The    icon is at the top right of each window. The Organization Indicator is a text box in the upper-right of each window.

Searching for Organizations

When you select the icon or select the Organization Indicator, ExtremeCloud IQ displays the Organizations panel on the right side of the screen. The Organizations panel shows all the organizations that you can manage. Search for required organizations by entering a text string in the search text box at the top of the Organizations panel.

Selecting Organizations to View

When you select the icon or select the Organization Indicator, ExtremeCloud IQ displays the Organizations panel on the right side of the screen. The Organizations panel shows all the organizations that you can manage. Because HHM allows you to share devices across multiple organizations, you can select any or all organizations to view by selecting the required box(es) in the View column.

Selecting an Organization to Configure

When you select the icon or select the Organization Indicator, ExtremeCloud IQ displays the Organizations panel on the right side of the screen. The Organizations panel shows all the organizations that you can manage, and allows you to select which organization to configure now. select a round option button in the Configure column to select which organization you want to configure.

Adding and Removing an Administrator Account

You can create admin accounts for each organization. To add an admin account to an organization and to define the admin role-based access control, see Admin Accounts for more information.

Note

Note that you are limited to one email address when you create a new admin account. You can use a different email address if you want to add a new administrator (any role) to the same organization. The email address for each administrator you add is displayed in the Admin User column on the Organizations window.

Using the Filtering Feature

On pages where you add new user accounts or devices, the filtering feature allows you to select the specific organization to which to add. On pages where data is presented, the filtering feature allows you to select what data is presented.

Note

If you are logged in as an HIQ administrator, you can view the information gathered from networks across all the organizations you are managing. If you are logged in as an organizational admin, you can only filter data gathered from your own network.

Filtering Device Information on the Manage > Devices Window

On the right side of the Devices window, select . In the Organizations panel, select the check boxes next to the organizations you want to view. Or, you can search for the required organizations by entering a text string in the search field. If a required name becomes visible below the search box, highlight it with your cursor to select it, and then the device information for the selected organization appears in the Devices window. Select Close to save your selection.

Note

In addition to , icons on the right side of every window give you immediate access to on-line Help , and lets you provide feedback about ExtremeCloud IQ.

Filtering Information Presented by Dashboard Data Widgets

As an HIQ administrator, you can filter how data is presented by the data widgets on the Dashboard window. ExtremeCloud IQ presents the combined information gathered from all the devices managed by the HIQ account holder according to which organization names you select.

Select   and select the check boxes of the organizations to filter the data presented. If you have a large list of organizations, begin entering the name of the organization in the search field. After the name appears in the list below, select it or them with your cursor. Select Close.

If you select the check box of a single organization, the data widget only presents information gathered from devices in that organization.

If you select more than one organization, the TOP APPLICATION GROUPS widget aggregates and presents only information gathered from devices belonging to those organizations.

Note

Here is an example of how data is presented if you select two organizations. As an HHM admin, you manage the networks of two customers: Organization Blue and Organization Red. If you select the TOP 20 tab in TOP APPLICATIONS, it is possible that Organization Blue dominates the list and the data widget displays 15 Organization Blue applications versus only five for Organization Red. It is also possible, in a different scenario, that the data widget displays the top 20 applications, and they all belong to Organization Red.

For more details on data widget definitions, see Dashboard.

Adding Devices

To add devices, navigate to Manage>Devices. On the Devices window, select Add. You can also select   at the top right of the Dashboard window.

Select an organization from the Choose an organization drop-down list. Select Continue to see the QuickStart wizard.

Note

If a specific organization is not selected prior to adding a device, then devices are added to the HIQ admin account by default.

See Onboard Devices and add real and simulated devices using the QuickStart wizard.

Configuring and Deploying a Network Policy for an Organization

An HIQ admin has access rights to all the organizational accounts it manages, and can configure and deploy a network policy on behalf of an organization. Also, The HIQ admin can edit all the existing network policies.

Configuring a Network Policy

To configure a network policy for a specific organization, navigate to Configure>Network Policies. You can edit an existing network policy or add a new network policy here.

Note

If a specific organization is not selected prior to adding a device, then devices are added to the HIQ admin account by default.

Adding a Policy

Adding a new network policy for an HIQ admin follows the same workflow as any other account type. For more details, see Network Policy Settings.

Deploying a Network Policy

To upload your network policy to all the devices in the table, select the check box in the top left side of the table header. This automatically selects the check boxes next to all the devices. Select Upload.

To upload your network policy to specific devices only, select the check box for those devices, and then select Upload.

See Upload a Configuration to understand your upload choices.

Reassigning Devices

A device owned by one organization can be reassigned to another organization by only an HIQ administrator. An HIQ administrator can use this feature in a few scenarios:

• Assign devices from the inventory of the HIQ administrator to customer organizations as part of services provided.
• An HIQ administrator takes over the device inventory belonging to a specific organization.
• An HIQ administrator reassigns, and moves a device from one organization to another organization.

As an example of the third scenario, if Organization Blue has two unused devices in inventory, you can deploy them in Organization Red's network.

Note

ExtremeCloud IQ automatically resets the device to its factory default settings during the reassignment process.

Reassigning Devices Procedure

To do this, follow the steps below.

1. From the Devices window, select the devices you want to reassign or move.
2. Select the Actions button at the top of the table. Select Assign to Organization.
3. In the Assign Devices dialog box, select the organization to which to assign the devices, and then select Assign.

After you select Assign, the reassigned devices are moved to the new organization. You can see the new device assignments on the Devices window.

Generating and Filtering Reports

To generate new reports and view previously generated reports , navigate to Dashboard > My Reports. You can Add, Modify, Share, Stop, Delete , and view generated reports that appear in the Reports table.

To generate a report, select Add. On the My Reports window, you can choose four types of reports In the ORGANIZATION drop-down list. They are Network Summary, PCI DSS 3.2, WIPS History, and Usage Based reports (only available for HIQ accounts). To configure a report, select one of the report tabs.

For more details on how to view and configure the HIQ only Usage Based report, and other reports, see, Report Settings, and Reports.

Reports Type Overview

The Network Summary Report gathers statistics and provides visibility into how the network is used. For example, the top applications and wireless clients in a given time period, the top 20 access points by usage, and the radio protocol used by connecting clients. This information can help you plan and scale your network as your organization grows.

The WIPS History Report provides information that can help network administrators to physically locate and remove rogue and unauthorized APs. The WIPS History Report also provides an intruder detection history list that can help you perform regular security assessments. This can help your organization adhere to PCI DSS 3.2 record keeping requirements.

The PCI DSS 3.2 Compliance Report identifies which device configurations are not in compliance with PCI DSS and provides detailed recommendations on how to be in compliance. This is important because network infrastructures that support customer payment card transactions are required by law to adhere to PCI DSS whenever cardholder data is stored, processed, or transmitted. For example, to be compliant with PCI DSS, device configurations must not use vendor-supplied default passwords or open SSIDs.

The Usage Report, available only to HIQ account holders, provides a list of access points and switches that have been added and is managed by an organization. By default, the report displays all the organizations that are managed by the HIQ administrator. You can use the filter feature on the window to generate reports for only the organizations you choose. In the report, column titles include Host Name, Model, Serial Number, Deployed, Country Code, and Location. A filter feature also appears in the report window that allows you to filter host names by location.

Note

The Usage Report is only available for HIQ administrators and is not visible from the Report Type drop-down list for organization account holders.

Usage Based Report

The Usage Based Report provides a list of access points and switches that are currently deployed for selected organizations. Use the filter feature on the New Report page to generate reports only for the organizations you choose. The generated report column titles include Host Name, Model, Serial Number, Deployed, Country Code, and Location. A filter feature in the generated report that allows you to filter host names by location.

Note

The Usage Report is only available for Hierarchical HiveManager administrators and is not visible from the Report Type drop-down list.

Configure a Usage Based Report

ORGANIZATION: Select Your Organization, or a specific organization in the drop-down list. Note that the Usage Based is only visible for Hierarchical HiveManager account holders.

Select the Usage Based tab, and enter the following information:

Title: Enter a name for the report.

Recurrence of Report: Select from the following options:

Share With: Enter valid email addresses, separated by commas, for the people with whom you want to share this data. When you are finished, click Send Report. The report, which can take up to a minute to generate, is displayed in the Reports table. Select the name of the report to view it.

Time Range for Report: Select the time window for the data in your report by choosing from the Show and Select Range options, or by dragging the timeline handles.

• If you select Day, you can set a time range for the report by dragging the handles on the timeline to a specific time period.
• If you select Week, you can designate separate time windows for each day of the week, or for a span of 1 day, 2 days, or 7 days.
• If you select Month, you can designate a 2 day-, 1 week-, or 2 week window. You can also drag the timeline handles to any position in the time window to display data for that time period.
• To cover an entire month of recorded data, you must drag the handles on the timeline to select a 31-day time period. For months that have only 28, 29, or 30 days, ExtremeCloud IQ automatically generates reports covering the 1st day of the prior month to the 1st day of the current month.

Filtering Reports by Organization

You can use the filter feature to generate device usage information for any organization by expanding Managed Service Provider, and then Organizations in the filter panel on the left side of the New Report window. Select the check box next to All, Your Organization, or any other organization managed by the HIQ administrator.

Note

Device usage information for a specific organization appears in a report after you select the check box for the specific organization. If you select All, devices belonging to all the organizations the HIQ administrator has access to are displayed, each in its own section, in the generated report.