Configuration Best Practices

The following table describes the best practice configuration information that the System Health widget provides.

Table 1. System Health Widget Configuration Best Practices
Type Field Description
Configuration Scheduled Configuration Backup It is a best practice to schedule a configuration backup. Automatically back up the configuration to a separate media or host. You can restore your configuration from a backup file in the event of a system failure. See Configure a Backup Schedule.
Configuration TKIP TKIP encryption is considered to be a less secure means of communication. An industry best practice is to use a more secure option for network privacy. Disable the TKIP option within the WPA2 privacy settings. See Privacy Settings for WPA2 with PSK. A green check mark indicates that TKIP encryption is not used. A yellow warning condition indicates that TKIP encryption is enabled on a WLAN.
Configuration Client-to-Client Communication Some applications, like VoIP phones, require direct connectivity between clients on a bridged at controller network. Disabling client-to-client communication on a bridged at controller network may cause issues with VoIP connectivity.
Configuration APs adopted but not assigned to a site APs must be part of a device group and assigned to a site. See Sites Overview.
Configuration AP has configuration overrides Indicates that there are APs in your network with configured override settings. For a consistent configuration, a best practice is to configure the APs through the configuration Profile. Overrides are available for unique configuration. However, variances from the configuration Profile can result in APs not receiving general policy changes. Consider configuration Overrides carefully. To determine which APs are configured with overrides, from the AP List, display the Overrides column. See Access Points List.
Configuration WEP encryption for network privacy detected The Wi-Fi Alliance™ recommends against using WEP encryption. WEP encryption is easily broken, often taking less than a minute to break. If you must use WEP, apply a restrictive policy to the associated VLAN to reduce your exposure after a breach.
Configuration Open networks detected. Networks with Open access pose a security risk for your organization. Consider an authentication type such as MBA or Captive Portal.
Configuration WLAN 802.11k Setting Enabling 802.11k on a radio can cause a radio reset. To avoid an unexpected radio reset, all WLANs must have the same 11k setting; otherwise, adding and removing WLANs can cause a radio reset.
Configuration Manufacturing Certificate A best practice is to enforce use of the Extreme PKI certificate when establishing secure tunnels.
Configuration Multicast filters fully open Multicast traffic can have a negative impact on performance. Ensure that multicast access is restricted per topology. See Configuring a Multicast Rule.
Configuration Mesh Node AP configuration For a Mesh Node (non-Root) AP, a best practice is to configure Poll Timeout for at least 60 seconds.
Configuration Mesh Root point configured to use dynamic RF management policy Mesh Root APs require fixed channel assignment for proper access point operation.
Configuration Mesh does not support Off-Channel Scan
Note: Supported on ExtremeCloud IQ Controller v5.16.03 with AP v7.5.1.2 or later.
Non-root APs are configured with Mesh ACS (Automatic Channel Selection). This allows the non-root AP to follow the channel and width of the uplink AP. The non-root AP scans channels to find the best path to a root AP. Preferred Root and Preferred Neighbor settings influence the path to the root AP.
Configuration APs have configured unsupported functionality The following AP models do not support IoT and the 5GHz radio does not support 160MHz operation:
  • AP3935
  • AP3965
  • AP305C-1
  • AP310i/e-1
  • AP410i-1
  • AP410C-1
  • AP510i-1
  • AP4000-1

For more information about channel width, see Channel and Power Settings.

Configuration Radio in sensor mode with no scan profiles assigned Indicates that you have a radio in Sensor mode without a corresponding AirDefense profile configuration. Scan functionality requires that you configure a radio for Sensor mode and configure Profile settings for AirDefense. All configuration is handled in the configuration Profile that is assigned to the device group. See Add or Edit a Configuration Profile.
Configuration Number of SSIDs per Radio One radio can support a maximum of eight SSIDs. However, it is a best practice to configure no more than four SSIDs to a single radio. This configuration can be at the Profile level or configured as an override for a specific AP. See Add or Edit a Configuration Profile. A green check mark indicates that four or fewer SSIDs are configured. A yellow warning indicates that more than four SSIDs are configured for a single radio.
Configuration Band steering enabled and 5GHz radio disabled Client Band Steering steers dual-band capable clients to connect to the 5.0 GHz radio band instead of the 2.4 GHz radio band. A 5.0 GHz radio must be enabled on the AP for Client Band Steering to function. See Band Steering.
Configuration 40 MHz channel width on 2.4GHz radio Operating a 40 MHz channel in a 2.4 GHz band can cause co-channel interference with access points in the vicinity. The 2.4 GHz band has limited available channels. Therefore, for proper channel isolation, a 2.4 GHz band allows 3-4 (region dependent) 20 MHz channels. Best practice is to configure a 40 MHz channel on a 5 GHz radio. See Channel and Power Settings.
Configuration Smart RF monitoring disabled Enable Smart RF for dynamic RF management to provide RF performance optimization. Enable Smart RF from the Basic Settings tab. See Basic RF Management Settings.
Configuration Probe suppression threshold Probe Suppression Threshold should not be greater than -70dB. The Probe Suppression Threshold defines the signal strength value that is deemed too low to be acknowledged by the AP. Setting the threshold above -70dB can result in an AP not acknowledging clients in close proximity, leading to poor connectivity or a sub-optimal roaming experience. The best practice is to follow the Site Survey methodology to determine the best value for the AP installation. See Advanced AP Radio Settings.
Configuration Role with more than 64 rules is assigned to an AP or Profile that does not support more than 64 rules. ExtremeWireless Wi-Fi 6 access points support rule sets that contain up to 256 rules. AP39xx series access points support rule sets with no more than 64 rules. See Add Policy Roles.
Configuration Roles with more than 64 rules are configured. Roles with more than 64 rules may experience interoperability issues with different AP models and firmware revisions.
Configuration Network with CWA is assigned to non-supported APs Support for Centralized Web Authentication (CWA) is only available on Wi-Fi 6 access points. This feature is not supported on AP3900 series access points. See Centralized Web Authentication.
Configuration Device Registration is not configured on at least one port. The Device Registration attribute controls whether access points and switches can establish management sessions with the controller through the selected interface. For proper system operation, at least one interface is required for managed devices to connect.
Configuration RADIUS Failover is not configured or there are not enough servers for redundancy It is a best practice to configure at least one pair of RADIUS servers to support authentication redundancy.
Configuration Bonded channels configured with a different frequency than the Management channel Configure bonded channels with the same frequency as the Management channel. When channel width is larger than 20 MHz, use one 20 MHz sub-channel as a Management channel to transmit beacons. When Management channel frequency is configured differently than other channels, channel interference can occur and throughput is reduced.
Configuration Default Route configured for router on data interface Configure the Default Route/Gateway with a next-hop associated with a physical interface. Do not point the Default Route to the Admin interface. A best practice is to map the Default Route through a topology on a data port for proper system functionality. If necessary, configure the static routes via the Admin port for administration level access.
Configuration Hotspot WLANs with the configured number of IDs in the roaming consortium. Configure authentication of mobile devices to the members of a roaming consortium, or for a particular service provider that has a roaming consortium. Add the appropriate IEEE-assigned Organizational Identifier (OI). Specify up to eight identifiers unique to the organization that are part of the MAC address.

The AP39xx access points continue to support only two identifiers. For more information, see SP Identification.

Configuration DNS server is not configured. ExtremeCloud IQ Controller requires internet connectivity and a Domain Name Server (DNS) configuration. Verify DNS server settings. For more information, see Host Attributes and refer to the ExtremeCloud IQ Controller Deployment Guide.
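
The following added example (not part of the original documentation and not ExtremeCloud IQ Controller code) applies several of the thresholds from Table 1 to an offline inventory, which is useful when reviewing a planned configuration before it is deployed. The dictionary layout, key names, and sample values are assumptions constructed for illustration; finding labels follow the Field column, shortened in places.

```python
# Added example. Dict layout and key names are assumptions, not the controller's API or export format.
def audit_wlan(wlan):
    """Return the Table 1 fields that one WLAN dict would trigger."""
    findings = []
    privacy = wlan["privacy"].lower()
    if privacy == "wep":
        findings.append("WEP encryption for network privacy detected")
    if privacy == "open" and wlan.get("auth", "none") == "none":
        findings.append("Open networks detected")
    if wlan.get("tkip", False):
        findings.append("TKIP")
    return findings

def audit_radio(radio):
    """Return the Table 1 fields that one radio dict would trigger."""
    findings = []
    if len(radio["ssids"]) > 4:  # eight is the maximum, four is the best practice
        findings.append("Number of SSIDs per Radio")
    if radio["band_ghz"] == 2.4 and radio["width_mhz"] >= 40:
        findings.append("40 MHz channel width on 2.4GHz radio")
    threshold = radio.get("probe_db")
    if threshold is not None and threshold > -70:  # should not be greater than -70
        findings.append("Probe suppression threshold")
    return findings

def audit(inventory):
    """Map each object to its findings; objects with no findings are omitted."""
    report = {}
    for wlan in inventory["wlans"]:
        report["wlan:" + wlan["name"]] = audit_wlan(wlan)
    for radio in inventory["radios"]:
        report["radio:" + radio["name"]] = audit_radio(radio)
    servers = inventory.get("radius_servers", [])
    report["controller"] = ["RADIUS Failover"] if len(servers) < 2 else []
    return {name: found for name, found in report.items() if found}

# Constructed sample inventory (not taken from a real deployment).
SAMPLE = {
    "wlans": [
        {"name": "corp", "privacy": "wpa2-psk", "tkip": True},
        {"name": "guest", "privacy": "open", "auth": "captive-portal"},
        {"name": "legacy", "privacy": "wep"},
    ],
    "radios": [
        {"name": "ap1-r1", "band_ghz": 2.4, "width_mhz": 40, "ssids": list("abcde"), "probe_db": -65},
        {"name": "ap1-r2", "band_ghz": 5, "width_mhz": 40, "ssids": ["a"]},
    ],
    "radius_servers": ["10.0.0.10"],
}
```

Calling audit(SAMPLE) returns findings for the corp and legacy WLANs, the 2.4 GHz radio, and the controller; the guest WLAN and the 5 GHz radio pass.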