Advanced Configuration Profile Settings

To access a configuration profile for a device group:

Go to Configure > Sites.
Select a site, then select Device Groups.
Next to Profile, select to edit the device group profile.

To edit Advanced settings, from the Edit Profile page, select Advanced and configure the following parameters:

Table 1. Advanced Configuration Profile Settings
Field	Description
Client Balancing	Enable Client Balancing to distribute client traffic evenly between APs in the same device group. In an availability pair, create a device group on each appliance. The APs within each group will manage the user traffic within that group.
Secure Tunnel	Provides encryption, authentication, and key management between the APs and/or the appliance. Valid values are: Off — Secure Tunnel is turned off and no traffic is encrypted. All SFTP/SSH/HTTP traffic works normally. Control & Data — This mode only benefits Bridged@AC VLAN topologies. An IPsec tunnel is established from the AP to the appliance and all SFTP/SSH/HTTP/WASSP control and data traffic is encrypted. The AP skips the registration and authentication phases, and when selected, the Secure Tunnel feature can be configured. This is the default setting. Debug — An IPsec tunnel is established from the AP to the appliance, no traffic is encrypted, and all SFTP/SSH/HTTP/WASSP traffic works normally. The AP skips the registration and authentication phases and when selected, the Secure Tunnel feature can be configured.
Enforce Manufacturing Certificate	Enforce usage of Extreme PKI (Public Key Infrastructure) when establishing an IKE (Internet Key Exchange) tunnel. Both APs and controllers have Extreme CA certificates installed. When this setting is enabled, the controller accepts only APs that provide Extreme PKI. Note: Supported on the Defender Adapter SA201 and on the ExtremeWireless access point models: AP39xx, Wi-Fi 6 AP models. This setting is not supported on the AP305C, AP410C, and AP460C access point models. There must be successful mutual authentication between the AP and the controller. If either side of the authentication fails, the tunnel is rejected. When this setting is enabled, APs that are not PKI capable (self-signed certificates) are not able to connect to the controller. The default is to clear this option. When this setting is cleared, the controller accepts the AP with a self-signed certificate. With either type of certificate, the certificate type must match in both directions before the authenticated tunnel is established. Authentication failure messages are logged in the ExtremeCloud IQ Controller Events Log. You can override the configuration Profile setting for individual APs from the Advanced > Overrides dialog for the selected AP.
Enable SSH	Determines if the Secure Shell (SSH) protocol is enabled. When enabling SSH, configure a password. To configure an SSH password, go to Admin > System > Maintenance. By default, this setting is disabled. You can override the configuration Profile setting for individual APs from the Advanced > Overrides dialog for the selected AP.
Session Persistence	Determines if session persistence is enabled. A persistent session directs a client's requests to the same backend server for the duration of a session or the time it takes to complete a task or transaction. Enable this option to improve request response times. For more information, see Session Persistence.
Mgmt VLAN ID	Separating management traffic from user data traffic is a recommended practice. The Management VLAN ID is 1 by default. AP will accept wireless client even without active connection to ExtremeCloud IQ Controller on WLANs where ExtremeCloud IQ Controller is not required. You can override the configuration Profile setting for individual APs from the Advanced > Overrides dialog for the selected AP.
Tagged	Check this option to tag the VLAN. Tagged VLAN packets include header information that identifies which VLAN the packet is coming from. You can configure Tagged VLANs for all APs in a device group from the device group Profile Advanced Settings dialog. You can override the configuration Profile setting for individual APs from the Advanced > Overrides dialog for the selected AP.
MTU	Maximum Transmission Unit in bytes. Determines the maximum size of each packet in transmission. Standard size is 1500 bytes. ExtremeCloud IQ Controller now supports up to 1800 bytes. This enhancement facilitates the transport of MU-DATA specifically between the AP and the appliance (or between the AP and a switch for VxLAN deployments) without incurring fragmentation. You can override the configuration Profile setting for individual APs from the Advanced > Overrides dialog for the selected AP.
Scan Mode	Note: Supported on Wi-Fi 6 AP models. Determines which channels are scanned. Valid values are: Default Scan. — Scans all supported channels. Optimized to scan widest possible channel. Channel Lock — Scans on single channel. Custom Scan — Scan is based on a selected custom list. Define a custom channel list including channel width. Radio 1 channels are 2.4 GHz (AP510i/e includes 5 GHz channels). Radio 2 channels are 5GHz. Radio 3 channels (supported on the AP4000) are 6 GHz.
Scan Channels	Select channels for a custom channel list used for Custom Scan Scan Mode.
GE2 Port Function	Note: Ports on the Universal APs are labeled with the prefix ETH. Specify the function of the second AP Ethernet port: Client. Indicates that the client port is enabled on the AP. The client option is used in the following scenarios: When an AP radio is configured as a Client Bridge. ExtremeCloud IQ Controller automatically sets the GE2 port to Client. To leverage the second port of the access point as a Client port, allowing pass-through access to attached clients. Client access is subject to policy. This capability is also utilized in support of work group meshing. A GE2 Client port is supported on the following access points: Wi-Fi 6 AP models AP3965 When the GE2 Port is set to Client, the WLAN assignment dialog displays an option to specify the GE2 assignment, and the Wired Ports tab is available from the AP Profile. When the GE2 Port is set to Bridge, the port provides a transparent bridge that transports tagged and untagged traffic between two sides of a wireless connection, while preserving VLAN mappings over the wireless link. Packet tagging and policy is configured through services outside the wireless network configuration. A GE2 Bridge port is supported on the following access points that have more than one Ethernet port: Wi-Fi 6 AP models. Note: The ETH1/GE2 Bridge port is not supported on access points with a single Ethernet port. For more information, see Transparent Bridge. AP Ethernet port traffic backup (failover) between GE1 and GE2 LAG (Link Aggregation Group) Link aggregation combines network connections to increase throughput and to provide redundancy in case of link failure. Requires that both ports negotiate to the same speed (1 Gbps). Note: LAG is supported on ExtremeWireless AP39xx and 11ax APs. LAG is not supported on AP305C, AP410C, and AP460C. You can override the configuration Profile setting for individual APs from the Advanced > Overrides dialog for the selected AP.
USB Power	AP models AP5010 only. Provides 2.5W of power to the USB port to power external USB devices. Valid values are: Off. USB power is turned off. Auto. USB power turns on when the AP is powered by 802.3at (radios reduced to 3x3), 802.3bt, or external power supply. USB functions in the configuration Profile are disabled by default. You can override the configuration Profile setting for individual APs from the Advanced > Overrides dialog for the selected AP. Note: For more information, see AP5000 Series Power Management.
PSE Power	Supports power to the PSE port for supported APs: AP310i/-1, AP310e, AP302W, and AP5010. Functions in the AP3xx configuration Profile are set to Auto by default. Valid values are: Off. PSE power is turned off. Auto. Ports provide power when the AP receives enough power to support the feature. APs can run on Low power, but for PSE power, the minimum power required is dependent on the AP model (AT power for AP310i/e and AP302W; BT power for AP5010). AP models AP5010 only. Provides 802.3af/15.4W of PSE power to the ETH1 port. Auto indicates that PSE power is turned on when the AP is powered by 802.3bt. For more information, see AP5000 Series Power Management. You can override the configuration Profile setting for individual APs from the Advanced > Overrides dialog for the selected AP. Note: Configuration override is supported for APs running AP firmware version 10.02.01 or later.
AP Event Level	Specify the message level you want included in the AP Events Log. Valid values are: Critical Major Minor Info You can override the configuration Profile setting for individual APs from the Advanced > Overrides dialog for the selected AP. For more information, see Advanced Setting Overrides. Additionally, you can override the configuration Profile setting for multiple APs from the Device List Actions menu.
Poll Timeout (Seconds)	Specifies the amount of time, in seconds, to wait for a response from the appliance before rebooting. The value range is from 3 to 600 unless the controller is in an availability pair without fast failover enabled. The default value is 3. Note: When configuring a Mesh network, we recommend a value of at least 60 for the non-root AP configuration. Also, it is a best practice to wait at least 60 seconds before applying configuration changes that are applicable to non-root (node) access points. This ensures that possible interruptions due to configuration changes are resolved. You can override the configuration Profile setting for individual APs from the Advanced > Overrides dialog for the selected AP.
FA Auth Key	Configure custom Fabric Attach Authentication Keys up to 32 characters in length. Extreme Networks products offer a default FA AUTHENTICATION-KEY built-in. You can also configure a custom key here. When a custom key is not configured, the default key is used. The following special characters are not supported: {? <tab> \ “ `} You can override the configuration Profile setting for individual APs from the Advanced > Overrides dialog for the selected AP. Note: Supported on AP39xx, Wi-Fi 6 AP models access points.
LED Status	The LED Status pattern can indicate that the configuration profile has been pushed to the destination appliance. Select an LED Status. Valid values are: Off LEDs do not light. Locate LEDs blink so you can locate the AP. Normal Default mode for all APs. Identifies the AP status during the following processes: registration power on boot Note: The value Solid has been deprecated in ExtremeCloud IQ Controller version 5.26.02. If Solid was previously configured, this value is mapped to Normal with the ExtremeCloud IQ Controller version 5.26.02 upgrade. You can override the configuration Profile setting for individual APs from the Advanced > Overrides dialog for the selected AP.
PEAP User Name and Password	Ability to configure the PEAP (Protected Extensible Authentication Protocol) user name and password for all devices in a device group or for a specific device override. Used to pre-provision devices for authorization to connect to the network. Credential and Certificate installation procedures are supported for AP39xx, SA201 Adapter, and Wi-Fi 6 AP models. You can override the configuration Profile setting for individual APs from the Advanced > Overrides dialog for the selected AP.
Client Bridge Roaming RSS threshold [dBm]	Determines when the client bridge AP scans to find a better infrastructure AP. Valid range: from -128 to -40. Default value is -70. A scan is triggered when one or more of the following criteria is met: When the infrastructure AP RSS value is less than the configured RSS Threshold. When the poll of the infrastructure AP is lost for one second. Note: When a WLAN is configured on the client bridge AP, a scan is triggered whenever the poll of the infrastructure AP is lost, regardless of the RSS Threshold. You can override the configuration Profile setting for individual APs from the Advanced > Overrides dialog for the selected AP.
Smart Poll	Reports link stability between the AP and a selected target (typically the appliance). Select Enable to enable the report feature and configure the following settings: Smart Poll — Disable/Enable. The default value is Disable. Smart Poll Interval in seconds. Valid values are: 5 30 60 300 (5 minutes) Default value Smart Poll Target — Identifies the target. Select to add a target address. Enter up to 10 IP addresses or Fully-Qualified Domain Names (FQDN). ExtremeCloud IQ Controller validates the address. Smart Poll Deadline — Deadline for the poll response in seconds. If the response is not received within the specified deadline, the poll status is failed. You can override the configuration Profile setting for individual APs from the Advanced > Overrides dialog for the selected AP.