ExtremeControl Guest and IoT Manager Configuration Release 8.5.
Copyright © 2019 Extreme Networks, Inc. All Rights Reserved. Legal Notices Extreme Networks, Inc., on behalf of or through its wholly-owned subsidiary, Enterasys Networks, Inc., reserves the right to make changes in specifications and other information contained in this document and its website without prior notice. The reader should in all cases consult representatives of Extreme Networks to determine whether any such changes have been made.
- GTAC Knowledge — Get on-demand and tested resolutions from the GTAC Knowledgebase, or create a help case if you need more guidance.
- The Hub — A forum for Extreme customers to connect with one another, get questions answered, share ideas and feedback, and get problems solved. This community is monitored by Extreme Networks employees, but is not intended to replace specific guidance from GTAC.
Extreme Networks® Software License Agreement This Extreme Networks Software License Agreement is an agreement ("Agreement") between You, the end user, and Extreme Networks, Inc. ("Extreme"), on behalf of itself and its Affiliates (as hereinafter defined and including its wholly owned subsidiary, Enterasys Networks, Inc. as well as its other subsidiaries). This Agreement sets forth Your rights and obligations with respect to the Licensed Software and Licensed Materials.
2. TERM. This Agreement is effective from the date on which You install the License Key, use the Licensed Software, or a Concurrent User accesses the Server Application. You may terminate the Agreement at any time by destroying the Licensed Materials, together with all copies, modifications and merged portions in any form. The Agreement and Your license to use the Licensed Materials will also terminate if You fail to comply with any term of condition herein. 3. GRANT OF SOFTWARE LICENSE.
above those specifically granted to You. From time to time, the Licensed Software will upload information about the Licensed Software and the associated devices to Extreme. This is to verify the Licensed Software is being used with a valid license. By using the Licensed Software, you consent to the transmission of this information.
Extreme (its "Affiliates"), and/or their suppliers. This Agreement conveys a limited right to operate the Licensed Materials and shall not be construed to convey title to the Licensed Materials to You. There are no implied rights. You shall not sell, lease, transfer, sublicense, dispose of, or otherwise make available the Licensed Materials or any portion thereof, to any other party. b.
valuable confidential information and trade secrets, and that unauthorized use, copying and/or disclosure thereof are harmful to Extreme or its Affiliates and/or its/their software suppliers. 9. MAINTENANCE AND UPDATES. Updates and certain maintenance and support services, if any, shall be provided to You pursuant to the terms of an Extreme Service and Maintenance Agreement, if Extreme and You enter into such an agreement.
For Department of Defense units, the Licensed Materials are considered commercial computer software in accordance with DFARS section 227.7202-3 and its successors, and use, duplication, or disclosure by the U.S. Government is subject to restrictions set forth herein. 13. LIMITED WARRANTY AND LIMITATION OF LIABILITY.
law. You waive any objections to the personal jurisdiction and venue of such courts. None of the 1980 United Nations Convention on the Limitation Period in the International Sale of Goods, and the Uniform Computer Information Transactions Act shall apply to this Agreement. 15. GENERAL. a.
About this Document
This chapter provides basic background information that puts the support information in this document into context.

Purpose
Guest and IoT Manager provides a simple and personalized web user interface through which an operational team can quickly and securely manage visitor network access. It is intended for system administrators who will be installing, managing, and configuring the Guest and IoT Manager application.
Documentation and Training

Table 2. Text Conventions

| Convention | Description |
| --- | --- |
| Angle brackets ( < > ) | Angle brackets ( < > ) indicate that you choose the text to enter based on the description inside the brackets. Do not type the brackets when you enter the command. If the command syntax is cfm maintenance-domain maintenance-level <0-7>, you can enter cfm maintenance-domain maintenance-level 4. |
| Bold text | Bold text indicates the GUI object name you must act upon. Examples: Click OK. |
Getting Help
- Current Product Documentation: www.extremenetworks.com/documentation/
- Archived Documentation (for earlier versions and legacy products): www.extremenetworks.com/support/documentationarchives/
- Release Notes: www.extremenetworks.com/support/release-notes
- Hardware/Software Compatibility Matrices: https://www.extremenetworks.com/support/compatibilitymatrices/
- White papers, data sheets, case studies, and other product resources: https://www.extremenetworks.
The Hub
Call GTAC
Search the GTAC (Global Technical Assistance Center) knowledge base, manage support cases and service contracts, download software, and obtain product licensing, training, and certifications. For immediate support: 1-800-998-2408 (toll-free in U.S. and Canada) or +1 408-579-2826. For the support phone number in your country, visit: www.extremenetworks.
3. Select the products for which you would like to receive notifications.
Note: You can modify your product selections or unsubscribe at any time.
4. Click Submit.

Providing Feedback to Us
Quality is our first concern at Extreme Networks, and we have made every effort to ensure the accuracy and completeness of this document.
New in this Document
The following sections detail what is new in this document.

Ability to Create Helpdesk Provisioners
A Helpdesk Provisioner provides a Provisioner user with the ability to view and edit all the Guest user and Device records of the Onboarding Templates to which they are assigned.
For more information, see Configuring the Common Details, Configuring the Guest User Account Details, and Configuring Guest User and Device Provisioning Using CSV.

Onboarding Template based on CSV load of Users
The CSV Type Onboarding Template allows creation of many Guest User accounts in Guest and IoT Manager by uploading a CSV file. The fields supplied in the CSV file are first name, last name, email, and mobile number.
Login URL
- Problem: Outlook Add-in throws Security Exception post enabling FQDN

Added New Command in the Command Line Interface
Added new command interface hostname. For more information, see interface hostname.
Guest and IoT Manager Overview
Welcome to the ExtremeControl Guest and IoT Manager Web Application! The Guest and IoT Manager (GIM) is an application that integrates with ExtremeControl. Its purpose is to provide non-IT personnel with the ability to provision Guest Users and/or Devices within the constraints defined by the Administrator.
Guest and IoT Manager Application Framework
Once the Provisioner logs in, the Provisioner has access to the Onboarding Templates that the Administrator has provided and is able to provision Guest Users and/or Devices.
User Roles and Access Controls the types of changes they can make. Parts of the UI features are not available to users whose role does not authorize access to those features. The Guest and IoT Manager application facilitates the following user roles.
Launching Guest and IoT Manager

Guest Users Role
A Guest User is a visitor or other temporary user to whom you grant specific limited rights to use the network. A Provisioner uses the Guest and IoT Manager Application to create any number of Guest User accounts. Guest User accounts are stored in Local Password Repository (LPR). The created Guest User account contains the following attributes:
- Account Details: Includes Username and Password for the temporary account.
Administrator Home Screen
When the Administrator logs in to the Guest and IoT Manager Web UI, the Last Successful Login date and time, and the number of Failed Login Attempts between two successful logins of the Administrator account, are displayed in the footer of the page.
Note: You can also change the password after your first login. For more information, see the ExtremeControl Guest and IoT Manager Configuration document.
Running the Administrator Application
Use this procedure to launch the Administrator Application.
Procedure
1. Open your web browser and enter the URL of the Administrator Application. http:///GIM/admin/ OR https:///GIM/admin/
2. In the Login screen, enter the Administrator login credentials.
3. Click Login.
a.
1. Open your web browser and enter the URL of the Provisioner Application. http:///GIM/provisioner/ OR https:///GIM/provisioner/
2. In the Login screen, enter the Provisioner login credentials. The Provisioner can be an LPR user or an LDAP user.
Note: If you do not have a Provisioner account, contact the Guest and IoT Manager Administrator.
3. Click Login.
1.
Using the Online Help System
The Provisioner Application session disconnects if it is inactive for the period of time specified in the inactive time-out settings. The Guest and IoT Manager Administrator sets the time-out threshold limit. You need to log in again to use the Application. For more information about setting the inactivity timeouts, see the ExtremeControl Guest and IoT Manager Configuration document.
sensitive topic associated with the screen or dialog box you are using in the Application.

Help Features
The help is context-sensitive and as such, the topic displayed in the right panel changes as you navigate. To prevent the help topic from changing when you change screens in the Application, click the Pause icon at the top of the help screen. Click the Resume icon to resume the help. To open the help in a separate tab, click the Launch Help icon.
Installing Guest and IoT Manager
This chapter describes how to install the Guest and IoT Manager Application. You can install Guest and IoT Manager as a virtual appliance on a VMware ESXi 5.5, 6.0 or 6.5 server.

System Requirements
To install and configure the Guest and IoT Manager Application, you need:
- A running Access Control Engine, reachable on the network from where you run Guest and IoT Manager.
- A system that meets the requirements listed in the Release Notes.
Warning: Guest and IoT Manager is provided as a Virtual Appliance. Do not install or configure any other software on the VM shipped.
- Extreme Networks does not support the installation of any VMware specific, UNIX specific, or any third-party vendor package or RPM on its VM, other than what Extreme Networks ships as a package, image, or OVA.
Checking the VMware Tools Status on an ESXi Server
The Summary tab of the VM describes the VMware Tools status. Use this procedure to check the VMware Tools status on ESXi server versions 5.5, 6.0 or 6.5.
Procedure
1. Use the vSphere client to log in to the ESXi Server.
2. Go to the Summary tab. After a fresh install, the VMware Tools status displays as “VMware Tools: Running (Current)”.
Note: VMware Tools may show as not installed. This is a known VMware issue where VMware Tools may not be detected correctly on certain hardware. However, this does not interfere with the functioning of the tools. It is a display issue only.
Installing the Guest and IoT Manager Virtual Appliance
We strongly recommend that you use VMware vSphere Client to import the VM into your system. Start the VMware vSphere Client and log in to the ESXi server on which you want to install Guest and IoT Manager. Use the Virtual Appliance Deploy OVF option.
Procedure
1. From the vSphere Client, select File > Deploy OVF Template.
2.
3. On the OVF Template Details screen, review your settings. Click Back to make changes, or click Next to continue.
4. On the End User License Agreement screen, click Accept to accept the license and click Next.
5. On the Name and Location screen, enter a name for the virtual machine and click Next.
6. On the Disk Format screen, select a format in which to store the virtual machine’s virtual disks and click Next. We recommend using Thin Provision mode.
7. On the Network Mapping screen, associate the Guest and IoT Manager network interfaces to the correct VM network, based on your site configuration.
8. On the Ready to Complete screen, review your settings. Use the Back button to make any changes or click Finish to start the import.
Configuring the Guest and IoT Manager Virtual Appliance
Use this procedure to configure the VM settings after you complete importing the VM to your system. This is the minimum configuration required to start the Guest and IoT Manager Application.
Procedure
1. Power on the VM and launch the Guest and IoT Manager console. Enter the User Name and Password. The default User Name and Password is admin. The Guest and IoT Manager login screen is displayed.
2.
- "Generating new self-signed certificates for IP 10.133.133.143. Tomcat restart completed successfully.
- Restarting the web services to listen on the new IP Address.
- Please verify the route setting using the "route command".
- Changing the DNS Setting. Tomcat restart completed successfully.
7. Enter the Domain name for GIM machine. [Default: localdomain]: extremenetworks.com
8.
8444: This port is used as the default port for REST. However, this port can be changed by the Administrator.
Administering Guest and IoT Manager
This module is intended for the Guest and IoT Manager Administrator and describes how to manage and troubleshoot the Application and its components. If you are a Provisioner, you may skip this module and proceed to Configuring Onboarding Template.

Configuring the Administrator Account
The Account tab in the Administration menu allows you to modify the password and timeout values for Administration, Provisioner, and Outlook sessions.
2. In the Administrator section, select Change Password to modify the existing password details.
3. Enter the details in the Current Password, New Password and Confirm New Password fields. The timeout for administrator is from XMC but the rest are from the Guest and IoT Manager (GIM) application.
4. Click Save to submit the configuration.

Field Descriptions
Use the data in the following table to use the Administrator section.
Setting Inactivity Timeouts
Use this procedure to modify the timeout values for Administration, Provisioner and Outlook sessions.
Procedure
1. In the navigation pane, click Administration > Account tab.
2. In the Inactivity Timeout section, modify the duration and select the duration units from the Idle Timeout and Outlook Idle Timeout drop-down lists.
3. Click Save to save the configuration.
Setting Preferences
Procedure
1. In the navigation pane, click Administration > Account tab.
2. In the FQDN section, select the Use Fully Qualified Domain Name field to use the FQDN instead of the IP address for the Guest and IoT Manager (GIM) application.
Note: Ensure the hostname and domain name are configured properly for FQDN to work.
Click Save to save the configuration.

Field Descriptions
Use the data in the following table to use the FQDN section.
1. In the navigation pane, click Administration > Preferences tab. By default, the Look and Feel screen is displayed along with the current logo used in the application.
2. In the General section, configure the Logo, URL and Name as follows:
   1. Click Browse to navigate to the file you wish to upload in the Change Logo field, when the navigation toolbar is expanded / collapsed.
   2. Optional: Enter the specified URL address in the Logo URL field.
   3.
Change Logos: Navigates to the file you prefer to upload when the navigation toolbar is expanded or collapsed. Note: The height and width of the expanded logo must be 210 * 45 pixels and collapsed logo must be 50 * 45 pixels.
Logo URL: Configures the URL to the Logo button. You can access the specified link in a new window when you click on the Logo.
Application Name: Customize the name of the Guest and IoT Manager application.
4. Select the required language and click Set as Default. The selected language is displayed as the default language during Provisioner login.
5. (Optional) Select the required language(s) and click Delete to clear the added language. The default language cannot be removed. Use Ctrl / Shift to select multiple records to delete.
6. Click Save to save the configuration or Restore to Defaults to cancel the changes and restore to default value.
Language: Displays the preferred language in which you want the application to be displayed for the Provisioner. Currently, the Guest and IoT Manager application is available in the following languages: English, French, German, Spanish, Italian, Portuguese, Swedish, Dutch, and Russian. The Administrator can select a maximum of five languages including the default language and also select any one of the five languages as default.
1. In the navigation pane, click Administration > Preferences tab.
2. In the File Manager section, click Add. The Add File screen is displayed.
3. In the Add File screen, click Browse to navigate to the file you wish to upload.
4. Click Upload to upload the files to the File Manager. The uploaded file can be used in an Onboarding Template to customize the printer friendly page.
5. (Optional) Select the required file name from the displayed list and click Download to download the file.
6.
7. Click Save to save the configuration or Restore to Defaults to cancel the changes and restore to default value.

Field Descriptions
Use the data in the following table to use the File Manager section.
Add File: Uploads the files to customize the printer friendly page. By default, the application is pre-installed with the following four samples:
- sample_print.css
- sample_print_page.html
- sample_style.css
- sample_logo.
$starttime: Displays the start time when the Guest account becomes usable.
$endtime: Displays the end time of the Guest account.
$termsofuse: Displays the terms of use text. For more information, see the Terms of Use field description in Configuring General Details.
$usercustom1 to $usercustom6: Displays additional information required during user creation.
3. (Optional) Edit the default text given in the Terms of Use section, as it is a free-form text box.
4. Click Save to save the configuration or Restore to Defaults to cancel the changes and restore to default value.

Customize Provisioner Login Page
Use this procedure to customize the Provisioner Login page.
Procedure
1. In the navigation pane, click Administration > Preferences tab.
2.
| Name | Description |
| --- | --- |
| Brand Logo | Configures the Brand Logo. The Brand Logo Dimension is 380X245. Any uploaded image will be resized to this dimension. |
| Title | Configures the title of the Provisioner Login page. |
| Font Type | Configures the font type of all the text in the Provisioner Login page. |
| Font Color | Configures the font color of all the text in the Provisioner Login page. |
1. In the navigation pane, click Administration > Preferences tab.
2. In the Privacy Policy field, enter the required privacy policy information.
3. (Optional) Edit the default text given in the Privacy Policy field, as it is a free-form text box. The maximum length allowed for the text is 550 characters.
Note: You can change the privacy policy hyperlink inside the “href” tag, if required. You can also change the name specified for the hyperlink as needed.
4.
| Name | Description |
| --- | --- |
| Outlook Add-In Download Link in Login Page | Displays the Outlook Add-In Download Link in Login Page when the Outlook Add-In Download Link in Login Page field is selected. |

Backup and Restore Configurations
The Backup / Restore tab in the Administration menu allows you to back up and restore Guest and IoT Manager configurations. This capability enables you to port the configurations between multiple Guest and IoT Manager deployments.
on)
- Configuration such as SMTP, SMS Gateway, SMS Provider and files that are present in the File Manager.
Note: Guest Users, Devices, Provisioners, Self-Service Provisioner, and Onboarding Templates configurations are stored on the Extreme Management Center database for the corresponding Guest and IoT Manager domain and are not part of the Guest and IoT Manager backup / restore operations.
2. In the Backup section, enter the name of the file in the Backup Name field.
3. Perform one of the following:
- Click Backup Now to save the local configurations to XMC.
- Click Backup to PC to save the backup of the Guest and IoT Manager (GIM) application configurations to the local personal computer.

Field Descriptions
Use the data in the following table to use the Backup screen.
1. In the navigation pane, click Administration > Backup / Restore tab.
2. Within the Scheduled Backup section, in the Backup Name field, enter the name of the Backup.
3. In the Occurrence field, select the occurrence for the scheduled backup as required.
4. In the At field, select the time for the scheduled backup.
5. (Optional) Click Limit Number of Backups Saved and select the number of backups to be saved from the Maximum Backups Saved drop-down list.
Field Descriptions
Use the data in the following table to use the Backup screen.

| Name | Description |
| --- | --- |
| GIM Version | Displays the Guest and IoT Manager Application version number. |
| IP Address / Host Name | Displays the IP address / Host name of the Guest and IoT Manager Application for readability. |
| Backup Name | Configures the name of the backup file. |
1. In the navigation pane, click Administration > Backup / Restore tab.
2. Click Restore. The Restore screen displays all the available backup configurations along with Application Version, IP Address / Host Name and Backup Timestamp details.
3. Do one of the following:
- Select the required backup entry and click Restore.
- Click Restore from PC and upload the desired Backup file.
Managing HTTPD Certificates
- DNS IP addresses and domain.
2. Click No to restore the configuration without network configuration.
Note: The Guest and IoT Manager Application automatically reboots the Virtual Appliance.
5. (Optional) Select the required backup(s) and click Delete to clear the added backup file. You will be asked to confirm the deletion.
Tip: Use Ctrl / Shift to select multiple records to delete.
6. (Optional) Click Refresh to display the most recent changes.
3. In the Certificate File field, click Browse to select the certificate from the local folder and click Open to upload.
4. In the Alias for this Certification field, enter the alias name to assign another name for the selected new certificate.
5. Select the Chain Certificate checkbox to upload a chain certificate.
6. Click Save to save the configuration or click Cancel to cancel the changes. The added certificate and chain certificate details are displayed in the certificates table.
Certificate File: Configures a new certificate for the application. This must be one of the following:
- DER encoded binary X.509 file containing the certificate.
- Base64 encoded file containing the certificate.
Alias for this certificate: Configures a unique string to identify the key entry of the certificate.
Chain Certificates: Uploads a chain certificate.
3. In the Private Key File field, click Browse to select the private key from the local folder and click Open to upload.
4. In the Passpharse field, enter the passphrase for the selected private key.
5. In the Alias for this Key field, enter the alias name to assign another name for the selected new key.
6. Click Save to save the configuration or click Cancel to cancel the changes. The added private key details are displayed in the certificates table.
7.
Ensure that you have added a certificate to the application and that it is listed in the Administration > Certificates table.
Procedure
1. In the navigation pane, click Administration > Certificates tab. The added certificates, chain certificates, and private key are displayed along with the name and type details.
2. Select the required certificate you want to bind in the Name column.
3. Click Bind and select Bind Certificate from the drop-down list.
Passpharse: Configures the passphrase that needs to be used to encrypt the file containing the private key. If the private key is not encrypted, leave this field blank.
Note: Ensure that you provide the valid passphrase, so that the bind does not fail and result in HTTPD restart failure.

Binding a Chain
Use this procedure to bind a Certificate Chain to the HTTPD server.
Managing Access Control Engine
If a chain certificate is not selected, the Bind Chain option in the drop-down list is disabled.
4. In the Certificate field, select the required certificate from the drop-down list.
5. In the Private Key field, select the required private key from the drop-down list.
6. (Optional) In the Passpharse field, enter the required passphrase for the selected certificate and private key.
7. Click Save to save the configuration or click Cancel to cancel the changes.
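Added example (not part of the Extreme Networks guide or product code): a Python standard-library check to run on a certificate or key file before uploading it on the Certificates tab. It reports the encoding (DER or Base64/PEM), how many certificates and private keys the file holds, and whether the key is encrypted and therefore needs the passphrase field filled in. Function names are illustrative and the sample bytes are constructed, not a real certificate.

```python
"""Pre-upload inspection of certificate and key files (added example, not vendor code)."""
import base64
import binascii
import re
import ssl

PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

# Constructed sample: a tiny, well-formed DER SEQUENCE. It is NOT a real certificate.
SAMPLE_DER = bytes.fromhex("3003020105")


def looks_like_der(data: bytes) -> bool:
    """True if data is one DER SEQUENCE whose declared length covers the whole input."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                       # short-form length
        return len(data) == 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return False
    return len(data) == 2 + n + int.from_bytes(data[2:2 + n], "big")


def to_pem(label: str, der: bytes) -> bytes:
    """Wrap DER bytes in a PEM envelope (used to build the constructed samples)."""
    tag = label.encode("ascii")
    return b"-----BEGIN %b-----\n%b-----END %b-----\n" % (tag, base64.encodebytes(der), tag)


def inspect_upload(data: bytes) -> dict:
    """Describe a file the way the upload form will need it described."""
    report = {"encoding": "unknown", "certificates": 0, "private_keys": 0,
              "passphrase_needed": False, "problems": []}
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        if looks_like_der(data):
            report["encoding"] = "der"
            report["certificates"] = 1     # assumption: a lone DER object is the certificate
        else:
            report["problems"].append("not a PEM (Base64) or DER file")
        return report
    report["encoding"] = "pem"
    for raw_label, body in blocks:
        label = raw_label.decode("ascii")
        # Legacy OpenSSL key encryption places RFC 1421 headers before the Base64 body.
        legacy_encrypted = b"Proc-Type: 4,ENCRYPTED" in body
        if legacy_encrypted:
            body = re.split(rb"\r?\n\r?\n", body, maxsplit=1)[-1]
        try:
            decoded = base64.b64decode(b"".join(body.split()), validate=True)
        except binascii.Error:
            report["problems"].append(f"{label}: body is not valid Base64")
            continue
        # A legacy-encrypted body is ciphertext, so only check DER framing otherwise.
        if not legacy_encrypted and not looks_like_der(decoded):
            report["problems"].append(f"{label}: body is not a complete DER structure")
        if label == "CERTIFICATE":
            report["certificates"] += 1
        elif label.endswith("PRIVATE KEY"):
            report["private_keys"] += 1
            if legacy_encrypted or label == "ENCRYPTED PRIVATE KEY":
                report["passphrase_needed"] = True
        else:
            report["problems"].append(f"{label}: unexpected block type")
    return report


def key_matches_certificate(cert_path: str, key_path: str, passphrase: str = "") -> bool:
    """True if the PEM key decrypts with the passphrase and belongs to the PEM certificate.

    Uses OpenSSL through the ssl module; DER input must be converted to PEM first.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        # A callable is passed so OpenSSL never falls back to prompting on the terminal.
        ctx.load_cert_chain(cert_path, key_path, password=lambda: passphrase.encode())
        return True
    except OSError:                        # ssl.SSLError and missing files are OSError subclasses
        return False


if __name__ == "__main__":
    # Constructed bundle: certificate, chain certificate and an encrypted PKCS#8 key.
    bundle = (to_pem("CERTIFICATE", SAMPLE_DER) + to_pem("CERTIFICATE", SAMPLE_DER)
              + to_pem("ENCRYPTED PRIVATE KEY", SAMPLE_DER))
    print(inspect_upload(bundle))
```

Run `inspect_upload` on the file bytes first; when both files are PEM, `key_matches_certificate` then confirms the passphrase and key pairing before the bind is attempted.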
Configuring Engine Details
Use this procedure to connect Guest and IoT Manager to the Access Control Engine.
Procedure
1. In the navigation pane, click Administration > Access Control Engine tab. The Engine Details screen is displayed.
2. In the Primary Engine field, enter the IP address or host name of the Access Control Engine.
3.
6. Click Save to store the valid configuration in the Guest and IoT Manager Application.
Note: The Guest and IoT Manager uses this configuration to establish a connection with the Access Control Engine. In the absence of these settings, Guest and IoT Manager is no longer connected to the Provisioner and Self-Service Provisioning Application.
7. (Optional) Click Test to verify the Access Control Engine configuration. The successful / failure test configuration message is displayed.
8.
Application. For more information on RADIUS settings, see the Guest and IoT Manager Configuration Document in Extreme Management Center.
Procedure
1. In the navigation pane, click Administration > Access Control Engine tab.
2. Click RADIUS. The RADIUS screen is displayed.
3. In the RADIUS Port field, enter the port number for authentication requests.
4. In the Shared Secret field, enter the pre-shared key to establish the connection.
5.
RADIUS Port: Configures the RADIUS port number where the Access Control Engine is running for centralized Authentication, Authorization, and Accounting (AAA) network access management. The default number is 1812. Access Control Engine uses RADIUS to authenticate Provisioners.
Shared Secret: Configures the proof of identity for authentication. The Shared Secret can be randomly selected bytes.
3. In the Certificate File field, click Browse to select the certificate from the local folder and click Open to upload.
4. In the Alias for this Certification field, enter the alias name to assign another name for the selected new certificate.
5. Click Save to save the configuration or click Cancel to cancel the changes. The added Root Certificate details are displayed in the Root Certificates table and Update Trust Mode is enabled.
6. Click Trust Mode.
Certificate File: Adds a new Root Certificate for the application. The certificate file must contain a PEM-encoded certificate. Make sure that the certificate does not have a password associated with it. The certificate encoding format must be one of the following formats.
Note:
• DER encoded binary X.509 file containing the certificate.
• Base64 encoded file containing both the certificate and the private key.
Alias for this certificate
Setting Notification Parameters

Different License Status

Scenario                                          License Status
When engine details not configured                Not Available
Invalid Credentials                               Not Available
Not compatible                                    Not Available
Not Reachable                                     Not Available
Not Trusted                                       Not Available
Reachable and valid license present               Valid
Reachable and there is no valid license present   Not Installed / Expired

For more information on Server License, see Diagnostics in Extreme Management Center.
Important: You can use a public mail server such as Gmail or Yahoo as the Simple Mail Transfer Protocol (SMTP) server. However, there are some limitations with these web-based SMTP servers. Emails sent using web-based SMTP servers are likely to be marked as spam by mail clients including Outlook. Guest Users need to be made aware of this so that they do not overlook the mail.
2. In the E-mail screen, select the Enable Sending of Email Notification checkbox to configure SMTP.
3. In the From Address field, enter the email address that needs to be displayed in the From line of the messages that the application sends.
4. In the Server field, enter the fully-qualified domain name or the IP address.
5. In the Security field, select None, SSL/TLS or STARTTLS options from the drop-down list.
7. (Optional) Select User Authentication checkbox, if your SMTP server requires authentication. The User Name and Change Password fields are enabled.
   1. Enter the login credentials of SMTP server user in the Username field.
   2. Select Change Password checkbox, to modify the password details.
8. (Optional) Click Test to verify that the application can reach the server using the specified email address before saving the configuration.
From Address: Configures the email address that needs to be displayed in the From line of the messages. For example, user provisioning notifications contain a From Address such as guestreception@extremenetworks.com. This address appears in all types of emails that Guest and IoT Manager Application sends.
Server: Configures the domain name or the IP address assigned to the mail server that transmits email notifications from the application.
Configuring SMS Gateway / Provider

The Administrator can perform the following procedures to send the login credentials to Guest Users.
• Adding SMS Gateway
• Adding SMS Provider
• Modifying SMS Gateway/Providers
• Restore to Default SMS Gateways

Adding SMS Gateway

Use this procedure to configure carrier gateway settings to send SMS messages to mobile service providers.

Procedure
1. In the navigation pane, click Administration > Notification > SMS tab.
2.
3. In the Carrier Name field, enter the name of the carrier.
4. In the Carrier Gateway field, enter the carrier gateway address.
5. In the Phone Number field, select the required calling options from the drop-down list.
6. Click Test to test the added gateway service configuration. The Test Gateway Configuration screen is displayed.
   1. Enter the phone number in the Test Destination Mobile Number field.
   2. Click Send Test SMS to send the SMS or click Close to close the screen.
SMS text messages to each mobile service provider.
   Note: The first SMS gateway is always a default gateway. You can select the required gateway and Set as default, if required.
9. (Optional) Select the required added carrier and click Edit to modify the SMS gateway. For more information, see Modifying SMS Gateway/Providers.
10. (Optional) Select the required added carrier gateway(s) and click Delete option in the SMS Gateway screen to clear the added carrier service.
Adding SMS Provider

Use this procedure to configure Clickatell gateway settings to send bulk SMS messages to mobile service providers.

Before you begin
Ensure that you have completed Clickatell registration and have activated your account ID. The account activation email received includes User ID and Email address information.
Note: If Do Not Disturb (DND) service is enabled in your mobile network, you will not be able to receive any SMS notification.

Procedure
1.
4. In the Provider Name field, enter the name of the provider.
5. In the Provider Gateway / Host field, check the available URL details. The value displayed in this field is based on the option selected in the API Type field.
6. In the API Key field, enter the key details obtained from Clickatell.
7. In the API Type field, select the type from the drop-down list. By default, REST option is selected.
8. Click Test to test the added gateway services configuration.
Name: Description
Provider: Specifies the list of Providers. Currently, Clickatell is the only available service provider.
Provider Name: Configures the Provider name.
Provider Gateway / Host: Specifies the URL information.
API Key: Configures the API key. The default value for Provider Gateway / Host field is provided for both REST and HTTP API types. You need to copy the API key from Clickatell account. (https://portal.clickatell.
You can also view by double-clicking the required phone carrier / provider from the list.
5. In the Edit SMS Gateway screen, modify the fields required. The fields are displayed based on the selected phone carrier / provider type.
6. (Optional) The Change Visibility option can be used to hide SMS Gateways/Providers from the Provisioner application and the Self Registration page of Guest Users.
Two-Way SMS Provider

Use this procedure to configure the Two-Way SMS Provider.

Procedure
1. In the navigation pane, click Administration > Notification tab.
Housekeeping

2. Select the Two-Way SMS Provider tab and enter the field details as required.
3. Click Save to save the changes.

Field Descriptions
Use the data in the following table to use the Backup screen.
Name: Description
Service Provider: Displays the name of the service provider.
Associated Phone Number: Enter the Associated Phone Number with the country code.
Save: Saves the configuration.
Restore to Defaults: Cancels the configuration and resets back to the default settings.
records of Guest Users and Devices which have their first login pending. The Housekeeping tab under the Administration section lets you specify housekeeping tasks and shows the details of the housekeeping tasks that are run on Guest and IoT Manager. The administrator can configure the time when the housekeeping tasks must be performed. When the tasks are not needed, they can be disabled. The results are displayed in the logs so that you can verify whether the process completed.
4. To delete Guest Users with First login pending, click the Edit button. In the Edit pop-up window, enter the number of days to schedule the housekeeping task for the targeted task. The maximum value is 365 days.
   Note: For Devices/Guest Users with First login pending to be deleted before 'x' days, the scheduled task considers a period of 24 hours as 1 day. Therefore, for 'x' days the period will be 'x' * 24 hours before running the task.
Troubleshooting

Run Daily At: Specifies the time of day for the scheduled housekeeping task to be completed.
Enable / Disable: Enables or disables the scheduled housekeeping occurrence for the guest user, device or both.
Edit: The time in days for an enabled guest user, device, or both.
Run Now: Enables the administrator to run the selected housekeeping task(s).
Save: Saves the configuration.
Cancel: Cancels the configuration.
1. In the navigation pane, click Administration > Troubleshooting tab. By default, the Logs screen is displayed along with Types (Info, Error), Message and Timestamp details.
2. Click Enable Debug Logs to view the logs of type debug. By default, the debug logs are disabled.
3. (Optional) Click Download Logs to store and view the logs from the local drive.
   Note: The log file size is 10 MB. If the size exceeds 10 MB, the log file rolls over.
4.
3. In the Show Support screen, click Generate Show Support to download the zip file.
4. Save the Guest and IoT Manager show support zip file to an appropriate location and contact Extreme Networks technical support. For more information, see Troubleshooting and FAQs.

REST API

Swagger tool allows connections directly to REST APIs through an interactive, HTML-based user interface, where requests can be made directly from the UI and the user of the interface can explore the options.
Creating an Onboarding Template

For a non-authentication based API, the API Information can be executed without any authorization. The response contains the API Information details. For any REST API that requires authentication, you must provide the Provisioner credentials by clicking the Authorize button. After authorization, you can execute any API that requires authentication. For all the APIs, the api-version header is pre-populated with v1.
Before you begin
Log in to the Guest and IoT Manager application and ensure that it is connected with the Access Control Engine. For more information, see Configuring Engine Details.

Procedure
1. In the navigation pane, click Onboarding Templates > Add.
2. In the Common tab, configure the name and common details for the Onboarding Template. For more information, see Configuring the Common Details.
3.
For more information on modifying, copying and deleting Onboarding Templates, see Managing Onboarding Templates.

Configuring the Common Details

Use this procedure to configure common details for Onboarding Template.

Procedure
1. In the navigation pane, click Onboarding Templates > Add > Common tab. The Common screen is displayed.
2. In the Onboarding Template Details section, enter the name of the template, description, and any template related notes.
3.
If Provisioners are associated with REST API or Outlook Onboarding Templates then they will not be able to create new Guest Users and Devices. Only the view option is visible.
4. Select the "Provisioners belonging to this Onboarding Template can view and edit each other's records" checkbox to manage Guest User / Device accounts of all the Provisioners belonging to this Onboarding Template.
5.
Onboarding Template Type: Specifies the type of Onboarding Template.
Note: If no Associated LDAP Group or Default Onboarding Template configuration is selected, the system displays a pop-up message: 'No Associated LDAP Group or Default Onboarding Template configuration is selected. Without these settings LDAP Provisioner will not be able to authenticate and onboard users/devices for this template'.
• Guest User and Device Provisioning using API: Creates an Onboarding Template with Guest User and Device provisioning rights for third-party APIs.
• Guest User and Device Provisioning using CSV: Enables Provisioners to create Guest Users and Devices in bulk using *.csv files. The tabs enabled are:
  • Guest Users
  • Devices
  • Device Type Group
  • Advanced
• Zero Touch Guest Provisioning: Enables Guest Users to create their own accounts using Self Service Provisioning Service with the help of a QR Code.
Onboarding Template.

Before you begin
In the Common tab, select Guest User and Device Provisioning or Self Service with Sponsor Approval or Guest User and Device Provisioning using API option to configure the Guest User account details.
Note:
• If you select Guest User Provisioning using Outlook Add-in option, skip this section and see Configuring Guest User Provisioning Using Outlook Add-in.
2. In the Guest Users screen, select the Onboarding Template for Guest Users checkbox to configure the Guest User account details. By default, it is selected.
3. In the Guest Notification section, select the required checkboxes.
4. In the Username section, select an option as required.
5. In the Password section, select an option as required.
6. In the Password Complexity Check section, set the password complexity by selecting the required alphanumeric checkbox.
7.
9. In the Access Groups section, select the Single and Multiple Memberships Access Groups as required. For more information, see Configuring Access Groups.
10. In the Accessible to Provisioner section, configure the General and Custom Attributes as required.
11. Click Save to save the configuration or click Cancel to cancel the changes.

Field Descriptions
Use the data in the following table to use the Guest User tab.
Username: Specifies the different available options of Username that the Administrator can enable.
• Guest Defines Username: Allows the Provisioner / User to specify Username during Provisioner Guest creation or Self Service Provisioning Services.
• Generate Username With: Specifies the format of the Guest Username.
  • Random Generated Username: Random generated Username is a combination of Uppercase letters, Lowercase letters and Numbers. By default, all are enabled.
  • firstinitiallastname: Combination of the initial of the Firstname and the Lastname of the user with an optional suffix / prefix. By default, No Prefix Suffix option is selected. For example, if the firstname is "John" and the lastname is "Smith", Guest and IoT Manager defaults his Username to "jsmith".
Note: Administrator can restrict the Guest User and Provisioner from editing the auto-generated Username. Deselect the Username field editable checkbox to disable editing.
Password: Specifies the different available options of password that the Administrator can enable.
• Guest Defines Password: Allows the Provisioner / User to specify Password during Provisioner Guest creation or Self Service Provisioning Services.
  Note: On checking Guest Confirms Password, Provisioner/Self Provisioning Service User must confirm the password while creating the Guest User account.
Password Complexity Check: Configures the parameters to enforce when guests change their account passwords. Different levels of password complexity require passwords that contain different combinations of characters, lowercase letters, uppercase letters, digits and symbols. If multiple combinations are selected, the corresponding level of password complexity is applied.
• characters: Configures the number of characters in the password.
Access Groups: Configures the Access Groups for this Onboarding Template. Select the required checkbox(es) from the available options. If there are no groups available, click the links to select the required User Groups. For more information, see Configuring Access Groups.
• User Groups - Single Membership: Configures Single Membership User Groups for the Onboarding Template.
Accessible to Provisioner: Configures the Guest User settings accessible to Provisioner using this Onboarding Template. The options selected in this section are available to the Provisioner. Each section allows you to customize the required fields to be Optional / Mandatory.
• General: Configures the general Guest User settings.
• Access Groups: Configures the selected Access Groups.
• Email: Configures the Email address of the Guest User.
If a Guest User’s mobile phone service provider does not support the selected default gateway, the SMS messages are not sent.
• Delete on Expire: Specifies if the account must be deleted when account validity duration expires. If you select Delete on Expire checkbox, Provisioner will be able to view this field during Guest User creation.
First Login option enabled Guest User account will not expire until the user actually logs in. Once the user logs in, the account expires as per the specified duration.
• Account Expiration: Enables or disables the account expiration to be accessible to the Provisioner. If you select Max Expiration Time, Provisioner can configure the account validity duration up to the maximum value specified in the Onboarding Template > Common > Temporary Accounts Validity field.
Configuring Custom Attributes.
Perform any one of the following:
• If Sponsor approval is required for the Self-Service Guest Users in this Onboarding Template, go to Configuring Sponsor Approval.
• If this Onboarding Template manages devices, go to Configuring the Devices Record Details.
• Otherwise go to Configuring the Account Notification Templates.
2. In the Sponsor screen, select Sponsor approval required to configure the Sponsor approval details.
3. In the Sponsor Details section, select the required options.
4. In the Sponsor Configuration section, select the required checkboxes.
5. In the Sponsor Authentication section, select the Authentication Before Approval checkbox to log in to the Provisioner account and approve or deny the request.
6. Click Save to save the configuration or click Cancel to cancel the changes.
Sponsor Details: Configures any one of the Sponsor details.
• Manually Enter Sponsor Details: Configures the Sponsor Email Domains. You can add an email domain name (2–32 characters in length). If the entered domain name is less than 2 characters or more than 32 characters, the Add button is disabled. For example, the domain name must be in the following format: @healthbenifits.co.in @companyname.org @extremenetworks.travelersinsurance.
Note: If you are using the GIM Sponsor Retrieval Advanced Configuration in Extreme Management Center, the check box for GIM Sponsor LDAP Group Filter controls additional Sponsor look-up based on this LDAP Group. For example, CN=Gim,CN=Users,DC=SponGroup,DC=com
All the Sponsors are cached locally in Guest and IoT Manager and the frequency of the refresh depends on the Sync Duration.
Sponsor Authentication: Select if the Provisioner needs to log in to the application prior to approving or denying the Sponsor request. By default, this is enabled.
• Authentication Before Approval: Select to send an email to the Provisioner to log in to the account and approve or deny the request. If it is unchecked, the Provisioner will receive an email with a link to approve or deny the request.
2. In the Devices screen, select Onboarding Template for Devices to configure the Device record details. By default, it is selected.
3. In the Access Groups section, select the Single and Multiple End-System Groups as required. For more information, see Configuring Access Groups.
4. In the Accessible to Provisioner section, configure the General, Custom Attributes, Device Attributes and Account Validity Period options as required.
5.
Access Groups: Configures the Access Groups for this Onboarding Template. Select the required checkbox(es) from the available options. If there are no groups available, click the links to select the required End-System Groups. For more information, see Configuring Access Groups. The options available are:
• End-System Groups - Single Membership: Configures single End-System Groups for the Onboarding Template.
Accessible To Provisioner: Configures the Devices record settings accessible to Provisioners in this Onboarding Template. The options selected in this section are available to the Provisioner. Each section allows you to customize the required fields as Optional / Mandatory.
• General: Configures the general Devices record settings.
  • Name: Configures the Device name.
custom Device source value can be provided.
• Custom Attributes: Configures the custom attributes for Device record settings. For more information, see Configuring Custom Attributes.
• Device Attributes: Configures the device attributes for Device record settings.
  • Asset Type: Configures the Device Asset Type for Permanent / Temporary.
  • Device Type Groups: Configures the Device Type Groups.
Type Groups to be made available to the Provisioner while creating Devices.

Before you begin
In the Common tab, select Guest User and Device Provisioning or Guest User and Device Provisioning using API option to enable Device Type Groups tab.

Procedure
1. In the navigation pane, click Onboarding Templates > Add > Device Type Groups tab. The Device Type Groups screen is displayed.
2. Click Select All to enable all the Device Type Groups. By default, it is enabled.
3.
required.
4. Click Save to save the configuration or click Cancel to cancel the changes.
   Note: Configuring Device Type Groups limits the groups accessible to Provisioner while creating Devices.

Field Description
Use the data in the following table to use Device Type Groups tab.
Name: Description
Select All: Selects all the Device Type Groups accessible to Provisioners.
Available Device Type Groups: Specifies the available Device Type Groups accessible to Provisioner.
Note: Ensure that you have set up your Email and / or SMS gateways. For more information, see Setting Notification Parameters.

Configuring General Details

Use this procedure to configure the account notification sent to Guest Users.
Note: When using SMS Template and Email Template, if Sponsor approval is required, change the default message and variables to indicate that the request is pending for Sponsor approval.

Procedure
1.
2. In the SMS Template > Message field, enter the text message. You can use the available displayed variables.
3. In the Email Charset section, select an option as required.
4. In the Email Template > Subject field, enter the subject of email sent to the Guest User and enter the message in the Message field.
5.
Field Descriptions
Use the data in the following table to use the General tab.
Name: Description
SMS Template: Specifies the SMS template that is used to send an SMS to the Guest User when a Provisioner and Self-Service creates or updates the account. The available options are:
• Message: Configures the message using displayed available variables such as $username, $password, $sponsorname, and $sponsoremail if required.
Email Charset: Specifies the type of character set for the contents of the Guest User email template. The options available are:
• HTML Character Set: Configures the email template to support HTML content. You can select the Font and Color from the available list. By default, it is enabled.
• Plain Character Set: Configures the email template to contain only plain characters.
Note:
• This Character Set is applicable for all Email Notifications.
Email Template: Specifies the email template that is used to send an email to the Guest User when a Provisioner and Self-Service creates or updates the account. The options available are:
• Subject: Configures the subject of the email to be sent to the Guest User.
Terms of Use and/or Additional information to be included as part of guest account confirmation page: Configures a message to be displayed on the Guest account confirmation screen when an account is created. The Provisioner can print this confirmation and hand it to the Guest user. By default, text entered is appended as part of email confirmation sent to the user.
Note: This section is disabled for Zero Touch Onboarding Template.
2. In the Email Template > Subject field, enter the subject of the Sponsor request email and in the Message field, enter the message to be sent to the sponsor to approve or deny the access request for a Guest User account. You can use the available displayed variables.
3. In the Select Interface field, select the required interface from the drop-down list. By default, Admin is selected.
4. Click Save to submit the information or click Cancel to cancel the changes.
Email Template: Specifies the email template that is used to notify the Sponsor for appropriate action. The options available are:
• Subject: Configures the subject of the email to be sent to the Sponsor.
• Message: Configures the message using displayed available variables such as $username, $password, $firstname, $lastname, $email, $starttime, $sponsoractionlink, $endtime, and $userCustom1-6 if required.
Configuring Sponsor Action

Use this procedure to configure Guest User account notification when the Sponsor approves or denies the user account access request.

Before you begin
In the Common tab, select Self Service with Sponsor Approval option to enable the Sponsor Action tab.

Procedure
1. In the navigation pane, click Onboarding Templates > Add > Notification > Sponsor Action tab.
2. In the SMS Template > Message field, enter the text message. You can use the available displayed variables.
3. In the Email Template > Subject field, enter the subject of the Sponsor request email and in the Message field, enter the message to be sent to the sponsor to approve or deny the access request for a Guest User account. You can use the available displayed variables.
4. Click Save to save the configuration or click Cancel to cancel the changes.
SMS Template: Specifies the email template that is used to send an email to the Guest User when a Sponsor approves or denies the Guest User account. The options available are:
• Message: Configures the message using displayed available variables such as $username, $password, $sponsorname, $sponsoremail, and $sponsoraction if required.
• SMS characters: Displays the length of your message in characters. The SMS message is limited to 160 characters.
Email Template
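The SMS templates described above carry credentials in variables, so a template that looks short can still render past the 160-character limit and cut off the password. The following check is an added example, not Extreme Networks code; it assumes variables are written as `$name`, and every maximum length except the 40-character username bound from this guide is constructed.

```python
import re

SMS_LIMIT = 160  # per-message limit stated in the SMS characters field description

# "$" followed by a name, e.g. $username or $userCustom1 (assumed variable syntax).
VAR = re.compile(r"\$([A-Za-z][A-Za-z0-9]*)")

# Longest value each variable may take. 40 is the upper bound this guide gives
# for generated usernames; the other numbers are constructed for the example.
MAX_LENGTHS = {
    "username": 40,
    "password": 16,
    "sponsorname": 40,
    "sponsoremail": 64,
    "sponsoraction": 8,
}


def render(template, values):
    """Replace each known $variable; leave unknown ones visible in the output."""
    return VAR.sub(lambda m: str(values.get(m.group(1), m.group(0))), template)


def review_sms_template(template, max_lengths=MAX_LENGTHS, limit=SMS_LIMIT):
    """Report misspelled variables and the longest message the template can produce."""
    used = VAR.findall(template)
    unknown = sorted(set(used) - set(max_lengths))
    # Fill every variable with a value of its maximum length.
    longest = render(template, {name: "X" * n for name, n in max_lengths.items()})
    return {
        "unknown": unknown,
        "template_length": len(template),
        "worst_case_length": len(longest),
        "fits": not unknown and len(longest) <= limit,
    }


# Constructed sample templates.
SHORT = "Guest Wi-Fi login: $username / $password"
LONG = ("Guest Wi-Fi login: $username / $password. "
        "Sponsor: $sponsorname <$sponsoremail>. Valid after approval.")
TYPO = "Guest Wi-Fi login: $usernme / $password"

if __name__ == "__main__":
    for label, text in (("SHORT", SHORT), ("LONG", LONG), ("TYPO", TYPO)):
        print(label, review_sms_template(text))
```

LONG is well under 160 characters as typed but not once the variables are filled in, and TYPO would send the literal text `$usernme` to the guest.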
2. In the Time Zone drop-down list, select the required zone.
3. Select Default Onboarding Template for LDAP Provisioner to send the Onboarding Template as default for Provisioners who are not associated with any Onboarding Template(s).
4. In the Associated LDAP Groups section, Add or Remove the required LDAP Groups to be associated with the Onboarding Template(s).
5. Click Save to save the configuration or click Cancel to cancel the changes.
Default Onboarding Template for LDAP Provisioner: Enables or disables the default Onboarding Template for LDAP Provisioner. By default, it is enabled.
Note: If you log in as a Provisioner:
• Case Scenario: The group that you are part of is not associated with any Onboarding Template.
• Result: The Onboarding Template(s) marked as default is / are sent to you.
Associated LDAP Groups: Configures the LDAP group(s) associated with the Onboarding Template.
1. In the navigation pane, click Onboarding Templates > Add > Guest Users tab. The Guest Users screen is displayed.
2. In the Guest Users screen, select the Onboarding Template for Guest Users checkbox to configure the Guest User account details. By default, it is enabled.
3. In the Username section, by default Generate Username With option is enabled while other options are disabled.
4. In the Password section, select an option as required.
5.
8. In the Accessible to Provisioner section, configure the General and Custom Attributes as required.
9. Click Save to save the configuration or click Cancel to cancel the changes.

Field Descriptions
Use the data in the following table to use the Guest User tab.
Name: Description
Guest Notification: Email notification is checked and this field is disabled for Outlook Add-in Onboarding Template.
Password: Specifies the different available options of password that the Administrator can enable.
• Guest Defines Password: This option is disabled for Outlook Add-in Onboarding Template.
• Random Generated Password: Generates random password with the specified password complexity.
Password Complexity Check: Configures the parameters to enforce when guests change their account passwords. Different levels of password complexity require passwords that contain different combinations of characters, lowercase letters, uppercase letters, digits and symbols. If multiple combinations are selected, the corresponding level of password complexity is applied.
• characters: Configures the number of characters in the password.
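The Random Generated Password and Password Complexity Check options above can be pictured with the following added example, which is not Extreme Networks code. It assumes each complexity option is a minimum count per character class; the function names and the symbol set are hypothetical.

```python
import secrets
import string

# Assumed symbol set; the symbols the product accepts are not listed in this guide.
SYMBOLS = "!@#$%^&*()-_=+"

CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": SYMBOLS,
}


def generate_password(length, minimums):
    """Return a random password of `length` characters that contains at least
    minimums[name] characters of every character class named in `minimums`."""
    unknown = set(minimums) - set(CLASSES)
    if unknown:
        raise ValueError(f"unknown character classes: {sorted(unknown)}")
    if any(n < 0 for n in minimums.values()):
        raise ValueError("minimum counts must not be negative")
    required = sum(minimums.values())
    if required > length:
        raise ValueError("per-class minimums exceed the password length")
    enabled = [name for name, n in minimums.items() if n > 0]
    if not enabled:
        raise ValueError("at least one character class must be enabled")

    # Mandatory characters first, drawn from the OS CSPRNG via `secrets`.
    chars = []
    for name in enabled:
        chars.extend(secrets.choice(CLASSES[name]) for _ in range(minimums[name]))
    # Fill the remainder from the enabled classes only.
    pool = "".join(CLASSES[name] for name in enabled)
    chars.extend(secrets.choice(pool) for _ in range(length - required))

    # Fisher-Yates shuffle with the CSPRNG so the mandatory characters do not
    # sit at predictable positions.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def check_complexity(password, length, minimums):
    """Return the names of the requirements that `password` does not meet."""
    problems = []
    if len(password) < length:
        problems.append("characters")
    for name, n in minimums.items():
        if sum(ch in CLASSES[name] for ch in password) < n:
            problems.append(name)
    return problems


if __name__ == "__main__":
    policy = {"lowercase": 2, "uppercase": 2, "digits": 2, "symbols": 1}
    pw = generate_password(12, policy)
    print(pw, check_complexity(pw, 12, policy))
```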
User Email Domains: Configures the domains that need to be excluded during Guest User creation. For example, if the specified domain is "@extremenetworks.com", a Guest User account with the email "name@extremenetworks.com" is not created.
Accessible to Provisioner: Configures the Guest User settings accessible to Provisioner using this Onboarding Template. The options selected in this section are available to the Provisioner.
• General: Configures the general Guest User settings.
  • Email: Configures the Email address of the Guest User. This option is checked and disabled for Outlook Add-in Onboarding Template.
  • Mobile Phone: This option is disabled for Outlook Add-in Onboarding Template.
Provisioner. If you select Time Based, Provisioner can configure start time and duration (up to a maximum set limit) during guest account creation. If you select First Login, Provisioner can configure guest account duration that is valid from the moment the Guest User first logs in. For Outlook Add-in Onboarding Template, Time Based is selected and the field is disabled.
• Account Expiration: Enables or disables the account expiration to be accessible to Provisioner.
Configuring Guest User Provisioning Using Vouchers

Use this procedure to configure Guest User record details for using Vouchers.

Before you begin
In the Common tab, select Guest User Provisioning using Vouchers option to configure Guest User account details.

Procedure
1. In the navigation pane, click Onboarding Templates > Add > Guest Users tab. The Guest Users screen is displayed.
2.
available to the Provisioner. The options are:
   • Select Avery 5371 Business Card Template to print in Avery 5371 format.
   • Select Default to print in grid format.
6. In the Access Groups section, select the Single and Multiple Memberships Groups as required. For more information, see Configuring Access Groups.
7. In the Accessible to Provisioner section, configure the General section as required.
8.
Username: Specifies the different available options of Username that the Administrator can enable. Only Generate Username With field is enabled.
• Generate Username With: Specifies the format of the Guest User Name.
  • Random Generated Username: Random generated Username is a combination of Uppercase letters, Lowercase letters and Numbers. By default, all are enabled. Enter the length as a single value / range (within 3 - 40).
Password

Specifies the different available options of password that the Administrator can enable.

• Guest Defines Password: This option is disabled for Voucher Type Onboarding Template.
• Guest Confirms Password: This option is disabled for Voucher Type Onboarding Template.
• Random Generated Password: Generates random password with the specified password complexity.
Password Complexity Check

Configures the parameters to enforce when guests change their account passwords. Different levels of password complexity are required to select passwords that contain different combinations of characters, lowercase letters, uppercase letters, digits and symbols. If multiple combinations are selected, the different levels of password complexity are selected appropriately.

• characters: Configures the number of characters in the password.
Voucher Template

This field displays the templates accessible to the provisioner. They are as follows:

• Default: To print in the default grid view.
• Avery 5371 Business Card Template: To print in the Avery 5371 Business Card format view. The configurations are as follows:
  • Title: Configures the Title of the Business card:
    • Text: Configures the Text for the Title. A maximum of 35 characters can be used in the Text of the Title.
Access Groups

Configures the Access Groups for Voucher Type Onboarding Template. Select the required checkbox(s) from the available options. If there are no groups available, click the links to select the required User Groups. For more information, see Configuring Access Groups.

• User Groups - Single Membership: Configures Single Membership User Groups for the Onboarding Template.
Accessible to Provisioner

Configures the Guest User settings accessible to Provisioner using this Onboarding Template. The options selected in this section are available to the Provisioner.

• General: Configures the general Guest User settings.
  • Email: Configures the Email address of the Guest User. This option is disabled for Voucher Type Onboarding Template.
  • Mobile Phone: This option is disabled for Voucher Type Onboarding Template.
If you select the Delete on Expire checkbox, Provisioner will be able to view this field during Guest User creation. Provisioner can select this to override the specified conditions Delete on Expire / Do Not Delete On Expire and remove the accounts upon expiry. If you do not select the Delete on Expire checkbox, Provisioner will not be able to view this field during Guest User account creation. If you select the Delete on Expire option, the Guest Account is removed on expiry.
Onboarding Template > Common > Temporary Accounts Validity field. If you select Permanent, a permanent Guest User account is created. This account does not have account activation preference and will not be deleted on expiry. For Voucher Type Onboarding Template, Max Expiration Time is selected and the field is disabled.

• Firstname & Lastname: This option is disabled for Voucher Type Onboarding Template.
• Access Groups: Configures the selected Access Groups.
2. In the Username section, by default the Generate Username With option along with the Random Generated Username option is enabled, while other options are disabled.
3. In the Password section, select an option as required.
4. In the Password Complexity Check section, set the password complexity by selecting the required alphanumeric checkbox.
5. In the Access Groups section, select the Single and Multiple Memberships Groups as required. For more information, see Configuring Access Groups.
Guest Notification

Display Username and Display Password are checked and this field is disabled for CSV type Onboarding Template.

Username

Specifies the different available options of Username that the Administrator can enable. Only Generate Username With field is enabled.

• Generate Username With: Specifies the format of the Guest User Name.
  • Random Generated Username: Random generated Username is a combination of Uppercase letters, Lowercase letters and Numbers.
Password

Specifies the different available options of password that the Administrator can enable.

• Guest Defines Password: This option is disabled for CSV Type Onboarding Template.
• Guest Confirms Password: This option is disabled for CSV Type Onboarding Template.
• Random Generated Password: Generates random password with the specified password complexity.
Password Complexity Check

Configures the parameters to enforce when guests change their account passwords. Different levels of password complexity are required to select passwords that contain different combinations of characters, lowercase letters, uppercase letters, digits and symbols. If multiple combinations are selected, the different levels of password complexity are selected appropriately.

• characters: Configures the number of characters in the password.
Access Groups

Configures the Access Groups for CSV Type Onboarding Template. Select the required checkbox(s) from the available options. If there are no groups available, click the links to select the required User Groups. For more information, see Configuring Access Groups.

• User Groups - Single Membership: Configures Single Membership User Groups for the Onboarding Template.
Accessible to Provisioner

Configures the Guest User settings accessible to Provisioner using this Onboarding Template. The options selected in this section are available to the Provisioner.

• General: Configures the general Guest User settings.
  • Email: Configures the Email address of the Guest User. This option is disabled for CSV Type Onboarding Template.
  • Mobile Phone: This option is disabled for CSV Type Onboarding Template.
to override the specified conditions Delete on Expire / Do Not Delete On Expire and remove the accounts upon expiry. If you do not select the Delete on Expire checkbox, Provisioner will not be able to view this field during Guest User account creation. If you select the Delete on Expire option, the Guest Account is removed on expiry. If you select the Do Not Delete On Expire option, the account needs to be removed manually.
User account is created. This account does not have account activation preference and will not be deleted on expiry. For CSV Type Onboarding Template, Max Expiration Time is selected and the field is disabled.

• Firstname & Lastname: This option is disabled for CSV Type Onboarding Template.
• Access Groups: Configures the selected Access Groups.
• Resend Details: This option is not applicable to CSV Type Onboarding Template.
2. In the Devices screen, select Onboarding Template for Devices to configure the Device record details. By default, it is selected.
3. In the Access Groups section, select the Single and Multiple End-System Groups as required. For more information, see Configuring Access Groups.
4. In the Accessible to Provisioner section, configure the General, Custom Attributes, Device Attributes, and Account Validity Period options as required.
5.
Accessible To Provisioner

Configures the Devices record settings accessible to Provisioners in this Onboarding Template. The options selected in this section are available to the Provisioner. Each section allows you to customize the required fields as Optional / Mandatory.

• General: Configures the general Devices record settings.
  • Name: Configures the Device name.
custom Device source can be provided.

• Custom Attributes: Configures the custom attributes for Device record settings. For more information, see Configuring Custom Attributes.
• Device Attributes: Configures the device attributes for Device record settings.
  • Asset Type: Configures the Device Asset Type for Permanent / Temporary.
  • Device Type Groups: Configures the Device Type Groups. By default, Device Type Groups is checked and Mandatory option is selected.
If you select the Delete on Expire option, the Device is removed on expiry. If you select the Do Not Delete On Expire option, the device needs to be removed manually.

• Account Activation: Specifies the type of account activation to be accessible to Provisioner. If you select Time Based, Provisioner can configure start time and duration (up to a maximum set limit) during guest account creation.
2. In the Guest Users screen, select the Onboarding Template for Guest Users checkbox to configure the Guest User account details. By default, it is enabled.
3. In the Username section, by default Generate Username With option is enabled while other options are disabled.
4. In the Password section, select an option as required.
5. In the Password Complexity Check section, set the password complexity by selecting the required alphanumeric checkbox.
6.
Username

Specifies the different available options of Username that the Administrator can enable. Only Generate Username With field is enabled.

• Generate Username With: Specifies the format of the Guest User Name. This field is disabled for Zero Touch Guest User Provisioning Template.
• Guest Defines User Name: Specifies the Guest User name. This field is disabled for Zero Touch Guest User Provisioning.
Password

Specifies the different available options of password that the Administrator can enable.

• Guest Defines Password: This option is disabled for Zero Touch Guest User Provisioning Template.
• Random Generated Password: Generates random password with the specified password complexity.
Password Complexity Check

Configures the parameters to enforce when guests change their account passwords. Different levels of password complexity are required to select passwords that contain different combinations of characters, lowercase letters, uppercase letters, digits and symbols. If multiple combinations are selected, the different levels of password complexity are selected appropriately.

• characters: Configures the number of characters in the password.
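The Random Generated Username, Random Generated Password and Password Complexity Check settings described above can be mirrored offline to sanity-check the values chosen for a template. The following is an added example, not Guest and IoT Manager code: it assumes each complexity setting is a minimum count, borrows its symbol set from the characters this guide lists as allowed in Provisioner passwords, and every class and function name in it is hypothetical.

```python
import secrets
import string
from dataclasses import dataclass

# Assumption: symbol set borrowed from the special characters the guide lists
# for Provisioner passwords; the guest-password symbol set is not documented here.
SYMBOLS = "!@#$%^&*()+-"
CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": SYMBOLS,
}


@dataclass(frozen=True)
class Complexity:
    """Assumed reading of the Password Complexity Check: minimum counts."""
    characters: int          # number of characters in the password
    lowercase: int = 0
    uppercase: int = 0
    digits: int = 0
    symbols: int = 0


def violations(password, policy):
    """Return the reasons a password fails the policy (empty list = passes)."""
    problems = []
    if len(password) < policy.characters:
        problems.append(f"length {len(password)} < {policy.characters}")
    for name, alphabet in CLASSES.items():
        have = sum(ch in alphabet for ch in password)
        if have < getattr(policy, name):
            problems.append(f"{name} {have} < {getattr(policy, name)}")
    if set(password) - set("".join(CLASSES.values())):
        problems.append("contains characters outside the four classes")
    return problems


def generate_password(policy):
    """Random password of exactly policy.characters meeting every minimum."""
    required = {name: getattr(policy, name) for name in CLASSES}
    if sum(required.values()) > policy.characters:
        raise ValueError("class minimums exceed the configured length")
    # Only classes with a non-zero minimum contribute to the filler pool.
    pool = "".join(CLASSES[n] for n, count in required.items() if count > 0)
    if not pool:
        raise ValueError("no character class is enabled")
    chars = [secrets.choice(CLASSES[n])
             for n, count in required.items() for _ in range(count)]
    chars += [secrets.choice(pool) for _ in range(policy.characters - len(chars))]
    secrets.SystemRandom().shuffle(chars)   # required classes must not lead
    return "".join(chars)


def parse_length(spec, low=3, high=40):
    """Parse '8' or '6-10' and enforce the 3 - 40 bounds stated for usernames."""
    first, _, last = spec.replace(" ", "").partition("-")
    lo = int(first)
    hi = int(last) if last else lo
    if not low <= lo <= hi <= high:
        raise ValueError(f"length must be a value or range within {low}-{high}")
    return lo, hi


def generate_username(spec, upper=True, lower=True, digits=True):
    """Random username from the enabled classes, length drawn from the range."""
    lo, hi = parse_length(spec)
    pool = ((string.ascii_uppercase if upper else "")
            + (string.ascii_lowercase if lower else "")
            + (string.digits if digits else ""))
    if not pool:
        raise ValueError("enable at least one of upper, lower, digits")
    length = lo + secrets.randbelow(hi - lo + 1)
    return "".join(secrets.choice(pool) for _ in range(length))


if __name__ == "__main__":
    policy = Complexity(characters=12, lowercase=2, uppercase=2, digits=2, symbols=1)
    password = generate_password(policy)
    print(generate_username("6-10"), password, violations(password, policy))
```

Both generators draw from the operating system's CSPRNG through `secrets`, and `generate_password` rejects a policy whose class minimums cannot fit in the configured length instead of silently truncating it.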
Managing Onboarding Templates

Onboarding Template is a collection of settings that establishes the administrative rights and account settings of the Provisioners that associate with it. Use this procedure to manage an Onboarding Template.

Procedure

1. In the navigation pane, click Onboarding Templates.
2. Click the required Onboarding Template to manage.
3. Click Add to create a new Onboarding Template. For more information, see Creating an Onboarding Template.
4.
You can also view by double-clicking the required Onboarding Template from the list. The Edit screen is displayed.
4. In the Edit Onboarding Template screen, modify the changes in the required tabs.
5. Click Copy to Clipboard to copy the Onboarding Template summary to clipboard.
6. Click Print to print the Onboarding Template.
7. Click Save to save the configuration or Cancel to cancel the changes.
Procedure

1. In the navigation pane, click Onboarding Templates.
2. Click the required Onboarding Template from the list.
3. Click Copy.
4. In the Onboarding Template Name field, enter the name, description and notes for the new Onboarding Template.
5. Modify the required changes in all the tabs for the new Onboarding Template.
6. Click Save to save the configuration or click Cancel to cancel the changes.
Configuring Custom Attributes

Delete Onboarding Template Member(s): Deletes all the Internal Provisioner(s) or Self Service Provisioner(s), or Guest User(s), or Device(s) of the selected Onboarding Template. If you select this option, the Guest and IoT Manager displays a screen that allows you to select the type of records to delete. If this option is selected, you need to select the required selection in the Delete Member screen.
The languages displayed are based on the locales configured in Preferences tab. For more information, see the Setting the Locales section in Setting the Locales.
2. In the Custom Field, enter one or more labels as required in the (1-6) fields.
3. Click Save to save the configuration or click Clear to clear the configuration. You cannot clear the default and other languages available in this screen.

Field Descriptions

Use the data in the following table to use Guest User tab.
Custom Field: Specifies the labels for the custom fields to be displayed during Guest User Registration. For example, if the Administrator specifies Country Code as the label for Custom Field 1 for the language English-US and the Provisioner or Self Service Guest User selects English-US as the language to be displayed, then, depending on the Onboarding Template settings, the country code needs to be specified during Guest User registration.
Configuring Access Groups

The languages displayed are based on the locales configured in Preferences tab. For more information, see the Setting the Locales section in Setting Preferences.
2. In the Custom Field field, enter one or more labels as required in the (1-6) fields.
3. Click Save to save the configuration or click Clear to clear the configuration.
Note: You cannot clear the default and other languages available in this screen.
customized for your site; the Administrator structures the fields that need to be available during Guest User creation.

• User Groups - Single Membership: Configures the specific network to which the Guest User has access. The Provisioner may select only one Single Membership as the user must be assigned to one segment of the network.
2. In the Available User Groups section, drag and drop the required User Groups to Single and Multiple Group Memberships. This can be used for customizing the Onboarding Templates. You can also perform the same action in reverse order.
3. Click Save to save the configuration.

Field Descriptions

Use the data in the following table to use Guest Users tab.
User Groups - Multiple Memberships: Specifies the User Groups that provide general network access to the Guest User.

Configuring Device Access Groups

Use this procedure to configure Device access groups.

Procedure

1. In the navigation pane, click Onboarding Templates > Access Groups > Device tab. The Devices screen is displayed.
2.
Available End-System Access Groups: Specifies the list of End-System Groups available for mapping as Single and Multiple Groups.
End-System Groups Single Memberships: Specifies the list of End-System Groups that provide specific network access to the Guest User.
End-System Groups Multiple Memberships: Specifies the End-System Access Groups that provide general network access to the Guest User.
Prerequisite for Provisioner Function

Configuring Provisioners

This module is intended for Guest and IoT Manager Administrator to perform operations on Provisioner accounts that are stored in the Access Control Engine local password repository. A Provisioner is a member of the organization whose account is stored either in the Access Control Engine or in LDAP. These internally stored Provisioners are referred to as Internal Provisioners.
Internal Provisioner Operations

Ensure that you have created an Onboarding Template to which the new Internal Provisioner belongs. For more information, see Creating an Onboarding Template. It is necessary to train the Provisioners to use the Guest and IoT Manager Provisioner Application. For more information, see the ExtremeControl Guest and IoT Manager Configuration document.
3. Configure the Provisioner login credentials details in the respective fields as required.
4. Select the Helpdesk Provisioner checkbox to provide the Provisioner user with the ability to view and edit all the Guest user and Device records of the Onboarding Templates to which they are assigned.
screen along with all the specified information.
   • The URL to access the Provisioner application is https:///GIM/provisioner/
   • Provisioner URL can also be accessed through IP address or host name. For example: https://.
7. (Optional) Select the required Provisioner account and click Edit to modify a provisioner account. For more information, see Modifying Internal Provisioner Account.
8.
Password and Confirm Password: Configures the password of the Provisioner. Since Guest and IoT Manager encrypts the password, ensure that you make a note of the password for future reference.
Note: These fields should only contain alphanumeric and special characters. Only these special characters are allowed: ! @ # $ % ^ & * ( ) + - .
Email: Configures the email address of the Provisioner.
Comments: Configures the additional information.
Note: You can also view by double-clicking the required Provisioner account from the list. By default, the Username field is disabled.
4. In the Edit Internal Provisioner screen, modify the fields required.
5. (Optional) Select Change Password to modify the Internal Provisioner’s password. You must specify New Password and Confirm New Password.
6. Click Save to save the configuration or click Cancel to cancel the changes.
Name: Description
First Name and Last Name: Modify the First Name, and Last Name of the Provisioner account details. The length of the name can be 30 characters or less. Note: These fields should only contain letters, number, hyphen, and underscore.
Change Password: Select this to modify the current password details. If selected, you must also specify New Password and Confirm New Password. Change Password is optional.
2. In the Internal Provisioners screen, click Show Filter to narrow the search parameters and quickly find all similar provisioners. The Filter Internal Provisioner screen is displayed.
3. In the Filter Internal Provisioner screen, do the following:
   1. Select All, and click Apply Filter to view all the Internal Provisioners.
   2. Select Specify Filter to include the additional fields to narrow the quick search and click Apply Filter.
   3. Click Cancel to cancel the changes.
Specify Filter: Simplifies the search parameters to quickly find the selected search criterion that includes specified parameters. Additionally you can also enter the operator conditions to match the selected search criteria to obtain precise search results of each Provisioner.
Configuring Self-Service Provisioners

Configuring Self-Services

This module is intended for Guest and IoT Manager Administrator to create Self-Service Provisioner. A Self-Provisioned Guest User or Device appears as a Guest User account or Device and is managed similarly to other Guest User accounts and Devices. For more information, see the ExtremeControl Guest and IoT Manager Configuration document.
3. In the Self-Service Username field, enter the name of the Provisioner account.
4. In the Service Type field, select the required service type from the drop-down list. If you select Device option as Service Type, the "User account with provisioning rights must be successfully authenticated to create a device account" and Confirmation Template fields are enabled.
   • Use the "Redirect to this URL post successful authentication on clicking login URL" field to specify the URL to which the Guest User must be redirected after a successful authentication when the Guest User clicks the login URL.
5. In the Password, Confirm Password and Service Email fields, configure the Provisioner login credentials.
6. In the Onboarding Template field, select the required Onboarding Template from the drop-down list to set the access restrictions.
Self-Service Username: Configures the name of the Provisioner account that manages the Self-Service and is also used in the URL of the Self-Service. The length of the name can be 30 characters or less. Note: These fields should only contain letters, number, hyphen, and underscore.
Service Type: Configures basic properties of Self-Provisioning Service. The Registration Page does not exist until you specify the options.
Onboarding Template: Associates this Onboarding Template to the Self-Service Provisioner.
User account with provisioning rights must be successfully authenticated to create a device account: Select to provision a Device only after successful authentication of the Provisioner.
Confirmation Template: Specifies the confirmation message format and also contains the variables to display the Username and MAC address as part of the confirmation message.
QR Code Validity (in mins): Enter the time value in minutes to ensure the QR code is valid for that period. The maximum time limit that a valid QR code can be set is 1440 minutes. This field is applicable only for Zero Touch Guest Access.
Redirect to this URL post successful authentication on clicking login URL: Enter the URL to which the Guest User must be redirected after a successful authentication when the Guest User clicks the login URL.
Note: You can also edit by double-clicking the required Self-Service Provisioner account from the list. By default, the Self-Service Username field is disabled.
4. In the Edit Self-Service Provisioner screen, modify the fields required.
5. (Optional) Select Change Password to modify the Self-Service Provisioner’s password. You must specify New Password and Confirm New Password.
6. Click Save to save the configuration or click Cancel to cancel the changes.
Name: Description
Service Type: Modify the Service Type. The options are:
   • Guest User
   • Device
   • Zero Touch Guest Access
   The Device option enables the "User account with provisioning rights must be successfully authenticated to create a device account" and Confirmation Template fields. The Zero Touch Guest Access option enables the QR Code Validity (in mins) and "Redirect to this URL post successful authentication on clicking login URL" fields.
User account with provisioning rights must be successfully authenticated to create a device account: Select to provision a Device only after successful authentication of the Provisioner. This field is enabled, if the selected Service Type is Device only.
Confirmation Template: Modify the confirmation message, if required. This field is enabled, if the selected Service Type is Device only.
Redirect to this URL post successful authentication on clicking login URL: Enter the URL to which the Guest User must be redirected after a successful authentication when the Guest User clicks the login URL. This field is applicable only for Zero Touch Guest Access.

Viewing Self-Provisioning Services

The Self-Provisioning Services tab in Self-Services menu allows you to view and identify Self-Provisioning Services that you have created.
Managing Guest Users

This module is intended for Guest and IoT Manager Administrator to manage and carry out bulk Guest User operations. A Guest User account can be a permanent, temporary, or automatically expiring account with specific limited rights to use the network based on the associated Onboarding Template.

Accessing Guest Users

The Guest Users tab in the Guest Users menu allows you to view and manage all the users created by the Provisioner(s).
START_TIME = CURRENT_TIME
END_TIME = START_TIME + DURATION

Extend Expiration Example: Consider two Guest Users, User 1 valid for a duration of one month and User 2 valid for a duration of two months; both are expiring tomorrow and the current time is 02:00 P.M. When you select these two accounts and click Extend Expiration option, their expiry is extended as follows:
1. User 1 is extended as Start Time = 02:00 P.M. today and End Time = 02:00 P.M. today + 1 month.
2.
• Notification options have either SMS / Email or both enabled.
• Account is not locked / expired.
• Account cannot be of CSV or Voucher Type.
• Account must belong to an Onboarding Template with Randomly generated Password for Guest Accounts.
• Guest User account must not be in First login pending state.
7.
2. In the Guest User screen, click Show Filter to specify the search parameters and quickly find all similar records. The Filter Guest Users screen is displayed.
3. To retrieve specific Guest Users, do the following:
   1. For Guest Users added by the Provisioner:
      1. In the Specify Filter section, select Provisioner from the drop-down list.
      2. Enter the operation (Starts with, Equals, Not Equals, Contains, Ends With) and the name of the Provisioner.
      3. Click Apply Filter.
   4. For Guest Users based on Sponsor Response:
      1. In the Specify Filter section, select Sponsor Response and the required search values from the drop-down list.
         • Approved
         • Denied
         • Pending
         • Auto-Approved
         • Auto-Denied
         • Not Applicable
      2. Click Apply Filter. The list of all the Guest Users that have the selected Sponsor Response is displayed.
   5. For Guest Users activated in last X number hours:
      1.
click Delete to remove the guest account.
Note: Use Ctrl / Shift to select multiple records to delete.
7. Click Show Filter to specify the search parameters and quickly find all similar records. The filter is applied to all columns displayed in the list view. For more information, see Searching Specific Guest Users.
8. (Optional) Select the Guest User and click Print, to print the account summary.
Managing Devices

This module is intended for Guest and IoT Manager Administrator to carry out bulk operations on the Device records. A Device record can be a permanent, temporary, or automatically expiring record with specific limited rights to use the network based on the associated Onboarding Template.

Accessing Devices

The Devices tab in the Devices menu allows you to view and manage all the Device actions created by the Provisioner(s).
Then the account is modified to:

START_TIME = CURRENT_TIME
END_TIME = START_TIME + DURATION

Extend Expiration Example: Consider two Devices, Device 1 valid for a duration of one month and Device 2 valid for a duration of two months; both are expiring tomorrow and the current time is 02:00 P.M. When you select these two Devices and click Extend Expiration option, their expiry is extended as follows:
1. Device 1 is extended as Start Time = 02:00 P.M. today and End Time = 02:00 P.M.
Searching Specific Devices

Use this procedure to retrieve specific Device record summary based on the search parameters.

Procedure

1. In the navigation pane, click Devices > Devices tab. The Devices screen is displayed along with the Device details created by the Provisioner. By default, 25 Devices are displayed and you can extend up to 75 Devices.
2. In the Devices screen, click Show Filter to specify the search parameters and quickly find all similar records.
      2. Click Apply Filter. The list of all the selected Devices activated in the last X hours is displayed. Here, X represents the number of hours entered in the Hours field.
   4. For pending Devices list:
      1. In the Specify Filter section, select First Login Pending and Created Before and the required search conditions operator from the drop-down list.
      2. Enter the date in YYYY/MM/DD format or click the calendar icon to select a date.
      3.
Configuring Guests

Configuring Guest and Devices

This module is intended for Guest and IoT Manager Provisioner to create and manage Guest User and Device account(s). Your Provisioner account is part of one or more Onboarding Templates that establish rights, such as the maximum lifetime of accounts you create, and which “Single Membership” and “Multiple Memberships” Access groups you can provide to those accounts.
• Create guest accounts
• View and manage guest accounts
• Handle the account activation time for network access usage and the duration.
• Remove the guest accounts automatically after expiration.

Note: The assigned Onboarding Template needs to permit the Guest User management operations to the Provisioner.
3. In the Onboarding Template field, select the required Onboarding Template the Guest User is to be associated with from the drop-down list.
   The Guest User screen is displayed for Guest and Device type Onboarding Template.
   The Guest User screen is displayed for Voucher Type Onboarding Template.
   The Guest User screen is displayed for CSV Type Onboarding Template.
4. In the Guest User Info section, configure the account details as required.
5. In the Send Notification section, configure the notification conditions as required.
6. Click Save to save the configuration or click Cancel to cancel the changes. The Successful Guest Creation message is displayed along with Username and Password details if specified in the Onboarding Template.
Note: For CSV Type Onboarding Template, the Successful Guest Creation message is displayed along with Username and Password details. The Provisioner can copy these details to the clipboard in the supported browsers or print them.
The newly added user is displayed in the Guest User screen along with all the specified information, and Email / SMS notifications are sent to the user.
7. (Optional) Click Print to print the result of the operation. This is applicable only to Voucher and CSV type Onboarding Template. For Voucher, the options are as follows:
   • Select Default to print in the default grid view.
   • Select the Avery 5371 Business card Template to print in Avery business card template view.
The following checks are performed before the password is shared when one or more users are selected:
   • Notification options have either SMS / Email or both enabled
   • Account is not locked / expired
10. (Optional) To send the password and details to Guest Users, select the required user and click Resend Details.
enabled based on the associated Onboarding Template settings.

Name: Description
Onboarding Template: Specifies the list of Onboarding Templates that the Provisioner is a member of. The provisioner can add the Guest User to any one of the available Onboarding Templates.
Username: Generates Username for the created user's first name. Ensure that the first name entered does not have any spaces. The length of the name can be 30 characters or less.
Note: You can edit the Username and provide a unique name, if the Administrator has selected Generate Username with option while creating an Onboarding Template. User Name is auto-generated, if the Administrator has selected Random Generated Password option while creating an Onboarding Template.
Guest User Details File: Select Browse.. to select the *.csv file. The expected CSV file format must have at least one field entry. This is only applicable to CSV Type Onboarding Template. The default carrier Gateway/Provider is used for Mobile. For Example: First Name, Last Name, Email, Mobile.
Note: Any row in the CSV file that begins with character "#" will be ignored for processing. The maximum number of records that will be processed from the *.csv file is 5000.
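A check to run on a Guest User Details File before uploading it, applying the rules stated above (rows beginning with "#" are ignored, at most 5000 records are processed). This is an added example, not part of Guest and IoT Manager: the column order follows the First Name, Last Name, Email, Mobile example, the email shape and duplicate checks are assumptions added here, and the function and field names are hypothetical.

```python
import csv
import re

MAX_RECORDS = 5000       # guide: maximum number of records processed per file
COMMENT_PREFIX = "#"     # guide: rows beginning with "#" are ignored
# Assumed column order, taken from the guide's "For Example" line.
COLUMNS = ("first_name", "last_name", "email", "mobile")
# Loose shape test only; an assumption, not the product's own validation.
EMAIL_SHAPE = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")


def precheck_guest_csv(text):
    """Classify every row of the file and collect warnings before upload.

    Parses line by line, so quoted fields containing newlines are not
    supported (the four expected fields do not need them).
    """
    report = {"records": [], "comments": 0, "blank": 0,
              "over_limit": 0, "warnings": []}
    first_seen = {}                      # lower-cased email -> line number
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.startswith(COMMENT_PREFIX):
            report["comments"] += 1
            continue
        fields = [f.strip() for f in next(csv.reader([line]), [])]
        if not any(fields):              # no field entry at all on this row
            report["blank"] += 1
            continue
        if len(report["records"]) >= MAX_RECORDS:
            report["over_limit"] += 1    # beyond the 5000 that are processed
            continue
        if len(fields) > len(COLUMNS):
            report["warnings"].append((line_no, "more than four fields"))
        padded = fields + [""] * (len(COLUMNS) - len(fields))
        record = dict(zip(COLUMNS, padded))
        email = record["email"]
        if email and not EMAIL_SHAPE.match(email):
            report["warnings"].append((line_no, "email does not look valid"))
        elif email:
            key = email.lower()
            if key in first_seen:
                report["warnings"].append(
                    (line_no,
                     f"duplicate email, first seen on line {first_seen[key]}"))
            else:
                first_seen[key] = line_no
        report["records"].append(record)
    return report


# Constructed sample input, not real guest data.
SAMPLE = """\
# visitors for the Tuesday workshop
Ana,Lopez,ana@example.com,5550100
,,,
Bo,Chen,bo.example.com,5550101
Cy,Diaz,ANA@example.com,
"""

if __name__ == "__main__":
    result = precheck_guest_csv(SAMPLE)
    print(len(result["records"]), "records,", result["comments"], "comment rows,",
          result["blank"], "blank rows,", result["over_limit"], "over the limit")
    for line_no, message in result["warnings"]:
        print(f"line {line_no}: {message}")
```

A non-zero `over_limit` count means the file should be split before upload, since those guests would otherwise be left without accounts.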
Activate Account On: Configures the date and time at which the Guest User account is activated. The value in these fields defaults to the current date and time on the Guest and IoT Manager. You can also view the time zone that has been set to the current Onboarding Template.
- Activate On First Login
- Date: Enter the start date for activating Guest User account. The date should be in YYYY/MM/DD format.
- Time: Enter the time in hours and minutes based on a 12-hour setting.
Multiple Memberships Access Group: Configures the access to the Guest User. You can select multiple options.
Custom Fields: 1 to 6: Specifies the label values configured for Guest Users. For example, if the access has to be provided for a specific department, the Administrator defines which access groups are available for you.
Send Notification: Specifies the address / number that is required to share the account notification details. The application automatically sends the notification via Email or SMS to the Guest and / or others to provide the new guest account details. A notification message has the format of the Email / SMS template configured in the Onboarding Template of which the Guest User is a member.
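The CSV rules given in the Username and Guest User Details File descriptions above can be checked before a file is uploaded. The following Python pre-flight check is an added example, not part of Guest and IoT Manager or of this guide; the column order (taken from the guide's example line), the absence of a header row, the per-row reading of "at least one field entry", and the name preflight_guest_csv are assumptions.

```python
import csv

MAX_RECORDS = 5000         # guide: at most 5000 records are processed per file
MAX_FIRST_NAME_LEN = 30    # guide: first name must be 30 characters or less
# Assumed column order, taken from the guide's example line; no header row assumed.
COLUMNS = ("first_name", "last_name", "email", "mobile")

# Constructed sample input (not real guest data).
SAMPLE = "\n".join((
    "# visitors for the Monday workshop",
    "Alice,Ng,alice@example.com,15550100",
    "Mary Ann,Lee,maryann@example.com,",
    ",,,",
    "Bob",
    "A" * 31 + ",Long,long@example.com,",
))


def preflight_guest_csv(text):
    """Check guest CSV text against the rules stated in the guide.

    Returns (records, problems): records is a list of (line_no, row_dict) for
    rows that count toward the record limit; problems is a list of
    (line_no, message) for the Provisioner to fix before uploading.
    """
    records, problems = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#"):
            continue                      # guide: rows beginning with "#" are ignored
        if not line.strip():
            continue                      # assumption: blank lines carry no record
        fields = [f.strip() for f in next(csv.reader([line]))]
        if len(fields) > len(COLUMNS):
            # Assumption: anything beyond the four example columns is a mistake.
            problems.append((line_no, "more fields than the four expected columns"))
            continue
        fields += [""] * (len(COLUMNS) - len(fields))
        row = dict(zip(COLUMNS, fields))
        if not any(row.values()):
            # Assumption: "at least one field entry" is read as a per-row rule.
            problems.append((line_no, "row has no field entry"))
            continue
        first = row["first_name"]
        if any(ch.isspace() for ch in first):
            problems.append((line_no, "first name contains a space"))
        if len(first) > MAX_FIRST_NAME_LEN:
            problems.append((line_no, "first name longer than 30 characters"))
        records.append((line_no, row))
    if len(records) > MAX_RECORDS:
        first_dropped = records[MAX_RECORDS][0]
        problems.append((first_dropped, "record limit of 5000 exceeded from this line on"))
    return records, problems


if __name__ == "__main__":
    recs, probs = preflight_guest_csv(SAMPLE)
    print(f"{len(recs)} record(s) counted")
    for line_no, message in probs:
        print(f"line {line_no}: {message}")
```

Line numbers in the report refer to the original file, including comment rows, so a Provisioner can go straight to the offending row.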
Different types of Guest User accounts created based on the validity are:
- Permanent
- Temporary - Time Based
- Temporary - First Login
Modifying Guest User Account
Use this procedure to modify Guest User accounts.
Procedure
1. In the navigation pane, click Guest Users > Guest Users tab. The Guest User screen is displayed with the list of Guest User accounts created by the Provisioner.
2. Select the required user account to be modified and click Edit.
3. Modify the duration period in the Duration field or modify the Activate Account On field to change the validity period to the desired time frame.
7. (Optional) To remove Guest User account(s), select the required user account(s) and select Delete > Delete Selected to remove only the Guest User accounts you selected, or Delete > Delete All to remove all Guest User accounts. Tip: Use Ctrl / Shift to select multiple records to delete.
4. To search the Guest Users:
- Select All Guest Users to view all the Guest Users.
- Select Specify Filter to define additional fields by which you can filter the list of Guest Users.
5. Click Apply Filter. The corresponding records are displayed in the Guest User screen table.
In the Guest User screen, select the required Guest User and scroll to the left to view the permanent access user accounts. The End Time Guest User attributes column status is displayed as blank (–).
Configuring Devices
Extend Expiration Example: Consider two Guest Users: User 1 is valid for a duration of one month and User 2 is valid for a duration of two months. Both are expiring tomorrow and the current time is 02:00 P.M. When you select these two accounts and click the Extend Expiration option, their expiry is extended as follows:
1. User 1 is extended as Start Time = 02:00 P.M. today and End Time = 02:00 P.M. today + 1 month.
2. User 2 is extended as Start Time = 02:00 P.M. today and End Time = 02:00 P.M.
Procedure
1. In the navigation pane, click Devices > Devices tab. The Devices screen is displayed.
2. In the Devices screen, click Add to create a new Device record. The New Device screen is displayed.
3. In the Onboarding Template field, select the required Onboarding Template the Guest User is to be associated with from the drop-down list. The Guest User screen is displayed for Guest and Device type Onboarding Template.
4. In the Onboarding Template field, select the required Onboarding Template the Device is to be associated with from the drop-down list.
5. In the Device Info section, configure the Device details as required.
6. Click Save to save the configuration or click Cancel to cancel the changes. The newly added Device record is displayed in the Devices screen along with all the specified information. For CSV creation, the Result dialog is displayed.
7. (Optional) Click Print to print the result of the operation in the default grid view. This is applicable only to CSV type Onboarding Template.
8. (Optional) Select the required Device record(s) and click Extend Expiration to extend the validity duration of the Device record(s). The validity is extended based on the duration specified during the creation. For more information, see Extending Expiry of a Device.
9.
Use the paging control at the bottom of the list to move forward or backward by one page, or to the first or last page of the list. You can control the number of records displayed per page and also click an individual page number to navigate to that page. Click the Refresh icon to refresh the view.
Field Descriptions
Use the data in the following table to use the New Device screen. The fields are enabled based on the associated Onboarding Template settings.
Device Type: Specifies the list of Device types available for the selected Device type group.
Records Enabled: Select to enable the record. If you do not select this option, the Device is disabled.
Delete on Expire: Deletes the Devices from the Access Control Engine. Select this option to automatically remove expired Device records. If you do not select this option, you need to manually remove the Device records after they expire.
Activate on First Login: Specifies that the guest account will be valid only after the first login. Note: This field is available only if the Administrator has selected the First Login option in the Account Validity Period section while creating an Onboarding Template and the Provisioner selects the same Onboarding Template from the Onboarding Template drop-down list during Device record creation. The Activate Account On option is replaced by the Activate on First Login: Yes option.
1. In the navigation pane, click Devices > Devices tab. The Devices screen is displayed with the list of Device records created by the Provisioner.
2. Select the required Device record to be modified and click Edit. You can also edit by double-clicking the required Device record in the list. The Onboarding Template field is editable only while creating a Device.
3. In the Device Info section, modify the required fields.
4.
1. In the navigation pane, click Devices > Devices tab. The Devices screen is displayed with the list of Devices created by the Provisioner.
2. Select the Show drop-down list to filter the devices in the table to display only those devices added by a specific Provisioner, or the Onboarding Template drop-down list to filter the devices in the table to display only those devices added through a specific Onboarding Template.
3.
Specify Filter: Simplifies the search parameters to quickly find the selected search criterion that includes specified parameters. Additionally, you need to enter the operator conditions to match the selected search criteria to obtain precise search results of the selected Onboarding Template.
example, you can search for multiple values when using the equal (=) or not equal (!=) operators.
Extending Expiry of a Device
Use this procedure to extend the duration of expired Device(s) by “X” days at one go.
Procedure
1. In the navigation pane, click Devices > Devices tab. The Devices screen is displayed with the list of Devices provisioned.
2. Select the required Device record(s) and click Extend Expiration to extend the validity duration of the Device record(s).
Provisioners can also use the Extend Expiration option to extend the duration of expiry for expired Device(s). Expiry of First Login Pending and Permanent Device accounts cannot be extended.
Managing Sponsor Actions
The Sponsor tab in the Sponsor menu allows a Sponsor to manage guest accounts that require the Sponsor's attention. A Sponsor can either be an internal Provisioner or a Provisioner belonging to a Sponsor LDAP.
Provisioner is a Sponsor. You can also click the column headers to sort the list view by that column. Click the column header a second time to reverse the direction of the sort.
2. Select the required user and click View to view the selected user information. The Guest User Info screen is displayed.
The view functionality is available only if the following conditions are met:
- A valid Email ID is present for the Sponsor.
- LDAP Sponsor Username must be mentioned along with the complete domain. Though Guest and IoT Manager-LDAP authentication is not case sensitive, the Sponsor view functionality is case sensitive. For example, if the Provisioner Username in LDAP is <> and the domain is test.
current time is 02:00 P.M. When you select these two accounts and click the Extend Expiration option, their expiry is extended as follows:
1. User 1 is extended as Start Time = 02:00 P.M. today and End Time = 02:00 P.M. today + 1 month.
2. User 2 is extended as Start Time = 02:00 P.M. today and End Time = 02:00 P.M. today + 2 months.
Note: Expiry of First Login Pending and Permanent Guest User accounts cannot be extended.
6. Select the required user and click Send Email.
Registering a New Guest User
Using Self-Provisioning Services
This chapter is intended for Guest Users to understand the Self-Provisioning Services functionality, which offers guests the ability to create an account or register their devices. The available service types are:
- Guest User: A Self-Provisioning Service that allows users to self-register to create their own accounts.
- Devices: A Self-Provisioning Service that allows users to register a Device.
and the credentials are shared with the user via email / SMS or displayed. If the associated Onboarding Template has settings that require Sponsor approval, then the Request Approval option is displayed. The Sponsor must approve for the account to be activated.
4. (Optional) Click Clear to clear the configuration.
5. (Optional) To resend the password to the Guest User, enter the username in the Username field and click Resend Password.
6.
4. (Optional) To resend the password to Guest Users, select the required user and click Resend Password.
5. (Optional) To resend the password and details to Guest Users, select the required user and click Resend Details.
When Guest Users are selected to resend the Password or User Details, the application validates the following prior to resending the Password or User Details.
- Fixed Sponsor: In this scenario, the sponsor is defined by the administrator and the user need not specify the Sponsor details.
- LDAP Sponsor: In this scenario, the sponsor is defined by the associated LDAP group, where the user can search and select from the list of the available sponsors.
Registering New Devices
Use this procedure to create a new Device using the Self-Provisioning Services.
Using Self-Service for Zero Touch Guest Access
1. The Guest User scans the QR code. An SMS is triggered after the scan is complete and is sent to the service provider (Twilio). Note: Ensure that the Two-way SMS configuration is done properly. For more information, see Two-Way SMS Provider.
2. The service provider sends the SMS to GIM and GIM creates a Guest User account.
3.
Installing Guest and IoT Manager Add-In
This section provides information on how to install the Add-in for Outlook that works with Windows and Macintosh computers (Outlook 2016 for Windows and Mac) and on how to provision guest access using the installed Add-in.
Installing Guest and IoT Manager Add-In
Use this procedure to install the Guest and IoT Manager Add-In for Outlook 2016 for Windows and Mac, which helps in automating tasks when you view or create meetings.
The ADD-INS screen is displayed. In the ADD-INS screen, you can install the add-in from the local drive, or the Administrator can side-load this add-in to all the Provisioner(s).
4. To install the add-in from the local drive, do the following:
1. In the ADD-INS screen, click My add-ins > + Add a custom add-in > Add from file… to import the add-in manifest file.
2. Select Browse and navigate to the location of the add-in manifest file that you want to install.
3.
4. Click Install. The added add-in is displayed in the Custom add-ins section of the ADD-INS screen.
5. To side-load the add-in to the Provisioner(s) as an Administrator, use Exchange Administration Center (EAC). Side-loading add-ins requires at minimum the My Custom Apps role for your Exchange Server. For more information, see Install an Add-In for Outlook.
GIM Add-In
Note: The added add-in is activated only when the Provisioner(s) wants to raise a meeting request.
Provisioning Guest Access
Use this procedure to provision Guest Users while scheduling the meeting.
Procedure
1. Start the Outlook application.
2. In the Meeting mode, select the Guest Access add-in. If you do not see the Guest Access add-in, you need to install it.
3. Click Guest Access. The task pane displays the Guest and IoT Manager Provisioner login page.
4. Log in to the application using Provisioner credentials. The Guest User Provisioning screen is displayed on successful authentication if the Provisioner is part of at least one Onboarding Template of type Outlook.
Ensure that the Guest and IoT Manager Application is connected to the Access Control Engine to authenticate. All the fields that are mandatory in the provisioner's application are highlighted with a red ‘*’ added to the field label.
5. From the drop-down list, select the required Onboarding Template to which the users in the meeting need to be associated.
6. Select the required Access Groups. The Single and Multiple Memberships Access Groups are available based on the Onboarding Template configuration.
7. (Optional) Select the Activate prior to meeting (mins) or Remain activated after meeting (mins) and enter the minutes to add a buffer time between the scheduled guest access. The maximum buffer time is 30 minutes. The Guest Users obtain the access duration equal to scheduled duration along with buffer / padding duration.
- If the Administrator has excluded a domain during Guest User Onboarding Template creation, then the Guest User account is not created for any emails available in that specific domain.
- Ensure that you always expand the distribution list.
- You need to click Submit in the add-in once again, if there are any changes in the recipient list or meeting duration.
Procedure
1. The User scans the QR code and the scanned QR code triggers an SMS to Guest and IoT Manager.
2. The Guest and IoT Manager application validates the SMS.
3. The Guest and IoT Manager application then creates a Guest User account number with the Username.
4. The Response is then sent to the Guest User with the account details along with the login URL.
5. Once the Guest User connects to the Wifi-SSID, the Guest User gets the IP address from DHCP.
6. The client’s MAC address and IP address get updated in the Extreme Cloud Application (XCA) and the details get auto-populated in the XMC’s end system table.
8. On clicking the Login URL that contains the encrypted details of the Guest User, the details are validated by a RADIUS request to NAC.
9. After the successful authentication, the end system details are fetched from the XMC's end system data.
10. The Guest and IoT Manager application associates the Guest User with the corresponding end system and forces the reauthentication of the device that is enforced through XCA.
11.
Troubleshooting and FAQs
This chapter describes the basic concepts and general troubleshooting guidelines for problems that may occur when configuring and using the Guest and IoT Manager Application. The solutions to common questions help you troubleshoot queries when you encounter errors.
Testing RADIUS Connection Settings
Use this procedure to test the RADIUS setup.
Procedure
1. Create a Provisioner. For more information, see Creating an Internal Provisioner.
2.
Problem: Saving Access Control Engine Settings
Guest and IoT Manager URL is not Accessible
1. Log in to the Guest and IoT Manager Virtual Appliance as Administrator.
2. From the CLI, enter the command tomcat restart.
Guest and IoT Manager HTTPS is not using the Custom Certificate
If the Guest and IoT Manager HTTPS connection is not using the associated certificate and key after you uploaded the custom certificate and associated it with tomcat, do the following:
1.
Problem: User Groups / End System Group Not Visible in Guest and IoT Manager
Problem
Newly created User Groups / End System Groups created in Extreme Management Center are not visible in the Access Group tab of the Onboarding Template module.
Solution
1. Only User Groups of type Username and End System Groups of type MAC are visible in the Guest and IoT Manager.
2.
Problem: Provisioner Cannot Login
Provisioner login fails with an error stating Server error please contact administrator.
Solution
1. If Access Control Engine or Extreme Management Center is not reachable, ensure that Access Control Engine and Extreme Management Center are up and reachable.
2. If Guest and IoT Manager is not configured in the Engine Group, add the Guest and IoT Manager IP address and RADIUS shared secret in Engine details on Extreme Management Center.
3.
Problem: Guest and IoT Manager Email / SMS Notification Failed
4. If, for an LDAP Provisioner, the AAA rule does not have LDAP authentication selected as the authentication type in the AAA configuration, ensure that LDAP authentication is selected and the required LDAP details are provided.
Problem
If fall through is enabled in the AAA configuration and both Local Authentication and LDAP Authentication are enabled, then the fall through does not work as expected and the second rule is not evaluated.
Problem: Unable to Access Guest and IoT Manager Application URL
Problem
When the admin interface IP address is updated manually through a CLI command, the Guest and IoT Manager URL is not reachable.
Solution
Verify the route settings and make appropriate changes if needed. For more information, see route.
Problem: User and Device Troubleshooting
Problem
Newly created Guest Users / Devices from Guest and IoT Manager are not authenticated.
3. Ensure that the start time is not in the future.
Problem
Expired Guest User / Device record is not available in Guest and IoT Manager.
Solution
Ensure that the Delete on Expiry option is unchecked while creating the new Guest User / Device.
Problem: Sponsor List is Not Available
Problem
The Sponsor list is not available error is seen when logging in to the self-service URL.
Problem: Outlook Add-in Issues
Problem
Changes to the meeting invite, either invitees or meeting time, are not reflected in the Guest User records.
Solution
Click Submit after making the changes and before clicking Send Update in the meeting invite.
Problem
The Outlook Add-in icon disappears from Outlook.
Solution
Restarting the Outlook application resolves this issue.
Solution
1. Log in to the GIM console and check the time zone using the show timezone command. By default, the time zone setting for GIM is GMT.
2. Change the time zone using the timezone command in the console.
Problem: Users/Devices are not getting cleaned up for Housekeeping Tasks
Problem
The Housekeeping task is used to delete Guest Users/Devices that have their first login pending.
Problem: Unable to Access GIM UI
Problem
Unable to access the GIM UI after disabling and then enabling the interface, after a restore operation, or after a reboot.
Solution
Some routes are deleted when the GIM interfaces are disabled or when the GIM VM is rebooted. Check whether the added routes were deleted after disabling the interface or after rebooting. If some routes are disabled, add the routes manually and restart tomcat.
Problem: LDAP Sponsors are not populating in the Self-Service Page
- If the LDAP Group to which the Provisioner belongs is specified in one or more of the Onboarding Templates in the Associated LDAP Groups section, then you must specify the LDAP group and not the User search root as previously specified in 8.2.x.
The error is more frequent if there are multiple GIMs associated with a NAC and all of them are bulk creating Guest User / Device records.
Problem: Unable to Renew Password
Problem
The Guest User Renew Password fails.
Solution
- The reason for the failure is stated on the result dialog of the operation.
- Ensure reachability of Service-B out of the corporate firewall.
- Strict-SSL configuration should be turned OFF or ON in the Twilio Configuration page as per the scenario.
Problem: Login URL redirects to Captive Portal
Problem
On clicking the Login URL, the URL gets redirected to the NAC Captive Portal.
Solution
- Ensure that the HTTPS traffic to the GIM IP is enabled for the Unregistered Profile of the EndSystem.
Problem: “Server Error. Please contact Administrator” Error message on clicking Login URL
Problem
Guest User Auto Login fails with the error message “Server Error. Please contact Administrator.”
Solution
- Ensure connectivity of NAC and XMC from GIM.
- Make sure that the MAC Address and IP Address of the Client device are getting populated in the End-System table of XMC when it gets connected to the AP.
FQDN is not being used in URLs sent in Sponsor emails / messages and the UI checkbox is checked.
Solution
Ensure that the Hostname and Domain name are configured in the CLI. You can use the show interface CLI to check if the hostname is configured on the interface. (FQDN is derived from the hostname + domain name.)
Problem: Unable to Customize Provisioner Login page
Problem
The changes are not reflected in the Provisioner Login Page.
Problem: “Login failed. Invalid credentials/Account Expired” message on clicking Login URL
Problem
Guest User Auto Login fails with the error message “Login failed. Invalid credentials/Account Expired” and no network access.
Solution
- Ensure the Login URL is not corrupted.
- Ensure the Guest User account is not expired/disabled.
certificate
Command Line Interface
This chapter describes the Command Line Interface (CLI) used in the Guest and IoT Manager Application to operate the system and to perform specific tasks required by the Administrator. The Guest and IoT Manager CLI provides a limited set of administrative actions that you can perform on the Application. The CLI has a default timeout of 5 minutes. The following section summarizes the CLI commands available on Guest and IoT Manager.
clear
The clear command clears the terminal screen.
Syntax
clear
Example
dns
The dns command configures the DNS settings.
Syntax
dns server primary NNN.NNN.NNN.NNN
dns server secondary NNN.NNN.NNN.NNN
dns server
Example
exit
The exit command closes the current active session and logs out of the console.
Syntax
exit
halt
The halt command ends the running system and powers off the Guest and IoT Manager virtual machine.
Syntax
halt
help
The help command displays the list of Guest and IoT Manager CLI commands.
Example
interface
The interface command configures the interface settings. Important: You must enter an httpd restart command after you configure the interface settings.
Syntax
interface <[enable|disable|stats]|[ipaddr
Example
interface hostname
The Interface CLI has been modified to accept a hostname for the Admin, ServiceA and ServiceB interfaces. It takes only the hostname as the input, not the complete FQDN. The FQDN is derived from the hostname and domain name.
Syntax
Interface hostname
Example
To assign a hostname to the ServiceA interface, enter interface ServiceA hostname serviceahostname.
reboot
ping a device, the switch sends an Internet Control Message Protocol (ICMP) packet to the target device. If the device receives the packet, it sends a ping reply. After the switch receives the reply, a message is displayed that indicates traffic can reach the specified IP address. If the switch does not receive a reply, the message indicates the address is not responding.
Syntax
ping ping [ttl [ count ]]
route
The route command adds static routes to the system.
Syntax
route add|delete <[prefix|netmask] []
Example
show certificates
The show certificates command shows information about the certificates and keys in the certificate/key database. The command displays the name of the certificate, whether deleting the certificate is allowed (you cannot delete the factory / default certificate), and whether the item in the database is a key or a certificate.
Example
show dns
The show dns command displays the current DNS settings, including the search domain, and the primary and secondary DNS server settings.
show dns
Example
show interface
The show interface command displays interface information for a specific port or ports. If you do not provide a port, all of the ports in the operating system are shown. Separate the ports with white space or commas.
Syntax
show interface [port[,port]...
Example
show route
The show route command displays the operating system routing table in the same format as the RedHat Linux operating system at the Unix shell.
Syntax
show route
Example
show timezone
The show timezone command displays the current timezone of the Guest and IoT Manager Virtual Machine.
Syntax
show timezone
Example
sshd
The sshd command lets you enable or disable the sshd service.
Syntax
sshd
Important: In this Release, only sshd enable and sshd disable are supported. The optional interface and port parameters will be supported in a future release.
Example
timezone
The timezone command lets you set up the timezone of the Guest and IoT Manager Virtual Machine.
Example
tomcat
The tomcat command lets you start, stop, restart, or view the status of the Tomcat service that is hosting the Guest and IoT Manager web application.
Syntax
tomcat
To restart the Tomcat service, enter tomcat restart.
user
The user command is used to enable / disable the root and debug users.