Add User Groups

Add either a cloud-hosted or device-hosted user group. Configure a private client group.

About User Groups

Administrators and operators can configure ExtremeCloud IQ user groups with limited access privileges for VIPs and non-employees such as guests, visitors, and contractors who request network access. You can create user groups for a selected network policy or for all network policies.

You can view, add, sort, select, modify, and delete user groups and user accounts (see "User Groups" and "Users"). However, once a user group has been configured, you can only modify the name and description. This prevents issues with creating passwords. To modify other settings, you must create a new user group.

Add a New User Group

Navigate to Configure > Users > User Management > User Groups, select Add and complete the fields in the New User Group window. You can also add a new user group inside the wireless network policy when you are configuring an SSID.

  • User Group Name: Enter a name for this user group containing up to 32 characters without spaces.
  • Password DB Location: Select Cloud when you want the password database to reside in the cloud. Select Local when you want the login credentials to be stored on all APs using this SSID. You must select Local when you are creating a private client group in this user group (see "Classification Rules Overview").

When you configure a user group for an Enterprise 802.1X SSID, the password database always resides in the cloud. For a user group for a RADIUS server, the password database resides on all local APs. For a user group for a Private Pre-Shared Key SSID, the password database can reside in the cloud or on all SSID APs. For a user group for a private client group, the password database resides on all local APs.

Configure a Cloud User Group

If you selected Cloud, complete the following:

Configure password settings:

Password Type: Select PPSK (Private Pre-Shared Key) or RADIUS.

Description: Enter an optional description for this user group.

Enable CWP Register: Select this check box to require users in this user group to log in using a captive web portal. (Only available if a captive web portal is enabled.)

Generate Password Using: Select any combination of characters that you want to include in the password (Letters, Numbers, and Special Characters).
You can then enforce password complexity by choosing All selected character types, Any selected character types, or Only one character type from the drop-down list.

PSK Generation Method: Choose Password Only or User String Password. The User String Password option lets you include the user name and a string of characters in front of the generated Private PSKs.

Generate Password Length: Enter the length of automatically-generated passwords for this user group. The default length is 10 characters.
If the password generation method is Password Only, then the PPSK password can be between eight and 63 characters. If the generation method is User + String + Password, then the maximum passphrase for the Private PSK can be between eight and 31 characters.

Concatenating String: This field appears if you selected User String Password above. Enter a character string from 0 to eight alphanumeric characters. This string is used to generate Private PSKs as 'User name + Character String + Password'. For example, if you enter 'Extreme', as the string, then the generated Private PSKs are <User name>Extreme<Password>.

Configure expiration settings:

Require Authentication After: To enforce re-authentication after a session has been inactive for a period of time, select this check box and enter a time in the minutes field. The default is 30 minutes.

Account Expiration: Select an option from the drop-down list, either Never Expire, Valid During Dates, Valid For Time Period, or Daily. Complete any fields that ExtremeCloud IQ displays based on your selection. These fields describe the time frame during which the account is valid.

Action at Expiration: (Not available for accounts that are set to never expire.)
Select Access Rejected to have ExtremeCloud IQ block users from renewing their credentials.
Select Show Expiration Message to have ExtremeCloud IQ send users an on-screen prompt that they can use to renew their credentials.

Configure a delivery method

Deliver Access Key by: Select the notification delivery method for members of this user group. You can select Text Messages (SMS), or Email, or both. A standard template is applied by default for either method.

Select Add Users to see the Add new users to this User Group section. The table includes the number of users assigned to this user group , showing their name, user name, and organization.

Add users:

Select Add Users and then select Add. In the Add User dialog box, enter or select the following:

Name: Enter the user's name. This name appears in any messages sent to the email address in the Deliver Password section. The email messages, which contain login credentials and wireless connection instructions, begins with "Welcome <this_name>". When you choose Name in the User Name drop-down list, this field is required. Otherwise, it is optional and if left empty, whatever you define as the user name—email address, phone number, or other—is used in the email message. The name can be up to 32 characters including spaces.

Organization: Enter the name of an organization for this user. For permanent users, leave this empty.

Purpose of Visit: Enter the purpose of the user's visit. For permanent users, leave this empty.

Email Address: Enter the user's email address. This is only required if you choose Email Address in the User Name drop-down list. The email address can be up to 128 characters.

Phone Number: Enter the user's mobile phone number, including international dialing code. This is only required if you choose Phone Number from the User Name drop-down list.

User Name: Choose one of four identifiers from the drop-down list: Email Address (default), Name, Phone Number, or Other. If you select Other, you must enter another type of user identifier, such as Jane's iPhone, Guest, or <organization_name> in the additional field that appears.

Password: Either enter a password for this user. The password must conform to the password rules configured in the associated user group (see "Add User Groups").

  • Only administrators can view and change passwords. Other ExtremeCloud IQ admin roles will not see or be able to edit this parameter. (See "Admin Accounts" for a complete description of Administrator, Operator, Monitor, Help Desk, Guest Management, and Observer roles.)

Description: Enter an optional description of this user.

Deliver Password/Email Address: Select and enter an email address to receive the user credentials when you select Image of the Email icon for this user in the Delivery column in the Users window. The address can be up to 128 characters. This field is auto-populated if you have already entered an email address above. This option only appears if you previously selected Email in the Delivery Settings section in the user group configuration.

Select Done.

Create users in bulk:

Select Add Users and Bulk Create. In the Bulk Create Users dialog box, enter or select the following:

Username Prefix: Enter a prefix for these users' names, up to 28 characters long. The bulk-created user names will have this prefix added in front of the digits for each user, starting with 1. For instance, if the user name prefix is "1250", then the first bulk-created user is "12501", the second user is "12502", and so on.

Number of Accounts: Enter the number of users to add, between 1 and 1000.

Email User Account info to: Enter an email address, up to 128 characters, to receive the user credentials.

Select Done to save your changes, create the requested user accounts, and email the bulk-created login credentials to the saved email address in CSV file format. The CSV file contains SSID, user ID, user name, user group, access key, and expiration date for each bulk-created user.

In the Users window you can see the added user account information (see "Users").

Configure a Local User Group

If you selected Local, complete the following:

Password Type: Select PPSK (Private Pre-Shared Key) or RADIUS. You must select PPSK when you are creating a private client group in this user group.

Description: Enter an optional description for this user group.

Because you can set per-user PPSK limits for different users in the same wireless network (SSID, you no longer need to configure an SSID for each user group (for instance, with three devices per employee). Multiple per-user PPSK limits can be set in the same wireless network (SSID).

Set the maximum number of clients per private PSK: Select the check box to set per-user PPSK limits for different users in the same wireless network (SSID). By default this is not selected. Enter the maximum number of clients. The range is 0-15, 0 = no limit, the default is 0.

PCG Use: Enable use for Private Client Group: (Default = deselected.) Select the check box when you are creating a private client group (PCG) in this user group. See "Classification Rules Overview" for more information. By default this is not selected.
Select one of the following PCG operating modes:

AP-Based: An AP-based PCG uses unique user and shared keys. This mode supports common shared devices within personal network spaces. It also requires room assignments for AP anchoring and traffic tunneling.

Key-Based: A key-based PCG requires that one password be used by the entire group of devices. Key-based PCGs do not need room assignments, and no traffic tunneling is used on anchor APs.

Both: Supports both AP-based and key-based modes. This is the default.

  • Each network policy can have only one AP-based PCG wireless network (SSID), one key-based PCG SSID, and any number of non-PCG SSIDs. See "Configure a Standard Wireless Network" for instructions on assigning PCG options to a wireless network (SSID).
  • Once you select the PCG operating mode, you cannot change your selection, because the different modes create non-transferrable passwords.

Configure password settings:

Generate Password Using: Select any combination of characters to use for the password: (Letters, Numbers, and Special Characters). To enforce password complexity, select All selected character types, Any selected character types, or Only one character type from the drop-down list.

PSK Generation Method: Select Password Only or User String Password. The User String Password option lets you include a string of characters in the generated Private PSKs.

Generate Password Length: Enter the length of automatically-generated passwords for this user group. If the generation method is Password Only, then the PPSK password can be between eight and 63 characters. If the generation method is User + String + Password, then the maximum passphrase for the Private PSK can be between eight and 31 characters. The default is 10 characters.

Concatenating String: You see this field if you selected User String Password above. Enter a character string from 0 to eight alphanumeric characters. This string will be used to generate Private PSKs in the form 'User name + Character String + Password'. For example, if you enter 'Extreme', then the generated Private PSKs are <user name>Extreme<Password>.

Configure expiration settings:

Require Authentication After: To force re-authentication after a session has been inactive for a period of time, select this check box and enter a time in the minutes field. The default is 30 minutes.

Account Expiration: Select Never Expire or Valid During Dates from the drop-down list. If you select Valid During Dates, complete the displayed fields, which define the time frame during which the account is valid.

Action at Expiration: (Not available for accounts that are set to never expire.)
Select Access Rejected to block users from renewing their credentials.
Select Show Expiration Message to send users an on-screen prompt that they can use to renew their credentials.

Configure delivery settings:

Deliver Access Key by: Select Text Messages (SMS), or Email, or both to define the notification method for this user group. A standard template is applied by default for either method. Select Save.

View users:

Select Add Users. The table that appears shows the users assigned to this user group by Name, User Name, and Organization.

Add Users:

Select Add Users. Select Add to display the Add User dialog box. Enter or select the following:

Name: Enter the user's name. This name appears in all messages sent to the email address in the Deliver Password section. The email messages, which contain login credentials and wireless connection instructions, begin with "Welcome <this_name>". When you select Name in the User Name drop-down list, this field is required. Otherwise, it is optional and if left empty, whatever you define as the user name—email address, phone number, or other—is used in the email message. The name can contain up to 32 characters including spaces.

Organization: Enter the name of an organization for this user. For permanent users, leave this empty.

Purpose of Visit: Enter the purpose of the user's visit. For permanent users, leave this empty.

Email Address: Enter the user's email address. This is only required if you choose Email Address in the User Name drop-down list. The email address can contain up to 128 characters.

Phone Number: Enter the user's mobile phone number, including international dialing code. This is only required if you choose Phone Number from the User Name drop-down list.

User Name: Select one of four identifiers from the drop-down list: Email Address (default), Name, Phone Number, or Other. If you selected Other, you must enter another type of user identifier, such as Jane's iPhone, Guest, or <organization_name> in the additional field.

Password: Enter a password for this user. The password must conform to the password rules configured in the associated user group (see "Add User Groups").

  • Only administrators can view and change passwords. Other admin roles will not see or be able to edit this parameter. (See "Admin Accounts" for a complete description of the types of admin accounts.)

Description: Enter an optional description of this user.

Deliver Password/Email Address: Select and enter an email address to receive the user credentials when you select Image of the Email icon for this user in the Delivery column in the Users window. The address can contain up to 128 characters. This field is auto-populated if you have already entered an email address above. This option only appears if you previously selected Email in the Delivery Settings section in the user group configuration.

Select Done.

Create Users in Bulk

Select Add Users and then select Bulk Create.

In the Bulk Create Users dialog box, enter or select the following:

Username Prefix: Enter a prefix for these users' names, containing up to 28 characters. Bulk-created user names will have this prefix added in front of the digits for each user, starting with 1. For instance, if the user name prefix is "1250", then the first bulk-created user is "12501", the second user is "12502", and so on.

Number of Accounts: Enter the number of users to add, between 1 and 1000.

Email User Account info to: Enter an email address, containing up to 128 characters, to receive the user credentials.

Select Done. This saves your changes, creates the requested user accounts, and emails the bulk-created login credentials to the saved email addresses in CSV file format. The CSV file contains the SSID, user ID, user name, user group, access key, and expiration date for each bulk-created user. The Users window now displays the added user account information (see "Users").