Hierarchical ExtremeCloud IQ Configuration Guide
Learn about Extreme NetworksHierarchical ExtremeCloud IQ in this topic. Learn about the Hierarchical ExtremeCloud IQ admin and the organization operators in this topic.
Hierarchical ExtremeCloud IQ allows Extreme Networks channel partners to provide fully-managed enterprise-level wired and wireless services from a single ExtremeCloud IQ instance. These services can be MaaS (management as a service) and WaaS (wireless as a service) for their customers, as required.
Hierarchical ExtremeCloud IQ supports grouped devices and policies, which offers the most flexible management and entitlement capabilities in the market.
The administrator can create separate fully-managed organizations within Hierarchical ExtremeCloud IQ, and can create new accounts using role-based-access-control for new organization admins. (See "Admin Accounts" for more information on role-based access control.)
Because administrators have access to global- and organization-level accounts, Hierarchical ExtremeCloud IQ also allows them to manage entitlement keys, add devices, deploy network policies, and monitor the health status of deployed networks for every organizational-level network they manage.
In addition to global access to customer accounts, a WaaS provider can easily reassign and move devices between organizations. This feature can help with inventory management tasks. The reporting feature allows administrators to generate and share different reports, including a usage report that summarizes information about deployed devices by organization.
Also, using the organization filter feature, an administrator can view aggregated information presented on the Dashboard window for one or more organizations.
An admin can access the accounts and networks of all their direct customers' organizations. In contrast, an organization admin can only access and manage devices in his or her own organization. The admin has full read-write access to his or her local organization and to all other organizations, and can also move devices between Modifying and Removing an Organization
ExtremeCloud IQ organizes the two types of admin accounts as follows:
- An organization admin of a specific organization belongs to only that organization.
- No organization admin can belong to more than one organization.
- An admin can add and delete organization admins, and can suspend or delete any organization.
About Organization Administrator Management
The organization admin can only access and manage devices in his or her own organization, while a Hierarchical ExtremeCloud IQ admin can access the accounts and networks of all their direct customers' organizations. In addition, the organization admin has the role-based capabilities and limitations as assigned by Hierarchical ExtremeCloud IQ. For instance, if the Hierarchical ExtremeCloud IQ admin has defined the role as observer (see "Admin Accounts" for more about roles), the organization admin can only view the status of the organization. Conversely, if the organization admin has been assigned the operator role, has almost all the same access rights as the Hierarchical ExtremeCloud IQ admin, except for the ability to manage accounts and licensing.
Each organization admin operates Hierarchical ExtremeCloud IQ the same way as any other ExtremeCloud IQ admin.
To enable Hierarchical ExtremeCloud IQ, you must contact Extreme Networks.
- Enabling Hierarchical ExtremeCloud IQ is a permanent action and cannot be undone. Enabling it also deletes all existing ExtremeCloud IQ backups.
After Extreme Networks has enabled Hierarchical ExtremeCloud IQ, you can use your original credentials to log you in as the Hierarchical ExtremeCloud IQ admin.
When you have logged in, you can see the normal ExtremeCloud IQ interface with the addition of a globe icon in the top menu, by which you can access organization information.
- All Hierarchical ExtremeCloud IQ and organization administrators can see the organization indicator box, but only the Hierarchical ExtremeCloud IQ administrator can see the globe icon.
Adding an Organization
To add a new organization, navigate to Admin > (admin_name/company) > Global Settings > Organizations window.
On the Organizations window, select Add, and ExtremeCloud IQ displays the add new organization window.
On the add new organization window, add a new organization name, and select a color for the organization.
Select Add. The new organization is displayed on the Organizations window.
Modifying an Organization Name and Color
To change an organization name or color, navigate to Admin > admin_name > Global Settings > Organizations.
On the Organizations window, select the check box next to the organization name that you are changing, and then select Modify. Add or modify an admin account, change the organization name, and the organization color.
Adding an Admin to and Removing an Admin from an Organization
After you have created a new organization, you must add one or more administrators for the organization. Each organization admin can be assigned to only one organization, but multiple administrators can be added to each organization.
Navigate to Admin > admin name > Global Settings > Account Management.
On the Admin Accounts window, select the check box next to an unassigned admin account that you want to add, and then select Modify.
- Admin accounts must exist before they can be assigned to an organization.
On the Edit User window, make sure that the following parameters are entered or selected:
- Email Address: The email address assigned to the account. You must enter an email address that is not already in use. That is, it cannot be assigned to another admin.
- Name: The user name assigned to the admin account.
- Organization: (Hierarchical ExtremeCloud IQ only.) Assign an admin to an existing organization or to all organizations here.
- Idle Session Timeout: Enter the number of minutes before sessions time out. The default is 30 minutes, and the range is from 5 to 240 minutes.
- Role: The admin role assigned to this account. The available roles are: administrator, operator, monitor, help desk, guest management, and observer. For information about these roles, see "Admin Accounts".
- Location: The location assigned to this account that is used to limit the admin to a particular geographic location which consists of an organization, building, or floor. If a location is not specified, then this admin has global access to your network.
Select Save and Close.
You can select and remove an admin from the Admin Accounts window.
Modifying an Organization
To modify the settings for an existing organization, select the check box for the organization and select . Make the necessary changes, and remember to select Save.
Removing an Organization
To remove an organization, navigate to Admin > admin_name > Global Settings > Organizations.
Select the check box for the organization and select Delete.
Select Yes in the confirmation dialog box.
Viewing the Organization Table
You can view the organizations table by navigating to Admin > admin_name > Global Settings > Organizations, by selecting the globe icon, or by selecting the Organization Indicator drop-down menu on the ExtremeCloud IQ pages. The globe icon is at the top right of each window. The Organization Indicator is a text box in the upper-right of each window.
Searching for Organizations
When you select the globe icon or select the Organization Indicator, Hierarchical ExtremeCloud IQ displays the Organizations panel on the right side of the screen. The Organizations panel shows all the organizations that you can manage. Search for required organizations by entering a text string in the search text box at the top of the Organizations panel.
Selecting Organizations to View
When you select the globe icon or select the Organization Indicator, Hierarchical ExtremeCloud IQ displays the Organizations panel on the right side of the screen. The Organizations panel shows all the organizations that you can manage. Because HHM allows you to share devices across multiple organizations, you can select any or all organizations to view by selecting the required box(es) in the View column.
Selecting an Organization to Configure
When you select the globe icon or select the Organization Indicator, Hierarchical ExtremeCloud IQ displays the Organizations panel on the right side of the screen. The Organizations panel shows all the organizations that you can manage, and allows you to select which organization to configure now. select a round option button in the Configure column to select which organization you want to configure.
Adding and Removing an Administrator Account
You can create admin accounts for each organization. To add an admin account to an organization and to define the admin role-based access control, see "Admin Accounts" for more information.
- Note that you are limited to one email address when you create a new admin account. You can use a different email address if you want to add a new administrator (any role) to the same organization. The email address for each administrator you add is displayed in the Admin User column on the Organizations window.
Using the Filtering Feature
On pages where you add new user accounts or devices, the filtering feature allows you to select the specific organization to which to add. On pages where data is presented, the filtering feature allows you to select what data is presented.
- If you are logged in as an Hierarchical ExtremeCloud IQ administrator, you can view the information gathered from networks across all the organizations you are managing. If you are logged in as an organizational admin, you can only filter data gathered from your own network.
Filtering Device Information on the Manage > Devices Window
On the right side of the Devices window, select the globe icon. In the Organizations panel, select the check boxes next to the organizations you want to view. Or, you can search for the required organizations by entering a text string in the search field. If a required name becomes visible below the search box, highlight it with your cursor to select it, and then the device information for the selected organization appears in the Devices window. Select Close to save your selection.
Filtering Information Presented by Dashboard Data Widgets
As an administrator, you can filter how data is presented by the data widgets on the Dashboard window. ExtremeCloud IQ presents the combined information gathered from all the devices managed by the account holder according to which organization names you select.
Select the globe icon ,and then select the check boxes of the organizations to filter the data presented. If you have a large list of organizations, begin entering the name of the organization in the search field. After the name appears in the list below, select it with your cursor. Select Close.
If you select the check box of a single organization, the data widget only presents information gathered from devices in that organization.
If you select more than one organization, the Top Application Groups widget aggregates and presents only information gathered from devices belonging to those organizations.
- Here is an example of how data is presented if you select two organizations. As an Hierarchical ExtremeCloud IQ admin, you manage the networks of two customers: Organization Blue and Organization Red. If you select the Top 20 tab in Top Applications, it is possible that Organization Blue dominates the list and the data widget displays 15 Organization Blue applications versus only five for Organization Red. It is also possible, in a different scenario, that the data widget displays the top 20 applications, and they all belong to Organization Red.
For more details on data widget definitions, see "Dashboard".
To add devices, navigate to Manage > Devices. On the Devices window, select Add.
Select an organization from the Choose an organization drop-down list. Select Continue to see the QuickStart wizard.
- If a specific organization is not selected prior to adding a device, then devices are added to the admin account by default.
See "Onboard Devices" and add real and simulated devices using the QuickStart wizard.
Configuring and Deploying a Network Policy for an Organization
An Hierarchical ExtremeCloud IQ admin has access rights to all the organizational accounts it manages, and can configure and deploy a network policy on behalf of an organization. Also, The admin can edit all the existing network policies.
Configuring a Network Policy
To configure a network policy for a specific organization, navigate to Configure > Network Policies. You can edit an existing network policy or add a new network policy here.
- If a specific organization is not selected prior to adding a device, then devices are added to the admin account by default.
Adding a new network policy for an admin follows the same workflow as any other account type. For more details, see "Network Policy Settings".
Deploying a Network Policy
To upload your network policy to all the devices in the table, select the check box in the top left side of the table header. This automatically selects the check boxes next to all the devices. Select Upload.
To upload your network policy to specific devices only, select the check box for those devices, and then select Upload.
See "Upload a Configuration" to understand your upload choices.
A device owned by one organization can be reassigned to another organization by only an administrator. An administrator can use this feature in the following scenarios:
- Assign devices from the inventory of the administrator to customer organizations as part of services provided.
- An administrator takes over the device inventory belonging to a specific organization.
- An administrator reassigns, and moves a device from one organization to another organization.
As an example of the third scenario, if Organization Blue has two unused devices in inventory, you can deploy them in the Organization Red network.
- Hierarchical ExtremeCloud IQ automatically resets the device to its factory default settings during the reassignment process.
To do this, follow the steps below.
- From the Devices window, select the devices you want to reassign or move.
- Select the Actions button at the top of the table. Select Assign to Organization.
- In the Assign Devices dialog box, select the organization to which to assign the devices, and then select Assign.
After you select Assign, the reassigned devices are moved to the new organization. You can see the new device assignments on the Devices window.
Generating and Filtering Reports
To generate new reports and view previously generated reports , navigate to Dashboard > My Reports. You can Add, Modify, Share, Stop, Delete, and view generated reports that appear in the Reports table.
To generate a report, select Add. On the My Reports window, you can choose four types of reports In the Organization drop-down list. They are Network Summary, PCI DSS 3.2, WIPS History, and Usage Based reports (only available for Hierarchical ExtremeCloud IQ accounts). To configure a report, select one of the report tabs.
Reports Type Overview
The Network Summary Report gathers statistics and provides visibility into how the network is used. For example, the top applications and wireless clients in a given time period, the top 20 access points by usage, and the radio protocol used by connecting clients. This information can help you plan and scale your network as your organization grows.
The WIPS History Report provides information that can help network administrators to physically locate and remove rogue and unauthorized APs. The WIPS History Report also provides an intruder detection history list that can help you perform regular security assessments. This can help your organization adhere to PCI DSS 3.2 record keeping requirements.
The PCI DSS 3.2 Compliance Report identifies which device configurations are not in compliance with PCI DSS and provides detailed recommendations on how to be in compliance. This is important because network infrastructures that support customer payment card transactions are required by law to adhere to PCI DSS whenever cardholder data is stored, processed, or transmitted. For example, to be compliant with PCI DSS, device configurations must not use vendor-supplied default passwords or open SSIDs.
The Usage Report, available only to Hierarchical ExtremeCloud IQ account holders, provides a list of access points and switches that have been added and is managed by an organization. By default, the report displays all the organizations that are managed by the Hierarchical ExtremeCloud IQ administrator. You can use the filter feature on the window to generate reports for only the organizations you choose. In the report, column titles include Host Name, Model, Serial Number, Deployed, Country Code, and Location. A filter feature also appears in the report window that allows you to filter host names by location.
- The Usage Report is only available for Hierarchical ExtremeCloud IQ administrators and is not visible from the Report Type drop-down list for organization account holders.
Usage Based Report
The Usage Based Report provides a list of access points and switches that are currently deployed for selected organizations. Use the filter feature on the New Report page to generate reports only for the organizations you choose. The generated report column titles include Host Name, Model, Serial Number, Deployed, Country Code, and Location. A filter feature in the generated report that allows you to filter host names by location.
- The Usage Report is only available for Hierarchical HiveManager administrators and is not visible from the Report Type drop-down list.
Configure a Usage Based Report
ORGANIZATION: Select Your Organization, or a specific organization in the drop-down list. Note that the Usage Based is only visible for Hierarchical HiveManager account holders.
Select the Usage Based tab, and enter the following information:
Title: Enter a name for the report.
Recurrence of Report: Select from the following options:
Once: Select this button to generate this report one time.
Daily: Select this button to generate a report every day. Select to select the time of day to generate the report. You can also drag the handles in the timeline in the thumbnail to set this time.
Weekly: Select this button to generate the report on a weekly basis. You can then select the day of the week, and click to select the time of day to generate the report.
Monthly: (not available for Network Summary reports) Select this button to generate a PCI DSS or WIPS history report on a monthly basis. Select the day of the month on which you want to generate the report, and click to select the time of day to generate the report.
Share With: Enter valid email addresses, separated by commas, for the people with whom you want to share this data. When you are finished, click Send Report. The report, which can take up to a minute to generate, is displayed in the Reports table. Select the name of the report to view it.
Time Range for Report: Select the time window for the data in your report by choosing from the Show and Select Range options, or by dragging the timeline handles.
- If you select Day, you can set a time range for the report by dragging the handles on the timeline to a specific time period.
- If you select Week, you can designate separate time windows for each day of the week, or for a span of 1 day, 2 days, or 7 days.
- If you select Month, you can designate a 2 day-, 1 week-, or 2 week window. You can also drag the timeline handles to any position in the time window to display data for that time period.
- To cover an entire month of recorded data, you must drag the handles on the timeline to select a 31-day time period. For months that have only 28, 29, or 30 days, ExtremeCloud IQ automatically generates reports covering the 1st day of the prior month to the 1st day of the current month.
Filtering Reports by Organization
You can use the filter feature to generate device usage information for any organization by expanding Managed Service Provider, and then Organizations in the filter panel on the left side of the New Report window. Select the check box next to All, Your Organization, or any other organization managed by the Hierarchical ExtremeCloud IQ administrator.
- Device usage information for a specific organization appears in a report after you select the check box for the specific organization. If you select All, devices belonging to all the organizations the Hierarchical ExtremeCloud IQ administrator has access to are displayed, each in its own section, in the generated report.
Copyright © Extreme Networks, Inc. 6480 Via Del Oro, San Jose CA, 95119 USA