Excuse me, could you help me with this error that I get

apicazo
New Contributor

Enforce Manufacturing Certificate is disabled for APs supported authentication using Extreme PKI

1 ACCEPTED SOLUTION

AntonScholz
New Contributor II

Hey apicazo,

It's more of a warning, not an error.

This means you have some APs (I think AP3000/4000/5000 series?!) which support this security feature.
You need to enable this setting in the relevant network profile under the "Advanced" tab.

Here is the explanation from Extreme:

Enforce usage of Extreme PKI (Public Key Infrastructure) when establishing an IKE (Internet Key Exchange) tunnel. Both APs and controllers have Extreme CA certificates installed.

When this setting is enabled, the controller accepts only APs that provide Extreme PKI.
Note: Supported on the Defender Adapter SA201 and on the ExtremeWireless access point models: AP39xx, Wi-Fi 6 AP models.

This setting is not supported on the AP305C, AP410C, and AP460C access point models.

There must be successful mutual authentication between the AP and the controller. If either side of the authentication fails, the tunnel is rejected.

When this setting is enabled, APs that are not PKI capable (self-signed certificates) are not able to connect to the controller.

The default is to clear this option. When this setting is cleared, the controller accepts the AP with a self-signed certificate. With either type of certificate, the certificate type must match in both directions before the authenticated tunnel is established.

Authentication failure messages are logged in the ExtremeCloud IQ Controller Events Log.

You can override the configuration Profile setting for individual APs from the Advanced > Overrides dialog for the selected AP.
