07-20-2023 12:22 PM
Enforce Manufacturing Certificate is disabled for APs supported authentication using Extreme PKI
08-23-2023 12:10 AM
Hey apicazo,
It's more of a warning, not an error.
This means you will have some APs (I think AP3000/4000/5000 series?!) which support this security feature.
You need to enable this setting in the corresponding Network Profile under the "Advanced" tab.
Here is the explanation from Extreme:
Enforce usage of Extreme PKI (Public Key Infrastructure) when establishing an IKE (Internet Key Exchange) tunnel. Both APs and controllers have Extreme CA certificates installed.
This setting is not supported on the AP305C, AP410C, and AP460C access point models.
There must be successful mutual authentication between the AP and the controller. If either side of the authentication fails, the tunnel is rejected.
When this setting is enabled, APs that are not PKI capable (self-signed certificates) are not able to connect to the controller.
The default is to clear this option. When this setting is cleared, the controller accepts the AP with a self-signed certificate. With either type of certificate, the certificate type must match in both directions before the authenticated tunnel is established.
Authentication failure messages are logged in the ExtremeCloud IQ Controller Events Log.
You can override the configuration Profile setting for individual APs from the Advanced > Overrides dialog for the selected AP.