Extreme Networks

I think I need to update the script first...

###################################################################
# Update the Bearer Token, client secret, client-id,
# redirect-uri, and ownerid in the curl_cmd variable to
# match your developer credentials, bearer token from
# XIQ, and VIQ ID.
# Developer credentials: https://developer.aerohive.com/
# Bearer Token: XIQ Interface/Global Settings/ API Token Management
# VIQ ID: From the XIQ interface "About" menu option
###################################################################

curl_cmd = 'curl -s -k --header "Authorization: Bearer xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"'
curl_cmd = curl_cmd + ' --header "X-AH-API-CLIENT-SECRET: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"'
curl_cmd = curl_cmd + ' --header "X-AH-API-CLIENT-ID: xxxxxxxx"'
curl_cmd = curl_cmd + ' --header "X-AH-API-CLIENT-REDIRECT-URI: https://x.x.x.x"'
curl_cmd = curl_cmd + ' https://va2.extremecloudiq.com/xapi/v1/monitor/devices{?ownerId=xxxxxx}'

I've found the ownerId and REDIRECT-URI address (my XIQ-SE) but struggling to find the CLIENT-ID and complete

I have used the document and managed to get an XIQ WAP to interact with the Access-Control engine. I created three SSIDs and all three worked (for PPSK, Open and Secure).

One thing that failed in my setup was the Workflow to Import the XIQ APs. When I ran it it said it succeeded very quickly as if it did not run through all of the tasks. No APs were added to XIQ-SE and no APs were added to Access-Control.

The output for the workflow showed an error:

Script Name: Process New XIQ Devices_Extract_All_Devices_from_XIQ
Date and Time: 2022-02-24T16:19:51.443
XIQ-SE User: netsight
XIQ-SE User Domain:
IP:
code: GatewayErrorCode.CLIENT_VERIFICATION_FAILED
message: Client Credential verification failed.
rawMessage: XCKCKzThhF
status: 401

I imported the workflow and appeared to succeed but nothing happened. Any ideas?

Thanks
Rob

Update... I have found this document to answer quite a few of the questions I had so I will try this out. 

https://documentation.extremenetworks.com/ExtremeCloudIQ/HowTo/ExtremeControl_for_XIQ-SE_and_XIQ_APs...

These are the sort of guides we all find useful and give great guidance with examples which are easy to follow and apply. It would be difficult to know what to do otherwise.

Hi Sam,

I have a customer that already has Cloud IQ APs and they are using PSK which has been compromised. They would like a more secure solution where they can assign VLANs for different user types. So, yes I want to use a network policy which uses the Extreme Access Control virtual appliance which is in a secure location at the customer's HQ. EAC and XIQ-SE are able to onboard to Cloud IQ as well as the APs.

Am I right that the APs need to be imported from XIQ into XIQ-SE so that they can be added to Access-Control>Switches? The APs that onboard to the cloud could be in any global location, so missing some facts about how Cloud based APs can use on premise Extreme NAC (not A3) as RADIUS Server using network policy in XIQ.

How is the AP configured under Access-Control>Switches? There is a list of different choices of RADIUS Attributes to Send in the device configuration, what should it be?

Not using Extreme A3.

Extreme Access Control could have local users or integrate with AD database.

Requirement is for 802.1X.

Thanks,
Rob