XMS-Cloud

XMS-Cloud makes it easy to manage your networks from a single, powerful dashboard. Zero-touch provisioning and centralized, multi-tenant network or chestration simplify network management functions. XMS-Cloud manages Cambium Xirrus devices.

To begin using XMS-Cloud, follow these steps:

These sections describes additional features.

Profiles

Overview

XMS profiles provide ease of management by allowing you to specify a set of APs and manage them together as a group. Create a profile and define a uniform configuration to be applied to all of the member devices. Select the APs that are members, and XMS-Cloud will ensure that they have the specified configuration. Note all managed devices are automatically updated with the latest release recommended for each device model—with no setup required.

After you create a profile to be used for most or all of your Cambium Xirrus wireless network, make it the Default profile (as described below, in Create a Profile). When new devices are acquired, they will be assigned automatically to the default profile if you haven’t assigned them to a specific profile. When they are installed and have network connectivity, they will be configured per their assigned profile. This grouping of devices for management eliminates the time- consuming and error-prone task of configuring and managing APs individually, and ensures the deployment of consistent settings across each profile.

Settings that must be unique per device are not managed by the profile. For example, the IP address and hostname are specified per device, if you don’t want to use their default values. Individual radio settings (channel, cell size, etc.) are also not changed, since you may wish to tailor them to the environment of each AP (to change them, go to My Network > Access Points, hover over an AP, click the Details button and then click the Radios button ).

To guarantee adherence to the profile’s settings, member devices should not be configured individually directly via their CLI or WMI. This usually results in temporary inconsistencies between the device configuration and the XMS database.

Profiles

A profile specifies the configuration of Cambium Xirrus devices. This simplifies uniform configuration of the wireless network, especially for network settings such as VLANs, DNS, and DHCP.

Create a Profile

To create a new profile, click Profiles on the menu bar, then select Profiles from the drop-down list. Enter a unique name and click Create New Profile. Typically, the first profile you create should be the default profile. Click the Settings button    next to your profile name and select Assign as Default. New APs will automatically be assigned to this profile unless you have assigned them to another profile (see My Network—Access Points and My Network—Clients).

Anytime you view a list of profiles, the default profile is flagged with a   .

These pages manage your profile:

Click Show Advanced to see the following additional settings.

Saving, Pushing, and Scheduling a Profile

When all of the changes to a profile are complete, click . A dialog box will ask whether you want to push the changed settings to profile member devices now (click ), or later (click  ). Since changing a device’s configuration interrupts service for between one and five minutes, you might want to delay these updates until after regular business hours. Schedule Push sends the configuration at the time that you select (up to one week in the future). If a schedule is in effect, this is indicated by a time symbol on the Save button .

The Schedule Push feature obeys the following rules:



You can click      before the scheduled time to change the schedule or to select Push Now instead. If you decide to Push Now, the schedule is canceled and the schedule settings are cleared.

General

These are general settings for this profile and for its member devices.

Advanced Settings on the General Page

Network

This page allows you to adjust the Ethernet port and IP settings of member APs. For a simple network, the default values on this page will not need to be changed.



IP Address—The default value is Use DHCP, which uses DHCP to obtain an IP address for the AP’s Ethernet port. The Set on AP—Don’t Change option leaves the IP address settings on the AP unchanged (note that the factory default is to use DHCP). If you set this to Assign Static, you will need to set a static IP address for each AP individually (select My Network in the menu bar at the top, then select the Access Points tab. Hover over an AP, and click the Details button ).

This feature helps ensure correct operation of Apple devices and services across your network. Apple Bonjour automatically finds local network devices such as printers or other computers so that clients can use them without needing any manual setup. Bonjour Director configures APs to forward Bonjour traffic between VLANs on your wired network and wireless SSIDs on APs. For example, clients may be using Apple laptops and iPhones on the wireless network, while other devices such as Apple printers that provide services are connected on the wired network in a different VLAN. Bonjour Director sets up forwarding of the Bonjour traffic that lets these devices find each other, while ensuring that other similar types of traffic don’t flood your network.

Follow these steps to use Bonjour Director.

1.

Navigate to the profiles > Network and toggle the Yes to enable Bonjour Director tab.

2.

Click Yes to enable Bonjour Forwarding.

3.

Select the Services that you would like to forward. If you select any services, then they will be the only ones forwarded, otherwise all services are. Since Bonjour can be very chatty, it is a good idea to specify only the services you need.

4.

In VLAN Forwarding, enter the VLANs on your wired and wireless networks that use Bonjour services. You can use this to allow Apple wireless devices to work together as well. For example, let’s say that AppleTV is using wireless to connect to an SSID that is associated with VLAN 56, and the wireless client is on an SSID that is associated with VLAN 58. Normally the wireless client would not be able to use Bonjour to discover the AppleTV because they are on separate VLANs. But if you add VLANs 56 and 58 to the VLAN Forwarding list, then the wireless client will be able to discover the AppleTV.

5.

In VLAN Overrides, associate one or more VLANs to pre-existing or new tags.

To configure additional settings, see “Advanced Settings”.

Advanced Settings

To configure more settings, click Show Advanced link.

Request Power - If this is set to Yes and LLDP discovers a device port that supplies power to this Access Point (on a powered switch, for example), the Access Point checks that the port is able to supply the peak power that is required by this Access Point model. The Request Power feature does this by requesting this peak power (in watts) from the PoE source, and it expects the PoE source to reply with the amount of power allocated. If the Access Point does not receive a response confirming that the power allocated by the PoE source is equal to or greater than the power requested, then the Access Point issues a Syslog message and keeps the radios down for ten minutes. The radios may be enabled manually after this. Using this feature provides a more graceful way of handling an under powered situation on an AP. When the radios are turned off, a syslog message is created—finding this is easier than hunting down an intermittent problem.

Youwillseesettingsfor the XR-320 only if yourcloud-managedAPsincludethis AP type.



XR-320 Uplink Port Configuration — If you select a Native VLAN, then that VLAN will use an untagged (Native) link. Any wired or wireless traffic tagged with this VLAN ID will egress the uplink port untagged. You may add VLAN Overrides by associating a VLAN to a pre-existing or new tag.



XR-320 Switch Configuration — The XR-320 has switch ports available for use as downlinks. These four Ethernet ports are named LAN Port 1 to LAN Port 4. If you are connecting devices to any of these ports on the XR- 320, enable them and configure them here.

1.

Enable VLANs on the LAN ports: Choose Yes to allow configuration of the LAN ports as trunk or access ports with the VLAN settings below. The LAN ports (LAN Port 1 - LAN Port 4, also called switch ports or downlinks) are the four Ethernet ports on the bottom of the wall AP. You should configure VLANs before proceeding with the steps below.

If you choose No, the AP will simply pass all traffic between the LAN ports and the Gigabit Ethernet (uplink), without any inspection or modification. This is the default behavior.

2.

Configure each LAN port as follows.

a.

Enable LAN Port: Choose Yes to enable use of this port, or No to disable it (the port will not pass traffic). The remainder of the per-port settings are only available if you enabled VLANs above.

b.

Port Mode: Select Access or Trunk. An access port carries traffic for only one VLAN, and has only one VLAN configured on the interface. A trunk port carries traffic for several VLANs at the same time. You may have multiple VLANs configured on the interface (up to 8 plus one for the PVID, see below).

c.

PVID value (Port VLAN ID): Select a VLAN from the drop down list. The VLAN must have been previously defined. All untagged ingress (entering) packets to this port will be tagged with the PVID for forwarding to other ports. Conversely, egress (exiting this port) packets are only sent out if they are tagged with this PVID (for trunk ports, packets are also sent out if they are tagged with any of that port’s Selected VLANs). Packets not meeting these conditions are dropped.

d.

PVID VLAN Overrides: Add VLAN overrides by associating VLANs to a new or existing VLAN tag.

e.

Allowed VID  values (8 max)/Allowed VLAN  Overrides: This setting is only used for trunk ports. Specify the VLANs to be handled on this trunk port. The VLANs must all have been previously defined.

3.

Authentication: For devices connecting to the XR-320 switch ports, the following authentication options areavailable.This setting applies globally to all four switch ports.



Open: This option provides no authentication.



RADIUS MAC: Uses an external RADIUS server to authenticate devices onto thewirednetwork, based on the connecting device’s MAC address. If you select this option, specify a primary and optional secondary RADIUS server. You may specify each server using a host name or IP address. Change the port if needed, and enter the shared secret needed to access each server.

You can perform 802.1x user authentication on your wireless network based on user accounts in an Active Directory server or a RADIUS server (see SSIDs below). If you are using Active Directory, set this to Yes and fill in the fields that are displayed.

You may want to try out the configuration on one AP first and make sure that it works before adding the rest of the APs to this profile. In case of problems, note that the CLI and Web Management Interface on APs both include special test commands to assist with validating proper communication between the Active Directory server and the AP.

Enter the following settings in the XMS-Cloud profile.

You must also enter the following settings:

You can set the Radius Settings for Switch by set this to Yes and fill in the fields that are displayed.

Access Points

SSIDs are the wireless networks whose names arebroadcast by an AP to client devices such as laptops and mobile phones. A user can choose which SSID to connect to. Create at least one SSID. You may create multiple SSIDs with differentsettings.

Creating New SSID

Click+New SSID to create an SSID. Enter the following.

You cannot apply one filter for two or more scheduled periods, but you can create two filters to achieve that. For example, one filter could block the category Games from 9:00 to 12:00, and another could block them from 13:00 to 18:00. Similarly, you might create two rules for different days—one to block Games Mon-Fri 8:00 to 18:00, and another to block them on Sat. from 8:00 to 12:00.

Note that a policy schedule takes precedence over rule schedules and may override them. Make sure that rules are scheduled within the policy schedule.

You can schedule the SSID to be on (available)onlyatspecifieddaysandtimes and be off the rest of the time. See Scheduling under SSID.

LEDs

To configure additional settings, see Advanced Settings.

Adavanced Settings

To configure more settings, click Show Advanced link.

To trunk a VLAN to Gig2, select YES and enter the VLAN number. Only one VLAN can be separated in this way—its tagged traffic will use Gig2, while untagged traffic will be sent out of both ports. Gig1 will be used for management traffic and production (enterprise) networks. Note that the VLAN selected here must be in use by at least one SSID. When using this option, you must ensure that the Gig1 and Gig2 ports are connected to different networks, generally on separate switches.You should reboot APs in thisprofile to ensure that these settings will take effect. Also see Limit the DHCP Pool to a single SSID, located above in the DHCP Pool settings.

If you are using an analytics server, such as Euclid or the Xirrus Position Server (XPS), use this Location Services section to set up Access Points to send collected data to the server on a regular basis. Cambium Xirrus APs can capture visitor analytics data and upload it to a server, eliminating the need to install a standalone sensor network. This data can be used to provide information such as customer traffic and location, visit duration, and frequency.

When Location Reporting is enabled, the AP collects information about stations, including the station ID and manufacturer, time and length of the visit and related time interval statistics, and signal strength and its related statistics. The AP also sends its own ID so that the server knows where the visitors were detected. Follow the steps in My Network—Floor Plans to create floor plans and set AP locations accurately. XMS sends each AP its positioning information. This allows APs to send better location information and improves integration with analytics servers. Please note that the location reporting setting that enables the display of Stations and Rogues in My Network—Floor Plansis set separately. See Stations and Rogues for details.

To capture and upload location data, set Location Reporting to Yes. Data collected from stations includes only basic device information that is broadcast by Wi-Fi enabled devices. Devices that are only detected are included, as well as those that actually connect to the Access Point.

Enter the following settings.

Data messages are uploaded via HTTPS, and they are encrypted if you entered a Customer Key. Data is sent as JSON (JavaScript Object Notation) objects. For a complete description of data and formats, see the Cambium Xirrus Wireless Access Point User’s Guide (in Appendix B, see “Location Service Data Formats”).

CaptivePortalSettings

A captive portal supports special handling when guests connect to this SSID, such as redirection to a splash page or login page. If you are using an EasyPass portal for this SSID, this setting is automatically changed to EasyPass Portal for you when you set up the Portal Configuration—SSIDspage under EasyPass, and all portal configuration should be performed on the EasyPass pages. If you use a captive portal that doesn’t use EasyPass, see the splash page, basic login page, and landing page options below.

In SSIDs, when you set Access Control to Captive Portal, the Configure button appears. Click it to set up one of the portal types below. Note that some portals have an Advanced option for entering a Whitelist of websites that users can access without going through the captive portal (see About Whitelists).

Switches

Switches page allows the user to configure cnMatrix VLANs and Policy Based Automation (PBA) using a Profile or Template. Initially user needs to create a Template or Profile and then click the Switches tile.

User can create Templates and Profiles to configure port settings, making it easy to configure and manage a single switch or 100 of switches.

To configure click on any of the ports. Add/Edit Switch Template Port, window pops up enter the fields to configure/add the Native VLAN (Management VLAN), multiple VLANs, and enable PBA.

Policies

Policies are sets of conditions, constraints, and settings that allow you to decide what types of network traffic are allowed or blocked on an AP. Each policy includes one or more rules. The policy types, depend upon where the policy is applied. Policy types are listed below, in the order of their priority (i.e., global rules have the highest priority and are applied first).

Layer 2 rules will be enforced beforeLayer 3 rules. There can be multiple policies of the same type, for instance, a Device policy for iPhones and a Device policy for Samsung phones.

After creating a policy, add one or morerules to it. Thereare two types of rules, plus advanced settings:

A policy may include multiple rules (both firewall and Application Control rules)You may fine tune policies and/or individual rules by scheduling the days and hours during which they apply.

Creating a Policy

n

Policy Based Automation - To create policies and rules for PBA Under Policy Based Automation, click the “+” button to add a new PBA policy. On the fly-out window, give the policy a name and the click +Add Rule. Select the Detection Method you wish to use and the parameters for your selected method. Then click the Add button. Then finish configuring the policy with your requirements.

n

Global      —If you select Global, the policy will apply universally. Note that the Global buttonis no longer displayed after you create the policy, since there can only be one global policy, and you have just created it.

n

SSID    —Click this, and select the SSID to which the policy will apply. Clients connecting to this SSID will be governed by the rules that you add to this policy. Note that you can schedule the SSID to be active only at specified times. See Step 5 below.

n

Personal SSID    —Click this, and this policy will apply to all Personal Wi-Fi SSIDs created by users for an EasyPass Personal Wi-Fi Portal whose SSID is part of this profile. Clients connecting to Personal Wi-Fi SSIDs will be governed by this policy. Note that the Personal SSID button is no longer displayed after you create the policy, since there can only be one Personal SSID policy, and you have just created it.

n

User Group  —Click this to create a policy that applies to a group of users. The group members are entered manually as described in Managing Onboarding Users and Their Devices — or entered automatically if you are authenticating via a RADIUS server, or using one of these portal types: EasyPass Onboarding, Google, or Azure.Group membership for a user is determined by a RADIUS attribute if you are using a RADIUS server for authentication, or by their organization or group membership if authenticating via an EasyPass Google or EasyPass Microsoft Azure portal. Thus, you can create policies for groups of users that are defined in EasyPass Onboarding, Google/Azure, or on a RADIUS server.

Enter the name of this policy in UserGroup (this name is only used to identify the policy).

If you are using an external RADIUS server for user accounts and authentication, enter the RADIUS Attribute value that you use on the server to identify users belonging to this group. Note that the RADIUS server location is specified in the SSID (see SSIDs > Authentication, or for certain captive portal options see SSIDs > Access Control).

If you are using an EasyPass Onboarding portal, set RADIUS Attribute/EasyPass Group to the Group that you entered in the portal.

If you are using an EasyPass Google or EasyPass Microsoft Azure portal, set RADIUS Attribute/EasyPass Group to the Google Apps Organization or Microsoft Azure group that identifies this user group.

When a user is authenticated, the user’s Google organization, Azure group ,onboarding group, or RADIUS Attribute value is sent back, depending on what type of authentication you are using. If  this matches the RADIUS Attribute/EasyPassGroup value that you set for a User Group policy, the user is a member of that group and the policy will be applied to the user. For a Google portal, XMS will attempt to apply the most specific organization-to-group match. For example, if a user’s organization structure is DistrictA/SchoolA/Students, then XMS will match a User Group whose EasyPass Group value is Students. If the user is in the organization structure as “/” (root), then there will be no match and the user will not be a member of a user group.

n

Device    — Click this, and select a DeviceClass to which the policy will apply. Device Class is a general category of device, such as Tablet, Desktop, Phone, or even an Appliance or Car. Optionally, use Device Type to further specify the device, for example, iPhone or Samsung. Note that the XR-320 and X2-120 do not allow you to specify a Device Type. Note that you can also createfirewall rules for an SSID that will apply to a particular device class or type.

2.

Add Firewall Rules   to your policy, if desired. (For the global policy, click the Air Cleaner button if you want to add a number of predefined firewall rules to eliminate a great deal of unnecessary wireless traffic.)You may include both firewall rules and Application Control rules (Step 3, below). For each firewall rule, click New Firewall, then fill in the following information (for Advanced options, see Step 4):

Advanced Settings, Scheduling, Editing, and Precedence for Policies

5.

Move Up/Down: Rules are applied in the order in which they are displayed on the page, with rules on the top applied first. Click the menu button (dots) to the right of a rule to show the move button . Click the rule’s move button and drag the rule to the desired location within the current policy. It cannot be moved to a different policy, and Layer 3 rules always have to stay below Layer 2 rules. Note that policies cannot be moved.

Optimization

Click the Show Advanced button below the Admin button to display this page. Use it for the following advanced features:

Client Optimizations

RF Optimizations

EasyPass

About EasyPass

EasyPass Access Services enable you to easily provide secure and controlled access to users and visitors on your Wi-Fi network.

Guest Access Portal types:

Employee/Student Access Portal types:

Additional EasyPass access features include:

Create an EasyPass Portal

You may create multiple portals and define which SSIDs offer access via each portal.

Click EasyPass on the menu bar, then click . Select one of the portal types listed below, then enter a unique Portal Name. You may also enter an optional Description of the purpose and setup of this portal for your later reference. You will select the SSIDs that offer this portal later, in the SSIDs tab (see Portal Configuration—SSIDs).

Select the portal type:

Use the following steps to set up your portal:

Portal Configuration—General

Settings are presented based on the portal type that you selected:

Self-Registration

Change the following settings as needed.

If you wish to require sponsorship (authorization) by someone at your organization before the guest is allowed to access the Wi-Fi, set this to Yes, and select the Sponsor Type:

Guest registration proceeds as follows if you have selected Require Sponsor and Manual Confirmation:

Proceed to Portal Configuration—Look & Feel and  Portal Configuration — SSIDs to complete portal configuration.

Guest Ambassador

Ambassador Portal Settings

For a Guest Ambassador portal, accounts must be manually created for each guest. Note that guests do not have an online method to request an account. Change the settings for Language, Session Expiration, Session Timeout, and Landing as described above for Self-Registration. Advanced settings for Whitelist and Quiet Client Tolerance are also available, as for Self-Registration.

Proceed to Portal Configuration—Look & Feel and Portal Configuration —SSIDs to complete portal configuration. Then click the Guests tab to start creating guest accounts as described below. You may use the Guest Lookup search field to list existing guests whose name or email contain a particular string.

Adding Guest Accounts

For each new guest account, click . You must enter the following:

You may also enter the following optional settings:

When you are done entering information for this guest, click . XMS-Cloud will display the guest name, the assigned password, and the email address to which it has been sent. The new guest account will be added to the Guests list on the Guests tab. Hover over a Guest Name for options to edit the entry, send a new password, disable (or re-enable) Wi-Fi access for the guest, or delete the entry. See also, Managing Guests.

One Click Access

For a One Click portal, no self-registration or pre-registration is required. No login is required, other than any authentication required by the portal’s SSID. This is a simple portal that offers access to anyone for a specified length of time.

Enter the following settings:

Proceed to Portal Configuration—Look & Feel and Portal Configuration— SSIDs to complete portal configuration.

One Click Guests

Click the Guests tab to view the One Click Access portal’s guest sessions, identified by the guest device MAC address. Each session’s Activation (start) and Expiration time are shown.

EasyPass Onboarding

Onboarding is the process of registering multiple Wi-Fi access devices per user. It is intended to be used by members of your organization, rather than by guests. For example, a student at a school or an employee at a company may have a laptop, a mobile phone, a printer, and an iPod that they wish to connect to Wi-Fi. EasyPass Onboarding enables Bring Your Own Device (BYOD) by allowing these devices to be registered for easy access on subsequent connections, while limiting the number of devices that a single user may have registered at one time. The user may connect via all registered devices concurrently.

EasyPass Onboarding provides a User-Preshared Key (User-PSK) for each account. A user registers a number of devices simply by using the account’s User- PSK to connect to the wireless network from each desired device. If a user tries to exceed the maximum number of devices permitted, a page is displayed to allow devices to be de-registered. This permits new devices to be registered instead.

For an onboarding portal, there are two methods for user registration.

The SSID running the onboarding portal must be secure, using WPA2/ 802.1X with AES encryption, and having authentication set to User-PSK. Assigning an SSID to this type of onboarding portal will automatically configure these settings on the SSID (see Portal Configuration—SSIDs).

Portal Settings for Onboarding

To configure an EasyPass Onboarding portal, change these settings:

Note that onboarding user accounts are described in Managing Onboarding Users and Their Devices.

EasyPass Voucher

Vouchers are designed to allow companies such as fast food outlets to provide customers with temporary access to Wi-Fi on their premises. You create vouchers in bulk, and can then hand them out to customers. You can export the vouchers as a comma-separated values (.csv) file. The .csv file may be imported into your custom application to give out voucher Access Codes, for instance, printed on a purchase receipt.

The SSID running the voucher portal is typically open (unsecured), but it may be secured if you wish. Assigning an SSID to a voucher portal will automatically configure the Access control setting on the SSID to Captive Portal (see Portal Configuration—SSIDs).

After a user connects to the SSID, the AP presents a login page that requests the voucher Access Code. When a valid code has been entered, the user is allowed Wi-Fi access. The user may connect additional devices using the same voucher, as long as the voucher has not expired.

Portal Settings for EasyPass Voucher

To configure an EasyPass voucher portal, configure these settings:

Session Expiration — This is how long the voucher access code will continue to allow Wi-Fi access. Once a voucher expires, the user will need to obtain a new voucher and will have to log in again. For example, if the expiration is two days and the user returns the next day, the access code will still be valid. Note that expiration times of 1 day or 1 month will expire at the same time of day that the user account was granted, i.e., 1 day is 24 hours. End of Day or End of Week expire at midnight on the selected day. Use the Custom option to specify the session duration in terms of days, hours, and minutes.

Maximum Device Registration — To set a limit on the number of devices that can be registered on each voucher, select Yes and enter the maximum Number of devices. Once a user has registered this number of devices, an attempt to associate another device will be denied with a message explaining that the limit has been reached. Note that a device is registered once access has been granted to it by EasyPass, and remains registered even if it is no longer associated to an AP. Both users and administrators can delete registered devices from a voucher to allow new devices to be used. See Managing Vouchers.

Landing — Users connecting to your network will be directed to this web page. You may wish to enter your organization’s home page here.

Session Timeout— Once a user's session times out, the user will be asked to enter the access code again. Note that this is different from Session Expiration, which dictates when the user needs to obtain and enter a new access code. Session Timeout is provided to keep users from having to re-log in too often if the user’s Wi-Fi connection terminates. For example, suppose a user connects and then leaves the premises for an hour. If the timeout has been set to 2 hours then the user will not have to log in again upon returning.

Advanced settings (click the Show Advanced to see these):

Generating vouchers is described in Managing Vouchers.

About Whitelists

A Whitelist specifies Internet destinations that clients can access without first having to log in—these web sites bypass the portal. For example, you may wish to add your public web site to the whitelist. To add a web site to the whitelist for this portal, enter it in the provided field, then click Add. You may enter an IP address or a domain name. Up to 32 entries may be created.

Example white list entries:

Some typical applications for this feature are:

Note the following details of the operation of this feature:

EasyPass Personal Wi-Fi

This type of portal allows guests to set up their own Personal Wi-Fi networks (i.e., Bring Your Own Network), with no intervention required on your part. Users benefit from the ability to connect all of their personal devices to a secure personal Wi-Fi network with significantly less effort.

When users connect to the SSID that you have set up for the EasyPass Personal Wi-Fi portal, they are redirected to a Personal Wi-Fi creation page to specify their own network: they enter a Personal SSID name and password. XMS-Cloud configures this Personal SSID on the single AP that the user is connected to. Users will typically set up the same SSID name and password that they use at home, which their smartphones, tablets, and other personal devices are already configured to connect with automatically. For example, if a school dormitory or a hotel offers EasyPass Personal Wi-Fi, users will be able to set up SSIDs that mimic their home networks. Their devices will automatically connect securely for the duration of the user's stay (until the Personal SSID expires).

Users may create up to twelve Personal SSIDs (smaller AP models support fewer SSIDs). Personal SSIDs created by users may be viewed and managed on the Personal SSIDs tab, as described in “Managing EasyPass Personal Wi-Fi SSIDs”.

Only one SSID per profile may be assigned to the EasyPass Personal Wi-Fi portal. Note that station-to-station traffic blocking is turned off for all profile-member APs. Thus, clients on the same SSID will be able to pass traffic.

Portal Settings for EasyPass Personal Wi-Fi

To configure an EasyPass Personal Wi-Fi portal, change these settings:

EasyPass Google

This portal lets clients use their Google Apps credentials to get single sign-on (SSO) access to the organization's network. Access may be restricted to users with email addresses in specified domains.

For extra security, Google 2-Step Verification is supported. This is a feature that admins can choose to set up for their Google domains. When a user logs in with

Google, it sends a pin code to the user via text or mobile app. The user must enter the code to complete authentication. Google portals also offer Directory Synchronization, so that if you delete users from the Google directory, their EasyPass access will also be revoked. Revoked users’ active sessions will be terminated (they will not see any message).

Google portals offer the option of restricting access based on the MAC address of the user’s device (known as a MAC ACL—-Access Control List). To restrict access with a MAC ACL, see The EasyPass Google or Azure Access Control Tab (MAC ACL).

Directory Synchronization for EasyPass Google

Directory Synchronization offers additional features for Google portals.

Set up Directory Synchronization for Google as described below.

Advanced Settings for EasyPass Google

Proceed to Portal Configuration — Look & Feel and Portal Configuration — SSIDs to complete portal configuration. Note that since authentication is performed by Azure, you do not create any login pages for user interaction, but you can customize a Manage Devices page. Go to the Users tab to view users who have authenticated to the portal.

The EasyPass Google Users Tab

Select the Users tab to display all users who have gained access to the Easypass Google portal at least one time. You can export entries as a comma-separated values (.csv) file in the same way as described in “Export to CSV file”.

To disable a user’s network access, delete the user’s entry on this page.

To view the devices that a user has onboarded, hover over the user’s entry and click the Details button . The slide-out panel lists each device along with its type and MAC address, and allows you to delete devices. You must click the Save button to save any changes made.

Note that accounts do not expire, although users will have to re-enter their credentials if you have enabled Session Timeout.

The EasyPass Google or Azure Access Control Tab (MAC ACL)

This feature allows you to restrict access to this portal so that only user devices with specific MAC addresses can gain access. For example, organizations that issue devices to users, such as schools, would like to allow only those devices to access certain portals. To use this feature, create a list of MAC addresses that are permitted on this portal—usually called a MAC Access Control List (ACL). If there are no entries in the list, then access is not restricted by MAC address.

EasyPass Microsoft Azure

Azure portal clients use their Microsoft Azure (Office 365) Active Directory credentials to get single sign-on (SSO) access to the organization's network. Access may be restricted to users in specified Azure groups. If you delete users from Azure, their EasyPass access will also be revoked. Revoked users’ active sessions will be terminated (they will not see any message).

Azure portals allow you to restrict access based on the MAC address of the user’s device (known as a MAC ACL—-Access Control List). To use this feature, see The EasyPass Google or Azure Access Control Tab (MAC ACL).

You must set up Azure to accept and service XMS-Cloud requests for authentication of clients, via one of these two methods.

To use the Cambium Xirrus EasyPass app for authorization

To authorize a portal without the app

Enter the remainder of the Azure portal settings

Advanced Settings for Microsoft Azure

Whitelist — Set this to Yes to specify Internet destinations that clients can access without first having to log in. See About Whitelists for details.

Quiet Client Tolerance — Battery powered phones and laptops often conserve battery life by turning off their Wi-Fi radios. When the client “goes quiet” the AP no longer sees it, and the AP assumes the client has disconnected. This setting allows clients to be offline for the specified time before they are considered to have disconnected. We recommend changing the default value (1 minute) only if client sessions appear to be timing out more frequently than the Session Timeout value.

Proceed to Portal Configuration—Look & Feel and Portal Configuration—SSIDs to complete portal configuration. Note that since authentication is performed by Azure, you do not create any login pages for user interaction, but you can customize a Manage Devices page. Go to the Users tab to view users who have authenticated to the portal.

The EasyPass Microsoft Azure Users Tab

Select the Users tab to display all users who have gained access to the EasyPass Microsoft Azure portal at least once. You can export entries as a comma- separated values (.csv) file in the same way as described in “Export to CSV file”.

To disable a user’s network access, delete the user’s entry on this page. The user can re-authenticate unless the user’s device has been blocked (see My Network— Clients).

To view the devices that a user has onboarded, hover over the user’s entry and click the Details button . The slide-out panel lists each device along with its type and MAC address, and allows you to delete devices. You must click the Save button to save any changes made.

The EasyPass Azure Access Control Tab (MAC ACL)

See The EasyPass Google or Azure Access Control Tab (MAC ACL).

Combine Portals on One SSID

This option offers clients the choice of two portals on one SSID. Use this to reduce the number of SSIDs in your network and simplify management. For example, you can offer two different portal types while having only one open SSID in your wired network. A Welcome Page (example below) allows the client to select one of the two portals, and the client then proceeds to obtain access using that portal.

The two portals to be combined must already have been created. Before deployment, they should be completely defined as described in Portal Configuration—General and Portal Configuration—Look & Feel. The settings on those pages will be used for the portals. There is no need to associate the individual portals with SSIDs, since you will specify an SSID for this combined portal in Portal Configuration—SSIDs. However, if SSID values are set for the individual portals, the portals will be offered on the specified SSIDs as well.

Enter the following settings:

The following portal types may be combined:

There is no Users tab for the combined portal. Each client will select one of the two portals, and will appear on that portal’s Users tab for management purposes.

Proceed to Portal Configuration—Look & Feel to create the portal choice page for clients, and then use Portal Configuration—SSIDs to select the SSID for this portal.

Portal Configuration—Look & Feel

Click the Look &  Feel tab to customize the web pages and emails used to welcome users and guests and walk them through the steps of obtaining access. You can customize pages and emails by adding a logo, background, and text, enabling terms of use, allowing social media logins, and more. Note that the last section below, How to Customize a Page, describes how to use the page design features.

Once you have completed configuration as described in the sections below, see Portal Configuration—SSIDs to assign SSIDs to your access portal.

Self-Registration Portal Pages

This includes six items that you can customize, including emails and web pages. See How to Customize a Page for details on configuring the fields on these pages.

Guest Ambassador Portal Pages

This type of portal only uses two guest pages (an email and a login page), since your organization explicitly creates all guest accounts as described in Managing Guests. See How to Customize a Page for details on configuring the fields on these pages.

One Click Portal Pages

This simple portal includes just three pages that you can customize. See How to Customize a Page for details on configuring the fields on these pages.

One-Click Access Page — This page appears for guests. It requires them to click the Agree & Connect button to accept the Terms of Use and receive access. A link is provided to view the terms of use. If you have not selected Enable Terms of Use, then guests simply click a Connect button.

Terms of Use — If you have enabled Terms of Use for this portal, this page appears if guests click the Terms of Use link on the One Click Access page.

Access Expired Page — When the guest’s Session Expiration time is reached, this page is displayed. It informs the guest when access will be allowed again (after the Session Lockout waiting period, if any, has passed).

EasyPass Onboarding Portal Pages

This type of portal only has two user pages, since your organization explicitly creates all user accounts described in Managing Onboarding Users and Their Devices. See How to Customize a Page for details on configuring the fields on this page.

EasyPass Voucher Portal Page

This type of portal only uses one guest page, since your organization explicitly creates all vouchers as described in Managing Vouchers. See How to Customize a Page for details on configuring the fields on this page.

EasyPass Personal Wi-Fi Portal Pages

This includes five pages that you can customize, including emails and web pages. See How to Customize a Page for details on configuring the fields on these pages.

enter the Personal ID field. (The Personal ID entered by the user is not verified as being valid, but it is displayed on the Personal SSIDs tab for your reference, see “Managing EasyPass Personal Wi-Fi SSIDs”.) An option option to Enable Terms of Use is provided—if selected, this displays a link to a Terms of Use page after the user has filled in the requested personal SSID information.

EasyPass Google or Microsoft Azure Portal Pages

These portals only have one user page, since the login interface is provided by Google or Azure. See How to Customize a Page for details on configuring the fields on this page.

Combined Portal Page (Two-Way Portal)

This type of portal only has one page which asks users which of the two portals they want to use. It then simply directs the user to the selected portal, which you should have already set up. See How to Customize a Page for details on configuring the fields on this page.

How to Customize a Page

Select the page to be modified from the list of pages offered on the right of the Look & Feel page, as shown in the screenshot at left. A prototype of the selected page will be displayed. Note that you can use the arrows (circled in the screenshot) to scroll up and down to show other pages.

As you make modifications, their effect is shown directly on the page. Here are the modifications that you can make. They apply to all page and portal types unless otherwise indicated.

Company Name — Will appear on the upper left. The font, size, and color cannot be changed.

Portal Configuration—SSIDs

A portal may run on multiple SSIDs, i.e., the portal may operate on more than one SSID (except for EasyPass Personal Wi-Fi portals, which may only have one SSID assigned). Each SSID may only have one portal defined on it.

Managing Guests

To configure Self-Registration or Guest Ambassador portal guests manually, or to view and manage guest accounts, click the Guests tab on the upper right. All guests with accounts are shown in the guest list regardless of the type of portal, whether self-registered or not. The State column shows whether the account is enabled (active), expired, or has been manually disabled. The most recent Activation date for the account is shown. For active accounts, Expiration shows the date that the account will expire. For expired accounts, this shows the most recent expiration date. For more information, see Session Expiration under Self-Registration.

Use of this page is described in the following topics:

Managing Guests—Details

Hover over any button to see a tool-tip showing the button’s function:

If the account does not have wireless access, you may Enable Access. If the account does have access enabled, options are provided to Remove Access or Reset & Send Password (this will also extend the expiration of access based on this new activation).

Export to CSV file

Managing Onboarding Users and Their Devices

User accounts for an EasyPass Onboarding Portal must be explicitly added to XMS-Cloud by a user or administrator. Wireless network users cannot register their own accounts. You may add individual user accounts manually, or import an Excel file with a list of accounts. When you add new users to the portal, XMS- Cloud generates a User-Preshared Key for each account (User-PSK). All of a user’s devices gain access and are registered by entering this key. An EasyPass

Onboarding user enters this User-PSK the first time he or she connects to the Cambium Xirrus Wi-Fi network from each device to be registered.

You are responsible for notifying the user about the assigned User-PSK. A list of user accounts may be exported to a .csv file, and you may use this obtain a list of user names and User-PSKs to create user notifications.

If the user attempts to register too many devices (i.e., the Maximum Device Registration value specified on the Configuration-General page has been exceeded—see Portal Settings for Onboarding), the user is notified via the Manage Devices Page (see EasyPass Onboarding Portal Pages). This page allows devices to be de-registered to make room for other devices to be onboarded.

How to Add or Manage Users

1.

To add users, or to view and manage their accounts, select the Onboarding portal from EasyPass, and then click the Users tab on the upper right.

Authentication Username (optional) is used if you have enabled Optional User Authentication in Portal Settings for Onboarding. It specifies the RADIUS user name for this account. This adds an extra level of security to the RADIUS authentication by making sure that the user authenticates with the correct account name, rather than using someone else’s RADIUS credentials. If Optional User Authentication is enabled, you may enter a username or leave this field blank for particular entries, as desired.

7.

To view user information, hover over the user’s entry and click the Details button . The More drop-down menu allows you to delete this

user entry, or generate a User-PSK (the user will have to re-register devices with the new PSK). To view and manage the devices that a user has onboarded,

8.

Click the Devices button on the left of the User Details display. This lists each device along with its type and MAC address, and allows you to delete devices.

Managing Vouchers

All EasyPass Vouchers are shown in this list, regardless of whether they have been used. The Access Code column shows the password for this voucher in clear text. The State column shows whether the access code is Pending (unused), Active (in use), or Expired (used and expired). Active and Expired vouchers show their Activation date—the first date that someone logged in using this Access Code. They also show an Expiration date—when the voucher will expire or has expired.

The Registered Devices column lists the devices (if any) that have been registered on each voucher. You may select a registered device and delete it to revoke its access privilege—if the device is currently connected to an AP, it will be disconnected. If a voucher had the maximum allowed number of devices registered, deleting one will free up a slot for a new device.

How to Manage Vouchers

1.

To add, view, and manage vouchers, select the EasyPass Vouchers portal from EasyPass, and then click the Vouchers tab on the upper right.

2.

The Voucher list shows your existing vouchers and whether each is in use (Active) or not (Pending). If a voucher is Active, the number of devices using that voucher is shown, along with the time it was activated and when it will expire. To view information about the devices registered to a voucher, hover over the voucher’s entry and click the Details button . Each device is identified by its MAC address and type. You may delete devices as desired. Note that you must click the Save button to save any changes made.

Managing EasyPass Personal Wi-Fi SSIDs

All personal SSIDs created by users (as described in EasyPass Personal Wi-Fi) are shown in this list, including those that have expired but have not been deleted due to settings on the General page. The Access Point column shows the AP on which this personal SSID was created. The Profile column shows the profile that the AP belongs to, and where this portal’s SSID is defined. The Status column shows whether the personal SSID is Expired. Active and Expired personal SSIDs show their Created date and their Expiration date. The MAC Address column shows the MAC Address of the device from which this user first connected to the AP and created this Personal SSID. The Personal ID column shows the information that the user entered (if any) when this Personal SSID was created.

Templates

User can create a template to apply bulk configuration for multiple profiles and use it as often as necessary instead of recreating every time for a profile. Once you create the templates, you can either add/edit using the UI and this saves time and eliminate errors

Following templates can be created for profile such as:

Switches

Creating Templates and Profiles to configure port settings, makes it easy to configure and manage a single switch or 100 of switches. User can configure by applying a pre-configured template as shown below:

User can apply global switch templates at the profile level within the Switch Configuration. These settings can be overridden at the individual switch level if needed.

To apply the template:

The pre-configured Switch Template will be added. You can make any changes to customize it if necessary. If any changes made to the Switch will not affect the template.

Ports

Creation of Port template which can be used in different profiles, and other enhancements. The ability to create Port templates that can be used across multiple profiles available.

Navigate to the Profiles, click the Switches tab and from the device model select the applicable port and in Start From dropdown select Template. The pre-configured port template will be added. You can make any changes to customize it if necessary. If any changes made to the port will not affect the template.

PBA

Creation of PBA templates which can be used in different profiles, and other enhancements. The ability to create PBA templates that can be used across multiple profiles available.

To apply the template, navigate to the Profile, click the Policies tile and click the add new PBA button, and from the PBA Template dropdown select the template. The pre-configured PBA template will be added. You can make any changes to the PBA to customize it if necessary.

SSIDs

Creation of SSID templates which can be used in different profiles, and other enhancements. The ability to create SSID templates that can be used across multiple profiles available.

To create an SSID template:

Once the SSID template has been configured, user can add firewall and application control rules. These rules will be enforced whenever this SSID template is used. After the template has been created, can go back to edit or delete the template as needed.

To apply the template, navigate to the Profile, click the Access Points tile and click the NEW SSID button, and from the dropdown select the create from template. The pre-configured SSID template will be added. You can make any changes to the SSID to customize it if necessary. Any changes made to the SSID will not affect the template.

My Network

My Network provides the following tabs for network monitoring and includes tools for troubleshooting.

Filters

Most of the pages in My Network offer granular insight into the network by letting you view information for a selected portion of the network. Use the Filter or Profile/Group field on the upper right to choose one of your Profiles, Access Point Groups, or SSIDs. Only data for APs in that portion of the network will be displayed. For example, you might select your Guest SSID to see data usage by visitors.(Note that in order to filter by SSID, you must set Default Firmware to Technology in Firmware Upgrades.) A tab indicates that a filteris in use by displaying the filter icon: . To revert to seeing data for all APs, set Filter back to All AccessPoints. Many pages also have a View field to select the time period to be included in the display.

My Network—Overview Tab

The Overview tab offers a number of different dashboard views for monitoring network status and performance. Select My Network on the top toolbar, then select the Overview tab. A ribbon offers the following choices:

To see results for only a portion of the network or for a limited time period, see Filters. Click or hover on areas of Overview pages that are of interest. Many of them drill down to display more detailed information. Use the Full Screen button , located on the right and below the ribbon, to expand the current display to most of the page. The Exit Full Screen button  reverts to the standard display. The Dashboard section below describes adding widgets — they can be added on other Overview pages besides dashboards.

Dashboard

Create dashboards to specify customized views of information needed for network management. For example, you can show the Top Applications (by Usage), the Top Clients (by Usage), and list Clients (by Lowest Health Scores) to show clients that have problems or are generating too much traffic. Summaries are available with summaries of the APs that are up, down, or taken out of service. Each of these types of display is called a widget. Choose from a large variety of widgets presenting different data.

To see results for only a portion of the network or for a limited time period, see Filters.

To create a dashboard and add widgets:

n

There are two types of widgets in the list that you can choose from. Regular widgets(charts, lists, graphs) are labeled with    .

n

Summary widgets (tiles) are labeled with . Summaries appear on the right side of the dashboard and display current counts, such as the current number of high alerts, the number of APs down, or the number of clients using 2.4 GHz. Some of these summaries include a link. For example, click Clients on 2.4 GHz to go to the My Network—Clients tab, with filters set to list only the current 2.4 GHz clients.

Some dashboard widgets allow you to drill down to view more detailed information. For example, the Applications section below makes extensive use of this. The Clients (by Lowest Health Scores) widget has links for clients experiencing problems — click one to go to its Client Health Score Panel for Troubleshooting.

Another example is the Top Clients (by Usage) widget that allows you to drill down multiple levels to obtain a wealth of detail for troubleshooting a client. This widget shows the clients that have generated the most traffic, and you can choose to select the top clients by time period, and by total usage or upload or download traffic.Click the menu button     to see more display options. For example, the View drop-downlist appears and lets you identifyclients by Hostname, IP Address, etc. Select the display format—list or chart—with the buttons at the bottom right.

Click a client to show a list of this client’s Top Applications (by Usage). Note that the widget’s title changes to Clients/[this client’s name]. Hover over an application to see a detailed description of that application. Click the Clients link to go back to the original display of Top Clients.

Back at the Top Clients list, hover over a client to see a pop-up of its device type and a short set of additional options.

These options include blocking this client, a shortcut to open the Client Health Score Panel for Troubleshooting, or click the Details link to jump right to the client troubleshooting panel’s    display. See My Network—Clients for more information about clients, blocking, and the troubleshooting features.

Applications

This page summarizes application usage in the wireless network. Access it via the Applications tile in the ribbon on the Overview tab.

In Top Applications by Usage, click on an application to drill down for valuable detailed information, including identifying the major users of the application. Users are identified by device MAC address or by user ID, email, or host name if one of those is available. If the traffic from a particular device is a problem, you can select the device and click its Block link to add its MAC address to a blacklist that blocks wireless network access (for example, you can block access while investigating the problem and possibly adding a filter to address the problem).

Click the Access Points tab to see the top APs handling traffic for the selected application. To return to the list of  top applications, click the widget’s title: Applications. You can create Policies to keep network usage focused on productive uses, eliminating risky and non-business-oriented applications discovered in the Applications page, or increasing the priority of mission-critical applications like VoIP and WebEx.

Application Categories by Usage is similar, but it groups applications into categories such as Streaming Media, Networking, and File Transfer. Click on a category to see it broken down to its applications that are generating the most traffic.

Map

The map is a representation of the location of your Cambium Xirrus devices. Colors indicate operational status, and geographical clusters of devices can be grouped for an at-a-glance summary of their status. See My Network—Floor Plans to drill down to views of devices sited in each of your buildings.

2.

A side panel lets you move multiple devices, or place them on the map before they have come online. Click > on the upper right to display the panel, then click the Access Points button.

3.

All of your APs are listed. Use the filter  button to filter the AP list by Model, Profile, IPAddress, or Location. A search string may have a wild card(asterisk) at the end to match any item that beginswith the string you entered.For example, BUILDING1* will match Building1, Building146, etc. Drop-downlists let you select strings to match—forexample, the Model list shows all of the model numbers in your network.