Initial Configuration
All configurations described in this chapter are performed by the tenant administrator. The system administrator here refers to the cloud management platform administrator.
Logging In to iMaster NCE-Campus as a Tenant Administrator
Context
A tenant administrator can use a browser to log in to iMaster NCE-Campus to perform system management and maintenance operations. The following web browsers are supported:
- Google Chrome 57 or later
- Microsoft Edge 20 or Microsoft Edge 40
Procedure
- Open a browser.
- Enter https://iMaster NCE-Campus server IP address:port number in the address box, and press Enter.
- The IP address of the iMaster NCE-Campus server is the Northbound management IP specified when you install iMaster NCE-Campus.
- The port number is 18008. The port number used for the login must be the same as that specified during the installation.
- The method for logging in to an authentication component is the same as that for logging in to iMaster NCE-Campus.
- Ignore the security certificate warning and access the login page.
When you log in to iMaster NCE-Campus using a browser, the browser performs unidirectional authentication on iMaster NCE-Campus based on the ER certificate. The Huawei ER certificate has been pre-configured during iMaster NCE-Campus installation. This certificate is used only for temporary communication and is not for commercial use. You can apply for a new ER certificate to update the preconfigured ER certificate to improve iMaster NCE-Campus communication security. You are advised to periodically update the certificate to prevent system security risks caused by certificate expiration. After the ER certificate is updated, the message indicating a security certificate error will not be displayed.
- Google Chrome: Choose Advanced > Proceed to ... (unsafe).
- Enter a tenant administrator username and password, and click Log In.
- (Optional) Upon the first login, change the password as prompted. Skip this step if it is not your first login.
- For security purposes, do not save your password in the browser.
- If the system administrator has configured an email server and the MSP administrator does not set an email address for the tenant administrator during tenant account creation, an email address needs to be bound to the tenant administrator account upon the tenant's first login.
- If the system administrator has not configured an email server, no email address needs to be bound to the tenant administrator account upon the tenant's first login.
- When a sub-tenant administrator account created by the root tenant administrator logs in to iMaster NCE-Campus for the first time, no email address needs to be bound to the sub-tenant administrator account.
- (Optional) Perform two-factor authentication. If a mobile number has been set for the tenant administrator account, click Obtain Verification Code and enter the received verification code. You can log in to iMaster NCE-Campus after the verification succeeds. This step is not required if username and password authentication is selected when the MSP administrator creates the tenant administrator.
- (Optional) Sign the privacy statement.
If the MSP administrator selects a privacy statement when creating a root tenant administrator, the root tenant administrator needs to sign the privacy statement when logging in to iMaster NCE-Campus for the first time. Otherwise, the login will fail.
If the root tenant administrator has signed the privacy statement, the sub-tenant administrators created by this root tenant administrator need to sign the privacy statement as well when logging in to iMaster NCE-Campus for the first time. Otherwise, the login will fail.
- (Optional) Set a device administrator password and a password used to enter the BootROM menu of devices on iMaster NCE-Campus. This step is required only upon your first login.
After a device goes online at a new site, the two passwords set here will automatically apply to the device. This ensures device security.
If the system administrator disables The device BootROM password can be configured, tenants cannot change the BootROM password. For details about how to disable tenants from changing the BootROM password, see Configuring a BootROM Password Policy.
Configuring Account Policies and Password Policies
Context
The system administrator has configured account policies and password policies. Tenant administrators can modify these policies as needed.
Procedure
- Configure account policies.
Account policies have been configured on iMaster NCE-Campus by default. Tenant administrators can modify the account policies, such as account length policy and account login policy.
Choose from the main menu, and click Account Policy to configure account policies.
- Configure password policies.
Password policies have been configured on iMaster NCE-Campus by default. Tenant administrators can modify the password policies as needed, for example, password complexity requirements, the password change interval, and character limitations.
Choose from the main menu, and click Password Policy to configure password policies.
For security purposes, configure all password policies provided by iMaster NCE-Campus.
If PCI authentication is required, modify account and password policies as follows:
- Enable Disable unused accounts, and set Maximum number of consecutive idles days of account to 90. An account is disabled if the account has not logged in to the system at all for more than 90 days.
- Set Invalid password monitoring period (min) to 30 in the Account Lockout Trigger Conditions area. In this case, if an account fails to log in to the system for five consecutive times within 30 minutes, the account is locked for 30 minutes.
- Set Number of historical passwords that cannot be reused to 4.
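The PCI lockout, idle-disable and password-history settings above, modelled as an added Python example (not code from iMaster NCE-Campus or from the original page). The Account class, the function names and the sample events are constructed for illustration; the model assumes that a successful login resets the failure count, that a never-used account counts idle time from its creation, and that the current password is one of the 4 historical passwords.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Values from the PCI settings listed above.
MONITOR_WINDOW = timedelta(minutes=30)  # Invalid password monitoring period (min)
MAX_FAILURES = 5                        # consecutive failures that trigger a lock
LOCK_DURATION = timedelta(minutes=30)   # how long the account stays locked
MAX_IDLE = timedelta(days=90)           # idle time after which an account is disabled
PASSWORD_HISTORY = 4                    # historical passwords that cannot be reused


@dataclass
class Account:  # hypothetical model, not an iMaster NCE-Campus object
    name: str
    last_login: datetime                                    # creation time if never logged in (assumption)
    failures: List[datetime] = field(default_factory=list)  # recent consecutive failures
    locked_until: Optional[datetime] = None
    history: List[str] = field(default_factory=list)        # password hashes, newest last


def attempt_login(acct: Account, when: datetime, password_ok: bool) -> str:
    """Return 'ok', 'failed', 'locked' or 'disabled' for one login attempt."""
    if when - acct.last_login > MAX_IDLE:       # idle for more than 90 days
        return "disabled"
    if acct.locked_until is not None and when < acct.locked_until:
        return "locked"                         # even a correct password is refused
    if password_ok:
        acct.failures.clear()                   # assumption: success resets the count
        acct.locked_until = None
        acct.last_login = when
        return "ok"
    # Failures older than the monitoring period no longer count.
    acct.failures = [t for t in acct.failures if when - t <= MONITOR_WINDOW]
    acct.failures.append(when)
    if len(acct.failures) >= MAX_FAILURES:
        acct.locked_until = when + LOCK_DURATION
        acct.failures.clear()
        return "locked"                         # the fifth failure triggers the lock
    return "failed"


def change_password(acct: Account, new_hash: str) -> bool:
    """Accept a new password hash unless it matches one of the last 4."""
    if new_hash in acct.history[-PASSWORD_HISTORY:]:
        return False
    acct.history.append(new_hash)
    return True


# Constructed sample: (minutes after 09:00, password correct?)
SAMPLE_EVENTS = [
    (0, False), (5, False), (10, False), (15, False),
    (20, False),   # fifth failure inside 30 minutes: lock until minute 50
    (25, True),    # correct password, but the account is still locked
    (51, True),    # lock has expired, login succeeds
]


def replay(events):
    """Replay constructed login events against a fresh account and return the outcomes."""
    start = datetime(2024, 1, 1, 9, 0)
    acct = Account("tenant-admin", last_login=start)
    return [attempt_login(acct, start + timedelta(minutes=m), ok) for m, ok in events]


if __name__ == "__main__":
    for (minute, ok), outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"t+{minute:>2} min  password_ok={ok!s:<5}  ->  {outcome}")
```

Because only failures inside the 30-minute monitoring period are counted, authentication-failure logs should also be reviewed over longer periods than the lockout window.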
Creating a User Role
You can create user roles as needed if default user roles preset in the system cannot meet your requirements.
Context
Users with the same operation rights can be managed by role. After an account is attached to a role, the account has all rights of this role.
Procedure
- Choose from the main menu, and click the Role tab.
- Click Create. Enter the role name and select function rights for the role.
By default, the following roles are preset for tenants. These roles cannot be deleted or modified.
- Monitor: A monitor can view tenant services and configurations.
- Open Api Operator: An open API operator can use open API services and related configurations.
- Tenant Administrator: A tenant administrator can perform operations on tenant services and related configurations.
- Operator: An operator can manage system service running.
The Operator role is unavailable for tenant administrators created on iMaster NCE-Campus running V300R019C00.
- CLI Operator: A user attached with this role has the permission to import device commands using a command template. For details, see Issuing Commands Using a Template.
Issuing commands is supported only on the WAN. The CLI Operator role is available only in EVPN tunnel mode.
In the Select function list, each function node has a fixed name but the node order in the list varies depending on the iMaster NCE-Campus version. Figures in this section are for reference only.
- You are advised to create roles and grant function rights based on the following table. You can also create roles as needed.
Role Type | Rights |
---|---|
Management | Global management personnel, with all rights. |
Monitoring | Global monitoring personnel, with all monitoring rights. |
Configuration | Network configuration personnel, with rights to configure the network, traffic policies, and security policies. |
Maintenance | O&M personnel, with rights to maintain devices and manage files and logs. |
- For a management role: Select all functions.
- For a monitoring role, select Monitoring and all functions under it.
- For a configuration role, select Design, Provision, System, Admission, Policy, ServiceConsisitency Group, along with all functions under them.
- For a maintenance role, select Maintenance and all functions under it.
- Click OK.
Creating a Sub-Tenant Administrator Account
Context
A tenant administrator created by an MSP administrator has all rights of a tenant, and is called a root tenant administrator.
To ensure system security, the root tenant administrator can create multiple sub-tenant administrators and attach roles to each sub-tenant administrator so that the sub-tenant administrator can have corresponding rights of the roles.
A tenant administrator can set the maximum number of concurrent online users. The value ranges from 0 to 999. The value 0 indicates that the maximum number of concurrent online users is not limited. To ensure system performance, the maximum number of concurrent online users is limited to 5000.
Procedure
- Choose from the main menu.
- Click Create, and set parameters on the Create User page.
For security purposes, keep the password secure and change it periodically.
- Manually configure a password when creating an account.
Set Password create mode to Manual and then set a password for the account. If Modify password first login is set to Yes, the user will be prompted to change the password when using this account to log in to iMaster NCE-Campus for the first time, and can successfully log in after changing the password.
- Create a password via email.
Set Password create mode to Email. After the account is created, the system sends a URL to your email box. You can click the URL to configure a password for the user account.
- If you choose to configure a password via email, configure an email server before creating an account. Otherwise, the system fails to send a URL to the specified email address. For details, see Configuring an Email Server.
- If the password for a user account is configured via email, the user does not need to change the password upon the first login to iMaster NCE-Campus.
Table 6-21 Description of parameters on the Create User page
Parameter | Description |
---|---|
Account | User account used for login. |
User type | The following two user types are available: Local (local users can log in to iMaster NCE-Campus only from the web UI) and Third-party user (a third-party system user can invoke the northbound API /controller/v2/tokens to log in to iMaster NCE-Campus). NOTE: A third-party user can log in to iMaster NCE-Campus only by invoking the API. A local user can log in to iMaster NCE-Campus only through the web UI. After an upgrade, local users and third-party users can log in to iMaster NCE-Campus either by calling the API or through the web UI. |
Password create mode | Mode in which a password is created. The options are Manual and Email. |
Password / Confirm Password | Initial login password of the newly created administrator. NOTE: The two parameters are configurable only when User Type is set to Local. If Password create mode is set to Email, set a valid email address. After the account is created, the system sends a URL to the mailbox. The user can click the URL to configure a password. If Password create mode is set to Email, the user does not need to change the password when logging in to iMaster NCE-Campus for the first time. |
Modify password first login | Whether to change the password upon first login. |
Email address | When resetting passwords, users can receive new random passwords generated automatically through emails. |
Mobile number | When resetting passwords, users can receive new random passwords generated automatically through SMS messages. |
Role | Role to be attached to the user. |
- On the Managed Object page, select the sites to be managed by the sub-tenant administrator, and click Next.
If a sub-tenant administrator is authorized to manage selected sites, the administrator cannot view the following menus after logging in to iMaster NCE-Campus since the administrator does not have the permission to manage all resources:
- (Optional) Configure access control.
On the Access Control page, click Create, configure the range of IP addresses that can be used to log in to iMaster NCE-Campus, and click Next.
- Click OK.
Follow-up Procedure
- Modify account information, reset the password, and disable or enable the account.
- Choose from the main menu.
- In the Operation column, click the corresponding icon to modify account information, reset the password, or disable the account. If the account has been disabled, click the icon to enable the account.
- Delete an account.
- Choose from the main menu.
- Select an account, and click Delete.
- Transfer workgroup administrator rights.
If the administrator of a workgroup is changed, an upper-level administrator can transfer the workgroup administrator rights to another administrator.
Workgroup administrators can transfer their rights only to the administrators created by themselves. Before transferring rights of a workgroup administrator, ensure that the workgroup administrator has created an administrator account.
- This operation can only be performed on level-1 sub-workgroups of the workgroup to which the current user belongs and cannot be performed on the workgroups of level 2 or higher.
- If workgroup administrators remain online after their rights are transferred, they will be forced offline and have no rights.
- Choose from the main menu. Click the User tab.
- Click Select, select the desired workgroup, and click OK.
Select a desired account and click Hand Over to enable this account to become the new workgroup administrator.
The new account must be an administrator account created by the old workgroup administrator account.
If the icon is moved to the right of the new administrator account, the rights are transferred successfully.
- Configure a user group.
User groups are used to interconnect iMaster NCE-Campus with third-party services, such as the Active Directory Federation Services (ADFS), NetIQ, LDAP server, AD server, and RADIUS server.
Choose from the main menu. Then, click the User Group tab, and click Create to create a user group.
Click Next and select objects to be managed by the user group if Select all resources is disabled.
- Perform personalized settings.
Personalized settings improve iMaster NCE-Campus access security. The personalized settings apply only to the current tenant administrator account.
- Set the number of concurrent online users.
- Choose from the main menu.
- On the Basic Information tab page, click the icon and set Max. concurrent users. The value 0 indicates there is no limit on the maximum number of concurrent online users.
- Change the user password.
- Choose from the main menu.
- On the Basic Information tab page, click the icon next to the password. In the dialog box that is displayed, set a new password.
- Modify the IP address range that can be used by the current account to log in to iMaster NCE-Campus.
- Choose from the main menu.
- On the Access Control tab page, click Create, set a start IP address and an end IP address, and click OK. If the IP address range list is empty, login is allowed from any IP address.
- Set an idle timeout interval for the current tenant administrator account.
iMaster NCE-Campus supports the idle timeout interval setting to prevent unauthorized operations when the administrator is away. If an administrator does not perform any operation within a specified period of time, the administrator will be logged out automatically and needs to log in to iMaster NCE-Campus again.
Choose from the main menu, click Idle Timeout Settings, set Idle duration (min), and click OK.
- Check online users.
Choose from the main menu, click the Online User tab, and view online users.
- Check whether you have signed a privacy statement.
- Choose from the main menu.
- On the Basic Information tab page, check whether you have signed the privacy statement.
- If Sign privacy statement is Not signed, you have not signed the privacy statement.
- If Sign privacy statement is Signed, you have signed the privacy statement.
- Withdraw a privacy statement.
To withdraw your consent to the privacy statement, click Cancel next to Sign privacy statement and click OK in the Warning dialog box that is displayed.
You will be logged out if you withdraw the consent to the privacy statement. In addition, your mobile number and email address will be deleted. This may affect your login or password retrieval. Exercise caution when performing this operation.
License Management
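License Mode | License Redistribution | Application Scenario | Role | Operation |
---|---|---|---|---|
Global permanent | Not supported | On-premises scenario | System administrator | Import license files of iMaster NCE-Campus and iMaster NCE-CampusInsight. |
Global permanent | Not supported | On-premises scenario | MSP administrator | View the license information. |
Global permanent | Not supported | On-premises scenario | Tenant administrator | View the license information. |
Global subscription | Disabled | MSP-owned cloud scenario (MSP administrators do not need to centrally manage licenses.) | System administrator | |
Global subscription | Disabled | MSP-owned cloud scenario (MSP administrators do not need to centrally manage licenses.) | MSP administrator | N/A |
Global subscription | Disabled | MSP-owned cloud scenario (MSP administrators do not need to centrally manage licenses.) | Tenant administrator | N/A |
Global subscription | Enabled | MSP-owned cloud scenario (MSP administrators need to centrally manage licenses.) | System administrator | |
Global subscription | Enabled | MSP-owned cloud scenario (MSP administrators need to centrally manage licenses.) | MSP administrator | Distribute licenses to tenant administrators. |
Global subscription | Enabled | MSP-owned cloud scenario (MSP administrators need to centrally manage licenses.) | Tenant administrator | View the license information. |
Tenant subscription | Disabled | Huawei public cloud scenario (MSP administrators do not need to centrally manage tenant licenses.) | System administrator | Disable the license split function when creating an MSP administrator. |
Tenant subscription | Disabled | Huawei public cloud scenario (MSP administrators do not need to centrally manage tenant licenses.) | MSP administrator | Apply for license activation codes from the Electronic Software Delivery Platform (ESDP). |
Tenant subscription | Disabled | Huawei public cloud scenario (MSP administrators do not need to centrally manage tenant licenses.) | Tenant administrator | Purchase license activation codes from MSPs, and import the codes to iMaster NCE-Campus and iMaster NCE-CampusInsight. |
Tenant subscription | Enabled | Huawei public cloud scenario (MSP administrators need to centrally manage tenant licenses.) | System administrator | Enable the license split function when creating an MSP administrator. |
Tenant subscription | Enabled | Huawei public cloud scenario (MSP administrators need to centrally manage tenant licenses.) | MSP administrator | Apply for license activation codes from the ESDP, and import the codes to iMaster NCE-Campus and iMaster NCE-CampusInsight. |
Tenant subscription | Enabled | Huawei public cloud scenario (MSP administrators need to centrally manage tenant licenses.) | Tenant administrator | View the license information. |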
Viewing License Information (Global Subscription Mode + License Redistribution Enabled)
Context
For global subscription licenses, if an MSP has allocated license resources to tenants, the tenants can view their own license resource status and consumption information without the need to activate licenses.
Procedure
- Choose from the main menu, and view the license resource status and consumption information.
- Click Expiration Notification, enable Receive expiration notification, and configure the email addresses of recipients. Notification emails will be sent to the specified email addresses when a license is about to expire.
- The system administrator must configure an email server before enabling Receive expiration notification. Otherwise, Receive expiration notification cannot be enabled. For details, see Configuring an Email Server.
- A maximum of five email addresses can be configured. Email addresses need to be separated with line breaks.
- If a license resource item is about to expire in less than 30 days, the system will send notification emails at 02:25 every day.
- If license expiration notification is configured, the license expiration email is sent only to the email addresses specified in Notified object. In this case, you are advised to specify the email address of the tenant administrator in Notified object.
Viewing License Information (Tenant Subscription Mode + License Redistribution Enabled)
Context
For tenant subscription licenses, if an MSP has allocated licenses to tenants, the tenants cannot activate the licenses, but can only view the status and consumption information about the licenses.
Prerequisites
The MSP has allocated licenses to tenants. For details, see Activating and Allocating a License (Tenant Subscription Mode + License Redistribution Enabled).
Procedure
- Log in to iMaster NCE-Campus as a tenant administrator and choose from the main menu to view the license status and consumption information.
Activating and Authorizing Licenses (Tenant Subscription Mode + License Redistribution Disabled)
Context
If the system administrator does not enable the license split function when creating an MSP administrator, tenants need to purchase license activation codes from the MSP and import the activation codes to activate licenses.
- After logging in to iMaster NCE-Campus for the first time, the system administrator needs to set the license mode to Tenant Subscription Mode.
- This operation applies only to the Huawei public cloud scenario.
- Tenants purchase license activation codes from the MSP.
- Coding mode: 8806
- License consumption by time: After license expiration, iMaster NCE-Campus stops providing services.
- License form: Number of devices x Number of available days
- Example: A subscription license is similar to that of a monthly package. If a customer purchases a "10 device x day" license for S5700-LI series devices with 8 ports, one device of this model can be used for 10 days, two devices of this model can be used for 5 days, and so on. The total number of license units must be 10.
- Deduction time: The system deducts and settles license resources at 02:00 every day.
Prerequisites
- A tenant account has been registered.
- The tenant has logged in to iMaster NCE-Campus using the tenant account.
- The tenant has purchased license activation codes from the MSP.
- If the tenant needs to import activation codes of iMaster NCE-CampusInsight licenses through iMaster NCE-Campus, synchronize iMaster NCE-CampusInsight licenses to iMaster NCE-Campus before interconnecting iMaster NCE-Campus to CampusInsight. For details, see Configuring Interconnection with iMaster NCE-CampusInsight.
Procedure
- Choose from the main menu.
- Import either activation codes or entitlement IDs to activate licenses.
From the first time a device is registered, the device consumes license resources regardless of whether it is online or offline, or reports alarms. License deduction starts at 02:00 every day, and each device consumes one license unit every day.
If the tenant subscription mode is configured and license redistribution is disabled, iMaster NCE-Campus provides common series license resources of 90 days (can be shared between devices) by default.
- Click Import Activation Code.
- Multiple activation codes need to be separated with line breaks.
- A maximum of 10 activation codes can be entered.
- After configuring interconnection between iMaster NCE-Campus and iMaster NCE-CampusInsight, you can import activation codes of iMaster NCE-CampusInsight licenses to iMaster NCE-Campus.
- Click Import Auth ID.
- Multiple entitlement IDs need to be separated with line breaks.
- A maximum of 10 entitlement IDs can be entered.
- View the license status.
- (Optional) Click Recalculate Expiration Time and set a unified expiration time of license resources.
The function of recalculating the license expiration time is not applicable to common series resources.
Under a tenant, the expiration time of device licenses with the same device type is automatically recalculated when settlement is performed on a daily basis.
Under a tenant, the expiration time of device licenses with different device types is not automatically recalculated. To recalculate the expiration time of such licenses, perform this step.
This function allows you to configure a unified expiration time for resource items with different expiration time for easy management and resource integration. This operation cannot be rolled back.
For example, there are three types of license resource items, including AR100 series: 10 device-days with 5 RMB per device-day; AR1200 series: 20 device-days with 10 RMB per device-day; and indoor AP series: 20 device-days with 20 RMB per device-day. Assume that iMaster NCE-Campus manages five AR100 series devices and 10 AR1200 series devices. You can click Recalculate Expiration Time to integrate license resources. The formulas are as follows: 10 x 5 + 20 x 10 + 20 x 20 = 650, 5 x 5 + 10 x 10 = 125 (consumption of all devices in a day), 650/125 = 5 R 25 (remainder 25). According to the calculation result, the license resources for AR100 and AR1200 series devices will expire in five days. The remaining 25 RMB will be added to the new license resource pool to be integrated in the next calculation.
This function enables resource allocation to be more flexible. Resources that are in arrears can be integrated so that they can be used normally.
- Click Expiration Notification, enable Receive expiration notification, and configure the email addresses of recipients. Notification emails will be sent to the specified email addresses when a license is about to expire.
- The system administrator must configure an email server before enabling Receive expiration notification. Otherwise, Receive expiration notification cannot be enabled. For details, see Configuring an Email Server.
- A maximum of five email addresses can be configured. Email addresses need to be separated with line breaks.
- If a license resource item is about to expire in less than 30 days, the system will send notification emails at 02:25 every day.
- If license expiration notification is configured, the license expiration email is sent only to the email addresses specified in Notified object. In this case, you are advised to specify the email address of the tenant administrator in Notified object.
- Check the daily consumption of license resources.
- Click the icon to view the detailed information about license activation codes or entitlement IDs.
After a license is loaded successfully, you can view the software ID for SnS charging and authentication.
Configuring the Tunnel Mode
You need to set the tunnel mode for a tenant network. All functions are available if the tunnel mode is set to EVPN. If the tunnel mode is set to IPSecVPN, the functions including global parameter settings, ZTP configuration, overlay network configuration, and policy configuration are unavailable and the menus of unavailable functions will be automatically hidden. The available menus vary according to scenarios.
The inter-site VPN function is available only when the tunnel mode is set to IPSecVPN.
Procedure
- Choose .
- Set VPN Mode to EVPN or IPSecVPN.
- Click Apply.
Supplementary Tasks
Configuring an SMS Server
Context
You need to configure the SMS service if SMS authentication is required. iMaster NCE-Campus needs to send SMS messages in the following scenarios:
- Two-factor authentication is performed when the system administrator, an MSP administrator, or a tenant administrator logs in to iMaster NCE-Campus.
- An end user attempts to access the network using a verification code received in an SMS message.
- When a guest attempts to access the network using SMS authentication, iMaster NCE-Campus needs to send an SMS message to notify administrators of guest access. After the guest passes authentication, iMaster NCE-Campus needs to send another SMS message to notify the administrators of the guest authentication result.
Before configuring the SMS service, you need to configure an SMS platform to specify the SMS gateway and configure an account based on the SMS platform to send SMS messages.
- SMS platform: You need to set parameters about a third-party SMS platform on iMaster NCE-Campus according to the information provided by the SMS platform. For details, see the interface document of the third-party SMS platform.
- SMS server: You need to set parameters for interconnection between iMaster NCE-Campus and a third-party SMS platform. After the interconnection is successful, iMaster NCE-Campus can send SMS messages.
By default, the system is pre-configured with the following SMS server connection parameters:
- fungo: http://qxt.fungo.cn/Recv_center. This is the SMS platform of fungo.cn (Beijing, China).
- twilio: https://api.twilio.com:8443/2010-04-01/Accounts/{USERNAME}/Messages.json. To use this SMS server, access www.twilio.com and apply for an account.
- If the system administrator has configured an SMS server and enabled Tenant heritable, tenant administrators can use the SMS server configured by the system administrator. Otherwise, they cannot use the SMS server configured by the system administrator and need to configure an SMS server on their own. For details about how a system administrator configures an SMS server, see Configuring an SMS Server.
If you do not want to use the SMS server configured by the system administrator, you can configure an SMS server as needed.
Prerequisites
If a tenant administrator wants to configure an SMS server, the tenant administrator needs to contact the system administrator to configure the SMS platform information. Only the system administrator can configure the SMS platform information.
Procedure
- Import an SMS server certificate.
- Contact the SMS server provider to obtain a certificate file.
- Log in to iMaster NCE-Campus as a system administrator and choose from the main menu.
- Choose Service Certificate Management from the navigation pane. On the Services page, click CampusBaseServiceServerConfigMoudle.
- Click the Trust Certificate tab and click Import. On the displayed page, enter the certificate information, select the desired SMS server certificate, and click Submit to upload the certificate to iMaster NCE-Campus.
- Choose from the main menu and click the SMS Server tab.
- Select an SMS platform, and set required parameters.
HTTPS is recommended because it is more secure than HTTP.
- Set SMS service type to HTTP SMS Service and select fungo from the SMS platform drop-down list box.
- Set SMS service type to HTTP SMS Service and select twilio from the SMS platform drop-down list box.
- Set SMS service type to SMPP SMS Service and select the created SMS platform template from the SMS platform drop-down list box.
- Click Test to verify validity of the SMS message sending function.
- If the test succeeds, the message "The test succeeds" is displayed, and you can receive the test SMS message from iMaster NCE-Campus.
- If the test fails, the message "Failed to test the SMS serve" is displayed. Perform operations according to the scenarios:
- If an error code is displayed in the dialog box, check the product documentation of the SMS service provider for the cause of the error, and obtain the troubleshooting method.
- If no error code is displayed in the dialog box, contact the system administrator to check the URL specified in the SMS server template to see whether the SMS server is reachable.
- After the test is successful, click Save.
Parameter Description
Parameter | Description |
---|---|
SMS platform | SMS template. Administrators can configure an SMS server template to specify an SMS gateway. By default, the following SMS server connection parameters are pre-configured on iMaster NCE-Campus: To use the SMS service provided by another carrier, you can create an SMS platform template as needed. |
Account | Account obtained during SMS service application. |
Token | Password obtained during SMS service application. NOTE: For system and user security purposes, it is recommended that the password provided by a third party meet the complexity requirements. |
SMS message signature | Signature of SMS messages. |
Send number | Number obtained from the SMS service provider, used to check whether the number for sending SMS messages is correct. This parameter is configurable only when the twilio template is selected. |
Inheritance | When this function is enabled and neither the MSP administrator nor the tenant administrator configures an SMS server, the SMS server configured by the system administrator is used. When this function is disabled, MSPs and tenants cannot use the SMS server configured by the system administrator. |
Test number | Number for sending a test SMS message. The value can be any available mobile number. |
Test SMS message | Content in a test SMS message. |
Parameter |
Description |
---|---|
SMS platform |
SMS platform template. Administrators can configure an SMS platform template to specify an SMS gateway. |
System id |
SMS server ID obtained during SMS service application. |
Password |
Password obtained during SMS service application. |
Source number |
Number obtained from the SMS service provider, used to check whether the number for sending SMS messages is correct. |
Inheritance |
When this function is enabled and neither the MSP administrator nor the tenant administrator configures an SMS server, the SMS server configured by the system administrator is used. When this function is disabled, MSPs and tenants cannot use the SMS server configured by the system administrator. |
Test number |
Number for sending a test SMS message. The value can be any available mobile number. |
Test SMS message |
Content in a test SMS message. |
Configuring Interconnection with a Syslog Server
Importing the Syslog Server Trust Certificate
Context
This certificate is used for Syslog server authentication when iMaster NCE-Campus functions as the client to securely communicate with the Syslog server.
Procedure
- Choose from the main menu, click the Syslog Configuration tab, and click Certificate Management.
- Add a trust certificate.
- Select a certificate type on the Trust Certificate tab, select a certificate file, and click Upload. Wait a few seconds until the message "File uploaded successfully." is displayed on the page.
- Click Apply. The certificate added is displayed in the certificate file list.
- Create a policy.
- Click the Certificate Policy tab.
- Set Policy name on the Policy page. Click to select a certificate and click OK.
- Click Apply. The policy is created and the policy information is displayed on the page.
Configuring Interconnection with a Syslog Server
Context
To use the syslog server or the syslog service module of the NMS to receive and manage logs and alarms, you need to configure the syslog server and iMaster NCE-Campus.
Logs and alarms can be displayed and queried on or exported from iMaster NCE-Campus. iMaster NCE-Campus can also report logs and alarms to the syslog server or the syslog service module of the NMS using syslog messages. The syslog server manages logs and alarms. iMaster NCE-Campus reports logs and alarms to the syslog server using UDP (less secure) or TLS (secure).
Logs that can be reported to a syslog server include run logs, operation logs, and security logs, and alarms that can be reported to a syslog server include cluster alarms and device disconnection alarms. You can customize alarm information reported to a syslog server using syslog messages.
Prerequisites
- The trust certificate of a syslog server has been imported.
- (Optional) If the syslog server requires client authentication, you also need to import the following certificate files of any iMaster NCE-Campus node to the trusted domain of the syslog server.
Certificate File | Path |
---|---|
client.keystore | /etc/puppet/modules/opendaylight/files/ssl/syslog/client |
clientTrust.keystore | |
Procedure
- Choose from the main menu, and click the Syslog Configuration tab.
- On the Syslog Configuration page, click Create, and set parameters for interconnection with a syslog server as planned.
- Click Test at the bottom of the page.
A test is required only when TLS is enabled. If TLS is disabled, the Test button is unavailable. In this case, skip this step and click Apply.
- If the message "Test successfully" is displayed, the syslog configuration succeeds. Click Apply.
- If the message "Test failed" is displayed, the parameters or certificates are incorrect. In this case, check the parameter values configured on and certificates imported to iMaster NCE-Campus and northbound applications. If the parameters and certificates are incorrect, modify them, and then click Test again.
Parameter Description
Parameter | Description |
---|---|
IP address | IP address of the syslog server, which can be obtained from the primary syslog server. |
Port | Port number of the syslog server, which is the same as the port number in udp(ip()port()) or tcp(ip()port()) in the Source field in the Syslog.conf file on the primary syslog server. |
Enable reporting | Whether to report the syslog service. The IP address or domain name and port number of the syslog server can be configured only when this parameter is enabled. |
Enable TLS | If TLS is configured on the syslog server, enable this parameter. If UDP is configured on the syslog server, disable this parameter. Before enabling this parameter, ensure that the syslog server supports TLS. |
Syslog protocol | Protocol for reporting syslog messages. The options are RFC 5424 and RFC 3164. |
Encoding format | UTF-8 or GBK. |
Select the type of logs to be reported | Type of logs to be reported. |
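To make the Syslog protocol, Encoding format and Enable TLS parameters concrete, the following added example (not iMaster NCE-Campus code) renders one constructed event in RFC 3164 and RFC 5424 form, frames it for a TLS stream, and builds a certificate-verifying client context. The facility and severity, the host and application names, the key=value body and the use of RFC 5425 octet-counting framing are assumptions; the page does not state them.

```python
import ssl
from datetime import datetime, timezone

FACILITY, SEVERITY = 16, 6      # assumed local0/informational; the page states neither

def pri(facility=FACILITY, severity=SEVERITY):
    """PRI value used by both formats: facility * 8 + severity."""
    return facility * 8 + severity

def rfc3164(ts, host, tag, msg):
    """BSD syslog: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG (no year, no time zone)."""
    stamp = f"{ts.strftime('%b')} {ts.day:2d} {ts.strftime('%H:%M:%S')}"
    return f"<{pri()}>{stamp} {host} {tag}: {msg}"

def rfc5424(ts, host, app, msg):
    """IETF syslog: <PRI>1 TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA MSG."""
    stamp = ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri()}>1 {stamp} {host} {app} - - - {msg}"

def frame_for_tls(message, encoding="utf-8"):
    """RFC 5425 octet counting: the length prefix counts encoded bytes, not characters."""
    payload = message.encode(encoding)
    return str(len(payload)).encode("ascii") + b" " + payload

def tls_client_context(trust_pem=None):
    """TLS context that authenticates the syslog server against a trust certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=trust_pem)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx   # verify_mode is CERT_REQUIRED and check_hostname is True by default

if __name__ == "__main__":
    when = datetime(2024, 3, 5, 8, 7, 9, tzinfo=timezone.utc)   # constructed event
    body = "account=admin operation=login operatorResult=success"
    print(rfc3164(when, "nce01", "ncecampus", body))
    print(rfc5424(when, "nce01", "ncecampus", body))
    print(frame_for_tls(rfc5424(when, "nce01", "ncecampus", body)))
```

The RFC 3164 timestamp carries neither year nor time zone, which matters when these records are correlated with other sources during an investigation.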
Logs Reported by Devices
Log type | Parameter | Description |
---|---|---|
Operation log | operatorTime | Time when the log is reported. |
Operation log | account | Account which reports the log. |
Operation log | clientIP | IP address of the device that reports the log. |
Operation log | tenant | Name of the tenant where the log is generated. |
Operation log | tenantID | ID of the tenant where the log is generated. |
Operation log | operation | Operation that generates the log. |
Operation log | operatorObj | Operation object. |
Operation log | operatorResult | Operation result. |
Operation log | level | Log level. |
Operation log | detail | Log details. |
Operation log | type | Log type. |
Security log | operatorTime | Time when the log is reported. |
Security log | account | Account which reports the log. |
Security log | clientIP | IP address of the device that reports the log. |
Security log | tenant | Name of the tenant where the log is generated. |
Security log | tenantID | ID of the tenant where the log is generated. |
Security log | operation | Operation that generates the log. |
Security log | operatorObj | Operation object. |
Security log | operatorResult | Operation result. |
Security log | level | Log level. |
Security log | detail | Log details. |
Security log | type | Log type. |
Device go-online and go-offline log | tenantId | ID of the tenant that generates the log. |
Device go-online and go-offline log | deviceOnlineTime | Time when the device goes online. |
Device go-online and go-offline log | mac | MAC address of the device that reports the log. |
Device go-online and go-offline log | result | Operation result. |
Device go-online and go-offline log | deviceGroupName | Name of the device group to which the device belongs. |
Device go-online and go-offline log | esn | Device ESN. |
Device go-online and go-offline log | deviceName | Device name. |
Device go-online and go-offline log | deviceIp | Device IP address. |
Device go-online and go-offline log | failureReason | Reason that the device fails to go online. |
Device go-online and go-offline log | deviceGroupId | ID of the device group to which the device belongs. |
Portal user login and logout log | tenantId | Tenant ID. |
Portal user login and logout log | authLogType | Log type. |
Portal user login and logout log | deviceGroupId | ID of the site where the device is located. |
Portal user login and logout log | authResult | Terminal authentication result. |
Portal user login and logout log | authTime | Terminal authentication time. |
Portal user login and logout log | onlineTime | Time when the terminal goes online. |
Portal user login and logout log | account | User account name. |
Portal user login and logout log | userGroup | User group name. |
Portal user login and logout log | accountType | User type. The options are as follows: |
Portal user login and logout log | terminalIP | Terminal IP address. |
Portal user login and logout log | terminalMac | Terminal MAC address. |
Portal user login and logout log | authType | Authentication type. The options are as follows: 8: 802.1X; 9: MAC address authentication; 11: Portal 2.0 authentication; 13: MAC address authentication-free; 14: Device administrator authentication; 15: Authentication using an SSL VPN-enabled firewall; 16: CWA authentication; 17: RADIUS relay authentication; 99: Unknown |
Portal user login and logout log | deviceIP | Device IP address. |
Portal user login and logout log | deviceMac | MAC address of the authentication point. |
Portal user login and logout log | deviceGroup | Site where the authentication point is located. |
Portal user login and logout log | authServerIP | IP address of the authentication server. |
Portal user login and logout log | accessSSID | SSID to which the terminal connects. |
Portal user login and logout log | offlineTime | Time when the terminal is disconnected. |
Portal user login and logout log | offlineReason | Authentication failure cause. |
Portal user login and logout log | authRule | Authentication rule. |
Portal user login and logout log | accessPolicy | Authorization rule. |
Portal user login and logout log | terminalGroupId | Terminal group ID. |
Portal user login and logout log | deviceFicationName | Terminal type. |
Portal user login and logout log | deviceVendorName | Terminal vendor. |
Portal user login and logout log | deviceModelName | Terminal model. |
Portal user login and logout log | osFicationName | Terminal operating system. |
Portal user login and logout log | osVendorName | Vendor of the terminal operating system. |
Portal user login and logout log | osModelName | Model of the terminal operating system. |
Portal user login and logout log | userGroupId | User group ID. |
Portal user login and logout log | bsId | User group BSID. |
RADIUS user login and logout log | tenantId | Tenant ID. |
RADIUS user login and logout log | authLogType | Log type. |
RADIUS user login and logout log | deviceGroupId | ID of the site where the device is located. |
RADIUS user login and logout log | authResult | Terminal authentication result. |
RADIUS user login and logout log | authTime | Terminal authentication time. |
RADIUS user login and logout log | onlineTime | Time when the terminal goes online. |
RADIUS user login and logout log | account | User account name. |
RADIUS user login and logout log | userGroup | User group name. |
RADIUS user login and logout log | accountType | User type. The options are as follows: |
RADIUS user login and logout log | terminalIP | Terminal IP address. |
RADIUS user login and logout log | terminalMac | Terminal MAC address. |
RADIUS user login and logout log | authType | Authentication type. The options are as follows: 8: 802.1X; 9: MAC address authentication; 11: Portal 2.0 authentication; 13: MAC address authentication-free; 14: Device administrator authentication; 15: Authentication using an SSL VPN-enabled firewall; 16: CWA authentication; 17: RADIUS relay authentication; 99: Unknown |
RADIUS user login and logout log | deviceIP | Device IP address. |
RADIUS user login and logout log | deviceMac | MAC address of the authentication point. |
RADIUS user login and logout log | deviceGroup | Site where the authentication point is located. |
RADIUS user login and logout log | authServerIP | IP address of the authentication server. |
RADIUS user login and logout log | accessSSID | SSID to which the terminal connects. |
RADIUS user login and logout log | offlineTime | Time when the terminal is disconnected. |
RADIUS user login and logout log | offlineReason | Authentication failure cause. |
RADIUS user login and logout log | authRule | Authentication rule. |
RADIUS user login and logout log | authorRule | Authorization rule. |
RADIUS user login and logout log | terminalGroupId | Terminal group ID. |
RADIUS user login and logout log | deviceFicationName | Terminal type. |
RADIUS user login and logout log | deviceVendorName | Terminal vendor. |
RADIUS user login and logout log | deviceModelName | Terminal model. |
RADIUS user login and logout log | osFicationName | Terminal operating system. |
RADIUS user login and logout log | osVendorName | Vendor of the terminal operating system. |
RADIUS user login and logout log | osModelName | Model of the terminal operating system. |
RADIUS user login and logout log | userGroupId | User group ID. |
RADIUS user login and logout log | bsId | User group BSID. |
HWTACACS log | tenantId | Tenant ID. |
HWTACACS log | userName | Authentication user name. |
HWTACACS log | userGroup | Authentication user group. |
HWTACACS log | authenRule | Authentication rule. |
HWTACACS log | authorRule | Authorization rule. |
HWTACACS log | terminalIP | Terminal IP address. |
HWTACACS log | clientIp | IP address of the authentication client. |
HWTACACS log | serverIp | IP address of the authentication server. |
HWTACACS log | userEevent | Authentication time, including the time when the terminal goes online and offline. |
HWTACACS log | authenResult | Authentication result. The value indicates whether the authentication succeeds. |
HWTACACS log | errorCode | Authentication failure cause. |
HWTACACS log | authorResult | Authorization result. The value indicates whether the user access is allowed or prohibited. |
HWTACACS log | cmdSet | Command set authorized to the user. |
HWTACACS log | cmdType | Command type (authorization command or accounting command). |
HWTACACS log | cmdToAuthor | Name of the authorized command. |
HWTACACS log | cmdParamToAuthor | Parameters of the authorized command. |
HWTACACS log | accountCmd | Accounting command. |
HWTACACS log | userType | User type. The value indicates whether the user is a local user or AD/LDAP user. |
HWTACACS log | authenType | Authentication type. The options are ASCII and PAP. |
HWTACACS log | origAuthenAttr | Authentication packet. |
HWTACACS log | origAuthorAttr | Authorization packet. |
HWTACACS log | origAccountAttr | Accounting packet. |
HWTACACS log | shellAuthorAttr | Shell authorization parameter. |
HWTACACS log | userGroupId | User group ID. |
HWTACACS log | bsId | User group BSID. |
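On the receiving side, the Portal and RADIUS login fields above are enough to flag repeated authentication failures from one terminal. The following is an added detection example, not iMaster NCE-Campus code: it assumes each syslog message carries the fields as a JSON object, that authResult uses the values "fail" or "failure", and that authTime is formatted as YYYY-MM-DD HH:MM:SS. The page specifies none of these, and the threshold, window and all sample values are constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# authType codes as listed in the table above, keyed as strings.
AUTH_TYPES = {"8": "802.1X", "9": "MAC address authentication", "11": "Portal 2.0 authentication",
              "13": "MAC address authentication-free", "14": "Device administrator authentication",
              "15": "Authentication using an SSL VPN-enabled firewall", "16": "CWA authentication",
              "17": "RADIUS relay authentication", "99": "Unknown"}
FAILED = {"fail", "failure"}   # assumed authResult values; the page does not list them

def parse(line):
    """Return the field dict carried in one syslog line, or None if no JSON body parses."""
    try:
        return json.loads(line[line.index("{"):])
    except ValueError:          # no "{" in the line, or the body is not valid JSON
        return None

def repeated_failures(lines, threshold=3, window=timedelta(minutes=5)):
    """Return one alert each time a terminalMac reaches `threshold` failures within `window`."""
    recent, alerts = defaultdict(deque), []
    for line in lines:
        rec = parse(line)
        if not rec or str(rec.get("authResult", "")).lower() not in FAILED:
            continue
        if not {"terminalMac", "authTime"} <= rec.keys():
            continue                      # incomplete record: nothing to correlate on
        when = datetime.strptime(rec["authTime"], "%Y-%m-%d %H:%M:%S")   # assumed layout
        seen = recent[rec["terminalMac"]]
        seen.append(when)
        while when - seen[0] > window:    # drop failures that fell out of the window
            seen.popleft()
        if len(seen) >= threshold:
            alerts.append({"terminalMac": rec["terminalMac"], "account": rec.get("account"),
                           "authType": AUTH_TYPES.get(str(rec.get("authType")), "Unknown"),
                           "accessSSID": rec.get("accessSSID"), "first": seen[0], "last": when})
            seen.clear()                  # start counting the next burst from zero
    return alerts

def sample_line(auth_time, mac, result):
    """Build one constructed RFC 5424 line; every value in it is made up for this example."""
    body = {"authLogType": "radius", "authTime": auth_time, "terminalMac": mac,
            "authResult": result, "authType": "8", "account": "guest01", "accessSSID": "corp-wifi"}
    return "<134>1 2024-03-05T08:00:00Z nce01 ncecampus - - - " + json.dumps(body)

SAMPLE = [sample_line("2024-03-05 08:00:00", "aa-bb-cc-00-00-01", "fail"),
          sample_line("2024-03-05 08:00:40", "aa-bb-cc-00-00-02", "success"),
          sample_line("2024-03-05 08:01:10", "aa-bb-cc-00-00-01", "fail"),
          sample_line("2024-03-05 08:02:00", "aa-bb-cc-00-00-01", "fail")]
```
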
Configuring Interconnection with a DNS Server
Context
This section describes how iMaster NCE-Campus cooperates with SafeDNS to implement URL filtering for domain names accessed by end users.
Prerequisites
Before configuring interconnection between iMaster NCE-Campus and the DNS server provided by SafeDNS, perform the following tasks on the SafeDNS website (https://www.safedns.com):
- Register an account.
- Create a sub-account for each tenant, implementing the multi-tenant capability of SafeDNS.
- Configure URL filtering rules.
You need to obtain the following information:
- DNS IP-Address: The value can be obtained from the SafeDNS website. Currently, the value can be 195.46.39.39 or 195.46.39.40.
- API Path: API address for connecting to SafeDNS. The value is https://www.safedns.com/provider_api.
- User Name: Sub-account for connecting to SafeDNS. Users can set this parameter as needed.
- Public Key: Public key used for API authentication. Each SafeDNS account has a public key, and the key is provided by the SafeDNS administrator.
Procedure
- Choose from the main menu, and click the DNS Interconnection Parameters tab.
- Set parameters as needed, and click Save.
Configuring a Mobile Number and SMS Authentication for Two-Factor Authentication
Two-factor authentication (2FA) is a security check process. It strengthens security by requiring two identity credentials to verify user identity before granting access to the system. 2FA secures user logins from attackers exploiting weak or stolen passwords. In addition, login notifications can also warn users of unauthorized access to their accounts.
iMaster NCE-Campus supports 2FA based on verification codes in SMS messages. In this mode, when logging in to iMaster NCE-Campus, a user needs to enter a regular username and password, and then is required to enter a verification code which is sent to the user's mobile phone via SMS.
Context
- Configure a mobile number. After logging in to iMaster NCE-Campus, you need to bind a mobile number to your account. After you enter a mobile number, iMaster NCE-Campus checks whether the format of the mobile number meets the requirements (1 to 20 digits) and verifies that the mobile number is not bound to another account. If the mobile number meets the preceding requirements, you can apply for a verification code. The mobile number can be changed after being configured.
- Enable SMS verification upon login. After configuring a mobile number, you need to enable SMS verification upon login to implement 2FA. Before enabling SMS verification upon login, ensure that a mobile number has been configured.
When you attempt to obtain an SMS verification code, you may not receive any SMS message due to poor network signals or mobile phone issues. If this occurs, you can obtain a new verification code 1 minute later. A verification code is valid for 5 minutes. If, more than five consecutive times, you obtain a new verification code before the current one expires and the verification fails each time, your account will be locked for 10 minutes.
Prerequisites
An SMS server has been configured. For details, see Configuring an SMS Server.
Procedure
- Choose from the main menu.
- Click next to Mobile number. In the dialog box that is displayed, complete the verification as prompted. Then the specified mobile number is bound to the current account.
- Click Modify next to SMS verification upon login. In the window that is displayed, enable SMS verification upon login and complete the verification using an SMS verification code.