Tenant Administrator O&M

Context

After logging in to iMaster NCE-Campus for the first time, a tenant administrator can configure services through Typical Application Scenarios or General Process Entry.

Procedure

1. Log in to iMaster NCE-Campus as a tenant administrator.
2. On the homepage, you can view device go-online and go-offline logs, user online duration, and feature configuration status. In addition, you can configure services as needed using Deployment Scenario and Auxiliary Tools.
   • Select a scenario in the Deployment Scenario area as required. Then you can configure services step by step on the displayed page.

   • Click the Smart configuration tool icon to access the command configuration tool. For details about how to use this tool, see Command Configuration Tool.

Context

A tenant administrator can customize the monitoring information displayed on the Monitoring > Health > Overview page.

Procedure

1. Choose Monitoring > Health > Overview from the main menu.
2. Click in the upper right corner.
3. Click portlets to customize the information displayed on the Overview page or cancel previous customizations. If is displayed in the lower-right corner of a portlet, the corresponding information will be displayed on the Overview page. If is not displayed, the portlet information will not be displayed on the Overview page.

   The dark area can be customized to display the site status, terminal packet loss rate, and AQM distribution, whereas the light area can be customized to display the map, trend of online Wi-Fi users, device status, worst 5 applications by AQM, worst 5 links by LQM, top 5 applications by traffic, top 5 links by traffic, abnormal cloud managed devices, alarms, task information and site signing information.

Procedure

1. Log in to iMaster NCE-Campus as a tenant administrator.
2. Choose Monitoring > Health > Overview from the main menu.
3. Check the site status, terminal packet loss rate, and AQM distribution.

4. View site distribution and status on the map.
   1. Select one or more values from the Status drop-down list box in the upper left corner to filter sites by status.

   2. Click a site icon to view the status of devices at the site.

5. Check the trend of online Wi-Fi users, device status, worst 5 applications by AQM, and worst 5 links by LQM.

6. Check the top 5 applications by traffic, top 5 links by traffic, and abnormal devices.

7. Check alarms, tasks, and site signing information.

Context

If site locations are identified on a map, iMaster NCE-Campus can display monitoring data of each site on this map. Currently, iMaster NCE-Campus supports Amap and Google Maps. To implement the map function, you need to purchase a license, obtain the API address, and configure the map URL.

After purchasing the map service, a tenant administrator can configure the map URL independently.

The map URLs configured by the tenant administrator, MSP administrator, and system administrator take effect in descending order of priority. For example, if the system, MSP, and tenant administrators each have configured a map URL, the URL configured by the tenant administrator is used preferentially.

Prerequisites

Related services have been purchased from the map service provider and the API address and key of the map have been obtained.

Procedure

1. Choose Monitoring > Health > Overview from the main menu.
2. Access the Map Settings page to configure a map URL.
   • If neither the system administrator nor the MSP administrator has configured a map URL, click Configure Map. On the Basic Settings page, set API address and Key, select Instructions for Use, and click Next Step.

   • If the system administrator or MSP administrator has configured a map URL, click to change the values of API address and Key, select Instructions for Use, and click Next Step.

3. Access the Setting the view angle page.
   • If Default viewing angle is set to All Sites, you can view locations of all sites on the map by default after logging in to iMaster NCE-Campus.

   • If Default viewing angle is set to Customize, you can set a viewing angle. After the configuration is complete, you can view locations of the sites in the custom viewing angle on the map by default after logging in to iMaster NCE-Campus.

4. Click OK.

Google Maps Key Application Procedure

1. Access the Google Maps official website at https://developers.google.com/maps/documentation/javascript/get-api-key.
2. Register a Google account and log in.
3. Create a Google Maps project.
   1. Choose Set up in Cloud Console from the navigation pane. Under Creating a project, click Create new project.

   2. Enter project information and click CREATE to create a project.

4. Apply for an API key.
   1. Choose Set up in Cloud Console from the navigation pane. Under Enabling APIs, click Enable the Maps JavaScript API.

   2. Select the created project and click ENABLE to enable the Maps JavaScript API function.

   3. On the Credentials tab page, click CREATE CREDENTIALS and click API key.

   4. Obtain the API key.

5. (Optional) Remove the Google Maps watermark.

   There is a watermark on Google Maps by default. You need to pay fees if you want to remove the watermark from the map.

   1. Choose Set up in Cloud Console from the navigation pane. Under Creating budgets and setting alerts, click Go to the Billing page.

   2. Click ADD BILLING ACCOUNT.
   3. Enter personal information.

   4. Click START MY FREE TRIAL.

Parameter Description

Context

If the system administrator has imported licenses, tenant administrators can view the license information.

Prerequisites

The system administrator has imported licenses.

Procedure

1. Choose System > System Management > License from the main menu. Click to view detailed information about the license files that have been imported.

2. Click the License Information tab to view the license information.
   • Select NCE-Campus from the Product name drop-down list to view the detailed information about controller licenses.

   • Select CampusInsight from the Product name drop-down list to view the detailed information about iMaster NCE-CampusInsight licenses.

Context

For global subscription licenses, if an MSP has allocated license resources to tenants, the tenants can view their own license resource status and consumption information without the need to activate licenses.

Procedure

1. Choose System > System Management > License from the main menu, and view the license resource status and consumption information.

2. Click Expiration Notification, enable Receive expiration notification, and configure the email addresses of recipients. Notification emails will be sent to the specified email addresses when a license is about to expire.
   • The system administrator must configure an email server before enabling Receive expiration notification. Otherwise, Receive expiration notification cannot be enabled. For details, see Configuring an Email Server.
   • A maximum of five email addresses can be configured. Email addresses need to be separated with line breaks.
   • If a license resource item is about to expire in less than 30 days, the system will send notification emails at 02:25 every day.
   • If license expiration notification is configured, the license expiration email is sent only to the email addresses specified in Notified object. In this case, you are advised to specify the email address of the tenant administrator in Notified object.

Context

For tenant subscription licenses, if an MSP has allocated licenses to tenants, the tenants cannot activate the licenses, but can only view the status and consumption information about the licenses.

Prerequisites

The MSP has allocated licenses to tenants. For details, see Activating and Allocating a License (Tenant Subscription Mode + License Redistribution Enabled).

Procedure

1. Log in to iMaster NCE-Campus as a tenant administrator and choose System > System Management > License from the main menu to view the license status and consumption information.

Context

If the system administrator does not enable the license split function when creating an MSP administrator, tenants need to purchase license activation codes from the MSP and import the activation codes to activate licenses.

• After logging in to iMaster NCE-Campus for the first time, the system administrator needs to set the license mode to Tenant Subscription Mode.
• This operation applies only to the Huawei public cloud scenario.
• Tenants purchase license activation codes from the MSP.

Prerequisites

• A tenant account has been registered.
• The tenant has logged in to iMaster NCE-Campus using the tenant account.
• The tenant has purchased license activation codes from the MSP.
• If the tenant needs to import activation codes of iMaster NCE-CampusInsight licenses through iMaster NCE-Campus, synchronize iMaster NCE-CampusInsight licenses to iMaster NCE-Campus before interconnecting iMaster NCE-Campus to CampusInsight. For details, see Configuring Interconnection with iMaster NCE-CampusInsight.

Procedure

1. Choose System > System Management > License from the main menu.
2. Import either activation codes or entitlement IDs to activate licenses.

   Since the first-time registration of a device, the device starts to consume license resources no matter whether the device is online or offline, or reports alarms. License deduction starts at 02:00 every day, and each device consumes one license unit every day.

   If the tenant subscription mode is configured and license redistribution is disabled, iMaster NCE-Campus provides common series license resources of 90 days (can be shared between devices) by default.

   • Click Import Activation Code.
     • Multiple activation codes need to be separated with line breaks.
     • A maximum of 10 activation codes can be entered.
     • After configuring interconnection between iMaster NCE-Campus and iMaster NCE-CampusInsight, you can import activation codes of iMaster NCE-CampusInsight licenses to iMaster NCE-Campus.
   • Click Import Auth ID.
     • Multiple entitlement IDs need to be separated with line breaks.
     • A maximum of 10 entitlement IDs can be entered.

3. View the license status.

4. (Optional) Click Recalculate Expiration Time and set a unified expiration time of license resources.

   The function of recalculating the license expiration time is not applicable to common series resources.

   Under a tenant, the expiration time of device licenses with the same device type is automatically recalculated when settlement is performed on a daily basis.

   Under a tenant, the expiration time of device licenses with different device types is not automatically recalculated. To recalculate the expiration time of such licenses, perform this step.

   This function allows you to configure a unified expiration time for resource items with different expiration time for easy management and resource integration. This operation cannot be rolled back.

   For example, there are three types of license resource items, including AR100 series: 10 device-days with 5 RMB per device-day; AR1200 series: 20 device-days with 10 RMB per device-day; and indoor AP series: 20 device-days with 20 RMB per device-day. Assume that iMaster NCE-Campus manages five AR100 series devices and 10 AR1200 series devices. You can click Recalculate Expiration Time to integrate license resources. The formulas are as follows: 10 x 5 + 20 x 10 + 20 x 20 = 650, 5 x 5 + 10 x 10 = 125 (consumption of all devices in a day), 650/125 = 5 R 25 (remainder 25). According to the calculation result, the license resources for AR100 and AR1200 series devices will expire in five days. The remaining 25 RMB will be added to the new license resource pool to be integrated in the next calculation.

   This function enables resource allocation to be more flexible. Resources that are in arrears can be integrated so that they can be used normally.

5. Click Expiration Notification, enable Receive expiration notification, and configure the email addresses of recipients. Notification emails will be sent to the specified email addresses when a license is about to expire.
   • The system administrator must configure an email server before enabling Receive expiration notification. Otherwise, Receive expiration notification cannot be enabled. For details, see Configuring an Email Server.
   • A maximum of five email addresses can be configured. Email addresses need to be separated with line breaks.
   • If a license resource item is about to expire in less than 30 days, the system will send notification emails at 02:25 every day.
   • If license expiration notification is configured, the license expiration email is sent only to the email addresses specified in Notified object. In this case, you are advised to specify the email address of the tenant administrator in Notified object.

6. Check the daily consumption of license resources.

7. Click to view the detailed information about license activation codes or entitlement IDs.

   After a license is loaded successfully, you can view the software ID for SnS charging and authentication.

Context

The system administrator has configured account policies and password policies. Tenant administrators can modify these policies as needed.

Procedure

1. Configure account policies.

   Account policies have been configured on iMaster NCE-Campus by default. Tenant administrators can modify the account policies, such as account length policy and account login policy.

   Choose System > User Management > Administrator from the main menu, and click Account Policy, to configure account policies.

2. Configure password policies.

   Password policies have been configured on iMaster NCE-Campus by default. Tenant administrators can modify the password policies as needed, for example, password complexity requirements, the password change interval, and character limitations.

   Choose System > User Management > Administrator from the main menu, and click Password Policy, to configure password policies.

   For security purposes, configure all password policies provided by iMaster NCE-Campus.

   If PCI authentication is required, modify account and password policies as follows:

   • Enable Disable unused accounts, and set Maximum number of consecutive idles days of account to 90. An account is disabled if the account has not logged in to the system at all for more than 90 days.
   • Set Invalid password monitoring period (min) to 30 in the Account Lockout Trigger Conditions area. In this case, if an account fails to log in to the system for five consecutive times within 30 minutes, the account is locked for 30 minutes.
   • Set Number of historical passwords that cannot be reused to 4.

Context

Users with the same operation rights can be managed by role. After an account is attached to a role, the account has all rights of this role.

Procedure

1. Choose System > User Management > Administrator from the main menu, and click the Role tab.
2. Click Create. Enter the role name and select function rights for the role.

   By default, the following roles are preset for tenants. These roles cannot be deleted or modified.

   • Monitor: A monitor can view tenant services and configurations.
   • Open Api Operator: An open API operator can use open API services and related configurations.
   • Tenant Administrator: A tenant administrator can perform operations on tenant services and related configurations.
   • Operator: An operator can manage system service running.

     The Operator role is unavailable for tenant administrators created on iMaster NCE-Campus running V300R019C00.

   • CLI Operator: A user attached with this role has the permission to import device commands using a command template. For details, see Issuing Commands Using a Template.

     Issuing commands is supported only on the WAN. The CLI Operator role is available only in EVPN tunnel mode.

   In the Select function list, each function node has a fixed name but the node order in the list varies depending on the iMaster NCE-Campus version. Figures in this section are for reference only.

3. You are advised to create roles and grant function rights based on the following table. You can also create roles as needed.

   Role Type	Rights
   Management	Global management personnel, with all rights.
   Monitoring	Global monitoring personnel, with all monitoring rights.
   Configuration	Network configuration personnel, with rights to configure the network, traffic policies, and security policies.
   Maintenance	O&M personnel, with rights to maintain devices and manage files and logs.

   • For a management role: Select all functions.

   • For a monitoring role, select Monitoring and all functions under it.

   • For a configuration role, select Design, Provision, System, Admission, Policy, ServiceConsisitency Group, along with all functions under them.

   • For a maintenance role, select Maintenance and all functions under it.

4. Click OK.

Context

A tenant administrator created by an MSP administrator has all rights of a tenant, and is called a root tenant administrator.

To ensure system security, the root tenant administrator can create multiple sub-tenant administrators and attach roles to each sub-tenant administrator so that the sub-tenant administrator can have corresponding rights of the roles.

A tenant administrator can set the maximum number of concurrent online users. The value ranges from 0 to 999. The value 0 indicates that the maximum number of concurrent online users is not limited. To ensure system performance, the maximum number of concurrent online users is limited to 5000.

Procedure

1. Choose System > User Management > Administrator from the main menu.
2. Click Create, and set parameters on the Create User page.

   For security purposes, keep the password secure and change it periodically.

   • Manually configure a password when creating an account.

     Set Password create mode to Manual and then set a password for the account. If Modify password first login is set to Yes, the user will be prompted to change the password when using this account to log in to iMaster NCE-Campus for the first time, and can successfully log in after changing the password.

   • Create a password via email.

     Set Password create mode to Email. After the account is created, the system sends a URL to your email box. You can click the URL to configure a password for the user account.

     • If you choose to configure a password via email, configure an email server before creating an account. Otherwise, the system fails to send a URL to the specified email address. For details, see Configuring an Email Server
     • If the password for a user account is configured via email, the user does not need to change the password upon the first login to iMaster NCE-Campus.
     Table 4-119 Description of parameters on the Create User page

     Parameter	Description
     Account	User account used for login.
     User type	The following two user types are available: Local: Local users can log in to iMaster NCE-Campus only from the web UI. Third-party user: A third-party system user can invoke the northbound API /controller/v2/tokens to log in to iMaster NCE-Campus. NOTE: A third-party user can log in to iMaster NCE-Campus only by invoking the API. A local user can log in to iMaster NCE-Campus only through the web UI. After an upgrade, local users and third-party users can log in to iMaster NCE-Campus either by calling the API or through the web UI.
     Password create mode	Mode in which a password is created. The options are Manual and Email.
     Password	Initial login password of the newly created administrator. NOTE: The two parameters are configurable only when User Type is set to Local. If Password create mode is set to Email, set a valid email address. After the account is created, the system sends a URL to the mailbox. The user can click the URL to configure a password. If Password create mode is set to Email, the user does not need to change the password when logging in to iMaster NCE-Campus for the first time.
     Confirm Password
     Modify password first login	Whether to change the password upon first login.
     Email address	When resetting passwords, users can receive new random passwords generated automatically through emails.
     Mobile number	When resetting passwords, users can receive new random passwords generated automatically through SMS messages.
     Role	Role to be attached to the user.

3. On the Managed Object page, select the sites to be managed by the sub-tenant administrator, and click Next.

   If a sub-tenant administrator is authorized to managed selected sites, the administrator cannot view the following menus after logging in to iMaster NCE-Campus since the administrator does not have the permission to manage all resources:

   • Monitoring > Health > Overview
   • Monitoring > Health > Inter-Site
   • Monitoring > Health > Site

   • Monitoring > Monitor Settings > Monitor Settings

4. (Optional) Configure access control.

   On the Access Control page, click Create, configure the range of IP addresses that can be used to log in to iMaster NCE-Campus, and click Next.

5. Click OK.

Follow-up Procedure

• Modify account information, reset the password, and disable or enable the account.
  1. Choose System > User Management > Administrator from the main menu.
  2. In the Operation column, click to modify account information, click to reset the password, or click to disable the account. If the account has been disabled, click to enable the account.

• Delete an account.
  1. Choose System > User Management > Administrator from the main menu.
  2. Select an account, and click Delete.

• Transfer workgroup administrator rights.

  If the administrator of a workgroup is changed, an upper-level administrator can transfer the workgroup administrator rights to another administrator.

  Workgroup administrators can transfer their rights only to the administrators created by themselves. Before transferring rights of a workgroup administrator, ensure that the workgroup administrator has created an administrator account.

  • This operation can only be performed on level-1 sub-workgroups of the workgroup to which the current user belongs and cannot be performed on the workgroups of level 2 or higher.
  • If workgroup administrators remain online after their rights are transferred, they will be forced offline and has no rights.
  1. Choose System > User Management > Administrator from the main menu. Click the User tab.
  2. Click Select, select the desired workgroup, and click OK.

     Select a desired account and click Hand Over to enable this account to become the new workgroup administrator.

     The new account must be an administrator account created by the old workgroup administrator account.

     If the icon is moved to the right of the new administrator account, the rights are transferred successfully.

• Configure a user group.

  User groups are used to interconnect iMaster NCE-Campus with third-party services, such as the Active Directory Federation Services (ADFS), NetIQ, LDAP server, AD server, and RADIUS server.

  Choose System > User Management > Administrator from the main menu. Then, click the User Group tab, and click Create to create a user group.

  Click Next and select objects to be managed by the user group if Select all resources is disabled.

• Perform personalized settings.

  Personalized settings improve iMaster NCE-Campus access security. The personalized settings apply only to the current tenant administrator account.

  • Set the number of concurrent online users.
    1. Choose System > User Management > Account Information from the main menu.
    2. On the Basic Information tab page, click and set Max. concurrent users. The value 0 indicates there is no limit on the maximum number of concurrent online users.

  • Change the user password.
    1. Choose System > User Management > Account Information from the main menu.
    2. On the Basic Information tab page, click next to the password. In the dialog box that is displayed, set a new password.

  • Modify the IP address range that can be used by the current account to log in to iMaster NCE-Campus.
    1. Choose System > User Management > Account Information from the main menu.
    2. On the Access Control tab page, create Create, set a start IP address and an end IP address, and click OK. If the IP address range list is empty, login is allowed from any IP address.

  • Set an idle timeout interval for the current tenant administrator account.

    iMaster NCE-Campus supports the idle timeout interval setting to prevent unauthorized operations when the administrator is away. If an administrator does not perform any operation within a specified period of time, the administrator will be logged out automatically and needs to log in to iMaster NCE-Campus again.

    Choose System > User Management > Administrator from the main menu, click Idle Timeout Settings, set Idle duration (min), and click OK.

  • Check online users.

    Choose System > User Management > Administrator from the main menu, click the Online User tab, and view online users.

• Check whether you have signed a privacy statement.
  1. Choose System > User Management > Account Information from the main menu.
  2. On the Basic Information tab page, check whether you have signed the privacy statement.
     • If Sign privacy statement is Not signed, you have not signed the privacy statement.
     • If Sign privacy statement is Signed, you have signed the privacy statement.
     • Withdraw a privacy statement.
       To withdraw your consent to the privacy statement, click Cancel next to Sign privacy statement and click OK in the Warning dialog box that is displayed.

       You will be logged out if you withdraw the consent to the privacy statement. In addition, your mobile number and email address will be deleted. This may affect your login or password retrieval. Exercise caution when performing this operation.

Context

If an MSP administrator configures workgroups to manage tenants, tenants cannot authorize the MSP to maintain tenant services based on user roles. If tenants require the MSP to maintain their services, they can authorize the MSP to manage services based on workgroups.

Tenant administrators can create workgroups, assign different rights to workgroup administrators, and authorize MSP workgroup administrators to manage tenant workgroups.

When an MSP is authorized to manage tenant services, MSP workgroup administrators only have the permission to manage services of tenant workgroups authorized by tenant administrators.

Procedure

1. Log in to iMaster NCE-Campus as the root tenant administrator.
2. Choose System > User Management > Administrator from the main menu, click the Role tab, and click Create to create a workgroup administrator role.

3. Choose System > User Management > Work Group from the main menu, click Create, set parameters, and click Next.
   Table 4-126 Basic information about a workgroup

   Parameter	Description
   Workgroup name	Name of a workgroup, which identifies the purpose of the workgroup.
   Number of users	Number of administrator accounts in a workgroup, including administrator accounts in the sub-workgroups of the workgroup.
   Number of workgroups	Number of sub-workgroups that can be created in the workgroup.
   Description	Workgroup description.
   Role	User roles available for users in the workgroup. By default, the following roles are supported: Tenant administrator, Operator, Monitor, and Open API operator. The operation rights of these roles are described as follows: Monitor: A monitor can view tenant services and configurations. Open Api Operator: An open API operator can use open API services and related configurations. Tenant Administrator: A tenant administrator can perform operations on tenant services and related configurations. Operator: An operator can manage system service running. When creating a workgroup, you need to use the administrator account to create roles. Otherwise, roles cannot be selected when a sub-workgroup is created in the workgroup.

4. Configure the workgroup administrator and click Next.

   For security purposes, keep the password secure and change it periodically.

   • Manually configure a password when creating the workgroup administrator.

     Set Password create mode to Manual and configure a password for the workgroup administrator.

   • Create a password via email.

     Set Password create mode to Email. After the account is created, the system sends a URL to your email box. You can click the URL to configure a password for the workgroup administrator.

     • If you choose to configure a password via email, configure an email server before creating an account. Otherwise, the system fails to send a URL to the specified email address. For details, see Configuring an Email Server
     • If the password for the workgroup administrator is configured via email, the administrator does not need to change the password upon the first login to iMaster NCE-Campus.

5. Select managed objects, that is, the sites or logic networks that can be managed by the workgroup, and then click OK.

   If a sub-tenant administrator is authorized to managed selected sites, the administrator cannot view the following menus after logging in to iMaster NCE-Campus since the administrator does not have the permission to manage all resources:

   • Monitoring > Health > Overview
   • Monitoring > Health > Inter-Site
   • Monitoring > Health > Site

   • Monitoring > Monitor Settings > Monitor Settings

6. (Optional) Authorize tenant workgroup administrator rights to the MSP administrator.

   Choose System > User Management > Account Information from the main menu.

   In the Authorization Information area, enable Authorize MSP, and select the workgroup that needs to be authorized to the MSP administrator for service management.

   Log in to iMaster NCE-Campus as an MSP administrator, create an MSP workgroup, and select an MSP-managed tenant workgroup as a managed object. The MSP workgroup administrator can only manage services of the authorized tenant workgroup after logging in to iMaster NCE-Campus.

Follow-up Procedure

• Modify a workgroup.
  1. Log in to iMaster NCE-Campus as a tenant administrator and choose System > User Management > Work Group from the main menu.
  2. Click in the Operation column in the row of the target workgroup to modify the workgroup.

• Delete a workgroup.
  1. Log in to iMaster NCE-Campus as a tenant administrator and choose System > User Management > Work Group from the main menu.
  2. Select the target workgroup and click Delete.
     • Only sub-workgroups can be deleted, and the workgroup to which the current user belongs cannot be deleted.
     • Deleting a workgroup will delete information about sub-workgroups at all levels, as well as users, roles, and user groups of the workgroup.
     • Deleting a workgroup is a risky operation. Exercise caution when performing this operation.

• Transfer workgroup administrator rights.

  If the administrator of a workgroup is changed, an upper-level administrator can transfer the workgroup administrator rights to another administrator.

  Workgroup administrators can transfer their rights only to the administrators created by themselves. Before transferring rights of a workgroup administrator, ensure that the workgroup administrator has created an administrator account.

  • This operation can only be performed on level-1 sub-workgroups of the workgroup to which the current user belongs and cannot be performed on the workgroups of level 2 or higher.
  • If workgroup administrators remain online after their rights are transferred, they will be forced offline and has no rights.
  1. Choose System > User Management > Administrator from the main menu. Click the User tab.
  2. Click Select, select the desired workgroup, and click OK.

     Select a desired account and click Hand Over to enable this account to become the new workgroup administrator.

     The new account must be an administrator account created by the old workgroup administrator account.

     If the icon is moved to the right of the new administrator account, the rights are transferred successfully.

Procedure

1. Access the Tenant Information page.

   Choose System > User Management > Tenant Information from main menu.

2. Modify the tenant name, address, email address, contact number, or description. You can also click the Upload to replace the enterprise logo. Then, click Save.

   Information customized by an administrator will be displayed on the pages available to that administrator. For example, after an administrator replaces the enterprise logo and refreshes the page, the new logo is displayed in the upper left corner of the page.

   When customizing an enterprise logo, you are advised to use an image with a size of 150 x 30 pixels to achieve the optimal display effect. The image can be in the JPG, PNG, or BMP format, with a size no more than 100 KB.

Prerequisites

New devices have been added to iMaster NCE-Campus and target sites.

Procedure

1. Choose Design > Site Agile Deployment > Device Management from the main menu, and click the Device tab.
   • Devices discovered by NETCONF are called cloud managed devices whereas devices discovered by SNMP are called traditional devices.
   • For stacked switches, only the management IP address of the master member switch is displayed.
   • Deleting a device will interrupt services. Exercise caution when performing this operation.

2. Click on the right of the Operation column to customize the fields to be displayed in the device list.

3. Export device information and download it to the local host.
   • Select desired devices and click Export to export information about the selected devices.

   • If you do not select any device and click Export, information about all devices will be exported.

4. Click a device name in the list to check the detailed device information. For details, see Device Monitoring.

Prerequisites

New devices have been added to iMaster NCE-Campus and target sites.

Procedure

Restarting a device will cause service interruptions and cause unsaved pre-configurations on this device to be lost. Save configurations before restarting a device.

1. Choose Design > Site Agile Deployment > Device Management from the main menu, and click the Device tab.
2. Use either of the following methods to restart devices:
   • To restart devices in batches, select the online devices that you want to restart and click More > Restart.

   • To restart a single device, click a device name and click Reboot Device in the upper right corner on the device details page.

3. On the page that is displayed, click OK.

Prerequisites

A WAC group has been created. For details, see Creating a WAC Group.

Procedure

1. Choose Monitoring > Health > WAC Group from the main menu.
2. Select a WAC group from the list to view information about the selected WAC group.

Context

Tenant administrators can replace faulty or obsolete devices and synchronize configurations of old devices to new devices on iMaster NCE-Campus to ensure normal service running.

Prerequisites

A new device has been added to iMaster NCE-Campus. For distributed APs and central APs, only devices in offline or unregistered state can be used for replacement.

• The model of the new device must be the same as that of the old device.
• After device replacement, iMaster NCE-Campus delivers configurations of the old device to the new device. However, the configurations delivered through the device CLI cannot be automatically delivered. You need to log in to the device CLI to perform configurations again. It is recommended that you periodically back up device configuration files. For details, see Configuring a Configuration File Backup Task.
• After a switch is replaced, iMaster NCE-Campus delivers the configurations of the old switch to the new switch and then restarts the new switch.

Procedure

1. Choose Design > Site Agile Deployment > Device Management from the main menu.
2. Find the device to be replaced in the device list, and click next to the device in the Operation column.

3. On the Device Replacement page, select a device in the New device area and click OK to replace the old device with the new device. The system will synchronize the device information, including the site, location, and configurations, from the old device to the new device.

Context

When bringing a device offline or replacing a device, you can restore the device to its deployment configurations to facilitate fast reset to its deployment state.

Only ARs support this function.

Procedure

1. Choose Design > Site Agile Deployment > Device Management from the main menu.
2. Select the device to be reset, and click More > Restore Deployment Configurations.

3. In the displayed High Risk dialog box, click Yes.

   Restoring a device to its deployment configurations will cause the device to go offline. As a result, the device fails to be managed by iMaster NCE-Campus.

Context

When bringing a device offline or replacing a device, you can restore the device to its factory defaults within one click.

• Only switches running V200R011C10SPC550 and later versions support this function.
• The firewalls, ARs, WACs, Fit APs, and stacks do not support this function.

Procedure

1. Choose Design > Site Agile Deployment > Device Management from the main menu.
2. Select the device to be reset, and click More > Restore Factory Defaults.

3. In the displayed CAUTION dialog box, select I have fully understand possible risks, and click Yes.

Context

Tenant administrators can query the login and logout logs of an AP, including failure causes.

Procedure

1. Choose Design > Site Agile Deployment > Device Management from the main menu.
2. Click the name of the desired AP. The Single Device Info page is displayed.
3. Click the Event Logs tab to view the AP's login and logout logs.

Context

A device certificate is a digital file that has the digital signature assigned by a CA and includes information about the public key owner, public key issuer, validity period, and specific extension information. A Secure Sockets Layer (SSL) channel can be set up between a device and a server using a device certificate to ensure security for information transmission between the two ends.

When the current device certificate expires or cannot meet security requirements, a new certificate must be installed to ensure security.

After certificates are replaced, devices will automatically restart. Otherwise, the replaced certificates do not take effect. Since devices go offline during the restart, ensure that services will not be affected during certificate replacement.

Procedure

1. Log in to iMaster NCE-Campus as a tenant administrator. Choose Maintenance > Device Maintenance > Device Certificate Management from the main menu, click the Device Certificate Management tab, select the device whose certificate needs to be replaced, and click Certificate Signing Request to export the certificate request file of the device (into a .csr file).
   • A certificate request file cannot be exported for multiple times. Otherwise, the previously exported certificate request files become invalid. If you have used a certificate request file exported earlier to apply for a certificate, the applied certificate will also become invalid.
   • For details about how to determine whether a device certificate is an old certificate, see How Do I Determine Whether a Device Certificate Is an Old Certificate.

2. Upload the request file to the PKI website to apply for a new certificate, and obtain the pem public key file. To apply for this public key file, contact Huawei engineers.
3. Upload the device certificate and click Upload Certificate. In the displayed dialog box, select the certificate file and click OK.
   • The certificate to upload must be named by the device ESN. Otherwise, the certificate cannot be uploaded.

4. On the Device Certificate Management page, wait until the new certificate status changes to Uploaded, and click Submit to replace the certificate. After the certificate is delivered, iMaster NCE-Campus sends a restart command to the device. If the new certificate status is Delivery success after the device restart, the certificate is successfully replaced.

   For details about new certificate statuses, see Table 4-132.

   Table 4-132 New certificate statuses

   New Certificate Status	Description
   Not uploaded	The new certificate has not been uploaded to the device.
   Uploaded	The new certificate has been uploaded to the device.
   Delivering	iMaster NCE-Campus is delivering the new certificate to the device.
   Delivery failure	iMaster NCE-Campus fails to deliver the new certificate to the device. You need to replace the certificate again.
   Delivery success	iMaster NCE-Campus has successfully delivered the certificate to the device. Certificate replacement is successful.

Context

The Network Time Protocol (NTP) defines the time synchronization mechanism. It synchronizes the time between distributed servers and clients.

When the time of all the devices on a network need to be synchronized, it is almost impossible for an administrator to manually change the system clock through the CLI. This is because the workload is heavy and clock accuracy cannot be ensured. NTP can quickly synchronize the clocks of devices on the network and ensure high precision.

Procedure

1. Choose Provision > Physical Network > Site Configuration from the main menu.
2. Choose Site > Service Parameters. In the Basic Info area, configure the time zone and NTP server for devices.

Context

A tenant administrator can remotely log in to the CLI of an online device from iMaster NCE-Campus and perform operations in the CLI.

After network devices are managed by iMaster NCE-Campus, if you need to clear configuration on the devices using commands, for example, if a management subnet changes, or the network devices need to be managed by iMaster NCE-Campus of a new version, running the reset saved-configuration command clears only the configuration files saved on the network devices. As such, you cannot remotely log in to the network devices using STelnet.

When clearing configuration on S series switches, in addition to the reset saved-configuration command, run the following command to clear configuration files and database data saved on the devices.

• Versions earlier than V200R019C00SPC500: Run the reset cloud-mng db-configuration command in the user view.
• V200R019C00SPC500 and later versions: Run the reset netconf db-configuration command in the user view.
• This operation is not supported for devices at a site created based on configuration files.

Procedure

1. Choose Design > Site Agile Deployment > Device Management from the main menu.
2. Click the name of the desired device to access the Single Device Info page.
3. Click Command Line in the upper right corner of the page to remotely log in to the CLI of the device.
   If the login fails and the following error information is displayed, rectify the fault and log in again.

   1. IP/port did not match: The IP address or port is incorrect.
   2. Authentication fail: The authentication fails.
   3. Disconnected by device: The device is disconnected.
   4. Unable to open channel: The SSH channel fails to be set up.
   5. Connection Reset By Peer: A network exception occurs.

      The following figure shows an example.

   • After remotely logging in to a device's CLI, do not modify the configurations delivered by iMaster NCE-Campus to the device. Otherwise, services will be affected.
   • Do not run commands to change the level of logs to be printed to debug.
   • In any scenario, the interval for clicking Command Line must be greater than one minute.
   • Before exiting the MSP operating mode, you need to close the CLI window (if the remote CLI login function is enabled). If you exit the MSP operating mode and then close the CLI window of a device, you will fail to log in to the CLI of the device again. In this case, you can use either of the following solutions:
     • Wait for 10 minutes after which iMaster NCE-Campus will automatically clear the data and then open the CLI again.
     • Log out and then use the MSP account to log in to the device CLI again.

   • In the CLI, if parameter names and their values are not in the same column due to abnormal line breaks, add any font in the monospaced font family to the operating system font library.
   • If you remotely log in to the CLI of another device from the CLI of a cloud managed device, you can press Shift+Backspace to delete unnecessary information when entering commands in the CLI.
   • If authentication without a password is configured on iMaster NCE-Campus cluster nodes, the function of remotely logging in to the device CLI from iMaster NCE-Campus will be unavailable.
   • VXLAN-capable switches do not support remote login to the device CLI.
   • Only the following models of AR support remote login to the device CLI:

     AR-Sc-U-BC, AR-Se-U-BC, AR-Sa-U-BC, AR-So-U-BC, AR-Sc-Lc-BC, AR-Se-L-BC, AR-Sa-La-BC, AR-So-Lo-BC, AR-Sc-Lc-MC, AR-Se-L-MC, AR-Sa-La-MC, AR-So-Lo-MC, AR-Sc-MC, AR-Se-MC, AR161EW, AR169EGW-L, AR169EW, AR161, AR161W, AR161F, AR161FW, AR161FGW-L, AR168F, AR169F, AR169FGW-L, AR1220C, AR1220EVW, AR1220E, AR2220, AR2220E, AR2204-51GE, AR2204-27GE, AR2204XE, AR2240, AR2240C, AR3260, AR3670, AR1000V, AR1610-X6, AR651W-X4, AR651-X8, AR651, AR651C, SRG3360, AR2204-51GE-P, AR2204-51GE-R, AR2204-27GE-P.

4. (Optional) Click Export Screen Display to export command outputs.

Prerequisites

If you need to log in to the web system of a WAC through iMaster NCE-Campus, ensure that you have run the following command on the WAC to configure an interface for interconnection with iMaster NCE-Campus. Otherwise, you may fail to log in to the WAC's web system.

http secure-server server-source -i Vlanif 11       //The VLANIF interface is used for the WAC to communicate with iMaster NCE-Campus. VLANIF 11 is used as an example here.

Procedure

1. Choose Design > Site Agile Deployment > Device Management from the main menu.
2. Click the name of the desired device to access the Summary page.
3. Click Device Configuration in the upper right corner of the page to remotely log in to device's web system.

   When you click Device Configuration, the SSH proxy tunnel function is automatically enabled. After you close the web system, the SSH proxy tunnel function is automatically disabled after some time.

   • A tenant administrator cannot log in to the web systems of two devices at the same time.
   • This function is supported on firewalls and WACs.
   • This function is supported on the AR6280 and AR651C.
   • This function is supported on the following switch models:
     • S12700 series switches
     • S12700-E series switches
     • S7700 series switches
     • S5720-56C-HI-AC
     • S5720-32C-HI-24S-AC
     • S5720-56C-PWR-HI-AC
     • S5720-56C-PWR-HI-AC1
     • S5730-36C-HI
     • S5730-36C-PWH-HI
     • S5730-44C-HI
     • S5730-44C-PWH-HI
     • S5730-60C-HI
     • S5730-60C-PWH-HI
     • S5730-68C-HI
     • S5730-68C-PWH-HI
     • S5730-36C-HI-24S
     • S5730-44C-HI-24S
     • S5730-60C-HI-48S
     • S5730-68C-HI-48S
     • S5731-H24T4XC
     • S5731-H48T4XC
     • S5731-H24P4XC
     • S5731-H48P4XC
     • S6720-30L-HI-24S
     • S6720-50L-HI-48S
     • S6730-H48X6C
     • S6730-H24X6C

Signature Database Upgrade Process

Figure 4-15 shows the signature database upgrade process.

Figure 4-15 Signature database upgrade process

1. iMaster NCE-Campus sends a signature database upgrade request to the control server to request the IP address of a download server. The communication between them is encrypted and no other data processor is involved.

   iMaster NCE-Campus communicates with the control server using HTTPS (port 443) or HTTP (port 80). If iMaster NCE-Campus upgrades the signature database through a proxy server, only HTTP can be used.

2. After verification succeeds, the control server sends the IP address of a download server to iMaster NCE-Campus.

3. iMaster NCE-Campus requests signature database files from the download server.
   The protocol and port used by iMaster NCE-Campus to communicate with the download server varies.

   • If iMaster NCE-Campus uses HTTPS and port 443 to communicate with the control server, iMaster NCE-Campus uses the same protocol and port number to communicate with the download server.

   • If iMaster NCE-Campus uses HTTP to communicate with the control server:

     • If iMaster NCE-Campus directly connects to the upgrade center, it connects to the download server using FTP in passive mode. The FTP control channel port number is 21, and the data channel port number is dynamically allocated from 10001 to 15000.

     • If iMaster NCE-Campus connects to a proxy server, it connects to the download server using HTTP and port 80.

4. The download server sends encrypted signature database files to iMaster NCE-Campus.

   HTTPS is recommended, because it is securer than HTTP. When using HTTP, strictly restrict the matching conditions of security policies.

5. A device request signature database files from iMaster NCE-Campus. The requested data includes the device model, device version, device ESN, signature database type, signature database version, and country/region (optional).
6. iMaster NCE-Campus sends signature database files to the device based on the device request.

Prerequisites

• The configuration of the signature database server has been completed. For details, see Configuring the Signature Server.
• The latest signature database files have been downloaded to iMaster NCE-Campus. For details, see Upgrading the Signature Database on iMaster NCE-Campus.

Procedure

1. Choose Maintenance > Device Maintenance > Signature Database Upgrade from the main menu.
2. Select the site for which the signature database needs to be upgraded and click Create New Policy. On the Create New Policy page that is displayed, configure a policy for upgrading the signature database at a specific time every week or immediately, and click OK.
   • All tenants share one set of signature database files.
   • ARs support the upgrade of two types of signature databases: SA_H30071001(1600+) and SA_H30071000(6000+).
   • After a device is added to a site, you are advised to upgrade the signature database on the device to ensure that the version of the signature database on the device is the same as that on iMaster NCE-Campus.

3. During the upgrade, click to view the upgrade progress.

   Before an upgrade, the system checks whether the version of the local signature database is the latest version and performs an upgrade if the version is not the latest. The new signature database is saved to the file server for devices to download, and is also saved to the database for devices to use for application query. The old signature database is automatically deleted if it is not used by any site. If the old signature database is still used by a site, this signature database is retained in the database and on the file server.

4. To view the upgrade details, click the Upgrade Details tab.

Context

Tenant administrators can activate a device license on iMaster NCE-Campus.

Pre-configuration Tasks

The tenant administrator has uploaded a device license file to iMaster NCE-Campus. For details, see Managing Files.

Procedure

1. Choose Maintenance > Device Maintenance > Device License Active from the main menu.
2. Select the device license to be activated, and click Active.

Parameter Description

Context

Third-party IoT cards can be installed on APs. To configure and maintain third-party IoT services, you can deliver commands to the IoT cards through iMaster NCE-Campus.

• Currently, commands can be delivered only to BOE SES-Imagotag IoT cards.
• You can obtain the commands that can be delivered to IoT cards from the card supplier. If a command is incorrect, this command may fail to be executed or the card may function improperly. Exercise caution when delivering commands to IoT cards.

Procedure

1. Choose Monitoring > Health > Devices 360 from the main menu. The device monitoring page is displayed.
2. Choose AP > IoT to view IoT card information.

   The meanings of icons in the Operation column are as follows:

   • : Reset IoT card network configurations.
   • : Restart the IoT card.
   • : Restore the IoT card to its factory defaults.
   • : Switch flash partitions of the IoT card.

3. Deliver a command to IoT cards to configure IoT services.
   • To deliver a command to a single IoT card, select the desired IoT card and click Deliver commands.

     In the dialog box that is displayed, click OK. Enter the command to be delivered and click OK.

   • Click All deliver commands to deliver a command to all online IoT cards at a site.

     In the dialog box that is displayed, click OK. Enter the command to be delivered and click OK.

4. Click the Command Delivery Results tab and check whether the command is successfully delivered. If the command fails to be delivered, contact technical support or the IoT card supplier to rectify the fault based on the failure cause in the Failure Cause column.

   Click View in the Detail column to view command delivery details.