MSP Administrator O&M

Procedure

1. Log in to iMaster NCE-Campus using an MSP administrator account.
2. View the tenant list information on the Dashboard. You can create tenants.

Context

If a user logs in to the local CLI of an online device and configures or modifies device services using commands, the configurations may conflict with those delivered byiMaster NCE-Campus, resulting in service exceptions..

To prevent such problems, an MSP administrator can authorize tenant administrators to enable or disable the local CLI-based configuration function for devices.

This function is applicable to switches only.

Procedure

1. Log in to iMaster NCE-Campus.

2. Click next to the target tenant, click Disable authorization, and click OK. After the authorization is disabled, the tenant cannot enable the local CLI-based configuration function for switches, and users cannot configure switches through the CLI.

Follow-up Procedure

A tenant administrator can enable or disable the local CLI-based configuration function for devices. For details, see Enabling or Disabling Local CLI-based Device Configuration.

Context

If the system administrator has imported licenses, the MSP administrator can view the license information.

Prerequisites

The system administrator has imported licenses.

Procedure

1. Choose System > Administrator > License Management from the main menu. Click to view the detailed information about the loaded license file.

2. Click the License Information tab to view the license information.
   • Select NCE-Campus from the Product name drop-down list to view the detailed information about controller licenses.

   • Select CampusInsight from the Product name drop-down list to view the detailed information about iMaster NCE-CampusInsight licenses.

Context

If the system administrator has allocated license packages to an MSP administrator, the MSP administrator can allocate license resources to tenants for refined management.

The MSP administrator can assign license resources to tenants only after the system administrator logs in to iMaster NCE-Campus for the first time and sets the license mode to Global Subscription Mode and License Redistribution to Yes.

Prerequisites

The system administrator has allocated a license package to the MSP administrator. For details, see Managing Licenses (Global Subscription Mode + License Redistribution Enabled).

Procedure

1. Choose System > Administrator > License Management from the main menu. The license management page is displayed. View information about the license package allocated by the system administrator to the MSP administrator and the license consumption information.

   Click the package name to view details about the package.

2. Click Expiration Notification, enable Receive expiration notification, and configure the email addresses of recipients. Notification emails will be sent to the specified email addresses when a license is about to expire.
   • The system administrator must configure an email server before enabling Receive expiration notification. Otherwise, Receive expiration notification cannot be enabled. For details, see Configuring an Email Server.
   • A maximum of five email addresses can be configured. Email addresses need to be separated with line breaks.
   • If a license resource item is about to expire in less than 30 days, the system will send notification emails at 02:25 every day.
   • If license expiration notification is configured, the license expiration email is sent only to the email addresses specified in Notified object. In this case, you are advised to specify the email address of the tenant administrator in Notified object.

3. Click the Tenant License tab and allocate license resources to tenants.
   1. Click on the left of a tenant to view the license status and resource consumption of the tenant.

   2. Click Create, click in the Package Name column to select a license package, and click OK.

   3. Configure the number of license resources (unit: device x day) and click . The license package is allocated to the tenant.

   4. (Optional) Click to freeze the license package. A frozen license package cannot be redistributed or used. Click to change the number of resources in the license package. Click to delete an allocated package.

      Freezing or deleting a license package will cause the related devices to go offline. Therefore, exercise caution when performing these operations.

   5. (Optional) Click Disable Strategy and set Unified deactivation time and Longest Arrears (days) of the license package.

      The license will be deactivated either at the deactivation time set in Disable Strategy or the actual expiration time of the license, whichever is earlier.

Follow-up Procedure

Log in to iMaster NCE-Campus as a tenant administrator and view the license resource status and consumption information. For details, see Viewing License Information (Global Subscription Mode + License Redistribution Enabled).

Context

If the system administrator has enabled the Split licenses function when creating an MSP administrator, the MSP administrator can centrally import the activation code to activate the license and allocates license resources to each tenant based on the tenant's service requirements. In this case, tenants cannot import license resources by themselves.

• The system administrator logs in to iMaster NCE-Campus for the first time and sets the license mode to Tenant Subscription Mode.
• This task applies only to Huawei Public Cloud Scenario, in which the MSP obtains license activation codes from the Electronic Software Delivery Platform (ESDP) and allocates them to tenants.

Prerequisites

• A tenant account has been registered.
• The system administrator has enabled the Split licenses function.
• The MSP administrator has applied for a license activation code.
• If you need to import the activation code of the CampusInsight license to iMaster NCE-Campus, ensure that the CampusInsight license has been synchronized to iMaster NCE-Campus before iMaster NCE-Campus and CampusInsight are interconnected. For details, see Configuring Interconnection with iMaster NCE-CampusInsight.

Procedure

1. Choose System > Administrator > License Management from the main menu.
2. Import activation codes or authorization IDs to activate licenses. Either activation codes or authorization IDs need to be imported.
   • Click Import Activation Code.
     • Multiple activation codes need to be separated by line breaks.
     • The number of activation codes cannot exceed 10.
     • After iMaster NCE-Campus interconnects with CampusInsight, you can import the activation code of the CampusInsight license to iMaster NCE-Campus.
   • Click Import Auth ID.
     • Multiple authorization IDs need to be separated by line breaks.
     • The number of authorization IDs cannot exceed 10.

   Since the first-time registration of a device, the device starts to consume license resources. License consumption continues no matter whether the device is online or offline, or reports alarms. License deduction starts at 02:00 every day, and each device consumes one unit of license every day.

   In tenant subscription (splittable) mode, iMaster NCE-Campus does not provide 90-day common series resources for users by default.

3. View the license status.

4. (Optional) Click Recalculate Expiration Time and set a unified expiration time of license resources.

   The function of recalculating the license expiration time is not applicable to common series resources.

   Under a tenant, the expiration time of device licenses with the same device type is automatically recalculated when settlement is performed on a daily basis.

   Under a tenant, the expiration time of device licenses with different device types is not automatically recalculated. To recalculate the expiration time of such licenses, perform this step.

   This function allows you to configure a unified expiration time for resource items with different expiration time for easy management and resource integration. This operation cannot be rolled back.

   For example, there are three types of license resource items, including AR100 series: 10 device-days with 5 RMB per device-day; AR1200 series: 20 device-days with 10 RMB per device-day; and indoor AP series: 20 device-days with 20 RMB per device-day. Assume that iMaster NCE-Campus manages five AR100 series devices and 10 AR1200 series devices. You can click Recalculate Expiration Time to integrate license resources. The formulas are as follows: 10 x 5 + 20 x 10 + 20 x 20 = 650, 5 x 5 + 10 x 10 = 125 (consumption of all devices in a day), 650/125 = 5 R 25 (remainder 25). According to the calculation result, the license resources for AR100 and AR1200 series devices will expire in five days. The remaining 25 RMB will be added to the new license resource pool to be integrated in the next calculation.

   This function enables resource allocation to be more flexible. Resources that are in arrears can be integrated so that they can be used normally.

5. Click Expiration Notification, enable Receive expiration notification, and configure the email addresses of recipients. Notification emails will be sent to the specified email addresses when a license is about to expire.
   • The system administrator must configure an email server before enabling Receive expiration notification. Otherwise, Receive expiration notification cannot be enabled. For details, see Configuring an Email Server.
   • A maximum of five email addresses can be configured. Email addresses need to be separated with line breaks.
   • If a license resource item is about to expire in less than 30 days, the system will send notification emails at 02:25 every day.
   • If license expiration notification is configured, the license expiration email is sent only to the email addresses specified in Notified object. In this case, you are advised to specify the email address of the tenant administrator in Notified object.

6. Check the daily consumption of license resources.

7. Click to view the detailed information about license activation codes or entitlement IDs.

   After a license is loaded successfully, you can view the software ID for SnS charging and authentication.

8. Click the Tenant License tab and allocate license resources to tenants.
   1. Click on the left of a tenant. The license items for 54 types of products are displayed under each tenant, and the number of resources is 0.

   2. Click in the Operation column and configure the number of license resources required by the tenant (unit: device x day). Then click .

   3. (Optional) Click to freeze the license. A frozen license cannot be redistributed or used. Click to change the number of license resources.

      If you freeze the license, related devices will go offline. Therefore, exercise caution when performing this operation.

   4. (Optional) Click Disable Strategy and set Unified deactivation time and Longest Arrears (days) of the license package.

      The license will be deactivated either at the deactivation time set in Disable Strategy or the actual expiration time of the license, whichever is earlier.

Follow-up Procedure

Log in to iMaster NCE-Campus as a tenant administrator and choose System > System Management > License from the main menu to view the license resource status and consumption information.

Context

If an MSP administrator created by the system administrator has all the rights of the MSP, this MSP administrator is called the root MSP administrator.

To ensure system security, the root MSP administrator can create multiple sub-MSPs and assign different rights to each sub-MSP by role.

Prerequisites

• View MSP administrator account policies.

  Account policies have been configured on iMaster NCE-Campus by default. An MSP administrator can view account policies, for example, account length policy and account login policy.

  Choose System > Administrator > Administrator from the main menu, and click Account Policy to view MSP administrator account policies.

• View MSP administrator password policies.

  Password policies have been configured on iMaster NCE-Campus by default. An MSP administrator can view password policies, for example, password complexity policy, password change interval policy, and character limitation policy.

  Choose System > Administrator > Administrator from the main menu, and click Password Policy, to view MSP administrator password policies.

  For security purposes, configure all password policies provided by iMaster NCE-Campus.

  If PCI authentication is required, modify account and password policies as follows:

  • Enable Disable unused accounts, and set Maximum number of consecutive idles days of account to 90. An account is disabled if the account has not logged in to the system at all for more than 90 days.
  • Set Invalid password monitoring period (min) to 30 in the Account Lockout Trigger Conditions area. In this case, if an account fails to log in to the system for five consecutive times within 30 minutes, the account is locked for 30 minutes.
  • Set Number of historical passwords that cannot be reused to 4.

• Roles have been created.

  If functional rights of existing roles in the system do not meet requirements, you can create new roles before creating accounts or workgroup.

  Choose System > Administrator > Administrator from the main menu, and click the Role tab. Click Create, and select functional rights to create a role.

  By default, a system administrator has following roles. These roles cannot be deleted or modified.

  • MSP Administrator: The MSP administrator performs manager services and configurations.
  • Operator: The operator manages system service running.
  • Open Api Operator: The open API operator owns the privilege of open API services and configurations.

Procedure

1. Choose System > Administrator > Administrator from the main menu.
2. Click Create, and set parameters on the Create User page.

   For security purposes, keep the password secure and change it periodically.

   • Manually set a password when creating a user account.

     Set Password create mode to Manual and then set a password for the account. If Modify password first login is set to Yes, the user will be prompted to change the password when using this account to log in to iMaster NCE-Campus for the first time, and can successfully log in after changing the password.

   • Create a password via email.

     Set Password create mode to Email. After the account is created, the system sends a URL to your email box. You can click the URL to configure a password for the user account.

     • If you choose to configure a password via email, configure an email server before creating an account. Otherwise, the system fails to send a URL to the specified email address. For details, see Configuring an Email Server
     • If the password for a user account is configured via email, the user does not need to change the password upon the first login to iMaster NCE-Campus.
     Table 4-84 Description of parameters on the Create Account page

     Parameter	Description
     Account	Login account of a newly created administrator.
     User type	LOCAL: Local users can log in to iMaster NCE-Campus only from the web UI. THIRD-PARTY SYSTEM ACCESS: A third-party system access user calls the northbound API /controller/v2/tokens to log in to iMaster NCE-Campus. NOTE: If the user type is Third-party system access, the user can log in to iMaster NCE-Campus only by API call. If the user type is Local, the user can log in to iMaster NCE-Campus only from the web portal. In an upgrade scenario, the user type is changed from Local or Third-party system access to Both. When the user type is Both, the user can log in to iMaster NCE-Campus either by API call or from the web portal.
     Password create mode	Mode in which a password is created. The options are Manual and Email.
     Password	Initial login password of the newly created administrator. NOTE: This parameter is displayed only when User Type is Local. If the password creation mode is set to Email, you must enter a valid email address. After the account is created, the system sends a link to the mailbox. You need to click the link to configure the account and password. In this mode, you do not need to change the password when you log in to iMaster NCE-Campus for the first time.
     Confirm password
     Modify password first login	Whether to change the password upon first time login.
     Mobile number	Email address of an MSP, which is provided for easy and prompt contact by Tenants under the MSP.
     Email address	Phone number of an MSP, which is provided for easy and prompt contact by Tenants under the MSP.
     Role	Selected the role from the drop-down list.

3. On the Managed Object page that is displayed, select the accounts to be managed by the MSP administrator, and click Next. By default, Select All Resources is enabled. In this case, the MSP administrator can manage all tenants. If you disable Select All Resources, you can select the tenants to be managed by the MSP administrator. In addition, select a role that is authorized by the tenant administrator to the MSP administrator. When the MSP administrator accesses the tenant Portal to maintain tenant services, the MSP administrator has the rights of the role authorized by the tenant administrator.

4. On the Access Control page that is displayed, click Create. Set the allowed IP address range, and click OK.

   After the IP address range is added, the account can use only an IP address within this range to log in to iMaster NCE-Campus. If no IP address range is added, the account can use any IP address to log in to iMaster NCE-Campus.

   After logging in to iMaster NCE-Campus using this account, choose System > System Management > Account Information from the main menu. On the Access Control page that is displayed, maintain the IP address range.

5. Click OK. The account is created successfully.

Follow-up Procedure

• Modify the account information, reset the password, and disable or enable an account.
  1. Choose System > Administrator > Administrator from the main menu.
  2. In the Operation column, click to modify the account information, click to reset the password, click to disable an account, and click to enable an account that has been disabled.

• Delete an account.
  1. Choose System > Administrator > Administrator from the main menu.
  2. Select an account and click Delete.

• Transfer workgroup administrator rights.

  If the administrator of a workgroup is changed, an upper-level administrator can transfer the corresponding rights to another administrator.

  Workgroup administrators can transfer their rights to the administrators created by themselves. Before transferring rights of a work administrator, ensure that the workgroup administrator has created an administrator account.

  • This operation can only be performed on level-1 sub-workgroups of the workgroup to which the current user belongs and cannot be performed on the workgroups of level 2 or higher.
  • If workgroup administrators remain online after their rights are transferred, they will be forced offline and has no rights.
  1. Choose System > Administrator > Administrator from the main menu. Click the User tab.
  2. Click Select, select the desired workgroup, and click OK.

     Select a desired account and click Hand Over to enable this account to become the new workgroup administrator.

     The new account must be an administrator account created by the old workgroup administrator account.

     If the icon is moved to the right of the new administrator account, the rights are transferred successfully.

• Set a user group.

  User groups are used to interconnect iMaster NCE-Campus with third-party services, such as the Active Directory Federation Services (ADFS), NetIQ, LDAP server, AD server, and RADIUS server.

  Choose System > Administrator > Administrator from the main menu, click the User Group tab, and click Create to create a user group.

  Click Next to select the managed objects of the user group.

  Only users with the MSP administrator rights can configure user groups.

• Configure personal settings.

  Personnel settings improve the access security of iMaster NCE-Campus. This function takes effect only for the current user.

  • Set the number of concurrently online users.
    1. Choose System > System Management > Account Information from the main menu.
    2. On the Basic Information page, set Max. concurrent users and click . The value 0 indicates there is no limit on the maximum number of concurrent online users.

  • Modify the password.
    1. Choose System > System Management > Account Information from the main menu.
    2. On the Basic Information page, click behind the password. In the dialog box that is displayed, set a new password.

  • Adjust the range of IP addresses that can be used by the current account to log in to iMaster NCE-Campus.

    Click Access Control tab. On the Access Control page, set the IP address range and click OK. If no IP address range is set, there is no limit on the login IP address range of the current account.

  • Set the idle timeout interval.

    To prevent other personnel from performing unauthorized operations when the administrator leaves, iMaster NCE-Campus provides the function of setting the idle timeout interval of the administrator. If an administrator does not perform any operation within the specified interval, the account will be automatically logged out. To perform further operations after the account is logged out, the administrator must log in to iMaster NCE-Campus again.

    Choose System > Administrator > Administrator from the main menu, click , set the idle time, and click OK.

  • Check online users.

    Choose System > Administrator > Administrator from the main menu and click the Online User tab.

• Check whether you have signed a privacy statement.
  1. Choose System > System Management > Account Information from the main menu.
  2. On the Basic Information page, check whether you have signed the privacy statement.
     • If Sign privacy statement is Not signed, you have not signed the privacy statement.
     • If Sign privacy statement is Signed, you have signed the privacy statement.
• Withdraw a privacy statement.
  To withdraw your consent to this privacy statement, click Cancel next to Sign privacy statement and click OK in the Warning dialog box that is displayed.

  You will be logged out if you withdraw the consent to the privacy statement. In addition, your mobile number and email address will be deleted from the controller. This may affect your login or password retrieval. Exercise caution when performing this operation.

Context

The sub-accounts and user roles created by the administrator are not isolated. Horizontal unauthorized operations may be performed, which brings security risks.

For example, the default root administrator account, who has the highest rights, creates account A and account B, and assigns the accounts to subordinate departments or partners, respectively. If both account A and account B have the account management and role management rights, account A and account B can modify and delete accounts and roles of each other.

To prevent horizontal unauthorized operations, you can configure a workgroup to isolate accounts and user roles created by administrators. Workgroups are configured a hierarchical tree structure, that is, upper-level workgroups grant rights to lower-level workgroups. Users in a workgroup can maintain accounts and roles in their own workgroup along with lower-level workgroups. Among workgroups at the same level, account permissions are isolated and data is invisible to each other.

To prevent horizontal unauthorized operations, the default root administrator can assign workgroup administrator accounts, instead of sub-accounts, to subordinate departments or branches.

• A maximum of five levels of workgroups can be created.
• Only the administrator of father workgroup can create sub-workgroups.
• The current user can configure an account policy and a password policy and set idle timeout settings only for the workgroup to which the user belongs but not for the sub-workgroups of the workgroup.

Pre-configuration Tasks

• A tenant administrator creates a workgroup and workgroup administrator account.
• The tenant administrator authorizes the workgroup rights to the MSP administrator.

Procedure

1. Log in to iMaster NCE-Campus using the MSP administrator account, and choose System > Administrator > Work Group. Click Create, enter workgroup information, and click Next.
   Table 4-91 Basic information about a workgroup

   Parameter	Description
   Workgroup name	Name of a workgroup, which identifies the purpose of the workgroup.
   Number of users	Number of administrator accounts in a workgroup, including administrator accounts in the sub-workgroups of the workgroup.
   Number of workgroups	Number of sub-workgroups that can be created in a workgroup.
   Description	Workgroup description.
   Role	User roles of a workgroup. By default, workgroup supports the following roles: MSP administrator, Operator, and Open API operator. The operation rights of these roles are: MSP Administrator: The MSP administrator performs manager services and configurations. Operator: The operator manages system service running. Open Api Operator: The open API operator owns the privilege of open API services and configurations. When creating a workgroup, you need to use the administrator account to create role. Otherwise, Role cannot be selected when a sub workgroup is created for the workgroup.

2. Configure workgroup administrator information and click Next.
   • Manually set a password when creating a user account.

     For security purposes, keep the password secure and change it periodically.

     Set Password create mode to Manual. Then you can directly set a password when creating the account.

   • Create a password via email.

     Set Password create mode to Email. After the account is created, the system sends a URL to your email box. You can click the URL to configure a password for the account.

     • If you choose to create a password via email, configure an email server before creating an account. Otherwise, the system fails to send a URL to the specified email address. For details, see Configuring an Email Server
     • If a password is created via email, you do not need to change the password upon the first login to iMaster NCE-Campus.

3. Select managed objects, that is, select the tenants that can be managed by the workgroup. Then, select the workgroup created by the tenant administrator and click OK. In addition, select a role that is authorized by the tenant administrator to the MSP administrator.

   If the tenant administrator has granted the permission of managing tenant workgroups to the MSP administrator, the MSP administrator can log in to iMaster NCE-Campus and maintain services of the tenants in the specified tenant workgroups.

Follow-up Procedure

• Modify workgroup information.
  1. Log in to using the MSP account and choose System > Administrator > Work Group from the main menu.
  2. Click in the Operation column to modify the workgroup information.

• Delete a workgroup.
  1. Log in to using the MSP account and choose System > Administrator > Work Group from the main menu.
  2. Select an account and click Delete.
     • Only sub-workgroups can be deleted, and the workgroup to which the current user belongs cannot be deleted.
     • Deleting a workgroup will delete information about sub-workgroups at all levels, as well as users, roles, and user groups of the workgroup.
     • Deleting a workgroup is a risky operation. Exercise caution when performing this operation.
• Transfer workgroup administrator rights.

  If the administrator of a workgroup is changed, an upper-level administrator can transfer the corresponding rights to another administrator.

  Workgroup administrators can transfer their rights to the administrators created by themselves. Before transferring rights of a work administrator, ensure that the workgroup administrator has created an administrator account.

  • This operation can only be performed on level-1 sub-workgroups of the workgroup to which the current user belongs and cannot be performed on the workgroups of level 2 or higher.
  • If workgroup administrators remain online after their rights are transferred, they will be forced offline and has no rights.
  1. Choose System > Administrator > Administrator from the main menu. Click the User tab.
  2. Click Select, select the desired workgroup, and click OK.

     Select a desired account and click Hand Over to enable this account to become the new workgroup administrator.

     The new account must be an administrator account created by the old workgroup administrator account.

     If the icon is moved to the right of the new administrator account, the rights are transferred successfully.

Context

When an MSP administrator creates a tenant administrator, the system collects information such as the email address and mobile number of the user, notifies the user that the information has been obtained, and asks for the user's authorization.

You can manage privacy statements online. For example, you can create, delete, modify, and query a privacy statement, query the privacy statement list, or publish a privacy statement as required.

By default, the privacy statement function is enabled on iMaster NCE-Campus. If this function is not required, you can disable it on the management plane. Privacy statements will become unavailable after this function is disabled. To disable the privacy statement function, perform the following steps:

1. Log in to the management plane.
2. Choose Product > Software Management > Deploy Product Software from the main menu, choose More > Modify Configurations, set

   supportSignPrivacystatement(supportSignPrivacystatement, use 'ON', or 'OFF to OFF), and click OK

   .

3. Click to check whether the configuration is successful.

Prerequisites

The administrator has the permission to create, release, modify, and delete a privacy statement.

Procedure

1. Choose System > Administrator > Privacy Management from the main menu.
2. Click Create. On the Create Privacy Statement page, set the name, version, and content of the privacy statement.

   A privacy statement can be in the draft or released state. A privacy statement in the released state cannot be released again.

3. Click OK. The privacy statement is created.
4. Click in the Operation column of the desired privacy statement. In the Warning dialog box that is displayed, click OK to release the latest privacy statement.

   If a privacy statement with the same name has been published, set the version number to a value greater than that of the published one.

Related Operations

Follow-up Procedure

When creating a tenant administrator, the MSP administrator configures that the tenant administrator has to sign the privacy statement.

• Tenants for which a privacy statement has been configured must sign the privacy statement as prompted when they log in to iMaster NCE-Campus. Otherwise, the login will fail.
• After a privacy statement is in released state, the privacy statement version of the tenant who is using the privacy statement with the same name will change to the latest version. When the tenant or MSP logs in to the system, the tenant needs to sign the latest privacy statement.

Context

A Root tenant is responsible for configuring and maintaining services on a tenant network.

Prerequisites

• The tenant administrator created by the MSP can select the Username/Password or Username/Password + SMS verification code authentication mode. If Username/Password + SMS verification code is configured, you need to configure an SMS server in advance. For details, see Configuring an SMS Server.
• When the system administrator creates an MSP administrator, the system administrator needs to enter user information such as the email address and mobile number, and creates a privacy statement for the user to sign. The privacy statement notifies the user that the information has been obtained and asks for the user's authorization. For details, see Managing Privacy Statements.

Procedure

1. Log in to iMaster NCE-Campus as an MSP administrator.
2. Choose Tenant Management > Tenant Management > Tenant Management.
3. Click Create to configure tenant information. The tenant name must be different from existing accounts. Set Authorize MSP as required.

   After Authorize MSP is enabled, the Tenant Administrator role is attached to the MSP. In this manner, when the MSP administrator accesses the tenant portal to maintain tenant services, the MSP administrator has the rights of the Tenant Administrator role authorized by the tenant administrator.

   If Username/Password + SMS verification code is selected, enter the service phone number for receiving SMS messages.

   You need to create a privacy statement in advance. For details, see Managing Privacy Statements. Tenant administrators for which a privacy statement has been configured must sign the privacy statement as prompted when they log in to iMaster NCE-Campus. Otherwise, the login will fail.

   If Username/Password + SMS verification code is configured, the SMS verification code must meet the following requirements:

   • The validity period of a verification code is 5 minutes. If the validity period exceeds 5 minutes, you need to obtain a new verification code.
   • You cannot obtain a verification code multiple times within 1 minute. After 1 minute, you can click the verification code button again to resend a verification code SMS message. The previous verification code automatically becomes invalid.
   • The function of obtaining verification codes is locked for 10 minutes after five consecutive attempts.
   • If you enter an incorrect verification code for three consecutive times, the verification code becomes invalid and you need to obtain a new one.

4. Click Next to configure tenant administrator information.

   For security purposes, keep the password secure and change it periodically.

   • Manually set a password when creating a user account.

     Set Password create mode to Manual. Then you can directly set a password when creating the account. You will be prompted to change the password when logging in to iMaster NCE-Campus for the first time. You can log in only after the password is changed successfully.

   • Create a password via email.

     Set Password create mode to Email. After the account is created, the system sends a URL to your email box. You can click the URL to configure a password for the account.

     • If you choose to create a password via email, configure an email server before creating an account. Otherwise, the system fails to send a URL to the specified email address. For details, see Configuring an Email Server
     • If a password is created via email, you do not need to change the password upon the first login to iMaster NCE-Campus.

5. Click OK.

Follow-up Procedure

Parameter Description

Procedure

1. Access the MSP Information page.

   Choose System > System Management > MSP Information from the main menu.

2. Modify the MSP name, address, mailbox, phone number and description. You can also click Upload to replace the enterprise logo. Then, click Save.

   Personalized information customized by an administrator will be displayed on the pages available to that administrator. For example, after an administrator replaces the enterprise logo and refreshes the page, the new logo is displayed in the upper left corner of the page.

   When customizing an enterprise logo, you are advised to use an image with the pixel size 150 x 30 to achieve the optimal display effect. The image can be in the JPG, PNG, or BMP format, with a size no more than 100 KB.

Prerequisites

The tenant administrator has authorized the MSP to manage the services.

Procedure

1. Log in to iMaster NCE-Campus as the MSP administrator.
2. Under Tenants List, click the tenant name. The view for managing services for the tenant is displayed.

Context

An MSP administrator can view and manage devices of managed tenants.

Procedure

1. Choose Tenant Management > Tenant Management > Device List.
2. Select a tenant, filter devices by search criteria, and view basic device information in the list.
3. Click to set dimensions for display of additional device information.

4. Export device information and download it to the local host.
   • Select specified devices and click Export to export information about the selected devices.

   • If you do not select any device and click Export, information about all devices will be exported.

Context

If a tenant administrator finds that the device to be added has been used and the device cannot be either deleted or added, contact the system administrator to clear the ESN of the device. After the ESN of the device is cleared, the device can be added.

Prerequisites

When the system administrator clears the ESN of a device or deletes a device, the system will notify the tenant administrator who is using the device through an email.

To ensure that the email can be sent successfully, perform the following configurations.

• The MSP administrator has correctly configured the email server. For details, see Configuring an Email Server.
• When creating a tenant administrator, you must specify an email address. By default, the notification email is sent to the tenant administrator.

Procedure

1. Choose Tenant Management > Tenant Management > Device List.

2. Select a device, and click Clear ESN.

   In the dialog box that is displayed, click Confirmed, and then click OK.

   After the ESN is cleared, the tenant administrator can still view the device on the system UI, but the device is unavailable. The system then notifies the tenant administrator who is using the device through an email.

3. Select a device, and click Delete Device.

   If the device has been added to the fabric, the device then cannot be deleted.

   In the dialog box that is displayed, click Confirmed, and then click OK.

   After the device is deleted, the device cannot be viewed on the system UI. The system then notifies the tenant administrator who is using the device through an email.

Context

An MSP administrator can check tenant networks periodically, detect network, device, and service exceptions, handle the exceptions, and send reports to specified email boxes after preventive maintenance inspections (PMIs).

The MSP administrator can perform preventive maintenance inspection (PMI) on tenant devices managed by the controller using NETCONF to detect potential risks in a timely manner.

Prerequisites

The admin or MSP administrator has correctly configured the email server.

Procedure

1. Choose Maintenance > Maintenance > PMI from the main menu.
2. Execute a PMI task.
   • Add devices to be inspected to sites before starting the PMI. Otherwise, the PMI will fail.
   • WACs, Fit APs, and distributed APs do not support PMI.
   1. Click the PMI List tab.
   2. Inspect tenant devices.
      • Inspect all devices of a tenant. Find the tenant to be inspected in the list and click Start PMI to inspect all devices of the tenant.

      • To perform PMI for multiple devices under a tenant: Click the tenant icon, select the devices for which PMI needs to be performed, and click Start PMI to inspect all devices of the tenant. PMI starts on the selected devices in batches.

      • Inspect a single device of a tenant. Click the tenant icon, select a device, and click in the Operation column to inspect the tenant device.

        For devices that fail in the PMI, you can view the failure cause in the Device Status column. The possible causes are as follows:

        • The device is not online.
        • The device does not belong to any site.
        • The device or version is not supported.
        • iMaster NCE-Campus restarted during the PMI.
        • A user logs in to the device in the CLI.
        • Failed to create a session or connection: An SSH channel fails to be established between iMaster NCE-Campus and the device.
        • PMI timeout: PMI times out if it takes more than 16 minutes to inspect a single device.
        • Authentication failure: The device is configured with the HWTACACS authentication and escape functions on iMaster NCE-Campus, but the HWTACACS server is faulty or the network is disconnected. Alternatively, iMaster NCE-Campus fails to configure the password of the admin user for the device.
        • Existing session or connection: The CLI of the device has been opened.
   3. After the PMI is complete, click Export and view the PMI report.

      The exported PMI report is in .pdf format.

3. View the inspection list.
   1. Click the PMI Record tab.
   2. Find required historical PMI records from the list. You can export PMI packet, export PMI report, delete, and resend them through emails.
      • iMaster NCE-Campus can save historical PMI records for three years at most.
      • An inspection task can be in one of the following status:
        • All Success: All devices are inspected successfully.
        • Partial Success: Some devices are inspected successfully.
        • Abnormal: The inspection task is not complete due to an exception, for example, the inspection task is manually stopped.

4. Configure a notification email sending policy.
   1. click the PMI Settings tab
   2. Set Email notification to , click Add, add email addresses of recipients, and click OK.

   3. Set the email title, and click Save.

      If the email address of the MSP administrator has been verified, by default, the system automatically adds the email address of the MSP administrator to the recipient email address list when the email sending function is enabled and this email address cannot be deleted or changed.

      If Notification title uses the default value, iMaster NCE-Campus automatically updates the date in the title to the actual date on which the email is sent. The automatic date updating function does not take effect for a customized title.

Context

If iMaster NCE-Campus needs to send emails to users, you need to configure an email server first.

iMaster NCE-Campus needs to send emails in the following scenarios:

• The MSP administrator or tenant administrator forgets the password: iMaster NCE-Campus sends a reset password to the administrator through an email.
• The tenant administrator performs alarm settings on iMaster NCE-Campus: iMaster NCE-Campus sends emails to notify users of reported alarms.
• The tenant administrator wants to use the email-based deployment function: iMaster NCE-Campus needs to send deployment emails to related personnel.
• Tenants want to register accounts by themselves: iMaster NCE-Campus sends an email containing an activation link to the tenants.
• The MSP administrator inspects tenant devices: iMaster NCE-Campus sends the inspection report to the administrator's mailbox, if needed.
• The MSP administrator deletes ESNs or devices: iMaster NCE-Campus sends a notification email to the tenant administrator, if needed.
• A tenant license is about to expire: iMaster NCE-Campus sends a notification email to a tenant.
• When portal authentication is configured for guest access, you need to set the approver notification mode or guest notification mode to email notification.

The system administrator has configured an email server for sending emails. If the MSP administrator wants to use another email server, the MSP administrator needs to configure an email server separately.

If both the system administrator and MSP administrator have configured an email server, the email server configured by the MSP administrator is used preferentially. If the email server configured by the MSP administrator is not found, the email server configured by the system administrator is used.

Procedure

1. Upload an email server certificate.
   1. Contact the SMS server provider to obtain a certificate file.
   2. Choose System > System Management > Certificate Management from the main menu.
   3. Choose Service Certificate Management from the navigation pane. On the Services page, click CampusBaseServiceServerConfigMoudle.
   4. Click the Trust Certificate tab and click Import. On the displayed page, enter the certificate information, select the desired email server certificate, and click Submit to upload the certificate to iMaster NCE-Campus.

2. Choose System > System Management > Third-Party Service from the main menu.
3. Set parameters for connecting to the email server.

   If the email server uses a third-party CA certificate, you are advised to disable Validate server certificate.

4. Click Test to verify the email sending function.
   • If the message "The test succeeds" is displayed and the mailbox receives the test email, the configuration is successful. Click Save.
   • If the message "The test succeeds" is displayed but the mailbox does not receive the test email, check whether the email function of the SMTP server is normal.
   • If the message "Failed to connect to the email server" is displayed, check whether the above parameters are correctly configured.
     • Affected by the network quality and performance of the SMTP server, the time of receiving emails will be delayed within two minutes.
     • Some SMTP providers set the right control for third-party application access. If the test fails, check whether the function of controlling third-party application access is enabled on the SMTP server and set password to the authentication password of the SMTP server.
     • Limited by security policies of email service providers, administrators may fail to receive emails in some scenarios. If no email is received, log in to the email service website or contact the email service provider to check whether the email is returned or other exceptions occur. Alternatively, replace the email server and try again.

Parameter Description

Context

You need to configure the SMS service if SMS authentication is required.

Before configuring the SMS service, you need to configure an SMS platform to specify the SMS gateway and configure account information based on the SMS platform to send SMS messages.

• SMS platform: You need to set parameters about a third-party SMS platform on iMaster NCE-Campus according to the information provided by the SMS platform. For details, see the interface document of the third-party SMS platform.
• SMS server: You need to set parameters for interworking between iMaster NCE-Campus and a third-party SMS platform. After the interconnection is successful, iMaster NCE-Campus can send SMS messages.

  By default, the system is pre-configured with the following SMS server connection parameters:

  • fungo: http://qxt.fungo.cn/Recv_center. This is the SMS platform of fungo.cn (Beijing, China).
  • twilio: https://api.twilio.com:8443/2010-04-01/Accounts/{USERNAME}/Messages.json. To use this SMS server, access www.twilio.com and apply for an account.

Prerequisites

The system administrator has created an SMS server template.

Procedure

1. Import an SMS server certificate.
   1. Contact the SMS server provider to obtain a certificate file.
   2. Log in to iMaster NCE-Campus as a system administrator and choose System > System Management > Certificate Management from the main menu.
   3. Choose Service Certificate Management from the navigation pane. On the Services page, click CampusBaseServiceServerConfigMoudle.
   4. Click the Trust Certificate tab and click Import. On the displayed page, enter the certificate information, select the desired SMS server certificate, and click Submit to upload the certificate to iMaster NCE-Campus.

2. Choose System > System Management > Third-Party Service and click the SMS Server tab.
3. Select an SMS Platform, and configure the related data.

   HTTPS is recommended because it is more secure than HTTP.

   • Set SMS Service type to HTTP SMS Service and select fungo from the SMS platform drop-down list box.

   • Set SMS Service type to HTTP SMS Service and select twilio from the SMS platform drop-down list box.

   • Set SMS Service type to SMPP SMS Service and select the created SMS template from the SMS platform drop-down list box.

4. Click Test to verify validity of the SMS message sending function.
   • If the test succeeds, the message "The test succeeds" is displayed, and you can receive the test SMS message from iMaster NCE-Campus.
   • If the test fails, the message "Failed to test the SMS serve" is displayed. Perform operations according to the scenarios:
     • If an error code is displayed in the dialog box, check the product documentation of the SMS service provider for the cause of the error, and obtain the troubleshooting method.
     • If no error code is displayed in the dialog box, contact the system administrator to check the URL specified in the SMS server template to see whether the SMS server is reachable.

5. After the test is successful, click Save.

Parameter Description

Prerequisites

You have purchased related services from a map service provider and obtained the API address (URL) and key value of the map. For details about how to apply for a key value, see Google Maps Key Application Procedure.

Procedure

1. Choose System > System Management > Third-Party Service, and click the Map URL Settings tab.
2. Click Edit corresponding to the map, enter values of API address and Key, and select Instructions for Use.

3. Click OK.

Google Maps Key Application Procedure

1. Access the Google Maps official website at https://developers.google.com/maps/documentation/javascript/get-api-key.
2. Register a Google account and log in.
3. Create a Google Maps project.
   1. Choose Set up in Cloud Console from the navigation pane. Under Creating a project, click Create new project.

   2. Enter project information and click CREATE to create a project.

4. Apply for an API key.
   1. Choose Set up in Cloud Console from the navigation pane. Under Enabling APIs, click Enable the Maps JavaScript API.

   2. Select the created project and click ENABLE to enable the Maps JavaScript API function.

   3. On the Credentials tab page, click CREATE CREDENTIALS and click API key.

   4. Obtain the API key.

5. (Optional) Remove the Google Maps watermark.

   There is a watermark on Google Maps by default. You need to pay fees if you want to remove the watermark from the map.

   1. Choose Set up in Cloud Console from the navigation pane. Under Creating budgets and setting alerts, click Go to the Billing page.

   2. Click ADD BILLING ACCOUNT.
   3. Enter personal information.

   4. Click START MY FREE TRIAL.

Parameter Description

Context

System software packages or patches on a third-party file server can be used for device upgrade or patch installation. To support this, you need to store system software packages and patches on the third-party file server, and configure interconnection between iMaster NCE-Campus and the file server.

Prerequisites

You have set up and configured an SFTP or HTTPS file server.

Procedure

1. Choose System > System Management > Third-Party Service from the main menu, and click the File Server Manage tab. The page for configuring the file server is displayed.
2. Click Add, and configure a third-party file server. You can select SFTP or HTTPS to transfer files.
   • If SFTP is selected, configure the username, password, IP address, and port number of the file server.

   • If HTTPS is selected, configure the authentication mode, IP address, and port number of the file server.

3. Click OK.

Follow-up Procedure

• To upload the system software packages or patches required for device upgrade to iMaster NCE-Campus through a third-party file server and to upgrade devices, perform the following steps:
  1. Choose Maintenance > Maintenance > File Management from the main menu. On the file list page, configure the information about system software packages and patches. For details, see Create files in File Management.
  2. Log in to iMaster NCE-Campus as a tenant administrator. Choose Maintenance > Device Maintenance > Device Upgrade from the main menu, and select SFTP or HTTPS when upgrading devices. For details, see Upgrading/Downgrading NETCONF-Managed Devices.

Context

When O&M personnel need to send notifications to related personnel.

O&M personnel set remote notification parameters, specify the notification content to be sent or use the preset notification template, and manually trigger the sending of emails to related personnel.

Before sending notifications, O&M personnel need to create notified users or notified user groups.

Prerequisite

An administrator has been created.

Procedure

1. Choose System > System Management > Third-Party Service from the main menu.
2. Click the Notified User Management tab and configure the users and user groups to be notified.
   • Click the Notified Users tab, click Create, and configure the user information. Enter the user name, set at least one of the mobile number and email address, and click OK.

     The user name is case sensitive.

   • Click the Notified User Groups tab, click Create, and configure the user group information. Enter the user group information, select users, add the users to the user group, and click OK.

     By creating user groups, O&M personnel can send notifications to users by group.

     • The mobile number and email address of a user cannot be empty at the same time. Otherwise, the user cannot be added to the user group.
     • On the Notified Users tab page, you can click Create to add notified users. By default, newly created users are added to the user group.
     • A maximum of 200 users can be added to a notified user group.
     • When adding users to a user group, you can search for users by User Name, Mobile Number, or Email on the Notified Users and O&M Users tab pages.
     • If the mobile number and email address of a user are both empty, the user cannot be added to a user group.
     • The user group name is case sensitive.

Follow-up Procedure

• Modifying, querying, deleting, and exporting notified user information
  • Modifying notified user information

    To modify the information about a user to be notified, click next to the user in the Operation column in the Notified Users list.

  • Querying notified user information

    To query information about one or more users to be notified, select User Name, Mobile Number, or Email from the drop-down list box at the upper right corner of the Notified Users tab page, enter the corresponding information in the search box, and click . The Notified Users list displays the users who meet the search criteria.

  • Deleting a notified user

    To delete a user to be notified, click next to the user in the Operation column in the Notified Users list.

  • Export notified user information

    To export notified user information, click Export All on the Notified Users tab page. In the Warning dialog box that is displayed, click OK. In the Set File Format and Password dialog box, set the file format, password, and confirm password to export notified user information to the local PC.

• Modifying, copying, querying, and deleting notified user group information
  • Modifying notified user group information

    To modify the information about a notified user group, click next to the user group in the Operation column in the Notified User Groups list.

  • Copying a notified user group

    To create a notified user group that has similar information with an existing notified user group, click in the Operation column in the Notified User Groups list to copy the notified user group information, modify the information as required, and create a notified user group.

  • Searching for a notified user group

    To query information about one or more notified user groups, enter the user group name in the search box at the upper right corner of the Notified User Groups tab page and click . The Notified User Groups list displays the user groups that meet the search criteria.

  • Deleting a notified user group

    To delete a notified user group, click next to the user group in the Operation column in the Notified User Groups list.