Onboarding Devices for OmniVista Cirrus Management
This section describes the required prerequisites and general workflow to onboard OmniSwitch and Access Point devices for OmniVista Cirrus 10 Management, as well as troubleshooting information.
Switch Onboarding Workflow
The process to onboard AOS Switches for OmniVista management is described in this section. It is important to verify and configure the required prerequisites before attempting to onboard and provision a switch.
When a switch boots up, it contacts the DHCP Server and gets the location of the OmniVista Cirrus Activation Server. The Cloud Agent on the switch then makes an HTTPS call to the OmniVista Cirrus Activation Server and is matched to a Device Catalog entry containing the Management User and Provisioning Templates for that switch/switch model. OmniVista Cirrus then uses SSH to log into the switch using the credentials specified in the Management User Template and configures/provisions the switch. Once provisioning is complete, the switch is manageable by OmniVista.
Verify the Required Prerequisites for Onboarding Switches
The prerequisite configurations below must be completed to ensure a successful onboarding process. Once the prerequisites are met, switches can be deployed as described in the Basic Deployment Workflow section.
Verify Network Prerequisites are configured. For example: DHCP, Firewall, DNS settings.
Verify Device Prerequisites for the switch are configured. For example: Minimum AOS software supported; license info; models supported
At a minimum, the Management User Template is pushed to the switch. This template provides the login credentials that OmniVista Cirrus will use to communicate with the switch. A Default Management User template is used, unless you select another template. The Default Management User Template uses the “admin/switch” login credentials to connect with the Switch.
Configure any additional configuration to append to the switch configuration through CLI commands in a Provisioning Template.
Configure CLI-Based Provisioning Settings to specify the onboarding process for switches with no initial configuration (no initial template, no value mapping).
To implement BYOD/Guest Access authentication, configure the UPAM Radius Server as the RADIUS authentication server for switches. This step is required until OmniVista Cirrus supports AAA Server profiles, which is planned for the next release.
Create a new NAS Client and configure the UPAMRRadiusServer with the same shared secret that was used for the new NAS Client. The NAS Client and UPAMRadiusServer shared secret must match.
Important Note: Changing the shared secret on the UPAM Radius Server will affect all managed devices that authenticate through that UPAM Radius Server. This requires configuring the new shared secret for all NAS Client profiles to match the new shared secret for the UPAM Radius Server.Include the following CLI command in the Provisioning Template that OmniVista Cirrus will push to the switch. This command will push the UPAMRadiusServer profile to the AOS switches:
aaa radius-server "UPAMRadiusServer" host <UPAM IP Displayed In UI> key "<newSharedSecret>" retransmit 2 timeout 5 auth-port 31812 acc-port 31813 vrf-name default
Basic Deployment Workflow
The basic deployment workflow is slightly different for new "out-of-the-box" switches or currently-deployed switches.
New Switches
OmniVista Cirrus uses SSH to log into the switch using the credentials specified in the Default Management User Template and configures/provisions the switch. It is recommended that you change the login credentials contained in this template or create a new Management User Template.
Note: After switches are successfully onboarded and provisioned, it is highly recommended that you change the default "admin" password on the switches.Make sure the switch has Internet access and is running from the Working directory.
Declare the switch(es) in the Device Catalog List and specify the Management User Template and the required Provisioning Template (see Prerequisites above) to assign to the switch.
Connect the switch(es) to the network.
New “out-of-the-box” switches automatically call the OmniVista Cirrus Activation Server when first connected to the network. OmniVista Cirrus verifies the call home request is from an AOS switch, then checks if the switch serial number is already declared in the Device Catalog List for an Organization. If found, OmniVista Cirrus returns the required certificates that the switch needs to initiate a VPN connection to OmniVista Cirrus.
The switch initiates the VPN connection. Once the connection is made, OmniVista Cirrus downloads, installs, and starts the OmniVista Cirrus Agent on the switch. The OmniVista Cirrus Agent package consists of a monitoring and configuration agent that interacts on a push-pull, on demand basis with OmniVista Cirrus to manage switches.
OmniVista Cirrus then delivers the provisioning configuration (Management User Template and Provisioning Template) assigned to the switch when you added the switch to the Device Catalog List.
Once the switch is onboarded in OmniVista Cirrus, the switch running configuration will become unsaved. OmniVista Cirrus will automatically save the configuration if "Certify" was enabled (the default) when you added the switch to the Device Catalog List. If the “Certify” option was disabled, then the switch configuration remains unsaved and you should perform a "Save to Running" action from the Device Catalog.
When the switch is successfully onboarded and managed, the Activation Status and Management Connectivity for the switch is updated in the Device Catalog.
Currently Deployed Switches
A switch should be running from the Working Directory for provisioning. If a switch is running from the Certified Directory, reload the switch from the Working Directory before beginning the steps below.
Note that a switch running from the Certified Directory can be provisioned, however, the configuration is temporary and will not be persisted. The switch will lose its configuration if it reboots. If a switch is provisioned from the Certified Directory, reload the switch from the Working Directory and "Force Provision" the configuration to the switch from the Results screen. When you "Force Provision" a switch, the configuration is pushed to the switch the next time the switch contacts OmniVista Cirrus. See the Results Screen online help for more information on manually pushing ("Force Provisioning") a configuration to a provisioned switch.
If the switch is currently managed by OmniVista Cirrus 10, go to the Device Catalog List and delete the switch(es). Otherwise, go to Step 2.
Go to the CLI-Based Provisioning Management User Templates screen to view/configure the Default Management User Template or the template you want to assign to the switch when the switch is added to the Device Catalog List. The Management User Template is initially applied to a switch that is successfully provisioned and enables OmniVista Cirrus management of the switch.
Select "Use existing credentials" and enter the current CLI/FTP Username and Password for the switch. OmniVista Cirrus will expect these credentials to already exist on the switch. See the Management User Templates online help for more information on configuring the Management User Template.
Note: If the switch username/password is different than the one defined in the Management User Template, OmniVista Cirrus will be unable to connect to the switch and provisioning will fail. The switch will be displayed on the Results screen with a Provisioning Status of "Failed". If this happens, configure the "Use existing credentials" option on the Management User Template, and "Force Provision" the switch. See the Results screen online help for more information on "Force Provisioning".
Declare the switch(es) in the Device Catalog List and specify the Management User Template and the required Provisioning Template (see Prerequisites above) to assign to the switch. When the switch(es) contacts OmniVista Cirrus, it will be matched to a corresponding Device Catalog List entry and the configuration in the templates will be pushed to the switch(es). The CLI-based configuration in the Provisioning Template is appended to the existing switch configuration file.
Use one of the following options to enable the switch(es) to contact OmniVista Cirrus for provisioning.
Manually Reboot the Device - Power on and power off the device.
Restart the Cloud Agent on the Device - Telnet to the device and disable the Cloud Agent using the following command: cloud-agent admin-state disable force (enter y at the confirmation prompt). Then enable the Cloud Agent using the following command: cloud-agent admin-state enable.
Once the connection is made, OmniVista Cirrus downloads, installs, and starts the OmniVista Cirrus Agent on the switch. The OmniVista Cirrus Agent package consists of a monitoring and configuration agent that interacts on a push-pull, on demand basis with OmniVista Cirrus to manage switches.
OmniVista Cirrus then delivers the provisioning configuration (Management User Template and Provisioning Template) assigned to the switch when you added the switch to the Device Catalog List.
When the switch is successfully onboarded and managed, the Activation Status and Management Connectivity for the switch is updated in the Device Catalog.
When a Provisioning Template is pushed to the switch, the configuration in the template is appended to the existing switch configuration file. If the Provisioning Template configuration conflicts with the current switch configuration, provisioning will fail and the device will not be manageable by OmniVista Cirrus. If provisioning fails, go to the Results screen and check the "Last Provision Message" column for more information. If the Provisioning Template is the problem, make any necessary updates to the Provisioning Template then “Force Provision” the configuration to the switch from the Results screen. The next time the switch contacts OmniVista Cirrus, provisioning should be successful. See the Results screen online help for more information on manually pushing ("Force Provisioning") a Rule to a switch.
Access Point Onboarding Workflow
The process to onboard Stellar AP devices for OmniVista management is described below. It is important to verify and configure the required prerequisites before attempting to onboard and provision an Access Points.
The following is the basic deployment workflow for onboarding Stellar AP Series devices for OmniVista Cirrus management.
Declare the AP device(s) in the Device Catalog List.
Make sure the AP has Internet access.
Connect the AP to the network and power it on.
The AP will automatically call the OmniVista Cirrus Activation Server.
OmniVista Cirrus verifies the call home request is from an AWOS AP device, then checks if the AP serial number is already declared in the Device Catalog List for an Organization. If found, OmniVista Cirrus returns the required certificates that the AP needs to initiate a VPN connection to OmniVista Cirrus.
The AP will then connect with OmniVista Cirrus.
If the AP is unable to connect with OmniVista Cirrus, the AP will operate in Express Mode and periodically call home until the AP is able to connect with OmniVista Cirrus.
The AP is registered and licensed once it successfully connects with OmniVista Cirrus.
When the AP is successfully onboarded and managed, the Activation Status and Management Connectivity for the AP is updated in the Device Catalog.
Troubleshooting the Onboarding Process
Provisioning Fails
If provisioning fails, go to the Results screen and check the "Last Provisioning Message" column for the reason. The most common cause of failure is that OmniVista Cirrus does not know the correct credentials to SSH/SFTP the switch. The credentials that OmniVista Cirrus uses to connect to the switch are specified in the Default Management User Template or in a Custom Management Template. If the Provisioning Template is the problem, make any necessary updates to the Provisioning Template, and save it. The next time the switch contacts OmniVista Cirrus, provisioning should be successful.
For additional troubleshooting information, refer to the Device Onboarding - FAQs/Troubleshooting online help page.
Verify the OmniVista Cirrus Agent Installation On the Switch
In addition to the OmniVista Cirrus Agent options available through the OmniVista Cirrus UI, you can also perform the following CLI commands on the switch.
To verify the Agent was successfully downloaded and installed on the switch, use the show pkgmgr CLI command:
To verify that the two components of the OmniVista Cirrus Agent package (Config Agent and Monitoring Agent) were started, use the show appmgr CLI command:
Moving Access Points from OmniVista Cirrus 4 to OmniVista Cirrus 10
If you want to move Access Points that are already managed in OmniVista Cirrus 4 to OmniVista Cirrus 10, click here for more information.