Using ZTP to Provision a Managed Device

When a factory-default controller boots, it starts the auto-provisioning process. The following sections describe the provisioning workflow and the process to prepare your network for Zero Touch Provisioning (ZTP) of a managed device. ZTP is a device provisioning mechanism that allows automatic and quick provisioning of devices with minimal or, at times, no manual intervention.

When a managed device establishes an HTTPS connection to the Activate server and requests provisioning information, the Activate server authenticates the managed device and provides that device with provisioning information, including the IP address of its Mobility Conductor and secondary Mobility Conductor, and its country code.

If the managed device is unsuccessful in retrieving the provisioning parameters from Activate, it will retry in 30 seconds. The managed device will keep trying to retrieve the provisioning parameters from Activate until it is successful, or the administrator initiates Mini-Setup or Full-Setup provisioning.

Before you can use Activate to associate a managed device to Mobility Conductor, you must configure Activate with additional device settings for each managed device and Mobility Conductor, create a folder for those local devices, then assign a provisioning rule to the folder that associates the managed devices to a specified conductor and configuration node. Use the following procedures to configure device details for the Mobility Conductor and managed devices, create folders, and define the provisioning rule.

Upgrading a Legacy Device via Activate

Starting with AOS-8.1.0.0, a factory-default controller running AOS-8 6.0.0.0 can use Activate Zero-Touch Provisioning to upgrade its software as part of the provisioning process. If Activate detects that a factory-default managed device running AOS-8 6.x has been assigned a Managed Device to Conductor Controller provisioning rule, Activate will automatically send that managed device the information it needs to automatically download and upgrade to the latest version of AOS-8.

Configuring Device details for a Managed Device

When you place an order for a controller, that device appears in the Activate Devices list displaying the preconfigured settings for its serial number, MAC address, and software image. Before you can add a managed device to an allowlist, you must use the Activate interface to assign a name to each managed device and to identify the Mobility Conductor in a managed device deployment.

The following procedure describes how to configure managed device or Mobility Conductor device settings using Activate:

  1. Click the Devices icon at the top of the page to display the Devices page.
  2. Select a managed device or Mobility Conductor from the Devices list. If the list is very large, you can click the filter icon by any Devices list column heading and choose which entries to display, then select the managed device from the smaller, filtered list.
  3. If the device will be used as the Mobility Conductor, select the Conductor Controller check box.
  4. In the Device Detail section of the Devices page, enter the following values:
    • Device name: (Required) an IP address or fully-qualified domain name for the managed device or Mobility Conductor
    • Full name: (Optional) a user-friendly name for the device
    • Description: (Optional) a short text string describing the device
  5. Click Done to save your settings.

Figure 1   Device Details for a Managed Device

Creating a New Managed Device Folder

Associate multiple managed devices to the same Mobility Conductor by moving those managed devices into a single Activate folder.

A folder can contain only one model of managed device, using the same country code and mapping to the same configuration node. Different folders need to be created for managed devices of different model types, or that use a different country code or local configuration group.

The following procedure describes how to add a new folder to the Folders list:

  1. Click the Setup icon to display the Setup page.
  2. Click the New link in the title bar of the Folders list. The Create a New Folder window appears.
  3. Enter the following information for the folder:
    • Name — Name of the new managed device folder. The folder name must be 100 characters or less, and cannot include the characters ?, # or &.
    • Parent — The parent folder for the new folder. The new folder will be created under the selected parent.
    • Notes — (Optional) Use this field to add any additional notes about the folder.
  4. Click Done to save the new folder.

Configuring the Provisioning Rule

A folder can only have one provisioning profile configured within it and the provisioning profile can only reference one configuration node. Consequently, it is necessary to create a folder and associate the provisioning rule for each group of managed devices that share a common configuration node.

The following procedure describes how to create a new provisioning rule for the new managed device folder:

  1. Click the Setup icon to display the Setup page.
  2. In the folders section of the Setup page, select the new managed device folder.
  3. Click the New link in the title bar of the Rules list. The Create a New Rule window appears at the bottom of the page. Enter a value for each required field, then click Done to save your settings.

Figure 2  New Provisioning Rule

Table 1: Provisioning Rule Configuration Settings

  Rule Type
    Click the Rule Type drop-down list, and select Provisioning Rule.

  Parent Folder
    Select the folder to which this provisioning rule applies.

  Provision Type
    Select the Managed Device to Conductor Controller rule type.

  Redundancy Level
    Select No Redundancy to configure just a single Mobility Conductor, choose L2 redundancy to define a local backup at the same site as the Mobility Conductor, or select L3 to define an additional primary and backup Mobility Conductor at a different location than the main primary and backup Mobility Conductor pair.

    NOTE: If you select the L3 option, you must configure a Mobility Conductor and Secondary Mobility Conductor for Site 1 and Site 2.

  Primary Controller
    MAC address of the primary Mobility Conductor. Activate sends a managed device allowlist with information about the managed devices in this folder to the Mobility Conductor with this MAC address.

  Conductor Controller IP
    Enter the IP address used to access the Mobility Conductor or the primary/backup Mobility Conductor pair.

  Secondary Controller
    (Optional for Layer-2 or Layer-3 redundancy) MAC address of a backup Mobility Conductor, for deployments that require Layer-2 or Layer-3 redundancy.

  VPN Concentrator MAC
    The MAC address of the managed device (or other device) that terminates VPN tunnels to the datacenter.

  VPN Concentrator IP
    The IP address of the managed device (or other device) that terminates VPN tunnels to the datacenter.

  Country Code
    Select a country code to be assigned to the managed devices in this folder.

  Local Config Group
    Enter the name of a local configuration group to assign that group of local configuration settings to the managed devices in this folder.

Moving a Managed Device to the New Folder

The following procedure describes how to assign one or more managed devices to a folder:

  1. Click the Devices icon at the top of the page to display the Devices page.
  2. Click the filter icon by any Devices list column heading and choose which entries to display. You can repeat this step and filter the list by multiple criteria types until the Devices list shows only those devices you want to move to a new folder.
  3. Click the Move to Folder button at the top of the Devices page. A drop-down window appears, displaying all folder names.
  4. Select the destination folder for the devices.
  5. A confirmation window appears, showing the total number of devices that will be moved.
  6. Click OK to confirm the change, or click Cancel to cancel the move.

You can also assign an individual device to a new folder by selecting that device from the Devices list and manually changing its parent folder in the Device Details window.

Retrieval of a Managed Device Allowlist from Activate

Activate may be configured to supply the list of managed devices to the Mobility Conductor to be added to the allowlist.

The Mobility Conductor sends a query to Activate every hour. To initiate an immediate query to Activate, access the Mobility Conductor through the CLI and issue the command “activate sync.”

When the Mobility Conductor sends the query to Activate, Activate searches for all provisioning rules of the type managed node to conductor controller that include the MAC address of this Mobility Conductor in the primary controller field.
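The folder and rule constraints above (one model per folder, one rule per folder, L3 needs both sites) and the rule lookup by Primary Controller MAC, modelled as an added example. This is not Activate's code; the folder, rule and device fields, the MACs, serials and folder names, and the "md" mode value are constructed assumptions.

```python
RULE_TYPE = "Managed Device to Conductor Controller"

def norm_mac(mac):
    """Compare MACs regardless of separator style or letter case."""
    return mac.replace("-", ":").lower()

def folder_members(folder, devices):
    """A folder may hold only one managed-device model; reject mixed folders."""
    members = [d for d in devices if d["folder"] == folder]
    models = {d["model"] for d in members}
    if len(models) > 1:
        raise ValueError(f"folder {folder} mixes models {sorted(models)}")
    return members

def check_rule(rule):
    """L3 redundancy requires a primary and secondary conductor at both sites."""
    if rule["redundancy"] == "L3":
        for key in ("site2_primary_mac", "site2_secondary_mac"):
            if not rule.get(key):
                raise ValueError(f"L3 rule for {rule['folder']} lacks {key}")

def build_allowlist(conductor_mac, rules, devices):
    """Entries for every rule naming conductor_mac in its Primary Controller field."""
    entries = []
    for rule in rules:
        if rule["type"] != RULE_TYPE:
            continue
        if norm_mac(rule["primary_mac"]) != norm_mac(conductor_mac):
            continue  # another conductor's rule: its devices are never returned
        check_rule(rule)
        for dev in folder_members(rule["folder"], devices):
            # Entry layout follows the page: mac, serial, model, mode, hostname,
            # config group. The mode value "md" is an assumption.
            entries.append((norm_mac(dev["mac"]), dev["serial"], dev["model"],
                            "md", dev["name"], rule["config_group"]))
    return entries

# Constructed sample data (hypothetical MACs, serials and folder names).
RULES = [
    {"type": RULE_TYPE, "folder": "branch-7010", "primary_mac": "00:1A:1E:00:00:01",
     "redundancy": "L2", "secondary_mac": "00:1A:1E:00:00:02",
     "country_code": "US", "config_group": "branch"},
    {"type": RULE_TYPE, "folder": "dc-7220", "primary_mac": "00:1A:1E:00:00:99",
     "redundancy": "No Redundancy", "country_code": "US", "config_group": "dc"},
]
DEVICES = [
    {"folder": "branch-7010", "mac": "00-1a-1e-aa-00-01", "serial": "CN001", "model": "7010", "name": "md1"},
    {"folder": "branch-7010", "mac": "00-1a-1e-aa-00-02", "serial": "CN002", "model": "7010", "name": "md2"},
    {"folder": "dc-7220", "mac": "00-1a-1e-bb-00-01", "serial": "CN003", "model": "7220", "name": "md3"},
]
```

Calling build_allowlist("00:1a:1e:00:00:01", RULES, DEVICES) returns only the two branch-7010 devices; a conductor MAC that appears in no rule gets an empty list.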

Activate Interface Communication

The managed device and the Mobility Conductor interact with the Activate server to receive information about each other. Once the Activate server is properly configured with the appropriate folders and provisioning rules, Activate automatically manages the relationship between Mobility Conductor and all the managed devices associated with that conductor.

The Mobility Conductor regularly contacts the Activate server to get a list of its associated managed devices. Managed devices interact with the Activate server to learn about their role, Mobility Conductor information, and their regulatory domain. The Mobility Conductor sends its own information and not managed device information. Activate reuses information in the AP-information field for controller interactions between Mobility Conductor and managed devices.

The following steps describe how Mobility Conductor retrieves the allowlist database from the Activate server.

  1. The Mobility Conductor sends an initial POST with a keepalive connection type that includes the following information:
    • type = Provision update
    • mode = controller
    • a session ID
    • AP information that includes <serial number>, <mac-address>, <model>
  2. Activate responds with the following information:
    • type = provision update
    • an Activate-assigned session ID
    • status
    • connection = keep alive.
  3. The Mobility Conductor then sends a second POST with a ‘close’ connection type containing the following information:
    • type = provision update,
    • the session ID received from Activate,
    • Device information that includes <serial number>, <mac-address>, <model>
    • certificate length
    • signed certificate
    • device certificate
  4. Activate then responds with the following information:
    • type = provision update,
    • the same session ID that Activate assigned in the first response
    • status = success or failure
    • mode = conductor
    • the list of managed devices from the allowlist database, where each list entry contains a <mac-address>,<serial number>,<model>,<mode>,<hostname>, and <config group>
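The four-step exchange above, simulated as an added example (not Activate's code), with the checks the responses imply: the second POST must quote the session ID Activate assigned in its first reply, come from the same device, and carry the certificate fields before the allowlist is released. Field names, the session-ID format, the certificate handling and the allowlist entry are constructed assumptions.

```python
import secrets

# Constructed allowlist entry: mac, serial, model, mode, hostname, config group.
ALLOWLIST = [("00:1a:1e:aa:00:01", "CN001", "7010", "md", "md1", "branch")]

class ActivateSim:
    """Stand-in for the Activate side; tracks session IDs it has issued."""
    def __init__(self):
        self.sessions = {}  # Activate-assigned session ID -> conductor MAC

    def handle(self, post):
        reply = {"type": "provision update", "status": "failure"}
        if post.get("type", "").lower() != "provision update":
            return reply
        if post.get("connection") == "keep alive":
            sid = secrets.token_hex(8)  # Activate assigns its own session ID
            self.sessions[sid] = post["ap_info"]["mac"]
            return {"type": "provision update", "session_id": sid,
                    "status": "success", "connection": "keep alive"}
        # Second POST ('close'): must quote the session ID from the first reply
        # and come from the same device that opened the session.
        sid = post.get("session_id")
        dev = post.get("device_info", {})
        if sid not in self.sessions or self.sessions[sid] != dev.get("mac"):
            return reply
        # Simplified certificate check: the page says the device certificate,
        # signed certificate and length are sent; real Activate validates them.
        cert = post.get("device_certificate")
        if not (cert and post.get("signed_certificate")
                and post.get("certificate_length") == len(cert)):
            return reply
        del self.sessions[sid]  # 'close' ends the session; the ID is single-use
        return {"type": "provision update", "session_id": sid, "status": "success",
                "mode": "conductor", "allowlist": list(ALLOWLIST)}

def fetch_allowlist(activate, serial, mac, model, device_cert, signed_cert):
    """Play the conductor's side: keepalive POST, then a 'close' POST with certs."""
    info = {"serial": serial, "mac": mac, "model": model}
    first = activate.handle({"type": "Provision update", "mode": "controller",
                             "session_id": "local-" + serial,
                             "connection": "keep alive", "ap_info": info})
    if first["status"] != "success":
        return None
    second = activate.handle({"type": "provision update", "connection": "close",
                              "session_id": first["session_id"], "device_info": info,
                              "certificate_length": len(device_cert),
                              "signed_certificate": signed_cert,
                              "device_certificate": device_cert})
    if second["status"] != "success" or second.get("mode") != "conductor":
        return None
    return second["allowlist"]
```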