Adding a Single Tenant
You can use the Add Tenant page to add tenant data and other objects associated with a tenant, such as tenant user, network details, deployment scenario, service profiles, and custom properties. A single tenant can support one or more of the following services:
Begin by creating all the resources required for the network point of presence (POP).
The information listed on the Tenants page changes depending on the authentication mode configured:
- Local Authentication: You can add the administrative user information as the first step from the Tenants page.
- Authentication and Authorization with SSO Server: The Admin User information is not displayed on the Tenants page because users are not created in CSO and they are managed in the SAML identity provider. In addition, users are dynamically authorized to the CSO role based on the mapping rules configured in the SAML authentication.
- Authentication with SSO Server: When you create the administrative user, the login page does not require you to configure a password because the user is created in the SSO without the password and you can only enter the username.
To add a tenant:
Field | Description |
---|---|
Tenant Info | |
Name | Enter a name for the tenant. You can use alphanumeric characters and hyphen (-); the maximum length is 32 characters. Example: test-tenant |
Email Notifications By default, e-mail notifications are disabled for all users. SP, OpCo, and tenant administrators can enable or disable these notifications. Tenant administrators can override the settings configured by the SP or OpCo administrator. For example, if the OpCo administrator enables Login Notifications, then all users of the existing and new tenants are automatically configured to receive login notifications. However, a tenant can choose to disable the login notifications for its users. | |
Login Notification | Enable this toggle button if you want users to be notified when they log in to CSO. |
User Addition Notification | Enable this toggle button if you want users to be notified when they are added to a scope (service provider, tenant, and OpCo). |
User Removal Notification | Enable this toggle button if you want users to be notified when they are removed from a scope (service provider, tenant, and OpCo). |
Admin user | |
First Name | Enter the first name of the user. |
Last Name | Enter the last name of the user. |
Username (Email) | Enter the e-mail address of the user. The e-mail address is used as the username for the user for logging in to CSO. |
Roles | Select one or more roles (both predefined and custom roles) that you want to assign to the tenant user. Note: In the Available column, all tenant scope roles are listed. Click the right arrow (>) to move the selected role or roles from the Available column to the Selected column. Note that you can use the search icon on the top right of each column to search for role names. To preview the access privileges assigned to a role, click the role name. |
Password Policy | |
Password Expiration Days | Specify the duration (in days) after which the password expires and must be changed. The range is from 1 through 365. The default value is 180 days. Click Next to continue. |
Deployment Info | |
Services for Tenant | Select one or more services for the tenant: Note: The options listed in Customer Portal > Resources > Site Management > Add are filtered based on the service that you have selected for a tenant. For example, if you have selected only SD-WAN for a tenant, in Customer portal > Resources > Sites Management > Add > Branch Site (Manual), only the SD-WAN capabilities (Secure SD-WAN Essentials or both Secure SD-WAN Essentials and Secure SD-WAN Advanced based on the SD-WAN service level chosen) are listed. |
Service Level | Note: This field appears only if you selected SD-WAN in the Services for Tenant field. Choose an SD-WAN service type for the tenant. The following options are available: Click Next to continue. |
Tenant Properties | |
SSL Settings Note: This setting is applicable only to the SD-WAN deployment scenario. | |
Default SSL Proxy Profile | Click the toggle button to enable a default SSL proxy profile for the tenant. If you enable this option, the following items are created when a tenant is added: This option is disabled by default. Note: You use this option to create a tenant-wide default profile; enabling or disabling this option does not mean that SSL is enabled or disabled. If you enable this option, you must add a root certificate. |
Root Certificate | You can add a root certificate (X.509 ASCII format) by importing the certificate content from a file or by pasting the certificate content: After the tenant is successfully added, a default root certificate, a default SSL proxy profile, and a default SSL proxy profile intent are created. Note: |
VPN Authentication Note: This setting is applicable only to the SD-WAN (Advanced or Essential) deployment scenario. | |
Authentication Type | Select the VPN authentication method to establish a secure IPsec tunnel: Starting in Release 6.3.0, CSO supports customization of the public key infrastructure (PKI) certificate attributes at the tenant level. You can configure these attributes as custom properties in the Tenant-Specific Attributes field. |
Overlay Tunnel Encryption Note: This is applicable only to the SD-WAN (Advanced or Essential) deployment scenario. | |
Encryption Type | For security reasons, all data that passes through the VPN tunnel must be encrypted. Select the encryption type: The default encryption type is AES-256-GCM. |
Network Segmentation | |
Network Segmentation | Click the toggle button to enable or disable network segmentation on the tenant. You enable network segmentation: Note: CSO applies longest prefix match (LPM), also known as specific route-based routing, to each department when network segmentation is enabled. LPM is applied to the default VPN when network segmentation is disabled. See Understanding Specific Route-based Routing Within the SD-WAN Overlay for the details. |
Dynamic Mesh This setting is applicable only to Secure SD-WAN Advanced deployment scenarios. Note: Sites with the Secure SD-WAN Essentials service do not support creation or deletion of dynamic mesh tunnels based on a user-defined threshold for the number of sessions closed between two branch sites. However, an OpCo administrator or a tenant administrator can create a static tunnel between a source site and destination site by using the CSO GUI in Customer Portal. | |
Threshold for Creating a Tunnel Set a threshold value, above which a tunnel is created between two sites. | |
Number of sessions | Specify the maximum number of sessions closed (for a time duration of 2 minutes) between two branch sites. The dynamic mesh tunnel is created between two branch sites if the number of sessions closed (for a time duration of 2 minutes) is greater than or equal to the value that you specified. The default threshold value (the number of sessions for 2 minutes) is 5. For example, if you specify the number of sessions as 5, dynamic mesh tunnels are created if the number of sessions closed between two branch sites in 2 minutes exceeds 5. |
Threshold for Deleting a Tunnel Set a threshold value, below which a tunnel is deleted between two sites. | |
Number of sessions | Specify the minimum number of sessions closed (for a time duration of 15 minutes) between two branch sites. The dynamic mesh tunnel is deleted between two branch sites if the number of sessions closed (for a time duration of 15 minutes) is less than or equal to the value that you specified. The default threshold value (the number of sessions for 15 minutes) is 2. For example, if you specify the number of sessions as 2, the dynamic mesh tunnels are deleted if the number of sessions closed is less than or equal to 2. |
Max Dynamic Mesh Tunnels | |
Max tunnels per CSO | Displays the maximum number of dynamic mesh tunnels that can be created in CSO. The total number of dynamic mesh tunnels that can be created by all tenants in CSO is limited to 125000. A major alarm is raised if the number of dynamic mesh tunnels created by all tenants reaches seventy percent of the maximum value. A critical alarm is raised if the number of dynamic mesh tunnels created by all tenants reaches ninety percent of the maximum value. To view alarms, see Monitor > Alerts & Alarms > Alarms in Administration Portal. For more information about alarms, see About the Alarms Page. |
Max tunnels per tenant | Specify the maximum number of dynamic mesh tunnels that the tenant can create. Range: 1 through 50,000. A major alarm is raised if the number of dynamic mesh tunnels created by all sites in a tenant reaches seventy percent of the maximum value. A critical alarm is raised if the number of dynamic mesh tunnels created by all sites in a tenant reaches ninety percent of the maximum value. To view alarms, see Monitor > Alerts & Alarms > Alarms in Customer Portal. For more information about alarms, see About the Alarms Page. |
Dynamic Mesh | Click the toggle button to disable dynamic meshing between sites in the tenant. Dynamic meshing is enabled by default. |
Cloud Breakout Settings Note: This setting is applicable only to Secure SD-WAN Advanced deployment scenarios. | |
Customer Domain Name | Enter the domain name of the tenant. The domain name is used in cloud breakout profiles to generate the fully qualified domain name (FQDN). The cloud security providers use the FQDN to identify the IPsec tunnels. Example: test.gmail.com |
Quality of service settings | |
Class of Service | Click this toggle button to enable (default) or disable CSO from configuring QoS on the devices of a tenant. This setting is valid only for tenants with SD-WAN services. |
Advanced Settings (Optional) | |
Primary/Secondary Hub Affinity | By default, hub affinity is enabled. Enable the toggle button to configure the CPEs to prefer the user-selected primary and secondary hubs over other paths for the SD-WAN overlay traffic. Disable the toggle button to configure the CPEs to prefer the shortest routes over the user-selected primary and secondary hubs for the SD-WAN overlay traffic. For more details, see Understanding Specific Route-based Routing Within the SD-WAN Overlay. |
Tenant-Owned Public IP Pool | You can add one or more public IPv4 subnets that are part of the tenant’s pool of public IPv4 addresses. The tenant IP pool addresses are assumed to be public IP addresses and represent public LAN subnets in SD-WAN branch sites. To add an IPv4 subnet: You can enter more IPv4 subnets by following the preceding procedure. You can also modify subnets that you entered by selecting a row and clicking the edit (pencil) icon. To delete a subnet, select the subnet and click the delete icon. If you update the IP address pool of a tenant, CSO runs a job to automatically update and reprovision the tenant sites. |
Tenant-specific Attributes | If you have set up a third-party provider edge (PE) device by using software other than CSO, configure settings on that router by specifying custom parameters and their corresponding values. Starting in Release 6.3.0, CSO supports customization of the public key infrastructure (PKI) certificate attributes. For more details, refer to Table 2. |
Name | Specify any information about the site that you want to pass to a third-party router. Example: Location |
Value | Specify a value for the information about the site that you want to pass to a third-party device. Example: Boston Click Next to continue. |
Summary | You can review the configuration in the Summary tab and modify the settings, if required. You can also download the settings that you configure as a JavaScript Object Notation (JSON) file by clicking the Download as JSON link at the bottom of the page. |
CSO supports the tenant-specific attributes listed in Table 2. Enter a Role Name and a Value to customize a parameter or enable a feature.
Role Name | Value | Description |
---|---|---|
PKI Certificate Attributes | ||
PKI_O | {{TENANT_NAME}} Default value. Modify it if required. | Customizes the organization name in the PKI certificate. |
PKI_OU | {{EMPTY}} Default value. Modify it if required. | Customizes the organization unit name in the PKI certificate. |
PKI_OU1 | {{EMPTY}} Default value. Modify it if required. | Customizes the organization unit 1 name in the PKI certificate. |
PKI_OU2 | {{EMPTY}} Default value. Modify it if required. | Customizes the organization unit 2 name in the PKI certificate. |
PKI_C | US Default value. Modify it if required. | Customizes the country name in the PKI certificate. |
PKI_ST | {{EMPTY}} Default value. Modify it if required. | Customizes the state name in the PKI certificate. |
PKI_L | {{EMPTY}} Default value. Modify it if required. | Customizes the locality name in the PKI certificate. |
In the Value field for PKI certificate attributes, you can either specify a value directly (for example, US), or use a placeholder in double curly braces (for example, {{TENANT_NAME}}). CSO supports the following values in double curly braces:
- {{TENANT_NAME}} - On certificate generation, CSO replaces this value with the actual tenant name.
- {{SITE_NAME}} - On certificate generation, CSO replaces this value with the actual site name.
- {{EMPTY}} - On certificate generation, CSO does not list any value against this role name.
If you configure a custom property for the PKI certificate, ensure that the certificate is renewed (from the Administration > Certificate Management > VPN Authentication page) so that the values are reflected on the device.
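
The following is an added example, not part of the CSO documentation or Juniper code: a Python preview of how the Table 2 role names and the three documented placeholders resolve into certificate subject attributes for one site, flagging mistyped role names and malformed values before a certificate renewal. The role-to-attribute mapping, the attribute order, and the function names are assumptions; the length limits are the RFC 5280 upper bounds.

```python
import re

# Role names and default values as listed in Table 2 of this page.
DEFAULTS = {
    "PKI_O": "{{TENANT_NAME}}", "PKI_OU": "{{EMPTY}}", "PKI_OU1": "{{EMPTY}}",
    "PKI_OU2": "{{EMPTY}}", "PKI_C": "US", "PKI_ST": "{{EMPTY}}",
    "PKI_L": "{{EMPTY}}",
}
# Assumption: role-to-attribute mapping and ordering; CSO's own order may differ.
SUBJECT_ORDER = [("PKI_C", "C"), ("PKI_ST", "ST"), ("PKI_L", "L"), ("PKI_O", "O"),
                 ("PKI_OU", "OU"), ("PKI_OU1", "OU"), ("PKI_OU2", "OU")]
# Upper bounds for these attribute types from RFC 5280 (Appendix A).
MAX_LEN = {"C": 2, "ST": 128, "L": 128, "O": 64, "OU": 64}
PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")


def resolve(value, tenant_name, site_name):
    """Expand the three placeholders the page documents; reject any other."""
    known = {"TENANT_NAME": tenant_name, "SITE_NAME": site_name, "EMPTY": ""}

    def expand(match):
        if match.group(1) not in known:
            raise ValueError("unsupported placeholder: " + match.group(0))
        return known[match.group(1)]

    return PLACEHOLDER.sub(expand, value).strip()


def preview_subject(custom_properties, tenant_name, site_name):
    """Return (subject, warnings) for one site from tenant custom properties."""
    warnings, pki = [], {}
    for name, value in custom_properties.items():
        if not name.startswith("PKI_"):
            continue  # other custom properties (e.g. Location) are not PKI attributes
        if name not in DEFAULTS:
            warnings.append(f"{name}: not a PKI role name listed in Table 2")
            continue
        pki[name] = value
    merged = {**DEFAULTS, **pki}
    subject = []
    for role, attr in SUBJECT_ORDER:
        value = resolve(merged[role], tenant_name, site_name)
        if not value:
            continue  # {{EMPTY}}: no value is listed for this role name
        if attr == "C" and not re.fullmatch(r"[A-Z]{2}", value):
            warnings.append(f"{role}: expected two uppercase letters, got {value!r}")
        elif len(value) > MAX_LEN[attr]:
            warnings.append(f"{role}: {len(value)} chars exceeds {MAX_LEN[attr]}")
        subject.append((attr, value))
    return subject, warnings


# Constructed sample input: tenant-specific attributes as Name/Value pairs.
SAMPLE = {"PKI_OU": "{{SITE_NAME}}", "PKI_C": "usa", "PKI_OU3": "lab",
          "PKI_L": "Boston", "Location": "Boston"}

if __name__ == "__main__":
    subject, warnings = preview_subject(SAMPLE, "test-tenant", "branch-01")
    print(", ".join(f"{a}={v}" for a, v in subject))
    print("\n".join(warnings))
```
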