Controllerless Networks

There should be only 1 master AP.  On the UI, in the top middle box...do you see all the APs?

No, the IAPs are not showing up in the UI for the first IAP connected.  I was able to pull up the gui for each add'l IAP by figuring out which IP they were assigned, they are making themselves the master.

OK...is the native VLAN working?  Is there a native VLAN configured?  By default, the IAP for management (the cluster) will send those packets out UNTAGGED on the switch port.  With some vendors...once you set it as a trunk, you must define the access VLAN or native VLAN id.

Extreme configs aren't the easiest to decipher...but this is what to check.

Yes, the native vlan is configured, the switch ports the IAPs are on are untagged on the native vlan, we have the ports tagged with the employee wifi vlan (WLAN_WAP, vlan 2002) which is our secure wifi.   For example:

ports 2:29 - 2:32 are the IAPs, the IAPs are all being assigned correct IPs from vlan 14 (/16 subnet)

Alpine3808:2 # show vlan "vlan_14"  <<<Natve Vlan
VLAN Interface[3-202] with name "vlan_14" created by user
Tagging: 802.1Q Tag 14
Priority: 802.1P Priority 7
IP: 10.x.x.x/255.255.0.0
STPD: None
Ignore-stp: Disabled on this vlan
Ignore-bpdu: Disabled on this vlan
Protocol: IP = EtherType:0806 EtherType:0800
Loopback: Disable
RateShape: Disable
QosProfile:QP1
QosIngress:None
Ports: 163. (Number of active ports=52)
Flags: (*) Active, (!) Disabled
(B) BcastDisabled, (R) RateLimited, (L) Loopback
(g) Load Share Group
Untag: *2:29 *2:30 *2:31 *2:32

Tagged: *1:1 *1:3 *1:4

Alpine3808:3 #

===================================================

Alpine3808:4 # sh vlan "WLAN_WPA"  <<<Employee wifi
VLAN Interface[10-209] with name "WLAN_WPA2" created by user
Tagging: 802.1Q Tag 2002
Priority: 802.1P Priority 7
STPD: None
Ignore-stp: Disabled on this vlan
Ignore-bpdu: Disabled on this vlan
Protocol: Match all unfiltered protocols.
Loopback: Disable
RateShape: Disable
QosProfile:QP1
QosIngress:None
Ports: 7. (Number of active ports=7)
Flags: (*) Active, (!) Disabled
(B) BcastDisabled, (R) RateLimited, (L) Loopback
(g) Load Share Group
Tagged: *1:1 *1:3 *1:4 *2:29 *2:30 *2:31 *2:32

Alpine3808:5 #

Do I need to set the native vlan on the IAP master, the first IAP I bring up to vlan 14 ?  under Wired> default_wired_port_profile?

The native vlan on the IAPs is currently set to vlan 1

You should NOT alter that profile.  It shouldn't be needed in your scenario.  Is there anything blocking at the switch level?  Can you paste your config from the IAP?

I don't see anything preventing them from talking on the switch level...but I'm not positive, I'm completely new to the extreme switches, cisco trained.  As mentioned before, the IAPs did join when first configured on the Netgear ProSafe PoE switch I use for configuring, which makes me suspect the issues lies within the switch.  IAPs config is below:

version 6.2.1.0-3.4.0
virtual-controller-country US
virtual-controller-key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
name xxxxxxxxxxxxx
organization "xxxxxxxxxxxx"
virtual-controller-ip 10.140.xxx.xxx
terminal-access
ntp-server xxx.xx.xxx.xxx
clock timezone Mountain-Time -07 00
clock summer-time MDT recurring second sunday march 02:00 first sunday november 02:00
rf-band all
dynamic-radius-proxy
ams-ip 10.10.1.xx
ams-key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

allow-new-aps

arm
 wide-bands 5ghz
 min-tx-power 18
 max-tx-power 127
 band-steering-mode prefer-5ghz
 air-time-fairness-mode fair-access
 client-aware
 scanning
ip dhcp pool
 subnet 10.222.26.xxx
 subnet-mask 255.255.255.0
 dns-server xxx.xxx.xxx.xxx
 domain-name xxxxxxxxxxx
 lease-time 240

syslog-level warn ap-debug
syslog-level warn network
syslog-level warn security
syslog-level warn system
syslog-level warn user
syslog-level warn user-debug
syslog-level warn wireless

mas-integration

mgmt-user admin xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

wlan access-rule default_wired_port_profile
 index 0
 rule any any match any any any permit

wlan access-rule Employee
 index 1
 rule any any match any any any permit

wlan access-rule Guest
 index 2
 rule any any match udp 67 68 permit
 rule xxx.xxx.xxx.xxx 255.255.255.255 match udp 53 53 permit
 rule xxx.xxx.xxx.xxx 255.255.255.255 match udp 53 53 permit
 rule xxx.xxx.xxx.xxx 255.255.255.255 match udp 53 53 permit
 rule xxx.xxx.xxx.xxx 255.255.255.255 match udp 123 123 permit
 rule any any match tcp 80 80 permit
 rule any any match tcp 443 443 permit
 rule xxx.xxx.xxx.xxx 255.255.255.255 match any any any permit
 rule any any match tcp 3389 3389 permit
 rule any any match udp 4172 4172 permit
 rule any any match tcp 4172 4172 permit
 rule any any match tcp 32111 32111 permit
 rule any any match tcp 8009 8009 permit
 rule any any match tcp 4001 4001 permit

wlan access-rule machine_only
 index 3
 rule any any match any any any permit

wlan access-rule user_only
 index 4
 rule any any match any any any permit

wlan access-rule wired-instant
 index 5
 rule 10.140.xxx.xxx 255.255.255.255 match tcp 80 80 permit
 rule 10.140.xxx.xxx 255.255.255.255 match tcp 4343 4343 permit
 rule any any match udp 67 68 permit
 rule any any match udp 53 53 permit

wlan ssid-profile Employee
 enable
 index 0
 type employee
 essid Employee
 opmode wpa-tkip,wpa-aes,wpa2-aes,wpa2-tkip
 max-authentication-failures 0
 vlan 1431
 auth-server xxxxxx
 set-role-machine-auth machine_only user_only
 rf-band all
 captive-portal disable
 dtim-period 1
 inactivity-timeout 1000
 broadcast-filter none
 blacklist
 dmo-channel-utilization-threshold 90
 local-probe-req-thresh 0
 max-clients-threshold 64

wlan ssid-profile Guest
 enable
 index 1
 type guest
 essid Guest
 opmode opensystem
 max-authentication-failures 0
 vlan guest
 auth-server InternalServer
 rf-band all
 captive-portal internal
 dtim-period 1
 inactivity-timeout 1000
 broadcast-filter none
 per-user-bandwidth-limit 1200
 dmo-channel-utilization-threshold 90
 local-probe-req-thresh 0
 max-clients-threshold 64

auth-survivability cache-time-out 24

wlan auth-server xxxxxx
 ip 10.10.0.xxx
 port 1812
 acctport 1813
 key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 nas-ip 10.140.xxx.xxx
 nas-id xxxxxx

wlan captive-portal
 background-color 13369344
 banner-color 16777215
 banner-text "Welcome to the Guest Network"
 terms-of-use "WARNING: This network is not secure, use it at your own risk. By using the xxxx Guest network, you acknowledge that the service is not secure. xxx is not liable to you or any other party for any lack of privacy while using xxx's Guest network."
 use-policy "Please read the terms and conditions before using the xxx Guest network."

wlan external-captive-portal
 server localhost
 port 80
 url "/"
 auth-text "Authenticated"

blacklist-time 3600
auth-failure-blacklist-time 3600

ids classification

ids
 wireless-containment none

wired-port-profile default_wired_port_profile
 switchport-mode trunk
 allowed-vlan all
 native-vlan 1
 shutdown
 access-rule-name default_wired_port_profile
 speed auto
 duplex full
 no poe
 type employee
 captive-portal disable
 no dot1x

wired-port-profile wired-instant
 switchport-mode access
 allowed-vlan all
 native-vlan guest
 no shutdown
 access-rule-name wired-instant
 speed auto
 duplex auto
 no poe
 type guest
 captive-portal disable
 no dot1x

enet0-port-profile default_wired_port_profile

uplink
 preemption
 enforce none
 failover-internet-pkt-lost-cnt 10
 failover-internet-pkt-send-freq 30
 failover-vpn-timeout 180

airgroup
 disable

airgroupservice airplay
 disable
 description AirPlay

airgroupservice airprint
 disable
 description AirPrint

You have this line in there..did you configure this from the defaults?

wired-port-profile default_wired_port_profile
 switchport-mode trunk
 allowed-vlan all
 native-vlan 1
 shutdown
 access-rule-name default_wired_port_profile
 speed auto
 duplex full
 no poe
 type employee
 captive-portal disable
 no dot1x