diff --git a/docs/network-mobile/helium-plus-guides/helium-plus-extreme.mdx b/docs/network-mobile/helium-plus-guides/helium-plus-extreme.mdx new file mode 100644 index 000000000..78c57fafe --- /dev/null +++ b/docs/network-mobile/helium-plus-guides/helium-plus-extreme.mdx 
@@ -0,0 +1,333 @@ +--- +id: helium-plus-extreme +title: Extreme ExtremeCloud IQ Conversion Guide +pagination_label: Extreme ExtremeCloud IQ Conversion Guide +sidebar_label: Extreme +description: + Configure ExtremeCloud IQ with RadSecProxy, Passpoint, and Hotspot 2.0 for Helium Mobile. +slug: /mobile/helium-plus-extreme +image: https://docs.helium.com/img/link-image.png +--- + +import useBaseUrl from '@docusaurus/useBaseUrl' + +## Prerequisites + +- ExtremeCloud IQ is running on your Extreme system. +- An on-prem Extreme controller is in use for the network. +- At least one access point is linked to that controller. +- Existing SSID(s) already have basic traffic routing in place. +- You have an Intel-based host on the network for the RadSecProxy container. +- RadSecProxy is deployed and running before you configure Extreme. See + [Deploy RadSecProxy Container](#deploy-radsecproxy-container) for deployment steps. + +--- + +## High-Level Steps + +1. Deploy the RadSecProxy container and note the host’s IP address. +2. Set up the wireless LAN: create an SSID and add RADIUS (RadSec) servers. +3. Configure Hotspot 2.0 for Passpoint. +4. Deploy the configuration to your access points. +5. Test Passpoint connectivity. + +--- + +## Deploy RadSecProxy Container + +RADIUS messages used to authenticate users and for session accounting are transmitted unsecured and +over UDP by default. By directing these messages internally in your secure network to a RadSecProxy, +the UDP is then converted to a TLS protected TCP connection to the Helium Network core AAA servers. + +### RadSecProxy Prerequisites + +- An Intel-based machine with Docker installed. +- The Intel-based machine has a private IP in your network reachable from your Extreme controller. +- ACLs or Firewalls allow Extreme controller and Docker container to communicate UDP on port 1812 + and 1813. +- ACLs or Firewalls allow container/host to reach the internet on TCP ports 2083 and 3802. 
+ +### RadSecProxy Container Deployment + +1. Un-zip and untar the `Helium_RadSec_Docker.tar.gz` file into a directory of your choice on the + host machine. This will unpack: + - `Dockerfile` - The Docker instructions to build the container + - `Radsecproxy.conf` - Pre-populated to connect to Helium Network AAA servers + - `docker-compose.yml` - File to start and stop the container as a daemon + + ```bash + tar -xvzf Helium_RadSec_Docker.tar.gz + ``` + +2. Into the same directory, copy the 3 certificates obtained from Helium Network: + - `ca.pem` - The root CA certificate + - `cert.pem` - The user certificate + - `key.pem` - The key file matched to the certificate + +3. Start the container using: + + ```bash + sudo docker compose up -d + ``` + +4. To stop the container: + + ```bash + sudo docker compose down + ``` + +5. Record the private IP address of the RadSecProxy host machine. You'll use this IP when + configuring RADIUS servers in your Extreme controller. + +--- + +## Access the ExtremeCloud IQ Dashboard + +Sign in to ExtremeCloud IQ with an account that has admin rights (or equivalent for your +environment). Once logged in, the dashboard shows your access points. + +> **Note:** The UI exposes many options; this guide only calls out fields you must set. Leave +> unspecified options at their defaults unless you have a reason to change them. + +--- + +## Set Up the Wireless LAN + +You will define a network policy, an SSID, and RadSec/RADIUS servers. + +### Create a Network Policy + +1. In the left menu, click **Configure**. + +
+ +
+
+2. Open **Network Policies**. +
+ +
+
+The Network Policy list is shown. +
+ +
+
+3. Click **Add Network Policy**. The new-policy screen opens with **Policy Details** selected. + +4. Under **What type of policy are you creating?**, keep **Wireless** checked and clear **Switches** + and **Routing**. + +5. Set a **Policy Name** (e.g. `Helium_network_policy`) and click **Save** (bottom right). You are + taken to the Wireless Networks screen. + +### Create an SSID + +1. Go to **Configure** → **Network Policies** → **Wireless Networks** (top). +2. Click **+** to add an SSID and choose **All other Networks (standard)**. The SSID and + authentication form is shown. + +
+ +
+
+3. Set an **SSID Name** for internal use (e.g. `Helium`) and a **Broadcast Name** for clients; these +can match. + +4. Set **SSID Usage** to **Enterprise** (instead of Private Pre-Shared Key). For **Key Management**, + choose **WPA3-802.1X** and for **Encryption Method**, choose **CCMP (AES)**. + +### Add RadSec Authentication Servers to the Network Policy + +The controller will talk to your RadSecProxy; RadSecProxy then sends RADIUS over TLS to Helium. Use +the RadSecProxy host’s private IP or hostname from +[Deploy RadSecProxy Container](#deploy-radsecproxy-container). + +Add a RADIUS server group and add your RadSec server(s) to it. Your Extreme controller must support +RadSec (RADIUS over TLS). + +1. On the **Wireless Networks** screen, scroll to **Authentication Settings**. +2. Under **Authenticate via RADIUS Server**, click **+** to create a RADIUS server group. The + **Configure RADIUS Servers** dialog opens. +3. Give the group a name (e.g. `Helium_radsec_group`). +4. Click **Settings** next to the group. In **Select RADIUS Settings**, set **Accounting interim + update interval** to `300` seconds, then click **Save RADIUS Settings**. You are back in + Configure RADIUS Servers. +5. Click **+** under **External RADIUS Server**. A **New External RADIUS Server** block appears. +
+ +
+
+6. Set a **Name** (e.g. `primary_radius`). +7. Click **+** beside **IP/Host Name**, choose **IP Address**, and in the **New IP Address or Host + Name** dialog set an object **Name** (e.g. `Primary`). +8. In **IP/Host Name**, enter your RadSecProxy address and port `1812` (e.g. `192.168.1.100`). Click + **Save IP Object**. The new server section now shows that IP/host object. +9. Set **Shared Secret** to `mysecret` (the default in the Helium RadSecProxy container). +10. Click **Save External RADIUS**. Back on Configure RADIUS Servers, the new server (e.g. + `primary_radius`) is listed. +11. Check the box for that server so it is included in the group, then click **Save RADIUS**. You + return to Authentication Settings with the new group and server shown. +12. Click **Save** (bottom right) to store the network policy. You are back on Wireless Networks + with your new SSID listed. + +### Assign the SSID to the Network Policy + +1. On the **Wireless Networks** page, check the box for your SSID (e.g. `Helium`). +2. Click **Next** (bottom right) to attach that SSID to the network policy. + +Wireless LAN and policy setup are done. + +--- + +## Configure Hotspot 2.0 + +Hotspot 2.0 (Passpoint) lets devices automatically connect to your WiFi when they are in range. +ExtremeCloud IQ uses the supplemental CLI for Hotspot 2.0; you type or paste commands in the GUI. +Prepare the CLI in a text file first so you can paste it when you enable the supplemental CLI. + +### Compose Your CLI + +Put the following in a text file so you can paste it into the Supplemental CLI later. These commands +tie your network policy to Hotspot 2.0. + +1. **Hotspot profile and network type** + Create a profile (e.g. `Helium-profile`) with an ANQP domain ID and network type. Use + `anqp-domain-id 0` so ANQP is scoped to this AP. Use network type `2` for a chargeable public + network with internet access. 
+ +``` + hotspot profile Helium-profile + hotspot profile Helium-profile anqp-domain-id 0 + hotspot profile Helium-profile network-type 2 access-internet +``` + +2. **Operator and language** + Set the operator name (e.g. `Helium-Operator`) and language (e.g. English). + +``` + hotspot profile Helium-profile operator-name Helium-Operator language-code eng +``` + +3. **IP support** + Use IPv4 with double-NAT private addressing (`ip-type ipv4 2`) and no IPv6 (`ipv6 0`). + +``` + hotspot profile Helium-profile ip-type ipv4 2 ipv6 0 +``` + +4. **Domains** + Add both Helium Passpoint domains: + +``` + hotspot profile Helium-profile domain-name freedomfi.com + hotspot profile Helium-profile domain-name hellohelium.com +``` + +5. **NAI realms** + Define NAI realms for Helium Passpoint with encoding type `0`, EAP method `13` (EAP-TLS), and + certificate as the authentication method. + +``` + hotspot profile Helium-profile nai-realm freedomfi.com encoding-type 0 + hotspot profile Helium-profile nai-realm freedomfi.com eap-method 13 + hotspot profile Helium-profile nai-realm hellohelium.com encoding-type 0 + hotspot profile Helium-profile nai-realm hellohelium.com eap-method 13 +``` + +6. **SSID security** + Set the Helium SSID to use WPA3-AES 802.1X: + +``` + security-object Helium security protocol-suite wpa3-aes-8021x +``` + +7. **Attach hotspot profile to SSID** + Apply the hotspot profile to the Helium SSID: + +``` + ssid Helium hotspot-profile Helium-profile +``` + +8. **Persist config** + Save the configuration: + +``` + save configuration +``` + +### Enable the Supplemental CLI + +1. Under your user icon (top right), open **Global Settings**. +
+ +
+
+2. Under **Administration**, open **VIQ Management** on the left. The VIQ Management page opens. +
+ +
+
+3. Ensure **Supplemental CLI** is turned ON. + +### Apply the Hotspot 2.0 Configuration to the Network Policy + +1. Go to **Configure** → **Network Policies**. Open your policy (e.g. `Helium_network_policy`). +2. Click your SSID name (e.g. `Helium`) to open the Wireless Network page. +3. Open **Additional Settings** in the top bar (e.g. you may see the DNS Server page). +4. Under **Policy Settings** on the left, open **Supplemental CLI**. +5. Ensure **Supplemental CLI** is enabled on this page. +
+ +
+
+6. Enter a **Name** (e.g. `Hotspot`) and paste your CLI commands into **CLI Commands**. +7. Click **Save** (bottom right). A confirmation appears that the supplemental CLI was saved. +8. Click **Next** to open **Apply the network policy to selected devices**. +9. Click **Eligible** to list access points, then select the APs you want (checkboxes in the + **Status** column). +10. Click **Upload** (bottom right). The **Device Update** dialog opens. +
+ +
+
+11. Under **Update Network Policy and Configuration**, choose **Complete Configuration Update** (not + Delta). +12. Click **Perform Update** (bottom right). The APs reboot; wait a few minutes. A success message + appears when deployment finishes. diff --git a/sidebarsDocs.js b/sidebarsDocs.js index 786a16dfc..acee941e1 100644 --- a/sidebarsDocs.js +++ b/sidebarsDocs.js @@ -22,6 +22,7 @@ module.exports = { 'network-mobile/helium-plus-guides/helium-plus-aruba', 'network-mobile/helium-plus-guides/helium-plus-aruba-central', 'network-mobile/helium-plus-guides/helium-plus-cambium-cnmaestro', + 'network-mobile/helium-plus-guides/helium-plus-extreme', 'network-mobile/helium-plus-guides/helium-plus-fortinet', 'network-mobile/helium-plus-guides/helium-plus-juniper-mist', 'network-mobile/helium-plus-guides/helium-plus-meraki', diff --git a/static/img/mobile-data-only/extreme/extreme-configure.png b/static/img/mobile-data-only/extreme/extreme-configure.png new file mode 100644 index 000000000..f93e65f49 Binary files /dev/null and b/static/img/mobile-data-only/extreme/extreme-configure.png differ diff --git a/static/img/mobile-data-only/extreme/extreme-configureradius.png b/static/img/mobile-data-only/extreme/extreme-configureradius.png new file mode 100644 index 000000000..d1ace0724 Binary files /dev/null and b/static/img/mobile-data-only/extreme/extreme-configureradius.png differ diff --git a/static/img/mobile-data-only/extreme/extreme-createssid.png b/static/img/mobile-data-only/extreme/extreme-createssid.png new file mode 100644 index 000000000..c5812f893 Binary files /dev/null and b/static/img/mobile-data-only/extreme/extreme-createssid.png differ diff --git a/static/img/mobile-data-only/extreme/extreme-deviceupdate.png b/static/img/mobile-data-only/extreme/extreme-deviceupdate.png new file mode 100644 index 000000000..fffa93555 Binary files /dev/null and b/static/img/mobile-data-only/extreme/extreme-deviceupdate.png differ 
diff --git a/static/img/mobile-data-only/extreme/extreme-globalsettings.png b/static/img/mobile-data-only/extreme/extreme-globalsettings.png new file mode 100644 index 000000000..1d27eb4d4 Binary files /dev/null and b/static/img/mobile-data-only/extreme/extreme-globalsettings.png differ diff --git a/static/img/mobile-data-only/extreme/extreme-networkheliumpolicy.png b/static/img/mobile-data-only/extreme/extreme-networkheliumpolicy.png new file mode 100644 index 000000000..7e17f6232 Binary files /dev/null and b/static/img/mobile-data-only/extreme/extreme-networkheliumpolicy.png differ diff --git a/static/img/mobile-data-only/extreme/extreme-networkpolicies.png b/static/img/mobile-data-only/extreme/extreme-networkpolicies.png new file mode 100644 index 000000000..dfe43f190 Binary files /dev/null and b/static/img/mobile-data-only/extreme/extreme-networkpolicies.png differ diff --git a/static/img/mobile-data-only/extreme/extreme-supplementalcli.png b/static/img/mobile-data-only/extreme/extreme-supplementalcli.png new file mode 100644 index 000000000..ac5bc68dd Binary files /dev/null and b/static/img/mobile-data-only/extreme/extreme-supplementalcli.png differ diff --git a/static/img/mobile-data-only/extreme/extreme-viqmanagement.png b/static/img/mobile-data-only/extreme/extreme-viqmanagement.png new file mode 100644 index 000000000..a0effafc9 Binary files /dev/null and b/static/img/mobile-data-only/extreme/extreme-viqmanagement.png differ
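Review bot: the sentence "Your Extreme controller must support RadSec (RADIUS over TLS)." under "Add RadSec Authentication Servers to the Network Policy" contradicts the architecture this hunk describes, where the controller sends plain RADIUS to the RadSecProxy host on UDP 1812/1813 and the proxy is what opens the TLS connection to the Helium AAA servers; reword it to say the controller only needs standard RADIUS support and that RadSec is provided by the proxy. Three smaller points in the same hunk: step 9 of that section tells readers to set the shared secret to `mysecret` "(the default in the Helium RadSecProxy container)" without saying that this default should be replaced with a unique value in `Radsecproxy.conf` and on the controller, and the RadSecProxy prerequisites should pair the UDP 1812/1813 firewall rule with a note that the container should accept RADIUS only from the controller's address, since that leg is unencrypted; the "NAI realms" step says the realms use "certificate as the authentication method", but the four `hotspot profile Helium-profile nai-realm ...` lines set only `encoding-type 0` and `eap-method 13`, so either add the command that sets the authentication parameter or drop that phrase; and "High-Level Steps" lists "5. Test Passpoint connectivity." while the document ends after "Perform Update" with no verification section, so either add a short check (a test device associating to the `Helium` SSID and completing EAP-TLS authentication) or remove the step. The container deployment step could also remind readers to restrict file permissions on `key.pem` after copying it next to the `Dockerfile`.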