Advanced WLAN Configuration
Version 3.5r1
2008
Confidential 2010
Copyright Notice
Copyright © 2010 Aerohive Networks, Inc. All rights reserved.
Aerohive Networks, the Aerohive Networks logo, HiveOS, HiveAP,
HiveManager, and GuestManager are trademarks of Aerohive
Networks, Inc. All other trademarks and registered trademarks are
the property of their respective companies.
Getting Started
Lab: Get Connected
1. Connect to class WLAN
Diagram: Internet, Guest Client, Instructor PC (Mgt0 IP: 10.5.1.N/24 VLAN 1)
Client: Connect to SSID: Class-Guest, IP: 10.5.1.N/24, Gateway: 10.5.1.1, VLAN 1
WLAN Policy: WLAN-Classroom
SSID: Class-Guest
Security: WPA/WPA2 Personal (PSK)
Network Key: aerohive123
• Please connect to the SSID: Class-Guest
• Network Key: aerohive123
• You should get an IP in the 10.5.1.0/24 subnet
Lab: Get Connected
2. Get class files from instructor
• From your PC open a web browser and for the URL type:
ftp://ftp:aerohive@10.5.1.? (Ask Instructor for the IP address)
– Username: ftp
– Password: aerohive
• You will find:
– Courseware (pptx files)
  • If you do not have MS Office 2003 or later, please download a PPTX viewer from Microsoft
– Topology map jpg images
  • Used for the planning tool and topology map lab
– TightVNC
  • Please install the Viewer only – this is used to connect to a hosted PC
– User files for Private PSK in CSV format
  • This is for the Private PSK lab
– PuTTY SSH client (if you don't have an SSH client already)
  • SSHv2 is used to access the console server, which gives you access to the CLI of your AP
Lab: Get Connected
3. Connect to Hosted HiveManager
• Securely browse to HiveManager
https://training-hm1.aerohive.com
or
https://72.20.106.120
Supported Browsers:
– Firefox
– Internet Explorer
– Chrome
• Default Login Credentials:
– Login: adminX (X = Student ID 2 - 15)
– Password: aerohive123
Lab: Get Connected
4. Certificate error - Continue to the website
• If prompted, accept the certificate permanently, add the security exception, or continue to the website
• Note: (Do not perform this operation in the classroom)
In your own company you can import your own HiveManager certificate by going to: Home > Administration > HiveManager Services
– Check Update HTTPS Certificate
– You can generate a self-signed certificate or import a third-party certificate
– Click Update
Lab: Get Connected
5. Connect to class WLAN
• Click Agree to the End User License Agreement
Lab: Get Connected
6. The dashboard appears
Screenshot callouts: Click to hide the left menu bar; Select widgets to see; Click the blue bar and drag to move a widget to a new location on screen
• From the dashboard you can get a summary of your WLAN
• The dashboard is customizable
• This dashboard will be covered in more detail later in this course
HiveManager Help
HiveManager provides rich and powerful online help
• Click Help… on the top menu bar to get a menu of the help options
• There is a help box on the right side of the guided configuration
• A link to Help also exists in the Start Here screen
Help System in HiveManager
• If you click Help in the upper right hand corner of the HiveManager Settings:
– HiveManager Help
  • Context sensitive help based on where you are when you select this option
– Settings
  • Lets you specify a path to host the online help web pages locally on your network
– Videos and Guides
  • Contains links to all Aerohive documentation and computer-based training modules (Online Training; Deployment, Quickstart, and Mounting Guides; CLI Reference Guides; Web-based Help Files)
  • You can also download the web-based help system from here
– Check for Updates
  • Checks for Aerohive's latest code
– About HiveManager
Help: Context Sensitive
• Context sensitive help can be viewed in any configuration window
• By default your PC must be connected to the Internet to view the help files, unless you have downloaded them and hosted them on your own web server
Help: Navigation
Screenshot callouts: Click here to go to the home page; Search on Current Page; Global Search
Help: Global Search
• You can enter multiple words for a global search
• The help is automatically expanded when the search strings are found. Each word in the list is highlighted in a different color
• Click the relevant section
Help: Search For Words Within Pages
• Search for an exact word or phrase match within a page
– This is a complete word match, not a partial word match
Screenshot callouts: Enter word here to highlight on page; Adds or removes highlighting
Help: Files Location
Screenshot callout: Here you can specify a path to locally hosted help files
• Help files are referenced from the Internet
• If Internet access is not available when you manage your HiveManager, download the web-based help files from the Videos & Guides section on the help menu, and store them on your own local web server
• Then specify a path to your own hosted web pages and click Update
Getting Started
Creating a WLAN Policy and Managing HiveAPs
Connect To HiveManager
(In case you walked in late!)
• Securely browse to HiveManager
https://training-hm1.aerohive.com
or
https://70.20.106.120
Supported Browsers:
– Firefox
– Internet Explorer
• Default Login Credentials:
– Login: adminX (X = Student ID 2 - 15)
– Password: aerohive123
Access Your Hosted HiveAP
• Use PuTTY or your favorite SSH tool to SSH to training-console.aerohive.com
– Ports 7002 through 7015
Note: Student IDs are 2 through 15, so the SSH port number corresponds to the student ID: 7002 through 7015
• You will first see the Terminal Server Login, just press enter:
Login as: <enter>
X-A-001122 login: admin
Password: aerohive123
Note: For Mac OSX or Linux use:
ssh -l admin training-console.aerohive.com -p 700X
Access Your Hosted HiveAP
• Use PuTTY or your favorite SSH tool to SSH to training-console.aerohive.com
– Ports 7022 through 7035
Note: Student IDs are 2 through 15, so the SSH port number corresponds to the student ID: 7022 through 7035
• You will first see the Terminal Server Login, just press enter:
Login as: <enter>
X-A-001122 login: admin
Password: aerohive123
Note: For Mac OSX or Linux use:
ssh -l admin training-console.aerohive.com -p 700X
Set HiveManager Time Settings
Essential When Generating Certificates, Using Private PSK, Wireless VPN, User Manager, Time-Based Authentication, and Schedules
Set the Time and Time Zone
(Instructor Only)
• Go to Home > Administration > HiveManager Settings
• For System Date/Time click Settings
Set the Time and Time Zone
(Instructor Only)
• Time Zone: <Time Zone of HiveManager>
• Set the date/time manually or synchronize with an NTP server
• Click the save icon to save and update
Note: The HiveManager services will be restarted
• After a minute, you can log back into the HiveManager
Aerohive Base WLAN Policy Creation
Quick Start
Lab: Create Base WLAN Policy
1. Add a new WLAN policy
• Go to Configuration > Guided Configuration > WLAN Policies
• Click New
• Enter a WLAN Policy Name: WLAN-X
Go to next slide
Lab: Create Base WLAN Policy
2. Create a New Hive
• Click + to create a new Hive
• Hive: Hive-X
• Modify Encryption Protection
– Select Automatically generate Password
• Save your Hive
Lab: Create Base WLAN Policy
3. Create an SSID
– WLAN Policy – SSID Profiles
• Click: Add/Remove SSID Profile
• Click + to create a new SSID Profile
Go to next slide
Lab: Create Base WLAN Policy
4. Configure SSID
– SSID Profile –
• Profile Name: Class-PSK-X
• SSID: Class-PSK-X
Note: The profile name typically matches the SSID unless you want different settings for the same SSID in different locations.
IMPORTANT: For the SSID labs, please follow the class naming convention. SSIDs are broadcast over the air, so we do not want people to accidentally connect.
SSID Access Security
• Select: WPA/WPA2 PSK (Personal)
– Use Default WPA/WPA2 PSK Settings
• Key Value: aerohive123
• Confirm Value: aerohive123
User Profile for Traffic Mgmt
• Click + to create a new user profile
Lab: Create Base WLAN Policy
5. Create User Profile for Employees
– SSID/User Profile –
• Name: Employee(10)-X
• Attribute Number: 10
• Default VLAN: 1
• Click Apply
• Ensure your user profile is selected
• Click Save to save the SSID
Lab: Create Base WLAN Policy
6. Configure SSID
– WLAN Policy – SSID Profiles
• Select your SSID Class-PSK-X from the Available SSID Profiles list and use the right arrow button '>' to move it to the Selected SSID Profiles list
• Click Apply
Really – Make sure you click Apply
• Do not save the WLAN policy, go to the next slide
Note: The WLAN policy must be assigned to one or more HiveAPs for it to take effect
Lab: Create Base WLAN Policy
7. Create an NTP Server object
Configure the NTP server to set the time zone and NTP server settings. This is important for any service that depends on time, such as VPN and RADIUS which use certificates, schedules, Private PSK validity, etc.
• From your WLAN policy under the Optional Settings
• Expand Management Server Settings
• Next to NTP Server
– Click +
Lab: Create Base WLAN Policy
8. Configure NTP Server Settings
• Name: Time-X
• Time Zone: <Please use the time zone for the location of the class>
• Uncheck Sync clock with HiveManager
• NTP Server: pool.ntp.org
• Click Apply
– Did you click Apply?
• Click Save
Lab: Create Base WLAN Policy
9. Save your WLAN Policy
Back in your WLAN policy
• Ensure NTP server is set to: Time-X
• Click Save
Lab: Create Base WLAN Policy
10. Verify Your WLAN Policy
• After saving your WLAN policy, you can review the settings here by looking at the columns for your WLAN policy
  • Hive
  • SSID Profiles
• When done, click Monitor to go to the list of HiveAPs
Go to next slide
Provision HiveAPs With Base WLAN Policy
Wireless VPN Lab
Network IP Summary
Diagram: WLAN Branch Office – HiveAP VPN Clients
– VPN Client X-A-HiveAP: 10.5.1.? (address learned through DHCP)
– Gateway FW (NAT): 10.5.1.1 / 2.2.2.2
Diagram: WLAN HQ – HiveAP VPN Servers
– Firewall NAT Rules: 1.1.1.X -> 10.8.1.X
– RADIUS: 10.8.1.200
– Client PC: 10.8.20.?/24, GW: 10.8.20.1
– Gateway: 10.8.1.1
– DHCP Server VLAN 20: Net 10.8.20.0/24, Pool 10.8.20.150 - 10.8.20.200, Gateway 10.8.20.1
– VPN Server X-B-HiveAP: MGT0 10.8.1.X/24
– VPN Client Tunnel Address Pool, AP VPN 1: 10.8.1.X0 – 10.8.1.X9
Layer 3 IPsec VPN Tunnels - IP Headers: (10.5.1.?) 2.2.2.2 -> 1.1.1.2
Layer 2 GRE Tunnels - IP Headers: Tunnel0 10.8.1.X0 -> 10.8.1.X
? – Address learned through DHCP
Configure Your HiveAP-A (X-A-######)
Lab: Provision Two HiveAPs
1. Modify your HiveAP-A
• Click the Config radio button near the top of the screen to see the configuration view
• Note that HiveAPs are set to the default WLAN policy and Hive
• Select the check box next to your HiveAP X-A-###### and click Modify
Lab: Provision Two HiveAPs
2. Modify settings for your HiveAP-A
Configure the HiveAP settings and WLAN Policy
• Location: <First-name_Last-name>
• For WLAN Policy select: WLAN-X
• Topology Map: ..Classroom
• Select: Use both radios for client access
• 2.4GHz (wifi0) Power: 1
• 5GHz (wifi1) Power: 1
• Click Save
Note: Because the APs are stacked on top of each other in a hosted rack and are connected via coax to the hosted PCs, please set the power level to 1. In a real deployment you can leave the power set to auto and ACSP will determine the appropriate power setting.
Configure Your HiveAP-B (X-B-######)
Lab: Provision Two HiveAPs
3. Select and Modify your HiveAP-B
• Verify the settings for your X-B-HiveAP by looking at the columns
• Select the check box next to your HiveAP X-B-###### and click Modify
Lab: Provision Two HiveAPs
4. Modify Settings for Your HiveAP-B
• Location: <First-name_Last-name>
• For WLAN Policy select: WLAN-X
– Assigning your HiveAP to a WLAN policy is how the HiveAP inherits the majority of its configuration settings
• Topology Map: ..Classroom
• Select: Use both radios for client access
Do not save
Go to the next slide
Lab: Provision Two HiveAPs
5. Set Power and Static IP Address for HiveAP-B
• 2.4GHz (wifi0) Power: 1
• 5GHz (wifi1) Power: 1
This HiveAP will be a VPN server, so you will need to give it a static IP address:
[Optional Settings]
• Expand Interface and Networks Settings
– Uncheck DHCP Client Enabled
– IP: 10.8.1.X
– Mask: 255.255.255.0
– Gateway: 10.8.1.1
• Click Save
Go to the next slide
Lab: Provision Two HiveAPs
6. View configuration and monitor status
• Verify the settings for your X-B-HiveAP by looking at the columns
• You can click Monitor view to see that the HiveAPs and HiveManager are not in sync. The green square and red triangle icon shows that
• You can click the Host Name column header to sort the HiveAPs by hostname
For Your Information Outside US
Set the Country Code for World Mode HiveAPs
Note: Please do not perform this in class unless told to do so by your instructor!
Updating the country code on a HiveAP configures the radios to meet government requirements for a country
You can update the country by going to Monitor > Access Points > New HiveAPs
• Select all the HiveAPs
• Click Update... > Update Country Code
• Select the appropriate country code
• Click Upload
Lab: Provision Two HiveAPs
7. Update the Configuration on Your HiveAPs
• Select the check box next to your two HiveAPs
• Click Update > Upload and Activate Configuration
Lab: Provision Two HiveAPs
8. Update the Configuration on Your HiveAP
• Go to Configuration > Guided Configuration
• Click Settings
• Change Activation time to: Activate after [ 5 ] Seconds
– This is because mesh is not being used, and therefore you do not have to worry about cutting off connectivity to a mesh HiveAP
• Click the Save icon
– These settings will remain for all subsequent uploads
• Do not save
• Go to the next slide
Lab: Provision Two HiveAPs
9. Update the Configuration on Your HiveAPs
• You can view the configuration that will be sent to the HiveAP if that interests you
– Right click the hostname of the HiveAP
– Select View Configuration
– After reviewing, close the configuration window by clicking the [x]
• Click Upload to update the configuration on your HiveAPs
• Go to the next slide
Lab: Provision Two HiveAPs
10. View The HiveAP Update Results
• You will be taken to the results page so you can view the status of your update
• If you leave this screen, you can go back by going to: Monitor > Access Points > HiveAP Update Results
Lab: Provision Two HiveAPs
11. Monitor HiveAP Status
Note: You can expand or collapse the New HiveAPs list by clicking its header
• Go to Monitor > Access Points > HiveAPs
• Your HiveAP will have moved from the New HiveAPs list to the Managed HiveAPs list
• When the Audit column icon turns to two green squares and the Uptime changes back from 0, the first update is complete
Test Access to SSID Used In Base WLAN Policy
Test Base WLAN Policy
Diagram: Internet, Internal Network, AD Server 10.5.1.10, VLANs 1-20
Hosted PC Student-X: Connect to SSID Class-PSK-X, IP: 10.5.1.N/24, Gateway: 10.5.1.1
HiveAP Mgt0 IP: 10.5.1.N/24 VLAN 1
WLAN Policy: WLAN-X
SSID: Class-PSK-X
Authentication: WPA or WPA2 Personal
Encryption: TKIP or AES
Preshared Key: aerohive123
User Profile 1: Employee(10)-X
Attribute: 10
VLAN: 1
IP Firewall: None
QoS: def-user-qos
DHCP Settings (VLAN 1): network 10.5.1.0/24, 10.5.1.140 – 10.5.1.240
Access Your Hosted Client PC
Using the web for PC, Mac, or Linux
• http://training-pcX.aerohive.com:5800
• Click Options:
– Specify Encoding: Tight
– Click Close
• VNC Authentication
– Password: aerohive
– Click OK
Access Your Hosted Client PC
Using the TightVNC Application
• If you are using a Windows PC and you do not have Java installed, you can install the TightVNC client application
– TightVNC has good compression, so please use TightVNC for class instead of any other application
• Start TightVNC
– VNC Host: training-pcX.aerohive.com
– Click Connect
– Password: aerohive
If you are not logged in
Login to Hosted PC
• Click the toolbar button to send a control alt delete
• Login: user
• Password: Aerohive1
Lab: Test Base WLAN Policy
1. Connect to the Class-PSK-X SSID
• From the hosted PC
– Double-click the wireless connection icon on the bottom right of the task bar
– Connect to your SSID: Class-PSK-X
– Passphrase/Network Key: aerohive123
– Click Connect
Lab: Test Base WLAN Policy
2. View Active Clients List
Screenshot callout: Click here to modify the displayed columns
• After associating with your SSID, you should see your connection in the active clients list in HiveManager
– Go to Monitor > Clients > Active Clients
• Your IP address should be from the 10.5.1.0/24 network
• To change the layout of the columns in the Active Clients list, you can click the icon with a pencil in it
Lab: Test Base WLAN Policy
3. Modify Columns in the Active Clients List
• For this class, you can add the User Profile Attribute, VLAN and BSSID
• Move them right after Channel in the Select Columns list
• Click Save
• You should now see:
– BSSID: <MAC Address>
– User Profile Attribute: 10
– VLAN: 1
Create SSID Using WPA/WPA2 Enterprise (802.1X)
Using RADIUS for Authentication
LAB: Secure WLAN Access Test With 802.1X Diagram
Diagram: Internet, AD (IAS-RADIUS) Server 10.5.1.10, VLANs 1-20
Student-X: Connect to SSID Class-802.1X-X, IP: 10.5.10.N/24, Gateway: 10.5.10.1
HiveAP Mgt0 IP: 10.5.1.N/24 VLAN 1
WLAN Policy: WLAN-X
SSID: Class-802.1X-X
Authentication: WPA or WPA2 Personal
Encryption: TKIP or AES
User Profile 1: Employee(10)-X
– Attribute: 10 (RADIUS Attribute Returned)
– VLAN: 1
– IP FW From Access: FromClient-X
– IP FW To Access: (Default Deny)
User Profile 2: Employee-Default
– Attribute: 1000 (No RADIUS Attribute Returned)
– VLAN: 10
– IP FW From Access: Employee-Default
– IP FW To Access: (Default Deny)
DHCP Settings:
– (VLAN 1) network 10.5.1.0/24, 10.5.1.140 – 10.5.1.240
– (VLAN 10) network 10.5.10.0/24, 10.5.10.140 – 10.5.10.240
On Local RADIUS Server
Configuring RADIUS Clients
For HiveAPs that are not VPN clients, set the RADIUS server to accept RADIUS messages from the MGT0 interface IP on all HiveAPs
• This class uses: 10.5.1.0/24
• Click Next
On Local RADIUS Server
Configuring RADIUS Clients
• Set the shared secret to secure the communication between the HiveAPs and RADIUS server
• This class uses: aerohive123
Note: For a real network, please use a longer, more secure key
LAB: Secure WLAN Access With 802.1X
1. Edit your WLAN Policy and Add SSID Profile
An 802.1X capable SSID and related settings can be configured from your WLAN Policy
• Go to Configuration > WLAN Policies
• Edit WLAN-X
• Under SSID Profiles click Add/Remove SSID Profile
• Create a new SSID Profile
– Click +
• Go to Next Slide
LAB: Secure WLAN Access With 802.1X
2. Configure SSID and RADIUS Server
• Profile Name: Class-802.1X-X
• SSID: Class-802.1X-X
• SSID Access Security
– Select: WPA/WPA2 802.1X (Enterprise)
• Next to RADIUS Server
– Click +
• Go to Next Slide
LAB: Secure WLAN Access With 802.1X
3. Configure RADIUS Server
Define RADIUS Server Settings
• Click the radio button for: External RADIUS Server
• Profile Name: RADIUS-X
• Primary RADIUS Server: 10.5.1.10
• Shared Secret: aerohive123
• Confirm Secret: aerohive123
• Click Apply
• Go to Next Slide
LAB: Secure WLAN Access With 802.1X
4. Configure SSID with RADIUS and User Profile
Back in your SSID Configuration
• Make sure your RADIUS server is selected: RADIUS-X
• Specify the User Profile assigned if no attribute is returned from RADIUS after successful authentication: Employees(1000)
Note: This user profile was created by the Instructor
• Specify User Profiles assigned via attributes returned from RADIUS after successful authentication: Employee(10)-X
• Save your SSID
• Go to Next Slide
LAB: Secure WLAN Access With 802.1X
5. Remove Existing SSID and Add New SSID
• To clean up the air in the data center, remove all other SSID profiles from the selected SSID profiles list using the << button
– You should have no SSID Profiles listed under the Selected SSID Profiles list
• From the Available SSID Profiles, select Class-802.1X-X and use the > button to move it to the Selected SSID Profiles List
• Click Apply ---- Please, please, please click Apply!
• Go to Next Slide
LAB: Secure WLAN Access With 802.1X
6. Verify Configuration and Save WLAN Policy
• Verify your 802.1X SSID is listed under the SSID profiles and that your SSID is mapped to two different user profiles: Employees(1000) and Employee(10)-X
• Save your WLAN Policy
• From the WLAN policy summary you can verify your SSID Class-802.1X-X is assigned to your WLAN Policy
LAB: Secure WLAN Access With 802.1X
7. Update delta configuration of your HiveAP
From Monitor > HiveAPs
• Select both of your HiveAPs
– X-A-HiveAP
– X-B-HiveAP
• Select Update... > Upload and Activate Configuration
• If you want to see the delta configuration, click the link for your HiveAP (screenshot callout: Click HiveAP link to view delta configuration)
– Close the View Configuration window after viewing the delta configuration changes
• Click Upload
Configuring and Testing Your 802.1X Supplicant
For Microsoft XP and Vista Supplicants
Connect to 802.1X SSID
(First Attempt Will Fail)
On the remote hosted PC
• From the Microsoft Wireless client:
– Click Class-802.1X-X
– Click Connect
• Note: The connection will fail because Windows XP defaults to Smart Card or Other Certificates (EAP-TLS) instead of PEAP
– However, the SSID entry will be created, so all you have to do is modify it
• Click Change Advanced Settings
Microsoft Wireless Network Client
802.1X Supplicant Configuration
• View your Wireless Connections then click Change advanced settings
• In the Wireless network properties window enter the following:
– Change EAP Type to: Protected EAP (PEAP)
• Click OK
SSID Should Now Be Connected
• Your client will automatically connect to the Class-802.1X-X SSID
View Active Clients
• After associating with your SSID, you should see your connection in the active clients list in HiveManager
– Go to Monitor > Clients > Active Clients
• You should see:
– User Name: AHDEMO\user
– BSSID: <The MAC address for your AP's SSID>
– VLAN: 1
– User Profile Attribute: 10
Example: Troubleshooting
Invalid User Profile Returned From RADIUS
• From Monitor > Access Points > HiveAPs (Monitor View)
• If you see an alarm when trying to perform 802.1X, click the alarm icon
• This alarm specifies that an attribute was returned from the RADIUS server that is not defined on the HiveAP – in this case 50
• Select the check box next to the alarm and then click Clear
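The profile selection and the alarm described above, as an added example (not Aerohive code): it models the mapping the lab configures on SSID Class-802.1X-X for an assumed student X = 2, with the RADIUS results constructed inline and the attribute name User-Profile-Attribute chosen for illustration.

```python
"""Model how a HiveAP picks a user profile from the RADIUS result.

Added example, not Aerohive code. It reproduces the lab's behaviour:
attribute 10 -> Employee(10)-X on VLAN 1, no attribute -> the default
profile Employees(1000) on VLAN 10, an undefined attribute (the slide
shows 50) -> an alarm and no profile, and Access-Reject -> no access.
"""
from dataclasses import dataclass
from typing import Dict, Optional

STUDENT_X = 2  # assumed student ID; only used to build the profile name


@dataclass(frozen=True)
class UserProfile:
    name: str
    attribute: int
    vlan: int


@dataclass(frozen=True)
class Decision:
    accepted: bool
    profile: Optional[UserProfile]
    alarm: Optional[str]


# User profiles mapped to SSID Class-802.1X-X in the lab diagram.
PROFILES: Dict[int, UserProfile] = {
    10: UserProfile(f"Employee(10)-{STUDENT_X}", 10, 1),
    1000: UserProfile("Employees(1000)", 1000, 10),
}
DEFAULT_ATTRIBUTE = 1000  # used when RADIUS returns no attribute


def parse_radius_result(line: str) -> Dict[str, str]:
    """Parse a constructed 'Code key=value ...' record into a dict."""
    code, *pairs = line.split()
    attrs = {"Code": code}
    for pair in pairs:
        key, _, value = pair.partition("=")
        attrs[key] = value
    return attrs


def assign_profile(result: Dict[str, str],
                   profiles: Dict[int, UserProfile] = PROFILES,
                   default: int = DEFAULT_ATTRIBUTE) -> Decision:
    """Choose the user profile for one authentication result."""
    if result.get("Code") != "Access-Accept":
        return Decision(False, None, None)  # authentication failed; no alarm
    raw = result.get("User-Profile-Attribute")  # assumed attribute name
    attribute = default if raw is None else int(raw)
    profile = profiles.get(attribute)
    if profile is None:
        # The HiveAP raises an alarm: the returned value is not defined.
        return Decision(False, None,
                        f"RADIUS returned user profile attribute {attribute}, "
                        "which is not defined on the HiveAP")
    return Decision(True, profile, None)


def decide(line: str) -> Decision:
    """Parse one constructed result line and assign a profile."""
    return assign_profile(parse_radius_result(line))


# Constructed results, not captured from a real RADIUS server.
SAMPLE_RESULTS = [
    "Access-Accept User-Name=AHDEMO\\user User-Profile-Attribute=10",
    "Access-Accept User-Name=AHDEMO\\user",
    "Access-Accept User-Name=AHDEMO\\user User-Profile-Attribute=50",
    "Access-Reject User-Name=AHDEMO\\user",
]

if __name__ == "__main__":
    for line in SAMPLE_RESULTS:
        d = decide(line)
        print(f"{line:<70} -> accepted={d.accepted} "
              f"profile={d.profile.name if d.profile else None} "
              f"vlan={d.profile.vlan if d.profile else None} alarm={d.alarm}")
```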
Generate HiveAP RADIUS Server Certificates
Required When HiveAPs are Configured as RADIUS Servers or VPN Servers
LAB: Generate a Root CA Certificate for HiveManager (Instructor Only)
Screenshot callout: Remember this password
• Go to Configuration > Advanced Configuration > Keys and Certificates > HiveManager CA
• Fill in the requested information and choose a secure password
• Click Create
HiveManager Root CA Certificate
Location and Uses
• To view certificates, go to: Configuration > Advanced Configuration > Keys and Certificates > Certificate Mgmt
• This root CA certificate is used to:
– Sign the CSR (certificate signing request) that the HiveManager creates on behalf of the AP acting as a RADIUS or VPN server
– Validate HiveAP certificates to remote clients
  • 802.1X clients (supplicants) will need a copy of the CA Certificate in order to trust the certificates on the HiveAP RADIUS server(s)
• Root CA Cert Name: "AerohiveHMCA.pem"
• Root CA key Name: hm_key.pem
LAB: HiveAP Server Certificate and Key
1. Generate HiveAP Server Certificate
Go to Configuration > Advanced Configuration > Keys and Certificates > Server CSR
• Common Name: HiveAP-Server-X
Note: This is usually the FQDN of the HiveAP
• Organizational Name: Company
• Organization Unit: Department
• Locality Name: City
• State/Province: <2 Characters>
• Country Code: <2 Characters>
• Email Address: <email address>
• Subject Alternative Name: <Leave empty>
Note: This is used if you want to generate unique certificates for each HiveAP VPN server, and you want to have HiveAP VPN clients validate one of these fields. See notes below the slide.
• Key Size: 1024
• Password & Confirm: aerohive123 (remember this password)
• CSR File Name: HiveAP-X
• Click Create
LAB: HiveAP Server Certificate and Key
2. Sign and Combine!
• Select Sign by HiveManager CA
– The HiveManager CA will sign the HiveAP Server certificate
• The validity period should be the same as or less than the number of days the HiveManager CA Certificate is valid
– Validity: 1826 (5 years + leap day)
• Check Combine key and certificate into one file
– Enabling this setting helps prevent certificate and key mismatches when configuring the RADIUS settings
• Click OK
LAB: HiveAP Server Certificate and Key
3. View HiveAP Certificate and Key File
• To view certificates, go to: Configuration > Advanced Configuration > Keys and Certificates > Certificate Mgmt
• The certificate and key file name is: HiveAP-X_key_cert.pem
Wireless VPN
Version 3.5r1
Using HiveAPs as IPsec VPN Clients and IPsec VPN Servers to Provide VPN Connections with Wireless LANs
Wireless VPN Overview
-For your reading pleasure
Aerohive’s Wireless VPN delivers a simple and cost effective solution for mobile workers in
remote locations like branch offices, teleworker home offices, and conference centers, to
securely access corporate resources through a layer 2 IPsec VPN. Built upon Aerohive’s
cooperative control architecture, Aerohive’s wireless VPN has the advantages of being
implemented on a highly resilient architecture utilizing best path forwarding, policy
enforcement at the edge with user-based QoS and firewall policy, and branch office
services including DHCP and RADIUS, which are centrally managed using HiveManager–
Aerohive’s WLAN management platform.

Aerohive’s Wireless VPN solution allows workers in remote offices using wireless or
Ethernet connected laptops, desktops, and phones to directly access their corporate
network through a secure layer 2 IPsec VPN. This gives workers access to resources as if
they were physically attached to the corporate network, and still have direct access to local
branch or home office devices, like printers and file servers that may or may not be
corporate resources. This is made possible with best path forwarding, split tunneling, and
NAT technology. To protect corporate resources, stations that are attached to the branch
office that do not meet policy specifications for the VPN, will not be able to access the
corporate network or locally attached corporate devices.
Wireless VPN Benefits
-For your reading pleasure
Easy to Use
– L2 IPsec VPN solution simplifies deployment, because it extends the local network across the VPN without the need to dedicate subnets for each remote site and set up DHCP relays on branch routers or firewalls
– Automatic certificate creation and distribution for validating VPN devices
– Profile-based Split Tunneling
  • Users and Services can be bridged locally or tunneled based on user profile
Flexible
– Single mode of operation supports all deployments
– Supported in all HiveAP platforms, Hardware Acceleration in 300 series
– Multiple end point support
  • Backup VPN gateway support
  • Distributed Wireless VPN tunnel termination
Complete Functionality
– Multiple AP Support with secure and fast roaming
– Mesh Portals and Mesh Points supported
– RADIUS, DHCP, NTLM, LDAP and NTP can selectively go to local or remote network
– Rogue AP and rogue client detection, DoS prevention, Firewall, and QoS all occur locally on the remote HiveAP
Economical
– No license fees for wireless VPN, or any of the other features on the HiveAPs
– For the cost of an AP, you get wireless VPN servers
Teleworker Home Office
Please View Notes Below Slide
Diagram: Teleworker Home Office
– HiveAP 5, VPN Client, 192.168.1.2, with primary and backup IPsec VPN tunnels to Headquarters over the Internet
– Work Laptop, SSID: Corp, 10.5.10.51
– Work Phone, SSID: Voice, 10.5.11.33
– Home Laptop, SSID: Home, 192.168.1.6
– Home PC with Printer, 192.168.1.5
– Internet Provider Gateway, 192.168.1.1
Diagram: Headquarters
– HiveAP1 VPN Server and HiveAP2 VPN Server in the DMZ
– DHCP Server
– Corporate Wi-Fi Devices: VLAN 10 10.5.10.0/24
– Corporate Wi-Fi Voice: VLAN 11 10.5.11.0/24
Notes Below
Branch Office VPN with Bridging
Diagram: Branch Office
– HiveAP3, VPN Client, 192.168.1.5, and HiveAP4, VPN Client, 192.168.1.6, each with primary and backup IPsec VPN tunnels to Headquarters over the Internet
– Wireless: Laptop, SSID: Corp, 10.5.10.12; Phone, SSID: Voice, 10.5.11.33; Guest Laptop, SSID: Guest, 192.168.1.50
– Wired: Desktop, 10.5.10.10; Printer, 10.5.10.11; Phone, 10.5.11.5
– Gateway, 192.168.1.1
Diagram: Headquarters
– HiveAP1 VPN Server and HiveAP2 VPN Server in the DMZ
– DHCP Server
– Corporate Wi-Fi Devices: VLAN 10 10.5.10.0/24
– Corporate Wi-Fi Voice: VLAN 11 10.5.11.0/24
Create VPN Services Policy
Wireless VPN Lab
Lab Network Diagram
HiveAP-A, VPN Client (WLAN Policy: WLAN-X)
– Hostname: X-A-<6-digits of mac>
– Hive: Hive-X
– Interface mgt0: 10.5.1.<DHCP>/24 VLAN 1
– Interface tunnel0: 10.8.1.X0
– Branch firewall NAPT Policy: ANY -> 2.2.2.2
HiveAP-B, VPN Server (WLAN Policy: WLAN-X)
– Hostname: X-B-<6-digits of mac>
– Hive: Hive-X
– Interface mgt0: 10.8.1.X/24 VLAN 1
– VPN IP Pool: 10.8.1.X0 - 10.8.1.X9
– HQ firewall (1.1.1.1) NAT Policy: 1.1.1.X -> 10.8.1.X
HQ servers: AD 10.8.1.200 (VLAN 1), WEB 10.8.20.150 (VLAN 20)
• Configure two HiveAPs:
– HiveAP-A will be a VPN client
– HiveAP-B will be a VPN server
LAB: Create VPN Services Policy
1. Create VPN Policy
• Modify your WLAN Policy: Configuration > WLAN Policies > WLAN-X
| Optional Settings |
• VPN Service Settings
– VPN Service: Click + to create a new VPN services policy
• Go to Next Slide
LAB: Create VPN Services Policy
2. Define Name and IP Settings
 Profile Name: VPN-X
 Server Public IP: 1.1.1.X
 Server MGT0 IP Address: 10.8.1.X
 VPN Client Tunnel Interface Pool:
Note: It is recommended that the pool is in the same subnet as the MGT0 interface of the HiveAP VPN server. This pool is used for the GRE tunnel IP addresses on the HiveAP VPN clients.
– Client Tunnel IP Address Pool Start: 10.8.1.X0
– Client Tunnel IP Address Pool End: 10.8.1.X9
– Client Tunnel IP Address Netmask: 255.255.255.0
 Go to Next Slide
LAB: Create VPN Services Policy
3. Assign VPN Certificates for VPN Server
 IPsec VPN Certificate Authority Settings:
– VPN Certificate Authority: AerohiveHMCA.pem
– VPN Certificate: HiveAP-X_key_cert.pem
– VPN Cert Private Key: HiveAP-X_key_cert.pem (the key and certificate were generated as one combined file in an earlier lab)
 Optional Settings
– VPN Client Credentials: these are the VPN XAUTH credentials, which are generated automatically. A unique credential is created for each tunnel interface IP address in the tunnel interface address pool.
• Nothing needs to be done here
 Go to Next Slide
LAB: Create VPN Services Policy
How XAUTH Credentials are Used
 The default IKE peer authentication method for the wireless VPN is "hybrid"
 In hybrid mode the two sides are authenticated differently:
– The VPN server authenticates itself to the client with an RSA signature. This requires the server to have a server certificate, and the client must have the root CA certificate that signed the server certificate so that it can validate the server.
– The server authenticates the client using XAuth; the client is not identified by a certificate of its own, only by its XAuth credential.
 HiveManager generates a set of credentials (a random string for the username and for the password) for each HiveAP VPN client and HiveAP VPN server pair
– When the VPN client authenticates to the VPN server with valid credentials, the tunnel can be established
– If the credentials are removed from either the VPN client or the VPN server, the tunnel cannot be established
LAB: Create VPN Services Policy
4. View Advanced Server Options
 Expand Advanced Server Options
 No changes are necessary for the following options:
| IKE Phase 1 Options |
| IKE Phase 2 Options |
 Enable peer IKE ID validation
 Go to Next Slide
LAB: Create VPN Services Policy
5. Configure Advanced Client Options
 Expand Advanced Client Options
– Set HiveAP VPN Client to use DNS Server through tunnel: 10.5.1.10
| Management Traffic Tunnel Options |
– Determine which traffic generated by the HiveAP itself is sent through the tunnel:
• SNMP Traps
• RADIUS
Note: Set these so that RADIUS messages and SNMP traps generated by the HiveAP VPN clients are sent through the VPN tunnel to the servers on the HQ network (the RADIUS server at 10.8.1.200 is only reachable through the tunnel).
| Client IKE Settings |
– Check Enable NAT traversal
This encapsulates the IPsec (ESP) packets in UDP with source and destination port 4500 (NAT-T) so that they survive the NAPT on the branch firewall.
 Go to Next Slide
For Redundancy: Dead Peer Detection and AMRP Heartbeat Settings
 Used for switching between HiveAP VPN Server 1 and HiveAP VPN Server 2 upon failure
– DPD verifies IKE Phase 1 (the IPsec peer itself)
• Send a heartbeat every 10 seconds (by default)
• If one heartbeat goes unanswered, send at the Retry Interval instead of at the normal Interval
• If the number of retries specified is missed, fail over to the backup VPN server
• Default DPD failover time: ~16 seconds
– AMRP verifies the path end to end through the GRE and VPN tunnels
• Send a heartbeat every 10 seconds (by default)
• If one heartbeat goes unanswered, send at 1-second intervals instead of at the normal Interval
• If the number of retries specified is missed, fail over to the backup VPN server
• Default AMRP failover time: ~21 seconds
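The slide gives the heartbeat interval and the resulting "~16 seconds" but not the retry interval or retry count that produce it. The model below is an added example, not HiveOS code: it implements the rule as stated (normal interval, switch to a retry cadence after one missed reply, fail over after the configured number of unanswered sends) and reports when failover would be declared for a constructed sequence of peer replies. The retry interval (2 s) and retry count (3) are assumed values chosen so that the model reproduces the 16-second default; the same model with a 1-second retry interval gives the AMRP timer.

```python
"""Timer model for the DPD failover behaviour described above.

Added example, not HiveOS code.  A heartbeat goes out every `interval`
seconds; once a reply is missed the client re-sends at `retry_interval`
instead; after `max_retries` unanswered sends in a row it declares the peer
dead and fails over.  The slide only gives the 10-second interval and the
~16-second result, so retry_interval=2 and max_retries=3 are ASSUMED values
that reproduce it; the reply times fed in below are constructed input.
"""
from dataclasses import dataclass, field


@dataclass
class DpdMonitor:
    interval: float = 10.0       # normal heartbeat period (slide default)
    retry_interval: float = 2.0  # ASSUMED: reply timeout and retry spacing
    max_retries: int = 3         # ASSUMED: unanswered sends before failover
    log: list = field(default_factory=list)

    def time_to_failover(self, reply_times, horizon=120.0):
        """Simulate heartbeats from t=0 up to `horizon`.

        `reply_times` are the instants at which the peer's DPD reply arrives.
        Returns the time at which failover is declared, or None if the peer
        keeps answering within the horizon."""
        replies = sorted(reply_times)
        t, unanswered = 0.0, 0
        while t <= horizon:
            deadline = t + self.retry_interval
            answered = any(t <= r < deadline for r in replies)
            self.log.append((t, "reply" if answered else "no reply"))
            if answered:
                unanswered = 0
                t += self.interval          # back to the normal cadence
            else:
                unanswered += 1
                if unanswered >= self.max_retries:
                    self.log.append((deadline, "peer dead: fail over"))
                    return deadline
                t = deadline                # retry cadence

        return None

    def worst_case_budget(self):
        """Closed form of the same rule: seconds from the last answered
        heartbeat to failover when the peer dies right after answering."""
        return self.interval + self.max_retries * self.retry_interval


def dpd_failover_after_last_reply(reply_times, **params):
    """Seconds between the last reply seen and the failover decision,
    or None if the monitor never gives up."""
    mon = DpdMonitor(**params)
    dead_at = mon.time_to_failover(reply_times)
    return None if dead_at is None else dead_at - max(reply_times)


if __name__ == "__main__":
    # Peer answers at 0.1, 10.1 and 20.1 s, then goes silent (constructed).
    mon = DpdMonitor()
    print("failover declared at t =", mon.time_to_failover([0.1, 10.1, 20.1]))
    for entry in mon.log:
        print("  ", entry)
    print("worst-case budget:", mon.worst_case_budget(), "s")
```

With the assumed parameters the silent peer is declared dead at t = 36, i.e. 16 s after the heartbeat it last answered at t = 20, matching the slide; a single lost reply followed by a reply to the first retry does not trigger failover, which is the property the retry cadence is there to provide.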
LAB: Create VPN Services Policy
6. Save VPN Services Policy
 Save the VPN Service Settings
LAB: Create VPN Services Policy
7. Modify SSID to Add New User VPN Policy
Back in your WLAN Policy
 Ensure your VPN Service Policy is set to VPN-X
 Do not save your WLAN policy at this time
 Go to the next slide
Configure 802.1X SSID
for Wireless VPN Access
Wireless VPN Labs
Network IP Summary (with the client tunnel interface)
WLAN Branch Office - HiveAP VPN Clients
– VPN client X-A-HiveAP: mgt0 10.5.1.?/24 (? = address learned through DHCP), gateway 10.5.1.1
– Tunnel interface tunnel0: 10.8.1.X0, assigned from the VPN server's client tunnel address pool
– Branch firewall: NAPT to public address 2.2.2.2
WLAN HQ - HiveAP VPN Servers
– VPN server X-B-HiveAP: mgt0 10.8.1.X/24, gateway 10.8.1.1
– Firewall NAT rule: 1.1.1.X -> 10.8.1.X
– RADIUS: 10.8.1.200
– VPN client tunnel address pool (AP VPN 1): 10.8.1.X0 - 10.8.1.X9
– DHCP server for VLAN 20: network 10.8.20.0/24, pool 10.8.20.150 - 10.8.20.200, gateway 10.8.20.1
– Client PC (on VLAN 20 through the tunnel): 10.8.20.?/24, GW 10.8.20.1
Layer 3 IPsec VPN tunnel - outer IP headers: (10.5.1.?) 2.2.2.2 -> 1.1.1.X
Layer 2 GRE tunnel - inner IP headers: Tunnel0 10.8.1.X0 -> 10.8.1.X (server mgt0)
Tunnel Traffic Header Overview
[Diagram: branch office HiveAP 1 (VPN client, MGT0 10.5.1.100, Tunnel0 10.8.1.50) behind a branch firewall with public IP 2.2.2.2 (NAPT: ANY -> 2.2.2.2); corporate headquarters firewall with public IP 1.1.1.1 and a static NAT 1.1.1.2 -> 10.8.1.2 in front of the HiveAP VPN server (MGT0 10.8.1.2). The numbered steps follow one packet from the wireless client to the corporate server.]
1. The wireless client (MAC 0022.22aa.aa22, VLAN 20, IP 10.8.20.50) sends ordinary Layer 2 client data to HiveAP 1.
2. GRE tunnel: HiveAP 1 encapsulates the client's Layer 2 traffic, VLAN tag 20 included, in GRE from Tunnel0 10.8.1.50 to the server's MGT0 10.8.1.2.
3. IPsec (ESP) tunnel: the GRE packet and the client traffic inside it are encrypted; the outer IP header runs from the MGT0 IP 10.5.1.100 to the server's public address 1.1.1.2.
4. NAT traversal at the branch firewall: ESP is carried in UDP with source and destination port 4500. The NAPT rewrites the AP's private source IP 10.5.1.100 to the firewall's public IP 2.2.2.2 and changes the source port.
5. HQ firewall: the destination 1.1.1.2 (before NAT) is translated to the VPN server's MGT0 10.8.1.2 (after NAT).
6. The HiveAP VPN server (MGT0 10.8.1.2) terminates the IPsec tunnel and decrypts the GRE packet.
7. The server strips the GRE header and forwards the client traffic (10.8.20.50 to 10.8.20.150, destination MAC 0011.11bb.bb11) with VLAN tag 20 onto the wired network.
8. The corporate server (MAC 0011.11bb.bb11, VLAN 20, IP 10.8.20.150) receives the frame.
Encapsulation, inner to outer: Layer 2 client data; GRE tunnel (encapsulates the client's Layer 2 traffic); IPsec (ESP) tunnel (encrypts the GRE and client traffic); UDP/4500 NAT-T header; outer IP header.
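The header stack above is easiest to see by following one packet through each hop. The model below is an added example, not HiveOS code: it uses the addresses from the slide, applies GRE encapsulation, ESP-in-UDP/4500, the branch NAPT and the HQ static NAT in that order, and then reverses the process at the VPN server. ESP is represented as an opaque wrapper rather than real encryption, and the NAPT source port 40001 is a constructed value.

```python
"""Model of the tunnel header stack walked through above.

Added example, not HiveOS code.  It follows one client frame from the
branch wireless client to the corporate server with the slide's addresses:
GRE (tunnel0 -> server MGT0), ESP in UDP/4500 (outer IP MGT0 -> server
public IP), NAPT at the branch firewall, static NAT at the HQ firewall,
then decapsulation at the server.  ESP is an opaque wrapper here (no real
encryption) and the NAPT source port 40001 is a constructed value.
"""
from dataclasses import dataclass, replace

NAT_T_PORT = 4500


@dataclass(frozen=True)
class L2Frame:                 # step 1: Layer 2 client data, 802.1Q tagged
    src_mac: str
    dst_mac: str
    vlan: int
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class GrePacket:               # step 2: GRE carries the whole Layer 2 frame
    src_ip: str                # tunnel0 of the VPN client
    dst_ip: str                # MGT0 of the VPN server
    inner: L2Frame


@dataclass(frozen=True)
class EspOverUdp:              # steps 3/4: ESP inside UDP 4500 (NAT-T)
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    sealed: GrePacket          # stands in for the ESP ciphertext


def encapsulate(frame, tunnel0, ap_mgt0, server_mgt0, server_public):
    gre = GrePacket(tunnel0, server_mgt0, frame)
    return EspOverUdp(ap_mgt0, server_public, NAT_T_PORT, NAT_T_PORT, gre)


def middlebox_view(pkt):
    """What a firewall on the path can see and rewrite: only the outer
    IP/UDP header.  Everything inside ESP is opaque to it."""
    return {"src": pkt.src_ip, "dst": pkt.dst_ip,
            "sport": pkt.src_port, "dport": pkt.dst_port}


def branch_napt(pkt, public_ip, new_sport):
    """Branch firewall NAPT (ANY -> 2.2.2.2): source IP and port change.
    Without the UDP header there would be no port for the NAPT to rewrite."""
    return replace(pkt, src_ip=public_ip, src_port=new_sport)


def hq_static_nat(pkt, rules):
    """HQ firewall static NAT, e.g. {'1.1.1.2': '10.8.1.2'}: only the
    destination IP changes; the UDP ports are left alone."""
    return replace(pkt, dst_ip=rules.get(pkt.dst_ip, pkt.dst_ip))


def decapsulate(pkt, server_mgt0):
    """VPN server (steps 6-7): accept NAT-T on its MGT0, open ESP, strip GRE."""
    if pkt.dst_ip != server_mgt0 or pkt.dst_port != NAT_T_PORT:
        raise ValueError("not addressed to this VPN server's NAT-T port")
    gre = pkt.sealed
    if gre.dst_ip != server_mgt0:
        raise ValueError("GRE inner destination is not this server")
    return gre.inner           # the client's Layer 2 frame, VLAN tag intact


def walk_slide_example():
    """Run the slide's packet through steps 1-8 and return what each hop saw."""
    frame = L2Frame("0022.22aa.aa22", "0011.11bb.bb11", 20,
                    "10.8.20.50", "10.8.20.150")
    on_wire = encapsulate(frame, tunnel0="10.8.1.50", ap_mgt0="10.5.1.100",
                          server_mgt0="10.8.1.2", server_public="1.1.1.2")
    after_branch = branch_napt(on_wire, "2.2.2.2", 40001)   # constructed port
    after_hq = hq_static_nat(after_branch, {"1.1.1.2": "10.8.1.2"})
    delivered = decapsulate(after_hq, "10.8.1.2")
    return {"ap": middlebox_view(on_wire),
            "branch_fw": middlebox_view(after_branch),
            "hq_fw": middlebox_view(after_hq),
            "delivered": delivered, "original": frame}


if __name__ == "__main__":
    for hop, view in walk_slide_example().items():
        print(hop, view)
```

The two NAT steps only ever touch the outer header; the GRE addresses (10.8.1.50 to 10.8.1.2) and the client's tagged frame come out of the server exactly as they went into the client, which is what lets the client sit on VLAN 20 at HQ while attached to a branch AP.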
Instructor Only: On Local RADIUS Server
Configuring HiveAP RADIUS Clients
For HiveAPs that are VPN clients, set the RADIUS server to accept RADIUS messages from the tunnel IP address pool that the HiveAP VPN server assigns to the HiveAP VPN clients (their RADIUS requests arrive through the tunnel with the tunnel interface address as the source).
 For this class, the tunnel IP pool assigned to HiveAP VPN clients is: 10.8.1.0/24
 Click Next
Instructor Only: On Local RADIUS Server
Configuring HiveAP RADIUS Clients
 Set the shared secret that secures the communication between the HiveAPs and the RADIUS server
– For this class use: aerohive123
 Click Finish
Note: For a real network, use a long random shared secret; the protection RADIUS gives the exchange between the access points and the server depends entirely on it.
LAB: Configure SSID for Wireless VPN
1. Create New RADIUS Server Object for SSID
Configure a new RADIUS server for your SSID that is accessible through the VPN
 From inside your WLAN policy, click the link to modify your SSID: Class-802.1X-X
LAB: Configure SSID for Wireless VPN
2. Configure RADIUS Server Object
Define RADIUS Server Settings for use with wireless clients through the VPN
 Next to RADIUS Server, click +
 Click the radio button for External RADIUS Server
 Profile Name: RADIUS-VPN-X
 Primary RADIUS Server: 10.8.1.200
 Shared Secret: aerohive123
 Confirm Secret: aerohive123
 Click Apply to save the new RADIUS object
 Do not save; go to next slide
LAB: Configure SSID for Wireless VPN
3. Modify Employee User Profile
 Select the Employee(10)-X user profile from the Selected user profile list
 Click the Modify icon
LAB: Configure SSID for Wireless VPN
4. Change VLAN and Add VPN Settings
Set the User Profile to use the VPN and a new VLAN
 Assign the Default VLAN: 20
| Optional Settings |
 Expand GRE or VPN Tunnels
 Select: VPN tunnel for client traffic
| Split Tunnel |
– Select Split Tunnel with NAT to Local Subnet and Internet
 Click Save
LAB: Configure SSID for Wireless VPN
5. Save your SSID
 Save your SSID
Split Tunnel Firewall Policy
Automatically Created
 When you select the option to use split tunnel to local subnet and Internet, the following policy gets created on the HiveAP
– This policy is not displayed in HiveManager
From Access Firewall Policy (rules listed in evaluation order):
Source IP    Destination IP               Service       Action
0.0.0.0/0    0.0.0.0/0                    DHCP-Server   Permit (tunnel)
0.0.0.0/0    10.5.1.0/24 (local subnet)   Any           NAT
0.0.0.0/0    10.0.0.0/8                   Any           Permit (tunnel)
0.0.0.0/0    172.16.0.0/12                Any           Permit (tunnel)
0.0.0.0/0    192.168.0.0/16               Any           Permit (tunnel)
0.0.0.0/0    0.0.0.0/0 (Internet)         Any           NAT
– The rule order matters: the local-subnet NAT rule is listed before the 10.0.0.0/8 tunnel rule so that traffic to the branch's own 10.5.1.0/24 is NATed locally even though that subnet also falls inside 10.0.0.0/8; everything else in private address space goes through the tunnel, and Internet traffic is NATed out of the branch
– Note: by default there is no To Access firewall policy, so if you want traffic to be initiated from HQ to the wireless clients through the VPN, you will need to create a To Access policy that permits that access
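To make the ordering point concrete, the following is an added example, not HiveOS code: it models the table above as an ordered rule list with first-match semantics, classifies a few destinations, and shows what would happen if the local-subnet rule were placed below the 10.0.0.0/8 rule. The lab's 10.5.1.0/24 is used as the local subnet; the implicit final deny and the empty default To Access policy are assumptions drawn from the slide's note.

```python
"""First-match evaluation of the split-tunnel "From Access" policy above.

Added example, not HiveOS code: the HiveAP's real matcher is not shown on
this page, so this models the table as an ordered rule list and shows why
the rule order matters.  10.5.1.0/24 is the lab's local branch subnet; the
implicit final deny and the empty default "To Access" policy are assumptions
taken from the slide's note.
"""
import ipaddress

TUNNEL, NAT, DENY = "Permit (tunnel)", "NAT", "Deny"


def split_tunnel_policy(local_subnet):
    """The rule table from the slide, parameterised by the branch's local
    subnet: (destination prefix, service, action), in evaluation order."""
    return [
        ("0.0.0.0/0",      "DHCP-Server", TUNNEL),   # DHCP always goes to HQ
        (local_subnet,     "Any",         NAT),      # branch LAN: NAT locally
        ("10.0.0.0/8",     "Any",         TUNNEL),   # private space -> HQ
        ("172.16.0.0/12",  "Any",         TUNNEL),
        ("192.168.0.0/16", "Any",         TUNNEL),
        ("0.0.0.0/0",      "Any",         NAT),      # Internet: NAT locally
    ]


TO_ACCESS_POLICY = []   # nothing permits HQ-initiated traffic to the clients


def evaluate(policy, dst_ip, service="Any"):
    """Return the action of the first rule matching (dst_ip, service),
    or DENY if no rule matches."""
    dst = ipaddress.ip_address(dst_ip)
    for prefix, svc, action in policy:
        if svc != "Any" and svc != service:
            continue
        if dst in ipaddress.ip_network(prefix, strict=False):
            return action
    return DENY


def misordered_policy(local_subnet):
    """Same rules with the local-subnet rule moved below 10.0.0.0/8, to show
    the failure: branch-local traffic would be hairpinned through HQ."""
    rules = split_tunnel_policy(local_subnet)
    local = rules.pop(1)
    rules.insert(2, local)
    return rules


if __name__ == "__main__":
    policy = split_tunnel_policy("10.5.1.0/24")
    for dst, svc in [("10.5.1.10", "Any"), ("10.5.1.10", "DHCP-Server"),
                     ("10.8.20.150", "Any"), ("8.8.8.8", "Any")]:
        print(f"{dst:16} {svc:12} -> {evaluate(policy, dst, svc)}")
    print("misordered:", evaluate(misordered_policy("10.5.1.0/24"), "10.5.1.10"))
```

A printer on the branch LAN at 10.5.1.x is reached directly with NAT, the web server at 10.8.20.150 goes through the tunnel, and public addresses are NATed out of the branch; with the rules misordered the printer traffic would be sent to HQ instead.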
LAB: Configure SSID for Wireless VPN
6. Verify VPN Settings and Save WLAN Policy
Back in the WLAN Policy
 Expand VPN Service Settings
– Ensure the Employee(10)-X user profile is set to use VPN Tunnel and that Split Local Traffic (Split Tunnel) is set to Yes
 Click Save
HiveAP VPN Roles
And Updating the Configuration
Configuring HiveAPs to be
VPN Clients and VPN Servers
LAB: Assign HiveAPs to VPN Roles
1. Modify Your HiveAP-A and Make VPN Client
 From Monitor > HiveAPs
 Modify your HiveAP-A: X-A-######
| Optional Settings |
 Expand Services Settings
– VPN Service Role: Client
 Click Save
LAB: Assign HiveAPs to VPN Roles
2. Modify Your HiveAP-B and Make VPN Server
 From Monitor > HiveAPs
 Modify your HiveAP-B: X-B-######
| Optional Settings |
 Expand SSID Allocation
– (Optional) Clear the check boxes to disable the SSIDs on this HiveAP VPN server
 Expand Services Settings
– VPN Service Role: Server
 Click Save
LAB: Assign HiveAPs to VPN Roles
3. Verify HiveAP Roles
 You will now see icons specifying whether the HiveAP is a VPN client or a VPN server
 The up and down arrows next to the key icons are red while the VPN is not established
– The VPN will be established after the configuration of the HiveAPs has been updated
LAB: Assign HiveAPs to VPN Roles
4. Update Delta Configuration and VPN Certs
From Monitor > HiveAPs
 Select both of your HiveAPs: X-A-HiveAP and X-B-HiveAP
 Select Update... > Upload and Activate Configuration
 If you want to see the delta configuration, click the HiveAP link in the upload dialog
– Close the View Configuration window after viewing the delta configuration changes
 Click Upload
LAB: Assign HiveAPs to VPN Roles
5. View Update Results
 After a successful update, you can move your mouse over the Description to see what was updated
– Here you should see that the VPN certificates and keys and the configuration have been updated
LAB: Assign HiveAPs to VPN Roles
6. Monitor Status of VPN HiveAPs
 From Monitor > HiveAPs you can see that the VPN is up because the up and down arrows are green
LAB: Assign HiveAPs to VPN Roles
7. HiveAP VPN Diagnostics
View VPN Tunnel Diagnostic Commands
 Select one of the VPN HiveAPs: X-A-HiveAP
 Click Tools > Diagnostics > Show IPSec SA
Note: The VPN is functional when you see a tunnel from the MGT0 IP of the VPN client to the (NAT) address of the MGT0 of the VPN server, and the reverse. IPsec security associations are unidirectional, so the two directions appear as two different SAs.
– State: Mature
Diagnostics: Show IKE Event
 Click Tools > Diagnostics > Show IKE Event
 If you see that phase 1 failed due to a certificate problem:
– Check the time on the HiveAPs (a certificate is only accepted between its Valid From and Valid To dates, so a wrong clock makes a good certificate fail validation)
• show clock
• show time
– Ensure you have the correct certificates loaded on the HiveAPs in the VPN services policy
LAB: Assign HiveAPs to VPN Roles
8. HiveAP VPN Topology
 You can view the VPN topology by going to: Configuration > Advanced Configuration > Security Policies > VPN Services
– Click View for your VPN
– If you move your mouse over the HiveAP icons you can see how long the tunnel has been established
– If the icons are green, the tunnel is established
– If the icons are red, the tunnel is down
VPN Topology Example
 Here is an example of a VPN topology with 12 HiveAP VPN clients and two HiveAP VPN servers for tunnel load sharing and redundancy
Testing Your VPN Access
With 802.1X Client (Supplicant)
Using Microsoft XP
If Your Remote PC Is Connected From the Previous Lab
Note: If you have not set up your 802.1X supplicant on the hosted client PC, please refer to the 802.1X section earlier in this training
 Disconnect from: Class-802.1X-X
 Then reconnect to: Class-802.1X-X
 Make sure you can connect
Verify Status of Wireless Client and VPN Connection from PC
Once your wireless client is connected to Class-802.1X-X
 Verify your IP address by opening a command prompt and typing: ipconfig /all
 If the Ethernet adapter Wireless Network Connection is set to 10.8.20.N
– Then you are connected through the tunnel to VLAN 20
– Great job!
Test Your Hosted PC's VPN Connection
 From your hosted PC, open a browser and connect to: http://10.8.20.150
 If this works, your hosted PC is going through the VPN on VLAN 20
Check Status of Wireless Client
 From Monitor > Clients > Active Clients
– Locate the client on the remote hosted PC and see whether it is connected with a 10.8.20.N IP address
To View the XAUTH Credentials
XAuth credentials are automatically assigned to the HiveAP VPN clients that are assigned to this VPN services policy
 Go to Configuration > Advanced Configuration > Security Policies > VPN Services
 If an AP is lost or stolen, remove its credential and push the configuration to the HiveAP VPN server
– That prevents the VPN client from building a tunnel to the VPN server (in hybrid mode the credential is the client's only proof of identity, so removing it on the server side is enough)
 You can also generate new credentials and push them out to the HiveAP VPN servers and clients
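The credential table the slides describe (one XAuth username/password per tunnel-pool address, removable per AP, regenerable as a set) is small enough to model end to end. The code below is an added example, not HiveManager code: it generates the per-address credentials, checks a client's credentials the way the server would, and shows the two operations from the slide, revoking a lost AP's credential and regenerating the whole set. Salted PBKDF2 storage, the pool 10.8.1.20 - 10.8.1.29 and the username format are assumptions.

```python
"""Model of the per-tunnel-IP XAUTH credential table described above.

Added example, not HiveManager code.  One random username/password pair is
generated for each address in the client tunnel pool; the server verifies a
client's pair and hands back its tunnel address; revoking an address (lost
or stolen AP) removes its credential so that tunnel can no longer be built;
regenerating replaces the whole set.  Storing the passwords as salted
PBKDF2 hashes, the pool and the name format are assumptions.
"""
import hashlib
import hmac
import ipaddress
import secrets

PBKDF2_ROUNDS = 50_000   # assumption; any modern password-hashing setting


def tunnel_pool(start, end):
    """Expand a start/end pair like the VPN policy's pool fields."""
    first = int(ipaddress.ip_address(start))
    last = int(ipaddress.ip_address(end))
    return [str(ipaddress.ip_address(i)) for i in range(first, last + 1)]


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class XauthCredentialStore:
    """Server-side table: username -> (tunnel IP, salt, password hash)."""

    def __init__(self):
        self.by_user = {}

    def generate(self, tunnel_ips):
        """Create fresh random credentials for every tunnel IP.  Returns the
        plaintext pairs, which is what gets pushed to the VPN clients; the
        server keeps only the hashes."""
        self.by_user.clear()
        issued = {}
        for ip in tunnel_ips:
            user = "vpn-" + secrets.token_hex(6)
            password = secrets.token_urlsafe(24)
            salt = secrets.token_bytes(16)
            self.by_user[user] = (ip, salt, _hash(password, salt))
            issued[ip] = (user, password)
        return issued

    def authenticate(self, user, password):
        """Return the tunnel IP to assign the client, or None on failure.
        Constant-time comparison so a wrong password is not a timing oracle."""
        entry = self.by_user.get(user)
        if entry is None:
            return None
        ip, salt, digest = entry
        if hmac.compare_digest(_hash(password, salt), digest):
            return ip
        return None

    def revoke(self, tunnel_ip):
        """Lost/stolen AP: drop its credential so its tunnel cannot come up.
        Returns True if something was removed."""
        for user, (ip, _salt, _digest) in list(self.by_user.items()):
            if ip == tunnel_ip:
                del self.by_user[user]
                return True
        return False


if __name__ == "__main__":
    store = XauthCredentialStore()
    issued = store.generate(tunnel_pool("10.8.1.20", "10.8.1.29"))
    user, password = issued["10.8.1.23"]
    print("before revoke:", store.authenticate(user, password))
    store.revoke("10.8.1.23")
    print("after revoke: ", store.authenticate(user, password))
```

Revoking on the server side is sufficient because the stolen AP still holds only its own pair, which no longer appears in the table; regenerating invalidates every pair at once, which is why the slide says the new set must be pushed to the servers and the clients together.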
VPN Lab Clean-up
Please remove the VPN tunnel configuration from the Employee(10) user profile and change the VLAN before continuing to the next labs
Lab: VPN Lab Cleanup
1. Change VLAN and Disable Tunnel
 From Configuration > User Profiles
 Select your Employee(10)-X user profile
 Set the default VLAN to: 10
 Under Optional Settings > GRE or VPN Tunnels
– Set the option for: No tunnel
 Click Save
Note: We do not need to update the configuration at this time. You will update the configuration in the next lab.
Lab: VPN Lab Cleanup
2. Remove Tunnel Roles from HiveAPs
 From Monitor > Access Points > HiveAPs
 Select the check box next to both of your HiveAPs
– X-A-######
– X-B-######
 Set VPN Service Role: None
 Click Save
HiveAP Classification
Examples
To Simplify the WLAN Policy
Configuration When Different Settings for
HiveAPs are Needed at Different Locations
Question: How do you define a single WLAN policy, but configure different settings?
[Diagram: two HiveAPs on the same WLAN policy, WLAN-X, at different locations, each on its own L2 switch behind the router. DMZ-X HiveAP: interface mgt0 10.8.1.X, classification tag DMZ, MGT0 VLAN 1. Area-X HiveAP: interface mgt0 10.5.2.?, classification tag Area-1, MGT0 VLAN 2.]
 For example, in the WLAN policy you can only define one MGT interface VLAN
 But if the HiveAPs are in different networks with different MGT0 VLANs, what can you do?
Answer: HiveAP Classification
Define an Object That is Variable
[Diagram: one WLAN policy assigned to HiveAP 1 and HiveAP 2. Each HiveAP's configuration carries its own HiveAP Classification tag settings, and a single VLAN object definition in the policy resolves to a different VLAN ID depending on those tags.]
HiveAP Classification
Tag Selection
 If you specify multiple tags on a HiveAP, make sure the object is defined to match
[Diagram: a VLAN object definition shown alongside the HiveAP 1 and HiveAP 2 configurations.]
 If you want this VLAN object to match all HiveAPs in HQ, define Tag 1 as HQ but uncheck Tag 2 and Tag 3 so that they are ignored
 If you do not uncheck Tag 2 and Tag 3, all three tags on each HiveAP will have to match
Objects That Support HiveAP Classification
 Objects that support HiveAP classification:
– IP/Hostname Objects
– MAC Addresses/OUIs
– VLANs
– User Profile Attribute Groups
 These objects are configured once, but the value assigned to a HiveAP changes based on the HiveAP's:
– Topology Map
– Classifier Tag
– IP Address
– Hostname
HiveAP Classification Types
 VLANs, IP Address Objects, MAC Address objects, and User Profile Attribute groups can have classification rules based on:
– Map Name
• Uses topology maps
– HiveAP Name
– Classifier Tag
• Requires that tags are defined in the configuration of the HiveAPs
– Global
• Selected if no match is found for any of the other types
 You can mix and match; the first matching rule is used
– Global is checked as the last match even if it is defined first
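The matching rules above (first match wins, unchecked tag slots are ignored, checked slots must all match, Global is the last resort wherever it is listed) are easy to get wrong when several tags are in play, which is what the Tag Selection slide warns about. The resolver below is an added example, not HiveManager code: it applies those rules to a HiveAP's tag settings and is exercised with the lab's X-MGT0-VLANs object and the campus VLAN-HiveAPs object. The HiveAP and entry field names and the sample HiveAPs are assumptions.

```python
"""Resolver for a HiveAP-classified object, following the rules above.

Added example, not HiveManager code: entries are tried in the order they are
defined, a Classifier Tag entry compares only the tag slots that are checked
(an unchecked slot is ignored) and all checked slots must match, and the
Global entry is used last even when it is listed first.  Field names and
the sample HiveAPs are assumptions based on the lab's X-MGT0-VLANs object
and the campus example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

UNCHECKED = None   # an unchecked tag slot in the object definition


@dataclass(frozen=True)
class HiveAP:
    name: str
    map_name: str = ""
    tags: Tuple[str, str, str] = ("", "", "")   # Tag 1, Tag 2, Tag 3


@dataclass(frozen=True)
class Entry:
    value: int                      # e.g. the VLAN ID this entry yields
    kind: str                       # "Map Name" | "HiveAP Name" | "Classifier Tag" | "Global"
    match: str = ""                 # map name or hostname for those kinds
    tags: Tuple[Optional[str], Optional[str], Optional[str]] = (UNCHECKED,) * 3


def entry_matches(entry, ap):
    if entry.kind == "Map Name":
        return entry.match == ap.map_name
    if entry.kind == "HiveAP Name":
        return entry.match == ap.name
    if entry.kind == "Classifier Tag":
        checked = [(want, have) for want, have in zip(entry.tags, ap.tags)
                   if want is not UNCHECKED]
        return bool(checked) and all(want == have for want, have in checked)
    raise ValueError("unknown classification type: " + entry.kind)


def resolve(entries, ap):
    """First matching non-Global entry wins; Global is the fallback no
    matter where it sits in the list; None if nothing applies."""
    for e in entries:
        if e.kind != "Global" and entry_matches(e, ap):
            return e.value
    for e in entries:
        if e.kind == "Global":
            return e.value
    return None


# The lab's MGT0 VLAN object: VLAN 2 when Tag 3 is Trusted, else Global VLAN 1.
X_MGT0_VLANS = [
    Entry(2, "Classifier Tag", tags=(UNCHECKED, UNCHECKED, "Trusted")),
    Entry(1, "Global"),
]

# The campus example's VLAN-HiveAPs object, with Global deliberately first.
VLAN_HIVEAPS = [
    Entry(1, "Global"),
    Entry(2, "Classifier Tag", tags=("Area-1", UNCHECKED, UNCHECKED)),
    Entry(6, "Classifier Tag", tags=("Area-2", UNCHECKED, UNCHECKED)),
]

HIVEAP_A = HiveAP("X-A-000001", tags=("HQ", "Bldg1", "Trusted"))   # constructed
HIVEAP_B = HiveAP("X-B-000002", tags=("HQ", "Bldg1", "DMZ"))       # constructed

if __name__ == "__main__":
    for ap in (HIVEAP_A, HIVEAP_B):
        print(ap.name, "MGT0 VLAN ->", resolve(X_MGT0_VLANS, ap))
```

Leaving all three slots checked on the VLAN 2 entry ("HQ", "Bldg1", "Trusted") still resolves HiveAP-A to VLAN 2 but is brittle: the first HiveAP tagged HQ/Bldg2/Trusted would silently fall through to the Global VLAN.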
WLAN Policy Example 1 - PSK
Using Classification Tags for VLANs
[Diagram: two HiveAPs on WLAN-X, one on the Inside L2 switch and one on the DMZ L2 switch, both behind the router.]
HiveAP device settings
– DMZ HiveAP: interface mgt0 10.8.1.X, classification tag DMZ, WLAN Policy WLAN-X, MGT0 VLAN 1
– Inside HiveAP: interface mgt0 10.5.2.?, classification tag Inside, WLAN Policy WLAN-X, MGT0 VLAN 2
VLAN Object: X-MGT0-VLANs
– VLAN ID 2: Type Classifier Tag, Value Tag 1: HQ, Tag 2: Bldg1, Tag 3: Trusted
– VLAN ID 1: Type Global *
WLAN Policy: WLAN-X
– MGT0 VLAN: X-MGT0-VLANs
– Native VLAN: 1
* Global VLAN is set, but it will not be used in this lab
Lab: HiveAP Classification
1. Assign Classification Tag to HiveAP-A
 From Monitor > HiveAPs
– Select the check box next to your HiveAP-A X-A-###### and click Modify
 Expand Advanced Settings
| HiveAP Classification |
 Enter the values:
Tag 1 – HQ
Tag 2 – Bldg1
Tag 3 – Trusted
Note: You can change these settings for a group of HiveAPs by selecting multiple HiveAPs before editing them
 Click Save
Lab: HiveAP Classification
2. Assign Classification Tag to HiveAP-B
 From Monitor > HiveAPs
– Select the check box next to your HiveAP-B X-B-###### and click Modify
 Expand Advanced Settings
| HiveAP Classification |
 Enter the values:
Tag 1 – HQ
Tag 2 – Bldg1
Tag 3 – DMZ
Note: You can change these settings for a group of HiveAPs by selecting multiple HiveAPs before editing them
 Click Save
Lab: HiveAP Classification
3. In your WLAN Policy Create a New VLAN
The VLAN for the MGT0 interface on a HiveAP is assigned via the WLAN policy
 Go to Configuration > WLAN Policies
 Edit WLAN-X
 Next to MGT interface VLAN, click +
 Go to Next Slide
Lab: HiveAP Classification
4. Create a VLAN Policy for MGT0 VLANs
 VLAN Name: X-MGT0-VLANs
– VLAN ID: 2
– Type: Classifier
– Value:
• Uncheck Tag 1: <empty>
• Uncheck Tag 2: <empty>
• Check Tag 3: Trusted
– Click Apply (do not save yet)
 Click New
– VLAN ID: 1
– Type: Global
– Click Apply
Note: HiveAPs in the DMZ use VLAN 1, which will match the Global entry defined here
 Save your VLAN object
Lab: HiveAP Classification
5. Assign MGT0 Interface VLAN to New VLAN
 In your WLAN Policy, verify the
MGT0 Interface VLAN is set to: X-MGT0-VLANs
 The Native (untagged) VLAN should still be set to: 1
 Save your WLAN Policy
Lab: HiveAP Classification
6. View Configuration Audit
 Click the mismatch icon for your HiveAP-A to see the configuration changes
 You should see that the MGT0 interface is being set to VLAN 2
 If you click the mismatch icon for HiveAP-B, you will not see a change in the VLAN, because it is already set to use VLAN 1
Lab: HiveAP Classification
7. Update Delta Configuration
From Monitor > HiveAPs
 Select both of your HiveAPs: X-A-HiveAP and X-B-HiveAP
 Select Update... > Upload and Activate Configuration
 If you want to see the delta configuration, click the HiveAP link in the upload dialog
– Close the View Configuration window after viewing the delta configuration changes
 Click Upload
Lab: HiveAP Classification
8. View Update Results
 After a successful update, you can move your mouse over the Description to see what was updated
Lab: HiveAP Classification
9. View the New IP Address for your HiveAP
 From Monitor > HiveAPs
– Verify that the new IP address for your HiveAP-A is in the subnet 10.5.2.0/24 (the new address is in VLAN 2)
Note: It may take a moment for the change to be reflected
HiveAP Classification
Example
Using Classification Tags for VLANs
Example
[Diagram: a campus with two areas, each with its own L2 switch behind a shared router. Area-1: HiveAP VLAN 2, user VLANs 3 - 5, student client 10.1.3.10. Area-2: HiveAP VLAN 6, user VLANs 7 - 9, student client 10.1.7.10.]
HiveAP device settings
– Area-1 HiveAPs: interface mgt0 DHCP client, classification tag Area-1, WLAN Policy Campus-Policy
– Area-2 HiveAPs: interface mgt0 DHCP client, classification tag Area-2, WLAN Policy Campus-Policy
WLAN Policy Settings: Campus-Policy
– Hive: Hive-Campus
– MGT0 VLAN: VLAN-HiveAPs; Native VLAN: 1
– SSID 1: Student-WiFi, network security WPA/WPA2 with PSK, TKIP or AES
– SSID 2: Faculty-WiFi, network security WPA/WPA2 with PSK, TKIP or AES
– SSID 3: Voice-WiFi, network security WPA/WPA2 with PSK, TKIP or AES
VLAN network objects (one object each, classified by tag)
Object          Classifier Tag Area-1   Classifier Tag Area-2
VLAN-HiveAPs    VLAN 2                  VLAN 6
VLAN-Students   VLAN 3                  VLAN 7
VLAN-Faculty    VLAN 4                  VLAN 8
VLAN-Voice      VLAN 5                  VLAN 9
* A Global VLAN must be set on each object, but it will not be used
User profiles
User Profile   Attribute   Tunnel Policy   VLAN
Students       100         L3-Roaming      VLAN-Students
Faculty        101         L3-Roaming      VLAN-Faculty
Voice          102         L3-Roaming      VLAN-Voice
HiveAPs as RADIUS Servers
Local User Database
LAB: Create Local User Database
 Used for IEEE 802.1X and for Captive Web Portal authentication
 The local user database serves as the primary or backup user store for the HiveAP RADIUS server for IEEE 802.1X EAP-PEAP, EAP-TTLS, or EAP-TLS authentication
 It is particularly useful for branch or small office deployments that need a local user database
 The local user database can also back up authentication against Active Directory: if the Active Directory service is unavailable, the local database can be used automatically
LAB: HiveAP as RADIUS Server
1. Create a Local User Group
 Go to Configuration > Advanced Configuration > Authentication > Local User Groups and click New
 User Group Name: group(10)-0X (X is 2 digits = 01, 02, ..., 14, 15)
 User Attribute: 10
 VLAN ID: <leave blank; it will be inherited from the user profile>
 Re-auth Time: 1800
 Click Save
Note: As a theft protection mechanism, if Save in DRAM only is selected, the user database is erased when the AP is powered off or rebooted, and the AP automatically retrieves it again from HiveManager.
LAB: HiveAP as a RADIUS Server
2. Manually Create a Local User
 Go to Configuration > Advanced Configuration > Authentication > Local Users and click New
 User Group: group(10)-0X
 Username: user-X
 Password: aerohive123
 Confirm Password: aerohive123
 Description: 0X-rad
 Click Save
Note: Entering a description makes it easier to filter/search for users in the user list. For example, later you will filter on "0X-rad" to find all the users you have created and imported in this lab.
LAB: HiveAP as a RADIUS Server
3. Prepare your user file to import
From the list of files you downloaded from the instructor, locate and edit your Company-X-radius-users.csv file (you can edit it with a spreadsheet program or Notepad)
 Modify the first user entry: make up a username and enter your real email address so that you can send yourself the PSK
 Save the file (the file name must end with .csv)
File layout (one user per line, fields in this order):
– user login name
– User Type (1 = RADIUS user)
– User Group Name
– password for the user account
– Description
– Lines that start with a # are commented out
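Checking the file before uploading it saves a round trip through the importer's error list. The parser below is an added example, not HiveManager's importer: it reads the layout described above (login, user type, group, password, description), skips blank and commented-out lines, rejects rows the importer would not accept, and applies the "0X-rad" description filter used in the next steps. The column order is taken from the slide's annotated screenshot and the sample file is constructed for student 02; it is not the class's Company-X-radius-users.csv.

```python
"""Parser/validator for the local-user CSV import format described above.

Added example, not HiveManager's importer.  Column order (user login name,
user type, user group name, password, description) is taken from the
slide's annotated screenshot; lines starting with '#' are comments.  The
sample file below is constructed for student 02, not the class file.
"""
import csv
from dataclasses import dataclass
from typing import List, Tuple

RADIUS_USER_TYPE = "1"
EXPECTED_FIELDS = 5


@dataclass(frozen=True)
class LocalUser:
    login: str
    user_type: str
    group: str
    password: str
    description: str


SAMPLE_CSV = """\
# Company-02-radius-users.csv (constructed sample)
# login,type,group,password,description
jdoe,1,group(10)-02,Pa55-word-1,02-rad
user02-2,1,group(10)-02,Pa55-word-2,02-rad
user02-3,1,group(10)-02,Pa55-word-3,02-rad
user02-4,1,group(10)-02,Pa55-word-4,02-rad
user02-5,1,group(10)-02,Pa55-word-5,02-rad
# rows the importer should refuse:
broken,1,group(10)-02,no-description-field
guest,2,group(10)-02,Pa55-word-6,02-rad
"""


def parse_local_users(text: str) -> Tuple[List[LocalUser], List[str]]:
    """Return (accepted users, error messages carrying the line number)."""
    users, errors, seen = [], [], set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue                                   # blank or commented out
        row = [field.strip() for field in next(csv.reader([line]))]
        if len(row) != EXPECTED_FIELDS:
            errors.append(f"line {lineno}: expected {EXPECTED_FIELDS} fields, got {len(row)}")
            continue
        user = LocalUser(*row)
        if user.user_type != RADIUS_USER_TYPE:
            errors.append(f"line {lineno}: user type {user.user_type!r} is not a RADIUS user (1)")
            continue
        if not user.login or not user.group or not user.password:
            errors.append(f"line {lineno}: login, group and password are required")
            continue
        if user.login in seen:
            errors.append(f"line {lineno}: duplicate login {user.login!r}")
            continue
        seen.add(user.login)
        users.append(user)
    return users, errors


def filter_by_description(users, prefix):
    """The Local Users filter used in the next steps: match on description."""
    return [u for u in users if u.description.startswith(prefix)]


if __name__ == "__main__":
    accepted, rejected = parse_local_users(SAMPLE_CSV)
    print(len(accepted), "users would be imported;", len(rejected), "rejected")
    for message in rejected:
        print("  ", message)
```

Run against the sample, five users are accepted and the two deliberately bad rows are reported with their line numbers, which is what the "make sure you do not have any errors and ensure all 5 users were imported" check in the next step is looking for.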
LAB: HiveAP as a RADIUS Server
4. Import your user list file
 Go to Configuration > Advanced Configuration > Authentication > Local Users
– Make sure you are in Local Users, NOT Local User Groups
 Click Import
 Browse for your modified RADIUS user list file in .csv format
 Click Import
– Make sure you do not have any errors and that all 5 users were imported
LAB: HiveAP as a RADIUS Server
5. Use the filter to find your users
Apply a filter to view the RADIUS users you created and imported
 Go to Configuration > Advanced Configuration > Authentication > Local Users
 Click Filter
 Enter the first part of the description: 0X-rad (where 0X is your two-digit student ID, 02 - 15)
 Click Search
 Go to next slide
LAB: HiveAP as a RADIUS Server
6. View your list of RADIUS user accounts
 Here you can see the user you created as well as the users you imported from the CSV file
 Later, the user group will be assigned to a RADIUS server on a HiveAP
 The HiveAP will be able to authenticate all the users in the user groups assigned to the HiveAP RADIUS server using IEEE 802.1X/EAP or an authenticated Captive Web Portal
Create SSID Using
WPA/WPA2 Enterprise (802.1X)
Using a RADIUS User Database on a
HiveAP for Authentication
LAB: HiveAP as a RADIUS Server
With 802.1X/EAP SSID Diagram
[Diagram: the Student-X client connects to SSID Class-802.1X-Xb and gets IP 10.5.10.N/24 with gateway 10.5.10.1; the HiveAP acting as RADIUS server has mgt0 10.5.2.N/24 in VLAN 2; the AD DHCP server is 10.5.1.10; VLANs 1 - 20 are trunked to the HiveAP; the Internet sits behind the gateway.]
WLAN Policy: WLAN-X
– SSID: Class-802.1X-Xb
– Authentication: WPA/WPA2 Enterprise (802.1X) against the HiveAP RADIUS server
– Encryption: TKIP or AES
– User Profile 1: Employee(10)-X, attribute 10 (RADIUS attribute returned), VLAN 10
– User Profile 2: Employee-Default, attribute 1000 (no RADIUS attribute returned), VLAN 8
DHCP settings on the AD DHCP server:
– VLAN 1: network 10.5.1.0/24, pool 10.5.1.140 - 10.5.1.240
– VLAN 2: network 10.5.2.0/24, pool 10.5.2.140 - 10.5.2.240
– VLAN 8: network 10.5.8.0/24, pool 10.5.8.140 - 10.5.8.240
– VLAN 10: network 10.5.10.0/24, pool 10.5.10.140 - 10.5.10.240
LAB: HiveAP as a RADIUS Server
1. Edit your WLAN Policy and Add SSID Profile
An 802.1X capable SSID and its related settings can be configured from your WLAN Policy
 Go to Configuration > WLAN Policies
 Edit WLAN-X
 Under SSID Profiles click Add/Remove SSID Profile
 Create a new SSID Profile
– Click +
 Go to Next Slide
LAB: HiveAP as a RADIUS Server
2. Configure SSID and RADIUS Server
 Profile Name: Class-802.1X-Xb
 SSID: Class-802.1X-Xb
 SSID Access Security
– Select: WPA/WPA2 802.1X (Enterprise)
 Next to RADIUS Server
– Click +
 Go to Next Slide
LAB: HiveAP as a RADIUS Server
3. Define Settings for HiveAP RADIUS Server
 Select the radio button for HiveAP RADIUS server
 Profile Name: AP-RADIUS-X
 Primary RADIUS Server: 10.5.2.X
| Available Local User Groups |
– Select your user group group(10)-0X and click the > button to move it to the Selected Local User Groups
 Click Apply
 Do not save – go to next slide
Note: Defining RADIUS within an SSID, instead of defining the profile objects separately before modifying the SSID, has the advantage of automatically creating two profiles, an AAA Client Settings profile and a HiveAP AAA Server Settings profile, and it ensures they are configured correctly for each other.
LAB: HiveAP as RADIUS Server
4. Assign user profiles and save
 The RADIUS Server should now be set to: AP-RADIUS-X
 Under User Profiles for Traffic Management
– User profile assigned if no attribute is returned: Employees(1000)
– User profile assigned via attributes returned from RADIUS... select: Employee(10)-X
Note: If you have multiple groups assigned to the HiveAP RADIUS server, each group can assign a different user profile attribute, and in that case you can define more user profiles here.
 Click Save
LAB: HiveAP as RADIUS Server
5. Remove Existing SSID and Add New SSID
 To clean up the air in the data center, remove all other SSID profiles from the Selected SSID Profiles list using the << button
– You should have no SSID profiles listed under the Selected SSID Profiles list
 From the Available SSID Profiles, select Class-802.1X-Xb and use the > button to move it to the Selected SSID Profiles list
 Click Apply (do not skip this step)
 Then Save your WLAN policy
LAB: HiveAP as a RADIUS Server
6. View Certificate Assigned to RADIUS Server
 Go to Configuration > Advanced Configuration > Authentication > HiveAP AAA Server Settings
 Modify your RADIUS Server Object: AP-RADIUS-X
Note: By default, the HM-Default server certificate and key are selected, which works as long as you have not created a new HiveManager Root CA certificate. In an earlier lab a new HiveManager Root CA certificate was created, so the default certificates, which were signed by the old HiveManager Root CA key, will no longer validate against the new CA.
 Do not save – go to next slide
LAB: HiveAP as a RADIUS Server
7. Change Certificate Used by RADIUS Server
 Assign your AAA RADIUS Server to use:
– CA Cert File: AerohiveHMCA.pem
– Server Cert File: HiveAP-X_key_cert.pem
– Server Key File: HiveAP-X_key_cert.pem
Note: The key and cert were generated as a combined certificate file in an earlier lab.
– Key File Password: aerohive123
– Confirm Password: aerohive123
 Save the RADIUS Server profile
LAB: HiveAP as a RADIUS Server
8. Configure a Static IP for the RADIUS HiveAP
 Go to Access Points > Managed HiveAPs and Modify your HiveAP-A: X-A-######
 Under Optional Settings
– Expand Interface and network settings
• Uncheck [ ] DHCP client Enable
• IP Address: 10.5.2.X
• Netmask: 255.255.255.0
• Gateway: 10.5.2.1
Note: This lab assumes the HiveAP MGT0 interface is in VLAN 2, which was assigned in the previous HiveAP classification lab. The RADIUS HiveAP needs a fixed address because the SSID's RADIUS server object points at 10.5.2.X.
 Click Save
LAB: HiveAP as a RADIUS Server
9. Assign HiveAP to be RADIUS Server
Assign the RADIUS Server Object to the HiveAP designated as the RADIUS server
 Under Optional Settings, expand Service Settings
 Set HiveAP RADIUS service to: AP-RADIUS-X
 Remove the VPN Service Role by setting it to: None
– Otherwise RADIUS traffic may still be tunneled because of the settings from the previous labs
 Click Save
LAB: HiveAP as a RADIUS Server
10. Update Delta Configuration and RADIUS Certs
From Monitor > HiveAPs
 Select both of your HiveAPs: X-A-HiveAP and X-B-HiveAP
 Select Update... > Upload and Activate Configuration
 If you want to see the delta configuration, click the HiveAP-A link in the upload dialog
– Close the View Configuration window after viewing the delta configuration changes
 Click Upload
LAB: HiveAP as a RADIUS Server
11. View Update Results
 After a successful update, you can move your mouse over the Description to see what was updated
– Here you should see that the AAA certificates and keys, the user database, and the configuration have been updated
Client Access Preparation: Distributing CA Certificates to Wireless Clients
LAB: Export the HiveManager CA Root Certificate on the Remote PC
Note: The HiveManager Root CA certificate should be installed on the client PCs that will be using the RADIUS service on the HiveAPs for 802.1X authentication, so that the supplicant can validate the server certificate the HiveAP presents during PEAP.
 From the VNC connection to the student PC, open a connection to: https://hivemanager
 Login with: adminX, password: aerohive123
 Go to Configuration > Keys and Certificates > Certificate Mgmt
 Select AerohiveHMCA.pem
 Click Export
LAB: Export the HiveManager CA Root Certificate
 Select a directory on your remote PC to export the AerohiveHMCA.pem certificate to
 Rename the AerohiveHMCA.pem file to AerohiveHMCA.pem.cer
– Adding the .cer extension to the end of the file name lets Microsoft Windows recognize the file as a certificate automatically
2008
Confidential 2010
LAB: Install AerohiveHMCA Certificate on Wireless Client PC
 Find the file that was just exported to your client PC
 Double-click the certificate file
 Click Install Certificate
Issued to: hm-training.ahdemo.local
– This is the name of the certificate if you wish to find it in the certificate store, or if you want to select it in the Windows supplicant PEAP configuration.
LAB: Install AerohiveHMCA Certificate
on Wireless Client PC
 In the certificate install
wizard window click Next
 Click Automatically
select the certificate
store based on the type
of certificate
 Click Next
 If prompted, click OK on
the Do you want to
install this certificate
message
 Click Finish
LAB: Verify AerohiveHMCA Certificate is Valid
 If you double-click the certificate now and go to the Certification Path tab, you will see that the certificate is OK
 You can also check the Valid From date in the Details tab
– If the date on the HiveManager is wrong, or has the wrong time zone, this date may be invalid
Configuring and Testing Your
802.1X Supplicant
For Microsoft XP and Vista
Supplicants
Lab: Testing 802.1X to HiveAP RADIUS
1. Connect to Class-802.1X-Xb SSID
 From the wireless client on the hosted PC
– Click Class-802.1X-Xb
– Click Connect
***This connection will fail, but it will create a profile for the SSID on the client that you can then edit to change the authentication method from Smart Card or other certificate to Protected EAP
Lab: Testing 802.1X to HiveAP RADIUS
2. Configure 802.1X Supplicant (802.1X Client)
 View your Wireless Connections then click to Change advanced settings
 In the Wireless network properties window enter the following:
– Change EAP Type to: Protected EAP (PEAP)
 Click OK
Lab: Testing 802.1X to HiveAP RADIUS
3. Enter credentials for 802.1X
Note: Because we are using VNC, the “Enter Credentials” window most likely will not appear. Click the wireless icon once and the window should appear. You may have to move the Wireless network connection window out of the way if it is on top.
 Enter the user name: user-X
 Password: aerohive123
 Click OK
 Wait a second then click the wireless icon again
 Click OK to validate the certificate
Because of the VNC connection, click the wireless icon for the credentials window to appear. You may have to try several times.
Lab: Testing 802.1X to HiveAP RADIUS
4. Verify that you are connected to the SSID
 Your Client will
connect to the
Class-802.1X-Xb
SSID
Lab: Testing 802.1X to HiveAP RADIUS
5. View Active Clients
 After associating with your SSID, you should see your connection in the active clients list in HiveManager
– Go to Monitor > Client > Active Clients
– You should see:
User Name: user-X
BSSID: <The MAC address for your AP’s SSID>
VLAN: 10
User Profile Attribute: 10
Client Monitor
Example of an invalid user account
 The Client Monitor shows the IP of the RADIUS server
 SSL negotiation uses the RADIUS server certificate
– At this point you know the AAA certificates were installed correctly and the server certificate validation done by the client passed
 The user is not in the user database.
– View the AAA server settings and ensure the correct user group is selected, and the HiveAP is a RADIUS server. Then update the configuration of the HiveAP.
RADIUS Test
Built Into HiveManager
To test a RADIUS account
 Go to Tools > RADIUS Test
 RADIUS Server: 0X-A-######
 HiveAP RADIUS Client: 0X-A-######
 Select RADIUS authentication server
 Username: user-X
 Password: aerohive123
 Click Test
If the test reports that the user is not in the user database: view the AAA server settings and ensure the correct user group is selected, and the HiveAP is a RADIUS server. Then update the configuration of the HiveAP.
After fixing the problem and running the test again, the authentication was successful
HiveAP RADIUS Server
With Active Directory Integration
Create a New Active Directory Administrator (Instructor Only)
On Windows 2003 AD Server
 In your domain, select Users, right click and select New > User
Note: The name used in this example is not relevant, you can use any name
 First Name: HiveAP
 Last Name: Admin
 Full Name: HiveAP Admin
 User Logon: hiveapadmin@ahdemo.local
 Click Next
Create a New Active Directory
HiveAP Administrator –(Instructor Only)
 Enter a Password: Aerohive1
 Confirm Password: Aerohive1
 Uncheck User must change
password at next login
 Uncheck User cannot change
password
 Check Password never
expires
 Uncheck Account is disabled
 Click Next
 Click Finish
HiveAP Administrator
Group Membership
 If you view the HiveAP Admin
properties, you can see that the
HiveAP Admin only needs to be a
member of Domain Users
Optionally Create an Organizational Unit Where HiveAPs Can Be Added
 In order for HiveAPs to authenticate users with Active Directory, each HiveAP will be dynamically added to the domain as a computer
 In order to organize the domain, you can create an organizational unit (OU) where HiveAPs can be added
 Select your domain ahdemo.local
 Right click and select New > Organizational Unit
 Enter a name: Wireless then click OK
Optionally Create Organizational Units Where HiveAPs Can Be Added
 Optionally you can create more OUs (sub directories) to further organize the wireless networking
 Select the Wireless OU
 Right click and select: New > Organizational Unit
 Enter a name: HiveAPs
 Click OK
– This will be used as the computer store for HiveAPs
Delegate Control of Wireless OU
to the HiveAP Admin (INSTRUCTOR ONLY)
 Right Click the Wireless
OU and select Delegate
Control...
Delegate Control of Wireless OU to the HiveAP Admin
 Welcome to the Delegation of Control Wizard
– Click Next
 Users or Groups
– Add HiveAP Admin
– Click Next
Delegate Control of Wireless OU
to the HiveAP Admin
 Select Create a custom
task to delegate
 Click Next
Delegate Control of Wireless OU
to the HiveAP Admin
 For Active Directory Object
Type
– Select Computer Objects
and leave the rest of the
default settings
– Check Create selected
objects in this folder
– Click Next
 For Permissions
– Check Read
– Check Write
– And leave the rest of the
default settings
 Click Next
Delegate Control of Wireless OU
to the HiveAP Admin
 Click Finish
Configure Active Directory Settings
Lab: AD Settings Configuration
1. Configure AD Settings
 From Configuration > Advanced Configuration > Authentication > AAA User Directory Settings
Note: In 3.5r1, this header was called AAA Server Settings
 Click New
 Name: AD-X
 Select: Active Directory
 Active Directory Server: 10.5.1.10
 Domain: AHDEMO
 Full Name: ahdemo.local
 BindDN Name: [email protected]
 BindDN Password: Aerohive1
 Go to next slide
Lab: AD Settings Configuration
2. Configure AD Settings - Continued
 Admin User Name:
(Leave Empty for Class)
Note: This step is optional from
HiveManager. This step can be
performed directly from the
HiveAP if someone is security
conscious about storing an
Administrator password for
Active Directory in
HiveManager. The screen shot
had it filled in so you can see
the syntax
 Computer OU:
Wireless/HiveAPs
Note: The HiveAP Admin was
given access to this OU
 Click Save
Lab: AD Settings Configuration
3. Configure HiveAP RADIUS with AD Settings
 Go to Configuration > Advanced Configuration > Authentication > HiveAP AAA Server Settings
 Modify AP-RADIUS-X
 Uncheck Local Database
 Under Optional Settings, expand Database Access Settings
 Check Active Directory
 Select AD-X with priority: Primary
 Click Apply … Please make sure you click Apply
 Click Save
SSID for 802.1X
Using HiveAP RADIUS with
AD Integration
LAB: HiveAP RADIUS w/ AD Integration
1. Edit your WLAN Policy and Add SSID Profile
An 802.1X capable SSID and
related settings can be
configured from your WLAN
Policy
 Go to Configuration
WLAN Policies
 Edit WLAN-X
 Under SSID Profiles click
Add/Remove SSID Profile
 Under Available SSID
Profiles
– Click +
 Go to Next Slide
LAB: HiveAP RADIUS w/ AD Integration
2. Configure SSID and Create RADIUS Server
 Profile Name: Class-802.1X-Xc
 SSID: Class-802.1X-Xc
 SSID Access Security
– Select: WPA/WPA2 802.1X
(Enterprise)
 Next to: Select RADIUS Servers
for 802.1X….
– Select: AP-RADIUS-X
(Defined in a previous lab)
 Go to Next Slide
LAB: HiveAP RADIUS w/ AD Integration
3. Assign user profile settings
 Specify User Profile assigned if no attribute is returned from RADIUS after successful authentication: Employees(1000)
(This user profile was created by the Instructor)
 Specify User Profiles assigned via attributes returned from RADIUS after successful authentication: Employee(10)-X
 Click Save
 Go to Next Slide
LAB: Secure WLAN Access With 802.1X
5. Remove Existing SSID and Add New SSID
 To clean up the air in the data center, remove all other SSID profiles
from the selected SSID profiles list using the << button
– You should have no SSID Profiles listed under the Selected SSID
Profiles list
 From the Available SSID Profiles, select Class-802.1X-X and
use the > button to move it to the Selected SSID Profiles List
 Click Apply ---- Please please, please click apply!
 Go to Next Slide
LAB: Secure WLAN Access With 802.1X
6. Verify Configuration and Save WLAN Policy
 Verify that the SSID Class-802.1X-Xc is listed under the SSID profiles and that your SSID is mapped to two different user profiles: Employees(1000) and Employee(10)-X
 Please make sure you have NTP Server settings defined under the Management Server Settings section
 Click Save
LAB: Secure WLAN Access With 802.1X
7. Update delta configuration of your HiveAP
From Monitor > HiveAPs
 Select your HiveAP
 X-A-HiveAP
 Select Update... > Upload and Activate Configuration
 If you want to see the delta configuration, click the HiveAP link for your HiveAP
– Close the View Configuration window after viewing the delta configuration changes
 Click Upload
Optional: Verify HiveAP RADIUS Service
From the CLI of the HiveAP
If you want to verify the RADIUS server status on your HiveAP
 From the CLI of your HiveAP type: show aaa radius-server
 Take a look to see if the settings look similar to the settings displayed below
01-A-008b40# show aaa radius-server
All local RADIUS server parameters:
RADIUS-server: Enabled
port: 1812
Station-auth type: tls peap ttls leap
CA: AerohiveHMCA.pem
server-cert: HiveAP-1_key_cert.pem
private-key: HiveAP-1_key_cert.pem
private-key-password: Encrypted
remote retry period: 30 secs
local check period: 300 secs
ldap retry interval: 600 secs
primary active directory (active):
admin user:
server: 10.5.1.10
computers OU: Wireless/HiveAPs
default domain info:
netBOIS name ahdemo
full domain name: ahdemo.local
bindDN: [email protected]
Optional: Verify HiveAP Time
From the CLI of the HiveAP
 From CLI of HiveAP
# show time
Timezone: GMT-8
# show clock
2009-04-16 14:30:45 Thursday
Joining HiveAPs to Active Directory
Computer OU = Wireless/HiveAPs
 From the AD server, you can go to Active Directory Users and Computers and see when the HiveAP joins the domain
– Select the computer OU you specified in the AAA User Directory Settings, then click Refresh
 If you specify an Active Directory administrator account in the AAA User Directory Settings, then the HiveAP will automatically add itself to the domain
 If you did not specify an Active Directory administrator, you will have to manually add your HiveAP to the domain much like you would do with a computer
LAB: Secure WLAN Access With 802.1X
8. Join HiveAP RADIUS Server to Domain
Run the following test to join your HiveAP RADIUS server to the Active Directory Domain
 Go to Tools > AD/LDAP Test
 Select RADIUS Server: X-A-######
 Select Test joining the HiveAP to an Active Directory domain
 Select Active Directory Domain: Primary
 User Name: hiveapadmin
 Password: Aerohive1
 Click Test
Here you can see that the HiveAP is joined to the domain
Alternative: Join HiveAP RADIUS Server to Domain using the HiveAP CLI
 02-A-064200# exec aaa net-join primary username hiveapadmin password Aerohive1
(Note: The password will be hidden when typing)
Exec-Program output:
Joined '02-A-064200' to server 'ahdemo.local' successful (NT_STATUS_OK)
 If you have problems joining your AD server, you may need to enter the Administrator account credentials to join the HiveAP to the domain
Go to the Wireless/HiveAPs OU to see the HiveAP added as a computer in the domain. You may have to refresh the screen to see the HiveAP appear after joining the HiveAP to the domain.
Troubleshooting –
Joining a HiveAP to a Domain
 Possible Cause: The
Administrator does not have
privileges to add a
computer/HiveAP to
this OU
 Solution: Use an Administrator
with more privileges
 Possible cause: The HiveAP
was previously added to a
different OU, and this
administrator does not have
privileges to remove the other
entry
 Action: Delegate administration
of this OU to allow the selected
administrator to add computers
to this OU
Here you can see that the
HiveAP has failed to join the
domain
Troubleshooting – Joining a HiveAP to a Domain
 Possible Cause: The NTP Server settings have not been configured on the HiveAP
 Solution: Configure the NTP Server settings by going to your WLAN Policy > Management Services > NTP Server
Here you can see that the HiveAP time is not accurate
LAB: Secure WLAN Access With 802.1X
9. Test the user account for your hosted PC
 Select RADIUS Server:
X-A-######
 Select Test HiveAP
credentials for Active
Directory Integration
 User Name: user
 Password: Aerohive1
 Click Test
Kerberos authentication
passed for the user
Note for Classroom Environment
802.1X Supplicant Configuration
 The first time you try to connect to your SSID, the connection will fail because Windows XP defaults to use Smart Card and Other Certificate instead of PEAP
LAB: Secure WLAN Access With 802.1X
10. Configure Supplicant
 From the hosted PC, connect to the Class-802.1X-Xc SSID
 Wait a few seconds while the supplicant tries to validate identity
– Note: This will fail because Windows XP uses Smart Card or Other Certificates instead of PEAP
 To configure the network for PEAP, click Change advanced settings
 Click the Wireless Networks tab
 Double-click the SSID: Class-802.1X-Xc
 Click the Authentication tab
LAB: Secure WLAN Access With 802.1X
11. Configure supplicant to use PEAP
 For the EAP type, select Protected EAP (PEAP)
 Click Properties to see that you have enabled Validate the server certificate
 Also, if you click Configure... next to the authentication method, you can see that the client will automatically use the Windows logon name and password that was entered to log into the computer
 Click OK until you have saved and exited from the supplicant configuration
LAB: Secure WLAN Access With 802.1X
12. Connect to SSID and Validate Certificate
 Click your SSID to connect
 Because VNC is used, the pop-up windows may not appear; click once on the wireless icon to get the Validate Certificate pop-up window
 Click OK
 Your client should now connect to the SSID
LAB: Secure WLAN Access With 802.1X
13. View Active Client to Verify User Profile
Once you are connected, you can view the active clients list to see your user profile and VLAN information
 Go to Monitor > Clients > Active Clients
 Note the user profile (User Profile Attribute Value column) is the user profile assigned for the SSID if no RADIUS attribute is returned
– User Profile: 1000
– VLAN: 8
– IP Address: 10.5.8.#
 In the next lab you will learn how to change the user profile for users in different Active Directory groups
Mapping Active Directory memberOf Attribute to User Profiles
HiveAP as a RADIUS Server
Using AD Member Of for User Profile Assignment
(Diagram: an Employee client, David, connects to SSID Corp-802.1X on a HiveAP acting as RADIUS Server; the AD/DHCP server is 10.5.1.10; the wired side carries VLANs 1-20 towards the Internet)
SSID: Corp-802.1X
User Profile      Attribute   VLAN   FW Policy
Employee-CEO      100         11     No restriction
Employee-IT       110         10     No restriction
Employee-Sales    120         8      Limited access
HiveAP RADIUS Server Settings
Local User Group   User Profile Attribute
CEO-Staff          100
IT-Staff           110
Sales              120
1. After validating the user credentials, the AD server returns the list of a user's AD groups via the Member Of attribute to the HiveAP RADIUS server
2. The Member Of must match a user group, which assigns the user profile attribute for the SSID
HiveAP as a RADIUS Server
Using AD Member Of for User Profile Assignment
 In your WLAN policy, you defined an SSID with two user profiles
– Employees(1000) – Set if no RADIUS attribute is returned
• This user profile for example is for general employee staff, and they get assigned to VLAN 8
– Employee(10)-X – Set if a RADIUS attribute is returned
• This user profile for example is for privileged employees, and they get assigned to VLAN 10
 Because the HiveAP RADIUS server is using AD to authenticate the users, and AD does not return RADIUS attributes, how can we assign users to different user profiles?
 Though AD does not return RADIUS attributes, it does return other attribute values, like memberOf, which is a list of AD groups to which the user belongs
Instructor Only: Confirm User is a member of the Employee Groups
 Right click the username “user” and click Properties
 Click on the Member Of tab
 The user account “user” should be assigned to all the groups for all the students in class
Employee-1
Employee-2
..
Employee-15
 Click OK
REFERENCE: debug radiusd
Shows the memberOf attributes returned
When the user authenticates, the Active Directory server will return each of the user groups and if the RADIUS server has a matching group, the user will be assigned a user profile based on the user profile defined in the matching user group
Note: For the lab coming up next, every PC is logged in as “user”, but each student has their own HiveAP RADIUS server with only one user group defined, which will match one of the memberOf groups returned
Debug output during client authentication shows memberOf...
2010-04-28 12:36:58 debug auto shared-secret 2570*, NAS 10.5.2.2, RADIUS srv 10.5.2.2
2010-04-28 12:36:58 debug rlm_ldap: performing user authorization for AHDEMO\user
2010-04-28 12:36:58 debug rlm_ldap: (re)connect to 10.5.1.10:389, authentication 0
2010-04-28 12:36:58 debug rlm_ldap: bind as [email protected]/****** to 10.5.1.10:389
2010-04-28 12:36:58 debug rlm_ldap: waiting for bind result ...
2010-04-28 12:36:58 debug rlm_ldap: Bind was successful
2010-04-28 12:36:58 debug rlm_ldap: performing search in dc=ahdemo,dc=local, with filter ([email protected])
2010-04-28 12:36:58 debug rlm_ldap: Adding memberOf as AH-FreeRADIUS-Group-Name = "CN=Employee-4,CN=Users,DC=ahdemo,DC=local"
2010-04-28 12:36:58 debug rlm_ldap: Adding memberOf as AH-FreeRADIUS-Group-Name = "CN=Employee-3,CN=Users,DC=ahdemo,DC=local"
2010-04-28 12:36:58 debug rlm_ldap: Adding memberOf as AH-FreeRADIUS-Group-Name = "CN=Employee-2,CN=Users,DC=ahdemo,DC=local"
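The matching this slide describes (each memberOf DN returned by AD is compared with the HiveAP's local user groups, and a match selects the user profile attribute) can be walked through with a short script. This is an added example written for this page, not HiveOS or FreeRADIUS code: the debug lines are constructed to follow the format shown above, the PROFILE_VLAN table mirrors the user profile mapping on the earlier slides, and the function names and the first-match rule are assumptions about how a practitioner would reason about the output, not a statement of the HiveAP's internal order.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format of the "debug radiusd" lines on this slide
# (not captured from a real HiveAP).
SAMPLE_DEBUG = """\
2010-04-28 12:36:58 debug rlm_ldap: Bind was successful
2010-04-28 12:36:58 debug rlm_ldap: Adding memberOf as AH-FreeRADIUS-Group-Name = "CN=Employee-4,CN=Users,DC=ahdemo,DC=local"
2010-04-28 12:36:58 debug rlm_ldap: Adding memberOf as AH-FreeRADIUS-Group-Name = "CN=Employee-3,CN=Users,DC=ahdemo,DC=local"
2010-04-28 12:36:58 debug rlm_ldap: Adding memberOf as AH-FreeRADIUS-Group-Name = "CN=Employee-2,CN=Users,DC=ahdemo,DC=local"
"""

# One debug line per group; the DN is the quoted value after the '='.
MEMBEROF_RE = re.compile(r'Adding memberOf as AH-FreeRADIUS-Group-Name = "([^"]+)"')

# Assumed helper table taken from the lab's SSID user profiles: attribute -> VLAN.
PROFILE_VLAN: Dict[int, int] = {1000: 8, 10: 10}


def memberof_dns(debug_text: str) -> List[str]:
    """Return the memberOf DNs in the order the LDAP module added them."""
    return MEMBEROF_RE.findall(debug_text)


def group_cn(dn: str) -> str:
    """Leading CN of a DN: 'CN=Employee-4,CN=Users,DC=ahdemo,DC=local' -> 'Employee-4'."""
    first_rdn = dn.split(",", 1)[0]
    attr, sep, value = first_rdn.partition("=")
    if not sep or attr.strip().upper() != "CN":
        raise ValueError(f"DN does not start with a CN RDN: {dn!r}")
    return value.strip()


def resolve_user_profile(debug_text: str,
                         local_groups: Dict[str, int],
                         default_attr: int) -> Tuple[int, Optional[str]]:
    """Pick the user profile attribute for this authentication.

    local_groups maps a HiveAP local user group name to its user profile
    attribute. The first returned group whose CN equals a local group name
    exactly (case-sensitive, which is why the troubleshooting slide says the
    names must match exactly) wins; with no match the SSID default applies
    and the matched group is None.
    """
    for dn in memberof_dns(debug_text):
        cn = group_cn(dn)
        if cn in local_groups:
            return local_groups[cn], cn
    return default_attr, None


def assigned_vlan(attr: int) -> int:
    """VLAN for a user profile attribute, per the SSID's user profile mapping."""
    return PROFILE_VLAN[attr]


if __name__ == "__main__":
    # Student 3's RADIUS server has only the Employee-3 local group defined.
    attr, group = resolve_user_profile(SAMPLE_DEBUG, {"Employee-3": 10}, 1000)
    print(f"matched group={group} attribute={attr} vlan={assigned_vlan(attr)}")
```

Running it with a local group named `employee-3` instead of `Employee-3` falls through to the default attribute 1000 (VLAN 8), which is exactly the symptom the troubleshooting slide points at when it asks you to confirm the local group name matches the AD group name.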
Lab: Use AD to Assign User Profile
1. Map memberOf attribute to user profile
 From Configuration
Advanced Configuration
Authentication 
HiveAP AAA Server Settings
AP-RADIUS-X
 Expand Database Access Settings
 Check  LDAP server attribute
Mapping
 Select  Map LDAP user groups
to local user groups
 LDAP User Group Attribute:
memberOf
 Under Available Local User
Groups, click + to create a new
group
Lab: Use AD to Assign User Profile
2. Create user group to map to memberOf group
Create a group that matches a
group that the username:
“user” is a member of
 User Group Name:
Employee-X
Note: This group name must
match a group returned by
the AD server by the
memberOf attribute
 User Type:  RADIUS users
 User Profile Attribute:10
Note: The user profile
attribute is returned from the
HiveAP RADIUS server if this
is the matching group
 Click Save
Lab: Use AD to Assign User Profile
3. Map Employee-X user group to memberOf
 Select the Employee-X
user group and move it to
the selected local user
groups list
 Click Save
Lab: Use AD to Assign User Profile
4. Update delta configuration of your HiveAP
From Monitor > HiveAPs
 Select your HiveAP
 X-A-HiveAP
 Select Update... > Upload and Activate Configuration
 If you want to see the delta configuration, click the HiveAP link for your HiveAP
– Close the View Configuration window after viewing the delta configuration changes
 Click Upload
Lab: Use AD to Assign User Profile SSID
5. Disconnect and Reconnect to Class-802.1X-Xc
To test the mapping of the
memberOf attribute to
your user profile
 Disconnect from the
Class-802.1X-Xc SSID
 Connect to the
Class-802.1X-Xc SSID
Lab: Use AD to Assign User Profile SSID
6. Verify your active client settings
 From Monitor > Clients > Active Clients
– Your client should now be assigned to
• IP Address: 10.5.10.#
• User Profile Attribute: 10
• VLAN: 10
If you have problems…
Troubleshooting
 An extremely useful tool for this configuration is an LDAP browser, so you can confirm you are getting the right information from the Active Directory server:
http://download.softerra.com/files/ldapbrowser26.msi
– It will show you what memberOf attribute is being returned for each user
 Confirm the Local Group Name matches the Active Directory Group name exactly
– show run | include aaa
 Useful HiveAP CLI debug commands:
– debug radius comm
– debug radius excessive
– debug radius verbose
– debug console
– no debug console
– no debug radius
Secure and Fast Roaming
Layer 2 Roaming
(Diagram: a client roams between neighboring HiveAPs; a RADIUS Server sits on the wired network)
 User associates and authenticates and keys are distributed
 AP predictively pushes keys and session state to one hop neighbors
 As the client roams and associates with another AP the traffic continues uninterrupted
Layer 3 Roaming
(Diagram: Subnet A and Subnet B behind a Router, with a GRE Tunnel between them)
 Like Layer 2 roaming, the Layer 3 roam predictively pushes keys to one hop neighbors.
 In order to maintain IP connectivity a tunnel is created to the home subnet.
 The tunnel continues to follow the roaming user until the session ends; then the tunnel is terminated and the user accesses the local network
Layer 3 Roaming Details
Layer 3 Roaming
Detailed Explanation
(Diagram: Floor 1, Subnet 10.5.1.0/24, hive Corp-Hive, HiveAPs 10.5.1.11/24, 10.5.1.12/24 and 10.5.1.13/24; Floor 2, labelled Subnet 10.5.10.0/24 on the slide, hive Corp-Hive, HiveAPs 10.6.1.7/24, 10.6.1.8/24 and 10.6.1.9/24)
 HiveAP Layer 3 roaming information is advertised in beacons and can be heard by HiveAPs in the same Hive.
– Beacon IE (Encrypted) from 10.5.1.13: Hive: Corp-Hive; L3 roaming enabled; Mgt0 IP: 10.5.1.13/24
– Beacon IE (Encrypted) from 10.6.1.7: Hive: Corp-Hive; L3 roaming enabled; Mgt0 IP: 10.6.1.7/24
 HiveAPs scan channels to locate layer 3 roaming neighbors and communicate with each other over the Ethernet network.
 HiveAPs can then communicate over the LAN using UDP Port 3000
Layer 3 Roaming
Detailed Explanation
(Diagram: Floor 1, Subnet 10.5.1.0/24, Corp-Hive, HiveAPs 10.5.1.11/24 (DA), 10.5.1.12/24, 10.5.1.13/24; Floor 2, Subnet 10.6.1.0/24, Corp-Hive, HiveAPs 10.6.1.7/24, 10.6.1.8/24, 10.6.1.9/24)
 Neighboring AP sends HiveAP DA information to neighboring subnets
– Send: DA for subnet 10.5.1.0/24 is 10.5.1.11
– Receive: DA for subnet 10.5.1.0/24 is 10.5.1.11
Layer 3 Roaming
Detailed Communication
(Diagram: Floor 1, Subnet 10.5.1.0/24, Corp-Hive, HiveAPs 10.5.1.11/24 (DA), 10.5.1.12/24, 10.5.1.13/24; Floor 2, Subnet 10.6.1.0/24, Corp-Hive, HiveAPs 10.6.1.7/24, 10.6.1.8/24, 10.6.1.9/24)
 Preparation for roaming by contacting the DA for APs as the potential tunnel end points
– Query DA: Best tunnel endpoint for subnet 10.5.1.0/24
– DA Send: Best tunnel endpoint (least loaded AP) for subnet 10.5.1.0/24 is 10.5.1.12
– Received from DA: 10.5.1.12
 HiveAPs preselect best APs in each subnet to be tunnel endpoints
 The tunnel is built only when a client eventually roams
Layer 3 Roaming
Detailed Communication
(Diagram: Floor 1, Subnet 10.5.1.0/24, router interfaces eth0.1 10.5.1.1 and eth0.2 10.5.10.1, HiveAPs 10.5.1.11/24, 10.5.1.12/24, 10.5.1.13/24; Floor 2, Subnet 10.6.1.0/24, router interfaces eth0.1 10.6.1.1 and eth0.2 10.6.10.1, HiveAPs 10.6.1.7/24, 10.6.1.8/24, 10.6.1.9/24; both floors in Corp-Hive)
 Client u1 (10.5.10.33/24) performs a Layer 2 roam between Floor 1 HiveAPs; Session State & PMK are pushed ahead of it
 Client u1 then performs a Layer 3 roam to Floor 2; a DNXP Cache Update records the entry as L3 with tunnel end point 10.5.1.12, and a GRE Tunnel carries the client's traffic back to 10.5.1.12
 The client's IP address is maintained (10.5.10.33/24)
 As clients arrive on the new subnet, the HiveAP will use an existing tunnel for the client, or if that tunnel is heavily loaded, it can create a tunnel to another portal in the DNXP table.
Layer 3 Roaming
Detailed Communication
(Diagram: same Floor 1 / Floor 2 layout as the previous slide)
 As u1 roams between Floor 2 HiveAPs, the Session State & PMK and the DNXP entry (L3, 10.5.1.12) are pushed to the neighbors and the GRE Tunnel to 10.5.1.12 is maintained; the client keeps 10.5.10.33/24
Layer 3 Roaming
Local Subnet Connection
(Diagram: same Floor 1 / Floor 2 layout; Floor 2 labelled Subnet 10.5.10.0/24 on the slide)
 Based on the number of packets per minute sent to and received by the client, the HiveAP can be configured to disable the tunnels and de-auth the client so that it will reconnect and obtain an IP address from the local network.
– After the De-auth, u1 reconnects with 10.6.10.95/24 from the local subnet instead of the tunneled 10.5.10.33/24
Configuring Dynamic Tunneling for
Layer 3 Roaming
Lab: Enable Layer 3 Roaming
1. In your user profile, create a tunnel policy
Layer 3 roaming is enabled per user profile by configuring a tunnel policy
 Edit your employee User Profile by going to Configuration > Guided Configuration > User Profiles
 Edit Employee(10)-X
 Under Optional Settings expand GRE or VPN Tunnels
 Next to GRE tunnel for roaming or station isolation click +
Note: Tunnel policies are mutually exclusive. There is no need to enable more than one type of tunnel policy, so a radio button is used to select the type.
Lab: Enable Layer 3 Roaming
2. Configure Layer 3 Roaming Policy
Enable the ability to dynamically build tunnels for layer 3 roaming
 Name: L3-Roaming-X
 Under Tunnel Settings
 Select Enable Dynamic tunneling for Layer 3 Roaming
 Unroaming Threshold: 60 seconds
 Number of packets per minute: 2000
 Click Save
Note: The number of packets per minute to select varies based on the number of devices, types of devices, and applications running on your network. In my local network for example, my idle PC sends and receives about 500 packets per minute. Running a voice call from a soft client my PC sends and receives about 4000 packets per minute. So I have chosen to unroam if my PC does not receive 2000 packets per minute in a one minute time frame, which means my tunnel should remain during a voice call or file transfer.
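To see how the two numbers on this slide interact, here is an added simulation of the unroaming decision (example code written for this page, not HiveOS code, and not a description of how HiveOS samples traffic): a trailing window of `threshold_seconds` holds per-second packet counts, and the client is unroamed once a full window has been observed and it holds fewer packets than `packets_per_minute` scaled to the window. The class and function names, the one-second sampling and the three traffic traces (idle PC, soft-phone call, call followed by idle) are all constructed assumptions based on the note's figures.

```python
from collections import deque
from typing import Deque, List, Optional, Tuple


class UnroamMonitor:
    """Hypothetical model of the tunnel policy's unroaming decision.

    threshold_seconds is the Unroaming Threshold and packets_per_minute the
    Number of packets per minute from the lab. A client whose traffic over the
    trailing window drops below that rate is unroamed: tunnel dropped and the
    client de-authenticated so it re-associates on the local subnet.
    """

    def __init__(self, threshold_seconds: int = 60, packets_per_minute: int = 2000):
        if threshold_seconds <= 0 or packets_per_minute < 0:
            raise ValueError("threshold must be positive and the rate non-negative")
        self.threshold_seconds = threshold_seconds
        self.packets_per_minute = packets_per_minute
        self._samples: Deque[Tuple[float, int]] = deque()  # (timestamp, packets)
        self._first_ts: Optional[float] = None

    def required_packets(self) -> float:
        """Packets the window must contain to stay roamed (rate scaled to window)."""
        return self.packets_per_minute * self.threshold_seconds / 60.0

    def packets_in_window(self) -> int:
        return sum(p for _, p in self._samples)

    def observe(self, ts: float, packets: int) -> str:
        """Record packets sent to and received by the client during one second.

        Returns "warming-up" until a full window has been seen, then
        "keep-tunnel" or "unroam".
        """
        if self._first_ts is None:
            self._first_ts = ts
        self._samples.append((ts, packets))
        cutoff = ts - self.threshold_seconds
        while self._samples and self._samples[0][0] <= cutoff:
            self._samples.popleft()
        if ts - self._first_ts < self.threshold_seconds:
            return "warming-up"
        if self.packets_in_window() < self.required_packets():
            return "unroam"
        return "keep-tunnel"


def first_unroam_time(trace: List[Tuple[float, int]], **policy) -> Optional[float]:
    """Replay a (timestamp, packets) trace; return when unroam first triggers, else None."""
    mon = UnroamMonitor(**policy)
    for ts, packets in trace:
        if mon.observe(ts, packets) == "unroam":
            return ts
    return None


def constant_rate(start: int, end: int, pkts_per_sec: int) -> List[Tuple[float, int]]:
    """Constructed trace: one sample per second from start (inclusive) to end (exclusive)."""
    return [(float(t), pkts_per_sec) for t in range(start, end)]


# Constructed traces matching the note's figures: an idle PC at roughly 500
# packets/min (about 8/s) and a soft-phone call at roughly 4000/min (about 67/s).
IDLE_TRACE = constant_rate(0, 120, 8)
VOICE_TRACE = constant_rate(0, 120, 67)
CALL_THEN_IDLE = constant_rate(0, 120, 67) + constant_rate(120, 240, 8)

if __name__ == "__main__":
    for name, trace in (("idle", IDLE_TRACE), ("voice", VOICE_TRACE), ("call then idle", CALL_THEN_IDLE)):
        print(f"{name}: unroam at t={first_unroam_time(trace)}")
```

With the lab's 60 s / 2000 packets the idle PC is unroamed as soon as the first full window has been seen, the voice call is never unroamed, and a call that ends at t=120 s is unroamed 34 s later, once enough idle seconds have displaced the busy ones from the window. Raising the rate to 5000 packets per minute would unroam even the voice call, which is the trade-off the note is warning about.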
Lab: Enable Layer 3 Roaming
3. Configure VLANs for User Profile
Ensure the Tunnel Policy is set to: L3-Roaming-X
Note: Because the user profile is applied to HiveAPs in different locations, such as the trusted network and the DMZ, you can use HiveAP classification to define one policy to set the user VLANs in each location
 Next to Default VLAN,
– Click +
Lab: Enable Layer 3 Roaming
4. Configure the User VLANs
 VLAN Name: 0X-Employee-VLANs
– VLAN ID: 1
– Type: Global
– Click Apply (Do not save)
 Click New
– VLAN ID: 10
– Type: Classifier
– Value:
• Uncheck Tag 1: <empty>
• Uncheck Tag 2: <empty>
• Check Tag 3: Trusted
– Click Apply then Save
Note: Users that connect to HiveAPs in the trusted network will be assigned to VLAN 10, and in the DMZ or any other network, they will be assigned to VLAN 1
Lab: Enable Layer 3 Roaming
5. Configure VLANs for User Profile
 Ensure the Default VLAN is set
to: L3-Roaming-X
 Click Save
Lab: Enable Layer 3 Roaming
6. Update delta configuration of your HiveAP
From Monitor > HiveAPs
 Select both of your HiveAPs
 X-A-HiveAP
 X-B-HiveAP
 Select Update... > Upload and Activate Configuration
 If you want to see the delta configuration, click the HiveAP link for your HiveAP
– Close the View Configuration window after viewing the delta configuration changes
 Click Upload
Testing Layer 3 Roaming
In Hosted Data Center
 Unfortunately we cannot test layer 3 roaming in the hosted data
center because
– The HiveAPs are hard wired via coax to their clients
– The power level of the HiveAPs has been set to 1 dBm so the clients
can connect to their SSIDs. If we do not set the power to 1 dBm, the
power is too high for the clients that are connected via coax
• Because the power is low, and the rest of the RF connections are
terminated, testing in the remote lab is not possible
 If the instructor has time and the equipment, they can demonstrate
layer 3 roaming locally in class
Layer 3 Roaming
Verification Notes
Notes: Layer 3 Roaming
View Roaming Neighbors
 From Monitor > Access Points > HiveAPs
 If you select the check box next to your HiveAP then select Tools > Diagnostics > Show DNXP Neighbors
– You can view the HiveAP's Layer 2 and Layer 3 roaming neighbors
• View the State column: it shows whether a HiveAP is a layer 2 or layer 3 neighbor
Layer 3 Roaming
Testing in Hosted Lab
 If you select the check box next to your HiveAP then select Tools > Diagnostics > Show DNXP Cache
– If a client is connected to the HiveAP, you can view the information that is being sent to the neighboring HiveAPs
– The Tunnel-end is the HiveAP that will be the tunnel end point for DNXP after the client roams across subnet boundaries
1. The cache shows the MAC address of the client and their tunnel end point after roaming
2. This AP will be the tunnel end point for the 10.5.2.0/24 subnet until its tunnel load is too high
Note: Layer 3 Roaming/Unroaming
Ensure Valid VLANs for MGT0
Diagram: a Trusted Network and a DMZ Network joined by a dynamic GRE tunnel (10.5.2.X to 10.6.1.X) carrying VLANs 1-20; a client on VLAN 1 performs an L3 roam from the 10.5.2.X HiveAP to the 10.6.1.X HiveAP
DHCP for Internal VLAN 10: 10.5.10.50-10.5.10.200
DHCP for DMZ VLAN 1: 10.6.1.50-10.6.1.200
HiveAP in the Trusted Network:
– WLAN Policy: Internal-Policy-X
– Hive: Hive-Class-X
– Interface mgt0: 10.5.2.X/24 VLAN 2
– SSID: Class-PSK-X
– User Profile: Employees(10)-X
– Attribute: 10
– Local VLAN: 1
– Mobility: L3-Roaming-X
– Classifier Tag 3: Trusted
HiveAP in the DMZ Network:
– WLAN Policy: Internal-Policy-X
– Hive: Hive-Class-X
– Interface mgt0: 10.6.1.X/24 VLAN 1
– SSID: Class-PSK-X
– User Profile: Employees(10)-X
– Attribute: 10
– Local VLAN: 1
– Mobility: L3 Roaming-X
– Classifier Tag 3: DMZ
• In this case the Employee VLAN is 1, but the HiveAP MGT0 interface VLAN differs depending on whether the HiveAP is in the Trusted network or the DMZ, using HiveAP classification
Note: Layer 3 Roaming/Unroaming
Ensure Valid VLANs for Users
Diagram: the same Trusted Network and DMZ Network joined by a dynamic GRE tunnel (10.5.2.X to 10.6.1.X) carrying VLANs 1-20; a client on VLAN 1 performs an L3 roam from the 10.5.2.X HiveAP to the 10.6.1.X HiveAP
DHCP for Internal VLAN 10: 10.5.10.50-10.5.10.200
DHCP for DMZ VLAN 1: 10.6.1.50-10.6.1.200
HiveAP in the Trusted Network:
– WLAN Policy: Internal-Policy-X
– Hive: Hive-Class-X
– Interface mgt0: 10.5.2.X/24 VLAN 2
– SSID: Class-PSK-X
– User Profile: Employees(10)-X
– Attribute: 10
– Local VLAN: X-Employee-VLANs (10)
– Mobility: L3-Roaming-X
– Classifier Tag 3: Trusted
HiveAP in the DMZ Network:
– WLAN Policy: Internal-Policy-X
– Hive: Hive-Class-X
– Interface mgt0: 10.6.1.X/24 VLAN 1
– SSID: Class-PSK-X
– User Profile: Employees(10)-X
– Attribute: 10
– Local VLAN: X-Employee-VLANs (1)
– Mobility: L3 Roaming-X
– Classifier Tag 3: DMZ
Note: In order for unroaming to work, the VLAN for the user profile must be valid in all networks. To do this, you can configure HiveAP classification for the employee VLAN and set the VLAN in this example to 10 if it is in the trusted network, and 1 if it is in the DMZ.
Identity-Based Tunnels
With Captive Web Portal and DHCP Server
Services provided by HiveAPs
Identity-Based Tunnels LAB
Using Tag On DMZ VLAN
Diagram: a guest client on the Internal Network (gateway 10.5.2.1) associates with SSID Class-Guest-X and receives IP 10.7.1X.N/24 with gateway 10.7.1X.1; its traffic is carried over a GRE tunnel from 10.5.1.N to 10.7.1.X into the DMZ Network (gateway 10.7.1.1) and on to the Internet
DHCP Settings for VLAN 1X (X is 2 digits): network 10.7.1X.0/24, IP range 10.7.1X.100 to 10.7.1X.199
Tunnel Source HiveAP:
– Hostname: X-A-000000
– Interface mgt0: 10.5.1.N/24 VLAN 1
– WLAN Policy: WLAN-X
Tunnel Destination HiveAP:
– Hostname: X-B-000000
– Interface mgt0: 10.7.1.X/24 VLAN 1
– WLAN Policy: WLAN-X
– Tag1: DMZ-X
WLAN Policy: WLAN-X
– Hive: Hive-Class-X
– SSID: Class-Guest-X
  • Captive Web Portal: CWP-Tunnel-X (Registration Type: Use-Policy-Accept)
  • User Profile: Role-Tunnel(1X), Attribute: 1X, VLAN: 1X, Tunnel Policy: Tunnel-X
– Tunnel Policy: Tunnel-X
  • Tunnel Settings: Enable static identity-based-tunnel
  • Tunnel Destination: IP Range Start: 10.7.1.X End: 10.7.1.X
  • Tunnel Source: 10.5.1.0/24 and 10.5.2.0/24
  • Tunnel Password: aerohive123
– MGT0 VLAN: 2
– Native VLAN: 1
Lab: HiveAP Prep for Layer 3 Tests
1. Assign HiveAP-B to New Static IP Address
• From Monitor > HiveAPs
  – Select the check box next to your HiveAP-B: X-B-###### and click Modify
• Expand Interface and Network Settings
• Uncheck DHCP Client Enabled
• IP Address: 10.7.1.X
• Netmask: 255.255.255.0
• Gateway: 10.7.1.1
Note: Your MGT0 VLAN will be set to VLAN 100 using HiveAP classification for this new subnet to work.
• Please do not save
• Continue to Next Slide
Lab: HiveAP Prep for Layer 3 Tests
2. Verify HiveAP Classification Tag is DMZ
• Expand Advanced Settings > HiveAP Classification
• Verify Tag 3 is set to: DMZ
  *This was set in the HiveAP Classification Lab
• Click Save
Lab: HiveAP Prep for Layer 3 Tests
3. In WLAN Policy, Modify MGT0 VLAN
The VLAN for the MGT0 interface on a HiveAP is assigned via the WLAN policy
• Go to Configuration > Guided Configuration > WLAN Policies
• Edit WLAN-X
• Next to MGT interface VLAN, click the Modify icon
• Go to Next Slide
Lab: HiveAP Prep for Layer 3 Tests
4. Add DMZ to VLAN 100
Add another VLAN entry
• Click New
• VLAN ID: 100
  – Type: Classifier
  – Uncheck Tag 1
  – Uncheck Tag 2
  – Check Tag 3: DMZ
  – Click Apply
• After clicking Apply, save your VLAN object
Lab: HiveAP Prep for Layer 3 Tests
5. Verify X-MGT0-VLANs is set to MGT0 Interface
• In your WLAN Policy, verify the MGT0 Interface VLAN is set to: X-MGT0-VLANs
• The Native (untagged) VLAN should still be set to: 1
• Save your WLAN Policy
Lab: HiveAP Prep for Layer 3 Tests
6. Update Delta Configuration
From Monitor > HiveAPs
• Select your HiveAP-B: X-B-HiveAP
• Select Update... > Upload and Activate Configuration
• If you want to see the delta configuration, click the link for your HiveAP
  – Close the View Configuration window after viewing the delta configuration changes
• Click Upload
Lab: HiveAP Prep for Layer 3 Tests
7. View Update Results
• After a successful update, you can move your mouse over the Description to see what was updated
Lab: HiveAP Prep for Layer 3 Tests
8. View the New IP Address for your HiveAP
• From Monitor > HiveAPs
  – Verify that the new IP address for your HiveAP-B is: 10.7.1.X/24
It may take a moment for the change to be reflected
Screenshot callout: new IP address in VLAN 100 (10.7.1.0/24)
Identity-Based Tunnels
With Captive Web Portal Configuration
Identity-Based Tunnels
• If VLAN segmentation is not possible due to the network architecture at the access layer, guests can be tunneled, using the identity-based tunnel functionality, directly to one or more HiveAPs within a firewalled DMZ area, such as a lobby
• The client in the internal network is assigned a VLAN and an IP address from the tunnel destination
• All client traffic is then tunneled to the HiveAPs in the DMZ
Identity-Based Tunnels LAB
Using Tag On DMZ VLAN
Diagram: a guest client on the Internal Network (gateway 10.5.2.1) associates with SSID Class-Guest-X and receives IP 10.7.1X.N/24 with gateway 10.7.1X.1; its traffic is carried over a GRE tunnel from 10.5.1.N to 10.7.1.X into the DMZ Network (gateway 10.7.1.1) and on to the Internet
DHCP Settings for VLAN 1XX (01, 02, ..., 13): network 10.7.1XX.0/24, IP range 10.7.1XX.100 to 10.7.1XX.199
Tunnel Source HiveAP:
– Hostname: X-A-000000
– Interface mgt0: 10.5.2.N/24 VLAN 1
– WLAN Policy: WLAN-X
Tunnel Destination HiveAP:
– Hostname: X-B-000000
– Interface mgt0: 10.7.1.X/24 VLAN 1
– WLAN Policy: WLAN-X
– Tag1: DMZ-X
WLAN Policy: WLAN-X
– Hive: Hive-Class-X
– SSID: Class-Guest-X
  • Captive Web Portal: CWP-Tunnel-X (Registration Type: Use-Policy-Accept)
  • User Profile: Role-Tunnel(1XX), Attribute: 1XX, VLAN: 1XX, Tunnel Policy: GRE-Tunnel-X
– Tunnel Policy: GRE-Tunnel-X
  • Tunnel Settings: Enable static identity-based-tunnel
  • Tunnel Destination: IP Range Start: 10.7.1.X End: 10.7.1.X
  • Tunnel Source: 10.5.1.0/24 and 10.5.2.0/24
  • Tunnel Password: <random generated>
– MGT0 VLAN: 2
– Native VLAN: 1
LAB: Guest Access with CWP and Tunnels
1. Edit your WLAN Policy and Add SSID Profile
To add an SSID to be used by guests
• Go to Configuration > WLAN Policies
• Edit WLAN-X
• Under SSID Profiles click Add/Remove SSID Profile
• Create a new SSID Profile
  – Click +
• Go to Next Slide
LAB: Guest Access with CWP and Tunnels
2. Create a New Guest SSID
• Profile Name: Class-Guest-X
• SSID: Class-Guest-X
• SSID Access Security: WPA/WPA2-PSK (Personal)
Note: You can use any access security method in real life. It is common to use Private PSK for secure guest access or Open for non-secure guest access
• Key Value and Confirm Value: aerohive123
• Check Enable Captive Web Portal
• Click + to create a new captive web portal
• Go to Next Slide
LAB: Guest Access with CWP and Tunnels
3. Configure Captive Web Portal
• Name: CWP-Guest-X
• Registration Type: Use Policy Acceptance
• Click Customize Login Page to see the use policy
  – You can edit text in the use policy field, or replace it with your own using copy and paste
  – You can click Preview to view the customized web page
  – Click Save to save your customized Login Page settings
• Please do not save the captive web portal at this time. Go to the next slide.
LAB: Guest Access with CWP and Tunnels
4. Configure Captive Web Portal
• Expand the Captive Web Portal Success Page section
• Click Customize Success Page
• Select the option to Redirect to the initially requested page
Note: This will bring up the web page the client initially requested after they agree to the acceptable use policy
• Click Save to save your captive web portal settings
• Go to Next Slide
LAB: Guest Access with CWP and Tunnels
5. Assign CWP and Configure SSID
Back in your Guest SSID Config
• Ensure Captive Web Portal is set to: CWP-Guest-X
Note: you can use Open, but that is much less secure
User Profiles for Traffic Management
• Under the heading "User profile assigned to users that associate with this SSID"
  – Click + to create a new user profile
  – Click More Settings...
• Go to Next Slide
LAB: Guest Access with CWP and Tunnels
6. Create a user profile to tunnel traffic
Define a user profile to tunnel traffic
Note: XX = 2 digits (02, 03, ..., 12, 13)
• Name: Role-Tunnel(1XX)
• Attribute Number: 1XX
• Default VLAN: 1XX
Note: This VLAN is encapsulated inside the GRE tunnel and sent to the tunnel destination, where the VLAN must exist.
Note: The name, attribute number and default VLAN do not have to match.
Optional Settings
• Expand the GRE or VPN Tunnels section
• Select GRE tunnel for roaming or station isolation
• Click + to create a GRE tunnel policy
LAB: Guest Access with CWP and Tunnels
7. Configure tunnel settings
Configure the tunnel information for both sides of the tunnel in this policy
• Name: GRE-Tunnel-X
• Select Enable Static Identity-Based Tunnels
• Tunnel Destination: select IP Address: 10.7.1.X
Note: You can specify a range of consecutive HiveAPs if you have multiple HiveAPs at the tunnel destination for redundancy and load sharing.
• Available IP Addresses
  – Select 10.5.2.0/24 and 10.5.1.0/24 and click the > button
• Tunnel Authentication
  – Click Generate
• Click Save
LAB: Guest Access with CWP and Tunnels
8. Create a user profile to tunnel traffic
Select the tunnel policy
• Tunnel policies: GRE-Tunnel-X
Note: If you do configure firewall policies, be aware that your firewall policies are applied before your traffic is tunneled to the destination HiveAP. Also note that the IP address of your client will be from the remote network at the tunnel destination.
• Click Save
LAB: Guest Access with CWP and Tunnels
9. Assign user profile to SSID
Assign the user profile with the tunnel settings to this SSID
• User Profile assigned to users that associate with this SSID: Role-Tunnel(1XX)
• Make sure everything looks right
• Click Save
Note: When a client associates with this SSID and completes the registration process, their traffic is tunneled to the destination HiveAP specified by the tunnel policy in the user profile. If a client associates with this SSID on the tunnel endpoint, the traffic is forwarded without tunneling.
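As an added illustration (not Aerohive's code, and not a description of how HiveOS implements tunneling), the Python model below encodes the tunnel policy and user profile from steps 6-9 for student X = 2 and applies the forwarding rule stated in the note above, plus the address check that the later verification step relies on; the class and function names are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class TunnelPolicy:
    """Static identity-based tunnel policy as entered in step 7 (field names assumed)."""
    name: str
    dest_start: IPv4Address            # Tunnel Destination: IP Range Start
    dest_end: IPv4Address              # Tunnel Destination: IP Range End
    sources: tuple[IPv4Network, ...]   # Tunnel Source subnets moved with the > button

    def endpoints(self) -> list[str]:
        """Every HiveAP in the destination range. The slides say a range of consecutive
        HiveAPs gives redundancy and load sharing, so all of them are candidates; which
        one a given client lands on is not modelled here."""
        return [str(IPv4Address(i))
                for i in range(int(self.dest_start), int(self.dest_end) + 1)]


@dataclass(frozen=True)
class UserProfile:
    """User profile from step 6; its VLAN rides inside the GRE tunnel to the endpoint."""
    name: str
    attribute: int
    vlan: int
    tunnel_policy: TunnelPolicy | None = None


@dataclass(frozen=True)
class DhcpPool:
    """The pool the endpoint HiveAP serves for the tunneled VLAN (DHCP lab, steps 1-3)."""
    vlan: int
    network: IPv4Network
    start: IPv4Address
    end: IPv4Address


def forwarding_decision(ap_mgt0: str, profile: UserProfile) -> dict:
    """Apply the rule from the note on step 9 to a client that associated to the HiveAP
    whose mgt0 address is ap_mgt0 and was assigned this user profile.
    action 'local'  : no tunnel policy, or the AP is itself a tunnel endpoint
    action 'tunnel' : the AP sits in a tunnel-source subnet, traffic is GRE-tunneled
    action 'none'   : the AP is in neither set, so the policy does not apply to it
    """
    ap = IPv4Address(ap_mgt0)
    pol = profile.tunnel_policy
    if pol is None:
        return {"action": "local", "endpoints": []}
    if pol.dest_start <= ap <= pol.dest_end:
        return {"action": "local", "endpoints": []}
    if any(ap in net for net in pol.sources):
        return {"action": "tunnel", "endpoints": pol.endpoints()}
    return {"action": "none", "endpoints": []}


def client_address_consistent(client_ip: str, client_vlan: int, pool: DhcpPool) -> bool:
    """Check for the verification step: a tunneled client's address must come from the
    endpoint-side pool of its profile VLAN, never from an internal-network subnet. This is
    also why a firewall policy on the source AP has to match the remote addresses."""
    ip = IPv4Address(client_ip)
    return (client_vlan == pool.vlan
            and ip in pool.network
            and pool.start <= ip <= pool.end)


# Lab objects for student X = 2, constructed from the values on the slides.
GRE_TUNNEL_2 = TunnelPolicy(
    name="GRE-Tunnel-2",
    dest_start=IPv4Address("10.7.1.2"),
    dest_end=IPv4Address("10.7.1.2"),
    sources=(IPv4Network("10.5.1.0/24"), IPv4Network("10.5.2.0/24")),
)
ROLE_TUNNEL_102 = UserProfile("Role-Tunnel(102)", attribute=102, vlan=102,
                              tunnel_policy=GRE_TUNNEL_2)
GUEST_POOL_102 = DhcpPool(102, IPv4Network("10.7.102.0/24"),
                          IPv4Address("10.7.102.100"), IPv4Address("10.7.102.199"))

if __name__ == "__main__":
    for ap in ("10.5.2.21", "10.7.1.2", "10.5.8.5"):
        print(ap, forwarding_decision(ap, ROLE_TUNNEL_102))
```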
LAB: Guest Access with CWP and Tunnels
10. Remove Existing SSID and Add New SSID
• To clean up the air, remove all other SSID profiles from the Selected SSID Profiles list using the << button
  – The Selected SSID Profiles list is now empty
• From the Available SSID Profiles, select Class-Guest-X and use the > button to move it to the Selected SSID Profiles list
• Click Apply
  **Really, please click Apply
• Save the WLAN policy
HiveAP DHCP Service
On Tunnel Endpoint
LAB: Configure DHCP Service for Guests
1. Create DHCP Server for VLAN 1XX
To create a DHCP server and IP pool for VLAN 1XX
• Go to Configuration > Advanced Configuration > Network Objects > DHCP Server & Relay
• Name: DHCP-VLAN-1XX
• Interface: mgt0.X
• IP Address: 10.7.1XX.2
• Netmask: 255.255.255.0
• VLAN ID: 1XX
Please do not save, go to the next slide
LAB: Configure DHCP Service for Guests
2. Configure IP Pool and Options
Configure the IP pool and DHCP options
• Under IP Pool
  – Start IP Address: 10.7.1XX.100
  – End IP Address: 10.7.1XX.199
• Click Apply (Really, please click Apply!)
• Under DHCP Server Options
  – Default Gateway: 10.7.1XX.1
  Note: The netmask is automatically inherited from the mgt0.X interface
  – DNS Server 1 IP: 10.5.1.10
• Click Save
LAB: Configure DHCP Service for Guests
3. Assign DHCP Server to Endpoint HiveAP
Because the clients will be tunneled to the HiveAP at the destination, the DHCP server should be at the destination
From Monitor > HiveAPs
• Select your HiveAP-B: X-B-HiveAP
• Click Modify
• Expand SSID Allocation
  – Clear the check boxes to disable the SSIDs on the 2.4 GHz and 5 GHz radios.
  Note: Though not necessary in a real deployment, for this lab this will ensure all traffic is tunneled.
• Expand Service Settings
  – Select your DHCP server object DHCP-VLAN-1XX and move it to the Selected list
• Save the settings for this HiveAP
Update Configuration of HiveAPs
To Update GRE-Tunnel and DHCP Server Configuration
LAB: Guest GRE Tunnel and DHCP Server
1. Update Configuration of HiveAPs
From Monitor > HiveAPs
• Select both your HiveAPs:
  – X-A-HiveAP
  – X-B-HiveAP
• Select Update... > Upload and Activate Configuration
• If you want to see the delta configuration, click the link for your HiveAP
  – Close the View Configuration window after viewing the delta configuration changes
• Click Upload
LAB: Guest GRE Tunnel and DHCP Server
2. Monitor Update Results
• Ensure that your update is successful
• From Monitor > HiveAPs
  – You can see an icon next to your HiveAP letting you know it is now a DHCP server
LAB: Guest GRE Tunnel and DHCP Server
3. Connect to your Class-Guest-X SSID
• On your remote hosted PC, connect to the SSID: Class-Guest-X
• Passphrase/Network Key: aerohive123
LAB: Guest GRE Tunnel and DHCP Server
4. Agree to Acceptable Use Policy
• Open a web browser and browse to a decent web site: http://www.aerohive.com
• A captive web portal page will be displayed
• Fill out the web registration form
• Click Accept to agree to the Acceptable Use Policy
LAB: Guest GRE Tunnel and DHCP Server
5. Verify Access To Internet
• Once the login is successful, you can access the network
• You should automatically be redirected to the web page you initially requested
LAB: Guest GRE Tunnel and DHCP Server
6. View Active Clients List
After associating with your SSID, you should see your connection in the active clients list in HiveManager
  – Go to Monitor > Clients > Active Clients
• Your IP address should be from the 10.7.1XX.0/24 network
• Note the IP address, VLAN and user profile attribute
  – VLAN: 1XX
  – User Profile Attribute: 1XX
LAB: Guest GRE Tunnel and DHCP Server
7. Verify Tunnel
Private PSK
User-Based Pre-Shared Keys and Policy
Lab: Secure WLAN Access With Private PSK Diagram
Diagram: Student-X connects to SSID Class-PPSK-X and receives IP 10.5.10.N/24 with gateway 10.5.10.1; the HiveAP trunks VLANs 1-20 toward the Internet; AD (IAS) Server: 10.5.1.10
HiveAP settings:
– Mgt0 IP: 10.5.2.N/24 VLAN 2
– WLAN Policy: WLAN-X
– SSID: Class-PPSK-X
– SSID Type: Private PSK
– Authentication: WPA or WPA2 Personal
– Encryption: TKIP or AES
– User Group: PPSK-Corp-X
– Attribute: 10
– User Profile: Employee(10)-X
Local Users:
– Create users in group: PPSK-Corp-X
– 30 users with PSKs: X-corp0001 through X-corp0030, with automatically created PSKs
DHCP Settings:
– VLAN 1: network 10.5.1.0/24, range 10.5.1.140 – 10.5.1.240
– VLAN 2: network 10.5.2.0/24, range 10.5.2.140 – 10.5.1.240
– VLAN 8: network 10.5.8.0/24, range 10.5.8.140 – 10.5.8.240
– VLAN 10: network 10.5.11.0/24, range 10.5.10.140 – 10.5.10.240
– VLAN 11: network 10.5.11.0/24, range 10.5.11.140 – 10.5.11.240
SSIDs with WPA or WPA2 Personal
Use Pre-Shared Keys (PSKs)
Diagram: User 1, User 2 and User 3 each connect to SSID Corp-WiFi with the same shared key, aSecretPhrase
AP settings:
– SSID: Corp-WiFi
– Authentication: WPA2 Personal
– Shared Key: aSecretPhrase
– User Profile: Employee-Profile
• All users share the same key
  – If a user leaves or if a PC or portable device is lost, for security reasons the shared key should be changed, and every user will have to update the key on their wireless clients
• All users share the same network policy
  – Because all users share the same SSID with the same key, they will also have the same network policies, such as their VLAN, because there is no way to uniquely identify users or types of users
SSID with 802.1X/EAP Dynamically Creates
Pairwise Master Keys (PMKs)
Diagram: User 1, User 2 and User 3 connect to SSID Corp-WiFi; after RADIUS authentication each holds its own PMK (d6#$%^98f.., 87fe@#$%a.., 90)356*&f..)
AP settings:
– SSID: Corp-WiFi
– Authentication: WPA2 Enterprise (802.1X)
– User 1 - PMK: d6#$%^98f..
– User 2 - PMK: 87fe@#$%a..
– User 3 - PMK: 90)356*&f..
• With 802.1X, after a user successfully authenticates with RADIUS, a unique key called a PMK is created for each user and AP pair
  – If a user leaves the company or loses a device, the user account can be disabled and passwords can be changed to prevent access to corporate resources
• New PMKs are created every time the user authenticates
• Users can have unique network policies
  – Because users are identified by their user name, they can be assigned to different network policies based on the user or group
Private Preshared Key (PSK)
Allows creation of unique PSKs per user
Diagram: User 1, User 2 and User 3 connect to SSID Corp-WiFi, each with its own key (d6#$%^98f.., 87fe@#$%a.., 90)356*&f..)
HiveAP settings:
– SSID: Corp-WiFi
– SSID Type: Private PSK
– Authentication: WPA2 Personal
– User 1 – Private PSK: d6#$%^98f..
– User 2 – Private PSK: 87fe@#$%a..
– User 3 – Private PSK: 90)356*&f..
• Private PSKs are unique pre-shared keys created for individual users on the same SSID
• Client configuration is simple: just enter the SSID shared key for WPA or WPA2 Personal (PSK)
  – No 802.1X supplicant configuration is required
  – Works with devices that do not support 802.1X/EAP
• You can automatically generate unique keys for users and distribute them via email, or any way you see fit
• If a user leaves or a device is lost or stolen, the PSK for that user or device can simply be revoked
Private Preshared Key (PSK)
Allows creation of unique PSKs per user
Diagram: same as the previous slide (User 1, User 2 and User 3 on SSID Corp-WiFi, each with its own Private PSK on the HiveAP)
• You can create network policies for individual users or groups of users, including different VLANs, firewall policies, tunnels, and schedules
• Fast roaming occurs without the need for opportunistic key caching
• Private PSKs can be automatically generated using User Manager or GuestManager, giving a lobby administrator the ability to generate unique keys for guests for secure guest access
Private Preshared Key (PSK)
Deployment Recommendations
• Private PSK is recommended for augmenting WLAN deployments that authenticate clients with WPA or WPA2 Enterprise (802.1X/EAP), but have some devices that:
  – Support WPA or WPA2 Personal, but do not support WPA or WPA2 Enterprise with 802.1X/EAP
  – Do not support opportunistic key caching for seamless roaming
• Recommended in place of traditional PSKs for environments that do not have a WLAN deployment using WPA or WPA2 Enterprise with 802.1X/EAP
• Recommended for secure guest access using User Manager or GuestManager for Private PSK creation
  – An online training module for User Manager and Private PSKs can be viewed at: www.aerohive.com/training/cbt
Configure Private PSK
For Secure Guest Access
Configuration Notes
• Configure Time Service on HiveManager
• Configure Email Service on HiveManager
• Create User Manager Administrator and Operator Accounts
• Create Private PSK Groups and Private PSK Users
• Create Private PSK SSID and Captive Web Portal for Use Policy Acceptance
Lab: Secure Guest Access with Private PSK
1. Create Private PSK Group
• Go to Configuration > Advanced Configuration > Authentication > Local User Groups
• Click New
• User Group Name: PPSK-guests(100)-0X (0X = 02-15)
• User Type: Automatically generated private PSK users
• User Profile Attribute: 100
• VLAN: <empty>
Note: The VLAN is inherited from the user profile
• Do not save, please go to the next slide
Lab: Secure Guest Access with Private PSK
2. Configure User Name and Private PSK Secret
• Private PSK Secret: <enter random characters>
Note: This secret never needs to be known or seen again; it is used to add more complexity to the automatically generated PSKs.
• User Name Prefix: 0X-guest
Note: This is the prefix for all the Private PSK users that will be generated. If you create 100 PPSK accounts, the guest accounts will be created as 0X-guest0001 through 0X-guest0100
• Expand Private PSK Advanced Options
Lab: Secure Guest Access with Private PSK
3. Configure Time Zone and Validity Period
• Password Length: 8
Note: If Private PSKs were being generated for corporate accounts, this should be a much larger password length. However, for guests, because they are entering the password on their mobile device from a printout or from an email, for administrative purposes it is better to generate shorter PSKs.
• Time Zone: <Local Time Zone>
Note: This should be the time zone where the HiveAPs are located in real life, but for class use your local class time zone
• PSK Validity Period: Recurring
• Schedule: Click +
Lab: Secure Guest Access with Private PSK
4. Configure PPSK Recurrence Schedule
• Schedule Name: daily-X
• Select Recurrent
Note: By selecting Recurrent, the Private PSKs will be regenerated on a 24-hour basis. The guests will need to obtain a new PSK on a daily basis for network access.
• Start Time 1: 00 hr 00 min
• End Time: 23 hr 59 min
Note: By specifying a start and end time, the PSKs will only be functional between the start and end times.
• Click Save
Lab: Secure Guest Access with Private PSK
5. Configure PSK character types and then save
• Character types used in generated PSKs and manually created passwords:
  – Check Letters
  – Uncheck Digits
  – Uncheck Special Characters
Note: Because these are daily PSKs, you can use upper and lower case letters to make them easy to type. If you mix in digits, the client may have problems telling letters and digits apart: 1, I, l, 0, O, for example. Mixing in special characters is fine, but it may be more complicated for clients to enter them on their mobile device.
• Click Save
Lab: Secure Guest Access with Private PSK
6. Bulk Create 20 PPSK Daily User Accounts
• Go to Configuration > Advanced Configuration > Authentication > Local Users
• Click the Bulk button
• Create User Under Group: PPSK-guests(100)-X
• Number of New Users: 20
• Click Create
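As an added example (not Aerohive's code, and not a description of how HiveOS generates or matches keys), the Python below models the user group built in steps 1-6 together with the earlier concept slides: guest names and PSKs bulk-generated with the lab's settings, the standard WPA2 passphrase-to-PMK derivation showing that distinct per-user PSKs on one SSID yield distinct PMKs, and revocation of a single user. The function names and the special-character set are assumptions.

```python
import hashlib
import secrets
import string

# Character classes as offered in step 5. The special-character set is an assumption;
# the slides do not list which symbols HiveManager draws from.
SPECIAL = "!@#$%^&*()-_=+"


def generate_private_psk_users(prefix: str, count: int, length: int = 8,
                               letters: bool = True, digits: bool = False,
                               special: bool = False) -> dict[str, str]:
    """Bulk-create count users named prefix + 4-digit index (0X-guest0001, ...), each
    with an independent random PSK drawn only from the enabled character classes (the
    lab uses letters only, length 8). WPA/WPA2 passphrases are 8-63 characters."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrase length must be 8-63 characters")
    alphabet = ""
    if letters:
        alphabet += string.ascii_letters
    if digits:
        alphabet += string.digits
    if special:
        alphabet += SPECIAL
    if not alphabet:
        raise ValueError("enable at least one character class")
    return {
        f"{prefix}{i:04d}": "".join(secrets.choice(alphabet) for _ in range(length))
        for i in range(1, count + 1)
    }


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1 with the SSID as salt,
    4096 iterations, 256-bit output. For WPA/WPA2-Personal this PSK is the PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def pmk_table(users: dict[str, str], ssid: str) -> dict[bytes, str]:
    """Map each user's PMK back to the user name. The SSID (salt) is the same for every
    guest, so the PMKs differ only because the passphrases differ. Two guests holding the
    same PSK could not be told apart, and so could not receive per-user policy, which is
    why a duplicate is rejected here."""
    table: dict[bytes, str] = {}
    for name, psk in users.items():
        pmk = wpa2_pmk(psk, ssid)
        if pmk in table:
            raise ValueError(f"{name} and {table[pmk]} share a PSK")
        table[pmk] = name
    return table


def revoke_user(users: dict[str, str], name: str) -> dict[str, str]:
    """Revoking one guest's PSK leaves every other guest's key untouched, unlike the
    shared-key SSID of the earlier slides, where one departure re-keys everyone."""
    return {n: k for n, k in users.items() if n != name}


if __name__ == "__main__":
    guests = generate_private_psk_users("02-guest", 20)
    table = pmk_table(guests, "Class-Daily-02")
    for pmk, name in list(table.items())[:3]:
        print(name, guests[name], pmk.hex()[:16] + "...")
```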
Lab: Secure Guest Access with Private PSK
7. Filter and View Private PSK Users
Apply a filter to view your Private PSK users
• Go to Configuration > Authentication > Local Users
• Click Filter
• Enter a part of a user name or description to locate the users you created
  – 0X-guest
  – Click Search
• Go to next slide
Screenshot callout: click here to select or deselect all entries
Lab: Secure Guest Access with Private PSK
8. View Clear Text PSKs or Obscure PSKs
Screenshot callouts: click here to see the clear text PSK; click here to obscure the PSK
• You can view the PSKs for each Private PSK user in clear text, or you can choose to keep them obscured
• Here you can also see the validity time of the PSKs
• These accounts will be assigned to guests from the User Manager interface
Create a Guest SSID
Secured with Private PSK
Lab: Secure Guest Access with Private PSK
9. Modify your WLAN Policy and Add an SSID
To configure a Private PSK SSID
• Go to Configuration > WLAN Policies
• Edit your WLAN policy: WLAN-X
• Click Add/Remove SSID Profile
• Under the Available SSID Profiles selection box, click +
• Go to Next Slide
Lab: Secure Guest Access with Private PSK
10. Configure SSID to use Private PSK
• Profile Name: Class-Daily-X
• SSID: Class-Daily-X
• Under SSID Access Security select Private PSK
• Uncheck Use Default Private PSK Settings
• Click Options>>
Lab: Secure Guest Access with Private PSK
11. Configure Private PSK Shared User Limit
In the Advanced Option section, limit the number of devices that can share a private PSK. For example, you may want to have one guest use their PC and their mobile phone or PDA. By default, there is no limit to the number of times a Private PSK can be shared.
• Check Private PSK Shared User Limit: 2
Note: This means that within a Hive, a single Private PSK can only be used by two devices.
• Click Options<<
Lab: Secure Guest Access with Private PSK
12. Create a Captive Web Portal
• Select your Private PSK User Group: PPSK-guests(100)-X and click the right arrow > button
• Check Enable Use Policy Acceptance CWP
  – Then click +
Note: This captive web portal will be used to ensure that guests agree to an acceptable use policy
Lab: Secure Guest Access with Private PSK
13. Configure a Captive Web Portal
• Name: CWP-Accept-X
• Registration Type: Use Policy Acceptance
Note: In each section, you can click Customize... if you want to modify the default web pages or import your own pages.
• Expand Captive Web Portal Success Page Settings
  – Select Redirect to an external page: http://www.aerohive.com
• Save your Captive Web Portal Settings
Lab: Secure Guest Access with Private PSK
14. Create a user profile for guests
• Back in the SSID, ensure the Use Policy Acceptance CWP is selected as: CWP-Accept-X
• Under Available User Profiles
  – Click +
• Name: Guests(100)-X
• Attribute Number: 100
• Default VLAN: 8
• Check Manage users for this profile via User Manager
• Click Apply
• Go to next slide
Lab: Secure Guest Access with Private PSK
15. Select user profile and save
Select the user profile that matches the attribute that will be returned based on the setting in the Private PSK user group
• Under Available User Profiles select Guests(100)-X and click the right arrow button
• Click Save
• Go to next slide
Lab: Secure Guest Access with Private PSK
16. Select SSID, Apply, then Save
• Under SSID Profiles click the << button to remove all existing SSIDs
• Under Available SSID Profiles, select Class-Daily-X and click the > button to move it to Selected SSID Profiles
• Click Apply, then click Save
Lab: Secure Guest Access with Private PSK
17. Update the configuration of your HiveAP
From Monitor > Access Points > HiveAPs
• Select your X-A-HiveAP
• Select Update... > Upload and Activate Configuration
• Click Upload
User Manager Administration
User Manager
Permissions Defined in Admin Groups
• User Manager is a simplified interface into HiveManager that lets lobby operators create secure guest accounts
• User Manager is a free license
• There are two types of permissions for User Manager access: administrators and operators
User Manager
Permissions Defined in Admin Groups
Screenshots: permission settings for User Manager Operator and User Manager Administrator
• Here is an example of the permissions defined for User Manager operators and administrators
Lab: User Manager Administration
1. Create a User Manager Operator
Create an operator account who will be able to log into the User Manager interface in HiveManager and generate guest accounts for secure access to the guest WLAN
• Email: [email protected]
• Name: lobby-X
• Password: aerohive123
• Confirm Password: aerohive123
• Check Limit operator access to the selected Private PSK User Groups
  – Select: PPSK-guests(100)-X
• Check Limit operator access to the selected SSID Profiles
  – Select: Class-Daily-X
• Click Save
Lab: User Manager Administration
2. Create a User Manager Administrator
Create a User Manager administrator who will have access to generate reports based on guest access
• Email: [email protected]
• Name: manager-X
• Password: aerohive123
• Confirm Password: aerohive123
• Group Name: User Manager Admin
• Click Save
User Manager
Operations
Lab: User Manager Operation
1. Log in to the User Manager interface
Note: If you are logged in to HiveManager, you will need to log out, or you can use a different web browser so that you can log in with a different account
https://training-hm1.aerohive.com
• Login: lobby-X
• Password: aerohive123
• Click Login
Lab: User Manager Operation
1. Log in to the User Manager interface
Note: Pretend you just walked in the company door as a guest, and you are also the lobby administrator
• User Group: PPSK-guests(100)-X
• Visitor Name: <Your Name>
• Email Address: <Your real email address>
• Visitor Company: <Your Company>
• Sponsor: lobby-X
• SSID Name: Class-Daily-X
• Click Save
Lab: User Manager Operation
2. Log in to the User Manager interface
• Select the check box next to your guest account
• Click Email
  – Note: For this to work, the guest will need a mobile networking device that can access email without Wi-Fi access, such as a mobile phone or PDA
• Note: you also have the option to Print the account information and hand it to the guest
Lab: Test Secure Guest Access
1. Connect to the Class-Daily-X SSID
• From the Hosted PC
  – Connect to Class-Daily-X
• Enter the private PSK generated from User Manager
• Click OK
Lab: Test Secure Guest Access
2. View Active Session Information
• After associating with your SSID, you should see your connection in the active clients list in HiveManager
  – Go to Monitor > Clients > Active Clients
• Your IP address should be from the 10.5.8.0/24 network
• Note the client information:
  – Username: 0X-guest000N
  – VLAN: 8
  – User Profile Attribute: 100
Troubleshooting with Client Monitor
Example of Invalid PSK
Troubleshooting
• HiveAP Troubleshooting Commands
  – Check the time and time zone
    • show clock
    • show timezone
  – Check the Private PSK users and Private PSK groups
    • show auth private-psk
Location Services
HiveAP Location Servers With Client Watch Lists
HiveAP Distributed Location Services
• The HiveAPs can locate client devices in the WLAN
• The HiveAP that has a client associated with it becomes the owner for the client
• Neighboring HiveAPs report their RSSI information for the client to the owner
• The HiveAP owner calculates a location and sends an aggregate report to HiveManager on a periodic basis
• Note: More details are in the notes below and in the help
[Diagram: Topology Map. Client 1 is associated with HiveAP C (Client 1 Owner); HiveAP A and HiveAP B each send an RSSI Report for Client 1 to HiveAP C, which sends an RSSI Aggregated Report to HiveManager]
Lab: HiveAP Location Services
1. Create a HiveAP Location Service Policy
• From Configuration > Guided Configuration > WLAN Policies, edit your WLAN Policy: WLAN-X
• Ensure all the HiveAPs in the class are in the same hive
  – Select Hive-Class
• Under Optional Settings, expand Management Server Settings
• Next to Location Server
  – Click +
Lab: HiveAP Location Services
2. Configure Aerohive Location Server
• Name: AP-Location-X
• Check: Enable Location Server
• Select Aerohive Location Server
• Click Save
Lab: HiveAP Location Services
3. Create a location watch list
• Back in the WLAN policy, ensure the Location Server is: AP-Location-X
Next you will need to create or select a location watch list. This is a list of MAC addresses of the clients whose location you want the HiveAPs to track. Because this class network is a small network, you will select the default All Clients location watch list.
• Next to Location Watch List, select All Clients from the drop-down list
• Then Save your WLAN Policy
Lab: HiveAP Location Services
4. Update the configuration of your HiveAP
From Monitor > Access Points > HiveAPs
• Select your X-A-HiveAP
• Select Update... > Upload and Activate Configuration
• Click Upload
Note: Location Watch Lists
Creating a Place Holder Watch List
• If you do create your own location watch list, you must add at least one client MAC address entry, which does not have to be valid at this time, so you can type: 000000000000
• Click Apply then Save
• By doing this, you can then add clients to the watch list from the Active Clients view
Note: Location Watch Lists
Add Active Clients to Watch List
• From Monitor > Clients > Active Clients
• Select the check box next to the Active Clients you want to track
• Click Operation... > Add to Watch List > watch-X
• You will then need to upload and activate the configuration for your HiveAP
• Note: For class, you want to use the All Clients watch list because every AP in class will need to track the same clients to get at least 3 APs to locate your client
Class Demonstration
• Because the hosted clients are connected directly to the class HiveAPs via Wi-Fi over coax cable, location services will not work very well, because the other HiveAPs will not see the neighboring clients
• If the instructor has three or more HiveAPs, location services can be tested in the class
• Just ensure the local classroom HiveAPs are added to the same topology map, are in the same Hive, and that they are placed accurately (or somewhat close to accurate) as the topology map reflects
Example: Client Location On Topology Map
[Screenshot: Topology Map with Clients selected; the located clients are shown as Client icons on the map]
DHCP Server and NAT Access
Using a HiveAP as a DHCP Server and NAT Gateway for Client Traffic
[Diagram: the Student-X client connects to SSID Class-NAT-X and gets IP 10.5.5.N/24 with gateway 10.5.5.1; the HiveAP has Mgt0 IP 10.5.2.N/24, gateway 10.5.2.1, on VLAN 1; the upstream router 10.5.2.1 on VLAN 1 connects to the Internet]
SSID: Class-NAT-X
User Profile: branch(5)-X
Firewall Policy: NAT-X
DHCP Settings:
  Mgt0.5 IP: 10.5.5.2/24
  IP Pool: 10.5.5.100 – 10.5.5.200
  DHCP Options: Gateway: 10.5.5.1
  NAT Support
• The client connects to the SSID: Class-NAT-X and obtains an IP address in the 10.5.5.0/24 network
• The HiveAP creates a virtual interface for the default gateway 10.5.5.1 and responds to ARP
• The traffic from the client is sent to the HiveAP
• The firewall rules assigned to the client by its user profile translate the traffic from the client to a source IP of the HiveAP's MGT0 interface, then the traffic is sent to the HiveAP's default gateway
Lab: Create an SSID with NAT Access
1. Modify your WLAN Policy
• Go to Configuration > Guided Configuration > WLAN Policies
• Click the link to modify your WLAN policy: WLAN-X
• Go to next slide
Lab: Create an SSID with NAT Access
2. Create a new SSID
– WLAN Policy –
SSID Profiles
• Click: Add/Remove SSID Profile
• Click + to create a new SSID Profile
Go to next slide
Lab: Create an SSID with NAT Access
3. Configure the SSID and create a user profile
– SSID Profile –
• Profile Name: Class-NAT-X
• SSID: Class-NAT-X
SSID Access Security
• Select: WPA/WPA2 PSK (Personal)
  – Use Default WPA/WPA2 PSK Settings
• Key Value: aerohive123
• Confirm Value: aerohive123
User Profile for Traffic Mgmt
• Click + to create a new user profile
• Click More Settings...
Lab: Create an SSID with NAT Access
4. Create User Profile for Branch Office Clients
– SSID > User Profile –
• Name: Branch(5)-X
• Attribute Number: 5
• Default VLAN: 5
• Expand Firewalls
• Under IP Firewall Policy, next to From-Access click +
Lab: Create an SSID with NAT Access
5. Create a firewall rule for DHCP
Configure a firewall rule to permit the client to obtain an IP address via DHCP
Note: This rule must be configured without NAT, because DHCP requests cannot be NATed
• Policy Name: NAT-X
  – Source IP: Any
  – Destination IP: Any
  – Service: DHCP-Server
  – Action: Permit
• Click Apply and do not save, then go to the next slide
Lab: Create an SSID with NAT Access
6. Create a firewall rule for NAT access
Configure a firewall rule to network address port translate (NAPT) the source IP address of all traffic from the clients to the MGT0 interface of the HiveAP
• Under Policy Rule: Click New
  – Source IP: Any
  – Destination IP: Any
  – Service: Any
  – Action: NAT
• Click Apply and do not save, then go to the next slide
Lab: Create an SSID with NAT Access
7. Verify firewall policy rules then save
• Verify your firewall rules look like the following picture
  – Permit DHCP-Server (without NAT)
  – NAT all the rest of the traffic
• Click Save
Lab: Create an SSID with NAT Access
8. Assign Firewall Policy to User Profile
Back in your user profile under IP Firewall Policy
• From-Access: NAT-X
• To-Access: <Empty>
• Default-Action: Deny
• Click Save
Lab: Create an SSID with NAT Access
9. Assign user profile to SSID then save
• Make sure the new user profile is selected: branch(5)-X
• Click Save
Lab: Create an SSID with NAT Access
10. Assign SSID to WLAN policy then save
– WLAN Policy –
SSID Profiles
• Select your SSID: Class-NAT-X from the Available SSID Profiles list and use the right arrow button '>' to move it to the Selected SSID Profiles list
• Click Apply
  Really – make sure you click Apply
• Click Save to save your WLAN policy
Note: The WLAN policy must be assigned to one or more HiveAPs for it to take effect
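The order of the two NAT-X rules from steps 5 to 7 is what makes this work. The first-match evaluator below is an added example, not HiveOS code: the Rule/Packet model and evaluate_policy() are hypothetical, and the DHCP-Server service is assumed to mean UDP to port 67. It shows the client's DHCP request passing untranslated while its ping to www is NATed to the mgt0 address, and that reversing the rules would NAT the DHCP request, which the step 5 note says cannot work.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Service table (assumption: "DHCP-Server" = UDP to port 67, "Any" = wildcard)
SERVICES = {"DHCP-Server": ("udp", 67), "Any": (None, None)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    src_net: str   # "Any" or a CIDR string
    dst_net: str
    service: str   # key into SERVICES
    action: str    # "Permit", "NAT" or "Deny"


def _match_net(net: str, addr: str) -> bool:
    return net == "Any" or ip_address(addr) in ip_network(net)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    proto, port = SERVICES[rule.service]
    return (_match_net(rule.src_net, pkt.src)
            and _match_net(rule.dst_net, pkt.dst)
            and (proto is None or proto == pkt.proto)
            and (port is None or port == pkt.dport))


def evaluate_policy(rules, pkt, mgt0_ip, default_action="Deny"):
    """First matching rule wins; returns (action, packet as forwarded).
    A NAT rule rewrites the source to the HiveAP's mgt0 address (NAPT);
    the source port 64511 mirrors the lab's ip-session output, a real
    NAPT picks any free port."""
    for rule in rules:
        if rule_matches(rule, pkt):
            if rule.action == "NAT":
                return "NAT", replace(pkt, src=mgt0_ip, sport=64511)
            return rule.action, pkt
    return default_action, pkt   # user profile Default-Action: Deny


# From-Access policy NAT-X as built in steps 5-7
NAT_X = [
    Rule("Any", "Any", "DHCP-Server", "Permit"),   # DHCP must not be NATed
    Rule("Any", "Any", "Any", "NAT"),              # everything else is NAPTed
]
MGT0_IP = "10.5.2.2"   # the HiveAP's mgt0 address used in the lab

# Constructed sample traffic: the client's DHCP Discover and its ping to www
DHCP_DISCOVER = Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67)
PING_WWW = Packet("10.5.5.100", "10.6.1.150", "icmp", 0, 0)

if __name__ == "__main__":
    for name, pkt in (("dhcp", DHCP_DISCOVER), ("ping", PING_WWW)):
        print(name, *evaluate_policy(NAT_X, pkt, MGT0_IP))
```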
Configure DHCP Server For NATed IP Pools
Requires a HiveAP 300 Series until HiveOS version 3.5r2, which will support the 100 series
Lab: Configure HiveAP DHCP Service
1. Create a DHCP server object
Create a DHCP Server object for VLAN 5, which is the VLAN assigned by the Branch(5)-X user profile
• Name: DHCP-X
• Interface: mgt0.5
• IP Address: 10.5.5.2
• Netmask: 255.255.255.0
• VLAN ID: 5
• Leave default settings for the rest of the options...
• IP Pools
  – Start IP Address: 10.5.5.100
  – End IP Address: 10.5.5.200
• Click Apply but do NOT save
• Go to the next slide...
Note: Everyone in class will configure the same IP addresses and pools, and that is OK because all traffic is locally processed by their own HiveAPs then NATed.
Lab: Configure HiveAP DHCP Service
2. Define gateway IP and enable NAT support
Define the default gateway and enable NAT support
• Expand DHCP Server Options
  – Default Gateway: 10.5.5.1
• Expand Advanced
  – Check: Enable NAT Support
Note: Even though a HiveAP is a layer 2 device, it will use one of its reserved MAC addresses and assign it to the default gateway specified in the DHCP server options, allowing it to respond to ARP and act like a router
• Click Save
Lab: Configure HiveAP DHCP Service
3. Enable DHCP service on HiveAP
Enable DHCP server service on your HiveAP
• From Monitor > Access Points > HiveAPs
• Select the checkbox next to your HiveAP: X-A-######
• Click Modify
• Under Optional Settings > DHCP Server & Relay
• Expand Service Settings
• Select your DHCP Server object: DHCP-X and click the > button to move it to the Selected Servers list
• Click Save
Lab: Configure HiveAP DHCP Service
4. Upload and Activate Configuration
• Select the checkbox next to your HiveAP: X-A-######
• Click Update... > Upload and Activate Configuration
• Click Upload
Test DHCP Server and NAT Access
Lab: Test DHCP Server and NAT Access
1. Connect to the NAT SSID
• From the hosted PC, connect to the Class-NAT-X SSID
• Network Key: aerohive123
• Confirm network key: aerohive123
• Click Connect
Lab: Test DHCP Server and NAT Access
2. Verify IP and Internet Connectivity
From the hosted PC, open a CMD prompt and view your IP address
• ipconfig
Note: Your IP address should be in the 10.5.5.0/24 subnet
• ping www -t
(which is: 10.6.1.150)
Lab: Test DHCP Server and NAT Access
3. Verify that IP session is being NATed
• From the command line interface of your HiveAP, you can view the IP session information for active sessions to see if NAT is being performed
02-A-064200# show forwarding-engine ip-session protocol 1
IP session table:
Ageout time (in ms)
Total entries: 2/8191
Id:2; Ageout:1036; Flags:0x8251; QOS:2; Up: 0 min 1 sec; InPol:NAT-1/2;
10.5.5.100/4112 -> 10.6.1.150/4112; Proto 1; Flg:0x0; Pkts:1 Bytes:60 Parent-MAC-Sess: 21
Id:1; Ageout:36; Flags:0x8251; QOS:2; Up: 0 min 2 sec; InPol:NAT-1/2;
10.6.1.150/4112 -> 10.5.2.2/64511; Proto 1; Flg:0x0; Pkts:1 Bytes:60
Traffic from the client 10.5.5.100 is sent to the www server 10.6.1.150.
Traffic from the www server 10.6.1.150 is sent to 10.5.2.2, which is the IP address of the MGT0 interface of the HiveAP. This means NAT is working.
When you are done, please stop the continuous ping from the hosted PC
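The same check scripted, as an added example that is not HiveOS code: parse_ip_sessions() and nat_is_working() are hypothetical helpers run over a constructed copy of the output above. They apply the rule the slide states, NAT is in effect when the return flow is addressed to the mgt0 IP rather than to the client's private address.

```python
import re
from ipaddress import ip_address, ip_network

# One flow line of 'show forwarding-engine ip-session' output
FLOW_RE = re.compile(
    r"^(?P<src>[\d.]+)/(?P<sport>\d+) -> (?P<dst>[\d.]+)/(?P<dport>\d+); "
    r"Proto (?P<proto>\d+);.*?Pkts:(?P<pkts>\d+) Bytes:(?P<bytes>\d+)"
)

# Constructed copy of the slide's output with the annotations removed
SAMPLE = """\
02-A-064200# show forwarding-engine ip-session protocol 1
IP session table:
Ageout time (in ms)
Total entries: 2/8191
Id:2; Ageout:1036; Flags:0x8251; QOS:2; Up: 0 min 1 sec; InPol:NAT-1/2;
10.5.5.100/4112 -> 10.6.1.150/4112; Proto 1; Flg:0x0; Pkts:1 Bytes:60 Parent-MAC-Sess: 21
Id:1; Ageout:36; Flags:0x8251; QOS:2; Up: 0 min 2 sec; InPol:NAT-1/2;
10.6.1.150/4112 -> 10.5.2.2/64511; Proto 1; Flg:0x0; Pkts:1 Bytes:60
"""


def parse_ip_sessions(text):
    """Return one dict per flow line, tagged with the Id and InPol of the
    'Id:...' header line that precedes it."""
    flows, header = [], {}
    for line in text.splitlines():
        if line.startswith("Id:"):
            header = dict(part.strip().split(":", 1)
                          for part in line.split(";") if ":" in part)
            continue
        m = FLOW_RE.match(line)
        if m:
            flow = {k: int(v) if v.isdigit() else v
                    for k, v in m.groupdict().items()}
            flow["id"] = header.get("Id")
            flow["policy"] = header.get("InPol")   # e.g. NAT-1/2
            flows.append(flow)
    return flows


def nat_is_working(flows, client_net, mgt0_ip):
    """NAT is in effect when the reply to a client's flow is addressed to
    the HiveAP's mgt0 IP; a reply addressed into the client subnet means
    the traffic left the AP untranslated."""
    net = ip_network(client_net)
    for out in (f for f in flows if ip_address(f["src"]) in net):
        for back in flows:
            if back["src"] == out["dst"] and back["dst"] == mgt0_ip:
                return True
    return False


if __name__ == "__main__":
    sessions = parse_ip_sessions(SAMPLE)
    for s in sessions:
        print(s["id"], s["policy"], s["src"], "->", s["dst"], s["dport"])
    print("NAT working:", nat_is_working(sessions, "10.5.5.0/24", "10.5.2.2"))
```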
Supplemental Courseware / Scratch Pad
AD Troubleshooting Using HiveAP CLI
LAB: Verify HiveAP Admin Account
• exec aaa ldap-search username hiveapadmin
Exec-Program output:
Search user 'hiveapadmin' in basedn 'CN=Users,DC=ahdemo,DC=local' successful
LAB: Verify Wireless User Accounts
• exec aaa ldap-search username user
Exec-Program output:
Search user 'user' in basedn 'CN=Userss,DC=ahdemo,DC=local' failed
• In this case there was a typo in the DN: note the extra s in Userss
• exec aaa ldap-search username user
Exec-Program output:
Search user 'user' in basedn 'CN=Users,DC=ahdemo,DC=local' successful
LAB: Verify NTLM Authentication With Wireless User Account
• exec aaa ntlm-auth username user2 password Aerohive1
2009-04-16 11:37:53 info admin:<exec aaa ntlm-auth username user2 password *** >
2009-04-16 11:37:53 debug samba-tools: Kerberos session setup successful
Exec-Program output:
NT_STATUS_OK: Success (0x0)
SSL Negotiation Fails: Invalid CA Cert
• This is an example that fails because the certificate was not installed or configured properly
Bridging Notes For HiveAPs
HiveAP Ethernet Interfaces in Bridge Mode
One or both of the Ethernet ports can be in bridge mode with MAC learning.
The HiveAP can learn 128 MAC addresses if an L2 switch is connected to the HiveAP eth0 or eth1 ports in bridge mode. You can also hard code the MAC addresses that are allowed on the port.
* If you connect a router to the bridge port, then all traffic to the HiveAP would come from the same MAC address, so in a sense we would support an unlimited number of wired clients.
Wired clients show up in the active clients list as well in 3.5r1.
[Diagram: the HiveAP meshes to the Corp LAN over either 2.4 GHz or 5 GHz; the SSID exists on the radio that is not used for mesh (either 2.4 GHz or 5 GHz); the Ethernet ports in bridge mode connect the wired clients]
Loops are prevented, so a redundant configuration as shown above is permitted. No spanning tree is needed.
An Ethernet interface in bridge mode can provide a captive web portal as well.
Ethernet interfaces can also be in bridge-802.1Q mode to allow traffic from any VLAN to go through the HiveAP. You can limit which VLANs are permitted as well.
Revoking Private PSK Accounts
Revoking Private PSK Users
If a user leaves the company, or if their device is lost or stolen, you can revoke the user's key and de-authenticate any active client using the individual private PSK
Apply a filter to view your Private PSK users
• Go to Configuration > Advanced Configuration > Authentication > Local Users
• Check the box next to one or more users and click Remove
• Go to next slide
Update User Database To Revoke Private PSK Users
From Managed HiveAPs
• Select your HiveAP
• Select Update... > Upload User Database
Update User Database To Revoke Private PSK Users
• Click Delta Upload (Compare with running config)
• If you click the link for the hostname of your HiveAP you can see the user commands that will be sent to the HiveAP
• Click Upload
NOTE: Once a client is revoked, it can never be activated again; the user will need to obtain a new Private PSK
CLI on HiveAPs Can Be Used To Verify Revoked Users
AH-0045d0# show auth private-psk
Interface=wifi0.1; SSID=Class-PPSK-1; Protocol-suite=PSK-auto;
Total entries: 30
No.  User              Group           PMK   Valid
---- ----------------  --------------  ----  -----
1    01-corp0030       PPSK-Corp-01    e1d4  Yes
2    01-corp0029       PPSK-Corp-01    7a61  Yes
3    01-corp0028       PPSK-Corp-01    a975  Yes
...
24   01-corp0007       PPSK-Corp-01    4cf3  No
25   01-corp0006       PPSK-Corp-01    e7c7  Yes
26   01-corp0005       PPSK-Corp-01    8d07  Yes
27   01-corp0004       PPSK-Corp-01    1964  No
28   01-corp0003       PPSK-Corp-01    a4c5  Yes
29   01-corp0002       PPSK-Corp-01    70c5  Yes
30   01-corp0001       PPSK-Corp-01    c41b  No
NOTE: Once a client is revoked, it can never be activated again; the user will need to obtain a new Private PSK
Revoked Private PSK Users Are Immediately De-Authenticated
• To view the active clients, go to Clients > Active Clients
• The revoked clients will no longer be active
Wireless VPN Troubleshooting Commands
VPN CLI Commands
show vpn ipsec sa
02-A-038cc0# show vpn ipsec sa
SA(Security Association) information as following:
IPsec Security Association Information:
10.5.1.150 [4500] 1.1.1.2 [4500]
tunnel-id: 9
esp-udp mode=tunnel spi=101699633(0x060fd031) reqid=0(0x00000000)
Encryption: aes-cbc
Authentication: hmac-sha1
seq=0x00000000 replay=4 flags=0x20000000 state=mature
created: Sep 3 10:58:51 2010
current: Sep 3 11:13:25 2010
diff: 874(s)
hard: 3600(s)
soft: 2880(s)
last: Sep 3 10:58:51 2010
hard: 0(s)
soft: 0(s)
current: 141008(bytes) hard: 0(bytes) soft: 0(bytes)
current: 668(pkts)
hard: 0(pkts)
soft: 0(pkts)
failed: 0(pkts) replay: 0(pkts) replay window: 0(pkts)
sadb_seq=1 pid=993 refcnt=0
1.1.1.2 [4500] 10.5.1.150 [4500]
tunnel-id: 9
esp-udp mode=tunnel spi=49616501(0x02f51675) reqid=0(0x00000000)
Encryption: aes-cbc
Authentication: hmac-sha1
seq=0x00000000 replay=4 flags=0x20000000 state=mature
created: Sep 3 10:58:51 2010
current: Sep 3 11:13:25 2010
diff: 874(s)
hard: 3600(s)
soft: 2880(s)
last: Sep 3 10:58:51 2010
hard: 0(s)
soft: 0(s)
current: 116016(bytes) hard: 0(bytes) soft: 0(bytes)
current: 1065(pkts)
hard: 0(pkts)
soft: 0(pkts)
failed: 0(pkts) replay: 0(pkts) replay window: 0(pkts)
sadb_seq=0 pid=993 refcnt=0
VPN CLI Commands
show vpn ipsec-tunnel
02-A-038cc0# show vpn ipsec-tunnel
IPsec Tunnel Duration:
Source                   Destination              Created              Duration
------------------------ ------------------------ -------------------- --------------------------------------
10.5.1.150[4500]         1.1.1.2[4500]            2010-09-03 10:58:51  0 days 0 hours 12 minutes 28 seconds
Total IPsec Tunnel Sessions: 1
Tunnel Statistic Information::
Src IP                   Dst IP                   Pkts       Bytes      Auth-Err   Other-Err  SPI        Remaining-Lifetime
------------------------ ------------------------ ---------- ---------- ---------- ---------- ---------- ------------------
10.5.1.150[4500]         1.1.1.2[4500]            605        130848     0          0          0x060fd031 2132(s) rekey
1.1.1.2[4500]            10.5.1.150[4500]         1027       112324     0          0          0x02f51675 2132(s) rekey
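Reading the two outputs together: rekeying is driven by the soft lifetime, so the Remaining-Lifetime shown here is the soft lifetime minus the tunnel age (2880 - 748 = 2132 s), and the diff field of show vpn ipsec sa is the same age measured earlier. As an added example that is not HiveOS code, parse_sa() and rekey_status() are hypothetical helpers that carry that arithmetic over a constructed copy of the first SA from the previous slide.

```python
import re
from datetime import datetime

# Constructed copy of the first SA from 'show vpn ipsec sa' on the slide
SA_SAMPLE = """\
10.5.1.150 [4500] 1.1.1.2 [4500]
tunnel-id: 9
esp-udp mode=tunnel spi=101699633(0x060fd031) reqid=0(0x00000000)
Encryption: aes-cbc
Authentication: hmac-sha1
seq=0x00000000 replay=4 flags=0x20000000 state=mature
created: Sep 3 10:58:51 2010
current: Sep 3 11:13:25 2010
diff: 874(s)
hard: 3600(s)
soft: 2880(s)
"""


def _first(pattern, text):
    """First capture group of the first (multiline) match, or ValueError."""
    m = re.search(pattern, text, re.M)
    if not m:
        raise ValueError(f"field not found: {pattern}")
    return m.group(1)


def parse_sa(text):
    """Pull the SPI, state, timestamps and the time lifetimes (seconds).
    The first 'hard:'/'soft:' lines, right after 'diff:', are the time
    lifetimes; the later ones are byte and packet lifetimes (0 = unused)."""
    sa = {
        "spi": _first(r"spi=\d+\((0x[0-9a-f]+)\)", text),
        "state": _first(r"state=(\w+)", text),
        "diff": int(_first(r"^diff: (\d+)\(s\)", text)),
        "hard": int(_first(r"^hard: (\d+)\(s\)", text)),
        "soft": int(_first(r"^soft: (\d+)\(s\)", text)),
    }
    for key in ("created", "current"):
        stamp = " ".join(_first(rf"^{key}: (.+)$", text).split())
        sa[key] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
    return sa


def rekey_status(sa, age=None):
    """Seconds left until rekey (soft) and teardown (hard) at the given SA
    age; by default the age is current - created, which should equal diff."""
    if age is None:
        age = int((sa["current"] - sa["created"]).total_seconds())
    return {
        "age": age,
        "to_soft": max(sa["soft"] - age, 0),
        "to_hard": max(sa["hard"] - age, 0),
        "rekey_due": age >= sa["soft"],
        "expired": age >= sa["hard"],
    }


def remaining_lifetime(soft, tunnel_age):
    """Remaining-Lifetime as 'show vpn ipsec-tunnel' reports it: soft
    lifetime minus tunnel age (the slide: 12 min 28 s old -> 2132(s))."""
    return soft - tunnel_age


if __name__ == "__main__":
    sa = parse_sa(SA_SAMPLE)
    print(sa["spi"], sa["state"], rekey_status(sa))
    print("remaining:", remaining_lifetime(sa["soft"], 12 * 60 + 28))
```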
VPN CLI Commands
show amrp tunnel
02-A-038cc0# show amrp tunnel
Total 1 tunnels
DA - DNXP Access, DB - DNXP Backhaul
IA - INXP Access, IB - INXP Backhaul
VA - VPN Access, VB - VPN Backhaul
No. Peer            Type client age      TTL
--------------------------------------------------------------------------------
1   10.8.1.2        VA   1      02:30:14
02-A-038cc0# show amrp tunnel 10.8.1.2
VPN access tunnel <tunnel0 -> 10.8.1.2>
age: 02:32:34
client count: 1
state: ESTABLISHED
state age: 02:32:33
last echo request: 00:00:03 sec ago
last echo reply: 00:00:03 sec ago
heartbeat interval: 10 sec
heartbeat fail retry: 10
flag: 0x3
VPN CLI Commands
show vpn gre-tunnel
02-A-038cc0# show vpn gre-tunnel
Tunnel table:
T=Type; Z=Zone; PN=policy numbers;
Age Out=idle time of the tunnel since last receive packet
TXs=TX packets; TXE=TX errors; RXs=RX packets; RXE=RX errors;
Type: G=General route encapsulation; O=Other tunnel;
Zone: A=Access; B=Backhaul;
Total entries: 1
ID   T Z PN  Age Out  Src IP          Dst IP          TXs      TXE  RXs      RXE
---- - - --- -------- --------------- --------------- -------- ---- -------- ----
1    G A 1   109      10.8.1.20       10.8.1.2        36       0    23       0
VPN CLI Commands
show vpn ike event (Failure Event)
03-A-0377c0# show vpn ike event
2009-10-01 14:05:40:Peer failed phase 1 authentication (certificate problem?)(10.5.1.151[4500]->1.1.1.2[4500])
2009-10-01 14:06:30:Peer not responding(10.5.1.151[4500]->1.1.1.2[4500])
2009-10-01 14:06:30:Phase 1 deleted(10.5.1.151[4500]->1.1.1.2[4500])
2009-10-01 14:06:31:Peer failed phase 1 authentication (certificate problem?)(10.5.1.151[4500]->1.1.1.2[4500])
• In this case, the root CA certificate was not pushed to the AP, so it cannot validate the VPN server
VPN CLI Commands
show vpn ike event (Failure Resolution)
04-A-04c000# show vpn ike event
2010-09-03 17:48:39:Peer not responding(10.5.1.157[4500]->1.1.1.2[4500])
2010-09-03 17:48:39:Phase 1 deleted(10.5.1.157[4500]->1.1.1.2[4500])
2010-09-03 17:48:40:Peer failed phase 1 authentication (certificate problem?)(10.5.1.157[4500]->1.1.1.2[4500])
• Originally the wrong root CA certificate was sent to the HiveAP
• After updating the certificate by updating the configuration
  – After typing clear vpn ike sa, the VPN processes are restarted and the negotiation and the tunnel became established
04-A-04c000# clear vpn ike sa
04-A-04c000# show vpn ike event
2010-09-03 17:58:50:Phase 1 deleted(10.5.1.150[4500]->1.1.1.2[4500])
2010-09-03 17:58:51:Phase 1 started(10.5.1.150[500]->1.1.1.2[500])
2010-09-03 17:58:51:Phase 1 established(10.5.1.150[4500]->1.1.1.2[4500])
2010-09-03 17:58:51:Xauth exchange start(10.5.1.150[4500]->1.1.1.2[4500])
2010-09-03 17:58:51:Xauth exchange passed(10.5.1.150[4500]->1.1.1.2[4500])
2010-09-03 17:58:51:Add security policy into kernel stack done(10.5.1.150[4500]->1.1.1.2[4500])
2010-09-03 17:58:51:ISAKMP mode config done(10.5.1.150[4500]->1.1.1.2[4500])
2010-09-03 17:58:51:Phase 2 started(10.5.1.150[4500]->1.1.1.2[4500])
2010-09-03 17:58:51:Phase 2 established(10.5.1.150[4500]->1.1.1.2[4500])
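Triage of the event log scripted, as an added example that is not HiveOS code: classify_ike_events() is a hypothetical helper run over constructed copies of the two outputs above. It reports the outcome of the latest negotiation for the peer and counts the certificate-related phase 1 failures, which is what separates the failure slide from the resolution slide.

```python
import re

# One 'show vpn ike event' line: timestamp:message(src[port]->dst[port])
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d):(?P<msg>.*)"
    r"\((?P<src>[\d.]+)\[\d+\]->(?P<dst>[\d.]+)\[\d+\]\)$"
)

# Constructed copies of the failure and resolution outputs on the slides
FAILURE = """\
2009-10-01 14:05:40:Peer failed phase 1 authentication (certificate problem?)(10.5.1.151[4500]->1.1.1.2[4500])
2009-10-01 14:06:30:Peer not responding(10.5.1.151[4500]->1.1.1.2[4500])
2009-10-01 14:06:30:Phase 1 deleted(10.5.1.151[4500]->1.1.1.2[4500])
2009-10-01 14:06:31:Peer failed phase 1 authentication (certificate problem?)(10.5.1.151[4500]->1.1.1.2[4500])
"""
RESOLVED = """\
2010-09-03 17:58:50:Phase 1 deleted(10.5.1.150[4500]->1.1.1.2[4500])
2010-09-03 17:58:51:Phase 1 started(10.5.1.150[500]->1.1.1.2[500])
2010-09-03 17:58:51:Phase 1 established(10.5.1.150[4500]->1.1.1.2[4500])
2010-09-03 17:58:51:Xauth exchange start(10.5.1.150[4500]->1.1.1.2[4500])
2010-09-03 17:58:51:Xauth exchange passed(10.5.1.150[4500]->1.1.1.2[4500])
2010-09-03 17:58:51:Add security policy into kernel stack done(10.5.1.150[4500]->1.1.1.2[4500])
2010-09-03 17:58:51:ISAKMP mode config done(10.5.1.150[4500]->1.1.1.2[4500])
2010-09-03 17:58:51:Phase 2 started(10.5.1.150[4500]->1.1.1.2[4500])
2010-09-03 17:58:51:Phase 2 established(10.5.1.150[4500]->1.1.1.2[4500])
"""


def parse_ike_events(text):
    """Yield (timestamp, message, src, dst) for each well-formed event line."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            yield m["ts"], m["msg"].strip(), m["src"], m["dst"]


def classify_ike_events(text):
    """Outcome of the most recent negotiation plus failure counters.
    Events are read in order, so the last state-changing message wins."""
    result = {"peer": None, "outcome": "no-events",
              "cert_failures": 0, "timeouts": 0}
    for _ts, msg, _src, dst in parse_ike_events(text):
        result["peer"] = dst
        if "failed phase 1 authentication" in msg:
            if "certificate" in msg:
                result["cert_failures"] += 1
                result["outcome"] = "phase1-auth-failed-certificate"
            else:
                result["outcome"] = "phase1-auth-failed"
        elif "Peer not responding" in msg:
            result["timeouts"] += 1
            result["outcome"] = "peer-not-responding"
        elif msg.startswith("Phase 1 started"):
            result["outcome"] = "negotiating"
        elif msg.startswith("Phase 2 established"):
            result["outcome"] = "tunnel-established"
    return result


if __name__ == "__main__":
    print(classify_ike_events(FAILURE))
    print(classify_ike_events(RESOLVED))
```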
Use Client Monitor To View Connection Status
• From Monitor > Active Clients > Operations > Client Monitor
• Add the MAC address of a client to monitor its connection status