Transcript X - Free
Advanced WLAN Configuration Version 3.5r1 1 2008 Confidential 2010 Copyright Notice Copyright © 2010 Aerohive Networks, Inc. All rights reserved. Aerohive Networks, the Aerohive Networks logo, HiveOS, HiveAP, HiveManager, and GuestManager are trademarks of Aerohive Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies. 2 2008 Confidential 2010 Getting Started 3 2008 Confidential 2010 Lab: Get Connected 1. Connect to class WLAN Internet Guest Client Connect to SSID: Class-Guest IP: 10.5.1.N/24 Gateway: 10.5.1.1 VLAN 1 Instructor PC Mgt0 IP: 10.5.1.N/24 VLAN 1 WLAN Policy: WLAN-Classroom SSID: Class-Guest Security: WPA/WPA2 Personal (PSK) Network Key: aerohive123 Please connect to the SSID: Class-Guest Network Key: aerohive123 You should get an IP in the 10.5.1.0/24 subnet 4 2008 Confidential 2010 Lab: Get Connected 2. Get class files from instructor From your PC open a web browser and for the URL type: ftp://ftp:[email protected].? (Ask Instructor for the IP address) – Username: ftp – Password: aerohive You will find: – Courseware (pptx files) • If you do not have MS office 2003 or later, please download a PPTX viewer from Microsoft – Topology map jpg images • Used for the planning tool and topology map lab – Tight VNC • Please install the Viewer only – This is used to connect to a hosted PC – User files for Private PSK in CSV format • This is for the Private PSK lab – Putty SSH Client (If you don’t have an SSH client already) • SSHv2 is used to access the console server to access the CLI of your AP 5 2008 Confidential 2010 Lab: Get Connected 1. Connect to Hosted HiveManager Securely browse to HiveManager https://training-hm1.aerohive.com or https://72.20.106.120 Supported Browsers: – Firefox – Internet Explorer – Chrome Default Login Credentials: – Login: adminX X = Student ID 2 - 15 – Password: aerohive123 6 2008 Confidential 2010 Lab: Get Connected 4. Certificate error - Continue to the website If prompted, accept the certificate permanently or add the security exception or continue to the website Note: (Do not perform this operation in the classroom) In your own company you can import your own HiveManager certificate going to: HomeAdministrationHiveManager Services – Check Update HTTPS Certificate – You can generate a self-signed certificate or import a third-party certificate – Click Update 7 2008 Confidential 2010 Lab: Get Connected 5. Connect to class WLAN Click Agree to the End user license agreement 8 2008 Confidential 2010 Lab: Get Connected 6. The dashboard appears Click to hide left menu bar Select widgets to see Click blue bar and drag to move widget to new location on screen From the dashboard you can get a summary of your WLAN The dashboard is customizable This dashboard will be covered in more detail later in this course 9 2008 Confidential 2010 HiveManager Help HiveManager provides a rich and powerful online help Click Help… on the top menu bar to get a menu of the help options There is a help box on the right side of the guided configuration A link to Help also exists in the Start Here screen 10 2008 Confidential 2010 Help System in HiveManager If you click Help in the upper right hand corner of the HiveManager Settings – HiveManager Help • Context sensitive help based on where you are when you select this option – Settings Online Training Deployment, Quickstart, ad Mounting Guides CLI Reference Guides Web-based Help Files • Lets you specify a path to host the online help web pages locally on your network – Videos and Guides • Contains links to all Aerohive documentation and computer-based training modules • You can also download the web-based help system from here as well – Check for Updates • Checks Aerohive’s latest code – About HiveManager 11 2008 Confidential 2010 Help: Context Sensitive Context sensitive help can be viewed in any configuration window By default your PC must be connect to the Internet to view the help files unless you have downloaded them and hosted on your own web server 12 2008 Confidential 2010 Help: Navigation Click here to go to the home page Search on Current Page Global Search 13 2008 Confidential 2010 Help: Global Search You can enter multiple words for a global search The help is automatically expanded when the search strings are found. Each word in the list is highlighted in different color Click the relevant section 14 2008 Confidential 2010 Help: Search For Words Within Pages Search for an exact word or phrase match within a page – This is a complete word match, not a partial word match Adds or removes highlighting Enter word here to highlight on page 15 2008 Confidential 2010 Help: Files Location Here you can specify a path to locally hosted help files Help files are referenced from the Internet If Internet access is not available when you manage your HiveManager, download the web-based help files from the Videos & Guides section on the help menu, and store them on your own local web server Then specify a path to your own hosted web pages and click update 16 2008 Confidential 2010 Getting Started Creating a WLAN Policy and Managing HiveAPs 17 2008 Confidential 2010 Connect To HiveManager (In case you walked in late!) Securely browse to HiveManager https://training-hm1.aerohive.com or https://70.20.106.120 Supported Browsers: – Firefox – Internet Explorer Default Login Credentials: – Login: adminX X = Student ID 2 - 15 – Password: aerohive123 18 2008 Confidential 2010 Access Your Hosted HiveAP Use Putty or your favorite SSH tool to SSH to training-console.aerohive.com – Ports 7002 though 7015 Note: Student IDs are 2 though 15 so the SSH port number corresponds to the student ID: 7002 though 7015 You will first see the Terminal Server Login, just press enter: Login as: <enter> X-A-001122 login: admin Password: aerohive123 Note: For Mac OSX or Linux use: ssh -l admin training-console.aerohive.com –p 700X 19 2008 Confidential 2010 Access Your Hosted HiveAP Use Putty or your favorite SSH tool to SSH to training-console.aerohive.com – Ports 7022 though 7035 Note: Student IDs are 2 though 15 so the SSH port number corresponds to the student ID: 7022 though 7035 You will first see the Terminal Server Login, just press enter: Login as: <enter> X-A-001122 login: admin Password: aerohive123 Note: For Mac OSX or Linux use: ssh -l admin training-console.aerohive.com –p 700X 20 2008 Confidential 2010 Set HiveManager Time Settings Essential When Generating Certificates, Using Private PSK, Wireless VPN, User Manager, Time-Based Authentication, and Schedules 21 2008 Confidential 2010 Set the Time and Time Zone (Instructor Only) Go to HomeAdministrationHiveManager Settings For System Date/Time click Settings 22 2008 Confidential 2010 Set the Time and Time Zone (Instructor Only) Time Zone: <Time Zone of HiveManager> Set the date/time manually or synchronize with an NTP server Click to save and update Note:The HiveManager services will be restarted After a minute, you can log back into the HiveManager 23 2008 Confidential 2010 Aerohive Base WLAN Policy Creation Quick Start 24 2008 Confidential 2010 Lab: Create Base WLAN Policy 1. Add a new WLAN policy Go to Configuration Guided Configuration WLAN Policies Click New Enter a WLAN Policy Name: WLAN-X Go to next slide 25 2008 Confidential 2010 Lab: Create Base WLAN Policy 2. Create a New Hive Click + to create a new Hive Hive: Hive-X Modify Encryption Protection – Select Automatically generate Password Save your Hive 26 2008 Confidential 2010 Lab: Create Base WLAN Policy 3. Create an SSID SSID – WLAN Policy – SSID Profiles Click: Add/Remove SSID Profile Click + to create a new SSID Profile Go to next slide 27 2008 Confidential 2010 Lab: Create Base WLAN Policy 4. Configure SSID – SSID Profile – Profile Name: Class-PSK-X SSID: Class-PSK-X Note: The profile name typically matches the SSID unless you want different settings for the same SSID in different locations. IMPORTANT: For the SSID labs, please follow the class naming convention. SSIDs are broadcasted over the air so we do not want to people to accidentally connect 28 SSID Access Security Select: WPA/WPA2 PSK (Personal) – Use Default WPA/WPA2 PSK Settings Key Value: aerohive123 Confirm Value: aerohive123 User Profile for Traffic Mgmt Click + to create a new user profile 2008 Confidential 2010 Lab: Create Base WLAN Policy 5. Create User Profile for Employees – SSID/User Profile – Name: Employee(10)-X Attribute Number: 10 Default VLAN: 1 Click Apply Ensure your user profile is selected Click Save to save the SSID 29 2008 Confidential 2010 Lab: Create Base WLAN Policy 6. Configure SSID – WLAN Policy – SSID Profiles Select your SSID: Class-PSK-X from the Available SSID Profiles list: and use the right arrow button ‘ >’ to move it to the Selected SSID Profiles list Click Apply Really – Make sure you click Apply Do not save the WLAN policy, go to Note: The WLAN policy must be assigned to one or the next slide more HiveAPs for it to take affect 30 2008 Confidential 2010 Lab: Create Base WLAN Policy 7. Create an NTP Server object Configure the NTP server to configure the time zone and NTP server settings. This is important for any service that depends on time, such as VPN and RADIUS which use certificates, schedules, Private PSK validity, etc... From your WLAN policy under the Optional Settings Expand Management Server Settings Next to NTP Server – Click + 31 2008 Confidential 2010 Lab: Create Base WLAN Policy 8. Configure NTP Server Settings Name: Time-X Time Zone: <Please use the time zone for the location of the class> Uncheck Sync click with HiveManager NTP Server: pool.ntp.org Click Apply – Did you click Apply? Click Save 32 2008 Confidential 2010 Lab: Create Base WLAN Policy 9. Save your WLAN Policy Back in your WLAN policy Ensure NTP server is set to: Time-X Click Save 33 2008 Confidential 2010 Lab: Create Base WLAN Policy 10. Verify Your WLAN Policy After saving your WLAN policy, you can review the settings here by looking at the columns for your WLAN policy • Hive • SSID Profiles When done, click Monitor to go to the list of HiveAPs Go to next slide 34 2008 Confidential 2010 Provision HiveAPs With Base WLAN Policy 35 2008 Confidential 2010 Wireless VPN Lab Network IP Summary WLAN Branch Office – HiveAP VPN Clients VPN Client X-A-HiveAP Gateway FW(NAT) 10.5.1.? 10.5.1.1 2.2.2.2 WLAN HQ – HiveAP VPN Servers Firewall NAT Rules 1.1.1.X10.8.1.X RADIUS 10.8.1.200 Client PC 10.8.20.?/24 GW: 10.8.20.1 Gateway 10.8.1.1 DHCP Server VLAN 20 Net: 10.8.20.0/24 Pool: 10.8.20.150 - 10.8.20.200 VPN Server Gateway: 10.8.20.1 X-B-HiveAP Layer 3 IPsec VPN Tunnels - IP Headers (10.5.1.?)2.2.2.2 1.1.1.2 Layer 2 GRE Tunnels - IP Headers Tunnel0 10.8.1.X0 10.8.1.X MGT0 10.8.1.X/24 VPN Client Tunnel Address Pool AP VPN 1: 10.8.1.X0 – 10.8.1.X9 ? – Address Learned though DHCP 36 2008 Confidential 2010 Configure Your HiveAP-A (X-A-######) 37 2008 Confidential 2010 Lab: Provision Two HiveAPs 1. Modify your HiveAP-A Click the Config radio button near the top of the screen to see the configuration view Note that HiveAPs are set to default WLAN policy and Hive Select the check box next to your HiveAP X-A-###### and click Modify 38 2008 Confidential 2010 Lab: Provision Two HiveAPs 2. Modify settings for your HiveAP-A Configure the HiveAP settings and WLAN Policy Location: <First-name_Last-name> For WLAN Policy select: WLAN-X Topology Map: ..Classroom Select: Use both radios for client access 2.4GHz(wifi0) Power: 1 5GHz (wifi1) Power: 1 Click Save Note: Because the APs are stacked on top of each other in a hosted rack and are connected via coax to the hosted PCs, please set the power level to 1. In a real deployment you can leave the power set to auto and ACSP will determine the appropriate power setting 39 2008 Confidential 2010 Configure Your HiveAP-B (X-B-######) 40 2008 Confidential 2010 Lab: Provision Two HiveAPs 3. Select and Modify your HiveAP-B Verify the settings for your X-B-HiveAP by looking at the columns Select the check box next to your HiveAP X-B-###### and click Modify 41 2008 Confidential 2010 Lab: Provision Two HiveAPs 4. Modify Settings for Your HiveAP-B Location: <First-name_Last-name> For WLAN Policy select: WLAN-X – Assigning your HiveAP to a WLAN policy is how the HiveAP will inherit a majority of its configuration settings Topology Map: ..Classroom Select: Use both radios for client access Do not save Go to the next slide 42 2008 Confidential 2010 Lab: Provision Two HiveAPs 5. Set Power and Static IP Address for HiveAP-B 2.4GHz(wifi0) Power: 1 5GHz (wifi1) Power: 1 This HiveAP will be a VPN server, so you will need to give it a static IP address: [Optional Settings] Expand Interface and Networks Settings – Uncheck DHCP Client Enabled – IP: 10.8.1.X – Mask: 255.255.255.0 – Gateway: 10.8.1.1 Click Save Go to the next slide 43 2008 Confidential 2010 Lab: Provision Two HiveAPs 6. View configuration and monitor status Verify the settings for your X-B-HiveAP by looking at the columns You can click Monitor view to see that the HiveAPs and HiveManager are not in sync. The green square and red triangle con shows that You can click the Host Name column header to sort the HiveAPs by hostname 44 2008 Confidential 2010 For Your Information Outside US Set the Country Code for World Mode HiveAPs Note: Please do not perform in this class unless told to do so by your instructor! Updating the country code on a HiveAP configures the radios to meet government requirements for a country You can update the country by going to Monitor Access PointsNew HiveAPs Select all the HiveAPs Click Update... Update Country Code Select the appropriate country code Click Upload 45 2008 Confidential 2010 Lab: Provision Two HiveAPs 7. Update the Configuration on Your HiveAPs Select the check box next to your two HiveAPs Click UpdateUpload and Activation Configuration 46 2008 Confidential 2010 Lab: Provision Two HiveAPs 8. Update the Configuration on Your HiveAP Go to Configuration Guided Configuration Click Settings Change Activation time to: Activate after [ 5 ] Seconds – This is because mesh is not being used, and therefore you do not have to worry about cutting off connectivity to a mesh HiveAP Click the Save Icon – These settings will remain for all subsequent uploads Do not save Go to the next slide 47 2008 Confidential 2010 Lab: Provision Two HiveAPs 9. Update the Configuration on Your HiveAPs You can view the configuration that will be sent to the HiveAP if that interests you – Right click the hostname of the HiveAP – Select View Configuration – After reviewing, close the configuration window by clicking the [x] Click Upload to update the configuration on your HiveAPs Go to the next slide 48 2008 Confidential 2010 Lab: Provision Two HiveAPs 10. View The HiveAP Update Results You will be taken to the results page so you can view the status of your update If you leave this screen, you can go back by going to: Monitor Access Points HiveAP Update Results 49 2008 Confidential 2010 Lab: Provision Two HiveAPs 11. Monitor HiveAP Status Note: You can expand or collapse the New HiveAPs list by clicking here Go to MonitorAccess PointsHiveAPs Your HiveAP will have moved from the New HiveAPs list to the Managed HiveAPs list When the Audit column icon turns to two green squares And the Uptime changes back from 0, the first update is complete 50 2008 Confidential 2010 Test Access to SSID Used In Base WLAN Policy 51 2008 Confidential 2010 Test Base WLAN Policy Internet Internal Network Hosted PC Student-X Connect to SSID: Class-PSK-X IP: 10.5.1.N/24 Gateway: 10.5.1.1 AD Server: 10.5.1.10 VLANs 1-20 Mgt0 IP: 10.5.1.N/24 VLAN 1 WLAN Policy: WLAN-X SSID: Authentication: Encryption: Preshared Key: User Profile 1: Attribute: VLAN: IP Firewall: QoS: DHCP Settings: (VLAN 1) network 10.5.1.0/24 10.5.1.140 – 10.5.1.240 Class-PSK-X WPA or WPA2 Personal TKIP or AES aerohive123 Employee(10)-X 10 1 None def-user-qos 52 2008 Confidential 2010 Access Your Hosted Client PC Using the web for PC, Mac, or Linux http://training-pcX.aerohive.com:5800 Click Options: – Specify Encoding: Tight – Click Close VNC Authentication – Password: aerohive – Click OK 53 2008 Confidential 2010 Access Your Hosted Client PC Using the TightVNC Application If you are using a windows PC and you do not have Java installed, you can install the TightVNC client application – TightVNC has good compression so please use TightVNC for class instead of any other application Start TightVNC – VNC Host: training-pcX.aerohive.com – Click Connect – Password: aerohive 54 2008 Confidential 2010 If you are not logged in Login to Hosted PC Click to send a control alt delete Login: user Password: Aerohive1 55 2008 Confidential 2010 Lab: Test Base WLAN Policy 1. Connect to the Class-PSK-X SSID From the hosted PC – Double-click the wireless connection icon on the bottom right of the task bar x – Connect to your SSID: Class-PSK-X – Passphrase/ Network Key: aerohive123 – Click Connect 56 2008 Confidential 2010 Lab: Test Base WLAN Policy 2. View Active Clients List Click here to modify the displayed columns After associating with your SSID, you should see your connection in the active clients list in HiveManager – Go to MonitorClientsActive Clients Your IP address should be from the 10.5.1.0/24 network To change the layout of the columns in the Active Clients list, you can click the icon with a pencil in it: 57 2008 Confidential 2010 Lab: Test Base WLAN Policy 3. Modify Columns in the Active Clients List For this class, you can add the User Profile Attribute, VLAN and BSSID Move them right after channel in the Select Columns list Click Save You should now see: – BSSID: <MAC Address> User Profile Attribute: 10 – VLAN: 1 58 2008 Confidential 2010 Create SSID Using WPA/WPA2 Enterprise (802.1X) Using RADIUS for Authentication 59 2008 Confidential 2010 LAB: Secure WLAN Access Test With 802.1X Diagram Internet Student-X VLANs 1-20 Connect to SSID: Class-802.1X-X IP: 10.5.10.N/24 Gateway: 10.5.10.1 AD (IAS-RADIUS) Server: 10.5.1.10 Mgt0 IP: 10.5.1.N/24 VLAN 1 WLAN Policy: WLAN-X SSID: Class-802.1X-X Authentication: WPA or WPA2 Personal Encryption: TKIP or AES User Profile 1: Employee(10)-X Attribute: 10 (RADIUS Attribute Returned) VLAN: 1 IP FW From Access: FromClient-X IP FW To Access : (Default Deny) User Profile 2: Employee-Default Attribute: 1000 (No RADIUS Attribute Returned) VLAN: 10 IP FW From Access: Employee-Default IP FW To Access: (Default Deny) 60 DHCP Settings: (VLAN 1) network 10.5.1.0/24 10.5.1.140 – 10.5.1.240 (VLAN 10) network 10.5.10.0/24 10.5.10.140 – 10.5.10.240 2008 Confidential 2010 On Local RADIUS Server Configuring RADIUS Clients For HiveAPs that are not VPN clients, set the RADIUS server to accept RADIUS messages from the MGT0 interface IP on all HiveAPs This class uses: 10.5.1.0/24 Click Next 61 2008 Confidential 2010 On Local RADIUS Server Configuring RADIUS Clients Set the shared secret to secure the communication between the HiveAPs and RADIUS server This class uses: aerohive123 Note: For a real network, please use a longer, more secure key 62 2008 Confidential 2010 LAB: Secure WLAN Access With 802.1X 1. Edit your WLAN Policy and Add SSID Profile An 802.1X capable SSID and related settings can be configured from your WLAN Policy Go to Configuration WLAN Policies Edit WLAN-X Under SSID Profiles click Add/Remove SSID Profile Create a new SSID Profile – Click + Go to Next Slide 63 2008 Confidential 2010 LAB: Secure WLAN Access With 802.1X 2. Configure SSID and RADIUS Server Profile Name: Class-802.1X-X SSID: Class-802.1X-X SSID Access Security – Select: WPA/WPA2 802.1X (Enterprise) Next to RADIUS Server – Click + Go to Next Slide 64 2008 Confidential 2010 LAB: Secure WLAN Access With 802.1X 3. Configure RADIUS Server Define RADIUS Server Settings Click the radio button for: External RADIUS Server Profile Name: RADIUS-X Primary RADIUS Server: 10.5.1.10 Shared Secret: aerohive123 Confirm Secret: aerohive123 Click Apply Go to Next Slide 65 2008 Confidential 2010 LAB: Secure WLAN Access With 802.1X 4. Configure SSID with RADIUS and User Profile Back in your SSID Configuration Make sure your RADIUS server is selected: RADIUS-X Specify User Profile assigned if not attribute is returned from RADIUS after successful authentication: Employees(1000) Note: This user profile was created by the Instructor Specify User Profiles assigned via attributes returned from RADIUS after successful authentication: Employee(10)-X Save your SSID Go to Next Slide 66 2008 Confidential 2010 LAB: Secure WLAN Access With 802.1X 5. Remove Existing SSID and Add New SSID To clean up the air in the data center, remove all other SSID profiles from the selected SSID profiles list using the << button – You should have no SSID Profiles listed under the Selected SSID Profiles list From the Available SSID Profiles, select Class-802.1X-X and use the > button to move it to the Selected SSID Profiles List Click Apply ---- Please please, please click apply! Go to Next Slide 67 2008 Confidential 2010 LAB: Secure WLAN Access With 802.1X 6. Verify Configuration and Save WLAN Policy Verify your 802.1X SSID is listed under the SSID profiles and that your SSID is mapped to two different user profiles: Employees(1000) and Employee(10)-X Save your WLAN Policy From the WLAN policy summary you can verify your SSID Class-802.1X-X is assigned to your WLAN Policy 68 2008 Confidential 2010 LAB: Secure WLAN Access With 802.1X 7. Update delta configuration of your HiveAP From MonitorHiveAPs Select both of your HiveAPs X-A-HiveAP X-B-HiveAP Select Update... Upload and Activate Configuration If you want to see the delta configuration, click the link for your HiveAP – Close the View Configuration window after viewing the delta configuration changes Click Upload Click HiveAP link to view delta configuration 69 2008 Confidential 2010 Configuring and Testing Your 802.1X Supplicant For Microsoft XP and Vista Supplicants 70 2008 Confidential 2010 Connect to 802.1X SSID (First Attempt Will Fail) On the remote hosted PC From the Microsoft Wireless client: – Click Class-802.1X-X – Click Connect Note: The connection will fail because Windows XP defaults Smart Card or Other Certificates (EAPTLS), instead of PEAP – However, the SSID entry will be created, so all you have to do is modify it Click Change Advanced Settings 71 2008 Confidential 2010 Microsoft Wireless Network Client 802.1X Supplicant Configuration View your Wireless Connections then click to Change advanced settings In the Wireless network properties window enter the following: – Change EAP Type to: Protected EAP (PEAP) Click OK 72 72 2008 Confidential 2010 SSID Should Now Be Connected Your Client will automatically connect to the Class-802.1X-X SSID 73 2008 Confidential 2010 View Active Clients After associating with your SSID, you should see your connection in the active clients list in HiveManager – Go to MonitorClientActive Clients User Name: AHDEMO\user BSSID: <The MAC address for your AP’s SSID> VLAN: 1 User Profile Attribute: 10 74 2008 Confidential 2010 Example: Troubleshooting Invalid User Profile Returned From RADIUS From MonitorAccess PointsHiveAPs (Monitor View) If you see an alarm when trying to perform 802.1X, click the alarm icon This alarm specifies that an attribute was returned from the RADIUS server that is not defined on the HiveAP – In this case 50 Select the check box next to the alarm and then Click clear 75 2008 Confidential 2010 Generate HiveAP RADIUS Server Certificates Required When HiveAPs are Configured as RADIUS Servers or VPN Servers 76 2008 Confidential 2010 LAB: Generate a Root CA Certificate for HiveManager (Instructor Only) Remember this password Go to ConfigurationAdvanced Configuration Keys and CertificatesHiveManager CA Fill in the requested information and choose a secure password Click Create 77 2008 Confidential 2010 HiveManager Root CA Certificate Location and Uses To view certificates, go to: Configuration Advanced Configuration Keys and Certificates Certificate Mgmt This root CA certificate is used to: – Sign the CSR (certificate signing request) that the HiveManager creates on behalf of the AP acting as a RADIUS or VPN server – Validate HiveAP certificates to remote client • 802.1X clients (supplicants) will need a copy of the CA Certificate in order to trust the certificates on the HiveAP RADIUS server(s) Root CA Cert Name: “AerohiveHMCA.pem” Root CA key Name: hm_key.pem 78 2008 Confidential 2010 LAB: HiveAP Server Certificate and Key 1. Generate HiveAP Server Certificate Enter HiveAP-X Notes Below Remember Password Go to Configuration Advanced Configuration Keys and CertificatesServer CSR Common Name: HiveAP-Server-X Note: This is usually the FQDN of the HiveAP Organizational Name: Company Organization Unit: Department Locality Name: City State/Province: <2 Characters> Country Code: <2 Characters> Email Address: [email protected] Subject Alternative Name: <Leave empty> Note: This is used if you want to generate unique certificates for each HiveAP VPN server, and you want to have HiveAP VPN clients validate one of these fields. See notes below the slide. Key Size: 1024 Password & Confirm: aerohive123 CSR File Name: HiveAP-X Click Create 79 2008 Confidential 2010 LAB: HiveAP Server Certificate and Key 2. Sign and Combine! Enabling this setting helps prevent certificate and key mismatches when configuring the RADIUS settings Select Sign by HiveManager CA – The HiveManager CA will sign the HiveAP Server certificate The validity period should be the same as or less than the number of days the HiveManager CA Certificate is valid – Validity: 1826 (5 years + leap day) Check Combine key and certificate into one file Click OK 80 2008 Confidential 2010 LAB: HiveAP Server Certificate and Key 3. View HiveAP Certificate and Key File To view certificates, go to: Configuration Advanced Configuration Keys and Certificates Certificate Mgmt The certificate and key file name is: HiveAP-X_key_cert.pem 81 2008 Confidential 2010 Wireless VPN Version 3.5r1 Using HiveAPs and IPsec VPN Clients and IPsec VPN Servers to Provides VPN Connections with Wireless LANs 82 2008 Confidential 2010 Wireless VPN Overview -For your reading pleasure Aerohive’s Wireless VPN delivers a simple and cost effective solution for mobile workers in remote locations like branch offices, teleworker home offices, and conference centers, to securely access corporate resources through a layer 2 IPsec VPN. Built upon Aerohive’s cooperative control architecture, Aerohive’s wireless VPN has the advantages of being implemented on a highly resilient architecture utilizing best path forwarding, policy enforcement at the edge with user-based QoS and firewall policy, and branch office services including DHCP and RADIUS, which are centrally managed using HiveManager– Aerohive’s WLAN management platform. Aerohive’s Wireless VPN solution allows workers in remote offices using wireless or Ethernet connected laptops, desktops, and phones to directly access their corporate network through a secure layer 2 IPsec VPN. This gives workers access to resources as if they were physically attached to the corporate network, and still have direct access to local branch or home office devices, like printers and file servers that may or may not be corporate resources. This is made possible with best path forwarding, split tunneling, and NAT technology. To protect corporate resources, stations that are attached to the branch office that do not meet policy specifications for the VPN, will not be able to access the corporate network or locally attached corporate devices. 83 2008 Confidential 2010 Wireless VPN Benefits -For your reading pleasure Easy to Use – L2 IPsec VPN solution simplifies deployment, because it extends the local network across the VPN without the need to dedicate subnets for each remote site and set up DHCP relays on branch routers or firewalls – Automatic certificate creation and distribution for validating VPN devices – Profile-based Split Tunneling • Flexible – Single mode of operation supports all deployments – Supported in all HiveAP platforms, Hardware Acceleration in 300 series – Multiple end point support • • Users and Services can be bridged locally or tunneled based on user profile Backup VPN gateway support Distributed Wireless VPN tunnel termination Complete Functionality – Multiple AP Support with secure and fast roaming – Mesh Portals and Mesh Points supported – RADIUS, DHCP, NTLM, LDAP and NTP can selectively go to local or remote network – Rogue AP and rogue client detection, DoS prevention, Firewall, and QoS all occur locally on the remote HiveAP Economical – No license fees for wireless VPN, or any of the other features on the HiveAPs – For the cost of an AP, you get wireless VPN servers 84 2008 Confidential 2010 Teleworker Home Office Please View Notes Below Slide IPsec Teleworker Home Office Work Laptop SSID: Corp 10.5.10.51 Primary and Backup VPN Tunnels HiveAP 5 VPN Client 192.168.1.2 DHCP Server Corporate Wi-Fi Devices VLAN 10 10.5.10.0/24 Corporate Wi-Fi Voice VLAN 11 10.5.11.0/24 Internet HiveAP1 VPN Server Home PC with Printer 192.168.1.5 Work Phone SSID: Voice 10.5.11.33 Headquarters Home Laptop SSID: Home 192.168.1.6 Internet Provider Gateway 192.168.1.1 HiveAP2 VPN Server DMZ Notes Below 85 2008 Confidential 2010 Branch Office VPN with Bridging Headquarters Branch Office Laptop SSID: Corp 10.5.10.12 HiveAP3 VPN Client 192.168.1.5 IPsec Primary and Backup VPN Tunnels HiveAP4 VPN Client 192.168.1.6 DHCP Server Corporate Wi-Fi Devices VLAN 10 10.5.10.0/24 Corporate Wi-Fi Voice VLAN 11 10.5.11.0/24 Gateway 192.168.1.1 HiveAP1 VPN Server Internet Phone SSID: Voice 10.5.11.33 Desktop 10.5.10.10 Guest Laptop SSID: Guest 192.168.1.50 Printer 10.5.10.11 HiveAP2 VPN Server Phone 10.5.11.5 Wireless Wired DMZ 86 2008 Confidential 2010 Create VPN Services Policy 87 2008 Confidential 2010 Wireless VPN Lab Lab Network Diagram HiveAP-A VPN Client Client AD 10.8.1.200 - VLAN 1 WEB 10.8.20.150 - VLAN 20 1.1.1.1 2.2.2.2 NAPT Policy ANY 2.2.2.2 10.5.1.<DHCP> NAT Policy 1.1.1. X 10.8.1. X 10.8.1.X WLAN Policy: WLAN-X HiveAP-B VPN Server WLAN Policy: WLAN-X Hostname: X-A-<6-digits of mac> Hive: Hive-X Interface mgt0: 10.5.1.<DHCP> /24 VLAN 1 Interface tunnel0: 10.8.1.X0 Hostname: X-B-<6-digits of mac> Hive: Hive-X Interface mgt0: 10.8.1.X/24 VLAN 1 VPN: IP Pool: 10.8.1. X0 - 10.8.1.X9 Configure two HiveAPs, – HiveAP-A will be a VPN client – HiveAP-B will be a VPN server 88 2008 Confidential 2010 Wireless VPN Labs Network IP Summary WLAN Branch Office – HiveAP VPN Clients VPN Client X-A-HiveAP 10.5.1.?/24 Gateway FW(NAT) 10.5.1.1 2.2.2.2 WLAN HQ – HiveAP VPN Servers Firewall NAT Rules 1.1.1.X10.8.1.X RADIUS 10.8.1.200 Client PC 10.8.20.?/24 GW: 10.8.20.1 Gateway 10.8.1.1 DHCP Server VLAN 20 Net: 10.8.20.0/24 Pool: 10.8.20.150 - 10.8.20.200 VPN Server Gateway: 10.8.20.1 X-B-HiveAP Layer 3 IPsec VPN Tunnels - IP Headers (10.5.1.?)2.2.2.2 1.1.1.2 Layer 2 GRE Tunnels - IP Headers Tunnel0 10.8.1.X0 10.8.1.X MGT0 10.8.1.X/24 VPN Client Tunnel Address Pool AP VPN 1: 10.8.1.X0 – 10.8.1.X9 ? – Address Learned though DHCP 89 2008 Confidential 2010 LAB: Create VPN Services Policy 1. Create VPN Policy Modify your WLAN Policy Configuration WLAN Policies WLAN-X | Optional Settings | VPN Service Settings – VPN Service: Click + to create a new VPN services policy Go to Next Slide 90 2008 Confidential 2010 LAB: Create VPN Services Policy 2. Define Name and IP Settings Profile Name: VPN-X Server Public IP: 1.1.1.X Server MGT0 IP Address: 10.8.1.X VPN Client Tunnel Interface Pool: Note: It is recommended that the pool is in the same subnet as the MGT0 interface of HiveAP VPN server. This pool is used for GRE tunnel IP addresses on HiveAP VPN clients. – Client Tunnel IP Address Pool Start: 10.8.1.X0 – Client Tunnel IP Address pool End: 10.8.1.X9 – Client Tunnel IP Address Netmask: 255.255.255.0 Go to Next Slide 91 2008 Confidential 2010 LAB: Create VPN Services Policy 3. Assign VPN Certificates for VPN Server IPsec VPN Certification Authority Settings: – VPN Certificate Authority: AerohiveHMCA.pem – VPN Certificate: HiveAP-X_key_cert.pem – VPN Cert Private Key: HiveAP-X_key_cert.pem Optional Settings – VPN Client Credentials: These are VPN XAUTH credentials that get generated automatically. A unique credential gets created for each tunnel interface IP address in the tunnel interface address pool. • Nothing needs to be done here Go to Next Slide 92 2008 Confidential 2010 LAB: Create VPN Services Policy How XAUTH Credentials are Used The default IKE peer authentication method for the wireless VPN is "hybrid" In hybrid mode, – The VPN server authenticates itself to the client with an RSA signature, which requires the server to have a server certificate, and the client must have the root CA certificate that signed the server certificate so it can validate the server The server authenticates the client using Xauth – HiveManager generates a set of credentials (random string for username and passwords) for each HiveAP VPN client and HiveAP VPN server pair – When the VPN client uses valid credentials to authenticate with the VPN server, the tunnel can be established – If the credentials are removed from either the VPN client or VPN server, the tunnel cannot be established 93 2008 Confidential 2010 LAB: Create VPN Services Policy 4. View Advanced Server Options Expand Advanced Server Options No changes are necessary for the following options | IKE Phase 1 Options | | IKE Phase 2 Options | Enable peer IKE ID validation Go to Next Slide 94 2008 Confidential 2010 LAB: Create VPN Services Policy 5. Configure Advanced Client Options Expand Advanced Client Options – Set HiveAP VPN Client to use DNS Server through tunnel: 10.5.1.10 | Management Traffic Tunnel Options| – Determine which traffic from the HiveAP to send though the tunnel • SNMP Traps • RADIUS Note: Set these so that RADIUS messages and SNMP traps generated from the HiveAP VPN clients are sent though the VPN tunnel to the servers on the HQ network | Client IKE Settings | – Check Enable NAT traversal Adds a UDP header with port 4500 on to the IPsec packets Go to Next Slide 95 2008 Confidential 2010 For Redundancy: Dead Peer Detection and AMRP Heartbeat Settings Used for switching between HiveAP VPN Server 1 and HiveAP VPN Server 2 upon failure – DPD Verifies IKE Phase 1 • Send Heartbeat every 10 seconds (by default) • If you miss one heartbeat, send at the Retry Interval instead of at the normal Interval settings • If you miss the number of retries specified, failover to backup VPN server Default DPD failover time: ~16 seconds Default AMRP failover time: ~21 seconds – AMRP Verifies end to end through GRE and VPN Tunnel • Send Heartbeat every 10 seconds (by default) • If you miss one heartbeat, send 1 at second intervals instead of at the normal Interval setting • If you miss the number of retries specified, failover to backup VPN server 96 2008 Confidential 2010 LAB: Create VPN Services Policy 6. Save VPN Services Policy Save the VPN Service Settings 2008 Confidential 2010 LAB: Create VPN Services Policy 7. Modify SSID to Add New User VPN Policy Back in your WLAN Policy Ensure your VPN Service Policy is set to VPN-X Do not save your WLAN policy at this time Go to the next slide 98 2008 Confidential 2010 Configure 802.1X SSID for Wireless VPN Access 99 2008 Confidential 2010 Wireless VPN Labs Network IP Summary WLAN Branch Office – HiveAP VPN Clients VPN Client X-A-HiveAP 10.5.1.?/24 Gateway FW(NAT) 10.5.1.1 2.2.2.2 WLAN HQ – HiveAP VPN Servers Firewall NAT Rules 1.1.1.X10.8.1.X RADIUS 10.8.1.200 Client PC Tunnel Interface: 10.8.20.?/24 GW: 10.8.20.1 10.8.1.X0 Gateway 10.8.1.1 DHCP Server VLAN 20 Net: 10.8.20.0/24 Pool: 10.8.20.150 - 10.8.20.200 VPN Server Gateway: 10.8.20.1 X-B-HiveAP Layer 3 IPsec VPN Tunnels - IP Headers (10.5.1.?)2.2.2.2 1.1.1.X Layer 2 GRE Tunnels - IP Headers Tunnel0 10.8.1.X0 10.8.1.X9 MGT0 10.8.1.X/24 VPN Client Tunnel Address Pool AP VPN 1: 10.8.1.X0 – 10.8.1.X9 ? – Address Learned though DHCP 100 2008 Confidential 2010 Tunnel Traffic Header Overview Branch Office Internet 2.2.2.2 1.1.1.1 (NAPT) ANY 2.2.2.2 4 HiveAP 1 VPN Client MGT0 10.5.1.100 Tunnel0 10.8.1.50 1 Wireless Client MAC: 0022.22aa.aa22 VLAN: 20 IP: 10.8.20.50 Corporate Headquarters (NAT)1.1.1.2 10.8.1.2 FW: Public IP NAT Traversal FW: Public IP 2.2.2.2 UDP - Src & Dst Port 4500 AP: Private IP Src Port Changes w/NAPT 1.1.1.2 10.5.1.100 3 MGT0 IP 10.5.1.100 2 Tunnel0 10.8.1.50 Client Traffic 10.8.20.50 0022.22aa.aa22 VLAN Tag: 20 IPsec (ESP) Tunnel Encrypts GRE and Client Traffic GRE Tunnel Encapsulates client Layer 2 Traffic Layer 2 Client Data 101 5 MGT0 IP Before NAT 1.1.1.2 After NAT 10.8.1.2 6 MGT0 10.8.1.2 7 Client Traffic 10.8.20.150 0011.11bb.bb11 VLAN Tag: 20 HiveAP VPN Server MGT0 10.8.1.2 8 Corporate Server MAC: 0011.11bb.bb11 VLAN: 20 IP: 10.8.20.150 2008 Confidential 2010 Instructor Only: On Local RADIUS Server Configuring HiveAP RADIUS Clients For HiveAPs that are VPN clients, set the RADIUS server to accept RADIUS messages from the Tunnel IP address pool set up on the HiveAP VPN server to assign to HiveAP VPN clients For this class, the tunnel IP pool assigned to HiveAP VPN clients is : 10.8.1.0/24 Click Next 102 2008 Confidential 2010 Instructor Only: On Local RADIUS Server Configuring HiveAP RADIUS Clients Set the shared secret to secure the communication between the HiveAPs and RADIUS server – For this class use: aerohive123 Click Finish Note: For a real network, please use a more secure key 103 2008 Confidential 2010 LAB: Configure SSID for Wireless VPN 1. Create New RADIUS Server Object for SSID Configure a new RADIUS server for your SSID, that is accessible through the VPN From inside your WLAN policy click the link to modify your SSID: Class-802.1X-X 104 2008 Confidential 2010 LAB: Configure SSID for Wireless VPN 2. Configure RADIUS Server Object Define RADIUS Server Settings for use with wireless clients through the VPN Next to RADIUS Server, click + Click the radio button for External RADIUS Server Profile Name: RADIUS-VPN-X Primary RADIUS Server: 10.8.1.200 Shared Secret: aerohive123 Confirm Secret: aerohive123 Click Apply to save the new RADIUS object Do not save, go to next slide 105 2008 Confidential 2010 LAB: Configure SSID for Wireless VPN 3. Modify Employee User Profile Select the Employee(10)-X user profile from the Selected user profile list Click the Modify Icon: 106 2008 Confidential 2010 LAB: Create VPN Services Policy 4. Change VLAN and Add VPN Settings Set the User Profile to use the VPN and a new VLAN Assign the Default VLAN: 20 | Optional Settings | Expand GRE or VPN Tunnels Select: VPN tunnel for client traffic | Split Tunnel | – Select Split Tunnel with NAT to Local Subnet and Internet Click Save 107 2008 Confidential 2010 LAB: Configure SSID for Wireless VPN 5. Save your SSID Save your SSID 108 2008 Confidential 2010 Split Tunnel Firewall Policy Automatically Created When you select the option to use split tunnel to local subnet and Internet, the following policy gets created on the HiveAP – The following policy will not be displayed in HiveManager From Access Firewall Policy Source IP Destination IP 0.0.0.0/0 0.0.0.0/0 0.0.0.0/0 10.5.1.0/24 0.0.0.0/0 10.0.0.0/8 0.0.0.0/0 172.16.0.0/12 0.0.0.0/0 192.168.0.0/16 0.0.0.0/0 0.0.0.0/0 Service DHCP-Server Any Any Any Any Any Action Permit (tunnel) NAT Permit (tunnel) Permit (tunnel) Permit (tunnel) NAT – Note, by default there is no To Access firewall policy, so if you want traffic to be initiated from HQ to the wireless clients thought the VPN, you will need to create a To Access policy that permits access 109 2008 Confidential 2010 LAB: Create VPN Services Policy 6. Verify VPN Settings and Save WLAN Policy Back in the WLAN Policy Expand VPN Service Settings – Ensure the Employee(10)-X user profile is set to use VPN Tunnel and that it is set to Yes for Split Local Traffic (Split Tunnel) Click Save 110 2008 Confidential 2010 HiveAP VPN Roles And Updating the Configuration Configuring HiveAPs to be VPN Clients and VPN Servers 111 2008 Confidential 2010 LAB: Assign HiveAPs to VPN Roles 1. Modify Your HiveAP-A and Make VPN Client From MonitorHiveAPs Modify your HiveAP-A: X-A-###### | Optional Settings | Expand Services Settings – VPN Service Role: Client Click Save 112 2008 Confidential 2010 LAB: Assign HiveAPs to VPN Roles 2. Modify Your HiveAP-B and Make VPN Server From MonitorHiveAPs Modify your HiveAP-B: X-B-###### | Optional Settings | Expand SSID Allocation – (Optional) Clear the check boxes to disable the SSIDs on this HiveAP VPN server Expand Services Settings – VPN Service Role: Server Click Save 113 2008 Confidential 2010 LAB: Assign HiveAPs to VPN Roles 3. Verify HiveAP Roles You will now see icons specifying whether the HiveAP is a VPN client or VPN Server The up and down arrows next to the keys are red when the VPN is not establish – The VPN will be established after updating the configuration of the HiveAPs 114 2008 Confidential 2010 LAB: Assign HiveAPs to VPN Roles 4. Update Delta Configuration and VPN Certs From MonitorHiveAPs Select both of your HiveAPs X-A-HiveAP X-B-HiveAP Select Update... Upload and Activate Configuration If you want to see the delta configuration, click the link for your HiveAP – Close the View Configuration window after viewing the delta configuration changes Click Upload Click HiveAP link to view delta configuration 115 2008 Confidential 2010 LAB: Assign HiveAPs to VPN Roles 5. View Update Results After a successful update, you can move your mouse over the Description to see what was updated – Here you should see that the VPN Certificates and Keys and the Configuration has been updated 116 2008 Confidential 2010 LAB: Assign HiveAPs to VPN Roles 6. Monitor Status of VPN HiveAPs From MonitorHiveAPs you can see that the VPN is up because the up and down arrows are green 117 2008 Confidential 2010 LAB: Assign HiveAPs to VPN Roles 7. HiveAP VPN Diagnostics View VPN Tunnel Diagnostic Commands Select one of theVPN HiveAPs X-A-HiveAP Click ToolsDiagnostics Show IPSec SA Note: It is clear to see that a VPN is functional if you see the tunnel from the MGT0 IP of the VPN client to the (NAT) Address of the MGT0 of the VPN Server, and the reverse. Both use different SAs (Security Associations) – State: Mature 118 2008 Confidential 2010 Diagnostics Show IKE Event Click Tools Diagnostics Show IKE Event If you see that phase 1 failed due to a certificate problem – Check the time on the HiveAPs • show clock • show time – Ensure you have the correct certificates loaded on the HiveAPs in the VPN services policy 119 2008 Confidential 2010 LAB: Assign HiveAPs to VPN Roles 8. HiveAP VPN Topology You can view the VPN topology by going to: Configuration Advanced Configuration Security Policies VPN Services – Click View for your VPN – If you move your mouse over the HiveAP icons you can see how long the tunnel has been established – If the icons are green, the tunnel is established – If the icons are red, the tunnel is down 120 2008 Confidential 2010 VPN Topology Example Here is an example of a VPN topology with 12 HiveAP VPN clients and two HiveAP VPN servers for tunnel load sharing and redundancy 121 2008 Confidential 2010 Testing Your VPN Access With 802.1X Client (Supplicant) Using Microsoft XP 122 2008 Confidential 2010 If Your Remote PC IS Connected From the Previous Lab Note: If you have not set up your 802.1X supplicant on the hosted client PC, please refer to the 802.1X section earlier in this training Disconnect from: Class-802.1X-X Then reconnect to: Class-802.1X-X Make sure you can connect 123 2008 Confidential 2010 Verify Status of Wireless Client And VPN Connection from PC Once your wireless client is connected to Class-802.1X-X Verify your IP address by opening a command prompt and typing ipconfig /all If the Ethernet adapter Wireless Network Connection is set to: 10.8.20.N – Then you are connected through the tunnel to VLAN 20 – Great Job!!! 124 2008 Confidential 2010 Test your hosted PCs VPN Connection From your hosted PC, open a browser and connect to: http://10.8.20.150 If this works, your hosted PC is going though the VPN on VLAN 20 125 2008 Confidential 2010 Check Status of Wireless Client From MonitorClientsActive Clients – Locate the client on the remote hosted PC, and see if it is connected with a 10.8.20.N IP address 126 2008 Confidential 2010 To View the XAUTH Credentials Xauth credentials are automatically assigned to HiveAP VPN clients that are assigned to this VPN services policy 127 Go to Configuration Advanced Configuration Security Policies VPN Services If an AP gets lost or stolen, you can remove the credential and push the configuration to the HiveAP VPN server – That will prevent the VPN client from building a tunnel to the VPN server You can also generate new credentials and push them out to the HiveAP VPN servers and clients 2008 Confidential 2010 VPN Lab Clean-up Please remote the VPN tunnel configuration from the Employee(10) User Profile and change the VLAN before continuing to the next labs 128 2008 Confidential 2010 Lab: VPN Lab Cleanup 1. Change VLAN and Disable Tunnel From Configuration User Profiles Select your Employee(10)-X user profile Set the default VLAN to: 10 Under Optional Settings GRE or VPN Tunnels – Set the option for: No tunnel Click Save Note: We do not need to update the configuration at this time. You will update the configuration in the next lab. 129 2008 Confidential 2010 Lab: VPN Lab Cleanup 2. Remove Tunnel Roles from HiveAPs From Monitor Access Points HiveAPs Select the check box next to both of your HiveAPs – X-A-###### – X-B-###### Set VPN Service Role: None Click Save 130 2008 Confidential 2010 HiveAP Classification Examples To Simplify the WLAN Policy Configuration When Different Settings for HiveAPs are Needed at Different Locations 2008 Confidential 2010 Question: How do define a single WLAN policy, but configure different settings? Area-X L2-Switch L2-Switch DMZ-X Router HiveAP Device Settings HiveAP Device Settings Interface mgt0: 10.8.1.X Classification Tag: DMZ WLAN Policy: WLAN-X MGT0 VLAN: 1 Interface mgt0: 10.5.2.? Classification Tag: Area-1 WLAN Policy: WLAN-X MGT0 VLAN: 2 132 For example, in the WLAN policy, you can only define one MGT interface VLAN But if the HiveAPs are in different networks with different MGT0 VLANs, what can you do? 2008 Confidential 2010 Answer: HiveAP Classification Define an Object That is Variable HiveAP Classification Tag Settings: HiveAP 1 Configuration HiveAP 2 Configuration This WLAN policy is assigned to HiveAP 1 and HiveAP 2: VLAN Object Definition 133 2008 Confidential 2010 HiveAP Classification Tag Selection If you specify multiple tags on a HiveAP, make sure the object is defined to match VLAN Object Definition HiveAP 1 Configuration HiveAP 2 Configuration If you want to make this VLAN object match all HiveAPs in HQ, you must define Tag 1 as: HQ, but uncheck Tag 2 and Tag 3 so they will be ignored If you do not uncheck Tag 2 and Tag 3, you will have to match all three tags on each HiveAP 134 2008 Confidential 2010 Object That Support HiveAP Classification Objects that support HiveAP classification – IP/Hostname Objects – MAC Addresses/OUIs – VLANs – User Profile Attribute Groups These objects can be configured once, but the values assigned to the HiveAP change based on the HiveAPs – Topology Map – Classifier Tag – IP Address – Hostname 135 2008 Confidential 2010 HiveAP Classification Types VLANs, IP Address Objects, MAC Address objects, and User Profile Attribute groups can have classification rules based on: – Map Name • Uses topology maps – HiveAP Name – Classifier Tag • Requires tags are defined in the configuration of HiveAPs – Global • Selected if no match is found for any of the other types You can mix and match, the first matching rule is used – Global is checked as the last match even if it is defined first 136 2008 Confidential 2010 WLAN Policy Example 1 - PSK Using Classification Tags for VLANs Inside L2-Switch L2-Switch DMZ Router HiveAP Device Settings HiveAP Device Settings Interface mgt0: 10.8.1.X Classification Tag: DMZ WLAN Policy: WLAN-X MGT0 VLAN: 1 Interface mgt0: 10.5.2.? Classification Tag: Inside WLAN Policy: WLAN-X MGT0 VLAN: 2 VLAN Object: X-MGT0-VLANs WLAN Policy: WLAN-X VLAN ID: 2 Type: Classifier Tag Value: Tag 1: HQ Tag 2: Bldg1 Tag 3: Trusted VLAN ID: 1 Type: Global MGT0 VLAN: X-MGT0-VLANs Native VLAN: 1 * Global VLAN is set, but it will not be used in this lab 137 2008 Confidential 2010 Lab: HiveAP Classification 1. Assign Classification Tag to HiveAP-A From MonitorHiveAPs – Select the check box next to your HiveAP-A X-A-###### and click Modify Expand Advanced Settings | HiveAP Classification | Enter a value: Tag 1 – HQ Tag 2 – Bldg1 Tag 3 – Trusted .. Note: You change these settings for a group of HiveAPs if you select multiple HiveAPs before editing them Click Save 138 2008 Confidential 2010 Lab: HiveAP Classification 2. Assign Classification Tag to HiveAP-B From MonitorHiveAPs – Select the check box next to your HiveAP-B X-B-###### and click Modify Expand Advanced Settings | HiveAP Classification | Enter a value: Tag 1 – HQ Tag 2 – Bldg1 Tag 3 – DMZ .. Note: You change these settings for a group of HiveAPs if you select multiple HiveAPs before editing them Click Save 139 2008 Confidential 2010 Lab: HiveAP Classification 3. In your WLAN Policy Create a New VLAN The VLAN for the MGT0 interface on a HiveAP is assigned via the WLAN policy Go to ConfigurationWLAN Policies Edit WLAN-X Next to MGT interface VLAN, Click + Go to Next Slide 140 2008 Confidential 2010 Lab: HiveAP Classification 4. Create a VLAN Policy for MGT0 VLANs .. VLAN Name: X-MGT0-VLANs – VLAN ID: 2 – Type: Classifier – Value: • Uncheck Tag 1: <empty> • Uncheck Tag 2: <empty> • Check Tag 3: Trusted – Click Apply (Do not save) Click New – VLAN ID: 1 – Type: Global – Click Apply Note: HiveAPs in the DMZ use VLAN 1, which will match the global define here Save your VLAN object 141 2008 Confidential 2010 Lab: HiveAP Classification 5. Assign MGT0 Interface VLAN to New VLAN In your WLAN Policy, verify the MGT0 Interface VLAN is set to: X-MGT0-VLANs The Native (untagged) VLAN should still be set to: 1 Save your WLAN Policy 142 2008 Confidential 2010 Lab: HiveAP Classification 6. View Configuration Audit Click the mismatch icon for your HiveAP-A to see the configuration changes You should see that the MGT0 interface is being set to VLAN 2 If you click the mismatch icon for HiveAP-B, you will not see a change in the VLAN, because it is already set to use VLAN 1 143 2008 Confidential 2010 Lab: HiveAP Classification 7. Update Delta Configuration From MonitorHiveAPs Select both of your HiveAPs X-A-HiveAP X-B-HiveAP Select Update... Upload and Activate Configuration If you want to see the delta configuration, click the link for your HiveAP – Close the View Configuration window after viewing the delta configuration changes Click Upload Click HiveAP link to view delta configuration 144 2008 Confidential 2010 Lab: HiveAP Classification 8. View Update Results After a successful update, you can move your mouse over the Description to see what was updated 145 2008 Confidential 2010 Lab: HiveAP Classification 9. View the New IP Address for your HiveAP From MonitorHiveAPs – Verify that the new IP address for your HiveAP is in the subnet: 10.5.2.0/24 Note: It may take up to a moment to reflect the changes New IP Address in VLAN 2 146 2008 Confidential 2010 HiveAP Classification Example 2008 Confidential 2010 Using Classification Tags for VLANs Example Area-1 Student Client HiveAP VLAN: 2 User VLANs: 3 - 5 Area-2 L2-Switch L2-Switch HiveAP VLAN: 6 User VLANs: 7 - 9 Router Student Client 10.1.7.10 10.1.3.10 HiveAP Device Settings HiveAP Device Settings Interface mgt0: DHCP-Client Classification Tag: Area-2 WLAN Policy: Campus-Policy Interface mgt0: DHCP-Client Classification Tag: Area-1 WLAN Policy: Campus-Policy WLAN Policy Settings: Campus-Policy VLAN Network Objects VLAN-HiveAPs Classifier Tag: Classifier Tag: VLAN-Students Classifier Tag: Classifier Tag: VLAN-Faculty Classifier Tag: Classifier Tag: VLAN-Voice Classifier Tag: Classifier Tag: Area-1 – VLAN 2 Area-2 – VLAN 6 Area-1 – VLAN 3 Area-2 – VLAN 7 Area-1 – VLAN 4 Area-2 – VLAN 8 Area-1 – VLAN 5 Area-2 – VLAN 9 * Set global VLAN must be set, but it will not be used Hive: Hive-Campus MGT0 VLAN: VLAN-HiveAPs Native VLAN: 1 SSID1: Student-WiFi Network Security: WPA/WPA2 With PSK TKIP or AES SSID 2: Faculty-WiFi Network Security: WPA/WPA2 With PSK TKIP or AES SSID 2: Voice-WiFi Network Security: WPA/WPA2 With PSK TKIP or AES 148 User Profile: Attribute: Tunnel Policy: VLAN User Profile: Attribute: Tunnel Policy: VLAN : User Profile: Attribute: Tunnel Policy: VLAN : Students 100 L3-Roaming VLAN-Students Faculty 101 L3-Roaming VLAN-Faculty Voice 102 L3-Roaming VLAN-Voice 2008 Confidential 2010 HiveAPs as RADIUS Servers 149 2008 Confidential 2010 Local User Database 150 2008 Confidential 2010 LAB: Create Local User Database Used for IEEE 802.1X and for Captive Web Portal Authentication The local user database is used as a primary or backup user store for the HiveAP RADIUS server for IEEE 802.1X EAP-PEAP, EAP-TTLS, or EAP-TLS authentication It is highly beneficial for branch or small office deployments that require a local user database The local user database can also be used as a backup to authentication with Active Directory If the Active Directory service is unavailable, the local database can automatically be used 151 2008 Confidential 2010 LAB: HiveAP as RADIUS Server 1. Create a Local User Group As a theft protection mechanism, if Save in DRAM only is selected, the user database will be erased if the AP is powered off or rebooted and it will automatically get it from HiveManager. Go to ConfigurationAdvanced Confguration AuthenticationLocal User Groups and click New User Group Name: group(10)-0X (X is 2 digits=01, 02, .. , 14, 15) User Attribute: 10 VLAN ID: <Leave blank, will inherit from user profile> Re-auth Time: 1800 Click Save 2008 152 Confidential 2010 LAB: HiveAP as a RADIUS Server 2. Manually Create a Local User Go to ConfigurationAdvanced Configuration AuthenticationLocal Users and click New User Group: group(10)-0X Entering a description makes it Username: user-X easier to filter/search for users in the user list. For example, later Password: aerohive123 you will filter on “0X-rad” to find Confirm Password: aerohive123 all the users you have created Description: 0X-rad and imported in this lab. Click Save 153 2008 Confidential 2010 LAB: HiveAP as a RADIUS Server 3. Prepare your user file to import From the list of files you downloaded from the instructor, locate and edit your Company-X-radius-users.csv file. (You can edit with a spreadsheet program or notepad) Modify the first user entry and make up a username and enter your real email address so that you can send yourself the PSK Save the file (The file must end with .csv) user login name User Type 1 = RADIUS User User Group Name Set the passwords for the user accounts Description Lines that start with a # are commended out 154 2008 Confidential 2010 LAB: HiveAP as a RADIUS Server 4. Import your user list file Go to ConfigurationAdvancedConfiguration AuthenticationLocal Users Click Import Browse for your modified RADIUS user list file in .csv format Click Import Please make sure you are in local users, NOT local user groups Make sure you do not have any errors and ensure all 5 users were imported 2008 Confidential 2010 LAB: HiveAP as a RADIUS Server 5. Use the filter to find your users Apply a filter to view your Private PSK users Go to ConfigurationAuthenticationLocal Users Click Filter Enter the first part of the description: 0X-rad (Where 0X is your two digit student ID 02 -15) Click Search Go to next slide 156 2008 Confidential 2010 LAB: HiveAP as a RADIUS Server 6. View your list of RADIUS user accounts Here you can see the user you created as well as the users you imported from the CSV file Later, the user group will be assigned to a RADIUS server on a HiveAP The HiveAP will be able to authenticate all the users in the user groups assigned to the HiveAP RADIUS server using IEEE 802.1X/EAP or authenticated Captive web portal 157 2008 Confidential 2010 Create SSID Using WPA/WPA2 Enterprise (802.1X) Using a RADIUS User Database on a HiveAP for Authentication 158 2008 Confidential 2010 LAB: HiveAP as a RADIUS Server With 802.1X/EAP SSID Diagram Internet Student-X VLANs 1-20 Connect to SSID: Class-802.1X-X IP: 10.5.10.N/24 Gateway: 10.5.10.1 AD DHCP Server: 10.5.1.10 Mgt0 IP: 10.5.2.N/24 VLAN 2 RADIUS Server WLAN Policy: WLAN-X SSID: Class-802.1Xb-X Authentication: WPA or WPA2 Personal Encryption: TKIP or AES User Profile 1: Employee(10)-X Attribute: 10 (RADIUS Attribute Returned) VLAN: 10 User Profile 2: (Employee-Default) Attribute: 1000 (No RADIUS Attribute Returned) VLAN: 8 159 DHCP Settings: (VLAN 1) network 10.5.1.0/24 10.5.1.140 – 10.5.1.240 (VLAN 2) network 10.5.2.0/24 10.5.2.140 – 10.5.2.240 (VLAN 8) network 10.5.8.0/24 10.5.8.140 – 10.5.8.240 (VLAN 10) network 10.5.10.0/24 10.5.10.140 – 10.5.10.240 2008 Confidential 2010 LAB: HiveAP as a RADIUS Server 1. Edit your WLAN Policy and Add SSID Profile An 802.1X capable SSID and related settings can be configured from your WLAN Policy Go to Configuration WLAN Policies Edit WLAN-X Under SSID Profiles click Add/Remove SSID Profile Create a new SSID Profile – Click + Go to Next Slide 160 2008 Confidential 2010 LAB: HiveAP as a RADIUS Server 2. Configure SSID and RADIUS Server Profile Name: Class-802.1X-Xb SSID: Class-802.1X-Xb SSID Access Security – Select: WPA/WPA2 802.1X (Enterprise) Next to RADIUS Server – Click + Go to Next Slide 161 2008 Confidential 2010 LAB: HiveAP as a RADIUS Server 3. Define Settings for HiveAP RADIUS Server Select the radio button for HiveAP RADIUS server Note: Defining RADIUS within an SSID, instead of defining the profile objects separately before modifying the SSID, has the advantage of automatically creating two profiles, a AAA Client Settings profile, and a HiveAP AAA Server Settings profile, and it ensures they are configured correctly for each other 162 Profile Name: AP-RADIUS-X Primary RADIUS Server: 10.5.2.X | Available Local User Groups | – Select your user group(10)-X and click the > button to move it to the Selected Local User Groups Click Apply Do not save – go to next slide 2008 Confidential 2010 LAB: HiveAP as RADIUS Server 4. Assign user profiles and save 163 The RADIUS Server should now be set to: AP-RADIUS-X Under User Profiles for Traffic Management – User profile assigned if no attribute is returned: Employees(1000) – User profile assigned via attributes returned from RADIUS... select: Employee(10)-X Note: If you have multiple groups assigned to the HiveAP RADIUS server, each group can assign a different user profile attribute, and therefore in that case, you can define more user profiles here. Click Save 2008 Confidential 2010 LAB: HiveAP as RADIUS Server 5. Remove Existing SSID and Add New SSID To clean up the air in the data center, remove all other SSID profiles from the selected SSID profiles list using the << button – You should have no SSID Profiles listed under the Selected SSID Profiles list From the Available SSID Profiles, select Class-802.1X-Xb and use the > button to move it to the Selected SSID Profiles List Click Apply ---- Please, please, please click apply! Then Save your WLAN policy 164 2008 Confidential 2010 LAB: HiveAP as a RADIUS Server 6. View Certificate Assigned to RADIUS Server Go to Configuration Advanced Configuration Authentication HiveAP AAA Server Settings Modify your RADIUS Server Object: AP-RADIUS-X Note: By default, the HM-DefaultServer Cert and Key are selected which works if you did not create a new HiveAP root CA certificate. In an earlier lab, a new HiveManager Root CA certificate was created, therefore the default certificates signed by the old HiveManager Root CA key will no longer work. Do not save – go to next slide 165 2008 Confidential 2010 LAB: HiveAP as a RADIUS Server 7. Change Certificate Used by RADIUS Server Assign your AAA RADIUS Server to use: – CA Cert File: AerohiveHMCA.pem – Server Cert File: HiveAP-X_key_cert.pem – Server Key File: HiveAP-X_key_cert.pem Note: The key and cert were generated as a combined certificate in an earlier lab. – Key File Password: aerohive123 – Confirm Password: aerohive123 Save the RADIUS Server profile 166 2008 Confidential 2010 LAB: HiveAP as a RADIUS Server 8. Configure a Static IP for the RADIUS HiveAP Go to Access PointsManaged HiveAPs and Modify your HiveAP-A: X-A-###### Under Optional Settings – Expand Interface and network settings • Uncheck [ ] DHCP client Enable • IP Address: 10.5.2.X • Netmask:255.255.255.0 • Gateway: 10.5.2.1 Note: This lab assumes the HiveAP MGT0 interface is in VLAN 2, which was assigned in the previous HiveAP classification lab Click Save 167 2008 Confidential 2010 LAB: HiveAP as a RADIUS Server 9. Assign HiveAP to be RADIUS Server Assign the RADIUS Server Object to the HiveAP designated as the RADIUS server Under Optional Settings, expand Service Settings Set HiveAP RADIUS service to: AP-RADIUS-X Remove the VPN Service Role by setting to: None Otherwise RADIUS traffic may be tunneled from settings in previous labs. Click Save 168 2008 Confidential 2010 LAB: HiveAP as a RADIUS Server 10. Update Delta Configuration and RADIUS Certs From MonitorHiveAPs Select both of your HiveAPs X-A-HiveAP X-B-HiveAP Select Update... Upload and Activate Configuration If you want to see the delta configuration, click the link for your HiveAP – Close the View Configuration window after viewing the delta configuration changes Click Upload Click HiveAP-A link to view delta configuration 169 2008 Confidential 2010 LAB: HiveAP as a RADIUS Server 11. Update Delta Configuration and RADIUS Certs After a successful update, you can move your mouse over the description to see what was updated – Here you should see that the AAA Certificates and Keys, the user database, and the Configuration have been updated 170 2008 Confidential 2010 Client Access Preparation Distributing CA Certificates to Wireless Clients 171 2008 Confidential 2010 LAB: Export the HiveManager CA Root Certificate on the Remote PC 172 Note: The HiveManager Root CA certificate should be installed on the client PCs that will be using the RADIUS service on the HiveAPs for 802.1X authentication From the VNC connection to the student PC, open a connection to: https://hivemanager Login with: adminX password: aerohive123 Go to Configuration Keys and Certificates Certificate Mgmt Select AerohiveHMCA.pem Click Export 2008 Confidential 2010 LAB: Export the HiveManager CA Root Certificate Add .cer extension to the end of the file name so it can be recognized by windows 173 Select a directory on your remote PC to export the AerohiveHMCA.pem certificate Rename the extension of the AerohiveHMCA.pem file to AerohiveHMCA.pem.cer. – This way, the certificate will automatically be recognized by Microsoft Windows 2008 Confidential 2010 LAB: Install AerohiveHMCA Certificate on Wireless Client PC Find the file that was just exported to your client PC Double-click the certificate file Click Install Certificate Issued to: hm-training.ahdemo.local This is the name of the certificate if you wish to find it in the certificate store, or if you want to select it in the windows supplicant PEAP configuration. 174 2008 Confidential 2010 LAB: Install AerohiveHMCA Certificate on Wireless Client PC In the certificate install wizard window click Next Click Automatically select the certificate store based on the type of certificate Click Next If prompted, click OK on the Do you want to install this certificate message Click Finish 175 2008 Confidential 2010 LAB: Verify AerohiveHMCA Certificate is Valid If you double-click the certificate now, if you go to the Certification Path tab, you will see that the certificate is OK You can also check the Valid From date in the Details tab – If the date on the HiveManager is wrong, or has the wrong time zone, this date may be invalid 176 2008 Confidential 2010 Configuring and Testing Your 802.1X Supplicant For Microsoft XP and Vista Supplicants 177 2008 Confidential 2010 Lab: Testing 802.1X to HiveAP RADIUS 1. Connect to Class-802.1X-Xb SSID From the wireless client on the hosted PC – Click Class-802.1X-Xb – Click Connect ***This connection will fail, but it will create an SSID on the client that you can modify to edit the settings to change the auth from smart card or other certificates to Protected EAP 178 2008 Confidential 2010 Lab: Testing 802.1X to HiveAP RADIUS 2. Configure 802.1X Supplicant (802.1X Client) View your Wireless Connections then click to Change advanced settings In the Wireless network properties window enter the following: – Change EAP Type to: Protected EAP (PEAP) Click OK 179 179 2008 Confidential 2010 Lab: Testing 802.1X to HiveAP RADIUS 3. Enter credentials for 802.1X Note: Because we are using VPN, the “Enter Credentials” window most likely will not appear. Click the wireless icon once and the window should appear. You may have to move the Wireless network connection window out of the way if it is on top. Enter the user name: user-X Password: aerohive123 Click OK Wait a second then click the wireless icon again Click OK to validate the certificate c vcv Because of the VNC connection Click here for the credentials window to appear. You may have to try several times. 180 2008 Confidential 2010 Lab: Testing 802.1X to HiveAP RADIUS 4. Verify that you are connected to the SSID Your Client will connect to the Class-802.1X-Xb SSID 181 2008 Confidential 2010 Lab: Testing 802.1X to HiveAP RADIUS 5. View Active Clients After associating with your SSID, you should see your connection in the active clients list in HiveManager – Go to MonitorClientActive Clients User Name: user-X BSSID: <The MAC address for your AP’s SSID> VLAN: 10 User Profile Attribute: 10 182 2008 Confidential 2010 Client Monitor Example of an invalid user account Shows IP of RADIUS server SSL negotiation uses the RADIUS server certificate At this point you know the aaa certificates were installed correctly and the server certificate validation done by the client passed The user is not in the user database. View the AAA server settings and ensure the correct user group is selected, and the HiveAP is a RADIUS server. Then update the configuration of the HiveAP. 183 2008 Confidential 2010 RADIUS Test Built Into HiveManager To test a RADIUS account Go to ToolsRADIUS Test RADIUS Server: 0X-A-###### HiveAP RADIUS Client: 0X-A-###### Select RADIUS authentication server Username: user-X Password: aerohive123 Click Test .. The user is not in the user database. View the AAA server settings and ensure the correct user group is selected, and the HiveAP is a RADIUS server. Then update the configuration of the HiveAP. After fixing the problem and running the test again, the authentication was successful 184 2008 Confidential 2010 HiveAP RADIUS Server With Active Directory Integration 185 2008 Confidential 2010 Create a New Active Directory Administrator–(Instructor Only) On Windows 2003 AD Server In your domain, select Users, right click and select NewUser Note: The name used in this example is not relevant, you can use any name First Name: HiveAP Last Name: Admin Full Name: HiveAP Admin User Logon: hiveapadmin @ahdemo.local Click Next 186 2008 Confidential 2010 Create a New Active Directory HiveAP Administrator –(Instructor Only) Enter a Password: Aerohive1 Confirm Password: Aerohive1 Uncheck User must change password at next login Uncheck User cannot change password Check Password never expires Uncheck Account is disabled Click Next Click Finish 187 2008 Confidential 2010 HiveAP Administrator Group Membership If you view the HiveAP Admin properties, you can see that the HiveAP Admin only needs to be a member of Domain Users 188 2008 Confidential 2010 Optionally Create an Organizational Unit Where HiveAPs Can Be Added In order for HiveAPs to authenticate users with Active Directory, each HiveAP will be dynamically added to the domain as a computer In order to organize the domain, you can create an organization unit (OU) where HiveAPs can be added Select your domain ahdemo.local right click and select NewOrganizational Unit Enter a name: Wireless then click OK 189 2008 Confidential 2010 Optionally Create Organizational Units Where HiveAPs Can Be Added Optionally you can create more OUs (sub directories) to further organize the wireless networking Select the Wireless OU Right click and select: NewOrganizational Unit Enter a name: HiveAPs Click OK – This will be used as the computer store for HiveAPs 190 2008 Confidential 2010 Delegate Control of Wireless OU to the HiveAP Admin (INSTRUCTOR ONLY) Right Click the Wireless OU and select Delegate Control... 191 2008 Confidential 2010 Delegate Control of Wireless OU to the HiveAP Admin Welcome to the Delegation of Control Wizard – Click Next Users or Groups – Add HiveAP Admin – Click Next 192 2008 Confidential 2010 Delegate Control of Wireless OU to the HiveAP Admin Select Create a custom task to delegate Click Next 193 2008 Confidential 2010 Delegate Control of Wireless OU to the HiveAP Admin For Active Directory Object Type – Select Computer Objects and leave the rest of the default settings – Check Create selected objects in this folder – Click Next For Permissions – Check Read – Check Write – And leave the rest of the default settings Click Next 194 2008 Confidential 2010 Delegate Control of Wireless OU to the HiveAP Admin Click Finish 195 2008 Confidential 2010 Configure Active Directory Settings 196 2008 Confidential 2010 Lab: AD Settings Configuration 1. Configure AD Settings From Configuration Advanced Configuration Authentication AAA User Directory Settings Note: In 3.5r1, this header was called AAA Server Settings 197 Click New Name: AD-X Select: Active Directory Active Directory Server: 10.5.1.10 Domain: AHDEMO Full Name: ahdemo.local BindDN Name: [email protected] BindDN Password: Aerohive1 Go to next slide 2008 Confidential 2010 Lab: AD Settings Configuration 2. Configure AD Settings - Continued Admin User Name: (Leave Empty for Class) Note: This step is optional from HiveManager. This step can be performed directly from the HiveAP if someone is security conscious about storing an Administrator password for Active Directory in HiveManager. The screen shot had it filled in so you can see the syntax Computer OU: Wireless/HiveAPs Note: The HiveAP Admin was given access to this OU Click Save 198 2008 Confidential 2010 Lab: AD Settings Configuration 3. Configure HiveAP RADIUS with AD Settings Go to Configuration Advanced Configuration Authentication HiveAP AAA Server Settings Modify AP-RADIUS-X Uncheck Local Database, Under Optional Settings, expand Database Access Settings Check Active Directory Select AD-X with priority: Primary Click Apply …Please make sure you click apply Click Save 199 2008 Confidential 2010 SSID for 802.1X Using HiveAP RADIUS with AD Integration 200 2008 Confidential 2010 LAB: HiveAP RADIUS w/ AD Integration 1. Edit your WLAN Policy and Add SSID Profile An 802.1X capable SSID and related settings can be configured from your WLAN Policy Go to Configuration WLAN Policies Edit WLAN-X Under SSID Profiles click Add/Remove SSID Profile Under Available SSID Profiles – Click + Go to Next Slide 201 2008 Confidential 2010 LAB: HiveAP RADIUS w/ AD Integration 2. Configure SSID and Create RADIUS Server Profile Name: Class-802.1X-Xc SSID: Class-802.1X-Xc SSID Access Security – Select: WPA/WPA2 802.1X (Enterprise) Next to: Select RADIUS Servers for 802.1X…. – Select: AP-RADIUS-X (Defined in a previous lab) Go to Next Slide 202 2008 Confidential 2010 LAB: HiveAP RADIUS w/ AD Integration 3. Assign user profile settings Specify User Profile assigned if not attribute is returned from RADIUS after successful authentication: Employees(1000) (This user profile was created by the Instructor) Specify User Profiles assigned via attributes returned from RADIUS after successful authentication: Employee(10)-X Click Save Go to Next Slide 203 2008 Confidential 2010 LAB: Secure WLAN Access With 802.1X 5. Remove Existing SSID and Add New SSID To clean up the air in the data center, remove all other SSID profiles from the selected SSID profiles list using the << button – You should have no SSID Profiles listed under the Selected SSID Profiles list From the Available SSID Profiles, select Class-802.1X-X and use the > button to move it to the Selected SSID Profiles List Click Apply ---- Please please, please click apply! Go to Next Slide 204 2008 Confidential 2010 LAB: Secure WLAN Access With 802.1X 6. Verify Configuration and Save WLAN Policy Verify the SSID: Class-802.1X-Xc is listed under the SSID profiles and that your SSID is mapped to two different user profiles: Employees(1000) and Employee(10)-X Please make sure you have NTP Server settings defined under in the Management Server Settings section Click Save 205 2008 Confidential 2010 LAB: Secure WLAN Access With 802.1X 7. Update delta configuration of your HiveAP From MonitorHiveAPs Select your HiveAP X-A-HiveAP Select Update... Upload and Activate Configuration If you want to see the delta configuration, click the link for your HiveAP – Close the View Configuration window after viewing the delta configuration changes Click Upload Click HiveAP link to view delta configuration 206 2008 Confidential 2010 Optional: Verify HiveAP RADIUS Service From the CLI of the HiveAP If you want to verify the RADIUS server status on your HiveAP From the CLI of your HiveAP type: show aaa radius-server Take a look to see if the settings look similar to the settings displayed on the right 01-A-008b40# show aaa radius-server All local RADIUS server parameters: RADIUS-server: Enabled port: 1812 Station-auth type: tls peap ttls leap CA: AerohiveHMCA.pem server-cert: HiveAP-1_key_cert.pem private-key: HiveAP-1_key_cert.pem private-key-password: Encrypted remote retry period: 30 secs local check period: 300 secs ldap retry interval: 600 secs primary active directory (active): admin user: server: 10.5.1.10 computers OU: Wireless/HiveAPs default domain info: netBOIS name ahdemo full domain name: ahdemo.local bindDN: [email protected] 207 2008 Confidential 2010 Optional: Verify HiveAP Time From the CLI of the HiveAP From CLI of HiveAP # show time Timezone: GMT-8 # show clock 2009-04-16 14:30:45 Thursday 208 2008 Confidential 2010 Joining HiveAPs to Active Directory Computer OU = Wireless/HiveAPs From the AD server, you can go to Active Directory Users and Computers and see when the HiveAP joins the domain If you specify an Active Directory administrator account in the AAA User Directory Settings, then the HiveAP will automatically add itself to the domain If you did not specify an Active Directory administrator, you will have to manually add your HiveAP to the domain much like you would do with a computer Click Refresh Select the computer OU you specified in the AAA User Directory Settings 209 2008 Confidential 2010 LAB: Secure WLAN Access With 802.1X 8. Join HiveAP RADIUS Server to Domain Run the following test to join your HiveAP RADIUS server to the Active Directory Domain Go to Tools AD/LDAP Test Select RADIUS Server: X-A-###### Select Test joining the HiveAP to an Active Directory domain Select Active Directory Domain: Primary User Name: hiveapadmin Password: Aerohive1 Click Test Here you can see that the HiveAP is joined to the domain 210 2008 Confidential 2010 Alternative: Join HiveAP RADIUS Server to Domain using the HiveAP CLI 02-A-064200# exec aaa net-join primary username hiveapadmin password Aerohive1 (Note: The password will be hidden when typing ) Exec-Program output: Joined '02-A-064200' to server 'ahdemo.local' successful (NT_STATUS_OK) If you have problems joining your AD server, you may need to enter the Administrator account credentials to join the HiveAP to the domain Go to the Wireless/HiveAPs OU to see the HiveAP added as a computer in the domain. You may have to refresh the screen to see the HiveAP appear after joining the HiveAP to the domain. 211 2008 Confidential 2010 Troubleshooting – Joining a HiveAP to a Domain Possible Cause: The Administrator does not have privileges to add a computer/HiveAP to this OU Solution: Use an Administrator with more privileges Possible cause: The HiveAP was previously added to a different OU, and this administrator does not have privileges to remove the other entry Action: Delegate administration of this OU to allow the selected administrator to add computers to this OU Here you can see that the HiveAP has failed to join the domain 212 2008 Confidential 2010 Troubleshooting – Joining a HiveAP to a Domain Possible Cause: The NTP Server settings have not been configured on the HiveAP Solution: Configure the NTP Server settings by going to your WLAN Policy Management Services NTP Server Here you can see that the HiveAP time is not accurate 213 2008 Confidential 2010 LAB: Secure WLAN Access With 802.1X 9. Test the user account for your hosted PC Select RADIUS Server: X-A-###### Select Test HiveAP credentials for Active Directory Integration User Name: user Password: Aerohive1 Click Test Kerberos authentication passed for the user 214 2008 Confidential 2010 Note for Classroom Environment 802.1X Supplicant Configuration The first time you try to connect to your SSID, the connection will fail because Windows XP defaults to use Smart Card and Other Certificate instead of PEAP X 215 2008 Confidential 2010 LAB: Secure WLAN Access With 802.1X 10. Configure Supplicant From the hosted PC, connect to the Class-802.1X-Xc SSID Wait a few seconds while the supplicant tries to validate identity 1. Click Change advanced settings 2. Select tab – Note: This will fail because windows XP uses Smart Card or Other Certificates instead of PEAP To configure the network for PEAP, click Change advanced settings Click the Wireless Networks tab Double-click the SSID: Class-802.1X-Xc Click the Authentication tab 4. Select tab 3. Double-click 216 2008 Confidential 2010 LAB: Secure WLAN Access With 802.1X 11. Configure supplicant to use PEAP Select Protected EAP (PEAP) For the EAP type, select Protected EAP (PEAP) Click Properties to see that you have enabled Validate the server certificate Also, if click Configure... next to the authentication method, you can see that the client will automatically use the Windows logon name and password that was entered to log into the computer Click OK until you have saved and existed from the supplicant configuration 217 2008 Confidential 2010 LAB: Secure WLAN Access With 802.1X 12. Connect to SSID and Validate Certificate 1. Click your SSID to connect 3. Click OK 2. Because of VNC, you will have to click your mouse once on the wireless icon to see the Validate Certificate pop up 218 Connect to your SSID Because VNC is used, the pop up windows may not appear, click once on the wireless icon to get the Validate Certificate pop-up window Click OK Your client should now connect to the SSID 2008 Confidential 2010 LAB: Secure WLAN Access With 802.1X 13. View Active Client to Verify User Profile Once you are connected, you can view the active clients list to see your user profile and VLAN information Go to MonitorClientsActive Clients Note the user profile is the user profile assigned for the SSID if no RADIUS attribute is returned – User Profile: 1000 – VLAN: 8 – IP Address: 10.5.8.# In the next lab you will learn how to change the user profile for users in different Active Directory groups 219 User Profile Attribute Value 2008 Confidential 2010 Mapping Active Directory memberOf Attribute to User Profiles 220 2008 Confidential 2010 HiveAP as a RADIUS Server Using AD Member Of for User Profile Assignment Internet Employee David VLANs 1-20 AD DHCP Server: 10.5.1.10 Connect to SSID: Corp-802.1X HiveAP RADIUS Server SSID: Corp-802.1X User Profile Attribute VLAN FW Policy Employee-CEO 100 11 No restriction Employee-IT 110 10 No restriction Employee-Sales 120 8 Limited access HiveAP RADIUS Server Settings Local User Group User Profile Attribute CEO-Staff 100 IT-Staff 110 Sales 120 2. The Member Of must match a user group, which assigns the user profile attribute for the SSID 221 1. After validating the user credentials, the AD server returns the list of a users AD groups via the Member Of attribute to the HiveAP RADIUS server 2008 Confidential 2010 HiveAP as a RADIUS Server Using AD Member Of for User Profile Assignment In your WLAN policy, you defined an SSID with two user profiles – Employees(1000) – Set if no RADIUS attribute is returned • This use profile for example is for general employee staff, and they get assigned to VLAN 8 – Employee(10)-X – Set if a RADIUS attribute is returned • This user profile for example is for privileged employees, and they get assigned to VLAN 10 Because the HiveAP RADIUS server is using AD to authenticate the users, and AD does not return RADIUS attributes, how can we assign users to different user profiles? Though AD does not return RADIUS attributes, it does return other attribute values, like memberOf which is a list of AD groups to which the user belongs 222 2008 Confidential 2010 Instructor Only: Confirm User is a member of the Employee Groups Right click the username “user” and click Properties Click on the Member Of tab The user account “user” should be assigned to all the groups for all the students in class Employee-1 Employee-2 .. Empoloyee-15 Click OK 223 2008 Confidential 2010 REFERENCE: debug radiusd Shows the memberOf attributes returned When the user authenticates, the Active Directory server will return each of the user groups and if the RADIUS server has a matching group, the user will be assigned a user profile based on the user profile defined in the matching user group Note: For the lab coming up next, every PC is logged in as “user”, but each student has their own HiveAP RADIUS server with only one user group defined, which will match one of the member Of groups returned Debug output during client authentication shows member Of... 2010-04-28 12:36:58 debug auto shared-secret 2570*, NAS 10.5.2.2, RADIUS srv 10.5.2.2 2010-04-28 12:36:58 debug rlm_ldap: performing user authorization for AHDEMO\user 2010-04-28 12:36:58 debug rlm_ldap: (re)connect to 10.5.1.10:389, authentication 0 2010-04-28 12:36:58 debug rlm_ldap: bind as [email protected]/****** to 10.5.1.10:389 2010-04-28 12:36:58 debug rlm_ldap: waiting for bind result ... 2010-04-28 12:36:58 debug rlm_ldap: Bind was successful 2010-04-28 12:36:58 debug rlm_ldap: performing search in dc=ahdemo,dc=local, with filter ([email protected]) 2010-04-28 12:36:58 debug rlm_ldap: Adding memberOf as AH-FreeRADIUS-Group-Name = "CN=Employee-4,CN=Users,DC=ahdemo,DC=local" 2010-04-28 12:36:58 debug rlm_ldap: Adding memberOf as AH-FreeRADIUS-Group-Name = "CN=Employee-3,CN=Users,DC=ahdemo,DC=local" 2010-04-28 12:36:58 debug rlm_ldap: Adding memberOf as AH-FreeRADIUS-Group-Name = "CN=Employee-2,CN=Users,DC=ahdemo,DC=local" 224 2008 Confidential 2010 Lab: Use AD to Assign User Profile 1. Map memberOf attribute to user profile From Configuration Advanced Configuration Authentication HiveAP AAA Server Settings AP-RADIUS-X Expand Database Access Settings Check LDAP server attribute Mapping Select Map LDAP user groups to local user groups LDAP User Group Attribute: memberOf Under Available Local User Groups, click + to create a new group 225 2008 Confidential 2010 Lab: Use AD to Assign User Profile 2. Create user group to map to memberOf group Create a group that matches a group that the username: “user” is a member of User Group Name: Employee-X Note: This group name must match a group returned by the AD server by the memberOf attribute User Type: RADIUS users User Profile Attribute:10 Note: The user profile attribute is returned from the HiveAP RADIUS server if this is the matching group Click Save 226 2008 Confidential 2010 Lab: Use AD to Assign User Profile 3. Map Employee-X user group to memberOf Select the Employee-X user group and move it to the selected local user groups list Click Save 227 2008 Confidential 2010 Lab: Use AD to Assign User Profile 4. Update delta configuration of your HiveAP From MonitorHiveAPs Select your HiveAP X-A-HiveAP Select Update... Upload and Activate Configuration If you want to see the delta configuration, click the link for your HiveAP – Close the View Configuration window after viewing the delta configuration changes Click Upload Click HiveAP link to view delta configuration 228 2008 Confidential 2010 Lab: Use AD to Assign User Profile SSID 5. Disconnect and Reconnect to Class-802.1X-Xc To test the mapping of the memberOf attribute to your user profile Disconnect from the Class-802.1X-Xc SSID Connect to the Class-802.1X-Xc SSID 229 2008 Confidential 2010 Lab: Use AD to Assign User Profile SSID 6. Verify your active client settings From MonitorClientsActive Clients – Your client should now be assigned to • IP Address: 10.5.10.# • User Profile Attribute: 10 • VLAN: 10 230 2008 Confidential 2010 If you have problem… Troubleshooting An extremely useful tool for this configuration is an LDAP browser, so you can confirm you are getting the right information from the Active Directory server: http://download.softerra.com/files/ldapbrowser26.msi – It will show you what memberOf attribute is being returned for each user Confirm the Local Group Name matches the Active Directory Group name exactly – Sho run | include aaa debug radius comm debug radius excessive debug radius verbose debug console no debug console no debug radius 231 2008 Confidential 2010 Secure and Fast Roaming 232 2008 Confidential 2010 Layer 2 Roaming User associates and authenticates and keys are distributed AP predicatively pushes keys and session state to one hop neighbors As client roams and associates with another AP the traffic continues uninterrupted RADIUS Server Roam 2008 Confidential 2010 Layer 3 Roaming Router Subnet B Subnet A GRE Tunnel Like Layer 2 roaming the Layer 3 roam predicatively pushes keys to one hop neighbors. In order to maintain IP connectivity a tunnel is created to home subnet. Tunnel continues to follow roaming user until sessions end then tunnel is terminated and the user accesses the local network 2008 Confidential 2010 Layer 3 Roaming Details 235 2008 Confidential 2010 Layer 3 Roaming Detailed Explanation HiveAPs can then communicate over the LAN using UDP Port 3000 Subnet 10.5.1.0/24 Floor 1 Corp-Hive 10.5.1.11/24 Corp-Hive 10.5.1.12/24 HiveAP Layer 3 roaming information is advertised in beacons and can be heard by HiveAPs in the same Hive. Subnet 10.5.10.0/24 Floor 2 10.5.1.13/24 10.6.1.7/24 Beacon IE: (Encrypted) Hive: Corp-Hive L3 roaming enabled Mgt0 IP: 10.5.1.13/24 10.6.1.8/24 Beacon IE: (Encrypted) Hive: Corp-Hive L3 roaming enabled Mgt0 IP: 10.6.1.7/24 236 10.6.1.9/24 HiveAPs scan channels to locate layer 3 roaming neighbors and communicate with each other over the Ethernet network. 2008 Confidential 2010 Layer 3 Roaming Detailed Explanation Neighboring AP sends HiveAP DA information to neighboring subnets Subnet 10.5.1.0/24 Floor 1 Subnet 10.6.1.0/24 Floor 2 Corp-Hive Corp-Hive DA 10.5.1.11/24 10.5.1.12/24 10.5.1.13/24 10.6.1.7/24 10.6.1.8/24 10.6.1.9/24 Receive: DA for subnet: 10.5.1.0/24 10.5.1.11 Send: DA for subnet: 10.5.1.0/24 10.5.1.11 237 2008 Confidential 2010 Layer 3 Roaming Detailed Communication Subnet 10.5.1.0/24 Floor 1 Preparation for roaming by contacting DA for APs as the potential tunnel end points Corp-Hive Subnet 10.6.1.0/24 Floor 2 Corp-Hive DA 10.5.1.11/24 10.5.1.12/24 DA Send: Best tunnel endpoint for subnet: 10.5.1.0/24 10.5.1.12 10.5.1.13/24 10.6.1.7/24 10.6.1.8/24 Received from DA: Query DA: Best tunnel endpoint Least loaded AP for forsubnet: subnet:10.5.1.0/24 10.5.1.0/24 10.5.1.12 238 10.6.1.9/24 HiveAPs preselect best APs in each subnet to be a tunnel endpoints The tunnel is built only when a client eventually roams 2008 Confidential 2010 Layer 3 Roaming Detailed Communication Client Roaming DNXP Cache Update GRE Tunnel Subnet 10.5.1.0/24 Floor 1 Subnet 10.6.1.0/24 Floor 2 eth0.1 10.5.1.1 eth0.2 10.5.10.1 eth0.1 10.6.1.1 eth0.2 10.6.10.1 Corp-Hive Corp-Hive u1 10.5.1.11/24 u1 10.5.1.12/24 10.5.1.13/24 Layer 3 roam Layer 2 roam Session State & PMK u1 10.6.1.7/24 u1 10.6.1.8/24 DNXP L3 10.5.1.12 u1 10.5.10.33/24 10.5.10.33/24 The clients IP address is maintained 239 10.6.1.9/24 As clients arrive on the new subnet, the HiveAP will use an existing tunnel for the client, or if that tunnel is heavily loaded, it can create a tunnel to another portal in the DNXP table. 2008 Confidential 2010 Layer 3 Roaming Detailed Communication DNXP GRE Tunnel Subnet 10.5.1.0/24 Floor 1 Subnet 10.6.1.0/24 Floor 2 eth0.1 10.5.1.1 eth0.2 10.5.10.1 eth0.1 10.6.1.1 eth0.2 10.6.10.1 Corp-Hive Corp-Hive u1 10.5.1.11/24 10.5.1.12/24 u1 10.5.1.13/24 u1 10.6.1.7/24 u1 10.6.1.8/24 DNXP L3 10.5.1.12 Session State & PMK u1 10.6.1.9/24 DNXP L3 10.5.1.12 u1 10.5.10.33/24 240 2008 Confidential 2010 Layer 3 Roaming Local Subnet Connection DNXP GRE Tunnel Subnet 10.5.1.0/24 Floor 1 Subnet 10.5.10.0/24 Floor 2 eth0.1 10.5.1.1 eth0.2 10.5.10.1 eth0.1 10.6.1.1 eth0.2 10.6.10.1 Corp-Hive Corp-Hive u1 10.5.1.11/24 Session State & PMK u1 10.5.1.12/24 u1 10.5.1.13/24 u1 10.6.1.7/24 Based on the number of packets per minute sent to and received by the client, the HiveAP can be configured to disable the tunnels and de-auth the client so that it will reconnected and obtain an IP address from the local network. 241 u1 10.6.1.8/24 u1 10.6.1.9/24 De-auth u1 10.6.10.95/24 10.5.10.33/24 2008 Confidential 2010 Configuring Dynamic Tunneling for Layer 3 Roaming 242 2008 Confidential 2010 Lab: Enable Layer 3 Roaming 1. In your user profile, create a tunnel policy Note: Tunnel policies are mutually exclusive. There is no need to enable more than one type of tunnel policy, so a radio button is used to select the type. 243 Layer 3 roaming is enabled per user profile by configuring a tunnel policy Edit your employee User Profile by going to Configuration Guided Configuration User Profiles Edit Employee(10)-X Under Optional Settings expand GRE or VPN Tunnels Next to GRE tunnel for roaming or station isolation click + 2008 Confidential 2010 Lab: Enable Layer 3 Roaming 2. Configure Layer 3 Roaming Policy Note: The number of packets per minute to select varies based on the number of devices, types of devices, and applications running on your network. In my local network for example, my idle PC sends and receives about 500 packets per minute. Running a voice call from a soft client my PC sends and receives about 4000 packets per minute. So I have chosen to unroam if I my PC does not receive 2000 packets per minute in one minute time frame, which means my tunnel should remain during a voice call or file transfer. 244 Enable the ability to dynamically build tunnels for layer 3 roaming Name: L3-Roaming-X Under Tunnel Settings Select Enable Dynamic tunneling for Layer 3 Roaming Unroaming Threshold: 60 seconds Number of packets per minute: 2000 Click Save 2008 Confidential 2010 Lab: Enable Layer 3 Roaming 3. Configure VLANs for User Profile Ensure the Tunnel Policy is set to: L3-Roaming-X Note: Because the user profile is applied to HiveAPs in different locations, such as the trusted network and the DMZ, you can use HiveAP classification to define one policy to set the user VLANs in each location Next to Default VLAN, – Click+ 245 2008 Confidential 2010 Lab: Enable Layer 3 Roaming 4. Configure the User VLANs VLAN Name: 0X-Employee-VLANs – VLAN ID: 1 – Type: Global – Click Apply (Do not save) Click New – VLAN ID: 10 – Type: Classifier – Value: • Uncheck Tag 1: <empty> • Uncheck Tag 2: <empty> • Check Tag 3: Trusted – Click Apply then Save Note: Users that connect to HiveAPs in the trusted network will be assigned to VLAN 10, and in the DMZ or any other network, they will be assigned to VLAN 1 246 2008 Confidential 2010 Lab: Enable Layer 3 Roaming 5. Configure VLANs for User Profile Ensure the Default VLAN is set to: L3-Roaming-X Click Save 247 2008 Confidential 2010 Lab: Enable Layer 3 Roaming 6. Update delta configuration of your HiveAP From MonitorHiveAPs Select both of your HiveAPs X-A-HiveAP X-B-HiveAP Select Update... Upload and Activate Configuration If you want to see the delta configuration, click the link for your HiveAP – Close the View Configuration window after viewing the delta configuration changes Click Upload Click HiveAP link to view delta configuration 248 2008 Confidential 2010 Testing Layer 3 Roaming In Hosted Data Center Unfortunately we cannot test layer 3 roaming in the hosted data center because – The HiveAPs are hard wired via coax to their clients – The power level of the HiveAPs has been set to 1 dBm so the clients can connect to their SSIDs. If we do not set the power to 1 dBm, the power is too high for the clients that are connected via coax • Because the power is low, and the rest of the RF connections are terminated, testing in the remote lab is not possible If the instructor has time and the equipment, they can demonstrate layer 3 roaming locally in class 249 2008 Confidential 2010 Layer 3 Roaming Verification Notes 250 2008 Confidential 2010 Notes: Layer 3 Roaming View Roaming Neighbors From MonitorAccess PointsHiveAPs If you select the check box next to your HiveAP then select Tools Diagnostics Show DNXP Neighbors – You can view the HiveAPs Layer 2 and Layer 3 roaming neighbors • View the State column Shows whether a HiveAP is a layer 2 or layer 3 neighbor 251 2008 Confidential 2010 Layer 3 Roaming Testing in Hosted Lab If you select the check box next to your HiveAP then select Tools Diagnostics Show DNXP Cache – If a client is connect to the HiveAP, you can view the information that is being sent to the neighboring HiveAPs – The Tunnel-end is the HiveAP that will be the tunnel end point for DNXP after the client roams across subnet boundaries 2. This AP will be the tunnel end point for the 10.5.2.0/24 subnet until its tunnel load is too high 1. Shows the MAC address of the client and their tunnel end point after roaming 252 2008 Confidential 2010 Note: Layer 3 Roaming/Unroaming Ensure Valid VLANs for MGT0 Trusted Network DMZ Network DHCP for Internal VLAN 10 {10.5.10.50-10.5.10.200} DHCP for DMZ VLAN 1 {10.6.1.50-10.6.1.200} Dynamic GRE Tunnel 10.5.2.X to 10.6.1.X VLANs 1-20 VLAN1 L3 Roam 10.5.2.X 10.6.1.X WLAN Policy: Internal-Policy-X WLAN Policy: Internal-Policy-X Hive: Hive-Class-X Interface mgt0: 10.5.2.X/24 VLAN 2 SSID: Class-PSK-X User Profile: Employees(10)-X Attribute: 10 Local VLAN: 1 Mobility: L3-Roaming-X Classifier Tag 3: Trusted Hive: Interface mgt0: SSID: User Profile: Attribute: Local VLAN: Mobility: Classifier Tag 3: Hive-Class-X 10.6.1.X/24 VLAN 1 Class-PSK-X Employees(10)-X 10 1 L3 Roaming-X DMZ In this case the Employee VLAN is 1, but the HiveAP MGT0 interface VLAN differs whether the HiveAP is in the Trusted network or the DMZ using HiveAP classification 253 2008 Confidential 2010 Note: Layer 3 Roaming/Unroaming Ensure Valid VLANs for Users Trusted Network DMZ Network DHCP for Internal VLAN 10 {10.5.10.50-10.5.10.200} DHCP for DMZ VLAN 1 {10.6.1.50-10.6.1.200} Dynamic GRE Tunnel 10.5.2.X to 10.6.1.X VLANs 1-20 10.5.2.X 10.6.1.X WLAN Policy: Internal-Policy-X WLAN Policy: Internal-Policy-X Hive: Hive-Class-X Interface mgt0: 10.5.2.X/24 VLAN 2 SSID: Class-PSK-X User Profile: Employees(10)-X Attribute: 10 Local VLAN: X-Employee-VLANs (10) Mobility: L3-Roaming-X Classifier Tag 3: Trusted VLAN1 L3 Roam Hive: Interface mgt0: SSID: User Profile: Attribute: Local VLAN: Mobility: Classifier Tag 3: Hive-Class-X 10.6.1.X/24 VLAN 1 Class-PSK-X Employees(10)-X 10 X-Employee-VLANs (1) L3 Roaming-X DMZ Note: In order for unroaming to work, the VLAN for the user profile must be valid in all networks. To do this, you can configure HiveAP classification for the employee VLAN and set the VLAN in this example to 10 if it is in the trusted network, and 1 if it is in the DMZ. 254 2008 Confidential 2010 Identity-Based Tunnels With Captive Web Portal and DHCP Server Services provided by HiveAPs 255 2008 Confidential 2010 Identity-Based Tunnels LAB Using Tag On DMZ VLAN Internal Network Internet 10.5.2.1 SSID: Class-Guest-X IP: 10.7.1X.N/24 Gateway: 10.7.1X.1 10.7.1.1 GRE Tunnel 10.5.1.N to 10.7.1.X Guest Client DMZ Network DHCP Settings for VLAN 1X (X is 2 digits): network 10.7.1X.0/24 ip range 10.7.1X.100 to 10.7.1X.199 Tunnel Destination Tunnel Source Hostname: X-A-000000 Interface mgt0: 10.5.1.N/24 VLAN 1 WLAN Policy: WLAN-X Hostname: X-B-000000 Interface mgt0: 10.7.1.X/24 VLAN 1 WLAN Policy: WLAN-X Tag1: DMZ-X WLAN Policy: WLAN-X Hive: Hive-Class-X SSID: Class-Guest-X Tunnel Policy: Tunnel-X Captive Web Portal: CWP-Tunnel-X Tunnel Settings: Enable static identity-based-tunnel Registration Type: Use-Policy-Accept Tunnel Destination: IP Range Start:10.7.1.X End:10.7.1.X User Profile: Role-Tunnel(1X) Tunnel Source: 10.5.1.0/24 and 10.5.2.0/24 Attribute: 1X Tunnel Password: aerohive123 VLAN: 1X MGT0 VLAN: 2 Tunnel Policy: Tunnel-X Native VLAN: 1 256 2008 Confidential 2010 Lab: HiveAP Prep for Layer 3 Tests 1. Assign HiveAP-B to New Static IP Address From MonitorHiveAPs – Select the check box next to your HiveAP-B: X-B-###### and click Modify Expand Interface and Network Settings Uncheck DHCP Client Enabled IP Address: 10.7.1.X Netmask: 255.255.255.0 Gateway: 10.7.1.1 Note: Your MGT0 VLAN will be set to VLAN 100 using HiveAP classification for this new subnet to work. Please do not save Continue to Next Slide 257 2008 Confidential 2010 Lab: HiveAP Prep for Layer 3 Tests 2. Verify HiveAP Classification Tag is DMZ Expand Advanced Settings | HiveAP Classification | Verify Tag 3 is set to: DMZ *This was set in the HiveAP Classification Lab Click Save 258 2008 Confidential 2010 Lab: HiveAP Prep for Layer 3 Tests 3. In WLAN Policy, Modify MGT0 VLAN The VLAN for the MGT0 interface on a HiveAP is assigned via the WLAN policy Go to ConfigurationGuided ConfigurationWLAN Policies Edit WLAN-X Next to MGT interface VLAN, Click (To Modify) Go to Next Slide 259 2008 Confidential 2010 Lab: HiveAP Prep for Layer 3 Tests 4. Add DMZ to VLAN 100 Add another VLAN entry Click New VLAN ID: 100 – Type: Classifier – Uncheck Tag 1 – Uncheck Tag 2 – Check Tag 3: DMZ – Click Apply After clicking apply, Save your VLAN object 260 2008 Confidential 2010 Lab: HiveAP Prep for Layer 3 Tests 5. Verify X-MGT0-VLANs is set to MGT0 Interface In your WLAN Policy, verify the MGT0 Interface VLAN is set to: X-MGT0-VLANs The Native (untagged) VLAN should still be set to: 1 Save your WLAN Policy 261 2008 Confidential 2010 Lab: HiveAP Prep for Layer 3 Tests 6. Update Delta Configuration From MonitorHiveAPs Select your HiveAP-B X-B-HiveAP Select Update... Upload and Activate Configuration If you want to see the delta configuration, click the link for your HiveAP – Close the View Configuration window after viewing the delta configuration changes Click Upload Click HiveAP link to view delta configuration 262 100 2008 Confidential 2010 Lab: HiveAP Prep for Layer 3 Tests 7. View Update Results After a successful update, you can move your mouse over the Description to see what was updated 263 2008 Confidential 2010 Lab: HiveAP Prep for Layer 3 Tests 8. View the New IP Address for your HiveAP From MonitorHiveAPs – Verify that the new IP address for your HiveAP-B is: 10.7.1.X/24 It may take up to a moment to reflect the changes New IP Address in VLAN 100 (10.7.1.0/24) 264 2008 Confidential 2010 Identity-Based Tunnels With Captive Web Portal Configuration 265 2008 Confidential 2010 Identity-Based Tunnels If VLAN segmentation is not possible due to the network architecture at the access layer, guests can be tunneled, using the identity-based tunnel functionality, directly to one or more HiveAPs within a firewalled DMZ area, such as a lobby The client in the internal network is assigned a VLAN and an IP address from the tunnel destination All client traffic is then tunneled to the HiveAPs in the DMZ 266 2008 Confidential 2010 Identity-Based Tunnels LAB Using Tag On DMZ VLAN Internal Network Internet 10.5.2.1 SSID: Class-Guest-X IP: 10.7.1X.N/24 Gateway: 10.7.1X.1 10.7.1.1 GRE Tunnel 10.5.1.N to 10.7.1.X Guest Client DMZ Network DHCP Settings for VLAN 1XX (01, 02, ..,13) network 10.7.1XX.0/24 ip range 10.7.1XX.100 to 10.7.1XX.199 Tunnel Destination Tunnel Source Hostname: X-B-000000 Interface mgt0: 10.7.1.X/24 VLAN 1 WLAN Policy: WLAN-X Tag1: DMZ-X WLAN Policy: WLAN-X Hostname: X-A-000000 Interface mgt0: 10.5.2.N/24 VLAN 1 WLAN Policy: WLAN-X SSID: Class-Guest-X Hive: Hive-Class-X Captive Web Portal: CWP-Tunnel-X Tunnel Policy: GRE-Tunnel-X Registration Type: Use-Policy-Accept Tunnel Settings: Enable static identity-based-tunnel User Profile: Role-Tunnel(1XX) Tunnel Destination: IP Range Start:10.7.1.X End:10.7.1.X Attribute: 1XX Tunnel Source: 10.5.1.0/24 and 10.5.2.0/24 VLAN: 1XX Tunnel Password: <random generated> Tunnel Policy: GRE-Tunnel-X MGT0 VLAN: 2 Native VLAN: 1 267 2008 Confidential 2010 LAB: Guest Access with CWP and Tunnels 1. Edit your WLAN Policy and Add SSID Profile To add an SSID to be used by guests Go to Configuration WLAN Policies Edit WLAN-X Under SSID Profiles click Add/Remove SSID Profile Create a new SSID Profile – Click + Go to Next Slide 268 2008 Confidential 2010 LAB: Guest Access with CWP and Tunnels 2. Create a New Guest SSID Profile Name: Class-Guest-X SSID: Class-Guest-X SSID Access Security WPA/WPA2-PSK(Personal) Note: You can use any access security method in real life. It is common to use Private PSK for secure guest access or Open for non-secure guest access Key Value and Confirm Value: aerohive123 Check Enable Captive Web Portal Click + to create a new captive web portal Go to Next Slide 269 2008 Confidential 2010 LAB: Guest Access with CWP and Tunnels 3. Configure Captive Web Portal Name: CWP-Guest-X Registration Type: Use Policy Acceptance Click Customize Login Page to see the use policy – You can edit text in the use policy field, or replace it with your own using copy and paste – You can click Preview to view the customized web page – Click Save to save your customized Login Page settings Please do not save the captive web portal at this time.. Go to the next slide… 270 2008 Confidential 2010 LAB: Guest Access with CWP and Tunnels 4. Configure Captive Web Portal Expand the Captive Web Portal Success Page section Click Customize Success Page Select the option to Redirect to the initially requested page… Note: This will bring up the web page the client initially requested after they agree to the acceptable use policy Click Save to save your captive web portal settings Go to Next Slide 271 2008 Confidential 2010 LAB: Guest Access with CWP and Tunnels 5. Assign CWP and Configure SSID Back in your Guest SSID Config Ensure Captive Web Portal is set to: CWP-Guest-X Note: you can use Open, but that is much less secure User Profiles for Traffic Management Under the heading – User profile assigned to users that associate with this SSID – Click + to create a new user profile – Click More Settings… Go to Next Slide 272 2008 Confidential 2010 LAB: Guest Access with CWP and Tunnels 6. Create a user profile to tunnel traffic Define a user profile to tunnel traffic Note: XX= 2 Digits (02,03, .. ,12,13) Name: Role-Tunnel(1XX) Attribute Number: 1XX Default VLAN: 1XX Note: This VLAN is encapsulated inside the GRE tunnel and sent to the tunnel destination where the VLAN must exist. Note: The name, attribute number and default VLAN do not have to match. Optional Settings Expand the GRE or VPN Tunnels section Select GRE tunnel for roaming or station isolation Click + to create a GRE tunnel policy 273 2008 Confidential 2010 LAB: Guest Access with CWP and Tunnels 7. Configure tunnel settings Configure the tunnel information for both sides of the tunnel in this policy Name: GRE-Tunnel-X Select Enable Static Identity-Based Tunnels Tunnel Destination – Select IP Address: 10.7.1.X Note: You can specify a range of consecutive HiveAPs if you have multiple HiveAPs at the tunnel destination for redundancy and load sharing. Available IP Addresses – Select 10.5.2.0/24 and 10.5.1.0/24 and click the > button Tunnel Authentication – Click Generate Click Save 274 2008 Confidential 2010 LAB: Guest Access with CWP and Tunnels 8. Create a user profile to tunnel traffic Select the tunnel policy Tunnel policies: GRE-Tunnel-X Note: If you do configure firewall policies, be aware that your firewall policies are applied before your traffic is tunneled to the destination HiveAP. Also note that the IP address of your client will be from the remote network at the tunnel destination. Click Save 275 2008 Confidential 2010 LAB: Guest Access with CWP and Tunnels 9. Assign user profile to SSID Assign the user profile with the tunnel settings to this SSID User Profile assigned to users that associate with this SSID: Role-Tunnel(1X X) Make sure everything looks right… Click Save Note: When a client associates with this SSID and completes the registration process, their traffic is tunneled to the destination HiveAP specified by the tunnel policy in the user profile. If a client associates with this SSID on the tunnel endpoint, the traffic is forwarded without tunneling 276 2008 Confidential 2010 LAB: Guest Access with CWP and Tunnels 10. Remove Existing SSID and Add New SSID To clean up the air, remove all other SSID profiles from the selected SSID profiles list using the << button – The SSID Profiles listed under the Selected SSID Profiles list is now empty From the Available SSID Profiles, select Class-Guest-X and use the > button to move it to the Selected SSID Profiles List Click Apply **Really, please click apply Save the WLAN policy 277 2008 Confidential 2010 HiveAP DHCP Service On Tunnel End Point On Tunnel Endpoint 278 2008 Confidential 2010 Identity-Based Tunnels LAB Using Tag On DMZ VLAN Internal Network Internet 10.5.2.1 SSID: Class-Guest-X IP: 10.7.1X.N/24 Gateway: 10.7.1X.1 10.7.1.1 GRE Tunnel 10.5.1.N to 10.7.1.X Guest Client DMZ Network DHCP Settings for VLAN 1XX (01, 02, ..,13) network 10.7.1XX.0/24 ip range 10.7.1XX.100 to 10.7.1XX.199 Tunnel Destination Tunnel Source Hostname: X-B-000000 Interface mgt0: 10.7.1.X/24 VLAN 1 WLAN Policy: WLAN-X Tag1: DMZ-X WLAN Policy: WLAN-X Hostname: X-A-000000 Interface mgt0: 10.5.2.N/24 VLAN 1 WLAN Policy: WLAN-X SSID: Class-Guest-X Hive: Hive-Class-X Captive Web Portal: CWP-Tunnel-X Tunnel Policy: GRE-Tunnel-X Registration Type: Use-Policy-Accept Tunnel Settings: Enable static identity-based-tunnel User Profile: Role-Tunnel(1XX) Tunnel Destination: IP Range Start:10.7.1.X End:10.7.1.X Attribute: 1XX Tunnel Source: 10.5.1.0/24 and 10.5.2.0/24 VLAN: 1XX Tunnel Password: <random generated> Tunnel Policy: GRE-Tunnel-X MGT0 VLAN: 2 Native VLAN: 1 279 2008 Confidential 2010 LAB: Configure DHCP Service for Guests 1. Create DHCP Server for VLAN 1XX To create a DHCP server and IP pool for VLAN 1XX Go to Configuration Advanced Configuration Network Objects DHCP Server & Relay Name: DHCP-VLAN-1XX Interface: mgt0.X IP Address: 10.7.1XX.2 Netmask: 255.255.255.0 VLAN ID: 1XX Please do not save, go to next slide… 280 2008 Confidential 2010 LAB: Configure DHCP Service for Guests 2. Configure IP Pool and Options Configure the IP pool and DHCP options Under IP Pool – Start IP Address: 10.7.1XX.100 – End IP Address: 10.7.1XX.199 Click Apply (Really, please click apply!) Under DHCP Server Options Default Gateway: 10.7.1XX.1 Note: The netmask is automatically inherited from the mgt0.X interface DNS Server 1 IP: 10.5.1.10 Click Save 281 2008 Confidential 2010 LAB: Configure DHCP Service for Guests 3. Assign DHCP Server to Endpoint HiveAP Because the clients will be tunneled to the HiveAP at the destination, the DHCP server should be at the destination From MonitorHiveAPs Select your HiveAP-B: X-B-HiveAP Click Modify Expand SSID Allocation – Clear the check boxes to disable the SSIDs on the 2.4GHz and 5GHz radios. Note: Though not necessary in a real deployment, for this lab, this will ensure all traffic is tunneled. Expand Service Settings – Select your DHCP server object: DHCP-VLAN-1XX and move it to the Selected List Save the settings for this HiveAP 282 2008 Confidential 2010 Update Configuration of HiveAPs To Update GRE-Tunnel and DHCP Server Configuration 283 2008 Confidential 2010 LAB: Guest GRE Tunnel and DHCP Server 1. Update Configuration of HiveAPs From MonitorHiveAPs Select both your HiveAPs: X-A-HiveAP X-B-HiveAP Select Update... Upload and Activate Configuration If you want to see the delta configuration, click the link for your HiveAP – Close the View Configuration window after viewing the delta configuration changes Click Upload Click HiveAP link to view delta configuration 284 2008 Confidential 2010 LAB: Guest GRE Tunnel and DHCP Server 2. Monitor Update Results Ensure that your update is successful From MonitorHiveAPs – You can see an icon next to your HiveAP letting you know it is now a DHCP server 285 2008 Confidential 2010 LAB: Guest GRE Tunnel and DHCP Server 3. Connect to your Class-Guest-X SSID On your remote hosted PC, connect to the SSID: Class-Guest-X Passphrase/Network Key: aerohive123 286 2008 Confidential 2010 LAB: Guest GRE Tunnel and DHCP Server 4. Agree to Acceptable Use Policy Open a web browser and Browse to a decent web site: http://www.aerohive.com A captive web portal page will be displayed Fill out the web registration form 287 Click Accept to agree to the Acceptable Use Policy 2008 Confidential 2010 LAB: Guest GRE Tunnel and DHCP Server 5. Verify Access To Internet Once the login is successful, you can access the network You should automatically be redirected to the web page you initially requested 288 2008 Confidential 2010 LAB: Guest GRE Tunnel and DHCP Server 6. View Active Clients List After associating with your SSID, you should see your connection in the active clients list in HiveManager – Go to MonitorClientsActive Clients Your IP address should be from the 10.7.1XX.0/24 network Note the IP address, VLAN and user profile attribute – VLAN: 1XX – User Profile Attribute: 1XX 289 2008 Confidential 2010 LAB: Guest GRE Tunnel and DHCP Server 7. Verify Tunnel 290 2008 Confidential 2010 Private PSK User-Based Pre-Shared Keys and Policy 2008 Confidential 2010 Lab: Secure WLAN Access With Private PSK Diagram Internet Student-X VLANs 1-20 Connect to SSID: Class-PPSK-X IP: 10.5.10.N/24 Gateway: 10.5.10.1 AD (IAS) Server: 10.5.1.10 Mgt0 IP: 10.5.2.N/24 VLAN 2 WLAN Policy: WLAN-X SSID: Class-PPSK-X SSID Type: Private PSK Authentication: WPA or WPA2 Personal Encryption: TKIP or AES User Group: PPSK-Corp-X Attribute: 10 User Profile: Employee(10)-X Local Users: Create Users in Group: PPSK-Corp-X 30 Users with PSKs: X-corp0001 X-corp0030 with automatically created PSKs 292 DHCP Settings: (VLAN 1) network 10.5.1.0/24 10.5.1.140 – 10.5.1.240 (VLAN 2) network 10.5.2.0/24 10.5.2.140 – 10.5.1.240 (VLAN 8) network 10.5.8.0/24 10.5.8.140 – 10.5.8.240 (VLAN 10) network 10.5.11.0/24 10.5.10.140 – 10.5.10.240 (VLAN 11) network 10.5.11.0/24 10.5.11.140 – 10.5.11.240 2008 Confidential 2010 SSIDs with WPA or WPA2 Personal Use Pre Shared Keys (PSKs) User 1 SSID: Corp-WiFi Shared Key: aSecretPhrase User 2 SSID: Corp-WiFi Shared Key: aSecretPhrase User 3 SSID: Corp-WiFi Shared Key: aSecretPhrase AP SSID: Corp-WiFi Authentication: WPA2 Personal Shared Key: aSecretPhrase User Profile: Employee-Profile All users share the same key – If a user leaves or if a PC or portable device is lost, for security reasons, the shared key should be changed, and every client will have to update the keys on their wireless clients All users share the same network policy – Because all users share the same SSID with the same key, they will also have the same network policies, such as their VLAN, because there have no way to uniquely identify users or types of users 293 2008 Confidential 2010 SSID with 802.1X/EAP Dynamically Create Pairwise Master Keys (PMKs) User 1 SSID: Corp-WiFi PMK: d6#$%^98f.. User 2 SSID: Corp-WiFi PMK: 87fe@#$%a.. User 3 SSID: Corp-WiFi PMK: 90)356*&f.. AP RADIUS SSID: Corp-WiFi Authentication: WPA2 Enterprise (802.1X) - User 1 - PMK: d6#$%^98f.. - User 2 - PMK: 87fe@#$%a.. - User 3 - PMK: 90)356*&f.. With 802.1X, after a user successfully authenticates with RADIUS, a unique key is created for each user and AP pair called a PMK – If a user leaves the company or a user loses a device, the user account can be disabled and passwords can be changed to prevent access to corporate resources New PMKs are created every time user authenticates Users can have unique network policies – Because users are identified by their user name, based on the user or group, they can be assigned to different network policies 294 2008 Confidential 2010 Private Preshared Key (PSK) Allows creation of unique PSKs per user User 1 SSID: Corp-WiFi Key: d6#$%^98f.. User 2 SSID: Corp-WiFi Key: 87fe@#$%a.. User 3 SSID: Corp-WiFi Key: 90)356*&f.. HiveAP SSID: Corp-WiFi SSID Type: Private PSK Authentication: WPA2 Personal - User 1 – Private PSK: d6#$%^98f.. - User 2 – Private PSK: 87fe@#$%a.. - User 3 – Private PSK: 90)356*&f.. Private PSKs are unique pre shared keys created for individual users on the same SSID Client configuration is simple, just enter the SSID shared key for WPA or WPA2 personal (PSK) – No 802.1X supplicant configuration is required – Works with devices that do not support 802.1X/EAP You can automatically generate unique keys for users, and distribute via email, or any way you see fit If a user leaves or a device is lost or stolen, the PSK for that user or device can simply be revoked 295 2008 Confidential 2010 Private Preshared Key (PSK) Allows creation of unique PSKs per user User 1 SSID: Corp-WiFi PSK: d6#$%^98f.. User 2 SSID: Corp-WiFi PSK: 87fe@#$%a.. User 3 SSID: Corp-WiFi PSK: 90)356*&f.. HiveAP SSID: Corp-WiFi SSID Type: Private PSK Authentication: WPA2 Personal - User 1 – Private PSK: d6#$%^98f.. - User 2 – Private PSK: 87fe@#$%a.. - User 3 – Private PSK: 90)356*&f.. You can create network policies for individual users or groups of users including different VLANs, firewall policies, tunnels, and schedules Fast roaming occurs without the need for opportunistic key caching Private PSKs can be automatically generated using User Manager or GuestManager providing the ability for a lobby administrator to generate guests unique keys for secure guest access 296 2008 Confidential 2010 Private Preshared Key (PSK) Deployment Recommendations Private PSK is recommended for augmenting WLAN deployments that authenticate clients with WPA or WPA2 Enterprise (802.1X/EAP), but have some devices that: – Support WPA or WPA2 Personal, but do not support WPA or WPA2 Enterprise with 802.1X/EAP – Do not support opportunistic key caching for seamless roaming Recommended in place of using traditional PSKs for environments that do not have a WLAN deployment using WPA or WPA2 Enterprise with 802.1X/EAP Recommended for secure guest access using User Manager or GuestManager for Private PSK creation – An online training module for User Manager and Private PSKs can viewed by going to: www.aerohive.com/training/cbt 297 2008 Confidential 2010 Configure Private PSK For Secure Guest Access 298 2008 Confidential 2010 Configuration Notes Configure Time Service on HiveManager Configure Email Service on HiveManager Create User Manager Administrator and Operator Accounts Create Private PSK Groups and Private PSK Users Create Private PSK SSID and Captive Web Portal for Use Policy Acceptance 299 2008 Confidential 2010 Lab: Secure Guest Access with Private PSK 1. Create Private PSK Group Go to Configuration Advanced Configuration Authentication Local User Groups Click New User Group Name: PPSK-guests(100)-0X (0X=02-15) User Type: Automatically generated private PSK users User Profile Attribute: 100 VLAN: <empty> Note: The VLAN is inherited from the user profile Do not save, please go to the next slide 300 2008 Confidential 2010 Lab: Secure Guest Access with Private PSK 2. Configure User Name and Private PSK Secret Private PSK Secret: <enter random characters> Note: This secret never needs to be known or seen again, it is used to add more complexity to the automatically generated PSKs. User Name Prefix: 0X-guest Note: This is the prefix for all the Private PSKs that will be generated. If you create 100 PPSK accounts, then the guest accounts will be created as 0X-guest0001 though 0X-guest0100 Expand Private PSK Advanced Options 301 2008 Confidential 2010 Lab: Secure Guest Access with Private PSK 3. Configure Time Zone and Validity Period Password Length: 8 Note: If Private PSKs were being generated for corporate accounts, this should be a much larger password length. However, for guests, because they are entering the password on their mobile device from a printout or from an email, for administrative purposes, it is better to generate smaller length PSKs. Time Zone: <Local Time Zone> Note: This should be the time zone of where the HiveAPs are located in real life, but for class, use your local class time zone PSK Validity Period: Recurring Schedule: Click + 302 2008 Confidential 2010 Lab: Secure Guest Access with Private PSK 4. Configure PPSK Recurrance Schedule Schedule Name: daily-X Select Recurrent Note: By selecting recurrent, the Private PSKs will be regenerated on a 24 hour basis. The guests will need to obtain a new PSK on a daily basis for network access. Start Time 1: 00hr 00min End Time : 23hr 59min Note: By specifying a start and end time, the PSKs will only be functional between the start and end times. Click Save 303 2008 Confidential 2010 Lab: Secure Guest Access with Private PSK 5. Configure PSK character types and then save Character types used in generated PSKs and manually created passwords: – Check Letters – Uncheck Digits – Uncheck Special Characters Note: Because these are daily PSKs, you can use upper and lower case letters to make it easy to type. If you mix in digits, the client may have problems with identifying the difference between letters and digits: 1, I, l, 0, O, for example. However, mixing in special characters is fine, but it may be more complicated for clients to enter in their mobile device. Click Save 304 2008 Confidential 2010 Lab: Secure Guest Access with Private PSK 6. Bulk Create 20 PPSK Daily User Accounts Go to Configuration Advanced Configuration Authentication Local Users Click the Bulk button Create User Under Group: PPSK-guests(100)-X Number of New Users: 20 Click Create 305 2008 Confidential 2010 Lab: Secure Guest Access with Private PSK 7. Filter and View Private PSK Users Apply a filter to view your Private PSK users Go to Configuration Authentication Local Users Click Filter Click here to select or deselect all entries Enter a part of a user name or description to locate the users you created – 0X-guest – Click Search Go to next slide 306 2008 Confidential 2010 Lab: Secure Guest Access with Private PSK 8. View Clear Text PSKs or Obscure PSKs Click here to see the clear text PSK Click here to obscure the PSK 307 You can view the PSKs for each Private PSK user in clear text, or you can chose to keep them obscured Here you can also see the validity time of the PSKs These accounts will be assigned to guests from the user manager interface 2008 Confidential 2010 Create a Guest SSID Secured with Private PSK 308 2008 Confidential 2010 Lab: Secure Guest Access with Private PSK 9. Modify your WLAN Policy and Add an SSID To configure a Private PSK SSID Go to ConfigurationWLAN Policies Edit your WLAN policy: WLAN-X Click Add/Remove SSID Profile Under the Available SSID Profiles selection box - Click + Go to Next Slide 309 2008 Confidential 2010 Lab: Secure Guest Access with Private PSK 10. Configure SSID to use Private PSK Profile Name: Class-Daily-X SSID: Class-Daily-X Under SSID Access Security select Private PSK Uncheck Use Default Private PSK Settings Click Options>> 310 2008 Confidential 2010 Lab: Secure Guest Access with Private PSK 11. Configure Private PSK Shared User Limit In the Advanced Option section, limit the number of devices that can share a private PSK. For example, you may want to have one guest use their PC and their mobile phone or PDA. By default, there is no limit to the number of times a Private PSK can be shared. Check Private PSK Shared User Limit: 2 Note: This means that within a Hive, a single Private PSK can only be used by two devices. Click Options<< 311 2008 Confidential 2010 Lab: Secure Guest Access with Private PSK 12. Create a Captive Web Portal Select your Private PSK User Group: PPSK-guests(100)-X and click the right arrow > button Check Enable Use Policy Acceptance CWP – Then Click + Note: This captive web portal will be used to ensure that guests agree to an acceptable use policy 312 2008 Confidential 2010 Lab: Secure Guest Access with Private PSK 13. Configure a Captive Web Portal Name: CWP-Accept-X Registration Type: Use Policy Acceptance Note: In each section, you can click Customize… if you want to modify the default web pages or import your own pages. Expand Captive Web Portal Success Page Settings – Select Redirect to an external page: http://www.aerohive.com Save your Captive Web Portal Settings 313 2008 Confidential 2010 Lab: Secure Guest Access with Private PSK 14. Create a user profile for guests Back in the SSID ensure the Use Policy Acceptance CWP is selected as: CWP-Accept-X Under Available Use Profiles – Click + Name: Guests(100)-X Attribute Number: 100 Default VLAN: 8 Check Manage users for this profile via User Manager Click Apply Go to next slide 314 2008 Confidential 2010 Lab: Secure Guest Access with Private PSK 15. Select user profile and save Select the user profile that matches the attribute that will be returned based on the setting in the Private PSK user group Under Available User Profiles select Guests(100)-X and click the right arrow button Click Save Go to next slide 315 2008 Confidential 2010 Lab: Secure Guest Access with Private PSK 16. Select SSID, Apply, then Save Under SSID Profiles click the << button to remove all existing SSIDs Under Available SSID Profiles, select Class-Daily-X and click the > button to move it to Selected SSID Profiles Click Apply then click Save 316 2008 Confidential 2010 Lab: Secure Guest Access with Private PSK 17. Update the configuration of your HiveAP From Monitor Access Points HiveAPs Select Your X-A-HiveAP Select Update... Upload and Activate Configuration Click Upload 317 2008 Confidential 2010 User Manager Administration 318 2008 Confidential 2010 User Manager Permissions Defined in Admin Groups User Manager is a simplified interface into HiveManager that provides a simple interface for lobby operators to create secure guest accounts User Manager is a free license There are two types of permissions for user manager access, administrators and operators 319 2008 Confidential 2010 User Manager Permissions Defined in Admin Groups User Manager Operator User Manager Administrator Here is an example of the permissions defined for user manager operators and administrators 320 2008 Confidential 2010 Lab: User Manager Administration 1. Create a User Manager Operator Create an operator account who will be able to log into the User Manager interface in HiveManager and generate guest accounts for secure access to the guest WLAN 321 Email: [email protected] Name: lobby-X Password: aerohive123 Confirm Password: aerohive123 Check Limit operator access to the selected Private PSK User Groups – Select: PPSK-guests(100)-X Check Limit operator access to the selected SSID Profiles – Select: Class-Daily-X Click Save 2008 Confidential 2010 Lab: User Manager Administration 2. Create a User Manager Administrator Create a User Manager administrator who will have access to generate reports based on guest access Email: [email protected] Name: manager-X Password: aerohive123 Confirm Password: aerohive123 Group Name: User Manager Admin Click Save 322 2008 Confidential 2010 User Manager Operations 323 2008 Confidential 2010 Lab: User Manager Operation 1. Log in to the User Manager interface Note: If you are logged in to HiveManager, you will need to log out, or you can use a different web browser so that you can log in with a different account https://training-hm1.aerohive.com Login: lobby-X Password: aerohive123 Click Login 324 2008 Confidential 2010 Lab: User Manager Operation 1. Log in to the User Manager interface Note: Pretend you just walked in the company door as a guest, and you are also the lobby administrator User Group: PPSK-guests(100)-X Visitor Name: <Your Name> Email Address: <Your real email address> Visitor Company: <Your Company> Sponsor: lobby-X SSID Name: Class-Daily-X Click Save 325 2008 Confidential 2010 Lab: User Manager Operation 2. Log in to the User Manager interface Select the check box next to your guest account Click Email – Note: For this to work, the guest will need a mobile networking device that can access email without Wi-Fi access, such as a mobile phone PDA device Note: you also have the option to Print the account information and hand it to the guest 326 2008 Confidential 2010 Lab: Test Secure Guest Access 1. Connect to the Class-Daily-X SSID From the Hosted PC – Connect to Class-Daily-X Enter the private PSK generated from user manager Click OK 327 2008 Confidential 2010 Lab: Test Secure Guest Access 2. View Active Session Information After associating with your SSID, you should see your connection in the active clients list in HiveManager – Go to MonitorClientsActive Clients Your IP address should be from the 10.5.8.0/24 network Note the client information: – Username: 0X-guest000N – VLAN: 8 – User Profile Attribute: 100 328 2008 Confidential 2010 Troubleshooting with Client Monitor Example of Invalid PSK 329 2008 Confidential 2010 Troubleshooting HiveAP Troubleshooting Commands – Check the time and time zone • show clock • show timezone – Check the Private PSK users and Private PSK groups • show auth private-psk 330 2008 Confidential 2010 Location Services HiveAP Location Servers With Client Watch Lists 331 2008 Confidential 2010 HiveAP Distributed Location Services The HiveAPs can locate Topology Map client devices in the WLAN The HiveAP that has a client Client associated with it becomes the owner for the client Neighboring HiveAPs report their RSSI information to the client to the owner The HiveAP owner calculates a location and HiveAP A sends an aggregate report to HiveManager on a Client 1 periodic basis Note: More details are in the notes below and in the help HiveAP B RSSI Report 332 HiveManager RSSI Report RSSI Aggregated Report HiveAP C Client 1 Owner 2008 Confidential 2010 Lab: HiveAP Location Services 1. Create a HiveAP Location Service Policy From Configuration Guided Configuration WLAN Policies, edit your WLAN Policy: WLAN-X Ensure all the HiveAPs in the class are in the same hive – Select Hive-Class Under Optional Settings Expand Management Server Settings Next to Location Server – Click + 333 2008 Confidential 2010 Lab: HiveAP Location Services 2. Configure Aerohive Location Server Name: AP-Location-X Check Enable Location Server Select Aerohive Location Server Click Save 334 2008 Confidential 2010 Lab: HiveAP Location Services 3. Create a location watch list Back in the WLAN policy, ensure the Location Server is: AP-LocationX Next you will need to create or select a location watch list. This is a list of MAC addresses for clients which you want to have HiveAPs track location. Because this class network is a small network, you will select the default All Client location watch list. Next to Location Watch List, select the drop down list for All Clients 2008 Then Save your WLAN Policy 335 Confidential 2010 Lab: HiveAP Location Services 4. Update the configuration of your HiveAP From Monitor Access Points HiveAPs Select Your X-A-HiveAP Select Update... Upload and Activate Configuration Click Upload 336 2008 Confidential 2010 Note: Location Watch Lists Creating a Place Holder Watch List If you do create your own location watch list, you must add at least one client MAC address entry which does not have to be valid at this time, so you can type: 000000000000 Click Apply then Save By doing this, you can then add clients to the watch list from the Active Clients View 337 2008 Confidential 2010 Note: Location Watch Lists Add Active Clients to Watch List From MonitorClientsActive Clients Select the check box next to the Active Clients you want to track Click Operation...Add to Watch Listwatch-X You will then need to upload and activate the configuration for your HiveAP Note: For class, you want to use the All Clients watch list because ever AP in class will need to track the same clients to get at least 3 APs to locate your client 338 2008 Confidential 2010 Class Demonstration Because the hosted clients are connected directly the class HiveAPs via Wi-Fi coax cable, the location services will not work very well because other HiveAPs will not see the neighboring clients If the instructor has three or more HiveAPs, location services can be tested in the class Just ensure the local classroom HiveAPs are added to the same topology map, are in the same Hive, and that they are placed accurately (or somewhat close to accurate) as the topology map reflects 339 2008 Confidential 2010 Example: Client Location On Topology Map Select Clients Client Client 340 2008 Confidential 2010 DHCP Server and NAT Access 341 2008 Confidential 2010 Using a HiveAP as a DHCP Server and NAT Gateway for Client Traffic Student-X Internet VLAN 1 IP: 10.5.2.1 Connect to SSID: Class-NAT-X IP: 10.5.5.N/24 Gateway: 10.5.5.1 Mgt0 IP: 10.5.2.N/24 Gateway 10.5.2.1 VLAN 1 The client connects to the SSID: Class-NAT-X and SSID: Class-NAT-X obtains an IP address in User Profile: branch(5)-X the 10.5.5.0/24 network Firewall Policy: NAT-X The HiveAP creates a DHCP Settings: virtual interface for the Mgt0.5 IP: 10.5.5.2/24 default gateway 10.5.5.1 IP Pool and responds to ARP 10.5.5.100 – 10.5.5.200 The traffic from the client is DHCP Options: set to the HiveAP Gateway: 10.5.5.1 The firewall rules assigned to the client by its user profile translate the traffic from the client to a source IP of the HiveAP’s MGT0 interface, then traffic is sent to the HiveAP’s default gateway NAT Support 342 2008 Confidential 2010 Lab: Create an SSID with NAT Access 1. Modify your WLAN Policy Go to Configuration Guided Configuration WLAN Policies Click the link to modify your WLAN policy: WLAN-X Go to next slide 343 2008 Confidential 2010 Lab: Create an SSID with NAT Access 2. Create a new SSID – WLAN Policy – SSID Profiles Click: Add/Remove SSID Profile Click + to create a new SSID Profile Go to next slide 344 2008 Confidential 2010 Lab: Create an SSID with NAT Access 3. Configure the SSID and create a user profile – SSID Profile – Profile Name: Class-NAT-X SSID: Class-NAT-X SSID Access Security Select: WPA/WPA2 PSK (Personal) – Use Default WPA/WPA2 PSK Settings Key Value: aerohive123 Confirm Value: aerohive123 User Profile for Traffic Mgmt Click + to create a new user profile Click More Settings... 345 2008 Confidential 2010 Lab: Create an SSID with NAT Access 4. Create User Profile for Branch Office Clients – SSID > User Profile – 346 Name: Branch(5)-X Attribute Number: 5 Default VLAN: 5 Expand Firewalls Under IP Firewall Policy, next to From-Access click + 2008 Confidential 2010 Lab: Create an SSID with NAT Access 5. Create a firewall rule for DHCP Configure a firewall rule to permit the client to obtain an IP address via DHCP Note: This rule must be configured without NAT, because DHCP requests cannot be NATed Policy Name: NAT-X – Source IP: Any – Destination IP: Any – Service: DHCP-Server – Action: Permit Click Apply and do not save, then go to the next slide 347 2008 Confidential 2010 Lab: Create an SSID with NAT Access 6. Create a firewall rule for NAT access Configure a firewall rule to network address port translate (NAPT) the source IP address all traffic from the clients to the MGT0 interface of the HiveAP Under Policy Rule: Click New – Source IP: Any – Destination IP: Any – Service: Any – Action: NAT Click Apply and do not save, then go to the next slide 348 2008 Confidential 2010 Lab: Create an SSID with NAT Access 7. Verify firewall policy rules then save Verify your firewall rules look like the following picture – Permit DHCP-Server (without NAT) – NAT all the rest of the traffic Click Save 349 2008 Confidential 2010 Lab: Create an SSID with NAT Access 8. Assign Firewall Policy to User Profile Back in your user profile under IP Firewall Policy From-Access: NAT-X To-Access: <Empty> Default-Action: Deny Click Save 350 2008 Confidential 2010 Lab: Create an SSID with NAT Access 9. Assign user profile to SSID then save Make sure the new user profile is selected: branch(5)-X Click Save 351 2008 Confidential 2010 Lab: Create an SSID with NAT Access 10. Assign SSID to WLAN policy then save – WLAN Policy – SSID Profiles Select your SSID: Class-NAT-X from the Available SSID Profiles list: and use the right arrow button ‘ >’ to move it to the Selected SSID Profiles list Click Apply Really – Make sure you click Apply Click Save to save your WLAN policy Note: The WLAN policy must be assigned to one or more HiveAPs for it to take affect 2008 352 Confidential 2010 Configure DHCP Server For NATed IP Pools Requires a HiveAP 300 Series until HiveOS version 3.5r2, Which will support the 100 series 353 2008 Confidential 2010 Lab: Configure HiveAP DHCP Service 1. Create a DHCP server object Create a DHCP Server object for VLAN 5, which is the VLAN assigned by the Branch(5)-X user profile Name: DHCP-X Interface: mgt0.5 IP Address: 10.5.5.2 Netmask: 255.255.255.0 VLAN ID: 5 Leave default settings for the rest of the options... IP Pools – Start IP Address: 10.5.5.100 – End IP Address: 10.5.5.200 Note: Everyone in class will configure the same IP addresses and pools, and that is Click Apply but do NOT save OK because all traffic is locally processed Go to the next slide... by their own HiveAPs then NATed. 354 2008 Confidential 2010 Lab: Configure HiveAP DHCP Service 2. Define gateway IP and enable NAT support Define default gateway and Enable NAT support Expand DHCP Server Options – Default Gateway: 10.5.5.1 Expand Advanced – Enable NAT Support Note: Even though a HiveAP is a layer 2 device, it will use one of its reserved MAC addresses and assign it to the default gateway specified in the DHCP server options allowing it to respond to ARP and act like a router Click Save 355 2008 Confidential 2010 Lab: Configure HiveAP DHCP Service 3. Enable DHCP service on HiveAP Enable DHCP server service on your HiveAP From Monitor Access Points HiveAPs Select the checkbox next to your HiveAP: X-A-###### Click Modify Under Optional Settings DHCP Server & Relay Expand Service Settings Select your DHCP Server object: DHCP-X and click the > button to move it to the Selected Servers lists Click Save 356 2008 Confidential 2010 Lab: Configure HiveAP DHCP Service 4. Upload and Activate Configuration Select the checkbox next to your HiveAP: X-A-###### Click Update... Upload and Activate Configuration Click Upload 357 2008 Confidential 2010 Test DHCP Server and NAT Access 358 2008 Confidential 2010 Lab: Test DHCP Server and NAT Access 1. Connect to the NAT SSID From the hosted PC, connect to the Class-NAT-X SSID Network Key: aerohive123 Confirm network key: aerohive123 Click Connect 359 2008 Confidential 2010 Lab: Test DHCP Server and NAT Access 2. Verify IP and Internet Connectivity From the hosted PC, open a CMD prompt and view your IP address ipconfig Note: Your IP address should be in the 10.5.5.0/24 subnet ping www -t (which is: 10.6.1.150) 360 2008 Confidential 2010 Lab: Test DHCP Server and NAT Access 3. Verify that IP session is being NATed From the command line interface of your HiveAP, you can view the IP session information for active sessions to see if NAT is being performed 02-A-064200# show forwarding-engine ip-session protocol 1 IP session table: Ageout time (in ms) Total entries: 2/8191 Traffic from the client: 10.5.5.100 is sent to the www server 10.6.1.150 Id:2; Ageout:1036; Flags:0x8251; QOS:2; Up: 0 min 1 sec; InPol:NAT-1/2; 10.5.5.100/4112 -> 10.6.1.150/4112; Proto 1; Flg:0x0; Pkts:1 Bytes:60 Parent-MAC-Sess: 21 10.6.1.150/4112 -> 10.5.2.2/64511; Proto 1; Flg:0x0; Pkts:1 Bytes:60 Id:1; Ageout:36; Flags:0x8251; QOS:2; Up: 0 min 2 sec; InPol:NAT-1/2; Traffic from the www server: 10.6.1.150 is sent to 10.5.2.2 which is the IP address of the MGT0 interface of the HiveAP. This means NAT is working. 361 When you are done, please stop the continuous ping from the hosted PC 2008 Confidential 2010 Supplemental Courseware/ Scratch Pad 362 2008 Confidential 2010 AD Troubleshooting Using HiveAP CLI 363 2008 Confidential 2010 LAB: Verify HiveAP Admin Account exec aaa ldap-search username hiveapadmin Exec-Program output: Search user 'hiveapadmin' in basedn 'CN=Users,DC=ahdemo,DC=local' successful 364 2008 Confidential 2010 LAB: Verify Wireless User Accounts exec aaa ldap-search username user Exec-Program output: Search user 'user' in basedn 'CN=Userss,DC=ahdemo,DC=local' failed In this case there was a type-o on the DN, not the extra s on Userss exec aaa ldap-search username user Exec-Program output: Search user 'user' in basedn 'CN=Users,DC=ahdemo,DC=local' successful 365 2008 Confidential 2010 LAB: Verify NTLM Authentication With Wireless User Account exec aaa ntlm-auth username user2 password Aerohive1 2009-04-16 11:37:53 info admin:<exec aaa ntlm-auth username user2 password *** > 2009-04-16 11:37:53 debug samba-tools: Kerberos session setup successful Exec-Program output: NT_STATUS_OK: Success (0x0) 366 2008 Confidential 2010 367 2008 Confidential 2010 SSL Negotiation Fails Invalid CA Cert This is an example that fails because the certificate was not installed or configured properly 368 2008 Confidential 2010 Bridging Notes For HiveAPs 369 2008 Confidential 2010 HiveAP Ethernet Interfaces in Bridge Mode One or both of the Ethernet ports can be in bridge mode with MAC learning. The HiveAP can learn 128 MAC addresses if an L2 switch is connected to the HiveAP eth0 or eth1 ports in bridge mode. You can also hard code the MAC addresses that are allowed on the port. * If you connect a router to the bridge port, then all traffic to the HiveAP would come from same MAC address, so in a sense we would support an unlimited number of wired clients. Wired clients show up in the active clients list as well in 3.5r1. 2.4 GHz or 5 GHz mesh Corp LAN SSID exist on radio that is not used for mesh Either 2.4 GHz or 5 GHz Loops are prevented, so a redundant configuration as show above is permitted. No spanning tree is needed. Ethernet interface in bridge mode can provide a captive web portal as well. Ethernet interfaces can also be in bridge-802.1Q mode to and allow traffic from any VLAN to go though the HiveAP. You can limit which VLANs are permitted as well. 370 2008 Confidential 2010 Revoking Private PSK Accounts 371 2008 Confidential 2010 Revoking Private PSK Users If a user leaves the company, or if their device is lost or stolen, you can revoke a users key and de-authenticate any active client using the individual private PSK Apply a filter to view your Private PSK users Go to ConfigurationAdvanced Configuration AuthenticationLocal Users Check the box next to one or more users and click Remove Go to next slide 372 2008 Confidential 2010 Update User Database To Revoke Private PSK Users From Managed HiveAPs Select Your HiveAP Select Update...Upload User Database 373 2008 Confidential 2010 Update User Database To Revoke Private PSK Users Click Delta Upload (Compare with running config) If you click the link for the hostname of your HiveAP you can see the user commands that will be sent to the HiveAP Click Upload NOTE: Once a client is revoked, it can never be activated again, the user will need to obtain a new Private PSK 374 2008 Confidential 2010 CLI on HiveAPs Can Be Used To Verify Revoked Users AH-0045d0# show auth private-psk Interface=wifi0.1; SSID=Class-PPSK-1; Total entries: 30 No. User Group ---- ---------------- --------------1 01-corp0030 PPSK-Corp-01 2 01-corp0029 PPSK-Corp-01 3 01-corp0028 PPSK-Corp-01 Protocol-suite=PSK-auto; PMK ---e1d4 7a61 a975 Valid ----Yes Yes Yes 4cf3 e7c7 8d07 1964 a4c5 70c5 c41b No Yes Yes No Yes Yes No ... 24 25 26 27 28 29 30 01-corp0007 01-corp0006 01-corp0005 01-corp0004 01-corp0003 01-corp0002 01-corp0001 PPSK-Corp-01 PPSK-Corp-01 PPSK-Corp-01 PPSK-Corp-01 PPSK-Corp-01 PPSK-Corp-01 PPSK-Corp-01 NOTE: Once a client is revoked, it can never be activated again, the user will need to obtain a new Private PSK 375 2008 Confidential 2010 Revoked Private PSK Users Are Immediately De-Authenticated To view the active clients, go to ClientsActive Clients The revoked clients will no longer be active 376 2008 Confidential 2010 Wireless VPN Troubleshooting Commands 377 2008 Confidential 2010 VPN CLI Commands show vpn ipsec sa 02-A-038cc0# show vpn ipsec sa SA(Security Association) information as following: IPsec Security Association Information: 10.5.1.150 [4500] 1.1.1.2 [4500] tunnel-id: 9 esp-udp mode=tunnel spi=101699633(0x060fd031) reqid=0(0x00000000) Encryption: aes-cbc Authentication: hmac-sha1 seq=0x00000000 replay=4 flags=0x20000000 state=mature created: Sep 3 10:58:51 2010 current: Sep 3 11:13:25 2010 diff: 874(s) hard: 3600(s) soft: 2880(s) last: Sep 3 10:58:51 2010 hard: 0(s) soft: 0(s) current: 141008(bytes) hard: 0(bytes) soft: 0(bytes) current: 668(pkts) hard: 0(pkts) soft: 0(pkts) failed: 0(pkts) replay: 0(pkts) replay window: 0(pkts) sadb_seq=1 pid=993 refcnt=0 1.1.1.2 [4500] 10.5.1.150 [4500] tunnel-id: 9 esp-udp mode=tunnel spi=49616501(0x02f51675) reqid=0(0x00000000) Encryption: aes-cbc Authentication: hmac-sha1 seq=0x00000000 replay=4 flags=0x20000000 state=mature created: Sep 3 10:58:51 2010 current: Sep 3 11:13:25 2010 diff: 874(s) hard: 3600(s) soft: 2880(s) last: Sep 3 10:58:51 2010 hard: 0(s) soft: 0(s) current: 116016(bytes) hard: 0(bytes) soft: 0(bytes) current: 1065(pkts) hard: 0(pkts) soft: 0(pkts) failed: 0(pkts) replay: 0(pkts) replay window: 0(pkts) sadb_seq=0 pid=993 refcnt=0 378 2008 Confidential 2010 VPN CLI Commands show vpn ipsec-tunnel 02-A-038cc0# show vpn ipsec-tunnel IPsec Tunnel Duration: Source Destination Created Duration ------------------------ ------------------------ -------------------- ---------------------------------------10.5.1.150[4500] 1.1.1.2[4500] 2010-09-03 10:58:51 0 days 0 hours 12 minutes 28 seconds Total IPsec Tunnel Sessions: 1 Tunnel Statistic Information:: Src IP Dst IP Remaining-Lifetime ------------------------ ---------------------------------10.5.1.150[4500] 1.1.1.2[4500] rekey 1.1.1.2[4500] 10.5.1.150[4500] rekey Pkts Bytes Auth-Err Other-Err SPI ---------- ---------- ---------- ---------- ---------- ------605 130848 0 0 0x060fd031 2132(s) 1027 112324 0 0 0x02f51675 2132(s) 379 2008 Confidential 2010 VPN CLI Commands show amrp tunnel 02-A-038cc0# show amrp tunnel Total 1 tunnels DA - DNXP Access, DB - DNXP Backhaul IA - INXP Access, IB - INXP Backhaul VA - VPN Access, VB - VPN Backhaul No. Peer Type client age TTL ------------------------------------------------------------------------------1 10.8.1.2 VA 1 02:30:14 02-A-038cc0# show amrp tunnel 10.8.1.2 VPN access tunnel <tunnel0 -> 10.8.1.2> age: 02:32:34 client count: 1 state: ESTABLISHED state age: 02:32:33 last echo request: 00:00:03 sec ago last echo reply: 00:00:03 sec ago heartbeat interval: 10 sec heartbeat fail retry: 10 flag: 0x3 380 2008 Confidential 2010 VPN CLI Commands show vpn gre-tunnel 02-A-038cc0# show vpn gre-tunnel Tunnel table: T=Type; Z=Zone; PN=policy numbers; Age Out=idle time of the tunnel since last receive packet TXs=TX packets; TXE=TX errors; RXs=RX packets; RXE=RX errors; Type: G=General route encapsulation; O=Other tunnel; Zone: A=Access; B=Backhaul; Total entries: 1 ID T Z PN Age Out Src IP Dst IP TXs TXE RXs RXE ---- - - --- -------- --------------- --------------- -------- ---- -------- ---1 G A 1 109 10.8.1.20 10.8.1.2 36 0 23 0 381 2008 Confidential 2010 VPN CLI Commands show vpn ike event (Failure Event) 03-A-0377c0# show vpn ike event 2009-10-01 14:05:40:Peer failed phase 1 authentication (certificate problem?)(10.5.1.151[4500]>1.1.1.2[4500]) 2009-10-01 14:06:30:Peer not responding(10.5.1.151[4500]->1.1.1.2[4500]) 2009-10-01 14:06:30:Phase 1 deleted(10.5.1.151[4500]>1.1.1.2[4500]) 2009-10-01 14:06:31:Peer failed phase 1 authentication (certificate problem?)(10.5.1.151[4500]>1.1.1.2[4500]) In this case, the root CA certificate was not pushed to the AP, so it cannot validate the VPN server 382 2008 Confidential 2010 VPN CLI Commands show vpn ike event (Failure Resolution) 04-A-04c000# show vpn ike event 2010-09-03 17:48:39:Peer not responding(10.5.1.157[4500]->1.1.1.2[4500]) 2010-09-03 17:48:39:Phase 1 deleted(10.5.1.157[4500]->1.1.1.2[4500]) 2010-09-03 17:48:40:Peer failed phase 1 authentication (certificate problem?)(10.5.1.157[4500]->1.1.1.2[4500]) Originally the wrong root CA certificate was sent to the HiveAP After updating the certificate by updating the configuration – After typing clear ike sa, the VPN processes are restarted and the negotiation and the tunnel became established 04-A-04c000# clear vpn ike sa 04-A-04c000# show vpn ike event 2010-09-03 17:58:50:Phase 1 deleted(10.5.1.150[4500]->1.1.1.2[4500]) 2010-09-03 17:58:51:Phase 1 started(10.5.1.150[500]->1.1.1.2[500]) 2010-09-03 17:58:51:Phase 1 established(10.5.1.150[4500]->1.1.1.2[4500]) 2010-09-03 17:58:51:Xauth exchange start(10.5.1.150[4500]->1.1.1.2[4500]) 2010-09-03 17:58:51:Xauth exchange passed(10.5.1.150[4500]->1.1.1.2[4500]) 2010-09-03 17:58:51:Add security policy into kernel stack done(10.5.1.150[4500>1.1.1.2[4500]) 2010-09-03 17:58:51:ISAKMP mode config done(10.5.1.150[4500]->1.1.1.2[4500]) 2010-09-03 17:58:51:Phase 2 started(10.5.1.150[4500]->1.1.1.2[4500]) 2010-09-03 17:58:51:Phase 2 established(10.5.1.150[4500]->1.1.1.2[4500]) 383 2008 Confidential 2010 Use Client Monitor To View Connection Status From MonitorActive ClientsOperationsClient Monitor Add the MAC address of a client to monitor its connection status 384 2008 Confidential 2010