Instructor-led Training: Aerohive Advanced WLAN Configuration (AAWC)
2011 Aerohive Networks CONFIDENTIAL

Copyright Notice
Copyright 2012 Aerohive Networks, Inc. All rights reserved.
Aerohive Networks, the Aerohive Networks logo, HiveOS, Hive AP, Aerohive AP, Aerohive Device, HiveManager, and GuestManager are trademarks of Aerohive Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies.
Getting Started: Creating a WLAN Policy and Managing Aerohive Devices

Lab: Get Connected
1. Connect to the class WLAN
Please connect to the SSID: aerohive-class
Network Key: aerohive123
You should get an IP in the 10.5.1.0/24 subnet.
[Diagram: Class-SSID, WPA/WPA2 Personal (PSK), network key aerohive123; guest client on VLAN 1; WLAN Policy: WLAN-Classroom; AP Mgt0 IP 10.5.1.N/24 on VLAN 1; client connects to Class-SSID with IP 10.5.1.N/24 and gateway 10.5.1.1; Instructor PC; Internet]

Lab: Get Connected
2. Get the class files from the instructor
From your PC, open a web browser and for the URL type: ftp://ftp:aerohive@10.5.#.# (ask the instructor for the IP address)
Username: ftp
Password: aerohive
You will find:
Courseware (pptx files). If you do not have MS Office 2003 or later, please download a PPTX viewer from Microsoft.
Topology map jpg images, used for the planning tool and topology map lab.
TightVNC (Windows) and RealVNC (Mac). Please install the Viewer only; it is used to connect to a hosted PC.
User files for Private PSK in CSV format, for the Private PSK lab.

Introductions
What is your name?
What is your organization's name?
How long have you worked in Wi-Fi?
How long have you used Aerohive?
Facilities Discussion
Course Material Distribution
Course Times
Restrooms
Break room
Smoking Area
Break Schedule: Morning Break, Lunch Break, Afternoon Break

Aerohive Advanced WLAN Configuration (AAWC) Course Overview
Each student connects to HiveManager, a remote PC, and an Aerohive AP over the Internet from their wireless-enabled laptop in the classroom, and then performs hands-on labs that cover the following topics:
Overview of Aerohive Cooperative Control Architecture and Products
802.1X/EAP architecture overview
802.1X with external RADIUS
RADIUS attributes for user profile assignment
Using Client Monitor to troubleshoot 802.1X/EAP
HiveManager Certificate Authority
Aerohive devices as RADIUS servers that integrate with Active Directory for 802.1X user authentication and credential caching
LDAP attributes for user profile assignment
Aerohive devices as Layer 2 IPsec VPN clients and VPN servers
Self-registration guest management using PPSK
Device classification
Layer 3 roaming
Guest management using GRE tunneling to a DMZ
Aerohive devices as a DHCP server
Bonjour Gateway
Mobile Device Management (MDM)
2-Day Hands-on Class

Aerohive Instructor-Led Training
Aerohive Education Services offers a complete curriculum that provides you with the courses you will need as a customer or partner to properly design, deploy, administer, and troubleshoot all Aerohive WLAN solutions.
Aerohive Essentials WLAN Configuration (AEWC): first-level course
Aerohive Advanced WLAN Configuration (AAWC): second-level course
Aerohive Routing WLAN Configuration (ABOD): Branch on Demand course
Aerohive Class Schedule: www.aerohive.com/training
Wi-Fi Books Authored by Aerohive Employees
CWNA Certified Wireless Network Administrator Official Study Guide, by David D. Coleman and David A. Westcott
CWSP Certified Wireless Security Professional Official Study Guide, by David D. Coleman, David A. Westcott, Bryan E. Harkins and Shawn M. Jackman
CWAP Certified Wireless Analysis Professional Official Study Guide, by David D. Coleman, David A. Westcott, Ben Miller and Peter MacKenzie
802.11 Wireless Networks: The Definitive Guide, Second Edition, by Matthew Gast
802.11n: A Survival Guide, by Matthew Gast

Aerohive Forums
Announcing Aerohive's new online community: HiveNation
Have a question, an idea or praise you want to share? Join the HiveNation Community, a place where customers, evaluators, thought leaders and students like yourselves can learn about Aerohive and our products while engaging with like-minded individuals.
How do I join? Visit http://community.aerohive.com/aerohive and sign up!
Aerohive Social Media
The HiveMind Blog: http://blogs.aerohive.com
Follow us on Twitter: @Aerohive
Instructor: David Coleman: @mistermultipath
Instructor: Bryan Harkins: @80211University
Instructor: Gregor Vucajnk: @GregorVucajnk
Please feel free to tweet about #Aerohive training during class.

Hosted Training Equipment in the Data Center
14 Aerohive Access Points with external antenna connections and RF cables to connect to the USB Wi-Fi adapter of each virtual client in the ESXi server
Access Points are connected from eth0 to a Layer 2 PoE switch (yellow cables)
Access Points are connected from their console port to a console server (white cables)
Console server to permit SSH access into the serial console of the Aerohive Access Points
Layer 2 managed PoE switch with 802.1Q VLAN trunk support
Server running VMware ESXi with dual quad-core or six-core Intel processors, 15000 RPM 450MB or 600MB redundant disks, 36 GB RAM, and a minimum of 3 USB ports to connect to 3 USB hubs
Firewall with routing support, NAT, and multiple virtual router instances

Network Layout for the Data Center
[Diagram: three AP groups on 10.5.2.*/24 with no gateway]
HiveManager: MGT 10.5.1.20/24
Win2008 AD Server: MGT 10.5.1.10/24
Linux Server: MGT 10.6.1.150/24
L3 Switch/Router/Firewall: eth0 10.5.1.1/24 (VLAN 1); eth0.1 10.5.2.1/24 (VLAN 2); eth0.2 10.5.8.1/24 (VLAN 8); eth0.3 10.5.10.1/24 (VLAN 10); eth1 10.6.1.1/24 (DMZ)
L2 Switch: native VLAN 1; LAN ports connected to the L2 switch with 802.1Q VLAN trunks
Aerohive AP common settings: default gateway none; MGT0 on VLAN 2; native VLAN 1
Client PCs for wireless access (X = 2, 3, ... N):
  Ethernet 10.5.1.202/24, no gateway; Wireless 10.5.10.$/24, gateway 10.5.10.1
  Ethernet 10.5.1.203/24, no gateway; Wireless 10.5.V.X/24, gateway 10.5.V.1
  Ethernet 10.5.1.20N/24, no gateway; Wireless 10.5.V.X/24, gateway 10.5.V.1
14 Client PCs for wireless access
14 Aerohive AP 340s
Terminal Server: 10.5.1.5/24
Services for the hosted class:
  Win2008 AD Server: RADIUS (NPS), DNS, DHCP
  Linux Server: Web server, FTP server
Instructor Login

Instructor: Getting Started With Training
1. Authenticate with the firewall authentication server
For lab1 or lab2: https://training-auth.aerohive.com
For lab3: https://training-auth3.aerohive.com
Login with the credentials provided by training@aerohive.com
Instructor ONLY: Getting Started With Training
2. Connect to the hosted training HiveManager
Securely browse to the appropriate HiveManager for class:
TRAINING LAB 1: https://training-hm1.aerohive.com (https://72.20.106.120)
TRAINING LAB 2: https://training-hm2.aerohive.com (https://72.20.106.66)
TRAINING LAB 3: https://training-hm3.aerohive.com (https://209.128.124.220)
Supported browsers: Firefox, Internet Explorer, Chrome
Class login credentials:
Login: admin
Password: <instructor secret>
Note: In order to access the HiveManager, someone at your location needs to enter the training firewall credentials given to them by the instructor first.

Instructor ONLY: Getting Started With Training
3. Agree to the End User License Agreement
Click Agree to the End User License Agreement.

Instructor ONLY: Getting Started
Only seen at first login... Welcome Page Settings
Hive Name: Class
NOTE: The Hive Name will also be used as the name for some of the automatically created quick start objects.
New HiveManager Password: <password for HiveManager and Aerohive Devices>
Quick Start SSID Password: aerohive123
Time Zone: <Your time zone>
Click Continue
NOTE: Setting the HiveManager password here also sets the Aerohive Device Access Console SSID key and the CLI admin password. You can change some of these settings individually by going to Home > Global Settings.

Quick Start Objects Are Typically Named from the Hive Name
At first login, the administrator is prompted to fill out settings for the Hive Name, the HiveManager administrator password, and a Quick Start SSID password.
HiveManager uses the Hive name as the name for automatically generated quick start objects such as the DNS service, NTP service, QoS classification profile, LLDP profile, ALG profile, etc., which will work in most cases without need for modification. You can create your own objects, or use the quick start ones.
Quick Start Object Examples
For example, a DNS service object with the name Class is automatically generated, and an NTP service object with the name Class is automatically generated. These objects are used when configuring WLAN and routing settings.
HiveManager Administrator Privileges: Your Access Has Been Limited!
We love you, but we are going to limit your access for class.
Each of you will have your own HiveManager administrator account with the following privileges.
Privileges are set in Admin Groups: Home > Administration > Administrators > Admin Groups
You then create an administrator and assign it to an admin group: Home > Administration > Administrators > Administrators

HiveManager version 5.1 Instructor-led Training: Quick Review of the Aerohive Product Line

Aerohive Wi-Fi Platforms (table, flattened in extraction): AP110 Dual Radio 802.11n 2X Gig.E -20 to 55C 0 to 40C 3x3:3 450 Mbps HP Radios 2x2:2 300 Mbps 11n High Power Radios 1X Gig. E -40 to 55C TPM Security Chip PoE (802.3af + 802.3at) and AC PoE (802.3at) N/A Indoor Industrial Indoor Outdoor Plenum & Dust Proof Plenum Rated Water Proof (IP 68) AP121 AP330 AP350 AP170 1X Gig.E 2x2:2 300 Mbps Radios 2x2:2 300 Mbps Radio 1-Radio 802.11n USB for 3G Modem N/A AP141 BR100 5X Fast.E 54Mbps N/A N/A N/A USB for Future Usage 1-Radio 802.11b/g/n Physical & Virtual Access Console Virtual Access Console

Aerohive Routing Platforms (table, flattened in extraction): BR 100 BR 200 Aerohive AP 330 Aerohive AP 350 Single Radio Dual Radio 2X 10/100/1000 Ethernet 5-10 Mbps FW/VPN 30-50Mbps FW/VPN 1x1 11bgn 3x3:3 450 Mbps 11abgn 5X 10/100 5X 10/100/1000 0 PoE PSE 0 PoE PSE 2X PoE PSE * (* Also available as a non-Wi-Fi device)
L3 IPSec VPN Gateway (VMware): ~500 Mbps VPN, 1000 tunnels, 2 virtual interfaces, HiveOS Virtual Appliance
HiveOS Virtual Appliance
Supports the following:
GRE Tunnel Gateway
L2 IPSec VPN Gateway
L3 IPSec VPN Gateway
RADIUS Authentication Server
RADIUS Relay Agent
Bonjour Gateway
Use a HiveOS Virtual Appliance instead of an AP when higher scalability for these features is required.

Function / Scale:
Layer 2 Tunnels: 1024 tunnels
RADIUS local users per CVG: 9999
Users cached (RADIUS Server): 1024
Simultaneous users (RADIUS Server): 512

Express Mode: optimized for ease of use; uniform company-wide policy; one user profile per SSID
Enterprise Mode: enterprise sophistication; multiple network policies; multiple user profiles per SSID

HiveManager Appliance 2U: redundant power & fans; HA redundancy; 5000 APs
HiveManager Virtual Appliance: VMware ESX & Player; HA redundancy; 1500 APs with minimum configuration
HiveManager 1U Appliance: HA redundancy; 500 APs
HiveManager Online: cloud-based SaaS management

HiveManager Form Factors
HiveManager Appliance 2U: redundant power & fans; HA redundancy; 5000 APs
HiveManager Virtual Appliance: VMware ESX & Player; HA redundancy; 5000 APs with minimum configuration
HiveManager 1U Appliance: HA redundancy; 500 APs
HiveManager Online: cloud-based SaaS management
Features: Topology, Reporting, Heat Maps, SLA Compliance, RF Planner, SW, Config & Policy, Guest Mgmt

Set HiveManager Time Settings
Essential when generating certificates, using Private PSK, wireless VPN, User Manager, time-based authentication, and schedules.

Instructor Only: Set the Time and Time Zone (set manually or use NTP for time)
To change time settings: from Home > Administration > HiveManager Settings, in the upper right corner of System Date/Time click Settings.
Set the time zone.
Set the date/time manually or synchronize with an NTP server.
Click the Save icon.
NOTE: The HiveManager services will be restarted. After a minute, you can log back into the HiveManager.
NOTE: In a later lab, you will configure your APs to update time from an NTP server as well.
Note: Aerohive has an NTP server available with hostname ntp1.aerohive.com.

Get Connected to HiveManager: Aerohive Enterprise Mode
Lab: Setting Up a Wireless Network
1. 
Connect to the hosted training HiveManager
Securely browse to the appropriate HiveManager for class:
TRAINING LAB 1: https://training-hm1.aerohive.com (https://72.20.106.120)
TRAINING LAB 2: https://training-hm2.aerohive.com (https://72.20.106.66)
TRAINING LAB 3: https://training-hm3.aerohive.com (https://209.128.124.220)
Supported browsers: Firefox, Internet Explorer, Chrome
Class login credentials:
Login: adminX (X = Student ID, 2 - 29)
Password: aerohive123
NOTE: In order to access the HiveManager, someone at your location needs to enter the training firewall credentials given to them by the instructor first.

Lab: Setting Up a Wireless Network
2. Agree to the End User License Agreement
Click Agree to the End User License Agreement.

Help System
HiveManager Help
HiveManager provides a rich and powerful online help. Click Help on the top menu bar to get a menu of the help options.

Help System in HiveManager
When you click Help in the upper right hand corner of the HiveManager Settings you have several options:
HiveManager Help: context-sensitive help based on where you are when you select this option
Settings: lets you specify a path to host the online help web pages locally on your network
Videos and Guides: contains links to all Aerohive documentation and computer-based training modules; you can also download the web-based help system from here
Check for Updates: checks for Aerohive's latest code
About HiveManager

Help System in HiveManager
Web-based help files; Deployment, Quickstart, and Mounting Guides; CLI Reference Guides; Online Training

Concept Check! Just in case you forgot from AEWC!
1. Where can you download all of the technical documentation and online training videos about Aerohive products?
2. Can you download the entire help system and store it on your own computer?
Creating Your Wireless LAN: Aerohive Enterprise Mode
Goal
The goal for this lab is to:
Clone your own network policy from a default template
Create a WPA2 Personal SSID and push the configuration to your Aerohive AP
Use a remotely hosted PC to test connectivity to your new SSID

Network Policies: Three Sections
Network Configuration has three main panels; you can click on a panel header to go to the panel. Clicking on the Configure & Update Devices panel saves the configuration, as does Save, or Continue.
1. Configure Network Policy
2. Configure Interface & User Access
3. Configure & Update Devices

Lab: Setting Up a Wireless Network
1. Find a network policy to clone
Go to Configuration
Select to highlight the QuickStart-Wireless-Only policy
Click the settings icon
Click Clone

Lab: Setting Up a Wireless Network
2. Clone the initial wireless network policy
Name: WLAN-X
Hive: Class
Click Clone

Lab: Setting Up a Wireless Network
3. Configure the network policy
Click the orange bar to edit your network policy, select to highlight your network policy, then click the settings icon and select Edit.
Lab: Setting Up a Wireless Network
4. Ensure the Class hive and Wireless Only are selected
Here you can set the Hive, and whether you want Wireless Only, or Wireless and Routing.
Hive: Class
Ensure Wireless Only is selected (for configuring a set of Aerohive Access Points; Wireless and Routing is for configuring a set of Aerohive routers and the access points that connect through them; a third type is for use with Bonjour)
NOTE: This class focuses on Wireless Only deployments.
Click Save
Click OK

Network Policy Types
Wireless Only: use when you have an AP-only deployment, or you require specific wireless policies for APs in a mixed AP and router deployment.
Wireless + Routing: use when you are managing routers, or APs behind routers that do not require different network policies than the router they connect through.
[Diagram: BR100 at a small branch office or teleworker site, and BR200 with APs behind it at a small to medium size branch office, each connected to the Internet]

Network Policy Types
Bonjour Only Policy: recommended to deploy a Bonjour Gateway in 3rd-party networks (Bonjour Gateway lab later in class).
Lab: Setting Up a Wireless Network
5. Configure the network policy
All network policy configuration is done from the Configure Interface & User Access panel.

Lab: Setting Up a Wireless Network
6. Create a new SSID
In Network Configuration, next to SSIDs click Choose, then click New.
Lab: Setting Up a Wireless Network
7. Configure the Employee SSID
SSID Profile: Class-PSK-X (X = 2 to 29, Student ID)
SSID: Class-PSK-X
Select WPA/WPA2 PSK (Personal)
Key Value: aerohive123
Confirm Value: aerohive123
Click Save
Click OK
IMPORTANT: For the SSID labs, please follow the class naming convention.

Lab: Setting Up a Wireless Network
8. Create a user profile
To the right of your SSID, under User Profile, click Add/Remove
Choose User Profiles Click New
Lab: Setting Up a Wireless Network
9. Define user profile settings
Name: Employee-X
Attribute Number: 10
Network or VLAN-only Assignment: 10
Click Save
REMEMBER: User profiles are used for traffic management.

Lab: Setting Up a Wireless Network
10. Choose the user profile and continue
Ensure the Employee-X user profile is highlighted
Click Save
Click Continue or click the bar to Configure & Update Devices

Hosted Training Lab Network IP Summary
[Diagram: VPN Server X-B-Aerohive AP, MGT0 10.8.1.X/24, gateway 10.8.1.1; VPN Client X-A-Aerohive AP, MGT0 10.5.2.#, gateway 10.5.2.1; Firewall (NAT) 2.2.2.2 with NAT rules 1.2.1.X -> 10.8.1.X; Client PC]
WLAN Branch Office: Aerohive AP VPN Clients. WLAN HQ: Aerohive AP VPN Servers. # = address learned through DHCP. RADIUS: 10.8.1.200

Lab: Setting Up a Wireless Network
11. Update the configuration of your Aerohive AP
From the Configure & Update Devices section, modify your AP-specific settings
Click the Name column to sort the APs
Click the link for your AP: X-A-######

Lab: Setting Up a Wireless Network
12. Update the configuration of your A-Aerohive AP
Location: <First-name_Last-name>
Topology Map: ..Classroom
Network Policy: def-policy-template
Note: Leave this set to the default so you can see how it is automatically set to your new network policy when you update the configuration.
Set the power down to 1 dBm on both radios because the APs are stacked in a rack in the data center:
2.4GHz (wifi0) Power: 1
5GHz (wifi1) Power: 1
Do not click Save yet
Lab: Setting Up a Wireless Network
13. Configure settings on your A-Aerohive AP
Under Optional Settings, expand MGT0 interface settings
Uncheck DHCP Client without fallback
Check Static IP
IP Address: 10.5.2.X
Netmask: 255.255.255.0
Gateway: 10.5.2.1
Do not click Save yet

Lab: Setting Up a Wireless Network
14. Configure settings on your A-Aerohive AP
Under Optional Settings, expand Advanced Settings
Check Override MGT VLAN: 2
Click Save

Lab: Setting Up a Wireless Network
15. Update the configuration of your B-Aerohive AP
From the Configure & Update Devices section, modify your AP-specific settings
Click the Name column to sort the APs
Click the link for your AP: X-B-######

Lab: Setting Up a Wireless Network
16. Update the configuration of your B-Aerohive AP
Location: <First-name_Last-name>
Topology Map: <Empty>
Set the Admin State on the 2.4 GHz and 5 GHz radios to Down; they are not used for these labs
Expand MGT0 Interface Settings, and verify a static IP address is set:
MGT0 IP Address: 10.8.1.X
Netmask: 255.255.255.0
Gateway: 10.8.1.1
Click Save
Lab: Setting Up a Wireless Network
17. Update the configuration of both your Aerohive APs
In the Configure & Update Devices section, click the Name column to sort the APs
Check the box next to your APs: X-A-###### and X-B-######
Click Upload and click Yes to change the network policy to the selected network policy

Lab: Setting Up a Wireless Network
18. Update the configuration of both your APs
Click Reboot
In the Confirm window, click Yes

Lab: Setting Up a Wireless Network
19. Wait a minute for the upload to complete
Because the filter is set by default to Current Policy/Default Policies, you will only see devices assigned to your selected network policy, or the def-policy-template (assigned to new devices). Set the filter to None if you want to see all devices.

20. Overview of upload settings
Click Settings

Overview of Update Settings
Complete Upload: the entire Aerohive AP configuration is uploaded and a reboot is required
Delta Upload: only configuration changes are uploaded and no reboot is required
The default is Auto: HiveManager is smart enough to know whether the upload is Complete or Delta
The first upload is always a complete upload
If a Delta upload ever fails, best practice is to select a Complete upload and force a reboot

Lab: Setting Up a Wireless Network
21. Monitoring devices (Display Device Status)
Go to Monitor > Devices > All Devices for more detailed information and tools. There are two display modes available for monitoring devices.
Display Device Status Information: shows the current status of the device
Set items per page
Change column settings
Turn off auto refresh if you want to make changes without interruption
If Audit is a red exclamation point, click it to see the difference between HiveManager and the device.

Lab: Setting Up a Wireless Network
22. 
Monitoring devices (Display Device Configuration)
Display Device Configuration Settings: shows the current configuration settings for the device (Network Policy, IP Settings; change column settings)

Lab: Setting Up a Wireless Network
23. Monitoring devices
When the device reboot is complete:
The Audit column will show two green squares
An orange (Default DTLS) alarm will be cleared and the Alarm column should display green
The uptime will restart from 0 Min
Your AP will be ready for accepting clients
Also note that the MGT0 IP address of your A-Aerohive AP will be in the 10.5.2.0/24 subnet

For Your Information (outside the US): Set the Country Code for World Mode Devices
IMPORTANT: The class APs are in the US, so please DO NOT change the country code!
Note: Updating the country code on an AP configures the radios to meet government requirements for a country.
You can update the country by going to Monitor > All Devices
Select all the devices that are within a single country
Click Update... > Update Country Code
Select the appropriate country code
Click Upload
Repeat these steps if you have devices in additional countries

Test Your Configuration Using the Hosted PC
Lab: Test Hosted Client Access to SSID: Test SSID Access at the Hosted Site
SSID: Class-PSK-X
Authentication: WPA or WPA2 Personal
Encryption: TKIP or AES
Preshared Key: aerohive123
User Profile 1: Employee(10)-X
Attribute: 10
VLAN: 10
IP Firewall: None
QoS: def-user-qos
[Diagram: Hosted PC Student-X; VLANs 1-20; AP Mgt0 IP 10.5.2.N/24 on VLAN 1; WLAN Policy WLAN-X; internal network with AD Server 10.5.1.10; Internet; client connects to SSID Class-PSK-X with IP 10.5.10.N/24 and gateway 10.5.10.1]
Use a VNC client to access the hosted PC; password: aerohive

Lab: Test Hosted Client Access to SSID
1. For Windows: use the TightVNC client
If you are using a Windows PC, use TightVNC. TightVNC has good compression, so please use this for class instead of any other application.
Start TightVNC
For Lab 1 or Lab 2: training-pcX.aerohive.com
For Lab 3: lab3-pcX.aerohive.com
Select Low-bandwidth connection
Click Connect
Password: aerohive
Click OK
Lab: Test Hosted Client Access to SSID
2. For Mac: use the RealVNC client
If you are using a Mac, use RealVNC. RealVNC has good compression, so please use this for class instead of any other application.
Start RealVNC
For Lab 1 or Lab 2: training-pcX.aerohive.com
For Lab 3: lab3-pcX.aerohive.com
Click Connect
Password: aerohive
Click OK

Lab: Test Hosted Client Access to SSID
3. In case the PCs are not logged in
If you are not automatically logged in to your PC:
If you are using the web browser client, click the button to Send Ctrl-Alt-Del
If you are using the TightVNC client, click to send a Control-Alt-Delete
Login: AH-LAB\user
Password: Aerohive1
Click the right arrow to log in

Lab: Test Hosted Client Access to SSID
4. Remove wireless networks on the hosted PC
From the bottom task bar, click the locate wireless networks icon
Select Open Network and Sharing Center
Click Manage wireless networks
Select a network, then click Remove
Repeat until all the networks are removed
Click [x] to close the window

Lab: Test Hosted Client Access to SSID
5. Connect to your Class-PSK-X SSID
Single-click the wireless icon on the bottom right corner of the Windows task bar
Click your SSID: Class-PSK-X
Click Connect
Security Key: aerohive123
Click OK
Lab: Test Hosted Client Access to SSID
6. View the Active Clients list
After associating with your SSID, you should see your connection in the Active Clients list in HiveManager.
Go to Monitor > Clients > Active Clients
Your IP address should be from the 10.5.10.0/24 network

Lab: Test Hosted Client Access to SSID
7. Add additional columns
To change the layout of the columns in the Active Clients list, click the spreadsheet icon
Select VLAN and User Profile Attribute from the Available Columns list and click the right arrow
With VLAN and User Profile Attribute selected, click the Up button so that the columns are moved after Host Name
Click Save

The Client Monitor Tool
Client & Aerohive AP Layer 2 Handshakes

Lab: Client Monitor
1. Select a client to monitor
To start monitoring a client's connection state go to: Monitor > Clients > Active Clients
Select the check box next to a client to monitor
Note: If your client does not appear, you can skip this step for now
Click Operation... > Client Monitor
Click Add Client
For class, ensure Associated Aerohive AP is selected (do not select All)
The MAC address of your client will be selected
Note: You can manually enter the wireless client MAC address without delimiters
Click Add
(Click Client Monitor, select your Aerohive AP, click Operation..., click Add, click Add New Client)

Lab: Client Monitor
2. Start the client monitor
Check Filter Probe
Note: This removes all the probe requests and responses you will see from clients and APs so you can focus on protocol connectivity
Click Start
Note: Your client will be monitored until you click Stop. You can leave this window, and if you go back to Operation... > Client Monitor, you will see the list of all clients being monitored
You can expand the window by dragging the bottom right corner
Select your client to see the connection logs for your client as they occur
1. Check Filter Probe
2. Click Start
3. Drag the bottom right corner of the window to expand it

Client Monitor Results
Throughout the labs, go to the client monitor for your PC to view the ongoing results: the 4-way handshake completes, then the client is assigned an IP address from DHCP.

Time Settings for HiveManager and Aerohive APs
Verify Time Settings
HiveManager and Aerohive APs should have up-to-date time settings, preferably by NTP.
Go to Home > Administration > HiveManager Settings
Next to System Date/Time click Settings

Lab: Create an NTP Policy
1. Create an NTP server object
Go to Configuration
Select your Network Policy: WLAN-X and click OK
Click Additional Settings
Expand Management Server Settings
Note: Upon first login to a new HiveManager system, an NTP server policy is automatically created with the same name as the original Hive name. However, for this lab, create a new NTP server policy.
Next to NTP Server click +
Note: You should configure the NTP server to set the time zone and NTP server settings. This is important for any service that depends on time, such as VPN and RADIUS, which use certificates, schedules, Private PSK validity, etc.

Lab: Create an NTP Policy
2. Configure NTP server settings
Name: NTP-X
Time Zone: <Please use the Pacific time zone>
Uncheck Sync clock with HiveManager
NTP Server: ntp1.aerohive.com
Click Apply
Did you click Apply?
Click Save

Lab: Create an NTP Policy
3. Save your WLAN policy
Back in the Additional Settings, ensure NTP server is set to: NTP-X
Click Save

Secure Wireless LANs With IEEE 802.1X Using PEAP Authentication
IEEE 802.1X with EAP
[Diagram: Supplicant (computer), Authenticator (AP), Authentication Server (RADIUS). Access is blocked until authentication completes.]
802.11 association
EAPoL-start
EAP-request/identity
EAP-response/identity (username) -> RADIUS-access-request
EAP-request (challenge) <- RADIUS-access-challenge
EAP-response (hashed resp.) -> RADIUS-access-request
EAP-success <- RADIUS-access-accept (PMK)
Access granted (the authentication server calculates the key for the user; the supplicant calculates its own key)

Extensible Authentication Protocol (EAP) Comparison Chart

LAB: Secure WLAN Access With 802.1X/EAP Using External RADIUS
[Diagram: Student-X; VLANs 1-20; AP Mgt0 IP 10.5.2.N/24 on VLAN 1; Network Policy WLAN-X; AD Server 10.5.1.10 with NPS (2008)]
Internet Connect to SSID: IP: Gateway: Class-EAP-X 10.5.10.N/24 10.5.10.1 SSID: Authentication: Encryption: Auth User Profile: Attribute: VLAN: Default User Profile: Attribute: VLAN:
Class-EAP-X WPA or WPA2 Personal TKIP or AES Employee-X 10 (RADIUS Attribute Returned) 10 Employee-Default-X 1000 (No RADIUS Attribute Returned) 8 2011 Aerohive Networks CONFIDENTIAL Instructor Only: On Hosted RADIUS Server Verify RADIUS Client Settings 103 For Aerohive APs that are not VPN clients, set the RADIUS server to accept RADIUS messages from the MGT0 interface IP on all Aerohive APs This class uses: 10.0.0.0/8 Shared Secret: aerohive123 NOTE: Use a stronger key in real life! 2011 Aerohive Networks CONFIDENTIAL On Hosted RADIUS Server Configuring RADIUS Return Attributes 104 After successful authentication by users in the AH-LAB\Wireless Windows AD group, RADIUS will return three attribute value pairs to assign the Aerohive user profile. Standard RADIUS Attribute/Value Pairs Returned Tunnel-Medium-Type: IPv4 Tunnel-Type: GRE Tunnel-Pvt-Group-ID: 10 2011 Aerohive Networks CONFIDENTIAL Lab: Secure WLAN Access With 802.1X/EAP 1. Create a New SSID 105 To configure a 802.1X/EAP SSID for Secure Wireless Access Go to Configuration Select your Network Policy: WLAN-X and click OK Next to SSIDs, click Choose Click New
Lab: Secure WLAN Access With 802.1X/EAP
2. Configure an 802.1X/EAP SSID
Profile Name: Class-EAP-X
SSID: Class-EAP-X
Under SSID Access Security select WPA/WPA2 802.1X (Enterprise)
Click Save

Lab: Secure WLAN Access With 802.1X/EAP
3. Select the new Class-EAP-X SSID
Click to deselect the Class-PSK-X SSID
Ensure the Class-EAP-X SSID is selected (highlighted)
Click OK

Lab: Secure WLAN Access With 802.1X/EAP
4. Create a Use Policy Captive Web Portal
Under Authentication, click <RADIUS Settings>
In Choose RADIUS, click New

Lab: Secure WLAN Access With 802.1X/EAP
5. Define the External RADIUS Server
RADIUS Name: RADIUS-X
IP Address/Domain Name: 10.5.1.10
Shared Secret: aerohive123
Confirm Secret: aerohive123
Click Apply
Click Save
Click Apply when done!

Lab: Secure WLAN Access With 802.1X/EAP
6. Create a New User Profile
Under User Profile, click Add/Remove
Click New

Lab: Secure WLAN Access With 802.1X/EAP
7. Define User Profile Settings
Name: Employee-Default-X
Attribute Number: 1000
Network or VLAN-only Assignment: 8
Click Save
Lab: Secure WLAN Access With 802.1X/EAP
8. Assign User Profile as Default for the SSID
With the Default tab selected, ensure the Employee-Default-X user profile is highlighted
IMPORTANT: This user profile is assigned if no attribute value is returned from RADIUS after successful authentication, or if attribute value 1000 is returned.
Click the Authentication tab

Lab: Secure WLAN Access With 802.1X/EAP
9. Assign User Profile to be Returned by RADIUS Attribute
Select the Authentication tab
Select (highlight) Employee-X
NOTE: The User Profile Attribute is appended in parentheses to the User Profile Name
Click Save

Lab: Secure WLAN Access With 802.1X/EAP
10. Verify and Continue
Ensure the Employee-Default-X and Employee-X user profiles are assigned to the Class-EAP-X SSID
Click Continue, or click the Configure & Update Devices bar

Lab: Secure WLAN Access With 802.1X/EAP
11. Update the configuration of your Aerohive AP
In the Configure & Update Devices section:
Select the Filter: Current Policy
Check the box next to your APs: X-A-######, X-B-######
Click Upload

CONFIGURING AND TESTING YOUR 802.1X SUPPLICANT (for Windows 7 supplicants)

Lab: Testing 802.1X/EAP to External RADIUS
1. Connect to Secure Wireless Network
From the bottom task bar, click the locate wireless networks icon
Click Class-EAP-X
Click Connect
NOTE: If this fails, there may be a certificate issue with the hosted PC in VMware. Remedy it by following the next slides.

Lab: Testing 802.1X/EAP to External RADIUS
2. Add a wireless network
Only perform the next steps if the initial connection was not successful
From the bottom task bar, click the locate wireless networks icon
Select Open Network and Sharing Center
Click Manage wireless networks
Click Add

Lab: Testing 802.1X/EAP to External RADIUS
3. Manually create a network profile
Click Manually create a network profile
Network Name: Class-EAP-X
Security type: WPA2-Enterprise
Click Next

Lab: Testing 802.1X/EAP to External RADIUS
4. Change settings to authenticate as user
Click Change connection settings
Click Security
Click Advanced Settings

Lab: Testing 802.1X/EAP to External RADIUS
5. Select Authentication Mode
Check Specify authentication mode
Select User Authentication
Click OK
Click OK for the rest of the windows to save the settings
The PC should connect to the SSID automatically after a moment

Lab: Testing 802.1X/EAP to External RADIUS
6. View Active Clients
After associating with your SSID, you should see your connection in the active clients list in HiveManager
Go to Monitor > Client > Active Clients
User Name: DOMAIN\user
VLAN: 10
User Profile Attribute: 10
Example: Troubleshooting Invalid User Profile Returned From RADIUS
From Monitor > All Devices: if you see an alarm when trying to authenticate with 802.1X/EAP, click the alarm icon for details
This alarm ("Invalid User Profile Returned") specifies that an attribute was returned from the RADIUS server that is not defined on the Aerohive AP; in this case the value was 50
Select the check box next to the alarm and then click Clear

Default RADIUS attributes used for User Profile assignment
By default, user profile assignment by RADIUS attributes uses these standard attribute/value pairs:
Tunnel-Medium-Type: IPv4
Tunnel-Type: GRE
Tunnel-Pvt-Group-ID: 10

RADIUS Attribute Based User Profile Assignment
User Profiles can be assigned based upon any returned RADIUS attribute
The attributes can be Standard or Custom
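As an added example (it is not part of the Aerohive courseware or of HiveOS), the following Python models the attribute handling that the return-attribute slide, the default-profile rule (attribute 1000) and the "Invalid User Profile Returned" alarm above describe. The RADIUS server encodes the Tunnel-Medium-Type=IPv4 / Tunnel-Type=GRE / Tunnel-Pvt-Group-ID triple into an Access-Accept; the AP side first verifies the Response Authenticator against the shared secret (RFC 2865, so a reply from a host without the secret is discarded), then maps Tunnel-Pvt-Group-ID to a user profile, falls back to the default profile when no attribute comes back, and raises the equivalent of the alarm when the value (50 in the slide) is not defined. Attribute numbers are the standard ones from RFC 2865/2868; the profile table, packet identifier and request authenticator are constructed values.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes and attribute types (RFC 2865, RFC 2868)
ACCESS_ACCEPT = 2
TUNNEL_TYPE = 64              # tagged integer; GRE = 10
TUNNEL_MEDIUM_TYPE = 65       # tagged integer; IPv4 = 1
TUNNEL_PRIVATE_GROUP_ID = 81  # tagged string (Tunnel-Pvt-Group-ID in NPS)
TUNNEL_TYPE_GRE = 10
TUNNEL_MEDIUM_IPV4 = 1

# Constructed user profile table matching the lab: attribute -> (name, VLAN).
# 1000 is the default profile, used when no attribute is returned.
USER_PROFILES = {10: ("Employee-X", 10), 1000: ("Employee-Default-X", 8)}
DEFAULT_ATTRIBUTE = 1000


class InvalidUserProfile(Exception):
    """RADIUS returned an attribute value with no profile defined on the AP."""


def tagged_int(attr_type, value, tag=0):
    # RFC 2868 tagged integer: type, length 6, 1 tag byte, 3 value bytes
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr_type, value, tag=0):
    data = value.encode()
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def build_access_accept(ident, request_auth, secret, attributes):
    """Encode an Access-Accept with its Response Authenticator:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = b"".join(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_auth, secret):
    """AP-side check that the reply matches the request it answers and was
    produced by a server holding the shared secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Return [(type, value_bytes), ...] from the attribute area of a packet."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated RADIUS attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def user_profile_attribute(attrs):
    """Return the Tunnel-Pvt-Group-ID string when the reply also carries
    Tunnel-Type=GRE and Tunnel-Medium-Type=IPv4 with the same tag, else None."""
    groups = {}
    for atype, value in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            groups.setdefault(value[0], {})[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # the tag byte is optional: present only when the first byte is 0x00-0x1F
            tag, data = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            groups.setdefault(tag, {})[atype] = data.decode(errors="replace")
    for g in groups.values():
        if (g.get(TUNNEL_TYPE) == TUNNEL_TYPE_GRE
                and g.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IPV4
                and TUNNEL_PRIVATE_GROUP_ID in g):
            return g[TUNNEL_PRIVATE_GROUP_ID]
    return None


def assign_user_profile(attrs, profiles=USER_PROFILES, default=DEFAULT_ATTRIBUTE):
    """Lab rule: no attribute or 1000 -> default profile; a defined attribute
    -> that profile; anything else -> Invalid User Profile Returned."""
    raw = user_profile_attribute(attrs)
    attr = default if raw is None else (int(raw) if raw.isdigit() else raw)
    if attr not in profiles:
        raise InvalidUserProfile(f"attribute {attr!r} is not defined on the AP")
    return profiles[attr]


def demo(group_id="10", secret=b"aerohive123"):
    """Server builds the Access-Accept; the AP verifies it and assigns a profile."""
    request_auth = bytes(range(16))  # constructed; a real AP sends 16 random bytes
    attributes = [tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IPV4),
                  tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_GRE),
                  tagged_string(TUNNEL_PRIVATE_GROUP_ID, group_id)]
    packet = build_access_accept(0x42, request_auth, secret, attributes)
    if not verify_response(packet, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: reply discarded")
    return assign_user_profile(parse_attributes(packet))
```

`demo()` returns `("Employee-X", 10)`; `demo("50")` raises `InvalidUserProfile`, which is the condition the alarm reports. The Response Authenticator is only an MD5 over the shared secret, which is why the slide's advice to use a stronger secret than the lab value matters: a short secret is the only thing standing between a forged Access-Accept and a VLAN assignment.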
Client Monitor For 802.1X/EAP: Example of an invalid user account
The SSL negotiation uses the RADIUS server certificate; the client monitor shows the IP of the RADIUS server
At this point you know the AAA certificates were installed correctly and the server certificate validation done by the client passed
The user is not in the user database. View the AAA server settings and ensure the correct user group is selected, and that the Aerohive AP is a RADIUS server. Then update the configuration of the Aerohive AP.

Client Monitor: Troubleshooting 802.1X
Client Monitor is the perfect tool to troubleshoot 802.1X/EAP problems
More information can be found at: http://blogs.aerohive.com/blog/the-wireless-lan-training-blog/troubleshooting-wi-fi-connectivity-with-hivemanager-tools

RADIUS Test Built Into HiveManager
To test a RADIUS account:
Go to Tools > Server Access Tests > RADIUS Test
RADIUS Server: 10.5.1.10
Aerohive AP RADIUS Client: 0X-A-######
Select RADIUS authentication server
Username: user
Password: Aerohive1
Click Test
You can even see the attribute values that are returned

RADIUS PROXY

Instructor Only: On Hosted RADIUS Server, Verify RADIUS Client Settings
For Aerohive APs that are not VPN clients, set the RADIUS server to accept RADIUS messages from the MGT0 interface IP of every Aerohive AP
This class uses: 10.0.0.0/8
Shared Secret: aerohive123
NOTE: Use a stronger secret in real life!

RADIUS Proxy on Aerohive APs
Aerohive APs can be RADIUS proxies
APs can set their RADIUS server to be the RADIUS proxy AP
The RADIUS proxy AP proxies the authentication requests to the RADIUS server
A single IP can be set on the RADIUS server for all the APs that need to authenticate
Topology: AP RADIUS Clients -> AP RADIUS Proxy & RADIUS Client (10.5.2.2) -> RADIUS Server (10.5.1.10)
RADIUS Client Settings on the RADIUS server: Permit 10.5.2.2/32

Lab: Using Hive Devices as a RADIUS Proxy
1. Designating a RADIUS Proxy
From Configuration click the Show Nav button on the left
Expand Advanced Configuration
Click Authentication
Click RADIUS Proxy
Then click the New button

Lab: Using Hive Devices as a RADIUS Proxy
2. RADIUS Proxy Details
Use Proxy-X as the Proxy Name
Click the + next to RADIUS Server
Do not Save yet!

Lab: Using Hive Devices as a RADIUS Proxy
3. RADIUS Server Details
Use RADIUS-Server-X as the RADIUS Name
Under Add New RADIUS Server use the dropdown arrow and select 10.5.1.10
Server Type: Auth/Acct
Enter and confirm the Shared Secret of aerohive123
Select Server Role: Primary
Click Apply
Click Save
Click Apply

Lab: Using Hive Devices as a RADIUS Proxy
4. RADIUS Proxy Details
Use the dropdown arrow next to Default under Realm Name to select RADIUS-Server-X as your RADIUS Server
Set the Realm name to: ah-lab.local
Ensure the "Strip the Realm name from proxied access requests" check box is selected
Verify your settings
Click Apply
Do not Save yet

Lab: Using Hive Devices as a RADIUS Proxy
5. RADIUS Proxy: No need for RADIUS Clients
Though different Realms can go to different RADIUS servers, for this lab set them to: RADIUS-Server-X
Note: When your APs and the AP RADIUS Proxy are in the same hive (i.e. configured with the same hive name), you do not need to configure RADIUS clients on the AP RADIUS proxy, because the RADIUS client entries and shared keys are automatically generated among APs in a Hive.
Click Save

Lab: Using Hive Devices as a RADIUS Proxy
6. Set AP to be RADIUS Proxy
Go to Monitor > Access Points > Aerohive APs
Check the box next to your X-A-###### AP
Click Modify
Under Optional Settings expand Service Settings
Assign Device RADIUS Proxy to: Proxy-X
Click Save
Note: A RADIUS icon will appear next to your AP

Lab: Using Hive Devices as a RADIUS Proxy
7. Select your Network Policy
To edit your SSID:
Go to Configuration
Select your Network Policy: WLAN-X and click OK
Lab: Using Hive Devices as a RADIUS Proxy
8. Define the AAA client profile
Under Authentication, click <RADIUS Settings>
In Choose RADIUS, click New

Lab: Using Hive Devices as a RADIUS Proxy
9. Define the External RADIUS Server (Use the Proxy)
RADIUS Name: RADIUS-Proxy-X
IP Address/Domain Name: 10.5.2.X
No other settings are needed as long as the APs are in the same Hive
Click Apply
Click Save
Click Apply when done!

Lab: Using Hive Devices as a RADIUS Proxy
10. Verify and Continue
Ensure the Employee-Default-X and Employee-X user profiles are assigned to the Class-EAP-X SSID
Click Continue, or click the Configure & Update Devices bar

Lab: Using Hive Devices as a RADIUS Proxy
11. Complete Upload
It is recommended that Complete Uploads be used for complex configuration changes
In the Configure & Update Devices section, click Settings

Lab: Using Hive Devices as a RADIUS Proxy
12. Complete Upload
Select Complete Upload
Select Activate after 5 seconds
Click Save

Lab: Using Hive Devices as a RADIUS Proxy
13. Update the configuration of your Aerohive AP
In the Configure & Update Devices section:
Select the Filter: Current Policy
Check the box next to your AP: X-A-######
Click Upload
Access points will reboot automatically

CONFIGURING AND TESTING YOUR 802.1X SUPPLICANT (for Windows 7 supplicants)

Lab: Testing 802.1X/EAP to External RADIUS
These slides repeat, step for step, the supplicant lab from the previous section: connect to Class-EAP-X from the locate wireless networks icon; if this fails (possibly a certificate issue with the hosted PC in VMware), add the network manually with Security type WPA2-Enterprise, then under Change connection settings > Security > Advanced Settings check Specify authentication mode, select User Authentication, and click OK through the remaining windows so that the PC connects automatically; finally go to Monitor > Client > Active Clients and confirm User Name: DOMAIN\user, VLAN: 10, User Profile Attribute: 10.
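The realm handling configured in step 4 of the proxy lab (a named realm, a Default realm, and "Strip the Realm name from proxied access requests") is the routing decision a proxy makes on every Access-Request. The Python below is an added example and not HiveOS code: it assumes a realm table modelled on the lab (ah-lab.local and Default both mapped to RADIUS-Server-X), splits the User-Name in both the NAI form user@realm and the Windows form DOMAIN\user, lower-cases the realm for matching, optionally strips it, and refuses to forward a request whose realm is unknown when no Default realm exists.

```python
# Constructed realm table modelled on the lab: the realm ah-lab.local and the
# Default realm both point at RADIUS-Server-X (10.5.1.10 in the lab).
REALM_TABLE = {
    "ah-lab.local": "RADIUS-Server-X",
    "default": "RADIUS-Server-X",   # lower-case key for the lab's "Default" realm
}


def split_realm(user_name):
    """Split the User-Name attribute into (user, realm).

    Handles the NAI form user@realm (RFC 4282: the realm is everything after
    the LAST '@', so 'a@b@ah-lab.local' routes on ah-lab.local) and the
    Windows form DOMAIN\\user. Realms are lower-cased for matching; an absent
    or empty realm is returned as None."""
    if "@" in user_name:
        user, _, realm = user_name.rpartition("@")
        return user, (realm.lower() or None)
    if "\\" in user_name:
        realm, _, user = user_name.partition("\\")
        return user, (realm.lower() or None)
    return user_name, None


def route_access_request(user_name, realm_table=REALM_TABLE, strip_realm=True):
    """Decide where the proxy forwards an Access-Request.

    Returns (server_name, forwarded_user_name). Returns None when neither the
    user's realm nor a Default realm is configured: an unroutable request is
    dropped rather than sent to an arbitrary upstream server."""
    user, realm = split_realm(user_name)
    server = realm_table.get(realm) if realm is not None else None
    if server is None:
        server = realm_table.get("default")
    if server is None:
        return None
    # With the lab's "strip the realm" option, the upstream server sees only
    # the bare user name; otherwise the User-Name is forwarded unchanged.
    forwarded = user if (strip_realm and realm is not None) else user_name
    return server, forwarded
```

Routing on the last `@` matters because a User-Name such as `a@b@ah-lab.local` must still land on the server responsible for ah-lab.local rather than on whatever server a forged inner realm names; rejecting unknown realms without a Default entry keeps the proxy from becoming an open relay to other RADIUS servers.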
GENERATE AEROHIVE AP RADIUS SERVER CERTIFICATES (required when Aerohive APs are configured as RADIUS servers or VPN servers)

HiveManager Root CA Certificate Location and Uses
This root CA certificate is used to:
Sign the CSR (certificate signing request) that HiveManager creates on behalf of the AP acting as a RADIUS or VPN server
Validate Aerohive AP certificates to remote clients
802.1X clients (supplicants) need a copy of the CA certificate in order to trust the certificates on the Aerohive AP RADIUS server(s)
Root CA Cert Name: DefaultCA.pem
Root CA Key Name: Default_Key.pem
Note: The CA key is only ever used or seen by HiveManager
To view certificates, go to Configuration, click Show Nav, then go to Advanced Configuration > Keys and Certificates > Certificate Mgmt

Use the Existing HiveManager CA Certificate, Do Not Create a New One!
For this class, please do not create a new HiveManager CA certificate; doing so would render all previously issued certificates invalid.
On your own HiveManager, you can create your own HiveManager CA certificate by going to Configuration, click Show Nav, then Advanced Configuration > Keys and Certificates > HiveManager CA
Remember this password

LAB: Aerohive AP Server Certificate and Key
1. Generate Aerohive AP Server Certificate
Go to Configuration, click Show Nav, then Advanced Configuration > Keys and Certificates > Server CSR
Common Name: server-X
Organizational Name: Company
Organization Unit: Department
Locality Name: City
State/Province: <2 characters>
Country Code: <2 characters>
Email Address: userX@ah-lab.com
Subject Alternative Name, User FQDN: userX@ah-lab.com
Note: This lets you add an extra step of validating the User FQDN in a certificate during IKE phase 1 for IPsec VPN. This way, the Aerohive AP needs both a valid signed certificate and the correct user FQDN.
Key Size: 1024
Password & Confirm: aerohive123
CSR File Name: AP-X
Click Create
Remember the password (enter your AP-X notes below)

LAB: Aerohive AP Server Certificate and Key
2. Sign and Combine!
Select Sign by HiveManager CA: the HiveManager CA will sign the Aerohive AP server certificate
The validity period should be the same as or less than the number of days the HiveManager CA certificate is valid
Enter the Validity: 3650 (approximately 10 years)
Check Combine key and certificate into one file; enabling this setting helps prevent certificate and key mismatches when configuring the RADIUS settings
Click OK
(The other option on this screen sends the signing request to an external certification authority.)

LAB: Aerohive AP Server Certificate and Key
3. View Aerohive AP Certificate and Key File
To view certificates, go to Configuration, click Show Nav, then go to Advanced Configuration > Keys and Certificates > Certificate Mgmt
The certificate and key file name is: AP-X_key_cert.pem
QUIZ: Which CA signed this Aerohive AP server key? What devices need to install the CA public cert?

AEROHIVE AP RADIUS SERVER WITH ACTIVE DIRECTORY INTEGRATION

Aerohive AP RADIUS Server AD (Kerberos) Integration: The Goal
Aerohive devices are configured as RADIUS servers to perform all the 802.1X EAP operations
Aerohive AP RADIUS servers are joined to the AD domain in order to:
Let the Aerohive APs perform local 802.1X EAP processing
Allow the Aerohive AP to access the AD user store in order to authenticate users
Allow the Aerohive AP to cache credentials in case the AD server is not accessible
During the configuration, one Aerohive AP is selected as the test Aerohive AP to:
Obtain domain information
Test joining an Aerohive AP to the domain (this performs the actual join operation for that AP)
Test user authentication
Perform LDAP browsing operations
CREATING A DELEGATED ADMINISTRATOR FOR JOINING AEROHIVE AP RADIUS SERVERS TO THE DOMAIN

Two Accounts Needed
Aerohive AP Admin Account: used to join Aerohive APs to the domain
LDAP Query Account: used by the Aerohive AP that functions as a RADIUS server to perform LDAP queries

Create a New Active Directory Aerohive AP Administrator (Instructor Only)
On the Windows 2008 AD server, in your domain, select Users, right-click and select New > User
Note: The name used in this example is not relevant; you can use any name
First Name: Aerohive AP
Last Name: Admin
Full Name: Aerohive AP Admin
User Logon: Aerohive APadmin@ah-lab.local
Click Next

Create a New Active Directory Aerohive AP Administrator (Instructor Only)
Enter a Password: Aerohive1
Confirm Password: Aerohive1
Uncheck User must change password at next login
Uncheck User cannot change password
Check Password never expires
Uncheck Account is disabled
Click Next
Click Finish

Aerohive AP Administrator Group Membership
Locate and double-click the new Aerohive AP Admin
Click Member Of
Note: Here you can see that the Aerohive AP Admin only needs to be a member of Domain Users

Delegate Control of the Computer OU to the Aerohive AP Admin (Instructor Only)
Right-click the Computers OU and select Delegate Control...

Delegate Control of the Computer OU to the Aerohive AP Admin
Welcome to the Delegation of Control Wizard: click Next
Users or Groups: click Add, type Aerohive AP Admin, click OK, then click Next

Delegate Control of the Computer OU to the Aerohive AP Admin
Select Create a custom task to delegate
Click Next

Delegate Control of the Computer OU to the Aerohive AP Admin
For Active Directory Object Type, select Computer Objects and leave the rest of the default settings
Check Create selected objects in this folder
Click Next
For Permissions, check Read and Write and leave the rest of the default settings
Click Next

Delegate Control of the Computer OU to the Aerohive AP Admin
Click Finish

CONFIGURE ACTIVE DIRECTORY SETTINGS

Active Directory Integration Types
APs use an external RADIUS server that integrates with AD: each AP is the RADIUS authenticator, but EAP processing/authentication occurs on the external RADIUS server
APs use an AP RADIUS server that integrates with AD: each AP is the RADIUS authenticator, and EAP processing/authentication happens on the Aerohive APs that have the RADIUS service configured
RADIUS Aerohive APs join the AD domain, which gives them the ability to cache credentials used to authenticate users in case the AD is no longer reachable

Lab: Aerohive AP Active Directory Integration
1. Select your Network Policy
To edit your SSID:
Go to Configuration
Select your Network Policy: WLAN-X and click OK
Lab: Aerohive AP Active Directory Integration
2. Select your Network Policy
To configure the Aerohive AP as a RADIUS server:
Select the Configure & Update Devices bar
Select the Filter: Current Policy
Click the link for your A Aerohive AP: X-A-######

Lab: Aerohive AP Active Directory Integration
3. Deselect the proxy object
Under Optional Settings, expand Service Settings
Next to Device RADIUS Proxy, deselect the proxy object created in the previous lab

Lab: Aerohive AP Active Directory Integration
4. Create an Aerohive AP RADIUS Service Object
Under Optional Settings, expand Service Settings
Next to Device RADIUS Service click +

Lab: Aerohive AP Active Directory Integration
5. Create an Aerohive AP RADIUS Service Object
Name: ap-radius-X
Expand Database Settings
Uncheck Local Database
Check External Database
Under Active Directory, click + to define the RADIUS Active Directory Integration Settings

Lab: Aerohive AP Active Directory Integration
5. Select an Aerohive AP to Test AD Integration
Name: AD-X
For Aerohive AP for Active Directory connection setup, select your A Aerohive AP: X-A-#####
This AP will be used to test Active Directory integration. Once it is working, it can be used as a template for configuring other Aerohive AP RADIUS servers with Active Directory integration
The IP settings for the selected Aerohive AP are gathered and displayed

Lab: Aerohive AP Active Directory Integration
6. Modify DNS Settings for Test Aerohive AP
Set the DNS server to: 10.5.1.10
This DNS server should be the Active Directory DNS server or an internal DNS server aware of the Active Directory domain
Click Update: this applies the DNS settings to the Network Policy and to the Aerohive AP so that it can test Active Directory connectivity

Lab: Aerohive AP Active Directory Integration
7. Specify Domain and Retrieve Directory Information
Domain: ah-lab.local
Click Retrieve Directory Information
The Active Directory Server IP will be populated, as well as the BaseDN used for LDAP user lookups

Lab: Aerohive AP Active Directory Integration
8. Specify Domain and Retrieve Directory Information
Domain Admin: hiveapadmin (the delegated admin)
Password and Confirm Password: Aerohive1
Click Join
Check Save Credentials
NOTE: By saving credentials you can automatically join APs to the domain without manual intervention

Lab: Aerohive AP Active Directory Integration
9. Specify a User to Perform LDAP User Searches
Domain User: user@ah-lab.local (a standard domain user)
Password and Confirm Password: Aerohive1
Click Validate User
You should see the message: The user was successfully authenticated.
These user credentials will remain and be used to perform LDAP searches to locate user accounts during authentication.

Lab: Aerohive AP Active Directory Integration
10. Save the AD Settings
Click Save

Lab: Aerohive AP Active Directory Integration
11. Save the RADIUS Settings
Select AD-X with priority: Primary
Click Apply (please make sure you click Apply)
Do not Save yet

Lab: Aerohive AP Active Directory Integration
12. Save the RADIUS Settings
Enable the ability for an AP RADIUS server to cache user credentials in the event that the AD server is not reachable, if the user has previously authenticated:
Check Enable RADIUS Server Credentials Caching
Do not Save yet

Lab: Aerohive AP Active Directory Integration
13. Assign new Aerohive AP server certificate
Assign the newly created AP server certificate and key to the Aerohive AP RADIUS server:
CA Cert File: Default_CA.pem
Server Cert File: AP-X_key_cert.pem
Server Key File: AP-X_key_cert.pem
Key File Password & confirm password: aerohive123
Click Save

Lab: Aerohive AP Active Directory Integration
14. Save the AP Settings
Ensure that the Aerohive AP RADIUS Service is set to: AP-RADIUS-X
Click Save
NOTE: Your A Aerohive AP will have an icon displayed showing that it is a RADIUS server
SSID FOR 802.1X/EAP AUTHENTICATION USING AEROHIVE AP RADIUS WITH AD KERBEROS INTEGRATION

Lab: Aerohive AP RADIUS w/ AD Integration
1. Edit your WLAN Policy and Add SSID Profile
Configure an SSID that uses 802.1X/EAP with AD (Kerberos) integration:
Select the Configure Interfaces & User Access bar
Next to SSIDs click Choose
In Choose SSIDs select New

Lab: Aerohive AP RADIUS w/ AD Integration
2. Configure an 802.1X/EAP SSID
Profile Name: Class-AD-X
SSID: Class-AD-X
Under SSID Access Security select WPA/WPA2 802.1X (Enterprise)
Click Save

Lab: Aerohive AP RADIUS w/ AD Integration
3. Select the new Class-AD-X SSID
Click to deselect the Class-EAP-X SSID
Ensure the Class-AD-X SSID is selected (highlighted)
Click OK

Lab: Aerohive AP RADIUS w/ AD Integration
4. Create a Use Policy Captive Web Portal
Under Authentication, click <RADIUS Settings>
In Choose RADIUS, click New

Lab: Aerohive AP RADIUS w/ AD Integration
5. Define the External RADIUS Server
RADIUS Name: AP-RADIUS-X
IP Address/Domain Name: 10.5.2.X
Leave the Shared Secret empty
NOTE: When the Aerohive AP is a RADIUS server, APs in the same Hive automatically generate a shared secret
Click Apply
Click Save
Click Apply when done!

Lab: Aerohive AP RADIUS w/ AD Integration
6. Select User Profiles
Verify that under Authentication, AP-RADIUS-X is assigned
Under User Profile click Add/Remove

Lab: Aerohive AP RADIUS w/ AD Integration
7. Assign User Profile as Default for the SSID
With the Default tab selected, select (highlight) the Employee-Default-X user profile
IMPORTANT: This user profile is assigned if no attribute value is returned from RADIUS after successful authentication, or if attribute value 1000 is returned.
Click the Authentication tab

Lab: Aerohive AP RADIUS w/ AD Integration
8. Assign User Profile to be Returned by RADIUS Attribute
In the Authentication tab, select (highlight) Employee-X
NOTE: The User Profile Attribute is appended in parentheses to the User Profile Name
Click Save

Lab: Aerohive AP RADIUS w/ AD Integration
9. Verify and Continue
Ensure the Employee-Default-X and Employee-X user profiles are assigned to the Class-AD-X SSID
Click Continue, or click the Configure & Update Devices bar

Lab: Aerohive AP RADIUS w/ AD Integration
10. Update the configuration of your Aerohive AP
In the Configure & Update Devices section:
Click the Name column to sort the APs
Check the box next to your A Aerohive AP: X-A-######
Click Upload

ADDITIONAL AEROHIVE AP AD INTEGRATION INFORMATION

Optional: Verify Aerohive AP Time From the CLI of the Aerohive AP
From the CLI of the Aerohive AP:
# show time
Timezone: GMT-8
# show clock
2011-07-13 11:14:45 Wednesday
Joining Aerohive APs to Active Directory (Computer OU = Wireless/Aerohive APs)
From the AD server, you can go to Active Directory Users and Computers and see when the Aerohive AP joins the domain
If you specify an Active Directory administrator account in the AAA User Directory Settings, the Aerohive AP will automatically add itself to the domain
If you did not specify an Active Directory administrator, you will have to manually add your Aerohive AP to the domain, much as you would with a computer
Click Refresh and select the computer OU; here you can see the hostname of your Aerohive AP

Join Aerohive AP RADIUS Server to Domain
Note: you performed this step for your Aerohive AP in the configuration; here is how you do it for the rest of the Aerohive AP RADIUS servers in your network.
Go to Tools > Server Access Tests > AD/LDAP Test
Select RADIUS Server: X-A-######
Select Test joining the Aerohive AP to an Active Directory domain
Select Active Directory Domain: Primary
User Name: Aerohive APadmin
Password: Aerohive1
Click Test
Result: Aerohive AP Join Success

Alternative: Join Aerohive AP RADIUS Server to Domain using the Aerohive AP CLI
02-A-064200# exec aaa net-join primary username Aerohive APadmin password Aerohive1
(Note: The password is hidden while typing)
Exec-Program output: Joined '02-A-064200' to server 'ah-lab.local' successful (NT_STATUS_OK)
If you have problems joining your AD server, you may need to enter the Administrator account credentials to join the Aerohive AP to the domain
Go to the Wireless/Aerohive APs OU to see the Aerohive AP added as a computer in the domain. You may have to refresh the screen to see the Aerohive AP appear after joining it to the domain.

Troubleshooting Joining an Aerohive AP to a Domain
Possible cause: The administrator does not have privileges to add a computer/Aerohive AP to this OU
Solution: Use an administrator with more privileges
Possible cause: The Aerohive AP was previously added to a different OU, and this administrator does not have privileges to remove the other entry
Action: Delegate administration of this OU to allow the selected administrator to add computers to this OU
(Screenshot: the Aerohive AP has failed to join the domain)

Troubleshooting Joining an Aerohive AP to a Domain
Possible cause: The NTP server settings have not been configured on the Aerohive AP
Solution: Configure the NTP server settings by going to your WLAN Policy > Management Services > NTP Server
(Screenshot: the Aerohive AP time is not accurate)
Kerberos authentication passed for the user 2011 Aerohive Networks CONFIDENTIAL QUESTIONS? 2012 Aerohive Networks Inc. CLIENT ACCESS PREPARATION - DISTRIBUTING CA CERTIFICATES TO WIRELESS CLIENTS 215 2011 Aerohive Networks CONFIDENTIAL LAB: Exporting CA Cert for Server Validation 1. Go to HiveManager from the Remote PC 216 From the VNC connection to the hosted PC, open a connection to: For HM 1 - https://hm1 For HM 2 - https://hm2 For HM 3 - https://hm3 Login with: adminX password: aerohive123 NOTE: Here you are accessing HiveManager via the PCs Ethernet connection
LAB: Exporting CA Cert for Server Validation
2. Download Default CA Certificate to the Remote PC (217)
NOTE: The HiveManager Root CA certificate should be installed on the client PCs that will be using the RADIUS service on the Aerohive APs for 802.1X authentication.
From the Remote PC, go to Configuration, then click Show Nav > Advanced Configuration > Keys and Certificates > Certificate Mgmt
Select Default_CA.pem
Click Export

3. Rename HiveManager Default CA Cert (218)
Export the public root Default_CA.pem certificate to the Desktop of your hosted PC.
This is NOT your Aerohive AP server certificate; this IS the HiveManager public root CA certificate.
Rename the extension of the Default_CA.pem file to Default_CA.cer. This way, the certificate will automatically be recognized by Microsoft Windows.
Certificate name: Default_CA.cer
Save as type: All Files
Click Save

4. Install HiveManager Default CA Cert (219)
Find the file that was just exported to your hosted PC.
Double-click the certificate file on the Desktop: Default_CA
Click Install Certificate
Issued to: HiveManager. This is the name of the certificate if you wish to find it in the certificate store, or if you want to select it in the Windows supplicant PEAP configuration.

5. Finish certificate installation (220)
In the Certificate Import Wizard, click Next
Select "Place all certificates in the following store"
Click Browse

6. Select Trusted Root Certification Authorities (221)
Click Trusted Root Certification Authorities
Click OK
Click Next

7. Finish Certificate Import (222)
Click Finish
Click Yes
Click OK

8. Verify certificate is valid (223)
Click OK to close the certificate
Double-click Default_CA to reopen the certificate
You will see that the certificate is valid, with a valid-from date and a valid-to date
Click the Details tab

9. View the Certificate Subject (224)
In the Details section, view the certificate Subject.
This Subject, HiveManager, is what will appear in the list of trusted root certification authorities in your supplicant (Protected EAP (PEAP) Properties in the 802.1X client), which you configure later in this lab.

For Windows 7 Supplicants
CONFIGURING AND TESTING YOUR 802.1X SUPPLICANT (226)

Lab: Testing Aerohive AP RADIUS w/ AD Integration
1. Connect to Secure Wireless Network (227)
On the hosted PC, from the bottom task bar, click the wireless networks icon
Click Class-AD-X
Click Connect
A Windows security alert should appear; click Details to verify this certificate is from HiveManager, then click Connect.
server-2 is the AP cert, and HiveManager is the trusted CA.

If the Wireless Client Fails to Connect (228)
Please remedy by following the next slides. Otherwise, skip to the end of this lab.

Testing Aerohive AP RADIUS w/ AD Integration
2. Add a wireless network (229)
Only perform the next steps if the initial connection was not successful.
From the bottom task bar, click the locate wireless networks icon
Select Open Network and Sharing Center
Click Manage wireless Networks
Click Add

3. Manually create a network profile (230)
Click Manually create a network profile
Network Name: Class-AD-X
Security type: WPA2-Enterprise
Click Next

4. Change settings to authenticate as user (231)
Click Change connection settings
Click Security
Click Advanced Settings

5. Select Authentication Mode (232)
Check "Specify authentication mode"
Select User Authentication
Click OK
Click OK for the rest of the windows to save the settings
The PC should connect to the SSID automatically after a moment.

6. View Active Clients (233)
After associating with your SSID, you should see your connection in the active clients list in HiveManager.
Go to Monitor > Clients > Active Clients
IP Address: 10.5.8.#
User Name: DOMAIN\user
VLAN: 8
User Profile Attribute: 1000
NOTE: User Profile Attribute 1000 is the Employee-Default-X user profile for the SSID. This user profile is being assigned because no User Profile Attribute Value was returned from RADIUS.
MAPPING ACTIVE DIRECTORY MEMBEROF ATTRIBUTE TO USER PROFILES (235)

Aerohive AP as a RADIUS Server - Using AD Member Of for User Profile Assignment (236)
In your WLAN policy, you defined an SSID with two user profiles:
Employees(1000)-X: set if no RADIUS attribute is returned. This user profile, for example, is for general employee staff, and they get assigned to VLAN 8.
Employee(10)-X: set if a RADIUS attribute is returned. This user profile, for example, is for privileged employees, and they get assigned to VLAN 10.
Because the Aerohive AP RADIUS server is using AD to authenticate the users, and AD does not return RADIUS attributes, how can we assign users to different user profiles?
Though AD does not return RADIUS attributes, it does return other attribute values, like memberOf, which is a list of the AD groups to which the user belongs.

Instructor Only: Confirm User is a member of the Employee Groups (237)
Right-click the username "user" and click Properties
Click on the Member Of tab
The user account "user" should be assigned to all the groups for all the students in class: Employee-1, Employee-2, ... Employee-29
Click OK

Lab: Use AD to Assign User Profile
1. Map memberOf attribute to user profile (238)
From Configuration, Show Nav > Advanced Configuration > Authentication > Aerohive AP AAA Server Settings > AP-RADIUS-X
Expand Database Settings
Check "LDAP server attribute Mapping"
Select "Manually map LDAP user groups to user profiles"
LDAP User Group Attribute: memberOf
Domain: dc=AH-LAB,dc=LOCAL
Click + to expand the LDAP tree

2. Add group to user profile mapping (239)
Expand the tree structure to locate the group: expand CN=Users
Select CN=Employee-X
For "Maps to", from the drop-down list, select the user profile: Employee-X
Click Apply
The mapping appears below the LDAP directory (the LDAP Group Map maps the group to Employee(10)-X)
Click Save
NOTE: The CN in Active Directory does not have to match the name of the user profile; this is just by choice, not necessity.

3. Update the configuration of your Aerohive AP (240)
In the Configure & Update Devices section
Click the Name column to sort the APs
Check the box next to your AP: X-A-######
Click Upload

4. Disconnect and Reconnect to the Class-AD SSID (241)
To test the mapping of the memberOf attribute to your user profile:
Disconnect from the Class-AD-X SSID
Connect to the Class-AD-X SSID

5. Verify your active client settings (242)
From Monitor > Clients > Active Clients
Your client should now be assigned to:
IP Address: 10.5.10.#
User Profile Attribute: 10
VLAN: 10
NOTE: In the previous lab, without the LDAP group mapping, the user was assigned to attribute 1000 in VLAN 8.
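The group-to-profile lookup the lab configures, written out as an added example (not HiveManager or HiveOS code): the user's memberOf group DNs are normalized and checked against a manual group map, and a user with no mapped group falls back to the default profile (attribute 1000, VLAN 8). The DN parser, the tie-break when several mapped groups match, and the sample memberOf values are assumptions of this example.

```python
"""Map the Active Directory memberOf attribute to a user profile.

Added example, not HiveManager or HiveOS code. It models what the lab
configures under "LDAP server attribute Mapping": AD returns no RADIUS
attributes, but its memberOf attribute lists the user's groups, and a manual
group-to-profile map turns that into a User Profile Attribute (10 / VLAN 10
for the mapped Employee-X group, otherwise the SSID default 1000 / VLAN 8).
The DN parser, the tie-break between several mapped groups, and the sample
memberOf values are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class UserProfile:
    name: str
    attribute: int  # User Profile Attribute as shown under Active Clients
    vlan: int


# Assigned when no mapped group is present (lab: Employees(1000)-X, VLAN 8).
DEFAULT_PROFILE = UserProfile("Employee-Default-X", 1000, 8)

# Manual LDAP group -> user profile map (lab: CN=Employee-X maps to Employee-X,
# attribute 10, VLAN 10). Keys are full group DNs as AD returns them.
GROUP_MAP: Dict[str, UserProfile] = {
    "CN=Employee-X,CN=Users,DC=AH-LAB,DC=LOCAL": UserProfile("Employee-X", 10, 10),
}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) RDN pairs, honouring backslash-escaped
    commas so a value such as "Smith\\, John" is not split in two."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # keep the escape pair intact
            buf += dn[i:i + 2]
            i += 2
            continue
        if ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    parts.append(buf)
    rdns = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: AD DN matching is case-insensitive and
    tolerates whitespace around separators, so lowercase and strip both."""
    return ",".join(f"{attr}={value.lower()}" for attr, value in parse_dn(dn))


def resolve_profile(member_of: List[str],
                    group_map: Dict[str, UserProfile] = GROUP_MAP,
                    default: UserProfile = DEFAULT_PROFILE) -> UserProfile:
    """Return the profile for the first mapped group in memberOf order, or the
    default profile when none of the user's groups is mapped. A user in several
    mapped groups gets the first one listed (assumption of this example)."""
    normalized_map = {normalize_dn(k): v for k, v in group_map.items()}
    for group_dn in member_of:
        try:
            key = normalize_dn(group_dn)
        except ValueError:
            continue  # ignore a malformed group DN rather than failing the user
        if key in normalized_map:
            return normalized_map[key]
    return default


# Constructed sample: the lab user is a member of Employee-1 .. Employee-29.
SAMPLE_MEMBER_OF = ["CN=Domain Users,CN=Users,DC=AH-LAB,DC=LOCAL"] + [
    f"CN=Employee-{n},CN=Users,DC=AH-LAB,DC=LOCAL" for n in range(1, 30)
]

if __name__ == "__main__":
    # With the map keyed on the literal "Employee-X", the sample user falls
    # through to the default profile (attribute 1000, VLAN 8).
    print(resolve_profile(SAMPLE_MEMBER_OF))
    # Once the student's actual group is mapped, they land in attribute 10 / VLAN 10.
    student_map = {"cn=employee-7,cn=users,dc=ah-lab,dc=local": UserProfile("Employee-7", 10, 10)}
    print(resolve_profile(SAMPLE_MEMBER_OF, student_map))
```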
Using Aerohive APs as IPsec VPN Clients and IPsec VPN Servers to Provide VPN Connections with Wireless LANs
WIRELESS VPN (244)

Aerohive Layer 3 VPN (245)
Diagram (see notes below): Remote Site with Layer 2 VPN client devices (BR-100 router), connected over the Internet to Headquarters.
Note: Layer 3 VPNs are taught in the Aerohive Branch on Demand (ABOD) class.

Aerohive Layer 2 VPN (246)
Diagram (see notes below): Remote Site with Layer 2 VPN client devices (AP-100 series), connected over the Internet to Headquarters.

Wireless VPN Benefits - For your reading pleasure - (247)
Easy to Use
- L2 IPsec VPN solution simplifies deployment, because it extends the local network across the VPN without the need to dedicate subnets for each remote site and set up DHCP relays on branch routers or firewalls
- Automatic certificate creation and distribution for validating VPN devices
- Profile-based Split Tunneling: users and services can be bridged locally or tunneled based on user profile
Flexible
- Single mode of operation supports all deployments
- Supported in all Aerohive AP platforms, hardware acceleration in the 300 series
- Multiple end point support: backup VPN gateway support, distributed wireless VPN tunnel termination
Complete Functionality
- Multiple AP support with secure and fast roaming
- Mesh Portals and Mesh Points supported
- RADIUS, DHCP, NTLM, LDAP and NTP can selectively go to the local or the remote network
- Rogue AP and rogue client detection, DoS prevention, Firewall, and QoS all occur locally on the remote Aerohive AP
Economical
- No license fees for wireless VPN, or any of the other features on the Aerohive APs
- For the cost of an AP, you get wireless VPN servers
Please review the notes pages.

Teleworker Home Office (248)
Diagram (see notes below): Headquarters with Aerohive AP1 VPN Server, Aerohive AP2 VPN Server, DHCP Server, Corporate Wi-Fi Devices VLAN 10 (10.8.20.0/24) and Corporate Wi-Fi Voice VLAN 11 (10.8.21.0/24), connected over the Internet by IPsec primary and backup VPN tunnels to the Teleworker Home Office: Aerohive AP 5 VPN Client 192.168.1.2 behind the Internet Provider Gateway 192.168.1.1; Work Laptop on SSID Corp 10.8.20.51; Work Phone on SSID Voice 10.8.21.33; Home PC with Printer 192.168.1.5; Home Laptop on SSID Home 192.168.1.6.

Branch Office VPN with Bridging (249)
Diagram: Headquarters (DMZ, DHCP Server, Aerohive AP1 VPN Server, Aerohive AP2 VPN Server, Corporate Wi-Fi Devices VLAN 10 10.8.20.0/24, Corporate Wi-Fi Voice VLAN 11 10.8.21.0/24) connected over the Internet by IPsec primary and backup VPN tunnels to the Branch Office (Gateway 192.168.1.1): wired Phone 10.8.21.5, Printer 10.8.20.11 and Desktop 10.8.20.10; wireless Phone on SSID Voice 10.8.21.33; Guest Laptop on SSID Guest 192.168.1.50.

CONFIGURE 802.1X SSID FOR WIRELESS VPN ACCESS (251)

Wireless VPN Lab - Lab Network Diagram (252)
Configure two Aerohive APs: Aerohive AP-A will be a VPN client, Aerohive AP-B will be a VPN server.
Aerohive AP-A VPN Client: Hostname X-A-<6-digits of mac>, Hive: Class, Interface mgt0: 10.5.2.<DHCP>/24 VLAN 2, Interface tunnel0: 10.8.1.X0, WLAN Policy: WLAN-X
Aerohive AP-B VPN Server: Hostname X-B-<6-digits of mac>, Hive: Class, Interface mgt0: 10.8.1.X/24 VLAN 1, IP Pool: 10.8.1.X0 - 10.8.1.X9, WLAN Policy: WLAN-X
Firewalls: branch side NAPT Policy ANY -> 2.2.2.2; HQ side (1.2.1.1) NAT Policy 1.2.1.X -> 10.8.1.X
HQ servers: AD 10.8.1.200 (VLAN 1), WEB 10.8.20.150 (VLAN 20)
Diagram labels: Client 10.8.1.X, 10.5.2.<DHCP>

Wireless VPN Labs - Network IP Summary (253)
VPN Server: X-B-Aerohive AP, MGT0 10.8.1.X/24, Gateway 10.8.1.1
VPN Client: X-A-Aerohive AP, 10.5.2.?/24 (? = address learned through DHCP), Gateway 10.5.2.1, tunnel0: 10.8.1.X0
Firewall NAT rules: 1.2.1.X -> 10.8.1.X (HQ side); FW(NAT) 2.2.2.2 (branch side)
VPN client tunnel address pool, AP VPN 1: 10.8.1.X0 - 10.8.1.X9
RADIUS: 10.8.1.200
Client PC: 10.8.20.?/24, GW 10.8.20.1
DHCP Server: VLAN 20, Net 10.8.20.0/24, Pool 10.8.20.150 - 10.8.20.200, Gateway 10.8.20.1
Layer 3 IPsec VPN tunnels, IP headers: (10.5.2.?) 2.2.2.2 <-> 1.2.1.X, between the WLAN Branch Office Aerohive AP VPN Clients and the WLAN HQ Aerohive AP VPN Servers
Layer 2 GRE tunnels, IP headers: Tunnel0 10.8.1.X0 <-> 10.8.1.X

Instructor Only: On Hosted RADIUS Server, Verify RADIUS Client Settings (254)
For this class, the tunnel IP pool assigned to Aerohive AP VPN clients is 10.8.1.0/24.
NOTE: For Aerohive APs that are VPN clients, the RADIUS server must accept RADIUS messages from an IP address in the tunnel IP address pool assigned to each Aerohive AP VPN client.
Address: 10.0.0.0/8 (will include all IP addresses that are needed)
Shared Secret: aerohive123

LAB: Configure Access for Wireless VPN
1. Select your Class-EAP-X SSID for VPN (255)
Reassign your Class-EAP-X SSID to use for VPN:
Next to SSIDs, click Choose
Click to deselect the Class-AD-X SSID
Click to select (highlight) the Class-EAP-X SSID
Click OK
(Screenshot: click to deselect Class-AD-X; ensure Class-EAP-X is highlighted, then click OK.)

2. Configure External RADIUS Server (256)
Under Authentication, click <RADIUS-X>
In Choose RADIUS, click New

3. Configure External RADIUS Server (257)
Define RADIUS Server Settings for use with wireless clients through the VPN:
Click the radio button for External RADIUS Server
Profile Name: VPN-RADIUS-X
Primary RADIUS Server: 10.8.1.200
Shared Secret: aerohive123
Confirm Secret: aerohive123
Click Apply (did you click Apply?)
Click Save

4. Modify Employee-X User Profile to be in VLAN 20 (258)
Modify the Employee-X user profile to assign users to VLAN 20, which is in the DMZ.
Under User Profile, click Employee-X

5. Change Employee-X VLAN to 20 (259)
Name: Employee-X
Attribute Number: 10
Change Network or VLAN-only Assignment to: 20
Click Save

6. Save the SSID Settings (260)
Verify settings, then click Save
CONFIGURE LAYER 2 IPSEC VPN (262)

Wireless VPN Labs - Network IP Summary (263)
The network IP summary diagram is repeated here for reference: VPN Server X-B-Aerohive AP, MGT0 10.8.1.X/24, Gateway 10.8.1.1; VPN Client X-A-Aerohive AP, 10.5.2.?/24 (? = address learned through DHCP), Gateway 10.5.2.1, Tunnel Interface 10.8.1.X0; Firewall NAT rules 1.2.1.X -> 10.8.1.X (HQ side) and FW(NAT) 2.2.2.2 (branch side); RADIUS 10.8.1.200; Client PC 10.8.20.?/24, GW 10.8.20.1; DHCP Server VLAN 20, Net 10.8.20.0/24, Pool 10.8.20.150 - 10.8.20.200, Gateway 10.8.20.1; VPN client tunnel address pool, AP VPN 1: 10.8.1.X0 - 10.8.1.X9; Layer 3 IPsec VPN tunnels, IP headers (10.5.2.?) 2.2.2.2 <-> 1.2.1.X between the WLAN Branch Office Aerohive AP VPN Clients and the WLAN HQ Aerohive AP VPN Servers; Layer 2 GRE tunnels, IP headers Tunnel0 10.8.1.X0 <-> 10.8.1.X9.

Tunnel Traffic Header Overview and Example (264)
Diagram following a client frame from the Branch Office to Corporate Headquarters (steps 1 through 8):
Branch Office: Aerohive AP 1 VPN Client, MGT0 10.5.2.100 (private IP), Tunnel0 10.8.1.50; branch firewall public IP 2.2.2.2 (NAPT: ANY -> 2.2.2.2)
Corporate Headquarters: Aerohive AP VPN Server, MGT0 10.8.1.2; HQ firewall public IP 1.2.1.2, NAT 1.2.1.2 -> 10.8.1.2 (MGT0 IP before NAT 1.2.1.2, after NAT 10.8.1.2)
NAT Traversal: UDP, source and destination port 4500; the source port changes with NAPT
IPsec (ESP) tunnel: encrypts the GRE and client traffic
GRE tunnel (Tunnel0 10.8.1.50 <-> MGT0 10.8.1.2): encapsulates the client Layer 2 traffic
Client traffic: Wireless Client MAC 0022.22aa.aa22, VLAN 20, IP 10.8.20.50 <-> Corporate Server MAC 0011.11bb.bb11, VLAN 20, IP 10.8.20.150; the Layer 2 client data carries VLAN tag 20

LAB: Create VPN Services Policy
1. Create a Layer 2 IPsec VPN Policy (265)
To create a Layer 2 IPsec VPN Policy:
Next to Layer 2 IPsec VPN, click Choose
Click New
2. Define Name and IP Settings (266)
Profile Name: VPN-X
For Aerohive AP VPN Server 1, select your B Aerohive AP: X-B-######. This will fill in the Server MGT0 IP Address and the MGT0 Default Gateway.
Server Public IP: 1.2.1.X
NOTE: It is recommended that the VPN client tunnel IP address pool be in the same subnet as the MGT0 interface of the Aerohive AP VPN server.
Client Tunnel IP Address Pool Start: 10.8.1.X0
Client Tunnel IP Address Pool End: 10.8.1.X9
Client Tunnel IP Address Netmask: 255.255.255.0
Do not save yet...

3. Define Name and IP Settings (267)
Go to User Profiles for Traffic Management
Next to Employee-X, select Enabled
Select the radio button for Split Tunnel
NOTE: Split tunnel uses the built-in stateful firewall policy to determine which traffic should be sent to the Internet, and which traffic should go through the tunnel.
Do not save yet...

Split Tunnel Firewall Policy Automatically Created (268)
When you select the option to use split tunnel to the local subnet and the Internet, the following policy gets created on the Aerohive AP. This policy is not displayed in HiveManager.
From Access Firewall Policy:
Source IP      Destination IP   Service       Action
0.0.0.0/0      0.0.0.0/0        DHCP-Server   Permit (tunnel)
0.0.0.0/0      10.5.2.0/24      Any           NAT
0.0.0.0/0      10.0.0.0/8       Any           Permit (tunnel)
0.0.0.0/0      172.16.0.0/12    Any           Permit (tunnel)
0.0.0.0/0      192.168.0.0/16   Any           Permit (tunnel)
0.0.0.0/0      0.0.0.0/0        Any           NAT
Note: by default there is no To Access firewall policy, so if you want traffic to be initiated from HQ to the wireless clients through the VPN, you will need to create a To Access policy that permits that access.
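To see how the six auto-created rules sort client traffic between the tunnel and the local Internet connection, here is an added example (not HiveOS code) that replays the policy against sample flows. Top-down first-match evaluation, the UDP/67 definition of the DHCP-Server service and the sample flows are assumptions of this example; 10.5.2.0/24 is the lab's branch subnet.

```python
"""Evaluate the split-tunnel "From Access" firewall policy from the lab.

Added example, not HiveOS code. It replays the six auto-created rules against
sample client flows to show which traffic is sent through the tunnel and which
is NATed out the branch Internet connection. Top-down first-match evaluation,
the UDP/67 definition of the DHCP-Server service, and the sample flows are
assumptions of this example; 10.5.2.0/24 is the lab's branch (local) subnet.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    service: str   # "Any" or a named service such as "DHCP-Server"
    action: str    # "Permit (tunnel)" or "NAT"


def rule(src: str, dst: str, service: str, action: str) -> Rule:
    return Rule(ip_network(src), ip_network(dst), service, action)


# The policy exactly as listed on the slide, top to bottom. Order matters:
# the local-subnet NAT rule must precede the 10.0.0.0/8 tunnel rule, or branch
# traffic to 10.5.2.0/24 would be sent to HQ instead of bridged locally.
SPLIT_TUNNEL_FROM_ACCESS: List[Rule] = [
    rule("0.0.0.0/0", "0.0.0.0/0",      "DHCP-Server", "Permit (tunnel)"),
    rule("0.0.0.0/0", "10.5.2.0/24",    "Any",         "NAT"),
    rule("0.0.0.0/0", "10.0.0.0/8",     "Any",         "Permit (tunnel)"),
    rule("0.0.0.0/0", "172.16.0.0/12",  "Any",         "Permit (tunnel)"),
    rule("0.0.0.0/0", "192.168.0.0/16", "Any",         "Permit (tunnel)"),
    rule("0.0.0.0/0", "0.0.0.0/0",      "Any",         "NAT"),
]


def service_of(proto: str, dport: Optional[int]) -> str:
    """Classify a flow into the service names the policy uses. Only
    DHCP-Server (UDP to port 67) is named on the slide; all else is 'Any'."""
    return "DHCP-Server" if proto == "udp" and dport == 67 else "Any"


def evaluate(policy: List[Rule], src_ip: str, dst_ip: str,
             proto: str = "tcp", dport: Optional[int] = None) -> Optional[str]:
    """Return the action of the first matching rule, or None if nothing matched
    (impossible here because the last rule is a catch-all)."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    svc = service_of(proto, dport)
    for r in policy:
        if src in r.src and dst in r.dst and r.service in ("Any", svc):
            return r.action
    return None


# Constructed sample flows from a wireless client that received 10.8.20.50
# over the tunnel from the HQ DHCP server (VLAN 20, as in the lab).
SAMPLE_FLOWS: List[Tuple[str, str, str, Optional[int]]] = [
    ("0.0.0.0",    "255.255.255.255", "udp", 67),    # DHCP discover
    ("10.8.20.50", "10.8.20.150",     "tcp", 80),    # HQ web server
    ("10.8.20.50", "10.8.1.200",      "udp", 1812),  # HQ RADIUS
    ("10.8.20.50", "10.5.2.1",        "tcp", 22),    # branch local subnet
    ("10.8.20.50", "192.168.1.5",     "tcp", 9100),  # other RFC1918 space
    ("10.8.20.50", "8.8.8.8",         "udp", 53),    # Internet DNS
]


def classify_flows(policy: List[Rule] = SPLIT_TUNNEL_FROM_ACCESS,
                   flows=SAMPLE_FLOWS) -> List[Tuple[str, str, Optional[str]]]:
    """Apply the policy to each (src, dst, proto, dport) flow."""
    return [(s, d, evaluate(policy, s, d, p, port)) for s, d, p, port in flows]


if __name__ == "__main__":
    for src, dst, action in classify_flows():
        print(f"{src:>15} -> {dst:<15} {action}")
```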
4. Define Name and IP Settings (269)
Under Optional Settings, expand IPsec VPN Certificate Authority Settings
VPN Certificate Authority: Default_CA.pem
VPN Server Certificate: AP-X_key_cert.pem
VPN Server Cert Private Key: AP-X_key_cert.pem
Do not save yet...

5. Assign VPN Certificates for VPN Server (270)
Expand Server-Client Credentials
NOTE: These are VPN XAUTH credentials that get generated automatically for each Aerohive AP VPN Client and Aerohive AP VPN Server pair.
Nothing needs to be done here. This is for monitoring, or for generating a new key or removing a key if an AP is lost or stolen.
Do not save yet...
How XAUTH Credentials are Used (271)
The default IKE peer authentication method for the wireless VPN is "hybrid". In hybrid mode:
- The VPN server authenticates itself to the client with an RSA signature. This requires the server to have a server certificate, and the client must have the root CA certificate that signed the server certificate so it can validate the server.
- The server authenticates the client using XAUTH. HiveManager generates a set of credentials (random strings for username and password) for each Aerohive AP VPN client and Aerohive AP VPN server pair.
When the VPN client uses valid credentials to authenticate with the VPN server, the tunnel can be established. If the credentials are removed from either the VPN client or the VPN server, the tunnel cannot be established.
6. View Advanced Server Options (272)
Expand Advanced Server Options
No changes are necessary for the following options: IKE Phase 1 Options, IKE Phase 2 Options
Check and select "Enable peer IKE ID validation: User FQDN"
HiveManager will look at the certificate, find the User FQDN, and configure a rule on the Aerohive AP client to force validation of the Aerohive AP server using the User FQDN. The Aerohive AP server by default validates the Aerohive AP client using XAUTH, so this check enables two-way validation.
Do not save yet...

7. Configure Advanced Client Options (273)
Expand Advanced Client Options
Select the traffic from the Aerohive AP to send through the tunnel. Check the boxes for: SNMP Traps, RADIUS, Active Directory, LDAP
Note: By default the VPN tunnel is used for user traffic; these options additionally send through the tunnel the traffic the Aerohive AP itself generates for the selected services.
Check Enable NAT traversal: adds a UDP header with port 4500 to the IPsec packets
Do not save yet...
8. View Dead Peer Detection Settings (274)
Dead Peer Detection is used for switching between Aerohive AP VPN Server 1 and Aerohive AP VPN Server 2 upon failure.
DPD verifies IKE Phase 1:
- Send a heartbeat every 10 seconds (by default)
- If you miss one heartbeat, send at the Retry Interval instead of at the normal Interval setting
- If you miss the number of retries specified, fail over to the backup VPN server
AMRP verifies end to end through the GRE and VPN tunnel:
- Send a heartbeat every 10 seconds (by default)
- If you miss one heartbeat, send at 1-second intervals instead of at the normal Interval setting
- If you miss the number of retries specified, fail over to the backup VPN server
Default DPD failover time: ~16 seconds
Default AMRP failover time: ~21 seconds

9. Save VPN Services Policy (275)
Save the VPN Service Settings

10. Verify VPN Setting and Save Network Policy (276)
Back in your Network Policy, ensure Layer 2 IPsec VPN is set to VPN-X
Click Save, but do not Continue or Configure and update devices yet...
Configuring Aerohive APs to be VPN Clients and VPN Servers
AEROHIVE AP VPN ROLES AND UPDATING THE CONFIGURATION (278)

LAB: Assign Aerohive APs to VPN Roles
1. Modify Your A-Aerohive AP (279)
Click the Configure and Update Devices bar
Click to modify your A-Aerohive AP: X-A-######

2. Assign VPN Service Role to Client (280)
Scroll down, and in the Optional Settings section expand Services Settings
Set the VPN Service Role to: Client
Click Save

3. Modify Your B-Aerohive AP (281)
In the Configure and Update Devices section, click to modify your B-Aerohive AP: X-B-######
The key with the triangle pointing up is a VPN client icon.

4. Assign VPN Service Role to Server (282)
Scroll down, and in the Optional Settings section expand Services Settings
Set the VPN Service Role to: Server
Click Save

5. Upload the Configuration to Your Aerohive APs (283)
In the Configure & Update Devices section
Click the Name column to sort the APs
Check the box next to your APs: X-A-######, X-B-######
Click Upload
The key with the triangle pointing down is a VPN server icon.

LAB: Verify the Aerohive L2 VPN
1. Wait for Upload to Finish, Then Verify VPN (284)
From Monitor > Devices > All Devices
If the Aerohive AP VPN Server and Client icons are green, then you know the VPN is up.

2. Aerohive device VPN Diagnostics (285)
Go to Monitor > Devices > All Devices
Select one of the VPN devices: X-A-Aerohive AP
Click Utilities... > Diagnostics > Show IKE Event
Verify that both Phase 1 and Phase 2 are successful.

3. Aerohive device VPN Diagnostics, Phase 1 (286)
Select one of the VPN devices: X-A-Aerohive AP
Click Tools... > Diagnostics > Show IKE Event
Possible problems if Phase 1 fails: certificate problems; incorrect networking settings; incorrect NAT settings on the external firewall
Possible problems if Phase 2 fails: mismatched transform sets between the client and server (encryption algorithm, hash algorithm, etc.)

4. Aerohive device VPN Diagnostics, Phase 1 (287)
Click Tools... > Diagnostics > Show IKE Event
If you see that Phase 1 failed due to a certificate problem:
Check the time on the Aerohive devices (show clock, show time)
Ensure you have the correct certificates loaded on the Aerohive APs in the VPN services policy

5. Aerohive device VPN Diagnostics, Phase 1 (288)
Click Tools... > Diagnostics > Show IKE Event
If you see that Phase 1 failed due to wrong network settings:
Check the IP settings in the VPN services policy
Check the NAT settings on the external firewall

6. Aerohive device VPN Diagnostics, Phase 1 (289)
Click Utilities... > Diagnostics > Show IKE SA
Phase 1 has completed successfully if you reach step #9. If step #9 is not established, then one of these problems exists: certificate problems; incorrect networking settings; incorrect NAT settings on the external firewall.

7. Aerohive device VPN Diagnostics, Phase 2 (290)
Click Utilities... > Diagnostics > Show IPsec SA
Note: A VPN is clearly functional if you see the tunnel from the MGT0 IP of the VPN client to the (NAT) address of the MGT0 of the VPN server, and the reverse. The two directions use different SAs (Security Associations). State: Mature
If Phase 2 fails: check the encryption and hash settings on the VPN client and the VPN server.

8. View VPN Topology (291)
Open your Network Policy, click the Configure Interfaces and User Access bar
In the Layer 2 IPsec VPN section, click VPN Topology

9. View VPN Topology (292)
When the Aerohive device icons are displayed in green with a green line between them, the VPN is up.
You can move your mouse over an icon for more details.

VPN Topology Example (293)
Here is an example of a VPN topology with 12 Aerohive AP VPN clients and two Aerohive VPN servers for tunnel load sharing and redundancy.

NOTE: Layer-2 IPsec VPN - VPN Server Side Firewall Rules (294)
NOTE: In an IPsec VPN deployment, if you have a firewall protecting the VPN server, you will need rules similar to the following from the Internet to the IPsec VPN server:
Source IP   Destination IP   Protocol   Source Port   Dest Port      Action
0.0.0.0/0   1.2.1.2 (NAT)    17 (UDP)   Any           4500 (NAT-T)   Permit
0.0.0.0/0   1.2.1.2 (NAT)    17 (UDP)   Any           500 (IKE)      Permit
Diagram (slide 294): VPN Client 2-A-Aerohive AP 10.5.2.?/24 behind FW(NAT) 2.2.2.2, Gateway 10.5.2.1; firewall NAT rule 1.2.1.2 -> 10.8.1.2; VPN server 10.8.1.2, Gateway 10.8.1.1; RADIUS 10.8.1.200; Tunnel Interface: 10.8.1.20.

Using Microsoft XP
TESTING YOUR VPN ACCESS WITH 802.1X CLIENT (SUPPLICANT) (296)

Lab: Testing 802.1X/EAP For VPN Access
1. Connect to Secure Wireless Network (297)
From the bottom task bar, click the locate wireless networks icon
Click Class-EAP-X
Click Connect
NOTE: If this fails, there is a chance there is a certificate issue with the hosted PC in VMware. Please remedy by following the next slides.
(Screenshot: Wireless Network Icon)

2. Add a wireless network (298)
Only perform the next steps if the initial connection was not successful.
From the bottom task bar, click the locate wireless networks icon
Select Open Network and Sharing Center
Click Manage wireless Networks
Click Add

3. Manually create a network profile (299)
Click Manually create a network profile
Network Name: Class-EAP-X
Security type: WPA2-Enterprise
Click Next

4. Change settings to authenticate as user (300)
Click Change connection settings
Click Security
Click Advanced settings

5. Select Authentication Mode (301)
Check "Specify authentication mode"
Select User Authentication
Click OK
Click OK for the rest of the windows to save the settings
The PC should connect to the SSID automatically after a moment.

6. View Active Clients (302)
After associating with your SSID, you should see your connection in the active clients list in HiveManager.
Go to Monitor > Clients > Active Clients
IP Address: 10.8.20.#
User Name: DOMAIN\user
VLAN: 20
User Profile Attribute: 10

Client Monitor - Successful Connection (303)
Client Monitor showing successful authentication. The RADIUS server IP is 10.8.1.20, which is only accessible through the VPN tunnel.

VPN LAB CLEANUP (305)

Lab: VPN Lab Cleanup
1. Deselect Layer 2 IPsec VPN Policy (306)
To continue with the rest of the training labs, please remove the VPN settings so that traffic is not tunneled through the VPN.
Go to Configuration
Select your Network Policy: WLAN-X and click OK
Next to Layer 2 IPsec VPN, click Choose
Click to deselect your VPN profile (VPN-X)
Click OK
In the Network Policy, click Save

2. Change Employee-X User Profile to VLAN 10 (307)
Modify the Employee-X user profile to assign users to VLAN 10, which is in the DMZ.
QUESTIONS?

TIME SETTINGS FOR HIVEMANAGER AND AEROHIVE APS

Verify Time Settings
HiveManager and Aerohive APs should have up-to-date time settings, preferably by NTP.
Go to Home > Administration > HiveManager Settings
Next to System Date/Time click Settings

Lab: Verify NTP Policy
1. Verify NTP Server object
Go to Configuration
Select your Network Policy: WLAN-X and click OK
Click Additional Settings
Expand Management Server Settings
Note: Upon first login to a new HiveManager system, an NTP server policy is automatically created with the same name as the original Hive name. However, for this lab, create a new NTP server policy.
Next to NTP Server click (Modify)
Note: You should configure the NTP server to set the time zone and NTP server settings. This is important for any service that depends on time, such as VPN and RADIUS (which use certificates), schedules, Private PSK validity, etc.

Lab: Verify NTP Policy
2. Verify NTP Server Settings
Ensure the NTP Server is set: ntp1.aerohive.com
Click Save or Cancel

QUESTIONS?

Using Self Registration Captive Web Portal
CONFIGURE GUEST ACCESS WITH PRIVATE PSK SELF REGISTRATION

Private PSK Self Registration
1. A guest comes in and connects to an open registration SSID
2. They open their web browser and a captive web portal page appears
3. The guest enters their information and clicks Register
SSIDs: Class-Register (open), Class-Secure (WPA2-PSK)
Guest connects to: Class-Register

Private PSK Self Registration - Secure Access
4. The captive web portal displays a unique Private PSK for the guest with instructions to connect to the secure SSID
5. The guest connects to the secure SSID and enters the Private PSK displayed on the captive web portal page
6. The guest is then securely connected
SSIDs: Class-Register (open), Class-Secure (WPA2-PSK)
Guest connects to: Class-Secure

Secure Guest Access with Private PSK Self Registration - Goal for Lab
Generate a set of Private PSKs
The Private PSKs will have a lifetime of 1 day, and new Private PSKs will be generated every day that last for 1 day
These Private PSKs will be assigned to a single SSID
The keys will be given out via a self-registration captive web portal

Lab: Secure Self-Registered Guest Access
1. Modify your WLAN Policy to Create an SSID
To configure a Private PSK SSID:
Go to Configuration
Select your Network Policy: WLAN-X and click OK
Next to SSIDs, click Choose
Click New
Lab: Secure Self-Registered Guest Access
2. Create a Private PSK SSID with Self Registration
Profile Name: Class-Secure-X
SSID: Class-Secure-X
Under SSID Access Security select Private PSK
Set maximum clients per private PSK to: 2
NOTE: This limits how many times a single Private PSK can be used in a Hive
Check Enable private PSK self-registration
Registration SSID: Class-Register-X
Click Save

Lab: Secure Self-Registered Guest Access
4. Create a Private PSK SSID
Click to deselect the Class-EAP-X SSID
Ensure the Class-Secure-X SSID is selected (highlighted)
Click OK

Lab: Secure Self-Registered Guest Access
5. Create a Private PSK User Group
Under Authentication, click <PPSK User Groups>
Click New

Lab: Secure Self-Registered Guest Access
6. Configure the Private PSK User Group
User Group Name: 1day-guest-0X
NOTE: 0X = 02-28 (use 2 digits)
User Type: Automatically generated private PSK users
User Profile Attribute: 100
VLAN: <empty>
Note: The VLAN is inherited from the user profile
Do not save yet...

Lab: Secure Self-Registered Guest Access
7. Configure the Private PSK User Group
User Name Prefix: 0X-1day
Note: This is the prefix for all the Private PSKs that will be generated. If you create 100 PPSK accounts, the guest accounts will be created as 0X-1day0001 through 0X-1day0100.
Private PSK Secret: <Click Generate or enter random characters>
Note: This secret never needs to be known or seen again. It is used as a seed key to add more complexity to the automatically generated PSKs.
Expand Private PSK Advanced Options

Lab: Secure Self-Registered Guest Access
8. Configure Time Zone and PSK Validity Period
Password Length: 8
Note: If Private PSKs were being generated for corporate accounts, this should be a much larger password length. However, for guests, because they are entering the password on their mobile device from a printout or from an email, for administrative purposes it is simpler to generate shorter Private PSKs.
Time Zone: <(GMT-08:00) America>
Note: This should be the time zone where the Aerohive APs and clients are located in real life.
PSK Validity Period: Recurring
Check Enable the automatic creation and rotation of private PSK users and their keys

Lab: Secure Self-Registered Guest Access
9. Configure PPSK Rotation Schedule
Private PSK Start Time: <Select 1 day ago: 00hr 00min>
Note: The Private PSKs are generated every day at the hours and minutes specified here.
Private PSK Lifetime: 1 day
Note: Specifies how long a Private PSK will last
Private PSK Rotation Interval: 1 day
Note: Specifies how often new Private PSKs will be created. In this example, 1-day keys are created every day.
Private PSK Rotations: 3650 times
Note: Specifies how many times to rotate keys (9999 is 27 years)
Private PSK Users to Create per Rotation: 10 users
Note: This should match the maximum number of guests you will assign to 1-day Private PSKs on a single day. In this lab, 10 Private PSKs will be automatically generated with the specified lifetime, rotation interval and number of rotations.
Do not save yet...
Lab: Secure Self-Registered Guest Access
10. Configure PSK character types and then save
Character types used in generated PSKs and manually created passwords:
Check Letters
Uncheck Digits
Uncheck Special Characters
Click Save
NOTE: Because these are daily PSKs, you can use upper and lower case letters to make them easy to type. If you mix in digits, the client may have problems telling letters and digits apart: 1, I, l, 0, O, for example. Mixing in special characters is fine, but it may be more complicated for clients to enter them on their mobile device.

Lab: Secure Self-Registered Guest Access
11. Select the Private PSK User Group
Ensure your 1day-guest-X is highlighted
Click OK

Lab: Secure Self-Registered Guest Access
12. Select Your A Aerohive AP as a Private PSK Server
Under Authentication, click <Private PSK Server>
Select your X-A-###### Aerohive AP and click OK

Lab: Secure Self-Registered Guest Access
13. Create a Captive Web Portal for Self Registration
Under Authentication, click <Private PSK CWP>
In the Choose CWP window, click New

Lab: Secure Self-Registered Guest Access
14. Configure Self Registration Captive Web Portal
Name: CWP-Self-X
Expand Captive Web Portal Login Page Settings
Click Self-registration
In the Captive Web Portal Success Page Options ensure No Redirection is selected so the Private PSK remains displayed on the captive web portal page
Do not save yet...

Lab: Secure Self-Registered Guest Access
15. Create a Guest User Profile
Under User Profile, click <Add/Remove>
In the Choose User Profiles window, click New
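The rotation schedule configured in steps 7 through 10 (user name prefix, lifetime, rotation interval, number of rotations, users per rotation, letters-only keys of the chosen length) can be modelled before it is committed, to confirm how many keys are live on a given day and that batches do not overlap unexpectedly. The following Python is an added worked example, not HiveManager code. Continuous numbering of user names across rotations, the LAB_START sample time, and drawing keys from a CSPRNG (rather than deriving them from the Private PSK secret as HiveManager does) are assumptions of this example.

```python
"""Added worked example (not HiveManager code): model a recurring Private PSK
user group as configured in the lab, so the effect of lifetime, rotation
interval, rotations and users-per-rotation can be checked in advance.

Assumptions (not stated on the slides): user names are numbered continuously
across rotations (prefix0001, prefix0002, ...), and keys are drawn with a
CSPRNG rather than derived from the Private PSK secret as HiveManager does.
"""
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Letters only, as step 10 recommends for daily guest keys: no digits or
# special characters, so 1/I/l and 0/O cannot be confused on a printout.
LETTERS_ONLY = string.ascii_letters

# Constructed sample start time (the lab uses "1 day ago, 00:00").
LAB_START = datetime(2012, 1, 1)


@dataclass(frozen=True)
class PpskUser:
    name: str
    key: str
    valid_from: datetime   # inclusive
    valid_until: datetime  # exclusive (valid_from + lifetime)

    def is_valid_at(self, when: datetime) -> bool:
        return self.valid_from <= when < self.valid_until


def make_user_name(prefix: str, index: int) -> str:
    """Four-digit suffix as on the slide: 0X-1day0001 ... 0X-1day0100."""
    return f"{prefix}{index:04d}"


def generate_key(length: int, alphabet: str = LETTERS_ONLY) -> str:
    """Random key from the chosen character classes."""
    if length < 8:
        raise ValueError("WPA2-PSK passphrases must be at least 8 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_rotation_schedule(prefix: str, lifetime_days: int, interval_days: int,
                            rotations: int, users_per_rotation: int,
                            key_length: int = 8, start: datetime = LAB_START) -> List[PpskUser]:
    """One batch of users per rotation; batch n is valid for `lifetime_days`
    starting at start + n * interval_days."""
    users: List[PpskUser] = []
    for rotation in range(rotations):
        valid_from = start + timedelta(days=rotation * interval_days)
        valid_until = valid_from + timedelta(days=lifetime_days)
        for i in range(1, users_per_rotation + 1):
            index = rotation * users_per_rotation + i  # assumption: continuous numbering
            users.append(PpskUser(make_user_name(prefix, index),
                                  generate_key(key_length), valid_from, valid_until))
    return users


def valid_users_at_offset(users: List[PpskUser], hours_after_start: float,
                          start: datetime = LAB_START) -> List[PpskUser]:
    """Keys a guest could still use at start + hours. With lifetime equal to
    the rotation interval exactly one batch is live; with a longer lifetime
    consecutive batches overlap, which is usually not what a guest policy wants."""
    when = start + timedelta(hours=hours_after_start)
    return [u for u in users if u.is_valid_at(when)]


if __name__ == "__main__":
    # The lab's settings: 1-day keys, rotated daily, 10 users per day.
    schedule = build_rotation_schedule("02-1day", 1, 1, rotations=3, users_per_rotation=10)
    live = valid_users_at_offset(schedule, 36)  # day 2, 12:00
    print(f"{len(schedule)} users generated; {len(live)} valid on day 2 at noon")
    for u in live[:3]:
        print(u.name, u.key, u.valid_from.date(), "->", u.valid_until.date())
```

With the lab values each day has exactly ten live keys and none the day after their batch expires; raising the lifetime above the rotation interval makes batches overlap, which the function exposes directly.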
Lab: Secure Self-Registered Guest Access
16. Configure Guest User Profile
Name: Guests-X
Attribute Number: 100
NOTE: The attribute number must match the number defined in the private PSK group
Network or VLAN-only Assignment: 8
Click Save

Lab: Secure Self-Registered Guest Access
17. Assign User Profile to Self Registration SSID
Ensure the Guests-X user profile is selected (highlighted)
Click Save

Lab: Secure Self-Registered Guest Access
18. Verify Settings and Go To Update Devices

Lab: Secure Self-Registered Guest Access
19. Update the Configuration
Select the Configure & Update Devices bar
Check the box next to your AP X-A-######
Click Upload

Lab: Secure Self-Registered Guest Access
20. Update the Configuration
It is recommended that Complete Uploads be used for complex configuration changes
In the Configure & Update Devices section
Select the Filter: Current Policy
Click Setting

Lab: Secure Self-Registered Guest Access
21. Update the Configuration
Select Complete Upload
Select Activate after 5 seconds
Click Save

Lab: Secure Self-Registered Guest Access
22. Update the Configuration
In the Configure & Update Devices section
Select the Filter: Current Policy
Click the Name column to sort the APs
Check the box next to your A-Aerohive AP: X-A-######
Click Upload

TESTING GUEST ACCESS WITH PRIVATE PSK SELF REGISTRATION

Lab: Test Guest Access with Self Registration
1. Connect to Class-Register SSID from Hosted PC
From the hosted PC, connect to the Class-Register-X SSID

Lab: Test Guest Access with Self Registration
2. Open a Web Browser and Fill Out CWP Form
From the hosted PC, open a web browser and attempt to connect to a web site
A captive web portal will appear
Fill in the form and click Register

Lab: Test Guest Access with Self Registration
3. Connect to Class-Secure SSID from Hosted PC
After a moment, the Captive Web Portal will display a WPA/WPA2-Personal Key (Private PSK)
From the hosted PC, connect to the Class-Secure-X SSID

Lab: Test Guest Access with Self Registration
4. Enter the PSK for the Class-Secure SSID
Enter the Security Key displayed in the captive web portal window
You will then be securely connected
Lab: Test Guest Access with Self Registration
5. View Your Guest in Active Clients
From Monitor > Active Clients, view your active client information

QUESTIONS?

To Simplify the WLAN Policy Configuration When Different Settings for Aerohive APs are Needed at Different Locations
AEROHIVE AP CLASSIFICATION EXAMPLES

Question: How do you define a single WLAN policy, but configure different settings?
For example, in the Network Policy you can only define one MGT interface VLAN profile. But if the Aerohive APs are in different networks with different MGT VLANs, what can you do?
[Diagram: Router, two L2 switches, two Aerohive APs. Aerohive AP Device Settings (radius): Interface mgt0: 10.5.2.?; Classification Tag: radius; Network Policy: WLAN-X; MGT0 VLAN: 2. Aerohive AP Device Settings (GRE): Interface mgt0: 10.7.1.X; Classification Tag: GRE; Network Policy: WLAN-X; MGT0 VLAN: 100.]

Answer: HiveManager Device Classification - Define a VLAN Object That is Variable
With HiveManager Device Classification, you can create one VLAN object but have it change based on a classifier tag (text field) assigned to a device, a hostname, or the topology map where a device resides.
For example, the VLAN object called ap-vlans-2 is a policy that assigns VLAN 100 if the device has a text field classifier tag configured called GRE; assigns VLAN 2 if a text field classifier tag on a device is configured with radius; and VLAN 1 if a device does not have any text field classifier tags (global).

Answer: HiveManager Device Classification - Devices Can Be Assigned to Textual Classifier Tags
To allow a VLAN, IP address, or MAC OUI/Address object to be customized for specific APs or routers, you can specify Device Classification tags in the device configuration settings for an AP or router. You can define three tags, which can specify device function, services, or location, for example.
[Diagram: Aerohive AP A Device Classification Settings; Aerohive AP B Device Classification Settings]

Answer: HiveManager Device Classification - Object Definition Changes Based on Tag
In this example, a Network Policy uses a VLAN object to define the MGT VLANs on APs.
HiveManager can assign different VLANs to a device or user profile based on device classification rules.
When HiveManager updates the configuration on Aerohive AP A, it will assign its MGT VLAN to 2, and Aerohive AP B will be assigned to 100.
Aerohive AP A is a RADIUS server, so you can assign a tag like radius. Aerohive AP B is a GRE tunnel terminator, so you can assign a tag like GRE.
[Diagram: AP MGT VLAN Object Definition]

Answer: HiveManager Device Classification - Supported Objects
Objects that support Device Classification:
IP/Hostname Objects
MAC Addresses/OUIs
VLANs
Multiple variables can be configured in one object, and the values assigned to the Aerohive AP can change based on Topology Map, Classifier Tag, or Hostname.

Answer: HiveManager Device Classification - Types of Classification
VLANs, IP Address Objects, MAC Address objects, and User Profile Attribute groups can have classification rules based on:
Map Name - uses topology maps
Aerohive AP Name
Classifier Tag - requires tags to be defined in the configuration of the Aerohive APs
Global - selected if no match is found for any of the other types
You can mix and match; the first matching rule is used.
Global is checked as the last match even if it is defined first.
Answer: HiveManager Device Classification - Tag Selection
If you specify multiple tags on an Aerohive AP, make sure the object is defined to match the relevant tags and ignore the rest.
If you want this VLAN object to match all Aerohive APs in HQ, you must define Tag 1 as HQ (checked), but uncheck Tag 2 and Tag 3 so they will be ignored.
If you do not uncheck Tag 2 and Tag 3, you will have to match all three tags on each Aerohive AP.
[Diagram: VLAN Object Definition; Aerohive AP 1 Configuration; Aerohive AP 2 Configuration]

QUESTIONS?

Change VLAN and IP address of Aerohive APs
HIVEMANAGER DEVICE CLASSIFICATION LAB

Using HiveManager Device Classification Tags To Set Aerohive AP MGT0 Interface VLANs
[Diagram: Router, two L2 switches, Aerohive AP A and Aerohive AP B]
Aerohive AP A Device Settings: Interface mgt0: 10.5.2.X; Classification Tag: radius; Network Policy: WLAN-X; MGT0 VLAN: 2
Aerohive AP B Device Settings: Interface mgt0: 10.7.1.X; Classification Tag: GRE; Network Policy: WLAN-X; MGT0 VLAN: 100
VLAN Object: ap-vlans-X
  VLAN ID: 1; Type: Global
  VLAN ID: 2; Type: Classifier; Value: Tag 1: radius; Tag 2: (empty); Tag 3: (empty)
  VLAN ID: 100; Type: Classifier; Value: Tag 1: GRE; Tag 2: (empty); Tag 3: (empty)
Network Policy: WLAN-X; MGT0 VLAN: ap-vlans-X; Native VLAN: 1
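The matching rules described on the preceding slides (checked tags are AND-ed and compared case-sensitively, unchecked tags are ignored, the first matching Classifier entry wins, and Global is evaluated last wherever it is listed) are easy to get wrong when several tags are in play. The following Python is an added worked example, not HiveManager code: it evaluates the lab's ap-vlans-X object against a few constructed devices so the MGT VLAN each AP would receive can be previewed before the policy is uploaded. The hostnames and the ClassifierRule/GlobalRule/Device types are this example's own.

```python
"""Added worked example (not HiveManager code): evaluate a classification-based
VLAN object such as ap-vlans-X the way the slides describe it.

Rules: a Classifier entry matches only if every checked tag (T) equals the
device's tag in that slot, compared case-sensitively and AND-ed together;
unchecked tags (F) are ignored; the first matching Classifier entry wins; a
Global entry is used only when nothing else matches, wherever it is listed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple, Union


@dataclass(frozen=True)
class ClassifierRule:
    vlan_id: int
    # slot (1..3) -> (checked, value). (T) entries must match, (F) are ignored.
    tags: Dict[int, Tuple[bool, str]]


@dataclass(frozen=True)
class GlobalRule:
    vlan_id: int


Rule = Union[ClassifierRule, GlobalRule]


@dataclass(frozen=True)
class Device:
    hostname: str
    tags: Dict[int, str]  # Device Classification Tag 1..3; absent slot = empty


def classifier_matches(rule: ClassifierRule, device: Device) -> bool:
    """All checked tags must equal the device's tags (AND, case-sensitive)."""
    for slot, (checked, value) in rule.tags.items():
        if not checked:
            continue
        if device.tags.get(slot, "") != value:
            return False
    return True


def resolve_vlan(rules: Sequence[Rule], device: Device) -> Optional[int]:
    """First matching Classifier rule in list order; Global is evaluated last
    even if it is listed first. None means the object yields no VLAN at all."""
    global_vlan: Optional[int] = None
    for rule in rules:
        if isinstance(rule, GlobalRule):
            if global_vlan is None:
                global_vlan = rule.vlan_id
            continue
        if classifier_matches(rule, device):
            return rule.vlan_id
    return global_vlan


def explain(rules: Sequence[Rule], devices: Sequence[Device]) -> Dict[str, Optional[int]]:
    """Preview the MGT VLAN each AP would receive before pushing the policy."""
    return {d.hostname: resolve_vlan(rules, d) for d in devices}


# The lab's VLAN object, with Global listed first as on the "Verify VLAN Profile" slide.
AP_VLANS_X: List[Rule] = [
    GlobalRule(1),
    ClassifierRule(2, {1: (True, "radius"), 2: (False, ""), 3: (False, "")}),
    ClassifierRule(100, {1: (True, "GRE"), 2: (False, ""), 3: (False, "")}),
]

# The pitfall from the "Tag Selection" slide: leaving Tag 2 and Tag 3 checked
# (with empty values) forces every AP to match all three slots.
AP_VLANS_ALL_CHECKED: List[Rule] = [
    GlobalRule(1),
    ClassifierRule(2, {1: (True, "radius"), 2: (True, ""), 3: (True, "")}),
]

# Constructed sample devices (hostnames are placeholders).
DEVICES = [
    Device("X-A-000000", {1: "radius"}),
    Device("X-B-000000", {1: "GRE"}),
    Device("X-C-000000", {}),                       # no tags -> Global
    Device("X-D-000000", {1: "Radius"}),            # case differs -> Global
    Device("X-E-000000", {1: "radius", 2: "lab"}),  # extra tag set on the AP
]

if __name__ == "__main__":
    for host, vlan in explain(AP_VLANS_X, DEVICES).items():
        print(f"{host}: MGT VLAN {vlan}")
```

The last two sample devices show the two common mistakes: a tag whose case does not match falls through to Global, and an AP carrying an extra tag still matches under ap-vlans-X but not under the all-checked variant, where the empty checked slots demand that Tag 2 and Tag 3 be empty on the AP as well.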
Lab: Using Classification Tags for MGT0 VLANs
1. Set Classification Tag on A-Aerohive AP
Set the Device Classification tag on your A-Aerohive AP
Go to Configuration
Select your Network Policy: WLAN-X and click OK
Go to the Configure & Update Devices bar
Click the link for your A-Aerohive AP: X-A-######

Lab: Using Classification Tags for MGT0 VLANs
2. Set Classification Tag on A-Aerohive AP
Scroll down and expand Advanced Settings
Uncheck Override MGT VLAN
Note: This was set at the beginning of class to change the MGT VLAN of this AP; now you will use Device Classification to set the MGT VLAN.
Set Device Classification as follows: Tag 1: radius; Tag 2: (empty); Tag 3: (empty)
Click Save
NOTE: Tag values are case sensitive. The tag here will match the tag set for the MGT Interface VLAN object.

Lab: Using Classification Tags for MGT0 VLANs
3. Set Classification Tag on B-Aerohive AP
Set a Device Classification Tag for your B-Aerohive AP
Click the link for your B-Aerohive AP: X-B-######
Scroll down and expand Advanced Settings
Enter a value: Tag 1: GRE; Tag 2: (empty); Tag 3: (empty)
Do not save yet...

Lab: Using Classification Tags for MGT0 VLANs
4. Assign Aerohive AP-B to New Static IP Address
Change the IP address of your B Aerohive AP so that it will match its new VLAN, which will be VLAN 100 because of device classification
Expand Interface and Network Settings > Optional Settings
Expand MGT0 Interface Settings
MGT0 IP Address: 10.7.1.X
Netmask: 255.255.255.0
Gateway: 10.7.1.1
Click Save

Lab: Using Classification Tags for MGT0 VLANs
5. Modify Additional Settings
Configure MGT VLANs for Aerohive APs
Go to the Configuration > Interfaces & User Access section in your Network Policy
Next to VLAN Settings click Modify

Lab: Using Classification Tags for MGT0 VLANs
6. Change MGT VLAN for AP in Lab Network
Create a MGT Interface VLAN policy that sets the MGT interface on an AP to VLAN 2 if the AP is a RADIUS server, VLAN 100 if it is a GRE tunnel terminator, and VLAN 1 if it is neither.
Next to MGT Interface VLAN click +

Lab: Using Classification Tags for MGT0 VLANs
7. Create a VLAN object Using Classifiers
VLAN Name: ap-vlans-X
VLAN ID: 2
Type: Classifier
Check Tag 1: radius
Uncheck Tag 2
Uncheck Tag 3
Click Apply
Do not save yet...
NOTE: All tags that are checked must match a classifier tag on an Aerohive AP to be applied. They are AND-ed together, not OR-ed.

Lab: Using Classification Tags for MGT0 VLANs
8. Create a Global VLAN
Add an additional VLAN ID to the VLAN profile to identify devices with no classification tag set
Click New
VLAN ID: 1
Type: Global
Click Apply
Do not save yet...
NOTE: In the Value column, (T) = True, which is checked, and (F) = False, which is unchecked.

Lab: Using Classification Tags for MGT0 VLANs
9. Create a VLAN object Using Classifiers
Add an additional VLAN ID to the VLAN profile to identify devices with a GRE device classification tag
Click New
VLAN ID: 100
Type: Classifier
Check Tag 1: GRE
Uncheck Tag 2
Uncheck Tag 3
Click Apply
Do not save yet...
Lab: Using Classification Tags for MGT0 VLANs
10. Verify VLAN Profile and Save
Verify the VLAN profile. You should have 3 VLANs in the object:
VLAN 1: Global
VLAN 2: Classifier (T) tag1=radius; (F) tag2=; (F) tag3=
VLAN 100: Classifier (T) tag1=GRE; (F) tag2=; (F) tag3=
T = True, checked (match needed); F = False, unchecked (no match needed)
Click Save
In VLAN Settings, click Save

Lab: Using Classification Tags for MGT0 VLANs
11. Update the configuration of your Aerohive APs
In the Configure & Update Devices section
Click the Name column to sort the APs
Check the box next to your APs: X-A-######, X-B-######
Click Upload
NOTE: The update will take longer because the IP address is changing and a new CAPWAP connection needs to be formed.

Lab: Using Classification Tags for MGT0 VLANs
12. Verify IP addresses on Aerohive APs
Verify the IP address settings on your Aerohive APs
From Monitor > All Devices, or from the Configure & Update Devices bar in your Network Policy configuration
View the A Aerohive AP IP: 10.5.2.X and B Aerohive AP IP: 10.7.1.X
NOTE: If a mistake was made and the VLAN gets configured incorrectly, or your IP is not correct, it will take 15 minutes for the AP to revert to its prior configuration and reconnect to HiveManager. After that you can fix your problem.

QUESTIONS?

SECURE AND FAST ROAMING

Layer 2 Roaming
User associates and authenticates, and keys are distributed
AP predictively pushes keys and session state to one-hop neighbors
As the client roams and associates with another AP, the traffic continues uninterrupted
[Diagram: RADIUS Server, APs, roaming client]
Layer 3 Roaming
Like Layer 2 roaming, the Layer 3 roam predictively pushes keys to one-hop neighbors. In order to maintain IP connectivity, a tunnel is created to the home subnet. The tunnel continues to follow the roaming user until sessions end; then the tunnel is terminated and the user accesses the local network.
[Diagram: Subnet A, Subnet B, Router, GRE Tunnel]

QUESTIONS?

LAYER 3 ROAMING DETAILS

Layer 3 Roaming Detailed Explanation
Aerohive AP Layer 3 roaming information is advertised in beacons and can be heard by Aerohive APs in the same Hive.
Aerohive APs can then communicate over the LAN using UDP port 3000.
Aerohive APs scan channels to locate layer 3 roaming neighbors and communicate with each other over the Ethernet network.
[Diagram: Floor 1, Subnet 10.5.1.0/24, APs 10.5.1.11/24, 10.5.1.12/24, 10.5.1.13/24; Floor 2, Subnet 10.6.1.0/24, APs 10.6.1.7/24, 10.6.1.8/24, 10.6.1.9/24; all in Corp-Hive. Beacon IE (Encrypted): Hive: Corp-Hive; L3 roaming enabled; Mgt0 IP: 10.5.1.13/24. Beacon IE (Encrypted): Hive: Corp-Hive; L3 roaming enabled; Mgt0 IP: 10.6.1.7/24.]

Layer 3 Roaming Detailed Explanation
The neighboring AP sends Aerohive AP DA information to neighboring subnets.
[Diagram: same topology. Send: DA for subnet 10.5.1.0/24: 10.5.1.11. Receive: DA for subnet 10.5.1.0/24: 10.5.1.11.]

Layer 3 Roaming Detailed Communication
Preparation for roaming by contacting the DA for APs as the potential tunnel endpoints
Aerohive APs preselect the best APs in each subnet to be tunnel endpoints
The tunnel is built only when a client eventually roams
[Diagram: same topology. Query DA: Least loaded AP for subnet 10.5.1.0/24. DA sends: Best tunnel endpoint for subnet 10.5.1.0/24: 10.5.1.12. Received from DA: Best tunnel endpoint for subnet 10.5.1.0/24: 10.5.1.12.]

Layer 3 Roaming Detailed Communication
As clients arrive on the new subnet, the Aerohive AP will use an existing tunnel for the client, or if that tunnel is heavily loaded, it can create a tunnel to another portal in the DNXP table.
[Diagram: same topology, with eth0.1 10.5.1.1 / eth0.2 10.5.10.1 on Floor 1 and eth0.1 10.6.1.1 / eth0.2 10.6.10.1 on Floor 2. Client u1 at 10.5.10.33/24 performs a Layer 2 roam, then a Layer 3 roam; Client Roaming Cache Update; DNXP L3 10.5.1.12; DNXP GRE Tunnel; Session State & PMK pushed; the client's IP address is maintained.]

Layer 3 Roaming Detailed Communication
[Diagram: same topology; u1 at 10.5.10.33/24 stays on the DNXP GRE Tunnel to 10.5.1.12 after roaming; Session State & PMK.]

Layer 3 Roaming Local Subnet Connection
Based on the number of packets per minute sent to and received by the client, the Aerohive AP can be configured to disable the tunnels and de-auth the client so that it reconnects and obtains an IP address from the local network.
[Diagram: same topology; u1 moves from 10.5.10.33/24 (tunneled) to 10.6.10.95/24 (local) after De-auth.]

QUESTIONS?
CONFIGURING DYNAMIC TUNNELING FOR LAYER 3 ROAMING

Lab: Enable Layer 3 Roaming
1. Modify the Employee-X User Profile
To configure layer 3 roaming for a user profile:
Go to Configuration
Select your Network Policy: WLAN-X and click OK
Under Authentication click Guest-X

Lab: Enable Layer 3 Roaming
2. In your user profile, create a tunnel policy
Layer 3 roaming is enabled per user profile by configuring a tunnel policy
Under Optional Settings, expand GRE Tunnels
Select GRE tunnel for roaming or station isolation and click +

Lab: Enable Layer 3 Roaming
2. Configure Layer 3 Roaming Policy
Enable the ability to dynamically build tunnels for layer 3 roaming
Name: L3-Roaming-X
Tunnel Settings: select Enable Dynamic tunneling for Layer 3 Roaming
Unroaming Threshold: 60 seconds
Number of packets per minute: 2000
Setting a value enables Unroaming; setting it to 0 disables it
Click Save
If using Polycom phones, do not enable unroam because they never perform a new DHCP after they have been powered on
Note: The number of packets per minute to select varies based on the number of devices, types of devices, and applications running on your network.

Lab: Enable Layer 3 Roaming
3. Save user profile with L3 Roaming Policy
Verify the Layer 3 Roaming Policy is set
Click Save

Lab: Enable Layer 3 Roaming
4. Enable radio and set power on B Aerohive AP
Go to the Configure & Update Devices bar
Click the link for your B-Aerohive AP: X-B-######
Set Admin state of 2.4 and 5 GHz radios to: Up
Set Power of 2.4 and 5 GHz radios to: 1
Click Save

Lab: Enable Layer 3 Roaming
5. Update the configuration of your Aerohive APs
In the Configure & Update Devices section
Check the box next to your APs: X-A-######, X-B-######
Click Upload

Testing Layer 3 Roaming In Hosted Training Data Center
Unfortunately we cannot test layer 3 roaming in the hosted data center because:
The Aerohive APs are hard wired via coax to their clients
The power level of the Aerohive APs has been set to 1 dBm so the clients can connect to their SSIDs. If we do not set the power to 1 dBm, the power is too high for the clients that are connected via coax
Because the power is low, and the rest of the RF connections are terminated, testing in the remote lab is not possible
If the instructor has time and the equipment, they can demonstrate layer 3 roaming locally in class

QUESTIONS?

LAYER 3 ROAMING ANALYSIS

Notes: Layer 3 Roaming - View Roaming Neighbors
To see if Layer 3 neighbors are being discovered, go to Monitor > All Devices
Select the check box next to your B-Aerohive AP or A-Aerohive AP, then select Tools > Diagnostics > Show DNXP Neighbors
You can view the Aerohive AP's Layer 2 and Layer 3 roaming neighbors
View the State column to see L3 and L2 neighbors
NOTE: It may take a few minutes to gather neighbor information during background scans, and you may not see your own neighbor AP in this hosted training rack, but you should see some neighbors.
Layer 3 Roaming Testing in Hosted Lab
If you select the check box next to your Aerohive AP, then select Tools > Diagnostics > Show DNXP Cache
If a client is connected to the Aerohive AP, you can view the information that is being sent to the neighboring Aerohive APs
The Tunnel-end is the Aerohive AP that will be the tunnel endpoint for DNXP after the client roams across subnet boundaries
1. Shows the MAC address of the client and their tunnel endpoint after roaming

QUESTIONS?

Identity-based Tunnels
USING GRE TUNNELS TO TUNNEL GUEST TRAFFIC TO A SECURE DMZ

Identity-Based Tunnels
With Identity-Based tunnels, client traffic can be tunneled directly to one or more Aerohive APs within a firewalled DMZ with access to the Internet
The client in the internal network is assigned a VLAN and an IP address from the tunnel destination
All client traffic is then tunneled to the Aerohive APs in the DMZ
Traffic from clients is not permitted on the local network
This is typically used in environments where VLANs are not supported at the access layer
Note: Unlike IPsec, which supports NAT traversal, GRE tunnels cannot be NATed because GRE does not have port numbers

Identity-Based Tunnels LAB - Using Tag On DMZ VLAN
[Diagram: Internal Network and DMZ Network, with a GRE Tunnel from 10.5.2.N (Tunnel Source) to 10.7.1.X (Tunnel Destination); the DMZ has Internet access. Gateways: 10.5.2.1 (Internal), 10.7.1.1 (DMZ).]
Tunnel Source AP: Hostname: X-A-000000; Interface mgt0: 10.5.2.N/24 VLAN 2; WLAN Policy: WLAN-X
Tunnel Destination AP: Hostname: X-B-000000; Interface mgt0: 10.7.1.X/24 VLAN 1; WLAN Policy: WLAN-X; Tag1: DMZ-X
WLAN Policy: WLAN-X; Hive: Class-X
Tunnel Policy: GRE-Tunnel-X; Tunnel Settings: Enable static identity-based tunnel; Tunnel Destination: IP Range Start 10.7.1.X, End 10.7.1.X; Tunnel Source: 10.5.1.0/24 and 10.5.2.0/24; Tunnel Password: <randomly generated>; MGT0 VLAN: 2; Native VLAN: 1
SSID: Class-Guest-X; Captive Web Portal: CWP-Tunnel-X; Registration Type: Use-Policy-Accept; User Profile: Role-Tunnel(1XX); Attribute: 1XX; VLAN: 1XX; Tunnel Policy: GRE-Tunnel-X
Guest Client: SSID: Class-GRE-X; IP: 10.7.1X.N/24; Gateway: 10.7.1X.1
DHCP Settings for VLAN 1XX (01, 02, .., 13): network 10.7.1XX.0/24; IP range 10.7.1XX.100 to 10.7.1XX.199
Tunnel Source 2011 Aerohive Networks CONFIDENTIAL Lab: Use SSID to Tunnel Guest Traffic to DMZ 1. Create a New SSID 399 To configure a SSID for Guest Tunneling over GRE Go to Configuration Select your Network Policy: WLAN-X and click OK Next to SSIDs, click Choose Click New
2011 Aerohive Networks CONFIDENTIAL Copyright 2011 Lab: Use SSID to Tunnel Guest Traffic to DMZ 2. Configure an SSID for GRE tunneling Profile Name: Class-GRE-X SSID: Class-GRE-X Under SSID Access Security select WPA/WPA2 PSK (Personal) Key Value & Confirm Value: aerohive123 Check Enable Captive Web Portal Click Save 400 2011 Aerohive Networks CONFIDENTIAL Lab: Use SSID to Tunnel Guest Traffic to DMZ 3. Select new Class-GRE SSID 401 Click to deselect Class-Secure-X SSID Ensure the Class-GRE-X SSID is selected Click OK Click to deselect Class-Secure-X Ensure Class-GRE-X is highlighted then click OK 2011 Aerohive Networks CONFIDENTIAL Lab: Use SSID to Tunnel Guest Traffic to DMZ 4. Create a Use Policy Captive Web Portal 402 Under Authentication, click <CWP> In Choose CWP, click New Click Click 2011 Aerohive Networks CONFIDENTIAL Lab: Use SSID to Tunnel Guest Traffic to DMZ 5. Configure Use Policy Captive Web Portal 403 Name: CWP-Guest-X Registration Type: Use Policy Acceptance Do not save yet...
Optional: Click here to customize the use policy page If you customize the use policy, you can enter or modify the text directly in the text box. 2011 Aerohive Networks CONFIDENTIAL Lab: Use SSID to Tunnel Guest Traffic to DMZ 6. Configure Use Policy Captive Web Portal 404 Expand Captive Web Portal Success page after successful login Select the option to O Redirect to the initially requested page or O Redirect to an external page and enter a URL Click Save 2011 Aerohive Networks CONFIDENTIAL Lab: Use SSID to Tunnel Guest Traffic to DMZ 7. Assign CWP and Configure SSID 405 Under User Profile click Add/Remove
2011 Aerohive Networks CONFIDENTIAL Lab: Use SSID to Tunnel Guest Traffic to DMZ 9. Create a user profile to tunnel traffic 406 Define a user profile to tunnel traffic to an AP in the DMZ Note: XX= 2 Digits (02,03, .. ,27,28) Name: GRE-users-1XX Attribute Number: 1XX Default VLAN: 1XX Note: This VLAN is encapsulated inside the GRE tunnel and sent to the tunnel destination where the VLAN must exist. Expand the GRE Tunnels Select GRE tunnel for roaming or station isolation Click + to create a GRE tunnel policy Note: The name, attribute number and default VLAN do not have to match but it looks nice if they do. 2011 Aerohive Networks CONFIDENTIAL Lab: Use SSID to Tunnel Guest Traffic to DMZ 10. Create a user profile to tunnel traffic 407 Configure the tunnel information for both sides of the tunnel in this policy Name: GRE-X Select Enable Static Identity-Based Tunnels Tunnel Destination IP Range Start: 10.7.1.X End: 10.7.1.X Note: You can specify a range of consecutive Aerohive APs if you have multiple Aerohive APs at the tunnel destination for redundancy and load sharing. Tunnel Source IPs or Subnets - Under Available IP Addresses Select 10.5.2.0/24 and 10.5.1.0/24 and click the > button Tunnel Authentication Click Generate Click Save 2011 Aerohive Networks CONFIDENTIAL Lab: Use SSID to Tunnel Guest Traffic to DMZ 11. Save the Use Profile 408 Back in the user profile Ensure Tunnel Policy is set to: GRE-X
Note: If you do configure firewall policies, be aware that your firewall policies are applied before your traffic is tunneled to the destination Aerohive AP. Also note that the IP address of your client will be from the remote network at the tunnel destination.
Click Save.
Lab: Use SSID to Tunnel Guest Traffic to DMZ, 12. Save the User Profile
Ensure the GRE-users-1XX user profile is selected (highlighted).
Click Save.
Note: When a client associates with this SSID and completes the registration process, its traffic is tunneled to the destination Aerohive AP specified by the tunnel policy in the user profile. If a client associates with this SSID on the tunnel endpoint itself, the traffic is forwarded without tunneling.

Lab: Use SSID to Tunnel Guest Traffic to DMZ, 13. Verify settings and continue to configure devices
Verify the settings and click the Configure & Update Devices bar to configure the GRE server (the B-Aerohive AP) for DHCP service.

AEROHIVE AP DHCP SERVICE ON TUNNEL END POINT

LAB: Configure DHCP Service for Guests, 1. Save the User Profile
In the Configure & Update Devices section, click the link for your B-Aerohive AP: X-B-#####

LAB: Configure DHCP Service for Guests, 2. Create a new DHCP Server Object
In the device configuration, scroll down and expand Service Settings.
In the DHCP Server & Relay section, click +.

LAB: Configure DHCP Service for Guests, 3. Configure DHCP Server for VLAN 1XX
To create a DHCP server and IP pool for VLAN 1XX:
Name: DHCP-1XX
Interface: mgt0.1
IP Address: 10.7.1XX.2
Netmask: 255.255.255.0
VLAN ID: 1XX
Please do not save yet...

LAB: Configure DHCP Service for Guests, 4. Configure DHCP Server for VLAN 1XX
Configure the IP pool and DHCP options.
Under IP Pool:
Start IP Address: 10.7.1XX.100
End IP Address: 10.7.1XX.199
Click Apply (really, please click Apply!).
Under DHCP Server Options:
Default Gateway: 10.7.1XX.1
Note: The netmask is automatically inherited from the mgt0.X interface.
DNS Server 1 IP: 8.8.8.8
Click Save.
Scroll up to click Save.

LAB: Configure DHCP Service for Guests, 5. Assign your DHCP service to your B Aerohive AP
Select your DHCP server object DHCP-1XX and move it to the Selected List.
Scroll up to Save the settings for this Aerohive AP.

LAB: Configure DHCP Service for Guests, 6. Update the configuration of your Aerohive APs
In the Configure & Update Devices section, check the box next to your APs: X-A-######, X-B-######
Click Upload Selected Network Policy to update the GRE tunnel and DHCP server configuration.

TEST GUEST GRE TUNNEL ACCESS

Identity-Based Tunnels Lab Using Tag On DMZ VLAN (topology summary)
A AP (tunnel source, internal network): Hostname X-A-000000; Interface mgt0 10.5.2.N/24, VLAN 2; WLAN Policy WLAN-X. Internal router gateway: 10.5.2.1.
B AP (tunnel destination, DMZ network): Hostname X-B-000000; Interface mgt0 10.7.1.X/24, VLAN 1; WLAN Policy WLAN-X; Tag1: DMZ-X. DMZ router gateway: 10.7.1.1.
WLAN Policy: WLAN-X; Hive: Hive-Class-X; Tunnel Policy: GRE-X; Tunnel Settings: Enable static identity-based tunnel; Tunnel Destination: IP Range Start 10.7.1.X, End 10.7.1.X; Tunnel Source: 10.5.1.0/24 and 10.5.2.0/24; Tunnel Password: <randomly generated>; MGT0 VLAN: 2; Native VLAN: 1.
SSID: Class-GRE-X; Captive Web Portal: CWP-Tunnel-X; Registration Type: Use-Policy-Accept; User Profile: Role-Tunnel(1XX); Attribute: 1XX; VLAN: 1XX; Tunnel Policy: GRE-X.
Guest client on SSID Class-GRE-X: IP 10.7.1X.N/24, Gateway 10.7.1X.1. Its traffic crosses the GRE tunnel from 10.5.2.N to 10.7.1.X and exits to the Internet from the DMZ.
DHCP settings for VLAN 1XX (01, 02, ..., 13): network 10.7.1XX.0/24, IP range 10.7.1XX.100 to 10.7.1XX.199.
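The per-student addressing in this lab follows one pattern (VLAN 1XX, DHCP network 10.7.1XX.0/24 served from .2 with pool .100-.199 and gateway .1, GRE destination 10.7.1.X). The following is an added example, not part of the Aerohive courseware, that expands that pattern for a student number and checks the resulting scope for the mistakes that silently break a guest VLAN (gateway or server inside the pool, pool outside the subnet, tunnel endpoint placed in the guest subnet). Function and field names are this example's own.

```python
"""Consistency check for the lab's per-student guest DMZ addressing (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class GuestScope:
    vlan_id: int
    network: ipaddress.IPv4Network
    server_ip: ipaddress.IPv4Address   # DHCP server (B AP) address on the guest VLAN
    gateway: ipaddress.IPv4Address     # default gateway handed out by DHCP
    pool_start: ipaddress.IPv4Address
    pool_end: ipaddress.IPv4Address
    tunnel_dest: ipaddress.IPv4Address  # GRE tunnel destination (B AP mgt0)


def build_scope(student: int) -> GuestScope:
    """Expand the slides' 1XX / 10.7.1XX.x pattern for student number 1..99."""
    if not 1 <= student <= 99:
        raise ValueError("student number must fit in two digits (XX)")
    vlan = 100 + student                       # VLAN 1XX, e.g. student 5 -> 105
    net = ipaddress.IPv4Network(f"10.7.{vlan}.0/24")   # 10.7.1XX.0/24
    return GuestScope(
        vlan_id=vlan,
        network=net,
        server_ip=net.network_address + 2,     # 10.7.1XX.2
        gateway=net.network_address + 1,       # 10.7.1XX.1
        pool_start=net.network_address + 100,  # 10.7.1XX.100
        pool_end=net.network_address + 199,    # 10.7.1XX.199
        tunnel_dest=ipaddress.IPv4Address(f"10.7.1.{student}"),
    )


def check_scope(scope: GuestScope) -> list[str]:
    """Return a list of problems; an empty list means the scope is self-consistent."""
    problems = []
    if not 1 <= scope.vlan_id <= 4094:
        problems.append(f"VLAN ID {scope.vlan_id} out of range")
    named = (("server IP", scope.server_ip), ("gateway", scope.gateway),
             ("pool start", scope.pool_start), ("pool end", scope.pool_end))
    for label, addr in named:
        if addr not in scope.network:
            problems.append(f"{label} {addr} is outside {scope.network}")
    if scope.pool_end < scope.pool_start:
        problems.append("pool end precedes pool start")
    # Addresses the pool may lease must not collide with the gateway or the server itself.
    for label, addr in named[:2]:
        if scope.pool_start <= addr <= scope.pool_end:
            problems.append(f"{label} {addr} lies inside the DHCP pool")
    # The tunnel endpoint sits on the DMZ management subnet, not on the tunneled guest VLAN.
    if scope.tunnel_dest in scope.network:
        problems.append(f"tunnel destination {scope.tunnel_dest} is inside the guest subnet")
    return problems


if __name__ == "__main__":
    scope = build_scope(5)
    print(scope)
    print("problems:", check_scope(scope) or "none")
```

Running it for a planned scope before clicking Save in HiveManager is the point: the check fails loudly on a gateway placed inside the lease range, which the GUI will happily accept.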
LAB: Guest GRE Tunnel and DHCP Server, 1. Connect to your Class-GRE-X SSID
On your remote hosted PC, connect to the SSID: Class-GRE-X
Passphrase/Network Key: aerohive123
LAB: Guest GRE Tunnel and DHCP Server, 2. Agree to Acceptable Use Policy
Open a web browser and browse to a decent web site: http://www.aerohive.com
A captive web portal page will be displayed.
Fill out the web registration form.
Click Accept to agree to the Acceptable Use Policy.

LAB: Guest GRE Tunnel and DHCP Server, 3. Verify Access To Internet
Once the login is successful, you can access the network.
After a moment, you should automatically be redirected to the web page you initially requested, or to the URL you specified in the captive web portal.

LAB: Guest GRE Tunnel and DHCP Server, 4. View Active Clients list
After associating with your SSID, you should see your connection in the active clients list in HiveManager.
Go to Monitor > Clients > Active Clients.
Your IP address should be from the 10.7.1XX.0/24 network.
Note the IP address, VLAN and user profile attribute: VLAN 1XX, User Profile Attribute 1XX.

LAB: Guest GRE Tunnel and DHCP Server, 5. View GRE Tunnel Information
From Monitor > All Devices, check the box next to your A Aerohive AP.
Click Tools... > Diagnostic > Show GRE Tunnel.

BONJOUR GATEWAY

Bonjour Gateway Services
If you have a 3rd-party network: you can create a Bonjour-only policy and put an AP (Bonjour gateway) in your network.
If you have an Aerohive wireless network: the Designated Access point (DA) for the management network will be the Bonjour gateway. Enable Bonjour gateway services in your network policies to ensure the designated access points get the Bonjour gateway configuration. Also, if the DA is taken offline, you will want the Bonjour gateway configuration ready to run on the new DA (which was the backup designated access point, BDA).
Even with an Aerohive wireless network: if you want a dedicated access point for Bonjour gateway services, create a Bonjour-only network policy and ensure the AP has a unique hive name. If the AP is its own hive, it is the DA, and therefore will be the Bonjour gateway.

Aerohive Bonjour Gateway
Bonjour is a protocol that Apple devices use to advertise available services within a VLAN/subnet. Aerohive devices can function as Bonjour gateways and forward service advertisements across VLAN/subnet boundaries; services in one VLAN or subnet then become available to users in other VLANs/subnets. Aerohive APs have Bonjour gateway functionality built in.
Diagram: router; printer (Bonjour capable, wire or Wi-Fi connected, AirPrint).
Diagram, continued: Apple TV (Bonjour capable, wire or Wi-Fi connected, AirPlay); iPhone or iPad (Wi-Fi connected).

Aerohive Bonjour Gateway: Without a Bonjour Gateway
All devices using a Bonjour service must be on the same subnet. Because the Bonjour devices and users in this example are on different subnets, the iPad in this picture cannot use AirPlay to send its display to the Apple TV on VLAN 2, and cannot use AirPrint to print to the printer on VLAN 2.
Diagram: Printer (Bonjour capable, wire or Wi-Fi connected) IP 10.5.2.20/24, VLAN 2; Apple TV (Bonjour capable, wire or Wi-Fi connected) IP 10.5.2.10/24, VLAN 2; Aerohive AP1 IP 10.5.1.100/24, Mgmt VLAN 1; SSID Device-WiFi on Device VLAN 2; SSID Corp-WiFi on User VLAN 10; iPhone or iPad (Wi-Fi connected) IP 10.5.10.33/24, VLAN 10; AirPlay and AirPrint marked X (blocked); Router.

Aerohive Bonjour Gateway: With a Bonjour Gateway
The iPad in this picture, on VLAN 10, can use AirPlay to send its display to the Apple TV on VLAN 2, or use AirPrint to print to the printer on VLAN 2. Bonjour gateways do not route the Bonjour traffic; they answer Bonjour discovery requests from Bonjour client devices with services learned on different subnets.
Diagram: Aerohive AP1 IP 10.5.1.100/24, Mgmt VLAN 1; SSID Device-WiFi on Device VLAN 2; SSID Corp-WiFi on User VLAN 10; Apple TV (Bonjour capable, wire or Wi-Fi connected) IP 10.5.2.10/24, VLAN 2; iPhone or iPad (Wi-Fi connected) IP 10.5.10.33/24, VLAN 10; Router.

Bonjour Gateway Service
When Bonjour gateway services are enabled, the AP automatically probes the network to determine which VLANs are active by using DHCP discovery, and creates a Bonjour gateway device (bgd) IP interface for each VLAN.
Diagram: Printer (Bonjour capable, wire or Wi-Fi connected).
Diagram, continued: Apple TV (Bonjour capable, wire or Wi-Fi connected); 802.1Q trunk; DHCP server; Aerohive AP1 interfaces:
int mgt0   IP 10.5.1.100/24  VLAN 1
int bgd0.2 IP 10.5.2.44/24   VLAN 2
int bgd0.3 IP 10.5.8.129/24  VLAN 8
int bgd0.4 IP 10.5.10.58/24  VLAN 10

Bonjour Gateway Service
When the AP detects a Bonjour service on a VLAN, it builds a table of available services. When a Bonjour client device sends a Bonjour discovery from a VLAN different from the one the Bonjour service is on, the AP, if permitted by a filter rule, responds with the Bonjour service information.
Diagram: same topology as above (Printer, Apple TV, Router, DHCP server, AP1 with mgt0 on VLAN 1 and bgd0.2/bgd0.3/bgd0.4 on VLANs 2, 8 and 10).

Bonjour Gateway Service
VLANs are unique within a single routed domain. VLAN IDs may be reused in a network that is segmented by routers, which is common with VLAN 1. The Aerohive Bonjour gateway service supports both networks with unique VLANs throughout and networks that reuse VLAN IDs.
Diagram (shared by this and the next two slides):
Floor 1: AP1 int mgt0 IP 10.5.1.100/24, Mgt VLAN 1; SSID Corp-WiFi on User VLAN 10; 802.1Q trunk carrying VLANs 1,10 to Router1 (VLAN 1, 10); Apple TV (Bonjour capable, wire or Wi-Fi connected) IP 10.5.1.14/24, VLAN 1.
Floor 2: AP2 int mgt0 IP 10.7.1.100/24, Mgt VLAN 1; SSID Corp-WiFi on User VLAN 50; 802.1Q trunk carrying VLANs 1,50 to Router2 (VLAN 1, 50); Printer (Bonjour capable, wire or Wi-Fi connected) IP 10.7.1.150/24, VLAN 1.
Router1 and Router2 are connected over VLAN 11.

Bonjour Gateway Service
APs in different subnets can automatically locate each other wirelessly, or can be set manually as L3 roaming neighbors. In this case, AP1 is a local Bonjour Gateway Device (BGD), and AP2 is a remote Bonjour gateway device (the remote BGD for AP2 is AP1). AP1 advertises the Apple TV service to AP2 so AP2 can respond to Bonjour discovery messages on its VLANs 1 and 50.

Bonjour Gateway Service
In this case, AP2 is the local Bonjour Gateway Device (BGD), and AP1 is a remote Bonjour gateway device. AP2 advertises the Printer service to AP1 so AP1 can respond to Bonjour discovery messages on its VLANs 1 and 10.
Bonjour Browser Apps
You can download Bonjour browser applications for your iPad or iPhone from iTunes.
You can download a Bonjour browser application for your MacBook from http://www.tildesoft.com
You can also download a Bonjour browser for Microsoft Windows from http://hobbyistsoftware.com/bonjourBrowser
If you do not have Bonjour running, you will need that as well. Bonjour comes with iTunes, possibly Skype, and some other programs on Windows. (64-bit Windows link) http://supportdownload.apple.com/download.info.apple.com/Apple_Support_Area/Apple_Software_Updates/Mac_OS_X/downloads/061-5788.20081215.5t9Uk/Bonjour64Setup.exe
Show Bonjour Status

02-A-0c4980#show bonjour status
Bonjour Gateway Status:Enabled
Bonjour Gateway Debug: off
Realm id: 08ea:440c:4980
Local BDD mgt0: IP(10.5.1.52/24), VLAN(1) MAC(08ea:440c:4980)
Total 3 Local Attached VLANs: 2 10 1
Total Services: 5, Published Times: 5
Total 1 Remote BDDs: 1) 10.7.1.52/24

Show Bonjour Interfaces

02-A-0c4980#show int
State=Operational state; Chan=Channel; Radio=Radio profile; U=up; D=down;
Name    MAC addr        Mode     State Chan VLAN Radio      Hive       SSID
------- --------------  -------- ----- ---- ---- ---------- ---------- ---------
Mgt0    08ea:440c:4980  -        U     -    1    -          Training   -
Bgd0.1  08ea:440c:4980  -        U     -    2    -          Training   -
Bgd0.2  08ea:440c:4980  -        U     -    10   -          Training   -

02-A-0c4980#show int bgd0.1
Admin state=enabled; Operational state=up; DHCP client=enabled;
IP addr=10.5.2.52; Netmask=255.255.255.0; VLAN id=2;

02-A-0c4980#show int bgd0.2
Admin state=enabled; Operational state=up; DHCP client=enabled;
IP addr=10.5.10.52; Netmask=255.255.255.0; VLAN id=10;
View Bonjour Gateway Services Detailed Information

show bonjour status local detail
3) Name=Apple TV; Type=_airplay._tcp.; VLAN=2; IP=10.5.2.53; Port=7000; Netmask=255.255.255.0; Host=Apple-TV.local.; Flags=Add/Local/Completed/Filtered/(43); Service Create Time=Aug 30 16:33:35 2012; Last Time Update To Remote BDD=10 sec ago; Last Time Update From Remote BDD=N/A; BDD=0.0.0.0; Sdref=N/A; Service Published Iface(vlan) List=bgd0.3(10)(Done) bgd0.2(8)(Done) mgt0(1)(Done) ; TXT Length=75; TXT: "deviceid=B8:17:C2:CC:33:9F" "features=0x39f7" "model=AppleTV2,1" "srcvers=130.14"

The VLAN field is the VLAN the service was learned on; the Type, IP and Port fields are the Bonjour service and IP information. The Service Published Iface(vlan) List tells you that the service will be available on each of the interfaces (VLANs) shown. If you do not see interfaces listed, the service will not be available on any VLAN other than the one it was received on.

Set the Clock!
Please make sure NTP is set on your APs. If your APs' clocks are not within a reasonable time (for example, they show 1970), Bonjour services will not work.

02-A-0c4980#show clock
2012-08-29 22:16:16 Wednesday
Bonjour Services Can Be Filtered By the Bonjour Gateway

03-A-471140#show bonjour service local
Show Local Bonjour Gateway Service:
No. VLAN Service-IP   Port  Type            Name
=============================================================
1   2    10.5.2.103   49152 _raop._tcp.     98D6BB2A6F0F@Apple TV
2   2    10.5.2.103   7000  _airplay._tcp.  Apple TV
Total 2 services.

03-A-471140#show bonjour service local filter
Show Local Bonjour Gateway Service:
No. VLAN Service-IP   Port  Type            Name
=============================================================
1   2    10.5.2.103   7000  _airplay._tcp.  Apple TV
HiveManager Shows The Bonjour Services Reported By The Bonjour Gateways
Monitor > Bonjour Gateway

BONJOUR GATEWAY LAB

Lab: Bonjour Gateway, 1. Verify No Bonjour Services on Hosted PC
From your hosted PC, start the Bonjour Browser.
You will notice that no Bonjour services are available.
Your PC is on VLAN 10 and the Apple TV is on VLAN 2, so the only way you can see the services is through a Bonjour gateway.

Lab: Bonjour Gateway, 2. Select Network Policy
To configure Bonjour gateway services, go to Configuration.
Select your Network Policy WLAN-X and click OK.

Lab: Bonjour Gateway, 3. Create a new Bonjour Gateway Profile
In your Network Policy WLAN-X, next to Bonjour Gateway click Choose.
Click New.

Lab: Bonjour Gateway, 4. Define Bonjour Profile Settings
Name: Bonjour-X
Scan the following VLANs for services: 1-10
Note: We do not have any other VLANs on this network, so it saves time to limit the scan to your known VLANs. VLANs are checked in parallel, so you can check all 4095 in a short period of time. The Bonjour gateway is looking for any VLAN that returns a DHCP address.
Ensure all the default services are selected.
Click Save.

Lab: Bonjour Gateway, 5. Update the configuration of your A-Aerohive AP
In the Configure & Update Devices section, set the Filter to Current Policy.
Check the box next to your AP: X-A-######
Click Upload. The changes will take effect immediately.

Lab: Bonjour Gateway, 6. Note MAC of DA AP and View Bonjour Gateway
Go to Monitor. Note the MAC address of the AP (Node ID); this will be the Bonjour gateway realm name.
Go to Monitor > Bonjour Gateway. In a minute you should see your AP MAC as a realm.
Click the realm name to see the Bonjour services. There is an Apple TV on the network with two Bonjour services.

Lab: Bonjour Gateway, 7. Verify Bonjour Services on Hosted PC
From your hosted PC, start the Bonjour Browser.
You will see two services: _airplay._tcp (Apple TV) and _raop._tcp. (98D6BB2A6F0F@Apple TV).
Your PC is on VLAN 10 and the Apple TV is on VLAN 2, so the only way you can see the services is through a Bonjour gateway.
Note: As long as one Bonjour gateway in class is working, everyone will see the services. We will use the CLI to see whether yours is working or not.
Lab: Bonjour Gateway, 8. Use SSH Client to Access Your AP
From Monitor > Aerohive APs, select your AP and click Utilities... > SSH Client.
Click Connect. Wait about 30 seconds.

Lab: Bonjour Gateway, 9. Verify the DA is the Bonjour Gateway
Type: show amrp <Return>
Find the IP address of the Designated AP (DA) of the management subnet.
From Monitor, find the IP address of the DA access point and note the MAC address of the AP (Node ID).
From Monitor > Bonjour Gateway, verify the MAC address of the DA.

Lab: Bonjour Gateway, 10. Instructor: Use SSH Client to Access the DA
From Monitor > Aerohive APs, select the Designated AP (DA) and click Utilities... > SSH Client.
Click Connect. Wait about 30 seconds.

Lab: Bonjour Gateway, 11. Instructor: Show Bonjour Service Local Detail
Type: show bonjour service local detail <Return>
Locate the line with "Apple TV;Type=_airplay._tcp" and scroll the window to the right until you see "Service Published Iface(vlan)".
The Bonjour services are advertised out the bgd0.X interfaces listed: bgd0.3 is VLAN 10, bgd0.2 is VLAN 8, and bgd0.1 is VLAN 1. The gateway will not re-advertise a service out the VLAN it was learned from, which here is VLAN 2.

Lab: Bonjour Gateway, 12. Create Bonjour service filter
From your network policy WLAN-X, click your Bonjour policy: Bonjour-X

Lab: Bonjour Gateway, 13. Filter Out Unwanted Services
For the services, uncheck All.
Locate and check the box next to AirPlay.
Click Save and then update the configuration of your AP.

Lab: Bonjour Gateway, 14. Instructor: Use SSH Client to Access the DA
From Monitor > Aerohive APs, select the Designated AP (DA) and click Utilities... > SSH Client.
Click Connect. Wait about 30 seconds.

Lab: Bonjour Gateway, 15. Instructor: Show Bonjour Service Local Detail
Type: show bonjour service local <Return>
This shows all the services that have been learned.
Type: show bonjour service local filter <Return>
This shows all the services that make it through the filter.
If the lab was done correctly, you should only see _airplay._tcp.
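The two show commands above, and the "Service Published Iface(vlan) List" field on the detail slide, describe one piece of logic: the gateway keeps a table of every service it learns, the filter decides which of them it will answer for, and it never re-advertises a service onto the VLAN it was learned from. The following is an added example, not HiveOS code, that models exactly that behaviour; the sample services are taken from the `show bonjour service local` output on the slides, while the interface-to-VLAN map and all class and function names are this example's own assumptions.

```python
"""Model of the Bonjour gateway's service table, filter and publication rule (added example)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class BonjourService:
    name: str
    type: str   # service type as shown by `show bonjour service local`, e.g. "_airplay._tcp."
    vlan: int   # VLAN the advertisement was received on
    ip: str
    port: int


@dataclass
class BonjourGateway:
    # interface name -> VLAN it sits on (mgt0 for the management VLAN, bgd0.N for the rest)
    interfaces: dict[str, int]
    # service types allowed by the filter; None models the profile's "All" setting
    allowed_types: Optional[set[str]] = None
    learned: list[BonjourService] = field(default_factory=list)

    def learn(self, svc: BonjourService) -> None:
        """`show bonjour service local`: every advertisement seen is recorded, filtered or not."""
        if svc not in self.learned:
            self.learned.append(svc)

    def passes_filter(self, svc: BonjourService) -> bool:
        return self.allowed_types is None or svc.type in self.allowed_types

    def filtered_services(self) -> list[BonjourService]:
        """`show bonjour service local filter`: the services that make it through the filter."""
        return [s for s in self.learned if self.passes_filter(s)]

    def published_interfaces(self, svc: BonjourService) -> list[str]:
        """`Service Published Iface(vlan) List`: interfaces on which the gateway will answer
        for this service. Never the VLAN it was learned on; nothing at all if filtered out."""
        if not self.passes_filter(svc):
            return []
        return sorted(name for name, vlan in self.interfaces.items() if vlan != svc.vlan)

    def answer_query(self, client_vlan: int, qtype: str) -> list[BonjourService]:
        """Respond to a discovery for `qtype` received from a client on `client_vlan`."""
        if client_vlan not in self.interfaces.values():
            return []   # no bgd interface on that VLAN, so the gateway never hears the query
        return [s for s in self.filtered_services()
                if s.type == qtype and s.vlan != client_vlan]


# Sample data constructed from the slides: two services on the Apple TV in VLAN 2,
# and a gateway with interfaces on VLANs 1, 2, 8 and 10.
APPLE_TV_AIRPLAY = BonjourService("Apple TV", "_airplay._tcp.", 2, "10.5.2.103", 7000)
APPLE_TV_RAOP = BonjourService("98D6BB2A6F0F@Apple TV", "_raop._tcp.", 2, "10.5.2.103", 49152)
INTERFACES = {"mgt0": 1, "bgd0.1": 2, "bgd0.2": 8, "bgd0.3": 10}   # assumed mapping


def build_gateway(allow_only_airplay: bool) -> BonjourGateway:
    """Gateway before (All services) and after (AirPlay only) lab step 13."""
    allowed = {"_airplay._tcp."} if allow_only_airplay else None
    gw = BonjourGateway(dict(INTERFACES), allowed)
    gw.learn(APPLE_TV_AIRPLAY)
    gw.learn(APPLE_TV_RAOP)
    return gw


if __name__ == "__main__":
    for only_airplay in (False, True):
        gw = build_gateway(only_airplay)
        print("filter AirPlay only:", only_airplay)
        for s in gw.learned:
            print(f"  {s.type:16} published on {gw.published_interfaces(s) or 'nothing'}")
        print("  VLAN 10 client asking for _raop._tcp. gets:", gw.answer_query(10, "_raop._tcp."))
```

The filter is a defender's control: a service type that is not on the allow list is still learned (it appears in `show bonjour service local`) but is never published, so the hosted PC on VLAN 10 sees the Apple TV only through the types the policy explicitly permits.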
MOBILE DEVICE MANAGEMENT (MDM) ENFORCEMENT WITH JAMF (CASPER SUITE) FOR APPLE DEVICES

MDM
Network-based MDM:
Access controls based on user, device type, location
Policy enforcement: QoS, firewall, SLA, time-of-day controls
Now: required enrollment
Profile-based MDM:
Device management and configuration
App/software installation and updates
App and feature restrictions
Policy enforcement (device capabilities, passcode, etc.)
Content distribution
JAMF Software (for now)

Aerohive and JAMF Software Together
Automatically enroll and re-enroll Apple iOS mobile devices and OS X-based Macs
Control user and device access to the network and network resources
Configure and deploy security and configuration profiles for Apple devices
Manage iOS and Mac OS X inventory
Distribute App Store/custom apps and eBooks to iOS devices
Apple Management Components (diagram)

How Enrollment Check Works - Before
The device joins the SSID and is placed in a walled garden: it can reach DHCP and DNS services plus the JSS and Apple notification servers.
The AP identifies the OS via DHCP options. If it is not an iOS device, it is released from the walled garden. If it is an iOS device, the AP queries the JSS to learn whether the device is enrolled.
Enrolled devices are released from the walled garden. Un-enrolled iOS devices remain quarantined, and all of their HTTP requests are forwarded to the JSS enrollment web page.

How Enrollment Check Works - After
Once the AP verifies that enrollment is complete, the walled garden opens.
Network access is now dictated by the rules of the relevant user profile; relevance is based on user, location, device type, time, etc.

Configure SSID
Create the SSID.
Expand Advanced.
Enable MDM Enrollment.
Enable the OS Object for iPod/iPhone/iPad or Mac OS.
Enter the URL of the JSS.
Enter the JSS admin credentials.

Set DHCP Options
Additional Settings > Service Settings > Management Options
Click Modify.
Ensure "Use DHCP Option 55 contents" is selected.
Click Save.

Connect to Network and Enroll
Join the iOS or Mac OS device to the JAMF-protected network.
The AP will perform an enrollment check. Un-enrolled devices will be redirected to the JSS enrollment page.

Enrollment
Un-enrolled Apple devices must enroll to gain access to the network.
Administrators may allow open enrollment or require authentication (works with external LDAP or the JSS internal user database).
The user must manually install the trust certificate and the MDM profile (SCEP).
The JSS sends instructions to APNs that notify clients to do the following: perform an inventory request; install the Self Service web clip (iOS only); install any already-assigned settings, restrictions, policies, or apps.

How JSS and Apple Keep iOS Devices Up To Date On Any Network
After initial enrollment, managed iOS devices maintain their relationship with the JSS. It does not matter to which network the device connects.

Apple Push Notification Service (diagram)

With JAMF Software, You Can
For OS X devices: install software packages; configure printers; run scripts; set device and software restrictions; set and configure passcodes; configure networks; configure VPN; configure Exchange/IMAP/POP3 email; configure directories; configure security settings; deploy certificates; wipe or lock lost or stolen devices; collect device hardware and app inventory; manage device encryption; and more.
For iOS devices: deploy App Store or custom apps; publish eBooks; set device restrictions; set and configure passcodes; configure Wi-Fi networks and security; configure VPN; configure Exchange/IMAP/POP3 email; configure LDAP, CalDAV, CardDAV; set web clips; deploy certificates; wipe or lock lost or stolen devices; collect device hardware and app inventory; deploy the Self Service web clip; and more.

Troubleshooting Scenario 1
Problem: Device is not captured in the walled garden.
Things to check:
Is the OS detected correctly?
Does the JSS think the device is already enrolled?

Is The Client OS Detected Correctly?
The MDM walled garden is only applied to Apple mobile devices running iOS or Macs running OS X. If the OS is not detected correctly, the device is not kept in the walled garden.
Using DHCP Option 55: iPod/iPhone/iPad will be detected as Apple iOS; all versions of OS X are reported as Mac OS.
Using the HTTP User-Agent, devices are detected as: iPad, iPhone, iPod, Mac OS.
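The slide above names the two inputs the AP uses to classify a client (the DHCP option 55 parameter request list, and the HTTP User-Agent) and the consequence of a miss: an unrecognised device is released from the walled garden. The following added example, which is not Aerohive code, parses the DHCP option field, looks up option 55 in a fingerprint table, classifies a User-Agent with the labels the slide lists, and applies the walled-garden rule. The fingerprint table is a constructed illustration rather than HiveOS's database, and all function names are this example's own.

```python
"""OS classification inputs for the MDM walled garden (added example)."""
from typing import Optional

DHCP_OPT_PAD = 0
DHCP_OPT_PARAM_REQUEST_LIST = 55
DHCP_OPT_END = 255

# Constructed fingerprint table (assumption for illustration, not HiveOS's database):
# parameter request list -> OS label used by the slides.
OPTION55_FINGERPRINTS = {
    (1, 3, 6, 15, 119, 252): "Apple iOS",
    (1, 121, 3, 6, 15, 119, 252, 95, 44, 46): "Mac OS",
}

# Only these classifications are held in the walled garden, per the slide.
WALLED_GARDEN_OS = {"Apple iOS", "Mac OS"}
IOS_USER_AGENT_LABELS = ("iPad", "iPhone", "iPod")


def parse_dhcp_options(options: bytes) -> dict[int, bytes]:
    """Parse the TLV option field that follows the DHCP magic cookie (RFC 2132 layout)."""
    opts: dict[int, bytes] = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == DHCP_OPT_END:
            break
        if code == DHCP_OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated value for option {code}")
        opts[code] = value
        i += 2 + length
    return opts


def os_from_option55(options: bytes) -> Optional[str]:
    """Classify from the DHCP parameter request list; None when no fingerprint matches."""
    prl = parse_dhcp_options(options).get(DHCP_OPT_PARAM_REQUEST_LIST)
    if prl is None:
        return None
    return OPTION55_FINGERPRINTS.get(tuple(prl))


def os_from_user_agent(user_agent: str) -> Optional[str]:
    """Map a User-Agent to the slide's labels. iOS agents also contain "like Mac OS X",
    so the device tokens must be tested before the Mac test."""
    for label in IOS_USER_AGENT_LABELS:
        if label in user_agent:
            return label
    if "Mac OS X" in user_agent or "Macintosh" in user_agent:
        return "Mac OS"
    return None


def held_in_walled_garden(detected_os: Optional[str]) -> bool:
    """Troubleshooting Scenario 1 in code: an undetected or non-Apple OS is released."""
    if detected_os in IOS_USER_AGENT_LABELS:
        detected_os = "Apple iOS"
    return detected_os in WALLED_GARDEN_OS


def build_options(prl: tuple[int, ...]) -> bytes:
    """Constructed DHCP option field carrying only option 55, for offline testing."""
    return bytes([DHCP_OPT_PARAM_REQUEST_LIST, len(prl), *prl, DHCP_OPT_END])


if __name__ == "__main__":
    for prl in ((1, 3, 6, 15, 119, 252), (1, 3, 6, 15, 31, 33)):
        detected = os_from_option55(build_options(prl))
        print(prl, "->", detected, "| walled garden:", held_in_walled_garden(detected))
```

Two operational points fall out of the code: a client whose DHCP request carries no option 55 (or an unlisted one) classifies as None and is never quarantined, and the User-Agent path only helps once the client actually sends HTTP, which is why the slide pairs the two methods.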
Does JSS Think Device Is Already Enrolled?
You can query the JSS manually to determine whether the JSS thinks a device is already enrolled.
From HiveManager: Monitor > Clients > Active Clients. Check the device to query, then click Operation > Show MDM Enrollment.
From the CLI: exec jss-check mobile-device <mac-address> enroll-status

Troubleshooting Scenario 2
Problem: Device never gets out of the walled garden after successful enrollment.
Things to check:
Can the AP connect to the JSS?
Does the JSS admin account have the correct privilege level?
Is enrollment fully complete?

Can AP/BR Connect To JSS?
Things to check:
Can the AP contact the JSS on port 8443/443?
Is the SSID configured with the correct JSS admin/password?
Does the JSS admin account have the right privileges in the JSS?

JSS Admin Privileges
Aerohive requires that the JSS admin account has minimal privileges.
Log in to the JSS: Settings > Accounts > {user} > Edit Account > Privileges tab.
No privileges required.
API Privileges: for iOS Mobile Devices = READ; for MacOS Computers = READ.

Partial Enrollment
To be fully enrolled, a device must complete the inventory request.
In the JSS, go to Inventory > Mobile Devices (or Computers) > Search. Click Details on the problematic client.
A partially enrolled device will lack critical inventory information, specifically a MAC address.
To resolve, ensure clients can access APNs on TCP 5223 and the JSS on TCP 8443 or TCP 443.

Troubleshooting Scenario 3
Problem: The JSS thinks the device is enrolled, but I know it is not; the device bypasses the walled garden.
When a device is de-enrolled by a user, the device attempts to notify the JSS of the de-enrollment. If the device cannot notify the JSS, the MDM profiles are removed anyway; therefore the JSS thinks the device is still enrolled and the client bypasses the walled garden.
The JSS conducts inventory on a daily basis (depending on configuration) and will not mark a de-enrolled device as missing for a long time. This is a configurable setting, and you have to balance the risk against scavenging devices that have simply been off for a while.
CUSTOMER SHOULD TALK TO JAMF FOR GUIDANCE/BEST PRACTICE.
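The two troubleshooting slides above amount to a manual version of the AP's enrollment check: reach the JSS over 8443 or 443 with an account holding only READ API privilege, look the device up by MAC address, and treat a record without a MAC address as only partially enrolled. The following is an added example, not Aerohive or JAMF code, that performs that query with an injectable fetcher so the classification logic can be exercised offline against constructed responses. The Classic API path and the XML element names are assumptions of this example, as are all function names.

```python
"""Manual JSS enrollment-status check for one device (added example)."""
import base64
import ssl
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Optional

NOT_ENROLLED = "not-enrolled"       # JSS has no record: device belongs in the walled garden
PARTIAL = "partial-enrollment"      # record exists but inventory never completed
ENROLLED = "enrolled"               # record complete: device is released


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-..., or aabbccddeeff; return upper-case colon form."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def http_fetch(url: str, user: str, password: str, timeout: float = 5.0) -> tuple[int, bytes]:
    """Default fetcher: HTTP Basic auth over TLS, certificate verification left on."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}",
                                               "Accept": "application/xml"})
    ctx = ssl.create_default_context()
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def enrollment_status(body: Optional[bytes], http_status: int) -> str:
    """Classify the JSS answer for one mobile device."""
    if http_status == 404:
        return NOT_ENROLLED
    if http_status in (401, 403):
        raise PermissionError("JSS rejected the account; check password and READ API privilege")
    if http_status != 200 or not body:
        raise RuntimeError(f"JSS returned HTTP {http_status}; check reachability on 8443/443")
    root = ET.fromstring(body)
    mac = root.findtext("general/wifi_mac_address") or ""   # assumed element name
    return ENROLLED if mac.strip() else PARTIAL


def check_device(jss_url: str, mac: str, user: str, password: str,
                 fetch: Callable[[str, str, str], tuple[int, bytes]] = http_fetch) -> str:
    """Look the device up by MAC and classify it; `fetch` is injectable for offline tests."""
    mac = normalize_mac(mac)
    url = f"{jss_url.rstrip('/')}/JSSResource/mobiledevices/macaddress/{mac}"   # assumed path
    status, body = fetch(url, user, password)
    return enrollment_status(body, status)


# Constructed sample responses, shaped like a minimal Classic API mobile-device record.
SAMPLE_ENROLLED = (b"<mobile_device><general><id>12</id>"
                   b"<wifi_mac_address>AA:BB:CC:DD:EE:FF</wifi_mac_address>"
                   b"</general></mobile_device>")
SAMPLE_PARTIAL = (b"<mobile_device><general><id>13</id>"
                  b"<wifi_mac_address></wifi_mac_address></general></mobile_device>")


def offline_fetch(url: str, user: str, password: str) -> tuple[int, bytes]:
    """Stand-in for the JSS used by the demo: one enrolled device, everything else unknown."""
    return (200, SAMPLE_ENROLLED) if url.endswith("AA:BB:CC:DD:EE:FF") else (404, b"")


if __name__ == "__main__":
    for mac in ("aa-bb-cc-dd-ee-ff", "00:11:22:33:44:55"):
        print(mac, "->", check_device("https://jss.example:8443", mac, "ro", "pw", fetch=offline_fetch))
```

A PARTIAL result points at the inventory step on the slide (APNs on TCP 5223, JSS on 8443/443), a PermissionError at the account's API privileges, and NOT_ENROLLED is the expected answer for a device that should still be sitting in the walled garden.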
Troubleshooting Scenario 4
Problem: The JSS knows the device is not enrolled, but an already connected device still has Internet access.
Aerohive checks enrollment status after the device associates to the network. De-auth the client from the network and clear the caches; the device should return to the walled garden at the next association.

Documentation
Configuration Guide: available in Help > Videos & Guides, http://www.aerohive.com/330000/docs/help/english/5.1r1/ref/Aerohive_JAMF-MDM-Configuration-Guide_330083-01.pdf
Evaluation Guide: available upon request.
5.1r2 versions of each will be available soon.

THANK YOU