AAWC Class 5.1r1 Revf

2012 Aerohive Networks Inc.
HiveManager version 5.1

Instructor-led Training
AEROHIVE ADVANCED WLAN
CONFIGURATION (AAWC)
1
2011 Aerohive Networks CONFIDENTIAL
Copyright Notice
2
Copyright 2012 Aerohive Networks, Inc. All rights reserved.

Aerohive Networks, the Aerohive Networks logo, HiveOS, Hive AP,
Aerohive AP, Aerohive Device, HiveManager, and
GuestManager are trademarks of Aerohive Networks, Inc. All
other trademarks and registered trademarks are the property of
their respective companies.

Creating a WLAN Policy
and Managing Aerohive Devices
GETTING STARTED
3
Lab: Get Connected
1. Connect to class WLAN
4
Please connect to the SSID: aerohive-class
Network Key: aerohive123
You should get an IP in the 10.5.1.0/24 subnet
SSID:
Security:
Network Key:
Class-SSID
WPA/WPA2 Personal (PSK)
aerohive123
Guest
Client
VLAN 1
WLAN Policy: WLAN-Classroom
Internet
Mgt0 IP: 10.5.1.N/24 VLAN 1
Class-SSID
10.5.1.N/24
10.5.1.1
Connect to SSID:
IP:
Gateway:
Instructor PC
Lab: Get Connected
2. Get class files from instructor
5
From your PC open a web browser and for the URL type:
ftp://ftp:aerohive@10.5.#.#
(Ask Instructor for the IP address)
Username: ftp
Password: aerohive
You will find:
Courseware (pptx files)
If you do not have MS office 2003 or later, please download a PPTX
viewer from Microsoft
Topology map jpg images
Used for the planning tool and topology map lab
TightVNC(Windows) & RealVNC (Mac)
Please install the Viewer only This is used to connect to a hosted PC
User files for Private PSK in CSV format
This is for the Private PSK lab
Introductions
6
What is your name?
What is your organizations name?
How long have you worked in Wi-Fi?
How long have you used Aerohive?

Facilities Discussion
7
Course Material
Distribution
Course Times
Restrooms
Break room
Smoking Area
Break Schedule
Morning Break
Lunch Break
Afternoon Break
Aerohive Advanced WLAN
Configuration (AAWC) Course
Overview
8
Each student connects to HiveManager, a remote PC, and a Aerohive AP over the Internet
from their wireless enabled laptop in the classroom, and then performs hands on labs the cover
the following topics:

Overview of Aerohive Cooperative Control Architecture and Products
802.1X/EAP architecture overview
802.1X with external RADIUS
RADIUS attributes for user profile assignment
Using Client Monitor to troubleshoot 802.1X/EAP
HiveManager Certificate Authority
Aerohive devices as RADIUS servers that integrate with Active Directory for 802.1X user
authentication and credential caching
LDAP Attributes for user profile assignment
Aerohive devices as Layer 2 IPsec VPN client and VPN servers
Self registration guest management using PPSK
Device classification
Layer 3 roaming
Guest Management using GRE tunneling to a DMZ
Aerohive devices as a DHCP server
Bonjour Gateway
Mobile Device Management (MDM)

2 Day Hands on Class
Aerohive Instructor Led Training
9
Aerohive Education Services offers a complete curriculum that provides
you with the courses you will need as a customer or partner to properly
design, deploy, administer, and troubleshoot all Aerohive WLAN
solutions.
Aerohive Essentials WLAN Configuration (AEWC) First-level course
Aerohive Advanced WLAN Configuration (AAWC) Second-level course
Aerohive Routing WLAN Configuration (ABOD)- Branch on Demand
course
www.aerohive.com/training Aerohive Class Schedule

Wi-Fi Books Authored by Aerohive
Employees
10
CWNA Certified Wireless Network Administrator
Official Study Guide by David D. Coleman and David
A. Westcott
CWSP Certified Wireless Security Professional
Official Study Guide by David D. Coleman, David A.
Westcott, Bryan E. Harkins and Shawn M. Jackman
CWAP Certified Wireless Analysis Professional Official
Study Guide by David D. Coleman, David A. Westcott,
Ben Miller and Peter MacKenzie
802.11 Wireless Networks: The Definitive Guide,
Second Edition by Mathew Gast
802.11n: A Survival Guide by Mathew Gast
Aerohive
Employees
Aerohive Forums
11

Announcing Aerohives new online community HiveNation
Have a question, an idea or praise you want to share? Join the HiveNation
Community - a place where customers, evaluators, thought leaders and students
like yourselves can learn about Aerohive and our products while engaging with
like-minded individuals.
How do I join?
Visit http://community.aerohive.com/aerohive and sign up!

Aerohive Social Media
12
The HiveMind Blog:
http://blogs.aerohive.com

Follow us on Twitter: @Aerohive
Instructor: David Coleman: @mistermultipath
Instructor: Bryan Harkins: @80211University
Instructor: Gregor Vucajnk: @GregorVucajnk

Please feel free to tweet about #Aerohive training
during class.
Hosted Training Equipment
In Data Center
13
13
14 Aerohive Access Points with external antenna
connections and RF cables to connect to USB Wi-FI
for each virtual client in the ESXi Server
Access Points are connected from eth0 to a layer 2
PoE Switch (Yellow cables)
Access Points are connected from their console
port to a console server (White Cables)
Console server to permit SSH access into the serial
console of Aerohive Access Points
Layer 2 Managed PoE switch with 802.1Q
VLAN trunk support
Server running VMware ESXi with Dual Quad or Six
Core Intel Processors, 15000RPM 450MB or 600MB
redundant disks, 36 Gig RAM, 3 USB Ports Minimum
to connect to 3 USB hubs
Firewall with routing support, NAT, and multiple
Virtual Router Instances
Network Layout for Data Center
14
10.5.2.*/24
No Gateway
10.5.2.*/24
No Gateway
10.5.2.*/24
No Gateway
HiveManager
MGT 10.5.1.20/24

Win2008 AD Server
MGT 10.5.1.10/24
Linux Server
MGT 10.6.1.150./24

L3 Switch/Router/Firewall
eth0 10.5.1.1/24 VLAN 1
eth0.1 10.5.2.1/24 VLAN 2
eth0.2 10.5.8.1/24 VLAN 8
eth0.3 10.5.10.1/24 VLAN 10
eth1 10.6.1.1/24 (DMZ)
L2 Switch
Native VLAN 1
Aerohive AP Common Settings
Default Gateway: None
MGT0 VLAN 2
Native VLAN 1
LAN ports connected to
L2-Switch with 802.1Q
VLAN Trunks
X=2
X=3
X=N
X=2
X=3
X=N
Ethernet: 10.5.1.202/24
No Gateway
Wireless: 10.5.10.$/24
Gateway: 10.5.10.1
Ethernet: 10.5.1.203/24
No Gateway
Wireless: 10.5.V.X/24
Gateway: 10.5.V.1
Ethernet : 10.5.1.20N/24
No Gateway
Wireless: 10.5.V.X/24
Gateway: 10.5.V.1
14Client PCs
For Wireless Access
14 Aerohive AP 340s
Terminal Server
10.5.1.5/24
Services for Hosted Class
Win2008 AD Server:
- RADIUS(NPS)
- DNS
- DHCP
Linux Server:
- Web Server
- FTP Server

QUESTIONS?
INSTRUCTOR LOGIN
16
Instructor: Getting Started With Training
1. Authenticate With Firewall Authentication Server
17
For lab1 or lab2 https://training-auth.aerohive.com
For lab3 https://training-auth3.aerohive.com
Login with credentials provided by training@aerohive.com

Instructor ONLY: Getting Started With Training
2. Connect to the Hosted Training HiveManager
18
Securely browse to the appropriate
HiveManager for class
TRAINING LAB 1
https://training-hm1.aerohive.com
https://72.20.106.120
TRAINING LAB 2
https://72.20.106.66
TRAINING LAB 3
https://209.128.124.220
Supported Browsers:
Firefox, Internet Explorer, Chrome
Class Login Credentials:
Login: admin
Password: <instructor secret>
Note: In order to access the
HiveManager, someone at your
location needs to enter the training
firewall credentials given to them by
the instructor first
Instructor ONLY: Getting Started With Training
3. Agree to End User License Agreement
19
Click Agree to the End
user license agreement
Instructor ONLY: Getting Started
Only Seen at First Login...
20
Welcome Page Settings...
Hive Name: Class
NOTE: The Hive Name will
also be used as the name
for some of the
automatically created
quick start objects
New HiveManager
Password: <password for
HiveManager and Aerohive
Devices>
Quick Start SSID Password:
aerohive123
Time Zone:
<Your time zone>
Click Continue

NOTE: Setting the HiveManager
Password Here sets the Aerohive Device
Access Console SSID Key and the CLI
admin password. You can change some
of these settings individually by going to
HomeGlobal Settings
Copyright 2011
Quick Start Objects
Are Typically Name from the Hive Name
At first login, the
administrator is
prompted to fill out
settings for Hive
Name,
HiveManager
administrator
password, and a
Quick start SSID
password

HiveManager uses the Hive name to as
the name for automatically generated
quick start objects such as the DNS
service, NTP service, QoS Classification
profile, LLDP profile, ALG profile, etc.. that
will work in most cases without need for
modification. You can create your own
objects, or use the quick start ones.

21
Copyright 2011
Quick Start Objects Examples
For example,
a DNS service
object with the
name Class is
automatically
generated
an NTP service
object with the
name Class is
automatically
generated
These objects are
used when
configuring WLAN
and routing settings

22
HiveManager Administrator Privileges
Your Access Has Been Limited!
23
We love you, but we are going to limit your
access for class
Each of you will have your own HiveManager
administrator account with the following
privileges
Privileges are set in Admin Groups
HomeAdminstrationAdministrators
Admin Groups
You then create an administrator and assign to
an admin group
HomeAdministrationAdministrators
Administrators
QUESTIONS?
HiveManager version 5.1
Instructor-led Training
QUICK REVIEW OF AEROHIVE
PRODUCT LINE
25
AP110
Dual Radio 802.11n
2X Gig.E
-20 to 55C 0 to 40C
3x3:3
450 Mbps HP Radios
2x2:2 300 Mbps
11n High Power
Radios
1X Gig. E
-40 to 55C
TPM Security Chip
PoE (802.3af + 8023.at) and AC PoE (802.at)
N/A
Indoor Industrial Indoor Outdoor
Plenum & Dust
Proof
Plenum Rated
Water Proof (IP
68)
Aerohive Wi-Fi Platforms
AP121
AP330 AP350 AP170
1X Gig.E
2x2:2
300 Mbps Radios
2x2:2
300 Mbps
Radio
1-Radio
802.11n
USB for 3G Modem N/A
AP141 BR100
5X Fast.E
54Mbps
N/A
N/A
N/A
USB for Future Usage
1-Radio
802.11b/g/n
Physical & Virtual Access Console Virtual Access Console
Copyright 2011
Aerohive Routing Platforms
27
BR 100 BR 200
Aerohive AP 330 Aerohive AP 350
Single Radio Dual Radio
2X 10/100/1000 Ethernet
5-10 Mbps
FW/VPN
30-50Mbps FW/VPN
1x1 11bgn 3x3:3 450 Mbps 11abgn
5X 10/100
5X
10/100/1000
0 PoE PSE 0 PoE PSE 2X PoE PSE
*
* Also available as a non-Wi-Fi device
L3 IPSec
VPN
Gateway
(VMware)
~500 Mbps
VPN
1000
Tunnels
2 Virtual
Interfaces
HiveOS Virtual
Appliance

HiveOS Virtual Appliance
28
Supports the following
GRE Tunnel Gateway
L2 IPSec VPN Gateway
L3 IPSec VPN Gateway
RADIUS Authentication Server
RADIUS Relay Agent
Bonjour Gateway
Use a HiveOS Virtual Appliance instead of an AP when higher scalability
for these features are required

Function Scale
Layer 2 Tunnels 1024 Tunnels
RADIUS Local users per CVG 9999
# Users Cache (RADIUS Server) 1024
# Users simultaneous (RADIUS Server) 512
Express Mode
Optimized for ease of use
Uniform company-wide policy
One user profile per SSID
Enterprise Mode
Enterprise sophistication
Multiple Network policies
Multiple user profiles/SSID
HiveManager Appliance 2U
Redundant power& fans
HA redundancy
5000 APs
HiveManager Virtual Appliance
VMware ESX & Player
HA redundancy
1500 APs with minimum configuration

HiveManager 1U Appliance
HA redundancy
500 APs
HiveManager Online
Cloud-based SaaS management
HiveManager Form Factors
29
HiveManager Appliance 2U
Redundant power & fans
HA redundancy
5000 APs
HiveManager Virtual Appliance
VMware ESX & Player
HA redundancy
5000 APs with minimum configuration
HiveManager 1U Appliance
HA redundancy
500 APs
HiveManager Online
Cloud-based SaaS management
Topology Reporting Heat Maps SLA Compliance RF Planner SW, Config, & Policy
Guest Mgmt
QUESTIONS?
Essential When Generating Certificates,
Using Private PSK, Wireless VPN, User Manager,
Time-Based Authentication,
and Schedules
SET HIVEMANAGER
TIME SETTINGS
31
Instructor Only Set the Time and Time Zone
Set Manually or Use NTP for Time
32
To change time settings:
From HomeAdministration
HiveManager Settings
In the upper right corner of System Date/Time
click Settings
Instructor Only Set the Time and Time Zone
Set Manually or Use NTP for Time
Set the time zone
Set the date/time
manually or synchronize
with an NTP server
Click the Save icon
NOTE: The HiveManager
services will be restarted
After a minute, you
can log back into the
HiveManager
NOTE: In a later lab, you
will configure your APs to
update time from an NTP
Server as well.
33
Note: Aerohive has an NTP server
available with hostname
ntp1.aerohive.com
QUESTIONS?
Get Connected to
HiveManager
AEROHIVE ENTERPRISE MODE
35
Lab: Setting Up a Wireless Network
1. Connect to the Hosted Training HiveManager
36
Securely browse to the appropriate
HiveManager for class
TRAINING LAB 1
https://72.20.106.120
TRAINING LAB 2
https://72.20.106.66
TRAINING LAB 3
https://209.128.124.220
Supported Browsers:
Firefox, Internet Explorer, Chrome
Class Login Credentials:
Login: adminX
X = Student ID 2 - 29
Password: aerohive123
NOTE: In order to access the
HiveManager, someone at your
location needs to enter the
training firewall credentials given
to them by the instructor first.
2. Agree to End User License Agreement
37
Click Agree to the
End user license
agreement
QUESTIONS?
HELP SYSTEM
39
HiveManager Help
40
HiveManager provides a rich and powerful online help

Click Help on the top menu bar to get a menu of the
help options

Click
Help
Help System in HiveManager
41
When you click Help in the upper right hand corner of
the HiveManager Settings you have several options.
HiveManager Help
Context sensitive help based on where you are when you
select this option
Settings
Lets you specify a path to host the online help web pages
locally on your network
Videos and Guides
Contains links to all Aerohive documentation and
computer-based training modules
You can also download the web-based help system from
here as well
Check for Updates
Checks Aerohives latest code
About HiveManager
Help System in HiveManager
42
Web-based
Help Files
Deployment,
Quickstart, and
Mounting
Guides
CLI Reference
Guides
Online Training
Concept Check!
Just in case you forgot from AEWC!
43
1. Where can you download all of the
technical documentation and online
training videos about Aerohive products?

2. Can you download the entire help system
and store it on your own computer?

QUESTIONS?
Creating Your Wireless LAN
AEROHIVE ENTERPRISE MODE
45
Goal
46
The goal for this lab is to:
Clone your own network policy from a
default template
Create a WPA2 Personal SSID and push
the configuration to your Aerohive AP
Use a remotely hosted PC to test
connectivity to your new SSID

Network Policies
Three Sections
47
Network
Configuration
There are three
main panels, you
can click on a
panel header to
go to the panel
Clicking on the
Configure &
Update Devices
panel saves the
configuration, as
does save, or
Continue

1. Configure
Network Policy
2. Configure
Interface &
User Access
3. Configure &
Update
Devices
1. Find a Network Policy to Clone
48
Go to
Configuration
Select to highlight
the QuickStart-
Wireless-Only
Policy
Click the settings
icon: ^
^
Click Clone
2. Clone Initial Wireless Network Policy
49
Name:
WLAN-X
Hive: Class
Click Clone
3. Configure Network Policy
50
Click the
orange bar to
edit your
Network
Policy
Select to
highlight your
Network
Policy
Click ^
^
to
Edit
1. Click the
orange bar
2. Click ^
^
to
then select Edit

4. Ensure Class Hive and Wireless Only are Selected
51
Here you can set
the Hive, and
whether you want
Wireless Only, or
Wireless and
Routing
Hive: Class
Ensure
Wireless Only
is selected
NOTE: This class
focuses on
Wireless Only
deployments
Click Save
Click OK
For Configuring a
Set of Aerohive
Access Points
For Configuring a
Set of Aerohive
Routers and
Access Points that
connect through
the Aerohive
routers
Click OK
For Use With
Bonjour
Network Policy Types
52
Wireless Only Use when you have an AP only
deployment, or you require specific wireless policies
for APs in a mixed AP and router deployment
Wireless + Routing Use when you are managing
routers, or APs behind routers that do not require
different Network Policies than the router they
connect through
BR100
BR200
AP
AP
Internet
Internet
Small Branch Office
or Teleworker Site
Small to Medium Size Branch Office
that may have APs behind the router
Network Policy Types
53
Bonjour Only Policy
Recommended to deploy a Bonjour Gateway in 3
rd
Party networks
Bonjour Gateway Lab later in class

5. Configure Network Policy
54
All Network
Policy
Configuration is
done from the
Configure
Interface &
User Access
Panel
6. Create a New SSID
55
Network
Configuration
Next to SSIDs click
Choose
Then click New

7. Configure Employee SSID
56
SSID Profile: Class-PSK-X
X = 2 29 (Student ID)
SSID: Class-PSK-X
Select WPA/WPA2 PSK
(Personal)
Key Value: aerohive123
Confirm Value: aerohive123
Click Save
Click OK

IMPORTANT: For the SSID labs, please follow the
class naming convention.
8. Create a User Profile
57
To the right of
your SSID, under
User Profile, click
Add/Remove

Choose User
Profiles
Click New

9. Define User Profile Settings
58
Name:
Employee-X
Attribute
Number:10
Network or
VLAN-only
Assignment:
10
Click Save

REMEMBER: User Profiles are used for traffic management.
10. Choose User Profile and Continue
59
Ensure Employee-X
User Profile is
highlighted
Click Save
Click Continue
or click the bar to
Configure & Update
Devices
Hosted Training Lab
Network IP Summary
60
VPN Server
X-B-Aerohive
AP MGT0
10.8.1.X/24
VPN Client
X-A-Aerohive
AP MGT0:
10.5.2.#
Firewall NAT Rules
1.2.1.X10.8.1.X
FW(NAT)
2.2.2.2
Gateway
10.5.2.1
Gateway
10.8.1.1
Client PC

WLAN Branch Office Aerohive AP VPN Clients WLAN HQ Aerohive AP VPN Servers
# Address Learned though DHCP
RADIUS
10.8.1.200
11. Update the configuration of your Aerohive AP
61
From the Configure & Update Devices section,
modify your AP specific settings
Click the Name column to sort the APs
Click the link for your AP: X-A-######
12. Update the configuration of your A-Aerohive AP
62
Location:
<First-name_Last-name>
Topology Map: ..Classroom
Network Policy:
def-policy-template
Note: Leave this set to
default so you can see
how it is automatically set
to your new network policy
when you update the
configuration.
Set the power down to
1dBm on both radios
because the APs are
stacked in a rack in the
data center
2.4GHz(wifi0) Power: 1
5GHz (wifi1) Power: 1
Do not Click Save yet

13. Configure Settings on Your A-Aerohive AP
63
Under Optional Settings
Expand MGT0 interface settings
Uncheck E DHCP Client without fallback
Check Static IP
IP Address: 10.5.2.X
Netmask: 255.255.255.0
Gateway: 10.5.2.1
Do not Click Save yet
14. Configure Settings on Your A-Aerohive AP
64
Expand Advanced
Settings
Check Override
MGT VLAN: 2
Click Save
15. Update the configuration of your B-Aerohive
AP
65
From the Configure & Update Devices section,
modify your AP specific settings
Click the link for your AP: X-B-######
16. Update the configuration of your B-Aerohive AP
66
Location:
<First-name_Last-
name>
Topology Map:
<Empty>
Set the Admin State on
the 2.4 GHz and 5 GHz
radios to Down they
are not used for these
labs
Expand MGT0 Interface
Settings, and verify a
static IP address is set:
MGT0 IP Address:
10.8.1.X
Netmask:
255.255.255.0
Gateway: 10.8.1.1
Click Save

17. Update the configuration of both your
Aerohive APs
67
In the Configure & Update Devices section
Check to box next to your APs: X-A-###### and X-B-######
Click Upload and click Yes to change the network policy
Selected
Network
Policy
Copyright 2011
18. Update the configuration of both your APs
Click Reboot In the Confirm window
Click Yes

68
Click
Reboot
Click Yes
Because the filter is set by default to Current Policy/Default Policies,
you will only see devices assigned to your selected network policy, or
the def-policy-template (assigned to new devices)
19. Wait a minute for to complete the upload
69
Filter set by
default to
Current
Policy/Default
Policies
Selected
Network Policy
Set to None if
you want to
see all devices
20. Overview of Upload Settings
70
Click Settings
Overview of Update Settings
71
Complete Upload: The entire Aerohive AP
configuration is uploaded and a reboot is
required
Delta Upload: Only configuration changes are
uploaded and no reboot is required
The default is Auto- HiveManager is smart
enough to know if the upload is Complete or
Delta
The first upload is always a complete upload
If a Delta upload ever fails, best practice is to
select a Complete upload and force a reboot
Go to MonitorDevicesAll Devices for more
detailed information and tools
There are two display modes available for monitoring
devices
Display Device Status Information
Shows the current status of the device
21. Monitoring Devices (Display Device Status)
Set items
per page
Change column
settings
Turn off auto refresh if you
want to make changes
without interruption
If Audit is Red
exclamation point, click it
to see the difference
between HiveManager
and the device.
Display Device Configuration Settings
Shows the current configuration settings for the device
22. Monitoring Devices (Display Device Configuration)
73
Network
Policy
IP Settings
Change column
settings
When the device reboot is complete,
The Audit column will show two green squares
An Orange (Default DTLS) Alarm will be cleared and
the Alarm column should display green
The uptime will restart from 0 Min
Your AP will be ready for accepting clients
Also note that the MGT0 IP address of your A-
Aerohive AP will be in the 10.5.2.0/24 subnet

23. Monitoring Devices
74
For Your Information Outside US
Set the Country Code for World Mode Devices
75
IMPORTANT: The Class APs are
in the US, so please DO NOT
change the country code!
Note: Updating the country
code on an AP configures
the radios to meet
government requirements
for a country
You can update the country
by going to MonitorAll
Devices
Select all the devices that
within a single country
Click Update...
Update Country Code
Select the appropriate
country code
Click Upload
Repeat these steps if you
have devices in additional
countries
QUESTIONS?
TEST YOUR CONFIGURATION
USING THE HOSTED PC
77
Lab: Test Hosted Client Access to SSID
Test SSID Access at Hosted Site
78
SSID:
Authentication:
Encryption:
Preshared Key:
User Profile 1:
Attribute:
VLAN:
IP Firewall:
QoS:
Class-PSK-X
WPA or WPA2 Personal
TKIP or AES
aerohive123
Employee(10)-X
10
10
None
def-user-qos

Hosted PC
Student-X
VLANs 1-20
Mgt0 IP: 10.5.2.N/24 VLAN 1
WLAN Policy: WLAN-X
Internal Network
AD Server:
10.5.1.10

DHCP Settings:
(VLAN 10)
network 10.5.10.0/24
10.5.10.140 10.5.10.240

Internet
Connect to SSID:
IP:
Gateway:
Class-PSK-X
10.5.10.N/24
10.5.10.1
Use VNC client to access Hosted PC:
password: aerohive
1. For Windows: Use TightVNC client
79
If you are using a windows PC
Use TightVNC
TightVNC has good
compression so please use this
for class instead of any other
application
Start TightVNC
For Lab 1 or Lab 2
training-pcX.aerohive.com
For Lab 3
lab3-pcX.aerohive.com
Select O Low-bandwidth
connection
Click Connect
Password: aerohive.
Click OK

2. For Mac: Use the Real VNC client
80
If you are using a Mac
RealVNC has good
compression so please use this
for class instead of any other
application
Start RealVNC
For Lab 1 or Lab 2
training-pcX.aerohive.com
For Lab 3
lab3-pcX.aerohive.com
Click Connect
Password: aerohive.
Click OK

3. In case the PCs are not logged in
81
If you are not automatically
logged in to your PC
If you are using the web
browser client
Click the button to Send
Ctrl-Alt-Del
If you are using the
tightVNC client

Click to send a

control alt delete
Login: AH-LAB\user
Password: Aerohive1
Click the right arrow to login
4. Remove Wireless Networks on Hosted PC
82
From the bottom task bar, click the locate
wireless networks icon
Select Open Network and Sharing Center
Click Manage wireless Networks
Select a network, then click Remove
Repeat until all the networks are removed
Click [x] to close the window
5. Connect to Your Class-PSK-X SSID
83
Single-click the
wireless icon on
the bottom right
corner of the
windows task bar
Click your SSID
Class-PSK-X
Click Connect
Security Key:
aerohive123
Click OK

6. View Active Clients List
84
After associating with your SSID, you should see your
connection in the active clients list in HiveManager
Go to MonitorClientsActive Clients
Your IP address should be from the 10.5.10.0/24
network

7. Add Additional Columns
85
To change the layout of the
columns in the Active Clients
list, you can click the
spreadsheet icon
Select VLAN and User Profile
Attribute from the Available
Columns list and click the right
arrow
With VLAN and User Profile
Attribute selected, click the Up
button so that the columns are
moved after Host Name
Click Save

Click to change
column layout
QUESTIONS?
THE CLIENT MONITOR TOOL
87
Client & Aerohive AP Layer 2
Handshakes
88
Lab: Client Monitor
1. Select a client to monitor
89
To start monitoring a clients
connection state go to:
MonitorClientsActive Clients
Select the check box next to a client
to monitor
Note: If your client does not appear, you
can skip this step for now
Click Operation...Client Monitor
Click Add Client
For class, ensure Associated Aerohive
AP is selected (Do not select All)
The MAC address of your client will
be selected
Note: You can manually enter a the
wireless client MAC address without
delimiters
Click Add
Click Client Monitor
Select your Aerohive
AP
Click Operation...
Click Add
Click Add New Client
Lab: Client Monitor
2. Start the client monitor
90
Check E Filter Probe
Note: This removes all the
probe requests and responses
you will see from clients and
APs so you can focus on
protocol connectivity
Click Start
Note: Your client will be
monitored until you click Stop.
You can leave this window,
and if you go back to
Operation...
Client Monitor, you will see the
list of all clients being
monitored
You can expand the window
by dragging the bottom right
corner
Select your client to see the
connection logs for your client
as they occur

1. Check E
Filter Probe
2. Click
Start
3. Drag bottom right
corner of window to
expand
Client Monitor Results
91
Throughout the labs, go to the client monitor for
your PC to view the ongoing results
4-way handshake
completes
Client is assigned IP
address from DHCP
QUESTIONS?
TIME SETTINGS FOR HIVEMANAGER
AND AEROHIVE APS
93
Verify Time Settings
94
HiveManager and Aerohive APs should have up to date time
settings, preferably by NTP
Go to HomeAdministrationHiveManager Settings
Next to System Date/Time click Settings
Lab: Create a NTP Policy
1. Create an NTP Server object
95
Go to Configuration
Select your Network
Policy: WLAN-X and
click OK
Click Additional Settings
Expand Management
Server Settings
Note: Upon first login to a
new HiveManager system,
an NTP server policy is
automatically created with
the same name as the
original Hive name.
However, for this lab,
create a new NTP server
policy.
Next to NTP Server
Click +
Note: You should configure the NTP
server to set the time zone and NTP
server settings. This is important for
any service that depends on time,
such as VPN and RADIUS which use
certificates, schedules, Private PSK
validity, etc...

2. Configure NTP Server Settings
96
Name: NTP-X
Time Zone: <Please
use the Pacific time
Zone>
Uncheck E Sync
clock with
HiveManager
NTP Server:
ntp1.aerohive.com
Click Apply
Did you click
Apply?
Click Save
3. Save your WLAN Policy
97
Back in your the Additional Settings
Ensure NTP server is set to: NTP-X
Click Save
QUESTIONS?
SECURE WIRELESS LANS
WITH IEEE 802.1X USING
PEAP AUTHENTICATION
99
IEEE 802.1X with EAP
100
Supplicant
Computer
Authentication
Server (RADIUS)
802.11 association
EAPoL-start
EAP-request/identity
EAP-response/identity (username)
RADIUS-access-request
EAP-request (challenge)
RADIUS-access-challenge
EAP-response (hashed resp.)
RADIUS-access-request
EAP-success
RADIUS-access-accept (PMK)
Access Granted
Access
Please!
Calculating key for
user
Access
blocked
Authenticator
(AP)
Calculating
my key
Extensible Authentication Protocol (EAP)
Comparison Chart
101
LAB: Secure WLAN Access With 802.1X/EAP
Using External RADIUS
102
Student-X
VLANs 1-20
Mgt0 IP: 10.5.2.N/24 VLAN 1
Network Policy: WLAN-X
AD Server:
10.5.1.10 NPS (2008)

DHCP Settings:
(VLAN 1)
network 10.5.1.0/24
10.5.1.140
10.5.1.240
(VLAN 10)
network 10.5.10.0/24
10.5.10.140
10.5.10.240

Internet
Connect to SSID:
IP:
Gateway:
Class-EAP-X
10.5.10.N/24
10.5.10.1
SSID:
Authentication:
Encryption:
Auth User Profile:
Attribute:
VLAN:
Default User Profile:
Attribute:
VLAN:

Class-EAP-X
WPA or WPA2 Personal
TKIP or AES
Employee-X
10 (RADIUS Attribute Returned)
10
Employee-Default-X
1000 (No RADIUS Attribute Returned)
8
Instructor Only: On Hosted RADIUS Server
Verify RADIUS Client Settings
103
For Aerohive APs
that are not VPN
clients, set the
RADIUS server to
accept RADIUS
messages from
the MGT0
interface IP on all
Aerohive APs
This class uses:
10.0.0.0/8
Shared Secret:
aerohive123
NOTE: Use a
stronger key in
real life!
On Hosted RADIUS Server
Configuring RADIUS Return Attributes
104
After successful
authentication by
users in the
AH-LAB\Wireless
Windows AD group,
RADIUS will return
three attribute value
pairs to assign the
Aerohive user profile.
Standard RADIUS
Attribute/Value Pairs Returned
Tunnel-Medium-Type: IPv4
Tunnel-Type: GRE
Tunnel-Pvt-Group-ID: 10
Lab: Secure WLAN Access With 802.1X/EAP
105
To configure a
802.1X/EAP SSID
for Secure Wireless
Access
Go to
Configuration
Select your
Network Policy:
WLAN-X and
click OK
Next to SSIDs,
click Choose
Click New

Copyright 2011
2. Configure a 802.1X/EAP SSID
Profile Name:
Class-EAP-X
SSID:
Class-EAP-X
Under SSID
Access Security
select
WPA/WPA2
802.1X
(Enterprise)
Click Save
106
3. Select new Class-EAP-X SSID
107
Click to
deselect the
Class-PSK-X SSID
Ensure the
Class-EAP-X
SSID
is selected
Click OK
Click to
deselect
Class-PSK-X
Ensure
Class-EAP-X is
highlighted then
click OK
4. Create a Use Policy Captive Web Portal
108
Under Authentication, click <RADIUS Settings>
In Choose RADIUS, click New
Click
Click
5. Define the External RADIUS Server
109
RADIUS Name:
RADIUS-X
IP Address/Domain
Name: 10.5.1.10
Shared Secret:
aerohive123
Confirm Secret:
aerohive123
Click Apply
Click Save
Click Apply
When Done!
6. Create a New User Profile
110
Under User Profile,
click Add/Remove

Click New
7. Define User Profile Settings
111
Name: Employee-Default-X

Attribute Number: 1000

Network or
VLAN-only Assignment: 8

Click Save

8. Assign User Profile as Default for the SSID
112
With the Default tab
selected, ensure the
Employee-Default-X
user profile is
highlighted
IMPORTANT: This user
profile will be
assigned if no
attribute value is
returned from RADIUS
after successful
authentication, or if
attribute value 1000 is
returned.
Click the Authentication
tab
Default Tab
Authentication Tab
9. Assign User Profile to be Returned by RADIUS Attribute
113
Select the
Authentication tab
Select (highlight)
Employee-X
NOTE: The (User Profile
Attribute) is appended
to the User Profile
Name
Click Save
Authentication Tab
10. Verify and Continue
114
Ensure Employee-Default-X and
Employee-X user profiles are
assigned to the
Class-EAP-X SSID
Click Continue
or click the bar to
Configure & Update
Devices
Select the Filter: Current Policy
Check to box next to your APs: X-A-######, X-B-######
Click Upload
115 115
Selected
Network
Policy
Current
Policy
QUESTIONS?
For Windows 7
Supplicants
CONFIGURING AND TESTING YOUR
802.1X SUPPLICANT
117
Lab: Testing 802.1X/EAP to External RADIUS
1. Connect to Secure Wireless Network
118
From the bottom task
bar, and click the locate
Click Class-EAP-X
Click Connect

NOTE: If this fails, there is a
chance there is a
certificate issue with the
Hosted PC in VMware
Please remedy by
following the next slides

Wireless
Network Icon
2. Add a wireless network
119
Only perform the next steps if the initial
connection was not successful
Click Add
3. Manually create a network profile
120
Click Manually create
a network profile
Network Name:
Class-EAP-X
Security type:
WPA2-Enterprise
Click Next
4. Change settings to authenticate as user
121
Click Change
connection settings
Click Security
Click Advanced Settings

5. Select Authentication Mode
122
Click E Specify authentication
mode

Select User Authentication

Click OK

Click OK for the rest of the
windows to save the settings

The PC should connect to the
SSID automatically after a
moment

6. View Active Clients
123
Go to MonitorClientActive Clients

User Name: DOMAIN\user
VLAN: 10
User Profile Attribute: 10

Example: Troubleshooting
Invalid User Profile Returned From RADIUS
124
From MonitorAll Devices
If you see an alarm when trying to authenticate with 802.1X/EAP,
click the alarm icon for details

This alarm specifies that an attribute was returned from the
RADIUS server that is not defined on the Aerohive AP In this case
50

Select the check box next to the alarm and then Click clear
Invalid User
Profile Returned
Default RADIUS attributes used for User Profile
assignment
125
By default, user profile
assignment by RADIUS
attributes uses these
Attribute/Value Pairs:
Tunnel-Type: GRE

Standard RADIUS
Attribute/Value Pairs Returned
Tunnel-Type: GRE
RADIUS Attribute Based User Profile
Assignment
126
User Profiles can be
assigned based upon
any returned RADIUS
attributes
The attributes can be
Standard or Custom

Standard RADIUS
Attribute
Standard RADIUS
Attribute
Client Monitor For 802.1X/EAP
Example of an invalid user account
127

SSL negotiation uses the
RADIUS server certificate
Shows IP of RADIUS server
At this point you know the AAA
certificates were installed correctly and
the server certificate validation done
by the client passed
The user is not in the user database.
View the AAA server settings and
ensure the correct user group is
selected, and the Aerohive AP is a
RADIUS server. Then update the
configuration of the Aerohive AP.
Client Monitor
Troubleshooting 802.1X
128
Client Monitor is the perfect tool to troubleshoot 802.1X/EAP
problems

More information can be found at:
http://blogs.aerohive.com/blog/the-wireless-lan-training-blog/troubleshooting-
wi-fi-connectivity-with-hivemanager-tools
RADIUS Test
Built Into HiveManager
129
To test a RADIUS account
Go to Tools
Server Access Tests
RADIUS Test
RADIUS Server:
10.5.1.10
Aerohive AP RADIUS Client:
0X-A-######
Select ORADIUS
authentication server
Username: user
Password: Aerohive1

Click Test
You can even see the attribute
values that are returned
QUESTIONS?
RADIUS PROXY
131
132
For Aerohive APs
that are not VPN
clients, set the
RADIUS server to
accept RADIUS
messages from
the MGT0
interface IP on all
Aerohive APs
This class uses:
10.0.0.0/8
Shared Secret:
aerohive123
NOTE: Use a
stronger key in
real life!
RADIUS Proxy on Aerohive APs
133
Aerohive APs can be
RADIUS proxies
APs can set their
RADIUS server to be
the RADIUS proxy
AP
The RADIUS proxy
AP proxies the
authentication
requests to the
RADIUS server
A single IP can be
set on the RADIUS
server for all the APs
that need to
authenticate
RADIUS Server
10.5.1.10

AP RADIUS Proxy
& RADIUS Client
10.5.2.2
AP
RADIUS
Clients
AP
RADIUS
Clients
RADIUS
Client
Settings
Permit
10.5.2.2/32
Lab: Using Hive Devices as a RADIUS Proxy
1. Designating a RADIUS Proxy
134
From Configuration
click the Show Nav
Button on the left
Expand Advanced
Configuration
Click
Authentication
Click RADIUS Proxy
Then click the New
button
2011 Aerohive Networks CONFIDENTIAL 135
2. RADIUS Proxy Details
Use Proxy-X as the
Proxy Name
Click the + next to
RADIUS Server
Do not Save yet!
3. RADIUS Server Details
Use RADIUS-Server-X
as the RADIUS Name
Under Add New
RADIUS Server use the
dropdown arrow and
select 10.5.1.10
Server Type Auth/Acct
Enter and Confirm the
Shared Secret of
aerohive123
Select Server Role as
Primary
Click Apply
Click Save
Click
Apply
4. RADIUS Proxy Details
Use the dropdown
arrow next to Default
under Realm Name to
select RADIUS-Server-X
as your RADIUS Server
Set the Realm name to:
ah-lab.local
Ensure the Strip the
Realm name from
proxied access requests
check box is selected
Verify your settings
Click Apply
Do not Save yet
Click
Apply
5. RADIUS Proxy No need for RADIUS Clients
Though different Realms
can go to different
RADIUS servers, for this
lab, set them to:
RADIUS-Server-X
Note: When your APs and
AP RADIUS Proxy are in the
same hive, i.e. configured
with the same hive name,
then you do not need to
configure RADIUS clients on
the AP RADIUS proxy. This is
because the RADIUS client
and shared keys are
automatically generated
among APs in a Hive.
Click Save
6. Set AP to be RADIUS Proxy
139
Go to Monitor
Access Points
Aerohive APs
Check the box next to
your X-A-###### AP
Click Modify
expand Service Settings
Assign Device RADIUS
Proxy to: Proxy-X
Click Save

Note: A RADIUS
icon will appear
next to your AP
7. Select your Network Policy
140
To edit your SSID:
Go to Configuration
Select your
Network Policy:
WLAN-X and
click OK

8. Define the AAA client profile
141
Click
Click
9. Define the External RADIUS Server (Use the Proxy)
142
RADIUS Name:
RADIUS-Proxy-X
IP Address/Domain
Name: 10.5.2.X
No other settings
are needed as
long as the APs are
in the same Hive
Click Apply
Click Save
Click Apply
When Done!
143
assigned to the
Class-EAP-X SSID
Click Continue
or click the bar to
Configure & Update
Devices
It is recommended that Complete Uploads be used for complex
configuration changes
Click Settings
11. Complete Upload
144 144
Select Complete Upload
Select Activate after 5 seconds
Click Save
12. Complete Upload
145 145
Check to box next to your AP: X-A-######
Click Upload
Access points will reboot automatically
146 146
Selected
Network
Policy
Current
Policy
QUESTIONS?
For Windows 7
Supplicants
802.1X SUPPLICANT
148
149
Click Class-EAP-X
Click Connect

chance there is a
Hosted PC in VMware
Please remedy by

Wireless
Network Icon
150
Click Add
151
a network profile
Network Name:
Class-EAP-X
Security type:
WPA2-Enterprise
Click Next
152
Click Change
connection settings
Click Security

153
mode


Click OK


moment

154

VLAN: 10

QUESTIONS?
Required When Aerohive APs are Configured as RADIUS
Servers or VPN Servers
GENERATE AEROHIVE AP RADIUS
SERVER CERTIFICATES
156
Copyright 2011
HiveManager Root CA Certificate
Location and Uses
This root CA certificate is used to:
Sign the CSR (certificate signing
request) that the HiveManager
creates on behalf of the AP acting
as a RADIUS or VPN server
Validate Aerohive AP certificates
to remote client
802.1X clients (supplicants) will need
a copy of the CA Certificate in order
to trust the certificates on the
Aerohive AP RADIUS server(s)
Root CA Cert Name:
DefaultCA.pem
Root CA key Name:
Default_Key.pem

Note: The CA key is only ever used
or seen by HiveManager

To view certificates, go to: Configuration, click Show Nav, then go to
Advanced Configuration Keys and CertificatesCertificate Mgmt
157
Use the Existing HiveManager CA
Certificate, Do not Create a New One!
158
For this class, please do not create a new HiveManager
CA certificate, otherwise it will render all previous
certificates invalid.
On your own HiveManager, you can create your own HiveManager
CA certificate by going to: Configuration, Click Show Nav, then go to
Advanced ConfigurationKeys and CertificatesHiveManager CA
Remember this
password
LAB: Aerohive AP Server Certificate and
Key
1. Generate Aerohive AP Server
Certificate
159
Go to Configuration, click Show Nav
Advanced Configuration
Keys and CertificatesServer CSR
Common Name: server-X
Organizational Name: Company
Organization Unit: Department
Locality Name: City
State/Province: <2 Characters>
Country Code: <2 Characters>
Email Address: userX@ah-lab.com
Subject Alternative Name:
User FQDN: userX@ah-lab.com
Note: This lets you add an extra step of validating
the User FQDN in a certificate during IKE phase 1
for IPsec VPN. This way, the Aerohive AP needs a
valid signed certificate, and the correct user
FQDN.
Key Size: 1024
Password & Confirm: aerohive123
CSR File Name: AP-X
Click Create
Remember
Password
Enter AP-X
Notes Below
Key 2. Sign and Combine!
160
Select Sign by HiveManager CA
The HiveManager CA will sign the Aerohive AP Server
certificate
The validity period should be the same as or less than the
number of days the HiveManager CA Certificate is valid
Enter the Validity: 3650 approximately 10 years
Check Combine key and certificate into one file
Click OK

Enabling this setting helps
prevent certificate and key
mismatches when
configuring the RADIUS
settings
Use this option to send
a signing request to an
external certification
authority.
Key3. View Aerohive AP Certificate and
Key File
161
To view certificates,
go to:
Configuration, click
Show Nav
Then go to Advanced
Configuration
Keys and Certificates
Certificate Mgmt
The certificate and key
file name is:
AP-X_key_cert.pem
QUIZ Which CA signed this
Aerohive AP server key?

What devices need to install
the CA public cert?
QUESTIONS?
AEROHIVE AP RADIUS SERVER
WITH ACTIVE DIRECTORY
INTEGRATION
163
Aerohive AP RADIUS Server AD (Kerberos)
Integration The Goal
164
Aerohive Devices are configured as RADIUS servers to perform
all the 802.1X EAP operations
Aerohive AP RADIUS servers will be joined to the AD domain in
order to
Let the Aerohive APs perform local 802.1X EAP processing
Allow the Aerohive AP to access the AD user store in order
to authenticate users
Allow the Aerohive AP to cache credentials in case the AD
server is not accessible
During the configuration, one Aerohive AP is selected as the
test Aerohive AP to
Obtain domain information
Test joining a Aerohive AP to the domain, which performs
the actual join operation for that AP
Test user authentication
Perform LDAP browsing operations

QUESTIONS?
CREATING A DELEGATED
ADMINISTRATOR FOR JOINING
AEROHIVE AP RADIUS SERVERS TO
THE DOMAIN
166
Two Accounts Needed
167
Aerohive AP Admin Account
Used to Join Aerohive APs to the
domain
LDAP Query Account Used by
the Aerohive AP that functions
as a RADIUS server to perform
LDAP queries
Create a New Active Directory
Aerohive AP Administrator (Instructor Only)
168
On Windows 2008 AD Server
In your domain, select Users,
right click and select
NewUser
Note: The name used in this
example is not relevant, you can use
any name
First Name: Aerohive AP
Last Name: Admin
Full Name: Aerohive AP Admin
User Logon:
Aerohive APadmin @ah-
lab.local
Click Next

Create a New Active Directory
Aerohive AP Administrator (Instructor Only)
169
Enter a Password: Aerohive1
Confirm Password:
Aerohive1
Uncheck User must
change password at next
login
Uncheck User cannot
change password
Check Password never
expires
Uncheck Account is
disabled
Click Next
Click Finish
Aerohive AP Administrator
Group Membership
170
Locate and double click
the new Aerohive AP
Admin
Click Member Of
Note: Here you can see
that the Aerohive AP
Admin only needs to be a
member of Domain Users

Delegate Control of the Computer OU
to the Aerohive AP Admin (INSTRUCTOR ONLY)
171
Right Click the
Computers OU and
select Delegate
Control...
to the Aerohive AP Admin
172
Welcome to the Delegation of Control Wizard
Click Next
Users or Groups
Click Add
Type Aerohive AP Admin
Click OK
Click Next

173
Select Create a
custom task to
delegate
Click Next
174
For Active Directory
Object Type
Select Computer
Objects and leave the
rest of the default
settings
Check Create selected
objects in this folder
Click Next
For Permissions
Check Read
Check Write
And leave the rest of
the default settings
Click Next

175
Click Finish
QUESTIONS?
CONFIGURE ACTIVE DIRECTORY
SETTINGS
177
Active Directory Integration Types
178
APs use external RADIUS server that integrates with AD
Each AP is the authenticator for RADIUS, but EAP
processing/authentication occurs on the external
RADIUS server
APs use AP RADIUS server that integrates with AD
Each AP is the authenticator for RADIUS
EAP processing/authentication happens on
Aerohive APs that have RADIUS service configured
RADIUS Aerohive APs join AD domain
This gives them the ability to cache credentials
used to authenticate users in case the AD is no
longer reachable
Lab: Aerohive AP Active Directory Integration
179
To edit your SSID:
Go to Configuration
Select your
Network Policy:
WLAN-X and
click OK

Copyright 2011
To configure the Aerohive AP as a RADIUS server...
Select the Configure & Update Devices bar
Click the link for your A-Aerohive AP X-A-######

180
Lab: Aerohive AP Active Directory
Integration
3. Deselect the proxy object
181
Create a Aerohive AP RADIUS Service Object
Under Optional Settings, expand Service Settings
Next to Device RADIUS Proxy deselect the proxy
object created from the previous lab

Integration
4. Create a Aerohive AP RADIUS Service Object
182
Create a Aerohive AP RADIUS Service Object
Under Optional Settings, expand Service Settings
Next to Device RADIUS Service click +

Integration
5. Create a Aerohive AP RADIUS Service Object
183
Name: ap-radius-X
Expand Database
Settings
Uncheck Local
Database
Check External
Database
Under Active
Directory, click + to
define the RADIUS
Active Directory
Integration Settings

Integration
5. Select a Aerohive AP to Test AD Integration
184
Name: AD-X
Aerohive AP for Active Directory connection setup,
select your A Aerohive AP: X-A-#####
This will be used to test Active Directory integration
Once this Aerohive AP is working, it can be used as a
template for configuring other Aerohive AP RADIUS servers
with Active Directory integration
The IP settings for the selected Aerohive AP are gathered and
displayed
Integration
6. Modify DNS Settings for Test Aerohive AP
185
Set the DNS server to: 10.5.1.10
This DNS server should be the Active Directory DNS server or
an internal DNS server aware of the Active Directory domain
Click Update
This applies the DNS settings to the Network Policy and to the
Aerohive AP so that it can test Active Directory connectivity
Integration
7. Specify Domain and Retrieve Directory Information
186
Domain: ah-lab.local
Click Retrieve Directory Information
The Active Directory Server IP will be populated as well
as the BaseDN used for LDAP user lookups
8. Specify Domain and Retrieve Directory Information
187
Domain Admin: hiveapadmin(The delegated admin)
Password and Confirm Password: Aerohive1
Click Join
Check Save Credentials
NOTE: By saving credentials you can automatically join APs
to the domain without manual intervention
9. Specify A User to Perform LDAP User Searches
188
Domain User user@ah-lab.local (a standard domain user )
Password and Confirm Password: Aerohive1
Click Validate User
You should see the message: The user was successfully
authenticated.
These user credentials will remain and be used to
perform LDAP searches to locate user accounts during
authentication.
10. Save the AD Settings
189
Click Save
Integration
11. Save the RADIUS Settings
190
Select AD-X with
priority: Primary
Click Apply
Please make sure
you click apply
Do not save yet..
Integration
12. Save the RADIUS Settings
191
Enable the ability for
an AP RADIUS server to
cache user credentials
in the event that the
AD server is not
reachable, if the user
has previously
authenticated
Check Enable
RADIUS Server
Credentials Caching
Do not save yet...
Integration
13. Assign new Aerohive AP server certificate
192
Assign the Aerohive AP
RADIUS server to the
newly created AP
server certificate and
key
CA Cert File:
Default_CA.pem
Server Cert File:
AP-X_key_cert.pem
Server Key File:
AP-X_key_cert.pem
Key File Password &
confirm password:
aerohive123
Click Save
Integration
14. Save the AP Settings
193
Ensure that the
Aerohive AP
RADIUS Service is
set to: AP-RADIUS-
X
Click Save
NOTE: Your A-
Aerohive AP will
have an icon
displayed showing
that it is a RADIUS
server

QUESTIONS?
SSID FOR 802.1X/EAP AUTHENTICATION
USING AEROHIVE AP RADIUS WITH
AD KERBEROS INTEGRATION
195
Lab: Aerohive AP RADIUS w/ AD Integration
1. Edit your WLAN Policy and Add SSID Profile
196
Configure an SSID that
uses the 802.1X/EAP
with AD (Kerberos)
Integration
Select the Configure
Interfaces & User
Access bar
Next to SSIDs click
Choose
In Chose SSIDs
Select New

Copyright 2011
2. Configure a 802.1X/EAP SSID
Profile Name:
Class-AD-X
SSID:
Class-AD-X
Under SSID
Access Security
select
WPA/WPA2
802.1X
(Enterprise)
Click Save
197
Lab: Aerohive AP RADIUS w/ AD
Integration
3. Select new Class-AD-X SSID
198
Click to deselect
the Class-EAP-X
SSID
Ensure the
Class-AD-X SSID
is selected
Click OK
Click to
deselect
Class-EAP-X
Ensure
Class-AD-X is
highlighted then
click OK
Integration
199
Click
Click
5. Define the External RADIUS Server
200
RADIUS Name:
AP-RADIUS-X
IP Address/Domain
Name: 10.5.2.X
Leave the Shared
Secret Empty
NOTE: When the
Aerohive AP is a RADIUS
server, APs in the same
Hive automatically
generate a shared
secret
Click Apply
Click Save
Click Apply
When Done!
Integration
6. Select User Profiles
201
Verify that under Authentication, AP-RADIUS-X is
assigned
Under User Profile click Add/Remove
7. Assign User Profile as Default for the SSID
202
With the Default tab
select (highlight) the
Employee-Default-X
user profile
IMPORTANT: This user
profile will be assigned if
no attribute value is
returned from RADIUS
after successful
authentication, or if
attribute value 1000 is
returned.
Click the Authentication
tab
Default Tab
Authentication Tab
8. Assign User Profile to be Returned by RADIUS Attribute
203
In the Authentication
tab
Select (highlight)
Employee-X
NOTE: The (User
Profile Attribute) is
appended to the
User Profile Name
Click Save
Authentication Tab
Integration
204
assigned to the
Class-AD-X SSID
Click Continue
or click the bar to
Configure & Update
Devices
Check to box next to your A-Aerohive AP: X-A-######
Click Upload
205
Selected
Network Policy
ADDITIONAL AEROHIVE AP AD
INTEGRATION INFORMATION
206
Optional: Verify Aerohive AP Time
From the CLI of the Aerohive AP
207
From CLI of Aerohive AP
# show time
Timezone: GMT-8
# show clock
2011-07-13 11:14:45 Wednesday

Joining Aerohive APs to Active Directory
Computer OU = Wireless/Aerohive APs
208
From the AD server, you can
go to Active Directory Users
and Computers and see
when the Aerohive AP joins
the domain
If you specify an Active
Directory administrator
account in the AAA User
Directory Settings, then the
Aerohive AP will
automatically add itself to
the domain
If you did not specify an
Active Directory
administrator, you will have
to manually add your
Aerohive AP to the domain
much like you would do with
a computer

Click
Refresh
Select the
computer OU
Here you can see the
hostname of your Aerohive
AP
Join Aerohive AP RADIUS Server to Domain
209
Note: you performed this step for
your Aerohive AP in the
configuration, however, here is
how you do it for the rest of the
Aerohive AP RADIUS servers in your
network.
Go to Tools
Server Access Tests
AD/LDAP Test
Select RADIUS Server:
X-A-######
Select Test joining the
Aerohive AP to an Active
Directory domain
Select Active Directory
Domain: Primary
User Name: Aerohive
APadmin
Password: Aerohive1
Click Test
Aerohive AP Join
Success
Alternative: Join Aerohive AP RADIUS
Server to Domain using the Aerohive AP
CLI
210
02-A-064200# exec aaa net-join primary username
Aerohive APadmin password Aerohive1
(Note: The password will be hidden when typing )
Exec-Program output:
Joined '02-A-064200' to server 'ah-lab.local'
successful (NT_STATUS_OK)
If you have problems joining your AD server, you may need to enter the
Administrator account credentials to join the Aerohive AP to the domain
Go to the Wireless/Aerohive
APs OU to see the Aerohive
AP added as a computer in
the domain.
You may have to refresh the
screen to see the Aerohive
AP appear after joining the
Aerohive AP to the domain.
Troubleshooting
Joining a Aerohive AP to a Domain
211
Possible Cause: The
Administrator does not have
privileges to add a
computer/Aerohive AP to
this OU
Solution: Use an Administrator
with more privileges

Possible cause: The Aerohive
AP was previously added to a
different OU, and this
administrator does not have
privileges to remove the other
entry
Action: Delegate
administration of this OU to
allow the selected
administrator to add
computers to this OU
Here you can see that the
Aerohive AP has failed to
join the domain
Troubleshooting
Joining a Aerohive AP to a Domain
212
Possible Cause: The NTP Server
settings have not been
configured on the Aerohive AP
Solution: Configure the NTP
Server settings by going to your
WLAN Policy
Management Services
NTP Server

Here you can see that the
Aerohive AP time is not
accurate
Test the user account for your hosted PC
213
Select RADIUS Server:
X-A-######
Select Test Aerohive AP
credentials for Active
Directory Integration
User Name: user
Password: Aerohive1
Click Test

Kerberos authentication
passed for the user
QUESTIONS?
CLIENT ACCESS PREPARATION -
DISTRIBUTING CA CERTIFICATES
TO WIRELESS CLIENTS
215
LAB: Exporting CA Cert for Server Validation
1. Go to HiveManager from the Remote PC
216
From the VNC
connection to the
hosted PC, open a
connection to:
For HM 1 - https://hm1
Login with: adminX
password: aerohive123
NOTE: Here you are
accessing HiveManager
via the PCs Ethernet
connection

2. Download Default CA Certificate to the Remote PC
217
NOTE: The HiveManager Root
CA certificate should be
installed on the client PCs
that will be using the RADIUS
service on the Aerohive APs
for 802.1X authentication

From the Remote PC,
go to Configuration,
then click Show Nav,
Keys and Certificates
Certificate Mgmt
Select Default_CA.pem
Click Export
3. Rename HiveManager Default CA Cert
218
Export the public root
Default_CA.pem certificate
to the Desktop of your
hosted PC
This is NOT your Aerohive
AP server certificate, this
IS the HiveManager
public root CA certificate
Rename the extension of
the Default_CA.pem file to
Default_CA.cer
This way, the certificate
will automatically be
recognized by Microsoft
Windows
Click Save
Make the Certificate name:
Default_CA.cer
Save as type:
All Files
4. Install HiveManager Default CA Cert
219
Find the file that was just
exported to your hosted PC
Double-click the certificate
file on the Desktop:
Default_CA
Click Install Certificate

Issued to: HiveManager
This is the name of the certificate if you
wish to find it in the certificate store, or if
you want to select it in the windows
supplicant PEAP configuration.

5. Finish certification installation
220
In the Certificate
Import Wizard click
Next
Click O Place all
certificate in the
following store
Click Browse
6. Select Trusted Root Certification Authorities
221
Click Trusted Root
Certification Authorities
Click OK
Click Next
7. Finish Certificate Import
222
Click Finish
Click Yes
Click OK
8. Verify certificate is valid
223
Click OK to Close the
certificate
Double-click Default_CA to
reopen the certificate
You will see that the
certificate is valid and it valid
from a start and end date
Click the Details tab
9. View the Certificate Subject
224
In the details section, view
the certificate Subject
This Subject: HiveManager is
what will appear in the list of
trusted root certification
authorities in your supplicant
configured later in this lab.
Protected EAP (PEAP) Properties
In supplicant (802.1X client)
QUESTIONS?
For Windows 7
Supplicants
802.1X SUPPLICANT
226
Lab: Testing Aerohive AP RADIUS w/ AD Integration
227
On the hosted PC,
from the bottom
task bar, click the
wireless networks
icon
Click Class-AD-X
Click Connect
A windows
security alert
should appear,
click Details to
verify this
certificate if from
HiveManager,
then click
Connect

server-2 is the AP cert,
and HiveManager is the
trusted CA
If the Wireless Client Fails to Connect
228
Please remedy by
Otherwise, skip to the end
of this lab

Testing Aerohive AP RADIUS w/ AD
Integration
229
Click Add
Lab: Testing Aerohive AP RADIUS w/ AD
Integration
230
a network profile
Network Name:
Class-AD-X
Security type:
WPA2-Enterprise
Click Next
Integration
231
Click Change
connection settings
Click Security

Integration
232
mode


Click OK


moment

NOTE: User Profile Attribute is the Employee-Default-X user profile
for the SSID. This user profile is being assigned because no User
Profile Attribute Value was returned from RADIUS.
Integration
233
IP Address: 10.5.8.#
VLAN: 8

QUESTIONS?
MAPPING ACTIVE DIRECTORY
MEMBEROF ATTRIBUTE
TO USER PROFILES
235
Aerohive AP as a RADIUS Server - Using AD
Member Of for User Profile Assignment
236
In your WLAN policy, you defined an SSID with two user profiles
Employees(1000)-X Set if no RADIUS attribute is returned
This use profile for example is for general employee staff, and they get
assigned to VLAN 8
Employee(10)-X Set if a RADIUS attribute is returned
This user profile for example is for privileged employees, and they get
assigned to VLAN 10
Because the Aerohive AP RADIUS server is using AD to authenticate
the users, and AD does not return RADIUS attributes, how can we
assign users to different user profiles?
Though AD does not return RADIUS attributes, it does return other
attribute values, like memberOf which is a list of AD groups to which
the user belongs
Instructor Only: Confirm User is a
member of the Employee Groups
237
Right click the username user and
click Properties

Click on the Member Of tab

The user account user should be
assigned to all the groups for all the
students in class
Employee-1
Employee-2
..
Employee-29

Click OK
Lab: Use AD to Assign User Profile
1. Map memberOf attribute to user profile
238
From Configuration, Show Nav,
Authentication
Aerohive AP AAA Server Settings
AP-RADIUS-X
Expand Database Settings
Check E LDAP server attribute
Mapping
Select O Manually map LDAP user
groups to user profiles
LDAP User Group Attribute:
memberOf
Domain: dc=AH-LAB,dc=LOCAL
Click + to expand the LDAP tree
Lab: Use AD to Assign User Profile
2. Add group to user profile mapping
239
Expand the tree
structure to locate
Expand
CN=Users
Select
CN = Employee-X
For Maps to, from
the drop down list,
select the user
profile: Employee-X
Click Apply
The mapping
appears below the
LDAP directory
Click Save
Click the LDAP
Group
Map group to
Employee(10)-X
NOTE: The CN in Active Directory
does not have to match the name
of the user profile, this is just by
choice, not necessity.
Click Upload
Lab: Use AD to Assign User Profile SSID
240
Selected
Network Policy
4. Disconnect and Reconnect to the Class-AD SSID
241
To test the mapping
of the memberOf
attribute to your user
profile
Disconnect from the
Class-AD-X SSID
Connect to the
Class-AD-X SSID
5. Verify your active client settings
242
From MonitorClientsActive Clients
Your client should now be assigned to
VLAN: 10
NOTE: In the previous lab, without the
LDAP group mapping, the user was
assigned to attribute 1000 in VLAN 8
QUESTIONS?
Using Aerohive APs and IPsec VPN Clients
and IPsec VPN Servers to Provides VPN Connections
with Wireless LANs
WIRELESS VPN
244
Internet
Headquarters
Aerohive Layer 3 VPN
245
Remote Site
Notes Below
Layer 2 VPN client devices
BR-100 router

BR-200 router

AP 330/350
(router mode)

(L3 Gateway mode)
1500 tunnels

Note: Layer 3 VPNs are taught in the Aerohive Branch on Demand (ABOD) class
Internet
Headquarters
Aerohive Layer 2 VPN
246
Remote Site
Notes Below
Layer 2 VPN client devices
AP-100 series

AP-300 series

BR-100 (AP mode)
AP-300 series
128 tunnels

(L2 Gateway mode)
1500 tunnels

Wireless VPN Benefits
-For your reading pleasure-
247
Easy to Use
L2 IPsec VPN solution simplifies deployment, because it extends the local network across the VPN
without the need to dedicate subnets for each remote site and set up DHCP relays on branch routers or
firewalls
Automatic certificate creation and distribution for validating VPN devices
Profile-based Split Tunneling
Users and Services can be bridged locally or tunneled based on user profile
Flexible
Single mode of operation supports all deployments
Supported in all Aerohive AP platforms, Hardware Acceleration in 300 series
Multiple end point support
Backup VPN gateway support
Distributed Wireless VPN tunnel termination
Complete Functionality
Multiple AP Support with secure and fast roaming
Mesh Portals and Mesh Points supported
RADIUS, DHCP, NTLM, LDAP and NTP can selectively go to local or remote network
Rogue AP and rogue client detection, DoS prevention, Firewall, and QoS all occur locally on the remote
Aerohive AP
Economical
No license fees for wireless VPN, or any of the other features on the Aerohive APs
For the cost of an AP, you get wireless VPN servers
Please review the notes pages
Internet
Aerohive
AP1
VPN
Server
Aerohive
AP2
VPN
Server
Headquarters
DHCP Server
Corporate Wi-Fi Devices
VLAN 10 10.8.20.0/24
Corporate Wi-Fi Voice
VLAN 11 10.8.21.0/24
Teleworker Home Office
Please View Notes Below Slide
248
Work Laptop
SSID: Corp
10.8.20.51
Home PC
with Printer
192.168.1.5
Teleworker Home Office
Home Laptop
SSID: Home
192.168.1.6

IPsec
Primary and
Backup VPN
Tunnels
Work Phone
SSID: Voice
10.8.21.33
Internet
Provider
Gateway
192.168.1.1
Aerohive AP
5
VPN Client
192.168.1.2

DMZ
Notes Below
Aerohive AP4
VPN Client
192.168.1.6
Aerohive
AP3
VPN Client
192.168.1.5
Laptop
SSID: Corp
10.8.20.12

Phone
10.8.21.5
Branch Office
Guest Laptop
SSID: Guest
192.168.1.50
Printer
10.8.20.11
Desktop
10.8.20.10
Aerohive
AP1
VPN
Server
Aerohive
AP2
VPN
Server
Headquarters
DMZ
DHCP Server
Corporate Wi-Fi Devices
VLAN 10 10.8.20.0/24
Corporate Wi-Fi Voice
VLAN 11 10.8.21.0/24
Phone
SSID: Voice
10.8.21.33
Internet
Wired Wireless
IPsec
Primary and
Backup VPN
Tunnels
Gateway
192.168.1.1
Branch Office VPN with Bridging
249
QUESTIONS?
CONFIGURE 802.1X SSID
FOR WIRELESS VPN ACCESS
251
Wireless VPN Lab
Lab Network Diagram
252
Configure two Aerohive APs,
Aerohive AP-A will be a VPN client
Aerohive AP-B will be a VPN server
Client
10.8.1.X
10.5.2.<DHCP>
Aerohive AP-B
VPN Server
Aerohive AP-A
VPN Client
Hostname:
Hive:
Interface mgt0:
Interface tunnel0:
X-A-<6-digits of mac>
Class
10.5.2.<DHCP>/24 VLAN 2
10.8.1.X0
WLAN Policy: WLAN-X WLAN Policy: WLAN-X
Hostname:
Hive:
Interface mgt0:
IP Pool:
X-B-<6-digits of mac>
Class
10.8.1.X/24 VLAN 1
10.8.1. X0 - 10.8.1.X9

2.2.2.2
1.2.1.1
NAT Policy
1.2.1. X 10.8.1. X
NAPT Policy
ANY 2.2.2.2
AD 10.8.1.200
- VLAN 1
WEB 10.8.20.150
- VLAN 20
Wireless VPN Labs
Network IP Summary
253
VPN Server
X-B-Aerohive
AP MGT0
10.8.1.X/24

VPN Client
X-A-Aerohive AP
10.5.2.?/24
Firewall NAT Rules
1.2.1.X10.8.1.X
FW(NAT)
2.2.2.2
Gateway
10.5.2.1
Gateway
10.8.1.1
Client PC
10.8.20.?/24
GW: 10.8.20.1
DHCP Server VLAN 20
Net: 10.8.20.0/24
Pool: 10.8.20.150
- 10.8.20.200
Gateway: 10.8.20.1
Layer 3 IPsec VPN Tunnels - IP Headers
(10.5.2.?)2.2.2.2 1.2.1.X
Layer 2 GRE Tunnels - IP Headers
Tunnel0 10.8.1.X0 10.8.1.X
? Address Learned though DHCP
VPN Client Tunnel Address Pool
AP VPN 1: 10.8.1.X0 10.8.1.X9
RADIUS
10.8.1.200
tunnel0: 10.8.1.X0
254
For this class, the
tunnel IP pool assigned
to Aerohive AP VPN
clients is: 10.8.1.0/24
NOTE: Aerohive APs that are
VPN clients, the RADIUS server
must accept RADIUS
messages from an IP address
in the Tunnel IP address pool
assigned to each Aerohive
AP VPN client
Address: 10.0.0.0/8 will
include all IP addresses
that are needed
Shared Secret:
aerohive123
LAB: Configure Access for Wireless VPN
1. Select your Class-EAP-X SSID for VPN
255
Reassign your
Class-EAP-X SSID to
use for VPN
Next to SSIDs click
Choose
Click to deselect the
Class-AD-X SSID
Click to select
(highlight) the
Class-EAP-X SSID
Click OK

Click to
deselect
Class-AD-X
Ensure
Class-EAP-X is
highlighted then
click OK
2. Configure External RADIUS Server
256
Under Authentication, click <RADIUS-X>
Click
Click
3. Configure External RADIUS Server
257
Define RADIUS Server
Settings
for use with wireless
clients through the VPN
Click the radio button for
External RADIUS Server
Profile Name: VPN-RADIUS-X
Primary RADIUS Server:
10.8.1.200
Shared Secret: aerohive123
Confirm Secret: aerohive123
Click Apply
Did you click Apply?
Click Save

4. Modify Employee-X User Profile to be in VLAN 20
258
Modify the Employee-X user profile to assign
users to VLAN 20 which is in the DMZ

Under User Profile, click Employee-X

5. Change Employee-X VLAN to 20
259
Name: Employee-X


Change Network or
VLAN-only Assignment
to: 20

Click Save

6. Save the SSID Settings
260
Verify settings, then click Save

QUESTIONS?
CONFIGURE LAYER 2 IPSEC VPN
262
Wireless VPN Labs
Network IP Summary
263
VPN Server
X-B-Aerohive
AP MGT0
10.8.1.X/24

VPN Client
X-A-Aerohive AP
10.5.2.?/24
Firewall NAT Rules
1.2.1.X10.8.1.X
FW(NAT)
2.2.2.2
Gateway
10.5.2.1
Gateway
10.8.1.1
Client PC
10.8.20.?/24
GW: 10.8.20.1
DHCP Server VLAN 20
Net: 10.8.20.0/24
Pool: 10.8.20.150
- 10.8.20.200
Gateway: 10.8.20.1
Layer 3 IPsec VPN Tunnels - IP Headers
(10.5.2.?)2.2.2.2 1.2.1.X
Layer 2 GRE Tunnels - IP Headers
Tunnel0 10.8.1.X0 10.8.1.X9
? Address Learned though DHCP
VPN Client Tunnel Address Pool
AP VPN 1: 10.8.1.X0 10.8.1.X9
RADIUS
10.8.1.200
Tunnel Interface:
10.8.1.X0
Copyright 2011
Tunnel Traffic Header Overview
and Example
264
2.2.2.2 1.2.1.1
Internet
Aerohive AP
VPN Server
MGT0 10.8.1.2
MGT0 IP
Before NAT
1.2.1.2
After NAT
10.8.1.2
(NAT)1.2.1.2 10.8.1.2
MGT0 IP
10.5.2.100
NAT Traversal
UDP - Src & Dst Port 4500
Src Port Changes w/NAPT
Tunnel0
10.8.1.50
MGT0
10.8.1.2
IPsec (ESP) Tunnel

Encrypts GRE and
Client Traffic
GRE Tunnel
Encapsulates client
Layer 2 Traffic
Wireless Client
MAC: 0022.22aa.aa22
VLAN: 20
IP: 10.8.20.50
Corporate Server
MAC: 0011.11bb.bb11
VLAN: 20
IP: 10.8.20.150
Client Traffic
10.8.20.50
0022.22aa.aa22
VLAN Tag: 20
Layer 2 Client Data
Client Traffic
10.8.20.150
0011.11bb.bb11
VLAN Tag: 20
(NAPT) ANY 2.2.2.2
FW: Public IP
2.2.2.2
AP: Private IP
10.5.2.100
FW: Public IP
1.2.1.2
Aerohive AP 1
VPN Client
MGT0 10.5.2.100
Tunnel0 10.8.1.50
Branch
Office
Corporate
Headquarters
1
2
3
4
8
7
6
5
LAB: Create VPN Services Policy
1. Create a Layer 2 IPsec VPN Policy
265
To create a
Layer 2 IPsec
VPN Policy
Next to Layer 2
IPsec VPN,
click Choose
Click New

2. Define Name and IP Settings
266
Profile Name: VPN-X
For Aerohive AP VPN Server 1,
select your B Aerohive AP: X-B-
######
This will fill in the Server MGT0 IP
Address and the MGT0 Default
Gateway
Server Public IP: 1.2.1.X
NOTE: It is recommended that the
following VPN client tunnel IP address
pool is in the same subnet as the MGT0
interface of Aerohive AP VPN server.
Client Tunnel IP Address Pool Start:
10.8.1.X0
Client Tunnel IP Address Pool End:
10.8.1.X9
Client Tunnel IP Address Netmask:
255.255.255.0
Do not save yet...
267
Go to User Profiles for Traffic
Management
Next to: Employee-X
Select Enabled
Select the radio button for
Split Tunnel
NOTE: Split tunnel uses the
built-in stateful firewall
policy to determine which
traffic should be sent to
the Internet, and which
traffic should go through
the tunnel.

Do not save yet...
Split Tunnel Firewall Policy
Automatically Created
268
When you select the option to use split tunnel to local subnet and
Internet, the following policy gets created on the Aerohive AP
The following policy will not be displayed in HiveManager
From Access Firewall Policy
Source IP Destination IP Service Action
0.0.0.0/0 0.0.0.0/0 DHCP-Server Permit (tunnel)
0.0.0.0/0 10.5.2.0/24 Any NAT
0.0.0.0/0 10.0.0.0/8 Any Permit (tunnel)
0.0.0.0/0 0.0.0.0/0 Any NAT
Note, by default there is no To Access firewall policy, so if you
want traffic to be initiated from HQ to the wireless clients
thought the VPN, you will need to create a To Access policy that
permits access

269
Under Optional Settings,
expand IPsec VPN
Certificate Authority
Settings
VPN Certificate Authority:
Default_CA.pem
VPN Server Certificate:
AP-X_key_cert.pem
VPN Server Cert
Private Key:
AP-X_key_cert.pem

Do not save yet...
5. Assign VPN Certificates for VPN Server
270
Expand
Server-Client Credentials
NOTE: These are VPN XAUTH
credentials that get
generated automatically for
each Aerohive AP VPN Client
and Aerohive AP VPN Server
pair.

Nothing needs to be done
here. This for monitoring, or
for generating a new key or
removing a key if an AP is lost
or stolen.
Do not save yet...

How XAUTH Credentials are Used
271
The default IKE peer authentication method for the wireless VPN is
"hybrid"
In hybrid mode,
The VPN server authenticates itself to the client with an RSA
signature, which requires the server to have a server certificate, and
the client must have the root CA certificate that signed the server
certificate so it can validate the server
The server authenticates the client using Xauth
HiveManager generates a set of credentials (random string for
username and passwords) for each Aerohive AP VPN client and
Aerohive AP VPN server pair
When the VPN client uses valid credentials to authenticate
with the VPN server, the tunnel can be established
If the credentials are removed from either the VPN client or VPN
server, the tunnel cannot be established

6. View Advanced Server Options
272
Expand Advanced Server Options
No changes are necessary for the
following options
| IKE Phase 1 Options |

| IKE Phase 2 Options |
Check and select E Enable peer
IKE ID validation: User FQDN
HiveManager will look at the
certificate, find the User FQDN, and
configure a rule on the Aerohive AP
client to force validation of the
Aerohive AP server using the User
FQDN. The Aerohive AP by default
validates the Aerohive AP client using
XAUTH, so this check enables two-way
validation.
Do not save yet...

7. Configure Advanced Client Options
273
Expand Advanced Client Options
Select the traffic from the
Aerohive AP to send though
the tunnel.
Check the boxes for:
SNMP Traps
RADIUS
Active Directory
LDAP
Note: By default the VPN tunnel is
used for user traffic, however,
these options allow the Aerohive
AP itself to send traffic it generates
from itself based on the options
selected.
Check Enable NAT traversal
Adds a UDP header with port 4500
on to the IPsec packets
Do not save yet...

8. View Dead Peer Detection Settings
274
Dead Peer Detection is used for switching between Aerohive AP VPN
Server 1 and Aerohive AP VPN Server 2 upon failure
DPD Verifies IKE Phase 1
Send Heartbeat every 10 seconds (by default)
If you miss one heartbeat, send at the Retry Interval instead of at the
normal Interval settings
If you miss the number of retries specified, failover to backup VPN server

AMRP Verifies end to end through GRE and VPN Tunnel
Send Heartbeat every 10 seconds (by default)
If you miss one heartbeat, send 1 at second intervals instead of at the
normal Interval setting
If you miss the number of retries specified, failover to backup VPN server
Default DPD failover time:
~16 seconds

Default AMRP failover time:
~21 seconds
9. Save VPN Services Policy
275
Save the VPN Service
Settings
10. Verify VPN Setting and Save Network Policy
276
Back in your
Network Policy
Ensure Layer 2
IPsec VPN is set
to VPN-X
Click Save, but
do not
Continue or
Configure and
update devices
yet...

QUESTIONS?
Configuring Aerohive APs to be
VPN Clients and VPN Servers
AEROHIVE AP VPN ROLES
AND UPDATING THE
CONFIGURATION
278
LAB: Assign Aerohive APs to VPN Roles
1. Modify Your A-Aerohive AP
279
Click the Configure and Update Devices bar
Click to modify your A-Aerohive AP: X-A-######

2. Assign VPN Service Role to Client
280
Scroll down, and in the
Optional Settings Section
Expand Services Settings
Set the VPN Service
Role to: Client

Click Save

3. Modify Your B-Aerohive AP
281
In the Configure and Update Devices section
Click to modify your B-Aerohive AP: X-B-######

The Key with the
triangle pointing up
is a VPN client icon
4. Assign VPN Service Role to Server
282
Scroll down, and in the
Optional Settings Section
Expand Services Settings
Set the VPN Service
Role to: Server

Click Save

Click Upload
5. Upload the Configuration to Your Aerohive APs
283
The Key with the
triangle pointing down
is a VPN server icon
LAB: Verify the Aerohive L2 VPN
1. Wait for Upload to Finish Then Verify VPN
284
From Monitor Devices All Devices
If the Aerohive AP VPN Server and Client Icons are
green, then you know the VPN is up.
2. Aerohive device VPN Diagnostics
285
Go to Monitor Devices All Devices
Select one of the VPN devices: X-A-Aerohive AP
Click Utilities...Diagnostics Show IKE Event
Verify that both Phase 1 an Phase 2 are successful
3. Aerohive device VPN Diagnostics Phase 1
286
Select one of the VPN devices: X-A-Aerohive AP
Click Tools...Diagnostics Show IKE Event
Possible problems if Phase 1 fails:
Certificate problems
Incorrect Networking settings
Incorrect NAT settings on external firewall
Possible problems if Phase 2 fails:
Mismatched transform sets between the client and
server (encryption algorithm, hash algorithm, etc.)
287
Click Tools...
Diagnostics
Show IKE Event
If you see that phase 1
failed due to a
certificate problem
Check the time on
the Aerohive devices
show clock
show time
Ensure you have the
correct certificates
loaded on the
Aerohive APs in the
VPN services policy
288
Click Tools...
Diagnostics
Show IKE Event
If you see that
phase 1 failed due
to wrong network
settings
Check the IP
settings in the
VPN services
policy
Check the NAT
settings on the
external firewall
289
Click
Utilities...Diagnostics
Show IKE SA
Phase 1 has completed
successfully if you reach
step #9
If Step #9 is not
established then one of
these problems exists:
Certificate problems
Incorrect Networking
settings
Incorrect NAT settings on
external firewall

290
Click Utilities...
Diagnostics
Show IPsec SA
Note: It is clear to see that a
VPN is functional if you see
the tunnel from the MGT0 IP
of the VPN client to the
(NAT) Address of the MGT0
of the VPN Server, and the
reverse. Both use different
SAs (Security Associations)
State: Mature
If Phase 2 fails: Check the
encryption & hash settings
on the VPN client and the
VPN server

8. View VPN Topology
291
Open your Network Policy, click the Configure Interfaces and
User Access bar
In the Layer 2 IPsec VPN section click VPN Topology
9. View VPN Topology
292
When the Aerohive device icons are displayed in green
with a green line between them, the VPN is up
You can move your mouse over an icon for more details
VPN Topology Example
293
Here is an example of
a VPN topology with
12 Aerohive AP VPN
clients and two
Aerohive VPN servers
for tunnel load
sharing and
redundancy
NOTE: Layer-2 IPsec VPN
VPN Server Side Firewall Rules
294
NOTE: In an IPsec VPN deployment, if you
have a firewall protecting the VPN server,
you will need rules similar to the following
from the Internet to the IPsec VPN server:
Source IP Destination IP Protocol Source Port Dest Port Action
0.0.0.0/0 1.2.1.2(NAT) 17(UDP) Any 4500(NAT-T) Permit
0.0.0.0/0 1.2.1.2(NAT) 17(UDP) Any 500 (IKE) Permit

VPN Client
2-A-Aerohive AP
10.5.2.?/24
Firewall NAT Rule
1.2.1.210.8.1.2
FW(NAT)
2.2.2.2
Gateway
10.5.2.1
Gateway
10.8.1.1
RADIUS
10.8.1.200
Tunnel Interface:
10.8.1.20
VPN
server
10.8.1.2
QUESTIONS?
Using Microsoft XP
TESTING YOUR VPN ACCESS
WITH 802.1X CLIENT (SUPPLICANT)
296
Lab: Testing 802.1X/EAP For VPN Access
297
Click Class-EAP-X
Click Connect

chance there is a
Hosted PC in VMware
Please remedy by

Wireless
Network Icon
298
Click Add
299
a network profile
Network Name:
Class-EAP-X
Security type:
WPA2-Enterprise
Click Next
300
Click Change
connection settings
Click Security
Click Advanced settings

301
mode


Click OK


moment

302

VLAN: 20

Client Monitor - Successful Connection
303
Client Monitor showing successful authentication
The RADIUS server IP 10.8.1.20, which is only accessible though the VPN tunnel
QUESTIONS?
VPN LAB CLEANUP
305
Copyright 2011
Lab: VPN Lab Cleanup
1. Deselect Layer 2 IPsec VPN Policy
To continue with the rest of the training labs, please remove
the VPN settings so that traffic is not tunneled through the VPN
Go to Configuration
Select your Network
Policy: WLAN-X and
click OK
Next to Layer 2 IPsec
VPN click Choose
Click to deselect your
VPN profile
Click OK
In the Network Policy
Click Save

306
Click to
deselect
VPN-X
2. Change Employee-X User Profile to VLAN 10
307
Modify the Employee-X user profile to assign
users to VLAN 10 which is in the DMZ

Under User Profile, click Employee-X

3. Change Employee-X VLAN to 10
308
Name: Employee-X


Change Network or
VLAN-only Assignment
to: 10

Click Save

QUESTIONS?
TIME SETTINGS FOR HIVEMANAGER
AND AEROHIVE APS
310
Verify Time Settings
311
HiveManager and Aerohive APs should have up to date time
settings, preferably by NTP
Go to HomeAdministrationHiveManager Settings
Next to System Date/Time click Settings
Lab: Verify NTP Policy
1. Verify NTP Server object
312
Go to Configuration
Select your Network
Policy: WLAN-X and
click OK
Click Additional Settings
Expand Management
Server Settings
Note: Upon first login to a
new HiveManager system,
an NTP server policy is
automatically created with
the same name as the
original Hive name.
However, for this lab,
create a new NTP server
policy.
Next to NTP Server
Click (Modify)
Note: You should configure the NTP
server to set the time zone and NTP
server settings. This is important for
any service that depends on time,
such as VPN and RADIUS which use
certificates, schedules, Private PSK
validity, etc...

Lab: Verify NTP Policy
2. Verify NTP Server Settings
313
Ensure the NTP
Server is set:
ntp1.aerohive.com
Click Save or
Cancel
QUESTIONS?
Using Self Registration Captive Web Portal
CONFIGURE GUEST ACCESS
WITH PRIVATE PSK SELF
REGISTRATION
315
Private PSK Self Registration
316
1. A guest comes in
and connects to
a open
registration SSID
2. They open their
web browser
and a captive
web portal page
appears
3. The guest enters
their information
and clicks
register
SSIDs:
Class-Register (open)
Class-Secure (WPA2-PSK)
Guest
Aerohive AP
Connects to:
Class-Register
Private PSK Self Registration
Secure Access
317
4. The captive web
portal displays a
unique Private
PSK for the guest
with instructions
to connect to
the secure SSID
5. The guest
connects to the
secure SSID and
enters the Private
PSK displayed on
the captive web
portal page
6. The guest will
then be securely
connected
SSIDs:
Class-Register (open)
Class-Secure (WPA2-PSK)
Guest
Aerohive AP
Connects to:
Class-Secure
Secure Guest Access with Private PSK
Self Registration Goal for Lab
318
Generate a set of private PSKs
The private PSKs will have a lifetime of
1day and new Private PSKs will be
generated every day that last for 1 day
These Private PSKs will be assigned to a
single SSID
The keys will be given out via a self-
registration captive web portal
Lab: Secure Self-Registered Guest Access
1. Modify your WLAN Policy to Create an SSID
319
To configure a
Private PSK SSID
Go to Configuration
Select your Network
Policy: WLAN-X and
click OK
Next to SSIDs,
click Choose
Click New

Copyright 2011
2. Create a Private PSK SSID with Self Registration
Profile Name:
Class-Secure-X
SSID:
Class-Secure-X
Under SSID Access
Security select
Private PSK
Set maximum clients per
private PSK to: 2
NOTE: This limits how many
times a single Private PSK
can be used in a Hive
Check Enable private
PSK self-registration
Registration SSID:
Class-Register-X
320
Click Save
4. Create a Private PSK SSID
321
Click to deselect the
Class-EAP-X SSID
Ensure the
Class-Secure-X SSID
is selected
Click OK

Click to deselect
Class-EAP-X
Ensure
Class-Secure-X
is highlighted then
click OK
5. Create a Private PSK User Group
322
Under Authentication, click <PPSK User Groups>
Click New
Click
Click
Click
6. Configure the Private PSK User Group
323
User Group Name:
1day-guest-0X

User Type:
O Automatically
generated private PSK
users
VLAN: <empty>
Note: The VLAN is inherited from
the user profile
Do not save yet...
NOTE: 0X=02-28
(Use 2 digits)
7. Configure the Private PSK User Group
324
User Name Prefix: 0X-1day
Note: This is the prefix for all the Private PSKs that will be
generated.
If you create 100 PPSK accounts, then the guest accounts will be
created as 0X-1day0001 though
0X-1day0100
Private PSK Secret:
<Click Generate or enter random characters>
Note: This secret never needs to be known or seen again. It is
used to as a seed key to add more complexity to the
automatically generated PSKs.
Expand Private PSK Advanced Options
8. Configure Time Zone and PSK Validity Period
325
Password Length: 8
Note: If Private PSKs were being
generated for corporate accounts,
this should be a much larger
password length. However, for
guests, because they are entering
the password on their mobile
device from a printout or from an
email, for administrative purposes, it
is simpler to generate smaller length
Private PSKs.
Time Zone: <(GMT-08:00)-America>
Note: This should be the time zone
of where the Aerohive APs and
clients are located in real life.
PSK Validity Period: Recurring
Check E Enable the automatic
creation and rotation of private
PSK users and their keys
Copyright 2011
9. Configure PPSK Rotation Schedule
Private PSK Start Time:
<Select 1 day ago:
00hr 00min>
Note: The Private PSKs are
generated every day at the hours
and minutes specified here.
Private PSK Lifetime: 1 day
Note: Specifies how long a Private PSK will last
Private PSK Rotation Interval: 1 day
Note: Specifies how often new Private PSKs will be created. In this example, 1 day keys are created
every day.
Private PSK Rotations: 3650 times
Note: Specifies how many times to rotate keys. (9999 is 27 years)
Private PSK Users to Create per Rotation: 10 users
Note: This should match the maximum number of guests you will assign to 1 day Private PSKs on a
single day. In this lab, 10 Private PSKs will be automatically generated with the specified lifetime,
rotation interval and number of rotations.
Do not save yet...

326
10. Configure PSK character types and then save
327
Character types used
in generated PSKs and
manually created
passwords:
Check E Letters
Uncheck E Digits
Uncheck E Special
Characters
Click Save
NOTE: Because these are daily PSKs, you
can use upper and lower case letters to
make it easy to type. If you mix in digits,
the client may have problems with
identifying the difference between letters
and digits: 1, I, l, 0, O, for example.
However, mixing in special characters is
fine, but it may be more complicated for
clients to enter in their mobile device.
11. Select the Private PSK User Group
328
Ensure your 1day-guest-X is highlighted
Click OK
12. Select Your A Aerohive AP as a Private PSK
Server
329
Under Authentication, click <Private PSK Server>
Select your X-A-###### Aerohive AP and click OK
Click
Select your
X-A-
Aerohive
AP
13. Create a Captive Web Portal for Self Registration
330
Under Authentication, click <Private PSK CWP>
In the Choose CWP window, click New
Click
Click
14. Configure Self Registration Captive Web Portal
331
Name: CWP-Self-X
Expand Captive Web
Portal Login Page
Settings
Click Self-registration
In the Captive Web
Portal Success Page
Options ensure No
Redirection is selected
so the Private PSK
remains displayed on
the captive web
portal page
Do not save yet...
15. Create a Guest User Profile
332
Under User Profile, click <Add/Remove>
In the Choose User Profiles window, click New

16. Configure Guest User Profile
333
Name: Guests-X
Attribute Number:
100
NOTE: The
attribute number
must match the
number defined in
the private PSK
group
Network or
VLAN-only
Assignment: 8
Click Save
17. Assign User Profile to Self Registration SSID
334
Ensure the Guests-X
user profile is selected
(Highlighted)
Click Save
18. Verify Settings and Go To Update Devices
335

19. Update the Configuration
336
Select the Configure & Update Devices bar
Check the box next to your AP X-A-######
Click Upload
It is recommended that Complete Uploads be used for complex configuration changes
Click Setting
337 337
Select Complete Upload
Select Activate after 5 seconds
Click Save
338 338
Check to box next to your A-Aerohive AP: X-A-######
Click Upload
339
TESTING GUEST ACCESS WITH
PRIVATE PSK SELF REGISTRATION
340
Lab: Test Guest Access with Self Registration
1. Connect to Class-Register SSID from Hosted PC
341
From the hosted PC, connect
to the
Class-Register-X SSID
2. Open a Web Browser and Fill Out CWP Form
342
From the hosted
PC, open a web
browser, and
attempt to
connect to a
web site
A captive web
portal will
appear
Fill in the form
and click
Register
3. Connect to Class-Secure SSID from Hosted PC
343
After a moment, the
Captive Web Portal will
display a WPA/WPA2-
Personal Key
(Private PSK)
From the hosted PC,
connect to the
Class-Secure-X SSID
4. Enter the PSK for the Class-Secure SSID
344
Enter the Security Key
displayed in the captive
web portal window
You will then be securely
connected

5. View Your Guest in Active Clients
345
From MonitorActive Clients, view your active client
information
QUESTIONS?
To Simplify the WLAN Policy
Configuration When Different Settings for Aerohive APs
are Needed at Different Locations
AEROHIVE AP CLASSIFICATION
EXAMPLES
347
Question: How do define a single WLAN
policy, but configure different settings?
348
For example, in the
Network policy, you
can only define one
MGT interface VLAN
profile
But if the Aerohive APs
are in different
networks with different
MGT VLANs, what can
you do?
GRE
radius
Router
L2-Switch
L2-Switch
Interface mgt0:
Classification Tag:
Network Policy:
MGT0 VLAN:
10.5.2.?
radius
WLAN-X
2
Aerohive AP Device Settings
Interface mgt0:
Classification Tag:
Network Policy:
MGT0 VLAN:

10.7.1.X
GRE
WLAN-X
100
Aerohive AP Device Settings
Copyright 2011
Answer: HiveManager Device Classification
Define a VLAN Object That is Variable
With HiveManager Device
Classification, you can create
one VLAN object, but have it
change based on a classifier
tag (text field) assigned to a
device, a hostname, or
based on a topology map
where a device resides
For example, this VLAN object
called: ap-vlans-2 is a policy that
assigns VLAN 100 if the device has a
text field classifier tag configured
called: GRE; assigns VLAN 2, if a text
field classifier tag on a device is
configured with radius; and VLAN 1
if a device does not have any text
field classifier tags (global).
349
Devices Can Be Assigned to Textual Classifier Tags
350
To allow VLAN, IP
address, or MAC
OUI/Address object
to be customized by
specific APs or
routers, you can
specify Device
Classification tags in
the device
configuration
settings for an AP or
router.
You can define
three tags, that can
specify device
function, services, or
location for example
Aerohive AP A Device
Classification Settings
Aerohive AP B Device
Classification Settings
Object Definition Changes Based on Tag
351
In this example, a
Network Policy uses a
VLAN object to
define the MGT
VLANs on APs.

HiveManager can
assign different VLANs
to a device or user
profile based on
device classification
rules.

When HiveManager
updates the
configuration on
Aerohive AP A, it will
assign its MGT VLAN
to 2, and Aerohive AP
B will be assigned to
100

Aerohive AP A is a
RADIUS
server, so you can
assign a tag like radius.
Aerohive AP B is a GRE
tunnel
Terminator, so you can
assign a tag like GRE.
AP MGT VLAN Object Definition
Supported Objects
352
Objects that support
Device classification
IP/Hostname Objects
MAC Addresses/OUIs
VLANs
Multiple variables can
be configured in one
object , and the values
assigned to the Aerohive
AP can change based
on
Topology Map,
Classifier Tag,
or Hostname,
Types of Classification
353
VLANs, IP Address Objects, MAC
Address objects, and User Profile
Attribute groups can have
classification rules based on:
Map Name
Uses topology maps
Aerohive AP Name
Classifier Tag
Requires tags are defined in the
configuration of Aerohive APs
Global
Selected if no match is found for
any of the other types
You can mix and match, the first
matching rule is used
Global is checked as the last
match even if it is defined first

Copyright 2011
Tag Selection - E or E
If you specify multiple tags on a Aerohive AP, make
sure the object is defined to match relevant tags
and ignore the rest
If you want to make this VLAN object match all
Aerohive APs in HQ, you must define E Tag 1 as:
HQ, but uncheck ETag 2 and E Tag 3 so they will
be ignored

If you do not uncheck Tag 2 and Tag 3, you will
have to match all three tags on each Aerohive AP
354
VLAN Object Definition Aerohive AP 1 Configuration
Aerohive AP 2 Configuration
QUESTIONS?
Change VLAN and IP address of Aerohive APs
HIVEMANAGER DEVICE
CLASSIFICATION LAB
356
Using HiveManager Device Classification Tags
To Set Aerohive AP MGT0 Interface VLANs
357
GRE
radius
Router
L2-Switch
L2-Switch
Interface mgt0:
Classification Tag:
Network Policy:
MGT0 VLAN:
10.5.2.X
radius
WLAN-X
2
Aerohive AP A Device Settings
Interface mgt0:
Classification Tag:
Network Policy:
MGT0 VLAN:

10.7.1.X
GRE
WLAN-X
100
Aerohive AP B Device Settings
VLAN Object: ap-vlans-X
VLAN ID: 1
Type: Global
VLAN ID: 2
Type: Classifier
Value: Tag 1: radius
Tag 2:
Tag 3:
VLAN ID: 100
Type: Classifier
Value: Tag 1: GRE
Tag 2:
Tag 3:
Network Policy: WLAN-X
MGT0 VLAN: ap-vlans-X
Native VLAN: 1

Lab: Using Classification Tags for MGT0 VLANs
1. Set Classification Tag on A-Aerohive AP
358
Set the Device classification tag on your A-Aerohive AP
Go to Configuration
Select your Network
Policy: WLAN-X and click OK
Go to the Configure & Update Devices bar
Click the link for your
A-Aerohive AP: X-A-######
2. Set Classification Tag on A-Aerohive AP
359
Scroll down and expand
Advanced Settings
Uncheck Override
MGT VLAN
Note: This was set in the
beginning of class to
change the MGT VLAN of
this AP, now you will use
Device Classification to set
the MGT VLAN.
Set Device Classification
as follows:
Tag 1 radius
Tag 2
Tag 3
Click Save
NOTE: Tag values are case
sensitive. The tag here will
match the tag set for the
MGT Interface VLAN as
shown on the right.
3. Set Classification Tag on B-Aerohive AP
360
Set a Device
Classification Tag for
your B-Aerohive AP
Click the link for your
B-Aerohive AP
X-B-######
Scroll down and
expand Advanced
Settings
Enter a value:
Tag 1 GRE
Tag 2
Tag 3
Do not save yet...
Copyright 2011
4. Assign Aerohive AP-B to New Static IP Address
Change the IP
address of your B
Aerohive AP so
that it will match
its new VLAN,
which will be
VLAN 100
because of
device
classification
Expand
Interface and
Network Settings
Optional Settings> Expand MGT0
Interface Settings MGT0 IP Address:
10.7.1.X
Netmask: 255.255.255.0
Gateway: 10.7.1.1
Click Save
361
5. Modify Additional Settings
362
Configure MGT VLANs
for Aerohive APs
Go to the
Configuration
Interfaces & User
Access section in
your Network Policy
Next to VLAN
Settings click Modify
Copyright 2011
6. Change MGT VLAN for AP in Lab Network
Create a MGT Interface VLAN policy that sets the
MGT interface on an AP to VLAN 2 if it is going on
an AP RADIUS server, and VLAN 100 if it is a GRE
tunnel terminator, and VLAN 1 if it is not.
Next to MGT
Interface
VLAN Click +

363
Copyright 2011
7. Create a VLAN object Using Classifiers
364
VLAN Name:
ap-vlans-X
VLAN ID: 2
Type: Classifier
Check E Tag 1: radius
Uncheck E Tag 2
Uncheck E Tag 3
Click Apply
Do not save yet...

NOTE: All tags that are
checked E must match a
classifier tag on a Aerohive
AP to be applied. They are
AND-ed together not
OR-ed.
Click
Apply
Copyright 2011
Add an additional VLAN
ID to the VLAN profile to
identify devices with no
classification tag set
Click New
VLAN ID: 1
Type: Global
Click Apply
Do not save yet...
NOTE: When you see the
Value, (T) = True, which is
checked, and (F) = False
is unchecked.
8. Create a Global VLAN
365
Click
Apply
Copyright 2011
9. Create a VLAN object Using Classifiers
366
Add an additional VLAN
ID to the VLAN profile to
identify devices with a
GRE device classification
tag
Click New
VLAN ID: 100
Type: Classifier
Check E Tag 1: GRE
Uncheck E Tag 2
Uncheck E Tag 3
Click Apply
Do not save yet...

Click
Apply
10. Verify VLAN Profile and Save
367
Verify the VLAN profile
You should have 3
VLANs in the object
VLAN 1 Global
VLAN 2 Classifier
(T)tag1=radius;
(F) tag2=;(F)tag3;
VLAN 100 Classifier
(T)tag1=GRE;
(F) tag2=;(F)tag3;
Click Save

In VLAN Settings,
click Save

T = True
Checked
(Match Needed)
F = False
Unchecked
(No Match Needed)
Click Upload
11. Update the configuration of your Aerohive APs
368
NOTE: The update will take longer because the IP address is
changing, and a new CAPWAP connection needs to be formed.
12. Verify IP addresses on Aerohive APs
369
Verify the IP address Settings on your Aerohive APs
From MonitorAll Devices or brom the Configure & Update
Devices bar in your Network Policy Configuration
View the A Aerohive AP IP: 10.5.2.X and
B Aerohive AP IP: 10.7.1.X
NOTE: If a mistake was made, and the VLAN gets configured
incorrectly, or your IP is not correct, it will take 15 minutes for the
AP to revert back to its prior configuration and reconnect to
HiveManager. After that you can fix your problem.
QUESTIONS?
SECURE AND FAST ROAMING
371
371
Copyright 2011
Roam
Layer 2 Roaming
User associates and
authenticates and keys
are distributed
AP predicatively pushes
keys and session state to
one hop neighbors
As client roams and
associates with another
AP the traffic continues
uninterrupted

RADIUS Server
372
Copyright 2011
Subnet A
Subnet B
Router
GRE Tunnel
Layer 3 Roaming
Like Layer 2 roaming the
Layer 3 roam predicatively
pushes keys to one hop
neighbors.
In order to maintain IP
connectivity a tunnel is
created to home subnet.
Tunnel continues to follow
roaming user until sessions
end then tunnel is terminated
and the user accesses the
local network
373
QUESTIONS?
LAYER 3 ROAMING DETAILS
375
375
Layer 3 Roaming
Detailed Explanation
376
Aerohive AP Layer 3
roaming information is
advertised in beacons
and can be heard by
Aerohive APs in the
same Hive.
Subnet 10.5.1.0/24
Floor 1
Subnet 10.6.1.0/24
Floor 2
10.5.1.11/24
10.5.1.12/24 10.5.1.13/24 10.6.1.7/24 10.6.1.8/24 10.6.1.9/24
Corp-Hive Corp-Hive

Aerohive APs can then
communicate over the LAN using
UDP Port 3000
Beacon IE: (Encrypted)
Hive: Corp-Hive
L3 roaming enabled
Mgt0 IP: 10.5.1.13/24
Beacon IE: (Encrypted)
Hive: Corp-Hive
L3 roaming enabled
Mgt0 IP: 10.6.1.7/24
Aerohive APs scan
channels to locate
layer 3 roaming
neighbors and
communicate with
each other over the
Ethernet network.
Layer 3 Roaming
Detailed Explanation
377
Subnet 10.5.1.0/24
Floor 1
Subnet 10.6.1.0/24
Floor 2
10.5.1.11/24
10.5.1.12/24 10.5.1.13/24 10.6.1.7/24 10.6.1.8/24 10.6.1.9/24
Corp-Hive Corp-Hive
Send:
DA for
subnet: 10.5.1.0/24
10.5.1.11
Receive:
DA for
subnet: 10.5.1.0/24
10.5.1.11
Neighboring AP sends
Aerohive AP DA information
to neighboring subnets
DA
Layer 3 Roaming
Detailed Communication
378
Subnet 10.5.1.0/24
Floor 1
Subnet 10.6.1.0/24
Floor 2
10.5.1.11/24
10.5.1.12/24 10.5.1.13/24 10.6.1.7/24 10.6.1.8/24 10.6.1.9/24
Corp-Hive Corp-Hive
DA Send:
Best tunnel endpoint
for subnet: 10.5.1.0/24
10.5.1.12
Query DA:
Least loaded AP for
subnet: 10.5.1.0/24
Preparation for roaming by
contacting DA for APs as the
potential tunnel end points
Aerohive APs preselect best
APs in each subnet to be a
tunnel endpoints

The tunnel is built only when
a client eventually roams
DA
Received from DA:
Best tunnel endpoint
for subnet: 10.5.1.0/24
10.5.1.12
Layer 3 Roaming
379
As clients arrive on the
new subnet, the
Aerohive AP will use an
existing tunnel for the
client, or if that tunnel is
heavily loaded, it can
create a tunnel to
another portal in the
DNXP table.
Subnet 10.5.1.0/24
Floor 1
Subnet 10.6.1.0/24
Floor 2
10.5.1.11/24 10.5.1.12/24 10.5.1.13/24 10.6.1.7/24 10.6.1.8/24 10.6.1.9/24
Corp-Hive Corp-Hive
u1
eth0.1 10.5.1.1
eth0.2 10.5.10.1
eth0.1 10.6.1.1
eth0.2 10.6.10.1
u1 u1 u1
10.5.10.33/24
u1
10.5.10.33/24
u1
10.5.10.33/24
DNXP
L3 10.5.1.12
Client Roaming
Cache Update
u1
DNXP
GRE Tunnel
Layer 2
roam
Layer 3
roam
The clients IP address is maintained
u1
Session State
& PMK
u1
Layer 3 Roaming
380
Subnet 10.5.1.0/24
Floor 1
Subnet 10.6.1.0/24
Floor 2
10.5.1.11/24
10.5.1.12/24 10.5.1.13/24 10.6.1.7/24 10.6.1.8/24 10.6.1.9/24
Corp-Hive Corp-Hive
Session State
& PMK
eth0.1 10.5.1.1
eth0.2 10.5.10.1
eth0.1 10.6.1.1
eth0.2 10.6.10.1
u1
u1
u1 u1
u1
10.5.10.33/24
DNXP
L3 10.5.1.12
DNXP
GRE Tunnel
u1 u1 u1
DNXP
L3 10.5.1.12
u1
Layer 3 Roaming
Local Subnet Connection
381
Based on the number of packets
per minute sent to and received by
the client, the Aerohive AP can be
configured to disable the tunnels
and de-auth the client so that it will
reconnected and obtain an IP
address from the local network.
Subnet 10.5.1.0/24
Floor 1
Subnet 10.6.1.0/24
Floor 2
10.5.1.11/24
10.5.1.12/24 10.5.1.13/24 10.6.1.7/24 10.6.1.8/24 10.6.1.9/24
Corp-Hive
Corp-Hive
Session State
& PMK
eth0.1 10.5.1.1
eth0.2 10.5.10.1
eth0.1 10.6.1.1
eth0.2 10.6.10.1
u1
u1
u1 u1
DNXP
GRE Tunnel
u1 u1 u1 u1
u1
10.5.10.33/24 10.6.10.95/24
u1
De-auth
QUESTIONS?
CONFIGURING DYNAMIC
TUNNELING FOR
LAYER 3 ROAMING
383
Lab: Enable Layer 3 Roaming
1. Modify the Employee-X User Profile
384
To configure layer 3
roaming for a user
profile
Go to
Configuration
Select your
Network Policy:
WLAN-X and
click OK
Under
Authentication
click Guest-X

2. In your user profile, create a tunnel policy
385
Layer 3 roaming is
enabled per user
profile by configuring
a tunnel policy
Under Optional
Settings,
Expand GRE Tunnels
Select O GRE tunnel
for roaming or
station isolation and
Click +
Copyright 2011
2. Configure Layer 3 Roaming Policy
Enable the ability to
dynamically build tunnels
for layer 3 roaming
Name: L3-Roaming-X
Tunnel Settings
Select O Enable
Dynamic tunneling for
Layer 3 Roaming
Unroaming Threshold: 60
seconds
Number of packets per
minute: 2000
Setting a value enables
Unroaming
Setting to 0 disables
Click Save

386
If using Polycom
phones, do not enable
unroam because they
never perform a new
DHCP after they have
been powered on
Note: The number of packets per minute to select
varies based on the number of devices, types of
devices, and applications running on your network.
Copyright 2011
3. Save user profile with L3 Roaming Policy
Verify Layer 3 Roaming Policy is set
Click Save

387
4. Enable radio and set power on B Aerohive AP
388
Go to the
Configure &
Update
Devices bar
Click the link
for your
B-Aerohive
AP:
X-B-######
Set Admin
state of 2.4
and 5 GHz
radios to: Up
Set Power of
2.4 and 5 GHz
radios to: 1
Click Save

Check to box next to your
APs: X-A-######, X-B-######
Click Upload
389
Testing Layer 3 Roaming
In Hosted Training Data Center
390
Unfortunately we cannot test layer 3 roaming in the
hosted data center because
The Aerohive APs are hard wired via coax to their
clients
The power level of the Aerohive APs has been set to
1 dBm so the clients can connect to their SSIDs. If we
do not set the power to 1 dBm, the power is too high
for the clients that are connected via coax
Because the power is low, and the rest of the RF connections are
terminated, testing in the remote lab is not possible
If the instructor has time and the equipment, they can
demonstrate layer 3 roaming locally in class
QUESTIONS?
LAYER 3 ROAMING
ANALYSIS
392
Notes: Layer 3 Roaming
View Roaming Neighbors
393
To see if Layer 3
neighbors are being
discovered, go to
Monitor
All Devices
Select the check box
next to your B-
Aerohive AP or A
Aerohive AP then
select Tools...
Diagnostics
Show DNXP Neighbors
You can view the
Aerohive APs Layer
2 and Layer 3
roaming neighbors
View the State
column to see L3
and L2 neighbors
NOTE: It may take a few minutes to gather neighbor
information during background scans, and you may
not see your own neighbor AP in this hosted training
rack, but you should see some neighbors.
Layer 3 Roaming
Testing in Hosted Lab
394
If you select the check box
next to your Aerohive AP
then select Tools
Diagnostics
Show DNXP Cache
If a client is connect to
the Aerohive AP, you
can view the
information that is
being sent to the
neighboring Aerohive
APs
The Tunnel-end is the
Aerohive AP that will
be the tunnel end
point for DNXP after
the client roams across
subnet boundaries
1. Shows the MAC address of
the client and their tunnel end
point after roaming
QUESTIONS?
Identity-based Tunnels
USING GRE TUNNELS TO TUNNEL
GUEST TRAFFIC TO A SECURE DMZ
396
Copyright 2011
Identity-Based Tunnels
With Identity-Based tunnels, client traffic can be tunneled directly to one
or more Aerohive APs within a firewalled DMZ with access to the Internet
The client in the internal network is assigned a VLAN and an IP address
from the tunnel destination
All client traffic is then tunneled to the Aerohive APs in the DMZ
Traffic from clients is not permitted on the local network
This is typically used in environments where VLANs are not supported at
the access layer
Note: Unlike
IPsec, which
supports NAT
traversal, GRE
tunnels cannot
be NATed
because GRE
does not have
port numbers
397
Identity-Based Tunnels LAB
Using Tag On DMZ VLAN
398
Hostname:
Interface mgt0:
WLAN Policy:
X-A-000000
10.5.2.N/24 VLAN 2
WLAN-X
Hostname:
Interface mgt0:
WLAN Policy:
Tag1:
X-B-000000
10.7.1.X/24 VLAN 1
WLAN-X
DMZ-X
WLAN Policy: WLAN-X
Hive:
Tunnel Policy:
Tunnel Settings:
Tunnel Destination:
Tunnel Source:
Tunnel Password:
MGT0 VLAN:
Native VLAN:

Class-X
GRE-Tunnel-X
Enable static identity-based-tunnel
IP Range Start:10.7.1.X End:10.7.1.X
10.5.1.0/24 and 10.5.2.0/24
<random generated>
2
1

SSID:
Captive Web Portal:
Registration Type:
User Profile:
Attribute:
VLAN:
Tunnel Policy:
Class-Guest-X
CWP-Tunnel-X
Use-Policy-Accept
Role-Tunnel(1XX)
1XX
1XX
GRE-Tunnel-X
DMZ Network
Guest
Client
Internal Network
GRE Tunnel
10.5.2.N to 10.7.1.X
Tunnel Destination
Internet
Class-GRE-X
10.7.1X.N/24
10.7.1X.1
SSID:
IP:
Gateway:
10.7.1.1 10.5.2.1
DHCP Settings
for VLAN 1XX (01, 02, ..,13)
network 10.7.1XX.0/24
ip range 10.7.1XX.100 to
10.7.1XX.199

Tunnel Source
Lab: Use SSID to Tunnel Guest Traffic to DMZ
399
To configure a
SSID for Guest
Tunneling over
GRE
Go to
Configuration
Select your
Network Policy:
WLAN-X and
click OK
Next to SSIDs,
click Choose
Click New

Copyright 2011
2. Configure an SSID for GRE tunneling
Profile Name:
Class-GRE-X
SSID:
Class-GRE-X
Under SSID Access
Security select
WPA/WPA2 PSK
(Personal)
Key Value &
Confirm Value:
aerohive123
Check Enable
Captive Web
Portal
Click Save
400
3. Select new Class-GRE SSID
401
Click to deselect
Class-Secure-X
SSID
Ensure the
Class-GRE-X SSID
is selected
Click OK
Click to deselect
Class-Secure-X
Ensure
Class-GRE-X is
highlighted then
click OK
402
Under Authentication, click <CWP>
In Choose CWP, click New
Click
Click
5. Configure Use Policy Captive Web Portal
403
Name:
CWP-Guest-X
Registration Type:
Use Policy
Acceptance
Do not save yet...

Optional: Click here
to customize the
use policy page
If you customize the
use policy, you can
enter or modify the
text directly in the
text box.
6. Configure Use Policy Captive Web Portal
404
Expand Captive
Web Portal Success
page after
successful login
Select the option to
O Redirect to the
initially requested
page
or
O Redirect to an
external page
and enter a URL
Click Save
7. Assign CWP and Configure SSID
405
Under User Profile
click Add/Remove

9. Create a user profile to tunnel traffic
406
Define a user profile to tunnel
traffic to an AP in the DMZ
Note: XX= 2 Digits (02,03, .. ,27,28)
Name: GRE-users-1XX
Attribute Number: 1XX
Default VLAN: 1XX
Note: This VLAN is encapsulated
inside the GRE tunnel and sent to
the tunnel destination where the
VLAN must exist.
Expand the GRE Tunnels
Select GRE tunnel for
roaming or station isolation
Click + to create a GRE
tunnel policy
Note: The name, attribute number
and default VLAN do not have to
match but it looks nice if they do.
10. Create a user profile to tunnel traffic
407
Configure the tunnel information for
both sides of the tunnel in this policy
Name: GRE-X
Select Enable Static Identity-Based
Tunnels
Tunnel Destination
IP Range Start: 10.7.1.X End: 10.7.1.X
Note: You can specify a range of
consecutive Aerohive APs if you have
multiple Aerohive APs at the tunnel
destination for redundancy and load
sharing.
Tunnel Source IPs or Subnets -
Under Available IP Addresses
Select 10.5.2.0/24 and 10.5.1.0/24
and click the > button
Tunnel Authentication
Click Generate
Click Save
11. Save the Use Profile
408
Back in the user profile
Ensure Tunnel Policy is
set to: GRE-X

Note: If you do configure
firewall policies, be aware
that your firewall policies
are applied before your
traffic is tunneled to the
destination Aerohive AP.
Also note that the IP
address of your client will
be from the remote
network at the tunnel
destination.

Click Save

409
Ensure the GRE-users-1XX
user profile is selected
(highlighted)
Click Save
Note: When a client
associates with this SSID and
completes the registration
process, their traffic is
tunneled to the destination
Aerohive AP specified by the
tunnel policy in the user
profile. If a client associates
with this SSID on the tunnel
endpoint, the traffic is
forwarded without tunneling.
13. Verify settings and continue to configure devices
410
Verify the settings
and click the
Configure &
Update Devices
bar to configure
the GRE server
B-Aerohive AP for
DHCP service
QUESTIONS?
AEROHIVE AP DHCP SERVICE
ON TUNNEL END POINT
412
LAB: Configure DHCP Service for Guests
413
In the Configure &
Update Devices
section, click the
link for your
B-Aerohive AP:
X-B-#####
2. Create a new DHCP Server Object
414
In the device
configuration,
scroll own and
expand Service
Settings
In the DHCP Server
& Relay section
click +
3. Configure DHCP Server for VLAN 1XX
415
To create a DHCP server
and IP pool for VLAN
1XX
Name:
DHCP-1XX
Interface: mgt0.1
IP Address: 10.7.1XX.2
Netmask: 255.255.255.0
VLAN ID: 1XX
Please do not save yet...
4. Configure DHCP Server for VLAN 1XX
416
Configure the IP pool and
DHCP options
Under IP Pool
Start IP Address:
10.7.1XX.100
End IP Address:
10.7.1XX.199
Click Apply
(Really, please click apply!)
Under DHCP Server Options
Default Gateway:
10.7.1XX.1
Note: The netmask is
automatically inherited from
the mgt0.X interface
DNS Server 1 IP: 8.8.8.8
Click Save

Scroll up
to click
Save
Copyright 2011
5. Assign your DHCP service to your B Aerohive
AP
Select your DHCP
server object:
DHCP-1XX and move
it to the Selected List
Scroll up to Save the
settings for this
Aerohive AP
417
418
Check to box next to your APs:
X-A-######, X-B-######
Click Upload
Selected
Network Policy
QUESTIONS?
To Update GRE-Tunnel and DHCP Server Configuration
TEST GUEST GRE TUNNEL ACCESS
420
Identity-Based Tunnels LAB
Using Tag On DMZ VLAN
421
Hostname:
Interface mgt0:
WLAN Policy:
X-A-000000
10.5.2.N/24 VLAN 2
WLAN-X
Hostname:
Interface mgt0:
WLAN Policy:
Tag1:
X-B-000000
10.7.1.X/24 VLAN 1
WLAN-X
DMZ-X
WLAN Policy: WLAN-X
Hive:
Tunnel Policy:
Tunnel Settings:
Tunnel Destination:
Tunnel Source:
Tunnel Password:
MGT0 VLAN:
Native VLAN:

Hive-Class-X
GRE-X
Enable static identity-based-tunnel
IP Range Start:10.7.1.X End:10.7.1.X
10.5.1.0/24 and 10.5.2.0/24
<random generated>
2
1

SSID:
Captive Web Portal:
Registration Type:
User Profile:
Attribute:
VLAN:
Tunnel Policy:
Class-GRE-X
CWP-Tunnel-X
Use-Policy-Accept
Role-Tunnel(1XX)
1XX
1XX
GRE-X
DMZ Network
Guest
Client
Internal Network
GRE Tunnel
10.5.2.N to 10.7.1.X
Tunnel Destination
Internet
Class-GRE-X
10.7.1X.N/24
10.7.1X.1
SSID:
IP:
Gateway:
10.7.1.1 10.5.2.1
DHCP Settings
for VLAN 1XX (01, 02, ..,13)
network 10.7.1XX.0/24
ip range 10.7.1XX.100 to
10.7.1XX.199

Tunnel Source
LAB: Guest GRE Tunnel and DHCP Server
1. Connect to your Class-GRE-X SSID
422
On your remote
hosted PC,
connect to the
SSID:
Class-GRE-X
Passphrase/Net
work Key:
aerohive123

Open a web browser and Browse
to a decent web site:
http://www.aerohive.com
A captive web portal page will
be displayed
Fill out the web registration form
Click Accept to agree to the
Acceptable Use Policy
2. Agree to Acceptable Use Policy
Once the login is successful, you
can access the network
After a moment, you should
automatically be redirected to the
web page you initially requested
or a URL you specified in the
captive web portal
3. Verify Access To Internet
Your IP address should be from the 10.7.1XX.0/24
network
Note the IP address, VLAN and user profile attribute
VLAN: 1XX
User Profile Attribute: 1XX

4. View Active Clients list
5. View GRE Tunnel Information
426
From MonitorAll Devices
Check the box next to
your A Aerohive AP
Click Tools...Diagnostic
Show GRE Tunnel
QUESTIONS?
BONJOUR GATEWAY
428
Bonjour Gateway Services
429
If you have a 3
rd
party network
You can create a bonjour only policy and put an AP (bonjour
gateway) in your network
If you have an Aerohive wireless network
The Designated Access (DA) point for management network will
be the bonjour gateway
Enable bonjour gateway services in your network policies to
ensure the designated access points get the bonjour gateway
configuration
Also if the DA is taken offline, you will want the bonjour gateway
configuration ready to run on the new DA (which was the
backup designated access point (BDA)
Even with an Aerohive Wireless network
If you want to have a dedicated access point for bonjour
gateway services, create a bonjour only network policy and
ensure the AP has a unique Hive name. If the AP is its own hive,
it is the DA, and therefore will be the bonjour gateway.
Router
Aerohive Bonjour Gateway
430
Bonjour is a protocol
that Apple devices use
to advertise available
services within a
VLAN/subnet.
Aerohive devices can
function as Bonjour
Gateways and forward
service advertisements
across VLAN/subnet
boundaries
Services in one VLAN or
subnet then become
available to users in
other VLANs/subnets.
Aerohive APs
have Bonjour
Gateway
functionality
built-in
AirPlay
AirPrint
Printer: Bonjour Capable
Wire or Wi-Fi Connected

Apple TV:
Bonjour Capable
iPhone or iPad
Wi-Fi Connected
431
Without a Bonjour
Gateway
All devices using a
Bonjour service must be
on the same subnet
Because the Bonjour
devices and users in
this example are on
different subnets
the iPad in this picture
can not use Airplay to
send its display to the
Apple TV on VLAN 2, and
the iPad can not use
AirPrint to print to the
printer on VLAN 2
IP: 10.5.2.20/24 VLAN 2

Apple TV: Bonjour Capable
IP: 10.5.2.10/24 VLAN 2
Aerohive AP1
IP: 10.5.1.100/24
Mgmt VLAN 1
SSID: Device-WiFi
Device VLAN 2
SSID: Corp-WiFi
User VLAN 10

iPhone or iPad
Wi-Fi Connected
IP: 10.5.10.33/24
VLAN 10
AirPlay
AirPrint
X
X
Router
432
With a Bonjour
Gateway
The iPad in this picture for
example on VLAN 10 can
use Airplay to send its
display to the Apple TV on
VLAN 2,
or user AirPrint to print to
the printer on VLAN 2
Bonjour Gateways to
do not route the
bonjour traffic, they
provide responses to
Bonjour discovery
requests from Bonjour
client devices to
services learned on
different subnets
Aerohive AP1
IP: 10.5.1.100/24
Mgmt VLAN 1
SSID: Device-WiFi
Device VLAN 2
SSID: Corp-WiFi
User VLAN 10

AirPlay
AirPrint
IP: 10.5.2.20/24 VLAN 2

Apple TV: Bonjour Capable
IP: 10.5.2.10/24 VLAN 2
iPhone or iPad
Wi-Fi Connected
IP: 10.5.10.33/24
VLAN 10
Router
Bonjour Gateway Services
433
If you have a 3
rd
party network
You can create a bonjour only policy and put an AP (bonjour
gateway) in your network
If you have an Aerohive wireless network
The Designated Access (DA) point for management network will
be the bonjour gateway
Enable bonjour gateway services in your network policies to
ensure the designated access points get the bonjour gateway
configuration
Also if the DA is taken offline, you will want the bonjour gateway
configuration ready to run on the new DA (which was the
backup designated access point (BDA)
Even with an Aerohive Wireless network
If you want to have a dedicated access point for bonjour
gateway services, create a bonjour only network policy and
ensure the AP has a unique Hive name. If the AP is its own hive,
it is the DA, and therefore will be the bonjour gateway.
Bonjour Gateway Service
434
When bonjour gateway
services are enabled,
the AP will
automatically probe
the network to
determine which
VLANs are active by
using DHCP discovery,
and create a bonjour
gateway device
(bgd) IP interface for
each VLAN

Apple TV:
Bonjour Capable
802.1Q
Aerohive AP1
int mgt0
IP 10.5.1.100/24
VLAN 1

int bgd0.2
IP 10.5.2.44/24
VLAN 2
int bgd0.3
IP 10.5.8.129/24
VLAN 8
int bgd0.4
IP 10.5.10.58/24
VLAN 10

Router
DHCP Scopes
10.5.1.0/24 VLAN 1
10.5.2.0/24 VLAN 2
10.5.8.0/24 VLAN 8
10.5.10.0/24 VLAN 10

DHCP
Server
435
When the AP detects a
bonjour service on a
VLAN, it will build a table
of available services
When a bonjour client
device on a VLAN sends
a bonjour discovery from
a VLAN different than
what a bonjour service is
on, the AP if permitted by
a filter rule will respond
with the bonjour service
information

Apple TV:
Bonjour Capable
Aerohive AP1
int mgt0
IP 10.5.1.100/24
VLAN 1

int bgd0.2
IP 10.5.2.44/24
VLAN 2
int bgd0.3
IP 10.5.8.129/24
VLAN 8
int bgd0.4
IP 10.5.10.58/24
VLAN 10

802.1Q
DHCP Scopes
10.5.1.0/24 VLAN 1
10.5.2.0/24 VLAN 2
10.5.8.0/24 VLAN 8
10.5.10.0/24 VLAN 10

Router
DHCP
Server
436
VLANs are unique within a single routed domain
VLAN IDs may be reused in a network that is segmented by
routers, common with VLAN 1
Aerohive bonjour gateway service supports unique VLANs
throughout a network, and networks that reuse VLAN IDs for the
bonjour gateway service
Apple TV:
Bonjour Capable
AP1
int mgt0
IP 10.5.1.100/24
Mgt VLAN 1
SSID: Corp-WiFi
User VLAN 10
802.1Q
VLAN 1,10
Printer:
Bonjour Capable
AP2
int mgt0
IP 10.7.1.100/24
Mgt VLAN 1
SSID: Corp-WiFi
User VLAN 50
Floor 1 Floor 2
Router1
VLAN 1, 10
Router2
VLAN 1, 50
Printer
IP 10.7.1.150/24
VLAN 1
Apple TV
IP 10.5.1.14/24
VLAN 1
802.1Q
VLAN 1,50
VLAN 11
437
APs in different subnets can automatically locate each other
wirelessly, or can be set manually as L3 roaming neighbors
In this case, AP1 is a local Bonjour Gateway Device (BGD), and
AP2 is a remote Bonjour gateway device
AP1 will advertise the Apple TV service to AP 2 so AP2 can
respond to Bonjour discovery messages on its VLAN 1 and 50
Apple TV:
Bonjour Capable
AP1
int mgt0
IP 10.5.1.100/24
Mgt VLAN 1
SSID: Corp-WiFi
User VLAN 10
802.1Q
VLAN 1,10
Printer:
Bonjour Capable
AP2
int mgt0
IP 10.7.1.100/24
Mgt VLAN 1
SSID: Corp-WiFi
User VLAN 50
Floor 1 Floor 2
Router1
VLAN 1, 10
Router2
VLAN 1, 50
Printer
IP 10.7.1.150/24
VLAN 1
Apple TV
IP 10.5.1.14/24
VLAN 1
802.1Q
VLAN 1,50
VLAN 11
Local BGD Remote BGD
for AP 2
438
In this case, AP2 is a local Bonjour Gateway Device (BGD), and
AP1 is a remote Bonjour gateway device
AP2 will advertise the Printer service to AP 1 so AP1 can respond
to Bonjour discovery messages on its VLAN 1 and 10
Apple TV:
Bonjour Capable
AP1
int mgt0
IP 10.5.1.100/24
Mgt VLAN 1
SSID: Corp-WiFi
User VLAN 10
802.1Q
VLAN 1,10
Printer:
Bonjour Capable
AP2
int mgt0
IP 10.7.1.100/24
Mgt VLAN 1
SSID: Corp-WiFi
User VLAN 50
Floor 1 Floor 2
Router1
VLAN 1, 10
Router2
VLAN 1, 50
Printer
IP 10.7.1.150/24
VLAN 1
Apple TV
IP 10.5.1.14/24
VLAN 1
802.1Q
VLAN 1,50
VLAN 11
Remote BGD
for AP2
Local BGD
Bonjour Browser Apps
439
You can download bonjour browser
applications for your iPad or iPhones
iTunes
You can download bonjour browser
application for your MacBook
http://www.tildesoft.com
You can also download a bonjour browser
for Microsoft windows
http://hobbyistsoftware.com/bonjourBr
owser
If you do not have bonjour running, you
will need that as well. Bonjour comes with
iTunes, possibly Skype, and some other
programs on windows. (64bit windows
link)
http://supportdownload.apple.com/downlo
ad.info.apple.com/Apple_Support_Area/Ap
ple_Software_Updates/Mac_OS_X/downloa
ds/061-
5788.20081215.5t9Uk/Bonjour64Setup.exe

Show Bonjour Status
440
02-A-0c4980#show bonjour status
Bonjour Gateway Status:Enabled
Bonjour Gateway Debug: off
Realm id: 08ea:440c:4980
Local BDD mgt0: IP(10.5.1.52/24), VLAN(1)
MAC(08ea:440c:4980)
Total 3 Local Attached VLANs: 2 10 1
Total Services: 5, Published Times: 5
Total 1 Remote BDDs:
1) 10.7.1.52/24
Show Bonjour Interfaces
441
02-A-0c4980#show int
State=Operational state; Chan=Channel;
Radio=Radio profile; U=up; D=down;
Name MAC addr Mode State Chan VLAN Radio Hive SSID
------- -------------- -------- ----- ---- ---- ---------- ---------- ---------
Mgt0 08ea:440c:4980 - U - 1 - Training -
Bgd0.1 08ea:440c:4980 - U - 2 - Training -
Bgd0.2 08ea:440c:4980 - U - 10 - Training -
02-A-0c4980#show int bgd0.1
Admin state=enabled; Operational state=up;
DHCP client=enabled;
IP addr=10.5.2.52; Netmask=255.255.255.0;
VLAN id=2;
02-A-0c4980#show int bgd0.2
Admin state=enabled; Operational state=up;
DHCP client=enabled;
IP addr=10.5.10.52; Netmask=255.255.255.0;
VLAN id=10;

View Bonjour Gateway Services
Detailed Information
442
show bonjour status local detail
3) Name=Apple TV; Type=_airplay._tcp.; VLAN=2;
IP=10.5.2.53; Port=7000; Netmask=255.255.255.0;
Host=Apple-TV.local.;
Flags=Add/Local/Completed/Filtered/(43); Service
Create Time=Aug 30 16:33:35 2012; Last Time Update To
Remote BDD=10 sec ago; Last Time Update From Remote
BDD=N/A; BDD=0.0.0.0; Sdref=N/A; Service Published
Iface(vlan) List=bgd0.3(10)(Done) bgd0.2(8)(Done)
mgt0(1)(Done) ; TXT Length=75; TXT:
"deviceid=B8:17:C2:CC:33:9F" "features=0x39f7"
"model=AppleTV2,1" "srcvers=130.14"
The Service Published Iface(vlan) lets you know that the service
will be available on each of the interfaces(vlans) shown
If you do not see the interfaces listed, then the service will not be
available on other VLANs than the VLAN the service was
received on
VLAN
ID
Bonjour Service
and IP Info
Set the Clock!
443
Please make sure NTP is set on your APs. If your APs are not within
a reasonable time, i.e. 1970, then Bonjour services will not work
02-A-0c4980#show clock
2012-08-29 22:16:16 Wednesday

Bonjour Services Can Be Filtered By the
Bonjour Gateway
444
03-A-471140#show bonjour service local
Show Local Bonjour Gateway Service:
No. VLAN Service-IP Port Type Name
=============================================================
1 2 10.5.2.103 49152 _raop._tcp. 98D6BB2A6F0F@Apple TV
2 2 10.5.2.103 7000 _airplay._tcp. Apple TV

Total 2 services.
03-A-471140#show bonjour service local filter
Show Local Bonjour Gateway Service:
No. VLAN Service-IP Port Type Name
=============================================================
1 2 10.5.2.103 7000 _airplay._tcp. Apple TV

HiveManager Shows The Bonjour Services
Reported By The Bonjour Gateways
445
MonitorBonjour Gateway
BONJOUR GATEWAY LAB
446
Lab: Bonjour Gateway
1. Verify No Bonjour Services on Hosted PC
447
From your Hosted PC
Start the Bonjour Browser
You will notice that no Bonjour
Services are available
Your PC is on VLAN 10, and the Apple
TV is on VLAN 2, so the only way you
can see the services is from a
Bonjour Gateway

2. Select Network Policy
448
To configure Bonjour
Gateway Services
Go to Configuration
Select your Network
Policy: WLAN-X and
click OK

3. Create a new Bonjour Gateway Profile
449
In your Network
Policy: WLAN-X,
next to Bonjour
Gateway click
Choose
Click New
4. Define Bonjour Profile Settings
450
Name: Bonjour-X
Scan the following VLANs
for services: 1-10
Note: We do not have
any other VLANs on this
network so it saves time
to limit to your known
VLANs
VLANs are checked in
parallel, so you can
check all 4095 in a short
period of time.
The bonjour gateway is
looking for any VLAN that
returns a DHCP address.
Ensure all the default
services are selected
Click Save

Click Upload The changes will take effect immediately
5. Update the configuration of your A-Aerohive AP
Filter set to
Current
Policy
6. Note MAC of DA AP and View Bonjour Gateway
452
Go to Monitor
Note the MAC
address of the AP
(Node ID) this will be
the bonjour gateway
realm name
Go to Monitor
Bonjour Gateway
In a minute you should
your AP MAC as a
realm
Click the Realm name
to see the bonjour
services
There is an Apple TV
on the network with 2
bonjour services
7. Verify Bonjour Services on Hosted PC
453
From your Hosted PC
Start the Bonjour Browser
You will see two services:
_airplay.tcp (Apple TV)
_raop._tcp.(98D6BB2A6F0F@Apple TV)
Your PC is on VLAN 10, and the Apple
TV is on VLAN 2, so the only way you
can see the services is from a
Bonjour Gateway
Note: As long as one Bonjour Gateway
in class is working everyone will see the
services. We will use the CLI to see if
yours is working or not.

8. Use SSH Client to Access Your AP
454
From Monitor
Aerohive APs
Select your AP and
click Utilities...
SSH Client
Click Connect
Wait about 30
seconds

9. Verify the DA is the Bonjour Gateway
455
Type: show amrp <Return>
Find the IP address of the
Designated AP (DA) of the
management subnet
From Monitor find the IP
address of the DA access
point and note the MAC
address of the AP (Node ID)
From Monitor-Bonjour
Gateway: Verify the MAC
address of the DA
10. Instructor: Use SSH Client to Access the DA
456
From Monitor
Aerohive APs
Select the Designated
AP (DA) and click
Utilities...
SSH Client
Click Connect
Wait about 30
seconds

11. Instructor: Show Bonjour Service Local Detail
457
Type: show bonjour service local detail
<Return>
Locate the line with Apple TV;Type=_airplay._tcp and scroll the
window to the right until you see Service Published Iface(vlan)
The bonjour services are advertised out the bgd0.X interfaces listed
bgd0.3 is vlan 10, bgd0.2 is vlan 8, and bgd0.1 is VLAN 1. It will not
readvertise out the VLAN it was learned from which is VLAN 2
12. Create Bonjour service filter
458
From your network
policy: WLAN-X
Click your bonjour
policy: Bonjour-X

13. Filter Out Unwanted Services
459
For the services, uncheck All
Locate and check the box
next to AirPlay
Click Save and then Update
the configuration of your AP

14. Instructor: Use SSH Client to Access the DA
460
From Monitor
Aerohive APs
Select the Designated
AP (DA) and click
Utilities...
SSH Client
Click Connect
Wait about 30
seconds

15. Instructor: Show Bonjour Service Local Detail
461
Type: show bonjour service local
Type: <Return>
This shows all the services that have been learned
Type: show bonjour service local filter
Type: <Return>
This shows all the services that make it through the
filter

If the lab was done correctly, you should only see _airplay._tcp

QUESTIONS?
MOBILE DEVICE MANAGEMENT
(MDM) ENFORCEMENT WITH
JAMF (CASPER SUITE)
FOR APPLE DEVICES
MDM
464
Network-based MDM
Access controls based on User, Device Type, Location
Policy Enforcement QoS, Firewall, SLA, Time of Day Controls
Now, Required Enrollment

Profile-based MDM
Device Management and configuration
App/Software Installation and Updates
App and Feature Restrictions
Policy Enforcement (device capabilities, passcode, etc)
Content Distribution
JAMF Software (for now)

Aerohive and JAMF Software Together

465
Automatically Enroll and Re-Enroll Apple iOS Mobile Devices and
OSX-based Macs
Control User and Device Access to the Network and Network
Resources
Configure and Deploy Security and Configuration Profiles for
Apple devices
Manage iOS and Mac OS X Inventory
Distribute App Store/Custom Apps and eBooks to iOS Devices

Apple Management Components
466
How Enrollment Check Works - Before
467
Device Joins the SSID and is placed in Walled Garden
Able To Reach DHCP, DNS services + JSS and Apple Notification Servers
AP Identifies the OS via DHCP Options
If not iOS device, released from Walled Garden
If iOS device, AP queries JSS whether device is enrolled
Enrolled Devices Released From Walled Garden
Un-enrolled iOS devices remain quarantined. All HTTP requests forwarded to JSS
Enrollment Web Page

How Enrollment Check Works - After
468
Once AP verifies enrollment is complete, walled garden opens
Network access now dictated by rules of relevant User Profile
Relevance based on User, Location, Device Type, Time, etc.
Configure SSID
469

Create SSID
Expand Advanced
Enable MDM Enrollment
Enable OS Object for
iPod/iPhone/iPad or
MacOS
Enter URL of JSS
Enter JSS Admin
Credentials

Set DHCP Options
470
Additional Settings > Service Settings > Management Options
Click Modify
Ensure Use DHCP Option 55 contents is selected
Click Save

Connect to Network and Enroll
471
Join iOS or Mac OS device to JAMF-protected network
AP will perform enrollment check.
Un-enrolled devices will be redirected to the JSS enrollment
page

Enrollment
472
Un-enrolled Apple Devices must enroll to gain access to the network
Administrators may allow open enrollment or require authentication (works
with external LDAP or JSS internal user database )
User must manually install Trust Certificate, MDM Profile (SCEP)
JSS sends instructions to APNs that notify clients to do the following:
Perform Inventory Request
Install Self Service Web Clip (iOS only)
Install Any Already-Assigned Settings, Restrictions Policies, or Apps

How JSS and Apple Keep iOS Devices
Up To Date On Any Network
473
After initial enrollment, managed iOS Devices maintain
relationship with JSS
Does not matter to which network device connects

Apple Push Notification Service
474
With JAMF Software, You Can
475
For OSX Devices
Install Software Packages
Configure Printers
Run Scripts
Set Device and Software Restrictions
Set and Configure Passcodes
Configure Networks
Configure VPN
Configure Exchange/IMAP/POP3 email
Configure Directories
Configure Security Settings
Deploy Certificates
Wipe or Lock Lost or Stolen Devices
Collect Device Hardware and App
Inventory
Manage Device Encryption
And More

For iOS Devices
Deploy App Store or Custom Apps
Publish eBooks
Set Device Restrictions
Set and configure Passcodes
Configure Wi-Fi Networks and Security
Configure VPN
Configure Exchange/IMAP/POP3
email
Configure LDAP, CALDAV, CardDAV
Set Web Clips
Deploy Certificates
Wipe or Lock Lost or Stolen Devices
Collect Device Hardware and App
Inventory
Deploy Self Service Web Clip
And More
Troubleshooting Scenario 1
476
Problem: Device is Not Captured in Walled Garden
Things To Check:

Is the OS Detected Correctly?

Does JSS think the Device Already Enrolled?

Is The Client OS Detected Correctly?
477
MDM Walled Garden is only applied to Apple Mobile Devices
running iOS or Macs running OSX
If OS not detected correctly, then device not kept in walled
garden
Using DHCP Option 55
iPod/iPhone/iPad Will be Detected as Apple iOS
All versions of OSX are reported as Mac OS
Using HTTP User Agent
Devices Detected As:
iPad
iPhone
iPod
Mac OS

Does JSS Think Device Is Already Enrolled?
478
You can query JSS manually to determine whether the JSS thinks
a device is already enrolled.
From HiveManager:
Monitor > Clients >Active Clients
Check Device to query, click Operation > Show MDM
Enrollment

From CLI
exec jss-check mobile-device <mac-address> enroll-status

479
Problem: Device Never Gets Out of Walled Garden After
Successful Enrollment

Things To Check:
Can AP Connect To JSS?
Does JSS Admin Account Have Correct Privilege Level?
Is Enrollment Fully Complete?

Can AP/BR Connect To JSS?
480

2012-08-14 13:06:56 err ah_auth: [JSS] enroll parse response failed.(rc=8)
2012-08-14 13:06:56 err ah_auth: [JSS] parse response xmlfile failed.
2012-08-14 13:06:56 info ah_cli: admin:<exec jss-check mobile-device A4D1:D243:1A35 enroll-status >

Things To Check
Can AP contact JSS on port 8443/443?
Is the SSID configured with correct JSS admin/password?
Does JSS admin account have right privileges in JSS?

JSS Admin Privileges
481
Aerohive Requires JSS Admin Has Minimal Privileges
Login to JSS
Settings > Accounts > {user} > Edit Account
Privilege Tab
No Privileges required
API Privileges
For iOS Mobile Devices = READ
For MacOS Computers = READ

Partial Enrollment
482
To be fully enrolled, device must complete inventory request
In JSS, go to Inventory > Mobile Devices (or Computers) >
Search
Click Details on the Problematic Client
A partially enrolled device will lack critical inventory information,
specifically a MAC address
To resolve, ensure clients can access APNs on TCP 5223 and the
JSS on TCP 8443 or TCP 443
483
JSS Thinks Device Is Enrolled, but I Know It Is Not. Device
Bypasses Walled Garden
When device Is de-enrolled By a user, the device attempts to
notify JSS of de-enrollment
If Device Can Not Notify JSS, MDM Profiles Are Removed
Anyway
Therefore, JSS Thinks Device Is Still Enrolled and client bypasses walled
garden
JSS conducts inventory on daily basis (depending on configuration)
JSS will not mark de-enrolled device as missing for a long time
Configurable Setting Have To Balance Risk of Scavenging Devices that have simply
been off for awhile
CUSTOMER SHOULD TALK TO JAMF FOR GUIDANCE/BEST PRACTICE

484
JSS Knows Device Is Not Enrolled, but an already connected
device still has Internet Access
Aerohive checks enrollment status after device associates to
the network
De-auth the client from the network and clear caches
Device should return to walled garden at next association

Documentation
485
Configuration Guide Available in Help > Videos & Guides
http://www.aerohive.com/330000/docs/help/english/5.1r1/re
f/Aerohive_JAMF-MDM-Configuration-Guide_330083-01.pdf

Evaluation Guide Available Upon Request

5.1.r2 versions of each will be available soon

QUESTIONS?
THANK YOU
487

AAWC Class 5.1r1 Revf

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

AAWC Class 5.1r1 Revf

Încărcat de

Drepturi de autor:

Formate disponibile

2012 Aerohive Networks Inc.

HiveManager version 5.1

S-ar putea să vă placă și