ACWP Aerohive Configuration Guide (slide transcript)
© 2014 Aerohive Networks Inc.
Instructor-led Training
AEROHIVE CERTIFIED WIRELESS PROFESSIONAL (ACWP)
© 2014 Aerohive Networks CONFIDENTIAL
Welcome
• Introductions
• Facilities Discussion
• Course Overview
• Extra Training Resources
• Questions
Introductions
• What is your name?
• What is your organization's name?
• How long have you worked in Wi-Fi?
• Are you currently using Aerohive?
Facilities Discussion
• Course Material Distribution
• Course Times
• Restrooms
• Break room
• Smoking Area
• Break Schedule
  › Morning Break
  › Lunch Break
  › Afternoon Break
Aerohive Advanced WLAN Configuration (ACWP) – Course Overview
Each student connects to HiveManager, a remote PC, and an Aerohive AP over the Internet from their wireless-enabled laptop in the classroom, and then performs hands-on labs that cover the following topics:
• 802.1X/EAP architecture overview
• 802.1X with external RADIUS
• RADIUS attributes for user profile assignment
• Using Client Monitor to troubleshoot 802.1X/EAP
• HiveManager Certificate Authority
• Aerohive devices as RADIUS servers that integrate with LDAP
• Client Management – Device on-boarding using 802.1X
• Client Management – Device on-boarding using PPSK
• Layer 2 IPsec VPN client and VPN servers
• Device classification
• Layer 3 roaming configuration and troubleshooting
• Guest Management using GRE tunneling to a DMZ
2 Day Hands-on Class
Aerohive CBT Learning
http://www.aerohive.com/cbt
Aerohive Education on YouTube
http://www.youtube.com/playlist?list=PLqSW15RTj6DtEbdPCGIm0Kigvrscbj-Vz
Learn the basics of Wi-Fi and more.
The 20 Minute Getting Started Video Explains the Details
Please view the Aerohive Getting Started Videos:
http://www.aerohive.com/330000/docs/help/english/cbt/Start.htm
Aerohive Technical Documentation
All the latest technical documentation is available for download at:
http://www.aerohive.com/techdocs
Aerohive Instructor Led Training
• Aerohive Education Services offers a complete curriculum that provides you with the courses you will need as a customer or partner to properly design, deploy, administer, and troubleshoot all Aerohive WLAN solutions.
• Aerohive Certified WLAN Administrator (ACWA) – First-level course
• Aerohive Certified WLAN Professional (ACWP) – Second-level course
• Aerohive Certified Network Professional (ACNP) – Switching/Routing course
• www.aerohive.com/training – Aerohive Class Schedule
Over 20 books about networking have been written by Aerohive Employees
CWNA Certified Wireless Network Administrator Official Study Guide by David D. Coleman and David A. Westcott
CWSP Certified Wireless Security Professional Official Study Guide by David D. Coleman, David A. Westcott, Bryan E. Harkins and Shawn M. Jackman
CWAP Certified Wireless Analysis Professional Official Study Guide by David D. Coleman, David A. Westcott, Ben Miller and Peter MacKenzie
802.11 Wireless Networks: The Definitive Guide, Second Edition by Matthew Gast
802.11n: A Survival Guide by Matthew Gast
802.11ac: A Survival Guide by Matthew Gast
Aerohive Exams and Certifications
• Aerohive Certified Wireless Administrator (ACWA) is a first-level certification that validates your knowledge and understanding of Aerohive Networks' WLAN Cooperative Control Architecture. (Based upon Instructor Led Course)
• Aerohive Certified Wireless Professional (ACWP) is the second-level certification that validates your knowledge and understanding about Aerohive advanced configuration and troubleshooting. (Based upon Instructor Led Course)
• Aerohive Certified Network Professional (ACNP) is another second-level certification that validates your knowledge about Aerohive switching and branch routing. (Based upon Instructor Led Course)
Aerohive Forums
• Aerohive's online community – HiveNation
Have a question, an idea or praise you want to share? Join the HiveNation Community - a place where customers, evaluators, thought leaders and students like yourselves can learn about Aerohive and our products while engaging with like-minded individuals.
• Please, take a moment and register during class if you are not already a member of HiveNation. Go to http://community.aerohive.com/aerohive and sign up!
Aerohive Social Media
The HiveMind Blog: http://blogs.aerohive.com
Follow us on Twitter: @Aerohive
• Instructor: David Coleman: @mistermultipath
• Instructor: Bryan Harkins: @80211University
• Instructor: Gregor Vucajnk: @GregorVucajnk
• Instructor: Metka Dragos: @MetkaDragos
Please feel free to tweet about #Aerohive training during class.
Aerohive Technical Support – General
I want to talk to somebody live. Call us at 408-510-6100 / Option 2. We also provide service toll-free from within the US & Canada by dialing (866) 365-9918. Aerohive has Support Engineers in the US, China, and the UK, providing coverage 24 hours a day.
How do I buy Technical Support?
Support Contracts are sold on a yearly basis, with discounts for multi-year purchases. Customers can purchase Support in either 8x5 format or in a 24 hour format.
I have different expiration dates on several Entitlement keys, may I combine all my support so it all expires on the same date?
Your Aerohive Sales Rep can help you set up Co-Term, which allows you to select matching expiration dates for all your support.
Aerohive Technical Support – The Americas
How do I reach Technical Support?
Aerohive Technical Support is available 24 hours a day. This can be via the Aerohive Support Portal or by calling. For the Support Portal, an authorized customer can open a Support Case. Communication is managed via the portal with new messages and replies. Once the issue is resolved, the case is closed, and can be retrieved at any time in the future.
I want to talk to somebody live. For those who wish to speak with an engineer, call us at 408-510-6100 / Option 2. We also provide service toll-free from within the US & Canada by dialing (866) 365-9918.
I need an RMA in The Americas
An RMA is generated via the Support Portal, or by calling our Technical Support group. After troubleshooting, should the unit require repair, we will overnight* a replacement to the US and Canada. Other countries are international. If the unit is DOA, it's replaced with a brand new item; if not, it is replaced with a like-new refurbished item.
*Restrictions may apply: time of day, location, etc.
Aerohive Technical Support – International
How Do I get Technical Support outside The Americas?
Aerohive international Partners provide dedicated Technical Support to their customers. The Partner has received specialized training on Aerohive Networks' product line, and has access to 24 hour Internal Aerohive Technical Support via the Support Portal, or by calling 408-510-6100 / Option 2.
I need an RMA internationally
World customers' defective units are quickly replaced by our Partners, and Aerohive replaces the Partner's stock once it arrives at our location. Partners are responsible for all shipping charges, duties, taxes, etc.
Copyright Notice
Copyright © 2014 Aerohive Networks, Inc. All rights reserved.
Aerohive Networks, the Aerohive Networks logo, HiveOS, Aerohive AP, HiveManager, and GuestManager are trademarks of Aerohive Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies.
CLASSROOM & DATA CENTER
• Classroom SSID
• Data Center setup
Lab: Get Connected – 1. Connect to class WLAN
• Please connect to the SSID: aerohive-class
• Network Key: aerohive123
Classroom diagram (Instructor PC, WLAN Policy: WLAN-Classroom):
• SSID: Class-SSID
• Security: WPA/WPA2 Personal (PSK)
• Network Key: aerohive123
• Guest Client, VLAN 1
• AP Mgt0 IP: 10.5.1.N/24, VLAN 1, Internet uplink
• Client: Connect to SSID: Class-SSID; IP: 10.5.1.N/24; Gateway: 10.5.1.1
Aerohive Training Remote Lab
• Aerohive Access Points using external antenna connections and RF cables to connect to USB Wi-Fi client cards (Black cables)
• Access Points are connected from eth0 to Aerohive Managed Switches with 802.1Q VLAN trunk support providing PoE to the APs (Yellow cables)
• Firewall with routing support, NAT, and multiple Virtual Router Instances
• Access Points are connected from their console port to a console server (White cables)
• Console server to permit SSH access into the serial console of Aerohive Access Points
• Server running VMware ESXi running Active Directory, RADIUS, NPS and hosting the virtual clients used for testing configurations to support the labs
Network Layout for Data Center
• L3 Switch/Router/Firewall: eth0 10.5.1.1/24 VLAN 1; eth0.1 10.5.2.1/24 VLAN 2; eth0.2 10.5.8.1/24 VLAN 8; eth0.3 10.5.10.1/24 VLAN 10; eth1 10.6.1.1/24 (DMZ)
• L2 Switch: Native VLAN 1
• HiveManager: MGT 10.5.1.20/24
• Win2008 AD Server: MGT 10.5.1.10/24
• Linux Server: MGT 10.6.1.150/24
• Terminal Server: 10.5.1.5/24
• 14 Aerohive AP 340s (X = 2, 3, ... N): MGT0 10.5.2.*/24, No Gateway
• Aerohive AP Common Settings: Default Gateway: None; MGT0 VLAN 2; Native VLAN 1; LAN ports connected to L2-Switch with 802.1Q VLAN Trunks
• 14 Client PCs for Wireless Access (X = 2, 3, ... N): Ethernet 10.5.1.202/24, 10.5.1.203/24, ... 10.5.1.20N/24, No Gateway; Wireless 10.5.V.X/24, Gateway 10.5.V.1
• Services for Hosted Class:
  › Win2008 AD Server: RADIUS (NPS), DNS, DHCP
  › Linux Server: Web Server, FTP Server
AEROHIVE ENTERPRISE MODE – Get Connected to HiveManager
Connect to the Hosted Training HiveManager
• Securely browse to the assigned HiveManager for class
  › Training Lab 1: https://training-hm1.aerohive.com (https://72.20.106.120)
  › Training Lab 2: https://training-hm2.aerohive.com (https://72.20.106.66)
  › Training Lab 3: https://training-hm3.aerohive.com (https://209.128.124.220)
  › Training Lab 4: https://training-hm4.aerohive.com (https://203.214.188.200)
  › Training Lab 5: https://training-hm5.aerohive.com (https://209.128.124.230)
• Supported Browsers:
  › Firefox, Internet Explorer, Chrome, Safari
• Class Login Credentials:
  › Login: adminX (X = Student ID 2 - 29)
  › Password: aerohive123
NOTE: In order to access the HiveManager, someone at your location needs to enter the training firewall credentials given to them by the instructor first.
LAB: Setting Up a Wireless Network – LAB Goals
• Connect to HiveManager to create a simple Network Policy with static PSK security.
• Define Static IP addresses for the student access point and VPN gateway.
• Update the devices
• Connect to the hosted PC and test the wireless connectivity.
• Each student creates a client monitor for future troubleshooting.
• Proceed to the advanced labs.
Lab: Setting Up a Wireless Network 1. Creating a new Network Policy
• Go to Configuration
• Click the New Button
Lab: Setting Up a Wireless Network 2. Building your Initial Wireless Network Policy
• Name: WLAN-X
• Select: Wireless Access and Bonjour Gateway
• Click Create
Only the Wireless Access and Bonjour Gateway Profiles are used in this class. Switching and Branch Routing are covered in another course. For information about that class visit: http://aerohive.com/support/technical-training/training-schedule for dates and registration.
Network Policy Types
• Wireless Access – Use when you have an AP only deployment, or you require specific wireless policies for APs in a mixed AP and router deployment
• Branch Routing – Use when you are managing routers, or APs behind routers that do not require different Network Policies than the router they connect through
[Figure: a BR100 at a Small Branch Office or Teleworker Site and a BR200 at a Small to Medium Size Branch Office that may have APs behind the router; each router has Internet and 3G/4G LTE uplinks and provides PoE to APs, with a mesh AP shown behind the BR200]
• Switching
  › Used to manage wired traffic using Aerohive switches
• Bonjour Gateway
  › Recommended to deploy a Bonjour Gateway in 3rd Party networks
  › Bonjour Gateway Lab later in class
[Figure: an SR2024 switch providing PoE to APs, with Internet and 3G/4G LTE uplinks]
Lab: Setting Up a Wireless Network – 3. Create a New SSID Profile
Network Configuration
• Next to SSIDs click Choose
• Then click New
Lab: Setting Up a Wireless Network – 4. Configure a PSK Employee SSID
• SSID Profile: Class-PSK-X (X = 2 – 29, Student ID)
• SSID: Class-PSK-X
• Select WPA/WPA2 PSK (Personal)
• Key Value: aerohive123
• Confirm Value: aerohive123
• Click Save
• Click OK
IMPORTANT: For the SSID labs, please follow the class naming convention.
Lab: Setting Up a Wireless Network – 5. Create a User Profile
• To the right of your SSID, under User Profile, click Add/Remove
• In Choose User Profiles Click New
Lab: Setting Up a Wireless Network – 6. Define User Profile Settings
• Name: Employee-X
• Attribute Number: 10
• Network or VLAN-only Assignment: 10
• Click Save
Lab: Setting Up a Wireless Network – 7. Choose User Profile and Continue
• Ensure the Employee-X User Profile is highlighted
• Click Save
Lab: Setting Up a Wireless Network – 8. Save the Network Policy
• Click the Configure & Update Devices bar or click the Continue button
Note: The Save button saves your Network Policy. The Continue Button saves your Network Policy and allows you to proceed to the Configure and Update Devices area simultaneously.
Hosted Training Lab – Network IP Summary
• WLAN Branch Office – Aerohive AP VPN Clients: AP X-A-Aerohive (VPN Client), MGT0: 10.5.2.# (# – address learned through DHCP), Gateway 10.5.2.1; Client PC
• Firewall (NAT): 2.2.2.2; Firewall NAT Rules: 1.2.1.X to 10.8.1.X
• WLAN HQ – L2 VPN Gateway / VPN Servers: HiveOS-VA-0X, MGT0 10.200.2.X/24, Gateway 10.200.2.1; RADIUS 10.200.2.250
Lab: Setting Up a Wireless Network – 9. Update the configuration of your Aerohive AP
From the Configure & Update Devices section, modify your AP specific settings
• Display Filter: None
• Click the Name column to sort the APs
• Click the link for your 0X-A-######
Lab: Setting Up a Wireless Network – 10. Update the configuration of your A-Aerohive AP
• Topology Map: Data Center_Class-Lab or Classroom
• Select your WLAN-X Network Policy
• Set the power levels:
› 2.4GHz(wifi0) Power: 1
› 5GHz(wifi1) Power: 1
• Do not click Save yet
VERY IMPORTANT: We need to leave the power set to 1dBm on both radios because the APs are stacked in a rack in the data center
Lab: Setting Up a Wireless Network – 12. Configure Settings on Your A-Aerohive AP
Under Optional Settings
• Expand MGT0 interface settings
  › Select Static IP
  › IP Address: 10.5.2.X
  › Netmask: 255.255.255.0
  › Gateway: 10.5.2.1
• Do not Click Save yet
We are assigning the AP a static IP address because the AP will function as a RADIUS server in a later lab. Whenever Aerohive devices function as a server, they must have a static IP address. Best practice is to assign the device a static IP address prior to configuring a Network Policy that requires an Aerohive device to function as a server.
Lab: Setting Up a Wireless Network – 12. Configure Settings on Your A-Aerohive AP (continued)
Under Optional Settings
• Expand Advanced Settings
  › Check Override MGT VLAN: 2
• Click Save
Lab: Setting Up a Wireless Network – 13. Update the configuration of your HiveOS-VA
From the Configure & Update Devices section, modify your HiveOS-VA specific settings
• Display Filter: None
• Click the Name column to sort the devices
• Click the link for your VA: HiveOS-VA-0X
Lab: Setting Up a Wireless Network – 14. Update the configuration of your HiveOS-VA
• Set the Device Function to L2 VPN Gateway
• Select your WLAN-X Network Policy
• Expand MGT0 Interface Settings, and assign the VPN gateway a static IP address:
  › MGT0 IP Address: 10.200.2.X
  › Netmask: 255.255.255.0
  › Gateway: 10.200.2.1
• Click Save
Lab: Setting Up a Wireless Network – 15. Update the configuration of your AP & VA
In the Configure & Update Devices section
• Click the Name column to sort the devices
• Check the box next to your AP: X-A-######
• Check the box next to your L2 VPN Gateway: HiveOS-VA-0X
Lab: Setting Up a Wireless Network – 16. Update the configuration of AP & VA
• Select Update
• Update Devices
• Click Update
• Click OK in the Reboot Warning window
The first Update is automatically a complete update.
For this class, ALL subsequent Updates should be Complete configuration updates, unless directed otherwise.
Lab: Setting Up a Wireless Network – 17. Update the configuration of AP & VA
• The devices will reboot
Lab: Setting Up a Wireless Network – 18. Monitoring Devices
• Go to Monitor > Devices > All Devices for more detailed information and tools
  › Set items per page
  › Change column settings
  › Turn off auto refresh if you want to make changes without interruption
  › If Audit is a Red Exclamation Point, click it to see the difference between HiveManager and the device.
TEST YOUR CONFIGURATION USING THE HOSTED PC
Lab: Test Hosted Client Access to SSID – Test SSID Access at Hosted Site
• SSID: Class-PSK-X
• Authentication: WPA or WPA2 Personal
• Encryption: TKIP or AES
• Preshared Key: aerohive123
• User Profile 1: Employee(10)-X; Attribute: 10; VLAN: 10; IP Firewall: None; QoS: def-user-qos
• Hosted PC: Student-0X, VLANs 1-20
• AP Mgt0 IP: 10.5.2.N/24, VLAN 1; WLAN Policy: WLAN-X; Internet uplink
• Internal Network: AD Server 10.5.1.10; DHCP Settings: (VLAN 10) network 10.5.10.0/24, 10.5.10.140 – 10.5.10.240
• Client: Connect to SSID: Class-PSK-X; IP: 10.5.10.N/24; Gateway: 10.5.10.1
• Use VNC client to access Hosted PC: password: aerohive123
Lab: Test Hosted Client Access to SSID – 1. For Windows: Use TightVNC client
• If you are using a Windows PC
  › Use TightVNC
  › TightVNC has good compression so please use this for class instead of any other application
• Start TightVNC
  › For Lab 1: lab1-pcX.aerohive.com
  › For Lab 2: lab2-pcX.aerohive.com
  › For Lab 3: lab3-pcX.aerohive.com
  › For Lab 4: lab4-pcX.aerohive.com
  › For Lab 5: lab5-pc0X.aerohive.com
  › Select Low-bandwidth connection
  › Click Connect
  › Password: aerohive123123
  › Click OK
Lab: Test Hosted Client Access to SSID – 2. For Mac: Use the RealVNC client
• If you are using a Mac
  › RealVNC has good compression so please use this for class instead of any other application
• Start RealVNC
  › For Lab 1: lab1-pcX.aerohive.com
  › For Lab 2: lab2-pcX.aerohive.com
  › For Lab 3: lab3-pcX.aerohive.com
  › For Lab 4: lab4-pcX.aerohive.com
  › For Lab 5: lab5-pc0X.aerohive.com
  › Select Low-bandwidth connection
  › Click Connect
  › Password: aerohive123123
  › Click OK
Lab: Test Hosted Client Access to SSID – 3. In case the PCs are not logged in
If you are not automatically logged in to your PC
• If you are using the web browser client
  › Click the button to Send Ctrl-Alt-Del
• If you are using the TightVNC client
  › Click the toolbar button to send a Ctrl-Alt-Del
• Login: AH-LAB\user
• Password: Aerohive1
• Click the right arrow to login
Lab: Test Hosted Client Access to SSID – 4. Connect to Your Class-PSK-X SSID
• Single-click the wireless icon on the bottom right corner of the Windows task bar
• Click your SSID: Class-PSK-X
• Click Connect
  › Security Key: aerohive123
  › Click OK
Lab: Test Hosted Client Access to SSID – 5. In case the PCs are not logged in
If you are not automatically logged in to your PC
• If you are using the web browser client
  › Click the button to Send Ctrl-Alt-Del
• If you are using the TightVNC client
  › Click the toolbar button to send a Ctrl-Alt-Del
• Login: AH-LAB\user
• Password: Aerohive1
• Click the right arrow to login
Lab: Test Hosted Client Access to SSID – 6. Go to the Windows 8 Desktop view
From the Windows 8 start screen, click on the Desktop icon
Lab: Test Hosted Client Access to SSID – 7. Connect to Your Class-PSK-0X SSID
• Single-click the wireless icon on the bottom right corner of the Windows task bar
• Click your SSID: Class-PSK-X
• Click Connect
  › Security Key: aerohive123
  › Click Next
Lab: Test Hosted Client Access to SSID – 8. View Active Clients List
• After associating with your SSID, you should see your connection in the active clients list in HiveManager
  › Go to Monitor > Clients > Wireless Clients
• Your IP address should be from the 10.5.10.0/24 network
• VLAN: 10
Lab: Test Hosted Client Access to SSID – 9. Add Additional Columns
• To change the layout of the columns in the Active Clients list, you can click the spreadsheet icon
• Select User Profile Attribute from the Available Columns list and click the right arrow
• With User Profile Attribute selected, click the Up button so that the column is moved after Host Name
• Click Save
THE CLIENT MONITOR TOOL
Lab: Client Monitor – 1. Select a client to monitor
• To start monitoring a client's connection state go to: Monitor > Clients > Active Clients
• Select the check box next to your client to monitor
  Note: If your client does not appear, you can skip this step for now
• Click Operation... > Client Monitor
• For class, ensure your Associated Aerohive AP is selected (Do not select All)
• The MAC address of your client will be selected
  Note: You can manually enter the wireless client MAC address without delimiters (Add New Client)
• Write down your client's MAC address
• Note: Remember the Client MAC address for the next step in the lab.
• Click Add
Lab: Client Monitor – 2. Start the client monitor
• Check Filter Probe
  Note: This removes all the probe requests and responses you will see from clients and APs so you can focus on protocol connectivity
• Click Start
  Note: Your client will be monitored until you click Stop. You can leave this window, and if you go back to Operation... > Client Monitor, you will see the list of all clients being monitored
• You can expand the window by dragging the bottom right corner
• Select your client to see the connection logs for your client as they occur
Client Monitor Results
Throughout the labs, go to the client monitor for your PC to view the ongoing results
[Client Monitor output: the 4-way handshake completes, then the client is assigned an IP address from DHCP]
TIME SETTINGS FOR HIVEMANAGER AND AEROHIVE DEVICES
Verify On-Premise HiveManager Time Settings
• HiveManager and Aerohive Devices should have up-to-date time settings, preferably by NTP (HMOL Time Settings are automatic).
• Go to Home > Administration > HiveManager Settings
• Next to System Date/Time click Settings
Aerohive devices use Private PSKs and certificates, which are time-limited credentials. Therefore, it is imperative that the HiveManager Time Settings be in proper synchronization with your network. The use of an NTP server is highly recommended.
Verify Device Time Settings
• Go to Configuration
• Select your Network Policy: WLAN-X and click OK
• Next to Additional Settings Click Edit
• Expand Management Server Settings
  Note: Upon first login to a new HiveManager system, an NTP server policy is automatically created with the same name as the User name. However, the object should be edited with the proper time zones.
• Next to NTP Server
  › Click the + Icon
Aerohive devices use Private PSKs and certificates, which are time-limited credentials. Even more important than the HiveManager Time Settings, Aerohive Device Clock Settings must be properly synchronized. The use of an NTP server is MANDATORY.
• Name the service NTP-X
• Time Zone: <Please use the Pacific time Zone>
• Uncheck Sync clock with HiveManager
• NTP Server: ntp1.aerohive.com
• Click Apply
• Click Save
MANDATORY: You must change the time zone to match the time zone where your Aerohive Devices reside. Do this BEFORE you configure the rest of your Network Policy.
Instructor note: When using Lab #4 the Time Zone MUST be set to (GMT +10 Australia/Sydney)
SECURE WIRELESS LANS WITH IEEE 802.1X USING PEAP AUTHENTICATION
IEEE 802.1X with EAP
Participants: Supplicant (Computer), Authenticator (AP), Authentication Server (RADIUS). The AP keeps access blocked for the supplicant until the exchange completes.
1. 802.11 association (Supplicant and AP)
2. EAPoL-Start (Supplicant to AP)
3. EAP-Request/Identity (AP to Supplicant)
4. EAP-Response/Identity (username) (Supplicant to AP), forwarded as RADIUS Access-Request (AP to RADIUS)
5. RADIUS Access-Challenge (RADIUS to AP), relayed as EAP-Request (challenge) (AP to Supplicant)
6. EAP-Response (hashed response) (Supplicant to AP), forwarded as RADIUS Access-Request (AP to RADIUS)
7. RADIUS Access-Accept carrying the PMK (RADIUS to AP), relayed as EAP-Success (AP to Supplicant)
8. Access Granted: the supplicant ("Calculating my key...") and the server ("Calculating key for user...") each derive the key independently
Extensible Authentication Protocol (EAP) Comparison Chart
[Chart not included in the transcript]
LAB: Secure WLAN Access With 802.1X/EAP – LAB Goals
• Configure a Network Policy for 802.1X/EAP Enterprise security where APs communicate with an external RADIUS server
• Define multiple user profiles leveraging RADIUS attributes
• Connect to the hosted PC and test the 802.1X/EAP authentication
• Troubleshoot authentication problems with Client Monitor.
• Verify user profile assignment using RADIUS attributes.
LAB: Secure WLAN Access With 802.1X/EAP – Using External RADIUS
• Hosted PC: Student-0X, VLANs 1-20
• AP Mgt0 IP: 10.5.2.N/24, VLAN 1; Network Policy: WLAN-0X; Internet uplink
• AD Server: 10.5.1.10, NPS (2008)
• DHCP Settings: (VLAN 1) network 10.5.2.0/24, 10.5.2.140 – 10.5.2.240; (VLAN 10) network 10.5.10.0/24, 10.5.10.140 – 10.5.10.240
• Client: Connect to SSID: Class-EAP-X; IP: 10.5.10.N/24; Gateway: 10.5.10.1
• SSID: Class-EAP-X
• Authentication: WPA or WPA2 Personal
• Encryption: TKIP or AES
• Auth User Profile: Employee-X; Attribute: 10 (RADIUS Attribute Returned); VLAN: 10
• Default User Profile: Employee-Default-X; Attribute: 1000 (No RADIUS Attribute Returned); VLAN: 8
Instructor Only: On Hosted RADIUS Server – Verify RADIUS Client Settings
• Set the RADIUS server to accept RADIUS messages from the MGT0 interface IP on all Aerohive devices that function as authenticators
• This class uses: 10.5.2.0/24
• Shared Secret: aerohive123
  NOTE: Use a stronger key in real life!
Instructor Only: On Hosted RADIUS Server – Verify RADIUS Client Settings
• RADIUS clients often get confused with the Wi-Fi clients (supplicants)
• RADIUS clients are devices that communicate with a RADIUS server using the RADIUS protocol
• RADIUS clients are the authenticators in an 802.1X/EAP framework
• The term “RADIUS clients” is also synonymous with the term NAS clients.
On Hosted RADIUS Server – Configuring RADIUS Return Attributes
• After successful authentication by users in the AH-LAB\Wireless Windows AD group, RADIUS will return three attribute value pairs to assign the Aerohive user profile.
Standard RADIUS Attribute/Value Pairs Returned:
• Tunnel-Medium-Type: IPv4
• Tunnel-Type: GRE
• Tunnel-Pvt-Group-ID: 10
Lab: Secure WLAN Access With 802.1X/EAP – 1. Create a New SSID
To configure an 802.1X/EAP SSID for Secure Wireless Access
• Go to Configuration
• Select your Network Policy: WLAN-X and click OK
• Next to SSIDs, click Choose
• Click New
Lab: Secure WLAN Access With 802.1X/EAP – 2. Configure an 802.1X/EAP SSID
• Profile Name: Class-EAP-X
• SSID: Class-EAP-X
• Under SSID Access Security select WPA/WPA2 802.1X (Enterprise)
• Click Save
Lab: Secure WLAN Access With 802.1X/EAP – 3. Select new Class-EAP-X SSID
• Click to deselect the Class-PSK-X SSID
• Ensure the Class-EAP-X SSID is selected (highlighted)
• Click OK
Lab: Secure WLAN Access With 802.1X/EAP – 4. Create a RADIUS object
• Under Authentication, click <RADIUS Settings>
• In Choose RADIUS, click New
Lab: Secure WLAN Access With 802.1X/EAP – 5. Define the External RADIUS Server
• RADIUS Name: RADIUS-X
• IP Address/Domain Name: 10.5.1.10
• Shared Secret: aerohive123
• Confirm Secret: aerohive123
• Click Apply (Click Apply When Done!)
• Click Save
Lab: Secure WLAN Access With 802.1X/EAP – 6. Create a New User Profile
• Under User Profile, click Add/Remove
• Click New
Lab: Secure WLAN Access With 802.1X/EAP – 7. Define User Profile Settings
• Name: Employee-Default-X
• Attribute Number: 1000
• Network or VLAN-only Assignment: 8
• Click Save
Lab: Secure WLAN Access With 802.1X/EAP – 8. Assign User Profile as Default for the SSID
• With the Default > tab selected, ensure the Employee-Default-X user profile is highlighted
  › IMPORTANT: This user profile will be assigned if no attribute value is returned from RADIUS after successful authentication, or if attribute value 1000 is returned.
• Click the Authentication tab
Lab: Secure WLAN Access With 802.1X/EAP – 9. Assign User Profile to be Returned by RADIUS Attribute
• Select the Authentication > tab
• Select (highlight) Employee-X
  › Important: This User Profile will be assigned if there are matching RADIUS attributes returned from a RADIUS server. You can have as many as 63 unique User Profiles.
• Click Save
NOTE: The (User Profile Attribute) is appended to the User Profile Name
Lab: Secure WLAN Access With 802.1X/EAP – 10. Verify and Continue
• Ensure Employee-Default-X and Employee-X user profiles are assigned to the Class-EAP-X SSID
• Click Continue to Configure & Update Devices
Lab: Secure WLAN Access With 802.1X/EAP – 11. Update the AP Configuration
In the Configure & Update Devices section
• Select the Current Policy filter
• Check the box next to your AP: X-A-######
• Click Update
© 2014 Aerohive Networks CONFIDENTIAL 91
• Select Update Devices
• Select Perform a complete configuration update for all selected devices
• Click Update
• Click OK in the Reboot Warning window
For this class, ALL Updates from this point should be Complete configuration updates unless otherwise directed.
Lab: Secure WLAN Access With 802.1X/EAP12. Update the AP configuration
© 2014 Aerohive Networks CONFIDENTIAL Copyright ©2011
Lab: Secure WLAN Access with 802.1X/EAP13. Update the AP configuration
• Your new configuration will upload
• The AP will reboot
92
© 2014 Aerohive Networks CONFIDENTIAL
QUESTIONS?
© 2014 Aerohive Networks Inc.
CONFIGURING AND TESTING YOUR 802.1X SUPPLICANT (for Windows 7 supplicants)
Lab: Testing 802.1X/EAP to External RADIUS 1. Connect to Secure Wireless Network
• From the bottom task bar, click the wireless networks icon
• Click Class-EAP-X
• Click Connect
Lab: Testing 802.1X/EAP to External RADIUS 2. Connect to Secure Wireless Network
• Single-click the wireless icon in the bottom right corner of the Windows task bar
• Click Class-EAP-X
• Click Connect
• Select Use my Windows user account
• Click OK
Lab: Testing 802.1X/EAP to External RADIUS 3. View Wireless Clients
• After associating with your SSID, you should see your connection in the active clients list in HiveManager
› Go to Monitor > Clients > Wireless Clients
• User Name: DOMAIN\user
• User Profile Attribute: 10
• VLAN: 10
You were assigned to this user profile based on a user profile attribute returned by RADIUS.
User Profile Assignment via RADIUS attributes
• User profiles can be assigned based on returned RADIUS attributes
• As many as 63 different groups of users can be assigned to different VLANs, firewall policies, SLA policies, time-based policies, etc.
Leveraging RADIUS attributes for user profile assignment means you need only a single SSID for all your employees. Although a radio can transmit as many as 16 SSIDs, best practice is no more than 3-4: every additional SSID adds Layer 2 management overhead (beacons and probe responses) and degrades performance. A common strategy is three SSIDs: Employees, Voice and Guests.
Default RADIUS attributes used for User Profile assignment
Note: By default, user profile assignment by RADIUS attributes uses these standard attribute/value pairs, returned in the Access-Accept:
Tunnel-Medium-Type: IPv4
Tunnel-Type: GRE
Tunnel-Pvt-Group-ID: 10 (the user profile attribute number, here the one assigned to Employee-X)
User Profile Assignment via RADIUS attributes
• User profiles can be assigned based on any returned RADIUS attribute
• The attributes can be standard or custom
Example: Troubleshooting an Invalid User Profile attribute returned from RADIUS
• From Monitor > All Devices
• If you see an alarm when trying to authenticate with 802.1X/EAP, click the alarm icon for details
• This alarm (Invalid User Profile Returned) specifies that the RADIUS server returned a user profile attribute value that is not defined on the Aerohive AP, in this case 50
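The following is an added example, not part of the Aerohive course material: it parses the attribute section of a RADIUS Access-Accept and applies the user profile selection rules from the preceding slides (default profile when no user profile attribute comes back or when 1000 comes back, the matching profile when a defined attribute comes back, and the "Invalid User Profile Returned" condition when the value is not defined on the AP). The PROFILES table stands in for the two user profiles assigned to the SSID in this lab, the sample attribute sections are constructed rather than captured, and the rule that the group ID only counts when Tunnel-Type and Tunnel-Medium-Type carry the default GRE/IPv4 values is an assumption of this example, not documented AP behaviour.

```python
"""Added example (not Aerohive code): RADIUS Access-Accept attributes ->
user profile, following the selection rules described on the slides."""

# Standard RADIUS attribute types and values (RFC 2865 / RFC 2868).
USER_NAME = 1
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_GRE = 10          # Tunnel-Type = GRE
TUNNEL_MEDIUM_IPV4 = 1        # Tunnel-Medium-Type = IPv4

# Assumed lab setting: the SSID's user profiles keyed by attribute number.
PROFILES = {1000: "Employee-Default-X", 10: "Employee-X"}
DEFAULT_ATTRIBUTE = 1000


def parse_avps(data):
    """Split a RADIUS attribute section into (type, value) pairs.

    Each AVP is Type(1) Length(1) Value(Length-2).  A length below 2 or one
    that overruns the buffer is malformed: stop instead of reading garbage."""
    avps, off = [], 0
    while off + 2 <= len(data):
        atype, alen = data[off], data[off + 1]
        if alen < 2 or off + alen > len(data):
            raise ValueError("malformed attribute at offset %d" % off)
        avps.append((atype, data[off + 2:off + alen]))
        off += alen
    return avps


def untag(value):
    """Drop the RFC 2868 tag octet (0x00-0x1F) that may lead a Tunnel-* value."""
    return value[1:] if value and value[0] <= 0x1F else value


def select_user_profile(avps):
    """Return (profile name or None, reason) for one Access-Accept."""
    tunnel = {}
    for atype, value in avps:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tunnel[atype] = int.from_bytes(untag(value), "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tunnel[atype] = untag(value).decode("ascii", "replace")
    group = tunnel.get(TUNNEL_PRIVATE_GROUP_ID)
    if group is None:
        return PROFILES[DEFAULT_ATTRIBUTE], "no user profile attribute returned"
    # Assumption in this example: the group ID only counts when it arrives with
    # the default companion values (Tunnel-Type GRE, Tunnel-Medium-Type IPv4).
    if (tunnel.get(TUNNEL_TYPE), tunnel.get(TUNNEL_MEDIUM_TYPE)) != (TUNNEL_TYPE_GRE, TUNNEL_MEDIUM_IPV4):
        return PROFILES[DEFAULT_ATTRIBUTE], "Tunnel-Type/Tunnel-Medium-Type not GRE/IPv4, ignored"
    if not group.isdigit():
        return None, "Invalid User Profile Returned: %r is not a number" % group
    number = int(group)
    if number == DEFAULT_ATTRIBUTE:
        return PROFILES[DEFAULT_ATTRIBUTE], "attribute 1000 returned"
    if number in PROFILES:
        return PROFILES[number], "attribute %d matched" % number
    return None, "Invalid User Profile Returned: %d is not defined on the AP" % number


# Helpers to build AVPs for the constructed samples below.
def avp(atype, value):
    return bytes([atype, len(value) + 2]) + value


def tunnel_int(atype, number, tag=0):
    return avp(atype, bytes([tag]) + number.to_bytes(3, "big"))


def tunnel_group(text, tag=0):
    return avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + text.encode("ascii"))


# Constructed attribute sections (not captured traffic).
DEFAULT_PAIRS = tunnel_int(TUNNEL_TYPE, TUNNEL_TYPE_GRE) + tunnel_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IPV4)
ACCEPT_EMPLOYEE = avp(USER_NAME, b"user") + DEFAULT_PAIRS + tunnel_group("10")
ACCEPT_NO_ATTRIBUTE = avp(USER_NAME, b"user")
ACCEPT_UNDEFINED = avp(USER_NAME, b"user") + DEFAULT_PAIRS + tunnel_group("50")

if __name__ == "__main__":
    for label, section in [("Employee", ACCEPT_EMPLOYEE), ("No attribute", ACCEPT_NO_ATTRIBUTE),
                           ("Undefined", ACCEPT_UNDEFINED)]:
        print(label, "->", select_user_profile(parse_avps(section)))
```

The third sample reproduces the alarm on the troubleshooting slide: the server returned 50, which is not one of the profiles assigned to the SSID, so the function returns no profile rather than silently falling back to the default.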
Client Monitor – For 802.1X/EAP: Example of an invalid user account
• The TLS (SSL) negotiation uses the RADIUS server certificate
• Client Monitor shows the IP of the RADIUS server
• At this point you know the AAA certificates were installed correctly and the server certificate validation done by the client passed
• The user is not in the user database. View the AAA server settings and ensure the correct user group is selected, and that the Aerohive AP is a RADIUS server. Then update the configuration of the Aerohive AP.
Client Monitor Troubleshooting 802.1X
Client Monitor is the perfect tool to troubleshoot 802.1X/EAP problems
More information can be found at: http://blogs.aerohive.com/blog/the-wireless-lan-training-blog/troubleshooting-wi-fi-connectivity-with-hivemanager-tools
RADIUS Test Built Into HiveManager
To test a RADIUS account:
• Go to Tools > Server Access Tests > RADIUS Test
• RADIUS Server: 10.5.1.10
• Aerohive AP RADIUS Client: 0X-A-######
• Select RADIUS authentication server
• Username: user
• Password: Aerohive1
• Click Test
The test result also shows the attribute values returned by the RADIUS server.
QUESTIONS?
RADIUS PROXY
Instructor Only: On Hosted RADIUS Server, Verify RADIUS Client Settings
• Set the RADIUS server to accept RADIUS messages from the MGT0 interface IP of every Aerohive device that functions as an authenticator
• This class uses: 10.5.2.0/24
• Shared Secret: aerohive123
NOTE: Use a stronger shared secret in real life! The secret is all that authenticates RADIUS packets between the AP and the server, and anyone who captures an exchange on 10.5.2.0/24 can test guesses against it offline.
RADIUS Proxy on Aerohive APs
• Aerohive devices can be RADIUS proxies
› The other APs set their RADIUS server to be the RADIUS proxy AP
› The RADIUS proxy AP forwards (proxies) the authentication requests to the RADIUS server
› Only a single IP, the proxy's, has to be defined as a RADIUS client on the RADIUS server for all the APs that need to authenticate
Figure: RADIUS server 10.5.1.10 with RADIUS client settings permitting 10.5.2.2/32; AP 10.5.2.2 acts as RADIUS proxy (and as RADIUS client of the server); the remaining APs are RADIUS clients of the proxy AP.
Note: Aerohive APs, switches, BR-200 branch routers and VA gateways can all function as a RADIUS proxy.
LAB: Using Hive Devices as a RADIUS Proxy – LAB Goals
• Define one Aerohive AP as a RADIUS proxy that forwards RADIUS packets to an external RADIUS server
• Avoid the RADIUS client licensing restrictions imposed by some RADIUS vendors
• Connect to the hosted PC and test the 802.1X/EAP authentication
• Troubleshoot any authentication problems with Client Monitor
• Verify user profile assignment using RADIUS attributes
Lab: Using Hive Devices as a RADIUS Proxy 1. Designating a RADIUS Proxy
• Click Configuration
• Expand Advanced Configuration
• Click Authentication
• Click RADIUS Proxy
• Then click the New button
Lab: Using Hive Devices as a RADIUS Proxy 2. RADIUS Proxy Details
• Use Proxy-X as the Proxy Name
• Click the + next to RADIUS Server
• Do NOT save yet!
Lab: Using Hive Devices as a RADIUS Proxy 3. RADIUS Server Details
• Use RADIUS-Server-X as the RADIUS Name
• Under Add New RADIUS Server, use the dropdown arrow and select 10.5.1.10
• Server Type: Auth/Acct
• Enter and confirm the Shared Secret: aerohive123
• Select Server Role: Primary
• Click Apply
• Click Save
Lab: Using Hive Devices as a RADIUS Proxy 4. RADIUS Proxy Details
• Use the dropdown arrow next to Default under Realm Name to select RADIUS-Server-X as your RADIUS server
• Set the Realm Name to: ah-lab.local
• Ensure the Strip the Realm name from proxied access requests check box is selected
• Verify your settings
• Click Apply
• Do NOT save yet
Lab: Using Hive Devices as a RADIUS Proxy 5. RADIUS Proxy – No need for RADIUS Clients
• Though different realms can go to different RADIUS servers, for this lab set them all to: RADIUS-Server-X
• Click Save
Note: When your APs and the AP RADIUS proxy are in the same hive (configured with the same hive name), you do not need to configure RADIUS clients on the AP RADIUS proxy, because the RADIUS client entries and shared secrets are generated automatically among the APs in a hive.
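As an added example (not Aerohive code) of what the proxy configured in the preceding steps does with each Access-Request, the block below implements realm routing with the lab's realm table (ah-lab.local and Default both pointing at 10.5.1.10), realm stripping of the User-Name, and the detail that matters for security: the proxy holds two different secrets, so it must verify the external server's Response Authenticator with the external secret (aerohive123, from the slides) and re-sign the reply for the in-hive AP with the hive's secret. The hive secret value, the stand-in external server and the sample request are constructed for the example; the network round trip is replaced by a callable. Message-Authenticator handling for EAP requests is left out.

```python
"""Added example (not Aerohive code): a minimal RADIUS proxy on the realm
configuration of this lab, with correct Response Authenticator handling."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME = 1
EXTERNAL_SECRET = b"aerohive123"            # secret shared with 10.5.1.10 (slide value)
HIVE_SECRET = b"hive-generated-secret"      # assumed stand-in for the secret the hive generates
REALMS = {"ah-lab.local": "10.5.1.10", "Default": "10.5.1.10"}   # Realm Name -> RADIUS server


def split_realm(user_name):
    """'user@ah-lab.local' -> ('user', 'ah-lab.local'); no realm -> (name, None)."""
    name, sep, realm = user_name.rpartition("@")
    return (name, realm) if sep else (user_name, None)


def route(user_name, strip_realm=True):
    """Server for the user's realm (unknown realm -> Default) and the User-Name
    to forward ("Strip the Realm name from proxied access requests")."""
    name, realm = split_realm(user_name)
    server = REALMS.get(realm, REALMS["Default"])
    return server, (name if strip_realm and realm else user_name)


def encode_avp(atype, value):
    return bytes([atype, len(value) + 2]) + value


def parse_avps(data):
    avps, off = [], 0
    while off + 2 <= len(data):
        alen = data[off + 1]
        if alen < 2 or off + alen > len(data):
            raise ValueError("malformed attribute")
        avps.append((data[off], data[off + 2:off + alen]))
        off += alen
    return avps


def packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def verify_response(reply, request_auth, secret):
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = response_authenticator(reply[0], reply[1], reply[20:], request_auth, secret)
    return hmac.compare_digest(expected, reply[4:20])


def proxy(nas_request, upstream, strip_realm=True):
    """Forward one Access-Request from an in-hive AP and return the re-signed reply.
    `upstream(server, packet)` stands in for the network round trip.  A real
    proxy also checks and recomputes Message-Authenticator (attribute 80) on
    EAP requests; that is omitted here."""
    code, ident, length = struct.unpack("!BBH", nas_request[:4])
    if code != ACCESS_REQUEST or length != len(nas_request):
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = nas_request[4:20], parse_avps(nas_request[20:])
    user_name = next(v for t, v in attrs if t == USER_NAME).decode()
    server, forwarded = route(user_name, strip_realm)
    # Only User-Name changes.  EAP requests carry no User-Password, so nothing
    # encrypted under the NAS secret has to be re-encrypted for the new secret.
    body = b"".join(encode_avp(t, forwarded.encode() if t == USER_NAME else v) for t, v in attrs)
    reply = upstream(server, packet(ACCESS_REQUEST, ident, request_auth, body))
    if not verify_response(reply, request_auth, EXTERNAL_SECRET):
        raise ValueError("reply from %s failed the Response Authenticator check" % server)
    # Re-sign for the NAS with the secret shared inside the hive.
    new_auth = response_authenticator(reply[0], reply[1], reply[20:], request_auth, HIVE_SECRET)
    return packet(reply[0], reply[1], new_auth, reply[20:])


def fake_external_server(server, request):
    """Constructed stand-in for 10.5.1.10: it knows the bare account 'user'
    only, so a User-Name that still carries the realm is rejected."""
    user = next(v for t, v in parse_avps(request[20:]) if t == USER_NAME)
    code = ACCESS_ACCEPT if user == b"user" else ACCESS_REJECT
    auth = response_authenticator(code, request[1], b"", request[4:20], EXTERNAL_SECRET)
    return packet(code, request[1], auth, b"")


def nas_request(user_name, ident=7):
    """Constructed Access-Request as the in-hive AP (NAS) would send it."""
    return packet(ACCESS_REQUEST, ident, os.urandom(16), encode_avp(USER_NAME, user_name.encode()))


if __name__ == "__main__":
    req = nas_request("user@ah-lab.local")
    print("reply code:", proxy(req, fake_external_server)[0])          # 2 = Access-Accept
    print("without realm stripping:", proxy(req, fake_external_server, strip_realm=False)[0])
```

Two things to notice when running it: the external server accepts only after the realm is stripped, which is why the check box in step 4 matters, and the reply handed back to the AP verifies under the hive secret but not under the external one, so a forged or modified reply from the server side is dropped by the proxy rather than passed on.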
Lab: Using Hive Devices as a RADIUS Proxy 6. Set AP to be RADIUS Proxy
• Go to Monitor > Access Points > Aerohive APs
• Check the box next to your X-A-###### AP
• Click the Modify button
• Under Optional Settings, expand Service Settings
• Assign Device RADIUS Proxy to: Proxy-X
• Click Save
Note: A RADIUS icon will appear next to your AP in the monitor view
Lab: Using Hive Devices as a RADIUS Proxy 7. Select your Network Policy
To edit your SSID:
• Go to Configuration
• Select your Network Policy: WLAN-X and click OK
Lab: Using Hive Devices as a RADIUS Proxy 8. Define the AAA client profile
• Under Authentication, click RADIUS-X
• In Choose RADIUS, click New
Lab: Using Hive Devices as a RADIUS Proxy 9. Define the External RADIUS Server (Use the Proxy)
• RADIUS Name: RADIUS-Proxy-X
• IP Address/Domain Name: 10.5.2.X
• No other settings (including a shared secret) are needed as long as the APs are in the same hive
• Click Apply (when done)
• Click Save
Lab: Using Hive Devices as a RADIUS Proxy 10. Verify and Continue
• Ensure the Employee-Default-X and Employee-X user profiles are assigned to the Class-EAP-X SSID
• Click Continue, or click the Configure & Update Devices bar
Lab: Using Hive Devices as a RADIUS Proxy 11. Update the AP Configuration
In the Configure & Update Devices section:
• Select the Current Policy filter
• Check the box next to your AP: X-A-######
• Click Update
Lab: Using Hive Devices as a RADIUS Proxy 12. Update the AP Configuration
• Select Update Devices
• Select Perform a complete configuration update for all selected devices
• Click Update
• Click OK in the Reboot Warning window
For this class, ALL updates from this point should be complete configuration updates unless otherwise directed.
Lab: Using Hive Devices as a RADIUS Proxy 13. Update the AP Configuration
• Your new configuration will upload
• The AP will reboot
QUESTIONS?
CONFIGURING AND TESTING YOUR 802.1X SUPPLICANT (for Windows 7 supplicants)
Lab: Testing 802.1X/EAP via RADIUS Proxy 1. Connect to Secure Wireless Network
• From the bottom task bar, click the wireless networks icon
• Click Class-EAP-X
• Click Connect
Lab: Testing 802.1X/EAP via RADIUS Proxy 2. View Wireless Clients
• After associating with your SSID, you should see your connection in the active clients list in HiveManager
› Go to Monitor > Clients > Wireless Clients
• User Name: DOMAIN\user
• User Profile Attribute: 10
• VLAN: 10
QUESTIONS?
GENERATE AEROHIVE AP RADIUS SERVER CERTIFICATES
Required when Aerohive APs are configured as RADIUS servers or VPN servers
HiveManager Root CA Certificate: Location and Uses
• This root CA certificate is used to:
› Sign the CSR (certificate signing request) that HiveManager creates on behalf of the AP acting as a RADIUS or VPN server
› Validate Aerohive AP certificates to remote clients: 802.1X clients (supplicants) need a copy of the CA certificate in order to trust the certificates on the Aerohive AP RADIUS server(s)
• Root CA Cert Name: Default_CA.pem
• Root CA Key Name: Default_key.pem
Note: The CA private key is only ever used by, and only visible to, HiveManager
• To view certificates, go to Configuration > Advanced Configuration > Keys and Certificates > Certificate Mgmt
Use the Existing HiveManager CA Certificate, Do Not Create a New One!
• For this class, please do not create a new HiveManager CA certificate; doing so would invalidate all previously issued certificates.
• On your own HiveManager, you can create your own HiveManager CA certificate by going to Configuration > Advanced Configuration > Keys and Certificates > HiveManager CA
Only the Super User admin should have access rights to create the root HiveManager CA certificate.
LAB: Aerohive Device - Server Certificates 1. Generate Server Certificate
• Go to Configuration > Advanced Configuration > Keys and Certificates > Server CSR
• Common Name: server-X
• Organizational Name: Company
• Organization Unit: Department
• Locality Name: City
• State/Province: <2 Characters>
• Country Code: <2 Characters>
• Email Address: [email protected]
• Subject Alternative Name, User FQDN: [email protected]
› Note: This lets you add an extra validation step during IKE phase 1 for IPsec VPN: the Aerohive AP's certificate must not only be validly signed but must also carry the correct User FQDN.
• Key Size: 2048
• Password & Confirm: aerohive123
• CSR File Name: AP-X
• Click Create
LAB: Aerohive Device - Server Certificates 2. Sign and Combine!
• Select Sign by HiveManager CA
› The HiveManager CA will sign the Aerohive AP server certificate
› The other option on this screen sends the signing request to an external certification authority instead
• The validity period should be the same as or less than the number of days for which the HiveManager CA certificate is still valid
› Enter the Validity: 3650 (approximately 10 years)
• Check Combine key and certificate into one file
› Enabling this setting helps prevent certificate and key mismatches when configuring the RADIUS settings
• Click OK
LAB: Aerohive Device – Server Certificates 3. View the Certificate and Key File
• To view certificates, go to Configuration > Advanced Configuration > Keys and Certificates > Certificate Mgmt
• The certificate and key file name is: AP-X_key_cert.pem
• QUIZ – Which CA signed this Aerohive AP server certificate? Which devices need to install the CA public certificate?
QUESTIONS?
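The following is an added example, not HiveManager's own code, that reproduces the three steps above (Server CSR, Sign by HiveManager CA, Combine key and certificate into one file) with the openssl command-line tool and then runs the checks an engineer wants on the resulting AP-X_key_cert.pem before assigning it to an AP RADIUS server: who signed it, whether the key in the file matches the certificate, whether it expires before its issuer, and whether the Subject Alternative Name is present. It assumes the openssl binary is on the path, generates a throwaway root CA named HiveManager to stand in for Default_CA.pem and Default_key.pem, and uses placeholder subject values and an assumed User FQDN, since the slide's address is not shown.

```python
"""Added example (not Aerohive/HiveManager code): CSR -> CA signature ->
combined key+certificate file, done with the openssl CLI, plus the checks
worth running on the bundle before an AP RADIUS server uses it."""
import datetime
import os
import subprocess
import tempfile

PASSWORD = "aerohive123"                 # key-file password from the slides
USER_FQDN = "ap-X@ah-lab.local"          # assumed SAN value (the slide's address is not shown)


def openssl(*args, cwd):
    """Run one openssl command in the work directory and return its stdout."""
    return subprocess.run(["openssl", *args], cwd=cwd, check=True,
                          capture_output=True, text=True).stdout


def not_after(cert, cwd):
    """'notAfter=Jul 13 11:14:45 2024 GMT' -> naive UTC datetime."""
    line = openssl("x509", "-in", cert, "-noout", "-enddate", cwd=cwd).strip()
    return datetime.datetime.strptime(line.split("=", 1)[1], "%b %d %H:%M:%S %Y GMT")


def issue_ap_certificate(cwd, cn="server-X", days=3650):
    # 1. A root CA standing in for HiveManager's Default_CA.pem / Default_key.pem.
    openssl("genrsa", "-out", "Default_key.pem", "2048", cwd=cwd)
    openssl("req", "-x509", "-new", "-key", "Default_key.pem", "-days", "3650",
            "-subj", "/CN=HiveManager", "-out", "Default_CA.pem", cwd=cwd)
    # 2. Password-protected 2048-bit key and a CSR with the slide's subject
    #    fields; the User FQDN goes in as an email-type Subject Alternative Name.
    openssl("genrsa", "-aes256", "-passout", "pass:" + PASSWORD,
            "-out", "AP-X_key.pem", "2048", cwd=cwd)
    with open(os.path.join(cwd, "san.cnf"), "w") as f:
        f.write("subjectAltName=email:%s\n" % USER_FQDN)
    openssl("req", "-new", "-key", "AP-X_key.pem", "-passin", "pass:" + PASSWORD,
            "-subj", "/C=US/ST=CA/L=City/O=Company/OU=Department/CN=%s" % cn,
            "-out", "AP-X.csr", cwd=cwd)
    # 3. Sign with the CA.  Clamp the validity to what is left on the CA so the
    #    server certificate never outlives its issuer (the rule on the slide).
    now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    ca_days_left = (not_after("Default_CA.pem", cwd) - now).days
    openssl("x509", "-req", "-in", "AP-X.csr", "-CA", "Default_CA.pem",
            "-CAkey", "Default_key.pem", "-CAcreateserial",
            "-days", str(min(days, ca_days_left)),
            "-extfile", "san.cnf", "-out", "AP-X_cert.pem", cwd=cwd)
    # 4. Combine key and certificate into one file, as the HiveManager option does.
    bundle = os.path.join(cwd, "AP-X_key_cert.pem")
    with open(bundle, "w") as out:
        for part in ("AP-X_key.pem", "AP-X_cert.pem"):
            with open(os.path.join(cwd, part)) as src:
                out.write(src.read())
    return bundle


def check_bundle(bundle, ca="Default_CA.pem"):
    """The checks behind the quiz: who signed it, does the key match the
    certificate, is it inside the CA's validity, are the names right."""
    cwd, name = os.path.dirname(bundle), os.path.basename(bundle)
    subject = openssl("x509", "-in", name, "-noout", "-subject", cwd=cwd).replace(" ", "")
    issuer = openssl("x509", "-in", name, "-noout", "-issuer", cwd=cwd).replace(" ", "")
    text = openssl("x509", "-in", name, "-noout", "-text", cwd=cwd)
    # openssl x509 reads the first CERTIFICATE block and openssl pkey the key
    # block, so the combined file serves both; their public keys must agree.
    cert_pub = openssl("x509", "-in", name, "-noout", "-pubkey", cwd=cwd)
    key_pub = openssl("pkey", "-in", name, "-passin", "pass:" + PASSWORD, "-pubout", cwd=cwd)
    chain = openssl("verify", "-CAfile", ca, "AP-X_cert.pem", cwd=cwd)
    return {
        "cn_ok": "CN=server-X" in subject,
        "issuer_ok": "CN=HiveManager" in issuer,
        "san_ok": "email:" + USER_FQDN in text,
        "key_matches_cert": cert_pub == key_pub,
        "chain_ok": chain.strip().endswith(": OK"),
        "within_ca_validity": not_after("AP-X_cert.pem", cwd) <= not_after(ca, cwd),
    }


def run_demo():
    """Build and check a bundle in a scratch directory; return the check results."""
    work = tempfile.mkdtemp(prefix="ap-cert-")
    return check_bundle(issue_ap_certificate(work))


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print("%-20s %s" % (check, "OK" if ok else "FAIL"))
```

The answer to the quiz falls out of the checks: the issuer is the HiveManager CA, and the device that needs the CA's public certificate is every supplicant that must validate the AP's server certificate, not the AP itself, which only needs the combined key and certificate file plus the CA certificate it was issued from.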
AEROHIVE AP RADIUS SERVER WITH ACTIVE DIRECTORY INTEGRATION
Aerohive Devices as RADIUS servers
Figure: Wi-Fi clients (supplicants) send EAP requests to the AP RADIUS clients (authenticators); the authenticators exchange RADIUS communications with a primary and a backup AP RADIUS server (authentication servers); the AP RADIUS servers send LDAP queries to the LDAP server (Active Directory) at 10.5.1.10.
Aerohive devices can be configured as RADIUS servers and can fully integrate with any LDAP directory, including Active Directory.
LAB: Aerohive Devices as RADIUS servers – LAB Goals
• Configure an Aerohive AP as a RADIUS server to perform all the 802.1X/EAP operations
• Aerohive devices that function as RADIUS servers will be joined to the AD domain in order to:
› Let the Aerohive APs perform local 802.1X/EAP processing
› Allow the Aerohive AP to access the AD user store in order to authenticate users
› Allow the Aerohive AP to cache credentials in case the AD server is not accessible
Note: Aerohive APs, switches, BR-200 branch routers and VA gateways can all function as a RADIUS server
LAB: Aerohive Devices as RADIUS servers – LAB Goals (continued)
• During the configuration, one Aerohive device is selected as the RADIUS server that is used to:
› Obt­ain domain information
› Join the domain (the join operation itself runs on that AP)
› Test user authentication
› Perform LDAP browsing operations
• Connect to the hosted PC and test the 802.1X/EAP authentication
• Troubleshoot any authentication problems with Client Monitor
• Verify user profile assignment using LDAP attributes
QUESTIONS?
CREATING A DELEGATED ADMINISTRATOR FOR JOINING AEROHIVE AP-RADIUS SERVERS TO THE DOMAIN
Two Domain Accounts Needed
• Aerohive AP Admin Account – used to join Aerohive APs to the domain
• LDAP Query Account – used by the Aerohive AP that functions as a RADIUS server to perform LDAP queries
Both sets of credentials are stored on the Aerohive devices (and in HiveManager if you save them), so use dedicated accounts with no more rights than these two tasks require rather than a Domain Admin.
Create a New Active Directory Aerohive AP Administrator (Instructor Only)
On the Windows 2008 AD server:
• In your domain, select Users, right-click and select New > User
Note: The name used in this example is not significant; you can use any name
• First Name: HiveAP
• Last Name: Admin
• Full Name: HiveAPAdmin
• User Logon: [email protected]
• Click Next
Create a New Active Directory Aerohive AP Administrator (Instructor Only) (continued)
• Enter a Password: Aerohive1
• Confirm Password: Aerohive1
• Uncheck User must change password at next logon
• Uncheck User cannot change password
• Check Password never expires
• Uncheck Account is disabled
• Click Next
• Click Finish
Aerohive AP Administrator Group Membership
• Locate and double-click the new Aerohive AP Admin
• Click Member Of
Note: Here you can see that the Aerohive AP Admin only needs to be a member of Domain Users; the rights it needs on the Computers OU are delegated in the next steps
Delegate Control of the Computers OU to the Aerohive AP Admin (INSTRUCTOR ONLY)
• Right-click the Computers OU and select Delegate Control...
• Welcome to the Delegation of Control Wizard: click Next
• Users or Groups: click Add, type Aerohive AP Admin, click OK, click Next
• Select Create a custom task to delegate
• Click Next
• For Active Directory Object Type:
› Select Computer Objects and leave the rest of the default settings
› Check Create selected objects in this folder
› Click Next
• For Permissions:
› Check Read
› Check Write
› Leave the rest of the default settings
• Click Next
• Click Finish
QUESTIONS?
CONFIGURE AN AEROHIVE AP AS A RADIUS SERVER
Lab: Aerohive Devices as RADIUS servers 1. Select your Network Policy
To edit your SSID:
• Go to Configuration
• Select your Network Policy: WLAN-X and click OK
Lab: Aerohive Devices as RADIUS servers 2. Modify your AP settings
To configure the Aerohive AP as a RADIUS server:
• Click Continue to go to Configure & Update Devices
• Select the Filter: Current Policy
• Click the link for your Aerohive AP: 0X-A-######
Lab: Aerohive Devices as RADIUS servers 3. Deselect the proxy object
• Under Optional Settings, expand Service Settings
• Next to Device RADIUS Proxy, deselect the proxy object created in the previous lab
Lab: Aerohive Devices as RADIUS servers 4. Create an Aerohive AP RADIUS Service Object
• Under Optional Settings, expand Service Settings
• Next to Device RADIUS Service, click +
Lab: Aerohive Devices as RADIUS servers 5. Create an Aerohive AP RADIUS Service Object
• Name: AP-RADIUS-X
• Expand Database Settings
• Uncheck Local Database
• Check External Database
• Under Active Directory, click + to define the RADIUS Active Directory Integration Settings
Lab: Aerohive Devices as RADIUS servers 6. Select an Aerohive AP to test AD Integration
• Name: AD-X
• Aerohive AP for Active Directory connection setup: select your Aerohive AP: 0X-A-######
› This AP will be used to test Active Directory integration
› Once this Aerohive AP is configured for AD setup, it can be used as a template for configuring other Aerohive AP RADIUS servers with Active Directory integration
• The IP settings for the selected Aerohive AP are gathered and displayed
Lab: Aerohive Devices as RADIUS servers 7. Modify DNS settings for the test Aerohive AP
• Set the DNS server to: 10.5.1.10
› This DNS server should be the Active Directory DNS server or an internal DNS server that is aware of the Active Directory domain (the AP locates the domain controllers through DNS)
• Click Update
› This applies the DNS settings to the Network Policy and to the Aerohive AP so that it can test Active Directory connectivity
Lab: Aerohive Devices as RADIUS servers 8. Specify Domain and retrieve Directory Information
• Domain: ah-lab.local
• Click Retrieve Directory Information
› The Active Directory server IP is populated, as well as the BaseDN used for LDAP user lookups
Lab: Aerohive Devices as RADIUS servers 9. Join the Domain
• Domain Admin: hiveapadmin (the delegated admin)
• Password and Confirm Password: Aerohive1
• Check Save Credentials
• Click Join
NOTE: By saving credentials you can automatically join APs to the domain without manual intervention
Lab: Aerohive Devices as RADIUS servers 10. Specify a user to perform LDAP user searches
• Domain User: [email protected] (a standard domain user)
• Password and Confirm Password: Aerohive1
• Click Validate User
› You should see the message: The user was successfully authenticated.
› These user credentials are retained and used to perform LDAP searches to locate user accounts during authentication.
Lab: Aerohive Devices as RADIUS servers 11. Save the AD settings
• Click Save
Lab: Aerohive Devices as RADIUS servers 12. Save the RADIUS settings
• Select AD-X with priority: Primary
• Click Apply (please make sure you click Apply)
• Do not save yet
Lab: Aerohive Devices as RADIUS servers 13. Save the RADIUS settings (continued)
Enable the AP RADIUS server to cache user credentials, so that a user who has previously authenticated can still authenticate when the AD server is not reachable:
• Check Enable RADIUS Server Credential Caching
• Expand RADIUS Settings
• Do not save yet
Lab: Aerohive Devices as RADIUS servers 14. Assign new Aerohive AP server certificate
Assign the newly created AP server certificate and key to the Aerohive AP RADIUS server:
• CA Cert File: Default_CA.pem
• Server Cert File: AP-X_key_cert.pem
• Server Key File: AP-X_key_cert.pem (the combined file holds both)
• Key File Password & Confirm Password: aerohive123
• Click Save
Lab: Aerohive Devices as RADIUS servers 15. Save the AP Settings
• Ensure that the Aerohive AP RADIUS Service is set to: AP-RADIUS-X
• Click Save
NOTE: Your Aerohive AP will display an icon showing that it is a RADIUS server
QUESTIONS?
SSID FOR 802.1X/EAP AUTHENTICATION USING AEROHIVE AP RADIUS WITH AD KERBEROS INTEGRATION
Lab: Aerohive Devices as RADIUS servers 1. Edit your WLAN Policy and Add SSID Profile
Configure an SSID that uses 802.1X/EAP with AD (Kerberos) integration:
• Select the Configure Interfaces & User Access bar
• Next to SSIDs, click Choose
• In Choose SSIDs, select New
Lab: Aerohive Devices as RADIUS servers 2. Configure an 802.1X/EAP SSID
• Profile Name: Class-AD-X
• SSID: Class-AD-X
• Under SSID Access Security, select WPA/WPA2 802.1X (Enterprise)
• Click Save
Lab: Aerohive Devices as RADIUS servers 3. Select the new Class-AD-X SSID
• Click to deselect the Class-EAP-X SSID
• Ensure the Class-AD-X SSID is selected (highlighted)
• Click OK
Lab: Aerohive Devices as RADIUS servers 4. Create an AAA RADIUS client object
• Under Authentication, click <RADIUS Settings>
• In Choose RADIUS, click New
Lab: Aerohive Devices as RADIUS servers 5. Define the External RADIUS Server
• RADIUS Name: AP-RADIUS-X
• IP Address/Domain Name: 10.5.2.X
• Leave the Shared Secret empty
› NOTE: When the Aerohive AP is a RADIUS server, APs in the same hive automatically generate a shared secret.
• Click Apply (when done)
• Click Save
Lab: Aerohive Devices as RADIUS servers 6. Select User Profiles
• Verify that under Authentication, AP-RADIUS-X is assigned
• Under User Profile, click Add/Remove
Lab: Aerohive Devices as RADIUS servers 7. Assign User Profile as Default for the SSID
• With the Default tab selected, select (highlight) the Employee-Default-X user profile
• IMPORTANT: This user profile is assigned when RADIUS returns no user profile attribute after a successful authentication, or when it returns attribute value 1000.
• Click the Authentication tab
Lab: Aerohive Devices as RADIUS servers 8. Assign User Profile to be Returned by RADIUS Attribute
• In the Authentication tab, select (highlight) Employee-X
› NOTE: The user profile attribute number is appended to the user profile name in this list
• Click Save
Lab: Aerohive Devices as RADIUS servers 9. Verify and Continue
• Ensure the Employee-Default-X and Employee-X user profiles are assigned to the Class-AD-X SSID
• Click Continue
Lab: Aerohive Devices as RADIUS servers 10. Update the AP Configuration
In the Configure & Update Devices section:
• Select the Current Policy filter
• Check the box next to your AP: X-A-######
• Click Update
Lab: Aerohive Devices as RADIUS servers 11. Update the AP Configuration
• Select Update Devices
• Select Perform a complete configuration update for all selected devices
• Click Update
• Click OK in the Reboot Warning window
For this class, ALL updates from this point should be complete configuration updates unless otherwise directed.
Lab: Aerohive Devices as RADIUS servers 12. Update the AP Configuration
• Your new configuration will upload
• The AP will reboot
ADDITIONAL AEROHIVE AP AD INTEGRATION INFORMATION
Optional: Verify Aerohive AP Time from the CLI of the Aerohive AP
• From the CLI of the Aerohive AP:
    # show time
    Timezone: GMT-8
    # show clock
    2011-07-13 11:14:45 Wednesday
Kerberos rejects requests whose timestamp differs from the domain controller's clock by more than the permitted skew (5 minutes by default), so an AP with the wrong time can neither join the domain nor authenticate users against it.
Joining Aerohive APs to Active Directory (Computer OU = Wireless/Aerohive APs)
• From the AD server, you can go to Active Directory Users and Computers and see when the Aerohive AP joins the domain
• If you specify an Active Directory administrator account in the AAA User Directory Settings, the Aerohive AP adds itself to the domain automatically
• If you did not specify an Active Directory administrator, you have to add your Aerohive AP to the domain manually, much as you would a computer
› Click Refresh, select the Computers OU, and you will see the hostname of your Aerohive AP
Join Aerohive AP RADIUS Server to Domain
Note: You performed this step for your Aerohive AP in the configuration; here is how you do it for the rest of the Aerohive AP RADIUS servers in your network.
• Go to Tools > Server Access Tests > AD/LDAP Test
• Select RADIUS Server: X-A-######
• Select Test joining the Aerohive AP to an Active Directory domain
• Active Directory Domain: Primary
• User Name: hiveapadmin
• Password: Aerohive1
• Click Test
Troubleshooting – Joining an Aerohive AP to a Domain
Here you can see that the Aerohive AP has failed to join the domain.
• Possible cause: The administrator does not have privileges to add a computer (the Aerohive AP) to this OU
› Solution: Use an administrator with more privileges
• Possible cause: The Aerohive AP was previously added to a different OU, and this administrator does not have privileges to remove the other entry
› Solution: Delegate administration of this OU to allow the selected administrator to add computers to this OU
Troubleshooting – Joining an Aerohive AP to a Domain (continued)
Here you can see that the Aerohive AP time is not accurate.
• Possible cause: The NTP server settings have not been configured on the Aerohive AP
› Solution: Configure the NTP server settings by going to your WLAN Policy > Management Services > NTP Server
Test the user account for your hosted PC
• Select RADIUS Server: 0X-A-######
• Select Test Aerohive AP credentials for Active Directory Integration
• User Name: user
• Password: Aerohive1
• Click Test
Kerberos authentication passed for the user
QUESTIONS?
CLIENT ACCESS PREPARATION - DISTRIBUTING CA CERTIFICATES TO WIRELESS CLIENTS
LAB: Exporting CA Cert for Server Validation 1. Go to HiveManager from the Remote PC
• From the VNC connection to the hosted PC, open a local connection to HiveManager
• HiveManager: 10.5.1.20
• Login: adminX
• Password: aerohive123
NOTE: You are accessing HiveManager via the PC's Ethernet connection
LAB: Exporting CA Cert for Server Validation 2. Download Default CA Certificate to the Remote PC
NOTE: The HiveManager root CA certificate should be installed on every client PC that will use the RADIUS service on the Aerohive APs for 802.1X authentication. Without it the supplicant cannot validate the AP's server certificate, and a supplicant configured to skip that validation will complete the inner authentication with any rogue access point that advertises the same SSID, exposing the user's credentials.
• From the Remote PC, go to Configuration > Advanced Configuration > Keys and Certificates > Certificate Mgmt
• Select Default_CA.pem
• Click Export
LAB: Exporting CA Cert for Server Validation 3. Rename HiveManager Default CA Cert
• Export the public root Default_CA.pem certificate to the Desktop of your hosted PC
› This is NOT your Aerohive AP server certificate; this IS the HiveManager public root CA certificate
• Rename the extension of the Default_CA.pem file to Default_CA.cer (Save as type: All Files)
› This way, the certificate is automatically recognized by Microsoft Windows
• Click Save
LAB: Exporting CA Cert for Server Validation 4. Install HiveManager Default CA Cert
• Find the file that was just exported to your hosted PC
• Double-click the certificate file on the Desktop: Default_CA
• Click Open
• Click Install Certificate
› Issued to: HiveManager. This is the name of the certificate if you wish to find it in the certificate store, or to select it in the Windows supplicant PEAP configuration.
LAB: Exporting CA Cert for Server Validation1. Finish certification installation
195
• In the Certificate Import Wizard click Next
• Click Place all certificates in the following store
• Click Browse
© 2014 Aerohive Networks CONFIDENTIAL
LAB: Exporting CA Cert for Server Validation2. Select Trusted Root Certification Authorities
196
• Click Trusted Root Certification Authorities
• Click OK
• Click Next
© 2014 Aerohive Networks CONFIDENTIAL
LAB: Exporting CA Cert for Server Validation3. Finish Certificate Import
197
• Click Finish
• Click Yes
• Click OK
LAB: Exporting CA Cert for Server Validation – 4. Verify certificate is valid
• Click OK to close the certificate
• Double-click Default_CA to reopen the certificate
• You will see that the certificate is valid, with a valid-from and valid-to date
• Click the Details tab
LAB: Exporting CA Cert for Server Validation – 5. View the Certificate Subject
• In the Details section, view the certificate Subject
• This Subject, HiveManager, is what will appear in the list of trusted root certification authorities in your supplicant, configured later in this lab
(Screenshot: Protected EAP (PEAP) Properties in the supplicant (802.1X client))
QUESTIONS?

CONFIGURING AND TESTING YOUR 802.1X SUPPLICANT
For Windows 7 Supplicants
Lab: Testing AP-RADIUS w/ AD Integration – 1. Connect to Secure Wireless Network
On the hosted PC, from the bottom task bar, click the wireless networks icon
• Click Class-AD-X
• Click Connect
• A Windows security alert should appear; click Details to verify that this certificate is from HiveManager, then click Connect
› server-2 is the AP cert, and HiveManager is the trusted CA
Lab: Testing Aerohive AP RADIUS w/ AD Integration – 2. Connect to Secure Wireless Network
On the hosted PC, from the bottom task bar, click the wireless networks icon
• Click Class-AD-X
• Click Connect
• Click Use my Windows user account
Lab: Testing Aerohive AP RADIUS w/ AD Integration – 3. Connect to Secure Wireless Network
• When prompted about the server certificate, click Connect
• Notice that you are now connected (this may take a few moments)
Lab: Testing AP-RADIUS w/ AD Integration – 4. View Active Clients
• After associating with your SSID, you should see your connection in the active clients list in HiveManager
› Go to Monitor > Client > Wireless Clients
• IP Address: 10.5.8.#
• User Name: DOMAIN\user
• VLAN: 8
• User Profile Attribute: 1000
NOTE: The User Profile Attribute shown is that of the Employee-Default-X user profile for the SSID. This user profile is being assigned because no User Profile Attribute Value was returned from RADIUS.
QUESTIONS?

MAPPING ACTIVE DIRECTORY MEMBEROF ATTRIBUTE TO USER PROFILES
Aerohive AP as a RADIUS Server – Using AD Member Of for User Profile Assignment
• In your WLAN policy, you defined an SSID with two user profiles
› Employee-Default-X – Set if no RADIUS attribute is returned
» This user profile, for example, is for general employee staff, and they get assigned to VLAN 8
› Employee-X – Set if a RADIUS attribute is returned
» This user profile, for example, is for privileged employees, and they get assigned to VLAN 10
• Because the Aerohive AP RADIUS server is using AD to authenticate the users, and AD does not return RADIUS attributes, how can we assign users to different user profiles?
• Though AD does not return RADIUS attributes, it does return other attribute values, like memberOf, which is the list of AD groups to which the user belongs
Instructor Only: Confirm User is a member of the Wireless AD Group
• Right-click the username “user” and click Properties
• Click on the MemberOf tab
• Each user account should be assigned to the Wireless AD Group
Lab: Use AD to Assign User Profile – 1. Map memberOf attribute to user profile
• From Configuration > Advanced Configuration > Authentication > Aerohive AAA Server Settings
• Click on the AP-RADIUS-X link
Lab: Use AD to Assign User Profile – 2. Map memberOf attribute to user profile
• Expand Database Settings
• Check LDAP server attribute Mapping
• Select Manually map LDAP user groups to user profiles
• LDAP User Group Attribute: memberOf
• Domain: dc=AH-LAB,dc=LOCAL
• Click + to expand the LDAP tree
Lab: Use AD to Assign User Profile – 2. Add AD group to User Profile mapping
• Expand the tree structure to locate the group
› Expand CN=Users
› Select CN=Wireless
• For Maps to, from the drop-down list, select the user profile: Employee-X
• Click Apply
• The mapping appears below the LDAP directory
• Click Save
(Screenshot: click the LDAP group; map the group to Employee(10)-X)
Lab: Use AD to Assign User Profile SSID – 3. Update the configuration of your Aerohive AP
• Go to Configuration
• Select your Network Policy: WLAN-X and click OK
• Click on the Continue button to go to the Configure and Update Device panel
Lab: Use AD to Assign User Profile SSID – 4. Update the configuration of your Aerohive AP
In the Configure & Update Devices section:
• Select the Current Policy filter
• Check the box next to your AP: X-A-######
• Click Update
Lab: Use AD to Assign User Profile SSID – 5. Update the configuration of your Aerohive AP
• Select Update Devices
• A complete upload is not needed this time
• Click Update
Lab: Use AD to Assign User Profile SSID – 6. Delta Upload
• The Delta Configuration will upload
Lab: Use AD to Assign User Profile SSID – 7. Disconnect and Reconnect to the Class-AD SSID
To test the mapping of the memberOf attribute to your user profile
• Disconnect from the Class-AD-X SSID
• Connect to the Class-AD-X SSID
Lab: Use AD to Assign User Profile SSID – 9. Verify your active client settings
• From Monitor > Clients > Wireless Clients
› Your client should now be assigned to:
» IP Address: 10.5.10.#
» User Profile Attribute: 10
» VLAN: 10
NOTE: In the previous lab, without the LDAP group mapping, the user was assigned to attribute 1000 in VLAN 8
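The following is an added example, not Aerohive code, that models the decision the AP's RADIUS service makes once memberOf is mapped to user profiles as in this lab: the profile names, attribute values, VLANs and the CN=Wireless group DN are the lab's, while the sample directory records and the function names (parse_rdns, select_user_profile, radius_decision) are constructed for illustration.

```python
"""Added example (not Aerohive code): models the user-profile decision an
Aerohive AP acting as a RADIUS server makes when "Manually map LDAP user
groups to user profiles" is configured, as in this lab. Profile names,
attribute values, VLANs and the group DN come from the lab; the sample
directory records and the function names are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class UserProfile:
    name: str
    attribute: int  # HiveManager "User Profile Attribute"
    vlan: int


# The two user profiles defined on the Class-AD-X SSID in the WLAN policy.
EMPLOYEE_DEFAULT = UserProfile("Employee-Default-X", 1000, 8)  # no attribute returned
EMPLOYEE = UserProfile("Employee-X", 10, 10)                    # attribute returned

# The LDAP group -> user profile mapping entered in the lab. Kept as an
# ordered list because the first group that matches one of the user's
# memberOf values wins.
GROUP_MAP: List[Tuple[str, UserProfile]] = [
    ("CN=Wireless,CN=Users,DC=AH-LAB,DC=LOCAL", EMPLOYEE),
]
BASE_DN = "dc=AH-LAB,dc=LOCAL"  # the Domain field in the AAA server settings

RDNs = Tuple[Tuple[str, str], ...]


def parse_rdns(dn: str) -> RDNs:
    """Split a DN into (attribute, value) RDNs in a comparison-safe form.

    AD returns DC=AH-LAB,DC=LOCAL while HiveManager shows dc=AH-LAB,dc=LOCAL
    and the tree view shows "CN = Wireless"; DNs are case-insensitive and
    whitespace around '=' and ',' is not significant, so both are folded.
    Escaped commas inside values are out of scope for this example.
    """
    rdns = []
    for part in dn.split(","):
        if "=" not in part:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return tuple(rdns)


def select_user_profile(
    member_of: Sequence[str],
    group_map: Sequence[Tuple[str, UserProfile]] = GROUP_MAP,
    base_dn: str = BASE_DN,
    default: UserProfile = EMPLOYEE_DEFAULT,
) -> UserProfile:
    """Pick the user profile for a user from the memberOf values AD returned.

    Groups that are not under the configured base DN are ignored, so a group
    with the same CN in another domain cannot trigger the mapping, and a
    user with no mapped group falls back to the SSID default profile (the
    "no RADIUS attribute returned" case from the previous lab).
    """
    base = parse_rdns(base_dn)
    user_groups = set()
    for dn in member_of:
        rdns = parse_rdns(dn)
        if len(rdns) > len(base) and rdns[-len(base):] == base:
            user_groups.add(rdns)
    for group_dn, profile in group_map:
        if parse_rdns(group_dn) in user_groups:
            return profile
    return default


# Constructed sample of what an LDAP lookup against the lab domain might
# return (memberOf is multi-valued). "user" is the lab account that was
# placed in the Wireless group.
SAMPLE_DIRECTORY: Dict[str, List[str]] = {
    "user": [
        "CN=Wireless,CN=Users,DC=AH-LAB,DC=LOCAL",
        "CN=Staff,CN=Users,DC=AH-LAB,DC=LOCAL",
    ],
    "contractor": [
        "CN=Staff,CN=Users,DC=AH-LAB,DC=LOCAL",
    ],
    "visitor": [
        "CN=Wireless,CN=Users,DC=OTHER-CORP,DC=LOCAL",  # same CN, wrong domain
    ],
}


def radius_decision(username: str,
                    directory: Optional[Dict[str, List[str]]] = None) -> dict:
    """What the AP would attach to its Access-Accept after AD authenticated
    the user: the profile attribute and the VLAN the client lands in."""
    records = SAMPLE_DIRECTORY if directory is None else directory
    profile = select_user_profile(records.get(username, []))
    return {"user": username, "profile": profile.name,
            "attribute": profile.attribute, "vlan": profile.vlan}


if __name__ == "__main__":
    for name in SAMPLE_DIRECTORY:
        print(radius_decision(name))
```

The "visitor" record shows why the mapping is scoped to the configured Domain: a group with the same CN under a different domain component does not match and the account stays on Employee-Default-X.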
QUESTIONS?

AEROHIVE CLIENT MANAGEMENT
Aerohive’s Instructor-led Training
Is the device a Corporate or Personally owned client?
Can you tell the difference between these two iPads?
Company Issued Device
• Owned and Managed by IT
• Provided for a Specific Purpose
• Enables New Working Models
Personal Device
• Employee-owned and Managed
• Wide Range of Potential Devices
• Improves Employee Satisfaction and Productivity
How Aerohive Solves the Problem
1. Mobile user connects to corporate SSID with username and password
2. User is authenticated against Active Directory or other user store such as LDAP
3. AP checks to see if the device is already enrolled with HiveManager Client Management
4. Device is checked against a list of known corporate devices (MAC addresses) imported by the IT admin
5. If the device is not enrolled, it is redirected to the enrollment URL to acquire a custom device certificate and secure profile, based on whether it is a personal device or a corporate issued device in the MAC address list
6. Device is reconnected to the SAME SSID with a custom device certificate
7. Policy is applied based on all available context, including: identity, device type, device ownership, location, and time
(Diagram: Corp 802.1X SSID; HiveManager with Client Management)
Client Management Concepts – Company Issued or Bring Your Own Device (BYOD)?
• Is a device a Company Issued Device (CID) or is the device brought from home, i.e. Bring Your Own Device (BYOD)?
• Enter MAC addresses of devices to automatically select Corporate Issued Devices
• Or let the user decide during Enrollment
Client Management Concepts – User profile reassignment Options
• Client Management automatically detects and reassigns devices to new user profiles based upon BYOD or CID ownership.
• BYOD or CID ownership applies to iOS, MacOS, Android and Chromebook devices.
• Policy decisions can be made based on OS and domain for User Profile reassignment of other operating systems such as Windows or Blackberry.
Note: You can still mix in other devices that are not supported by Client Management
Client Management Overview
• Support for the following solutions:
› Single SSID based onboarding: requires 802.1X on the SSID
› Single SSID based onboarding for PPSK: requires an initial static PSK
› Two SSIDs based onboarding:
» Open (for provisioning)
» Second SSID using PPSK (for secured access)
• Supports both HMOL and on-premises HM
• Requires HiveOS 6.1r3 or later on APs
• Supports Mac OS X, iOS, Android devices and Chrome OS (Chromebooks)
Firewall Considerations by Device Type and Ports Used
Source                       | Destination                                        | Service (Protocol and Port)
Apple Client Devices         | Apple Push Notification Service (APNS) 17.0.0.0/8  | TCP 5223
Android & Chromebook Devices | Google GCM Servers                                 | TCP 5223, 5229, 5330
HiveManager                  | Client Management Service (onboard.aerohive.com)   | HTTPS 443
Access Points                | Client Management Service (onboard.aerohive.com)   | HTTPS 443
Access Points                | Apple Push Notification Service (APNS) 17.0.0.0/8  | TCP 5223
Enable Client Management in HiveManager
• Enable Client Management
• Test is an HTTPS test to the Client Management cluster, which verifies that all Client Management services are working
• Do this for both On-Premise and HMOL
• For On-Premise you will also have to retrieve the Customer ID
LAB: CLIENT MANAGEMENT USING 802.1X
Scenario
Your Enterprise Customer is using 802.1X/EAP security. Employees are permitted to bring their own devices to work to access the company network and Internet. The new requirements include:
• Company Issued Devices (CID) such as iPads will receive the Company profile.
• All mobile device cameras must be disabled for security purposes.
• Employee Personal Devices (BYOD) will receive the Personal profile.
• Employee Personal Devices will have a firewall policy that restricts access to corporate resources but allows access to a gateway to the Internet.
Lab: Client Management using 802.1X – 1. Edit the network policy
• Go to Configuration
• Select your Network Policy and click OK
• Click on the link for the Class-AD-X SSID
Lab: Client Management using 802.1X – 2. Enable client management
• Check Enable Client Management
• Click Save
Lab: Client Management using 802.1X – 3. Create a CID user profile
• User Profile: Add/Remove
• Click New
Lab: Client Management using 802.1X – 4. Create a BYOD user profile
• Name: BYOD-X
• Attribute: 800
• VLAN: 10
• Do NOT click Save yet
Lab: Client Management using 802.1X – 5. Assign a restrictive firewall policy
• Under Optional Settings, expand Firewalls
• IP Firewall Policy: From-Access: Guest-Internet Access Firewall Policy
• Default Action: Permit
• Click Save
• Click Save again
Note: Firewall Policy
The guest firewall policy is a default policy that can be used to keep BYOD devices away from the internal networks where corporate resources reside. Access to a gateway to the Internet can still be permitted.
Lab: Client Management using 802.1X – 6. Create a CID user profile
• Click New to create a CID user profile
• Name: CID-X
• Attribute Number: 200
• Default VLAN: 10
• Click Save
• Click Save again
Lab: Client Management using 802.1X – 7. Edit the Employee-X user profile
• Click the Employee-X user profile to edit
Lab: Client Management using 802.1X – 8. Create a reassignment rule for the CID user profile
• Optional Settings: expand Client Classification Policy
• Check Enable user profile reassignment based on client classification rules
• Click New
Lab: Client Management using 802.1X – 9. Create a reassignment rule for the CID user profile
• Ownership: CID
• Reassigned User Profile: CID-X
• Click Apply
• Do NOT Save yet
Lab: Client Management using 802.1X – 10. Create a reassignment rule for the BYOD user profile
• Click New
• Ownership: BYOD
• Reassigned User Profile: BYOD-X
• Click Apply
Lab: Client Management using 802.1X – 11. Verify the reassignment rules
• Verify the reassignment rules
• Click Save
Lab: Client Management using 802.1X – 12. Verify the reassignment rules
• Expand the Employee-X user profile
• Click Add/Remove to activate the rules
All employees will authenticate via 802.1X/EAP and be assigned to VLAN 10. Employees will then use the correct device profile based upon their enrollment status.
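An added example, not Aerohive code, that models the onboarding flow from the "How Aerohive Solves the Problem" slide as this lab configures it: the profile names, attribute values (200 for CID, 800 for BYOD), VLANs, the Guest-Internet Access firewall policy and the rule order are the lab's, while the MAC addresses are constructed, the enrollment URL is a placeholder, and the ClientManagement class and connect/demo functions are hypothetical names.

```python
"""Added example (not Aerohive code): a model of the onboarding flow this
lab configures on the Class-AD-X SSID. Profile names, attribute values,
VLANs, the firewall policy and the CID/BYOD rule order come from the lab;
the MAC addresses are constructed, the enrollment URL is a placeholder and
the class and function names are hypothetical."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

ENROLLMENT_URL = "https://ENROLLMENT-PORTAL-PLACEHOLDER/"  # placeholder


@dataclass(frozen=True)
class UserProfile:
    name: str
    attribute: int
    vlan: int
    ip_firewall_policy: Optional[str] = None


# Profiles from the lab: every employee authenticates into Employee-X first.
EMPLOYEE = UserProfile("Employee-X", 10, 10)
CID_PROFILE = UserProfile("CID-X", 200, 10)
BYOD_PROFILE = UserProfile("BYOD-X", 800, 10, "Guest-Internet Access")

# Client classification rules attached to Employee-X (steps 8-11), in order.
REASSIGNMENT_RULES: List[Tuple[str, UserProfile]] = [
    ("CID", CID_PROFILE),
    ("BYOD", BYOD_PROFILE),
]


def normalize_mac(mac: str) -> str:
    """Fold aa:bb:.., aa-bb-.. and aabb.cc.. into 12 lowercase hex digits
    so the CID list matches whatever format the admin imported."""
    digits = "".join(ch for ch in mac.lower() if ch not in ":-.")
    if len(digits) != 12 or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


class ClientManagement:
    """Stand-in for the Client Management service: the imported CID MAC
    list plus the devices that have completed enrollment."""

    def __init__(self, cid_macs: Iterable[str]):
        self.cid_macs = {normalize_mac(m) for m in cid_macs}
        self.enrolled: Dict[str, str] = {}  # normalized MAC -> ownership

    def preselected_ownership(self, mac: str) -> str:
        # The portal pre-selects CID only for devices on the imported list;
        # anything else is presented as a personal (BYOD) device.
        return "CID" if normalize_mac(mac) in self.cid_macs else "BYOD"

    def enroll(self, mac: str, user_choice: Optional[str] = None) -> str:
        """Record enrollment. Assumption: a listed device is always CID;
        an unlisted device takes the user's choice, defaulting to BYOD."""
        key = normalize_mac(mac)
        ownership = "CID" if key in self.cid_macs else (user_choice or "BYOD")
        if ownership not in ("CID", "BYOD"):
            raise ValueError(f"unknown ownership {ownership!r}")
        self.enrolled[key] = ownership
        return ownership


def connect(mac: str, cm: ClientManagement,
            authenticated: UserProfile = EMPLOYEE) -> dict:
    """One association to the CM-enabled SSID after a successful 802.1X/EAP
    login, returning what Monitor > Clients would show for the device."""
    ownership = cm.enrolled.get(normalize_mac(mac))
    if ownership is None:
        # Not enrolled: keep the authenticated profile and send the first
        # web request to the enrollment portal.
        return {"state": "redirect", "url": ENROLLMENT_URL,
                "preselected": cm.preselected_ownership(mac),
                "profile": authenticated.name, "vlan": authenticated.vlan,
                "attribute": authenticated.attribute, "firewall": None}
    profile = next((p for o, p in REASSIGNMENT_RULES if o == ownership),
                   authenticated)  # no matching rule: stay on Employee-X
    return {"state": "enrolled", "ownership": ownership,
            "profile": profile.name, "attribute": profile.attribute,
            "vlan": profile.vlan, "firewall": profile.ip_firewall_policy}


def demo() -> List[dict]:
    """Walk a company iPad and a personal phone through the flow."""
    cm = ClientManagement(["00-11-22-33-44-55"])  # constructed CID list
    corp, personal = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    before = [connect(corp, cm), connect(personal, cm)]
    cm.enroll(corp)
    cm.enroll(personal)
    return before + [connect(corp, cm), connect(personal, cm)]


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Both devices land in VLAN 10 either way; what changes after enrollment is the attribute (200 or 800) and, for BYOD, the Guest-Internet Access firewall policy, which is exactly what the monitoring section later asks you to verify.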
Lab: Client Management using 802.1X – 13. Enable the reassignment rules
• Check Enable user profile reassignment based on client classification rules
• Click Save
Lab: Client Management using 802.1X – 14. Enable the reassignment rules
• Click Continue to save the network policy and proceed to configure and update.
Lab: Client Management using 802.1X – 15. Edit your AP that is the RADIUS server
• Choose the Current Policy filter
• Click on the 0X-A-XXXX-AP to modify the configuration.
Lab: Client Management using 802.1X – 16. Edit your AP that is the RADIUS server
• Optional Settings: expand Service Settings
• Next to Device RADIUS Service, click the modify icon to edit your AP-RADIUS-X object.
Why new certificates?
• Client Management is a cloud-based onboarding solution that requires you to use the Client Management Root certificate and server certificate and key file.
• These certificates can be used with any Aerohive Device that functions as a RADIUS server.
• A third-party RADIUS server can be used for 802.1X with Client Management; however, you will need to export these same certificates and install them on the third-party RADIUS server.
Support for Third-Party Certificates
Client Management also supports the import of third-party certificates from an existing PKI.
Lab: Client Management using 802.1X – 17. Edit your AP that is the RADIUS server
• Expand Database Settings to select the client management certificates
• CA Cert File: ClientMgmt_CA.crt
• Server Cert File: ClientMgmt-Radius-Server_Crt.crt
• Server Key File: ClientMgmt-Radius-Server_key.pem
• Remove the passwords from the previous lab
• Click Save
Lab: Client Management using 802.1X – 18. Save the AP specific settings
• Click Save
Lab: Client Management using 802.1X – 19. Upload the AP configuration
• Select your 0X-A-XXXX AP
• Click Update
• Click Update Devices
Lab: Client Management using 802.1X – 20. Upload the AP configuration
• Select Perform a complete configuration update
• Click Update
• Click OK
Lab: Client Management using 802.1X – 21. Configuring Client Management
• Click on the Configure Interfaces & User Access bar
• Click on Client Management
The Client Management link is a direct connection to configure Client Management profiles.
Lab: Client Management using 802.1X – 22. Configuring Client Management
• Username: cm#[email protected], where # is the Lab number 1, 2, 3, 4 or 5
• Password: Aerohive123
Lab: Client Management using 802.1X – 23. Configuring Client Management
• Click Configuration
Client Management Data in HiveManager
• Monitor > Clients > Active Clients or Wireless Clients
• New column to display Client Management Enrollment
• A grey icon indicates the client is enrolled in CM
Client Management Data in HiveManager
• Hover over the icon and it changes to Aerohive yellow
• Click on the popup and the admin is redirected to the CM server monitor view for the client
Client Management Data in HiveManager
• Click on the MAC address of the enrolled client device to see Client Management information in HiveManager
Client Management Useful Information and Tips
• There are two core types of profiles:
› Enrollment profiles – these are the management profiles.
› Client profiles – these are the configuration profiles, i.e. Restrictions, ActiveSync, etc.
• The relationship between User Profiles and UPIDs is a many-to-one relationship.
• Do not overload a single profile; divide the load among individual profiles based upon type (Restrictions, Web Clip, etc.), each using the same attribute value.
Lab: Client Management using 802.1X – 24. Configuring a BYOD Client Profile
You will now create client profiles to match the BYOD-X and CID-X user profiles.
• Click New.
Lab: Client Management using 802.1X – 25. Configuring a BYOD Client Profile: camera removal
• Name: BYOD-X-No-Camera
• User Profile Attribute: 800
• Organization: Aerohive
• Security: User can remove profile
• Profile Lifetime on Client Devices: Do not delete the profile from the client device
• Click Restrictions
Lab: Client Management using 802.1X – 26. Enforcing Restrictions
• Turn ON Enforce Restrictions
• Uncheck Allow use of camera
• Click Save
Lab: Client Management using 802.1X – 27. Configuring a BYOD Client Profile: adding a Web Clip
• Name: BYOD-X-Web Clip
• User Profile Attribute: 800
• Organization: Aerohive
• Security: User can remove profile
• Profile Lifetime on Client Devices: Do not delete the profile from the client device
• Click Web Clips
Lab: Client Management using 802.1X – 28. Configuring a BYOD Client Profile: adding a Web Clip
• Label: Student-X-Video
• URL: http://bit.ly/1cKAzfA
• Options: Precomposed Icon
• Click Save
Lab: Client Management using 802.1X – 29. Verifying the BYOD Client Profiles
• Verify your BYOD-X client profile
• Click New
Lab: Client Management using 802.1X – 30. Creating a CID Client Profile
• Name: CID-X
• User Profile Attribute: 200
• Organization: Aerohive
• Security: User can remove profile
• Profile Lifetime on Client Devices: Do not delete the profile from the client device
• Click Restrictions
Lab: Client Management using 802.1X – 31. Enforcing Restrictions
• Turn ON Enforce Restrictions
• Do NOT uncheck Allow use of camera
• Click Save
Lab: Client Management using 802.1X – 32. Verifying Client Profiles
• Verify the BYOD and CID client profiles
iOS Client Profile Restrictions
Many more restrictions can be configured in your iOS Client Profiles.
iOS Client Profile Settings
• Other iOS client settings include:
› VPN
› Exchange ActiveSync
› Web Clips
› CalDav
› CardDav
› Email
OPTIONAL CLIENT MANAGEMENT INSTRUCTOR DEMONSTRATION
Because our lab is in a remote location, we cannot test the client management lab. If time permits, the instructor will now demonstrate client management in class.
Should students wish to participate with their personal devices in the demonstration, ensure that they select the BYOD profile. The Enrollment profile can be removed from their personal devices after class.
Lab: Client Onboarding Demo – 1. Connect to 802.1X SSID
On the instructor iOS device and/or student iOS devices:
• Go to Settings > Wi-Fi
• Click on the CM-802.1X-Demo SSID
• Username: demoX (where X = student number; the instructor is demo1)
• Password: aerohive123
Lab: Client Onboarding Demo – 2. Connect to the 802.1X SSID
• Click the Accept button to accept the certificate
• Verify that you are connected to the CM-802.1X-Demo SSID
Lab: Client Onboarding Demo – 3. Continue with client onboarding
• Open your browser and try to connect to a web site
• You will be redirected to the Client Management captive web portal for onboarding
Lab: Client Onboarding Demo – 4. Continue with client onboarding
Specify the device ownership
Personal Devices (BYOD) will automatically be selected.
• Check View and agree to the terms of use
• Click Enroll My Device
Company-Issued Devices (CID) would automatically be selected if this device’s MAC address is configured in Client Management.
Lab: Client Onboarding Demo – 5. Continue with client onboarding EXAMPLE
Specify the device ownership
Company-Issued Devices (CID) will automatically be selected if the device’s MAC address is already configured in Client Management.
Lab: Client Onboarding Demo – 6. Install the Client Enrollment profile
• The Enrollment process will begin.
• Click the Install button to install the Enrollment Profile
• Read the disclaimer warning and click Install.
• Enter your device passcode if prompted.
Lab: Client Onboarding Demo – 7. Install the Client Enrollment profile
• Click Done and the selected profile will begin to install.
Lab: Client Onboarding Demo – 8. Install the Client Enrollment profile
• Client Management verifies and installs the Wi-Fi profile
• The device is successfully enrolled
Lab: Client Onboarding Demo – 9. Client is enrolled
• Browser begins redirection
• Redirection is completed
Lab: Client Onboarding Demo – 10. Client is enrolled
• During the onboarding process an Enrollment profile is installed.
• A Wi-Fi profile is installed.
• The needed certificate is installed.
• The client device disconnects and reconnects to the 802.1X SSID. This is not visible to the user.
Lab: Client Onboarding Demo – 11. Client is enrolled
• Go to Settings > General > Profiles
• Expand the profiles.
• Verify Certificates.
• Verify Restrictions.
• Verify that the camera icon is not on your device.
MONITORING

Verify enrolled clients in HiveManager
• Monitor > Clients > Wireless Clients
• All BYOD devices will be in VLAN 10 because CM sent attribute 800 to the AP and the user was assigned to the corresponding user profile
• All CID devices will be in VLAN 10 because CM sent attribute 200 to the AP and the user was assigned to the corresponding user profile
Monitor enrolled devices in Client Management
• From Home in Client Management you can view reported device data.
• Placing your cursor over a chart reveals more information.
• Clicking on a chart will take you to the location in Client Management from which the information was gathered.
Monitor enrolled devices in Client Management
• Go to Monitor > Clients
• Verify BYOD and CID ownership as prescribed.
• Click on any client's name for device-specific information and you are taken to Client Info for that device.
Monitor enrolled devices in Client Management
• Information reported from the client is displayed.
• View the enrolled client's settings
• The client location is based on the client’s public IP address, not GPS location.
Monitor enrolled devices in Client Management
• Great detail about the client device is available.
• Scroll down
• Click on the Apps tab to view the installed applications of the client.
• Click through some of the other tabs to see more information about the client.
CUSTOMIZATION

Client Management End User UI Customization
• Client HTTP proxies can also be configured if necessary to allow the devices to reach the cloud based Client Management service.
• Manual mode allows you to specify the proxy information.
• Automatic allows the device to learn proxy requirements from the DHCP options.
Client Management End User UI Customization
• This UI is what your end users will see on their devices.
• The whole page is customizable, including:
› Company logo
› Images
› Terms of Use
› Most texts
Client Management End User UI Customization
• The Admin Account configuration allows you to create new Client Management administrators in different admin groups.
› Admin
› Monitor
› Operator
Client Management End User UI Customization
• Client Data Wipe Options – CID, BYOD or Both can be selected
• Number of Devices per User – Limits the number of devices a user can enroll from 1 to 100 devices per user.
CID List Import
From Configuration > Company-Issued Devices, you can select Import to bulk import the list of devices to which the CID Profile should be applied, Export the list, or even create an entry manually if so desired.
OPTIONAL LAB: CLIENT MANAGEMENT PPSK – SINGLE SSID

Scenario
Your Enterprise Customer is using PPSK security. Employees are permitted to bring their own devices to work to access the Internet. Security requirements include:
• Company Issued Devices (CID) such as iPads will be segmented into a separate VLAN/subnet.
• All mobile device cameras must be disabled for security purposes.
• Employee Personal Devices (BYOD) will be segmented into a different VLAN/subnet than the CID devices.
• Employee Personal Devices will have a firewall policy that restricts access to corporate resources but allows access to a gateway to the Internet.
Lab: Client Management with PPSK – 1 SSID – 1. Creating an SSID
• Go to Configuration and select your WLAN-X Network Policy
• Next to SSIDs click Choose
• Click New
Lab: Client Management with PPSK – 1 SSID – 2. Create an SSID and enable Client Management
• Profile Name: CM-PPSK-X
• SSID: CM-PPSK-X
• Select Private PSK
• Enable Self-Registration to request a Private PSK
• Enable Client Management
Lab: Client Management with PPSK – 1 SSID – 3. Create an SSID: self register with single SSID
• Allow users to register themselves on this SSID
• Registration Key: aerohive123
• Click Save
• Ensure that the SSID is highlighted and click OK
Lab: Client Management with PPSK – 1 SSID – 4. Create a PPSK User Group
• Click <PSK User Group>
• Then click New
Lab: Client Management with PPSK – 1 SSID – 5. Create a PPSK User Group
• User Group Name: CM-PPSK-X
• Select Automatically generated private PSK users
• User Profile Attribute: 10
• User Name Prefix: 0X-
• Click the Generate button to create the Private PSK Secret, which is a seed key.
• Do NOT save yet
Lab: Client Management with PPSK – 1 SSID – 6. Define the strength of the PPSKs
• Password Length: 63
• Click Save
• Ensure that the user group is highlighted and click OK
Using 63-character full-strength PPSKs protects against brute-force dictionary attacks. The attacks would take many years.
Lab: Client Management with PPSK – 1 SSID – 7. Designate a Private PSK Server
• Click <Private PSK Server>
• Highlight your 0X-AP and click OK
Aerohive APs and BR-200 routers can all function as a PPSK server.
Lab: Client Management with PPSK – 1 SSID – 8. Create a Captive Web Portal profile
• Click <Private PSK CWP>
• Then click New
Lab: Client Management with PPSK – 1 SSID – 9. Create a Captive Web Portal profile
• Name: CM-CWP-X
• Expand: Captive Web Portal Login Page Settings
• Verify Authentication is selected
• Click Save
• Click OK
Lab: Client Management with PPSK – 1 SSID – 10. Designate a RADIUS server
• Click <Private PSK RADIUS settings>
• Highlight the AP-RADIUS-X device that has been pre-configured as a RADIUS server
• Click OK
Lab: Client Management with PPSK – 1 SSID – 11. Create User Profiles
• Click Add/Remove
• From the Default > tab select the Employee-X User Profile
• Check Enable User Profile reassignment...
• Click Save
Lab: Client Management with PPSK – 1 SSID – 12. Verifying your user profile reassignment rules
• Expand the Employee-X user profile
• Verify the reassignment User Profiles
All employees will authenticate via PPSK and be assigned to VLAN 10. Employees using company issued iPads (CID) and employees using their own devices (BYOD) will be assigned the correct profiles based upon their enrollment.
Lab: Client Management with PPSK – 1 SSID – 13. Save the network policy and continue
• Click Save to save the network policy and proceed to configure and update.
Lab: Client Management with PPSK – 1 SSID – 14. Create the PPSKs
• Go to Configuration
• From the NAV pane expand Advanced Configuration
• Expand Authentication
• Select Local Users
• Click the Bulk button
Lab: Client Management with PPSK – 1 SSID – 15. Create the PPSKs
• Create Users Under Group: CM-PPSK-X
• Number of New Users: 10
• Click Create
Lab: Client Management with PPSK – 1 SSID – 16. Examine the PPSKs
• Click on (Clear Text PSK)
• Examine the 63-character PPSKs
Lab: Client Management with PPSK – 1 SSID – 17. Update the AP configuration
• Click Monitor
• Go to Devices > Access Points > Aerohive APs
• Select your 0X-A-XXXX-AP
• Click Update to upload the new configuration
Lab: Client Management with PPSK – 1 SSID – 18. Update the AP configuration
• Click Update
• Select Update Devices
Lab: Client Management with PPSK – 1 SSID – 20. Update the AP configuration
• Select Perform a complete configuration update
• Click Update
• Click OK
Lab: Client Management with PPSK – 1 SSID – 21. Verify the configuration update
© 2014 Aerohive Networks CONFIDENTIAL
CLIENT MANAGEMENT INSTRUCTOR DEMONSTRATION
Because our lab is in a remote location we cannot test the client management lab. If time permits, the instructor will now demonstrate client management in class.
Should students wish to participate with their personal devices in the demonstration, ensure that they select the BYOD profile. The Enrollment profile can be removed from their personal devices after class.
Lab: Client Onboarding Demo
1. Connect to PPSK SSID
On the instructor iOS device and/or student iOS devices:
• Go to Settings > Wi-Fi
• Click on the CM-PPSK-Demo SSID
• Passphrase: aerohive123

Lab: Client Onboarding Demo
2. Connect to the PPSK SSID
• Verify that you are connected to the CM-PPSK-Demo SSID

Lab: Client Onboarding Demo
3. Continue with client onboarding
• Open a browser and type a URL
• You will be redirected to a Captive Web Portal for authentication
• Username: demoX (X = student number; 1 = instructor number)
• Password: aerohive123

Lab: Client Onboarding Demo
4. Continue with client onboarding
• You will be redirected to the Client Management captive web portal for onboarding

Lab: Client Onboarding Demo
5. Continue with client onboarding
Specify the device ownership
Personal Devices (BYOD) will automatically be selected.
• Check View and agree to the terms of use
• Click Enroll My Device
Company-Issued Devices (CID) would automatically be selected if this device's MAC address is configured in Client Management.

Lab: Client Onboarding Demo
6. Continue with client onboarding (EXAMPLE)
Specify the device ownership
Company-Issued Devices (CID) will automatically be selected if the device's MAC address is already configured in Client Management.

Lab: Client Onboarding Demo
7. Install the Client Enrollment profile
• The Enrollment process will begin.
• Click the Install button to install the Enrollment Profile
• Read the disclaimer warning and click Install.
• Enter your device passcode if prompted.

Lab: Client Onboarding Demo
8. Install the Client Enrollment profile
• Click Done and the selected profile will begin to install.

Lab: Client Onboarding Demo
9. Install the Client Enrollment profile
• Client Management verifies and installs the Wi-Fi profile
• The device is successfully enrolled

Lab: Client Onboarding Demo
10. Client is enrolled
• Browser begins redirection
• Redirection is completed

Lab: Client Onboarding Demo
11. Client is enrolled
• During the onboarding process an Enrollment profile is installed.
• A Wi-Fi profile is installed.
• The client device disconnects and reconnects to the PPSK SSID using a unique 63-character PPSK for the device. This process is not visible to the user.

Lab: Client Onboarding Demo
12. Client is enrolled
• Go to Settings > General > Profiles
• Expand the profiles.
• Verify Certificates.
• Verify Restrictions.
• Verify that the camera icon is not on your device.
QUESTIONS?

WIRELESS VPN
Using Aerohive APs and IPsec VPN Clients and IPsec VPN Servers to Provide VPN Connections with Wireless LANs
Aerohive Layer 2 VPN
(Diagram: Remote Site – Internet – Headquarters. Notes below.)
Layer 2 VPN client devices:
• AP-100 series
• AP-300 series
• BR-100 (AP mode)
Layer 2 VPN server devices:
• AP-300 series: 128 tunnels
• HiveOS Virtual Appliance (L2 Gateway mode): 1024 tunnels
Aerohive Layer 3 VPN
(Diagram: Remote Site – Internet – Headquarters. Notes below.)
Layer 3 VPN client devices:
• BR-100 router
• BR-200 router
• AP 330/350 (router mode)
• Aerohive switch (router mode) (excluding the 2148)
Layer 3 VPN server:
• HiveOS Virtual Appliance (L3 Gateway mode): 1024 tunnels
Note: Layer 3 VPNs are discussed and used in the Aerohive Certified Network Professional (ACNP) class.
Wireless VPN Benefits (for your reading pleasure)
• Easy to Use
› L2 IPsec VPN solution simplifies deployment, because it extends the local network across the VPN without the need to dedicate subnets for each remote site and set up DHCP relays on branch routers or firewalls
› Automatic certificate creation and distribution for validating VPN devices
› Profile-based Split Tunneling
» Users and Services can be bridged locally or tunneled based on user profile
• Flexible
› Single mode of operation supports all deployments
› Supported in all Aerohive AP platforms, Hardware Acceleration in 300 series
› Multiple end point support
» Backup VPN gateway support
» Distributed Wireless VPN tunnel termination
• Complete Functionality
› Multiple AP Support with secure and fast roaming
› Mesh Portals and Mesh Points supported
› RADIUS, DHCP, NTLM, LDAP and NTP can selectively go to local or remote network
› Rogue AP and rogue client detection, DoS prevention, Firewall, and QoS all occur locally on the remote Aerohive AP
• Economical
› No license fees for wireless VPN, or any of the other features on the Aerohive APs
› For the cost of an AP, you get wireless VPN servers
Please review the notes pages
Teleworker Home Office
(Diagram; please view notes below slide.)
• Headquarters: Aerohive VA-1 VPN Server and Aerohive VA-2 VPN Server in the DMZ; DHCP Server; Corporate Wi-Fi Devices VLAN 10 (10.8.20.0/24); Corporate Wi-Fi Voice VLAN 11 (10.8.21.0/24)
• IPsec primary and backup VPN tunnels across the Internet
• Teleworker home office: Internet Provider Gateway 192.168.1.1; Aerohive AP 5 VPN Client 192.168.1.2; Home PC with Printer 192.168.1.5; Home Laptop on SSID Home 192.168.1.6; Work Laptop on SSID Corp 10.8.20.51; Work Phone on SSID Voice 10.8.21.33
Branch Office VPN with Bridging
(Diagram.)
• Headquarters: Aerohive VA-1 VPN Server and Aerohive VA-2 VPN Server in the DMZ; DHCP Server; Corporate Wi-Fi Devices VLAN 10 (10.8.20.0/24); Corporate Wi-Fi Voice VLAN 11 (10.8.21.0/24)
• IPsec primary and backup VPN tunnels across the Internet, carrying both wired and wireless clients
• Branch office: Gateway 192.168.1.1; Aerohive AP 3 VPN Client 192.168.1.5; Aerohive AP 4 VPN Client 192.168.1.6; Desktop 10.8.20.10 and Printer 10.8.20.11 (wired); Laptop on SSID Corp 10.8.20.12; Phone 10.8.21.5; Phone on SSID Voice 10.8.21.33; Guest Laptop on SSID Guest 192.168.1.50
Tunnel Traffic Header Overview and Example
(Diagram; the numbered steps 1–8 follow a frame from the Branch Office to Corporate Headquarters.)
Branch Office:
• Wireless Client: MAC 0022.22aa.aa22, VLAN 20, IP 10.8.20.50
• Aerohive AP 1, VPN Client: MGT0 10.5.2.100 (private IP), Tunnel0 10.8.1.50
• FW (NAPT): public IP 2.2.2.2; any inside address is translated to 2.2.2.2
Corporate Headquarters:
• FW (NAT): public IP 1.2.1.2; the VPN server MGT0 IP is 1.2.1.2 before NAT and 10.8.1.2 after NAT
• HiveOS VA, VPN Server: MGT0 10.8.1.2
• Corporate Server: MAC 0011.11bb.bb11, VLAN 20, IP 10.8.20.150
Headers, outermost first:
• NAT Traversal: UDP, source and destination port 4500; the source port changes with NAPT
• IPsec (ESP) Tunnel: encrypts the GRE and client traffic
• GRE Tunnel (Tunnel0 10.8.1.50 to MGT0 10.8.1.2): encapsulates the client Layer 2 traffic
• Layer 2 Client Data: client traffic from 10.8.20.50 / 0022.22aa.aa22 to 10.8.20.150 / 0011.11bb.bb11, VLAN tag 20
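As an added example (not from the course material and not Aerohive's code), the following model walks the header stack the slide draws: the client's tagged Ethernet frame inside GRE, inside ESP, inside UDP 4500 for NAT traversal, inside the outer IP header between the AP's MGT0 and the HQ firewall. It shows what each firewall may rewrite, what an observer on the Internet can actually read, and, going one step beyond the slide, how much MTU the stack costs. The addresses are the slide's; the ESP sizes assume AES-CBC with HMAC-SHA1-96, and the NAPT source port is constructed, since the slide states neither.

```python
# Addresses and layers from the diagram on this slide.
CLIENT_MAC, CLIENT_IP = "0022.22aa.aa22", "10.8.20.50"
SERVER_MAC, SERVER_IP = "0011.11bb.bb11", "10.8.20.150"
CLIENT_VLAN = 20
AP_MGT0, AP_TUNNEL0 = "10.5.2.100", "10.8.1.50"        # Aerohive AP 1, VPN client
BRANCH_FW_PUBLIC = "2.2.2.2"                             # branch firewall, NAPT
HQ_FW_PUBLIC, VPN_SERVER_MGT0 = "1.2.1.2", "10.8.1.2"    # HQ firewall NAT -> HiveOS VA MGT0
NAT_T_PORT = 4500

# Header sizes in bytes. Ethernet, 802.1Q, GRE (no options), UDP and IPv4 (no options)
# are fixed by their specifications. The ESP figures are an ASSUMPTION of this example
# (AES-CBC with HMAC-SHA1-96); the slide does not name the IPsec transform set.
ETH_HDR, DOT1Q_TAG, GRE_HDR, UDP_HDR, IPV4_HDR = 14, 4, 4, 8, 20
ESP_HDR, ESP_IV, ESP_ICV, ESP_TRAILER, ESP_BLOCK = 8, 16, 12, 2, 16


def build_stack(payload_len: int) -> list:
    """Header stack as the VPN client AP emits it, outermost first.
    Everything from the GRE delivery header inward is inside the ESP payload."""
    return [
        {"layer": "IPv4 (IPsec outer)", "src": AP_MGT0, "dst": HQ_FW_PUBLIC, "size": IPV4_HDR},
        {"layer": "UDP (NAT-T)", "sport": NAT_T_PORT, "dport": NAT_T_PORT, "size": UDP_HDR},
        {"layer": "ESP", "size": ESP_HDR + ESP_IV, "encrypted_below": True},
        {"layer": "IPv4 (GRE delivery)", "src": AP_TUNNEL0, "dst": VPN_SERVER_MGT0, "size": IPV4_HDR},
        {"layer": "GRE", "size": GRE_HDR},
        {"layer": "Ethernet + 802.1Q", "src": CLIENT_MAC, "dst": SERVER_MAC, "vlan": CLIENT_VLAN,
         "size": ETH_HDR + DOT1Q_TAG},
        {"layer": "client IP packet", "src": CLIENT_IP, "dst": SERVER_IP, "size": payload_len},
    ]


def apply_branch_napt(stack: list, new_sport: int) -> list:
    """Branch firewall: rewrites only the outer IP source and the UDP source port
    (the slide's 'Src Port Changes w/NAPT'); nothing under ESP is reachable."""
    out = [dict(layer) for layer in stack]
    out[0]["src"] = BRANCH_FW_PUBLIC
    out[1]["sport"] = new_sport
    return out


def apply_hq_nat(stack: list) -> list:
    """HQ firewall: destination NAT from the public 1.2.1.2 to the VPN server MGT0."""
    out = [dict(layer) for layer in stack]
    out[0]["dst"] = VPN_SERVER_MGT0
    return out


def visible_on_internet(stack: list) -> dict:
    """Fields an observer between the two firewalls can read: only the layers above
    the ESP boundary. Inner IPs, MACs and the VLAN tag are ciphertext."""
    seen = {}
    for layer in stack:
        for k, v in layer.items():
            if k not in ("layer", "size", "encrypted_below"):
                seen[f"{layer['layer']}.{k}"] = v
        if layer.get("encrypted_below"):
            break
    return seen


def wire_size(payload_len: int) -> int:
    """Bytes of the outer IPv4 packet for a client IP packet of payload_len bytes.
    The ESP plaintext (GRE delivery IP + GRE + Ethernet/802.1Q + client packet + trailer)
    is padded to the cipher block size, then the ICV is appended."""
    plaintext = IPV4_HDR + GRE_HDR + ETH_HDR + DOT1Q_TAG + payload_len + ESP_TRAILER
    padded = plaintext + (-plaintext) % ESP_BLOCK
    return IPV4_HDR + UDP_HDR + ESP_HDR + ESP_IV + padded + ESP_ICV


def max_client_packet(mtu: int = 1500) -> int:
    """Largest client IP packet that still fits the WAN MTU without fragmentation."""
    size = mtu
    while size > 0 and wire_size(size) > mtu:
        size -= 1
    return size


if __name__ == "__main__":
    stack = apply_branch_napt(build_stack(1400), new_sport=61000)  # constructed NAPT port
    print(visible_on_internet(stack))
    print("1400-byte client packet on the wire:", wire_size(1400), "bytes")
    print("largest client packet for a 1500-byte MTU:", max_client_packet())
```

Two things fall out of the model that the picture alone does not show: the only fields the Internet path ever sees are the two public addresses, UDP 4500 and the ESP SPI, which is also why the server-side firewall only needs UDP 500 and 4500 opened; and the Layer 2 encapsulation is expensive, since a 1400-byte client packet becomes 1520 bytes on the wire under these assumptions, so clients behind a 1500-byte WAN link must be limited to roughly 1380-byte packets or the outer packets fragment.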
QUESTIONS?

CONFIGURE 802.1X SSID FOR WIRELESS VPN ACCESS
LAB: Layer 2 VPN with Aerohive Devices
LAB Goals
• Configure Network Policy for 802.1X/EAP authentication. Wi-Fi clients will authenticate to an external RADIUS server through a VPN tunnel.
• Create a site-to-site Layer 2 VPN between an Aerohive AP and a HiveOS VPN Gateway.
• Define a split-tunnel firewall policy for user traffic
• Define which management traffic traverses through the VPN tunnel
• Use VPN diagnostics tools to troubleshoot IPsec/IKE Phase 1 and Phase 2 problems
• Connect to the hosted PC and test the 802.1X/EAP authentication through the VPN tunnel
Wireless Layer 2 VPN Lab
Network Diagram and IP Summary
WLAN Branch Office – Aerohive AP VPN Clients:
• VPN Client X-A-Aerohive AP: MGT0 10.5.2.?/24 (? = address learned through DHCP), gateway 10.5.2.1
• FW (NAT): public IP 2.2.2.2
WLAN HQ – Aerohive AP VPN Servers:
• VPN Server HiveOS-VA-0X: MGT0 10.200.2.X/24, gateway 10.200.2.1
• Firewall NAT rules: 1.2.2.X to 10.200.2.X
• DHCP Server VLAN 1: network 10.200.2.0/24, pool 10.200.2.150 – 10.200.2.200, gateway 10.200.2.1
• RADIUS: 10.200.2.250
• Wi-Fi Client: 10.200.2.?/24, GW 10.200.2.1
Tunnels:
• Layer 3 IPsec VPN tunnels – IP headers: (10.5.2.?) 2.2.2.2 to 1.2.1.X
• Layer 2 GRE tunnels – IP headers: tunnel0 10.200.2.1XX to 10.200.2.X
• VPN client device tunnel address pool, AP VPN 1: 10.200.2.101 – 10.200.208
LAB: Configure Access for Wireless VPN
1. Select your Class-EAP-X SSID for VPN
Reassign your Class-EAP-X SSID to use for VPN
• Next to SSIDs click Choose
• Click to deselect all other SSIDs
• Click to select (highlight) the Class-EAP-X SSID
• Click OK
(Screenshot callouts: Click to deselect all other SSIDs. Ensure Class-EAP-X is highlighted, then click OK.)

LAB: Configure Access for Wireless VPN
2. Configure External RADIUS Server
• Under Authentication, click RADIUS-X
• In Choose RADIUS, click New
LAB: Configure Access for Wireless VPN
3. Configure External RADIUS Server
Define RADIUS Server Settings for use with wireless clients through the VPN
• Click the radio button for External RADIUS Server
• Profile Name: VPN-RADIUS-X
• Primary RADIUS Server: 10.200.2.250
• Shared Secret: aerohive123
• Confirm Secret: aerohive123
• Click Apply (Did you click Apply?)
• Click Save
LAB: Configure Access for Wireless VPN
4. Modify Employee-X User Profile to be in VLAN 1
Modify the Employee-X user profile to assign users to VLAN 1, which is in the DMZ
• Under User Profile, click Employee-X

LAB: Configure Access for Wireless VPN
5. Change Employee-X VLAN to 1
• Name: Employee-X
• Attribute Number: 10
• Change the VLAN assignment to: 1
› Note: This is the user VLAN that will be available through the VPN tunnel. Users will be assigned to this VLAN after 802.1X/EAP authentication.
• Do NOT save yet

LAB: Configure Access for Wireless VPN
6. Change Employee-X VLAN to 1
• Under Optional Settings
• Expand Client Classification Policy
• Deselect Enable user profile reassignment based on client classification rules
› Note: If this is left as configured from a previous lab, user traffic will not use the tunnel.
• Click Save

LAB: Configure Access for Wireless VPN
7. Save the SSID Settings
• Verify settings, then click Save

QUESTIONS?
CONFIGURE LAYER 2 IPSEC VPN
Wireless VPN Lab – Review
Network Diagram and IP Summary
(This review slide repeats the Wireless Layer 2 VPN Lab network diagram and IP summary shown above.)
LAB: Create VPN Services Policy
1. Create a Layer 2 IPsec VPN Policy
To create a Layer 2 IPsec VPN Policy
• Next to Layer 2 IPsec VPN, click Choose
• Click New

LAB: Create VPN Services Policy
2. Define Name and server IP Settings
• Profile Name: VPN-X
• For Aerohive AP VPN Server 1, select your server: HiveOS-VA-0X
• This will fill in the Server MGT0 IP Address and the MGT0 Default Gateway
• Enter the server Public IP: 1.2.2.X
Do not save yet...

LAB: Create VPN Services Policy
3. Create the Aerohive VPN client device pool
NOTE: It is recommended that the following VPN client tunnel IP address pool be in the same subnet as the MGT0 interface of the Aerohive VPN server.
These are the GRE tunnel endpoint addresses for the Aerohive AP that functions as a VPN client. These are NOT IP addresses for the users.
• Client Tunnel IP Address Pool Start: 10.200.2.X0
• Client Tunnel IP Address Pool End: 10.200.2.X9
• Client Tunnel IP Address Netmask: 255.255.255.0
Do not save yet...

LAB: Create VPN Services Policy
4. Define Split Tunnel Policy
• Go to User Profiles for Traffic Management
• Next to: Employee-X
› Select Enabled
› Select the radio button for Split Tunnel
» NOTE: Split tunnel uses the built-in stateful firewall policy to determine which traffic should be sent to the Internet, and which traffic should go through the tunnel.
Do not save yet...
Split Tunnel Firewall Policy – Automatically Created
When you select the option to use split tunnel to local subnet and Internet, the following policy gets created on the Aerohive AP for all the user traffic defined by the User Profile.
The following policy will not be displayed in HiveManager.
From Access Firewall Policy
Source IP     Destination IP    Service      Action
0.0.0.0/0     0.0.0.0/0         DHCP-Server  Permit (tunnel)
0.0.0.0/0     10.5.2.0/24       Any          NAT
0.0.0.0/0     10.0.0.0/8        Any          Permit (tunnel)
0.0.0.0/0     172.16.0.0/12     Any          Permit (tunnel)
0.0.0.0/0     192.168.0.0/16    Any          Permit (tunnel)
0.0.0.0/0     0.0.0.0/0         Any          NAT
Note: You can also create custom split-tunnel firewall policies for user traffic.
Split Tunnel Firewall Policy – Manually Created
The private networks defined by the automatically created split-tunnel firewall policy might conflict with available networks at the remote site. You can always manually create a split-tunnel firewall policy.
• Next to: Employee-X
› Select Enabled
› Select the radio button for Tunnel All Traffic
• Create a custom From-Access split-tunnel firewall policy in the appropriate User Profile

Tunnel All User Traffic – Tunnel All
Some corporations may have a security policy that does not allow for split-tunneling of user traffic. All user traffic destined for the Internet might first have to pass through the corporate content filter solution.
• Next to: Employee-X
› Select Enabled
› Select the radio button for Tunnel All Traffic
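To make the three preceding slides concrete, here is an added example (this page's editor's, not HiveManager's implementation) that evaluates the automatically created split-tunnel policy, a manually built variant, and Tunnel All against sample flows from the teleworker diagram earlier in this module. It demonstrates the conflict the "Manually Created" slide warns about: under the automatic policy a work laptop's print job to the home printer at 192.168.1.5 matches the 192.168.0.0/16 rule and is sent into the tunnel, and the fix is a locally-NATed exception placed above the RFC 1918 rules. First-match, top-to-bottom evaluation and the exception rule are this example's assumptions; the flows are constructed.

```python
import ipaddress

# The automatically created split-tunnel policy from the slide, in the order shown.
# A rule is (source prefix, destination prefix, service, action). "Permit (tunnel)"
# sends the flow through the GRE-over-IPsec tunnel; "NAT" forwards it locally from
# the AP's own address. 10.5.2.0/24 is the lab AP's MGT0 subnet.
AUTO_SPLIT_TUNNEL = [
    ("0.0.0.0/0", "0.0.0.0/0",      "DHCP-Server", "Permit (tunnel)"),
    ("0.0.0.0/0", "10.5.2.0/24",    "Any",         "NAT"),
    ("0.0.0.0/0", "10.0.0.0/8",     "Any",         "Permit (tunnel)"),
    ("0.0.0.0/0", "172.16.0.0/12",  "Any",         "Permit (tunnel)"),
    ("0.0.0.0/0", "192.168.0.0/16", "Any",         "Permit (tunnel)"),
    ("0.0.0.0/0", "0.0.0.0/0",      "Any",         "NAT"),
]

# "Tunnel All Traffic": a single catch-all rule, as the Tunnel All slide describes.
TUNNEL_ALL = [("0.0.0.0/0", "0.0.0.0/0", "Any", "Permit (tunnel)")]


def evaluate(policy, src_ip, dst_ip, service="Any"):
    """First matching rule wins, top to bottom (ordered-rule semantics are an
    assumption of this model; HiveManager's exact engine is not on the slide)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule_src, rule_dst, rule_service, action in policy:
        if src not in ipaddress.ip_network(rule_src):
            continue
        if dst not in ipaddress.ip_network(rule_dst):
            continue
        if rule_service != "Any" and rule_service != service:
            continue
        return action
    return "Deny"   # not reached while a catch-all rule is present


def custom_split_tunnel(local_subnets):
    """A hand-built From-Access policy for the conflict the 'Manually Created' slide
    describes: the remote site's own private subnets (for example a home 192.168.1.0/24)
    are bridged locally BEFORE the broad RFC 1918 tunnel rules catch them.
    The construction is this example's, not a HiveManager default."""
    policy = [AUTO_SPLIT_TUNNEL[0]]                                   # keep DHCP in the tunnel
    policy += [("0.0.0.0/0", net, "Any", "NAT") for net in local_subnets]
    policy += AUTO_SPLIT_TUNNEL[1:]
    return policy


def classify(policy, flows):
    """Map (src, dst, service) flows to the action each policy takes on them."""
    return {flow: evaluate(policy, *flow) for flow in flows}


if __name__ == "__main__":
    # Constructed flows from a teleworker's work laptop (10.8.20.51, as in the
    # Teleworker Home Office diagram): HQ voice phone, home printer, AP subnet, Internet.
    flows = [
        ("10.8.20.51", "10.8.21.33", "Any"),
        ("10.8.20.51", "192.168.1.5", "Any"),
        ("10.8.20.51", "10.5.2.100", "Any"),
        ("10.8.20.51", "203.0.113.10", "Any"),
    ]
    for name, policy in [("auto", AUTO_SPLIT_TUNNEL),
                         ("custom", custom_split_tunnel(["192.168.1.0/24"])),
                         ("tunnel-all", TUNNEL_ALL)]:
        print(name, classify(policy, flows))
```

Note the ordering subtleties the table relies on: the DHCP rule sits first so the client's broadcast DHCP request reaches the corporate DHCP server through the tunnel, and the AP's own 10.5.2.0/24 subnet is NATed locally before the 10.0.0.0/8 rule would otherwise have tunneled it.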
LAB: Create VPN Services Policy
5. Assign VPN Certificates for VPN Server
• Under Optional Settings, expand IPsec VPN Certificate Authority Settings
• VPN Certificate Authority: Default_CA.pem
• VPN Server Certificate: AP-X_key_cert.pem
• VPN Server Cert Private Key: AP-X_key_cert.pem
Do not save yet...

LAB: Create VPN Services Policy
6. Review XAUTH Credentials
• Expand Server-Client Credentials
NOTE: These are VPN xAuth credentials that get generated automatically for each Aerohive AP VPN Client and Aerohive VPN Server pair.
• Nothing needs to be done here. This is for monitoring, or for generating a new key or removing a key if an AP is lost or stolen.
Do not save yet...
LAB: Create VPN Services Policy
How XAUTH Credentials are Used
• The default IKE peer authentication method for the wireless VPN is "hybrid"
• In hybrid mode:
› The VPN server authenticates itself to the client with an RSA signature, which requires the server to have a server certificate, and the client must have the root CA certificate that signed the server certificate so it can validate the server
• The server authenticates the client using xAuth
› HiveManager generates a set of xAuth credentials (random strings for username and password) for each Aerohive AP VPN client and Aerohive AP VPN server pair
› When the VPN client uses valid credentials to authenticate with the VPN server, the tunnel can be established
› If the credentials are removed from either the VPN client or the VPN server, the tunnel cannot be established
LAB: Create VPN Services Policy
7. View Advanced Server Options
• Expand Advanced Server Options
• No changes are necessary for the following options:
› IKE Phase 1 Options
› IKE Phase 2 Options
• Check Enable peer IKE ID validation: User FQDN
NOTE: HiveManager will look at the certificate, find the User FQDN, and configure a rule on the Aerohive AP client to force validation of the Aerohive VPN server using the User FQDN. The server by default validates the Aerohive AP client using XAUTH, so this check enables two-way validation.
Do not save yet...
LAB: Create VPN Services Policy
8. Configure Advanced Client Options
• Expand Advanced Client Options
› Select the management traffic from the Aerohive AP to send through the tunnel.
› Check the boxes for:
» Syslog
» RADIUS
Note: By default the VPN tunnel is used for user traffic; however, these options allow the Aerohive AP itself to send the management traffic it generates through the tunnel, based on the options selected.
› Check Enable NAT traversal (adds a UDP header with port 4500 onto the IPsec packets)
Do not save yet...
LAB: Create VPN Services Policy
9. View Dead Peer Detection Settings
• Dead Peer Detection is used for switching between Aerohive VPN Server 1 and Aerohive VPN Server 2 upon failure
› DPD verifies IKE Phase 1
» Send a heartbeat every 10 seconds (by default)
» If you miss one heartbeat, send at the Retry Interval instead of at the normal Interval setting
» If you miss the number of retries specified, fail over to the backup VPN server
› AMRP verifies end to end through the GRE and VPN tunnel
» Send a heartbeat every 10 seconds (by default)
» If you miss one heartbeat, send at 1-second intervals instead of at the normal Interval setting
» If you miss the number of retries specified, fail over to the backup VPN server
Default DPD failover time: ~16 seconds
Default AMRP failover time: ~21 seconds
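As an added example (not part of the course material or HiveOS), the following simulation replays the heartbeat behaviour the slide describes for both detectors and shows how the interval, retry interval and retry count together determine the failover latency. The 10-second interval and the 1-second AMRP retry interval are from the slide; the DPD retry interval and both retry counts are not stated there and are assumed values chosen so that the model reproduces the ~16 s and ~21 s defaults the slide quotes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HeartbeatPolicy:
    name: str
    interval: float        # seconds between heartbeats while the peer answers
    retry_interval: float  # seconds between heartbeats after one is missed
    retries: int           # unanswered retries tolerated before failover


# ASSUMED values. The slide gives the 10-second interval for both detectors and the
# 1-second AMRP retry interval; the DPD retry interval and both retry counts are not
# on the slide and were chosen so the model reproduces its quoted ~16 s and ~21 s.
DPD = HeartbeatPolicy("DPD (IKE Phase 1)", interval=10.0, retry_interval=2.0, retries=3)
AMRP = HeartbeatPolicy("AMRP (end to end over GRE)", interval=10.0, retry_interval=1.0, retries=11)


def simulate_failover(policy: HeartbeatPolicy, peer_alive_until: float):
    """Replay the heartbeat timeline against a peer that answers every heartbeat sent
    at or before `peer_alive_until` and none after. Returns (failover_time, heartbeats_sent).
    Behaviour follows the slide: a miss switches the sender to the retry interval; when
    the configured number of retries has also gone unanswered, the client fails over."""
    t, sent, missed = 0.0, 0, 0
    while True:
        sent += 1
        if t <= peer_alive_until:          # answered: stay on the normal interval
            missed = 0
            t += policy.interval
            continue
        missed += 1                        # the first miss counts, then each retry
        if missed > policy.retries:
            return t, sent
        t += policy.retry_interval


def worst_case_failover(policy: HeartbeatPolicy) -> float:
    """Upper bound on detection latency: the peer dies right after answering, so a
    full interval passes before the first miss, then every retry is spent."""
    return policy.interval + policy.retries * policy.retry_interval


def first_detector(policies, peer_alive_until: float):
    """Both detectors run in parallel; whichever gives up first triggers the switch
    to the backup server. Returns (failover_time, detector name)."""
    return min(
        ((simulate_failover(p, peer_alive_until)[0], p.name) for p in policies),
        key=lambda pair: pair[0],
    )


if __name__ == "__main__":
    for p in (DPD, AMRP):
        t, n = simulate_failover(p, peer_alive_until=0.0)   # peer answers only the t=0 heartbeat
        print(f"{p.name}: failover at {t:.0f} s after {n} heartbeats")
    print("first to fire:", first_detector((DPD, AMRP), peer_alive_until=0.0))
```

The worst case is the one the slide's defaults describe (a full interval plus all retries); a server that dies mid-interval is caught sooner. Shortening the interval or retry count lowers the failover time at the price of more false failovers on a lossy WAN link, which is why the lab leaves the defaults in place.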
LAB: Create VPN Services Policy
10. Save VPN Services Policy
• Click Save to save the VPN Service Settings

LAB: Create VPN Services Policy
11. Verify VPN Setting and Save Network Policy
Back in your Network Policy
• Ensure Layer 2 IPsec VPN is set to VPN-X
• Click Continue

QUESTIONS?
AEROHIVE DEVICE VPN ROLES AND UPDATING THE CONFIGURATION
Configuring Aerohive APs to be VPN Clients and VPN Servers
LAB: Assign Aerohive devices to VPN Roles
1. Modify Your A-Aerohive AP
In the Configure & Update Devices section
• Select the Filter: Current Policy
• Click to modify your Aerohive AP: X-A-######

LAB: Assign Aerohive devices to VPN Roles
2. Assign VPN Service Role to Client
• Scroll down, and in the Optional Settings Section
› Expand Services Settings
› Deselect Device RADIUS Service
› Set the VPN Service Role to: Client
• Click Save

LAB: Assign Aerohive devices to VPN Roles
3. Modify HiveOS Virtual Appliance (VA)
In the Configure and Update Devices section:
• Click to modify your VPN Gateway: HiveOS-VA-0X
The key with the triangle pointing up is a VPN client icon

LAB: Assign Aerohive devices to VPN Roles
4. Assign VPN Service Role to Server
• Scroll down, and in the Optional Settings Section
› Expand Services Settings
› Set the VPN Service Role to: Server
• Click Save

LAB: Assign Aerohive devices to VPN Roles
5. Upload the Configuration to Your Aerohive devices
In the Configure & Update Devices section:
• Check the box next to your VPN client & server: X-A-######, HiveOS-VA-0X
The key with the triangle pointing down is a VPN server icon

LAB: Assign Aerohive devices to VPN Roles
6. Upload the Configuration to Your Aerohive devices
• Select Update Devices
• Select Perform a complete configuration update for all selected devices
• Click Update
• In the Reboot Warning window click OK
For this class, ALL updates should be Complete configuration updates unless otherwise instructed

Lab: Use AD to Assign User Profile SSID
7. Upload the Configuration to Your Aerohive devices
• The devices will reboot
LAB: Verify the Aerohive L2 VPN
1. Wait for Upload to Finish Then Verify VPN
• From Monitor > Devices > All Devices
› If the Aerohive AP VPN Server and Client icons are green, then you know the VPN tunnel is up.

LAB: Verify the Aerohive L2 VPN
2. Aerohive device VPN Diagnostics
• Go to Monitor > Devices > All Devices
• Select one of the VPN devices: X-A-Aerohive AP
• Click Utilities > Diagnostics > Show IKE Event
• Verify that both Phase 1 and Phase 2 are successful

LAB: Verify the Aerohive L2 VPN
3. Aerohive device VPN Diagnostics – Phase 1
• Select one of the VPN devices: X-A-Aerohive AP
• Click Utilities > Diagnostics > Show IKE Event
Possible problems if Phase 1 fails:
• Certificate problems
• Incorrect networking settings
• Incorrect NAT settings on the external firewall
Possible problems if Phase 2 fails:
• Mismatched transform sets between the client and server (encryption algorithm, hash algorithm, etc.)

LAB: Verify the Aerohive L2 VPN
4. Aerohive device VPN Diagnostics – Phase 1
• Click Utilities > Diagnostics > Show IKE Event
• If you see that Phase 1 failed due to a certificate problem
› Check the time on the Aerohive devices
» show clock
» show time
› Ensure you have the correct certificates loaded on the Aerohive APs in the VPN services policy

LAB: Verify the Aerohive L2 VPN
5. Aerohive device VPN Diagnostics – Phase 1
• Click Utilities > Diagnostics > Show IKE Event
• If you see that Phase 1 failed due to wrong network settings
› Check the IP settings in the VPN services policy
› Check the NAT settings on the external firewall

LAB: Verify the Aerohive L2 VPN
6. Aerohive device VPN Diagnostics – Phase 1
• Click Utilities > Diagnostics > Show IKE SA
• Phase 1 has completed successfully if you reach step #9
• If step #9 is not established then one of these problems exists:
› Certificate problems
› Incorrect networking settings
› Incorrect NAT settings on the external firewall

LAB: Verify the Aerohive L2 VPN
7. Aerohive device VPN Diagnostics – Phase 2
• Click Utilities > Diagnostics > Show IPsec SA
Note: It is clear to see that a VPN is functional if you see the tunnel from the MGT0 IP of the VPN client to the (NAT) address of the MGT0 of the VPN server, and the reverse. Both use different SAs (Security Associations).
› State: Mature
• If Phase 2 fails: check the encryption & hash settings on the VPN client and the VPN server

LAB: Verify the Aerohive L2 VPN
8. View VPN Topology
• Open your Network Policy, click the Configure Interfaces and User Access bar
• In the Layer 2 IPsec VPN section click VPN Topology

LAB: Verify the Aerohive L2 VPN
9. View VPN Topology
• When the Aerohive device icons are displayed in green with a green line between them, the VPN is up
• You can move your mouse over an icon for more details

VPN Topology Example
• Here is an example of a VPN topology with 12 Aerohive AP VPN clients and two Aerohive VPN servers for tunnel load sharing and redundancy
NOTE: Layer-2 IPsec VPN – VPN Server Side Firewall Rules
NOTE: In an IPsec VPN deployment, if you have a firewall protecting the VPN server, you will need rules similar to the following from the Internet to the IPsec VPN server:
Source IP    Destination IP   Protocol   Source Port   Dest Port       Action
0.0.0.0/0    1.2.1.2 (NAT)    17 (UDP)   Any           4500 (NAT-T)    Permit
0.0.0.0/0    1.2.1.2 (NAT)    17 (UDP)   Any           500 (IKE)       Permit
(Diagram: VPN Client 2-A-Aerohive AP 10.5.2.?/24, gateway 10.5.2.1, behind FW (NAT) 2.2.2.2; firewall NAT rule 1.2.1.2 to 10.200.2.2; VPN server 10.200.2.2 with tunnel interface 10.8.1.20, gateway 10.200.1.1; RADIUS 10.200.2.250.)
TESTING YOUR VPN ACCESS WITH 802.1X CLIENT (SUPPLICANT)
Using Microsoft XP
Lab: Testing 802.1X/EAP For VPN Access
1. Connect to Secure Wireless Network
• From the bottom task bar, click the locate wireless networks icon
• Click Class-EAP-X
• Click Connect
(Screenshot callout: Wireless Network Icon)

Lab: Testing 802.1X/EAP to External RADIUS
2. Connect to Secure Wireless Network
• From the bottom task bar, click the locate wireless networks icon
• Click Class-EAP-X
• Click Connect
NOTE: If this fails, there is a chance there is a certificate issue with the Hosted PC in VMware.

Lab: Testing 802.1X/EAP For VPN Access
3. View Wireless Clients
• After associating with your SSID, you should see your connection in the active clients list in HiveManager
› Go to Monitor > Clients > Active Clients
• IP Address: 10.200.2.X
• User Name: DOMAIN\user
• VLAN: 1
• User Profile Attribute: 10

Lab: Testing 802.1X/EAP For VPN Access
Client Monitor – Successful Connection
• Client Monitor showing successful authentication
• The RADIUS server IP is 10.200.2.250, which is only accessible through the VPN tunnel
QUESTIONS?

VPN LAB CLEANUP

Lab: VPN Lab Cleanup
1. Deselect Layer 2 IPsec VPN Policy
To continue with the rest of the training labs, please remove the VPN settings so that traffic is not tunneled through the VPN
• Go to Configuration
• Select your Network Policy: WLAN-X and click OK
• Next to Layer 2 IPsec VPN click Choose
• Click to deselect your VPN-X profile
• Click OK
• In the Network Policy click Save
(Screenshot callout: Click to deselect VPN-X)

Lab: VPN Lab Cleanup
2. Change Employee-0X User Profile to VLAN 10
Modify the Employee-X user profile to assign users to VLAN 10, which is in the DMZ
• Under User Profile, click Employee-X

Lab: VPN Lab Cleanup
3. Change Employee-X VLAN to 10
• Name: Employee-X
• Attribute Number: 10
• Change Network or VLAN-only Assignment to: 10
• Click Save

QUESTIONS?
AEROHIVE DEVICE CLASSIFICATION EXAMPLES
To Simplify the WLAN Policy Configuration When Different Settings for Aerohive Devices are Needed at Different Locations
Question: How do you define a single WLAN policy, but configure different settings?
• For example, in the Network policy, you can only define one MGT interface VLAN profile
• But if the Aerohive APs are in different networks with different MGT VLANs, what can you do?
(Diagram: a Router connected to two L2-Switches, each with an Aerohive AP.)
Aerohive AP Device Settings (first AP): Interface mgt0: 10.5.2.?; Classification Tag: radius; Network Policy: WLAN-X; MGT0 VLAN: 2
Aerohive AP Device Settings (second AP): Interface mgt0: 10.7.1.X; Classification Tag: GRE; Network Policy: WLAN-X; MGT0 VLAN: 100
Answer: HiveManager Device Classification
Define a VLAN Object That is Variable
• With HiveManager Device Classification, you can create one VLAN object, but have it change based on a device tag (text field) assigned to a device, a hostname, or based on a topology map where a device resides
• For example, this VLAN object called ap-vlans-2 is a policy that assigns VLAN 100 if the device has a text field device tag configured called GRE; assigns VLAN 2 if a text field device tag on a device is configured with radius; and VLAN 1 if a device does not have any text field device tags (global).

Answer: HiveManager Device Classification
Devices Can Be Assigned to Textual Classifier Tags
• To allow a VLAN object, IP object or device template object to be customized by specific Aerohive devices, you can specify Device Classification tags in the device configuration settings for any Aerohive device.
• You can define three tags, that can specify device function, services, or location, for example
(Screenshots: Aerohive AP A Device Classification Settings; Aerohive AP B Device Classification Settings)

Answer: HiveManager Device Classification
Object Definition Changes Based on Tag
In this example, a Network Policy uses a VLAN object to define the MGT VLANs on APs.
HiveManager can assign different VLANs to a device or user profile based on device classification rules.
When HiveManager updates the configuration on Aerohive AP A, it will assign its MGT VLAN to 2, and Aerohive AP B will be assigned to 100.
Aerohive AP A is a RADIUS server, so you can assign a tag like radius.
Aerohive AP B is a GRE tunnel terminator, so you can assign a tag like GRE.
(Screenshot: AP MGT VLAN Object Definition)

Answer: HiveManager Device Classification
Supported Objects
• Objects that support Device classification
› IP/Hostname Objects
› MAC Addresses/OUIs
› VLANs
› Device templates
• Multiple variables can be configured in one object, and the values assigned to the Aerohive device can change based on
› Topology Map
› Device Tags
› Hostname
Answer: HiveManager Device Classification
Types of Classification
• VLANs, IP Address Objects, MAC Address objects, and User Profile Attribute groups can have classification rules based on:
› Topology Map Name
» Uses topology maps
› Device Name
› Device Tag
» Requires that tags are defined in the configuration of Aerohive APs
› Global
» Selected if no match is found for any of the other types
• You can mix and match

Answer: HiveManager Device Classification
Tag Selection
• If you specify multiple tags on an Aerohive AP, make sure the object is defined to match relevant tags and ignore the rest
• If you want to make this VLAN object match all Aerohive APs in HQ, you must define Tag 1 as: HQ, but deselect Tag 2 and Tag 3 so they will be ignored
• If you do not uncheck Tag 2 and Tag 3, you will have to match all three tags on each Aerohive AP
(Screenshots: VLAN Object Definition; Aerohive AP 1 Configuration; Aerohive AP 2 Configuration)

Device Classification – How are the rules evaluated?
You can drag and drop the VLAN rules to change the order of priority
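The following added example (the editor's model, not HiveManager's implementation) works through the classification logic of the preceding slides: the ap-vlans-2 object resolving to VLAN 100, 2 or 1 for AP B, AP A and an untagged AP; the Tag Selection pitfall, where leaving Tag 2 and Tag 3 checked makes a rule fail on any AP that also carries a second tag; and rule priority as list order, standing in for the drag-and-drop ordering. Treating a checked-but-empty tag as "must be empty on the device" is this example's reading of the slide, and the HQ VLAN value and the two-tag AP are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Device:
    name: str
    tags: Tuple[str, str, str] = ("", "", "")   # Tag 1..3 as set on the AP; "" = not set
    topology_map: str = ""


@dataclass(frozen=True)
class Rule:
    value: int                                  # what the object resolves to (here a VLAN ID)
    kind: str                                   # "tag", "device_name", "topology_map" or "global"
    tags: Tuple[Optional[str], Optional[str], Optional[str]] = (None, None, None)
    device_name: Optional[str] = None
    topology_map: Optional[str] = None


def rule_matches(rule: Rule, device: Device) -> bool:
    if rule.kind == "global":
        return True
    if rule.kind == "device_name":
        return device.name == rule.device_name
    if rule.kind == "topology_map":
        return device.topology_map == rule.topology_map
    if rule.kind == "tag":
        # A tag left as None is deselected (ignored). A checked tag must match the
        # device exactly, including a checked-but-empty tag, which is this example's
        # reading of "you will have to match all three tags".
        return all(want is None or want == have for want, have in zip(rule.tags, device.tags))
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def resolve(rules, device: Device) -> Optional[int]:
    """Rules are tried in list order, which models the drag-and-drop priority;
    the first match wins. Without a Global rule, an unmatched device gets None."""
    for rule in rules:
        if rule_matches(rule, device):
            return rule.value
    return None


# The ap-vlans-2 VLAN object from the slides: GRE -> 100, radius -> 2, otherwise 1.
AP_VLANS_2 = [
    Rule(100, "tag", tags=("GRE", None, None)),
    Rule(2, "tag", tags=("radius", None, None)),
    Rule(1, "global"),
]

# Tag Selection slide: match every AP in HQ by Tag 1 only (VLAN 50 is a constructed value)...
HQ_LOOSE = [Rule(50, "tag", tags=("HQ", None, None)), Rule(1, "global")]
# ...versus leaving Tag 2 and Tag 3 checked (empty), which forces all three to match.
HQ_STRICT = [Rule(50, "tag", tags=("HQ", "", "")), Rule(1, "global")]

AP_A = Device("AP-A", tags=("radius", "", ""))              # RADIUS server AP from the slide
AP_B = Device("AP-B", tags=("GRE", "", ""))                 # GRE tunnel terminator AP from the slide
AP_HQ_RADIUS = Device("AP-HQ-1", tags=("HQ", "radius", ""))  # constructed: an HQ AP with two tags

if __name__ == "__main__":
    for dev in (AP_A, AP_B, Device("AP-untagged")):
        print(dev.name, "MGT VLAN", resolve(AP_VLANS_2, dev))
    print("loose HQ rule:", resolve(HQ_LOOSE, AP_HQ_RADIUS),
          "strict HQ rule:", resolve(HQ_STRICT, AP_HQ_RADIUS))
```

The strict rule silently drops the two-tag AP to the Global VLAN rather than raising an error, which is exactly the kind of misconfiguration that only surfaces when an AP comes up on the wrong management VLAN; checking the resolved value per device before pushing a configuration update catches it early.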
Device Classification Customization
Device Tag label names can be changed
• Home > Administration > HiveManager Settings > Edit Custom Tab Labels
Device Classification – Use Cases: VLAN Objects
410
• VLAN objects support device classification
› Use Case #1 – device classification with VLAN objects can be used to assign user VLANs (example in the upcoming lab)
› Use Case #2 – device classification with VLAN objects can be used to assign management VLANs to Aerohive devices
[Figure: Router connected to two L2 switches, Area1 and Area2, with user VLANs 10, 20 and 8, 16]
Device Classification – Use Cases: IP Objects
411
• IP objects support device classification
› Use Case #1 – device classification with IP objects can be used for server assignment
› Use Case #2 – device classification with IP objects can be used in firewall policies
Device Classification – Use Cases: Device Templates
412
HiveManager – SR2024P as switch device template
• HiveManager Device Templates are used to assign switches and routers at the same site or at different sites to a common set of port settings
• For example: ports 1-2 are 802.1Q ports for APs, ports 3-6 are for phones, etc.
[Figure: Distribution and Access/Edge layers; SR2024P switches with PoE ports connecting APs]
Device Classification – Use Cases: Device Templates
413
Device Templates support device classification
• Configure a default Device Template for one location
• Configure multiple Device Templates for other locations
• Configure device classification tags to have different device templates for different devices
[Figure: SR2024P as Switch – Default Sites (default Device Template) and SR2024P as Switch – Small Sites (Device Classification Tag: Small Site); PoE ports connecting APs]
Device Classification – Use Cases: Captive Web Portal Selection by Classifier Tags
414
• Captive web portals can forward users to custom destinations after authentication based on the classifier tags assigned to the Aerohive device.
• Users can also be forwarded to different web sites based upon successful or failed authentication.
Device Classification – Use Cases: Captive Web Portal Selection by Classifier Tags
415
• Traditionally, all users would be forwarded to the same URL.
• Using classified URL objects, which you can create, you can forward users to the desired locations based upon your specific requirements.
Device Classification – Use Cases: Captive Web Portal Selection by Classifier Tags
416
[Figure: URL objects classified by Tag1 = SFO and Tag1 = SJC]
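The tag-matching and priority behaviour described on the device-classification slides above (Types of Classification, Tag Selection, rule ordering, and URL objects selected by Tag1 = SFO or SJC), modelled as an added Python example. This is not HiveManager or Aerohive code: the rule types, the device hostnames, the HQ/Floor/Bldg tag values and the portal URLs are constructed for illustration, and treating the Global rule as the fallback consulted only after the ordered non-global rules is my reading of the slide text.

```python
"""Added example (not HiveManager code): how a classified object picks its
value for a device from ordered classification rules."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Device:
    hostname: str
    topology_map: str = ""
    tags: Dict[str, str] = field(default_factory=dict)   # e.g. {"Tag1": "Area1"}


@dataclass
class Rule:
    value: str                        # the object's value for matching devices
    rule_type: str                    # "map", "hostname", "tags" or "global"
    criteria: Dict[str, str] = field(default_factory=dict)

    def matches(self, dev: Device) -> bool:
        if self.rule_type == "global":
            return True
        if self.rule_type == "map":
            return dev.topology_map == self.criteria["map"]
        if self.rule_type == "hostname":
            return dev.hostname == self.criteria["hostname"]
        if self.rule_type == "tags":
            # Only tags kept selected in the object appear in criteria; a tag
            # that was deselected is absent here and is therefore ignored.
            return all(dev.tags.get(t) == v for t, v in self.criteria.items())
        raise ValueError(f"unknown rule type: {self.rule_type}")


def classify(rules: List[Rule], dev: Device) -> Optional[str]:
    """Value for one device: non-global rules are tried in list order (the
    drag-and-drop priority); the Global rule is the fallback when none match."""
    for rule in rules:
        if rule.rule_type != "global" and rule.matches(dev):
            return rule.value
    for rule in rules:
        if rule.rule_type == "global":
            return rule.value
    return None          # nothing applies and no Global fallback was defined


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never win because an earlier rule of the same
    type has identical criteria; the kind of conflict to resolve in the rule
    editor before saving."""
    seen, shadowed = set(), []
    for i, r in enumerate(rules):
        key = (r.rule_type, tuple(sorted(r.criteria.items())))
        if key in seen:
            shadowed.append(i)
        seen.add(key)
    return shadowed


# --- constructed sample data mirroring the lab; not exported from HiveManager ---
TEACHER_VLANS = [                       # VLAN object with a Global fallback
    Rule("1", "global"),
    Rule("8", "tags", {"Tag1": "Area1"}),
    Rule("10", "tags", {"Tag1": "Area2"}),
]
AP_AREA1 = Device("X-A-000001", tags={"Tag1": "Area1"})
AP_AREA2 = Device("X-A-000002", tags={"Tag1": "Area2"})
AP_UNTAGGED = Device("X-A-000003")

# Tag selection: Tag1 only (Tag2/Tag3 deselected) versus all three tags required.
HQ_TAG1_ONLY = [Rule("100", "tags", {"Tag1": "HQ"})]
HQ_ALL_TAGS = [Rule("100", "tags", {"Tag1": "HQ", "Tag2": "Floor1", "Tag3": "Bldg-A"})]
AP1 = Device("AP1", tags={"Tag1": "HQ", "Tag2": "Floor1", "Tag3": "Bldg-A"})
AP2 = Device("AP2", tags={"Tag1": "HQ", "Tag2": "Floor2", "Tag3": "Bldg-B"})

# Captive web portal URL object chosen by Tag1 (placeholder URLs).
PORTAL_URLS = [
    Rule("https://portal.example.com/sfo", "tags", {"Tag1": "SFO"}),
    Rule("https://portal.example.com/sjc", "tags", {"Tag1": "SJC"}),
    Rule("https://portal.example.com/default", "global"),
]

if __name__ == "__main__":
    for dev in (AP_AREA1, AP_AREA2, AP_UNTAGGED):
        print(dev.hostname, "-> VLAN", classify(TEACHER_VLANS, dev))
    for dev in (AP1, AP2):
        print(dev.hostname, "Tag1 only:", classify(HQ_TAG1_ONLY, dev),
              "all tags:", classify(HQ_ALL_TAGS, dev))
```

The two HQ rule sets make the Tag Selection point concrete: the Tag1-only rule matches both APs, while the rule that still has Tag2 and Tag3 selected matches only the AP whose three tags all agree.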
LAB: Device Classification – LAB Goals
417
• Use device classification with VLAN objects to assign user VLANs
• Create a VLAN object with multiple VLANs
• Define device classification rules for the user VLANs
• Assign device classifier tags to an AP
• From the hosted PC test the wireless connectivity and verify the VLAN assignment
Lab: Use Classification Tags for User VLANs
418
[Figure: Network Policy School with SSIDs Teacher and Student and User Profiles Teacher and Student; Router connected to two L2 switches, Area1 (Tag: Area1) and Area2 (Tag: Area2); user VLANs 8, 16 and 10, 20]
Lab: Use Classification Tags for User VLANs – 1. Creating a new Network Policy
419
• Go to Configuration
• Click the New button
Lab: Use Classification Tags for User VLANs – 2. Building your Initial Wireless Network Policy
420
• Name: School-X
• Select: Wireless Access and Bonjour Gateway
• Click Create
Lab: Use Classification Tags for User VLANs – 3. Create a New SSID Profile
421
Network Configuration
• Next to SSIDs, click Choose
• Then click New
Lab: Use Classification Tags for User VLANs – 4. Configure a PSK Employee SSID
422
• SSID Profile: Teacher-X (X = 2 – 29, your Student ID)
• SSID: Teacher-X
• Select WPA/WPA2 PSK (Personal)
• Key Value: aerohive123
• Confirm Value: aerohive123
• Click Save
• Click OK
Lab: Use Classification Tags for User VLANs – 5. Create a User Profile
423
• To the right of your SSID, under User Profile, click Add/Remove
• In Choose User Profiles, click New
Lab: Use Classification Tags for User VLANs – 6. Define User Profile Settings
424
• Name: Teacher-X
• Attribute Number: 50
• Default VLAN: Select +
Lab: Use Classification Tags for User VLANs – 7. Create VLAN rules using device classifiers
425
• VLAN Name: Teacher-VLANS-X
• VLAN ID: 1
• Type: Global
• Click New
Lab: Use Classification Tags for User VLANs – 8. Create VLAN rules using device classifiers
426
• VLAN ID: 8
• Type: Device Tags
• Tag1: Area1
• Click Apply
Lab: Use Classification Tags for User VLANs – 9. Create VLAN rules using device classifiers
427
• VLAN ID: 10
• Type: Device Tags
• Tag1: Area2
• Click Apply
• Do NOT save yet
NOTE: In the Value column, (T) = True means the tag is used and (F) = False means the tag is not used.
Lab: Use Classification Tags for User VLANs – 10. Create VLAN rules using device classifiers
428
You can drag and drop the VLAN rules to change the order of priority
• Click on the Edit icon
You can edit or remove rules and view conflicts.
• Click Save
Lab: Use Classification Tags for User VLANs – 11. Save your user profile
429
• Click Save
• Verify your user profile is selected and click Save
Lab: Use Classification Tags for User VLANs – 12. Set Classification Tag on A-HiveAP
430
• Click Continue to navigate to Configure and Update Devices
Lab: Use Classification Tags for User VLANs – 13. Set Classification Tag on A-HiveAP
431
• Choose the None filter
• Check the box next to your AP X-A-######
• Click Modify
Lab: Use Classification Tags for User VLANs – 14. Assign Tag1 to your AP
432
Assign the device classifier tag to your access point
• Device Classification: select Tag1
• From the drop-down box select: Area1
• Click Save
Lab: Use Classification Tags for User VLANs – 15. Update the Configuration
433
• Select Update Devices
• Select Perform a complete configuration update for all selected devices
• Click Update
• Click OK in the Reboot Warning window
For this class, ALL updates from this point should be complete configuration updates unless otherwise directed.
Lab: Secure Guest Access with Private PSK – 16. Update the AP configuration
434
• Your new configuration will upload
• The AP will reboot
Lab: Use Classification Tags for User VLANs – 16. Connect your Wi-Fi client on the hosted PC
435
• Single-click the wireless icon in the bottom right corner of the Windows task bar
• Click your SSID: Teacher-X
• Click Connect
› Security Key: aerohive123
› Click OK
Lab: Use Classification Tags for User VLANs – 17. Verify the client VLAN
436
• Monitor > Clients > Wireless Clients
• Verify that your client is in VLAN 8
• Device classification using Tag1 worked!
Lab: Use Classification Tags for User VLANs – 18. Reset Classification Tag on A-HiveAP
437
• Choose the Current Policy filter
• Check the box next to your AP X-A-######
• Click Modify
Lab: Use Classification Tags for User VLANs – 19. Set Classification Tag on the Aerohive AP
438
Assign the device classifier tag to your access point
• In Tag1, from the drop-down box select: Area2
• Click Save
Lab: Use Classification Tags for User VLANs – 20. Update the configuration of your Aerohive AP
439
• Select Update Devices
• A complete upload is not needed this time
• Click Update
Lab: Use Classification Tags for User VLANs – 21. Delta Upload
440
• The Delta Configuration will upload
Lab: Use Classification Tags for User VLANs – 22. Disconnect and reconnect your Wi-Fi client
441
• Single-click the wireless icon in the bottom right corner of the Windows task bar
• Right-click your SSID: Teacher-X
• Click Disconnect
• Click your SSID: Teacher-X
• Click Connect
Lab: Use Classification Tags for User VLANs – 23. Verify the client VLAN
442
• Monitor > Clients > Wireless Clients
• Verify that your client is in VLAN 10
• Device classification using Tag2 worked!
QUESTIONS?
SECURE AND FAST ROAMING
444
Roaming Basics
445
Note: The decision when to roam is made by the client station, not the AP
[Figure: Roaming client station moving from AP #1 (BSSID #1) to AP #2 (BSSID #2); both APs share an 802.3 Ethernet backbone]
Layer 2 Roaming
446
• User associates and authenticates, and keys are distributed
• AP predictively pushes keys and session state to one-hop neighbors
• As the client roams and associates with another AP, traffic continues uninterrupted
[Figure: client roaming between two APs that authenticate against a RADIUS server]
Layer 3 Roaming
447
Like Layer 2 roaming, a Layer 3 roam predictively pushes keys to one-hop neighbors.
To maintain IP connectivity, a tunnel is created to the home subnet.
The tunnel continues to follow the roaming user until the sessions end; the tunnel is then terminated and the user accesses the local network.
[Figure: Subnet A and Subnet B joined by a router, with a GRE tunnel between the APs]
QUESTIONS?
AEROHIVE LAYER 3 ROAMING
449
Layer 3 Roaming – Detailed Explanation
450
Aerohive AP Layer 3 roaming information is advertised in beacons and can be heard by Aerohive APs in the same Hive.
Aerohive APs scan channels to locate Layer 3 roaming neighbors and then communicate with each other over the Ethernet network using UDP port 3000.
[Figure: Corp-Hive spanning Floor 1 (subnet 10.5.1.0/24, APs 10.5.1.11/24, 10.5.1.12/24, 10.5.1.13/24) and Floor 2 (subnet 10.6.1.0/24, APs 10.6.1.7/24, 10.6.1.8/24, 10.6.1.9/24). Beacon IE (encrypted): Hive: Corp-Hive, L3 roaming enabled, Mgt0 IP: 10.5.1.13/24; and Hive: Corp-Hive, L3 roaming enabled, Mgt0 IP: 10.6.1.7/24]
Layer 3 Roaming – Detailed Explanation
451
A neighboring AP sends the Aerohive AP's DA information to the neighboring subnets.
[Figure: same two-floor Corp-Hive topology. Send: DA for subnet 10.5.1.0/24 is 10.5.1.11; Receive: DA for subnet 10.5.1.0/24 is 10.5.1.11]
Layer 3 Roaming – Detailed Communication
452
Preparation for roaming: the APs contact the DA to learn which APs are the potential tunnel endpoints.
Aerohive APs preselect the best AP in each subnet to be a tunnel endpoint.
The tunnel is built only when a client eventually roams.
[Figure: same topology. Query DA: least loaded AP for subnet 10.5.1.0/24. DA sends: best tunnel endpoint for subnet 10.5.1.0/24 is 10.5.1.12. Received from DA: best tunnel endpoint for subnet 10.5.1.0/24 is 10.5.1.12]
Layer 3 Roaming – Detailed Communication
453
As clients arrive on the new subnet, the Aerohive AP uses an existing tunnel for the client or, if that tunnel is heavily loaded, creates a tunnel to another portal in the DNXP table.
The client's IP address is maintained.
[Figure: client u1 (10.5.10.33/24) first roams at Layer 2 within Floor 1, then at Layer 3 to Floor 2. Session state and PMK are pushed ahead of the client (Client Roaming Cache Update); the Floor 2 AP holds a DNXP L3 entry for 10.5.1.12 and builds a DNXP GRE tunnel back to it. Router interfaces: eth0.1 10.5.1.1 / eth0.2 10.5.10.1 on Floor 1 and eth0.1 10.6.1.1 / eth0.2 10.6.10.1 on Floor 2]
Layer 3 Roaming – Detailed Communication
454
[Figure: same topology. Client u1 keeps 10.5.10.33/24 after roaming to Floor 2; its traffic follows the DNXP GRE tunnel to the tunnel endpoint 10.5.1.12 (DNXP L3 entry), and session state and PMK are shared between the APs]
Layer 3 Roaming – Local Subnet Connection
455
Based on the number of packets per minute sent to and received by the client, the Aerohive AP can be configured to disable the tunnel and de-authenticate the client so that it reconnects and obtains an IP address from the local network.
[Figure: same topology. Client u1 is de-authenticated; its address changes from 10.5.10.33/24 to 10.6.10.95/24 on the local Floor 2 subnet and the DNXP GRE tunnel is no longer used]
QUESTIONS?
CONFIGURING DYNAMIC TUNNELING FOR LAYER 3 ROAMING
457
Lab: Enable Layer 3 Roaming – 1. Modify the Employee-X User Profile
458
To configure Layer 3 roaming for a user profile
• Go to Configuration
• Select your Network Policy: School-X and click OK
• Under User Profile, click Teacher-X
Lab: Enable Layer 3 Roaming – 2. In your user profile, create a tunnel policy
459
Layer 3 roaming is enabled per user profile by configuring a tunnel policy
• Go to Optional Settings
• Expand GRE Tunnels
• Select GRE tunnel for roaming or station isolation and
› Click +
Lab: Enable Layer 3 Roaming – 2. Configure Layer 3 Roaming Policy
460
Enable the ability to dynamically build tunnels for Layer 3 roaming
• Name: L3-Roaming-X
– Tunnel Settings –
• Select Enable Dynamic tunneling for Layer 3 Roaming
• Unroaming Threshold: 60 seconds
• Number of packets per minute: 2000
› Setting a value enables Unroaming
› Setting the value to 0 disables Unroaming
• Click Save
Note: The number of packets per minute to select varies based on the number of devices, types of devices, and applications running on your network. In my local network, for example, my idle PC sends and receives about 500 packets per minute. Running a voice call from a soft client, my PC sends and receives about 4000 packets per minute. So I have chosen to unroam if my PC does not receive 2000 packets per minute in a one-minute time frame, which means my tunnel should remain during a voice call or file transfer.
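The unroaming decision configured above (Unroaming Threshold in seconds, Number of packets per minute, 0 disables), as an added Python example rather than HiveOS code. It assumes the two settings combine like this: the client is unroamed once its combined sent-plus-received packet count stays below the packets-per-minute value for every whole minute covered by the unroaming threshold. The packet traces are constructed to mirror the note's figures (about 500 packets per minute idle, about 4000 during a voice call); the trace generator and the bin-based counting are mine, not a description of the HiveOS implementation.

```python
"""Added example (not HiveOS code): when does the unroaming check tear down a
Layer 3 roaming tunnel?  Assumption: the client is unroamed once its
sent-plus-received packet count is below the packets-per-minute threshold in
every whole minute of the unroaming threshold; a threshold of 0 disables it."""
from math import ceil
from typing import List, Sequence


def synthetic_trace(rate_per_minute: int, start_ms: int, end_ms: int) -> List[int]:
    """Constructed packet timestamps (ms), evenly spaced so that exactly
    rate_per_minute packets fall into each minute of the interval."""
    return list(range(start_ms, end_ms, 60_000 // rate_per_minute))


def per_minute_totals(packet_ms: Sequence[int], end_ms: int, minutes: int) -> List[int]:
    """Packets seen in each of the last `minutes` one-minute bins ending at
    end_ms, oldest bin first. Both directions are counted together."""
    bins = [0] * minutes
    start = end_ms - 60_000 * minutes
    for t in packet_ms:
        if start <= t < end_ms:
            bins[(t - start) // 60_000] += 1
    return bins


def should_unroam(packet_ms: Sequence[int], end_ms: int,
                  threshold_ppm: int, unroam_seconds: int) -> bool:
    """True when the AP should drop the tunnel and de-authenticate the client
    so it reconnects and takes an address from the local subnet."""
    if threshold_ppm <= 0:                       # 0 disables unroaming
        return False
    minutes = max(1, ceil(unroam_seconds / 60))  # whole minutes to stay quiet
    totals = per_minute_totals(packet_ms, end_ms, minutes)
    return all(count < threshold_ppm for count in totals)


# --- lab values and constructed traces ---
THRESHOLD_PPM = 2000
UNROAM_SECONDS = 60
NOW_MS = 180_000                                  # three minutes of history
IDLE_TRACE = synthetic_trace(500, 0, NOW_MS)      # idle PC, ~500 ppm
VOICE_TRACE = synthetic_trace(4000, 0, NOW_MS)    # soft-client call, ~4000 ppm
# call for two minutes, then idle for the last minute
MIXED_TRACE = synthetic_trace(4000, 0, 120_000) + synthetic_trace(500, 120_000, NOW_MS)

if __name__ == "__main__":
    for name, trace in (("idle", IDLE_TRACE), ("voice", VOICE_TRACE), ("mixed", MIXED_TRACE)):
        print(name, per_minute_totals(trace, NOW_MS, 3), "unroam:",
              should_unroam(trace, NOW_MS, THRESHOLD_PPM, UNROAM_SECONDS))
```

The mixed trace shows why the unroaming threshold matters: with 60 seconds the last quiet minute is enough to unroam, while with 120 seconds the busy minute before it keeps the tunnel up.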
Lab: Enable Layer 3 Roaming – 3. Save user profile with L3 Roaming Policy
461
• Verify your L3-Roaming-X Policy is set
• Click Save
• Save your Network Policy
Testing Layer 3 Roaming – In Hosted Training Data Center
462
• Unfortunately we cannot test Layer 3 roaming in the hosted data center because
› The Aerohive APs are hard wired via coax to their clients
› The power level of the Aerohive APs has been set to 1 dBm so the clients can connect to their SSIDs. If the power is not set to 1 dBm, it is too high for the clients that are connected via coax
» Because the power is low and the rest of the RF connections are terminated, testing in the remote lab is not possible
• If the instructor has time and the equipment, they can demonstrate Layer 3 roaming locally in class
QUESTIONS?
LAYER 3 ROAMING TROUBLESHOOTING
464
Layer 3 Roaming Troubleshooting – What if the APs cannot hear each other?
465
Aerohive AP Layer 3 roaming information is advertised in beacons and can be heard by Aerohive APs in the same Hive.
How will Layer 3 roaming work if APs cannot hear Layer 3 neighbors?
[Figure: same two-floor Corp-Hive topology (APs 10.5.1.11-13/24 and 10.6.1.7-9/24); beacon IEs (encrypted) with Hive: Corp-Hive, L3 roaming enabled, Mgt0 IP: 10.5.1.13/24 and Mgt0 IP: 10.6.1.7/24; the APs cannot hear each other ("I can't hear you!")]
Layer 3 Roaming Troubleshooting – View Roaming Neighbors
466
• To see if Layer 3 neighbors are being discovered, go to Monitor > Access Points > Aerohive AP
• Select the Aerohive AP and go to Utilities > Diagnostics > Show DNXP Neighbors
› You can view the Aerohive AP's Layer 2 and Layer 3 roaming neighbors
› View the State column to see L3 and L2 neighbors
NOTE: It may take a few minutes to gather neighbor information during background scans, and you may not see your own neighbor AP in this hosted training rack, but you should see some neighbors.
Layer 3 Roaming Troubleshooting – Create Static Neighbor Relationships
467
• Monitor > Access Points > Aerohive AP
• Select the Aerohive AP and click Modify
• From Optional Settings, expand Roaming Threshold
› Select any APs that need to be static L3 neighbors
› Use the > button to move the APs to the right column
NOTE: This setting only takes effect when the APs function as portals and Layer 3 roaming is enabled.
Layer 3 Roaming Troubleshooting – View active tunnels
468
Select the check box next to your Aerohive AP, then select Utilities > Diagnostics > Show DNXP Cache.
If a client is connected to the Aerohive AP, you can view the information that is being sent to the neighboring Aerohive APs.
The Tunnel-end is the Aerohive AP that will be the tunnel endpoint for DNXP after the client roams across subnet boundaries.
The output shows the MAC address of the client and its tunnel endpoint after roaming.
VOICE ENTERPRISE – Standardized Fast Secure Roaming
469
• The fast and secure roaming mechanism that most vendors have supported for many years is Opportunistic Key Caching (OKC)
• OKC has been a "de facto" roaming standard but not an official standard. Many devices do not support OKC, including Apple iOS devices prior to iOS 6.0
• Voice Enterprise is the Wi-Fi Alliance certification based on the IEEE 802.11r fast secure roaming standard
[Figure: client roaming between two APs that authenticate against a RADIUS server]
Note: So far 13 vendor APs have been certified for Voice Enterprise. 4 of those APs are Aerohive APs: AP121, AP141, AP330, AP350
VOICE ENTERPRISE – Standardized Fast Secure Roaming
470
To enable Voice Enterprise, go to:
• SSID profile > Advanced > Optional Settings
• Check Enable Voice Enterprise
• As of today, not many client devices support Voice Enterprise
• VoWiFi vendors are the most likely to support it first
Voice Enterprise mechanisms are supposed to be backward compatible with older devices. However, the drivers of older client devices may have trouble associating to an SSID with Voice Enterprise enabled. Therefore, a separate SSID only for newer devices that support 802.11r and Voice Enterprise might be required.
iOS Devices and Fast Secure Roaming
471
• iOS 6.0 and iOS 7.0 devices support 802.11r fast secure roaming mechanisms
• Older iOS devices do not support 802.11r and do not support OKC
iPhones and iPads running iOS 5.0 and older never supported Opportunistic Key Caching (OKC). These devices work fine with 802.1X/EAP but have to re-authenticate every time they roam. If time-sensitive applications such as video streaming or FaceTime are being used, performance will be interrupted. To provide fast secure roaming for these devices, use Private PSK (PPSK).
QUESTIONS?
Identity-based Tunnels
USING GRE TUNNELS TO TUNNEL GUEST TRAFFIC TO A SECURE DMZ
473
Identity-Based Tunnels
474
• With Identity-Based Tunnels, client traffic can be tunneled directly to one or more HiveOS Virtual Appliances within a firewalled DMZ with access to the Internet
› The client in the internal network is assigned a VLAN and an IP address from the tunnel destination
› All client traffic is then tunneled to one or more HiveOS Virtual Appliances in the DMZ
› Traffic from clients is not permitted on the local network
• This is typically used in environments where VLANs are not supported at the access layer
Note: Unlike IPsec, which supports NAT traversal, GRE tunnels cannot be NATed because GRE does not have port numbers
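Why the note above says GRE cannot be NATed while IPsec can: an added Python example, not Aerohive code, that builds and parses a constructed IPv4/GRE packet next to a constructed IPv4/UDP packet and shows that the GRE header carries no port pair for a port-based NAT to rewrite or to tell inside hosts apart. The tunnel destination 10.200.2.5 is a placeholder inside the slide's 10.200.2.X range, the UDP sample reuses the UDP port 3000 mentioned on the roaming slides, and GRE protocol type 0x6558 (Transparent Ethernet Bridging) is assumed for an Ethernet frame carried in the tunnel.

```python
"""Added example (not Aerohive code): parse constructed IPv4/GRE and IPv4/UDP
packets to show why a port-based NAT (PAT) has nothing to rewrite in GRE."""
import struct
from ipaddress import IPv4Address
from typing import Dict, Optional

IPPROTO_UDP = 17
IPPROTO_GRE = 47
IPV4_FMT = "!BBHHHBBH4s4s"      # 20-byte IPv4 header without options


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 header checksum; returns 0 when run over a header whose
    checksum field is already correct."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    fields = [0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
              IPv4Address(src).packed, IPv4Address(dst).packed]
    fields[7] = ipv4_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields) + payload


def build_gre(protocol_type: int, inner: bytes, key: Optional[int] = None) -> bytes:
    """RFC 2784/2890 GRE header: flags/version, protocol type, optional key."""
    flags = 0x2000 if key is not None else 0          # K bit
    hdr = struct.pack("!HH", flags, protocol_type)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr + inner


def _need(buf: bytes, n: int, what: str) -> None:
    if len(buf) < n:
        raise ValueError(f"truncated {what}")


def parse_ipv4(pkt: bytes) -> Dict:
    _need(pkt, 20, "IPv4 header")
    ver_ihl, _tos, _len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    _need(pkt, ihl, "IPv4 options")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:]}


def parse_transport(ip: Dict) -> Dict:
    """What a NAT sees above IP: a port pair for UDP, only GRE fields for GRE."""
    p = ip["payload"]
    if ip["proto"] == IPPROTO_UDP:
        _need(p, 8, "UDP header")
        sport, dport, _length, _csum = struct.unpack("!HHHH", p[:8])
        return {"transport": "UDP", "sport": sport, "dport": dport, "has_ports": True}
    if ip["proto"] == IPPROTO_GRE:
        _need(p, 4, "GRE header")
        flags_ver, ptype = struct.unpack("!HH", p[:4])
        info = {"transport": "GRE", "has_ports": False,
                "version": flags_ver & 0x7, "protocol_type": ptype}
        off = 4
        if flags_ver & 0x8000:            # C bit: checksum + reserved1
            off += 4
        if flags_ver & 0x2000:            # K bit: key (a tunnel id, not a port)
            _need(p, off + 4, "GRE key")
            info["key"] = struct.unpack("!I", p[off:off + 4])[0]
            off += 4
        if flags_ver & 0x1000:            # S bit: sequence number
            _need(p, off + 4, "GRE sequence")
            info["seq"] = struct.unpack("!I", p[off:off + 4])[0]
            off += 4
        info["inner"] = p[off:]
        return info
    return {"transport": f"ip-proto-{ip['proto']}", "has_ports": False}


def port_nat_can_translate(pkt: bytes) -> bool:
    """A port-based NAT needs a source/destination port pair to rewrite and to
    distinguish inside hosts behind one public address; GRE offers none."""
    return parse_transport(parse_ipv4(pkt))["has_ports"]


# --- constructed samples; 10.200.2.5 is a placeholder in the slide's 10.200.2.X range ---
ETH_FRAME = bytes(14) + b"inner-frame"          # stand-in for a bridged Ethernet frame
GRE_PKT = build_ipv4(IPPROTO_GRE, "10.5.1.11", "10.200.2.5", build_gre(0x6558, ETH_FRAME))
UDP_PKT = build_ipv4(IPPROTO_UDP, "10.5.1.11", "10.6.1.7",
                     struct.pack("!HHHH", 3000, 3000, 8 + 5, 0) + b"hello")

if __name__ == "__main__":
    for name, pkt in (("GRE", GRE_PKT), ("UDP", UDP_PKT)):
        print(name, parse_transport(parse_ipv4(pkt)), "PAT-translatable:", port_nat_can_translate(pkt))
```

The optional GRE key is the closest thing to a demultiplexer in the header, and it is a tunnel identifier set by the endpoints rather than a field a port-based NAT rewrites, which is why the tunnel source and destination in the lab are reachable addresses without NAT in between.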
Identity-Based Tunnels LAB – Using Tag On DMZ VLAN
475
[Figure: lab topology. A guest client on the Internal Network associates to the AP; a GRE tunnel (10.5.2.N to 10.200.2.X) carries its traffic to the Tunnel Destination in the DMZ Network, which has Internet access. The router has interfaces 10.200.2.1 and 10.5.2.1.]
Access point (Tunnel Source)
• Hostname: X-A-000000
• Interface mgt0: 10.5.1.N/24 VLAN 1
• WLAN Policy: WLAN-X
HiveOS Virtual Appliance (Tunnel Destination)
• Hostname: X-HiveOS VA
• Interface mgt0: 10.200.2.X/24 VLAN 1
• WLAN Policy: WLAN-X
• DHCP Settings for VLAN 1: network 10.200.2.0/24, IP range 10.200.2.100 to 10.200.2.199
WLAN Policy: WLAN-0X
• Hive: Class-X
• Tunnel Policy: GRE-Tunnel-X
• Tunnel Settings: Enable static identity-based-tunnel
• Tunnel Destination: IP Range Start: 10.200.2.X End: 10.200.2.X
• Tunnel Source: 10.5.1.0/24 and 10.5.2.0/24
• Tunnel Password: <random generated>
• MGT0 VLAN: 1
• Native VLAN: 1
SSID
• SSID: Class-Guest-X
• Captive Web Portal: CWP-Tunnel-X
• Registration Type: Use-Policy-Accept
• User Profile: Role-Tunnel(200)
• Attribute: 200
• VLAN: 1
• Tunnel Policy: GRE-Tunnel-X
Guest client
• SSID: Class-GRE-X
• IP: 10.200.2.N/24
• Gateway: 10.200.2.1
Lab: Use SSID to Tunnel Guest Traffic to DMZ – 1. Create a New SSID
476
• Go to Configuration
• Select your Network Policy: WLAN-X and click OK
• Next to SSIDs, click Choose
• Click New
Lab: Use SSID to Tunnel Guest Traffic to DMZ – 2. Configure an SSID for GRE tunneling
477
• Profile Name: Class-GRE-X
• SSID: Class-GRE-X
• Under SSID Access Security, select WPA/WPA2 PSK (Personal)
• Key Value & Confirm Value: aerohive123
• Check Enable Captive Web Portal
• Click Save
Lab: Use SSID to Tunnel Guest Traffic to DMZ – 3. Select new Class-GRE SSID
478
• Ensure the Class-GRE-X SSID is selected (highlighted)
• Click to deselect all other SSID profiles
• Click OK
Lab: Use SSID to Tunnel Guest Traffic to DMZ – 4. Create a Use Policy Captive Web Portal
479
• Under Authentication, click <CWP>
• In Choose CWP, click New
Lab: Use SSID to Tunnel Guest Traffic to DMZ – 5. Configure Use Policy Captive Web Portal
480
• Name: CWP-Guest-X
• Registration Type: Use Policy Acceptance
Do not save yet...
Optional: Click here to customize the use policy page. If you customize the use policy, you can enter or modify the text directly in the text box.
Lab: Use SSID to Tunnel Guest Traffic to DMZ – 6. Configure Use Policy Captive Web Portal
481
• Expand Captive Web Portal Success Page Settings
• Select the option to Redirect to the initially requested page, or Redirect to an external page and enter a URL
• Click Save
Lab: Use SSID to Tunnel Guest Traffic to DMZ – 7. Assign CWP and Configure SSID
482
• Under User Profile, click Add/Remove
• Click New
Lab: Use SSID to Tunnel Guest Traffic to DMZ – 9. Create a user profile to tunnel traffic
483
Define a user profile to tunnel traffic to an AP in the DMZ
• Name: GRE-Users-X
• Attribute Number: 100
• Default VLAN: 1
• Expand GRE Tunnels
• Select GRE tunnel for roaming or station isolation
• Click + to create a GRE tunnel policy
Note: This VLAN is encapsulated inside the GRE tunnel and sent to the tunnel destination, where the VLAN must exist.
Lab: Use SSID to Tunnel Guest Traffic to DMZ – 10. Create a user profile to tunnel traffic
484
Configure the tunnel information for both sides of the tunnel in this policy
• Name: GRE-X
• Select Enable Static Identity-Based Tunnels
– Tunnel Destination –
• IP Address: 10.200.2.X
Note: You can specify a range of consecutive HiveAPs if you have multiple HiveAPs at the tunnel destination for redundancy and load sharing.
– Tunnel Source IPs or Subnets –
• Under Available IP Addresses
› Select 10.5.2.0/24 and 10.5.1.0/24 and click the > button
• Tunnel Authentication
› Click Generate
• Click Save
Lab: Use SSID to Tunnel Guest Traffic to DMZ – 11. Save the User Profile
485
Back in the user profile
• Ensure Tunnel Policy is set to: GRE-X
• Click Save
Note: If you do configure firewall policies, be aware that they are applied before your traffic is tunneled to the destination HiveAP. Also note that the IP address of your client will be from the remote network at the tunnel destination.
Lab: Use SSID to Tunnel Guest Traffic to DMZ – 12. Save the User Profile
486
• Ensure the GRE-Users-X user profile is selected (highlighted)
• Click Save
Note: When a client associates with this SSID and completes the registration process, its traffic is tunneled to the destination HiveAP specified by the tunnel policy in the user profile. If a client associates with this SSID on the tunnel endpoint itself, the traffic is forwarded without tunneling.
Lab: Use SSID to Tunnel Guest Traffic to DMZ – 13. Verify settings and continue to configure devices
487
• Verify the settings
• Click Continue
Lab: Use SSID to Tunnel Guest Traffic to DMZ – 14. Modify your AP
488
• Choose the None filter
• Click the link for your X-A-###### access point
Lab: Use SSID to Tunnel Guest Traffic to DMZ – 15. Modify your AP – Change Management VLAN
489
• Optional Settings
• Expand MGT0 Interface Settings: DHCP Client without Fallback
• DHCP Timeout: 20
Lab: Use SSID to Tunnel Guest Traffic to DMZ – 16. Modify your AP – Change Management VLAN
490
• Optional Settings
• Expand Advanced Settings
• Uncheck ☐ Override MGT VLAN
• Click: Save
The Management VLAN will default back to VLAN 1
Lab: Use SSID to Tunnel Guest Traffic to DMZ – 19. Update the configuration of your devices
491
In the Configure & Update Devices section
• Check the box next to your AP: X-A-######
• Check the box next to your VA: HiveOS-VA-0X
Lab: Use SSID to Tunnel Guest Traffic to DMZ – 20. Update the configuration of your devices
492
• Select Update Devices
• Select Perform a complete configuration update for all selected devices
• Click Update
• Click OK in the Reboot Warning window
For this class, ALL updates should be complete configuration updates unless otherwise directed
To Update GRE-Tunnel and DHCP Server Configuration
TEST GUEST GRE TUNNEL ACCESS
493
LAB: Guest GRE Tunnel – 1. Connect to your Class-GRE-X SSID
494
• On your remote hosted PC, connect to the SSID: Class-GRE-X
• Passphrase/Network Key: aerohive123
LAB: Guest GRE Tunnel – 3. Agree to Acceptable Use Policy
496
• Open a web browser and browse to a web site, for example http://www.aerohive.com
• A captive web portal page will be displayed
• Fill out the web registration form
• Click Accept to agree to the Acceptable Use Policy
LAB: Guest GRE Tunnel – 4. Verify Access To Internet
497
• Once the login is successful, you can access the network
• After a moment, you should automatically be redirected to the web page you initially requested or to the URL you specified in the captive web portal
LAB: Guest GRE Tunnel – 5. Verify DMZ VLAN and Client IP address
498
• Monitor > Clients > Wireless Clients
• The Guest client should have a 10.200.2.X address
• User Profile Attribute: 100
• VLAN: 1
LAB: Guest GRE Tunnel – 6. View GRE Tunnel Information
499
• From Monitor > All Devices
• Check the box next to your AP: X-A-######
• Click Utilities > Diagnostics > Show GRE Tunnel
• Verify the static GRE tunnel
QUESTIONS?
THANK YOU
501