acwp aerohive configuration guide

Post on 18-Dec-2014

TRANSCRIPT

Page 1: Acwp Aerohive configuration guide

© 2014 Aerohive Networks Inc.

Instructor-led Training

AEROHIVE CERTIFIED WIRELESS PROFESSIONAL

(ACWP)

Page 2: Acwp Aerohive configuration guide

Welcome

• Introductions

• Facilities Discussion

• Course Overview

• Extra Training Resources

• Questions

Page 3: Acwp Aerohive configuration guide

Introductions

• What is your name?

• What is your organization's name?

• How long have you worked in Wi-Fi?

•Are you currently using Aerohive?

Page 4: Acwp Aerohive configuration guide


Facilities Discussion

• Course Material Distribution

• Course Times

• Restrooms

• Break room

• Smoking Area

• Break Schedule
› Morning Break
› Lunch Break
› Afternoon Break

Page 5: Acwp Aerohive configuration guide

Aerohive Advanced WLAN Configuration (ACWP) – Course Overview

Each student connects to HiveManager, a remote PC, and an Aerohive AP over the Internet from their wireless-enabled laptop in the classroom, and then performs hands-on labs that cover the following topics:

• 802.1X/EAP architecture overview
• 802.1X with external RADIUS
• RADIUS attributes for user profile assignment
• Using Client Monitor to troubleshoot 802.1X/EAP
• HiveManager Certificate Authority
• Aerohive devices as RADIUS servers that integrate with LDAP
• Client Management – Device on-boarding using 802.1X
• Client Management – Device on-boarding using PPSK
• Layer 2 IPsec VPN client and VPN servers
• Device classification
• Layer 3 roaming configuration and troubleshooting
• Guest Management using GRE tunneling to a DMZ

2-day hands-on class

Page 6: Acwp Aerohive configuration guide


Aerohive CBT Learning

http://www.aerohive.com/cbt

Page 7: Acwp Aerohive configuration guide

Aerohive Education on YouTube

http://www.youtube.com/playlist?list=PLqSW15RTj6DtEbdPCGIm0Kigvrscbj-Vz

Learn the basics of Wi-Fi and more….

Page 8: Acwp Aerohive configuration guide

The 20 Minute Getting Started Video Explains the Details

Please view the Aerohive Getting Started Videos:

http://www.aerohive.com/330000/docs/help/english/cbt/Start.htm

Page 9: Acwp Aerohive configuration guide


Aerohive Technical Documentation

All the latest technical documentation is available for download at:

http://www.aerohive.com/techdocs

Page 10: Acwp Aerohive configuration guide


Aerohive Instructor Led Training

• Aerohive Education Services offers a complete curriculum that provides you with the courses you will need as a customer or partner to properly design, deploy, administer, and troubleshoot all Aerohive WLAN solutions.

• Aerohive Certified WLAN Administrator (ACWA) – First-level course

• Aerohive Certified WLAN Professional (ACWP) – Second-level course

• Aerohive Certified Network Professional (ACNP) – Switching/Routing course

• www.aerohive.com/training – Aerohive Class Schedule

Page 11: Acwp Aerohive configuration guide


Over 20 books about networking have been written by Aerohive employees, including:

• CWNA Certified Wireless Network Administrator Official Study Guide by David D. Coleman and David A. Westcott

• CWSP Certified Wireless Security Professional Official Study Guide by David D. Coleman, David A. Westcott, Bryan E. Harkins and Shawn M. Jackman

• CWAP Certified Wireless Analysis Professional Official Study Guide by David D. Coleman, David A. Westcott, Ben Miller and Peter MacKenzie

• 802.11 Wireless Networks: The Definitive Guide, Second Edition by Matthew Gast

• 802.11n: A Survival Guide by Matthew Gast

• 802.11ac: A Survival Guide by Matthew Gast

Page 12: Acwp Aerohive configuration guide

Aerohive Exams and Certifications

• Aerohive Certified Wireless Administrator (ACWA) is a first-level certification that validates your knowledge and understanding of Aerohive Networks' WLAN Cooperative Control Architecture. (Based upon Instructor Led Course)

• Aerohive Certified Wireless Professional (ACWP) is the second-level certification that validates your knowledge and understanding about Aerohive advanced configuration and troubleshooting. (Based upon Instructor Led Course)

• Aerohive Certified Network Professional (ACNP) is another second-level certification that validates your knowledge about Aerohive switching and branch routing. (Based upon Instructor Led Course)

Page 13: Acwp Aerohive configuration guide

Aerohive Forums

• Aerohive's online community – HiveNation
Have a question, an idea or praise you want to share? Join the HiveNation Community, a place where customers, evaluators, thought leaders and students like yourselves can learn about Aerohive and our products while engaging with like-minded individuals.

• Please take a moment and register during class if you are not already a member of HiveNation. Go to http://community.aerohive.com/aerohive and sign up!

Page 14: Acwp Aerohive configuration guide


Aerohive Social Media

The HiveMind Blog: http://blogs.aerohive.com

Follow us on Twitter: @Aerohive

Instructor: David Coleman: @mistermultipath
Instructor: Bryan Harkins: @80211University
Instructor: Gregor Vucajnk: @GregorVucajnk
Instructor: Metka Dragos: @MetkaDragos

Please feel free to tweet about #Aerohive training during class.

Page 15: Acwp Aerohive configuration guide

Aerohive Technical Support – General

How do I buy Technical Support?

Support Contracts are sold on a yearly basis, with discounts for multi-year purchases. Customers can purchase Support in either 8x5 format or in a 24 hour format.

I want to talk to somebody live.

Call us at 408-510-6100 / Option 2. We also provide service toll-free from within the US & Canada by dialing (866) 365-9918. Aerohive has Support Engineers in the US, China, and the UK, providing coverage 24 hours a day.

I have different expiration dates on several Entitlement keys; may I combine all my support so it all expires on the same date?

Your Aerohive Sales Rep can help you set up Co-Term, which allows you to select matching expiration dates for all your support.

Page 16: Acwp Aerohive configuration guide

Aerohive Technical Support – The Americas

How do I reach Technical Support?

Aerohive Technical Support is available 24 hours a day, via the Aerohive Support Portal or by phone. On the Support Portal, an authorized customer can open a Support Case. Communication is managed via the portal with new messages and replies. Once the issue is resolved, the case is closed, and can be retrieved at any time in the future.

I want to talk to somebody live.

For those who wish to speak with an engineer, call us at 408-510-6100 / Option 2. We also provide service toll-free from within the US & Canada by dialing (866) 365-9918.

I need an RMA in The Americas

An RMA is generated via the Support Portal, or by calling our Technical Support group. After troubleshooting, should the unit require repair, we will overnight* a replacement to the US and Canada; other countries are handled as international RMAs. If the unit is DOA, it is replaced with a brand new item; if not, it is replaced with a like-new refurbished item.

*Restrictions may apply: time of day, location, etc.

Page 17: Acwp Aerohive configuration guide

Aerohive Technical Support – International

How do I get Technical Support outside The Americas?

Aerohive international Partners provide dedicated Technical Support to their customers. The Partner has received specialized training on Aerohive Networks' product line, and has access to 24 hour internal Aerohive Technical Support via the Support Portal, or by calling 408-510-6100 / Option 2.

I need an RMA internationally

International customers' defective units are quickly replaced by our Partners, and Aerohive replaces the Partner's stock once the defective unit arrives at our location. Partners are responsible for all shipping charges, duties, taxes, etc.

Page 18: Acwp Aerohive configuration guide

Copyright Notice

Copyright © 2014 Aerohive Networks, Inc. All rights reserved.

Aerohive Networks, the Aerohive Networks logo, HiveOS, Aerohive AP, HiveManager, and GuestManager are trademarks of Aerohive Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies.

Page 19: Acwp Aerohive configuration guide


QUESTIONS?

Page 20: Acwp Aerohive configuration guide

CLASSROOM & DATA CENTER

• Classroom SSID

• Data Center setup

Page 21: Acwp Aerohive configuration guide

Lab: Get Connected
1. Connect to class WLAN

• Please connect to the SSID: aerohive-class

• Network Key: aerohive123

Classroom diagram (summary of the slide graphic):

• Class SSID: Class-SSID; security: WPA/WPA2 Personal (PSK); network key: aerohive123

• WLAN Policy: WLAN-Classroom; guest client on VLAN 1

• Classroom AP Mgt0 IP: 10.5.1.N/24 on VLAN 1

• Client connects to Class-SSID and receives IP 10.5.1.N/24, gateway 10.5.1.1

• Instructor PC and Internet uplink on the same network

Page 22: Acwp Aerohive configuration guide

Aerohive Training Remote Lab

• Aerohive access points using external antenna connections and RF cables to connect to USB Wi-Fi client cards (black cables)

• Access points are connected from eth0 to Aerohive managed switches with 802.1Q VLAN trunk support, providing PoE to the APs (yellow cables)

• Firewall with routing support, NAT, and multiple virtual router instances

• Access points are connected from their console port to a console server (white cables)

• Console server to permit SSH access into the serial console of Aerohive access points

• Server running VMware ESXi, running Active Directory and RADIUS (NPS) and hosting the virtual clients used for testing configurations to support the labs

Page 23: Acwp Aerohive configuration guide

Network Layout for Data Center

Summary of the slide graphic:

• L3 switch/router/firewall: eth0 10.5.1.1/24 (VLAN 1), eth0.1 10.5.2.1/24 (VLAN 2), eth0.2 10.5.8.1/24 (VLAN 8), eth0.3 10.5.10.1/24 (VLAN 10), eth1 10.6.1.1/24 (DMZ)

• L2 switch: native VLAN 1

• HiveManager: MGT 10.5.1.20/24

• Win2008 AD server: MGT 10.5.1.10/24 (services for the hosted class: RADIUS (NPS), DNS, DHCP)

• Linux server: MGT 10.6.1.150/24 (services for the hosted class: web server, FTP server)

• Terminal server: 10.5.1.5/24

• 14 Aerohive AP 340s, numbered X = 2, 3, … N. Common settings: default gateway none; MGT0 on VLAN 2 (10.5.2.*/24, no gateway); native VLAN 1; LAN ports connected to the L2 switch with 802.1Q VLAN trunks

• 14 client PCs for wireless access, numbered X = 2, 3, … N. Ethernet: 10.5.1.20N/24, no gateway (10.5.1.202, 10.5.1.203, …). Wireless: 10.5.V.X/24 with gateway 10.5.V.1, where V is the VLAN assigned to the client (for VLAN 10: 10.5.10.X/24, gateway 10.5.10.1)

Page 24: Acwp Aerohive configuration guide


QUESTIONS?

Page 25: Acwp Aerohive configuration guide

Get Connected to HiveManager

AEROHIVE ENTERPRISE MODE

Page 26: Acwp Aerohive configuration guide

Connect to the Hosted Training HiveManager

• Securely browse to the assigned HiveManager for class

› TRAINING LAB 1: https://training-hm1.aerohive.com (https://72.20.106.120)

› TRAINING LAB 2: https://training-hm2.aerohive.com (https://72.20.106.66)

› TRAINING LAB 3: https://training-hm3.aerohive.com (https://209.128.124.220)

› TRAINING LAB 4: https://training-hm4.aerohive.com (https://203.214.188.200)

› TRAINING LAB 5: https://training-hm5.aerohive.com (https://209.128.124.230)

• Supported Browsers:
› Firefox, Internet Explorer, Chrome, Safari

• Class Login Credentials:
› Login: adminX (X = Student ID 2 – 29)
› Password: aerohive123

NOTE: In order to access the HiveManager, someone at your location needs to enter the training firewall credentials given to them by the instructor first.

Page 27: Acwp Aerohive configuration guide

LAB: Setting Up a Wireless Network
LAB Goals

• Connect to HiveManager to create a simple Network Policy with static PSK security.

• Define Static IP addresses for the student access point and VPN gateway.

• Update the devices

• Connect to the hosted PC and test the wireless connectivity.

• Each student creates a client monitor for future troubleshooting.

• Proceed to the advanced labs.

Page 28: Acwp Aerohive configuration guide

Lab: Setting Up a Wireless Network
1. Creating a new Network Policy

• Go to Configuration

• Click the New Button

Page 29: Acwp Aerohive configuration guide

Lab: Setting Up a Wireless Network
2. Building your Initial Wireless Network Policy

• Name: WLAN-X

• Select: Wireless Access and Bonjour Gateway

• Click Create

Only the Wireless Access and Bonjour Gateway Profiles are used in this class. Switching and Branch Routing are covered in another course. For information about that class visit: http://aerohive.com/support/technical-training/training-schedule for dates and registration.

Page 30: Acwp Aerohive configuration guide

Network Policy Types

• Wireless Access – Use when you have an AP-only deployment, or you require specific wireless policies for APs in a mixed AP and router deployment

• Branch Routing – Use when you are managing routers, or APs behind routers that do not require different Network Policies than the router they connect through

Diagram: a BR100 at a small branch office or teleworker site, and a BR200 at a small to medium size branch office that may have APs behind the router (mesh AP, PoE, Internet uplink, 3G/4G LTE).

Page 31: Acwp Aerohive configuration guide

Network Policy Types

• Switching
› Used to manage wired traffic using Aerohive switches

• Bonjour Gateway
› Recommended to deploy a Bonjour Gateway in 3rd party networks
› Bonjour Gateway lab later in class

Diagram: an SR2024 switch providing PoE to APs, with Internet and 3G/4G LTE uplinks.

Page 32: Acwp Aerohive configuration guide

Lab: Setting Up a Wireless Network
3. Create a New SSID Profile

Network Configuration

• Next to SSIDs click Choose

• Then click New

Page 33: Acwp Aerohive configuration guide

Lab: Setting Up a Wireless Network
4. Configure a PSK Employee SSID

• SSID Profile: Class-PSK-X (X = 2 – 29, Student ID)

• SSID: Class-PSK-X

• Select WPA/WPA2 PSK (Personal)

• Key Value: aerohive123

• Confirm Value: aerohive123

• Click Save

• Click OK

IMPORTANT: For the SSID labs, please follow the class naming convention.

Page 34: Acwp Aerohive configuration guide

Lab: Setting Up a Wireless Network
5. Create a User Profile

• To the right of your SSID, under User Profile, click Add/Remove

• In Choose User Profiles Click New

Page 35: Acwp Aerohive configuration guide

Lab: Setting Up a Wireless Network
6. Define User Profile Settings

• Name: Employee-X

• Attribute Number: 10

• Network or VLAN-only Assignment: 10

• Click Save

Page 36: Acwp Aerohive configuration guide

Lab: Setting Up a Wireless Network
7. Choose User Profile and Continue

• Ensure the Employee-X User Profile is highlighted

• Click Save

Page 37: Acwp Aerohive configuration guide

Lab: Setting Up a Wireless Network
8. Save the Network Policy

• Click the Configure & Update Devices bar or click the Continue button

Note: The Save button saves your Network Policy. The Continue Button saves your Network Policy and allows you to proceed to the Configure and Update Devices area simultaneously.

Page 38: Acwp Aerohive configuration guide

Hosted Training Lab
Network IP Summary

Summary of the slide graphic:

• WLAN Branch Office – Aerohive AP VPN clients: AP X-A-Aerohive, MGT0 10.5.2.# (# = address learned through DHCP), gateway 10.5.2.1; client PC behind the AP

• Firewall with NAT, public address 2.2.2.2; NAT rules map 1.2.1.X to 10.8.1.X

• WLAN HQ – L2 VPN Gateway / VPN servers: HiveOS-VA-0X, MGT0 10.200.2.X/24, gateway 10.200.2.1; RADIUS server 10.200.2.250

Page 39: Acwp Aerohive configuration guide

Lab: Setting Up a Wireless Network
9. Update the configuration of your Aerohive AP

From the Configure & Update Devices section, modify your AP specific settings:

• Display Filter: None

• Click the Name column to sort the APs

• Click the link for your 0X-A-######

Page 40: Acwp Aerohive configuration guide

Lab: Setting Up a Wireless Network
10. Update the configuration of your A-Aerohive AP

• Topology Map: Data Center_Class-Lab or Classroom

• Select your WLAN-X Network Policy

• Set the power levels:

› 2.4GHz(wifi0) Power: 1

› 5GHz(wifi1) Power: 1

• Do not click Save yet

VERY IMPORTANT: We need to leave the power set to 1dBm on both radios because the APs are stacked in a rack in the data center

Page 41: Acwp Aerohive configuration guide

Lab: Setting Up a Wireless Network
11. Configure Settings on Your A-Aerohive AP

Under Optional Settings

• Expand MGT0 interface settings
› Select Static IP
› IP Address: 10.5.2.X
› Netmask: 255.255.255.0
› Gateway: 10.5.2.1

• Do not Click Save yet

We are assigning the AP a static IP address because the AP will function as a RADIUS server in a later lab. Whenever Aerohive devices function as a server, they must have a static IP address. Best practice is to assign the device with the static IP address prior to configuring a Network Policy that requires an Aerohive device to function as a server.

Page 42: Acwp Aerohive configuration guide

Lab: Setting Up a Wireless Network
12. Configure Settings on Your A-Aerohive AP

Under Optional Settings

• Expand Advanced Settings
› Check Override MGT VLAN: 2

• Click Save

Page 43: Acwp Aerohive configuration guide

Lab: Setting Up a Wireless Network
13. Update the configuration of your HiveOS-VA

From the Configure & Update Devices section, modify your HiveOS-VA specific settings:

• Display Filter: None

• Click the Name column to sort the devices

• Click the link for your VA: HiveOS-VA-0X

Page 44: Acwp Aerohive configuration guide

Lab: Setting Up a Wireless Network
14. Update the configuration of your HiveOS-VA

• Set the Device Function to L2 VPN Gateway

• Select your WLAN-X Network Policy

• Expand MGT0 Interface Settings, and assign the VPN gateway a static IP address:
› MGT0 IP Address: 10.200.2.X
› Netmask: 255.255.255.0
› Gateway: 10.200.2.1

• Click Save

Page 45: Acwp Aerohive configuration guide

Lab: Setting Up a Wireless Network
15. Update the configuration of your AP & VA

In the Configure & Update Devices section:

• Click the Name column to sort the devices

• Check the box next to your AP: X-A-######

• Check the box next to your L2 VPN Gateway: HiveOS-VA-0X

Page 46: Acwp Aerohive configuration guide

Lab: Setting Up a Wireless Network
16. Update the configuration of AP & VA

• Select Update

• Update Devices

• Click Update

• Click OK in the Reboot Warning window

The first Update is automatically a complete update.

For this class, ALL subsequent Updates should be Complete configuration updates, unless directed otherwise.

Page 47: Acwp Aerohive configuration guide

Lab: Setting Up a Wireless Network
17. Update the configuration of AP & VA

• The devices will reboot

Page 48: Acwp Aerohive configuration guide

Lab: Setting Up a Wireless Network
18. Monitoring Devices

• Go to Monitor > Devices > All Devices for more detailed information and tools

› Set items per page

› Change column settings

› Turn off auto refresh if you want to make changes without interruption

› If Audit shows a red exclamation point, click it to see the difference between HiveManager and the device.

Page 49: Acwp Aerohive configuration guide


QUESTIONS?

Page 50: Acwp Aerohive configuration guide

TEST YOUR CONFIGURATION USING THE HOSTED PC

Page 51: Acwp Aerohive configuration guide

Lab: Test Hosted Client Access to SSID
Test SSID Access at Hosted Site

Summary of the slide graphic:

• SSID: Class-PSK-X; authentication: WPA or WPA2 Personal; encryption: TKIP or AES; preshared key: aerohive123

• User Profile 1: Employee(10)-X; attribute: 10; VLAN: 10; IP firewall: none; QoS: def-user-qos

• Hosted PC Student-0X on VLANs 1-20, reached with a VNC client (password: aerohive123)

• Student AP Mgt0 IP: 10.5.2.N/24 on VLAN 1; WLAN Policy: WLAN-X

• Internal network: AD server 10.5.1.10; DHCP settings (VLAN 10): network 10.5.10.0/24, range 10.5.10.140 – 10.5.10.240; Internet uplink

• Hosted PC connects to Class-PSK-X and receives IP 10.5.10.N/24, gateway 10.5.10.1

Page 52: Acwp Aerohive configuration guide

Lab: Test Hosted Client Access to SSID
1. For Windows: Use TightVNC client

• If you are using a Windows PC
› Use TightVNC
› TightVNC has good compression, so please use this for class instead of any other application

• Start TightVNC

› For Lab 1

› lab1-pcX.aerohive.com

› For Lab 2

› lab2-pcX.aerohive.com

› For Lab 3lab3-pcX.aerohive.com

› For Lab 4lab4-pcX.aerohive.com

› For Lab 5lab5-pc0X.aerohive.com

› Select Low-bandwidth connection

› Click Connect

› Password: aerohive123123

› Click OK

Page 53: Acwp Aerohive configuration guide

Lab: Test Hosted Client Access to SSID
2. For Mac: Use the RealVNC client

• If you are using a Mac
› RealVNC has good compression, so please use this for class instead of any other application

• Start RealVNC

› For Lab 1

› lab1-pcX.aerohive.com

› For Lab 2

› lab2-pcX.aerohive.com

› For Lab 3lab3-pcX.aerohive.com

› For Lab 4lab4-pcX.aerohive.com

› For Lab 5lab5-pc0X.aerohive.com

› Select Low-bandwidth connection

› Click Connect

› Password: aerohive123123

› Click OK

Page 54: Acwp Aerohive configuration guide

Lab: Test Hosted Client Access to SSID
3. In case the PCs are not logged in

If you are not automatically logged in to your PC:

• If you are using the web browser client
› Click the button to Send Ctrl-Alt-Del

• If you are using the TightVNC client
› Click to send a Ctrl-Alt-Del

• Login: AH-LAB\user

• Password: Aerohive1

• Click the right arrow to login

Page 55: Acwp Aerohive configuration guide

Lab: Test Hosted Client Access to SSID
4. Connect to Your Class-PSK-X SSID

• Single-click the wireless icon on the bottom right corner of the Windows task bar

• Click your SSID: Class-PSK-X

• Click Connect
› Security Key: aerohive123

› Click OK

Page 56: Acwp Aerohive configuration guide

Lab: Test Hosted Client Access to SSID
5. In case the PCs are not logged in

If you are not automatically logged in to your PC:

• If you are using the web browser client
› Click the button to Send Ctrl-Alt-Del

• If you are using the TightVNC client
› Click to send a Ctrl-Alt-Del

• Login: AH-LAB\user

• Password: Aerohive1

• Click the right arrow to login

Page 57: Acwp Aerohive configuration guide

Lab: Test Hosted Client Access to SSID
6. Go to the Windows 8 Desktop view

From the Windows 8 start screen, click on the Desktop icon

Page 58: Acwp Aerohive configuration guide

Lab: Test Hosted Client Access to SSID
7. Connect to Your Class-PSK-0X SSID

• Single-click the wireless icon on the bottom right corner of the Windows task bar

• Click your SSID: Class-PSK-X

• Click Connect
› Security Key: aerohive123

› Click Next

Page 59: Acwp Aerohive configuration guide

Lab: Test Hosted Client Access to SSID
8. View Active Clients List

• After associating with your SSID, you should see your connection in the active clients list in HiveManager
› Go to Monitor > Clients > Wireless Clients

• Your IP address should be from the 10.5.10.0/24 network

• VLAN: 10

Page 60: Acwp Aerohive configuration guide

Lab: Test Hosted Client Access to SSID
9. Add Additional Columns

• To change the layout of the columns in the Active Clients list, you can click the spreadsheet icon

• Select User Profile Attribute from the Available Columns list and click the right arrow

• With User Profile Attribute selected, click the Up button so that the column is moved after Host Name

• Click Save


Page 61: Acwp Aerohive configuration guide


QUESTIONS?

Page 62: Acwp Aerohive configuration guide

THE CLIENT MONITOR TOOL

Page 63: Acwp Aerohive configuration guide

Lab: Client Monitor
1. Select a client to monitor

• To start monitoring a client's connection state go to: Monitor > Clients > Active Clients

• Select the check box next to your client to monitor.
Note: If your client does not appear, you can skip this step for now

• Click Operation... > Client Monitor

• Click Add New Client

• For class, ensure your associated Aerohive AP is selected (do not select All)

• The MAC address of your client will be selected.
Note: You can manually enter the wireless client MAC address without delimiters

• Write down your client's MAC address.
Note: Remember the client MAC address for the next step in the lab.

• Click Add

Page 64: Acwp Aerohive configuration guide

Lab: Client Monitor
2. Start the client monitor

• Check Filter Probe
Note: This removes all the probe requests and responses you would otherwise see from clients and APs, so you can focus on protocol connectivity

• Click Start
Note: Your client will be monitored until you click Stop. You can leave this window, and if you go back to Operation... > Client Monitor, you will see the list of all clients being monitored

• You can expand the window by dragging the bottom right corner

• Select your client to see the connection logs for your client as they occur

Page 65: Acwp Aerohive configuration guide

Client Monitor Results

Throughout the labs, go to the client monitor for your PC to view the ongoing results

4-way handshake completes

Client is assigned IP address from DHCP
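The "4-way handshake completes" line is where a PSK SSID such as the Class-PSK-X network configured earlier proves possession of the key, and it is also the moment a passive listener gets everything needed to attack the key offline. The following is an added example, not code from the deck or from HiveOS: it derives the PMK and PTK the way WPA2-Personal does and checks the message 2 MIC once as the AP would and once as an offline dictionary attack would. The MAC addresses, nonces and EAPOL frame layout values are constructed for illustration; the SSID/passphrase pair is the lab value.

```python
"""WPA2-Personal key derivation and 4-way handshake MIC check (added example).

Constructed inputs: made-up MAC addresses and nonces; the SSID and passphrase
are the lab values from the slides. Nothing here is captured from the lab.
"""
import hashlib
import hmac

SSID = "Class-PSK-2"
PASSPHRASE = "aerohive123"
AP_MAC = bytes.fromhex("40e3d6000001")      # authenticator address (AA), constructed
CLIENT_MAC = bytes.fromhex("001122334455")  # supplicant address (SPA), constructed
ANONCE = bytes(range(32))                   # nonce the AP sends in message 1, constructed
SNONCE = bytes(range(32, 64))               # nonce the client sends in message 2, constructed

SNONCE_OFFSET = 17   # EAPOL-Key frame: 4-byte EAPOL header + 13 bytes to the Key Nonce field
MIC_OFFSET = 81      # Key MIC field follows nonce, IV, RSC and ID fields

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the salt; every client of a PSK SSID shares this one key."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def _prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]

def wpa2_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """48-byte CCMP PTK. min()/max() ordering makes the derivation symmetric,
    so AP and client reach the same PTK without agreeing who goes first."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return _prf(pmk, b"Pairwise key expansion", data, 48)

def build_eapol_msg2(snonce: bytes) -> bytearray:
    """Minimal EAPOL-Key message 2 (RSN descriptor, HMAC-SHA1 MIC, no key data)
    with the MIC field zeroed; 99 bytes total."""
    frame = bytearray(99)
    frame[0], frame[1] = 0x02, 0x03                 # EAPOL version 2, type EAPOL-Key
    frame[2:4] = (95).to_bytes(2, "big")            # EAPOL body length
    frame[4] = 0x02                                 # descriptor type: RSN
    frame[5:7] = (0x010A).to_bytes(2, "big")        # key info: pairwise, MIC set, descriptor version 2
    frame[9:17] = (1).to_bytes(8, "big")            # replay counter
    frame[SNONCE_OFFSET:SNONCE_OFFSET + 32] = snonce
    return frame                                    # IV, RSC, ID, MIC and key-data length stay zero

def eapol_mic(ptk: bytes, frame: bytes) -> bytes:
    """WPA2/CCMP key MIC: HMAC-SHA1 keyed with the KCK (PTK[0:16]) over the
    whole EAPOL frame with the MIC field zeroed, truncated to 16 bytes."""
    zeroed = bytearray(frame)
    zeroed[MIC_OFFSET:MIC_OFFSET + 16] = bytes(16)
    return hmac.new(ptk[:16], bytes(zeroed), hashlib.sha1).digest()[:16]

def client_sign_msg2(passphrase: str, ssid: str, aa: bytes, spa: bytes,
                     anonce: bytes, snonce: bytes) -> bytes:
    """Supplicant side after message 1: derive PMK and PTK, then send message 2
    carrying SNonce and a MIC that proves knowledge of the passphrase."""
    ptk = wpa2_ptk(wpa2_pmk(passphrase, ssid), aa, spa, anonce, snonce)
    frame = build_eapol_msg2(snonce)
    frame[MIC_OFFSET:MIC_OFFSET + 16] = eapol_mic(ptk, frame)
    return bytes(frame)

def ap_verify_msg2(ptk: bytes, frame: bytes) -> bool:
    """Authenticator side: recompute the MIC with its own PTK and compare."""
    return hmac.compare_digest(eapol_mic(ptk, frame), frame[MIC_OFFSET:MIC_OFFSET + 16])

def crack_handshake(candidates, ssid: str, aa: bytes, spa: bytes, anonce: bytes, msg2: bytes):
    """Offline dictionary attack on a captured handshake. SSID, both MACs,
    ANonce (message 1) and SNonce plus MIC (message 2) all travel in the clear,
    so each guess costs one PBKDF2 run and one HMAC. Returns the passphrase or None."""
    snonce = msg2[SNONCE_OFFSET:SNONCE_OFFSET + 32]
    for guess in candidates:
        ptk = wpa2_ptk(wpa2_pmk(guess, ssid), aa, spa, anonce, snonce)
        if ap_verify_msg2(ptk, msg2):
            return guess
    return None

def sample_msg2() -> bytes:
    """Message 2 as the constructed client sends it for the lab SSID."""
    return client_sign_msg2(PASSPHRASE, SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
```

Running `crack_handshake(["password1", "aerohive123"], SSID, AP_MAC, CLIENT_MAC, ANONCE, sample_msg2())` recovers the lab passphrase on the second guess, because the passphrase is the only secret input to the whole derivation. That is the concrete reason behind the deck's "use a stronger key in real life" note, and why Private PSK and 802.1X/EAP are covered in the later labs.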

Page 66: Acwp Aerohive configuration guide


QUESTIONS?

Page 67: Acwp Aerohive configuration guide

TIME SETTINGS FOR HIVEMANAGER AND AEROHIVE DEVICES

Page 68: Acwp Aerohive configuration guide

Verify On-Premise HiveManager Time Settings

• HiveManager and Aerohive devices should have up-to-date time settings, preferably via NTP (HMOL time settings are automatic).

• Go to Home > Administration > HiveManager Settings

• Next to System Date/Time click Settings

Aerohive devices use Private PSKs and certificates which are time limited credentials. Therefore, it is imperative that the HiveManager Time Settings be in proper synchronization with your network. The use of an NTP server is highly recommended.

Page 69: Acwp Aerohive configuration guide

Verify Device Time Settings

• Go to Configuration

• Select your Network Policy: WLAN-X and click OK

• Next to Additional Settings click Edit

• Expand Management Server Settings
Note: Upon first login to a new HiveManager system, an NTP server policy is automatically created with the same name as the user name. However, the object should be edited with the proper time zone.

• Next to NTP Server
› Click the + icon

Aerohive devices use Private PSKs and certificates, which are time-limited credentials. Even more important than the HiveManager time settings, Aerohive device clock settings must be properly synchronized. The use of an NTP server is MANDATORY.

Page 70: Acwp Aerohive configuration guide

Verify Device Time Settings

• Name the service NTP-X

• Time Zone: <Please use the Pacific time zone>

• Uncheck Sync clock with HiveManager

• NTP Server: ntp1.aerohive.com

• Click Apply

• Click Save

MANDATORY: You must change the time zone to match the time zone where your Aerohive Devices reside. Do this BEFORE you configure the rest of your Network Policy.

Instructor note: When using Lab #4 the Time Zone MUST be set to (GMT +10 Australia/Sydney)

Page 71: Acwp Aerohive configuration guide


QUESTIONS?

Page 72: Acwp Aerohive configuration guide

SECURE WIRELESS LANS WITH IEEE 802.1X USING PEAP AUTHENTICATION

Page 73: Acwp Aerohive configuration guide

IEEE 802.1X with EAP

Message sequence between the supplicant (computer), the authenticator (AP) and the authentication server (RADIUS), as shown in the slide diagram:

1. 802.11 association between supplicant and AP; access is still blocked at the AP

2. EAPoL-Start from the supplicant to the AP

3. EAP-Request/Identity from the AP to the supplicant

4. EAP-Response/Identity (username) from the supplicant, which the AP forwards to the server in a RADIUS Access-Request

5. RADIUS Access-Challenge from the server, relayed by the AP to the supplicant as an EAP-Request (challenge)

6. EAP-Response (hashed response) from the supplicant, forwarded in a second RADIUS Access-Request; the supplicant ("Calculating my key…") and the server ("Calculating key for user…") each derive the key independently

7. RADIUS Access-Accept carrying the PMK to the AP, which sends EAP-Success to the supplicant

8. Access granted

Page 74: Acwp Aerohive configuration guide

Extensible Authentication Protocol (EAP) Comparison Chart

Page 75: Acwp Aerohive configuration guide

LAB: Secure WLAN Access With 802.1X/EAP
LAB Goals

• Configure a Network Policy for 802.1X/EAP Enterprise security where APs communicate with an external RADIUS server

• Define multiple user profiles leveraging RADIUS attributes

• Connect to the hosted PC and test the 802.1X/EAP authentication

• Troubleshoot authentication problems with Client Monitor.

• Verify user profile assignment using RADIUS attributes.

Page 76: Acwp Aerohive configuration guide

LAB: Secure WLAN Access With 802.1X/EAP
Using External RADIUS

Summary of the slide graphic:

• Hosted PC Student-0X on VLANs 1-20; student AP Mgt0 IP 10.5.2.N/24 on VLAN 1; Network Policy: WLAN-0X

• AD server 10.5.1.10 running NPS (Windows Server 2008); Internet uplink

• DHCP settings: (VLAN 1) network 10.5.2.0/24, range 10.5.2.140 – 10.5.2.240; (VLAN 10) network 10.5.10.0/24, range 10.5.10.140 – 10.5.10.240

• Client connects to Class-EAP-X and receives IP 10.5.10.N/24, gateway 10.5.10.1

• SSID: Class-EAP-X; authentication: WPA or WPA2 Enterprise (802.1X/EAP); encryption: TKIP or AES

• Auth User Profile: Employee-X; attribute: 10 (RADIUS attribute returned); VLAN: 10

• Default User Profile: Employee-Default-X; attribute: 1000 (no RADIUS attribute returned); VLAN: 8

Page 77: Instructor Only: On Hosted RADIUS Server – Verify RADIUS Client Settings

• Set the RADIUS server to accept RADIUS messages from the MGT0 interface IP of all Aerohive devices that function as authenticators

• This class uses: 10.5.2.0/24

• Shared Secret: aerohive123

NOTE: Use a stronger key in real life! The shared secret is the only thing that authenticates the AP to the RADIUS server and it protects the keying material in the Access-Accept, so use a long random secret and, where the server allows it, a separate secret per RADIUS client rather than one for a whole subnet.

Page 78: Instructor Only: On Hosted RADIUS Server – Verify RADIUS Client Settings (continued)

• "RADIUS clients" are often confused with Wi-Fi clients (supplicants)

• RADIUS clients are devices that communicate with a RADIUS server using the RADIUS protocol

• RADIUS clients are the authenticators in an 802.1X/EAP framework (here, the Aerohive APs)

• The term "RADIUS client" is synonymous with NAS (Network Access Server) client; the NPS console lists these entries under RADIUS Clients

Page 79: On Hosted RADIUS Server – Configuring RADIUS Return Attributes

• After successful authentication of a user in the AH-LAB\Wireless Windows AD group, RADIUS returns three attribute/value pairs that the AP uses to assign the Aerohive user profile.

Standard RADIUS attribute/value pairs returned:

  Tunnel-Medium-Type (65): IPv4 (1)
  Tunnel-Type (64): GRE (10)
  Tunnel-Pvt-Group-ID (81): 10

The AP reads the Tunnel-Pvt-Group-ID value as the user profile attribute number; Tunnel-Type and Tunnel-Medium-Type only have to carry the values the AP expects. The value 10 must correspond to a user profile with attribute number 10 on the SSID (Employee-X in this lab).

Page 80: Lab: Secure WLAN Access With 802.1X/EAP – 1. Create a New SSID

To configure an 802.1X/EAP SSID for secure wireless access:

• Go to Configuration

• Select your Network Policy: WLAN-X and click OK

• Next to SSIDs, click Choose

• Click New

Page 81: Lab: Secure WLAN Access With 802.1X/EAP – 2. Configure an 802.1X/EAP SSID

• Profile Name: Class-EAP-X

• SSID: Class-EAP-X

• Under SSID Access Security select WPA/WPA2 802.1X (Enterprise)

• Click Save

Page 82: Lab: Secure WLAN Access With 802.1X/EAP – 3. Select the new Class-EAP-X SSID

• Click to deselect the Class-PSK-X SSID

• Ensure the Class-EAP-X SSID is selected (highlighted)

• Click OK

Page 83: Lab: Secure WLAN Access With 802.1X/EAP – 4. Create a RADIUS object

• Under Authentication, click <RADIUS Settings>

• In Choose RADIUS, click New

Page 84: Lab: Secure WLAN Access With 802.1X/EAP – 5. Define the External RADIUS Server

• RADIUS Name: RADIUS-X

• IP Address/Domain Name: 10.5.1.10

• Shared Secret: aerohive123

• Confirm Secret: aerohive123

• Click Apply when done

• Click Save

Page 85: Lab: Secure WLAN Access With 802.1X/EAP – 6. Create a New User Profile

• Under User Profile, click Add/Remove

• Click New

Page 86: Lab: Secure WLAN Access With 802.1X/EAP – 7. Define User Profile Settings

• Name: Employee-Default-X

• Attribute Number: 1000

• Network or VLAN-only Assignment: 8

• Click Save

Page 87: Lab: Secure WLAN Access With 802.1X/EAP – 8. Assign User Profile as Default for the SSID

• With the Default tab selected, ensure the Employee-Default-X user profile is highlighted

› IMPORTANT: This user profile is assigned if no attribute value is returned from RADIUS after successful authentication, or if attribute value 1000 is returned.

• Click the Authentication tab

Page 88: Lab: Secure WLAN Access With 802.1X/EAP – 9. Assign User Profile to be Returned by RADIUS Attribute

• Select the Authentication tab

• Select (highlight) Employee-X

› Important: This user profile is assigned when a matching RADIUS attribute value (here 10) is returned from the RADIUS server. You can have as many as 63 unique user profiles.

• Click Save

NOTE: The user profile attribute number is shown in parentheses after the user profile name.

Page 89: Lab: Secure WLAN Access With 802.1X/EAP – 10. Verify and Continue

• Ensure the Employee-Default-X and Employee-X user profiles are assigned to the Class-EAP-X SSID

• Click Continue to go to Configure & Update Devices

Page 90: Lab: Secure WLAN Access With 802.1X/EAP – 11. Update the AP Configuration

In the Configure & Update Devices section:

• Select the Current Policy filter

• Check the box next to your AP: X-A-######

• Click Update

Page 91: Lab: Secure WLAN Access With 802.1X/EAP – 12. Update the AP Configuration

• Select Update Devices

• Select Perform a complete configuration update for all selected devices

• Click Update

• Click OK in the Reboot Warning window

For this class, ALL updates from this point on should be complete configuration updates unless otherwise directed.

Page 92: Lab: Secure WLAN Access With 802.1X/EAP – 13. Update the AP Configuration

• Your new configuration will upload

• The AP will reboot

Page 93: QUESTIONS?

Page 94: CONFIGURING AND TESTING YOUR 802.1X SUPPLICANT

For Windows 7 Supplicants

Page 95: Lab: Testing 802.1X/EAP to External RADIUS – 1. Connect to Secure Wireless Network

• In the bottom task bar, click the wireless network icon to list the available wireless networks

• Click Class-EAP-X

• Click Connect

Page 96: Lab: Testing 802.1X/EAP to External RADIUS – 2. Connect to Secure Wireless Network

• Single-click the wireless icon in the bottom right corner of the Windows task bar

• Click Class-EAP-X

• Click Connect

• Select Use my Windows user account

• Click OK

Page 97: Lab: Testing 802.1X/EAP to External RADIUS – 3. View Wireless Clients

• After associating with your SSID, you should see your connection in the active clients list in HiveManager

› Go to Monitor > Clients > Wireless Clients

• User Name: DOMAIN\user

• User Profile Attribute: 10

• VLAN: 10

You were assigned to this user profile based on the RADIUS attribute returned in the Access-Accept.

Page 98: User Profile Assignment via RADIUS attributes

• User profiles can be assigned based upon returned RADIUS attributes

• As many as 63 different groups of users can be assigned to different VLANs, firewall policies, SLA policies, time-based policies, etc.

Leveraging RADIUS attributes for user profile assignment means you only need a single SSID for all your employees. Although you can transmit as many as 16 SSIDs per radio, best practice is no more than 3-4. Each additional SSID adds beacon and probe-response overhead on the air and degrades performance. A common strategy is to have three SSIDs: Employees, Voice and Guests.

Because the RADIUS policy, not the SSID, now decides the VLAN and firewall policy, make the default user profile the least-privileged one: a user for whom the RADIUS server returns no attribute lands there.

Page 99: Default RADIUS attributes used for User Profile assignment

Note: By default, user profile assignment by RADIUS attributes uses these attribute/value pairs:

  Tunnel-Medium-Type: IPv4

  Tunnel-Type: GRE

  Tunnel-Pvt-Group-ID: <user profile attribute number> (10 in this lab)

Page 100: User Profile Assignment via RADIUS attributes

• User profiles can be assigned based upon any returned RADIUS attribute

• The attribute can be a standard RADIUS attribute or a custom (vendor-specific) attribute

Page 101: Example: Troubleshooting – Invalid User Profile attribute returned from RADIUS

• Go to Monitor > All Devices

• If you see an alarm when trying to authenticate with 802.1X/EAP, click the alarm icon for details

• This alarm (Invalid User Profile Returned) means the RADIUS server returned an attribute value that is not defined as a user profile on the Aerohive AP, in this case the value 50. Fix either the NPS network policy so that it returns a defined value, or add a user profile with that attribute number to the SSID.
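To make the three pages above concrete, here is an added Python example (not HiveOS or NPS code) that builds the RADIUS packets the authenticator and the server exchange once EAP has finished, checks them with the shared secret, and applies the same user-profile decision the AP makes: the returned Tunnel-Pvt-Group-ID selects the profile, no attribute (or 1000) selects the default, and an undefined value such as 50 produces the Invalid User Profile condition. The profile table, the NAS address and the treatment of an unexpected Tunnel-Type as "no attribute" are the example's own assumptions.

```python
# Added example: Access-Request / Access-Accept between a NAS and a RADIUS
# server, reduced to what this section discusses: the shared secret (via the
# HMAC-MD5 Message-Authenticator of RFC 3579 and the MD5 Response
# Authenticator of RFC 2865), the Tunnel-* triple of RFC 2868 that carries the
# user profile attribute number, and the NAS-side profile decision.
# The EAP conversation is omitted; the profile table is an assumption.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 4, 80
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_GRE, TUNNEL_MEDIUM_IPV4 = 10, 1


def avp(attr_type, value):
    """Type(1) Length(1) Value; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def parse_avps(data):
    out = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("truncated attribute")
        out.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return out


def tagged_int(tag, value):
    """RFC 2868 tagged integer: tag byte followed by a 3-byte integer."""
    return bytes([tag]) + value.to_bytes(3, "big")


def build_packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def nas_access_request(secret, ident, username, nas_ip):
    """NAS side: random Request Authenticator plus a Message-Authenticator that is
    HMAC-MD5 over the whole packet with its own value zeroed."""
    req_auth = os.urandom(16)
    attrs = [avp(USER_NAME, username.encode()),
             avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))]
    zeroed = build_packet(ACCESS_REQUEST, ident, req_auth, attrs + [avp(MESSAGE_AUTHENTICATOR, bytes(16))])
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs + [avp(MESSAGE_AUTHENTICATOR, mac)]), req_auth


def server_verify_request(secret, packet):
    """Server side: check the Message-Authenticator before doing anything else.
    A wrong secret, or a NAS that is not a configured RADIUS client, fails here."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], parse_avps(packet[20:length])
    zeroed = [avp(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    expected = hmac.new(secret, build_packet(code, ident, req_auth, zeroed), hashlib.md5).digest()
    received = next((v for t, v in attrs if t == MESSAGE_AUTHENTICATOR), None)
    if received is None or not hmac.compare_digest(expected, received):
        raise PermissionError("bad Message-Authenticator: wrong shared secret or unknown RADIUS client")
    return ident, req_auth, attrs


def server_access_accept(secret, ident, req_auth, group_id=None):
    """Server side: Access-Accept with the Tunnel-* triple (tag 1) when the policy
    returns a user profile attribute. The Response Authenticator binds the reply to
    this request and to the shared secret."""
    attrs = []
    if group_id is not None:
        attrs = [avp(TUNNEL_TYPE, tagged_int(1, TUNNEL_TYPE_GRE)),
                 avp(TUNNEL_MEDIUM_TYPE, tagged_int(1, TUNNEL_MEDIUM_IPV4)),
                 avp(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + str(group_id).encode())]
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body


def nas_handle_reply(secret, req_auth, packet, profiles, default_attr=1000):
    """NAS side: verify the Response Authenticator, then choose the user profile."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    resp_auth, body = packet[4:20], packet[20:length]
    if not hmac.compare_digest(hashlib.md5(packet[:4] + req_auth + body + secret).digest(), resp_auth):
        raise PermissionError("bad Response Authenticator: forged reply or wrong shared secret")
    if code != ACCESS_ACCEPT:
        return None
    attrs = dict(parse_avps(body))
    tt, tm, gid = attrs.get(TUNNEL_TYPE), attrs.get(TUNNEL_MEDIUM_TYPE), attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if gid is None or tt is None or tm is None:
        return profiles[default_attr]            # nothing returned: default profile
    if int.from_bytes(tt[1:], "big") != TUNNEL_TYPE_GRE or int.from_bytes(tm[1:], "big") != TUNNEL_MEDIUM_IPV4:
        return profiles[default_attr]            # assumption: unexpected triple treated as absent
    if gid[0] <= 0x1F:                           # leading byte is an RFC 2868 tag, not text
        gid = gid[1:]
    number = int(gid.decode())
    if number not in profiles:
        raise LookupError("Invalid User Profile Returned: attribute %d is not defined on this SSID" % number)
    return profiles[number]


def demo(group_id=10, server_secret=None):
    """Full round trip with the lab's values; server_secret simulates a mismatch."""
    secret = b"aerohive123"
    profiles = {1000: ("Employee-Default-X", 8), 10: ("Employee-X", 10)}   # attribute -> (name, VLAN)
    packet, req_auth = nas_access_request(secret, 7, "AH-LAB\\user", "10.5.2.2")
    ident, ra, _ = server_verify_request(server_secret or secret, packet)
    reply = server_access_accept(server_secret or secret, ident, ra, group_id)
    return nas_handle_reply(secret, req_auth, reply, profiles)


def outcome(**kwargs):
    """demo() result, or the name of the failure, for quick comparison."""
    try:
        return demo(**kwargs)
    except (PermissionError, LookupError) as exc:
        return type(exc).__name__
```

demo() runs the lab's happy path; outcome(group_id=50) reproduces the alarm on this page, and outcome(server_secret=b"wrong") shows the first thing to check when nothing works at all: on a secret mismatch NPS discards the request rather than sending an Access-Reject, so the AP only ever sees a RADIUS timeout.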

Page 102: Client Monitor – For 802.1X/EAP – Example of an invalid user account

Reading the Client Monitor trace for a failed logon:

• The TLS negotiation uses the RADIUS server certificate (PEAP builds its outer TLS tunnel before the user credentials are sent)

• The trace shows the IP address of the RADIUS server that handled the request

• At this point you know the AAA certificates were installed correctly and that the server certificate validation performed by the client passed

• The final failure is that the user is not in the user database. If the Aerohive AP is the RADIUS server, open the AAA server settings, ensure the correct user group is selected, and then update the configuration of the Aerohive AP.

Page 103: Client Monitor Troubleshooting 802.1X

Client Monitor is the tool of choice for troubleshooting 802.1X/EAP problems, because it shows at which stage (association, EAP identity, TLS handshake, inner authentication, key exchange) the client failed.

More information can be found at: http://blogs.aerohive.com/blog/the-wireless-lan-training-blog/troubleshooting-wi-fi-connectivity-with-hivemanager-tools

Page 104: RADIUS Test Built Into HiveManager

To test a RADIUS account:

• Go to Tools > Server Access Tests > RADIUS Test

• RADIUS Server: 10.5.1.10

• Aerohive AP RADIUS Client: 0X-A-######

• Select RADIUS authentication server

• Username: user

• Password: Aerohive1

• Click Test

The result also lists the attribute values returned by the server, so you can confirm the Tunnel-* values before testing with a real supplicant. Because the test is sent from the selected AP, it verifies that AP's RADIUS client entry and shared secret as well as the user account.

Page 105: QUESTIONS?

Page 106: RADIUS PROXY

Page 107: Instructor Only: On Hosted RADIUS Server – Verify RADIUS Client Settings

• Set the RADIUS server to accept RADIUS messages from the MGT0 interface IP of all Aerohive devices that function as authenticators

• This class uses: 10.5.2.0/24

• Shared Secret: aerohive123

NOTE: Use a stronger key in real life! With a RADIUS proxy in place, this RADIUS client entry can be narrowed to the proxy's IP alone, as shown on the next page.

Page 108: RADIUS Proxy on Aerohive APs

• Aerohive devices can be RADIUS proxies

› APs set their RADIUS server to be the RADIUS proxy AP

› The RADIUS proxy AP forwards the authentication requests to the real RADIUS server

› A single RADIUS client entry (the proxy's IP) can be configured on the RADIUS server for all the APs that need to authenticate users

Lab topology:

• RADIUS server 10.5.1.10, RADIUS client settings: permit 10.5.2.2/32 only

• AP acting as RADIUS proxy, and as the server's only RADIUS client: 10.5.2.2

• All other APs (RADIUS clients) send their RADIUS traffic to 10.5.2.2

Note: Aerohive APs, switches, BR-200 branch routers and VA gateways can all function as a RADIUS proxy.

The proxy terminates one RADIUS trust hop and starts another: it accepts requests from hive members and re-signs them with the secret shared with the upstream server. The upstream server identifies its RADIUS client by the proxy's source IP, so any NPS policy condition on the RADIUS client's IP address or friendly name applies to every AP behind the proxy.

Page 109: LAB: Using Hive Devices as a RADIUS Proxy – LAB Goals

• Define one Aerohive AP as a RADIUS proxy that forwards RADIUS packets to an external RADIUS server

• Avoid the RADIUS client licensing restrictions imposed by some RADIUS vendors (one client entry for the whole hive)

• Connect to the hosted PC and test the 802.1X/EAP authentication

• Troubleshoot any authentication problems with Client Monitor

• Verify user profile assignment using RADIUS attributes

Page 110: Lab: Using Hive Devices as a RADIUS Proxy – 1. Designating a RADIUS Proxy

• Click Configuration

• Expand Advanced Configuration

• Click Authentication

• Click RADIUS Proxy

• Click the New button

Page 111: Lab: Using Hive Devices as a RADIUS Proxy – 2. RADIUS Proxy Details

• Use Proxy-X as the Proxy Name

• Click the + next to RADIUS Server

• Do NOT save yet!

Page 112: Lab: Using Hive Devices as a RADIUS Proxy – 3. RADIUS Server Details

• Use RADIUS-Server-X as the RADIUS Name

• Under Add New RADIUS Server, use the dropdown arrow and select 10.5.1.10

• Server Type: Auth/Acct

• Enter and confirm the Shared Secret: aerohive123

• Select Server Role: Primary

• Click Apply

• Click Save

Page 113: Lab: Using Hive Devices as a RADIUS Proxy – 4. RADIUS Proxy Details

• Under Realm Name, use the dropdown arrow next to Default to select RADIUS-Server-X as the RADIUS server for the default realm

• Set the Realm name to: ah-lab.local

• Ensure the Strip the Realm name from proxied access requests check box is selected, so that the upstream server receives the user name without the @ah-lab.local suffix

• Verify your settings

• Click Apply

• Do NOT save yet

Page 114: Lab: Using Hive Devices as a RADIUS Proxy – 5. RADIUS Proxy: No need for RADIUS Clients

• Although different realms can be sent to different RADIUS servers, for this lab set them all to: RADIUS-Server-X

• Click Save

Note: When your APs and the AP acting as RADIUS proxy are in the same hive (configured with the same hive name), you do not need to configure RADIUS clients on the AP RADIUS proxy. The RADIUS client entries and shared secrets are generated automatically among the APs in a hive. Devices that are not in the same hive do not get this automatic trust.

Page 115: Lab: Using Hive Devices as a RADIUS Proxy – 6. Set AP to be RADIUS Proxy

• Go to Monitor > Access Points > Aerohive APs

• Check the box next to your X-A-###### AP

• Click the Modify button

• Under Optional Settings, expand Service Settings

• Assign Device RADIUS Proxy to: Proxy-X

• Click Save

Note: A RADIUS icon will appear next to your AP in the monitor view.

Page 116: Lab: Using Hive Devices as a RADIUS Proxy – 7. Select your Network Policy

To edit your SSID:

• Go to Configuration

• Select your Network Policy: WLAN-X and click OK

Page 117: Lab: Using Hive Devices as a RADIUS Proxy – 8. Define the AAA client profile

• Under Authentication, click RADIUS-X

• In Choose RADIUS, click New

Page 118: Lab: Using Hive Devices as a RADIUS Proxy – 9. Define the External RADIUS Server (Use the Proxy)

• RADIUS Name: RADIUS-Proxy-X

• IP Address/Domain Name: 10.5.2.X (the Mgt0 address of the proxy AP)

• No other settings are needed as long as the APs are in the same hive (the shared secret is generated automatically)

• Click Apply

• Click Save

Page 119: Lab: Using Hive Devices as a RADIUS Proxy – 10. Verify and Continue

• Ensure the Employee-Default-X and Employee-X user profiles are assigned to the Class-EAP-X SSID

• Click Continue, or click the bar, to go to Configure & Update Devices

Page 120: Lab: Using Hive Devices as a RADIUS Proxy – 11. Update the AP Configuration

In the Configure & Update Devices section:

• Select the Current Policy filter

• Check the box next to your AP: X-A-######

• Click Update

Page 121: Lab: Using Hive Devices as a RADIUS Proxy – 12. Update the AP Configuration

• Select Update Devices

• Select Perform a complete configuration update for all selected devices

• Click Update

• Click OK in the Reboot Warning window

For this class, ALL updates from this point on should be complete configuration updates unless otherwise directed.

Page 122: Lab: Using Hive Devices as a RADIUS Proxy – 13. Update the AP Configuration

• Your new configuration will upload

• The AP will reboot

Page 123: QUESTIONS?

Page 124: CONFIGURING AND TESTING YOUR 802.1X SUPPLICANT

For Windows 7 Supplicants

Page 125: Lab: Testing 802.1X/EAP via RADIUS Proxy – 1. Connect to Secure Wireless Network

• In the bottom task bar, click the wireless network icon to list the available wireless networks

• Click Class-EAP-X

• Click Connect

Page 126: Lab: Testing 802.1X/EAP via RADIUS Proxy – 2. Connect to Secure Wireless Network

• In the bottom task bar, click the wireless network icon to list the available wireless networks

• Click Class-EAP-X

• Click Connect

Page 127: Lab: Testing 802.1X/EAP via RADIUS Proxy – 3. View Wireless Clients

• After associating with your SSID, you should see your connection in the active clients list in HiveManager

› Go to Monitor > Clients > Wireless Clients

• User Name: DOMAIN\user

• User Profile Attribute: 10

• VLAN: 10

The result should be identical to the direct-to-RADIUS lab: the proxy changes which device talks to NPS, not the attributes NPS returns.

Page 128: QUESTIONS?

Page 129: GENERATE AEROHIVE AP RADIUS SERVER CERTIFICATES

Required when Aerohive APs are configured as RADIUS servers or VPN servers

Page 130: HiveManager Root CA Certificate – Location and Uses

• This root CA certificate is used to:

› Sign the CSR (certificate signing request) that HiveManager creates on behalf of the AP acting as a RADIUS or VPN server

› Validate Aerohive AP certificates to remote clients: 802.1X clients (supplicants) need a copy of the CA certificate in order to trust the certificates on the Aerohive AP RADIUS server(s)

• Root CA Cert Name: Default_CA.pem

• Root CA key Name: Default_key.pem

Note: The CA private key is only ever used or seen by HiveManager. Whoever controls HiveManager can therefore issue a certificate that every supplicant trusting Default_CA.pem will accept, so restrict HiveManager administrator access accordingly and distribute only the CA certificate, never the key, to clients.

• To view certificates, go to: Configuration > Advanced Configuration > Keys and Certificates > Certificate Mgmt

Page 131: Use the Existing HiveManager CA Certificate, Do not Create a New One!

• For this class, please do not create a new HiveManager CA certificate; doing so renders every certificate previously signed by the old CA invalid.

• On your own HiveManager, you can create your own HiveManager CA certificate by going to: Configuration > Advanced Configuration > Keys and Certificates > HiveManager CA

Only the Super User admin should have access rights to create the root HiveManager CA certificate.

Page 132: LAB: Aerohive Device - Server Certificates – 1. Generate Server Certificate

• Go to Configuration > Advanced Configuration > Keys and Certificates > Server CSR

• Common Name: server-X

• Organizational Name: Company

• Organization Unit: Department

• Locality Name: City

• State/Province: <2 characters>

• Country Code: <2 characters>

• Email Address: [email protected]

• Subject Alternative Name, User FQDN: [email protected]

› Note: This lets you add an extra step of validating the User FQDN in the certificate during IKE phase 1 for IPsec VPN. This way, the Aerohive AP needs both a valid signed certificate and the correct User FQDN.

• Key Size: 2048

• Password & Confirm: aerohive123 (this password protects the private key in the file you download; choose a strong one outside the lab)

• CSR File Name: AP-X

• Click Create

Page 133: LAB: Aerohive Device - Server Certificates – 2. Sign and Combine!

• Select Sign by HiveManager CA

› The HiveManager CA will sign the Aerohive AP server certificate

› The other option on this screen is used to send the signing request to an external certification authority instead

• The validity period should be the same as or less than the number of days the HiveManager CA certificate is still valid; a server certificate that outlives its CA is rejected by supplicants as soon as the CA certificate expires

› Enter the Validity: 3650 (approximately 10 years)

• Check Combine key and certificate into one file

› Enabling this setting helps prevent certificate and key mismatches when configuring the RADIUS settings

• Click OK

Page 134: LAB: Aerohive Device – Server Certificates – 3. View the Certificate and Key File

• To view certificates, go to: Configuration > Advanced Configuration > Keys and Certificates > Certificate Mgmt

• The combined certificate and key file name is: AP-X_key_cert.pem

• QUIZ: Which CA signed this Aerohive AP server certificate?

• QUIZ: Which devices need to install the CA public certificate?
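The three certificate steps above can be reproduced outside HiveManager. The following is an added example using the pyca/cryptography package, not HiveManager's own CSR or signing code: it builds a root CA in the role of Default_CA.pem, a server CSR with the User FQDN in the Subject Alternative Name, signs it with the validity capped to the CA's, writes the combined key-and-certificate PEM, and runs the checks a supplicant makes once it has the CA certificate. server-X and ah-lab.local come from the lab; the CA name, the SAN email and all function names are assumptions of the example.

```python
# Added example (pyca/cryptography, not HiveManager code): Server CSR,
# "Sign by HiveManager CA", "Combine key and certificate", and the
# supplicant-side validation that makes the CA certificate matter.
# Names follow the lab; the CA name, SAN email and function names are assumed.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def utc_now():
    # naive UTC, which every cryptography release accepts in the certificate builders
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)


def make_root_ca(name="HiveManager Lab CA", days=3650):
    """Role of the HiveManager CA: self-signed, CA=true, keyCertSign only."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    now = utc_now()
    cert = (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .add_extension(x509.KeyUsage(digital_signature=False, content_commitment=False,
                                         key_encipherment=False, data_encipherment=False,
                                         key_agreement=False, key_cert_sign=True, crl_sign=True,
                                         encipher_only=False, decipher_only=False), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def make_server_csr(common_name, user_fqdn):
    """The Server CSR form: CN plus a User FQDN (RFC 822 name) in the SAN."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(x509.Name([
               x509.NameAttribute(NameOID.COMMON_NAME, common_name),
               x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Company"),
               x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Department")]))
           .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(user_fqdn)]), critical=False)
           .sign(key, hashes.SHA256()))
    return key, csr


def sign_server_csr(ca_key, ca_cert, csr, days):
    """Sign by the CA; the validity is capped so the server certificate never
    outlives the CA certificate (the point made on the Sign and Combine page)."""
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not verify; the requester does not hold the key")
    now = utc_now()
    not_after = min(now + datetime.timedelta(days=days), ca_cert.not_valid_after)
    builder = (x509.CertificateBuilder()
               .subject_name(csr.subject).issuer_name(ca_cert.subject)
               .public_key(csr.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(not_after)
               .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
               .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False))
    for ext in csr.extensions:        # carry the SAN from the CSR into the certificate
        builder = builder.add_extension(ext.value, critical=ext.critical)
    return builder.sign(ca_key, hashes.SHA256())


def combine_key_and_cert(key, cert, password):
    """AP-X_key_cert.pem: password-protected PKCS#8 key followed by the certificate."""
    return (key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                              serialization.BestAvailableEncryption(password))
            + cert.public_bytes(serialization.Encoding.PEM))


def split_key_and_cert(pem, password):
    """Read the combined file back; a wrong password raises ValueError."""
    cut = pem.index(b"-----BEGIN CERTIFICATE-----")
    return (serialization.load_pem_private_key(pem[:cut], password),
            x509.load_pem_x509_certificate(pem[cut:]))


def supplicant_trusts(ca_cert, server_cert, expected_user_fqdn):
    """What a supplicant with Default_CA.pem installed checks on the AP's certificate:
    issuer, signature, validity window and the identity asserted in the SAN."""
    if server_cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(server_cert.signature, server_cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), server_cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    now = utc_now()
    if not server_cert.not_valid_before <= now <= server_cert.not_valid_after:
        return False
    san = server_cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return expected_user_fqdn in san.get_values_for_type(x509.RFC822Name)
```

This answers the quiz above in code: the signer is whichever key produced the CA certificate, and only the supplicants need the CA public certificate, since the RADIUS server holds its own key and certificate. The supplicant_trusts check against a different CA is exactly the check a supplicant configured without server certificate validation skips, which is what lets a rogue AP with any self-signed certificate harvest PEAP credentials.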

Page 135: QUESTIONS?

Page 136: AEROHIVE AP RADIUS SERVER WITH ACTIVE DIRECTORY INTEGRATION

Page 137: Aerohive Devices as RADIUS servers

Roles in the diagram:

• Wi-Fi clients: supplicants

• AP RADIUS clients: authenticators, which forward the EAP requests to the RADIUS server over RADIUS

• Primary AP RADIUS server: authentication server

• Backup AP RADIUS server: authentication server

• LDAP server (Active Directory) 10.5.1.10: queried over LDAP by the AP RADIUS servers

Aerohive devices can be configured as RADIUS servers and can be configured to integrate with any LDAP directory, including Active Directory.

Page 138: LAB: Aerohive Devices as RADIUS servers – LAB Goals

• Configure an Aerohive AP as a RADIUS server that performs all the 802.1X/EAP operations

• Aerohive devices that function as RADIUS servers are joined to the AD domain in order to:

› Let the Aerohive APs perform local 802.1X/EAP processing

› Allow the Aerohive AP to access the AD user store in order to authenticate users

› Allow the Aerohive AP to cache credentials in case the AD server is not accessible

Note: Aerohive APs, switches, BR-200 branch routers and VA gateways can all function as a RADIUS server

Page 139: LAB: Aerohive Devices as RADIUS servers – LAB Goals (continued)

• During the configuration, one Aerohive device is selected as the RADIUS server to:

› Obtain domain information

› Join the Aerohive AP to the domain (this device performs the actual join operation)

› Test user authentication

› Perform LDAP browsing operations

• Connect to the hosted PC and test the 802.1X/EAP authentication

• Troubleshoot any authentication problems with Client Monitor

• Verify user profile assignment using LDAP attributes

Page 140: QUESTIONS?

Page 141: CREATING A DELEGATED ADMINISTRATOR FOR JOINING AEROHIVE AP-RADIUS SERVERS TO THE DOMAIN

Page 142: Two Domain Accounts Needed

• Aerohive AP Admin Account: used to join Aerohive APs to the domain. It needs only the delegated right to create computer objects in the Computers OU, not Domain Admins membership.

• LDAP Query Account: used by the Aerohive AP that functions as a RADIUS server to perform LDAP queries. An ordinary domain user is sufficient; its password is stored on the AP, so treat it as a service account with no other privileges.

Page 143: Create a New Active Directory Aerohive AP Administrator (Instructor Only)

On the Windows 2008 AD server:

• In your domain, select Users, right-click and select New > User

Note: The name used in this example is not significant; you can use any name

• First Name: HiveAP

• Last Name: Admin

• Full Name: HiveAPAdmin

• User Logon: [email protected]

• Click Next

Page 144: Create a New Active Directory Aerohive AP Administrator (Instructor Only) – continued

• Enter a Password: Aerohive1

• Confirm Password: Aerohive1

• Uncheck User must change password at next logon

• Uncheck User cannot change password

• Check Password never expires

• Uncheck Account is disabled

• Click Next

• Click Finish

Password never expires is set because HiveManager stores these credentials to join APs automatically; compensate with a long random password and an account that holds nothing beyond the delegated right.

Page 145: Aerohive AP Administrator Group Membership

• Locate and double-click the new Aerohive AP Admin

• Click Member Of

Note: Here you can see that the Aerohive AP Admin only needs to be a member of Domain Users; the right to join computers comes from the OU delegation on the following pages, not from group membership.

Page 146: Delegate Control of the Computers OU to the Aerohive AP Admin (INSTRUCTOR ONLY)

• Right-click the Computers OU and select Delegate Control...

Page 147: Delegate Control of the Computers OU to the Aerohive AP Admin – continued

• Welcome to the Delegation of Control Wizard

› Click Next

• Users or Groups

› Click Add

› Type Aerohive AP Admin

› Click OK

› Click Next

Page 148: Delegate Control of the Computers OU to the Aerohive AP Admin – continued

• Select Create a custom task to delegate

• Click Next

Page 149: Delegate Control of the Computers OU to the Aerohive AP Admin – continued

• For Active Directory Object Type:

› Select Computer Objects and leave the rest of the default settings

› Check Create selected objects in this folder

› Click Next

• For Permissions:

› Check Read

› Check Write

› Leave the rest of the default settings

• Click Next

Page 150: Delegate Control of the Computers OU to the Aerohive AP Admin – continued

• Click Finish

Page 151: QUESTIONS?

Page 152: CONFIGURE AN AEROHIVE AP AS A RADIUS SERVER

Page 153: Lab: Aerohive Devices as RADIUS servers – 1. Select your Network Policy

To edit your SSID:

• Go to Configuration

• Select your Network Policy: WLAN-X and click OK

Page 154: Lab: Aerohive Devices as RADIUS servers – 2. Modify your AP settings

To configure the Aerohive AP as a RADIUS server:

• Click Continue to go to Configure and Update Devices

• Select the Filter: Current Policy

• Click the link for your Aerohive AP: 0X-A-######

Page 155: Lab: Aerohive Devices as RADIUS servers – 3. Deselect the proxy object

• Under Optional Settings, expand Service Settings

• Next to Device RADIUS Proxy, deselect the proxy object created in the previous lab

Page 156: Lab: Aerohive Devices as RADIUS servers – 4. Create an Aerohive AP RADIUS Service Object

• Under Optional Settings, expand Service Settings

• Next to Device RADIUS Service, click +

Page 157: Lab: Aerohive Devices as RADIUS servers – 5. Create an Aerohive AP RADIUS Service Object (continued)

• Name: AP-RADIUS-X

• Expand Database Settings

• Uncheck Local Database

• Check External Database

• Under Active Directory, click + to define the RADIUS Active Directory integration settings

Page 158: Lab: Aerohive Devices as RADIUS servers – 6. Select an Aerohive AP to test AD Integration

• Name: AD-X

• Aerohive AP for Active Directory connection setup: select your Aerohive AP, 0X-A-#####

› This AP will be used to test the Active Directory integration

› Once this Aerohive AP is configured for AD setup, it can be used as a template for configuring other Aerohive AP RADIUS servers with Active Directory integration

• The IP settings for the selected Aerohive AP are gathered and displayed

Page 159: Lab: Aerohive Devices as RADIUS servers – 7. Modify DNS settings for the test Aerohive AP

• Set the DNS server to: 10.5.1.10

› This DNS server should be the Active Directory DNS server or an internal DNS server that can resolve the Active Directory domain's SRV records, which the domain join and the LDAP lookups depend on

• Click Update

› This applies the DNS settings to the Network Policy and to the Aerohive AP so that it can test Active Directory connectivity

Page 160: Lab: Aerohive Devices as RADIUS servers – 8. Specify Domain and retrieve Directory Information

• Domain: ah-lab.local

• Click Retrieve Directory Information

› The Active Directory server IP is populated, as well as the BaseDN used for LDAP user lookups

Page 161: Lab: Aerohive Devices as RADIUS servers – 9. Join the domain

• Domain Admin: hiveapadmin (the delegated admin created earlier)

• Password and Confirm Password: Aerohive1

• Check Save Credentials

• Click Join

NOTE: By saving credentials you can automatically join APs to the domain without manual intervention. The saved credentials are then held by HiveManager, which is one more reason this account should have only the delegated computer-object rights and nothing more.

Page 162: Lab: Aerohive Devices as RADIUS servers – 10. Specify a user to perform LDAP user searches

• Domain User: [email protected] (a standard domain user)

• Password and Confirm Password: Aerohive1

• Click Validate User

› You should see the message: The user was successfully authenticated.

› These user credentials remain stored on the AP and are used to perform LDAP searches that locate user accounts during authentication.

Page 163: Lab: Aerohive Devices as RADIUS servers – 11. Save the AD settings

• Click Save

Page 164: Lab: Aerohive Devices as RADIUS servers – 12. Apply the RADIUS settings

• Select AD-X with priority: Primary

• Click Apply (make sure you click Apply)

• Do not save yet

Page 165: Lab: Aerohive Devices as RADIUS servers – 13. Enable credential caching

Enable the AP RADIUS server to cache user credentials, so that a user who has previously authenticated can still be authenticated while the AD server is not reachable:

• Check Enable RADIUS Server Credential Caching

• Expand RADIUS Settings

• Do not save yet

Caveat: while AD is unreachable, a cached user keeps authenticating even if the account was disabled or its password changed in the meantime, so weigh the availability gain against how long a revoked account may keep working.

Page 166: Lab: Aerohive Devices as RADIUS servers – 14. Assign the new Aerohive AP server certificate

Assign the newly created AP server certificate and key to the Aerohive AP RADIUS server:

• CA Cert File: Default_CA.pem

• Server Cert File: AP-X_key_cert.pem

• Server Key File: AP-X_key_cert.pem (the same combined file, which is why the combine option was chosen)

• Key File Password & confirm password: aerohive123

• Click Save

Page 167: Lab: Aerohive Devices as RADIUS servers – 15. Save the AP Settings

• Ensure that the Aerohive AP RADIUS Service is set to: AP-RADIUS-X

• Click Save

NOTE: Your Aerohive AP will show an icon indicating that it is a RADIUS server

Page 168: Acwp Aerohive configuration guide

QUESTIONS?

Page 169: Acwp Aerohive configuration guide

SSID FOR 802.1X/EAP AUTHENTICATION USING AEROHIVE AP RADIUS WITH AD KERBEROS INTEGRATION

Page 170: Acwp Aerohive configuration guide

Lab: Aerohive Devices as RADIUS servers
1. Edit your WLAN Policy and Add SSID Profile

Configure an SSID that uses 802.1X/EAP with AD (Kerberos) Integration

• Select the Configure Interfaces & User Access bar

• Next to SSIDs, click Choose

• In Choose SSIDs, select New

Page 171: Acwp Aerohive configuration guide

Lab: Aerohive Devices as RADIUS servers
2. Configure an 802.1X/EAP SSID

• Profile Name: Class-AD-X

• SSID: Class-AD-X

• Under SSID Access Security, select WPA/WPA2 802.1X (Enterprise)

• Click Save

Page 172: Acwp Aerohive configuration guide

Lab: Aerohive Devices as RADIUS servers
3. Select the new Class-AD-X SSID

• Click to deselect the Class-EAP-X SSID

• Ensure the Class-AD-X SSID is selected (highlighted)

• Click OK

Page 173: Acwp Aerohive configuration guide

Lab: Aerohive Devices as RADIUS servers
4. Create an AAA RADIUS client object

• Under Authentication, click <RADIUS Settings>

• In Choose RADIUS, click New

Page 174: Acwp Aerohive configuration guide

Lab: Aerohive Devices as RADIUS servers
5. Define the External RADIUS Server

• RADIUS Name: AP-RADIUS-X

• IP Address/Domain Name: 10.5.2.X

• Leave the Shared Secret empty

NOTE: When the Aerohive AP is a RADIUS server, APs in the same Hive automatically generate a shared secret.

• Click Apply

• Click Save

Page 175: Acwp Aerohive configuration guide

Lab: Aerohive Devices as RADIUS servers
6. Select User Profiles

• Verify that under Authentication, AP-RADIUS-X is assigned

• Under User Profile, click Add/Remove

Page 176: Acwp Aerohive configuration guide

Lab: Aerohive Devices as RADIUS servers
7. Assign User Profile as Default for the SSID

• With the Default tab selected, select (highlight) the Employee-Default-X user profile

• IMPORTANT: This user profile is assigned if no attribute value is returned from RADIUS after successful authentication, or if attribute value 1000 is returned.

• Click the Authentication tab

Page 177: Acwp Aerohive configuration guide

Lab: Aerohive Devices as RADIUS servers
8. Assign User Profile to be Returned by RADIUS Attribute

• In the Authentication tab, select (highlight) Employee-X

› NOTE: The User Profile Attribute is appended to the User Profile Name

• Click Save

Page 178: Acwp Aerohive configuration guide

Lab: Aerohive Devices as RADIUS servers
9. Verify and Continue

• Ensure the Employee-Default-X and Employee-X user profiles are assigned to the Class-AD-X SSID

• Click Continue

Page 179: Acwp Aerohive configuration guide

Lab: Aerohive Devices as RADIUS servers
10. Update the AP Configuration

In the Configure & Update Devices section:

• Select the Current Policy filter

• Check the box next to your AP: X-A-######

• Click Update

Page 180: Acwp Aerohive configuration guide

Lab: Aerohive Devices as RADIUS servers
11. Update the AP configuration

• Select Update Devices

• Select Perform a complete configuration update for all selected devices

• Click Update

• Click OK in the Reboot Warning window

For this class, ALL updates from this point on should be complete configuration updates unless otherwise directed.

Page 181: Acwp Aerohive configuration guide

Lab: Aerohive Devices as RADIUS servers
12. Update the AP configuration

• Your new configuration will upload

• The AP will reboot

Page 182: Acwp Aerohive configuration guide

ADDITIONAL AEROHIVE AP AD INTEGRATION INFORMATION

Page 183: Acwp Aerohive configuration guide

Optional: Verify Aerohive AP Time
From the CLI of the Aerohive AP

Kerberos authentication and the domain join both require the AP clock to be close to the domain controller's, which is why the time is checked here; see the NTP troubleshooting note later in this section.

• From the CLI of the Aerohive AP:

# show time

Timezone: GMT-8

# show clock

2011-07-13 11:14:45 Wednesday

Page 184: Acwp Aerohive configuration guide

Joining Aerohive APs to Active Directory
Computer OU = Wireless/Aerohive APs

• From the AD server, you can go to Active Directory Users and Computers and see when the Aerohive AP joins the domain

• If you specify an Active Directory administrator account in the AAA User Directory Settings, the Aerohive AP automatically adds itself to the domain

• If you did not specify an Active Directory administrator, you will have to add your Aerohive AP to the domain manually, much as you would for a computer

Screenshot: click Refresh, select the computer OU, and the hostname of your Aerohive AP appears in the list.

Page 185: Acwp Aerohive configuration guide

Join Aerohive AP RADIUS Server to Domain

Note: you performed this step for your Aerohive AP in the configuration; here is how you do it for the rest of the Aerohive AP RADIUS servers in your network.

• Go to Tools > Server Access Tests > AD/LDAP Test

• Select RADIUS Server: X-A-######

• Select Test joining the Aerohive AP to an Active Directory domain

• Active Directory Domain: Primary

• User Name: hiveapadmin

• Password: Aerohive1

• Click Test

Page 186: Acwp Aerohive configuration guide

Troubleshooting – Joining an Aerohive AP to a Domain

• Possible Cause: The administrator does not have privileges to add a computer/Aerohive AP to this OU

• Solution: Use an administrator with more privileges

• Possible Cause: The Aerohive AP was previously added to a different OU, and this administrator does not have privileges to remove the other entry

• Solution: Delegate administration of this OU to allow the selected administrator to add computers to this OU

Screenshot: the Aerohive AP has failed to join the domain.

Page 187: Acwp Aerohive configuration guide

Troubleshooting – Joining an Aerohive AP to a Domain

• Possible Cause: The NTP Server settings have not been configured on the Aerohive AP

• Solution: Configure the NTP Server settings by going to your WLAN Policy > Management Services > NTP Server

Screenshot: the Aerohive AP time is not accurate.

Page 188: Acwp Aerohive configuration guide

Test the user account for your hosted PC

• Select RADIUS Server: 0X-A-######

• Select Test Aerohive AP credentials for Active Directory Integration

• User Name: user

• Password: Aerohive1

• Click Test

Screenshot: Kerberos authentication passed for the user.

Page 189: Acwp Aerohive configuration guide

QUESTIONS?

Page 190: Acwp Aerohive configuration guide

CLIENT ACCESS PREPARATION - DISTRIBUTING CA CERTIFICATES TO WIRELESS CLIENTS

Page 191: Acwp Aerohive configuration guide

LAB: Exporting CA Cert for Server Validation
1. Go to HiveManager from the Remote PC

• From the VNC connection to the hosted PC, open a local connection to HiveManager

• HiveManager: 10.5.1.20

• Login with: adminX

• Password: aerohive123

NOTE: You are accessing HiveManager via the PC's Ethernet connection

Page 192: Acwp Aerohive configuration guide

LAB: Exporting CA Cert for Server Validation
2. Download Default CA Certificate to the Remote PC

NOTE: The HiveManager Root CA certificate should be installed on the client PCs that will use the RADIUS service on the Aerohive APs for 802.1X authentication, so that the supplicant can validate the AP's server certificate.

• From the Remote PC, go to Configuration > Advanced Configuration > Keys and Certificates > Certificate Mgmt

• Select Default_CA.pem

• Click Export

Page 193: Acwp Aerohive configuration guide

LAB: Exporting CA Cert for Server Validation
3. Rename HiveManager Default CA Cert

• Export the public root Default_CA.pem certificate to the Desktop of your hosted PC

› This is NOT your Aerohive AP server certificate; this IS the HiveManager public root CA certificate

• Rename the extension of the Default_CA.pem file to Default_CA.cer

› This way, the certificate is automatically recognized by Microsoft Windows

• Click Save

In the Save dialog: File name: Default_CA.cer; Save as type: All Files

Page 194: Acwp Aerohive configuration guide

LAB: Exporting CA Cert for Server Validation
4. Install HiveManager Default CA Cert

• Find the file that was just exported to your hosted PC

• Double-click the certificate file on the Desktop: Default_CA

• Click Open

• Click Install Certificate

Issued to: HiveManager. This is the name of the certificate if you wish to find it in the certificate store, or if you want to select it in the Windows supplicant PEAP configuration.

Page 195: Acwp Aerohive configuration guide

LAB: Exporting CA Cert for Server Validation
1. Finish certificate installation

• In the Certificate Import Wizard, click Next

• Click Place all certificates in the following store

• Click Browse

Page 196: Acwp Aerohive configuration guide

LAB: Exporting CA Cert for Server Validation
2. Select Trusted Root Certification Authorities

• Click Trusted Root Certification Authorities

• Click OK

• Click Next

Page 197: Acwp Aerohive configuration guide

LAB: Exporting CA Cert for Server Validation
3. Finish Certificate Import

• Click Finish

• Click Yes

• Click OK

Page 198: Acwp Aerohive configuration guide

LAB: Exporting CA Cert for Server Validation
4. Verify certificate is valid

• Click OK to close the certificate

• Double-click Default_CA to reopen the certificate

• You will see that the certificate is valid, with a valid-from and a valid-to date

• Click the Details tab

Page 199: Acwp Aerohive configuration guide

LAB: Exporting CA Cert for Server Validation
5. View the Certificate Subject

• In the Details section, view the certificate Subject

• This Subject, HiveManager, is what will appear in the list of trusted root certification authorities in the supplicant's Protected EAP (PEAP) Properties, configured later in this lab.

Screenshot: Protected EAP (PEAP) Properties in the supplicant (802.1X client).

Page 200: Acwp Aerohive configuration guide

QUESTIONS?

Page 201: Acwp Aerohive configuration guide

For Windows 7 Supplicants

CONFIGURING AND TESTING YOUR 802.1X SUPPLICANT

Page 202: Acwp Aerohive configuration guide

Lab: Testing AP-RADIUS w/ AD Integration
1. Connect to Secure Wireless Network

On the hosted PC, from the bottom task bar, click the wireless networks icon

• Click Class-AD-X

• Click Connect

• A Windows Security Alert should appear; click Details to verify that this certificate is from HiveManager, then click Connect

Screenshot: server-2 is the AP certificate, and HiveManager is the trusted CA.

Page 203: Acwp Aerohive configuration guide

Lab: Testing Aerohive AP RADIUS w/ AD Integration
2. Connect to Secure Wireless Network

On the hosted PC, from the bottom task bar, click the wireless networks icon

• Click Class-AD-X

• Click Connect

• Click Use my Windows user account

Page 204: Acwp Aerohive configuration guide

Lab: Testing Aerohive AP RADIUS w/ AD Integration
3. Connect to Secure Wireless Network

• When prompted about the server certificate, click Connect

• Notice that you are now connected (this may take a few moments)

Page 205: Acwp Aerohive configuration guide

Lab: Testing AP-RADIUS w/ AD Integration
4. View Active Clients

• After associating with your SSID, you should see your connection in the active clients list in HiveManager

› Go to Monitor > Client > Wireless Clients

• IP Address: 10.5.8.#

• User Name: DOMAIN\user

• VLAN: 8

• User Profile Attribute: 1000

NOTE: The user profile applied is the SSID's default, Employee-Default-X. It is being assigned because no User Profile Attribute value was returned from RADIUS.

Page 206: Acwp Aerohive configuration guide

QUESTIONS?

Page 207: Acwp Aerohive configuration guide

MAPPING ACTIVE DIRECTORY MEMBEROF ATTRIBUTE TO USER PROFILES

Page 208: Acwp Aerohive configuration guide

Aerohive AP as a RADIUS Server - Using AD Member Of for User Profile Assignment

• In your WLAN policy, you defined an SSID with two user profiles:

› Employee-Default-X – set if no RADIUS attribute is returned

» This user profile, for example, is for general employee staff, who are assigned to VLAN 8

› Employee-X – set if a RADIUS attribute is returned

» This user profile, for example, is for privileged employees, who are assigned to VLAN 10

• Because the Aerohive AP RADIUS server is using AD to authenticate the users, and AD does not return RADIUS attributes, how can we assign users to different user profiles?

• Though AD does not return RADIUS attributes, it does return other attribute values, such as memberOf, which is a list of the AD groups to which the user belongs
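The memberOf-to-user-profile decision described above, as an added Python example (not HiveManager or HiveOS code): a group DN from the user's memberOf list is matched against the configured mapping, and an unmatched user falls back to the SSID default. Profile names, attributes, VLANs and the CN=Wireless group DN are the lab's values; the directory entries in SAMPLE_USERS are constructed.

```python
"""Map an AD user's memberOf groups to an Aerohive user profile.

Added example, not HiveManager or HiveOS code. Profile names, attribute
numbers, VLANs and the group DN are the lab's values from the slides; the
directory entries in SAMPLE_USERS are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class UserProfile:
    name: str
    attribute: int   # User Profile Attribute the AP applies after auth
    vlan: int


# SSID default (used when no attribute, or attribute 1000, is returned).
DEFAULT_PROFILE = UserProfile("Employee-Default-X", 1000, 8)

# Manual LDAP group -> user profile mapping, as configured in the lab.
# Insertion order is the evaluation order when a user is in several groups.
GROUP_MAP: Dict[str, UserProfile] = {
    "CN=Wireless,CN=Users,DC=AH-LAB,DC=LOCAL": UserProfile("Employee-X", 10, 10),
}


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN for comparison: lower-case, no spaces around '=' or ','.

    AD returns DNs with mixed case, and HiveManager displays them as
    'CN = Wireless'; both must compare equal to the configured mapping.
    """
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def assign_profile(member_of: List[str],
                   group_map: Dict[str, UserProfile] = GROUP_MAP,
                   default: UserProfile = DEFAULT_PROFILE
                   ) -> Tuple[UserProfile, Optional[str]]:
    """Return (profile, matched group DN) for a user's memberOf values.

    An empty or unmatched memberOf list falls back to the SSID default,
    which is what the lab observed before the mapping existed
    (attribute 1000, VLAN 8).
    """
    groups = {normalize_dn(g) for g in member_of}
    for group_dn, profile in group_map.items():
        if normalize_dn(group_dn) in groups:
            return profile, group_dn
    return default, None


# Constructed sample directory: what an LDAP search for memberOf returns.
SAMPLE_USERS: Dict[str, List[str]] = {
    "user": ["CN=Wireless,CN=Users,DC=AH-LAB,DC=LOCAL",
             "CN=Staff,CN=Users,DC=AH-LAB,DC=LOCAL"],
    "contractor": ["CN=Staff,CN=Users,DC=AH-LAB,DC=LOCAL"],
    "svc-account": [],
}


def client_view(username: str) -> dict:
    """What Monitor > Clients would show for the user after 802.1X auth."""
    profile, group = assign_profile(SAMPLE_USERS.get(username, []))
    return {"user": f"AH-LAB\\{username}", "user_profile": profile.name,
            "attribute": profile.attribute, "vlan": profile.vlan,
            "matched_group": group}


if __name__ == "__main__":
    for name in SAMPLE_USERS:
        print(client_view(name))
```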

Page 209: Acwp Aerohive configuration guide

Instructor Only: Confirm User is a member of the Wireless AD Group

• Right-click the username "user" and click Properties

• Click the Member Of tab

• Each user account should be assigned to the Wireless AD Group

Page 210: Acwp Aerohive configuration guide

Lab: Use AD to Assign User Profile
1. Map memberOf attribute to user profile

• Go to Configuration > Advanced Configuration > Authentication > Aerohive AAA Server Settings

• Click the AP-RADIUS-X link

Page 211: Acwp Aerohive configuration guide

Lab: Use AD to Assign User Profile
2. Map memberOf attribute to user profile

• Expand Database Settings

• Check LDAP server attribute Mapping

• Select Manually map LDAP user groups to user profiles

• LDAP User Group Attribute: memberOf

• Domain: dc=AH-LAB,dc=LOCAL

• Click + to expand the LDAP tree

Page 212: Acwp Aerohive configuration guide

Lab: Use AD to Assign User Profile
2. Add AD group to User Profile mapping

• Expand the tree structure to locate the group:

› Expand CN=Users

› Select CN=Wireless

• For Maps to, from the drop-down list, select the user profile: Employee-X (listed as Employee(10)-X, the name with its attribute)

• Click Apply

• The mapping appears below the LDAP directory

• Click Save

Page 213: Acwp Aerohive configuration guide

Lab: Use AD to Assign User Profile SSID
3. Update the configuration of your Aerohive AP

Go to Configuration

• Select your Network Policy: WLAN-X and click OK

• Click the Continue button to go to the Configure and Update Device panel

Page 214: Acwp Aerohive configuration guide

Lab: Use AD to Assign User Profile SSID
4. Update the configuration of your Aerohive AP

In the Configure & Update Devices section:

• Select the Current Policy filter

• Check the box next to your AP: X-A-######

• Click Update

Page 215: Acwp Aerohive configuration guide

Lab: Use AD to Assign User Profile SSID
5. Update the configuration of your Aerohive AP

• Select Update Devices

• A complete upload is not needed this time

• Click Update

Page 216: Acwp Aerohive configuration guide

Lab: Use AD to Assign User Profile SSID
6. Delta Upload

• The Delta Configuration will upload

Page 217: Acwp Aerohive configuration guide

Lab: Use AD to Assign User Profile SSID
7. Disconnect and Reconnect to the Class-AD SSID

To test the mapping of the memberOf attribute to your user profile:

• Disconnect from the Class-AD-X SSID

• Connect to the Class-AD-X SSID

Page 218: Acwp Aerohive configuration guide

Lab: Use AD to Assign User Profile SSID
8. Disconnect and Reconnect to the Class-AD SSID

To test the mapping of the memberOf attribute to your user profile:

• Disconnect from the Class-AD-X SSID

• Connect to the Class-AD-X SSID

Page 219: Acwp Aerohive configuration guide

Lab: Use AD to Assign User Profile SSID
9. Verify your active client settings

• From Monitor > Clients > Wireless Clients

› Your client should now be assigned to:

» IP Address: 10.5.10.#

» User Profile Attribute: 10

» VLAN: 10

NOTE: In the previous lab, without the LDAP group mapping, the user was assigned attribute 1000 in VLAN 8

Page 220: Acwp Aerohive configuration guide

QUESTIONS?

Page 221: Acwp Aerohive configuration guide

AEROHIVE CLIENT MANAGEMENT

Aerohive's Instructor-led Training

Page 222: Acwp Aerohive configuration guide

Is the device a Corporate or Personally owned client?

Can you tell the difference between these two iPads?

Company Issued Device

• Owned and Managed by IT

• Provided for a Specific Purpose

• Enables New Working Models

Personal Device

• Employee-owned and Managed

• Wide Range of Potential Devices

• Improves Employee Satisfaction and Productivity

Page 223: Acwp Aerohive configuration guide

How Aerohive Solves the Problem

1. The mobile user connects to the corporate 802.1X SSID with username and password

2. The user is authenticated against Active Directory or another user store such as LDAP

3. The AP checks whether the device is already enrolled with HiveManager Client Management

4. The device is checked against a list of known corporate devices (MAC addresses) imported by the IT admin

5. If the device is not enrolled, it is redirected to the enrollment URL to acquire a custom device certificate and a secure profile, based on whether it is a personal or a corporate-issued device according to the MAC address list

6. The device is reconnected to the SAME SSID with its custom device certificate

7. Policy is applied based on all available context, including identity, device type, device ownership, location, and time

Diagram: the client device, the Corp 802.1X SSID, and HiveManager with Client Management.
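The seven-step flow above as an added Python example (not Aerohive's implementation): a device is classified against the corporate MAC list, redirected to enrollment if it is not yet enrolled, and otherwise has the ownership-based reassignment rule applied. The corporate MAC list, the enrollment records and the Ownership-to-profile rules (using the lab's CID-X and BYOD-X profiles) are constructed, and ENROLL_URL is a placeholder.

```python
"""Client Management onboarding decision flow (steps 1-7 above) in code.

Added illustration, not Aerohive's implementation. The corporate MAC list,
the enrollment records and the Ownership -> user profile reassignment rules
(using the lab's CID-X / BYOD-X values) are constructed sample data, and
ENROLL_URL is a placeholder.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

ENROLL_URL = "https://onboard.example.invalid/enroll"  # placeholder, not a real endpoint


@dataclass(frozen=True)
class UserProfile:
    name: str
    attribute: int
    vlan: int


@dataclass(frozen=True)
class Decision:
    action: str                         # "reject", "redirect" or "permit"
    ownership: Optional[str] = None     # "CID" or "BYOD" once enrolled
    profile: Optional[UserProfile] = None
    reason: str = ""


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class ClientManagement:
    def __init__(self, corporate_macs: Iterable[str],
                 rules: Dict[str, UserProfile], auth_profile: UserProfile):
        # Step 4: list of known corporate devices imported by the IT admin.
        self.corporate_macs = {normalize_mac(m) for m in corporate_macs}
        # Step 7: client classification rules, Ownership -> reassigned profile.
        self.rules = rules
        # Profile the user earned through 802.1X/AD authentication (steps 1-2).
        self.auth_profile = auth_profile
        # Enrollment records: MAC -> ownership decided at enrollment (step 3).
        self.enrolled: Dict[str, str] = {}

    def classify(self, mac: str, user_choice: Optional[str] = None) -> str:
        """A MAC on the corporate list is CID regardless of what the user
        claims; otherwise the user decides during enrollment (default BYOD).
        A MAC address is only a hint: the device certificate issued at
        enrollment, not the MAC, is what later identifies the device."""
        if normalize_mac(mac) in self.corporate_macs:
            return "CID"
        return "CID" if user_choice == "CID" else "BYOD"

    def enroll(self, mac: str, user_choice: Optional[str] = None) -> str:
        """Steps 5-6: the device visits the enrollment URL, receives its
        device certificate and profile, and is recorded with its ownership."""
        ownership = self.classify(mac, user_choice)
        self.enrolled[normalize_mac(mac)] = ownership
        return ownership

    def connect(self, mac: str, authenticated: bool) -> Decision:
        """Steps 1-3 and 7: after authentication, redirect an unenrolled
        device or apply the reassigned profile to an enrolled one."""
        if not authenticated:
            return Decision("reject", reason="802.1X/EAP authentication failed")
        ownership = self.enrolled.get(normalize_mac(mac))
        if ownership is None:
            return Decision("redirect", profile=self.auth_profile,
                            reason=f"not enrolled; redirect to {ENROLL_URL}")
        profile = self.rules.get(ownership, self.auth_profile)
        return Decision("permit", ownership, profile,
                        reason=f"reassigned by classification rule for {ownership}")


# Constructed sample data with the lab's profile values.
CORPORATE_MACS = ["00:19:77:00:00:01", "0019.7700.0002"]
RULES = {"CID": UserProfile("CID-X", 200, 10),
         "BYOD": UserProfile("BYOD-X", 800, 10)}
EMPLOYEE = UserProfile("Employee-X", 10, 10)


def demo():
    """Walk one corporate iPad and one personal iPad through the flow."""
    cm = ClientManagement(CORPORATE_MACS, RULES, EMPLOYEE)
    first = cm.connect("00-19-77-00-00-01", authenticated=True)  # not yet enrolled
    cm.enroll("00:19:77:00:00:01")                                # on the corporate list
    cm.enroll("12:34:56:78:9a:bc", user_choice="BYOD")            # personal device
    return (first,
            cm.connect("00:19:77:00:00:01", authenticated=True),
            cm.connect("12:34:56:78:9a:bc", authenticated=True),
            cm.connect("12:34:56:78:9a:bc", authenticated=False))


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```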

Page 224: Acwp Aerohive configuration guide

Client Management Concepts
Company Issued or Bring Your Own Device (BYOD)?

• Is a device a Company Issued Device (CID), or is the device brought from home, Bring Your Own Device (BYOD)?

• Enter the MAC addresses of devices to automatically select Corporate Issued Devices

• Or let the user decide during Enrollment

Page 225: Acwp Aerohive configuration guide

Client Management Concepts
User profile reassignment Options

• Client Management automatically detects and reassigns devices to new user profiles based upon BYOD or CID ownership.

• BYOD or CID ownership applies to iOS, MacOS, Android and Chromebook devices.

• For other operating systems such as Windows or BlackBerry, policy decisions for User Profile reassignment can be made based on OS and domain.

Note: You can still mix in other devices that are not supported by Client Management

Page 226: Acwp Aerohive configuration guide

Client Management Overview

• Support for the following solutions:

› Single SSID based onboarding: requires 802.1X on the SSID

› Single SSID based onboarding for PPSK: requires an initial static PSK

› Two SSIDs based onboarding:

» Open (for provisioning)

» Second SSID using PPSK (for secured access)

• Supports both HMOL and on-premises HM

• Requires HiveOS 6.1r3 or later on APs

• Supports Mac OS X, iOS, Android devices and Chrome OS (Chromebooks)

Page 227: Acwp Aerohive configuration guide

Firewall Considerations by Device Type and Ports Used

Source                       | Destination                                        | Service (Protocol and Port)
-----------------------------|----------------------------------------------------|----------------------------
Apple Client Devices         | Apple Push Notification Service (APNS) 17.0.0.0/8  | TCP 5223
Android & Chromebook Devices | Google GCM Servers                                 | TCP 5223, 5229, 5330
HiveManager                  | Client Management Service (onboard.aerohive.com)   | HTTPS 443
Access Points                | Client Management Service (onboard.aerohive.com)   | HTTPS 443
Access Points                | Apple Push Notification Service (APNS) 17.0.0.0/8  | TCP 5223

Page 228: Acwp Aerohive configuration guide

Enable Client Management in HiveManager

• Enable Client Management

• Test is an HTTPS test to the Client Management Cluster, which verifies that all Client Management services are working

• Do this for On-Premise and HMOL

• For On-Premise you will also have to retrieve the Customer ID

Page 229: Acwp Aerohive configuration guide

LAB: CLIENT MANAGEMENT USING 802.1X

Page 230: Acwp Aerohive configuration guide

Scenario

Your Enterprise Customer is using 802.1X/EAP security. Employees are permitted to bring their own devices to work to access the company network and the Internet. The new requirements include:

• Company Issued Devices (CID) such as iPads will receive the Company profile.

• All mobile device cameras must be disabled for security purposes.

• Employee Personal Devices (BYOD) will receive the Personal profile.

• Employee Personal Devices will have a firewall policy that restricts access to corporate resources but allows access to a gateway to the Internet.

Page 231: Acwp Aerohive configuration guide

Lab: Client Management using 802.1X
1. Edit the network policy

• Go to Configuration

• Select your Network Policy and click OK

• Click the link for the Class-AD-X SSID

Page 232: Acwp Aerohive configuration guide

Lab: Client Management using 802.1X
2. Enable client management

• Check Enable Client Management

• Click Save

Page 233: Acwp Aerohive configuration guide

Lab: Client Management using 802.1X
3. Create a CID user profile

• User Profile: Add/Remove

• Click New

Page 234: Acwp Aerohive configuration guide

Lab: Client Management using 802.1X
4. Create a BYOD user profile

• Name: BYOD-X

• Attribute: 800

• VLAN: 10

• Do NOT click Save yet

Page 235: Acwp Aerohive configuration guide

Lab: Client Management using 802.1X
5. Assign a restrictive firewall policy

• Under Optional Settings, expand Firewalls

• IP Firewall Policy > From-Access: Guest-Internet Access Firewall Policy

• Default Action: Permit

• Click Save

• Click Save again

Page 236: Acwp Aerohive configuration guide

Note: Firewall Policy

The guest firewall policy is a default policy that can be used to keep BYOD devices away from the internal networks where corporate resources reside. Access to a gateway to the Internet can still be permitted.

Page 237: Acwp Aerohive configuration guide

Lab: Client Management using 802.1X
6. Create a CID user profile

• Click New to create a CID user profile

• Name: CID-X

• Attribute Number: 200

• Default VLAN: 10

• Click Save

• Click Save again

Page 238: Acwp Aerohive configuration guide

Lab: Client Management using 802.1X
7. Edit the Employee-X user profile

• Click the Employee-X user profile to edit it

Page 239: Acwp Aerohive configuration guide

Lab: Client Management using 802.1X
8. Create a reassignment rule for the CID user profile

• Optional Settings: expand Client Classification Policy

• Check Enable user profile reassignment based on client classification rules

• Click New

Page 240: Acwp Aerohive configuration guide

Lab: Client Management using 802.1X
9. Create a reassignment rule for the CID user profile

• Ownership: CID

• Reassigned User Profile: CID-X

• Click Apply

• Do NOT Save yet

Page 241: Acwp Aerohive configuration guide

Lab: Client Management using 802.1X
10. Create a reassignment rule for the BYOD user profile

• Click New

• Ownership: BYOD

• Reassigned User Profile: BYOD-X

• Click Apply

Page 242: Acwp Aerohive configuration guide

Lab: Client Management using 802.1X
11. Verify the reassignment rules

• Verify the reassignment rules

• Click Save

Page 243: Acwp Aerohive configuration guide

Lab: Client Management using 802.1X
12. Verify the reassignment rules

• Expand the Employee-X user profile

• Click Add/Remove to activate the rules

All employees will authenticate via 802.1X/EAP and be assigned to VLAN 10. Employees will then use the correct device profile based upon their enrollment status.

Page 244: Acwp Aerohive configuration guide

Lab: Client Management using 802.1X
13. Enable the reassignment rules

• Check Enable user profile reassignment based on client classification rules

• Click Save

Page 245: Acwp Aerohive configuration guide

Lab: Client Management using 802.1X
14. Enable the reassignment rules

• Click Continue to save the network policy and proceed to configure and update.

Page 246: Acwp Aerohive configuration guide

Lab: Client Management using 802.1X
15. Edit your AP that is the RADIUS server

• Choose the Current Policy filter

• Click the 0X-A-XXXX-AP to modify the configuration.

Page 247: Acwp Aerohive configuration guide

Lab: Client Management using 802.1X
16. Edit your AP that is the RADIUS server

• Optional Settings > expand Service Settings

• Next to the Device RADIUS Service, click the modify icon to edit your AP-RADIUS-X object.

Page 248: Acwp Aerohive configuration guide

Why new certificates?

• Client Management is a cloud-based onboarding solution that requires you to use the Client Management Root certificate and server certificate and key file.

• These certificates can be used with any Aerohive device that functions as a RADIUS server.

• A third-party RADIUS server can be used for 802.1X with Client Management; however, you will need to export these same certificates and install them on the third-party RADIUS server.

Page 249: Acwp Aerohive configuration guide

Support for Third-Party Certificates

Client Management also supports the import of third-party certificates from an existing PKI.

Page 250: Acwp Aerohive configuration guide

Lab: Client Management using 802.1X
17. Edit your AP that is the RADIUS server

• Expand Database Settings to select the client management certificates

• CA Cert File: ClientMgmt_CA.crt

• Server Cert File: ClientMgmt-Radius-Server_Crt.crt

• Server Key File: ClientMgmt-Radius-Server_key.pem

• Remove the passwords from the previous lab

• Click Save

Page 251: Acwp Aerohive configuration guide

Lab: Client Management using 802.1X
18. Save the AP specific settings

• Click Save

Page 252: Acwp Aerohive configuration guide

Lab: Client Management using 802.1X
19. Upload the AP configuration

• Select your 0X-A-XXXX AP

• Click Update

• Click Update Devices

Page 253: Acwp Aerohive configuration guide

Lab: Client Management using 802.1X
20. Upload the AP configuration

• Select Perform a complete configuration update

• Click Update

• Click OK

Page 254: Acwp Aerohive configuration guide

Lab: Client Management using 802.1X
21. Configuring Client Management

• Click the Configure Interfaces & User Access bar

• Click Client Management

The Client Management link is a direct connection to configure Client Management profiles.

Page 255: Acwp Aerohive configuration guide

Lab: Client Management using 802.1X
22. Configuring Client Management

• Username: cm#[email protected], where # is the Lab number 1, 2, 3, 4 or 5

• Password: Aerohive123

Page 256: Acwp Aerohive configuration guide

Lab: Client Management using 802.1X
23. Configuring Client Management

• Click Configuration

Page 257: Acwp Aerohive configuration guide

Client Management Data in HiveManager

• Monitor > Clients > Active Clients or Wireless Clients

• New column to display Client Management Enrollment

• A grey icon indicates the client is enrolled in CM

Page 258: Acwp Aerohive configuration guide

Client Management Data in HiveManager

• Hover over the icon and it changes to Aerohive yellow

• Click the popup and the admin is redirected to the CM server monitor view for the client

Page 259: Acwp Aerohive configuration guide

Client Management Data in HiveManager

• Click the MAC address of the enrolled client device to see Client Management information in HiveManager

Page 260: Acwp Aerohive configuration guide

Client Management Useful Information and Tips

• There are two core types of profiles:

› Enrollment profiles – these are the management profiles.

› Client profiles – these are the configuration profiles, i.e. Restrictions, ActiveSync, etc.

• The relationship between User Profiles and UPIDs is a many-to-one relationship.

• Do not overload a single profile; divide the load among individual profiles based upon type (Restrictions, Web Clip, etc.), each using the same attribute value.

Page 261: Acwp Aerohive configuration guide

© 2014 Aerohive Networks CONFIDENTIAL 261

Lab: Client Management using 802.1X24. Configuring a BYOD Client Profile

You will now create client profiles to match the BYOD-X and CID-X user profiles.

• Click New.

Page 262: Acwp Aerohive configuration guide

© 2014 Aerohive Networks CONFIDENTIAL 262

Lab: Client Management using 802.1X25. Configuring a BYOD Client Profile camera removal

• Name: BYOD-X-No-Camera

• User Profile Attribute: 800

• Organization: Aerohive

• Security: User can remove profile

• Profile Lifetime on Client Devices: Do not delete the profile from the client device

• Click Restrictions

Page 263: Acwp Aerohive configuration guide

© 2014 Aerohive Networks CONFIDENTIAL 263

Lab: Client Management using 802.1X26. Enforcing Restrictions

• Turn ON Enforce Restrictions

• Uncheck ☐ Allow use of camera

• Click Save

Lab: Client Management using 802.1X – 27. Configuring a BYOD Client Profile – adding Web Clip

• Name: BYOD-X-Web Clip

• User Profile Attribute: 800

• Organization: Aerohive

• Security: User can remove profile

• Profile Lifetime on Client Devices: Do not delete the profile from the client device

• Click Web Clips

Lab: Client Management using 802.1X – 28. Configuring a BYOD Client Profile – adding Web Clip

• Label: Student-X-Video

• URL: http://bit.ly/1cKAzfA

• Options: Precomposed Icon

• Click Save

Lab: Client Management using 802.1X – 29. Verifying the BYOD Client Profiles

• Verify your BYOD-X client profile

• Click New

Lab: Client Management using 802.1X – 30. Creating a CID Client Profile

• Name: CID-X

• User Profile Attribute: 200

• Organization: Aerohive

• Security: User can remove profile

• Profile Lifetime on Client Devices: Do not delete the profile from the client device

• Click Restrictions

Lab: Client Management using 802.1X – 31. Enforcing Restrictions

• Turn ON Enforce Restrictions

• Do NOT uncheck Allow use of camera

• Click Save

Lab: Client Management using 802.1X – 32. Verifying Client Profiles

• Verify the BYOD and CID client profiles

iOS Client Profile Restrictions

Many more restrictions can be configured in your iOS Client Profiles.


iOS Client Profile Settings

• Other iOS client settings include:
› VPN
› Exchange ActiveSync
› Web Clips
› CalDav
› CardDav
› Email

OPTIONAL CLIENT MANAGEMENT INSTRUCTOR DEMONSTRATION

Because our lab is in a remote location we cannot test the client management lab. If time permits, the instructor will now demonstrate client management in class.

Should students wish to participate with their personal devices in the demonstration, ensure that they select the BYOD profile. The Enrollment profile can be removed from their personal devices after class.

Lab: Client Onboarding Demo – 1. Connect to 802.1X SSID

On the instructor iOS device and/or student iOS devices:

• Go to Settings > Wi-Fi

• Click on the CM-802.1X-Demo SSID

• Username: demoX (Where X = student number) (Instructor is demo1)

• Password: aerohive123

Lab: Client Onboarding Demo – 2. Connect to the 802.1X SSID

• Click the Accept button to accept the certificate

• Verify that you are connected to the CM-802.1X-Demo SSID

Lab: Client Onboarding Demo – 3. Continue with client onboarding

• Open your browser and try to connect to a web site

• You will be redirected to the Client Management captive web portal for onboarding

Lab: Client Onboarding Demo – 4. Continue with client onboarding

Specify the device ownership

Personal Devices (BYOD) will automatically be selected.

• Check View and agree to the terms of use

• Click Enroll My Device

Company-Issued Devices (CID) would automatically be selected if this device’s MAC address is configured in Client Management.

Lab: Client Onboarding Demo – 5. Continue with client onboarding – EXAMPLE

Specify the device ownership

Company-Issued Devices (CID) will automatically be selected if the device’s MAC address is already configured in Client Management.

Lab: Client Onboarding Demo – 6. Install the Client Enrollment profile

• The Enrollment process will begin.

• Click the Install button to install the Enrollment Profile

• Read the disclaimer warning and click Install.

• Enter your device passcode if prompted.

Lab: Client Onboarding Demo – 7. Install the Client Enrollment profile

• Click Done and the selected profile will begin to install.

Lab: Client Onboarding Demo – 8. Install the Client Enrollment profile

• Client Management verifies and installs the Wi-Fi profile

• The device is successfully enrolled

Lab: Client Onboarding Demo – 9. Client is enrolled

• Browser begins redirection

• Redirection is completed

Lab: Client Onboarding Demo – 10. Client is enrolled

• During the onboarding process an Enrollment profile is installed.

• A Wi-Fi profile is installed.

• The needed certificate is installed.

• The client device disconnects and reconnects to the 802.1X SSID. This is not visible to the user.

Lab: Client Onboarding Demo – 11. Client is enrolled

• Go to Settings > General > Profiles

• Expand the profiles.

• Verify Certificates.

• Verify Restrictions.

• Verify that the camera icon is not on your device.

MONITORING

Verify enrolled clients in HiveManager

• Monitor > Clients > Wireless Clients

• All BYOD devices will be in VLAN 10 because CM sent attribute 800 to the AP and the user was assigned to the corresponding user profile

• ALL CID devices will be in VLAN 10 because CM sent attribute 200 to the AP and the user was assigned to the corresponding user profile


Monitor enrolled devices in Client Management

• From Home in Client Management you can view reported device data.

• Placing your cursor over a chart reveals more information.

• Clicking on a chart will take you to the location in Client Management from which the information was gathered.

Monitor enrolled devices in Client Management

• Go to Monitor Clients

• Verify BYOD and CID ownership as prescribed.

• Click on any client's name for device-specific information and you are taken to Client Info for that device.

Monitor enrolled devices in Client Management

• Information reported from the client is displayed.

• View the enrolled client's settings.

• The client location is based on the client’s public IP address, not GPS location.


Monitor enrolled devices in Client Management

• Great detail about the client device is available.

• Scroll down

• Click on the Apps tab to view the installed applications of the client.

• Click through some of the other tabs to see more information about the client.


CUSTOMIZATION

Client Management End User UI Customization

• Client HTTP proxies can also be configured if necessary to allow the devices to reach the cloud-based Client Management service.

• Manual mode allows you to specify the proxy information.

• Automatic allows the device to learn proxy requirements from the DHCP options.


Client Management End User UI Customization

• This UI is what your end users will see on their devices.

• The whole page is customizable, including:

› Company logo

› Images

› Terms of Use

› Most texts


Client Management End User UI Customization

• The Admin Account configuration allows you to create new Client Management administrators in different admin groups.

› Admin

› Monitor

› Operator

Client Management End User UI Customization

• Client Data Wipe Options – CID, BYOD or Both can be selected

• Number of Devices per User – Limits the number of devices a user can enroll from 1 to 100 devices per user.


CID List Import

From Configuration > Company-Issued Devices, you can select Import to bulk-import the list of devices to which the CID Profile should be applied, Export the list, or even create an entry manually if so desired.


OPTIONAL LAB: CLIENT MANAGEMENT PPSK – SINGLE SSID

Scenario

Your Enterprise Customer is using PPSK security. Employees are permitted to bring their own devices to work to access the Internet. Security requirements include:

• Company Issued Devices (CID) such as iPads will be segmented into a separate VLAN/subnet.

• All mobile device cameras must be disabled for security purposes.

• Employee Personal Devices (BYOD) will be segmented into a different VLAN/subnet than the CID devices.

• Employee Personal Devices will have a firewall policy that restricts access to corporate resources but allows access to a gateway to the Internet.


Lab: Client Management with PPSK – 1 SSID – 1. Creating an SSID

• Go to Configuration and select your WLAN-X Network Policy

• Next to SSIDs click Choose

• Click New

Lab: Client Management with PPSK – 1 SSID – 2. Create an SSID and enable Client Management

• Profile Name: CM-PPSK-X

• SSID: CM-PPSK-X

• Select Private PSK

• Enable Self-Registration to request a Private PSK

• Enable Client Management

Lab: Client Management with PPSK – 1 SSID – 3. Create an SSID – self register with single SSID

• Allow users to register themselves on this SSID

• Registration Key: aerohive123

• Click Save

• Ensure that the SSID is highlighted and click OK

Lab: Client Management with PPSK – 1 SSID – 4. Create a PPSK User Group

• Click <PSK User Group>

• Then click New

Lab: Client Management with PPSK – 1 SSID – 5. Create a PPSK User Group

• User Group Name: CM-PPSK-X

• Select Automatically generated private PSK users

• User Profile Attribute: 10

• User Name Prefix: 0X-

• Click the Generate button to create the Private PSK Secret, which is a seed key.

• Do NOT save yet

Lab: Client Management with PPSK – 1 SSID – 6. Define the strength of the PPSKs

Using 63-character, full-strength PPSKs protects against brute-force dictionary attacks; such attacks would take many years.

• Password Length: 63

• Click Save

• Ensure that the user group is highlighted and click OK
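An added example (not Aerohive code) of why the lab asks for 63-character PPSKs: it generates a PPSK, derives the WPA2 PMK the way 802.11i does, and compares the guess space of an 8-character and a 63-character key. The 62-symbol alphabet and the guess rate of one million per second are constructed assumptions, not values from the course.

```python
# Added example (not Aerohive code): what a 63-character PPSK buys you.
# WPA2-Personal maps the passphrase to the 256-bit PMK with
# PBKDF2-HMAC-SHA1 (4096 iterations, the SSID as salt); an attacker who
# captures a 4-way handshake can only test guesses at that PBKDF2 rate,
# so the size of the guess space decides whether the key holds.
import hashlib
import math
import secrets
import string

# Constructed alphabet for generated PPSKs: 62 printable symbols.
PPSK_ALPHABET = string.ascii_letters + string.digits


def generate_ppsk(length=63, alphabet=PPSK_ALPHABET):
    """Generate a random PPSK; WPA2-PSK passphrases are 8 to 63 ASCII characters."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 ASCII characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def derive_pmk(passphrase, ssid):
    """IEEE 802.11i passphrase-to-PMK mapping: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), 4096, 32)


def keyspace_bits(length, alphabet_size=len(PPSK_ALPHABET)):
    """Entropy of a uniformly random passphrase of this length, in bits."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length, guesses_per_second, alphabet_size=len(PPSK_ALPHABET)):
    """Worst-case time to try every passphrase of this length at the given guess rate."""
    seconds = alphabet_size ** length / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    ppsk = generate_ppsk()          # what "Password Length: 63" produces (constructed)
    pmk = derive_pmk(ppsk, "CM-PPSK-X")
    print(f"PPSK ({len(ppsk)} chars): {ppsk}")
    print(f"PMK: {pmk.hex()}")
    # Compare an 8-character and a 63-character PPSK at one million guesses/s (constructed rate).
    for n in (8, 63):
        print(f"{n:2d} chars: {keyspace_bits(n):6.1f} bits, "
              f"{years_to_exhaust(n, 1e6):.3g} years to exhaust")
```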

Lab: Client Management with PPSK – 1 SSID – 7. Designate a Private PSK Server

• Click <Private PSK Server>

• Highlight your 0X-AP and click OK

Aerohive APs and BR-200 routers can all function as a PPSK server.

Lab: Client Management with PPSK – 1 SSID – 8. Create a Captive Web Portal profile

• Click <Private PSK CWP>

• Then click New

Lab: Client Management with PPSK – 1 SSID – 9. Create a Captive Web Portal profile

• Name: CM-CWP-X

• Expand: Captive Web Portal Login Page Settings

• Verify Authentication is selected

• Click Save

• Click OK

Lab: Client Management with PPSK – 1 SSID – 10. Designate a RADIUS server

• Click <Private PSK RADIUS settings>

• Highlight the AP-RADIUS-X device that has been pre-configured as a RADIUS server

• Click OK

Lab: Client Management with PPSK – 1 SSID – 11. Create User Profiles

• Click Add/Remove

• From the Default > tab select the Employee-X User Profile

• Check Enable User Profile reassignment...

• Click Save

Lab: Client Management with PPSK – 1 SSID – 12. Verifying your user profile reassignment rules

• Expand the Employee-X user profile

• Verify the reassignment User Profiles

All employees will authenticate via PPSK and be assigned to VLAN 10. Employees using company issued iPads (CID) and employees using their own devices (BYOD) will be assigned the correct profiles based upon their enrollment.

Lab: Client Management with PPSK – 1 SSID – 13. Save the network policy and continue

• Click Save to save the network policy and proceed to configure and update.

Lab: Client Management with PPSK – 1 SSID – 14. Create the PPSKs

• Go to Configuration

• From the NAV pane expand Advanced Configuration

• Expand Authentication

• Select Local Users

• Click the Bulk button

Lab: Client Management with PPSK – 1 SSID – 15. Create the PPSKs

• Create Users Under Group: CM-PPSK-X

• Number of New Users: 10

• Click Create

Lab: Client Management with PPSK – 1 SSID – 16. Examine the PPSKs

• Click on (Clear Text PSK)

• Examine the 63-character PPSKs

Lab: Client Management with PPSK – 1 SSID – 17. Update the AP configuration

• Click Monitor

• Go to Devices > Access Points > Aerohive APs

• Select your 0X-A-XXXX-AP

• Click Update to upload the new configuration

Lab: Client Management with PPSK – 1 SSID – 18. Update the AP configuration

• Click Update

• Select Update Devices

Lab: Client Management with PPSK – 1 SSID – 20. Update the AP configuration

• Select Perform a complete configuration update

• Click Update

• Click OK

Lab: Client Management with PPSK – 1 SSID – 21. Verify the configuration update

CLIENT MANAGEMENT INSTRUCTOR DEMONSTRATION

Because our lab is in a remote location we cannot test the client management lab. If time permits, the instructor will now demonstrate client management in class.

Should students wish to participate with their personal devices in the demonstration, ensure that they select the BYOD profile. The Enrollment profile can be removed from their personal devices after class.

Lab: Client Onboarding Demo – 1. Connect to PPSK SSID

On the instructor iOS device and/or student iOS devices:

• Go to Settings > Wi-Fi

• Click on the CM-PPSK-Demo SSID

• Passphrase: aerohive123

Lab: Client Onboarding Demo – 2. Connect to the PPSK SSID

• Verify that you are connected to the CM-PPSK-Demo SSID

Lab: Client Onboarding Demo – 3. Continue with client onboarding

• Open a browser and type a URL

• You will be redirected to a Captive Web Portal for authentication

• Username: demoX
› X = Student number
› 1 = Instructor number

• Password: aerohive123

Lab: Client Onboarding Demo – 4. Continue with client onboarding

• You will be redirected to the Client Management captive web portal for onboarding

Lab: Client Onboarding Demo – 5. Continue with client onboarding

Specify the device ownership

Personal Devices (BYOD) will automatically be selected.

• Check View and agree to the terms of use

• Click Enroll My Device

Company-Issued Devices (CID) would automatically be selected if this device’s MAC address is configured in Client Management.

Lab: Client Onboarding Demo – 6. Continue with client onboarding – EXAMPLE

Specify the device ownership

Company-Issued Devices (CID) will automatically be selected if the device’s MAC address is already configured in Client Management.

Lab: Client Onboarding Demo – 7. Install the Client Enrollment profile

• The Enrollment process will begin.

• Click the Install button to install the Enrollment Profile

• Read the disclaimer warning and click Install.

• Enter your device passcode if prompted.

Lab: Client Onboarding Demo – 8. Install the Client Enrollment profile

• Click Done and the selected profile will begin to install.

Lab: Client Onboarding Demo – 9. Install the Client Enrollment profile

• Client Management verifies and installs the Wi-Fi profile

• The device is successfully enrolled

Lab: Client Onboarding Demo – 10. Client is enrolled

• Browser begins redirection

• Redirection is completed

Lab: Client Onboarding Demo – 11. Client is enrolled

• During the onboarding process an Enrollment profile is installed.

• A Wi-Fi profile is installed.

• The client device disconnects and reconnects to the PPSK SSID using a unique 63-character PPSK for the device. This process is not visible to the user.

Lab: Client Onboarding Demo – 12. Client is enrolled

• Go to Settings > General > Profiles

• Expand the profiles.

• Verify Certificates.

• Verify Restrictions.

• Verify that the camera icon is not on your device.

QUESTIONS?

WIRELESS VPN

Using Aerohive APs and IPsec VPN Clients and IPsec VPN Servers to Provide VPN Connections with Wireless LANs

Aerohive Layer 2 VPN

Diagram: Remote Site – Internet – Headquarters (notes below).

Layer 2 VPN client devices:

• AP-100 series

• AP-300 series

• BR-100 (AP mode)

Layer 2 VPN server devices:

• AP-300 series – 128 tunnels

• HiveOS Virtual Appliance (L2 Gateway mode) – 1024 tunnels

Aerohive Layer 3 VPN

Diagram: Remote Site – Internet – Headquarters (notes below).

Layer 3 VPN client devices:

• BR-100 router

• BR-200 router

• AP 330/350 (router mode)

• Aerohive switch (router mode) (excluding the 2148)

Layer 3 VPN server:

• HiveOS Virtual Appliance (L3 Gateway mode) – 1024 tunnels

Note: Layer 3 VPNs are discussed and used in the Aerohive Certified Network Professional (ACNP) class.

Wireless VPN Benefits – For your reading pleasure –

• Easy to Use

› L2 IPsec VPN solution simplifies deployment, because it extends the local network across the VPN without the need to dedicate subnets for each remote site and set up DHCP relays on branch routers or firewalls

› Automatic certificate creation and distribution for validating VPN devices

› Profile-based Split Tunneling

» Users and Services can be bridged locally or tunneled based on user profile

• Flexible

› Single mode of operation supports all deployments

› Supported in all Aerohive AP platforms, Hardware Acceleration in 300 series

› Multiple end point support

» Backup VPN gateway support

» Distributed Wireless VPN tunnel termination

• Complete Functionality

› Multiple AP Support with secure and fast roaming

› Mesh Portals and Mesh Points supported

› RADIUS, DHCP, NTLM, LDAP and NTP can selectively go to local or remote network

› Rogue AP and rogue client detection, DoS prevention, Firewall, and QoS all occur locally on the remote Aerohive AP

• Economical

› No license fees for wireless VPN, or any of the other features on the Aerohive APs

› For the cost of an AP, you get wireless VPN servers

Please review the notes pages

Teleworker Home Office

Diagram (please view the notes below the slide): a teleworker's Aerohive AP 5 (VPN Client, 192.168.1.2) behind the Internet Provider Gateway (192.168.1.1) builds primary and backup IPsec VPN tunnels across the Internet to two VPN servers in the Headquarters DMZ (Aerohive VA-1 VPN Server and Aerohive VA-2 VPN Server).

Home office devices:

• Work Laptop – SSID: Corp – 10.8.20.51

• Work Phone – SSID: Voice – 10.8.21.33

• Home Laptop – SSID: Home – 192.168.1.6

• Home PC with Printer – 192.168.1.5

Headquarters:

• DHCP Server

• Corporate Wi-Fi Devices – VLAN 10 – 10.8.20.0/24

• Corporate Wi-Fi Voice – VLAN 11 – 10.8.21.0/24

Branch Office VPN with Bridging

Diagram: a Branch Office with two Aerohive APs as VPN clients (Aerohive AP3 192.168.1.5 and Aerohive AP4 192.168.1.6) behind the local Gateway (192.168.1.1), with primary and backup IPsec VPN tunnels across the Internet to the Headquarters DMZ (Aerohive VA-1 VPN Server and Aerohive VA-2 VPN Server).

Branch Office wired devices:

• Desktop – 10.8.20.10

• Printer – 10.8.20.11

• Phone – 10.8.21.5

Branch Office wireless devices:

• Laptop – SSID: Corp – 10.8.20.12

• Phone – SSID: Voice – 10.8.21.33

• Guest Laptop – SSID: Guest – 192.168.1.50

Headquarters:

• DHCP Server

• Corporate Wi-Fi Devices – VLAN 10 – 10.8.20.0/24

• Corporate Wi-Fi Voice – VLAN 11 – 10.8.21.0/24

Tunnel Traffic Header Overview and Example

Diagram (callouts 1 to 8 on the slide), Branch Office to Corporate Headquarters:

• Layer 2 client data: Wireless Client (MAC 0022.22aa.aa22, VLAN 20, IP 10.8.20.50) to Corporate Server (MAC 0011.11bb.bb11, VLAN 20, IP 10.8.20.150); the client traffic carries VLAN tag 20.

• GRE tunnel: encapsulates the client Layer 2 traffic between the AP's Tunnel0 (10.8.1.50) and the VPN server's MGT0 (10.8.1.2).

• IPsec (ESP) tunnel: encrypts the GRE and client traffic.

• NAT traversal: UDP with source and destination port 4500; the source port changes with NAPT.

• Outer IP headers: Aerohive AP 1 VPN Client, MGT0 10.5.2.100 (AP private IP) behind the branch firewall public IP 2.2.2.2 (NAPT: ANY to 2.2.2.2); Corporate Headquarters firewall public IP 1.2.1.2, with the VPN server MGT0 IP 1.2.1.2 before NAT and 10.8.1.2 after NAT.

• Also shown (lab addressing): HiveOS VA VPN Server MGT0 10.200.2. (truncated on the slide), NAT 1.2.2.2 to 10.200.2.2, and Internet addresses 2.2.2.2 and 1.2.2.1.
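An added example (not Aerohive code) that totals the per-layer overhead of the encapsulation drawn above and finds the largest client packet that still fits a 1500-byte Internet MTU, the figure to check when a tunnel fragments or a NAT drops fragments. ESP in tunnel mode with AES-CBC (16-byte IV and block) and HMAC-SHA1-96 (12-byte ICV), and a GRE header without key or sequence fields, are assumptions the slide does not state.

```python
# Added example (not Aerohive code): byte overhead of each layer in the
# encapsulation shown above (client L2 frame -> GRE -> IPsec ESP ->
# UDP/4500 NAT-T -> outer IP) and the largest client IP packet that still
# fits a 1500-byte Internet MTU without fragmenting the outer packet.
# Assumptions the slide does not state: ESP in tunnel mode with AES-CBC
# (16-byte IV, 16-byte block) and HMAC-SHA1-96 (12-byte ICV); GRE header
# without key or sequence fields. All sizes are in bytes.
ETHERNET_HEADER = 14   # client frame header carried inside GRE (Layer 2 VPN)
DOT1Q_TAG = 4          # VLAN tag, VLAN 20 in the slide example
GRE_IP_HEADER = 20     # GRE delivery header: Tunnel0 10.8.1.50 -> MGT0 10.8.1.2
GRE_HEADER = 4
ESP_HEADER = 8         # SPI + sequence number
ESP_IV = 16
ESP_BLOCK = 16
ESP_TRAILER = 2        # pad length + next header
ESP_ICV = 12
UDP_HEADER = 8         # NAT-T: UDP src/dst port 4500 (src port rewritten by NAPT)
OUTER_IP_HEADER = 20   # AP MGT0 10.5.2.100 -> HQ firewall public IP 1.2.1.2
INTERNET_MTU = 1500


def esp_padding(plaintext_len):
    """ESP pads so that plaintext + padding + trailer is a multiple of the cipher block."""
    return (-(plaintext_len + ESP_TRAILER)) % ESP_BLOCK


def encapsulate(client_packet_len, vlan_tagged=True, nat_t=True):
    """Return (outer_packet_len, layers) for a client IP packet of the given size.

    layers lists (name, cumulative size) from the inside out, so a reader can
    see where the bytes go when a tunnel fragments or a NAT drops fragments."""
    layers = []
    size = client_packet_len + ETHERNET_HEADER + (DOT1Q_TAG if vlan_tagged else 0)
    layers.append(("client Layer 2 frame", size))
    size += GRE_HEADER + GRE_IP_HEADER
    layers.append(("GRE over IP (Tunnel0 -> MGT0)", size))
    pad = esp_padding(size)
    size = ESP_HEADER + ESP_IV + size + pad + ESP_TRAILER + ESP_ICV
    layers.append(("IPsec ESP (encrypts GRE + client traffic)", size))
    if nat_t:
        size += UDP_HEADER
        layers.append(("UDP 4500 NAT traversal", size))
    size += OUTER_IP_HEADER
    layers.append(("outer IP (branch public 2.2.2.2 -> HQ 1.2.1.2)", size))
    return size, layers


def max_client_packet(mtu=INTERNET_MTU, **kwargs):
    """Largest client IP packet whose encapsulated form does not exceed the MTU."""
    for n in range(mtu, 0, -1):
        if encapsulate(n, **kwargs)[0] <= mtu:
            return n
    return 0


if __name__ == "__main__":
    biggest = max_client_packet()
    total, layers = encapsulate(biggest)
    for name, cumulative in layers:
        print(f"{cumulative:5d}  {name}")
    print(f"client packet {biggest} bytes -> outer packet {total} bytes (MTU {INTERNET_MTU})")
    print(f"without NAT-T: {max_client_packet(nat_t=False)} bytes")
```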

QUESTIONS?

CONFIGURE 802.1X SSID FOR WIRELESS VPN ACCESS

LAB: Layer 2 VPN with Aerohive Devices – LAB Goals

• Configure Network Policy for 802.1X/EAP authentication. Wi-Fi clients will authenticate to an external RADIUS server through a VPN tunnel.

• Create a site-to-site Layer 2 VPN between an Aerohive AP and a HiveOS VPN Gateway.

• Define a split-tunnel firewall policy for user traffic

• Define which management traffic traverses through the VPN tunnel

• Use VPN diagnostics tools to troubleshoot IPsec/IKE Phase 1 and Phase 2 problems

• Connect to the hosted PC and test the 802.1X/EAP authentication through the VPN tunnel

Wireless Layer 2 VPN Lab – Network Diagram and IP Summary

WLAN Branch Office – Aerohive AP VPN Clients:

• VPN Client: X-A-Aerohive AP, MGT0 10.5.2.?/24 (? = address learned through DHCP), Gateway 10.5.2.1

• Branch firewall (NAT): 2.2.2.2

WLAN HQ – Aerohive AP VPN Servers:

• VPN Server: HiveOS-VA-0XAP, MGT0 10.200.2.X/24, Gateway 10.200.2.1

• Firewall NAT rules: 1.2.2.X to 10.200.2.X

• DHCP Server, VLAN 1: Net 10.200.2.0/24, Pool 10.200.2.150 – 10.200.2.200, Gateway 10.200.2.1

• RADIUS: 10.200.2.250

• Wi-Fi Client: 10.200.2.?/24, GW 10.200.2.1

Tunnels:

• Layer 3 IPsec VPN tunnels – IP headers: (10.5.2.?) 2.2.2.2 and 1.2.1.X

• Layer 2 GRE tunnels – IP headers: tunnel0 10.200.2.1XX and 10.200.2.X

• VPN Client Device Tunnel Address Pool, AP VPN 1: 10.200.2.101 – 10.200.208

LAB: Configure Access for Wireless VPN – 1. Select your Class-EAP-X SSID for VPN

Reassign your Class-EAP-X SSID to use for VPN

• Next to SSIDs click Choose

• Click to deselect all other SSIDs

• Click to select (highlight) the Class-EAP-X SSID

• Click OK


LAB: Configure Access for Wireless VPN – 2. Configure External RADIUS Server

• Under Authentication, click RADIUS-X

• In Choose RADIUS, click New


LAB: Configure Access for Wireless VPN – 3. Configure External RADIUS Server

Define RADIUS Server Settings for use with wireless clients through the VPN

• Click the radio button for External RADIUS Server

• Profile Name: VPN-RADIUS-X

• Primary RADIUS Server: 10.200.2.250

• Shared Secret: aerohive123

• Confirm Secret: aerohive123

• Click Apply
› Did you click Apply?

• Click Save

LAB: Configure Access for Wireless VPN – 4. Modify Employee-X User Profile to be in VLAN 1

Modify the Employee-X user profile to assign users to VLAN 1 which is in the DMZ

• Under User Profile, click Employee-X

LAB: Configure Access for Wireless VPN – 5. Change Employee-X VLAN to 1

• Name: Employee-X

• Attribute Number: 10

• Change the VLAN assignment to: 1
› Note: This is the user VLAN that will be available through the VPN tunnel. Users will be assigned to it after 802.1X/EAP authentication.

• Do NOT save yet

LAB: Configure Access for Wireless VPN – 6. Change Employee-X VLAN to 1

• Under Optional Settings

• Expand Client Classification Policy

• Deselect Enable user profile reassignment based on client classification rules
› Note: If this is left as configured from a previous lab, user traffic will not use the tunnel.

• Click Save

LAB: Configure Access for Wireless VPN – 7. Save the SSID Settings

• Verify settings, then click Save

QUESTIONS?

CONFIGURE LAYER 2 IPSEC VPN

Wireless VPN Lab – Review – Network Diagram and IP Summary

WLAN Branch Office – Aerohive AP VPN Clients:

• VPN Client: X-A-Aerohive AP, MGT0 10.5.2.?/24 (? = address learned through DHCP), Gateway 10.5.2.1

• Branch firewall (NAT): 2.2.2.2

WLAN HQ – Aerohive AP VPN Servers:

• VPN Server: HiveOS-VA-0XAP, MGT0 10.200.2.X/24, Gateway 10.200.2.1

• Firewall NAT rules: 1.2.2.X to 10.200.2.X

• DHCP Server, VLAN 1: Net 10.200.2.0/24, Pool 10.200.2.150 – 10.200.2.200, Gateway 10.200.2.1

• RADIUS: 10.200.2.250

• Wi-Fi Client: 10.200.2.?/24, GW 10.200.2.1

Tunnels:

• Layer 3 IPsec VPN tunnels – IP headers: (10.5.2.?) 2.2.2.2 and 1.2.1.X

• Layer 2 GRE tunnels – IP headers: tunnel0 10.200.2.1XX and 10.200.2.X

• VPN Client Device Tunnel Address Pool, AP VPN 1: 10.200.2.101 – 10.200.208

LAB: Create VPN Services Policy – 1. Create a Layer 2 IPsec VPN Policy

To create a Layer 2 IPsec VPN Policy

• Next to Layer 2 IPsec VPN, click Choose

• Click New

LAB: Create VPN Services Policy – 2. Define Name and Server IP Settings

• Profile Name: VPN-X

• For Aerohive AP VPN Server 1, select your server: HiveOS-VA-0X

• This will fill in the Server MGT0 IP Address and the MGT0 Default Gateway

• Enter the server Public IP: 1.2.2.X

Do not save yet...

LAB: Create VPN Services Policy – 3. Create the Aerohive VPN client device pool

NOTE: It is recommended that the following VPN client tunnel IP address pool is in the same subnet as the MGT0 interface of Aerohive VPN server.

These are the GRE tunnel endpoint addresses for the Aerohive AP that functions as a VPN client. These are NOT IP addresses for the users.

• Client Tunnel IP Address Pool Start: 10.200.2.X0

• Client Tunnel IP Address Pool End: 10.200.2.X9

• Client Tunnel IP Address Netmask: 255.255.255.0

Do not save yet...

LAB: Create VPN Services Policy – 4. Define Split Tunnel Policy

• Go to User Profiles for Traffic Management

• Next to: Employee-X
› Select Enabled
› Select the radio button for Split Tunnel
» NOTE: Split tunnel uses the built-in stateful firewall policy to determine which traffic should be sent to the Internet and which traffic should go through the tunnel.

Do not save yet...

Split Tunnel Firewall Policy – Automatically Created

When you select the option to use split tunnel to local subnet and Internet, the following policy gets created on the Aerohive AP for all the user traffic defined by the User Profile.

The following policy will not be displayed in HiveManager

From Access Firewall Policy

Source IP Destination IP Service Action

0.0.0.0/0 0.0.0.0/0 DHCP-Server Permit (tunnel)

0.0.0.0/0 10.5.2.0/24 Any NAT

0.0.0.0/0 10.0.0.0/8 Any Permit (tunnel)

0.0.0.0/0 172.16.0.0/12 Any Permit (tunnel)

0.0.0.0/0 192.168.0.0/16 Any Permit (tunnel)

0.0.0.0/0 0.0.0.0/0 Any NAT

Note: You can also create custom split-tunnel firewall policies for user traffic.

Page 359: Acwp Aerohive configuration guide

Split Tunnel Firewall Policy
Manually Created

The private networks matched by the automatically created split-tunnel policy (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) may overlap with networks in use at the remote site, in which case that local traffic would be sent into the tunnel instead of staying local. You can instead create the split-tunnel firewall policy manually:

• Next to Employee-X:
› Select Enabled
› Select the radio button for Tunnel All Traffic

• Create a custom From-Access split-tunnel firewall policy in the appropriate User Profile
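The two slides above describe a first-match policy and the overlap problem that motivates the manual version. The following is an added example written for this guide, not Aerohive code: it models the automatically created From-Access table as an ordered rule list, classifies a few constructed flows, and builds a manual policy for a site that itself uses an RFC 1918 range. The packet tuple, the DHCP-Server service mapping (UDP/67), the sample addresses and the manual policy builder are all assumptions made for the example.

```python
"""Model of the split-tunnel From-Access policy described above.

Added example for this guide, not Aerohive code: it reproduces the
automatically created rule table as a first-match policy and shows why the
"Manually Created" slide exists. The packet tuple, the sample addresses and
the manual policy builder are constructed for this example.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str      # source prefix
    dst: str      # destination prefix
    service: str  # "Any" or a named service
    action: str   # "Permit (tunnel)" or "NAT" (local breakout)


# Named services as (protocol, destination port). DHCP-Server = UDP/67 is an
# assumed mapping; the slide names the service only.
SERVICES = {"DHCP-Server": ("udp", 67)}


def auto_split_tunnel_policy(local_subnet: str) -> list[Rule]:
    """The table HiveOS creates when Split Tunnel is selected; local_subnet is
    the AP's own subnet at the remote site (10.5.2.0/24 in the lab)."""
    return [
        Rule("0.0.0.0/0", "0.0.0.0/0", "DHCP-Server", "Permit (tunnel)"),
        Rule("0.0.0.0/0", local_subnet, "Any", "NAT"),
        Rule("0.0.0.0/0", "10.0.0.0/8", "Any", "Permit (tunnel)"),
        Rule("0.0.0.0/0", "172.16.0.0/12", "Any", "Permit (tunnel)"),
        Rule("0.0.0.0/0", "192.168.0.0/16", "Any", "Permit (tunnel)"),
        Rule("0.0.0.0/0", "0.0.0.0/0", "Any", "NAT"),
    ]


def manual_split_tunnel_policy(site_subnets: list[str], corporate: list[str]) -> list[Rule]:
    """Hand-built alternative for a site whose own networks fall inside the
    RFC 1918 ranges: break out every site subnet first, tunnel only the
    corporate prefixes, NAT everything else to the Internet."""
    rules = [Rule("0.0.0.0/0", "0.0.0.0/0", "DHCP-Server", "Permit (tunnel)")]
    rules += [Rule("0.0.0.0/0", net, "Any", "NAT") for net in site_subnets]
    rules += [Rule("0.0.0.0/0", net, "Any", "Permit (tunnel)") for net in corporate]
    rules.append(Rule("0.0.0.0/0", "0.0.0.0/0", "Any", "NAT"))
    return rules


def _matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    if ip_address(src) not in ip_network(rule.src):
        return False
    if ip_address(dst) not in ip_network(rule.dst):
        return False
    return rule.service == "Any" or SERVICES[rule.service] == (proto, dport)


def decide(policy: list[Rule], src: str, dst: str, proto: str = "tcp", dport: int = 443) -> str:
    """Evaluate top-down; the first matching rule decides (firewall semantics).
    Both builders end with a catch-all, so a policy from them always matches."""
    for rule in policy:
        if _matches(rule, src, dst, proto, dport):
            return rule.action
    raise LookupError("no rule matched: policy has no catch-all")


# Constructed sample flows from a VPN user whose address came from the corporate
# DHCP server through the tunnel (10.200.2.X in the lab).
CLIENT = "10.200.2.50"
AUTO = auto_split_tunnel_policy("10.5.2.0/24")
MANUAL = manual_split_tunnel_policy(["10.5.2.0/24", "192.168.10.0/24"], ["10.200.0.0/16"])

if __name__ == "__main__":
    for dst, proto, dport in [("10.200.2.250", "udp", 1812),   # corporate RADIUS
                              ("10.5.2.20", "tcp", 80),         # local subnet
                              ("203.0.113.10", "tcp", 443),     # Internet
                              ("192.168.10.5", "tcp", 9100),    # site printer on an RFC 1918 range
                              ("255.255.255.255", "udp", 67)]:  # DHCP discover
        print(f"{dst:>16} auto={decide(AUTO, CLIENT, dst, proto, dport):16} "
              f"manual={decide(MANUAL, CLIENT, dst, proto, dport)}")
```

Run as a script, the printer at 192.168.10.5 shows the overlap problem: the automatic policy tunnels it because 192.168.0.0/16 matches before the catch-all, while the manual policy breaks it out locally because the site's own prefix is listed first.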

Page 360: Acwp Aerohive configuration guide

Tunnel All User Traffic

Some organizations have a security policy that does not allow split tunneling of user traffic: all user traffic destined for the Internet must first pass through the corporate content filter. In that case:

• Next to Employee-X:
› Select Enabled
› Select the radio button for Tunnel All Traffic

Page 361: Acwp Aerohive configuration guide

LAB: Create VPN Services Policy
5. Assign VPN Certificates for VPN Server

• Under Optional Settings, expand IPsec VPN Certificate Authority Settings

• VPN Certificate Authority: Default_CA.pem

• VPN Server Certificate: AP-X_key_cert.pem

• VPN Server Cert Private Key: AP-X_key_cert.pem

Do not save yet...

Page 362: Acwp Aerohive configuration guide

LAB: Create VPN Services Policy
6. Review XAUTH Credentials

• Expand Server-Client Credentials
NOTE: These are the VPN xAuth credentials that HiveManager generates automatically for each Aerohive AP VPN client and Aerohive VPN server pair.

• Nothing needs to be changed here. This section is for monitoring, for generating a new key, or for removing a key if an AP is lost or stolen (so that AP can no longer bring up the tunnel).

Do not save yet...

Page 363: Acwp Aerohive configuration guide

LAB: Create VPN Services Policy
How XAUTH Credentials are Used

• The default IKE peer authentication method for the wireless VPN is "hybrid"

• In hybrid mode:
› The VPN server authenticates itself to the client with an RSA signature. This requires the server to have a server certificate, and the client must have the root CA certificate that signed the server certificate so it can validate the server.
› The server authenticates the client using xAuth:
» HiveManager generates a set of xAuth credentials (random strings for the username and password) for each Aerohive AP VPN client and Aerohive AP VPN server pair
» When the VPN client authenticates to the VPN server with valid credentials, the tunnel can be established
» If the credentials are removed from either the VPN client or the VPN server, the tunnel cannot be established

Page 364: Acwp Aerohive configuration guide

LAB: Create VPN Services Policy
7. View Advanced Server Options

• Expand Advanced Server Options

• No changes are necessary for the following options:
› IKE Phase 1 Options
› IKE Phase 2 Options

• Check Enable peer IKE ID validation: User FQDN
NOTE: HiveManager reads the User FQDN from the server certificate and configures a rule on the Aerohive AP client that forces it to validate the Aerohive VPN server by that User FQDN. The server already validates the Aerohive AP client through XAUTH, so this check gives two-way validation: the client accepts only the server whose certificate carries the expected identity, not just any certificate signed by the same CA.

Do not save yet...
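The two preceding slides describe hybrid-mode authentication (server by CA-signed certificate, client by per-pair xAuth credentials) and the peer IKE ID check. The following is an added example written for this guide, not Aerohive code, that models those three checks and shows what the ID check buys: in the lab the one HiveManager CA (Default_CA.pem) signs every AP's certificate, so a client that only verifies the CA signature would accept a tunnel endpoint presenting any of those certificates (for example one from a lost AP) and would then hand it its xAuth credentials. The certificates are dicts and the CA "signature" is an HMAC with a CA secret, a stand-in for RSA so the block runs on the standard library alone; all names, FQDNs and credentials are constructed.

```python
"""Toy model of hybrid-mode IKE peer authentication as described above.

Added example for this guide, not Aerohive code. The server proves itself with
a certificate signed by the CA the client trusts, the client proves itself with
the xAuth credentials HiveManager generates per client/server pair, and the
optional peer IKE ID check pins the server to the User FQDN in its certificate.
Certificates are dicts and the CA "signature" is an HMAC with a CA secret, a
stand-in for RSA so this runs with the standard library only (verification
therefore needs the CA object, where real IKE needs only the CA certificate).
All names, FQDNs and credentials are constructed.
"""
import hashlib
import hmac
import json
import secrets


class ToyCA:
    """Issues and verifies toy certificates (stands in for Default_CA.pem)."""

    def __init__(self, name: str):
        self.name = name
        self._key = secrets.token_bytes(32)  # stands in for the CA private key

    def _sign(self, body: dict) -> str:
        data = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def issue(self, subject: str, user_fqdn: str) -> dict:
        body = {"issuer": self.name, "subject": subject, "user_fqdn": user_fqdn}
        return {**body, "sig": self._sign(body)}

    def verify(self, cert: dict) -> bool:
        body = {k: v for k, v in cert.items() if k != "sig"}
        return hmac.compare_digest(self._sign(body), cert.get("sig", ""))


def generate_xauth_credentials() -> dict:
    """One random username/password pair, as HiveManager does per client/server pair."""
    return {"user": secrets.token_hex(8), "password": secrets.token_urlsafe(24)}


class VpnServer:
    def __init__(self, cert: dict):
        self.cert = cert
        self._xauth = {}  # client id -> credentials HiveManager pushed to this server

    def enroll(self, client_id: str, creds: dict) -> None:
        self._xauth[client_id] = creds

    def revoke(self, client_id: str) -> None:
        """Removing the key for a lost or stolen AP."""
        self._xauth.pop(client_id, None)

    def check_xauth(self, client_id: str, user: str, password: str) -> bool:
        creds = self._xauth.get(client_id)
        return bool(creds) and hmac.compare_digest(creds["user"], user) \
            and hmac.compare_digest(creds["password"], password)


class RogueServer(VpnServer):
    """An attacker's endpoint presenting some CA-signed certificate; it accepts
    any xAuth login because its goal is to harvest the client's credentials."""

    def check_xauth(self, client_id, user, password):
        return True


class VpnClient:
    def __init__(self, client_id, ca, creds, expected_server_fqdn=None):
        self.client_id = client_id
        self.ca = ca                  # root CA the client trusts
        self.creds = creds            # xAuth credentials for its server pair
        self.expected_server_fqdn = expected_server_fqdn  # set by "peer IKE ID validation"

    def connect(self, server: VpnServer) -> str:
        # Phase 1: the server's certificate must chain to the trusted CA.
        if not self.ca.verify(server.cert):
            return "phase1 failed: server certificate not signed by trusted CA"
        # Optional: the peer ID must be the User FQDN HiveManager took from the server cert.
        if self.expected_server_fqdn and server.cert["user_fqdn"] != self.expected_server_fqdn:
            return "phase1 failed: peer IKE ID mismatch"
        # xAuth: only now does the client send its per-pair credentials to the server.
        if not server.check_xauth(self.client_id, self.creds["user"], self.creds["password"]):
            return "xauth failed: credentials missing or revoked"
        return "tunnel established"


def run_scenarios() -> dict:
    ca = ToyCA("Default_CA")
    real = VpnServer(ca.issue("HiveOS-VA-01", "vpn-server-01@example.test"))
    creds = generate_xauth_credentials()
    real.enroll("AP-01", creds)
    # A second certificate issued by the same CA, e.g. one recovered from a lost AP.
    rogue = RogueServer(ca.issue("AP-07", "ap-07@example.test"))

    unpinned = VpnClient("AP-01", ca, creds)
    pinned = VpnClient("AP-01", ca, creds, "vpn-server-01@example.test")
    results = {
        "pinned_to_real": pinned.connect(real),
        "unpinned_to_rogue": unpinned.connect(rogue),  # CA check alone is not enough
        "pinned_to_rogue": pinned.connect(rogue),
    }
    real.revoke("AP-01")
    results["after_revoke"] = pinned.connect(real)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:18} {outcome}")
```

The `unpinned_to_rogue` case is the one the peer IKE ID checkbox closes: the rogue endpoint passes the CA check, so the client proceeds to xAuth and discloses its credentials. With the FQDN pinned, Phase 1 stops before that. The `after_revoke` case is the lost-AP procedure from the Server-Client Credentials slide.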

Page 365: Acwp Aerohive configuration guide

LAB: Create VPN Services Policy
8. Configure Advanced Client Options

• Expand Advanced Client Options
› Select the management traffic from the Aerohive AP to send through the tunnel
› Check the boxes for:
» Syslog
» RADIUS

Note: By default the VPN tunnel carries user traffic only; these options let the Aerohive AP itself send the management traffic it generates (here syslog and RADIUS) through the tunnel as well.

› Check Enable NAT traversal
NAT-T encapsulates the IPsec (ESP) packets in UDP on port 4500 so they can pass through NAT devices between the client and the server.

Do not save yet...

Page 366: Acwp Aerohive configuration guide

LAB: Create VPN Services Policy
9. View Dead Peer Detection Settings

• Dead Peer Detection (DPD) is used to switch from Aerohive VPN Server 1 to Aerohive VPN Server 2 upon failure

› DPD verifies IKE Phase 1:
» Send a heartbeat every 10 seconds (by default)
» If one heartbeat is missed, send at the Retry Interval instead of at the normal Interval
» If the number of retries specified is missed, fail over to the backup VPN server

› AMRP verifies end to end through the GRE and VPN tunnel:
» Send a heartbeat every 10 seconds (by default)
» If one heartbeat is missed, send at 1-second intervals instead of at the normal Interval
» If the number of retries specified is missed, fail over to the backup VPN server

Default DPD failover time: ~16 seconds

Default AMRP failover time: ~21 seconds
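The DPD description above is a timer algorithm, and the practical question is how long a site is actually dark before failover. The following is an added example written for this guide, not HiveOS code: a timeline model of the heartbeat/retry logic showing that the delay depends on where in the heartbeat cycle the server dies. The 10 s interval comes from the slide; the 3 s retry interval and retry count of 2 are assumed values chosen because they reproduce the slide's ~16 s default, and the model (an unanswered heartbeat is noticed when its retry timer expires, and the peer is declared dead after the configured number of consecutive misses) is an interpretation of the slide wording.

```python
"""Timeline model of the dead peer detection behaviour described above.

Added example for this guide, not HiveOS code. The 10 s interval is from the
slide; the retry interval (3 s) and retry count (2) are assumed values that
reproduce the slide's ~16 s default, and the model itself is an
interpretation of the slide wording.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class DpdSettings:
    interval: float = 10.0       # heartbeat period while the peer answers (slide default)
    retry_interval: float = 3.0  # assumed default
    retries: int = 2             # assumed default


def failover_time(settings: DpdSettings, peer_dies_at: float, last_ack_at: float = 0.0) -> float:
    """Absolute time at which the client declares the server dead.

    Heartbeats go out every `interval` seconds after the last acknowledged one.
    Each heartbeat sent at or after `peer_dies_at` is unanswered; the client waits
    `retry_interval`, counts a miss and resends, until `retries` misses are counted.
    """
    t = last_ack_at
    while True:
        t += settings.interval           # next regular heartbeat
        if t >= peer_dies_at:
            break                        # this one gets no reply
    return t + settings.retries * settings.retry_interval


def failover_bounds(settings: DpdSettings) -> tuple[float, float]:
    """Best and worst case delay between the server dying and failover: the
    misses alone if the server dies just before a heartbeat, one full interval
    more if it dies just after an answered one."""
    misses = settings.retries * settings.retry_interval
    return misses, settings.interval + misses


if __name__ == "__main__":
    s = DpdSettings()
    for dies_at in (0.1, 9.9, 10.1):
        t = failover_time(s, dies_at)
        print(f"server dies at t={dies_at:5.1f}s -> failover at t={t:5.1f}s ({t - dies_at:4.1f}s later)")
    print("delay bounds (best, worst):", failover_bounds(s))
```

The same model applies to the AMRP check with a 1 s retry interval; what it does not capture is the extra time for the GRE path to be re-established on server 2, which is why the end-to-end AMRP figure on the slide is longer than the IKE-level DPD figure.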

Page 367: Acwp Aerohive configuration guide

LAB: Create VPN Services Policy
10. Save VPN Services Policy

• Click Save to save the VPN Service Settings

Page 368: Acwp Aerohive configuration guide

LAB: Create VPN Services Policy
11. Verify VPN Setting and Save Network Policy

Back in your Network Policy:

• Ensure Layer 2 IPsec VPN is set to VPN-X

• Click Continue

Page 369: Acwp Aerohive configuration guide


QUESTIONS?

Page 370: Acwp Aerohive configuration guide

Configuring Aerohive APs to be VPN Clients and VPN Servers

AEROHIVE DEVICE VPN ROLES AND UPDATING THE CONFIGURATION

Page 371: Acwp Aerohive configuration guide

LAB: Assign Aerohive Devices to VPN Roles
1. Modify Your A-Aerohive AP

In the Configure & Update Devices section:

• Select the Filter: Current Policy

• Click to modify your Aerohive AP: X-A-######

Page 372: Acwp Aerohive configuration guide

LAB: Assign Aerohive Devices to VPN Roles
2. Assign VPN Service Role to Client

• Scroll down, and in the Optional Settings section:
› Expand Services Settings
› Deselect Device RADIUS Service
› Set the VPN Service Role to: Client

• Click Save

Page 373: Acwp Aerohive configuration guide

LAB: Assign Aerohive Devices to VPN Roles
3. Modify HiveOS Virtual Appliance (VA)

In the Configure and Update Devices section:

• Click to modify your VPN Gateway: HiveOS-VA-0X

The key icon with the triangle pointing up is the VPN client icon

Page 374: Acwp Aerohive configuration guide

LAB: Assign Aerohive Devices to VPN Roles
4. Assign VPN Service Role to Server

• Scroll down, and in the Optional Settings section:
› Expand Services Settings
› Set the VPN Service Role to: Server

• Click Save

Page 375: Acwp Aerohive configuration guide

LAB: Assign Aerohive Devices to VPN Roles
5. Upload the Configuration to Your Aerohive Devices

In the Configure & Update Devices section:

• Check the box next to your VPN client & server: X-A-######, HiveOS-VA-0X

The key icon with the triangle pointing down is the VPN server icon

Page 376: Acwp Aerohive configuration guide

LAB: Assign Aerohive Devices to VPN Roles
6. Upload the Configuration to Your Aerohive Devices

• Select Update Devices

• Select Perform a complete configuration update for all selected devices

• Click Update

• In the Reboot Warning window, click OK

For this class, ALL updates should be complete configuration updates unless otherwise instructed

Page 377: Acwp Aerohive configuration guide

LAB: Assign Aerohive Devices to VPN Roles
7. Upload the Configuration to Your Aerohive Devices

• The devices will reboot

Page 378: Acwp Aerohive configuration guide

LAB: Verify the Aerohive L2 VPN
1. Wait for Upload to Finish, Then Verify VPN

• From Monitor > Devices > All Devices:
› If the Aerohive AP VPN Server and Client icons are green, the VPN tunnel is up

Page 379: Acwp Aerohive configuration guide

LAB: Verify the Aerohive L2 VPN
2. Aerohive Device VPN Diagnostics

• Go to Monitor > Devices > All Devices

• Select one of the VPN devices: X-A-Aerohive AP

• Click Utilities... > Diagnostics > Show IKE Event

• Verify that both Phase 1 and Phase 2 are successful

Page 380: Acwp Aerohive configuration guide

LAB: Verify the Aerohive L2 VPN
3. Aerohive Device VPN Diagnostics – Phase 1

• Select one of the VPN devices: X-A-Aerohive AP

• Click Utilities... > Diagnostics > Show IKE Event

Possible problems if Phase 1 fails:

• Certificate problems

• Incorrect networking settings

• Incorrect NAT settings on the external firewall

Possible problems if Phase 2 fails:

• Mismatched transform sets between the client and server (encryption algorithm, hash algorithm, etc.)

Page 381: Acwp Aerohive configuration guide

LAB: Verify the Aerohive L2 VPN
4. Aerohive Device VPN Diagnostics – Phase 1

• Click Utilities... > Diagnostics > Show IKE Event

• If you see that Phase 1 failed due to a certificate problem:
› Check the time on the Aerohive devices (a certificate is rejected if the device clock falls outside its validity period):
» show clock
» show time
› Ensure you have the correct certificates loaded on the Aerohive APs in the VPN services policy

Page 382: Acwp Aerohive configuration guide

LAB: Verify the Aerohive L2 VPN
5. Aerohive Device VPN Diagnostics – Phase 1

• Click Utilities... > Diagnostics > Show IKE Event

• If you see that Phase 1 failed due to wrong network settings:
› Check the IP settings in the VPN services policy
› Check the NAT settings on the external firewall

Page 383: Acwp Aerohive configuration guide

LAB: Verify the Aerohive L2 VPN
6. Aerohive Device VPN Diagnostics – Phase 1

• Click Utilities... > Diagnostics > Show IKE SA

• Phase 1 has completed successfully if you reach step #9

• If step #9 is not established, one of these problems exists:
› Certificate problems
› Incorrect networking settings
› Incorrect NAT settings on the external firewall

Page 384: Acwp Aerohive configuration guide

LAB: Verify the Aerohive L2 VPN
7. Aerohive Device VPN Diagnostics – Phase 2

• Click Utilities... > Diagnostics > Show IPsec SA

Note: The VPN is functional when you see a tunnel from the MGT0 IP of the VPN client to the (NAT) address of the VPN server's MGT0, and the reverse. IPsec SAs (Security Associations) are unidirectional, so each direction has its own SA.

› State: Mature

• If Phase 2 fails: check the encryption & hash settings on the VPN client and the VPN server

Page 385: Acwp Aerohive configuration guide

LAB: Verify the Aerohive L2 VPN
8. View VPN Topology

• Open your Network Policy and click the Configure Interfaces and User Access bar

• In the Layer 2 IPsec VPN section, click VPN Topology

Page 386: Acwp Aerohive configuration guide

LAB: Verify the Aerohive L2 VPN
9. View VPN Topology

• When the Aerohive device icons are displayed in green with a green line between them, the VPN is up

• You can move your mouse over an icon for more details

Page 387: Acwp Aerohive configuration guide

VPN Topology Example

• Here is an example of a VPN topology with 12 Aerohive AP VPN clients and two Aerohive VPN servers for tunnel load sharing and redundancy

Page 388: Acwp Aerohive configuration guide

NOTE: Layer 2 IPsec VPN Server-Side Firewall Rules

NOTE: In an IPsec VPN deployment, if a firewall protects the VPN server, you need rules similar to the following from the Internet to the IPsec VPN server (the destination is the firewall's public address, which is NATed to the server's MGT0 address):

Source IP    Destination IP    Protocol    Source Port    Dest Port       Action
0.0.0.0/0    1.2.1.2 (NAT)     17 (UDP)    Any            4500 (NAT-T)    Permit
0.0.0.0/0    1.2.1.2 (NAT)     17 (UDP)    Any            500 (IKE)       Permit

Diagram labels: VPN Client 2-A-Aerohive AP 10.5.2.?/24 with Gateway 10.5.2.1; FW (NAT) 2.2.2.2; Firewall NAT rule 1.2.1.2 -> 10.200.2.2; Gateway 10.200.1.1; VPN server 10.200.2.2; Tunnel Interface 10.8.1.20; RADIUS 10.200.2.250

Page 389: Acwp Aerohive configuration guide

Using Microsoft Windows XP

TESTING YOUR VPN ACCESS WITH 802.1X CLIENT (SUPPLICANT)

Page 390: Acwp Aerohive configuration guide

Lab: Testing 802.1X/EAP For VPN Access
1. Connect to Secure Wireless Network

• From the bottom task bar, click the wireless network icon to locate wireless networks

• Click Class-EAP-X

• Click Connect

Page 391: Acwp Aerohive configuration guide

Lab: Testing 802.1X/EAP For VPN Access
2. Connect to Secure Wireless Network

• From the bottom task bar, click the wireless network icon to locate wireless networks

• Click Class-EAP-X

• Click Connect

NOTE: If this fails, there may be a certificate issue with the Hosted PC in VMware.

Page 392: Acwp Aerohive configuration guide

Lab: Testing 802.1X/EAP For VPN Access
3. View Wireless Clients

• After associating with your SSID, you should see your connection in the active clients list in HiveManager:
› Go to Monitor > Clients > Active Clients

• IP Address: 10.200.2.X

• User Name: DOMAIN\user

• VLAN: 1

• User Profile Attribute: 10

Page 393: Acwp Aerohive configuration guide

Lab: Testing 802.1X/EAP For VPN Access
Client Monitor – Successful Connection

• Client Monitor showing successful authentication

• The RADIUS server IP is 10.200.2.250, which is reachable only through the VPN tunnel, so a successful authentication also confirms that the AP's RADIUS traffic is passing through the tunnel

Page 394: Acwp Aerohive configuration guide


QUESTIONS?

Page 395: Acwp Aerohive configuration guide

VPN LAB CLEANUP

Page 396: Acwp Aerohive configuration guide

Lab: VPN Lab Cleanup
1. Deselect Layer 2 IPsec VPN Policy

To continue with the rest of the training labs, remove the VPN settings so that traffic is no longer tunneled through the VPN:

• Go to Configuration

• Select your Network Policy: WLAN-X and click OK

• Next to Layer 2 IPsec VPN, click Choose

• Click to deselect your VPN-X profile

• Click OK

• In the Network Policy, click Save

Page 397: Acwp Aerohive configuration guide

Lab: VPN Lab Cleanup
2. Change Employee-X User Profile to VLAN 10

Modify the Employee-X user profile to assign users to VLAN 10, which is in the DMZ.

• Under User Profile, click Employee-X

Page 398: Acwp Aerohive configuration guide

Lab: VPN Lab Cleanup
3. Change Employee-X VLAN to 10

• Name: Employee-X

• Attribute Number: 10

• Change Network or VLAN-only Assignment to: 10

• Click Save

Page 399: Acwp Aerohive configuration guide


QUESTIONS?

Page 400: Acwp Aerohive configuration guide

To Simplify the WLAN Policy Configuration When Different Settings for Aerohive Devices are Needed at Different Locations

AEROHIVE DEVICE CLASSIFICATION EXAMPLES

Page 401: Acwp Aerohive configuration guide

Question: How do you define a single WLAN policy but configure different settings?

• For example, in the Network Policy you can define only one MGT interface VLAN profile

• But if the Aerohive APs are in different networks with different MGT VLANs, what can you do?

Diagram: two APs behind one router, each on its own L2 switch. Aerohive AP device settings, left: Interface mgt0 10.5.2.?, Classification Tag radius, Network Policy WLAN-X, MGT0 VLAN 2. Right: Interface mgt0 10.7.1.X, Classification Tag GRE, Network Policy WLAN-X, MGT0 VLAN 100.

Page 402: Acwp Aerohive configuration guide

Answer: HiveManager Device Classification
Define a VLAN Object That is Variable

• With HiveManager Device Classification, you can create one VLAN object whose value changes based on a device tag (text field) assigned to a device, on the device hostname, or on the topology map where the device resides

• For example, the VLAN object called ap-vlans-2 is a policy that assigns VLAN 100 if the device has a text-field device tag configured as GRE; VLAN 2 if a text-field device tag on the device is configured as radius; and VLAN 1 if the device has no text-field device tags (global)

Page 403: Acwp Aerohive configuration guide

Answer: HiveManager Device Classification
Devices Can Be Assigned to Textual Classifier Tags

• To allow a VLAN object, IP object or device template object to be customized for specific Aerohive devices, you can specify Device Classification tags in the device configuration settings of any Aerohive device

• You can define three tags, which can specify device function, services, or location, for example

Screenshots: Aerohive AP A Device Classification Settings; Aerohive AP B Device Classification Settings

Page 404: Acwp Aerohive configuration guide

Answer: HiveManager Device Classification
Object Definition Changes Based on Tag

In this example, a Network Policy uses a VLAN object to define the MGT VLANs on APs. HiveManager can assign different VLANs to a device or user profile based on device classification rules.

Aerohive AP A is a RADIUS server, so you can assign it a tag such as radius. Aerohive AP B is a GRE tunnel terminator, so you can assign it a tag such as GRE.

When HiveManager updates the configuration, it assigns MGT VLAN 2 to Aerohive AP A and MGT VLAN 100 to Aerohive AP B.

Screenshot: AP MGT VLAN Object Definition

Page 405: Acwp Aerohive configuration guide

Answer: HiveManager Device Classification
Supported Objects

• Objects that support device classification:
› IP/Hostname objects
› MAC addresses/OUIs
› VLANs
› Device templates

• Multiple variables can be configured in one object, and the value assigned to the Aerohive device can change based on:
› Topology map
› Device tags
› Hostname

Page 406: Acwp Aerohive configuration guide

Answer: HiveManager Device Classification
Types of Classification

• VLANs, IP address objects, MAC address objects, and User Profile Attribute groups can have classification rules based on:
› Topology Map Name
» Uses topology maps
› Device Name
› Device Tag
» Requires that the tags are defined in the configuration of the Aerohive APs
› Global
» Selected if no match is found for any of the other types

• You can mix and match rule types within one object

Page 407: Acwp Aerohive configuration guide

Answer: HiveManager Device Classification
Tag Selection

• If you specify multiple tags on an Aerohive AP, make sure the object is defined to match the relevant tags and ignore the rest

• If you want this VLAN object to match all Aerohive APs in HQ, define Tag 1 as HQ but deselect Tag 2 and Tag 3 so they are ignored

• If you do not uncheck Tag 2 and Tag 3, all three tags must match on each Aerohive AP

Screenshots: VLAN Object Definition; Aerohive AP 1 Configuration; Aerohive AP 2 Configuration

Page 408: Acwp Aerohive configuration guide

Device Classification – How Are the Rules Evaluated?

Rules are evaluated in priority order; you can drag and drop the VLAN rules to change the order of priority.
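The classification slides above (types of rule, tag selection with unchecked tags ignored, priority order, Global as fallback) together describe a small matching algorithm. The following is an added example written for this guide, not HiveManager code: a resolver that applies those semantics to the lab's Teacher-VLANS object and to the HQ tag example, plus a conflict check for rules that an earlier rule shadows. The rule and device shapes are constructed, and the evaluation order (non-Global rules top-down, first match wins, Global only when nothing else matched) is an assumption drawn from the slide wording rather than a statement about HiveManager internals.

```python
"""Resolver for HiveManager-style device classification rules, as described on
the slides above (types, tag selection, priority order, global fallback).

Added example for this guide, not HiveManager code. The rule and device
shapes are constructed; the evaluation order (non-Global rules top-down,
first match wins, Global as the fallback) follows the slide wording and is an
assumption about HiveManager internals.
"""
from __future__ import annotations
from dataclasses import dataclass

IGNORE = None  # an unchecked tag in a rule: matches whatever the device has


@dataclass(frozen=True)
class Device:
    name: str
    tags: tuple = ("", "", "")   # Tag1, Tag2, Tag3 as set on the AP ("" = not set)
    topology_map: str = ""


@dataclass(frozen=True)
class Rule:
    value: int                     # e.g. the VLAN ID this rule assigns
    kind: str                      # "global" | "device_tags" | "device_name" | "topology_map"
    tags: tuple = (IGNORE, IGNORE, IGNORE)
    name: str = ""
    topology_map: str = ""


def rule_matches(rule: Rule, device: Device) -> bool:
    if rule.kind == "global":
        return True
    if rule.kind == "device_name":
        return device.name == rule.name
    if rule.kind == "topology_map":
        return device.topology_map == rule.topology_map
    if rule.kind == "device_tags":
        # Every checked tag must equal the device's tag; unchecked tags are ignored.
        return all(want is IGNORE or want == have
                   for want, have in zip(rule.tags, device.tags))
    raise ValueError(f"unknown rule type {rule.kind!r}")


def resolve(rules: list[Rule], device: Device) -> int:
    """Priority order is the list order (drag-and-drop in HiveManager). Global
    rules are consulted only if no other rule matched."""
    for rule in rules:
        if rule.kind != "global" and rule_matches(rule, device):
            return rule.value
    for rule in rules:
        if rule.kind == "global":
            return rule.value
    raise LookupError(f"no rule matches {device.name} and no Global fallback exists")


def shadowed(rules: list[Rule]) -> list[tuple[int, int]]:
    """Conflict check: (i, j) pairs where tag rule i, earlier in priority, matches
    every device that tag rule j matches, so rule j can never win."""
    out = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if earlier.kind == later.kind == "device_tags" and all(
                    e is IGNORE or e == l for e, l in zip(earlier.tags, later.tags)):
                out.append((i, j))
    return out


# The lab's Teacher-VLANS-X object: Global 1, Tag1=Area1 -> 8, Tag1=Area2 -> 10.
TEACHER_VLANS = [
    Rule(1, "global"),
    Rule(8, "device_tags", ("Area1", IGNORE, IGNORE)),
    Rule(10, "device_tags", ("Area2", IGNORE, IGNORE)),
]

# The HQ example from the Tag Selection slide: Tag 2 and Tag 3 unchecked versus
# left checked (and empty), which then has to match devices with no Tag 2/Tag 3.
HQ_IGNORING = [Rule(100, "device_tags", ("HQ", IGNORE, IGNORE)), Rule(1, "global")]
HQ_ALL_THREE = [Rule(100, "device_tags", ("HQ", "", "")), Rule(1, "global")]

if __name__ == "__main__":
    for tags in (("Area1", "", ""), ("Area2", "", ""), ("", "", "")):
        print(tags, "->", resolve(TEACHER_VLANS, Device("X-A-000000", tags)))
    ap = Device("HQ-AP-2", ("HQ", "Floor2", ""))
    print("HQ ignoring 2/3:", resolve(HQ_IGNORING, ap), " all three checked:", resolve(HQ_ALL_THREE, ap))
```

The `shadowed` check is the kind of thing the Edit dialog's "view conflicts" is for: a rule with Tag1=HQ and the other tags unchecked, placed above a rule with Tag1=HQ and Tag2=Floor2, makes the second rule unreachable until it is dragged above the first.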

Page 409: Acwp Aerohive configuration guide

Device Classification Customization

Device Tag label names can be changed:

• Home > Administration > HiveManager Settings > Edit Custom Tab Labels

Page 410: Acwp Aerohive configuration guide

Device Classification – Use Cases
VLAN Objects

• VLAN objects support device classification:
› Use Case #1 – device classification with VLAN objects can be used to assign user VLANs (example in the upcoming lab)
› Use Case #2 – device classification with VLAN objects can be used to assign management VLANs to Aerohive devices

Diagram: one router with an L2 switch per area; Area1 uses user VLANs 8 and 16, Area2 uses user VLANs 10 and 20

Page 411: Acwp Aerohive configuration guide

Device Classification – Use Cases
IP Objects

• IP objects support device classification:
› Use Case #1 – device classification with IP objects can be used for server assignment
› Use Case #2 – device classification with IP objects can be used in firewall policies

Page 412: Acwp Aerohive configuration guide

Device Classification – Use Cases
Device Templates

HiveManager – SR2024P as switch device template

• HiveManager Device Templates are used to assign switches and routers at the same site or at different sites a common set of port settings

• For example: ports 1-2 are 802.1Q ports for APs, ports 3-6 are for phones, etc.

Diagram: a distribution SR2024P with access/edge SR2024P switches feeding PoE-powered APs

Page 413: Acwp Aerohive configuration guide

Device Classification – Use Cases
Device Templates

Device Templates support device classification:

• Configure a default Device Template for one location

• Configure multiple Device Templates for other locations

• Configure device classification tags to apply different device templates to different devices

Diagram: SR2024P as switch at the Default Sites (default site device classification tag) and SR2024P as switch at the Small Sites (Device Classification Tag: Small Site), each feeding PoE-powered APs

Page 414: Acwp Aerohive configuration guide

Device Classification – Use Cases
Captive Web Portal Selection by Classifier Tags

• Captive web portals can forward users to custom destinations after authentication based on the classifier tags assigned to the Aerohive device

• Users can also be forwarded to different web sites based on successful or failed authentication

Page 415: Acwp Aerohive configuration guide

Device Classification – Use Cases
Captive Web Portal Selection by Classifier Tags

• Traditionally, all users are forwarded to the same URL

• Using classified URL objects, which you can create, you can forward users to the desired locations based on your specific requirements

Page 416: Acwp Aerohive configuration guide

Device Classification – Use Cases
Captive Web Portal Selection by Classifier Tags

Diagram: APs tagged Tag1 = SFO and Tag1 = SJC forward their users to different destinations

Page 417: Acwp Aerohive configuration guide

LAB: Device Classification
Lab Goals

• Use device classification with VLAN objects to assign user VLANs

• Create a VLAN object with multiple VLANs

• Define device classification rules for the user VLANs

• Assign device classifier tags to an AP

• From the hosted PC, test the wireless connectivity and verify the VLAN assignment

Page 418: Acwp Aerohive configuration guide

Lab: Use Classification Tags for User VLANs

Lab topology: Network Policy School with SSID Teacher (User Profile Teacher) and SSID Student (User Profile Student); one router with an L2 switch per area. APs in Area1 carry Tag: Area1 and use user VLANs 8 and 16; APs in Area2 carry Tag: Area2 and use user VLANs 10 and 20 (the Teacher profile lands in VLAN 8 in Area1 and VLAN 10 in Area2).

Page 419: Acwp Aerohive configuration guide

Lab: Use Classification Tags for User VLANs
1. Creating a New Network Policy

• Go to Configuration

• Click the New button

Page 420: Acwp Aerohive configuration guide

Lab: Use Classification Tags for User VLANs
2. Building Your Initial Wireless Network Policy

• Name: School-X

• Select: Wireless Access and Bonjour Gateway

• Click Create

Page 421: Acwp Aerohive configuration guide

Lab: Use Classification Tags for User VLANs
3. Create a New SSID Profile

Network Configuration:

• Next to SSIDs, click Choose

• Then click New

Page 422: Acwp Aerohive configuration guide

Lab: Use Classification Tags for User VLANs
4. Configure a PSK SSID (Teacher)

• SSID Profile: Teacher-X (X = 2 – 29, your student ID)

• SSID: Teacher-X

• Select WPA/WPA2 PSK (Personal)

• Key Value: aerohive123

• Confirm Value: aerohive123

• Click Save

• Click OK

Page 423: Acwp Aerohive configuration guide

Lab: Use Classification Tags for User VLANs
5. Create a User Profile

• To the right of your SSID, under User Profile, click Add/Remove

• In Choose User Profiles, click New

Page 424: Acwp Aerohive configuration guide

Lab: Use Classification Tags for User VLANs
6. Define User Profile Settings

• Name: Teacher-X

• Attribute Number: 50

• Default VLAN: select + to create a new VLAN object

Page 425: Acwp Aerohive configuration guide

Lab: Use Classification Tags for User VLANs
7. Create VLAN Rules Using Device Classifiers

• VLAN Name: Teacher-VLANS-X

• VLAN ID: 1

• Type: Global

• Click New to add the next rule

Page 426: Acwp Aerohive configuration guide

Lab: Use Classification Tags for User VLANs
8. Create VLAN Rules Using Device Classifiers

• VLAN ID: 8

• Type: Device Tags

• Tag1: Area1

• Click Apply

Page 427: Acwp Aerohive configuration guide

Lab: Use Classification Tags for User VLANs
9. Create VLAN Rules Using Device Classifiers

• VLAN ID: 10

• Type: Device Tags

• Tag1: Area2

• Click Apply

• Do NOT save yet

NOTE: In the Value column, (T) = True means the tag is used in the rule and (F) = False means the tag is not used (ignored)

Page 428: Acwp Aerohive configuration guide

Lab: Use Classification Tags for User VLANs
10. Create VLAN Rules Using Device Classifiers

• Rules are evaluated in priority order; you can drag and drop the VLAN rules to change the order

• Click the Edit icon to edit or remove rules and to view conflicts

• Click Save

Page 429: Acwp Aerohive configuration guide

Lab: Use Classification Tags for User VLANs
11. Save Your User Profile

• Click Save

• Verify your user profile is selected and click Save

Page 430: Acwp Aerohive configuration guide

Lab: Use Classification Tags for User VLANs
12. Set Classification Tag on A-HiveAP

• Click Continue to navigate to Configure and Update Devices

Page 431: Acwp Aerohive configuration guide

Lab: Use Classification Tags for User VLANs
13. Set Classification Tag on A-HiveAP

• Choose the None filter

• Check the box next to your AP X-A-######

• Click Modify

Page 432: Acwp Aerohive configuration guide

Lab: Use Classification Tags for User VLANs
14. Assign Tag1 to Your AP

Assign the device classifier tag to your access point:

• Under Device Classification, select Tag1

• From the drop-down box select: Area1

• Click Save

Page 433: Acwp Aerohive configuration guide

Lab: Use Classification Tags for User VLANs
15. Update the Configuration

• Select Update Devices

• Select Perform a complete configuration update for all selected devices

• Click Update

• Click OK in the Reboot Warning window

For this class, ALL updates from this point should be complete configuration updates unless otherwise directed.

Page 434: Acwp Aerohive configuration guide

Lab: Use Classification Tags for User VLANs
16. Update the AP Configuration

• Your new configuration will upload

• The AP will reboot

Page 435: Acwp Aerohive configuration guide

Lab: Use Classification Tags for User VLANs
16. Connect Your Wi-Fi Client on the Hosted PC

• Single-click the wireless icon in the bottom right corner of the Windows task bar

• Click your SSID: Teacher-X

• Click Connect
› Security Key: aerohive123
› Click OK

Page 436: Acwp Aerohive configuration guide

Lab: Use Classification Tags for User VLANs
17. Verify the Client VLAN

• Monitor > Clients > Wireless Clients

• Verify that your client is in VLAN 8

• Device classification using Tag1 = Area1 worked!

Page 437: Acwp Aerohive configuration guide

Lab: Use Classification Tags for User VLANs
18. Reset Classification Tag on A-HiveAP

• Choose the Current Policy filter

• Check the box next to your AP X-A-######

• Click Modify

Page 438: Acwp Aerohive configuration guide

Lab: Use Classification Tags for User VLANs
19. Set Classification Tag on the Aerohive AP

Assign the device classifier tag to your access point:

• In Tag1, from the drop-down box select: Area2

• Click Save

Page 439: Acwp Aerohive configuration guide

Lab: Use Classification Tags for User VLANs
20. Update the Configuration of Your Aerohive AP

• Select Update Devices

• A complete upload is not needed this time; a delta configuration update is sufficient

• Click Update

Page 440: Acwp Aerohive configuration guide

Lab: Use Classification Tags for User VLANs
21. Delta Upload

• The delta configuration will upload

Page 441: Acwp Aerohive configuration guide

Lab: Use Classification Tags for User VLANs
22. Disconnect and Reconnect Your Wi-Fi Client

• Single-click the wireless icon in the bottom right corner of the Windows task bar

• Right-click your SSID: Teacher-X

• Click Disconnect

• Click your SSID: Teacher-X

• Click Connect

Page 442: Acwp Aerohive configuration guide

Lab: Use Classification Tags for User VLANs
23. Verify the Client VLAN

• Monitor > Clients > Wireless Clients

• Verify that your client is in VLAN 10

• Device classification using Tag1 = Area2 worked!

Page 443: Acwp Aerohive configuration guide


QUESTIONS?

Page 444: Acwp Aerohive configuration guide

SECURE AND FAST ROAMING

Page 445: Acwp Aerohive configuration guide

Roaming Basics

Diagram: a roaming client station moving from AP #1 (BSSID #1) to AP #2 (BSSID #2), both connected to the same 802.3 Ethernet backbone

Note: The decision when to roam is made by the client station, not the AP

Page 446: Acwp Aerohive configuration guide

Layer 2 Roaming

• The user associates and authenticates, and keys are distributed

• The AP predictively pushes keys and session state to its one-hop neighbors

• As the client roams and associates with another AP, traffic continues uninterrupted because the neighbor already holds the keys and session state

Diagram: RADIUS Server on the wired side; arrow labeled Roam between the two APs

Layer 3 Roaming
[Figure: Subnet A and Subnet B joined by a Router, with a GRE Tunnel between an AP on each subnet]
• Like layer 2 roaming, layer 3 roaming predictively pushes keys to one-hop neighbors.
• To maintain IP connectivity, a tunnel is created back to the client's home subnet.
• The tunnel follows the roaming user until the sessions end; the tunnel is then torn down and the user accesses the local network.

QUESTIONS?

AEROHIVE LAYER 3 ROAMING

Layer 3 Roaming - Detailed Explanation
Aerohive AP layer 3 roaming information is advertised in beacons and can be heard by Aerohive APs in the same Hive.
[Figure: Floor 1 on subnet 10.5.1.0/24 with APs 10.5.1.11/24, 10.5.1.12/24 and 10.5.1.13/24; Floor 2 on subnet 10.6.1.0/24 with APs 10.6.1.7/24, 10.6.1.8/24 and 10.6.1.9/24; all members of Corp-Hive]
Beacon IE (encrypted): Hive: Corp-Hive, L3 roaming enabled, Mgt0 IP: 10.5.1.13/24
Beacon IE (encrypted): Hive: Corp-Hive, L3 roaming enabled, Mgt0 IP: 10.6.1.7/24
Aerohive APs can then communicate over the LAN using UDP port 3000.
Aerohive APs scan channels to locate layer 3 roaming neighbors and communicate with each other over the Ethernet network.

Layer 3 Roaming - Detailed Explanation
[Figure: the same two-floor layout; the AP at 10.5.1.13 sends "DA for subnet 10.5.1.0/24: 10.5.1.11" and the AP at 10.6.1.7 receives it]
The neighboring AP sends the Aerohive AP the DA information for its subnet, so each AP learns the DA of the neighboring subnets.

Layer 3 Roaming - Detailed Communication
[Figure: the AP at 10.6.1.7 queries the DA for the least loaded AP for subnet 10.5.1.0/24; the DA answers with the best tunnel endpoint for subnet 10.5.1.0/24: 10.5.1.12]
• Preparation for roaming: the AP contacts the DA for the APs that will be the potential tunnel endpoints
• Aerohive APs preselect the best APs in each subnet to be tunnel endpoints
• The tunnel is built only when a client eventually roams

Layer 3 Roaming - Detailed Communication
As clients arrive on the new subnet, the Aerohive AP uses an existing tunnel for the client or, if that tunnel is heavily loaded, creates a tunnel to another portal in the DNXP table.
[Figure: router interfaces eth0.1 10.5.1.1 / eth0.2 10.5.10.1 on Floor 1 and eth0.1 10.6.1.1 / eth0.2 10.6.10.1 on Floor 2. Client u1 (10.5.10.33/24) first roams at layer 2 between the Floor 1 APs, which share its session state and PMK (Client Roaming Cache Update), then roams at layer 3 to Floor 2, where a DNXP GRE tunnel is built to 10.5.1.12; the client's IP address is maintained]

Layer 3 Roaming - Detailed Communication
[Figure: the same layout; client u1 keeps 10.5.10.33/24 while roaming among the Floor 2 APs. Its session state and PMK are shared between them, and each of them forwards its traffic through the DNXP GRE tunnel ending at 10.5.1.12]

Layer 3 Roaming - Local Subnet Connection
Based on the number of packets per minute sent to and received by the client, the Aerohive AP can be configured to disable the tunnel and de-auth the client, so that it reconnects and obtains an IP address from the local network.
[Figure: the DNXP GRE tunnel to 10.5.1.12 is torn down and client u1 is de-authed; after reconnecting on Floor 2 it holds 10.6.10.95/24 instead of 10.5.10.33/24]

QUESTIONS?

CONFIGURING DYNAMIC TUNNELING FOR LAYER 3 ROAMING

Lab: Enable Layer 3 Roaming - 1. Modify the Employee-X User Profile
To configure layer 3 roaming for a user profile
• Go to Configuration
• Select your Network Policy: School-X and click OK
• Under User Profile click Teacher-X

Lab: Enable Layer 3 Roaming - 2. In your user profile, create a tunnel policy
Layer 3 roaming is enabled per user profile by configuring a tunnel policy
• Go to Optional Settings
• Expand GRE Tunnels
• Select GRE tunnel for roaming or station isolation
• Click +

Lab: Enable Layer 3 Roaming - 2. Configure Layer 3 Roaming Policy
Enable the ability to dynamically build tunnels for layer 3 roaming
• Name: L3-Roaming-X
– Tunnel Settings –
• Select Enable Dynamic tunneling for Layer 3 Roaming
• Unroaming Threshold: 60 seconds
• Number of packets per minute: 2000
  › Setting a value enables Unroaming
  › Setting the value to 0 disables Unroaming
• Click Save

Note: The number of packets per minute to select varies based on the number of devices, the types of devices, and the applications running on your network. In my local network, for example, my idle PC sends and receives about 500 packets per minute. Running a voice call from a soft client, my PC sends and receives about 4000 packets per minute. So I have chosen to unroam if my PC does not send or receive 2000 packets per minute within a one-minute time frame, which means the tunnel should stay up during a voice call or file transfer.
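The tunnel endpoint selection described on the Layer 3 Roaming slides above and the unroaming threshold configured in this step, modelled together as an added Python example (not HiveOS or HiveManager code). The DA query, the per-tunnel load counter and the whole-minute unroaming window are assumptions made for the model; the addresses are the slides' two-floor layout and the 2000 packets per minute and 60 second values are the ones chosen in the lab.

```python
"""Illustrative model of layer 3 roaming with an unroaming threshold.
Added example, not Aerohive code: the DA query, tunnel bookkeeping and
unroam window are a simplification of the behaviour the slides describe."""

from collections import deque
from dataclasses import dataclass, field
from typing import Optional
import ipaddress


@dataclass
class AccessPoint:
    name: str
    mgt_ip: str                 # mgt0 address
    tunnels: int = 0            # tunnels this AP terminates (its load)

    @property
    def subnet(self):
        return ipaddress.ip_network(self.mgt_ip + "/24", strict=False)


@dataclass
class Client:
    mac: str
    ip: str                     # address obtained on the home subnet
    home: ipaddress.IPv4Network # mgt subnet of the AP it first joined
    ap: AccessPoint
    tunnel_to: Optional[AccessPoint] = None
    ppm: deque = field(default_factory=deque)   # packets-per-minute samples


class DesignatedAP:
    """DA: knows the portals in every subnet and answers least-loaded queries."""

    def __init__(self, aps):
        self.by_subnet = {}
        for ap in aps:
            self.by_subnet.setdefault(ap.subnet, []).append(ap)

    def best_endpoint(self, subnet):
        return min(self.by_subnet[subnet], key=lambda ap: ap.tunnels)


def roam(client, new_ap, da):
    """Associate client with new_ap. A tunnel is built only on a layer 3
    roam, and only once; the client keeps its IP address."""
    if new_ap.subnet == client.home:            # layer 2 roam or return home
        if client.tunnel_to is not None:
            client.tunnel_to.tunnels -= 1
            client.tunnel_to = None
    elif client.tunnel_to is None:              # first layer 3 roam
        endpoint = da.best_endpoint(client.home)
        endpoint.tunnels += 1
        client.tunnel_to = endpoint
    client.ap = new_ap
    return client.tunnel_to


def should_unroam(client, packets_per_minute, threshold_seconds):
    """Unroam when traffic stayed below packets_per_minute for the whole
    threshold window. 0 disables unroaming, as in the HiveManager setting.
    Treating the window as threshold_seconds of whole minutes (at least
    one) is an assumption of this model."""
    if packets_per_minute == 0 or client.tunnel_to is None:
        return False
    window = max(1, threshold_seconds // 60)
    recent = list(client.ppm)[-window:]
    return len(recent) == window and all(p < packets_per_minute for p in recent)


def unroam(client, local_ip):
    """Tear down the tunnel and de-auth; on reconnect the client is homed
    on the visited subnet with a locally assigned address."""
    client.tunnel_to.tunnels -= 1
    client.tunnel_to = None
    client.home = client.ap.subnet
    client.ip = local_ip
    client.ppm.clear()


def demo():
    """Constructed scenario matching the slides' two-floor layout."""
    floor1 = [AccessPoint("AP11", "10.5.1.11", tunnels=1),
              AccessPoint("AP12", "10.5.1.12"),
              AccessPoint("AP13", "10.5.1.13", tunnels=1)]
    floor2 = [AccessPoint("AP7", "10.6.1.7"), AccessPoint("AP8", "10.6.1.8")]
    da = DesignatedAP(floor1 + floor2)
    u1 = Client("00:11:22:aa:bb:cc", "10.5.10.33", floor1[0].subnet, floor1[0])
    out = {}
    out["l2_tunnel"] = roam(u1, floor1[2], da)      # same subnet: no tunnel
    endpoint = roam(u1, floor2[0], da)               # floor change: tunnel built
    out["l3_endpoint"] = endpoint.mgt_ip             # DA picked the idle AP
    out["ip_kept"] = u1.ip
    u1.ppm.append(4000)                              # voice call in progress
    out["unroam_during_call"] = should_unroam(u1, 2000, 60)
    u1.ppm.append(500)                               # idle PC
    out["unroam_idle"] = should_unroam(u1, 2000, 60)
    out["unroam_disabled"] = should_unroam(u1, 0, 60)
    if out["unroam_idle"]:
        unroam(u1, "10.6.10.95")
    out["tunnel_after_unroam"] = u1.tunnel_to
    out["endpoint_load_after"] = endpoint.tunnels
    out["new_ip"] = u1.ip
    return out


if __name__ == "__main__":
    print(demo())
```

The point the model makes explicit is the trade-off in the packets-per-minute value: set it above a busy client's rate and voice calls get cut by an unroam; set it to 0 and a tunnel lives until the session ends, pinning the client's traffic to the home subnet for as long as it stays associated.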

Lab: Enable Layer 3 Roaming - 3. Save user profile with L3 Roaming Policy
• Verify your L3-Roaming-X Policy is set
• Click Save
• Save your Network Policy

Testing Layer 3 Roaming - In Hosted Training Data Center
• Unfortunately we cannot test layer 3 roaming in the hosted data center because
  › The Aerohive APs are hard wired via coax to their clients
  › The power level of the Aerohive APs has been set to 1 dBm so the clients can connect to their SSIDs. If we do not set the power to 1 dBm, the power is too high for the clients that are connected via coax
    » Because the power is low, and the rest of the RF connections are terminated, testing in the remote lab is not possible
• If the instructor has time and the equipment, they can demonstrate layer 3 roaming locally in class

QUESTIONS?

LAYER 3 ROAMING TROUBLESHOOTING

Layer 3 Roaming Troubleshooting - What if the APs cannot hear each other?
Aerohive AP layer 3 roaming information is advertised in beacons and can be heard by Aerohive APs in the same Hive.
[Figure: the two-floor layout again; each AP's encrypted beacon IE carries Hive: Corp-Hive, L3 roaming enabled and its Mgt0 IP (10.5.1.13/24 on Floor 1, 10.6.1.7/24 on Floor 2), but the floors are out of RF range of each other ("I can't hear you!")]
How will layer 3 roaming work if the APs cannot hear their layer 3 neighbors?

Layer 3 Roaming Troubleshooting - View Roaming Neighbors
• To see if layer 3 neighbors are being discovered, go to Monitor > Access Points > Aerohive AP
• Select the Aerohive AP and go to Utilities > Diagnostics > Show DNXP Neighbors
  › You can view the Aerohive AP's layer 2 and layer 3 roaming neighbors
  › View the State column to see L3 and L2 neighbors
NOTE: It may take a few minutes to gather neighbor information during background scans, and you may not see your own neighbor AP in this hosted training rack, but you should see some neighbors.

Layer 3 Roaming Troubleshooting - Create Static Neighbor Relationships
• Monitor > Access Points > Aerohive AP
• Select the Aerohive AP and click Modify
• From Optional Settings, expand Roaming Threshold
  › Select any APs that need to be static L3 neighbors
  › Use the > button to move the APs to the right column
NOTE: This setting only takes effect when the APs function as portals and layer 3 roaming is enabled.

Layer 3 Roaming Troubleshooting - View active tunnels
• Select the check box next to your Aerohive AP, then select Utilities > Diagnostics > Show DNXP Cache
• If a client is connected to the Aerohive AP, you can then view the information that is being sent to the neighboring Aerohive APs
• The Tunnel-end is the Aerohive AP that will be the DNXP tunnel endpoint after the client roams across subnet boundaries
• The output shows the MAC address of each client and its tunnel endpoint after roaming

VOICE ENTERPRISE - Standardized Fast Secure Roaming
• The fast and secure roaming mechanism that most vendors have supported for many years is Opportunistic Key Caching (OKC)
• OKC has been a de facto roaming standard but not an official standard. Many devices do not support OKC, including Apple iOS devices prior to iOS 6.0
• Voice Enterprise is the Wi-Fi Alliance certification based on the IEEE 802.11r fast secure roaming standard
[Figure: a client roams between two APs that share a RADIUS Server]
Note: So far 13 vendor APs have been certified for Voice Enterprise; 4 of those are Aerohive APs: AP121, AP141, AP330 and AP350

VOICE ENTERPRISE - Standardized Fast Secure Roaming
To enable Voice Enterprise, go to:
• SSID profile > Advanced Optional Settings
• Check Enable Voice Enterprise
• As of today, not many client devices support Voice Enterprise
• VoWiFi vendors are the most likely to support it first
Voice Enterprise mechanisms are supposed to be backward compatible with older devices. However, the drivers of older client devices may have trouble associating to an SSID with Voice Enterprise enabled. Therefore, a separate SSID only for newer devices that support 802.11r and Voice Enterprise might be required. Test the legacy client population against an 802.11r-enabled SSID before enabling it on a production SSID.

iOS Devices and Fast Secure Roaming
• iOS 6.0 and iOS 7.0 devices support 802.11r fast secure roaming mechanisms
• Older iOS devices do not support 802.11r and do not support OKC
iPhones and iPads using iOS 5.0 and older never supported Opportunistic Key Caching (OKC). These devices work fine with 802.1X/EAP but have to re-authenticate every time they roam. If time-sensitive applications such as video streaming or FaceTime are in use, performance will be interrupted. To provide fast secure roaming for these devices, use Private PSK (PPSK).
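How OKC lets a station skip the full 802.1X/EAP exchange on a roam, and why a pre-iOS 6 device cannot, as an added Python example that is not Aerohive or Apple code. The PMKID formula is the IEEE 802.11 one (PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA)); the EAP exchange with the RADIUS server is replaced by a constructed stand-in that fabricates a PMK, and the neighbour push is a model of the key distribution shown on the Layer 2 Roaming slide. BSSIDs and station MACs are made up.

```python
"""Opportunistic Key Caching, modelled end to end. Added example, not
Aerohive or Apple code. The PMKID formula is the IEEE 802.11 one; the
'EAP' step is a constructed stand-in that just fabricates a PMK."""

import hashlib
import hmac


def mac(addr: str) -> bytes:
    return bytes.fromhex(addr.replace(":", ""))


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA); AA is the AP's
    BSSID (authenticator address), SPA the station's MAC address."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


class AccessPoint:
    def __init__(self, bssid: str, hive: list):
        self.bssid = mac(bssid)
        self.hive = hive                 # one-hop neighbours that receive pushed keys
        self.pmk_cache = {}              # SPA -> PMK
        self.eap_runs = 0                # full 802.1X/EAP exchanges this AP performed
        hive.append(self)

    def full_authentication(self, spa: bytes) -> bytes:
        """Stand-in for 802.1X/EAP with the RADIUS server: a real PMK is
        derived from the MSK of that exchange; here it is a constructed hash."""
        self.eap_runs += 1
        pmk = hashlib.sha256(b"constructed MSK for " + spa).digest()
        self.pmk_cache[spa] = pmk
        for neighbour in self.hive:      # predictive push of keys to neighbours
            if neighbour is not self:
                neighbour.pmk_cache[spa] = pmk
        return pmk

    def reassociate(self, spa: bytes, offered_pmkid) -> str:
        """(Re)association request. If the station names a PMKID that this
        AP can reproduce from a cached PMK, skip EAP and go straight to the
        4-way handshake; otherwise run the full exchange."""
        pmk = self.pmk_cache.get(spa)
        if (offered_pmkid is not None and pmk is not None
                and hmac.compare_digest(pmkid(pmk, self.bssid, spa), offered_pmkid)):
            return "4-way handshake"
        self.full_authentication(spa)
        return "full 802.1X/EAP"


class Station:
    def __init__(self, addr: str, supports_okc: bool):
        self.spa = mac(addr)
        self.supports_okc = supports_okc
        self.pmk = None

    def connect(self, ap: AccessPoint) -> str:
        result = ap.reassociate(self.spa, None)
        self.pmk = ap.pmk_cache[self.spa]       # both sides now hold the PMK
        return result

    def roam(self, ap: AccessPoint) -> str:
        # An OKC-capable station computes the PMKID for the *new* BSSID from
        # the PMK it already holds; a non-OKC station offers nothing.
        offered = pmkid(self.pmk, ap.bssid, self.spa) if self.supports_okc else None
        return ap.reassociate(self.spa, offered)


def demo() -> dict:
    hive = []
    ap1 = AccessPoint("00:19:77:00:00:01", hive)
    ap2 = AccessPoint("00:19:77:00:00:02", hive)
    laptop = Station("3c:15:c2:00:00:aa", supports_okc=True)
    old_ipad = Station("3c:15:c2:00:00:bb", supports_okc=False)   # iOS 5 behaviour
    return {"laptop": [laptop.connect(ap1), laptop.roam(ap2)],
            "ipad": [old_ipad.connect(ap1), old_ipad.roam(ap2)],
            "ap2_eap_runs": ap2.eap_runs}


if __name__ == "__main__":
    print(demo())
```

The laptop's roam to ap2 costs only the 4-way handshake because ap2 already holds the pushed PMK and can verify the offered PMKID; the old iPad triggers a second full EAP exchange on ap2, which is the round trip to the RADIUS server that interrupts FaceTime. With PPSK there is no EAP exchange to repeat at all: the PMK is derived from the per-user passphrase, so even a non-OKC device only performs the 4-way handshake on each roam.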

QUESTIONS?

Identity-based Tunnels
USING GRE TUNNELS TO TUNNEL GUEST TRAFFIC TO A SECURE DMZ

Identity-Based Tunnels
• With identity-based tunnels, client traffic can be tunneled directly to one or more HiveOS Virtual Appliances within a firewalled DMZ with access to the Internet
  › The client in the internal network is assigned a VLAN and an IP address from the tunnel destination
  › All client traffic is then tunneled to one or more HiveOS Virtual Appliances in the DMZ
  › Traffic from clients is not permitted on the local network
• This is typically used in environments where VLANs are not supported at the access layer
Note: Unlike IPsec, which supports NAT traversal (UDP encapsulation on port 4500), GRE tunnels cannot be NATed because GRE has no port numbers: a port-overloading NAT has nothing to map, so the tunnel source and destination must be routable to each other without address translation.
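What a GRE tunnel packet looks like on the wire, and why the NAT caveat above holds, as an added Python example that is not HiveOS code. The GRE header layout follows RFC 2784 and the outer header is plain IPv4 protocol 47; that the payload is a bridged, VLAN-tagged Ethernet frame with GRE protocol type 0x6558 is an assumption about what an identity-based tunnel carries, and the addresses are taken from the lab diagram (AP on 10.5.2.0/24, HiveOS VA on 10.200.2.0/24). The UDP datagram on port 3000 is included only for contrast with the inter-AP traffic mentioned earlier.

```python
"""GRE encapsulation of a VLAN-tagged Ethernet frame over IPv4, with the
outer IPv4 and GRE checksums, and the parser that undoes it. Added
example, not HiveOS code: the GRE header follows RFC 2784; the 0x6558
protocol type (transparent Ethernet bridging) is an assumption about the
tunnel payload; addresses are the lab diagram's."""

import struct

IPPROTO_GRE = 47
IPPROTO_UDP = 17
ETH_P_TEB = 0x6558        # GRE protocol type: bridged Ethernet frame (assumed)
ETH_P_8021Q = 0x8100      # 802.1Q VLAN tag
GRE_FLAG_CHECKSUM = 0x8000


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum; verifying data that already carries its checksum yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip2b(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def mac2b(addr: str) -> bytes:
    return bytes.fromhex(addr.replace(":", ""))


def ipv4_header(src: str, dst: str, payload_len: int, proto: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      0x4000, 64, proto, 0, ip2b(src), ip2b(dst))
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]


def vlan_frame(dst: str, src: str, vid: int, ethertype: int, payload: bytes) -> bytes:
    """Ethernet frame with an 802.1Q tag: the VLAN ID travels to the
    tunnel endpoint inside the GRE payload, which is why it must exist there."""
    return (mac2b(dst) + mac2b(src)
            + struct.pack("!HHH", ETH_P_8021Q, vid & 0x0FFF, ethertype) + payload)


def gre_encapsulate(inner: bytes) -> bytes:
    """RFC 2784 header with the C bit set: flags/version, protocol type,
    checksum, reserved1. The checksum covers header and payload, with the
    checksum field taken as zero while computing it."""
    hdr = struct.pack("!HHHH", GRE_FLAG_CHECKSUM, ETH_P_TEB, 0, 0)
    csum = ones_complement_sum(hdr + inner)
    return hdr[:4] + struct.pack("!HH", csum, 0) + inner


def build_tunnel_packet(src_ip: str, dst_ip: str, inner: bytes) -> bytes:
    gre = gre_encapsulate(inner)
    return ipv4_header(src_ip, dst_ip, len(gre), IPPROTO_GRE) + gre


def udp_packet(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Plain UDP datagram (checksum left 0) for contrast with the GRE packet."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ipv4_header(src_ip, dst_ip, len(udp), IPPROTO_UDP) + udp


def transport_ports(pkt: bytes):
    """What a port-overloading NAT keys its translation table on. TCP and
    UDP carry a port pair right after the IP header; GRE (47) has no such
    field, so several tunnels behind one NAT address cannot be told apart."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] in (6, IPPROTO_UDP):
        return struct.unpack("!HH", pkt[ihl:ihl + 4])
    return None


def parse_tunnel_packet(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    if ones_complement_sum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if pkt[9] != IPPROTO_GRE:
        raise ValueError("not a GRE packet")
    gre = pkt[ihl:]
    flags, ptype = struct.unpack("!HH", gre[:4])
    hdr_len = 4
    if flags & GRE_FLAG_CHECKSUM:
        if ones_complement_sum(gre) != 0:
            raise ValueError("bad GRE checksum")
        hdr_len += 4
    inner = gre[hdr_len:]
    vid = None
    if struct.unpack("!H", inner[12:14])[0] == ETH_P_8021Q:
        vid = struct.unpack("!H", inner[14:16])[0] & 0x0FFF
    return {"outer_src": ".".join(map(str, pkt[12:16])),
            "outer_dst": ".".join(map(str, pkt[16:20])),
            "ip_proto": pkt[9], "gre_protocol": ptype, "vlan": vid,
            "inner_len": len(inner), "ports": transport_ports(pkt)}


if __name__ == "__main__":
    frame = vlan_frame("00:19:77:aa:bb:cc", "3c:15:c2:00:00:aa", 1, 0x0800, bytes(20))
    print(parse_tunnel_packet(build_tunnel_packet("10.5.2.5", "10.200.2.3", frame)))
```

Note what is and is not protected here: the GRE checksum detects corruption but not tampering, and the payload is carried in the clear. The lab's "Tunnel Password" authenticates tunnel setup between AP and VA; it does not encrypt guest traffic, so the path between the AP subnets and the DMZ should be one you already trust, which is another reason it has to be a directly routed path rather than one through a NAT.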

Identity-Based Tunnels LAB - Using Tag On DMZ VLAN
[Figure: a Guest Client on the Internal Network associates to the AP (Tunnel Source); its traffic is carried over a GRE Tunnel from 10.5.2.N to 10.200.2.X to the HiveOS VA (Tunnel Destination) in the DMZ Network, which has the Internet connection]

Access point (Tunnel Source)
• Hostname: X-A-000000
• Interface mgt0: 10.5.1.N/24, VLAN 1
• WLAN Policy: WLAN-X
• Internal gateway: 10.5.2.1

HiveOS Virtual Appliance (Tunnel Destination)
• Hostname: X-HiveOS VA
• Interface mgt0: 10.200.2.X/24, VLAN 1
• WLAN Policy: WLAN-0X
• DHCP settings for VLAN 1: network 10.200.2.0/24, IP range 10.200.2.100 to 10.200.2.199
• DMZ gateway: 10.200.2.1

Hive and tunnel policy
• Hive: Class-X
• Tunnel Policy: GRE-Tunnel-X
• Tunnel Settings: Enable static identity-based tunnel
• Tunnel Destination: IP Range Start: 10.200.2.X, End: 10.200.2.X
• Tunnel Source: 10.5.1.0/24 and 10.5.2.0/24
• Tunnel Password: <randomly generated>
• MGT0 VLAN: 1
• Native VLAN: 1

SSID and user profile
• SSID: Class-Guest-X
• Captive Web Portal: CWP-Tunnel-X
• Registration Type: Use Policy Acceptance
• User Profile: Role-Tunnel (200)
• Attribute: 200
• VLAN: 1
• Tunnel Policy: GRE-Tunnel-X

Guest client
• SSID: Class-GRE-X
• IP: 10.200.2.N/24 (assigned by the VA's DHCP server in the DMZ)
• Gateway: 10.200.2.1

Lab: Use SSID to Tunnel Guest Traffic to DMZ - 1. Create a New SSID
• Go to Configuration
• Select your Network Policy: WLAN-X and click OK
• Next to SSIDs, click Choose
• Click New

Lab: Use SSID to Tunnel Guest Traffic to DMZ - 2. Configure an SSID for GRE tunneling
• Profile Name: Class-GRE-X
• SSID: Class-GRE-X
• Under SSID Access Security select WPA/WPA2 PSK (Personal)
• Key Value & Confirm Value: aerohive123 (a lab value; a short dictionary passphrase like this is not suitable for a production guest SSID)
• Check Enable Captive Web Portal
• Click Save

Lab: Use SSID to Tunnel Guest Traffic to DMZ - 3. Select the new Class-GRE SSID
• Ensure the Class-GRE-X SSID is selected (highlighted)
• Click to deselect all other SSID profiles
• Click OK

Lab: Use SSID to Tunnel Guest Traffic to DMZ - 4. Create a Use Policy Captive Web Portal
• Under Authentication, click <CWP>
• In Choose CWP, click New

Lab: Use SSID to Tunnel Guest Traffic to DMZ - 5. Configure Use Policy Captive Web Portal
• Name: CWP-Guest-X
• Registration Type: Use Policy Acceptance
Do not save yet...
Optional: Click the link to customize the use policy page. If you customize the use policy, you can enter or modify the text directly in the text box.

Lab: Use SSID to Tunnel Guest Traffic to DMZ - 6. Configure Use Policy Captive Web Portal
• Expand Captive Web Portal Success Page Settings
• Select the option to Redirect to the initially requested page, or Redirect to an external page and enter a URL
• Click Save

Lab: Use SSID to Tunnel Guest Traffic to DMZ - 7. Assign CWP and Configure SSID
• Under User Profile click Add/Remove
• Click New

Lab: Use SSID to Tunnel Guest Traffic to DMZ - 9. Create a user profile to tunnel traffic
Define a user profile to tunnel traffic to an AP in the DMZ
• Name: GRE-Users-X
• Attribute Number: 100
• Default VLAN: 1
• Expand GRE Tunnels
• Select GRE tunnel for roaming or station isolation
• Click + to create a GRE tunnel policy
Note: This VLAN is encapsulated inside the GRE tunnel and sent to the tunnel destination, where the VLAN must exist.

Lab: Use SSID to Tunnel Guest Traffic to DMZ - 10. Create the GRE tunnel policy
Configure the tunnel information for both sides of the tunnel in this policy
• Name: GRE-X
• Select Enable Static Identity-Based Tunnels
– Tunnel Destination –
• IP Address: 10.200.2.X
Note: You can specify a range of consecutive HiveAPs if you have multiple HiveAPs at the tunnel destination for redundancy and load sharing.
– Tunnel Source IPs or Subnets –
• Under Available IP Addresses
  › Select 10.5.2.0/24 and 10.5.1.0/24 and click the > button
• Tunnel Authentication
  › Click Generate
• Click Save

Lab: Use SSID to Tunnel Guest Traffic to DMZ - 11. Save the User Profile
Back in the user profile
• Ensure Tunnel Policy is set to: GRE-X
Note: If you configure firewall policies in this user profile, be aware that they are applied on the AP before the traffic is tunneled to the destination HiveAP. Also note that the client's IP address comes from the remote network at the tunnel destination, so any rule keyed on the client's source address must use the DMZ range (10.200.2.0/24 here), not the internal one.
• Click Save

Lab: Use SSID to Tunnel Guest Traffic to DMZ - 12. Save the SSID with the User Profile
• Ensure the GRE-Users-X user profile is selected (highlighted)
• Click Save
Note: When a client associates with this SSID and completes the registration process, its traffic is tunneled to the destination HiveAP specified by the tunnel policy in the user profile. If a client associates with this SSID on the tunnel endpoint itself, the traffic is forwarded without tunneling.

Lab: Use SSID to Tunnel Guest Traffic to DMZ - 13. Verify settings and continue to configure devices
• Verify the settings
• Click Continue

Lab: Use SSID to Tunnel Guest Traffic to DMZ - 14. Modify your AP
• Choose the None filter
• Click the link for your X-A-###### access point

Lab: Use SSID to Tunnel Guest Traffic to DMZ - 15. Modify your AP - Change Management VLAN
• Optional Settings
• Expand MGT0 Interface Settings and select DHCP Client without Fallback
• DHCP Timeout: 20

Lab: Use SSID to Tunnel Guest Traffic to DMZ - 16. Modify your AP - Change Management VLAN
• Optional Settings
• Expand Advanced Settings
• Uncheck Override MGT VLAN
• Click Save
The Management VLAN will default back to VLAN 1

Lab: Use SSID to Tunnel Guest Traffic to DMZ - 19. Update the configuration of your devices
In the Configure & Update Devices section
• Check the box next to your AP: X-A-######
• Check the box next to your VA: HiveOS-VA-0X

Lab: Use SSID to Tunnel Guest Traffic to DMZ - 20. Update the configuration of your devices
For this class, ALL updates should be complete configuration updates unless otherwise directed
• Select Update Devices
• Select Perform a complete configuration update for all selected devices
• Click Update
• Click OK in the Reboot Warning window

To Update GRE-Tunnel and DHCP Server Configuration
TEST GUEST GRE TUNNEL ACCESS

LAB: Guest GRE Tunnel - 1. Connect to your Class-GRE-X SSID
• On your remote hosted PC, connect to the SSID: Class-GRE-X
• Passphrase/Network Key: aerohive123

LAB: Guest GRE Tunnel - 3. Agree to Acceptable Use Policy
• Open a web browser and browse to a plain HTTP web site, for example http://www.aerohive.com (the captive web portal can only intercept and redirect an http:// request; an https:// start page produces a certificate warning instead)
• A captive web portal page will be displayed
• Fill out the web registration form
• Click Accept to agree to the Acceptable Use Policy

LAB: Guest GRE Tunnel - 4. Verify Access To Internet
• Once the login is successful, you can access the network
• After a moment, you should automatically be redirected to the web page you initially requested or to the URL you specified in the captive web portal

LAB: Guest GRE Tunnel - 5. Verify DMZ VLAN and Client IP address
• Monitor > Clients > Wireless Clients
• The guest client should have a 10.200.2.X address
• User Profile Attribute: 100
• VLAN: 1

LAB: Guest GRE Tunnel - 6. View GRE Tunnel Information
• From Monitor > All Devices, check the box next to your AP: X-A-######
• Click Utilities > Diagnostics > Show GRE Tunnel
• Verify the static GRE tunnel

QUESTIONS?

THANK YOU