2008Confidential
2010
Advanced WLAN Configuration, Version 3.5r1
Copyright Notice
Copyright © 2010 Aerohive Networks, Inc. All rights reserved.
Aerohive Networks, the Aerohive Networks logo, HiveOS, HiveAP, HiveManager, and GuestManager are trademarks of Aerohive Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies.
Getting Started
Lab: Get Connected - 1. Connect to class WLAN
Please connect to the class SSID:
– SSID: Class-Guest
– Network Key: aerohive123
You should get an IP in the 10.5.1.0/24 subnet.
[Diagram: classroom WLAN. SSID: Class-Guest; Security: WPA/WPA2 Personal (PSK); Network Key: aerohive123. Guest client on VLAN 1 under WLAN Policy WLAN-Classroom; AP Mgt0 IP 10.5.1.N/24 on VLAN 1; the client connects to SSID Class-Guest and receives IP 10.5.1.N/24 with gateway 10.5.1.1; Instructor PC and Internet uplink.]
Lab: Get Connected - 2. Get class files from instructor
From your PC, open a web browser and enter the URL ftp://ftp:aerohive@<IP address> (ask the instructor for the IP address)
– Username: ftp
– Password: aerohive
You will find:
– Courseware (pptx files)
• If you do not have MS Office 2003 or later, please download a PPTX viewer from Microsoft
– Topology map jpg images
• Used for the planning tool and topology map lab
– TightVNC
• Please install the Viewer only. This is used to connect to a hosted PC
– User files for Private PSK in CSV format
• This is for the Private PSK lab
– PuTTY SSH client (if you don't have an SSH client already)
• SSHv2 is used to access the console server, which in turn gives access to the CLI of your AP
Lab: Get Connected - 1. Connect to Hosted HiveManager
Securely browse to HiveManager: https://training-hm1.aerohive.com or https://72.20.106.120
Supported browsers:
– Firefox
– Internet Explorer
– Chrome
Default login credentials:
– Login: adminX (X = Student ID 2 - 15)
– Password: aerohive123
Lab: Get Connected - 4. Certificate error: continue to the website
If prompted, accept the certificate permanently, add the security exception, or continue to the website.
Note: Do not perform this operation in the classroom. In your own company you can import your own HiveManager certificate by going to Home > Administration > HiveManager Services:
– Check Update HTTPS Certificate
– You can generate a self-signed certificate or import a third-party certificate
– Click Update
Lab: Get Connected - 5. Connect to class WLAN
Click Agree to the End User License Agreement.
Lab: Get Connected - 6. The dashboard appears
From the dashboard you can get a summary of your WLAN. The dashboard is customizable and will be covered in more detail later in this course.
[Screenshot callouts: click the blue bar and drag to move a widget to a new location on screen; select which widgets to see; click to hide the left menu bar.]
HiveManager Help
HiveManager provides a rich and powerful online help. Click Help... on the top menu bar to get a menu of the help options. There is a help box on the right side of the guided configuration. A link to Help also exists in the Start Here screen.
Help System in HiveManager
If you click Help in the upper right hand corner of HiveManager, the menu offers:
– HiveManager Help
• Context sensitive help based on where you are when you select this option
– Settings
• Lets you specify a path to host the online help web pages locally on your network
– Videos and Guides
• Contains links to all Aerohive documentation and computer-based training modules
• You can also download the web-based help system from here
– Check for Updates
• Checks for Aerohive's latest code
– About HiveManager
[Screenshot callouts: Web-based Help Files; Deployment, Quickstart, and Mounting Guides; CLI Reference Guides; Online Training.]
Help: Context Sensitive
Context sensitive help can be viewed in any configuration window.
By default your PC must be connected to the Internet to view the help files, unless you have downloaded them and hosted them on your own web server.
Help: Navigation
[Screenshot callouts: Global Search; click here to go to the home page; Search on Current Page.]
Help: Global Search
You can enter multiple words for a global search. Click the relevant section. The help is automatically expanded where the search strings are found, and each word in the list is highlighted in a different color.
Help: Search For Words Within Pages
Search for an exact word or phrase match within a page.
– This is a complete word match, not a partial word match
[Screenshot callouts: enter a word here to highlight it on the page; adds or removes highlighting.]
Help: Files Location
Help files are referenced from the Internet. If Internet access is not available where you manage your HiveManager, download the web-based help files from the Videos & Guides section of the help menu and store them on your own local web server. Then specify a path to your own hosted web pages and click Update.
[Screenshot callout: here you can specify a path to locally hosted help files.]
Creating a WLAN Policy and Managing HiveAPs
Getting Started
Connect To HiveManager (in case you walked in late!)
Securely browse to HiveManager: https://training-hm1.aerohive.com or https://70.20.106.120
Supported browsers:
– Firefox
– Internet Explorer
Default login credentials:
– Login: adminX (X = Student ID 2 - 15)
– Password: aerohive123
Access Your Hosted HiveAP
Use PuTTY or your favorite SSH tool to SSH to training-console.aerohive.com
– Ports 7002 through 7015
Note: Student IDs are 2 through 15, so the SSH port number corresponds to the student ID: 7002 through 7015.
You will first see the Terminal Server Login; just press Enter:
Login as: <enter>
X-A-001122 login: admin
Password: aerohive123
Note: For Mac OS X or Linux use: ssh -l admin training-console.aerohive.com -p 700X
Access Your Hosted HiveAP
Use PuTTY or your favorite SSH tool to SSH to training-console.aerohive.com
– Ports 7022 through 7035
Note: Student IDs are 2 through 15, so the SSH port number corresponds to the student ID: 7022 through 7035.
You will first see the Terminal Server Login; just press Enter:
Login as: <enter>
X-A-001122 login: admin
Password: aerohive123
Note: For Mac OS X or Linux use: ssh -l admin training-console.aerohive.com -p 702X
Set HiveManager Time Settings
Essential when generating certificates, using Private PSK, Wireless VPN, User Manager, time-based authentication, and schedules
Set the Time and Time Zone (Instructor Only)
Go to Home > Administration > HiveManager Settings. For System Date/Time click Settings.
Set the Time and Time Zone (Instructor Only)
Time Zone: <Time Zone of HiveManager>
Set the date/time manually or synchronize with an NTP server. Click to save and update.
Note: The HiveManager services will be restarted. After a minute, you can log back into the HiveManager.
Quick Start
Aerohive Base WLAN Policy Creation
Lab: Create Base WLAN Policy - 1. Add a new WLAN policy
Go to Configuration > Guided Configuration > WLAN Policies
Click New
Enter a WLAN Policy Name: WLAN-X
Go to next slide
Lab: Create Base WLAN Policy - 2. Create a New Hive
Click + to create a new Hive
Hive: Hive-X
Modify Encryption Protection: select Automatically generate Password
Save your Hive
Lab: Create Base WLAN Policy - 3. Create an SSID
– WLAN Policy – SSID Profiles: click Add/Remove SSID Profile
Click + to create a new SSID Profile
Go to next slide
Lab: Create Base WLAN Policy - 4. Configure SSID
– SSID Profile –
Profile Name: Class-PSK-X
SSID: Class-PSK-X
Note: The profile name typically matches the SSID unless you want different settings for the same SSID in different locations.
SSID Access Security: select WPA/WPA2 PSK (Personal)
– Use Default WPA/WPA2 PSK Settings
Key Value: aerohive123
Confirm Value: aerohive123
User Profile for Traffic Mgmt: click + to create a new user profile
IMPORTANT: For the SSID labs, please follow the class naming convention. SSIDs are broadcast over the air, so we do not want people to accidentally connect.
Lab: Create Base WLAN Policy - 5. Create User Profile for Employees
– SSID/User Profile –
Name: Employee(10)-X
Attribute Number: 10
Default VLAN: 1
Click Apply
Ensure your user profile is selected
Click Save to save the SSID
Lab: Create Base WLAN Policy - 6. Configure SSID
– WLAN Policy – SSID Profiles: select your SSID Class-PSK-X from the Available SSID Profiles list and use the right arrow button '>' to move it to the Selected SSID Profiles list
Click Apply
Really, make sure you click Apply
Do not save the WLAN policy; go to the next slide
Note: The WLAN policy must be assigned to one or more HiveAPs for it to take effect
Lab: Create Base WLAN Policy - 7. Create an NTP Server object
Configure the NTP server object to set the time zone and NTP server settings. This is important for any service that depends on time, such as VPN and RADIUS (which use certificates), schedules, Private PSK validity, etc.
From your WLAN policy, under the Optional Settings, expand Management Server Settings
Next to NTP Server, click +
Lab: Create Base WLAN Policy - 8. Configure NTP Server Settings
Name: Time-X
Time Zone: <Please use the time zone for the location of the class>
Uncheck Sync clock with HiveManager
NTP Server: pool.ntp.org
Click Apply
– Did you click Apply?
Click Save
Lab: Create Base WLAN Policy - 9. Save your WLAN Policy
Back in your WLAN policy, ensure NTP server is set to: Time-X
Click Save
Lab: Create Base WLAN Policy - 10. Verify Your WLAN Policy
After saving your WLAN policy, you can review the settings here by looking at the columns for your WLAN policy:
• Hive
• SSID Profiles
When done, click Monitor to go to the list of HiveAPs
Go to next slide
Provision HiveAPs With Base WLAN Policy
Wireless VPN Lab: Network IP Summary
[Network diagram, summarized:]
– WLAN Branch Office (HiveAP VPN clients): VPN Client X-A-HiveAP, address 10.5.1.? (learned through DHCP), gateway 10.5.1.1, behind the firewall FW (NAT) 2.2.2.2
– WLAN HQ (HiveAP VPN servers): VPN Server X-B-HiveAP, MGT0 10.8.1.X/24, gateway 10.8.1.1; RADIUS 10.8.1.200
– Firewall NAT rules: 1.1.1.X maps to 10.8.1.X
– Layer 3 IPsec VPN tunnels, IP headers: (10.5.1.?) 2.2.2.2 to 1.1.1.2
– Layer 2 GRE tunnels, IP headers: Tunnel0 10.8.1.X0 to 10.8.1.X
– VPN client tunnel address pool, AP VPN 1: 10.8.1.X0 – 10.8.1.X9
– Client PC: 10.8.20.?/24, GW 10.8.20.1
– DHCP Server, VLAN 20: Net 10.8.20.0/24, Pool 10.8.20.150 - 10.8.20.200, Gateway 10.8.20.1
Configure Your HiveAP-A (X-A-######)
Lab: Provision Two HiveAPs - 1. Modify your HiveAP-A
Click the Config radio button near the top of the screen to see the configuration view
Note that HiveAPs are set to the default WLAN policy and Hive
Select the check box next to your HiveAP X-A-###### and click Modify
Lab: Provision Two HiveAPs - 2. Modify settings for your HiveAP-A
Configure the HiveAP settings and WLAN Policy:
Location: <First-name_Last-name>
For WLAN Policy select: WLAN-X
Topology Map: ..Classroom
Select: Use both radios for client access
2.4GHz (wifi0) Power: 1
5GHz (wifi1) Power: 1
Click Save
Note: Because the APs are stacked on top of each other in a hosted rack and are connected via coax to the hosted PCs, please set the power level to 1. In a real deployment you can leave the power set to auto and ACSP will determine the appropriate power setting.
Configure Your HiveAP-B (X-B-######)
Lab: Provision Two HiveAPs - 3. Select and Modify your HiveAP-B
Verify the settings for your X-B-HiveAP by looking at the columns
Select the check box next to your HiveAP X-B-###### and click Modify
Lab: Provision Two HiveAPs - 4. Modify Settings for Your HiveAP-B
Location: <First-name_Last-name>
For WLAN Policy select: WLAN-X
– Assigning your HiveAP to a WLAN policy is how the HiveAP inherits the majority of its configuration settings
Topology Map: ..Classroom
Select: Use both radios for client access
Do not save
Go to the next slide
Lab: Provision Two HiveAPs - 5. Set Power and Static IP Address for HiveAP-B
2.4GHz (wifi0) Power: 1
5GHz (wifi1) Power: 1
This HiveAP will be a VPN server, so you will need to give it a static IP address:
[Optional Settings] Expand Interface and Network Settings
– Uncheck DHCP Client Enabled
– IP: 10.8.1.X
– Mask: 255.255.255.0
– Gateway: 10.8.1.1
Click Save
Go to the next slide
Lab: Provision Two HiveAPs - 6. View configuration and monitor status
Verify the settings for your X-B-HiveAP by looking at the columns. You can click Monitor view to see that the HiveAPs and HiveManager are not in sync; the green square and red triangle icon shows that.
You can click the Host Name column header to sort the HiveAPs by hostname
For Your Information, Outside US: Set the Country Code for World Mode HiveAPs
Note: Please do not perform in this class unless told to do so by your instructor!
Updating the country code on a HiveAP configures the radios to meet government requirements for a country.
You can update the country by going to Monitor > Access Points > New HiveAPs
Select all the HiveAPs, then click Update... > Update Country Code
Select the appropriate country code
Click Upload
Lab: Provision Two HiveAPs - 7. Update the Configuration on Your HiveAPs
Select the check box next to your two HiveAPs
Click Update > Upload and Activate Configuration
Lab: Provision Two HiveAPs - 8. Update the Configuration on Your HiveAP
Go to Configuration > Guided Configuration
Click Settings. Change Activation time to: Activate after [ 5 ] Seconds
– This is because mesh is not being used, and therefore you do not have to worry about cutting off connectivity to a mesh HiveAP
Click the Save icon
– These settings will remain for all subsequent uploads
Do not save. Go to the next slide
Lab: Provision Two HiveAPs - 9. Update the Configuration on Your HiveAPs
You can view the configuration that will be sent to the HiveAP if that interests you:
– Right click the hostname of the HiveAP
– Select View Configuration
– After reviewing, close the configuration window by clicking the [x]
Click Upload to update the configuration on your HiveAPs
Go to the next slide
Lab: Provision Two HiveAPs - 10. View The HiveAP Update Results
You will be taken to the results page so you can view the status of your update
If you leave this screen, you can go back by going to: Monitor > Access Points > HiveAP Update Results
Lab: Provision Two HiveAPs - 11. Monitor HiveAP Status
Go to Monitor > Access Points > HiveAPs. Your HiveAP will have moved from the New HiveAPs list to the Managed HiveAPs list. When the Audit column icon turns to two green squares and the Uptime changes back from 0, the first update is complete.
Note: You can expand or collapse the New HiveAPs list by clicking the arrow shown in the screenshot
Test Access to SSID Used In Base WLAN Policy
Test Base WLAN Policy
[Diagram, summarized:]
SSID: Class-PSK-X
Authentication: WPA or WPA2 Personal
Encryption: TKIP or AES
Preshared Key: aerohive123
User Profile 1: Employee(10)-X; Attribute: 10; VLAN: 1; IP Firewall: None; QoS: def-user-qos
Hosted PC Student-X, VLANs 1-20; AP Mgt0 IP 10.5.1.N/24 on VLAN 1; WLAN Policy: WLAN-X
Internal network: AD Server 10.5.1.10; DHCP settings (VLAN 1): network 10.5.1.0/24, pool 10.5.1.140 – 10.5.1.240; Internet
Client connects to SSID Class-PSK-X, IP 10.5.1.N/24, gateway 10.5.1.1
Access Your Hosted Client PC Using the Web for PC, Mac, or Linux
http://training-pcX.aerohive.com:5800
Click Options:
– Specify Encoding: Tight
– Click Close
VNC Authentication:
– Password: aerohive
– Click OK
Access Your Hosted Client PC Using the TightVNC Application
If you are using a Windows PC and you do not have Java installed, you can install the TightVNC client application
– TightVNC has good compression, so please use TightVNC for class instead of any other application
Start TightVNC
– VNC Host: training-pcX.aerohive.com
– Click Connect
– Password: aerohive
If you are not logged in: Login to Hosted PC
Click the button that sends a Control-Alt-Delete
Login: user
Password: Aerohive1
Lab: Test Base WLAN Policy - 1. Connect to the Class-PSK-X SSID
From the hosted PC:
– Double-click the wireless connection icon on the bottom right of the task bar
– Connect to your SSID: Class-PSK-X
– Passphrase/Network Key: aerohive123
– Click Connect
Lab: Test Base WLAN Policy - 2. View Active Clients List
After associating with your SSID, you should see your connection in the active clients list in HiveManager
– Go to Monitor > Clients > Active Clients
Your IP address should be from the 10.5.1.0/24 network
To change the layout of the columns in the Active Clients list, you can click the icon with a pencil in it (click here to modify the displayed columns)
Lab: Test Base WLAN Policy - 3. Modify Columns in the Active Clients List
For this class, you can add the User Profile Attribute, VLAN and BSSID
Move them right after Channel in the Select Columns list
Click Save
You should now see:
– BSSID: <MAC Address>
– User Profile Attribute: 10
– VLAN: 1
Using RADIUS for Authentication
Create SSID Using WPA/WPA2 Enterprise (802.1X)
LAB: Secure WLAN Access Test With 802.1X: Diagram
[Diagram, summarized:]
Student-X, VLANs 1-20; AP Mgt0 IP 10.5.1.N/24 on VLAN 1; WLAN Policy: WLAN-X
AD (IAS-RADIUS) Server: 10.5.1.10
DHCP settings: (VLAN 1) network 10.5.1.0/24, pool 10.5.1.140 – 10.5.1.240; (VLAN 10) network 10.5.10.0/24, pool 10.5.10.140 – 10.5.10.240; Internet
Client connects to SSID Class-802.1X-X, IP 10.5.10.N/24, gateway 10.5.10.1
SSID: Class-802.1X-X
Authentication: WPA or WPA2 Personal
Encryption: TKIP or AES
User Profile 1: Employee(10)-X; Attribute: 10 (RADIUS attribute returned); VLAN: 1; IP FW From Access: FromClient-X (Default Deny); IP FW To Access: Employee-Default
User Profile 2: Attribute: 1000 (no RADIUS attribute returned); VLAN: 10; IP FW: Employee-Default (Default Deny)
On Local RADIUS Server: Configuring RADIUS Clients
For HiveAPs that are not VPN clients, set the RADIUS server to accept RADIUS messages from the MGT0 interface IP on all HiveAPs.
This class uses: 10.5.1.0/24
Click Next
On Local RADIUS Server: Configuring RADIUS Clients
Set the shared secret to secure the communication between the HiveAPs and the RADIUS server.
This class uses: aerohive123
Note: For a real network, please use a longer, more secure key
LAB: Secure WLAN Access With 802.1X - 1. Edit your WLAN Policy and Add SSID Profile
An 802.1X capable SSID and related settings can be configured from your WLAN Policy
Go to Configuration > WLAN Policies
Edit WLAN-X. Under SSID Profiles click Add/Remove SSID Profile
Create a new SSID Profile
– Click +
Go to Next Slide
LAB: Secure WLAN Access With 802.1X - 2. Configure SSID and RADIUS Server
Profile Name: Class-802.1X-X
SSID: Class-802.1X-X
SSID Access Security
– Select: WPA/WPA2 802.1X (Enterprise)
Next to RADIUS Server
– Click +
Go to Next Slide
LAB: Secure WLAN Access With 802.1X - 3. Configure RADIUS Server
Define RADIUS Server Settings. Click the radio button for: External RADIUS Server
Profile Name: RADIUS-X
Primary RADIUS Server: 10.5.1.10
Shared Secret: aerohive123
Confirm Secret: aerohive123
Click Apply
Go to Next Slide
LAB: Secure WLAN Access With 802.1X - 4. Configure SSID with RADIUS and User Profile
Back in your SSID configuration, make sure your RADIUS server is selected: RADIUS-X
Specify the User Profile assigned if no attribute is returned from RADIUS after successful authentication: Employees(1000)
Note: This user profile was created by the Instructor
Specify the User Profiles assigned via attributes returned from RADIUS after successful authentication: Employee(10)-X
Save your SSID
Go to Next Slide
LAB: Secure WLAN Access With 802.1X - 5. Remove Existing SSID and Add New SSID
To clean up the air in the data center, remove all other SSID profiles from the Selected SSID Profiles list using the << button
– You should have no SSID Profiles listed under the Selected SSID Profiles list
From the Available SSID Profiles, select Class-802.1X-X and use the > button to move it to the Selected SSID Profiles list
Click Apply ---- Please, please, please click Apply!
Go to Next Slide
LAB: Secure WLAN Access With 802.1X - 6. Verify Configuration and Save WLAN Policy
Verify your 802.1X SSID is listed under the SSID profiles and that your SSID is mapped to two different user profiles: Employees(1000) and Employee(10)-X
Save your WLAN Policy
From the WLAN policy summary you can verify your SSID Class-802.1X-X is assigned to your WLAN Policy
LAB: Secure WLAN Access With 802.1X - 7. Update delta configuration of your HiveAP
From Monitor > HiveAPs select both of your HiveAPs: X-A-HiveAP and X-B-HiveAP
Select Update... > Upload and Activate Configuration
If you want to see the delta configuration, click the link for your HiveAP
– Close the View Configuration window after viewing the delta configuration changes
Click Upload
[Screenshot callout: click the HiveAP link to view the delta configuration]
Configuring and Testing Your 802.1X Supplicant
For Microsoft XP and Vista Supplicants
Connect to 802.1X SSID (First Attempt Will Fail)
On the remote hosted PC, from the Microsoft wireless client:
– Click Class-802.1X-X
– Click Connect
Note: The connection will fail because Windows XP defaults to Smart Card or Other Certificates (EAP-TLS) instead of PEAP
– However, the SSID entry will be created, so all you have to do is modify it
Click Change Advanced Settings
Microsoft Wireless Network Client: 802.1X Supplicant Configuration
View your Wireless Connections, then click to Change advanced settings
In the Wireless network properties window enter the following:
– Change EAP Type to: Protected EAP (PEAP)
Click OK
SSID Should Now Be Connected
Your client will automatically connect to the Class-802.1X-X SSID
View Active Clients
After associating with your SSID, you should see your connection in the active clients list in HiveManager
– Go to Monitor > Client > Active Clients
User Name: AHDEMO\user
BSSID: <The MAC address for your AP's SSID>
VLAN: 1
User Profile Attribute: 10
Example: Troubleshooting an Invalid User Profile Returned From RADIUS
From Monitor > Access Points > HiveAPs (Monitor View): if you see an alarm when trying to perform 802.1X, click the alarm icon
This alarm specifies that an attribute was returned from the RADIUS server that is not defined on the HiveAP; in this case 50
Select the check box next to the alarm and then click Clear
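The rules on the preceding 802.1X slides (the user profile is chosen by the attribute RADIUS returns; Employees(1000) is used when no attribute comes back) and the alarm above (attribute 50, which the HiveAP does not know) can be exercised offline. The following Python is an added example, not Aerohive code: it parses a constructed RADIUS Access-Accept and applies those rules. Two assumptions are built in and labelled in the code: that the profile number arrives in Tunnel-Private-Group-ID (RADIUS attribute type 81), since this page does not say which attribute HiveOS reads, and that an unknown attribute yields no profile, since the page only states that an alarm is raised.

```python
"""Added example, not Aerohive code: map the attribute returned by RADIUS to a
HiveAP user profile the way the 802.1X lab describes.  Assumptions: the profile
number travels in Tunnel-Private-Group-ID (RADIUS attribute type 81); an
unknown attribute yields no profile plus an alarm (the page only states the
alarm)."""
import struct

ACCESS_ACCEPT = 2
PROFILE_ATTR_TYPE = 81  # assumption: Tunnel-Private-Group-ID (RFC 2868)


def parse_radius(packet: bytes):
    """Return (code, [(type, value), ...]) from an RFC 2865 packet: code,
    identifier, length, 16-byte authenticator, then type/length/value
    attributes.  Bad lengths raise instead of being skipped."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    avps, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        avps.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, avps


def returned_profile_attribute(packet: bytes):
    """Integer profile attribute carried in an Access-Accept, or None when the
    reply carries none (the 'no attribute returned' case on the slide)."""
    code, avps = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    for atype, value in avps:
        if atype == PROFILE_ATTR_TYPE:
            if value and value[0] <= 0x1F:  # optional RFC 2868 tag byte
                value = value[1:]
            return int(value.decode("ascii"))
    return None


class SsidProfilePolicy:
    """The SSID's two profile settings from the lab: the profile used when no
    attribute comes back, and the profiles reachable via attribute number."""

    def __init__(self, default_profile, attribute_profiles):
        self.default_profile = default_profile
        self.attribute_profiles = dict(attribute_profiles)
        self.alarms = []  # stands in for the HiveManager alarm on the slide

    def resolve(self, username, access_accept):
        attr = returned_profile_attribute(access_accept)
        if attr is None:
            return self.default_profile
        profile = self.attribute_profiles.get(attr)
        if profile is None:
            self.alarms.append(
                f"{username}: RADIUS returned attribute {attr}, "
                "which is not defined on the HiveAP")
            return None  # assumption: no profile assigned in this case
        return profile


def build_access_accept(ident, profile_attr=None):
    """Constructed test data: an Access-Accept with a zeroed authenticator
    (not computed, since only attribute parsing is shown here)."""
    body = b""
    if profile_attr is not None:
        value = b"\x00" + str(profile_attr).encode("ascii")  # tag 0 + number
        body += bytes([PROFILE_ATTR_TYPE, 2 + len(value)]) + value
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + bytes(16) + body


if __name__ == "__main__":
    policy = SsidProfilePolicy("Employees(1000)", {10: "Employee(10)-X"})
    print(policy.resolve("AHDEMO\\user", build_access_accept(1, 10)))  # Employee(10)-X
    print(policy.resolve("AHDEMO\\user", build_access_accept(2)))      # Employees(1000)
    print(policy.resolve("AHDEMO\\user", build_access_accept(3, 50)))  # None
    print(policy.alarms)
```

The third call reproduces the troubleshooting slide: the reply carries attribute 50, no profile matches, and an alarm is recorded. The parser rejects mismatched length fields rather than skipping over them, which is the behaviour you want in anything that consumes packets from a network you do not fully control.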
Generate HiveAP RADIUS Server Certificates
Required when HiveAPs are configured as RADIUS servers or VPN servers
LAB: Generate a Root CA Certificate for HiveManager (Instructor Only)
Go to Configuration > Advanced Configuration > Keys and Certificates > HiveManager CA
Fill in the requested information and choose a secure password
Click Create
Remember this password
HiveManager Root CA Certificate: Location and Uses
To view certificates, go to: Configuration > Advanced Configuration > Keys and Certificates > Certificate Mgmt
This root CA certificate is used to:
– Sign the CSR (certificate signing request) that the HiveManager creates on behalf of the AP acting as a RADIUS or VPN server
– Validate HiveAP certificates to remote clients
• 802.1X clients (supplicants) will need a copy of the CA certificate in order to trust the certificates on the HiveAP RADIUS server(s)
Root CA Cert Name: "AerohiveHMCA.pem"
Root CA Key Name: hm_key.pem
LAB: HiveAP Server Certificate and Key - 1. Generate HiveAP Server Certificate
Go to Configuration > Advanced Configuration > Keys and Certificates > Server CSR
Common Name: HiveAP-Server-X
Note: This is usually the FQDN of the HiveAP
Organizational Name: Company
Organization Unit: Department
Locality Name: City
State/Province: <2 Characters>
Country Code: <2 Characters>
Email Address: [email protected]
Subject Alternative Name: <Leave empty>
Note: This is used if you want to generate unique certificates for each HiveAP VPN server, and you want to have HiveAP VPN clients validate one of these fields. See notes below the slide.
Key Size: 1024
Password & Confirm: aerohive123
CSR File Name: HiveAP-X
Click Create
Remember Password
LAB: HiveAP Server Certificate and Key - 2. Sign and Combine!
Select Sign by HiveManager CA
– The HiveManager CA will sign the HiveAP server certificate
The validity period should be the same as or less than the number of days the HiveManager CA certificate is valid
– Validity: 1826 (5 years + leap day)
Check Combine key and certificate into one file
– Enabling this setting helps prevent certificate and key mismatches when configuring the RADIUS settings
Click OK
LAB: HiveAP Server Certificate and Key - 3. View HiveAP Certificate and Key File
To view certificates, go to: Configuration > Advanced Configuration > Keys and Certificates > Certificate Mgmt
The certificate and key file name is: HiveAP-X_key_cert.pem
Using HiveAPs as IPsec VPN Clients and IPsec VPN Servers to Provide VPN Connections with Wireless LANs
Wireless VPN, Version 3.5r1
Wireless VPN Overview (for your reading pleasure)
Aerohive's Wireless VPN delivers a simple and cost effective solution for mobile workers in remote locations like branch offices, teleworker home offices, and conference centers to securely access corporate resources through a layer 2 IPsec VPN. Built upon Aerohive's cooperative control architecture, Aerohive's wireless VPN has the advantages of being implemented on a highly resilient architecture utilizing best path forwarding, policy enforcement at the edge with user-based QoS and firewall policy, and branch office services including DHCP and RADIUS, which are centrally managed using HiveManager, Aerohive's WLAN management platform.
Aerohive's Wireless VPN solution allows workers in remote offices using wireless or Ethernet connected laptops, desktops, and phones to directly access their corporate network through a secure layer 2 IPsec VPN. This gives workers access to resources as if they were physically attached to the corporate network, while they still have direct access to local branch or home office devices, like printers and file servers, that may or may not be corporate resources. This is made possible with best path forwarding, split tunneling, and NAT technology. To protect corporate resources, stations attached to the branch office that do not meet the policy specifications for the VPN will not be able to access the corporate network or locally attached corporate devices.
Wireless VPN Benefits (for your reading pleasure)
Easy to Use
– L2 IPsec VPN solution simplifies deployment, because it extends the local network across the VPN without the need to dedicate subnets for each remote site and set up DHCP relays on branch routers or firewalls
– Automatic certificate creation and distribution for validating VPN devices
– Profile-based Split Tunneling
• Users and services can be bridged locally or tunneled based on user profile
Flexible
– Single mode of operation supports all deployments
– Supported on all HiveAP platforms, hardware acceleration in the 300 series
– Multiple end point support
• Backup VPN gateway support
• Distributed Wireless VPN tunnel termination
Complete Functionality
– Multiple AP support with secure and fast roaming
– Mesh Portals and Mesh Points supported
– RADIUS, DHCP, NTLM, LDAP and NTP can selectively go to the local or remote network
– Rogue AP and rogue client detection, DoS prevention, Firewall, and QoS all occur locally on the remote HiveAP
Economical
– No license fees for wireless VPN, or any of the other features on the HiveAPs
– For the cost of an AP, you get wireless VPN servers
[Diagram: Teleworker Home Office (please view notes below slide). Headquarters with HiveAP1 and HiveAP2 as VPN servers in a DMZ, a DHCP server, Corporate Wi-Fi Devices VLAN 10 10.5.10.0/24 and Corporate Wi-Fi Voice VLAN 11 10.5.11.0/24. Home office: HiveAP 5 VPN Client 192.168.1.2 behind the Internet Provider Gateway 192.168.1.1, with IPsec primary and backup VPN tunnels over the Internet; Work Laptop on SSID Corp 10.5.10.51; Work Phone on SSID Voice 10.5.11.33; Home PC with Printer 192.168.1.5; Home Laptop on SSID Home 192.168.1.6.]
[Diagram: Branch Office VPN with Bridging. Headquarters as above. Branch office: HiveAP3 VPN Client 192.168.1.5 and HiveAP4 VPN Client 192.168.1.6 behind Gateway 192.168.1.1, wired and wireless, with IPsec primary and backup VPN tunnels; Laptop on SSID Corp 10.5.10.12; Phone 10.5.11.5; Phone on SSID Voice 10.5.11.33; Printer 10.5.10.11; Desktop 10.5.10.10; Guest Laptop on SSID Guest 192.168.1.50.]
Create VPN Services Policy
Wireless VPN Lab: Lab Network Diagram
Configure two HiveAPs:
– HiveAP-A will be a VPN client
– HiveAP-B will be a VPN server
[Diagram, summarized:]
HiveAP-A (VPN Client): Hostname X-A-<6 digits of MAC>; Hive: Hive-X; Interface mgt0: 10.5.1.<DHCP>/24 VLAN 1; Interface tunnel0: 10.8.1.X0; WLAN Policy: WLAN-X
HiveAP-B (VPN Server): Hostname X-B-<6 digits of MAC>; Hive: Hive-X; Interface mgt0: 10.8.1.X/24 VLAN 1; VPN IP Pool: 10.8.1.X0 - 10.8.1.X9; WLAN Policy: WLAN-X
Firewall: client side 2.2.2.2, server side 1.1.1.1; NAT Policy: 1.1.1.X to 10.8.1.X; NAPT Policy: ANY to 2.2.2.2
HQ servers: AD 10.8.1.200 (VLAN 1), WEB 10.8.20.150 (VLAN 20)
LAB: Create VPN Services Policy - 1. Create VPN Policy
Modify your WLAN Policy: Configuration > WLAN Policies > WLAN-X
| Optional Settings |
VPN Service Settings
– VPN Service: click + to create a new VPN services policy
Go to Next Slide
LAB: Create VPN Services Policy - 2. Define Name and IP Settings
Profile Name: VPN-X
Server Public IP: 1.1.1.X
Server MGT0 IP Address: 10.8.1.X
VPN Client Tunnel Interface Pool:
Note: It is recommended that the pool is in the same subnet as the MGT0 interface of the HiveAP VPN server. This pool is used for GRE tunnel IP addresses on HiveAP VPN clients.
– Client Tunnel IP Address Pool Start: 10.8.1.X0
– Client Tunnel IP Address Pool End: 10.8.1.X9
– Client Tunnel IP Address Netmask: 255.255.255.0
Go to Next Slide
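The values on the slide above follow a pattern in the student number X, and the note carries one piece of guidance worth checking before clicking Apply: the client tunnel pool should live in the same subnet as the VPN server's MGT0 interface. The following Python is an added example, not Aerohive code. It derives the VPN-X values for a given X and checks them; the checks that the pool does not swallow the server's own MGT0 IP or the gateway, and that no two students' pools overlap, go beyond what the slide states and are this example's own additions.

```python
"""Added example, not Aerohive code: derive the VPN services policy values the
lab assigns to student X and sanity-check them against the guidance on the
slide (the client tunnel pool should sit in the same subnet as the VPN
server's MGT0 interface).  The overlap checks against the MGT0 IP, the
gateway and other students' pools are this example's additions."""
import ipaddress
from itertools import combinations


def vpn_service_policy(x, gateway="10.8.1.1"):
    """The lab's VPN-X values, built from the slide's 'X' pattern."""
    return {
        "profile_name": f"VPN-{x}",
        "server_public_ip": f"1.1.1.{x}",
        "server_mgt0_ip": f"10.8.1.{x}",
        "server_mgt0_netmask": "255.255.255.0",
        "gateway": gateway,
        "pool_start": f"10.8.1.{x}0",   # 10.8.1.X0
        "pool_end": f"10.8.1.{x}9",     # 10.8.1.X9
        "pool_netmask": "255.255.255.0",
    }


def check_vpn_service_policy(p):
    """Return a list of problems; an empty list means the policy passes."""
    problems = []
    mgt0_ip = ipaddress.ip_address(p["server_mgt0_ip"])
    mgt0_net = ipaddress.ip_network(
        f"{p['server_mgt0_ip']}/{p['server_mgt0_netmask']}", strict=False)
    start = ipaddress.ip_address(p["pool_start"])
    end = ipaddress.ip_address(p["pool_end"])
    if start > end:
        problems.append("pool start is after pool end")
    if start not in mgt0_net or end not in mgt0_net:
        # the slide's recommendation: pool in the MGT0 subnet
        problems.append("tunnel pool is not in the VPN server's MGT0 subnet")
    pool_net = ipaddress.ip_network(
        f"{p['pool_start']}/{p['pool_netmask']}", strict=False)
    if pool_net.netmask != mgt0_net.netmask:
        problems.append("tunnel netmask differs from the MGT0 netmask")
    # Additional checks (this example's own): the pool must not hand out the
    # server's address or the default gateway to a VPN client.
    for label, addr in (("server MGT0 IP", mgt0_ip),
                        ("gateway", ipaddress.ip_address(p["gateway"]))):
        if start <= addr <= end:
            problems.append(f"tunnel pool contains the {label}")
    if ipaddress.ip_address(p["server_public_ip"]) in mgt0_net:
        problems.append("server public IP lies inside the private MGT0 subnet")
    return problems


def overlapping_pools(policies):
    """Pairs of profile names whose tunnel pools overlap, i.e. two VPN servers
    that would hand out the same tunnel addresses."""
    ranges = [(p["profile_name"], ipaddress.ip_address(p["pool_start"]),
               ipaddress.ip_address(p["pool_end"])) for p in policies]
    return [(a, b) for (a, sa, ea), (b, sb, eb) in combinations(ranges, 2)
            if sa <= eb and sb <= ea]


if __name__ == "__main__":
    for x in (3, 15):
        print(vpn_service_policy(x)["profile_name"],
              check_vpn_service_policy(vpn_service_policy(x)) or "ok")
    print(overlapping_pools([vpn_service_policy(x) for x in range(2, 16)]))
```

Running it over student IDs 2 through 15 shows that the X0–X9 pattern keeps every pool inside 10.8.1.0/24 and clear of the 10.8.1.2–10.8.1.15 server addresses, and that no two students' pools collide.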
LAB: Create VPN Services Policy - 3. Assign VPN Certificates for VPN Server
IPsec VPN Certification Authority Settings:
– VPN Certificate Authority: AerohiveHMCA.pem
– VPN Certificate: HiveAP-X_key_cert.pem
– VPN Cert Private Key: HiveAP-X_key_cert.pem
Optional Settings
– VPN Client Credentials: These are VPN XAUTH credentials that get generated automatically. A unique credential gets created for each tunnel interface IP address in the tunnel interface address pool.
• Nothing needs to be done here
Go to Next Slide
LAB: Create VPN Services Policy
How XAUTH Credentials are Used
– The default IKE peer authentication method for the wireless VPN is "hybrid"
– In hybrid mode:
• The VPN server authenticates itself to the client with an RSA signature. This requires the server to have a server certificate, and the client must have the root CA certificate that signed the server certificate so it can validate the server.
• The server authenticates the client using XAuth
– HiveManager generates a set of credentials (a random string for the username and another for the password) for each HiveAP VPN client and HiveAP VPN server pair
– When the VPN client authenticates to the VPN server with valid credentials, the tunnel can be established
– If the credentials are removed from either the VPN client or the VPN server, the tunnel cannot be established
LAB: Create VPN Services Policy
4. View Advanced Server Options
– Expand Advanced Server Options
– No changes are necessary for the following options:
• IKE Phase 1 Options
• IKE Phase 2 Options
• Enable peer IKE ID validation
– Go to next slide
LAB: Create VPN Services Policy
5. Configure Advanced Client Options
– Expand Advanced Client Options
• Set the HiveAP VPN client to use DNS server through tunnel: 10.5.1.10
– Management Traffic Tunnel Options: determine which traffic from the HiveAP is sent through the tunnel
• SNMP Traps
• RADIUS
Note: Set these so that RADIUS messages and SNMP traps generated by the HiveAP VPN clients are sent through the VPN tunnel to the servers on the HQ network.
– Client IKE Settings: check Enable NAT traversal
• Adds a UDP header with port 4500 to the IPsec packets so they can pass through the NAT/NAPT firewall
– Go to next slide
For Redundancy: Dead Peer Detection and AMRP Heartbeat Settings
– Used for switching between HiveAP VPN Server 1 and HiveAP VPN Server 2 upon failure
– DPD verifies IKE Phase 1
• Send a heartbeat every 10 seconds (by default)
• If one heartbeat is missed, send at the Retry Interval instead of at the normal Interval setting
• If the specified number of retries is missed, fail over to the backup VPN server
– AMRP verifies end to end through the GRE and VPN tunnel
• Send a heartbeat every 10 seconds (by default)
• If one heartbeat is missed, send at 1-second intervals instead of at the normal Interval setting
• If the specified number of retries is missed, fail over to the backup VPN server
– Default DPD failover time: ~16 seconds
– Default AMRP failover time: ~21 seconds
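A model of the heartbeat-and-retry behaviour described above, added here as an example (this is not Aerohive code). The 10-second interval is the slide's stated default; the retry spacing and retry counts in `DPD_ASSUMED` and `AMRP_ASSUMED` are assumptions chosen so the model lands on the slide's approximate ~16 s and ~21 s figures, and the real defaults must be read from HiveManager. What the model adds to the slide is the difference between worst-case and best-case detection time, which depends on where in the heartbeat cycle the peer dies.

```python
"""Heartbeat-based dead-peer detection with a faster retry phase (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HeartbeatPolicy:
    interval: float        # seconds between heartbeats while the peer answers
    retry_interval: float  # probe spacing (and per-probe timeout) once one is missed
    retries: int           # consecutive misses that trigger failover


# The 10 s interval is the slide's default.  Retry spacing and counts are ASSUMED
# so that the model reproduces the slide's ~16 s (DPD) and ~21 s (AMRP) figures.
DPD_ASSUMED = HeartbeatPolicy(interval=10.0, retry_interval=2.0, retries=3)
AMRP_ASSUMED = HeartbeatPolicy(interval=10.0, retry_interval=1.0, retries=11)


def failover_time(policy: HeartbeatPolicy, last_reply: float, peer_down_at: float) -> float:
    """Time at which this side declares the peer dead and fails over.

    last_reply   : when the last heartbeat was answered
    peer_down_at : when the peer silently stopped answering
    A probe sent at time t is answered iff t < peer_down_at; an unanswered
    probe is noticed retry_interval later, and the next probe goes out then.
    """
    t, misses, spacing = last_reply, 0, policy.interval
    while True:
        sent = t + spacing
        if sent < peer_down_at:            # answered: back to the normal cadence
            t, misses, spacing = sent, 0, policy.interval
            continue
        misses += 1
        t = sent + policy.retry_interval   # this probe timed out
        if misses >= policy.retries:
            return t
        spacing = 0.0                      # retry immediately after the timeout


def detection_latency(policy: HeartbeatPolicy, last_reply: float, peer_down_at: float) -> float:
    """Seconds between the peer dying and failover being declared."""
    return failover_time(policy, last_reply, peer_down_at) - peer_down_at


if __name__ == "__main__":
    for name, pol in (("DPD", DPD_ASSUMED), ("AMRP", AMRP_ASSUMED)):
        worst = detection_latency(pol, 0.0, 0.0)          # peer dies right after a reply
        best = detection_latency(pol, 0.0, pol.interval)  # peer dies just before the next probe
        print(f"{name}: failover {worst:.0f}s after the failure (worst case), {best:.0f}s (best case)")
```

The worst case is the one the slide quotes: a peer that dies immediately after answering is not probed again for a full interval, so the full interval plus all the retries elapse before failover. Shortening the interval buys faster detection at the cost of more keepalive traffic on every tunnel.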
LAB: Create VPN Services Policy
6. Save VPN Services Policy
– Save the VPN Service Settings
LAB: Create VPN Services Policy
7. Modify SSID to Add New User VPN Policy
– Back in your WLAN Policy, ensure your VPN Service Policy is set to VPN-X
– Do not save your WLAN policy at this time
– Go to the next slide
Configure 802.1X SSID for Wireless VPN Access
Wireless VPN Labs: Network IP Summary

Diagram (repeated from the earlier Network IP Summary slide, with the VPN client's Tunnel0 interface added):
– WLAN Branch Office (HiveAP VPN clients): VPN Client X-A-HiveAP, mgt0 10.5.1.?/24, Tunnel Interface 10.8.1.X0, Gateway 10.5.1.1; FW (NAT) public IP 2.2.2.2
– WLAN HQ (HiveAP VPN servers): VPN Server X-B-HiveAP, MGT0 10.8.1.X/24, Gateway 10.8.1.1; Firewall NAT rules 1.1.1.X -> 10.8.1.X; RADIUS 10.8.1.200
– Client PC 10.8.20.?/24, GW 10.8.20.1; DHCP Server for VLAN 20: Net 10.8.20.0/24, Pool 10.8.20.150 - 10.8.20.200, Gateway 10.8.20.1
– Layer 3 IPsec VPN tunnel IP headers: (10.5.1.?) 2.2.2.2 -> 1.1.1.X
– Layer 2 GRE tunnel IP headers: Tunnel0 10.8.1.X0 -> 10.8.1.X9
– ? = address learned through DHCP; VPN client tunnel address pool (AP VPN 1): 10.8.1.X0 - 10.8.1.X9
Tunnel Traffic Header Overview

Diagram (labels recovered from the slide; the numbered callouts 1-8 follow the traffic from the branch office to corporate headquarters):
– Branch Office: Wireless Client (MAC 0022.22aa.aa22, VLAN 20, IP 10.8.20.50) -> HiveAP 1, VPN Client (MGT0 10.5.1.100, Tunnel0 10.8.1.50) -> FW: public IP 2.2.2.2, AP private IP 10.5.1.100 (NAPT: ANY -> 2.2.2.2) -> Internet
– Corporate Headquarters: FW: public IP 1.1.1.2 (NAT: 1.1.1.2 -> 10.8.1.2) -> HiveAP VPN Server (MGT0 10.8.1.2) -> Corporate Server (MAC 0011.11bb.bb11, VLAN 20, IP 10.8.20.150)
– Layer 2 client data: Client Traffic 10.8.20.50 / 0022.22aa.aa22 <-> 10.8.20.150 / 0011.11bb.bb11, VLAN Tag 20
– GRE Tunnel: encapsulates the client's Layer 2 traffic; Tunnel0 10.8.1.50 -> MGT0 10.8.1.2
– IPsec (ESP) Tunnel: encrypts the GRE and client traffic
– NAT Traversal: UDP, Src & Dst Port 4500; the source port changes with NAPT
– Outer IP: MGT0 IP 10.5.1.100 -> 1.1.1.2 before NAT; 2.2.2.2 -> 1.1.1.2 on the Internet; after NAT the destination becomes 10.8.1.2
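The header stack from the diagram above, built in code as an added example (not Aerohive code and not a packet the HiveAP actually emits). It walks the client's tagged Ethernet frame through GRE, ESP, NAT-T UDP/4500 and the outer IP header, applies the branch NAPT and the HQ destination NAT, and then answers the question the diagram raises but does not state: how much of a 1500-byte MTU is left for client payload. Standard header sizes are used; the ESP cipher parameters (16-byte IV, 12-byte ICV, 16-byte block padding) and the NAPT source port are assumptions, since the slide does not name the IPsec proposal.

```python
"""Header stack of one wireless-VPN client packet (added example)."""
from dataclasses import dataclass, field, replace
from typing import List

# Fixed protocol header sizes in bytes.
ETH_HDR, DOT1Q_TAG, IPV4_HDR, UDP_HDR, GRE_HDR = 14, 4, 20, 8, 4
# ESP parameters are an ASSUMPTION (AES-CBC with a 16-byte IV, HMAC-SHA1-96 ICV);
# the slide does not state the IPsec proposal.
ESP_SPI_SEQ, ESP_IV, ESP_ICV, ESP_BLOCK = 8, 16, 12, 16


@dataclass
class Layer:
    name: str
    src: str
    dst: str
    size: int           # bytes this layer adds


@dataclass
class Packet:
    layers: List[Layer] = field(default_factory=list)   # innermost first

    def total(self) -> int:
        return sum(layer.size for layer in self.layers)

    def outer(self) -> Layer:
        return self.layers[-1]


def esp_overhead(inner_len: int) -> int:
    """ESP tunnel-mode bytes wrapped around an inner packet of inner_len bytes:
    SPI+sequence, IV, padding up to the cipher block, 2-byte trailer, ICV."""
    pad = -(inner_len + 2) % ESP_BLOCK
    return ESP_SPI_SEQ + ESP_IV + pad + 2 + ESP_ICV


def encapsulate(client_payload: int, client_mac: str, server_mac: str, vlan: int,
                tunnel0: str, server_mgt0: str, client_mgt0: str, server_public: str) -> Packet:
    """Stack as it leaves the VPN-client HiveAP, before the branch NAPT firewall."""
    p = Packet()
    p.layers.append(Layer(f"client L2 frame, 802.1Q tag {vlan}", client_mac, server_mac,
                          ETH_HDR + DOT1Q_TAG + client_payload))
    p.layers.append(Layer("GRE over IPv4 (Tunnel0 -> server mgt0)", tunnel0, server_mgt0,
                          IPV4_HDR + GRE_HDR))
    p.layers.append(Layer("ESP tunnel mode", "-", "-", esp_overhead(p.total())))
    p.layers.append(Layer("UDP NAT-T", "4500", "4500", UDP_HDR))
    p.layers.append(Layer("outer IPv4", client_mgt0, server_public, IPV4_HDR))
    return p


def napt(p: Packet, public_ip: str, new_src_port: int) -> Packet:
    """Branch firewall: rewrite the outer source IP and the UDP source port."""
    layers = [replace(layer) for layer in p.layers]
    layers[-1].src = public_ip
    layers[-2].src = str(new_src_port)
    return Packet(layers)


def dst_nat(p: Packet, private_ip: str) -> Packet:
    """HQ firewall: map the server's public address to its mgt0 address."""
    layers = [replace(layer) for layer in p.layers]
    layers[-1].dst = private_ip
    return Packet(layers)


def max_client_payload(mtu: int = 1500) -> int:
    """Largest client payload whose fully encapsulated packet still fits in mtu bytes."""
    for payload in range(mtu, -1, -1):
        if encapsulate(payload, "", "", 20, "", "", "", "").total() <= mtu:
            return payload
    return 0


if __name__ == "__main__":
    pkt = encapsulate(1000, "0022.22aa.aa22", "0011.11bb.bb11", 20,
                      "10.8.1.50", "10.8.1.2", "10.5.1.100", "1.1.1.2")
    on_internet = napt(pkt, "2.2.2.2", 51000)          # 51000 is an assumed NAPT port
    at_server = dst_nat(on_internet, "10.8.1.2")
    for layer in reversed(at_server.layers):
        print(f"{layer.name:42} {layer.src:>16} -> {layer.dst:<16} {layer.size:5} B")
    print(f"on-wire size {at_server.total()} B; max client payload in 1500 B: {max_client_payload()}")
```

Only the outermost IP and UDP headers change across the two firewalls; the ESP-protected GRE and client headers are untouched, which is why the NAT-traversal option has to be enabled on the client side for the ESP packet to survive NAPT at all. The payload figure also shows why client MTU or fragmentation problems surface first on tunneled SSIDs.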
Instructor Only: On Local RADIUS Server
Configuring HiveAP RADIUS Clients
– For HiveAPs that are VPN clients, set the RADIUS server to accept RADIUS messages from the tunnel IP address pool that the HiveAP VPN server assigns to HiveAP VPN clients
– For this class, the tunnel IP pool assigned to HiveAP VPN clients is: 10.8.1.0/24
– Click Next
Instructor Only: On Local RADIUS Server
Configuring HiveAP RADIUS Clients
– Set the shared secret to secure the communication between the HiveAPs and the RADIUS server
• For this class use: aerohive123
– Click Finish
Note: For a real network, please use a more secure key
LAB: Configure SSID for Wireless VPN
1. Create New RADIUS Server Object for SSID
– Configure a new RADIUS server for your SSID that is reachable through the VPN
– From inside your WLAN policy, click the link to modify your SSID: Class-802.1X-X
LAB: Configure SSID for Wireless VPN
2. Configure RADIUS Server Object
– Define RADIUS server settings for use with wireless clients through the VPN
– Next to RADIUS Server, click +
– Click the radio button for External RADIUS Server
– Profile Name: RADIUS-VPN-X
– Primary RADIUS Server: 10.8.1.200
– Shared Secret: aerohive123
– Confirm Secret: aerohive123
– Click Apply to save the new RADIUS object
– Do not save; go to next slide
LAB: Configure SSID for Wireless VPN
3. Modify Employee User Profile
– Select the Employee(10)-X user profile from the Selected user profile list
– Click the Modify icon
LAB: Configure SSID for Wireless VPN
4. Change VLAN and Add VPN Settings
– Set the user profile to use the VPN and a new VLAN
– Assign the Default VLAN: 20
– Under Optional Settings, expand GRE or VPN Tunnels
• Select: VPN tunnel for client traffic
– Split Tunnel: select Split Tunnel with NAT to Local Subnet and Internet
– Click Save
LAB: Configure SSID for Wireless VPN
5. Save your SSID
– Save your SSID
Split Tunnel Firewall Policy: Automatically Created
– When you select the option to use split tunnel to local subnet and Internet, the following policy is created on the HiveAP
– This policy is not displayed in HiveManager

From Access Firewall Policy
Source IP     Destination IP    Service       Action
0.0.0.0/0     0.0.0.0/0         DHCP-Server   Permit (tunnel)
0.0.0.0/0     10.5.1.0/24       Any           NAT
0.0.0.0/0     10.0.0.0/8        Any           Permit (tunnel)
0.0.0.0/0     172.16.0.0/12     Any           Permit (tunnel)
0.0.0.0/0     192.168.0.0/16    Any           Permit (tunnel)
0.0.0.0/0     0.0.0.0/0         Any           NAT

– Note: by default there is no To Access firewall policy, so if you want traffic to be initiated from HQ to the wireless clients through the VPN, you will need to create a To Access policy that permits that access
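The rule table above evaluated in code, as an added example (not HiveOS code): the six rules are applied top to bottom and the first match decides whether a client flow is sent through the tunnel or broken out locally with NAT. The local subnet 10.5.1.0/24 is the lab's; the flows and the rule-record shape are this example's own. The reordering check at the end shows why the local-subnet rule has to sit above the 10.0.0.0/8 rule: both match a 10.5.1.x destination, and only the order keeps local traffic local.

```python
"""First-match evaluation of the auto-generated split-tunnel From-Access policy (added example)."""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    src: str
    dst: str
    service: str   # "Any" or a named service such as "DHCP-Server"
    action: str    # "tunnel" (permit through the GRE/IPsec tunnel) or "nat" (local breakout)


def split_tunnel_policy(local_subnet: str) -> List[Rule]:
    """The six rules the slide lists, with the branch's local subnet substituted."""
    return [
        Rule("0.0.0.0/0", "0.0.0.0/0", "DHCP-Server", "tunnel"),   # clients lease from HQ DHCP
        Rule("0.0.0.0/0", local_subnet, "Any", "nat"),             # the local subnet stays local
        Rule("0.0.0.0/0", "10.0.0.0/8", "Any", "tunnel"),
        Rule("0.0.0.0/0", "172.16.0.0/12", "Any", "tunnel"),
        Rule("0.0.0.0/0", "192.168.0.0/16", "Any", "tunnel"),
        Rule("0.0.0.0/0", "0.0.0.0/0", "Any", "nat"),              # everything else: Internet
    ]


def first_match(policy: List[Rule], src_ip: str, dst_ip: str, service: str = "Any") -> Optional[Rule]:
    """Return the first rule whose source, destination and service all match."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in policy:
        if (src in ip_network(rule.src) and dst in ip_network(rule.dst)
                and rule.service in ("Any", service)):
            return rule
    return None


def decide(policy: List[Rule], src_ip: str, dst_ip: str, service: str = "Any") -> str:
    """Action for a flow, or "deny" when no rule matches (cannot happen with this table)."""
    rule = first_match(policy, src_ip, dst_ip, service)
    return rule.action if rule else "deny"


if __name__ == "__main__":
    policy = split_tunnel_policy("10.5.1.0/24")
    # Constructed sample flows from a tunneled client at 10.8.20.50.
    flows = [("255.255.255.255", "DHCP-Server"), ("10.5.1.10", "Any"),
             ("10.8.20.150", "Any"), ("192.168.1.1", "Any"), ("8.8.8.8", "Any")]
    for dst, svc in flows:
        print(f"10.8.20.50 -> {dst:16} {svc:12} => {decide(policy, '10.8.20.50', dst, svc)}")
```

Note that this table only governs the From Access direction (client-initiated flows). As the slide says, a flow initiated from HQ toward a tunneled client needs its own To Access policy; nothing in these six rules permits it.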
LAB: Configure SSID for Wireless VPN
6. Verify VPN Settings and Save WLAN Policy
– Back in the WLAN Policy, expand VPN Service Settings
• Ensure the Employee(10)-X user profile is set to use VPN Tunnel and that Split Local Traffic (Split Tunnel) is set to Yes
– Click Save
HiveAP VPN Roles and Updating the Configuration
Configuring HiveAPs to be VPN Clients and VPN Servers
LAB: Assign HiveAPs to VPN Roles
1. Modify Your HiveAP-A and Make It a VPN Client
– From Monitor > HiveAPs, modify your HiveAP-A: X-A-######
– Under Optional Settings, expand Services Settings
• VPN Service Role: Client
– Click Save
LAB: Assign HiveAPs to VPN Roles
2. Modify Your HiveAP-B and Make It a VPN Server
– From Monitor > HiveAPs, modify your HiveAP-B: X-B-######
– Under Optional Settings, expand SSID Allocation
• (Optional) Clear the check boxes to disable the SSIDs on this HiveAP VPN server
– Expand Services Settings
• VPN Service Role: Server
– Click Save
LAB: Assign HiveAPs to VPN Roles
3. Verify HiveAP Roles
– You will now see icons specifying whether the HiveAP is a VPN client or a VPN server
– The up and down arrows next to the keys are red when the VPN is not established
• The VPN will be established after the configuration of the HiveAPs is updated
LAB: Assign HiveAPs to VPN Roles
4. Update Delta Configuration and VPN Certs
– From Monitor > HiveAPs, select both of your HiveAPs: X-A-HiveAP and X-B-HiveAP
– Select Update... > Upload and Activate Configuration
– If you want to see the delta configuration, click the HiveAP link
• Close the View Configuration window after viewing the delta configuration changes
– Click Upload
LAB: Assign HiveAPs to VPN Roles
5. View Update Results
– After a successful update, you can move your mouse over the Description to see what was updated
• Here you should see that the VPN certificates and keys and the configuration have been updated
LAB: Assign HiveAPs to VPN Roles
6. Monitor Status of VPN HiveAPs
– From Monitor > HiveAPs you can see that the VPN is up because the up and down arrows are green
LAB: Assign HiveAPs to VPN Roles
7. HiveAP VPN Diagnostics
– View VPN tunnel diagnostic commands
– Select one of the VPN HiveAPs: X-A-HiveAP
– Click Tools > Diagnostics > Show IPSec SA
Note: The VPN is clearly functional if you see the tunnel from the MGT0 IP of the VPN client to the (NAT) address of the MGT0 of the VPN server, and the reverse. Each direction uses a different SA (Security Association).
• State: Mature
Diagnostics: Show IKE Event
– Click Tools > Diagnostics > Show IKE Event
– If you see that phase 1 failed due to a certificate problem:
• Check the time on the HiveAPs: show clock, show time
• Ensure you have the correct certificates loaded on the HiveAPs in the VPN services policy
LAB: Assign HiveAPs to VPN Roles
8. HiveAP VPN Topology
– You can view the VPN topology by going to Configuration > Advanced Configuration > Security Policies > VPN Services
• Click View for your VPN
• If you move your mouse over the HiveAP icons you can see how long the tunnel has been established
• If the icons are green, the tunnel is established; if the icons are red, the tunnel is down
VPN Topology Example
– Here is an example of a VPN topology with 12 HiveAP VPN clients and two HiveAP VPN servers for tunnel load sharing and redundancy
Testing Your VPN Access with an 802.1X Client (Supplicant)
Using Microsoft XP
If Your Remote PC Is Connected From the Previous Lab
Note: If you have not set up your 802.1X supplicant on the hosted client PC, please refer to the 802.1X section earlier in this training
– Disconnect from: Class-802.1X-X
– Then reconnect to: Class-802.1X-X
– Make sure you can connect
Verify Status of Wireless Client and VPN Connection from PC
– Once your wireless client is connected to Class-802.1X-X, verify your IP address by opening a command prompt and typing ipconfig /all
– If the Ethernet adapter Wireless Network Connection is set to 10.8.20.N:
• Then you are connected through the tunnel to VLAN 20
• Great Job!!!
Test your hosted PC's VPN Connection
– From your hosted PC, open a browser and connect to: http://10.8.20.150
– If this works, your hosted PC is going through the VPN on VLAN 20
Check Status of Wireless Client
– From Monitor > Clients > Active Clients, locate the client on the remote hosted PC and see if it is connected with a 10.8.20.N IP address
To View the XAUTH Credentials
– Go to Configuration > Advanced Configuration > Security Policies > VPN Services
– XAuth credentials are automatically assigned to HiveAP VPN clients that are assigned to this VPN services policy
– If an AP gets lost or stolen, you can remove its credential and push the configuration to the HiveAP VPN server
• That prevents the VPN client from building a tunnel to the VPN server
– You can also generate new credentials and push them out to the HiveAP VPN servers and clients
VPN Lab Clean-up
Please remove the VPN tunnel configuration from the Employee(10) User Profile and change the VLAN before continuing to the next labs
Lab: VPN Lab Cleanup
1. Change VLAN and Disable Tunnel
– From Configuration > User Profiles, select your Employee(10)-X user profile
– Set the default VLAN to: 10
– Under Optional Settings > GRE or VPN Tunnels, set the option to: No tunnel
– Click Save
Note: We do not need to update the configuration at this time. You will update the configuration in the next lab.
Lab: VPN Lab Cleanup
2. Remove Tunnel Roles from HiveAPs
– From Monitor > Access Points > HiveAPs, select the check box next to both of your HiveAPs
• X-A-######
• X-B-######
– Set VPN Service Role: None
– Click Save
HiveAP Classification Examples
To Simplify the WLAN Policy Configuration When Different Settings for HiveAPs are Needed at Different Locations
Question: How do you define a single WLAN policy, but configure different settings?
– For example, in the WLAN policy you can only define one MGT interface VLAN
– But if the HiveAPs are in different networks with different MGT0 VLANs, what can you do?

Diagram (labels recovered from the slide): a Router connects two L2-Switches, one in DMZ-X and one in Area-X, each with a HiveAP.
– HiveAP in DMZ-X, device settings: Interface mgt0 10.8.1.X, Classification Tag DMZ, WLAN Policy WLAN-X1
– HiveAP in Area-X, device settings: Interface mgt0 10.5.2.?, Classification Tag Area-1, WLAN Policy WLAN-X2
Answer: HiveAP Classification
Define an Object That is Variable
– HiveAP Classification Tag Settings: this WLAN policy is assigned to HiveAP 1 and HiveAP 2, and the one VLAN object definition resolves to a different value in the HiveAP 1 configuration and the HiveAP 2 configuration (screenshots on the slide)
HiveAP Classification: Tag Selection
– If you specify multiple tags on a HiveAP, make sure the object is defined to match
– If you want this VLAN object to match all HiveAPs in HQ, define Tag 1 as HQ, but uncheck Tag 2 and Tag 3 so they are ignored
– If you do not uncheck Tag 2 and Tag 3, all three tags must match on each HiveAP
(Screenshots on the slide: VLAN Object Definition, HiveAP 1 Configuration, HiveAP 2 Configuration)
Objects That Support HiveAP Classification
– Objects that support HiveAP classification:
• IP/Hostname Objects
• MAC Addresses/OUIs
• VLANs
• User Profile Attribute Groups
– These objects are configured once, but the values assigned to a HiveAP change based on the HiveAP's:
• Topology Map
• Classifier Tag
• IP Address
• Hostname
HiveAP Classification: Types
– VLANs, IP Address objects, MAC Address objects, and User Profile Attribute groups can have classification rules based on:
• Map Name: uses topology maps
• HiveAP Name
• Classifier Tag: requires that tags be defined in the configuration of the HiveAPs
• Global: selected if no match is found for any of the other types
– You can mix and match; the first matching rule is used
• Global is checked as the last match even if it is defined first
WLAN Policy Example 1 - PSK
Using Classification Tags for VLANs

Diagram (labels recovered from the slide): a Router connects two L2-Switches, one in the DMZ and one Inside, each with a HiveAP.
– HiveAP in the DMZ, device settings: Interface mgt0 10.8.1.X, Classification Tag DMZ, WLAN Policy WLAN-X1
– HiveAP Inside, device settings: Interface mgt0 10.5.2.?, Classification Tag Inside, WLAN Policy WLAN-X2
– VLAN Object X-MGT0-VLANs:
• VLAN ID 2, Type Classifier Tag, Value Tag 1: HQ, Tag 2: Bldg1, Tag 3: Trusted
• VLAN ID 1, Type Global (* a Global VLAN is set, but it will not be used in this lab)
– WLAN Policy WLAN-X: MGT0 VLAN X-MGT0-VLANs, Native VLAN 1
Lab: HiveAP Classification
1. Assign Classification Tag to HiveAP-A
– From Monitor > HiveAPs, select the check box next to your HiveAP-A X-A-###### and click Modify
– Expand Advanced Settings
– HiveAP Classification: enter a value
• Tag 1 - HQ
• Tag 2 - Bldg1
• Tag 3 - Trusted
Note: You can change these settings for a group of HiveAPs if you select multiple HiveAPs before editing them
– Click Save
Lab: HiveAP Classification
2. Assign Classification Tag to HiveAP-B
– From Monitor > HiveAPs, select the check box next to your HiveAP-B X-B-###### and click Modify
– Expand Advanced Settings
– HiveAP Classification: enter a value
• Tag 1 - HQ
• Tag 2 - Bldg1
• Tag 3 - DMZ
Note: You can change these settings for a group of HiveAPs if you select multiple HiveAPs before editing them
– Click Save
Lab: HiveAP Classification
3. In your WLAN Policy Create a New VLAN
– The VLAN for the MGT0 interface on a HiveAP is assigned via the WLAN policy
– Go to Configuration > WLAN Policies and edit WLAN-X
– Next to MGT interface VLAN, click +
– Go to next slide
Lab: HiveAP Classification
4. Create a VLAN Policy for MGT0 VLANs
– VLAN Name: X-MGT0-VLANs
• VLAN ID: 2
• Type: Classifier
• Value: uncheck Tag 1: <empty>; uncheck Tag 2: <empty>; check Tag 3: Trusted
• Click Apply (do not save)
– Click New
• VLAN ID: 1
• Type: Global
• Click Apply
Note: HiveAPs in the DMZ use VLAN 1, which will match the Global rule defined here
– Save your VLAN object
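How the X-MGT0-VLANs object just created resolves to a different VLAN on each HiveAP, written out as an added example that covers both the classification-type rules from the earlier slides (first match wins, unchecked tags are ignored, Global is tried last even when listed first) and this lab's concrete object. This is illustrative code, not HiveManager's data model: the HiveAP names and tag values are the lab's, while the rule record and the `resolve` function are this example's own.

```python
"""Resolving a classified HiveManager object to a per-HiveAP value (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class HiveAP:
    name: str
    tags: Tuple[str, str, str] = ("", "", "")   # Tag 1, Tag 2, Tag 3 as set on the device
    map_name: str = ""


@dataclass
class Rule:
    value: int                                   # e.g. the VLAN ID this rule yields
    kind: str                                    # "tag" | "name" | "map" | "global"
    want: Dict = field(default_factory=dict)     # tag: {tag number: value}; name/map: {"value": ...}


def rule_matches(rule: Rule, ap: HiveAP) -> bool:
    if rule.kind == "global":
        return True
    if rule.kind == "name":
        return ap.name == rule.want["value"]
    if rule.kind == "map":
        return ap.map_name == rule.want["value"]
    if rule.kind == "tag":
        # Only checked tags take part; an unchecked tag is simply absent from `want`.
        return all(ap.tags[n - 1] == v for n, v in rule.want.items())
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def resolve(rules: List[Rule], ap: HiveAP) -> Optional[int]:
    """First matching specific rule wins; a Global rule is tried last wherever it is listed."""
    ordered = [r for r in rules if r.kind != "global"] + [r for r in rules if r.kind == "global"]
    for rule in ordered:
        if rule_matches(rule, ap):
            return rule.value
    return None


# The lab's X-MGT0-VLANs object: VLAN 2 when Tag 3 is "Trusted" (Tags 1 and 2 unchecked), else VLAN 1.
X_MGT0_VLANS = [Rule(2, "tag", {3: "Trusted"}), Rule(1, "global")]
# The lab's two HiveAPs with the tags assigned in steps 1 and 2.
AP_A = HiveAP("X-A-######", ("HQ", "Bldg1", "Trusted"))
AP_B = HiveAP("X-B-######", ("HQ", "Bldg1", "DMZ"))

if __name__ == "__main__":
    for ap in (AP_A, AP_B):
        print(f"{ap.name} tags={ap.tags} -> mgt0 VLAN {resolve(X_MGT0_VLANS, ap)}")
```

The last assertion in the test shows the Tag Selection slide's point: a rule that checks only Tag 1 = HQ matches every HQ HiveAP, whereas a rule that checks all three tags matches HiveAP-A only.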
Lab: HiveAP Classification
5. Assign MGT0 Interface VLAN to New VLAN
– In your WLAN Policy, verify the MGT0 Interface VLAN is set to: X-MGT0-VLANs
– The Native (untagged) VLAN should still be set to: 1
– Save your WLAN Policy
Lab: HiveAP Classification
6. View Configuration Audit
– Click the mismatch icon for your HiveAP-A to see the configuration changes
– You should see that the MGT0 interface is being set to VLAN 2
– If you click the mismatch icon for HiveAP-B, you will not see a change in the VLAN, because it is already set to use VLAN 1
Lab: HiveAP Classification
7. Update Delta Configuration
– From Monitor > HiveAPs, select both of your HiveAPs: X-A-HiveAP and X-B-HiveAP
– Select Update... > Upload and Activate Configuration
– If you want to see the delta configuration, click the HiveAP link
• Close the View Configuration window after viewing the delta configuration changes
– Click Upload
Lab: HiveAP Classification
8. View Update Results
– After a successful update, you can move your mouse over the Description to see what was updated
Lab: HiveAP Classification
9. View the New IP Address for your HiveAP
– From Monitor > HiveAPs, verify that the new IP address for your HiveAP is in the subnet 10.5.2.0/24 (new IP address in VLAN 2)
Note: It may take a moment for the change to be reflected
HiveAP Classification Example
Using Classification Tags for VLANs: Example

Diagram (labels recovered from the slide): a Router connects two L2-Switches, one in Area-1 (HiveAP VLAN 2, User VLANs 3 - 5; student client 10.1.3.10) and one in Area-2 (HiveAP VLAN 6, User VLANs 7 - 9; student client 10.1.7.10).
– WLAN Policy Settings, Campus-Policy: Hive Hive-Campus; MGT0 VLAN VLAN-HiveAPs; Native VLAN 1
• SSIDs Student-WiFi, Faculty-WiFi and Voice-WiFi; Network Security for each: WPA/WPA2 with PSK, TKIP or AES
• User Profile Students: Attribute 100, Tunnel Policy L3-Roaming, VLAN VLAN-Students
• User Profile Faculty: Attribute 101, Tunnel Policy L3-Roaming, VLAN VLAN-Faculty
• User Profile Voice: Attribute 102, Tunnel Policy L3-Roaming, VLAN VLAN-Voice
– HiveAP Device Settings (both areas): Interface mgt0 DHCP-Client, WLAN Policy Campus-Policy, Classification Tag Area-1 or Area-2
– VLAN Network Objects (Classifier Tag values):
• VLAN-HiveAPs: Area-1 - VLAN 2, Area-2 - VLAN 6
• VLAN-Students: Area-1 - VLAN 3, Area-2 - VLAN 7
• VLAN-Faculty: Area-1 - VLAN 4, Area-2 - VLAN 8
• VLAN-Voice: Area-1 - VLAN 5, Area-2 - VLAN 9
• * A Global VLAN must be set, but it will not be used
HiveAPs as RADIUS Servers
Local User Database
LAB: Create Local User Database
– Used for IEEE 802.1X and for Captive Web Portal authentication
– The local user database is used as a primary or backup user store for the HiveAP RADIUS server for IEEE 802.1X EAP-PEAP, EAP-TTLS, or EAP-TLS authentication
– It is highly beneficial for branch or small office deployments that require a local user database
– The local user database can also be used as a backup to authentication with Active Directory
• If the Active Directory service is unavailable, the local database can automatically be used
LAB: HiveAP as RADIUS Server
1. Create a Local User Group
– Go to Configuration > Advanced Configuration > Authentication > Local User Groups and click New
– User Group Name: group(10)-0X (X is 2 digits: 01, 02, ..., 14, 15)
– User Attribute: 10
– VLAN ID: <leave blank; it will be inherited from the user profile>
– Re-auth Time: 1800
– Click Save
Note: As a theft protection mechanism, if Save in DRAM only is selected, the user database is erased when the AP is powered off or rebooted, and the AP automatically retrieves it again from HiveManager.
LAB: HiveAP as a RADIUS Server
2. Manually Create a Local User
– Go to Configuration > Advanced Configuration > Authentication > Local Users and click New
– User Group: group(10)-0X
– Username: user-X
– Password: aerohive123
– Confirm Password: aerohive123
– Description: 0X-rad
– Click Save
Note: Entering a description makes it easier to filter/search for users in the user list. For example, later you will filter on "0X-rad" to find all the users you have created and imported in this lab.
LAB: HiveAP as a RADIUS Server
3. Prepare your user file to import
– From the list of files you downloaded from the instructor, locate and edit your Company-X-radius-users.csv file (you can edit it with a spreadsheet program or Notepad)
– Modify the first user entry: make up a username and enter your real email address so that you can send yourself the PSK
– Save the file (the file name must end with .csv)
Callouts on the screenshot of the file: user login name; User Type (1 = RADIUS); User Group Name; the passwords for the user accounts; Description; lines that start with a # are commented out
LAB: HiveAP as a RADIUS Server
4. Import your user list file
– Go to Configuration > Advanced Configuration > Authentication > Local Users
– Click Import
– Browse for your modified RADIUS user list file in .csv format
– Click Import
– Please make sure you are in Local Users, NOT Local User Groups
– Make sure you do not have any errors, and ensure all 5 users were imported
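A pre-import check for a user file like the one prepared in step 3, added here as an example (not HiveManager's importer). It skips the `#` comment lines, rejects rows with the wrong field count, an unsupported user type, a missing username or password, or the wrong user group, and reports the line numbers so the file can be fixed before step 4 rather than after a failed import. The column order (login name, user type with 1 = RADIUS, user group name, password, description) is assumed from the slide's screenshot callouts; the rows in `SAMPLE_CSV` are constructed for this example and are not the class file.

```python
"""Validator for a local-user import file in CSV form (added example)."""
import csv
import io
from typing import Dict, List, Optional, Tuple

# Column layout ASSUMED from the screenshot callouts on the slide.
COLUMNS = ("username", "user_type", "user_group", "password", "description")
RADIUS_USER_TYPE = "1"

# Constructed sample in that layout; not the class's Company-X-radius-users.csv.
SAMPLE_CSV = """\
# username,type,group,password,description   <- lines starting with # are ignored
# user type 1 = RADIUS user
jdoe,1,group(10)-002,Wint3r-Flux!,002-rad
msmith,1,group(10)-002,Apr1l-Rain?,002-rad
lchen,1,group(10)-002,Oct0ber-Sky#,002-rad
pnair,1,group(10)-002,Ju1y-Heat$,002-rad
akhan,1,group(10)-002,M4rch-Wind%,002-rad
broken,1,group(10)-002,,002-rad
"""


def parse_local_users(text: str, expected_group: Optional[str] = None
                      ) -> Tuple[List[Dict[str, str]], List[str]]:
    """Return (accepted rows, error messages).  Malformed rows are rejected with a
    line number instead of being silently imported."""
    users, errors = [], []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or row[0].lstrip().startswith("#"):
            continue                                   # blank line or comment
        if len(row) != len(COLUMNS):
            errors.append(f"line {lineno}: expected {len(COLUMNS)} fields, got {len(row)}")
            continue
        user = dict(zip(COLUMNS, (c.strip() for c in row)))
        if user["user_type"] != RADIUS_USER_TYPE:
            errors.append(f"line {lineno}: unsupported user type {user['user_type']!r}")
            continue
        if not user["username"] or not user["password"]:
            errors.append(f"line {lineno}: username and password are required")
            continue
        if expected_group and user["user_group"] != expected_group:
            errors.append(f"line {lineno}: user group {user['user_group']!r} is not {expected_group!r}")
            continue
        users.append(user)
    return users, errors


def has_csv_extension(filename: str) -> bool:
    """The slide requires the import file name to end with .csv."""
    return filename.lower().endswith(".csv")


def filter_by_description(users: List[Dict[str, str]], prefix: str) -> List[Dict[str, str]]:
    """Same idea as the HiveManager filter on the first part of the description."""
    return [u for u in users if u["description"].startswith(prefix)]


if __name__ == "__main__":
    accepted, problems = parse_local_users(SAMPLE_CSV, expected_group="group(10)-002")
    print(f"{len(accepted)} users ready to import; {len(problems)} rejected")
    for msg in problems:
        print("  ", msg)
```

Running the check with `expected_group` set to your own group also catches the most common import mistake in a shared lab: a file that still carries another student's group name and would attach the users to the wrong RADIUS server.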
LAB: HiveAP as a RADIUS Server
5. Use the filter to find your users
– Apply a filter to view your RADIUS users
– Go to Configuration > Authentication > Local Users
– Click Filter
– Enter the first part of the description: 0X-rad (where 0X is your two-digit student ID, 02 - 15)
– Click Search
– Go to next slide
LAB: HiveAP as a RADIUS Server
6. View your list of RADIUS user accounts
– Here you can see the user you created as well as the users you imported from the CSV file
– Later, the user group will be assigned to a RADIUS server on a HiveAP
– The HiveAP will be able to authenticate all the users in the user groups assigned to the HiveAP RADIUS server using IEEE 802.1X/EAP or an authenticated captive web portal
Using a RADIUS User Database on a HiveAP for Authentication
Create SSID Using WPA/WPA2 Enterprise (802.1X)
LAB: HiveAP as a RADIUS Server
With 802.1X/EAP SSID Diagram

Diagram (labels recovered from the slide):
– HiveAP (Student-X, VLANs 1-20): Mgt0 IP 10.5.2.N/24, VLAN 2, RADIUS Server; WLAN Policy WLAN-X; connected to the Internet
– AD DHCP Server 10.5.1.10, DHCP settings: (VLAN 1) network 10.5.1.0/24, 10.5.1.140 - 10.5.1.240; (VLAN 2) network 10.5.2.0/24, 10.5.2.140 - 10.5.2.240; (VLAN 8) network 10.5.8.0/24, 10.5.8.140 - 10.5.8.240; (VLAN 10) network 10.5.10.0/24, 10.5.10.140 - 10.5.10.240
– Client: connect to SSID Class-802.1X-X, IP 10.5.10.N/24, Gateway 10.5.10.1
– SSID Class-802.1Xb-X: Authentication WPA or WPA2 Personal, Encryption TKIP or AES
– User Profile 1: Employee(10)-X, Attribute 10 (RADIUS attribute returned), VLAN 10
– User Profile 2: (Employee-Default), Attribute 1000 (no RADIUS attribute returned), VLAN 8
LAB: HiveAP as a RADIUS Server
1. Edit your WLAN Policy and Add SSID Profile
– An 802.1X-capable SSID and related settings can be configured from your WLAN Policy
– Go to Configuration > WLAN Policies and edit WLAN-X
– Under SSID Profiles, click Add/Remove SSID Profile
– Create a new SSID Profile: click +
– Go to next slide
LAB: HiveAP as a RADIUS Server
2. Configure SSID and RADIUS Server
– Profile Name: Class-802.1X-Xb
– SSID: Class-802.1X-Xb
– SSID Access Security: select WPA/WPA2 802.1X (Enterprise)
– Next to RADIUS Server, click +
– Go to next slide
LAB: HiveAP as a RADIUS Server
3. Define Settings for HiveAP RADIUS Server
– Select the radio button for HiveAP RADIUS server
Note: Defining RADIUS within an SSID, instead of defining the profile objects separately before modifying the SSID, has the advantage of automatically creating two profiles, an AAA Client Settings profile and a HiveAP AAA Server Settings profile, and it ensures they are configured correctly for each other.
– Profile Name: AP-RADIUS-X
– Primary RADIUS Server: 10.5.2.X
– Available Local User Groups: select your user group(10)-X and click the > button to move it to the Selected Local User Groups
– Click Apply
– Do not save; go to next slide
LAB: HiveAP as RADIUS Server
4. Assign user profiles and save
– The RADIUS Server should now be set to: AP-RADIUS-X
– Under User Profiles for Traffic Management:
• User profile assigned if no attribute is returned: Employees(1000)
• User profile assigned via attributes returned from RADIUS... select: Employee(10)-X
Note: If you have multiple groups assigned to the HiveAP RADIUS server, each group can assign a different user profile attribute, and in that case you can define more user profiles here.
– Click Save
LAB: HiveAP as RADIUS Server
5. Remove Existing SSID and Add New SSID
– To clean up the air in the data center, remove all other SSID profiles from the Selected SSID Profiles list using the << button
• You should have no SSID profiles listed under the Selected SSID Profiles list
– From the Available SSID Profiles, select Class-802.1X-Xb and use the > button to move it to the Selected SSID Profiles list
– Click Apply ---- Please, please, please click Apply! Then save your WLAN policy
LAB: HiveAP as a RADIUS Server
6. View Certificate Assigned to RADIUS Server
– Go to Configuration > Advanced Configuration > Authentication > HiveAP AAA Server Settings
– Modify your RADIUS Server object: AP-RADIUS-X
Note: By default, the HM-Default-Server cert and key are selected, which works if you did not create a new HiveAP root CA certificate. In an earlier lab a new HiveManager Root CA certificate was created, so the default certificates signed by the old HiveManager Root CA key will no longer work.
– Do not save; go to next slide
LAB: HiveAP as a RADIUS Server
7. Change Certificate Used by RADIUS Server
– Assign your AAA RADIUS Server to use:
• CA Cert File: AerohiveHMCA.pem
• Server Cert File: HiveAP-X_key_cert.pem
• Server Key File: HiveAP-X_key_cert.pem
Note: The key and cert were generated as a combined certificate in an earlier lab.
• Key File Password: aerohive123
• Confirm Password: aerohive123
– Save the RADIUS Server profile
LAB: HiveAP as a RADIUS Server
8. Configure a Static IP for the RADIUS HiveAP
– Go to Access Points > Managed HiveAPs and modify your HiveAP-A: X-A-######
– Under Optional Settings, expand Interface and network settings
• Uncheck [ ] DHCP client Enable
• IP Address: 10.5.2.X
• Netmask: 255.255.255.0
• Gateway: 10.5.2.1
Note: This lab assumes the HiveAP MGT0 interface is in VLAN 2, which was assigned in the previous HiveAP classification lab
– Click Save
LAB: HiveAP as a RADIUS Server
9. Assign HiveAP to be RADIUS Server
– Assign the RADIUS Server object to the HiveAP designated as the RADIUS server
– Under Optional Settings, expand Service Settings
– Set HiveAP RADIUS service to: AP-RADIUS-X
– Remove the VPN Service Role by setting it to: None
• Otherwise RADIUS traffic may be tunneled because of settings from previous labs
– Click Save
LAB: HiveAP as a RADIUS Server
10. Update Delta Configuration and RADIUS Certs
– From Monitor > HiveAPs, select both of your HiveAPs: X-A-HiveAP and X-B-HiveAP
– Select Update... > Upload and Activate Configuration
– If you want to see the delta configuration, click the HiveAP-A link
• Close the View Configuration window after viewing the delta configuration changes
– Click Upload
LAB: HiveAP as a RADIUS Server
11. View Update Results
– After a successful update, you can move your mouse over the Description to see what was updated
• Here you should see that the AAA certificates and keys, the user database, and the configuration have been updated
Client Access Preparation - Distributing CA Certificates to Wireless Clients
LAB: Export the HiveManager CA Root Certificate on the Remote PC
Note: The HiveManager Root CA certificate should be installed on the client PCs that will be using the RADIUS service on the HiveAPs for 802.1X authentication
– From the VNC connection to the student PC, open a connection to: https://hivemanager
– Log in with: adminX, password: aerohive123
– Go to Configuration > Keys and Certificates > Certificate Mgmt
– Select AerohiveHMCA.pem and click Export
LAB: Export the HiveManager CA Root Certificate
– Select a directory on your remote PC to export the AerohiveHMCA.pem certificate
– Rename the AerohiveHMCA.pem file to AerohiveHMCA.pem.cer (add the .cer extension to the end of the file name)
• This way, the certificate will automatically be recognized by Microsoft Windows
LAB: Install AerohiveHMCA Certificate on Wireless Client PC
– Find the file that was just exported to your client PC
– Double-click the certificate file
– Click Install Certificate
Note: Issued to: hm-training.ahdemo.local. This is the name of the certificate if you wish to find it in the certificate store, or if you want to select it in the Windows supplicant PEAP configuration.
LAB: Install AerohiveHMCA Certificate on Wireless Client PC
– In the certificate install wizard window, click Next
– Click Automatically select the certificate store based on the type of certificate
– Click Next
– If prompted, click OK on the "Do you want to install this certificate" message
– Click Finish
LAB: Verify AerohiveHMCA Certificate is Valid
– If you double-click the certificate now and go to the Certification Path tab, you will see that the certificate is OK
– You can also check the Valid From date in the Details tab
• If the date on the HiveManager is wrong, or it has the wrong time zone, this date may be invalid
Configuring and Testing Your 802.1X Supplicant
For Microsoft XP and Vista Supplicants
Lab: Testing 802.1X to HiveAP RADIUS1. Connect to Class-802.1X-Xb SSID
From the wireless client on the hosted PC
– Click Class-802.1X-Xb– Click Connect
***This connection will fail, but it will create an SSID on the client that you can modify to edit the settings to change the auth from smart card or other certificates to Protected EAP
Lab: Testing 802.1X to HiveAP RADIUS
2. Configure 802.1X Supplicant (802.1X Client)
View your Wireless Connections then click to Change advanced settings
In the Wireless network properties window enter the following:
– Change EAP Type to: Protected EAP (PEAP)
Click OK
Lab: Testing 802.1X to HiveAP RADIUS
3. Enter credentials for 802.1X
Note: Because we are using VPN, the “Enter Credentials” window most likely will not appear. Click the wireless icon once and the window should appear. You may have to move the Wireless network connection window out of the way if it is on top.
Enter the user name: user-X
Password: aerohive123
Click OK
Wait a second, then click the wireless icon again
Click OK to validate the certificate
Because of the VNC connection, click here for the credentials window to appear. You may have to try several times.
Lab: Testing 802.1X to HiveAP RADIUS
4. Verify that you are connected to the SSID
Your Client will connect to the Class-802.1X-Xb SSID
Lab: Testing 802.1X to HiveAP RADIUS
5. View Active Clients
After associating with your SSID, you should see your connection in the active clients list in HiveManager
– Go to Monitor > Client > Active Clients
User Name: user-X
BSSID: <The MAC address for your AP's SSID>
VLAN: 10
User Profile Attribute: 10
Client Monitor: Example of an invalid user account
SSL negotiation uses the RADIUS server certificate
Shows IP of RADIUS server
At this point you know the aaa certificates were installed correctly and the server certificate validation done by the client passed
The user is not in the user database. View the AAA server settings and ensure the correct user group is selected, and the HiveAP is a RADIUS server. Then update the configuration of the HiveAP.
RADIUS Test Built Into HiveManager
To test a RADIUS account, go to Tools > RADIUS Test
RADIUS Server: 0X-A-######
HiveAP RADIUS Client: 0X-A-######
Select RADIUS authentication server
Username: user-X
Password: aerohive123
Click Test
After fixing the problem and running the test again, the authentication was successful
HiveAP RADIUS Server With Active Directory Integration
Create a New Active Directory Administrator (Instructor Only)
On the Windows 2003 AD Server, in your domain, select Users, right click and select New > User
Note: The name used in this example is not relevant, you can use any name
First Name: HiveAP
Last Name: Admin
Full Name: HiveAP Admin
User Logon: hiveapadmin @ahdemo.local
Click Next
Create a New Active Directory HiveAP Administrator (Instructor Only)
Enter a Password: Aerohive1
Confirm Password: Aerohive1
Uncheck User must change password at next login
Uncheck User cannot change password
Check Password never expires
Uncheck Account is disabled
Click Next
Click Finish
HiveAP Administrator Group Membership
If you view the HiveAP Admin properties, you can see that the HiveAP Admin only needs to be a member of Domain Users
Optionally Create an Organizational Unit Where HiveAPs Can Be Added
In order for HiveAPs to authenticate users with Active Directory, each HiveAP will be dynamically added to the domain as a computer
In order to organize the domain, you can create an organizational unit (OU) where HiveAPs can be added
Select your domain ahdemo.local, right click and select New > Organizational Unit
Enter a name: Wireless, then click OK
Optionally Create Organizational Units Where HiveAPs Can Be Added
Optionally you can create more OUs (sub directories) to further organize the wireless networking
Select the Wireless OU, right click and select New > Organizational Unit
Enter a name: HiveAPs
Click OK
– This will be used as the computer store for HiveAPs
Delegate Control of Wireless OU to the HiveAP Admin (INSTRUCTOR ONLY)
Right Click the Wireless OU and select Delegate Control...
Delegate Control of Wireless OU to the HiveAP Admin
Welcome to the Delegation of Control Wizard
– Click Next
Users or Groups
– Add HiveAP Admin
– Click Next
Delegate Control of Wireless OU to the HiveAP Admin
Select Create a custom task to delegate
Click Next
Delegate Control of Wireless OU to the HiveAP Admin
For Active Directory Object Type
– Select Computer Objects and leave the rest of the default settings
– Check Create selected objects in this folder
– Click Next
For Permissions
– Check Read
– Check Write
– And leave the rest of the default settings
Click Next
Delegate Control of Wireless OU to the HiveAP Admin
Click Finish
Configure Active Directory Settings
Lab: AD Settings Configuration
1. Configure AD Settings
From Configuration > Advanced Configuration > Authentication > AAA User Directory Settings
Note: In 3.5r1, this header was called AAA Server Settings
Click New
Name: AD-X
Select: Active Directory
Active Directory Server: 10.5.1.10
Domain: AHDEMO
Full Name: ahdemo.local
BindDN Name: [email protected]
BindDN Password: Aerohive1
Go to next slide
Lab: AD Settings Configuration
2. Configure AD Settings - Continued
Admin User Name: (Leave Empty for Class)
Note: This step is optional from HiveManager. It can be performed directly from the HiveAP if you are security conscious about storing an Administrator password for Active Directory in HiveManager. The screen shot has it filled in so you can see the syntax
Computer OU: Wireless/HiveAPs
Note: The HiveAP Admin was given access to this OU
Click Save
Lab: AD Settings Configuration
3. Configure HiveAP RADIUS with AD Settings
Go to Configuration > Advanced Configuration > Authentication > HiveAP AAA Server Settings
Modify AP-RADIUS-X
Uncheck Local Database
Under Optional Settings, expand Database Access Settings
Check Active Directory
Select AD-X with priority: Primary
Click Apply ...Please make sure you click Apply
Click Save
SSID for 802.1X Using HiveAP RADIUS with AD Integration
LAB: HiveAP RADIUS w/ AD Integration
1. Edit your WLAN Policy and Add SSID Profile
An 802.1X capable SSID and related settings can be configured from your WLAN Policy
Go to Configuration > WLAN Policies
Edit WLAN-X
Under SSID Profiles, click Add/Remove SSID Profile
Under Available SSID Profiles
– Click +
Go to Next Slide
LAB: HiveAP RADIUS w/ AD Integration
2. Configure SSID and Create RADIUS Server
Profile Name: Class-802.1X-Xc
SSID: Class-802.1X-Xc
SSID Access Security
– Select: WPA/WPA2 802.1X (Enterprise)
Next to: Select RADIUS Servers for 802.1X...
– Select: AP-RADIUS-X (Defined in a previous lab)
Go to Next Slide
LAB: HiveAP RADIUS w/ AD Integration
3. Assign user profile settings
Specify User Profile assigned if no attribute is returned from RADIUS after successful authentication: Employees(1000) (This user profile was created by the Instructor)
Specify User Profiles assigned via attributes returned from RADIUS after successful authentication: Employee(10)-X
Click Save
Go to Next Slide
LAB: Secure WLAN Access With 802.1X
5. Remove Existing SSID and Add New SSID
To clean up the air in the data center, remove all other SSID profiles from the selected SSID profiles list using the << button
– You should have no SSID Profiles listed under the Selected SSID Profiles list
From the Available SSID Profiles, select Class-802.1X-X and use the > button to move it to the Selected SSID Profiles List
Click Apply ---- Please, please, please click Apply!
Go to Next Slide
LAB: Secure WLAN Access With 802.1X
6. Verify Configuration and Save WLAN Policy
Verify the SSID Class-802.1X-Xc is listed under the SSID profiles and that your SSID is mapped to two different user profiles: Employees(1000) and Employee(10)-X
Please make sure you have NTP Server settings defined in the Management Server Settings section
Click Save
LAB: Secure WLAN Access With 802.1X 7. Update delta configuration of your HiveAP
From Monitor > HiveAPs
Select your HiveAP X-A-HiveAP
Select Update... > Upload and Activate Configuration
If you want to see the delta configuration, click the link for your HiveAP
– Close the View Configuration window after viewing the delta configuration changes
Click Upload
Click the HiveAP link to view the delta configuration
Optional: Verify HiveAP RADIUS Service From the CLI of the HiveAP
If you want to verify the RADIUS server status on your HiveAP, from the CLI of your HiveAP type: show aaa radius-server
Take a look to see if the settings look similar to the settings displayed on the right

01-A-008b40# show aaa radius-server
All local RADIUS server parameters:
RADIUS-server: Enabled
port: 1812
Station-auth type: tls peap ttls leap
CA: AerohiveHMCA.pem
server-cert: HiveAP-1_key_cert.pem
private-key: HiveAP-1_key_cert.pem
private-key-password: Encrypted
remote retry period: 30 secs
local check period: 300 secs
ldap retry interval: 600 secs
primary active directory (active):
 admin user:
 server: 10.5.1.10
 computers OU: Wireless/HiveAPs
 default domain info:
  netBOIS name ahdemo
  full domain name: ahdemo.local
bindDN: [email protected]
Optional: Verify HiveAP Time From the CLI of the HiveAP
From the CLI of the HiveAP:

# show time
Timezone: GMT-8

# show clock
2009-04-16 14:30:45 Thursday
Joining HiveAPs to Active Directory (Computer OU = Wireless/HiveAPs)
From the AD server, you can go to Active Directory Users and Computers and see when the HiveAP joins the domain
If you specify an Active Directory administrator account in the AAA User Directory Settings, then the HiveAP will automatically add itself to the domain
If you did not specify an Active Directory administrator, you will have to manually add your HiveAP to the domain much like you would do with a computer
Click Refresh
Select the computer OU you specified in the AAA User Directory Settings
LAB: Secure WLAN Access With 802.1X 8. Join HiveAP RADIUS Server to Domain
Run the following test to join your HiveAP RADIUS server to the Active Directory Domain
Go to Tools > AD/LDAP Test
Select RADIUS Server: X-A-######
Select Test joining the HiveAP to an Active Directory domain
Select Active Directory Domain: Primary
User Name: hiveapadmin
Password: Aerohive1
Click Test
Here you can see that the HiveAP is joined to the domain
Alternative: Join HiveAP RADIUS Server to Domain using the HiveAP CLI
02-A-064200# exec aaa net-join primary username hiveapadmin password Aerohive1
(Note: The password will be hidden when typing)
Exec-Program output:
Joined '02-A-064200' to server 'ahdemo.local' successful (NT_STATUS_OK)
If you have problems joining your AD server, you may need to enter the Administrator account credentials to join the HiveAP to the domain
Go to the Wireless/HiveAPs OU to see the HiveAP added as a computer in the domain. You may have to refresh the screen to see the HiveAP appear after joining the HiveAP to the domain.
Troubleshooting – Joining a HiveAP to a Domain
Possible Cause: The Administrator does not have privileges to add a computer/HiveAP to this OU
Solution: Use an Administrator with more privileges
Possible cause: The HiveAP was previously added to a different OU, and this administrator does not have privileges to remove the other entry
Action: Delegate administration of this OU to allow the selected administrator to add computers to this OU
Here you can see that the HiveAP has failed to join the domain
Troubleshooting – Joining a HiveAP to a Domain
Possible Cause: The NTP Server settings have not been configured on the HiveAP
Solution: Configure the NTP Server settings by going to your WLAN Policy > Management Services > NTP Server
Here you can see that the HiveAP time is not accurate
LAB: Secure WLAN Access With 802.1X 9. Test the user account for your hosted PC
Select RADIUS Server: X-A-######
Select Test HiveAP credentials for Active Directory Integration
User Name: user
Password: Aerohive1
Click Test
Kerberos authentication passed for the user
Note for Classroom Environment: 802.1X Supplicant Configuration
The first time you try to connect to your SSID, the connection will fail because Windows XP defaults to use Smart Card and Other Certificate instead of PEAP
LAB: Secure WLAN Access With 802.1X 10. Configure Supplicant
From the hosted PC, connect to the Class-802.1X-Xc SSID
Wait a few seconds while the supplicant tries to validate identity
– Note: This will fail because Windows XP uses Smart Card or Other Certificates instead of PEAP
To configure the network for PEAP, click Change advanced settings
Click the Wireless Networks tab
Double-click the SSID: Class-802.1X-Xc
Click the Authentication tab
1. Click Change advanced settings
2. Select tab
3. Double-click
4. Select tab
LAB: Secure WLAN Access With 802.1X 11. Configure supplicant to use PEAP
For the EAP type, select Protected EAP (PEAP)
Click Properties to see that you have enabled Validate the server certificate
Also, if you click Configure... next to the authentication method, you can see that the client will automatically use the Windows logon name and password that were entered to log into the computer
Click OK until you have saved and exited from the supplicant configuration
Select Protected EAP (PEAP)
LAB: Secure WLAN Access With 802.1X 12. Connect to SSID and Validate Certificate
Connect to your SSID
Because VNC is used, the pop-up windows may not appear; click once on the wireless icon to get the Validate Certificate pop-up window
Click OK
Your client should now connect to the SSID
1. Click your SSID to connect
2. Because of VNC, you will have to click your mouse once on the wireless icon to see the Validate Certificate pop up
3. Click OK
LAB: Secure WLAN Access With 802.1X 13. View Active Client to Verify User Profile
Once you are connected, you can view the active clients list to see your user profile and VLAN information
Go to Monitor > Clients > Active Clients
Note the user profile is the user profile assigned for the SSID if no RADIUS attribute is returned
– User Profile: 1000
– VLAN: 8
– IP Address: 10.5.8.#
In the next lab you will learn how to change the user profile for users in different Active Directory groups
User Profile Attribute Value
Mapping Active Directory memberOf Attribute to User Profiles
HiveAP as a RADIUS Server Using AD Member Of for User Profile Assignment
Diagram (recovered from the slide): employee David connects to SSID Corp-802.1X on a HiveAP acting as RADIUS Server; the AD/DHCP server is 10.5.1.10; VLANs 1-20 are available on the wired side; the network has Internet access.

HiveAP RADIUS Server Settings

Local User Group   User Profile Attribute
CEO-Staff          100
IT-Staff           110
Sales              120

User Profile     Attribute   VLAN   FW Policy
Employee-CEO     100         11     No restriction
Employee-IT      110         10     No restriction
Employee-Sales   120         8      Limited access

1. After validating the user credentials, the AD server returns the list of the user's AD groups via the Member Of attribute to the HiveAP RADIUS server
2. The Member Of value must match a user group, which assigns the user profile attribute for the SSID
HiveAP as a RADIUS Server Using AD Member Of for User Profile Assignment
In your WLAN policy, you defined an SSID with two user profiles
– Employees(1000) – Set if no RADIUS attribute is returned
• This user profile, for example, is for general employee staff, and they get assigned to VLAN 8
– Employee(10)-X – Set if a RADIUS attribute is returned
• This user profile, for example, is for privileged employees, and they get assigned to VLAN 10
Because the HiveAP RADIUS server is using AD to authenticate the users, and AD does not return RADIUS attributes, how can we assign users to different user profiles?
Though AD does not return RADIUS attributes, it does return other attribute values, like memberOf, which is a list of the AD groups to which the user belongs
Instructor Only: Confirm User is a member of the Employee Groups
Right click the username “user” and click Properties
Click on the Member Of tab
The user account “user” should be assigned to all the groups for all the students in class
Employee-1, Employee-2, ..., Employee-15
Click OK
REFERENCE: debug radiusd shows the memberOf attributes returned
When the user authenticates, the Active Directory server will return each of the user groups and if the RADIUS server has a matching group, the user will be assigned a user profile based on the user profile defined in the matching user group
Note: For the lab coming up next, every PC is logged in as “user”, but each student has their own HiveAP RADIUS server with only one user group defined, which will match one of the member Of groups returned
Debug output during client authentication shows memberOf...

2010-04-28 12:36:58 debug auto shared-secret 2570*, NAS 10.5.2.2, RADIUS srv 10.5.2.2
2010-04-28 12:36:58 debug rlm_ldap: performing user authorization for AHDEMO\user
2010-04-28 12:36:58 debug rlm_ldap: (re)connect to 10.5.1.10:389, authentication 0
2010-04-28 12:36:58 debug rlm_ldap: bind as [email protected]/****** to 10.5.1.10:389
2010-04-28 12:36:58 debug rlm_ldap: waiting for bind result ...
2010-04-28 12:36:58 debug rlm_ldap: Bind was successful
2010-04-28 12:36:58 debug rlm_ldap: performing search in dc=ahdemo,dc=local, with filter ([email protected])
2010-04-28 12:36:58 debug rlm_ldap: Adding memberOf as AH-FreeRADIUS-Group-Name = "CN=Employee-4,CN=Users,DC=ahdemo,DC=local"
2010-04-28 12:36:58 debug rlm_ldap: Adding memberOf as AH-FreeRADIUS-Group-Name = "CN=Employee-3,CN=Users,DC=ahdemo,DC=local"
2010-04-28 12:36:58 debug rlm_ldap: Adding memberOf as AH-FreeRADIUS-Group-Name = "CN=Employee-2,CN=Users,DC=ahdemo,DC=local"
Lab: Use AD to Assign User Profile
1. Map memberOf attribute to user profile
From Configuration > Advanced Configuration > Authentication > HiveAP AAA Server Settings > AP-RADIUS-X
Expand Database Access Settings
Check LDAP server attribute Mapping
Select Map LDAP user groups to local user groups
LDAP User Group Attribute: memberOf
Under Available Local User Groups, click + to create a new group
Lab: Use AD to Assign User Profile
2. Create user group to map to memberOf group
Create a group that matches a group that the username "user" is a member of
User Group Name: Employee-X
Note: This group name must match a group returned by the AD server via the memberOf attribute
User Type: RADIUS users
User Profile Attribute: 10
Note: The user profile attribute is returned from the HiveAP RADIUS server if this is the matching group
Click Save
Lab: Use AD to Assign User Profile
3. Map Employee-X user group to memberOf
Select the Employee-X user group and move it to the selected local user groups list
Click Save
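To make the mapping in the debug radiusd reference and in lab steps 1-3 concrete, the following added example (not Aerohive code) parses the memberOf lines the LDAP module logs, picks out each group's CN, and resolves the user profile attribute the way the lab configures it: the first returned group whose name exactly matches a local user group supplies its attribute (Employee-X -> 10), and a user in none of the local groups falls back to the SSID's no-attribute profile (1000). The log lines and group names are taken from the page; the exact, case-sensitive match is an assumption based on the troubleshooting note that the local group name must match the AD group name exactly.

```python
"""Added example, not Aerohive code: a model of the memberOf-to-user-profile
mapping described on this page.  The debug radiusd lines, the Employee-X group
names, the attribute 10 and the 1000 default come from the lab; the exact
matching rule is an assumption based on the page's troubleshooting note."""
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the "debug radiusd" output shown on the page.
DEBUG_LOG = """\
2010-04-28 12:36:58 debug rlm_ldap: Bind was successful
2010-04-28 12:36:58 debug rlm_ldap: Adding memberOf as AH-FreeRADIUS-Group-Name = "CN=Employee-4,CN=Users,DC=ahdemo,DC=local"
2010-04-28 12:36:58 debug rlm_ldap: Adding memberOf as AH-FreeRADIUS-Group-Name = "CN=Employee-3,CN=Users,DC=ahdemo,DC=local"
2010-04-28 12:36:58 debug rlm_ldap: Adding memberOf as AH-FreeRADIUS-Group-Name = "CN=Employee-2,CN=Users,DC=ahdemo,DC=local"
"""

# User profile the SSID applies when the RADIUS server returns no attribute.
DEFAULT_ATTRIBUTE = 1000

GROUP_LINE = re.compile(r'AH-FreeRADIUS-Group-Name = "([^"]+)"')


def member_of_groups(log: str) -> List[str]:
    """Collect the memberOf DNs the LDAP module added for this user."""
    return GROUP_LINE.findall(log)


def group_cn(dn: str) -> Optional[str]:
    """Return the leading CN of a memberOf DN, i.e. the AD group name."""
    key, _, value = dn.split(",", 1)[0].partition("=")
    return value if key.strip().upper() == "CN" and value else None


def resolve_attribute(dns: List[str], local_groups: Dict[str, int],
                      default: int = DEFAULT_ATTRIBUTE) -> int:
    """Pick the user profile attribute for a user.

    local_groups maps a local RADIUS user group name to its configured user
    profile attribute (the lab defines a single group, Employee-X -> 10).
    The first memberOf group whose CN exactly matches a local group wins;
    a user in none of the local groups falls back to the SSID default.
    """
    for dn in dns:
        cn = group_cn(dn)
        if cn is not None and cn in local_groups:   # exact, case-sensitive match
            return local_groups[cn]
    return default


def attribute_from_log(log: str, local_groups: Dict[str, int]) -> int:
    """Convenience wrapper: debug output in, user profile attribute out."""
    return resolve_attribute(member_of_groups(log), local_groups)


if __name__ == "__main__":
    # Student 3's HiveAP defines only Employee-3, so "user" gets attribute 10.
    print(attribute_from_log(DEBUG_LOG, {"Employee-3": 10}))    # 10
    # Student 7's HiveAP: no returned group matches, so the SSID default applies.
    print(attribute_from_log(DEBUG_LOG, {"Employee-7": 10}))    # 1000
    # A local group name that differs only in case never matches.
    print(attribute_from_log(DEBUG_LOG, {"employee-3": 10}))    # 1000
```

The third case is the failure mode the troubleshooting slide points at: a local group name that is off by one character silently lands every user in the default profile.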
Lab: Use AD to Assign User Profile 4. Update delta configuration of your HiveAP
From Monitor > HiveAPs
Select your HiveAP X-A-HiveAP
Select Update... > Upload and Activate Configuration
If you want to see the delta configuration, click the link for your HiveAP
– Close the View Configuration window after viewing the delta configuration changes
Click Upload
Click the HiveAP link to view the delta configuration
Lab: Use AD to Assign User Profile
5. Disconnect and Reconnect to Class-802.1X-Xc SSID
To test the mapping of the memberOf attribute to your user profile
Disconnect from the Class-802.1X-Xc SSID
Connect to the Class-802.1X-Xc SSID
Lab: Use AD to Assign User Profile
6. Verify your active client settings
From Monitor > Clients > Active Clients
– Your client should now be assigned to
• IP Address: 10.5.10.#
• User Profile Attribute: 10
• VLAN: 10
If you have problems... Troubleshooting
An extremely useful tool for this configuration is an LDAP browser, so you can confirm you are getting the right information from the Active Directory server: http://download.softerra.com/files/ldapbrowser26.msi
– It will show you what memberOf attribute is being returned for each user
Confirm the Local Group Name matches the Active Directory Group name exactly
– Useful HiveAP CLI commands:
show run | include aaa
debug radius comm
debug radius excessive
debug radius verbose
debug console
no debug console
no debug radius
Secure and Fast Roaming
Layer 2 Roaming
Diagram: HiveAPs, a roaming client and a RADIUS Server
The user associates and authenticates, and keys are distributed
The AP predictively pushes keys and session state to one-hop neighbors
As the client roams and associates with another AP, the traffic continues uninterrupted
Layer 3 Roaming
Diagram: Subnet A and Subnet B joined by a Router, with a GRE Tunnel between HiveAPs
Like Layer 2 roaming, the Layer 3 roam predictively pushes keys to one-hop neighbors.
In order to maintain IP connectivity, a tunnel is created to the home subnet.
The tunnel continues to follow the roaming user until the sessions end; then the tunnel is terminated and the user accesses the local network
Layer 3 Roaming Details
Layer 3 Roaming: Detailed Explanation
Diagram: Floor 1, Subnet 10.5.1.0/24, HiveAPs 10.5.1.11/24, 10.5.1.12/24, 10.5.1.13/24; Floor 2, Subnet 10.5.10.0/24, HiveAPs 10.6.1.7/24, 10.6.1.8/24, 10.6.1.9/24; all HiveAPs in hive Corp-Hive
Beacon IE (Encrypted): Hive: Corp-Hive, L3 roaming enabled, Mgt0 IP: 10.5.1.13/24
Beacon IE (Encrypted): Hive: Corp-Hive, L3 roaming enabled, Mgt0 IP: 10.6.1.7/24
HiveAPs can then communicate over the LAN using UDP Port 3000
HiveAP Layer 3 roaming information is advertised in beacons and can be heard by HiveAPs in the same Hive.
HiveAPs scan channels to locate layer 3 roaming neighbors and communicate with each other over the Ethernet network.
Layer 3 Roaming: Detailed Explanation
Diagram: Floor 1, Subnet 10.5.1.0/24, HiveAPs 10.5.1.11/24, 10.5.1.12/24, 10.5.1.13/24; Floor 2, Subnet 10.6.1.0/24, HiveAPs 10.6.1.7/24, 10.6.1.8/24, 10.6.1.9/24; all HiveAPs in hive Corp-Hive
Send: DA for subnet 10.5.1.0/24 is 10.5.1.11
Receive: DA for subnet 10.5.1.0/24 is 10.5.1.11
The neighboring AP sends the HiveAP DA information to neighboring subnets
Layer 3 Roaming: Detailed Communication
Diagram: Floor 1, Subnet 10.5.1.0/24, HiveAPs 10.5.1.11/24, 10.5.1.12/24, 10.5.1.13/24; Floor 2, Subnet 10.6.1.0/24, HiveAPs 10.6.1.7/24, 10.6.1.8/24, 10.6.1.9/24; all HiveAPs in hive Corp-Hive
Query DA: least loaded AP for subnet 10.5.1.0/24
DA sends: best tunnel endpoint for subnet 10.5.1.0/24 is 10.5.1.12
Received from DA: best tunnel endpoint for subnet 10.5.1.0/24 is 10.5.1.12
Preparation for roaming by contacting the DA for APs as the potential tunnel end points
HiveAPs preselect the best APs in each subnet to be tunnel endpoints
The tunnel is built only when a client eventually roams
Layer 3 Roaming: Detailed Communication
As clients arrive on the new subnet, the HiveAP will use an existing tunnel for the client, or if that tunnel is heavily loaded, it can create a tunnel to another portal in the DNXP table.
Diagram: Floor 1, Subnet 10.5.1.0/24, HiveAPs 10.5.1.11/24, 10.5.1.12/24, 10.5.1.13/24, router interfaces eth0.1 10.5.1.1 and eth0.2 10.5.10.1; Floor 2, Subnet 10.6.1.0/24, HiveAPs 10.6.1.7/24, 10.6.1.8/24, 10.6.1.9/24, router interfaces eth0.1 10.6.1.1 and eth0.2 10.6.10.1; all HiveAPs in hive Corp-Hive. Client u1 keeps 10.5.10.33/24 through a Layer 2 roam on Floor 1 and a Layer 3 roam to Floor 2; Session State & PMK and a Client Roaming Cache Update are pushed to neighbors; DNXP L3 tunnel endpoint 10.5.1.12; DNXP GRE Tunnel.
The client's IP address is maintained
Layer 3 Roaming: Detailed Communication
Diagram: Floor 1, Subnet 10.5.1.0/24, HiveAPs 10.5.1.11/24, 10.5.1.12/24, 10.5.1.13/24, router interfaces eth0.1 10.5.1.1 and eth0.2 10.5.10.1; Floor 2, Subnet 10.6.1.0/24, HiveAPs 10.6.1.7/24, 10.6.1.8/24, 10.6.1.9/24, router interfaces eth0.1 10.6.1.1 and eth0.2 10.6.10.1; all HiveAPs in hive Corp-Hive. Client u1 at 10.5.10.33/24 continues to roam among the Floor 2 HiveAPs; Session State & PMK follow the client; DNXP L3 tunnel endpoint 10.5.1.12; DNXP GRE Tunnel.
Layer 3 Roaming: Local Subnet Connection
Based on the number of packets per minute sent to and received by the client, the HiveAP can be configured to disable the tunnels and de-auth the client so that it will reconnect and obtain an IP address from the local network.
Diagram: Floor 1, Subnet 10.5.1.0/24, HiveAPs 10.5.1.11/24, 10.5.1.12/24, 10.5.1.13/24, router interfaces eth0.1 10.5.1.1 and eth0.2 10.5.10.1; Floor 2, Subnet 10.5.10.0/24, HiveAPs 10.6.1.7/24, 10.6.1.8/24, 10.6.1.9/24, router interfaces eth0.1 10.6.1.1 and eth0.2 10.6.10.1; all HiveAPs in hive Corp-Hive. Client u1 is de-authed, the DNXP GRE Tunnel is torn down, and the client moves from 10.5.10.33/24 to a local address 10.6.10.95/24; Session State & PMK remain with the serving HiveAPs.
Configuring Dynamic Tunneling for Layer 3 Roaming
Lab: Enable Layer 3 Roaming
1. In your user profile, create a tunnel policy
Layer 3 roaming is enabled per user profile by configuring a tunnel policy
Edit your employee User Profile by going to Configuration > Guided Configuration > User Profiles
Edit Employee(10)-X
Under Optional Settings, expand GRE or VPN Tunnels
Next to GRE tunnel for roaming or station isolation, click +
Note: Tunnel policies are mutually exclusive. There is no need to enable more than one type of tunnel policy, so a radio button is used to select the type.
Lab: Enable Layer 3 Roaming
2. Configure Layer 3 Roaming Policy
Enable the ability to dynamically build tunnels for layer 3 roaming
Name: L3-Roaming-X
Under Tunnel Settings, select Enable Dynamic tunneling for Layer 3 Roaming
Unroaming Threshold: 60 seconds
Number of packets per minute: 2000
Click Save
Note: The number of packets per minute to select varies based on the number of devices, types of devices, and applications running on your network. In my local network, for example, my idle PC sends and receives about 500 packets per minute. Running a voice call from a soft client, my PC sends and receives about 4000 packets per minute. So I have chosen to unroam if my PC does not receive 2000 packets per minute in a one-minute time frame, which means my tunnel should remain during a voice call or file transfer.
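The following added example (not Aerohive code) models the unroaming decision described in this lab: the HiveAP keeps a sliding window of packets sent to and received from a tunnelled client, and once the client has been on the tunnel for the full Unroaming Threshold (60 seconds) and its rate in that window is below the configured packets per minute (2000), the tunnel is dropped and the client de-authed so it reconnects on the local subnet. The two settings and the 500 and 4000 packets-per-minute figures come from the lab; the window arithmetic, the sample format and the constant-rate simulation are assumptions.

```python
"""Added example, not Aerohive code: a model of the Layer 3 roaming
'unroam' decision.  Unroaming Threshold = 60 s and 2000 packets per minute
are the lab values; the sliding-window bookkeeping is an assumption."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Tuple


@dataclass
class RoamedClient:
    """Packet activity for one client riding a DNXP GRE tunnel."""
    mac: str
    unroam_threshold_s: int = 60           # lab: Unroaming Threshold
    min_packets_per_minute: int = 2000     # lab: Number of packets per minute
    roamed_at: float = 0.0                 # time the client crossed subnets
    # (timestamp, packets sent + received) samples within the window
    samples: Deque[Tuple[float, int]] = field(default_factory=deque)

    def record(self, t: float, tx: int, rx: int) -> None:
        """Record packets sent to (tx) and received from (rx) the client at t
        and drop samples that have aged out of the threshold window."""
        self.samples.append((t, tx + rx))
        while self.samples and self.samples[0][0] <= t - self.unroam_threshold_s:
            self.samples.popleft()

    def packets_in_window(self, now: float) -> int:
        """Packets seen in the last unroam_threshold_s seconds."""
        cutoff = now - self.unroam_threshold_s
        return sum(p for t, p in self.samples if t > cutoff)

    def should_unroam(self, now: float) -> bool:
        """True when the client has stayed below the configured rate for a
        whole threshold window.  A freshly roamed client is always given a
        full window first, so a brief lull right after roaming does not
        trigger a de-auth in the middle of a call."""
        if now - self.roamed_at < self.unroam_threshold_s:
            return False
        window_minutes = self.unroam_threshold_s / 60.0
        return self.packets_in_window(now) < self.min_packets_per_minute * window_minutes


def simulate(rate_per_minute: int, duration_s: int = 120, tick_s: int = 5) -> bool:
    """Feed a constant packet rate in 5 s ticks to a client that roamed at
    t=0 and report whether it would be unroamed (de-authed) during the run.
    Constructed scenario: MAC and rates are illustrative only."""
    client = RoamedClient(mac="00:19:77:00:00:01", roamed_at=0.0)
    per_tick = rate_per_minute * tick_s // 60
    for t in range(tick_s, duration_s + 1, tick_s):
        client.record(t, tx=per_tick // 2, rx=per_tick - per_tick // 2)
        if client.should_unroam(t):
            return True
    return False


if __name__ == "__main__":
    print("idle PC (500 pkt/min) unroamed:", simulate(500))     # True
    print("voice call (4000 pkt/min) unroamed:", simulate(4000))  # False
```

The idle case tears the tunnel down one threshold window after the roam, while the voice call stays well above 2000 packets per minute and keeps its tunnel, matching the intent of the note above.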
Lab: Enable Layer 3 Roaming
3. Configure VLANs for User Profile
Ensure the Tunnel Policy is set to: L3-Roaming-X
Note: Because the user profile is applied to HiveAPs in different locations, such as the trusted network and the DMZ, you can use HiveAP classification to define one policy to set the user VLANs in each location
Next to Default VLAN, click +
Lab: Enable Layer 3 Roaming
4. Configure the User VLANs
VLAN Name: 0X-Employee-VLANs
– VLAN ID: 1
– Type: Global
– Click Apply (Do not save)
Click New
– VLAN ID: 10
– Type: Classifier
– Value:
• Uncheck Tag 1: <empty>
• Uncheck Tag 2: <empty>
• Check Tag 3: Trusted
– Click Apply, then Save
Note: Users that connect to HiveAPs in the trusted network will be assigned to VLAN 10, and in the DMZ or any other network, they will be assigned to VLAN 1
Lab: Enable Layer 3 Roaming
5. Configure VLANs for User Profile
Ensure the Default VLAN is set to: L3-Roaming-X
Click Save
Lab: Enable Layer 3 Roaming
6. Update delta configuration of your HiveAP
From Monitor > HiveAPs
Select both of your HiveAPs: X-A-HiveAP and X-B-HiveAP
Select Update... > Upload and Activate Configuration
If you want to see the delta configuration, click the link for your HiveAP
– Close the View Configuration window after viewing the delta configuration changes
Click Upload
Click the HiveAP link to view the delta configuration
Testing Layer 3 Roaming In Hosted Data Center
Unfortunately we cannot test layer 3 roaming in the hosted data center because
– The HiveAPs are hard wired via coax to their clients
– The power level of the HiveAPs has been set to 1 dBm so the clients can connect to their SSIDs. If we do not set the power to 1 dBm, the power is too high for the clients that are connected via coax
• Because the power is low, and the rest of the RF connections are terminated, testing in the remote lab is not possible
If the instructor has time and the equipment, they can demonstrate layer 3 roaming locally in class
Layer 3 Roaming Verification Notes
Notes: Layer 3 Roaming View Roaming Neighbors
From Monitor > Access Points > HiveAPs
If you select the check box next to your HiveAP, then select Tools > Diagnostics > Show DNXP Neighbors
– You can view the HiveAP's Layer 2 and Layer 3 roaming neighbors
• View the State column
Shows whether a HiveAP is a layer 2 or layer 3 neighbor
Layer 3 Roaming Testing in Hosted Lab
If you select the check box next to your HiveAP, then select Tools > Diagnostics > Show DNXP Cache
– If a client is connected to the HiveAP, you can view the information that is being sent to the neighboring HiveAPs
– The Tunnel-end is the HiveAP that will be the tunnel end point for DNXP after the client roams across subnet boundaries
1. Shows the MAC address of the client and their tunnel end point after roaming
2. This AP will be the tunnel end point for the 10.5.2.0/24 subnet until its tunnel load is too high
Note: Layer 3 Roaming/Unroaming – Ensure Valid VLANs for MGT0
In this case the Employee VLAN is 1, but the HiveAP MGT0 interface VLAN differs depending on whether the HiveAP is in the Trusted network or the DMZ, using HiveAP classification
Diagram (recovered from the slide):
Trusted Network HiveAP, WLAN Policy: Internal-Policy-X
 Hive: Hive-Class-X
 Interface mgt0: 10.5.2.X/24 VLAN 2
 SSID: Class-PSK-X
 User Profile: Employees(10)-X
 Attribute: 10
 Local VLAN: 1
 Mobility: L3-Roaming-X
 Classifier Tag 3: Trusted
 DHCP for Internal VLAN 10 {10.5.10.50-10.5.10.200}
DMZ Network HiveAP, WLAN Policy: Internal-Policy-X
 Hive: Hive-Class-X
 Interface mgt0: 10.6.1.X/24 VLAN 1
 SSID: Class-PSK-X
 User Profile: Employees(10)-X
 Attribute: 10
 Local VLAN: 1
 Mobility: L3 Roaming-X
 Classifier Tag 3: DMZ
 DHCP for DMZ VLAN 1 {10.6.1.50-10.6.1.200}
Dynamic GRE Tunnel 10.5.2.X to 10.6.1.X; L3 Roam VLAN 1; VLANs 1-20 on the wired side
Note: Layer 3 Roaming/Unroaming – Ensure Valid VLANs for Users
Note: In order for unroaming to work, the VLAN for the user profile must be valid in all networks. To do this, you can configure HiveAP classification for the employee VLAN and set the VLAN in this example to 10 if it is in the trusted network, and 1 if it is in the DMZ.
Diagram (recovered from the slide):
Trusted Network HiveAP, WLAN Policy: Internal-Policy-X
 Hive: Hive-Class-X
 Interface mgt0: 10.5.2.X/24 VLAN 2
 SSID: Class-PSK-X
 User Profile: Employees(10)-X
 Attribute: 10
 Local VLAN: X-Employee-VLANs (10)
 Mobility: L3-Roaming-X
 Classifier Tag 3: Trusted
 DHCP for Internal VLAN 10 {10.5.10.50-10.5.10.200}
DMZ Network HiveAP, WLAN Policy: Internal-Policy-X
 Hive: Hive-Class-X
 Interface mgt0: 10.6.1.X/24 VLAN 1
 SSID: Class-PSK-X
 User Profile: Employees(10)-X
 Attribute: 10
 Local VLAN: X-Employee-VLANs (1)
 Mobility: L3 Roaming-X
 Classifier Tag 3: DMZ
 DHCP for DMZ VLAN 1 {10.6.1.50-10.6.1.200}
Dynamic GRE Tunnel 10.5.2.X to 10.6.1.X; L3 Roam VLAN 1; VLANs 1-20 on the wired side
Services provided by HiveAPs
Identity-Based Tunnels With Captive Web Portal and DHCP Server
Identity-Based Tunnels LAB Using Tag On DMZ VLAN
Diagram (recovered from the slide):
HiveAP A (Internal Network): Hostname X-A-000000, Interface mgt0 10.5.1.N/24 VLAN 1, WLAN Policy WLAN-X, Tunnel Source
HiveAP B (DMZ Network): Hostname X-B-000000, Interface mgt0 10.7.1.X/24 VLAN 1, WLAN Policy WLAN-X, Tag1: DMZ-X, Tunnel Destination
WLAN Policy: WLAN-X
 Hive: Hive-Class-X
 Tunnel Policy: Tunnel-X
 Tunnel Settings: Enable static identity-based-tunnel
 Tunnel Destination: IP Range Start: 10.7.1.X End: 10.7.1.X
 Tunnel Source: 10.5.1.0/24 and 10.5.2.0/24
 Tunnel Password: aerohive123
 MGT0 VLAN: 2
 Native VLAN: 1
 SSID: Class-Guest-X
 Captive Web Portal: CWP-Tunnel-X
 Registration Type: Use-Policy-Accept
 User Profile: Role-Tunnel(1X)
 Attribute: 1X
 VLAN: 1X
 Tunnel Policy: Tunnel-X
Guest Client connects to SSID Class-Guest-X, IP 10.7.1X.N/24, Gateway 10.7.1X.1
GRE Tunnel 10.5.1.N to 10.7.1.X; router addresses 10.7.1.1 (DMZ) and 10.5.2.1 (Internal); the DMZ network reaches the Internet
DHCP Settings for VLAN 1X (X is 2 digits): network 10.7.1X.0/24, ip range 10.7.1X.100 to 10.7.1X.199
Lab: HiveAP Prep for Layer 3 Tests 1. Assign HiveAP-B to New Static IP Address
From Monitor > HiveAPs
– Select the check box next to your HiveAP-B: X-B-###### and click Modify
Expand Interface and Network Settings
– Uncheck DHCP Client Enabled
– IP Address: 10.7.1.X
– Netmask: 255.255.255.0
– Gateway: 10.7.1.1
Note: Your MGT0 VLAN will be set to VLAN 100 using HiveAP classification for this new subnet to work.
Please do not save. Continue to the next slide.
Lab: HiveAP Prep for Layer 3 Tests 2. Verify HiveAP Classification Tag is DMZ
Expand Advanced Settings > HiveAP Classification
Verify Tag 3 is set to: DMZ
*This was set in the HiveAP Classification Lab
Click Save
Lab: HiveAP Prep for Layer 3 Tests 3. In WLAN Policy, Modify MGT0 VLAN
The VLAN for the MGT0 interface on a HiveAP is assigned via the WLAN policy
Go to Configuration > Guided Configuration > WLAN Policies
Edit WLAN-X
Next to MGT interface VLAN, click (To Modify)
Go to next slide
Lab: HiveAP Prep for Layer 3 Tests 4. Add DMZ to VLAN 100
Add another VLAN entry
– Click New
– VLAN ID: 100
– Type: Classifier
– Uncheck Tag 1
– Uncheck Tag 2
– Check Tag 3: DMZ
– Click Apply
After clicking Apply, save your VLAN object
Lab: HiveAP Prep for Layer 3 Tests 5. Verify X-MGT0-VLANs is set to MGT0 Interface
In your WLAN Policy, verify the MGT0 Interface VLAN is set to: X-MGT0-VLANs
The Native (untagged) VLAN should still be set to: 1
Save your WLAN Policy
Lab: HiveAP Prep for Layer 3 Tests 6. Update Delta Configuration
From Monitor > HiveAPs, select your HiveAP-B: X-B-HiveAP
Select Update... > Upload and Activate Configuration
If you want to see the delta configuration, click the link for your HiveAP
– Close the View Configuration window after viewing the delta configuration changes
Click Upload
Click the HiveAP link to view the delta configuration
Lab: HiveAP Prep for Layer 3 Tests 7. View Update Results
After a successful update, you can move your mouse over the Description to see what was updated
Lab: HiveAP Prep for Layer 3 Tests 8. View the New IP Address for your HiveAP
From Monitor > HiveAPs
– Verify that the new IP address for your HiveAP-B is: 10.7.1.X/24
It may take a moment to reflect the changes
New IP Address in VLAN 100 (10.7.1.0/24)
Identity-Based Tunnels With Captive Web Portal Configuration
Identity-Based Tunnels
If VLAN segmentation is not possible due to the network architecture at the access layer, guests can be tunneled, using the identity-based tunnel functionality, directly to one or more HiveAPs within a firewalled DMZ area, such as a lobby
The client in the internal network is assigned a VLAN and an IP address from the tunnel destination
All client traffic is then tunneled to the HiveAPs in the DMZ
Identity-Based Tunnels LAB: Using Tag On DMZ VLAN
[Lab diagram]
– Internal Network HiveAP-A: Hostname X-A-000000; Interface mgt0 10.5.2.N/24 VLAN 1; WLAN Policy WLAN-X
– DMZ Network HiveAP-B (Tunnel Destination): Hostname X-B-000000; Interface mgt0 10.7.1.X/24 VLAN 1; WLAN Policy WLAN-X; Tag1 DMZ-X
– Hive: Hive-Class-X; Tunnel Policy: GRE-Tunnel-X; Tunnel Settings: Enable static identity-based-tunnel; Tunnel Destination: IP Range Start 10.7.1.X, End 10.7.1.X; Tunnel Source: 10.5.1.0/24 and 10.5.2.0/24; Tunnel Password: <random generated>; MGT0 VLAN: 2; Native VLAN: 1
– SSID: Class-Guest-X; Captive Web Portal: CWP-Tunnel-X; Registration Type: Use-Policy-Accept; User Profile: Role-Tunnel(1XX); Attribute: 1XX; VLAN: 1XX; Tunnel Policy: GRE-Tunnel-X
– GRE Tunnel 10.5.1.N to 10.7.1.X; gateway addresses shown: 10.7.1.1 and 10.5.2.1; Internet reached from the DMZ
– Guest Client: Connect to SSID Class-Guest-X; IP 10.7.1X.N/24; Gateway 10.7.1X.1
– DHCP Settings for VLAN 1XX (01, 02, .., 13): network 10.7.1XX.0/24, ip range 10.7.1XX.100 to 10.7.1XX.199
LAB: Guest Access with CWP and Tunnels 1. Edit your WLAN Policy and Add SSID Profile
To add an SSID to be used by guests
Go to Configuration > WLAN Policies
Edit WLAN-X
Under SSID Profiles click Add/Remove SSID Profile
Create a new SSID Profile
– Click +
Go to next slide
LAB: Guest Access with CWP and Tunnels 2. Create a New Guest SSID
Profile Name: Class-Guest-X
SSID: Class-Guest-X
SSID Access Security: WPA/WPA2-PSK (Personal)
Note: You can use any access security method in real life. It is common to use Private PSK for secure guest access or Open for non-secure guest access
Key Value and Confirm Value: aerohive123
Check Enable Captive Web Portal
Click + to create a new captive web portal
Go to next slide
LAB: Guest Access with CWP and Tunnels 3. Configure Captive Web Portal
Name: CWP-Guest-X
Registration Type: Use Policy Acceptance
Click Customize Login Page to see the use policy
– You can edit text in the use policy field, or replace it with your own using copy and paste
– You can click Preview to view the customized web page
– Click Save to save your customized Login Page settings
Please do not save the captive web portal at this time. Go to the next slide.
LAB: Guest Access with CWP and Tunnels 4. Configure Captive Web Portal
Expand the Captive Web Portal Success Page section
Click Customize Success Page
Select the option to Redirect to the initially requested page
Note: This will bring up the web page the client initially requested after they agree to the acceptable use policy
Click Save to save your captive web portal settings
Go to next slide
LAB: Guest Access with CWP and Tunnels 5. Assign CWP and Configure SSID
Back in your Guest SSID config, ensure Captive Web Portal is set to: CWP-Guest-X
Note: you can use Open, but that is much less secure
User Profiles for Traffic Management
Under the heading "User profile assigned to users that associate with this SSID":
– Click + to create a new user profile
– Click More Settings…
Go to next slide
LAB: Guest Access with CWP and Tunnels 6. Create a user profile to tunnel traffic
Define a user profile to tunnel traffic
Note: XX = 2 digits (02, 03, .., 12, 13)
Name: Role-Tunnel(1XX)
Attribute Number: 1XX
Default VLAN: 1XX
Note: This VLAN is encapsulated inside the GRE tunnel and sent to the tunnel destination where the VLAN must exist.
Note: The name, attribute number and default VLAN do not have to match.
Optional Settings
– Expand the GRE or VPN Tunnels section
– Select GRE tunnel for roaming or station isolation
– Click + to create a GRE tunnel policy
LAB: Guest Access with CWP and Tunnels 7. Configure tunnel settings
Configure the tunnel information for both sides of the tunnel in this policy
Name: GRE-Tunnel-X
Select Enable Static Identity-Based Tunnels
Tunnel Destination
– Select IP Address: 10.7.1.X
Note: You can specify a range of consecutive HiveAPs if you have multiple HiveAPs at the tunnel destination for redundancy and load sharing.
Available IP Addresses
– Select 10.5.2.0/24 and 10.5.1.0/24 and click the > button
Tunnel Authentication
– Click Generate
Click Save
LAB: Guest Access with CWP and Tunnels 8. Create a user profile to tunnel traffic
Select the tunnel policy
Tunnel policies: GRE-Tunnel-X
Note: If you do configure firewall policies, be aware that your firewall policies are applied before your traffic is tunneled to the destination HiveAP. Also note that the IP address of your client will be from the remote network at the tunnel destination.
Click Save
LAB: Guest Access with CWP and Tunnels 9. Assign user profile to SSID
Assign the user profile with the tunnel settings to this SSID
User Profile assigned to users that associate with this SSID: Role-Tunnel(1XX)
Make sure everything looks right, then click Save
Note: When a client associates with this SSID and completes the registration process, their traffic is tunneled to the destination HiveAP specified by the tunnel policy in the user profile. If a client associates with this SSID on the tunnel endpoint, the traffic is forwarded without tunneling
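The notes in steps 6 and 9 above say the guest's VLAN rides inside the GRE tunnel to the destination HiveAP, where it must exist. This added example (not HiveOS code) builds and parses such a packet so the layering is visible; it assumes GRE over IPv4 carrying a bridged Ethernet frame (protocol type 0x6558) with the user-profile VLAN as an 802.1Q tag on the inner frame, and uses constructed lab-style addresses.

```python
"""Outer IPv4 | GRE | inner 802.1Q-tagged Ethernet frame, as a guest frame would
travel from the tunnel source HiveAP to the tunnel destination HiveAP.

Assumptions: RFC 2784 GRE with no optional fields, payload type 0x6558
(Transparent Ethernet Bridging). Whether HiveOS frames its identity-based
tunnels exactly this way is not stated in the course.
"""
import ipaddress
import struct
from typing import Dict

IP_PROTO_GRE = 47
GRE_PROTO_TEB = 0x6558        # an Ethernet frame follows the GRE header
ETH_P_8021Q = 0x8100
GRE_OPTIONAL_FIELDS = 0xB000  # C, K and S bits: checksum/key/sequence present


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; 0 for a header whose checksum is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def vlan_tagged_frame(dst_mac: bytes, src_mac: bytes, vlan_id: int,
                      ethertype: int, payload: bytes) -> bytes:
    """Inner 802.1Q frame; PCP and DEI are zero, so the TCI is just the VLAN ID."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    return dst_mac + src_mac + struct.pack("!HHH", ETH_P_8021Q, vlan_id, ethertype) + payload


def gre_encapsulate(inner_frame: bytes, tunnel_src: str, tunnel_dst: str,
                    ip_id: int = 0) -> bytes:
    """Tunnel-source side: IPv4(proto 47) | GRE(flags 0, proto 0x6558) | inner frame."""
    gre_header = struct.pack("!HH", 0, GRE_PROTO_TEB)
    total_length = 20 + len(gre_header) + len(inner_frame)
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, ip_id, 0x4000, 64,
                            IP_PROTO_GRE, 0,
                            ipaddress.IPv4Address(tunnel_src).packed,
                            ipaddress.IPv4Address(tunnel_dst).packed)
    checksum = ipv4_checksum(ip_header)
    ip_header = ip_header[:10] + struct.pack("!H", checksum) + ip_header[12:]
    return ip_header + gre_header + inner_frame


def gre_decapsulate(packet: bytes) -> Dict[str, object]:
    """Tunnel-destination side: validate the outer headers, return VLAN and payload."""
    ihl = (packet[0] & 0x0F) * 4
    ip_header = packet[:ihl]
    if packet[0] >> 4 != 4 or ipv4_checksum(ip_header) != 0:
        raise ValueError("not a valid IPv4 header")
    if ip_header[9] != IP_PROTO_GRE:
        raise ValueError("outer packet is not GRE")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & GRE_OPTIONAL_FIELDS:
        raise ValueError("GRE checksum/key/sequence fields not supported here")
    if proto != GRE_PROTO_TEB:
        raise ValueError("GRE payload is not a bridged Ethernet frame")
    inner = packet[ihl + 4:]
    if len(inner) < 18 or struct.unpack("!H", inner[12:14])[0] != ETH_P_8021Q:
        raise ValueError("inner frame carries no 802.1Q tag")
    tci, ethertype = struct.unpack("!HH", inner[14:18])
    return {
        "tunnel_src": str(ipaddress.IPv4Address(ip_header[12:16])),
        "tunnel_dst": str(ipaddress.IPv4Address(ip_header[16:20])),
        "vlan": tci & 0x0FFF,       # the user-profile VLAN (1XX in the lab)
        "ethertype": ethertype,
        "payload": inner[18:],
    }
```

The destination HiveAP bridges the inner frame onto VLAN 1XX locally, which is why that VLAN (and in this lab the DHCP server for it) has to exist on the tunnel endpoint.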
LAB: Guest Access with CWP and Tunnels 10. Remove Existing SSID and Add New SSID
To clean up the air, remove all other SSID profiles from the Selected SSID Profiles list using the << button
– The Selected SSID Profiles list is now empty
From the Available SSID Profiles, select Class-Guest-X and use the > button to move it to the Selected SSID Profiles list
Click Apply
**Really, please click Apply
Save the WLAN policy
HiveAP DHCP Service On Tunnel Endpoint
LAB: Configure DHCP Service for Guests 1. Create DHCP Server for VLAN 1XX
To create a DHCP server and IP pool for VLAN 1XX
Go to Configuration > Advanced Configuration > Network Objects > DHCP Server & Relay
Name: DHCP-VLAN-1XX
Interface: mgt0.X
IP Address: 10.7.1XX.2
Netmask: 255.255.255.0
VLAN ID: 1XX
Please do not save, go to next slide
LAB: Configure DHCP Service for Guests 2. Configure IP Pool and Options
Configure the IP pool and DHCP options
Under IP Pool
– Start IP Address: 10.7.1XX.100
– End IP Address: 10.7.1XX.199
Click Apply (Really, please click Apply!)
Under DHCP Server Options
– Default Gateway: 10.7.1XX.1
Note: The netmask is automatically inherited from the mgt0.X interface
– DNS Server 1 IP: 10.5.1.10
Click Save
LAB: Configure DHCP Service for Guests 3. Assign DHCP Server to Endpoint HiveAP
Because the clients will be tunneled to the HiveAP at the destination, the DHCP server should be at the destination
From Monitor > HiveAPs, select your HiveAP-B: X-B-HiveAP and click Modify
Expand SSID Allocation
– Clear the check boxes to disable the SSIDs on the 2.4GHz and 5GHz radios. Note: Though not necessary in a real deployment, for this lab, this will ensure all traffic is tunneled.
Expand Service Settings
– Select your DHCP server object: DHCP-VLAN-1XX and move it to the Selected list
Save the settings for this HiveAP
Update Configuration of HiveAPs: To Update GRE-Tunnel and DHCP Server Configuration
LAB: Guest GRE Tunnel and DHCP Server1. Update Configuration of HiveAPs
From Monitor > HiveAPs, select both your HiveAPs: X-A-HiveAP and X-B-HiveAP
Select Update... > Upload and Activate Configuration
If you want to see the delta configuration, click the link for your HiveAP
– Close the View Configuration window after viewing the delta configuration changes
Click Upload
Click the HiveAP link to view the delta configuration
LAB: Guest GRE Tunnel and DHCP Server 2. Monitor Update Results
Ensure that your update is successful
From Monitor > HiveAPs
– You can see an icon next to your HiveAP letting you know it is now a DHCP server
LAB: Guest GRE Tunnel and DHCP Server
3. Connect to your Class-Guest-X SSID
On your remote hosted PC, connect to the SSID: Class-Guest-X
Passphrase/Network Key: aerohive123
LAB: Guest GRE Tunnel and DHCP Server 4. Agree to Acceptable Use Policy
Open a web browser and browse to a decent web site: http://www.aerohive.com
A captive web portal page will be displayed
Fill out the web registration form
Click Accept to agree to the Acceptable Use Policy
LAB: Guest GRE Tunnel and DHCP Server 5. Verify Access To Internet
Once the login is successful, you can access the network
You should automatically be redirected to the web page you initially requested
LAB: Guest GRE Tunnel and DHCP Server 6. View Active Clients List
After associating with your SSID, you should see your connection in the active clients list in HiveManager
– Go to Monitor > Clients > Active Clients
Your IP address should be from the 10.7.1XX.0/24 network
Note the IP address, VLAN and user profile attribute
– VLAN: 1XX
– User Profile Attribute: 1XX
LAB: Guest GRE Tunnel and DHCP Server
7. Verify Tunnel
Private PSK: User-Based Pre-Shared Keys and Policy
Lab: Secure WLAN Access With Private PSK Diagram
[Lab diagram]
– HiveAP Student-X: VLANs 1-20; Mgt0 IP 10.5.2.N/24 VLAN 2; WLAN Policy WLAN-X
– AD (IAS) Server: 10.5.1.10
– DHCP Settings: (VLAN 1) network 10.5.1.0/24, 10.5.1.140 – 10.5.1.240; (VLAN 2) network 10.5.2.0/24, 10.5.2.140 – 10.5.1.240; (VLAN 8) network 10.5.8.0/24, 10.5.8.140 – 10.5.8.240; (VLAN 10) network 10.5.11.0/24, 10.5.10.140 – 10.5.10.240; (VLAN 11) network 10.5.11.0/24, 10.5.11.140 – 10.5.11.240
– Client: Connect to SSID Class-PPSK-X; IP 10.5.10.N/24; Gateway 10.5.10.1; Internet reached through the gateway
– SSID: Class-PPSK-X; SSID Type: Private PSK; Authentication: WPA or WPA2 Personal; Encryption: TKIP or AES
– User Group: PPSK-Corp-X; Attribute: 10; User Profile: Employee(10)-X
– Local Users: Create Users in Group PPSK-Corp-X; 30 Users with PSKs: X-corp0001 to X-corp0030 with automatically created PSKs
SSIDs with WPA or WPA2 Personal Use Pre-Shared Keys (PSKs)
[Diagram: AP with SSID Corp-WiFi, Authentication WPA2 Personal, Shared Key aSecretPhrase, User Profile Employee-Profile; User 1, User 2 and User 3 each connect to SSID Corp-WiFi with the same Shared Key aSecretPhrase]
All users share the same key
– If a user leaves or if a PC or portable device is lost, for security reasons the shared key should be changed, and every user will have to update the key on their wireless clients
All users share the same network policy
– Because all users share the same SSID with the same key, they will also have the same network policies, such as their VLAN, because there is no way to uniquely identify users or types of users
SSID with 802.1X/EAP Dynamically Creates Pairwise Master Keys (PMKs)
[Diagram: AP with SSID Corp-WiFi, Authentication WPA2 Enterprise (802.1X), backed by RADIUS; User 1 PMK d6#$%^98f.., User 2 PMK 87fe@#$%a.., User 3 PMK 90)356*&f..; each user connects to SSID Corp-WiFi with its own PMK]
With 802.1X, after a user successfully authenticates with RADIUS, a unique key called a PMK is created for each user and AP pair
– If a user leaves the company or a user loses a device, the user account can be disabled and passwords can be changed to prevent access to corporate resources
New PMKs are created every time the user authenticates
Users can have unique network policies
– Because users are identified by their user name, they can be assigned to different network policies based on the user or group
Private Pre-Shared Key (PSK) Allows Creation of Unique PSKs per User
Private PSKs are unique pre-shared keys created for individual users on the same SSID
Client configuration is simple: just enter the SSID shared key for WPA or WPA2 Personal (PSK)
– No 802.1X supplicant configuration is required
– Works with devices that do not support 802.1X/EAP
You can automatically generate unique keys for users and distribute them via email, or any way you see fit
If a user leaves or a device is lost or stolen, the PSK for that user or device can simply be revoked
[Diagram: HiveAP with SSID Corp-WiFi, SSID Type Private PSK, Authentication WPA2 Personal; User 1 Private PSK d6#$%^98f.., User 2 Private PSK 87fe@#$%a.., User 3 Private PSK 90)356*&f..; each user connects to SSID Corp-WiFi with its own Key]
Private Pre-Shared Key (PSK) Allows Creation of Unique PSKs per User
You can create network policies for individual users or groups of users, including different VLANs, firewall policies, tunnels, and schedules
Fast roaming occurs without the need for opportunistic key caching
Private PSKs can be automatically generated using User Manager or GuestManager, giving a lobby administrator the ability to generate unique keys for guests for secure guest access
[Diagram: HiveAP with SSID Corp-WiFi, SSID Type Private PSK, Authentication WPA2 Personal; User 1 Private PSK d6#$%^98f.., User 2 Private PSK 87fe@#$%a.., User 3 Private PSK 90)356*&f..; each user connects to SSID Corp-WiFi with its own PSK]
Private Pre-Shared Key (PSK) Deployment Recommendations
Private PSK is recommended for augmenting WLAN deployments that authenticate clients with WPA or WPA2 Enterprise (802.1X/EAP), but have some devices that:
– Support WPA or WPA2 Personal, but do not support WPA or WPA2 Enterprise with 802.1X/EAP
– Do not support opportunistic key caching for seamless roaming
Recommended in place of using traditional PSKs for environments that do not have a WLAN deployment using WPA or WPA2 Enterprise with 802.1X/EAP
Recommended for secure guest access using User Manager or GuestManager for Private PSK creation
– An online training module for User Manager and Private PSKs can be viewed by going to: www.aerohive.com/training/cbt
Configure Private PSK For Secure Guest Access
Configuration Notes
– Configure Time Service on HiveManager
– Configure Email Service on HiveManager
– Create User Manager Administrator and Operator Accounts
– Create Private PSK Groups and Private PSK Users
– Create Private PSK SSID and Captive Web Portal for Use Policy Acceptance
Lab: Secure Guest Access with Private PSK 1. Create Private PSK Group
Go to Configuration > Advanced Configuration > Authentication > Local User Groups
Click New
User Group Name: PPSK-guests(100)-0X (0X = 02-15)
User Type: Automatically generated private PSK users
User Profile Attribute: 100
VLAN: <empty>
Note: The VLAN is inherited from the user profile
Do not save, please go to the next slide
Lab: Secure Guest Access with Private PSK 2. Configure User Name and Private PSK Secret
Private PSK Secret: <enter random characters>
Note: This secret never needs to be known or seen again; it is used to add more complexity to the automatically generated PSKs.
User Name Prefix: 0X-guest
Note: This is the prefix for all the Private PSKs that will be generated. If you create 100 PPSK accounts, then the guest accounts will be created as 0X-guest0001 through 0X-guest0100
Expand Private PSK Advanced Options
Lab: Secure Guest Access with Private PSK 3. Configure Time Zone and Validity Period
Password Length: 8
Note: If Private PSKs were being generated for corporate accounts, this should be a much larger password length. However, for guests, because they are entering the password on their mobile device from a printout or from an email, for administrative purposes it is better to generate shorter PSKs.
Time Zone: <Local Time Zone>
Note: This should be the time zone of where the HiveAPs are located in real life, but for class, use your local class time zone
PSK Validity Period: Recurring Schedule
– Click +
Lab: Secure Guest Access with Private PSK 4. Configure PPSK Recurrence Schedule
Schedule Name: daily-X
Select Recurrent
Note: By selecting Recurrent, the Private PSKs will be regenerated on a 24 hour basis. The guests will need to obtain a new PSK on a daily basis for network access.
Start Time 1: 00hr 00min
End Time: 23hr 59min
Note: By specifying a start and end time, the PSKs will only be functional between the start and end times.
Click Save
Lab: Secure Guest Access with Private PSK 5. Configure PSK character types and then save
Character types used in generated PSKs and manually created passwords:
– Check Letters
– Uncheck Digits
– Uncheck Special Characters
Note: Because these are daily PSKs, you can use upper and lower case letters to make them easy to type. If you mix in digits, the client may have problems telling letters and digits apart: 1, I, l, 0, O, for example. Mixing in special characters is fine, but it may be more complicated for clients to enter them on their mobile device.
Click Save
Lab: Secure Guest Access with Private PSK 6. Bulk Create 20 PPSK Daily User Accounts
Go to Configuration > Advanced Configuration > Authentication > Local Users
Click the Bulk button
Create User Under Group: PPSK-guests(100)-X
Number of New Users: 20
Click Create
Lab: Secure Guest Access with Private PSK 7. Filter and View Private PSK Users
Apply a filter to view your Private PSK users
Go to Configuration > Authentication > Local Users
Click Filter
Enter a part of a user name or description to locate the users you created
– 0X-guest
– Click Search
Go to next slide
Click here to select or deselect all entries
Lab: Secure Guest Access with Private PSK 8. View Clear Text PSKs or Obscure PSKs
You can view the PSKs for each Private PSK user in clear text, or you can choose to keep them obscured
Here you can also see the validity time of the PSKs
These accounts will be assigned to guests from the User Manager interface
Screenshot callouts: Click here to obscure the PSK; Click here to see the clear text PSK
Create a Guest SSID Secured with Private PSK
Lab: Secure Guest Access with Private PSK 9. Modify your WLAN Policy and Add an SSID
To configure a Private PSK SSID
Go to Configuration > WLAN Policies
Edit your WLAN policy: WLAN-X
Click Add/Remove SSID Profile
Under the Available SSID Profiles selection box, click +
Go to next slide
Lab: Secure Guest Access with Private PSK 10. Configure SSID to use Private PSK
Profile Name: Class-Daily-X
SSID: Class-Daily-X
Under SSID Access Security select Private PSK
Uncheck Use Default Private PSK Settings
Click Options>>
Lab: Secure Guest Access with Private PSK 11. Configure Private PSK Shared User Limit
In the Advanced Option section, limit the number of devices that can share a private PSK. For example, you may want to have one guest use their PC and their mobile phone or PDA. By default, there is no limit to the number of times a Private PSK can be shared.
Check Private PSK Shared User Limit: 2
Note: This means that within a Hive, a single Private PSK can only be used by two devices.
Click Options<<
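The Private PSK slides earlier in this section (one key per user on a single SSID, per-user revocation, keys generated from a group secret) and the shared user limit set in this step all come down to the AP keeping one candidate key per user. This added example (not Aerohive code) models that: the PMK derivation is the standard WPA/WPA2-Personal one, while generate_ppsk() is an assumed stand-in, since the course does not document how HiveManager derives keys from the Private PSK secret; the SSID, user names and limit follow the lab.

```python
"""Per-user Private PSKs on one SSID: generation, PMK derivation, user lookup,
shared-user limit and single-key revocation.

Standard: WPA/WPA2-Personal PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32).
Assumption: generate_ppsk() derives each user's key from the group secret and
user name; HiveManager's real generator is not described in the course.
"""
import hashlib
import hmac
import string
from typing import Dict, Optional, Set


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Standard WPA/WPA2-Personal passphrase-to-PMK mapping."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def generate_ppsk(group_secret: str, username: str, length: int = 8,
                  alphabet: str = string.ascii_letters) -> str:
    """Assumed generator: HMAC(group secret, user name) mapped onto the alphabet.
    Letters only and length 8 mirror the lab's daily-guest settings. The modulo
    mapping is slightly biased, acceptable for an illustration only."""
    digest = hmac.new(group_secret.encode("utf-8"), username.encode("utf-8"),
                      hashlib.sha256).digest()
    return "".join(alphabet[b % len(alphabet)] for b in digest[:length])


class PrivatePskSsid:
    """One SSID whose clients are identified by which Private PSK they hold."""

    def __init__(self, ssid: str, group_secret: str, shared_user_limit: int) -> None:
        self.ssid = ssid
        self.group_secret = group_secret
        self.shared_user_limit = shared_user_limit
        self._user_by_pmk: Dict[bytes, str] = {}   # candidate PMKs the AP checks
        self._devices: Dict[str, Set[str]] = {}    # user name -> MACs using its key

    def provision(self, username: str) -> str:
        """Create the user's key and register its PMK; returns the passphrase to hand out."""
        psk = generate_ppsk(self.group_secret, username)
        self._user_by_pmk[derive_pmk(psk, self.ssid)] = username
        self._devices[username] = set()
        return psk

    def revoke(self, username: str) -> None:
        """Revoke one user's key; every other user's key keeps working unchanged."""
        self._user_by_pmk = {pmk: u for pmk, u in self._user_by_pmk.items()
                             if u != username}
        self._devices.pop(username, None)

    def associate(self, client_mac: str, passphrase: str) -> Optional[str]:
        """Return the user the client's key maps to, or None if the AP rejects it.

        A real AP never sees the passphrase: it checks the 4-way handshake MIC
        against each candidate PMK. Here the lookup is done on the PMK directly.
        """
        user = self._user_by_pmk.get(derive_pmk(passphrase, self.ssid))
        if user is None:
            return None                 # unknown or revoked key: handshake fails
        devices = self._devices[user]
        if client_mac not in devices and len(devices) >= self.shared_user_limit:
            return None                 # key already in use by the allowed number of devices
        devices.add(client_mac)
        return user
```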
Lab: Secure Guest Access with Private PSK 12. Create a Captive Web Portal
Select your Private PSK User Group: PPSK-guests(100)-X and click the right arrow > button
Check Enable Use Policy Acceptance CWP
– Then click +
Note: This captive web portal will be used to ensure that guests agree to an acceptable use policy
Lab: Secure Guest Access with Private PSK 13. Configure a Captive Web Portal
Name: CWP-Accept-X
Registration Type: Use Policy Acceptance
Note: In each section, you can click Customize… if you want to modify the default web pages or import your own pages.
Expand Captive Web Portal Success Page Settings
– Select Redirect to an external page: http://www.aerohive.com
Save your Captive Web Portal settings
Lab: Secure Guest Access with Private PSK 14. Create a user profile for guests
Back in the SSID, ensure the Use Policy Acceptance CWP is selected as: CWP-Accept-X
Under Available User Profiles
– Click +
Name: Guests(100)-X
Attribute Number: 100
Default VLAN: 8
Check Manage users for this profile via User Manager
Click Apply
Go to next slide
Lab: Secure Guest Access with Private PSK 15. Select user profile and save
Select the user profile that matches the attribute that will be returned based on the setting in the Private PSK user group
Under Available User Profiles, select Guests(100)-X and click the right arrow button
Click Save
Go to next slide
Lab: Secure Guest Access with Private PSK 16. Select SSID, Apply, then Save
Under SSID Profiles click the << button to remove all existing SSIDs
Under Available SSID Profiles, select Class-Daily-X and click the > button to move it to Selected SSID Profiles
Click Apply, then click Save
Lab: Secure Guest Access with Private PSK 17. Update the configuration of your HiveAP
From Monitor > Access Points > HiveAPs
Select your X-A-HiveAP
Select Update... > Upload and Activate Configuration
Click Upload
User Manager Administration
User Manager Permissions Defined in Admin Groups
User Manager is a simplified interface into HiveManager that lets lobby operators create secure guest accounts
User Manager is a free license
There are two types of permissions for user manager access, administrators and operators
User Manager Permissions Defined in Admin Groups
Here is an example of the permissions defined for user manager operators and administrators
User Manager Operator
User Manager Administrator
Lab: User Manager Administration 1. Create a User Manager Operator
Create an operator account who will be able to log into the User Manager interface in HiveManager and generate guest accounts for secure access to the guest WLAN
Email: [email protected]
Name: lobby-X
Password: aerohive123
Confirm Password: aerohive123
Check Limit operator access to the selected Private PSK User Groups
– Select: PPSK-guests(100)-X
Check Limit operator access to the selected SSID Profiles
– Select: Class-Daily-X
Click Save
Lab: User Manager Administration 2. Create a User Manager Administrator
Create a User Manager administrator who will have access to generate reports based on guest access
Email: [email protected]
Name: manager-X
Password: aerohive123
Confirm Password: aerohive123
Group Name: User Manager Admin
Click Save
User Manager Operations
Lab: User Manager Operation 1. Log in to the User Manager interface
Note: If you are logged in to HiveManager, you will need to log out, or you can use a different web browser so that you can log in with a different account
https://training-hm1.aerohive.com
Login: lobby-X
Password: aerohive123
Click Login
Lab: User Manager Operation 1. Log in to the User Manager interface
Note: Pretend you just walked in the company door as a guest, and you are also the lobby administrator
User Group: PPSK-guests(100)-X
Visitor Name: <Your Name>
Email Address: <Your real email address>
Visitor Company: <Your Company>
Sponsor: lobby-X
SSID Name: Class-Daily-X
Click Save
Lab: User Manager Operation 2. Log in to the User Manager interface
Select the check box next to your guest account
Click Email
– Note: For this to work, the guest will need a mobile networking device that can access email without Wi-Fi access, such as a mobile phone or PDA
Note: you also have the option to Print the account information and hand it to the guest
Lab: Test Secure Guest Access 1. Connect to the Class-Daily-X SSID
From the Hosted PC
– Connect to Class-Daily-X
– Enter the private PSK generated from User Manager
– Click OK
Lab: Test Secure Guest Access 2. View Active Session Information
After associating with your SSID, you should see your connection in the active clients list in HiveManager
– Go to Monitor > Clients > Active Clients
Your IP address should be from the 10.5.8.0/24 network
Note the client information:
– Username: 0X-guest000N
– VLAN: 8
– User Profile Attribute: 100
Troubleshooting with Client Monitor: Example of Invalid PSK
Troubleshooting
HiveAP Troubleshooting Commands
– Check the time and time zone
• show clock
• show timezone
– Check the Private PSK users and Private PSK groups
• show auth private-psk
Location Services: HiveAP Location Servers With Client Watch Lists
HiveAP Distributed Location Services
The HiveAPs can locate client devices in the WLAN
The HiveAP that has a client associated with it becomes the owner for the client
Neighboring HiveAPs report their RSSI measurements of the client to the owner
The HiveAP owner calculates a location and sends an aggregate report to HiveManager on a periodic basis
Note: More details are in the notes below and in the help
[Diagram: HiveAP A and HiveAP B each send an RSSI Report for Client 1 to HiveAP C (Client 1 Owner); HiveAP C sends the Aggregated Report to HiveManager, which places the client on the Topology Map.]
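To make the owner HiveAP's role concrete, this added example (not HiveOS code) turns the owner's own and its neighbours' RSSI reports for one client into a position. It assumes a log-distance path-loss model to convert RSSI to range and linearised least-squares trilateration to combine the ranges; Aerohive's actual algorithm is not documented in the course, and the AP coordinates and RSSI values are constructed.

```python
"""Owner-side aggregation of RSSI reports into a client position.

Assumed model: rssi = rssi_at_1m - 10 * n * log10(distance), then least-squares
trilateration over three or more HiveAPs. Coordinates are in the topology
map's units; the class note that at least 3 APs are needed shows up as the
minimum-report check.
"""
import math
from typing import List, Tuple

Report = Tuple[float, float, float]   # (ap_x, ap_y, rssi_dbm) as reported to the owner


def rssi_to_distance(rssi_dbm: float, rssi_at_1m: float = -40.0,
                     exponent: float = 3.0) -> float:
    """Log-distance path loss inverted to give a range estimate."""
    return 10 ** ((rssi_at_1m - rssi_dbm) / (10 * exponent))


def distance_to_rssi(distance: float, rssi_at_1m: float = -40.0,
                     exponent: float = 3.0) -> float:
    """Forward model; used here only to construct sample reports."""
    return rssi_at_1m - 10 * exponent * math.log10(distance)


def locate(reports: List[Report]) -> Tuple[float, float]:
    """Least-squares trilateration from three or more RSSI reports.

    Subtracting the first AP's range equation from each other AP's removes the
    quadratic terms and leaves a linear system in (x, y); the 2x2 normal
    equations are solved directly.
    """
    if len(reports) < 3:
        raise ValueError("need reports from at least three HiveAPs")
    x1, y1, r1 = reports[0]
    d1 = rssi_to_distance(r1)
    rows = []
    for xi, yi, ri in reports[1:]:
        di = rssi_to_distance(ri)
        a = (2 * (xi - x1), 2 * (yi - y1))
        b = d1 ** 2 - di ** 2 + xi ** 2 - x1 ** 2 + yi ** 2 - y1 ** 2
        rows.append((a, b))
    # Normal equations (A^T A) p = A^T b for the 2-unknown case
    s11 = sum(a[0] * a[0] for a, _ in rows)
    s12 = sum(a[0] * a[1] for a, _ in rows)
    s22 = sum(a[1] * a[1] for a, _ in rows)
    t1 = sum(a[0] * b for a, b in rows)
    t2 = sum(a[1] * b for a, b in rows)
    det = s11 * s22 - s12 * s12
    if abs(det) < 1e-9:
        raise ValueError("reporting HiveAPs are collinear; position is ambiguous")
    return ((s22 * t1 - s12 * t2) / det, (s11 * t2 - s12 * t1) / det)
```

With real radios the ranges are noisy, so the least-squares fit gives a best estimate rather than an exact point; the collinearity check is the reason AP placement on the topology map matters.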
Lab: HiveAP Location Services 1. Create a HiveAP Location Service Policy
From Configuration > Guided Configuration > WLAN Policies, edit your WLAN Policy: WLAN-X
Ensure all the HiveAPs in the class are in the same hive
– Select Hive-Class
Under Optional Settings, expand Management Server Settings
Next to Location Server
– Click +
Lab: HiveAP Location Services 2. Configure Aerohive Location Server
Name: AP-Location-X
Check Enable Location Server
Select Aerohive Location Server
Click Save
Lab: HiveAP Location Services 3. Create a location watch list
Back in the WLAN policy, ensure the Location Server is: AP-Location-X
Next you will need to create or select a location watch list. This is a list of MAC addresses of the clients whose location you want the HiveAPs to track.
Because this class network is a small network, you will select the default All Clients location watch list.
Next to Location Watch List, select All Clients from the drop-down list
Then save your WLAN Policy
Lab: HiveAP Location Services 4. Update the configuration of your HiveAP
From Monitor > Access Points > HiveAPs
Select your X-A-HiveAP
Select Update... > Upload and Activate Configuration
Click Upload
Note: Location Watch Lists: Creating a Place Holder Watch List
If you do create your own location watch list, you must add at least one client MAC address entry. It does not have to be valid at this time, so you can type: 000000000000
Click Apply, then Save
By doing this, you can then add clients to the watch list from the Active Clients view
Note: Location Watch Lists: Add Active Clients to Watch List
From Monitor > Clients > Active Clients
Select the check box next to the Active Clients you want to track
Click Operation... > Add to Watch List > watch-X
You will then need to upload and activate the configuration for your HiveAP
Note: For class, you want to use the All Clients watch list because every AP in class will need to track the same clients to get at least 3 APs to locate your client
Class Demonstration
Because the hosted clients are connected directly to the class HiveAPs via Wi-Fi coax cable, location services will not work very well, since other HiveAPs will not see the neighboring clients
If the instructor has three or more HiveAPs, location services can be tested in the class
Just ensure the local classroom HiveAPs are added to the same topology map, are in the same Hive, and that they are placed accurately (or somewhat close to accurate) as the topology map reflects
339
Example: Client Location on Topology Map
340
[Screenshot: topology map with Select Clients and the located Client marked]
DHCP Server and NAT Access
341
Using a HiveAP as a DHCP Server and NAT Gateway for Client Traffic
The client connects to the SSID: Class-NAT-X and obtains an IP address in the 10.5.5.0/24 network
The HiveAP creates a virtual interface for the default gateway 10.5.5.1 and responds to ARP
The traffic from the client is sent to the HiveAP
The firewall rules assigned to the client by its user profile translate the client's traffic to a source IP of the HiveAP's MGT0 interface; the traffic is then sent to the HiveAP's default gateway
342
Lab topology (from the diagram):
- HiveAP Student-X: Mgt0 IP 10.5.2.N/24, Gateway 10.5.2.1, VLAN 1
- SSID: Class-NAT-X, User Profile: branch(5)-X, Firewall Policy: NAT-X
- DHCP Settings: Mgt0.5 IP 10.5.5.2/24, IP Pool 10.5.5.100 - 10.5.5.200, DHCP Options: Gateway 10.5.5.1, NAT Support
- Client: connect to SSID Class-NAT-X, IP 10.5.5.N/24, Gateway 10.5.5.1
- Upstream router IP 10.5.2.1 toward the Internet
Lab: Create an SSID with NAT Access
1. Modify your WLAN Policy
Go to Configuration > Guided Configuration > WLAN Policies
Click the link to modify your WLAN policy: WLAN-X
Go to next slide
343
Lab: Create an SSID with NAT Access
2. Create a new SSID
– WLAN Policy –
- Under SSID Profiles, click Add/Remove SSID Profile
- Click + to create a new SSID Profile
Go to next slide
344
Lab: Create an SSID with NAT Access
3. Configure the SSID and create a user profile
– SSID Profile –
- Profile Name: Class-NAT-X
- SSID: Class-NAT-X
- SSID Access Security: select WPA/WPA2 PSK (Personal)
– Use Default WPA/WPA2 PSK Settings
- Key Value: aerohive123
- Confirm Value: aerohive123
- User Profile for Traffic Mgmt: click + to create a new user profile
- Click More Settings...
345
Lab: Create an SSID with NAT Access
4. Create User Profile for Branch Office Clients
– SSID > User Profile –
- Name: Branch(5)-X
- Attribute Number: 5
- Default VLAN: 5
- Expand Firewalls
- Under IP Firewall Policy, next to From-Access click +
346
Lab: Create an SSID with NAT Access
5. Create a firewall rule for DHCP
Configure a firewall rule to permit the client to obtain an IP address via DHCP
Note: This rule must be configured without NAT, because DHCP requests cannot be NATed
Policy Name: NAT-X
– Source IP: Any
– Destination IP: Any
– Service: DHCP-Server
– Action: Permit
Click Apply and do not save, then go to the next slide
347
Lab: Create an SSID with NAT Access
6. Create a firewall rule for NAT access
Configure a firewall rule to network address port translate (NAPT) the source IP address of all traffic from the clients to the MGT0 interface of the HiveAP. Under Policy Rule, click New
– Source IP: Any
– Destination IP: Any
– Service: Any
– Action: NAT
Click Apply and do not save, then go to the next slide
348
Lab: Create an SSID with NAT Access
7. Verify firewall policy rules then save
Verify your firewall rules look like the following picture:
– Permit DHCP-Server (without NAT)
– NAT all the rest of the traffic
Click Save
349
Lab: Create an SSID with NAT Access
8. Assign Firewall Policy to User Profile
Back in your user profile, under IP Firewall Policy:
- From-Access: NAT-X
- To-Access: <Empty>
- Default-Action: Deny
Click Save
350
Lab: Create an SSID with NAT Access
9. Assign user profile to SSID then save
Make sure the new user profile is selected: branch(5)-X
Click Save
351
Lab: Create an SSID with NAT Access
10. Assign SSID to WLAN policy then save
– WLAN Policy –
Under SSID Profiles, select your SSID Class-NAT-X from the Available SSID Profiles list and use the right arrow button '>' to move it to the Selected SSID Profiles list
Click Apply
Really – make sure you click Apply
Click Save to save your WLAN policy
352
Note: The WLAN policy must be assigned to one or more HiveAPs for it to take effect
Configure DHCP Server for NATed IP Pools
Note: Requires a HiveAP 300 Series until HiveOS version 3.5r2, which will also support the 100 Series
353
Lab: Configure HiveAP DHCP Service
1. Create a DHCP server object
Create a DHCP Server object for VLAN 5, which is the VLAN assigned by the Branch(5)-X user profile
- Name: DHCP-X
- Interface: mgt0.5
- IP Address: 10.5.5.2
- Netmask: 255.255.255.0
- VLAN ID: 5
- Leave default settings for the rest of the options...
IP Pools
– Start IP Address: 10.5.5.100
– End IP Address: 10.5.5.200
Click Apply but do NOT save. Go to the next slide...
354
Note: Everyone in class will configure the same IP addresses and pools, and that is OK because all traffic is locally processed by their own HiveAPs and then NATed.
Lab: Configure HiveAP DHCP Service
2. Define gateway IP and enable NAT support
Define the default gateway and enable NAT support:
- Expand DHCP Server Options
– Default Gateway: 10.5.5.1
- Expand Advanced
– Enable NAT Support
Note: Even though a HiveAP is a layer 2 device, it will take one of its reserved MAC addresses and assign it to the default gateway specified in the DHCP server options, allowing it to respond to ARP and act like a router
Click Save
355
Lab: Configure HiveAP DHCP Service
3. Enable DHCP service on HiveAP
Enable the DHCP server service on your HiveAP:
- From Monitor > Access Points > HiveAPs
- Select the checkbox next to your HiveAP: X-A-######
- Click Modify
- Under Optional Settings > DHCP Server & Relay, expand Service Settings
- Select your DHCP Server object DHCP-X and click the > button to move it to the Selected Servers list
Click Save
356
Lab: Configure HiveAP DHCP Service
4. Upload and Activate Configuration
- Select the checkbox next to your HiveAP: X-A-######
- Click Update... > Upload and Activate Configuration
Click Upload
357
Test DHCP Server and NAT Access
358
Lab: Test DHCP Server and NAT Access
1. Connect to the NAT SSID
From the hosted PC, connect to the Class-NAT-X SSID
- Network Key: aerohive123
- Confirm network key: aerohive123
Click Connect
359
Lab: Test DHCP Server and NAT Access
2. Verify IP and Internet Connectivity
From the hosted PC, open a CMD prompt and view your IP address:
ipconfig
Note: Your IP address should be in the 10.5.5.0/24 subnet
ping www -t
(www resolves to 10.6.1.150)
360
Lab: Test DHCP Server and NAT Access
3. Verify that the IP session is being NATed
From the command line interface of your HiveAP, you can view the IP session information for active sessions to see whether NAT is being performed:

02-A-064200# show forwarding-engine ip-session protocol 1
IP session table:
Ageout time (in ms)
Total entries: 2/8191
Id:2; Ageout:1036; Flags:0x8251; QOS:2; Up: 0 min 1 sec; InPol:NAT-1/2;
    10.5.5.100/4112 -> 10.6.1.150/4112; Proto 1; Flg:0x0; Pkts:1 Bytes:60 Parent-MAC-Sess: 21
    10.6.1.150/4112 -> 10.5.2.2/64511; Proto 1; Flg:0x0; Pkts:1 Bytes:60
Id:1; Ageout:36; Flags:0x8251; QOS:2; Up: 0 min 2 sec; InPol:NAT-1/2;
361
Traffic from the client 10.5.5.100 is sent to the www server 10.6.1.150.
Traffic from the www server 10.6.1.150 is sent to 10.5.2.2, which is the IP address of the MGT0 interface of the HiveAP. This means NAT is working.
When you are done, please stop the continuous ping from the hosted PC.
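As an added example (not Aerohive code), the following Python model shows why the From-Access policy NAT-X built in the lab orders its rules the way it does and how the NAPT session entries above come about: DHCP is permitted untranslated, everything else has its source rewritten to the mgt0 address, unmatched traffic hits the user profile's Default-Action of Deny, and replies are mapped back through the session table. The addresses and ICMP identifier are the lab's values; the sequential NAT port allocator starting at 64511 is an assumption.

```python
# Added example (not Aerohive code): a model of the From-Access firewall
# policy NAT-X and the NAPT session entries seen in "show forwarding-engine
# ip-session".  Addresses are the lab's; the port allocator is an assumption.
from dataclasses import dataclass
import itertools

MGT0_IP = "10.5.2.2"      # HiveAP mgt0 address used as the NAT source (lab value)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int         # for ICMP this is the echo identifier (4112 in the lab)
    dst_ip: str
    dst_port: int
    proto: str            # "udp", "tcp" or "icmp"


def service_match(service, pkt):
    """Match a policy's service object against a packet."""
    if service == "Any":
        return True
    if service == "DHCP-Server":  # client DISCOVER/REQUEST: UDP to port 67
        return pkt.proto == "udp" and pkt.dst_port == 67
    raise ValueError("unknown service object: " + service)


# NAT-X as built in the lab: permit DHCP untranslated first, then NAT the rest.
NAT_X_POLICY = [("DHCP-Server", "Permit"), ("Any", "NAT")]


class HiveAPForwarder:
    def __init__(self, policy, default_action="Deny"):
        self.policy = policy                  # evaluated top-down, first match wins
        self.default_action = default_action  # user profile Default-Action
        self.sessions = {}                    # (nat_ip, nat_port, dst_ip, dst_port) -> (orig_ip, orig_port)
        self._ports = itertools.count(64511)  # assumption: sequential NAT ports

    def decide(self, pkt):
        for service, action in self.policy:
            if service_match(service, pkt):
                return action
        return self.default_action

    def outbound(self, pkt):
        """Packet as it leaves mgt0 toward the default gateway, or None if dropped."""
        action = self.decide(pkt)
        if action == "Deny":
            return None
        if action == "Permit":
            return pkt                        # forwarded as-is; DHCP cannot be NATed
        nat_port = next(self._ports)          # action == "NAT": rewrite the source
        self.sessions[(MGT0_IP, nat_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(MGT0_IP, nat_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Reverse-translate a reply arriving at mgt0; None if no matching session."""
        orig = self.sessions.get((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if orig is None:
            return None                       # unsolicited traffic is dropped
        return Packet(pkt.src_ip, pkt.src_port, orig[0], orig[1], pkt.proto)
```

Swapping the two rules makes the DHCP request hit the NAT rule, which is exactly the misconfiguration the note in step 5 warns about.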
Supplemental Courseware/Scratch Pad
362
AD Troubleshooting Using HiveAP CLI
363
LAB: Verify HiveAP Admin Account
exec aaa ldap-search username hiveapadmin
Exec-Program output:
Search user 'hiveapadmin' in basedn 'CN=Users,DC=ahdemo,DC=local' successful
364
LAB: Verify Wireless User Accounts
exec aaa ldap-search username user
Exec-Program output:
Search user 'user' in basedn 'CN=Userss,DC=ahdemo,DC=local' failed
In this case there was a typo in the DN; note the extra s in Userss.

exec aaa ldap-search username user
Exec-Program output:
Search user 'user' in basedn 'CN=Users,DC=ahdemo,DC=local' successful
365
LAB: Verify NTLM Authentication with Wireless User Account
exec aaa ntlm-auth username user2 password Aerohive1
2009-04-16 11:37:53 info admin:<exec aaa ntlm-auth username user2 password *** >
2009-04-16 11:37:53 debug samba-tools: Kerberos session setup successful
Exec-Program output:NT_STATUS_OK: Success (0x0)
366
367
SSL Negotiation Fails: Invalid CA Cert
This is an example that fails because the certificate was not installed or configured properly
368
Bridging Notes For HiveAPs
369
HiveAP Ethernet Interfaces in Bridge Mode
370
[Diagram: Corp LAN connected to HiveAPs over a 2.4 GHz or 5 GHz mesh; the SSIDs exist on the radio that is not used for mesh, either 2.4 GHz or 5 GHz]
One or both of the Ethernet ports can be in bridge mode with MAC learning. The HiveAP can learn 128 MAC addresses if an L2 switch is connected to the HiveAP eth0 or eth1 ports in bridge mode. You can also hard code the MAC addresses that are allowed on the port.
* If you connect a router to the bridge port, then all traffic to the HiveAP would come from the same MAC address, so in a sense we would support an unlimited number of wired clients. Wired clients show up in the active clients list as well in 3.5r1.
Loops are prevented, so a redundant configuration as shown above is permitted. No spanning tree is needed. An Ethernet interface in bridge mode can provide a captive web portal as well. Ethernet interfaces can also be in bridge-802.1Q mode to allow traffic from any VLAN to go through the HiveAP. You can limit which VLANs are permitted as well.
Revoking Private PSK Accounts
371
Revoking Private PSK Users
If a user leaves the company, or if their device is lost or stolen, you can revoke the user's key and de-authenticate any active client using that individual private PSK.
- Apply a filter to view your Private PSK users
- Go to Configuration > Advanced Configuration > Authentication > Local Users
- Check the box next to one or more users and click Remove
- Go to next slide
372
Update User Database to Revoke Private PSK Users
From Managed HiveAPs, select your HiveAP, then select Update... > Upload User Database
373
Update User Database to Revoke Private PSK Users
374
Click Delta Upload (Compare with running config)
If you click the link for the hostname of your HiveAP you can see the user commands that will be sent to the HiveAP
Click Upload
NOTE: Once a client is revoked, it can never be activated again; the user will need to obtain a new Private PSK
CLI on HiveAPs Can Be Used to Verify Revoked Users

AH-0045d0# show auth private-psk
Interface=wifi0.1; SSID=Class-PPSK-1; Protocol-suite=PSK-auto;
Total entries: 30
No.  User             Group           PMK  Valid
---- ---------------- --------------- ---- -----
1    01-corp0030      PPSK-Corp-01    e1d4 Yes
2    01-corp0029      PPSK-Corp-01    7a61 Yes
3    01-corp0028      PPSK-Corp-01    a975 Yes
...
24   01-corp0007      PPSK-Corp-01    4cf3 No
25   01-corp0006      PPSK-Corp-01    e7c7 Yes
26   01-corp0005      PPSK-Corp-01    8d07 Yes
27   01-corp0004      PPSK-Corp-01    1964 No
28   01-corp0003      PPSK-Corp-01    a4c5 Yes
29   01-corp0002      PPSK-Corp-01    70c5 Yes
30   01-corp0001      PPSK-Corp-01    c41b No
375
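Checking revocations by eye does not scale past a classroom, so here is an added example (not Aerohive code) that parses the show auth private-psk table, lists the users whose key shows Valid = No, flags a capture that is shorter than Total entries, and cross-checks the revoked users against an Active Clients list that you supply. The sample output is constructed from the table above; the active client list is an assumed input.

```python
# Added example (not Aerohive code): parse "show auth private-psk" output and
# list Private PSK users whose key is revoked (Valid = No).  The sample output
# is constructed from the table above; active_clients is an assumed input.
import re

ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+([0-9a-f]{4})\s+(Yes|No)\s*$")
TOTAL_RE = re.compile(r"Total entries:\s*(\d+)")

SAMPLE = """\
AH-0045d0# show auth private-psk
Interface=wifi0.1; SSID=Class-PPSK-1; Protocol-suite=PSK-auto;
Total entries: 30
No.  User             Group           PMK  Valid
---- ---------------- --------------- ---- -----
1    01-corp0030      PPSK-Corp-01    e1d4 Yes
2    01-corp0029      PPSK-Corp-01    7a61 Yes
24   01-corp0007      PPSK-Corp-01    4cf3 No
27   01-corp0004      PPSK-Corp-01    1964 No
30   01-corp0001      PPSK-Corp-01    c41b No
"""


def parse_private_psk(output):
    """Return (total_entries, {user: {"group", "pmk", "valid"}}) from CLI output."""
    total = None
    users = {}
    for line in output.splitlines():
        t = TOTAL_RE.search(line)
        if t:
            total = int(t.group(1))
            continue
        m = ROW_RE.match(line)       # header and separator lines do not match
        if m:
            _, user, group, pmk, valid = m.groups()
            users[user] = {"group": group, "pmk": pmk, "valid": valid == "Yes"}
    return total, users


def revoked_users(users):
    """Users whose Private PSK is no longer valid on this HiveAP."""
    return sorted(u for u, info in users.items() if not info["valid"])


def is_complete(total, users):
    """False when the captured output is truncated (fewer rows than Total entries)."""
    return total is not None and len(users) == total


def revoked_but_active(users, active_clients):
    """Revoked users still present in Active Clients; empty if de-authentication worked."""
    return sorted(set(revoked_users(users)) & set(active_clients))
```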
Revoked Private PSK Users Are Immediately De-Authenticated
To view the active clients, go to Clients > Active Clients. The revoked clients will no longer be active.
376
Wireless VPN Troubleshooting Commands
377
VPN CLI Commands: show vpn ipsec sa

02-A-038cc0# show vpn ipsec sa
SA(Security Association) information as following:
IPsec Security Association Information:
10.5.1.150 [4500] 1.1.1.2 [4500] tunnel-id: 9
    esp-udp mode=tunnel spi=101699633(0x060fd031) reqid=0(0x00000000)
    Encryption: aes-cbc
    Authentication: hmac-sha1
    seq=0x00000000 replay=4 flags=0x20000000 state=mature
    created: Sep 3 10:58:51 2010 current: Sep 3 11:13:25 2010
    diff: 874(s) hard: 3600(s) soft: 2880(s)
    last: Sep 3 10:58:51 2010 hard: 0(s) soft: 0(s)
    current: 141008(bytes) hard: 0(bytes) soft: 0(bytes)
    current: 668(pkts) hard: 0(pkts) soft: 0(pkts)
    failed: 0(pkts) replay: 0(pkts) replay window: 0(pkts)
    sadb_seq=1 pid=993 refcnt=0
1.1.1.2 [4500] 10.5.1.150 [4500] tunnel-id: 9
    esp-udp mode=tunnel spi=49616501(0x02f51675) reqid=0(0x00000000)
    Encryption: aes-cbc
    Authentication: hmac-sha1
    seq=0x00000000 replay=4 flags=0x20000000 state=mature
    created: Sep 3 10:58:51 2010 current: Sep 3 11:13:25 2010
    diff: 874(s) hard: 3600(s) soft: 2880(s)
    last: Sep 3 10:58:51 2010 hard: 0(s) soft: 0(s)
    current: 116016(bytes) hard: 0(bytes) soft: 0(bytes)
    current: 1065(pkts) hard: 0(pkts) soft: 0(pkts)
    failed: 0(pkts) replay: 0(pkts) replay window: 0(pkts)
    sadb_seq=0 pid=993 refcnt=0
378
VPN CLI Commands: show vpn ipsec-tunnel

02-A-038cc0# show vpn ipsec-tunnel
IPsec Tunnel Duration:
Source                   Destination              Created              Duration
------------------------ ------------------------ -------------------- ----------------------------------------
10.5.1.150[4500]         1.1.1.2[4500]            2010-09-03 10:58:51  0 days 0 hours 12 minutes 28 seconds

Total IPsec Tunnel Sessions: 1

Tunnel Statistic Information:
Src IP                   Dst IP                   Pkts       Bytes      Auth-Err   Other-Err  SPI        Remaining-Lifetime
------------------------ ------------------------ ---------- ---------- ---------- ---------- ---------- ------------------
10.5.1.150[4500]         1.1.1.2[4500]            605        130848     0          0          0x060fd031 2132(s) rekey
1.1.1.2[4500]            10.5.1.150[4500]         1027       112324     0          0          0x02f51675 2132(s) rekey
379
VPN CLI Commands: show amrp tunnel

02-A-038cc0# show amrp tunnel
Total 1 tunnels
DA - DNXP Access, DB - DNXP Backhaul
IA - INXP Access, IB - INXP Backhaul
VA - VPN Access, VB - VPN Backhaul
No.  Peer             Type  client  age       TTL
-------------------------------------------------------------------------------
1    10.8.1.2         VA    1       02:30:14

02-A-038cc0# show amrp tunnel 10.8.1.2
VPN access tunnel <tunnel0 -> 10.8.1.2>
    age: 02:32:34
    client count: 1
    state: ESTABLISHED
    state age: 02:32:33
    last echo request: 00:00:03 sec ago
    last echo reply: 00:00:03 sec ago
    heartbeat interval: 10 sec
    heartbeat fail retry: 10
    flag: 0x3
380
VPN CLI Commands: show vpn gre-tunnel

02-A-038cc0# show vpn gre-tunnel
Tunnel table:
T=Type; Z=Zone; PN=policy numbers;
Age Out=idle time of the tunnel since last receive packet
TXs=TX packets; TXE=TX errors; RXs=RX packets; RXE=RX errors;
Type: G=General route encapsulation; O=Other tunnel;
Zone: A=Access; B=Backhaul;
Total entries: 1
ID   T Z PN  Age Out  Src IP          Dst IP          TXs      TXE  RXs      RXE
---- - - --- -------- --------------- --------------- -------- ---- -------- ----
1    G A 1   109      10.8.1.20       10.8.1.2        36       0    23       0
381
VPN CLI Commands: show vpn ike event (Failure Event)

03-A-0377c0# show vpn ike event
2009-10-01 14:05:40:Peer failed phase 1 authentication (certificate problem?)(10.5.1.151[4500]->1.1.1.2[4500])
2009-10-01 14:06:30:Peer not responding(10.5.1.151[4500]->1.1.1.2[4500])
2009-10-01 14:06:30:Phase 1 deleted(10.5.1.151[4500]->1.1.1.2[4500])
2009-10-01 14:06:31:Peer failed phase 1 authentication (certificate problem?)(10.5.1.151[4500]->1.1.1.2[4500])

In this case, the root CA certificate was not pushed to the AP, so it cannot validate the VPN server.
382
VPN CLI Commands: show vpn ike event (Failure Resolution)

04-A-04c000# show vpn ike event
2010-09-03 17:48:39:Peer not responding(10.5.1.157[4500]->1.1.1.2[4500])
2010-09-03 17:48:39:Phase 1 deleted(10.5.1.157[4500]->1.1.1.2[4500])
2010-09-03 17:48:40:Peer failed phase 1 authentication (certificate problem?)(10.5.1.157[4500]->1.1.1.2[4500])

Originally the wrong root CA certificate was sent to the HiveAP. After updating the certificate by updating the configuration and typing clear vpn ike sa, the VPN processes are restarted, the negotiation succeeds, and the tunnel becomes established:

04-A-04c000# clear vpn ike sa
04-A-04c000# show vpn ike event
2010-09-03 17:58:50:Phase 1 deleted(10.5.1.150[4500]->1.1.1.2[4500])
2010-09-03 17:58:51:Phase 1 started(10.5.1.150[500]->1.1.1.2[500])
2010-09-03 17:58:51:Phase 1 established(10.5.1.150[4500]->1.1.1.2[4500])
2010-09-03 17:58:51:Xauth exchange start(10.5.1.150[4500]->1.1.1.2[4500])
2010-09-03 17:58:51:Xauth exchange passed(10.5.1.150[4500]->1.1.1.2[4500])
2010-09-03 17:58:51:Add security policy into kernel stack done(10.5.1.150[4500>1.1.1.2[4500])
2010-09-03 17:58:51:ISAKMP mode config done(10.5.1.150[4500]->1.1.1.2[4500])
2010-09-03 17:58:51:Phase 2 started(10.5.1.150[4500]->1.1.1.2[4500])
2010-09-03 17:58:51:Phase 2 established(10.5.1.150[4500]->1.1.1.2[4500])
383
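To turn the two IKE event listings above (the certificate failure and the recovery after clear vpn ike sa) into a quick diagnosis, here is an added example (not Aerohive code) that parses show vpn ike event lines, replays them into a tunnel state, and reports whether the failure looks like a certificate problem or an unreachable peer. The line layout is taken from the output above; the sample logs are constructed from it, including one line that does not fit the layout and is skipped.

```python
# Added example (not Aerohive code): parse "show vpn ike event" lines and
# summarise the IKE negotiation so a cert problem is spotted immediately.
# Line layout "<date> <time>:<message>(<src>[port]-><dst>[port])" is taken from
# the output above; the sample logs are constructed from it.
import re

EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}):(?P<msg>.*?)"
    r"\((?P<src>[\d.]+)\[(?P<sport>\d+)\]->(?P<dst>[\d.]+)\[(?P<dport>\d+)\]\)$"
)

FAILURE_LOG = """\
2009-10-01 14:05:40:Peer failed phase 1 authentication (certificate problem?)(10.5.1.151[4500]->1.1.1.2[4500])
2009-10-01 14:06:30:Peer not responding(10.5.1.151[4500]->1.1.1.2[4500])
2009-10-01 14:06:30:Phase 1 deleted(10.5.1.151[4500]->1.1.1.2[4500])
2009-10-01 14:06:31:Peer failed phase 1 authentication (certificate problem?)(10.5.1.151[4500]->1.1.1.2[4500])
"""

SUCCESS_LOG = """\
2010-09-03 17:58:50:Phase 1 deleted(10.5.1.150[4500]->1.1.1.2[4500])
2010-09-03 17:58:51:Phase 1 started(10.5.1.150[500]->1.1.1.2[500])
2010-09-03 17:58:51:Phase 1 established(10.5.1.150[4500]->1.1.1.2[4500])
2010-09-03 17:58:51:Xauth exchange start(10.5.1.150[4500]->1.1.1.2[4500])
2010-09-03 17:58:51:Xauth exchange passed(10.5.1.150[4500]->1.1.1.2[4500])
2010-09-03 17:58:51:Add security policy into kernel stack done(10.5.1.150[4500>1.1.1.2[4500])
2010-09-03 17:58:51:ISAKMP mode config done(10.5.1.150[4500]->1.1.1.2[4500])
2010-09-03 17:58:51:Phase 2 started(10.5.1.150[4500]->1.1.1.2[4500])
2010-09-03 17:58:51:Phase 2 established(10.5.1.150[4500]->1.1.1.2[4500])
"""


def parse_events(text):
    """Return parsed events in order; lines that do not fit the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def diagnose(events):
    """Replay the events and report tunnel state plus the likely cause of failure."""
    phase1 = phase2 = False
    cert_failures = not_responding = 0
    for ev in events:
        msg = ev["msg"]
        if msg.startswith("Phase 1 established"):
            phase1 = True
        elif msg.startswith("Phase 2 established"):
            phase2 = True
        elif msg.startswith("Phase 1 deleted"):
            phase1 = phase2 = False            # tear-down resets the negotiation
        elif "failed phase 1 authentication" in msg:
            cert_failures += 1                 # AP could not validate the VPN server
        elif msg.startswith("Peer not responding"):
            not_responding += 1
    state = "ESTABLISHED" if phase1 and phase2 else "DOWN"
    hint = None
    if state == "DOWN" and cert_failures:
        hint = "check the root CA certificate pushed to the AP"
    elif state == "DOWN" and not_responding:
        hint = "peer unreachable on UDP 500/4500"
    return {"state": state, "cert_failures": cert_failures,
            "not_responding": not_responding, "hint": hint}
```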
Use Client Monitor to View Connection Status
From Monitor > Active Clients > Operations > Client Monitor, add the MAC address of a client to monitor its connection status
384