2008 Confidential 2010 Advanced WLAN Configuration Version 3.5r1 1

Page 1:

Advanced WLAN Configuration, Version 3.5r1

Page 2:

Copyright Notice

Copyright © 2010 Aerohive Networks, Inc. All rights reserved.

Aerohive Networks, the Aerohive Networks logo, HiveOS, HiveAP, HiveManager, and GuestManager are trademarks of Aerohive Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies.

Page 3:

Getting Started

Page 4:

Lab: Get Connected, Step 1: Connect to the class WLAN

Please connect to the SSID: Class-Guest
Network Key: aerohive123
You should get an IP address in the 10.5.1.0/24 subnet

[Diagram: classroom WLAN. Connect to SSID Class-Guest, security WPA/WPA2 Personal (PSK), network key aerohive123. Guest clients are placed on VLAN 1 under WLAN policy WLAN-Classroom; the AP's Mgt0 IP is 10.5.1.N/24 on VLAN 1. A connected client gets IP 10.5.1.N/24 with gateway 10.5.1.1; the instructor PC and the Internet uplink sit on the same network.]

Page 5:

Lab: Get Connected, Step 2: Get the class files from the instructor

From your PC, open a web browser and enter the URL ftp://ftp:aerohive@<IP address> (ask the instructor for the IP address)
– Username: ftp
– Password: aerohive
(FTP carries these credentials in cleartext; they are classroom-only.)

You will find:
– Courseware (pptx files). If you do not have MS Office 2003 or later, download a PPTX viewer from Microsoft
– Topology map jpg images, used for the planning tool and topology map lab
– TightVNC. Please install the Viewer only; it is used to connect to a hosted PC
– User files for Private PSK in CSV format, for the Private PSK lab
– PuTTY SSH client (if you do not already have an SSH client). SSHv2 is used to reach the console server, which gives access to the CLI of your AP

Page 6:

Lab: Get Connected, Step 3: Connect to the hosted HiveManager

Securely browse to HiveManager: https://training-hm1.aerohive.com or https://72.20.106.120

Supported browsers: Firefox, Internet Explorer, Chrome

Default login credentials:
– Login: adminX, where X = your Student ID (2 to 15)
– Password: aerohive123

Page 7:

Lab: Get Connected, Step 4: Certificate error, continue to the website

If prompted, accept the certificate permanently, add a security exception, or continue to the website. The hosted HiveManager presents a certificate your browser does not trust, which is why the warning appears; in the classroom that is expected.

Note (do not perform this operation in the classroom): in your own company you can install your own HiveManager certificate so that administrators are not trained to click through this warning. A certificate issued by a CA your browsers already trust avoids the warning; a self-signed one does not. Go to Home > Administration > HiveManager Services:
– Check Update HTTPS Certificate
– Generate a self-signed certificate or import a third-party certificate
– Click Update

Page 8:

Lab: Get Connected, Step 5: Accept the End User License Agreement

Click Agree to accept the End User License Agreement

Page 9:

Lab: Get Connected, Step 6: The dashboard appears

From the dashboard you can get a summary of your WLAN. The dashboard is customizable and is covered in more detail later in this course.

[Screenshot callouts: click the blue bar and drag to move a widget to a new location on screen; select which widgets to see; click to hide the left menu bar.]

Page 10:

HiveManager Help

HiveManager provides rich online help. Click Help on the top menu bar to get a menu of the help options. There is a help box on the right side of the guided configuration, and a link to Help also exists in the Start Here screen.

Page 11:

Help System in HiveManager

If you click Help in the upper right-hand corner of HiveManager, the menu offers:
– HiveManager Help: context-sensitive help based on where you are when you select this option
– Settings: lets you specify a path to host the online help web pages locally on your network
– Videos and Guides: links to all Aerohive documentation and computer-based training modules; you can also download the web-based help system from here
– Check for Updates: checks for Aerohive's latest code
– About HiveManager

[Screenshot callouts for the Videos and Guides page: web-based help files; deployment, quickstart and mounting guides; CLI reference guides; online training.]

Page 12:

Help: Context Sensitive

Context-sensitive help can be viewed from any configuration window.

By default your PC must be connected to the Internet to view the help files, unless you have downloaded them and host them on your own web server.

Page 13:

Help: Navigation

[Screenshot callouts: Global Search; click here to go to the home page; Search on Current Page.]

Page 14:

Help: Global Search

You can enter multiple words for a global search, then click the relevant section. The help is automatically expanded where the search strings are found, and each word in the list is highlighted in a different color.

Page 15:

Help: Search For Words Within Pages

Search for an exact word or phrase match within a page. This is a complete-word match, not a partial-word match.

[Screenshot callouts: enter a word here to highlight it on the page; adds or removes highlighting.]

Page 16:

Help: Files Location

Help files are referenced from the Internet. If Internet access is not available where you manage your HiveManager, download the web-based help files from the Videos & Guides section of the help menu and store them on your own local web server. Then specify the path to your hosted web pages and click Update.

[Screenshot callout: here you can specify a path to locally hosted help files.]

Page 17:

Creating a WLAN Policy and Managing HiveAPs

Getting Started

Page 18:

Connect To HiveManager (in case you walked in late!)

Securely browse to HiveManager: https://training-hm1.aerohive.com or https://70.20.106.120

Supported browsers: Firefox, Internet Explorer

Default login credentials:
– Login: adminX, where X = your Student ID (2 to 15)
– Password: aerohive123

Page 19:

Access Your Hosted HiveAP-A (X-A-######)

Use PuTTY or your favorite SSH tool to SSH to training-console.aerohive.com
– Ports 7002 through 7015

Note: Student IDs are 2 through 15, so the SSH port number corresponds to the student ID: 7002 through 7015.

You will first see the terminal server login; just press Enter:
Login as: <Enter>
X-A-001122 login: admin
Password: aerohive123

Note: For Mac OS X or Linux use: ssh -l admin training-console.aerohive.com -p 700X

Page 20:

Access Your Hosted HiveAP-B (X-B-######)

Use PuTTY or your favorite SSH tool to SSH to training-console.aerohive.com
– Ports 7022 through 7035

Note: Student IDs are 2 through 15, so the SSH port number corresponds to the student ID: 7022 through 7035.

You will first see the terminal server login; just press Enter:
Login as: <Enter>
X-B-###### login: admin
Password: aerohive123

Note: For Mac OS X or Linux use: ssh -l admin training-console.aerohive.com -p 702X (the port range for HiveAP-B, not the 700X range used for HiveAP-A)

Page 21:

Set HiveManager Time Settings

Essential when generating certificates, using Private PSK, Wireless VPN, User Manager, time-based authentication, and schedules. Certificate validity periods, Private PSK validity windows, and schedules are all evaluated against the system clock, so a wrong time produces certificates that appear not yet valid or already expired.

Page 22:

Set the Time and Time Zone (Instructor Only)

Go to Home > Administration > HiveManager Settings. For System Date/Time, click Settings.

Page 23:

Set the Time and Time Zone (Instructor Only)

Time Zone: <time zone of the HiveManager>. Set the date/time manually or synchronize with an NTP server. Click to save and update.

Note: The HiveManager services will be restarted. After a minute, you can log back into HiveManager.

Page 24:

Quick Start

Aerohive Base WLAN Policy Creation

Page 25:

Lab: Create Base WLAN Policy, Step 1: Add a new WLAN policy

Go to Configuration > Guided Configuration > WLAN Policies

Click New

Enter a WLAN Policy Name: WLAN-X

Go to the next slide

Page 26:

Lab: Create Base WLAN Policy, Step 2: Create a new Hive

Click + to create a new Hive
– Hive: Hive-X
– Modify Encryption Protection: select Automatically generate Password

Save your Hive

Page 27:

Lab: Create Base WLAN Policy, Step 3: Create an SSID

In the WLAN Policy, under SSID Profiles, click Add/Remove SSID Profile

Click + to create a new SSID Profile

Go to the next slide

Page 28:

Lab: Create Base WLAN Policy, Step 4: Configure the SSID

SSID Profile
– Profile Name: Class-PSK-X
– SSID: Class-PSK-X
Note: The profile name typically matches the SSID unless you want different settings for the same SSID in different locations.

SSID Access Security
– Select: WPA/WPA2 PSK (Personal)
– Use Default WPA/WPA2 PSK Settings
– Key Value: aerohive123
– Confirm Value: aerohive123
Note: The classroom key is deliberately simple. On a production network use a long, random passphrase: a WPA/WPA2 PSK can be attacked offline from a single captured four-way handshake, so a short dictionary-style key is quickly recovered.

User Profile for Traffic Mgmt
– Click + to create a new user profile

IMPORTANT: For the SSID labs, please follow the class naming convention. SSIDs are broadcast over the air, so we do not want people to accidentally connect.

Page 29:

Lab: Create Base WLAN Policy, Step 5: Create a User Profile for Employees

SSID/User Profile
– Name: Employee(10)-X
– Attribute Number: 10
– Default VLAN: 1
– Click Apply

Ensure your user profile is selected, then click Save to save the SSID

Page 30:

Lab: Create Base WLAN Policy, Step 6: Add the SSID to the WLAN Policy

In the WLAN Policy, under SSID Profiles, select your SSID Class-PSK-X from the Available SSID Profiles list and use the right arrow button '>' to move it to the Selected SSID Profiles list

Click Apply (really, make sure you click Apply)

Do not save the WLAN policy yet; go to the next slide

Note: The WLAN policy must be assigned to one or more HiveAPs for it to take effect

Page 31:

Lab: Create Base WLAN Policy, Step 7: Create an NTP Server object

The NTP Server object sets the time zone and NTP server for the HiveAPs. This matters for any service that depends on time, such as VPN and RADIUS (both validate certificates against the clock), schedules, and Private PSK validity periods.

From your WLAN policy, under Optional Settings, expand Management Server Settings

Next to NTP Server, click +

Page 32:

Lab: Create Base WLAN Policy, Step 8: Configure NTP Server Settings

– Name: Time-X
– Time Zone: <use the time zone for the location of the class>
– Uncheck Sync clock with HiveManager
– NTP Server: pool.ntp.org
– Click Apply (did you click Apply?)
– Click Save

Page 33:

Lab: Create Base WLAN Policy, Step 9: Save your WLAN Policy

Back in your WLAN policy, ensure the NTP server is set to Time-X, then click Save

Page 34:

Lab: Create Base WLAN Policy, Step 10: Verify Your WLAN Policy

After saving your WLAN policy, you can review the settings by looking at the columns for your WLAN policy:
• Hive
• SSID Profiles

When done, click Monitor to go to the list of HiveAPs

Go to the next slide

Page 35:

Provision HiveAPs With Base WLAN Policy

Page 36:

Wireless VPN Lab: Network IP Summary

WLAN Branch Office (HiveAP VPN clients)
– VPN client: X-A-HiveAP, IP 10.5.1.? (? = address learned through DHCP), gateway 10.5.1.1
– Branch firewall (NAT): public address 2.2.2.2

WLAN HQ (HiveAP VPN servers)
– VPN server: X-B-HiveAP, MGT0 IP 10.8.1.X/24, gateway 10.8.1.1
– HQ firewall NAT rule: 1.1.1.X maps to 10.8.1.X
– RADIUS server: 10.8.1.200
– DHCP server on VLAN 20: network 10.8.20.0/24, pool 10.8.20.150 to 10.8.20.200, gateway 10.8.20.1
– Client PC behind the VPN: 10.8.20.?/24, gateway 10.8.20.1

Tunnels
– Layer 3 IPsec VPN tunnel, outer IP headers: client 10.5.1.? (NATed to 2.2.2.2) to server 1.1.1.X (1.1.1.2 in the diagram)
– Layer 2 GRE tunnel carried inside IPsec, IP headers: client Tunnel0 10.8.1.X0 to server 10.8.1.X
– VPN client tunnel address pool, AP VPN 1: 10.8.1.X0 to 10.8.1.X9

Page 37:

Configure Your HiveAP-A (X-A-######)

Page 38:

Lab: Provision Two HiveAPs, Step 1: Modify your HiveAP-A

Click the Config radio button near the top of the screen to see the configuration view

Note that the HiveAPs are set to the default WLAN policy and Hive

Select the check box next to your HiveAP X-A-###### and click Modify

Page 39:

Lab: Provision Two HiveAPs, Step 2: Modify settings for your HiveAP-A

Configure the HiveAP settings and WLAN Policy:
– Location: <First-name_Last-name>
– WLAN Policy: WLAN-X
– Topology Map: ..Classroom
– Select: Use both radios for client access
– 2.4GHz (wifi0) Power: 1
– 5GHz (wifi1) Power: 1
– Click Save

Note: Because the APs are stacked on top of each other in a hosted rack and are connected via coax to the hosted PCs, please set the power level to 1. In a real deployment you can leave the power set to auto and ACSP will determine the appropriate power setting.

Page 40:

Configure Your HiveAP-B (X-B-######)

Page 41:

Lab: Provision Two HiveAPs, Step 3: Select and Modify your HiveAP-B

Verify the settings for your X-B-HiveAP by looking at the columns

Select the check box next to your HiveAP X-B-###### and click Modify

Page 42:

Lab: Provision Two HiveAPs, Step 4: Modify Settings for Your HiveAP-B

– Location: <First-name_Last-name>
– WLAN Policy: WLAN-X (assigning your HiveAP to a WLAN policy is how the HiveAP inherits the majority of its configuration settings)
– Topology Map: ..Classroom
– Select: Use both radios for client access

Do not save; go to the next slide

Page 43:

Lab: Provision Two HiveAPs, Step 5: Set Power and Static IP Address for HiveAP-B

– 2.4GHz (wifi0) Power: 1
– 5GHz (wifi1) Power: 1

This HiveAP will be a VPN server, so you will need to give it a static IP address. Under [Optional Settings], expand Interface and Network Settings:
– Uncheck DHCP Client Enabled
– IP: 10.8.1.X
– Mask: 255.255.255.0
– Gateway: 10.8.1.1

Click Save, then go to the next slide

Page 44:

Lab: Provision Two HiveAPs, Step 6: View configuration and monitor status

Verify the settings for your X-B-HiveAP by looking at the columns. You can click the Monitor view to see that the HiveAPs and HiveManager are not in sync; the green square and red triangle icon shows that.

You can click the Host Name column header to sort the HiveAPs by hostname

Page 45:

For Your Information (Outside the US): Set the Country Code for World Mode HiveAPs

Note: Please do not perform this in class unless told to do so by your instructor!

Updating the country code on a HiveAP configures the radios to meet the government requirements of that country

You can update the country code by going to Monitor > Access Points > New HiveAPs:
– Select all the HiveAPs
– Click Update... > Update Country Code
– Select the appropriate country code
– Click Upload

Page 46:

Lab: Provision Two HiveAPs, Step 7: Update the Configuration on Your HiveAPs

Select the check box next to your two HiveAPs, then click Update > Upload and Activate Configuration

Page 47:

Lab: Provision Two HiveAPs, Step 8: Set the activation time before uploading

Go to Configuration > Guided Configuration

Click Settings and change the activation time to: Activate after [ 5 ] seconds
– This is because mesh is not being used, so you do not have to worry about cutting off connectivity to a mesh HiveAP

Click the Save icon; these settings will remain for all subsequent uploads

Do not save anything else; go to the next slide

Page 48:

Lab: Provision Two HiveAPs, Step 9: Update the Configuration on Your HiveAPs

You can view the configuration that will be sent to the HiveAP if that interests you:
– Right-click the hostname of the HiveAP
– Select View Configuration
– After reviewing, close the configuration window by clicking the [x]

Click Upload to update the configuration on your HiveAPs

Go to the next slide

Page 49:

Lab: Provision Two HiveAPs, Step 10: View the HiveAP Update Results

You will be taken to the results page, where you can view the status of your update

If you leave this screen, you can go back by going to Monitor > Access Points > HiveAP Update Results

Page 50:

Lab: Provision Two HiveAPs, Step 11: Monitor HiveAP Status

Go to Monitor > Access Points > HiveAPs. Your HiveAP will have moved from the New HiveAPs list to the Managed HiveAPs list. When the Audit column icon turns to two green squares and the Uptime changes back from 0, the first update is complete.

Note: You can expand or collapse the New HiveAPs list by clicking the control shown in the screenshot

Page 51:

Test Access to SSID Used In Base WLAN Policy

Page 52:

Test Base WLAN Policy

SSID settings under test:
– SSID: Class-PSK-X
– Authentication: WPA or WPA2 Personal
– Encryption: TKIP or AES
– Preshared Key: aerohive123
– User Profile 1: Employee(10)-X
– Attribute: 10
– VLAN: 1
– IP Firewall: None
– QoS: def-user-qos

Note: "TKIP or AES" lets a client negotiate TKIP, which is deprecated; outside the classroom, offer AES (CCMP) only.

[Diagram: the hosted PC and the Student-X HiveAP (VLANs 1-20, Mgt0 IP 10.5.1.N/24 on VLAN 1, WLAN policy WLAN-X) connect to the internal network, which holds the AD server 10.5.1.10 and the Internet uplink. DHCP settings for VLAN 1: network 10.5.1.0/24, pool 10.5.1.140 to 10.5.1.240. The client connects to SSID Class-PSK-X and gets IP 10.5.1.N/24 with gateway 10.5.1.1.]

Page 53:

Access Your Hosted Client PC Using the Web Client (PC, Mac, or Linux)

Browse to http://training-pcX.aerohive.com:5800

Click Options:
– Specify Encoding: Tight
– Click Close

VNC Authentication:
– Password: aerohive
– Click OK

Page 54:

Access Your Hosted Client PC Using the TightVNC Application

If you are using a Windows PC and you do not have Java installed, you can install the TightVNC client application
– TightVNC has good compression, so please use TightVNC for class instead of any other application

Start TightVNC:
– VNC Host: training-pcX.aerohive.com
– Click Connect
– Password: aerohive

Page 55:

If You Are Not Logged In: Log In to the Hosted PC

Click the button to send a Control-Alt-Delete

Login: user
Password: Aerohive1

Page 56:

Lab: Test Base WLAN Policy, Step 1: Connect to the Class-PSK-X SSID

From the hosted PC:
– Double-click the wireless connection icon at the bottom right of the task bar
– Connect to your SSID: Class-PSK-X
– Passphrase/Network Key: aerohive123
– Click Connect

Page 57:

Lab: Test Base WLAN Policy, Step 2: View the Active Clients List

After associating with your SSID, you should see your connection in the active clients list in HiveManager
– Go to Monitor > Clients > Active Clients

Your IP address should be from the 10.5.1.0/24 network

To change the layout of the columns in the Active Clients list, click the icon with a pencil in it

[Screenshot callout: click here to modify the displayed columns.]

Page 58:

Lab: Test Base WLAN Policy, Step 3: Modify Columns in the Active Clients List

For this class, add the User Profile Attribute, VLAN and BSSID columns

Move them to right after Channel in the Select Columns list

Click Save

You should now see:
– BSSID: <MAC address>
– User Profile Attribute: 10
– VLAN: 1

Page 59:

Using RADIUS for Authentication

Create an SSID Using WPA/WPA2 Enterprise (802.1X)

Page 60:

LAB: Secure WLAN Access Test With 802.1X, Diagram

[Diagram: the hosted PC and the Student-X HiveAP (VLANs 1-20, Mgt0 IP 10.5.1.N/24 on VLAN 1, WLAN policy WLAN-X) connect to the internal network, which holds the AD (IAS RADIUS) server 10.5.1.10 and the Internet uplink. DHCP settings: VLAN 1, network 10.5.1.0/24, pool 10.5.1.140 to 10.5.1.240; VLAN 10, network 10.5.10.0/24, pool 10.5.10.140 to 10.5.10.240. The client connects to SSID Class-802.1X-X and gets IP 10.5.10.N/24 with gateway 10.5.10.1.]

SSID settings under test:
– SSID: Class-802.1X-X
– Authentication: WPA or WPA2 Enterprise (802.1X); the source diagram reads "Personal", which does not match the 802.1X SSID configured in this lab
– Encryption: TKIP or AES

User Profile 1: Employee(10)-X
– Attribute: 10 (RADIUS attribute returned)
– VLAN: 1
– IP FW From Access: FromClient-X
– IP FW To Access: (Default Deny)

User Profile 2: Employee-Default
– Attribute: 1000 (no RADIUS attribute returned)
– VLAN: 10
– IP FW From Access: Employee-Default
– IP FW To Access: (Default Deny)

Page 61:

On the Local RADIUS Server: Configuring RADIUS Clients

For HiveAPs that are not VPN clients, set the RADIUS server to accept RADIUS messages from the MGT0 interface IP of every HiveAP. This class uses the whole subnet: 10.5.1.0/24

Note: A subnet-wide client entry means any host in that subnet that knows the shared secret can send RADIUS requests; where practical, add each HiveAP's MGT0 address as its own client instead.

Click Next

Page 62:

On the Local RADIUS Server: Configuring RADIUS Clients

Set the shared secret to secure the communication between the HiveAPs and the RADIUS server. This class uses: aerohive123

Note: For a real network, please use a longer, random secret; the shared secret is all that authenticates the HiveAPs to the RADIUS server and protects the password attributes in the exchange, so a short guessable value undermines the whole 802.1X deployment.

Page 63:

LAB: Secure WLAN Access With 802.1X, Step 1: Edit your WLAN Policy and Add an SSID Profile

An 802.1X-capable SSID and its related settings are configured from your WLAN Policy

Go to Configuration > WLAN Policies

Edit WLAN-X. Under SSID Profiles, click Add/Remove SSID Profile, then create a new SSID Profile:
– Click +

Go to the next slide

Page 64:

LAB: Secure WLAN Access With 802.1X, Step 2: Configure the SSID and RADIUS Server

– Profile Name: Class-802.1X-X
– SSID: Class-802.1X-X
– SSID Access Security: select WPA/WPA2 802.1X (Enterprise)

Next to RADIUS Server, click +

Go to the next slide

Page 65:

LAB: Secure WLAN Access With 802.1X, Step 3: Configure the RADIUS Server

Define the RADIUS Server settings. Click the radio button for External RADIUS Server:
– Profile Name: RADIUS-X
– Primary RADIUS Server: 10.5.1.10
– Shared Secret: aerohive123
– Confirm Secret: aerohive123
– Click Apply

Go to the next slide

Page 66:

LAB: Secure WLAN Access With 802.1X, Step 4: Configure the SSID with RADIUS and User Profiles

Back in your SSID configuration, make sure your RADIUS server is selected: RADIUS-X

Specify the user profile assigned if no attribute is returned from RADIUS after successful authentication: Employees(1000)
Note: This user profile was created by the instructor

Specify the user profiles assigned via attributes returned from RADIUS after successful authentication: Employee(10)-X

Save your SSID, then go to the next slide

Page 67:

LAB: Secure WLAN Access With 802.1X, Step 5: Remove the Existing SSID and Add the New SSID

To clean up the air in the data center, remove all other SSID profiles from the Selected SSID Profiles list using the << button
– You should have no SSID Profiles listed under the Selected SSID Profiles list

From the Available SSID Profiles, select Class-802.1X-X and use the > button to move it to the Selected SSID Profiles list

Click Apply (please, please, please click Apply!)

Go to the next slide

Page 68:

LAB: Secure WLAN Access With 802.1X, Step 6: Verify the Configuration and Save the WLAN Policy

Verify that your 802.1X SSID is listed under the SSID profiles and that your SSID is mapped to two different user profiles: Employees(1000) and Employee(10)-X

Save your WLAN Policy

From the WLAN policy summary you can verify that your SSID Class-802.1X-X is assigned to your WLAN Policy

Page 69:

LAB: Secure WLAN Access With 802.1X, Step 7: Update the delta configuration of your HiveAPs

From Monitor > HiveAPs, select both of your HiveAPs: X-A-HiveAP and X-B-HiveAP

Select Update... > Upload and Activate Configuration

If you want to see the delta configuration, click the link for your HiveAP
– Close the View Configuration window after viewing the delta configuration changes

Click Upload

[Screenshot callout: click the HiveAP link to view the delta configuration.]

Page 70:

Configuring and Testing Your 802.1X Supplicant

For Microsoft XP and Vista Supplicants

Page 71:

Connect to the 802.1X SSID (First Attempt Will Fail)

On the remote hosted PC, from the Microsoft wireless client:
– Click Class-802.1X-X
– Click Connect

Note: The connection will fail because Windows XP defaults to Smart Card or other Certificate (EAP-TLS) instead of PEAP. However, the SSID entry will be created, so all you have to do is modify it.

Click Change Advanced Settings

Page 72:

Microsoft Wireless Network Client: 802.1X Supplicant Configuration

View your wireless connections, then click Change advanced settings

In the Wireless network properties window:
– Change EAP Type to: Protected EAP (PEAP)
– Click OK

Note: In the PEAP properties, keep server certificate validation enabled and trust only the CA that issued the RADIUS server's certificate. A supplicant that does not validate the server certificate will complete the inner authentication with any access point that advertises the same SSID, handing its credentials to whoever runs it.

Page 73:

SSID Should Now Be Connected

Your client will automatically connect to the Class-802.1X-X SSID

Page 74:

View Active Clients

After associating with your SSID, you should see your connection in the active clients list in HiveManager
– Go to Monitor > Clients > Active Clients

You should see:
– User Name: AHDEMO\user
– BSSID: <the MAC address for your AP's SSID>
– VLAN: 1
– User Profile Attribute: 10

Page 75:

Example: Troubleshooting an Invalid User Profile Returned From RADIUS

From Monitor > Access Points > HiveAPs (Monitor view), if you see an alarm when trying to perform 802.1X, click the alarm icon

This alarm specifies that the RADIUS server returned a user profile attribute that is not defined on the HiveAP, in this case 50

Select the check box next to the alarm and then click Clear

Note: Clearing the alarm only removes the notification. The client is still not placed in the intended profile until either a user profile with that attribute is added to the SSID or the RADIUS policy is corrected to return an attribute the SSID defines.

Page 76:

Generate HiveAP RADIUS Server Certificates

Required when HiveAPs are configured as RADIUS servers or VPN servers

Page 77:

LAB: Generate a Root CA Certificate for HiveManager (Instructor Only)

Go to Configuration > Advanced Configuration > Keys and Certificates > HiveManager CA

Fill in the requested information and choose a secure password, then click Create

Remember this password. It protects the CA private key, and anyone holding that key can issue certificates that every HiveAP and supplicant trusting this CA will accept.

Page 78:

HiveManager Root CA Certificate: Location and Uses

To view certificates, go to Configuration > Advanced Configuration > Keys and Certificates > Certificate Mgmt

This root CA certificate is used to:
– Sign the CSR (certificate signing request) that HiveManager creates on behalf of the AP acting as a RADIUS or VPN server
– Validate HiveAP certificates to remote clients: 802.1X clients (supplicants) need a copy of the CA certificate in order to trust the certificates on the HiveAP RADIUS server(s)

Root CA cert name: AerohiveHMCA.pem
Root CA key name: hm_key.pem

Page 79:

LAB: HiveAP Server Certificate and Key, Step 1: Generate the HiveAP Server Certificate

Go to Configuration > Advanced Configuration > Keys and Certificates > Server CSR
– Common Name: HiveAP-Server-X (Note: this is usually the FQDN of the HiveAP)
– Organizational Name: Company
– Organization Unit: Department
– Locality Name: City
– State/Province: <2 characters>
– Country Code: <2 characters>
– Email Address: <email address>
– Subject Alternative Name: <leave empty>
Note: The Subject Alternative Name is used if you want to generate unique certificates for each HiveAP VPN server and have the HiveAP VPN clients validate one of these fields. See the notes below the slide.
– Key Size: 1024 (classroom value; for production use 2048 bits or more, since 1024-bit RSA keys are no longer considered adequate)
– Password & Confirm: aerohive123
– CSR File Name: HiveAP-X
– Click Create

Remember the password

Page 80:

LAB: HiveAP Server Certificate and Key 2. Sign and Combine!

Select Sign by HiveManager CA
– The HiveManager CA will sign the HiveAP Server certificate

The validity period should be the same as or less than the number of days the HiveManager CA certificate is valid

– Validity: 1826 (5 years + leap day)
Check Combine key and certificate into one file
Click OK


Enabling this setting helps prevent certificate and key mismatches when configuring the RADIUS settings
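As an added example (not HiveManager's code), the certificate workflow of slides 77 to 81 in Python with the `cryptography` package: a self-signed root CA, a server CSR with the lab's subject fields, signing that refuses a validity longer than the CA's, the combined key-and-certificate PEM, and the checks an 802.1X supplicant makes against it. Assumptions: `cryptography` is installed, 2048-bit keys stand in for the lab's 1024-bit setting, and the country value is constructed.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

SERVER_VALIDITY_DAYS = 1826      # 5 years + leap day, as entered in the lab
KEY_PASSWORD = b"aerohive123"    # the lab's placeholder key password


def days_from_now(n):
    return datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=n)


def _validity_utc(cert):
    """(not_before, not_after) as aware UTC datetimes, whatever the cryptography version."""
    if hasattr(cert, "not_valid_after_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    utc = datetime.timezone.utc
    return cert.not_valid_before.replace(tzinfo=utc), cert.not_valid_after.replace(tzinfo=utc)


def make_root_ca(common_name="AerohiveHMCA", days=3653):
    """Self-signed root CA: the role the HiveManager CA plays (slide 77)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(days_from_now(0)).not_valid_after(days_from_now(days))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def make_server_csr(common_name="HiveAP-Server-X"):
    """Server key plus CSR with the lab's subject fields (slide 79); country "US" is constructed."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Company"),
        x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Department"),
        x509.NameAttribute(NameOID.LOCALITY_NAME, "City"),
        x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
    ])
    csr = x509.CertificateSigningRequestBuilder().subject_name(subject).sign(key, hashes.SHA256())
    return key, csr


def sign_server_csr(ca_key, ca_cert, csr, days=SERVER_VALIDITY_DAYS):
    """Sign the CSR with the CA, refusing a validity that outlives the CA certificate (slide 80)."""
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not verify")
    not_after = days_from_now(days)
    if not_after > _validity_utc(ca_cert)[1]:
        raise ValueError("server validity must not exceed the CA certificate's validity")
    return (
        x509.CertificateBuilder()
        .subject_name(csr.subject).issuer_name(ca_cert.subject)
        .public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(days_from_now(0)).not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )


def combine_key_and_cert(server_key, server_cert, password=KEY_PASSWORD):
    """One PEM: password-protected key followed by the certificate (HiveAP-X_key_cert.pem)."""
    key_pem = server_key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.BestAvailableEncryption(password),
    )
    return key_pem + server_cert.public_bytes(serialization.Encoding.PEM)


def key_matches_cert(bundle, password=KEY_PASSWORD):
    """The key/certificate mismatch check that combining the two files is meant to make unnecessary."""
    idx = bundle.index(b"-----BEGIN CERTIFICATE-----")
    key = serialization.load_pem_private_key(bundle[:idx], password=password)
    cert = x509.load_pem_x509_certificate(bundle[idx:])
    return key.public_key().public_numbers() == cert.public_key().public_numbers()


def supplicant_trusts(ca_cert, server_cert, at=None):
    """What a supplicant holding the root CA checks before trusting the RADIUS server certificate.
    The time check is why slide 119 says to look at the HiveAP clock when phase 1 fails."""
    at = at or days_from_now(0)
    if server_cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(server_cert.signature, server_cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), server_cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    not_before, not_after = _validity_utc(server_cert)
    return not_before <= at <= not_after
```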

Page 81:

LAB: HiveAP Server Certificate and Key 3. View HiveAP Certificate and Key File

To view certificates, go to: Configuration > Advanced Configuration > Keys and Certificates > Certificate Mgmt

The certificate and key file name is: HiveAP-X_key_cert.pem

Page 82:

Wireless VPN: Using HiveAPs as IPsec VPN Clients and IPsec VPN Servers to Provide VPN Connections with Wireless LANs

Version 3.5r1

Page 83:

Wireless VPN Overview (For your reading pleasure)

Aerohive's Wireless VPN delivers a simple and cost-effective solution for mobile workers in remote locations such as branch offices, teleworker home offices, and conference centers to securely access corporate resources through a layer 2 IPsec VPN. Built upon Aerohive's cooperative control architecture, Aerohive's wireless VPN has the advantages of being implemented on a highly resilient architecture utilizing best path forwarding, policy enforcement at the edge with user-based QoS and firewall policy, and branch office services including DHCP and RADIUS, all centrally managed using HiveManager, Aerohive's WLAN management platform.

Aerohive's Wireless VPN solution allows workers in remote offices using wireless or Ethernet-connected laptops, desktops, and phones to directly access their corporate network through a secure layer 2 IPsec VPN. This gives workers access to resources as if they were physically attached to the corporate network, while still having direct access to local branch or home office devices, such as printers and file servers, that may or may not be corporate resources. This is made possible with best path forwarding, split tunneling, and NAT technology. To protect corporate resources, stations attached to the branch office that do not meet policy specifications for the VPN will not be able to access the corporate network or locally attached corporate devices.

Page 84:

Wireless VPN Benefits (For your reading pleasure)

Easy to Use
– L2 IPsec VPN solution simplifies deployment, because it extends the local network across the VPN without the need to dedicate subnets for each remote site and set up DHCP relays on branch routers or firewalls
– Automatic certificate creation and distribution for validating VPN devices
– Profile-based Split Tunneling
• Users and services can be bridged locally or tunneled based on user profile

Flexible
– Single mode of operation supports all deployments
– Supported in all HiveAP platforms, hardware acceleration in 300 series
– Multiple end point support
• Backup VPN gateway support
• Distributed Wireless VPN tunnel termination

Complete Functionality
– Multiple AP support with secure and fast roaming
– Mesh Portals and Mesh Points supported
– RADIUS, DHCP, NTLM, LDAP and NTP can selectively go to local or remote network
– Rogue AP and rogue client detection, DoS prevention, Firewall, and QoS all occur locally on the remote HiveAP

Economical
– No license fees for wireless VPN, or any of the other features on the HiveAPs
– For the cost of an AP, you get wireless VPN servers

Page 85:

[Diagram: Teleworker Home Office (please view notes below slide). Headquarters: HiveAP1 and HiveAP2 as VPN servers in the DMZ, DHCP server, Corporate Wi-Fi Devices VLAN 10 10.5.10.0/24, Corporate Wi-Fi Voice VLAN 11 10.5.11.0/24. Home office: HiveAP 5 as VPN client (192.168.1.2) behind the Internet provider gateway (192.168.1.1), with IPsec primary and backup VPN tunnels to headquarters across the Internet. Work laptop on SSID Corp gets 10.5.10.51 and work phone on SSID Voice gets 10.5.11.33 through the tunnel; home PC with printer (192.168.1.5) and home laptop on SSID Home (192.168.1.6) stay local.]

Page 86:

Branch Office VPN with Bridging

[Diagram: Headquarters: HiveAP1 and HiveAP2 as VPN servers in the DMZ, DHCP server, Corporate Wi-Fi Devices VLAN 10 10.5.10.0/24, Corporate Wi-Fi Voice VLAN 11 10.5.11.0/24. Branch office: HiveAP3 (192.168.1.5) and HiveAP4 (192.168.1.6) as VPN clients behind the gateway 192.168.1.1, with IPsec primary and backup VPN tunnels across the Internet; wired and wireless clients. Laptop on SSID Corp 10.5.10.12, phone 10.5.11.5, phone on SSID Voice 10.5.11.33, wired printer 10.5.10.11 and desktop 10.5.10.10 are bridged into the corporate VLANs; guest laptop on SSID Guest stays local at 192.168.1.50.]

Page 87:

Create VPN Services Policy

Page 88:

Wireless VPN Lab: Lab Network Diagram

Configure two HiveAPs:
– HiveAP-A will be a VPN client
– HiveAP-B will be a VPN server

HiveAP-A (VPN Client)
– Hostname: X-A-<6 digits of MAC>
– Hive: Hive-X
– Interface mgt0: 10.5.1.<DHCP>/24, VLAN 1
– Interface tunnel0: 10.8.1.X0
– WLAN Policy: WLAN-X

HiveAP-B (VPN Server)
– Hostname: X-B-<6 digits of MAC>
– Hive: Hive-X
– Interface mgt0: 10.8.1.X/24, VLAN 1
– VPN IP Pool: 10.8.1.X0 - 10.8.1.X9
– WLAN Policy: WLAN-X

Client: 10.5.1.<DHCP>

Firewalls: branch side 2.2.2.2 (NAPT policy: ANY -> 2.2.2.2), HQ side 1.1.1.1 (NAT policy: 1.1.1.X -> 10.8.1.X)

HQ servers: AD 10.8.1.200 (VLAN 1), WEB 10.8.20.150 (VLAN 20)

Page 89:

Wireless VPN Labs: Network IP Summary

WLAN Branch Office – HiveAP VPN Clients
– VPN Client X-A-HiveAP: 10.5.1.?/24 (? – address learned through DHCP)
– Gateway: 10.5.1.1
– FW (NAT): 2.2.2.2

WLAN HQ – HiveAP VPN Servers
– VPN Server X-B-HiveAP MGT0: 10.8.1.X/24
– Gateway: 10.8.1.1
– Firewall NAT rules: 1.1.1.X -> 10.8.1.X
– RADIUS: 10.8.1.200
– DHCP Server VLAN 20: Net 10.8.20.0/24, Pool 10.8.20.150 - 10.8.20.200, Gateway 10.8.20.1
– Client PC: 10.8.20.?/24, GW: 10.8.20.1

Layer 3 IPsec VPN tunnels – IP headers: (10.5.1.?) 2.2.2.2 <-> 1.1.1.2
Layer 2 GRE tunnels – IP headers: Tunnel0 10.8.1.X0 <-> 10.8.1.X
VPN client tunnel address pool, AP VPN 1: 10.8.1.X0 – 10.8.1.X9

Page 90:

LAB: Create VPN Services Policy 1. Create VPN Policy

Modify your WLAN Policy: Configuration > WLAN Policies > WLAN-X

| Optional Settings |

VPN Service Settings
– VPN Service: Click + to create a new VPN services policy

Go to Next Slide

Page 91:

LAB: Create VPN Services Policy 2. Define Name and IP Settings

Profile Name: VPN-X
Server Public IP: 1.1.1.X
Server MGT0 IP Address: 10.8.1.X
VPN Client Tunnel Interface Pool:

Note: It is recommended that the pool is in the same subnet as the MGT0 interface of HiveAP VPN server. This pool is used for GRE tunnel IP addresses on HiveAP VPN clients.

– Client Tunnel IP Address Pool Start: 10.8.1.X0

– Client Tunnel IP Address pool End: 10.8.1.X9

– Client Tunnel IP Address Netmask: 255.255.255.0

Go to Next Slide

Page 92:

LAB: Create VPN Services Policy 3. Assign VPN Certificates for VPN Server

IPsec VPN Certification Authority Settings:
– VPN Certificate Authority: AerohiveHMCA.pem
– VPN Certificate: HiveAP-X_key_cert.pem
– VPN Cert Private Key: HiveAP-X_key_cert.pem

Optional Settings
– VPN Client Credentials: These are VPN XAUTH credentials that get generated automatically. A unique credential gets created for each tunnel interface IP address in the tunnel interface address pool.
• Nothing needs to be done here

Go to Next Slide

Page 93:

LAB: Create VPN Services Policy: How XAUTH Credentials are Used

The default IKE peer authentication method for the wireless VPN is "hybrid"

In hybrid mode:
– The VPN server authenticates itself to the client with an RSA signature, which requires the server to have a server certificate, and the client must have the root CA certificate that signed the server certificate so it can validate the server

The server authenticates the client using XAuth
– HiveManager generates a set of credentials (random strings for username and password) for each HiveAP VPN client and HiveAP VPN server pair
– When the VPN client uses valid credentials to authenticate with the VPN server, the tunnel can be established
– If the credentials are removed from either the VPN client or VPN server, the tunnel cannot be established

Page 94:

LAB: Create VPN Services Policy 4. View Advanced Server Options

Expand Advanced Server Options

No changes are necessary for the following options

| IKE Phase 1 Options |

| IKE Phase 2 Options |

Enable peer IKE ID validation

Go to Next Slide

Page 95:

LAB: Create VPN Services Policy 5. Configure Advanced Client Options

Expand Advanced Client Options
– Set HiveAP VPN Client to use DNS Server through tunnel: 10.5.1.10

| Management Traffic Tunnel Options |
– Determine which traffic from the HiveAP to send through the tunnel
• SNMP Traps
• RADIUS
Note: Set these so that RADIUS messages and SNMP traps generated from the HiveAP VPN clients are sent through the VPN tunnel to the servers on the HQ network

| Client IKE Settings |
– Check Enable NAT traversal: adds a UDP header with port 4500 to the IPsec packets

Go to Next Slide

Page 96:

For Redundancy: Dead Peer Detection and AMRP Heartbeat Settings

Used for switching between HiveAP VPN Server 1 and HiveAP VPN Server 2 upon failure

– DPD verifies IKE Phase 1
• Send heartbeat every 10 seconds (by default)
• If you miss one heartbeat, send at the Retry Interval instead of at the normal Interval setting
• If you miss the number of retries specified, fail over to the backup VPN server

– AMRP verifies end to end through the GRE and VPN tunnel
• Send heartbeat every 10 seconds (by default)
• If you miss one heartbeat, send at 1-second intervals instead of at the normal Interval setting
• If you miss the number of retries specified, fail over to the backup VPN server

Default DPD failover time: ~16 seconds

Default AMRP failover time: ~21 seconds

Page 97:

LAB: Create VPN Services Policy 6. Save VPN Services Policy

Save the VPN Service Settings

Page 98:

LAB: Create VPN Services Policy 7. Modify SSID to Add New User VPN Policy

Back in your WLAN Policy, ensure your VPN Service Policy is set to VPN-X

Do not save your WLAN policy at this time

Go to the next slide

Page 99:

Configure 802.1X SSID for Wireless VPN Access

Page 100:

Wireless VPN Labs: Network IP Summary

WLAN Branch Office – HiveAP VPN Clients
– VPN Client X-A-HiveAP: 10.5.1.?/24 (? – address learned through DHCP)
– Tunnel Interface: 10.8.1.X0
– Gateway: 10.5.1.1
– FW (NAT): 2.2.2.2

WLAN HQ – HiveAP VPN Servers
– VPN Server X-B-HiveAP MGT0: 10.8.1.X/24
– Gateway: 10.8.1.1
– Firewall NAT rules: 1.1.1.X -> 10.8.1.X
– RADIUS: 10.8.1.200
– DHCP Server VLAN 20: Net 10.8.20.0/24, Pool 10.8.20.150 - 10.8.20.200, Gateway 10.8.20.1
– Client PC: 10.8.20.?/24, GW: 10.8.20.1

Layer 3 IPsec VPN tunnels – IP headers: (10.5.1.?) 2.2.2.2 <-> 1.1.1.X
Layer 2 GRE tunnels – IP headers: Tunnel0 10.8.1.X0 <-> 10.8.1.X9
VPN client tunnel address pool, AP VPN 1: 10.8.1.X0 – 10.8.1.X9

Page 101:

Tunnel Traffic Header Overview

[Diagram: branch office to corporate headquarters, read from the inside out.
– Layer 2 client data: wireless client (MAC 0022.22aa.aa22, VLAN 20, IP 10.8.20.50) to corporate server (MAC 0011.11bb.bb11, VLAN 20, IP 10.8.20.150); client traffic carries VLAN tag 20 in both directions.
– GRE tunnel: encapsulates the client Layer 2 traffic; IP headers Tunnel0 10.8.1.50 (HiveAP 1 VPN client) to MGT0 10.8.1.2 (HiveAP VPN server).
– IPsec (ESP) tunnel: encrypts the GRE and client traffic; IP headers from the VPN client MGT0 10.5.1.100 to the server's public IP 1.1.1.2, which the HQ firewall NATs to 10.8.1.2 (server MGT0 IP before NAT 1.1.1.2, after NAT 10.8.1.2).
– NAT traversal: UDP source and destination port 4500; the branch firewall NAPT policy (ANY -> 2.2.2.2) replaces the AP's private IP 10.5.1.100 with the public IP 2.2.2.2, and the source port changes with NAPT.
– Internet between the branch public IP 2.2.2.2 and the HQ firewall 1.1.1.1.]

Page 102:

Instructor Only: On Local RADIUS Server, Configuring HiveAP RADIUS Clients

For HiveAPs that are VPN clients, set the RADIUS server to accept RADIUS messages from the Tunnel IP address pool set up on the HiveAP VPN server to assign to HiveAP VPN clients

For this class, the tunnel IP pool assigned to HiveAP VPN clients is: 10.8.1.0/24

Click Next

Page 103:

Instructor Only: On Local RADIUS Server, Configuring HiveAP RADIUS Clients

Set the shared secret to secure the communication between the HiveAPs and RADIUS server

– For this class use: aerohive123

Click Finish

Note: For a real network, please use a more secure key

Page 104:

LAB: Configure SSID for Wireless VPN 1. Create New RADIUS Server Object for SSID

Configure a new RADIUS server for your SSID that is accessible through the VPN

From inside your WLAN policy click the link to modify your SSID: Class-802.1X-X

Page 105:

LAB: Configure SSID for Wireless VPN 2. Configure RADIUS Server Object

Define RADIUS Server Settings for use with wireless clients through the VPN

Next to RADIUS Server, click +

Click the radio button for External RADIUS Server

Profile Name: RADIUS-VPN-X
Primary RADIUS Server: 10.8.1.200
Shared Secret: aerohive123
Confirm Secret: aerohive123
Click Apply to save the new RADIUS object

Do not save, go to next slide

Page 106:

LAB: Configure SSID for Wireless VPN 3. Modify Employee User Profile

Select the Employee(10)-X user profile from the Selected user profile list

Click the Modify Icon:

Page 107:

LAB: Create VPN Services Policy 4. Change VLAN and Add VPN Settings

Set the User Profile to use the VPN and a new VLAN

Assign the Default VLAN: 20

| Optional Settings | Expand GRE or VPN Tunnels
Select: VPN tunnel for client traffic

| Split Tunnel |
– Select Split Tunnel with NAT to Local Subnet and Internet

Click Save

Page 108:

LAB: Configure SSID for Wireless VPN 5. Save your SSID

Save your SSID

Page 109:

Split Tunnel Firewall Policy: Automatically Created

When you select the option to use split tunnel to local subnet and Internet, the following policy gets created on the HiveAP

– The following policy will not be displayed in HiveManager

From Access Firewall Policy

Source IP    Destination IP   Service      Action
0.0.0.0/0    0.0.0.0/0        DHCP-Server  Permit (tunnel)
0.0.0.0/0    10.5.1.0/24      Any          NAT
0.0.0.0/0    10.0.0.0/8       Any          Permit (tunnel)
0.0.0.0/0    172.16.0.0/12    Any          Permit (tunnel)
0.0.0.0/0    192.168.0.0/16   Any          Permit (tunnel)
0.0.0.0/0    0.0.0.0/0        Any          NAT

– Note: by default there is no To Access firewall policy, so if you want traffic to be initiated from HQ to the wireless clients through the VPN, you will need to create a To Access policy that permits that access
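As an added example, not HiveOS code, the From Access policy above as a first-match evaluator in Python, with a shadowing check: the `local_subnet` parameter generalises the lab's 10.5.1.0/24 so the teleworker case (home subnet 192.168.1.0/24) can be evaluated too; the service mapping and the Deny fallback are my assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    service: str   # "DHCP-Server" or "Any", as on the slide
    action: str    # "Permit (tunnel)" or "NAT"


def _n(cidr):
    return ipaddress.ip_network(cidr)


def split_tunnel_policy(local_subnet="10.5.1.0/24"):
    """The auto-created From Access policy, in slide order.

    10.5.1.0/24 is the lab's branch subnet; making it a parameter is my generalisation."""
    return [
        Rule(_n("0.0.0.0/0"), _n("0.0.0.0/0"), "DHCP-Server", "Permit (tunnel)"),
        Rule(_n("0.0.0.0/0"), _n(local_subnet), "Any", "NAT"),
        Rule(_n("0.0.0.0/0"), _n("10.0.0.0/8"), "Any", "Permit (tunnel)"),
        Rule(_n("0.0.0.0/0"), _n("172.16.0.0/12"), "Any", "Permit (tunnel)"),
        Rule(_n("0.0.0.0/0"), _n("192.168.0.0/16"), "Any", "Permit (tunnel)"),
        Rule(_n("0.0.0.0/0"), _n("0.0.0.0/0"), "Any", "NAT"),
    ]


def service_of(proto, dport):
    """Constructed mapping: the slide names only DHCP-Server and Any, so UDP/67 is DHCP-Server."""
    return "DHCP-Server" if (proto == "udp" and dport == 67) else "Any"


def evaluate(policy, src_ip, dst_ip, proto, dport):
    """First-match evaluation; returns (action, index of the rule that fired)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    svc = service_of(proto, dport)
    for i, r in enumerate(policy):
        if src in r.src and dst in r.dst and r.service in ("Any", svc):
            return r.action, i
    return "Deny", None   # assumed default; unreachable while the catch-all NAT rule is last


def _covers(a, b):
    """True when rule a matches everything rule b matches."""
    return b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst) and a.service in ("Any", b.service)


def shadowed_rules(policy):
    """Indices of rules that can never fire because an earlier rule covers them entirely.

    Placing the local-subnet NAT rule below the 10.0.0.0/8 tunnel rule is the mistake this catches."""
    return [j for j, r in enumerate(policy) if any(_covers(policy[i], r) for i in range(j))]
```

With the lab policy, a VLAN 20 client printing to 10.5.1.5 is NATed locally while the same flow to 192.168.1.5 is tunneled; with the home-subnet policy the 192.168.1.5 printer becomes local.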

Page 110:

LAB: Create VPN Services Policy 6. Verify VPN Settings and Save WLAN Policy

Back in the WLAN Policy

Expand VPN Service Settings

– Ensure the Employee(10)-X user profile is set to use VPN Tunnel and that it is set to Yes for Split Local Traffic (Split Tunnel)

Click Save

Page 111:

Configuring HiveAPs to be VPN Clients and VPN Servers

HiveAP VPN Roles and Updating the Configuration

Page 112:

LAB: Assign HiveAPs to VPN Roles 1. Modify Your HiveAP-A and Make VPN Client

From Monitor > HiveAPs, modify your HiveAP-A:

X-A-######

| Optional Settings | Expand Services Settings

– VPN Service Role: Client

Click Save

Page 113:

LAB: Assign HiveAPs to VPN Roles 2. Modify Your HiveAP-B and Make VPN Server

From Monitor > HiveAPs, modify your HiveAP-B:

X-B-######

| Optional Settings | Expand SSID Allocation

– (Optional) Clear the check boxes to disable the SSIDs on this HiveAP VPN server

Expand Services Settings
– VPN Service Role: Server

Click Save

Page 114:

LAB: Assign HiveAPs to VPN Roles 3. Verify HiveAP Roles

You will now see icons specifying whether the HiveAP is a VPN client or VPN server

The up and down arrows next to the keys are red when the VPN is not established

– The VPN will be established after updating the configuration of the HiveAPs

Page 115:

LAB: Assign HiveAPs to VPN Roles 4. Update Delta Configuration and VPN Certs


From Monitor > HiveAPs, select both of your HiveAPs: X-A-HiveAP and X-B-HiveAP

Select Update... > Upload and Activate Configuration

If you want to see the delta configuration, click the link for your HiveAP

– Close the View Configuration window after viewing the delta configuration changes

Click Upload

Page 116:

LAB: Assign HiveAPs to VPN Roles 5. View Update Results

After a successful update, you can move your mouse over the Description to see what was updated

– Here you should see that the VPN certificates and keys and the configuration have been updated

Page 117:

LAB: Assign HiveAPs to VPN Roles 6. Monitor Status of VPN HiveAPs

From Monitor > HiveAPs you can see that the VPN is up because the up and down arrows are green

Page 118:

LAB: Assign HiveAPs to VPN Roles 7. HiveAP VPN Diagnostics

View VPN Tunnel Diagnostic Commands

Select one of the VPN HiveAPs: X-A-HiveAP

Click Tools > Diagnostics > Show IPSec SA

Note: The VPN is clearly working when you see a tunnel from the MGT0 IP of the VPN client to the (NAT) address of the MGT0 of the VPN server, and the reverse. The two directions use different SAs (Security Associations)

– State: Mature

Page 119:

Diagnostics: Show IKE Event

Click Tools > Diagnostics > Show IKE Event

If you see that phase 1 failed due to a certificate problem:

– Check the time on the HiveAPs
• show clock
• show time

– Ensure you have the correct certificates loaded on the HiveAPs in the VPN services policy

Page 120:

LAB: Assign HiveAPs to VPN Roles 8. HiveAP VPN Topology

You can view the VPN topology by going to: Configuration > Advanced Configuration > Security Policies > VPN Services

– Click View for your VPN
– If you move your mouse over the HiveAP icons you can see how long the tunnel has been established
– If the icons are green, the tunnel is established
– If the icons are red, the tunnel is down

Page 121:

VPN Topology Example

Here is an example of a VPN topology with 12 HiveAP VPN clients and two HiveAP VPN servers for tunnel load sharing and redundancy

Page 122:

Testing Your VPN Access With 802.1X Client (Supplicant)

Using Microsoft XP

Page 123:

If Your Remote PC Is Connected From the Previous Lab

Note: If you have not set up your 802.1X supplicant on the hosted client PC, please refer to the 802.1X section earlier in this training

Disconnect from: Class-802.1X-X

Then reconnect to: Class-802.1X-X

Make sure you can connect

Page 124:

Verify Status of Wireless Client and VPN Connection from PC

Once your wireless client is connected to Class-802.1X-X

Verify your IP address by opening a command prompt and typing ipconfig /all

If the Ethernet adapter Wireless Network Connection is set to: 10.8.20.N

– Then you are connected through the tunnel to VLAN 20

– Great Job!!!

Page 125:

Test Your Hosted PC's VPN Connection

From your hosted PC, open a browser and connect to: http://10.8.20.150

If this works, your hosted PC is going through the VPN on VLAN 20

Page 126:

Check Status of Wireless Client

From Monitor > Clients > Active Clients
– Locate the client on the remote hosted PC, and see if it is connected with a 10.8.20.N IP address

Page 127:

To View the XAUTH Credentials

Go to Configuration > Advanced Configuration > Security Policies > VPN Services

If an AP gets lost or stolen, you can remove the credential and push the configuration to the HiveAP VPN server

– That will prevent the VPN client from building a tunnel to the VPN server

You can also generate new credentials and push them out to the HiveAP VPN servers and clients


Xauth credentials are automatically assigned to HiveAP VPN clients that are assigned to this VPN services policy

Page 128:

VPN Lab Clean-up

Please remove the VPN tunnel configuration from the Employee(10) User Profile and change the VLAN before continuing to the next labs

Page 129:

Lab: VPN Lab Cleanup 1. Change VLAN and Disable Tunnel

From Configuration > User Profiles

Select your Employee(10)-X user profile

Set the default VLAN to: 10

Under Optional Settings > GRE or VPN Tunnels
– Set the option for: No tunnel

Click Save
Note: We do not need to update the configuration at this time. You will update the configuration in the next lab.

Page 130:

Lab: VPN Lab Cleanup 2. Remove Tunnel Roles from HiveAPs

From Monitor > Access Points > HiveAPs

Select the check box next to both of your HiveAPs
– X-A-######
– X-B-######

Set VPN Service Role: None
Click Save

Page 131:

HiveAP Classification Examples

To Simplify the WLAN Policy Configuration When Different Settings for HiveAPs are Needed at Different Locations

Page 132:

Question: How do you define a single WLAN policy, but configure different settings?

For example, in the WLAN policy, you can only define one MGT interface VLAN

But if the HiveAPs are in different networks with different MGT0 VLANs, what can you do?

[Diagram: two HiveAPs in different networks behind L2 switches and one router. DMZ-X HiveAP device settings: interface mgt0 10.8.1.X, classification tag DMZ, WLAN policy WLAN-X1, MGT0 VLAN from the policy. Area-X HiveAP device settings: interface mgt0 10.5.2.?, classification tag Area-1, WLAN policy WLAN-X2, MGT0 VLAN from the policy.]

Page 133:

Answer: HiveAP Classification: Define an Object That is Variable

[Screenshots: HiveAP classification tag settings; this WLAN policy is assigned to HiveAP 1 and HiveAP 2; HiveAP 1 configuration, HiveAP 2 configuration, and the VLAN object definition.]

Page 134:

HiveAP Classification: Tag Selection

If you specify multiple tags on a HiveAP, make sure the object is defined to match

If you want to make this VLAN object match all HiveAPs in HQ, you must define Tag 1 as: HQ, but uncheck Tag 2 and Tag 3 so they will be ignored

If you do not uncheck Tag 2 and Tag 3, you will have to match all three tags on each HiveAP

[Screenshots: VLAN object definition, HiveAP 1 configuration, HiveAP 2 configuration.]

Page 135:

Objects That Support HiveAP Classification

Objects that support HiveAP classification:
– IP/Hostname Objects
– MAC Addresses/OUIs
– VLANs
– User Profile Attribute Groups

These objects can be configured once, but the values assigned to the HiveAP change based on the HiveAP's:
– Topology Map
– Classifier Tag
– IP Address
– Hostname

Page 136:

H iveAP Classification: Types

VLANs, IP Address Objects, MAC Address objects, and User Profile Attribute groups can have classification rules based on:
– Map Name
• Uses topology maps
– HiveAP Name
– Classifier Tag
• Requires that tags are defined in the configuration of the HiveAPs
– Global
• Selected if no match is found for any of the other types

You can mix and match; the first matching rule is used
– Global is checked as the last match even if it is defined first
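As an added example, not HiveManager's implementation, the matching rules of this slide and of the Tag Selection slide in Python, using the lab's X-MGT0-VLANs object and the two HiveAPs' tags; the `HiveAP`/`Rule` types, exact-string matching for Map Name and HiveAP Name, and the `lint` checks are my assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class HiveAP:
    name: str
    tags: Tuple[str, str, str]   # Tag 1, Tag 2, Tag 3 as entered on the HiveAP ("" when unset)
    map_name: str = ""


@dataclass(frozen=True)
class Rule:
    value: int          # VLAN ID this entry assigns
    kind: str           # "Classifier Tag", "Map Name", "HiveAP Name" or "Global"
    match: tuple = ()   # tag rule: three entries, None for an unchecked tag; name rules: (name,)


def rule_matches(rule: Rule, ap: HiveAP) -> bool:
    if rule.kind == "Global":
        return True
    if rule.kind == "Classifier Tag":
        # An unchecked tag is ignored; every checked tag must equal the HiveAP's tag in that slot.
        return all(want is None or want == have for want, have in zip(rule.match, ap.tags))
    if rule.kind == "Map Name":
        return ap.map_name == rule.match[0]
    if rule.kind == "HiveAP Name":
        return ap.name == rule.match[0]
    raise ValueError(f"unknown classification type {rule.kind!r}")


def classify(rules: Sequence[Rule], ap: HiveAP) -> Optional[int]:
    """First matching rule in definition order wins; Global is tried last even if defined first."""
    for rule in rules:
        if rule.kind != "Global" and rule_matches(rule, ap):
            return rule.value
    for rule in rules:
        if rule.kind == "Global":
            return rule.value
    return None   # nothing matched and no Global entry: the object gives this HiveAP no value


def lint(rules: Sequence[Rule]) -> List[str]:
    """Checks worth running before saving an object (added here, not a HiveManager feature)."""
    problems = []
    if not any(r.kind == "Global" for r in rules):
        problems.append("no Global entry: HiveAPs matching nothing get no value")
    for i, r in enumerate(rules):
        if r.kind == "Classifier Tag" and all(t is None for t in r.match):
            problems.append(f"rule {i}: every tag unchecked, so it matches all HiveAPs like Global")
    return problems


# The lab's VLAN object X-MGT0-VLANs: VLAN 2 when Tag 3 is Trusted, otherwise the Global VLAN 1.
X_MGT0_VLANS = [
    Rule(2, "Classifier Tag", (None, None, "Trusted")),
    Rule(1, "Global"),
]

# The lab's two HiveAPs with the tags the lab assigns them.
HIVEAP_A = HiveAP("X-A-HiveAP", ("HQ", "Bldg1", "Trusted"))
HIVEAP_B = HiveAP("X-B-HiveAP", ("HQ", "Bldg1", "DMZ"))
```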

Page 137:

WLAN Policy Example 1 - PSK: Using Classification Tags for VLANs

[Diagram: Inside and DMZ HiveAPs behind L2 switches and one router.]
– Inside HiveAP device settings: interface mgt0 10.5.2.?, classification tag Inside, WLAN policy WLAN-X2
– DMZ HiveAP device settings: interface mgt0 10.8.1.X, classification tag DMZ, WLAN policy WLAN-X1

VLAN Object: X-MGT0-VLANs
– VLAN ID: 2, Type: Classifier Tag, Value: Tag 1: HQ, Tag 2: Bldg1, Tag 3: Trusted
– VLAN ID: 1, Type: Global
* Global VLAN is set, but it will not be used in this lab

WLAN Policy: WLAN-X
– MGT0 VLAN: X-MGT0-VLANs
– Native VLAN: 1

Page 138:

Lab: HiveAP Classification 1. Assign Classification Tag to HiveAP-A

From Monitor > HiveAPs
– Select the check box next to your HiveAP-A X-A-###### and click Modify

Expand Advanced Settings

| HiveAP Classification | Enter a value:
Tag 1 – HQ
Tag 2 – Bldg1
Tag 3 – Trusted

Note: You can change these settings for a group of HiveAPs if you select multiple HiveAPs before editing them

Click Save

Page 139:

Lab: HiveAP Classification 2. Assign Classification Tag to HiveAP-B

From Monitor > HiveAPs
– Select the check box next to your HiveAP-B X-B-###### and click Modify

Expand Advanced Settings

| HiveAP Classification | Enter a value:
Tag 1 – HQ
Tag 2 – Bldg1
Tag 3 – DMZ

Note: You can change these settings for a group of HiveAPs if you select multiple HiveAPs before editing them

Click Save

Page 140:

Lab: HiveAP Classification 3. In your WLAN Policy Create a New VLAN

The VLAN for the MGT0 interface on a HiveAP is assigned via the WLAN policy

Go to Configuration > WLAN Policies
Edit WLAN-X
Next to MGT interface VLAN, click +
Go to Next Slide

Page 141:

Lab: HiveAP Classification 4. Create a VLAN Policy for MGT0 VLANs

VLAN Name: X-MGT0-VLANs
– VLAN ID: 2
– Type: Classifier
– Value:
• Uncheck Tag 1: <empty>
• Uncheck Tag 2: <empty>
• Check Tag 3: Trusted
– Click Apply (Do not save)

Click New
– VLAN ID: 1
– Type: Global
– Click Apply

Note: HiveAPs in the DMZ use VLAN 1, which will match the Global entry defined here
Save your VLAN object

Page 142:

Lab: HiveAP Classification 5. Assign MGT0 Interface VLAN to New VLAN

In your WLAN Policy, verify the MGT0 Interface VLAN is set to: X-MGT0-VLANs

The Native (untagged) VLAN should still be set to: 1

Save your WLAN Policy

Page 143:

Lab: HiveAP Classification 6. View Configuration Audit

Click the mismatch icon for your HiveAP-A to see the configuration changes

You should see that the MGT0 interface is being set to VLAN 2

If you click the mismatch icon for HiveAP-B, you will not see a change in the VLAN, because it is already set to use VLAN 1

Page 144:

Lab: HiveAP Classification 7. Update Delta Configuration


From Monitor > HiveAPs, select both of your HiveAPs: X-A-HiveAP and X-B-HiveAP

Select Update... > Upload and Activate Configuration

If you want to see the delta configuration, click the link for your HiveAP

– Close the View Configuration window after viewing the delta configuration changes

Click Upload

Page 145:

Lab: HiveAP Classification 8. View Update Results

After a successful update, you can move your mouse over the Description to see what was updated

Page 146:

Lab: HiveAP Classification 9. View the New IP Address for your HiveAP

From Monitor > HiveAPs
– Verify that the new IP address for your HiveAP is in the subnet: 10.5.2.0/24

Note: It may take a moment for the changes to be reflected

Page 147:

HiveAP Classification: Example

Page 148:

Using Classification Tags for VLANs Example

Hive: Hive-Campus
MGT0 VLAN (network object): VLAN-HiveAPs
WLAN Policy Settings: Campus-Policy
Native VLAN: 1

SSIDs (all WPA/WPA2 with PSK, TKIP or AES):
  SSID 1: Student-WiFi
  SSID 2: Faculty-WiFi
  SSID 3: Voice-WiFi

Topology: Router, L2-Switch (Area-1), L2-Switch (Area-2)
  Area-1: HiveAP VLAN 2, User VLANs 3-5, Student client 10.1.3.10
  Area-2: HiveAP VLAN 6, User VLANs 7-9, Student client 10.1.7.10

HiveAP Device Settings (Area-1 HiveAP)
  Interface mgt0: DHCP-Client
  Classification Tag: Area-1
  WLAN Policy: Campus-Policy

HiveAP Device Settings (Area-2 HiveAP)
  Interface mgt0: DHCP-Client
  Classification Tag: Area-2
  WLAN Policy: Campus-Policy

VLAN Network Objects (classifier tag -> VLAN)
  VLAN-HiveAPs:  Area-1 – VLAN 2, Area-2 – VLAN 6
  VLAN-Students: Area-1 – VLAN 3, Area-2 – VLAN 7
  VLAN-Faculty:  Area-1 – VLAN 4, Area-2 – VLAN 8
  VLAN-Voice:    Area-1 – VLAN 5, Area-2 – VLAN 9

User Profiles (Attribute / Tunnel Policy / VLAN object)
  Students: 100 / L3-Roaming / VLAN-Students
  Faculty:  101 / L3-Roaming / VLAN-Faculty
  Voice:    102 / L3-Roaming / VLAN-Voice

* A global VLAN value must still be set in each VLAN network object, but it will not be used when a classifier tag matches.
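The example above is easier to reason about as a lookup: each VLAN network object is a table keyed by classifier tag, and a HiveAP's tag selects the row. The following Python is an added illustration written for this page, not Aerohive code; it uses the slide's own tags, VLAN objects and user profiles. Two things are assumptions rather than statements from the slide: that a HiveAP whose tags match nothing in an object falls back to the object's global VLAN, and the global value used here (1), which the slide only says must be set and is not used when a tag matches.

```python
"""Resolve VLANs from HiveAP classification tags.

Added example (not Aerohive code): it models the behaviour the
'Using Classification Tags for VLANs' slide describes, using the slide's
own tags, VLAN network objects and user profiles. Assumptions: a tag that
has no mapping in an object falls back to the object's global VLAN, and the
global VLAN value chosen here (1) is arbitrary.
"""
from dataclasses import dataclass, field


@dataclass
class VlanObject:
    name: str
    global_vlan: int                            # must be set, normally unused
    by_tag: dict = field(default_factory=dict)  # classifier tag -> VLAN ID

    def resolve(self, tags):
        """First tag on the HiveAP that this object maps wins (assumption)."""
        for tag in tags:
            if tag in self.by_tag:
                return self.by_tag[tag]
        return self.global_vlan


@dataclass
class HiveAP:
    name: str
    tags: tuple                                 # classification tags on mgt0
    wlan_policy: str = "Campus-Policy"


# VLAN network objects exactly as on the slide.
VLAN_OBJECTS = {
    "VLAN-HiveAPs":  VlanObject("VLAN-HiveAPs",  1, {"Area-1": 2, "Area-2": 6}),
    "VLAN-Students": VlanObject("VLAN-Students", 1, {"Area-1": 3, "Area-2": 7}),
    "VLAN-Faculty":  VlanObject("VLAN-Faculty",  1, {"Area-1": 4, "Area-2": 8}),
    "VLAN-Voice":    VlanObject("VLAN-Voice",    1, {"Area-1": 5, "Area-2": 9}),
}

# user profile attribute (returned by RADIUS) -> (profile name, VLAN object)
USER_PROFILES = {
    100: ("Students", "VLAN-Students"),
    101: ("Faculty", "VLAN-Faculty"),
    102: ("Voice", "VLAN-Voice"),
}

MGT0_OBJECT = "VLAN-HiveAPs"   # the WLAN policy's MGT0 Interface VLAN setting


def mgt0_vlan(ap):
    """Management VLAN this HiveAP's mgt0 will be placed in."""
    return VLAN_OBJECTS[MGT0_OBJECT].resolve(ap.tags)


def user_vlan(ap, attribute):
    """VLAN a client lands in on `ap` after RADIUS returns `attribute`."""
    _, obj = USER_PROFILES[attribute]
    return VLAN_OBJECTS[obj].resolve(ap.tags)


def audit(aps):
    """Names of HiveAPs whose tags match no entry in the MGT0 VLAN object.

    Such an AP silently gets the global VLAN (here the native VLAN 1), which
    is exactly the misplacement the classification lab is meant to avoid.
    """
    obj = VLAN_OBJECTS[MGT0_OBJECT]
    return [ap.name for ap in aps if not any(t in obj.by_tag for t in ap.tags)]
```

Running audit() over the HiveAP inventory before pushing a WLAN policy is the check worth keeping: an AP that was never tagged (for example a replacement unit) would otherwise come up in the native VLAN without any error in HiveManager.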

Page 149

HiveAPs as RADIUS Servers

Page 150

Local User Database

Page 151

LAB: Create Local User Database

Used for IEEE 802.1X and for Captive Web Portal authentication

The local user database is used as a primary or backup user store for the HiveAP RADIUS server for IEEE 802.1X EAP-PEAP, EAP-TTLS, or EAP-TLS authentication

It is highly beneficial for branch or small office deployments that require a local user database

The local user database can also be used as a backup to authentication with Active Directory: if the Active Directory service is unavailable, the local database can automatically be used

Page 152

LAB: HiveAP as RADIUS Server 1. Create a Local User Group

Go to Configuration > Advanced Configuration > Authentication > Local User Groups and click New

User Group Name: group(10)-0X (X is 2 digits = 01, 02, ..., 14, 15)
User Attribute: 10
VLAN ID: <Leave blank, will inherit from user profile>
Re-auth Time: 1800
Click Save

As a theft protection mechanism, if Save in DRAM only is selected, the user database is erased whenever the AP is powered off or rebooted; the AP then automatically retrieves it again from HiveManager, so an AP that is removed from the network carries no user credentials with it.

Page 153

LAB: HiveAP as a RADIUS Server 2. Manually Create a Local User

Go to Configuration > Advanced Configuration > Authentication > Local Users and click New

User Group: group(10)-0X
Username: user-X
Password: aerohive123
Confirm Password: aerohive123
Description: 0X-rad
Click Save

Entering a description makes it easier to filter/search for users in the user list. For example, later you will filter on "0X-rad" to find all the users you have created and imported in this lab.

Page 154

LAB: HiveAP as a RADIUS Server 3. Prepare your user file to import

From the list of files you downloaded from the instructor, locate and edit your Company-X-radius-users.csv file. (You can edit it with a spreadsheet program or Notepad.)

Modify the first user entry: make up a username and enter your real email address so that you can send yourself the PSK

Save the file (the file name must end with .csv)

The columns of the file are annotated on the slide as follows:
– user login name
– User Type (1 = RADIUS user)
– User Group Name
– the password for the user account
– Description

Lines that start with a # are commented out
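Because the import either succeeds for every row or reports errors only after the upload, it is worth checking the file before clicking Import. The script below is an added example for this page, not part of the courseware or HiveManager: it parses the CSV, skips # comment lines, and rejects rows whose user type is not 1 (RADIUS), whose group does not follow the lab's group(10)-0X naming, whose password is short, or whose login is duplicated. The column order (login, type, group, password, description) follows the order of the annotations on the slide and is an assumption, as are the sample rows, which are constructed here.

```python
"""Pre-flight check for a HiveManager local-user CSV before import.

Added example, not Aerohive code. Column order (login, user type,
user group, password, description) follows the annotation order on the
slide and is an assumption; '#' comment lines and '1 = RADIUS user' are
from the slide. The sample rows below are constructed for this example.
"""
import csv
import re

RADIUS_USER = "1"
GROUP_RE = re.compile(r"^group\(10\)-(0[1-9]|1[0-5])$")   # lab naming convention
FIELDS = ("login", "user_type", "group", "password", "description")

SAMPLE_CSV = """\
# login,type,group,password,description
user-02,1,group(10)-02,aerohive123,02-rad
alice.example,1,group(10)-02,aerohive123,02-rad
user-03,1,group(10)-02,short,02-rad
user-04,2,group(10)-02,aerohive123,02-rad
user-02,1,group(10)-99,aerohive123,02-rad
"""


def parse_users(text):
    """Yield (line_no, row dict) for every non-comment, non-blank line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                          # '#' lines are commented out
        cols = next(csv.reader([raw]))
        if len(cols) != len(FIELDS):
            yield line_no, {"_error": "expected %d columns, got %d"
                            % (len(FIELDS), len(cols))}
            continue
        yield line_no, dict(zip(FIELDS, (c.strip() for c in cols)))


def validate(text, min_password=8):
    """Return a list of (line_no, message); an empty list means safe to import."""
    problems, seen = [], set()
    for line_no, row in parse_users(text):
        if "_error" in row:
            problems.append((line_no, row["_error"]))
            continue
        if row["user_type"] != RADIUS_USER:
            problems.append((line_no, "user type %r is not 1 (RADIUS)" % row["user_type"]))
        if not GROUP_RE.match(row["group"]):
            problems.append((line_no, "group %r does not exist in this lab" % row["group"]))
        if len(row["password"]) < min_password:
            problems.append((line_no, "password shorter than %d characters" % min_password))
        if row["login"] in seen:
            problems.append((line_no, "duplicate login %r" % row["login"]))
        seen.add(row["login"])
    return problems


def count_users(text):
    """Number of rows HiveManager would try to create (comments excluded)."""
    return sum(1 for _, row in parse_users(text) if "_error" not in row)


if __name__ == "__main__":
    for line_no, msg in validate(SAMPLE_CSV):
        print("line %d: %s" % (line_no, msg))
```

Run it against your Company-X-radius-users.csv (read the file and pass its text to validate()) and only import when the list of problems is empty; count_users() should then equal the 5 users the next step expects to see.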

Page 155

LAB: HiveAP as a RADIUS Server 4. Import your user list file

Go to Configuration > Advanced Configuration > Authentication > Local Users

Click Import, browse for your modified RADIUS user list file in .csv format, then click Import

Please make sure you are in Local Users, NOT Local User Groups

Make sure you do not have any errors and ensure all 5 users were imported

Page 156

LAB: HiveAP as a RADIUS Server 5. Use the filter to find your users

Apply a filter to view your RADIUS users

Go to Configuration > Advanced Configuration > Authentication > Local Users
Click Filter
Enter the first part of the description: 0X-rad (where 0X is your two-digit student ID, 02-15)
Click Search
Go to next slide

Page 157

LAB: HiveAP as a RADIUS Server 6. View your list of RADIUS user accounts

Here you can see the user you created as well as the users you imported from the CSV file

Later, the user group will be assigned to a RADIUS server on a HiveAP. The HiveAP will be able to authenticate all the users in the user groups assigned to the HiveAP RADIUS server using IEEE 802.1X/EAP or an authenticated captive web portal

Page 158

Using a RADIUS User Database on a HiveAP for Authentication

Create SSID Using WPA/WPA2 Enterprise (802.1X)

Page 159

LAB: HiveAP as a RADIUS Server With 802.1X/EAP SSID Diagram

Student-X: VLANs 1-20
HiveAP-A (RADIUS Server): Mgt0 IP 10.5.2.N/24, VLAN 2
WLAN Policy: WLAN-X
AD / DHCP Server: 10.5.1.10
DHCP Settings:
  (VLAN 1)  network 10.5.1.0/24,  range 10.5.1.140 – 10.5.1.240
  (VLAN 2)  network 10.5.2.0/24,  range 10.5.2.140 – 10.5.2.240
  (VLAN 8)  network 10.5.8.0/24,  range 10.5.8.140 – 10.5.8.240
  (VLAN 10) network 10.5.10.0/24, range 10.5.10.140 – 10.5.10.240

Client connects to SSID: Class-802.1X-Xb
  IP: 10.5.10.N/24
  Gateway: 10.5.10.1

SSID: Class-802.1X-Xb
  Authentication: WPA/WPA2 802.1X (Enterprise)
  Encryption: TKIP or AES
  User Profile 1: Employee(10)-X, Attribute 10 (RADIUS attribute returned), VLAN 10
  User Profile 2: Employees (default), Attribute 1000 (no RADIUS attribute returned), VLAN 8

Page 160

LAB: HiveAP as a RADIUS Server 1. Edit your WLAN Policy and Add SSID Profile

An 802.1X-capable SSID and related settings can be configured from your WLAN Policy

Go to Configuration > WLAN Policies

Edit WLAN-X

Under SSID Profiles click Add/Remove SSID Profile

Create a new SSID Profile
– Click +

Go to Next Slide

Page 161

LAB: HiveAP as a RADIUS Server 2. Configure SSID and RADIUS Server

Profile Name: Class-802.1X-Xb
SSID: Class-802.1X-Xb
SSID Access Security
– Select: WPA/WPA2 802.1X (Enterprise)

Next to RADIUS Server
– Click +

Go to Next Slide

Page 162

LAB: HiveAP as a RADIUS Server 3. Define Settings for HiveAP RADIUS Server

Select the radio button for HiveAP RADIUS server

Note: Defining RADIUS within an SSID, instead of defining the profile objects separately before modifying the SSID, has the advantage of automatically creating two profiles, an AAA Client Settings profile and a HiveAP AAA Server Settings profile, and it ensures they are configured correctly for each other

Profile Name: AP-RADIUS-X
Primary RADIUS Server: 10.5.2.X

Available Local User Groups
– Select your group(10)-0X and click the > button to move it to the Selected Local User Groups

Click Apply

Do not save – go to next slide

Page 163

LAB: HiveAP as RADIUS Server 4. Assign user profiles and save

The RADIUS Server should now be set to: AP-RADIUS-X

Under User Profiles for Traffic Management
– User profile assigned if no attribute is returned: Employees(1000)
– User profile assigned via attributes returned from RADIUS... select: Employee(10)-X

Note: If you have multiple groups assigned to the HiveAP RADIUS server, each group can assign a different user profile attribute, so in that case you can define more user profiles here.

Click Save

Page 164

LAB: HiveAP as RADIUS Server 5. Remove Existing SSID and Add New SSID

To clean up the air in the data center, remove all other SSID profiles from the Selected SSID Profiles list using the << button
– You should have no SSID Profiles listed under the Selected SSID Profiles list

From the Available SSID Profiles, select Class-802.1X-Xb and use the > button to move it to the Selected SSID Profiles list

Click Apply (do not skip this step), then Save your WLAN policy

Page 165

LAB: HiveAP as a RADIUS Server 6. View Certificate Assigned to RADIUS Server

Go to Configuration > Advanced Configuration > Authentication > HiveAP AAA Server Settings

Modify your RADIUS Server Object: AP-RADIUS-X

Note: By default, the HM-Default-Server Cert and Key are selected, which works if you did not create a new HiveManager root CA certificate. In an earlier lab a new HiveManager Root CA certificate was created, so the default certificates, which were signed by the old HiveManager Root CA key, will no longer validate against the new CA.

Do not save – go to next slide

Page 166

LAB: HiveAP as a RADIUS Server 7. Change Certificate Used by RADIUS Server

Assign your AAA RADIUS Server to use:
– CA Cert File: AerohiveHMCA.pem
– Server Cert File: HiveAP-X_key_cert.pem
– Server Key File: HiveAP-X_key_cert.pem
– Key File Password: aerohive123
– Confirm Password: aerohive123

Note: The key and certificate were generated as a combined (key + certificate) PEM file in an earlier lab, which is why the same file is selected for both the Server Cert File and the Server Key File.

Save the RADIUS Server profile

Page 167

LAB: HiveAP as a RADIUS Server 8. Configure a Static IP for the RADIUS HiveAP

Go to Access Points > Managed HiveAPs and Modify your HiveAP-A: X-A-######

Under Optional Settings
– Expand Interface and network settings
• Uncheck DHCP client Enable
• IP Address: 10.5.2.X
• Netmask: 255.255.255.0
• Gateway: 10.5.2.1

Note: This lab assumes the HiveAP MGT0 interface is in VLAN 2, which was assigned in the previous HiveAP classification lab. The RADIUS HiveAP needs a fixed address because the AAA client profile created in step 3 points at 10.5.2.X.

Click Save

Page 168

LAB: HiveAP as a RADIUS Server 9. Assign HiveAP to be RADIUS Server

Assign the RADIUS Server Object to the HiveAP designated as the RADIUS server

Under Optional Settings, expand Service Settings

Set HiveAP RADIUS service to: AP-RADIUS-X

Remove the VPN Service Role by setting it to: None
– Otherwise RADIUS traffic may be tunneled because of settings left from previous labs

Click Save

Page 169

LAB: HiveAP as a RADIUS Server 10. Update Delta Configuration and RADIUS Certs

From Monitor > HiveAPs, select both of your HiveAPs: X-A-HiveAP and X-B-HiveAP

Select Update... > Upload and Activate Configuration

If you want to see the delta configuration, click the HiveAP-A link
– Close the View Configuration window after viewing the delta configuration changes

Click Upload

Page 170

LAB: HiveAP as a RADIUS Server 11. View Update Results

After a successful update, you can move your mouse over the description to see what was updated
– Here you should see that the AAA Certificates and Keys, the user database, and the Configuration have been updated

Page 171

Client Access Preparation - Distributing CA Certificates to Wireless Clients

Page 172

LAB: Export the HiveManager CA Root Certificate on the Remote PC

Note: The HiveManager Root CA certificate should be installed on the client PCs that will be using the RADIUS service on the HiveAPs for 802.1X authentication, so that the supplicant can validate the RADIUS server certificate. Only the CA certificate is exported; the CA private key stays on HiveManager.

From the VNC connection to the student PC, open a connection to: https://hivemanager

Login with: adminX, password: aerohive123

Go to Configuration > Keys and Certificates > Certificate Mgmt

Select AerohiveHMCA.pem and click Export

Page 173

LAB: Export the HiveManager CA Root Certificate

Select a directory on your remote PC to export the AerohiveHMCA.pem certificate to

Rename the AerohiveHMCA.pem file to AerohiveHMCA.pem.cer
– Adding the .cer extension to the end of the file name lets Microsoft Windows recognize the file as a certificate automatically

Page 174

LAB: Install AerohiveHMCA Certificate on Wireless Client PC

Find the file that was just exported to your client PC

Double-click the certificate file, then click Install Certificate

Issued to: hm-training.ahdemo.local
– This is the name of the certificate if you wish to find it in the certificate store, or if you want to select it in the Windows supplicant PEAP configuration

Page 175

LAB: Install AerohiveHMCA Certificate on Wireless Client PC

In the Certificate Import Wizard window click Next

Click Automatically select the certificate store based on the type of certificate

Click Next

If prompted, click OK on the "Do you want to install this certificate" message

Click Finish

Page 176

LAB: Verify AerohiveHMCA Certificate is Valid

If you double-click the certificate now and go to the Certification Path tab, you will see that the certificate status is OK

You can also check the Valid From date in the Details tab
– If the date on the HiveManager was wrong, or had the wrong time zone, when the certificate was generated, this date may lie in the future and the certificate will not yet be valid on the client

Page 177

Configuring and Testing Your 802.1X Supplicant

For Microsoft XP and Vista Supplicants

Page 178

Lab: Testing 802.1X to HiveAP RADIUS 1. Connect to Class-802.1X-Xb SSID

From the wireless client on the hosted PC
– Click Class-802.1X-Xb
– Click Connect

*** This connection will fail, but it creates a profile for the SSID on the client that you can then modify, changing the authentication method from Smart Card or other Certificate to Protected EAP (PEAP)

Page 179

Lab: Testing 802.1X to HiveAP RADIUS 2. Configure 802.1X Supplicant (802.1X Client)

View your Wireless Connections, then click Change advanced settings

In the Wireless network properties window enter the following:
– Change EAP Type to: Protected EAP (PEAP)

Click OK

Page 180

Lab: Testing 802.1X to HiveAP RADIUS 3. Enter credentials for 802.1X

Note: Because we are working over VNC, the "Enter Credentials" window most likely will not appear. Click the wireless icon once and the window should appear; you may have to try several times. You may also have to move the Wireless Network Connection window out of the way if it is on top.

Enter the user name: user-X
Password: aerohive123
Click OK

Wait a second, then click the wireless icon again

Click OK to validate the certificate

Page 181

Lab: Testing 802.1X to HiveAP RADIUS 4. Verify that you are connected to the SSID

Your client will connect to the Class-802.1X-Xb SSID

Page 182

Lab: Testing 802.1X to HiveAP RADIUS 5. View Active Clients

After associating with your SSID, you should see your connection in the active clients list in HiveManager
– Go to Monitor > Clients > Active Clients

User Name: user-X
BSSID: <The MAC address for your AP's SSID>
VLAN: 10
User Profile Attribute: 10

Page 183

Client Monitor Example of an invalid user account

The SSL negotiation uses the RADIUS server certificate; the Client Monitor output shows the IP of the RADIUS server

At this point you know the AAA certificates were installed correctly and the server certificate validation done by the client passed

The failure that follows is because the user is not in the user database. View the AAA server settings and ensure the correct user group is selected and that the HiveAP is a RADIUS server. Then update the configuration of the HiveAP.

Page 184

RADIUS Test Built Into HiveManager

To test a RADIUS account, go to Tools > RADIUS Test

RADIUS Server: 0X-A-######
HiveAP RADIUS Client: 0X-A-######
Select RADIUS authentication server
Username: user-X
Password: aerohive123
Click Test

If the test fails because the user is not in the user database, view the AAA server settings and ensure the correct user group is selected and that the HiveAP is a RADIUS server, then update the configuration of the HiveAP

After fixing the problem and running the test again, the authentication was successful
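What the RADIUS Test exercises is a single Access-Request/Access-Accept (or Reject) exchange with the HiveAP. The Python below is an added example for this page, not HiveOS or HiveManager code: it builds a PAP Access-Request as in RFC 2865, has a server-side function look the user up in a local user database modelled on the lab's groups, and has the client verify the Response Authenticator before trusting the answer, which is how a reply from a box that does not hold the shared secret is detected. The shared secret, the user "user-2", the group-to-attribute table and the choice of Tunnel-Private-Group-ID (attribute 81) to carry the user profile attribute are all assumptions made for the example, not settings shown on the slides.

```python
"""Minimal RADIUS PAP exchange (RFC 2865) against a local user database.

Added example, not HiveOS or HiveManager code. The shared secret, users,
groups and the use of Tunnel-Private-Group-ID (attr 81) to return the user
profile attribute are assumptions for this example.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, TUNNEL_PRIVATE_GROUP_ID = 1, 2, 81

# Constructed local user database: group -> user profile attribute,
# user -> (group, password). Mirrors group(10)-0X / user-X in the lab.
GROUPS = {"group(10)-02": 10}
USERS = {"user-2": ("group(10)-02", "aerohive123")}


def _attrs(pairs):
    """Encode (type, value) pairs as RADIUS TLVs (length covers type+len)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def _parse_attrs(data):
    out, i = {}, 0
    while i + 2 <= len(data):
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        out[t] = data[i + 2:i + l]
        i += l
    return out


def pap_encrypt(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16n, XOR each block with MD5(secret + prev block)."""
    raw = password.encode()
    padded = raw.ljust(max(16, -(-len(raw) // 16) * 16), b"\0")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_decrypt(blob, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(blob), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], key))
        prev = blob[i:i + 16]
    return out.rstrip(b"\0").decode()


def build_access_request(user, password, secret, ident=1, req_auth=None):
    """Client side: returns (packet, request authenticator)."""
    req_auth = req_auth or os.urandom(16)      # must be fresh per request
    attrs = _attrs([(USER_NAME, user.encode()),
                    (USER_PASSWORD, pap_encrypt(password, secret, req_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth


def server_handle(packet, secret):
    """What the HiveAP RADIUS server does: look the user up, Accept or Reject."""
    _, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], _parse_attrs(packet[20:length])
    user = attrs.get(USER_NAME, b"").decode()
    pw = pap_decrypt(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    entry = USERS.get(user)
    if entry and hmac.compare_digest(entry[1], pw):
        code = ACCESS_ACCEPT
        reply_attrs = _attrs([(TUNNEL_PRIVATE_GROUP_ID, str(GROUPS[entry[0]]).encode())])
    else:                                      # user not in database or bad password
        code, reply_attrs = ACCESS_REJECT, b""
    body = struct.pack("!BBH", code, ident, 20 + len(reply_attrs))
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(body + req_auth + reply_attrs + secret).digest()
    return body + resp_auth + reply_attrs


def client_check(reply, req_auth, secret):
    """Verify the reply came from a holder of the secret; return (code, attrs)."""
    code, _, length = struct.unpack("!BBH", reply[:4])
    attrs = reply[20:length]
    expect = hashlib.md5(reply[:4] + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(reply[4:20], expect):
        raise ValueError("bad Response Authenticator: forged reply or wrong shared secret")
    return code, _parse_attrs(attrs)


def radius_test(user, password, secret=b"aerohive123"):
    """Mirror of the HiveManager RADIUS Test: (accepted, user profile attribute)."""
    pkt, req_auth = build_access_request(user, password, secret)
    code, attrs = client_check(server_handle(pkt, secret), req_auth, secret)
    attr = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    return code == ACCESS_ACCEPT, int(attr) if attr else None
```

To run the client half against a real HiveAP, send the packet from build_access_request() over UDP to port 1812 (the port shown in the show aaa radius-server output later in this module) using the shared secret from the AAA Client Settings profile, and pass the reply to client_check(). Note that the Response Authenticator only protects the reply; PAP itself sends the password under MD5-based obfuscation, which is why the lab uses PEAP for the wireless clients and reserves this exchange for testing.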

Page 185

HiveAP RADIUS Server With Active Directory Integration

Page 186

Create a New Active Directory Administrator (Instructor Only)

On the Windows 2003 AD server, in your domain select Users, right click and select New > User

Note: The name used in this example is not relevant, you can use any name

First Name: HiveAP
Last Name: Admin
Full Name: HiveAP Admin
User Logon: hiveapadmin@ahdemo.local
Click Next

Page 187

Create a New Active Directory HiveAP Administrator (Instructor Only)

Enter a Password: Aerohive1
Confirm Password: Aerohive1
Uncheck User must change password at next login
Uncheck User cannot change password
Check Password never expires
Uncheck Account is disabled
Click Next
Click Finish

Page 188

HiveAP Administrator Group Membership

If you view the HiveAP Admin properties, you can see that the HiveAP Admin only needs to be a member of Domain Users. The rights it needs to join HiveAPs to the domain are delegated on the Wireless OU in the following slides, so no Domain Admins membership is required for the account whose password is stored on the HiveAPs.

Page 189

Optionally Create an Organizational Unit Where HiveAPs Can Be Added

In order for HiveAPs to authenticate users with Active Directory, each HiveAP will be dynamically added to the domain as a computer

In order to organize the domain, you can create an organizational unit (OU) where HiveAPs can be added

Select your domain ahdemo.local, right click and select New > Organizational Unit, enter the name: Wireless, then click OK

Page 190

Optionally Create Organizational Units Where HiveAPs Can Be Added

Optionally you can create more OUs (sub directories) to further organize the wireless networking

Select the Wireless OU, right click and select: New > Organizational Unit
Enter a name: HiveAPs
Click OK
– This will be used as the computer store for HiveAPs

Page 191

Delegate Control of Wireless OU to the HiveAP Admin (INSTRUCTOR ONLY)

Right click the Wireless OU and select Delegate Control...

Page 192

Delegate Control of Wireless OU to the HiveAP Admin

Welcome to the Delegation of Control Wizard
– Click Next

Users or Groups
– Add HiveAP Admin
– Click Next

Page 193

Delegate Control of Wireless OU to the HiveAP Admin

Select Create a custom task to delegate

Click Next

Page 194

Delegate Control of Wireless OU to the HiveAP Admin

For Active Directory Object Type
– Select Computer Objects and leave the rest of the default settings
– Check Create selected objects in this folder
– Click Next

For Permissions
– Check Read
– Check Write
– Leave the rest of the default settings

Click Next

This grants the HiveAP Admin only what the domain join needs: the right to create computer objects in this OU and read/write access to them, nothing elsewhere in the domain.

Page 195

Delegate Control of Wireless OU to the HiveAP Admin

Click Finish

Page 196

Configure Active Directory Settings

Page 197

Lab: AD Settings Configuration 1. Configure AD Settings

From Configuration > Advanced Configuration > Authentication > AAA User Directory Settings
– Note: In 3.5r1, this header was called AAA Server Settings

Click New
Name: AD-X
Select: Active Directory
Active Directory Server: 10.5.1.10
Domain: AHDEMO
Full Name: ahdemo.local
BindDN Name: hiveapadmin@ahdemo.local
BindDN Password: Aerohive1

Go to next slide

Page 198

Lab: AD Settings Configuration 2. Configure AD Settings - Continued

Admin User Name: (Leave empty for class)
– Note: Entering the admin credentials in HiveManager is optional. The domain join can instead be performed directly from the HiveAP (see the exec aaa net-join CLI step later in this module) if you do not want an Active Directory administrator password stored in HiveManager. The screen shot has it filled in so you can see the syntax.

Computer OU: Wireless/HiveAPs
– Note: The HiveAP Admin was given access to this OU

Click Save

Page 199

Lab: AD Settings Configuration 3. Configure HiveAP RADIUS with AD Settings

Go to Configuration > Advanced Configuration > Authentication > HiveAP AAA Server Settings

Modify AP-RADIUS-X
Uncheck Local Database
Under Optional Settings, expand Database Access Settings
Check Active Directory
Select AD-X with priority: Primary
Click Apply (please make sure you click Apply)
Click Save

Page 200

SSID for 802.1X Using HiveAP RADIUS with AD Integration

Page 201

LAB: HiveAP RADIUS w/ AD Integration 1. Edit your WLAN Policy and Add SSID Profile

An 802.1X-capable SSID and related settings can be configured from your WLAN Policy

Go to Configuration > WLAN Policies

Edit WLAN-X

Under SSID Profiles click Add/Remove SSID Profile

Under Available SSID Profiles
– Click +

Go to Next Slide

Page 202

LAB: HiveAP RADIUS w/ AD Integration 2. Configure SSID and Create RADIUS Server

Profile Name: Class-802.1X-Xc
SSID: Class-802.1X-Xc
SSID Access Security
– Select: WPA/WPA2 802.1X (Enterprise)

Next to: Select RADIUS Servers for 802.1X...
– Select: AP-RADIUS-X (defined in a previous lab)

Go to Next Slide

Page 203

LAB: HiveAP RADIUS w/ AD Integration 3. Assign user profile settings

Specify User Profile assigned if no attribute is returned from RADIUS after successful authentication: Employees(1000) (this user profile was created by the Instructor)

Specify User Profiles assigned via attributes returned from RADIUS after successful authentication: Employee(10)-X

Click Save

Go to Next Slide

Page 204

LAB: Secure WLAN Access With 802.1X 5. Remove Existing SSID and Add New SSID

To clean up the air in the data center, remove all other SSID profiles from the Selected SSID Profiles list using the << button
– You should have no SSID Profiles listed under the Selected SSID Profiles list

From the Available SSID Profiles, select Class-802.1X-Xc and use the > button to move it to the Selected SSID Profiles list

Click Apply (do not skip this step)

Go to Next Slide

Page 205

LAB: Secure WLAN Access With 802.1X 6. Verify Configuration and Save WLAN Policy

Verify that the SSID Class-802.1X-Xc is listed under the SSID profiles and that your SSID is mapped to two different user profiles: Employees(1000) and Employee(10)-X

Please make sure you have NTP Server settings defined in the Management Server Settings section; the HiveAP needs accurate time to join the domain and to authenticate users against Active Directory

Click Save

Page 206

LAB: Secure WLAN Access With 802.1X 7. Update delta configuration of your HiveAP

From Monitor > HiveAPs, select your HiveAP: X-A-HiveAP

Select Update... > Upload and Activate Configuration

If you want to see the delta configuration, click the HiveAP link
– Close the View Configuration window after viewing the delta configuration changes

Click Upload

Page 207

Optional: Verify HiveAP RADIUS Service From the CLI of the HiveAP

If you want to verify the RADIUS server status on your HiveAP, from the CLI of your HiveAP type: show aaa radius-server

Take a look to see if the settings look similar to the settings displayed below (student 01's HiveAP-A):

    01-A-008b40# show aaa radius-server
    All local RADIUS server parameters:
    RADIUS-server: Enabled
    port: 1812
    Station-auth type: tls peap ttls leap
    CA: AerohiveHMCA.pem
    server-cert: HiveAP-1_key_cert.pem
    private-key: HiveAP-1_key_cert.pem
    private-key-password: Encrypted
    remote retry period: 30 secs
    local check period: 300 secs
    ldap retry interval: 600 secs
    primary active directory (active):
      admin user:
      server: 10.5.1.10
      computers OU: Wireless/HiveAPs
      default domain info:
        netBOIS name ahdemo
        full domain name: ahdemo.local
        bindDN: hiveapadmin@ahdemo.local

Page 208

Optional: Verify HiveAP Time From the CLI of the HiveAP

From the CLI of the HiveAP:

    # show time
    Timezone: GMT-8

    # show clock
    2009-04-16 14:30:45 Thursday

Page 209

Joining HiveAPs to Active Directory (Computer OU = Wireless/HiveAPs)

From the AD server, you can go to Active Directory Users and Computers, select the computer OU you specified in the AAA User Directory Settings and click Refresh to see when the HiveAP joins the domain

If you specify an Active Directory administrator account in the AAA User Directory Settings, then the HiveAP will automatically add itself to the domain

If you did not specify an Active Directory administrator, you will have to manually add your HiveAP to the domain, much as you would do with a computer

Page 210

LAB: Secure WLAN Access With 802.1X 8. Join HiveAP RADIUS Server to Domain

Run the following test to join your HiveAP RADIUS server to the Active Directory domain

Go to Tools > AD/LDAP Test
Select RADIUS Server: X-A-######
Select Test joining the HiveAP to an Active Directory domain
Select Active Directory Domain: Primary
User Name: hiveapadmin
Password: Aerohive1
Click Test

In the test output you can see that the HiveAP is joined to the domain

Page 211

Alternative: Join HiveAP RADIUS Server to Domain using the HiveAP CLI

    02-A-064200# exec aaa net-join primary username hiveapadmin password Aerohive1
    Exec-Program output:
    Joined '02-A-064200' to server 'ahdemo.local' successful (NT_STATUS_OK)

(Note: The password will be hidden when typing)

If you have problems joining the domain, you may need to enter the Administrator account credentials to join the HiveAP to the domain

Go to the Wireless/HiveAPs OU to see the HiveAP added as a computer in the domain. You may have to refresh the screen to see the HiveAP appear after joining the HiveAP to the domain.

Page 212

Troubleshooting - Joining a HiveAP to a Domain

Here the test output shows that the HiveAP has failed to join the domain

Possible cause: The administrator account does not have privileges to add a computer/HiveAP to this OU
– Solution: Use an administrator with more privileges

Possible cause: The HiveAP was previously added to a different OU, and this administrator does not have privileges to remove the other entry
– Action: Delegate administration of this OU to allow the selected administrator to add computers to this OU

Page 213

Troubleshooting - Joining a HiveAP to a Domain

Here the test output shows that the HiveAP time is not accurate

Possible cause: The NTP Server settings have not been configured on the HiveAP, so its clock is outside the skew that Kerberos tolerates between the HiveAP and the domain controller (5 minutes by default)

Solution: Configure the NTP Server settings by going to your WLAN Policy > Management Services > NTP Server

Page 214

LAB: Secure WLAN Access With 802.1X 9. Test the user account for your hosted PC

Go to Tools > AD/LDAP Test
Select RADIUS Server: X-A-######
Select Test HiveAP credentials for Active Directory Integration
User Name: user
Password: Aerohive1
Click Test

The test output shows that Kerberos authentication passed for the user

Page 215

Note for Classroom Environment: 802.1X Supplicant Configuration

The first time you try to connect to your SSID, the connection will fail because Windows XP defaults to Smart Card or other Certificate instead of PEAP

Page 216

LAB: Secure WLAN Access With 802.1X 10. Configure Supplicant

From the hosted PC, connect to the Class-802.1X-Xc SSID

Wait a few seconds while the supplicant tries to validate identity
– Note: This will fail because Windows XP uses Smart Card or other Certificate instead of PEAP

To configure the network for PEAP:
1. Click Change advanced settings
2. Select the Wireless Networks tab
3. Double-click the SSID: Class-802.1X-Xc
4. Select the Authentication tab

Page 217

LAB: Secure WLAN Access With 802.1X 11. Configure supplicant to use PEAP

For the EAP type, select Protected EAP (PEAP)

Click Properties to see that you have enabled Validate the server certificate

Also, if you click Configure... next to the authentication method, you can see that the client will automatically use the Windows logon name and password that were entered to log in to the computer

Click OK until you have saved and exited from the supplicant configuration

217

Select Protected EAP (PEAP)

Page 218

LAB: Secure WLAN Access With 802.1X 12. Connect to SSID and Validate Certificate

Connect to your SSID

Because VNC is used, the pop-up window may not appear; click once on the wireless icon to get the Validate Certificate pop-up window

Click OK. Your client should now connect to the SSID

218

1. Click your SSID to connect

2. Because of VNC, you will have to click your mouse once on the wireless icon to see the Validate Certificate pop-up

3. Click OK

Page 219

LAB: Secure WLAN Access With 802.1X 13. View Active Client to Verify User Profile

Once you are connected, you can view the active clients list to see your user profile and VLAN information. Go to Monitor > Clients > Active Clients

Note the user profile is the user profile assigned for the SSID if no RADIUS attribute is returned:

– User Profile: 1000
– VLAN: 8
– IP Address: 10.5.8.#

In the next lab you will learn how to change the user profile for users in different Active Directory groups

219

User Profile Attribute Value

Page 220

Mapping Active Directory memberOf Attribute to User Profiles

220

Page 221

HiveAP as a RADIUS Server – Using AD memberOf for User Profile Assignment

221

[Diagram: employee David connects to SSID Corp-802.1X; the HiveAP RADIUS server (VLANs 1-20) authenticates him against the AD/DHCP server at 10.5.1.10 and forwards his traffic to the Internet]

Local user groups (HiveAP RADIUS Server Settings):

  Local User Group   User Profile Attribute
  CEO-Staff          100
  IT-Staff           110
  Sales              120

User profiles (SSID: Corp-802.1X):

  User Profile     Attribute   VLAN   FW Policy
  Employee-CEO     100         11     No restriction
  Employee-IT      110         10     No restriction
  Employee-Sales   120         8      Limited access

1. After validating the user credentials, the AD server returns the list of the user's AD groups via the memberOf attribute to the HiveAP RADIUS server

2. The memberOf value must match a local user group, which assigns the user profile attribute for the SSID

Page 222

HiveAP as a RADIUS Server – Using AD memberOf for User Profile Assignment

In your WLAN policy, you defined an SSID with two user profiles:

– Employees(1000) – Set if no RADIUS attribute is returned
• This user profile, for example, is for general employee staff, and they get assigned to VLAN 8

– Employee(10)-X – Set if a RADIUS attribute is returned
• This user profile, for example, is for privileged employees, and they get assigned to VLAN 10

Because the HiveAP RADIUS server is using AD to authenticate the users, and AD does not return RADIUS attributes, how can we assign users to different user profiles?

Though AD does not return RADIUS attributes, it does return other attribute values, like memberOf, which is a list of the AD groups to which the user belongs

222

Page 223

Instructor Only: Confirm User is a member of the Employee Groups

223

Right-click the username “user” and click Properties

Click on the Member Of tab

The user account “user” should be assigned to all the groups for all the students in class:

Employee-1, Employee-2, ..., Employee-15

Click OK

Page 224

REFERENCE: debug radiusd – Shows the memberOf attributes returned

When the user authenticates, the Active Directory server will return each of the user's groups, and if the RADIUS server has a matching group, the user will be assigned a user profile based on the user profile defined in the matching user group

Note: For the lab coming up next, every PC is logged in as “user”, but each student has their own HiveAP RADIUS server with only one user group defined, which will match one of the memberOf groups returned

Debug output during client authentication shows memberOf...

2010-04-28 12:36:58 debug auto shared-secret 2570*, NAS 10.5.2.2, RADIUS srv 10.5.2.2

2010-04-28 12:36:58 debug rlm_ldap: performing user authorization for AHDEMO\user

2010-04-28 12:36:58 debug rlm_ldap: (re)connect to 10.5.1.10:389, authentication 0

2010-04-28 12:36:58 debug rlm_ldap: bind as [email protected]/****** to 10.5.1.10:389

2010-04-28 12:36:58 debug rlm_ldap: waiting for bind result ...

2010-04-28 12:36:58 debug rlm_ldap: Bind was successful

2010-04-28 12:36:58 debug rlm_ldap: performing search in dc=ahdemo,dc=local, with filter ([email protected])

2010-04-28 12:36:58 debug rlm_ldap: Adding memberOf as AH-FreeRADIUS-Group-Name = "CN=Employee-4,CN=Users,DC=ahdemo,DC=local"

2010-04-28 12:36:58 debug rlm_ldap: Adding memberOf as AH-FreeRADIUS-Group-Name = "CN=Employee-3,CN=Users,DC=ahdemo,DC=local"

2010-04-28 12:36:58 debug rlm_ldap: Adding memberOf as AH-FreeRADIUS-Group-Name = "CN=Employee-2,CN=Users,DC=ahdemo,DC=local"

224
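The mapping rule described on the previous slides, as an added worked example written for this page (it is not HiveOS code and not part of the deck): it parses the rlm_ldap debug lines for the memberOf values, takes the CN of each group DN and looks for an exact match among the local user groups defined on the HiveAP RADIUS server, falling back to the SSID's default user profile attribute (1000 in this lab) when nothing matches. The sample debug lines are constructed after the ones shown above, and the local group table and the "first listed match wins" rule are assumptions of the example.

```python
import re

# Constructed sample modelled on the "debug radiusd" lines shown above (not a real capture).
SAMPLE_DEBUG_OUTPUT = """\
2010-04-28 12:36:58 debug rlm_ldap: performing user authorization for AHDEMO\\user
2010-04-28 12:36:58 debug rlm_ldap: Bind was successful
2010-04-28 12:36:58 debug rlm_ldap: Adding memberOf as AH-FreeRADIUS-Group-Name = "CN=Employee-4,CN=Users,DC=ahdemo,DC=local"
2010-04-28 12:36:58 debug rlm_ldap: Adding memberOf as AH-FreeRADIUS-Group-Name = "CN=Employee-3,CN=Users,DC=ahdemo,DC=local"
2010-04-28 12:36:58 debug rlm_ldap: Adding memberOf as AH-FreeRADIUS-Group-Name = "CN=Employee-2,CN=Users,DC=ahdemo,DC=local"
"""

# One line per group DN that rlm_ldap added from the user's memberOf attribute.
MEMBEROF_LINE = re.compile(r'Adding memberOf as AH-FreeRADIUS-Group-Name = "([^"]+)"')


def memberof_groups(debug_output):
    """Return the group DNs in the order the LDAP server returned them."""
    return MEMBEROF_LINE.findall(debug_output)


def group_cn(dn):
    """'CN=Employee-4,CN=Users,DC=ahdemo,DC=local' -> 'Employee-4' (None if the DN has no leading CN)."""
    first_rdn = dn.split(",", 1)[0]
    if not first_rdn.upper().startswith("CN="):
        return None
    return first_rdn[len("CN="):]


def assign_user_profile(debug_output, local_user_groups, ssid_default_attribute):
    """Pick the user profile attribute for an authenticated user.

    local_user_groups maps a local user group name to the user profile
    attribute it assigns (the "Local User Group / User Profile Attribute"
    table on the HiveAP RADIUS server).  The group name must match the AD
    group's CN exactly, as the lab requires, so a case difference is a
    mismatch.  If the user is in several matching groups the first one
    listed wins (an assumption of this example; in the lab only one local
    group exists).  Returns (matched_group, attribute); with no match the
    SSID default applies and matched_group is None.
    """
    for dn in memberof_groups(debug_output):
        cn = group_cn(dn)
        if cn is not None and cn in local_user_groups:
            return cn, local_user_groups[cn]
    return None, ssid_default_attribute


if __name__ == "__main__":
    # Student X's RADIUS server: a single local group Employee-4 -> attribute 10.
    print(assign_user_profile(SAMPLE_DEBUG_OUTPUT, {"Employee-4": 10}, 1000))
```

Run it against a saved debug capture to see which of the returned groups a given local group table would select; a result of (None, 1000) with the expected group visible in the output usually means the local group name does not match the AD CN character for character.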

Page 225

Lab: Use AD to Assign User Profile – 1. Map memberOf attribute to user profile

From Configuration > Advanced Configuration > Authentication > HiveAP AAA Server Settings > AP-RADIUS-X

Expand Database Access Settings

Check LDAP server attribute Mapping

Select Map LDAP user groups to local user groups

LDAP User Group Attribute: memberOf

Under Available Local User Groups, click + to create a new group

225

Page 226

Lab: Use AD to Assign User Profile – 2. Create user group to map to memberOf group

Create a group that matches a group that the username “user” is a member of

User Group Name: Employee-X

Note: This group name must match a group returned by the AD server in the memberOf attribute

User Type: RADIUS users

User Profile Attribute: 10

Note: The user profile attribute is returned from the HiveAP RADIUS server if this is the matching group

Click Save

226

Page 227

Lab: Use AD to Assign User Profile – 3. Map Employee-X user group to memberOf

Select the Employee-X user group and move it to the selected local user groups list

Click Save

227

Page 228

Lab: Use AD to Assign User Profile – 4. Update delta configuration of your HiveAP

228

From Monitor > HiveAPs, select your HiveAP: X-A-HiveAP

Select Update... > Upload and Activate Configuration

If you want to see the delta configuration, click the link for your HiveAP

– Close the View Configuration window after viewing the delta configuration changes

Click Upload

Click the HiveAP link to view the delta configuration

Page 229

Lab: Use AD to Assign User Profile – 5. Disconnect and Reconnect to the Class-802.1X-Xc SSID

To test the mapping of the memberOf attribute to your user profile:

Disconnect from the Class-802.1X-Xc SSID

Connect to the Class-802.1X-Xc SSID

229

Page 230

Lab: Use AD to Assign User Profile – 6. Verify your active client settings

230

From Monitor > Clients > Active Clients

– Your client should now be assigned to:
• IP Address: 10.5.10.#
• User Profile Attribute: 10
• VLAN: 10

Page 231

If you have problems… Troubleshooting

An extremely useful tool for this configuration is an LDAP browser, so you can confirm you are getting the right information from the Active Directory server: http://download.softerra.com/files/ldapbrowser26.msi

– It will show you what memberOf attribute is being returned for each user

Confirm the Local Group Name matches the Active Directory Group name exactly

– Useful HiveAP CLI commands:
show run | include aaa
debug radius comm
debug radius excessive
debug radius verbose
debug console
no debug console
no debug radius

231

Page 232

Secure and Fast Roaming

232

Page 233

Layer 2 Roaming

233

[Diagram: a client roams between neighboring HiveAPs that share a RADIUS Server]

– The user associates and authenticates, and keys are distributed
– The AP predictively pushes keys and session state to its one-hop neighbors
– As the client roams and associates with another AP, the traffic continues uninterrupted

Page 234

Layer 3 Roaming

234

[Diagram: Subnet A and Subnet B joined by a Router, with a GRE Tunnel between the HiveAPs on each side]

Like Layer 2 roaming, the Layer 3 roam predictively pushes keys to one-hop neighbors.

In order to maintain IP connectivity, a tunnel is created to the home subnet.

The tunnel continues to follow the roaming user until the sessions end; then the tunnel is terminated and the user accesses the local network

Page 235

Layer 3 Roaming Details

235

Page 236

Layer 3 Roaming – Detailed Explanation

236

[Diagram: Floor 1, subnet 10.5.1.0/24, with HiveAPs 10.5.1.11/24, 10.5.1.12/24 and 10.5.1.13/24; Floor 2, labelled subnet 10.5.10.0/24, with HiveAPs 10.6.1.7/24, 10.6.1.8/24 and 10.6.1.9/24; all in hive Corp-Hive]

Beacon IE (Encrypted): Hive: Corp-Hive; L3 roaming enabled; Mgt0 IP: 10.5.1.13/24

Beacon IE (Encrypted): Hive: Corp-Hive; L3 roaming enabled; Mgt0 IP: 10.6.1.7/24

HiveAPs can then communicate over the LAN using UDP Port 3000

HiveAP Layer 3 roaming information is advertised in beacons and can be heard by HiveAPs in the same Hive.

HiveAPs scan channels to locate layer 3 roaming neighbors and communicate with each other over the Ethernet network.

Page 237

Layer 3 Roaming – Detailed Explanation

237

[Diagram: the same two-floor topology (Floor 1 10.5.1.0/24 with HiveAPs 10.5.1.11-13; Floor 2 10.6.1.0/24 with HiveAPs 10.6.1.7-9; hive Corp-Hive)]

Send: DA for subnet 10.5.1.0/24 is 10.5.1.11

Receive: DA for subnet 10.5.1.0/24 is 10.5.1.11

A neighboring AP sends the HiveAP DA information to neighboring subnets

Page 238

Layer 3 Roaming – Detailed Communication

238

[Diagram: the same two-floor topology]

Query DA: Least loaded AP for subnet 10.5.1.0/24

DA Send: Best tunnel endpoint for subnet 10.5.1.0/24 is 10.5.1.12

Received from DA: Best tunnel endpoint for subnet 10.5.1.0/24 is 10.5.1.12

Preparation for roaming by contacting the DA for APs as the potential tunnel end points

HiveAPs preselect the best APs in each subnet to be tunnel endpoints

The tunnel is built only when a client eventually roams

Page 239

Layer 3 Roaming – Detailed Communication

As clients arrive on the new subnet, the HiveAP will use an existing tunnel for the client, or if that tunnel is heavily loaded, it can create a tunnel to another portal in the DNXP table.

239

[Diagram: the same two-floor topology; router interfaces eth0.1 10.5.1.1 / eth0.2 10.5.10.1 on Floor 1 and eth0.1 10.6.1.1 / eth0.2 10.6.10.1 on Floor 2. Client u1 (10.5.10.33/24) performs a Layer 2 roam between Floor 1 HiveAPs and then a Layer 3 roam to Floor 2; session state and PMK are pushed to the neighbors, a client roaming cache update names DNXP L3 endpoint 10.5.1.12, a DNXP GRE tunnel is built to it, and the client's IP address is maintained]
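An added model of the DNXP endpoint selection and tunnel reuse described on slides 238 and 239. It is illustrative code written for this page, not HiveOS: the AP table and its load figures, the per-tunnel client limit and the roaming-cache lookup are constructed, and because the deck does not say how a HiveAP measures tunnel load, "clients per tunnel" stands in for it.

```python
import ipaddress

# Constructed topology after the deck's diagram: Floor 1 is 10.5.1.0/24, Floor 2 is 10.6.1.0/24.
# Load figures are invented; the deck only says the DA answers with the least loaded AP.
AP_LOAD = {"10.5.1.11": 3, "10.5.1.12": 1, "10.5.1.13": 2,
           "10.6.1.7": 0, "10.6.1.8": 4, "10.6.1.9": 2}


def best_endpoint(subnet, ap_load, exclude=()):
    """What the DA answers to 'least loaded AP for subnet': lowest load, ties broken by address."""
    net = ipaddress.ip_network(subnet)
    candidates = [(load, ip) for ip, load in ap_load.items()
                  if ipaddress.ip_address(ip) in net and ip not in exclude]
    return min(candidates)[1] if candidates else None


class RoamingAp:
    """A HiveAP that tunnels roamed-in clients back to an endpoint in their home subnet."""

    def __init__(self, local_subnet, remote_subnets, ap_load, max_clients_per_tunnel):
        self.local_subnet = ipaddress.ip_network(local_subnet)
        self.ap_load = ap_load
        self.max_clients = max_clients_per_tunnel      # stand-in for "tunnel heavily loaded"
        # Preparation (slide 238): ask the DA for the best endpoint in every other subnet
        # now, but build nothing yet; the tunnel is built only when a client roams.
        self.preselected = {ipaddress.ip_network(s): best_endpoint(s, ap_load) for s in remote_subnets}
        self.tunnels = {}                              # endpoint IP -> set of client MACs

    def client_roamed_in(self, mac, home_subnet):
        """Return the tunnel endpoint serving the client, or None if it is on its home subnet."""
        home = ipaddress.ip_network(home_subnet)       # from the client roaming cache
        if home == self.local_subnet:
            return None                                # Layer 2 roam: no tunnel needed
        # 1. Reuse an existing tunnel to the home subnet if it still has capacity.
        existing = [ep for ep in self.tunnels if ipaddress.ip_address(ep) in home]
        for ep in existing:
            if len(self.tunnels[ep]) < self.max_clients:
                self.tunnels[ep].add(mac)
                return ep
        # 2. Otherwise use the preselected endpoint, or another portal from the DNXP
        #    table when the preselected one already carries a loaded tunnel.
        ep = self.preselected.get(home) or best_endpoint(str(home), self.ap_load)
        if ep in existing:
            ep = best_endpoint(str(home), self.ap_load, exclude=existing) or ep
        if ep is None:
            raise ValueError("no tunnel endpoint known for %s" % home)
        self.tunnels.setdefault(ep, set()).add(mac)
        return ep


if __name__ == "__main__":
    ap = RoamingAp("10.6.1.0/24", ["10.5.1.0/24"], AP_LOAD, max_clients_per_tunnel=2)
    for mac in ("u1", "u2", "u3"):
        print(mac, "->", ap.client_roamed_in(mac, "10.5.1.0/24"))
```

With a limit of two clients per tunnel, the first two roamed-in clients share the preselected endpoint 10.5.1.12 and the third causes a second tunnel to the next least loaded AP, 10.5.1.13, which is the "another portal in the DNXP table" case on slide 239.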

Page 240

Layer 3 Roaming – Detailed Communication

240

[Diagram: the same two-floor topology and router interfaces; after the Layer 3 roam, client u1 (10.5.10.33/24) is served by a Floor 2 HiveAP through the DNXP GRE tunnel to DNXP L3 endpoint 10.5.1.12, and the session state and PMK, together with the endpoint 10.5.1.12, have been pushed to the Floor 2 neighbors]

Page 241

Layer 3 Roaming – Local Subnet Connection

Based on the number of packets per minute sent to and received by the client, the HiveAP can be configured to disable the tunnels and de-auth the client so that it will reconnect and obtain an IP address from the local network.

241

[Diagram: the same two-floor topology; client u1 is de-authed, the DNXP GRE tunnel is torn down, and the client's address changes from 10.5.10.33/24 to 10.6.10.95/24 on the local subnet]

Page 242

Configuring Dynamic Tunneling for Layer 3 Roaming

242

Page 243

Lab: Enable Layer 3 Roaming – 1. In your user profile, create a tunnel policy

Layer 3 roaming is enabled per user profile by configuring a tunnel policy

Edit your employee User Profile by going to Configuration > Guided Configuration > User Profiles

Edit Employee(10)-X

Under Optional Settings, expand GRE or VPN Tunnels

Next to GRE tunnel for roaming or station isolation, click +

Note: Tunnel policies are mutually exclusive. There is no need to enable more than one type of tunnel policy, so a radio button is used to select the type.

243

Page 244

Lab: Enable Layer 3 Roaming – 2. Configure Layer 3 Roaming Policy

Enable the ability to dynamically build tunnels for layer 3 roaming

Name: L3-Roaming-X

Under Tunnel Settings, select Enable Dynamic tunneling for Layer 3 Roaming

Unroaming Threshold: 60 seconds

Number of packets per minute: 2000

Click Save

Note: The number of packets per minute to select varies based on the number of devices, types of devices, and applications running on your network. In my local network, for example, my idle PC sends and receives about 500 packets per minute. Running a voice call from a soft client, my PC sends and receives about 4000 packets per minute. So I have chosen to unroam if my PC does not receive 2000 packets per minute in a one-minute time frame, which means my tunnel should remain during a voice call or file transfer.

244
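An added model of the unroaming decision configured in this step and described on slide 241; it is example code for this page, not HiveOS, and the sampling interval, the "any busy interval restarts the countdown" rule and the traffic figures (taken from the instructor's note above) are assumptions. It shows why 2000 packets per minute with a 60-second threshold keeps the tunnel up through a voice call but tears it down for an idle PC.

```python
def packets_per_interval(packets_per_minute, interval_s):
    """Packet count seen in one sample interval at a steady per-minute rate."""
    return round(packets_per_minute * interval_s / 60)


def unroam_after(samples, interval_s, threshold_ppm=2000, unroaming_threshold_s=60):
    """Return the elapsed seconds at which the client is unroamed, or None if it never is.

    samples: packet counts (sent + received) per interval for one tunneled client.
    The tunnel is torn down and the client de-authed once the per-minute rate has
    stayed below threshold_ppm for unroaming_threshold_s seconds in a row.  A busy
    interval restarts the countdown (an assumption of this model).
    """
    below_for_s = 0
    elapsed_s = 0
    for count in samples:
        elapsed_s += interval_s
        rate_ppm = count * 60 / interval_s
        if rate_ppm < threshold_ppm:
            below_for_s += interval_s
            if below_for_s >= unroaming_threshold_s:
                return elapsed_s
        else:
            below_for_s = 0
    return None


# Constructed traffic profiles after the instructor's note: ~500 ppm idle, ~4000 ppm on a voice call.
def idle_pc(minutes, interval_s=10):
    return [packets_per_interval(500, interval_s)] * (minutes * 60 // interval_s)


def voice_call(minutes, interval_s=10):
    return [packets_per_interval(4000, interval_s)] * (minutes * 60 // interval_s)


if __name__ == "__main__":
    print("idle PC unroams after", unroam_after(idle_pc(2), 10), "s")
    print("voice call unroams after", unroam_after(voice_call(2), 10))
    # A 30-second pause in the call is shorter than the threshold, so the tunnel survives it.
    print("call with short pause:", unroam_after(voice_call(1) + idle_pc(1)[:3] + voice_call(1), 10))
```

Lower the packet threshold, or raise the unroaming threshold, if a chatty but latency-tolerant application is being cut over unnecessarily; raise the packet threshold if idle clients hold tunnels open for too long.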

Page 245

Lab: Enable Layer 3 Roaming – 3. Configure VLANs for User Profile

Ensure the Tunnel Policy is set to: L3-Roaming-X

Note: Because the user profile is applied to HiveAPs in different locations, such as the trusted network and the DMZ, you can use HiveAP classification to define one policy to set the user VLANs in each location

Next to Default VLAN, click +

245

Page 246

Lab: Enable Layer 3 Roaming – 4. Configure the User VLANs

VLAN Name: 0X-Employee-VLANs
– VLAN ID: 1
– Type: Global
– Click Apply (Do not save)

Click New
– VLAN ID: 10
– Type: Classifier
– Value:
• Uncheck Tag 1: <empty>
• Uncheck Tag 2: <empty>
• Check Tag 3: Trusted
– Click Apply, then Save

Note: Users that connect to HiveAPs in the trusted network will be assigned to VLAN 10, and in the DMZ or any other network, they will be assigned to VLAN 1

246

Page 247

Lab: Enable Layer 3 Roaming – 5. Configure VLANs for User Profile

Ensure the Default VLAN is set to: L3-Roaming-X

Click Save

247

Page 248

Lab: Enable Layer 3 Roaming – 6. Update delta configuration of your HiveAP

248

From Monitor > HiveAPs, select both of your HiveAPs: X-A-HiveAP and X-B-HiveAP

Select Update... > Upload and Activate Configuration

If you want to see the delta configuration, click the link for your HiveAP

– Close the View Configuration window after viewing the delta configuration changes

Click Upload

Click the HiveAP link to view the delta configuration

Page 249

Testing Layer 3 Roaming – In Hosted Data Center

Unfortunately we cannot test layer 3 roaming in the hosted data center because:

– The HiveAPs are hard-wired via coax to their clients
– The power level of the HiveAPs has been set to 1 dBm so the clients can connect to their SSIDs. If we do not set the power to 1 dBm, the power is too high for the clients that are connected via coax
• Because the power is low, and the rest of the RF connections are terminated, testing in the remote lab is not possible

If the instructor has time and the equipment, they can demonstrate layer 3 roaming locally in class

249

Page 250

Layer 3 Roaming – Verification Notes

250

Page 251

Notes: Layer 3 Roaming – View Roaming Neighbors

From Monitor > Access Points > HiveAPs

If you select the check box next to your HiveAP, then select Tools > Diagnostics > Show DNXP Neighbors

– You can view the HiveAP's Layer 2 and Layer 3 roaming neighbors
• View the State column

251

The State column shows whether a HiveAP is a layer 2 or layer 3 neighbor

Page 252

Layer 3 Roaming – Testing in Hosted Lab

If you select the check box next to your HiveAP, then select Tools > Diagnostics > Show DNXP Cache

– If a client is connected to the HiveAP, you can view the information that is being sent to the neighboring HiveAPs

– The Tunnel-end is the HiveAP that will be the tunnel end point for DNXP after the client roams across subnet boundaries

252

1. Shows the MAC address of the client and their tunnel end point after roaming

2. This AP will be the tunnel end point for the 10.5.2.0/24 subnet until its tunnel load is too high

Page 253

Note: Layer 3 Roaming/Unroaming – Ensure Valid VLANs for MGT0

In this case the Employee VLAN is 1, but the HiveAP MGT0 interface VLAN differs depending on whether the HiveAP is in the Trusted network or the DMZ, using HiveAP classification

253

[Diagram: two HiveAPs in hive Hive-Class-X (VLANs 1-20), one in the Trusted Network at 10.5.2.X and one in the DMZ Network at 10.6.1.X, both using WLAN Policy Internal-Policy-X and joined by a dynamic GRE tunnel from 10.5.2.X to 10.6.1.X; the user performs an L3 roam in VLAN 1]

  Setting             Trusted Network HiveAP     DMZ Network HiveAP
  Hive                Hive-Class-X               Hive-Class-X
  Interface mgt0      10.5.2.X/24 VLAN 2         10.6.1.X/24 VLAN 1
  SSID                Class-PSK-X                Class-PSK-X
  User Profile        Employees(10)-X            Employees(10)-X
  Attribute           10                         10
  Local VLAN          1                          1
  Mobility            L3-Roaming-X               L3 Roaming-X
  Classifier Tag 3    Trusted                    DMZ

DHCP for Internal VLAN 10: {10.5.10.50-10.5.10.200}

DHCP for DMZ VLAN 1: {10.6.1.50-10.6.1.200}

Page 254

Note: Layer 3 Roaming/Unroaming – Ensure Valid VLANs for Users

Note: In order for unroaming to work, the VLAN for the user profile must be valid in all networks. To do this, you can configure HiveAP classification for the employee VLAN and set the VLAN in this example to 10 if it is in the trusted network, and 1 if it is in the DMZ.

254

[Diagram: the same two HiveAPs in hive Hive-Class-X (VLANs 1-20), Trusted Network at 10.5.2.X and DMZ Network at 10.6.1.X, both using WLAN Policy Internal-Policy-X and joined by a dynamic GRE tunnel from 10.5.2.X to 10.6.1.X; the user performs an L3 roam in VLAN 1]

  Setting             Trusted Network HiveAP     DMZ Network HiveAP
  Hive                Hive-Class-X               Hive-Class-X
  Interface mgt0      10.5.2.X/24 VLAN 2         10.6.1.X/24 VLAN 1
  SSID                Class-PSK-X                Class-PSK-X
  User Profile        Employees(10)-X            Employees(10)-X
  Attribute           10                         10
  Local VLAN          X-Employee-VLANs (10)      X-Employee-VLANs (1)
  Mobility            L3-Roaming-X               L3 Roaming-X
  Classifier Tag 3    Trusted                    DMZ

DHCP for Internal VLAN 10: {10.5.10.50-10.5.10.200}

DHCP for DMZ VLAN 1: {10.6.1.50-10.6.1.200}
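An added model of how a classified VLAN object resolves to a VLAN ID for a given HiveAP, covering the user VLAN object from the Layer 3 roaming lab (0X-Employee-VLANs: global 1, VLAN 10 when Tag 3 is Trusted), the check this slide describes (the user profile's VLAN must be valid everywhere the user can roam), and the MGT0 VLAN object used later for the DMZ HiveAP (VLAN 100 when Tag 3 is DMZ). This is example code for this page, not HiveManager's own logic; the global entry of the MGT0 object and the "most specific classifier wins" rule are assumptions.

```python
# Constructed VLAN objects after the labs. Each entry is either the Global default or a
# Classifier entry whose checked tags must all match the HiveAP's classification tags.
VLAN_OBJECTS = {
    "0X-Employee-VLANs": [
        {"type": "Global", "vlan": 1},
        {"type": "Classifier", "vlan": 10, "tags": {3: "Trusted"}},
    ],
    "X-MGT0-VLANs": [
        {"type": "Global", "vlan": 1},       # assumed default; the lab only adds the DMZ entry
        {"type": "Classifier", "vlan": 100, "tags": {3: "DMZ"}},
    ],
}


def resolve_vlan(entries, ap_tags):
    """Return the VLAN ID a HiveAP with the given tags receives from one VLAN object.

    ap_tags maps tag number (1, 2, 3) to the value set on the HiveAP; unset tags are
    simply absent.  A classifier entry matches when every tag it checks equals the
    HiveAP's tag (unchecked tags are wildcards).  When several entries match, the one
    checking the most tags wins (an assumption of this example); with no match the
    Global entry applies.
    """
    best = None
    default = None
    for entry in entries:
        if entry["type"] == "Global":
            default = entry["vlan"]
            continue
        if all(ap_tags.get(num) == value for num, value in entry["tags"].items()):
            if best is None or len(entry["tags"]) > len(best["tags"]):
                best = entry
    return best["vlan"] if best is not None else default


def vlans_for_ap(ap_tags, objects=VLAN_OBJECTS):
    """Every VLAN object resolved for one HiveAP, e.g. to preview a delta configuration."""
    return {name: resolve_vlan(entries, ap_tags) for name, entries in objects.items()}


def unroaming_vlan_valid(user_vlan_object, ap_tags_by_site, valid_vlans_by_site):
    """Slide 254's rule: the user profile's VLAN must exist at every site the user can unroam to."""
    return all(resolve_vlan(user_vlan_object, tags) in valid_vlans_by_site[site]
               for site, tags in ap_tags_by_site.items())


if __name__ == "__main__":
    print("trusted HiveAP:", vlans_for_ap({3: "Trusted"}))
    print("DMZ HiveAP:    ", vlans_for_ap({3: "DMZ"}))
```

A static VLAN object (only a Global entry of 10) fails the unroaming check as soon as one site lacks VLAN 10, which is exactly the situation the classified 0X-Employee-VLANs object is built to avoid.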

Page 255

Services provided by HiveAPs

Identity-Based Tunnels – With Captive Web Portal and DHCP Server

255

Page 256

Identity-Based Tunnels LAB – Using Tag On DMZ VLAN

256

[Diagram: a Guest Client on the Internal Network connects to SSID Class-Guest-X on HiveAP X-A (Tunnel Source); its traffic is carried in a GRE Tunnel from 10.5.1.N to 10.7.1.X to HiveAP X-B in the DMZ Network (Tunnel Destination), which hands out DHCP addresses and provides the path to the Internet. Upstream router addresses shown: 10.7.1.1 and 10.5.2.1]

HiveAP X-A-000000 (Internal Network, tunnel source):
  Interface mgt0: 10.5.1.N/24 VLAN 1
  WLAN Policy: WLAN-X

HiveAP X-B-000000 (DMZ Network, tunnel destination):
  Interface mgt0: 10.7.1.X/24 VLAN 1
  WLAN Policy: WLAN-X
  Tag1: DMZ-X

WLAN Policy: WLAN-X
  Hive: Hive-Class-X
  Tunnel Policy: Tunnel-X
  Tunnel Settings: Enable static identity-based-tunnel
  Tunnel Destination: IP Range Start: 10.7.1.X End: 10.7.1.X
  Tunnel Source: 10.5.1.0/24 and 10.5.2.0/24
  Tunnel Password: aerohive123
  MGT0 VLAN: 2
  Native VLAN: 1

SSID: Class-Guest-X
  Captive Web Portal: CWP-Tunnel-X
  Registration Type: Use-Policy-Accept
  User Profile: Role-Tunnel(1X)
  Attribute: 1X
  VLAN: 1X
  Tunnel Policy: Tunnel-X

Guest Client: connects to SSID Class-Guest-X; IP: 10.7.1X.N/24; Gateway: 10.7.1X.1

DHCP Settings for VLAN 1X (X is 2 digits): network 10.7.1X.0/24, ip range 10.7.1X.100 to 10.7.1X.199

Page 257

Lab: HiveAP Prep for Layer 3 Tests – 1. Assign HiveAP-B to New Static IP Address

From Monitor > HiveAPs
– Select the check box next to your HiveAP-B: X-B-###### and click Modify

Expand Interface and Network Settings

Uncheck DHCP Client Enabled
IP Address: 10.7.1.X
Netmask: 255.255.255.0
Gateway: 10.7.1.1

Note: Your MGT0 VLAN will be set to VLAN 100 using HiveAP classification for this new subnet to work.

Please do not save. Continue to the next slide

257

Page 258

Lab: HiveAP Prep for Layer 3 Tests – 2. Verify HiveAP Classification Tag is DMZ

Expand Advanced Settings > HiveAP Classification

Verify Tag 3 is set to: DMZ

*This was set in the HiveAP Classification Lab

Click Save

258

Page 259

Lab: HiveAP Prep for Layer 3 Tests – 3. In WLAN Policy, Modify MGT0 VLAN

The VLAN for the MGT0 interface on a HiveAP is assigned via the WLAN policy

Go to Configuration > Guided Configuration > WLAN Policies

Edit WLAN-X

Next to MGT interface VLAN, click (To Modify)

Go to the next slide

259

Page 260

Lab: HiveAP Prep for Layer 3 Tests – 4. Add DMZ to VLAN 100

Add another VLAN entry

Click New
– VLAN ID: 100
– Type: Classifier
– Uncheck Tag 1
– Uncheck Tag 2
– Check Tag 3: DMZ
– Click Apply

After clicking Apply, save your VLAN object

260

Page 261

Lab: HiveAP Prep for Layer 3 Tests – 5. Verify X-MGT0-VLANs is set to MGT0 Interface

In your WLAN Policy, verify the MGT0 Interface VLAN is set to: X-MGT0-VLANs

The Native (untagged) VLAN should still be set to: 1

Save your WLAN Policy

261

Page 262

Lab: HiveAP Prep for Layer 3 Tests – 6. Update Delta Configuration

262

From Monitor > HiveAPs, select your HiveAP-B: X-B-HiveAP

Select Update... > Upload and Activate Configuration

If you want to see the delta configuration, click the link for your HiveAP

– Close the View Configuration window after viewing the delta configuration changes

Click Upload

Click the HiveAP link to view the delta configuration

Page 263

Lab: HiveAP Prep for Layer 3 Tests 7. View Update Results

After a successful update, you can move your mouse over the Description to see what was updated

263

Page 264

Lab: HiveAP Prep for Layer 3 Tests – 8. View the New IP Address for your HiveAP

From Monitor > HiveAPs
– Verify that the new IP address for your HiveAP-B is: 10.7.1.X/24

It may take a moment for the changes to be reflected

264

New IP Address in VLAN 100 (10.7.1.0/24)

Page 265

Identity-Based Tunnels – With Captive Web Portal Configuration

265

Page 266

Identity-Based Tunnels

If VLAN segmentation is not possible due to the network architecture at the access layer, guests can be tunneled, using the identity-based tunnel functionality, directly to one or more HiveAPs within a firewalled DMZ area, such as a lobby

The client in the internal network is assigned a VLAN and an IP address from the tunnel destination

All client traffic is then tunneled to the HiveAPs in the DMZ

266

Page 267

Identity-Based Tunnels LAB – Using Tag On DMZ VLAN

267

[Diagram: a Guest Client on the Internal Network connects to SSID Class-Guest-X on HiveAP X-A (Tunnel Source); its traffic is carried in a GRE Tunnel from 10.5.1.N to 10.7.1.X to HiveAP X-B in the DMZ Network (Tunnel Destination), which hands out DHCP addresses and provides the path to the Internet. Upstream router addresses shown: 10.7.1.1 and 10.5.2.1]

HiveAP X-A-000000 (Internal Network, tunnel source):
  Interface mgt0: 10.5.2.N/24 VLAN 1
  WLAN Policy: WLAN-X

HiveAP X-B-000000 (DMZ Network, tunnel destination):
  Interface mgt0: 10.7.1.X/24 VLAN 1
  WLAN Policy: WLAN-X
  Tag1: DMZ-X

WLAN Policy: WLAN-X
  Hive: Hive-Class-X
  Tunnel Policy: GRE-Tunnel-X
  Tunnel Settings: Enable static identity-based-tunnel
  Tunnel Destination: IP Range Start: 10.7.1.X End: 10.7.1.X
  Tunnel Source: 10.5.1.0/24 and 10.5.2.0/24
  Tunnel Password: <random generated>
  MGT0 VLAN: 2
  Native VLAN: 1

SSID: Class-Guest-X
  Captive Web Portal: CWP-Tunnel-X
  Registration Type: Use-Policy-Accept
  User Profile: Role-Tunnel(1XX)
  Attribute: 1XX
  VLAN: 1XX
  Tunnel Policy: GRE-Tunnel-X

Guest Client: connects to SSID Class-Guest-X; IP: 10.7.1X.N/24; Gateway: 10.7.1X.1

DHCP Settings for VLAN 1XX (01, 02, .., 13): network 10.7.1XX.0/24, ip range 10.7.1XX.100 to 10.7.1XX.199

Page 268

LAB: Guest Access with CWP and Tunnels – 1. Edit your WLAN Policy and Add SSID Profile

To add an SSID to be used by guests:

Go to Configuration > WLAN Policies

Edit WLAN-X

Under SSID Profiles, click Add/Remove SSID Profile

Create a new SSID Profile
– Click +

Go to the next slide

268

Page 269

LAB: Guest Access with CWP and Tunnels – 2. Create a New Guest SSID

Profile Name: Class-Guest-X

SSID: Class-Guest-X

SSID Access Security: WPA/WPA2-PSK (Personal)

Note: You can use any access security method in real life. It is common to use Private PSK for secure guest access or Open for non-secure guest access

Key Value and Confirm Value: aerohive123

Check Enable Captive Web Portal

Click + to create a new captive web portal

Go to the next slide

269

Page 270

LAB: Guest Access with CWP and Tunnels – 3. Configure Captive Web Portal

Name: CWP-Guest-X

Registration Type: Use Policy Acceptance

Click Customize Login Page to see the use policy
– You can edit text in the use policy field, or replace it with your own using copy and paste
– You can click Preview to view the customized web page
– Click Save to save your customized Login Page settings

Please do not save the captive web portal at this time. Go to the next slide…

270

Page 271

LAB: Guest Access with CWP and Tunnels – 4. Configure Captive Web Portal

Expand the Captive Web Portal Success Page section

Click Customize Success Page

Select the option to Redirect to the initially requested page…

Note: This will bring up the web page the client initially requested after they agree to the acceptable use policy

Click Save to save your captive web portal settings

Go to the next slide

271

Page 272

LAB: Guest Access with CWP and Tunnels – 5. Assign CWP and Configure SSID

Back in your Guest SSID Config, ensure Captive Web Portal is set to: CWP-Guest-X

Note: you can use Open, but that is much less secure

User Profiles for Traffic Management – Under the heading “User profile assigned to users that associate with this SSID”:
– Click + to create a new user profile
– Click More Settings…

Go to the next slide

272

Page 273

LAB: Guest Access with CWP and Tunnels – 6. Create a user profile to tunnel traffic

Define a user profile to tunnel traffic. Note: XX = 2 digits (02, 03, .., 12, 13)

Name: Role-Tunnel(1XX)
Attribute Number: 1XX
Default VLAN: 1XX

Note: This VLAN is encapsulated inside the GRE tunnel and sent to the tunnel destination, where the VLAN must exist.

Note: The name, attribute number and default VLAN do not have to match.

Under Optional Settings, expand the GRE or VPN Tunnels section

Select GRE tunnel for roaming or station isolation

Click + to create a GRE tunnel policy

273

Page 274

LAB: Guest Access with CWP and Tunnels – 7. Configure tunnel settings

Configure the tunnel information for both sides of the tunnel in this policy

Name: GRE-Tunnel-X

Select Enable Static Identity-Based Tunnels

Tunnel Destination – Select IP Address: 10.7.1.X

Note: You can specify a range of consecutive HiveAPs if you have multiple HiveAPs at the tunnel destination for redundancy and load sharing.

Available IP Addresses
– Select 10.5.2.0/24 and 10.5.1.0/24 and click the > button

Tunnel Authentication
– Click Generate

Click Save

274

Page 275

LAB: Guest Access with CWP and Tunnels – 8. Create a user profile to tunnel traffic

Select the tunnel policy. Tunnel policies: GRE-Tunnel-X

Note: If you do configure firewall policies, be aware that your firewall policies are applied before your traffic is tunneled to the destination HiveAP. Also note that the IP address of your client will be from the remote network at the tunnel destination.

Click Save

275

Page 276

LAB: Guest Access with CWP and Tunnels 9. Assign user profile to SSID

Assign the user profile with the tunnel settings to this SSID

User Profile assigned to users that associate with this SSID: Role-Tunnel(1XX)

Make sure everything looks right… Click Save

Note: When a client associates with this SSID and completes the registration process, its traffic is tunneled to the destination HiveAP specified by the tunnel policy in the user profile. If a client associates with this SSID on the tunnel endpoint itself, the traffic is forwarded without tunneling.
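What the tunnel actually carries, as an added example written for this edit (it is not HiveOS code): the guest's 802.1Q-tagged Ethernet frame is wrapped in a GRE header and an outer IPv4 header addressed from the tunnel source to the tunnel destination, and the endpoint strips both and reads the VLAN ID out of the tag, which is why the note on step 6 says the VLAN must exist at the destination. The example assumes the Ethernet-over-GRE encapsulation (GRE protocol type 0x6558); the page does not state HiveOS's exact wire format, and the tunnel password generated in step 7 is not modelled. The MAC addresses, IP addresses and payload are constructed.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_8021Q = 0x8100   # IEEE 802.1Q VLAN tag
ETHERTYPE_IPV4 = 0x0800
GRE_PROTO_TEB = 0x6558     # GRE "transparent Ethernet bridging": whole frames inside GRE
IPPROTO_GRE = 47


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tagged_frame(dst_mac: bytes, src_mac: bytes, vlan_id: int,
                       ethertype: int, payload: bytes) -> bytes:
    """Ethernet frame with an 802.1Q tag (PCP 0, DEI 0) carrying vlan_id."""
    tci = vlan_id & 0x0FFF
    return dst_mac + src_mac + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload


def gre_encapsulate(src_ip: str, dst_ip: str, inner_frame: bytes) -> bytes:
    """Wrap a whole Ethernet frame in GRE (RFC 2784) over IPv4."""
    gre = struct.pack("!HH", 0, GRE_PROTO_TEB)          # no checksum, key or sequence bits
    total_len = 20 + len(gre) + len(inner_frame)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64,
                      IPPROTO_GRE, 0, IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + gre + inner_frame


def gre_decapsulate(packet: bytes) -> dict:
    """Parse outer IPv4 + GRE, then pull the VLAN ID and payload out of the inner frame."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("not a GRE packet")
    off = ihl
    flags, ptype = struct.unpack("!HH", packet[off:off + 4])
    off += 4
    if flags & 0x8000:   # checksum present (plus reserved1)
        off += 4
    if flags & 0x2000:   # key present (RFC 2890): an identifier, not authentication
        off += 4
    if flags & 0x1000:   # sequence number present
        off += 4
    if ptype != GRE_PROTO_TEB:
        raise ValueError("unexpected GRE protocol type 0x%04x" % ptype)
    frame = packet[off:]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan_id, l2_len = None, 14
    if ethertype == ETHERTYPE_8021Q:
        vlan_id = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        l2_len = 18
    return {
        "outer_src": str(IPv4Address(packet[12:16])),
        "outer_dst": str(IPv4Address(packet[16:20])),
        "vlan": vlan_id,
        "ethertype": ethertype,
        "payload": frame[l2_len:],
    }


# Constructed sample: a guest on VLAN 102 behind HiveAP A (mgt0 10.5.2.5) whose
# traffic is tunneled to the endpoint HiveAP B at 10.7.1.2. MACs, addresses and
# payload are made up for the example.
GUEST_MAC = bytes.fromhex("02aabbccdd01")
GATEWAY_MAC = bytes.fromhex("02aabbccdd02")
GUEST_PAYLOAD = b"GET /login HTTP/1.1\r\nHost: intranet.example\r\n\r\n"


def demo() -> dict:
    inner = build_tagged_frame(GATEWAY_MAC, GUEST_MAC, 102, ETHERTYPE_IPV4, GUEST_PAYLOAD)
    packet = gre_encapsulate("10.5.2.5", "10.7.1.2", inner)
    parsed = gre_decapsulate(packet)
    # Plain GRE adds no encryption: the guest's bytes are readable on the wire.
    parsed["payload_visible_on_wire"] = GUEST_PAYLOAD in packet
    return parsed
```

The last field of demo() is the security point: plain GRE provides neither confidentiality nor integrity, so the guest's traffic crosses the internal network readable by anything on the path between the two HiveAPs. That is acceptable when that path is trusted; where it is not, the VPN option in the same GRE or VPN Tunnels section is the one to choose.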


LAB: Guest Access with CWP and Tunnels 10. Remove Existing SSID and Add New SSID

To clean up the air, remove all other SSID profiles from the Selected SSID Profiles list using the << button

– The list under Selected SSID Profiles is now empty

From the Available SSID Profiles, select Class-Guest-X and use the > button to move it to the Selected SSID Profiles list

Click Apply (really, please click Apply), then save the WLAN policy


HiveAP DHCP Service on Tunnel Endpoint


Identity-Based Tunnels LAB: Using Tag on DMZ VLAN

Lab diagram (recovered from the slide):

HiveAP A (tunnel source, internal network)
– Hostname: X-A-000000
– Interface mgt0: 10.5.2.N/24, VLAN 1
– WLAN Policy: WLAN-X

HiveAP B (tunnel destination, DMZ network)
– Hostname: X-B-000000
– Interface mgt0: 10.7.1.X/24, VLAN 1
– WLAN Policy: WLAN-X
– Tag1: DMZ-X

WLAN Policy: WLAN-X
– Hive: Hive-Class-X
– Tunnel Policy: GRE-Tunnel-X
– Tunnel Settings: Enable static identity-based tunnel
– Tunnel Destination: IP Range Start 10.7.1.X, End 10.7.1.X
– Tunnel Source: 10.5.1.0/24 and 10.5.2.0/24
– Tunnel Password: <randomly generated>
– MGT0 VLAN: 2
– Native VLAN: 1

SSID: Class-Guest-X
– Captive Web Portal: CWP-Tunnel-X
– Registration Type: Use-Policy-Accept
– User Profile: Role-Tunnel(1XX)
– Attribute: 1XX
– VLAN: 1XX
– Tunnel Policy: GRE-Tunnel-X

Guest client
– Connect to SSID: Class-Guest-X
– IP: 10.7.1XX.N/24
– Gateway: 10.7.1XX.1

GRE tunnel: 10.5.1.N to 10.7.1.X, from the internal network to the DMZ network; router interfaces 10.5.2.1 (internal side) and 10.7.1.1 (DMZ side), with the DMZ network leading to the Internet

DHCP settings for VLAN 1XX (01, 02, ..., 13) on the tunnel destination: network 10.7.1XX.0/24, IP range 10.7.1XX.100 to 10.7.1XX.199


LAB: Configure DHCP Service for Guests 1. Create DHCP Server for VLAN 1XX

To create a DHCP server and IP pool for VLAN 1XX

Go to Configuration > Advanced Configuration > Network Objects > DHCP Server & Relay

– Name: DHCP-VLAN-1XX
– Interface: mgt0.X
– IP Address: 10.7.1XX.2
– Netmask: 255.255.255.0
– VLAN ID: 1XX

Please do not save, go to next slide…


LAB: Configure DHCP Service for Guests 2. Configure IP Pool and Options

Configure the IP pool and DHCP options

Under IP Pool
– Start IP Address: 10.7.1XX.100
– End IP Address: 10.7.1XX.199

Click Apply (really, please click Apply!)

Under DHCP Server Options
– Default Gateway: 10.7.1XX.1
  Note: The netmask is automatically inherited from the mgt0.X interface
– DNS Server 1 IP: 10.5.1.10

Click Save


LAB: Configure DHCP Service for Guests 3. Assign DHCP Server to Endpoint HiveAP

Because the clients will be tunneled to the HiveAP at the destination, the DHCP server should be at the destination

From Monitor > HiveAPs, select your HiveAP-B: X-B-HiveAP and click Modify

Expand SSID Allocation
– Clear the check boxes to disable the SSIDs on the 2.4GHz and 5GHz radios. Note: Though not necessary in a real deployment, for this lab this ensures all traffic is tunneled.

Expand Service Settings
– Select your DHCP server object DHCP-VLAN-1XX and move it to the Selected list

Save the settings for this HiveAP

Save the settings for this HiveAP


Update Configuration of HiveAPs to Apply the GRE Tunnel and DHCP Server Configuration


LAB: Guest GRE Tunnel and DHCP Server 1. Update Configuration of HiveAPs

From Monitor > HiveAPs, select both your HiveAPs:
– X-A-HiveAP
– X-B-HiveAP

Select Update... > Upload and Activate Configuration

If you want to see the delta configuration, click the link for your HiveAP
– Close the View Configuration window after viewing the delta configuration changes

Click Upload


LAB: Guest GRE Tunnel and DHCP Server 2. Monitor Update Results

Ensure that your update is successful from Monitor > HiveAPs
– You will see an icon next to your HiveAP letting you know it is now a DHCP server


LAB: Guest GRE Tunnel and DHCP Server

3. Connect to your Class-Guest-X SSID

On your remote hosted PC, connect to the SSID: Class-Guest-X

Passphrase/Network Key: aerohive123


LAB: Guest GRE Tunnel and DHCP Server 4. Agree to Acceptable Use Policy

Open a web browser and browse to a decent web site: http://www.aerohive.com

A captive web portal page will be displayed

Fill out the web registration form

Click Accept to agree to the Acceptable Use Policy


LAB: Guest GRE Tunnel and DHCP Server 5. Verify Access to Internet

Once the login is successful, you can access the network

You should automatically be redirected to the web page you initially requested


LAB: Guest GRE Tunnel and DHCP Server 6. View Active Clients List

After associating with your SSID, you should see your connection in the active clients list in HiveManager

– Go to Monitor > Clients > Active Clients
– Your IP address should be from the 10.7.1XX.0/24 network
– Note the IP address, VLAN and user profile attribute:
  – VLAN: 1XX
  – User Profile Attribute: 1XX


LAB: Guest GRE Tunnel and DHCP Server

7. Verify Tunnel


Private PSK: User-Based Pre-Shared Keys and Policy


Lab: Secure WLAN Access With Private PSK Diagram

Lab diagram (recovered from the slide):

Student-X HiveAP
– VLANs 1-20
– Mgt0 IP: 10.5.2.N/24, VLAN 2
– WLAN Policy: WLAN-X

AD (IAS) Server: 10.5.1.10

DHCP Settings:
– (VLAN 1) network 10.5.1.0/24, pool 10.5.1.140 – 10.5.1.240
– (VLAN 2) network 10.5.2.0/24, pool 10.5.2.140 – 10.5.2.240
– (VLAN 8) network 10.5.8.0/24, pool 10.5.8.140 – 10.5.8.240
– (VLAN 10) network 10.5.10.0/24, pool 10.5.10.140 – 10.5.10.240
– (VLAN 11) network 10.5.11.0/24, pool 10.5.11.140 – 10.5.11.240

Client
– Connect to SSID: Class-PPSK-X
– IP: 10.5.10.N/24
– Gateway: 10.5.10.1

SSID configuration
– SSID: Class-PPSK-X
– SSID Type: Private PSK
– Authentication: WPA or WPA2 Personal
– Encryption: TKIP or AES
– User Group: PPSK-Corp-X
– Attribute: 10
– User Profile: Employee(10)-X
– Local Users: create users in group PPSK-Corp-X; 30 users with PSKs, X-corp0001 to X-corp0030, with automatically created PSKs


SSIDs with WPA or WPA2 Personal Use Pre-Shared Keys (PSKs)

Diagram: SSID Corp-WiFi, Authentication WPA2 Personal, Shared Key aSecretPhrase, User Profile Employee-Profile; User 1, User 2 and User 3 all connect to the AP with the same shared key aSecretPhrase.

All users share the same key
– If a user leaves or if a PC or portable device is lost, for security reasons the shared key should be changed, and every user will have to update the key on their wireless clients

All users share the same network policy
– Because all users share the same SSID with the same key, they also get the same network policies, such as their VLAN, because there is no way to uniquely identify users or types of users


SSID with 802.1X/EAP: Dynamically Created Pairwise Master Keys (PMKs)

Diagram: SSID Corp-WiFi, Authentication WPA2 Enterprise (802.1X); after authenticating through the AP to RADIUS, User 1 holds PMK d6#$%^98f.., User 2 holds PMK 87fe@#$%a.. and User 3 holds PMK 90)356*&f..

With 802.1X, after a user successfully authenticates with RADIUS, a unique key called a PMK is created for each user and AP pair
– If a user leaves the company or loses a device, the user account can be disabled and passwords can be changed to prevent access to corporate resources

New PMKs are created every time the user authenticates

Users can have unique network policies
– Because users are identified by their user name, they can be assigned different network policies based on the user or group


Private Pre-Shared Key (PSK): Allows Creation of Unique PSKs per User

Private PSKs are unique pre-shared keys created for individual users on the same SSID

Client configuration is simple: just enter the SSID and shared key for WPA or WPA2 Personal (PSK)
– No 802.1X supplicant configuration is required
– Works with devices that do not support 802.1X/EAP

You can automatically generate unique keys for users and distribute them via email, or any way you see fit

If a user leaves or a device is lost or stolen, the PSK for that user or device can simply be revoked

Diagram: SSID Corp-WiFi, SSID Type Private PSK, Authentication WPA2 Personal; the HiveAP holds a different private PSK for each user (User 1: d6#$%^98f.., User 2: 87fe@#$%a.., User 3: 90)356*&f..), and each user connects with only their own key.


Private Pre-Shared Key (PSK): Allows Creation of Unique PSKs per User (continued)

You can create network policies for individual users or groups of users, including different VLANs, firewall policies, tunnels, and schedules

Fast roaming occurs without the need for opportunistic key caching

Private PSKs can be automatically generated using User Manager or GuestManager, giving a lobby administrator the ability to generate unique keys for guests for secure guest access

Diagram: as on the previous slide, the HiveAP holds one private PSK per user on SSID Corp-WiFi (User 1: d6#$%^98f.., User 2: 87fe@#$%a.., User 3: 90)356*&f..).
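How an AP can tell which user's private PSK a client used when every client sees the same SSID: the page does not describe HiveOS internals, but the standard WPA2 key hierarchy makes the mechanism clear. The added example below was written for this edit and is not Aerohive code. It derives each user's PMK from their PSK and the SSID (PBKDF2-HMAC-SHA1, 4096 iterations), derives the PTK from the 4-way handshake nonces and MAC addresses, and checks the MIC on the supplicant's message 2 against each candidate KCK until one verifies. The user names, passphrases, MAC addresses and nonces are constructed; the EAPOL-Key layout follows 802.11 key descriptor version 2 (HMAC-SHA1-128 MIC), with other fields zeroed for brevity.

```python
import hashlib
import hmac
import struct

# Constructed PPSK store for the example: user name -> private PSK (not real keys).
# The AP knows every key in advance, so the expensive PMK derivation is done once.
SSID = "Corp-WiFi"
PPSK_USERS = {
    "X-corp0001": "hQkmZvLpTuwe",
    "X-corp0002": "rbNXcfzGqADy",
    "X-corp0003": "WtLaeYsnHjKo",
}


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """802.11 PSK -> PMK: PBKDF2-HMAC-SHA1, 4096 iterations, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """CCMP PTK (384 bits) = KCK(16) || KEK(16) || TK(16), bound to both MACs and nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


# EAPOL(4) + descriptor type(1) + key info(2) + key len(2) + replay(8) + nonce(32)
# + IV(16) + RSC(8) + ID(8) puts the 16-byte MIC at this offset in the frame.
MIC_OFFSET = 81


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """Descriptor version 2 (AES): MIC = HMAC-SHA1 over the frame with the MIC field zeroed."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, kck: bytes, key_data: bytes = b"") -> bytes:
    """The supplicant's 4-way handshake message 2, MIC'd with its own KCK."""
    body = struct.pack("!BHHQ", 2, 0x010A, 0, 1) + snonce + bytes(16) + bytes(8) + bytes(8)
    body += bytes(16) + struct.pack("!H", len(key_data)) + key_data
    frame = struct.pack("!BBH", 2, 3, len(body)) + body
    return frame[:MIC_OFFSET] + eapol_key_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def resolve_ppsk(pmks: dict, aa: bytes, spa: bytes, anonce: bytes, msg2: bytes):
    """Return the user whose PMK yields a KCK that verifies message 2, or None."""
    snonce = msg2[17:49]
    claimed = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for user, pmk in pmks.items():
        kck = derive_ptk(pmk, aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_key_mic(kck, msg2), claimed):
            return user
    return None


def demo(client_passphrase: str):
    """Simulate one client joining with client_passphrase and ask the AP who it is."""
    aa = bytes.fromhex("0019770a0b0c")    # authenticator (HiveAP) MAC, constructed
    spa = bytes.fromhex("0c8bfd112233")   # supplicant MAC, constructed
    anonce = hashlib.sha256(b"anonce-example").digest()   # fixed, not random, for repeatability
    snonce = hashlib.sha256(b"snonce-example").digest()
    pmks = {user: wpa2_pmk(psk, SSID) for user, psk in PPSK_USERS.items()}
    client_kck = derive_ptk(wpa2_pmk(client_passphrase, SSID), aa, spa, anonce, snonce)[:16]
    return resolve_ppsk(pmks, aa, spa, anonce, build_msg2(snonce, client_kck))
```

Resolving a key costs the AP one PTK derivation per candidate, because the PMKs (the PBKDF2 step, which is the slow part) are computed when the users are created; that is why a per-user lookup on every association is cheap. The same loop is available to anyone who captures the handshake, at one PBKDF2 per guessed passphrase: that is the offline attack a short guest PSK relies on its short validity period to survive, and that 802.1X sidesteps because its PMK comes from the EAP exchange rather than from a passphrase.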


Private Pre-Shared Key (PSK) Deployment Recommendations

Private PSK is recommended for augmenting WLAN deployments that authenticate clients with WPA or WPA2 Enterprise (802.1X/EAP), but have some devices that:
– Support WPA or WPA2 Personal, but do not support WPA or WPA2 Enterprise with 802.1X/EAP
– Do not support opportunistic key caching for seamless roaming

Recommended in place of traditional PSKs for environments that do not have a WLAN deployment using WPA or WPA2 Enterprise with 802.1X/EAP

Recommended for secure guest access using User Manager or GuestManager for Private PSK creation
– An online training module for User Manager and Private PSKs can be viewed by going to: www.aerohive.com/training/cbt


Configure Private PSK for Secure Guest Access


Configuration Notes

– Configure Time Service on HiveManager
– Configure Email Service on HiveManager
– Create User Manager Administrator and Operator Accounts
– Create Private PSK Groups and Private PSK Users
– Create Private PSK SSID and Captive Web Portal for Use Policy Acceptance


Lab: Secure Guest Access with Private PSK 1. Create Private PSK Group

Go to Configuration > Advanced Configuration > Authentication > Local User Groups

Click New

– User Group Name: PPSK-guests(100)-0X (0X = 02-15)
– User Type: Automatically generated private PSK users
– User Profile Attribute: 100
– VLAN: <empty>

Note: The VLAN is inherited from the user profile

Do not save, please go to the next slide


Lab: Secure Guest Access with Private PSK 2. Configure User Name and Private PSK Secret

– Private PSK Secret: <enter random characters>
  Note: This secret never needs to be known or seen again; it is used to add more complexity to the automatically generated PSKs.
– User Name Prefix: 0X-guest
  Note: This is the prefix for all the Private PSK users that will be generated. If you create 100 PPSK accounts, the guest accounts will be created as 0X-guest0001 through 0X-guest0100

Expand Private PSK Advanced Options


Lab: Secure Guest Access with Private PSK 3. Configure Password Length, Time Zone and Validity Period

– Password Length: 8

Note: If Private PSKs were being generated for corporate accounts, this should be a much larger password length. For guests, who enter the password on a mobile device from a printout or an email, shorter PSKs are easier to administer. Keep in mind that anyone who captures a client's WPA2 4-way handshake can test candidate passphrases offline, so a short, letters-only key is only reasonable because these guest PSKs expire daily.

– Time Zone: <Local Time Zone>

Note: This should be the time zone where the HiveAPs are located in real life, but for class, use your local class time zone

– PSK Validity Period: Recurring Schedule: click +


Lab: Secure Guest Access with Private PSK 4. Configure PPSK Recurrence Schedule

– Schedule Name: daily-X
– Select Recurrent

Note: By selecting Recurrent, the Private PSKs will be regenerated on a 24 hour basis. Guests will need to obtain a new PSK daily for network access.

– Start Time 1: 00hr 00min
– End Time: 23hr 59min

Note: By specifying a start and end time, the PSKs will only be functional between the start and end times.

Click Save


Lab: Secure Guest Access with Private PSK 5. Configure PSK Character Types and Then Save

Character types used in generated PSKs and manually created passwords:

– Check Letters
– Uncheck Digits
– Uncheck Special Characters

Note: Because these are daily PSKs, you can use upper and lower case letters only to make them easy to type. If you mix in digits, users may have trouble telling letters and digits apart (1, I, l, 0, O, for example). Mixing in special characters is fine, but it may be harder for users to enter them on a mobile device.

Click Save


Lab: Secure Guest Access with Private PSK 6. Bulk Create 20 PPSK Daily User Accounts

Go to Configuration > Advanced Configuration > Authentication > Local Users

Click the Bulk button

– Create User Under Group: PPSK-guests(100)-X
– Number of New Users: 20

Click Create


Lab: Secure Guest Access with Private PSK 7. Filter and View Private PSK Users

Apply a filter to view your Private PSK users

Go to Configuration > Authentication > Local Users

Click Filter

Enter a part of a user name or description to locate the users you created
– 0X-guest
– Click Search

The check box in the column header selects or deselects all entries

Go to next slide


Lab: Secure Guest Access with Private PSK 8. View Clear Text PSKs or Obscure PSKs

You can view the PSKs for each Private PSK user in clear text, or you can choose to keep them obscured (the slide's callouts show where to click to reveal a PSK and to obscure it again)

Here you can also see the validity time of the PSKs

These accounts will be assigned to guests from the User Manager interface


Create a Guest SSID Secured with Private PSK


Lab: Secure Guest Access with Private PSK 9. Modify Your WLAN Policy and Add an SSID

To configure a Private PSK SSID:

Go to Configuration > WLAN Policies

Edit your WLAN policy: WLAN-X

Click Add/Remove SSID Profile

Under the Available SSID Profiles selection box, click +

Go to next slide


Lab: Secure Guest Access with Private PSK 10. Configure SSID to Use Private PSK

– Profile Name: Class-Daily-X
– SSID: Class-Daily-X
– Under SSID Access Security, select Private PSK
– Uncheck Use Default Private PSK Settings

Click Options>>


Lab: Secure Guest Access with Private PSK 11. Configure Private PSK Shared User Limit

In the Advanced Option section, limit the number of devices that can share a private PSK. For example, you may want one guest to use both their PC and their mobile phone or PDA. By default, there is no limit to the number of devices that can share a Private PSK.

– Check Private PSK Shared User Limit: 2

Note: This means that within a hive, a single Private PSK can only be used by two devices.

Click Options<<


Lab: Secure Guest Access with Private PSK 12. Create a Captive Web Portal

Select your Private PSK User Group: PPSK-guests(100)-X and click the right arrow > button

Check Enable Use Policy Acceptance CWP
– Then click +

Note: This captive web portal will be used to ensure that guests agree to an acceptable use policy


Lab: Secure Guest Access with Private PSK 13. Configure a Captive Web Portal

– Name: CWP-Accept-X
– Registration Type: Use Policy Acceptance

Note: In each section, you can click Customize… if you want to modify the default web pages or import your own pages.

Expand Captive Web Portal Success Page Settings
– Select Redirect to an external page: http://www.aerohive.com

Save your Captive Web Portal settings


Lab: Secure Guest Access with Private PSK 14. Create a User Profile for Guests

Back in the SSID, ensure the Use Policy Acceptance CWP is selected as: CWP-Accept-X

Under Available User Profiles
– Click +

– Name: Guests(100)-X
– Attribute Number: 100
– Default VLAN: 8
– Check Manage users for this profile via User Manager

Click Apply

Go to next slide


Lab: Secure Guest Access with Private PSK 15. Select User Profile and Save

Select the user profile that matches the attribute that will be returned based on the setting in the Private PSK user group

Under Available User Profiles, select Guests(100)-X and click the right arrow button

Click Save

Go to next slide


Lab: Secure Guest Access with Private PSK 16. Select SSID, Apply, Then Save

Under SSID Profiles, click the << button to remove all existing SSIDs

Under Available SSID Profiles, select Class-Daily-X and click the > button to move it to Selected SSID Profiles

Click Apply, then click Save


Lab: Secure Guest Access with Private PSK 17. Update the Configuration of Your HiveAP

From Monitor > Access Points > HiveAPs

Select your X-A-HiveAP

Select Update... > Upload and Activate Configuration

Click Upload


User Manager Administration


User Manager Permissions Defined in Admin Groups

User Manager is a simplified interface into HiveManager that lets lobby operators create secure guest accounts

User Manager is a free license

There are two types of permissions for User Manager access: administrators and operators


User Manager Permissions Defined in Admin Groups

Here is an example of the permissions defined for User Manager operators and administrators (the slide shows the admin group settings for a User Manager Operator and a User Manager Administrator side by side)


Lab: User Manager Administration 1. Create a User Manager Operator

Create an operator account who will be able to log in to the User Manager interface in HiveManager and generate guest accounts for secure access to the guest WLAN

– Email: [email protected]
– Name: lobby-X
– Password: aerohive123
– Confirm Password: aerohive123
– Check Limit operator access to the selected Private PSK User Groups
  – Select: PPSK-guests(100)-X
– Check Limit operator access to the selected SSID Profiles
  – Select: Class-Daily-X

Click Save


Lab: User Manager Administration 2. Create a User Manager Administrator

Create a User Manager administrator who will have access to generate reports based on guest access

– Email: [email protected]
– Name: manager-X
– Password: aerohive123
– Confirm Password: aerohive123
– Group Name: User Manager Admin

Click Save


User Manager Operations


Lab: User Manager Operation 1. Log in to the User Manager Interface

Note: If you are logged in to HiveManager, you will need to log out, or you can use a different web browser so that you can log in with a different account

https://training-hm1.aerohive.com
– Login: lobby-X
– Password: aerohive123

Click Login


Lab: User Manager Operation 2. Create a Guest Account

Note: Pretend you just walked in the company door as a guest, and you are also the lobby administrator

– User Group: PPSK-guests(100)-X
– Visitor Name: <Your Name>
– Email Address: <Your real email address>
– Visitor Company: <Your Company>
– Sponsor: lobby-X
– SSID Name: Class-Daily-X

Click Save


Lab: User Manager Operation 3. Deliver the Private PSK to the Guest

Select the check box next to your guest account

Click Email
– Note: For this to work, the guest will need a mobile networking device that can access email without Wi-Fi access, such as a mobile phone or PDA

Note: You also have the option to print the account information and hand it to the guest


Lab: Test Secure Guest Access 1. Connect to the Class-Daily-X SSID

From the hosted PC:
– Connect to Class-Daily-X
– Enter the private PSK generated from User Manager
– Click OK


Lab: Test Secure Guest Access 2. View Active Session Information

After associating with your SSID, you should see your connection in the active clients list in HiveManager

– Go to Monitor > Clients > Active Clients
– Your IP address should be from the 10.5.8.0/24 network
– Note the client information:
  – Username: 0X-guest000N
  – VLAN: 8
  – User Profile Attribute: 100


Troubleshooting with Client Monitor: Example of Invalid PSK


Troubleshooting

HiveAP troubleshooting commands

– Check the time and time zone
  • show clock
  • show timezone
– Check the Private PSK users and Private PSK groups
  • show auth private-psk


HiveAP Location Servers with Client Watch Lists (Location Services)


HiveAP Distributed Location Services

The HiveAPs can locate client devices in the WLAN

The HiveAP that has a client associated with it becomes the owner for that client

Neighboring HiveAPs report the RSSI they observe for the client to the owner

The HiveAP owner calculates a location and sends an aggregate report to HiveManager on a periodic basis

Note: More details are in the notes below and in the help

Diagram: HiveAP A, HiveAP B and HiveAP C each hear Client 1; HiveAP C, the owner of Client 1, receives RSSI reports from A and B, adds its own RSSI, and sends an aggregated report to HiveManager, which places the client on the topology map.


Lab: HiveAP Location Services 1. Create a HiveAP Location Service Policy

From Configuration > Guided Configuration > WLAN Policies, edit your WLAN policy: WLAN-X

Ensure all the HiveAPs in the class are in the same hive
– Select Hive-Class

Under Optional Settings, expand Management Server Settings

Next to Location Server
– Click +


Lab: HiveAP Location Services 2. Configure Aerohive Location Server

– Name: AP-Location-X
– Check Enable Location Server
– Select Aerohive Location Server

Click Save


Lab: HiveAP Location Services 3. Create a Location Watch List

Back in the WLAN policy, ensure the Location Server is: AP-Location-X

Next you will need to create or select a location watch list. This is a list of MAC addresses of clients whose location you want the HiveAPs to track.

Because this class network is a small network, you will select the default All Clients location watch list.

Next to Location Watch List, select All Clients from the drop-down list, then save your WLAN policy


Lab: HiveAP Location Services 4. Update the Configuration of Your HiveAP

From Monitor > Access Points > HiveAPs

Select your X-A-HiveAP

Select Update... > Upload and Activate Configuration

Click Upload


Note: Location Watch Lists: Creating a Placeholder Watch List

If you do create your own location watch list, you must add at least one client MAC address entry, which does not have to be valid at this time, so you can type: 000000000000

Click Apply, then Save

By doing this, you can then add clients to the watch list from the Active Clients view


Note: Location Watch Lists: Add Active Clients to Watch List

From Monitor > Clients > Active Clients, select the check box next to the active clients you want to track

Click Operation... > Add to Watch List > watch-X

You will then need to upload and activate the configuration for your HiveAP

Note: For class, you want to use the All Clients watch list because every AP in class will need to track the same clients to get at least 3 APs to locate your client
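How the owner HiveAP can turn the aggregated RSSI reports into a position, and why the note above asks for at least three APs, as an added example written for this edit (the page does not describe HiveOS's algorithm, so this is the textbook approach, not Aerohive's): each RSSI is converted to a distance with a log-distance path-loss model, and the AP coordinates and distances are solved by least-squares trilateration. The path-loss constants, AP coordinates and RSSI values are constructed assumptions.

```python
import math

# Log-distance path-loss model constants (illustrative assumptions, not HiveOS values).
RSSI_AT_1M = -40.0     # dBm an AP would see one metre from the client
PATH_LOSS_EXP = 3.0    # indoor exponent; free space would be 2.0


def rssi_to_distance(rssi_dbm: float) -> float:
    """Invert the path-loss model: distance in metres for an observed RSSI."""
    return 10 ** ((RSSI_AT_1M - rssi_dbm) / (10 * PATH_LOSS_EXP))


def distance_to_rssi(metres: float) -> float:
    """Forward model, used here only to construct sample reports."""
    return RSSI_AT_1M - 10 * PATH_LOSS_EXP * math.log10(metres)


def trilaterate(anchors):
    """anchors: [(x, y, distance), ...] for at least three APs.

    Subtracting the first circle equation from the others removes the
    quadratic terms, leaving linear equations 2(x-x0)px + 2(y-y0)py = c
    that are solved by least squares (normal equations, 2x2).
    """
    if len(anchors) < 3:
        raise ValueError("need RSSI from at least three APs")
    x0, y0, d0 = anchors[0]
    rows = []
    for x, y, d in anchors[1:]:
        c = d0 ** 2 - d ** 2 + x ** 2 - x0 ** 2 + y ** 2 - y0 ** 2
        rows.append((2 * (x - x0), 2 * (y - y0), c))
    s11 = sum(a * a for a, _, _ in rows)
    s12 = sum(a * b for a, b, _ in rows)
    s22 = sum(b * b for _, b, _ in rows)
    t1 = sum(a * c for a, _, c in rows)
    t2 = sum(b * c for _, b, c in rows)
    det = s11 * s22 - s12 * s12
    if abs(det) < 1e-9:
        raise ValueError("APs are collinear; the position is ambiguous")
    return ((s22 * t1 - s12 * t2) / det, (s11 * t2 - s12 * t1) / det)


def locate(reports: dict):
    """reports: AP name -> (x, y, rssi_dbm), as the owner AP would aggregate them."""
    return trilaterate([(x, y, rssi_to_distance(r)) for x, y, r in reports.values()])


# Constructed sample: three APs on a 20 m grid hearing a client that is really at (8, 6).
SAMPLE_REPORTS = {
    "HiveAP-A": (0.0, 0.0, distance_to_rssi(math.hypot(8, 6))),
    "HiveAP-B": (20.0, 0.0, distance_to_rssi(math.hypot(8 - 20, 6))),
    "HiveAP-C": (0.0, 20.0, distance_to_rssi(math.hypot(8, 6 - 20))),
}
```

Two APs give one linearized equation in two unknowns, so the function refuses; three non-collinear APs give an exact solution; more than three overdetermine the fit and average out RSSI noise, which in real buildings is several dB and therefore several metres of error, which is why the class demonstration below needs real over-the-air APs to look sensible.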


Class Demonstration

Because the hosted clients are connected directly to the class HiveAPs via Wi-Fi coax cable, location services will not work very well: the other HiveAPs will not see the neighboring clients

If the instructor has three or more HiveAPs, location services can be tested in the class

Just ensure the local classroom HiveAPs are added to the same topology map, are in the same hive, and are placed accurately (or close to it) where the topology map shows them


Example: Client Location on Topology Map (screenshot: a client chosen from the Select Clients list is shown at its computed position on the map)


DHCP Server and NAT Access


Using a HiveAP as a DHCP Server and NAT Gateway for Client Traffic

The client connects to the SSID: Class-NAT-X and obtains an IP address in the 10.5.5.0/24 network

The HiveAP creates a virtual interface for the default gateway 10.5.5.1 and responds to ARP for it

The traffic from the client is sent to the HiveAP

The firewall rules assigned to the client by its user profile translate the client's traffic to a source IP of the HiveAP's MGT0 interface, then the traffic is sent to the HiveAP's default gateway

Diagram: Student-X HiveAP, VLAN 1, Mgt0 IP 10.5.2.N/24, Gateway 10.5.2.1; SSID Class-NAT-X, User Profile branch(5)-X, Firewall Policy NAT-X; DHCP Settings: Mgt0.5 IP 10.5.5.2/24, IP Pool 10.5.5.100 – 10.5.5.200, DHCP Options: Gateway 10.5.5.1, NAT Support; the client connects to SSID Class-NAT-X with IP 10.5.5.N/24 and gateway 10.5.5.1 and reaches the Internet through the router at 10.5.2.1.


Lab: Create an SSID with NAT Access 1. Modify Your WLAN Policy

Go to Configuration > Guided Configuration > WLAN Policies

Click the link to modify your WLAN policy: WLAN-X

Go to next slide


Lab: Create an SSID with NAT Access 2. Create a New SSID

– WLAN Policy – SSID Profiles

Click: Add/Remove SSID Profile

Click + to create a new SSID Profile

Go to next slide


Lab: Create an SSID with NAT Access 3. Configure the SSID and Create a User Profile

– SSID Profile –
– Profile Name: Class-NAT-X
– SSID: Class-NAT-X
– SSID Access Security, select: WPA/WPA2 PSK (Personal)
– Use Default WPA/WPA2 PSK Settings
– Key Value: aerohive123
– Confirm Value: aerohive123

User Profile for Traffic Mgmt
– Click + to create a new user profile
– Click More Settings...

Page 346

Lab: Create an SSID with NAT Access
4. Create User Profile for Branch Office Clients

– SSID > User Profile –

Name: Branch(5)-X
Attribute Number: 5
Default VLAN: 5

Expand Firewalls. Under IP Firewall Policy, next to From-Access click +

Page 347

Lab: Create an SSID with NAT Access
5. Create a firewall rule for DHCP

Configure a firewall rule to permit the client to obtain an IP address via DHCP

Note: This rule must be configured without NAT, because DHCP requests cannot be NATed

Policy Name: NAT-X
– Source IP: Any
– Destination IP: Any
– Service: DHCP-Server
– Action: Permit

Click Apply and do not save, then go to the next slide

Page 348

Lab: Create an SSID with NAT Access
6. Create a firewall rule for NAT access

Configure a firewall rule to network address port translate (NAPT) the source IP address of all traffic from the clients to the MGT0 interface of the HiveAP

Under Policy Rule: Click New
– Source IP: Any
– Destination IP: Any
– Service: Any
– Action: NAT

Click Apply and do not save, then go to the next slide

Page 349

Lab: Create an SSID with NAT Access
7. Verify firewall policy rules then save

Verify your firewall rules look like the following picture:
– Permit DHCP-Server (without NAT)
– NAT all the rest of the traffic

Click Save

Page 350

Lab: Create an SSID with NAT Access
8. Assign Firewall Policy to User Profile

Back in your user profile, under IP Firewall Policy:
– From-Access: NAT-X
– To-Access: <Empty>
– Default-Action: Deny

Click Save

Page 351

Lab: Create an SSID with NAT Access
9. Assign user profile to SSID then save

Make sure the new user profile is selected: branch(5)-X

Click Save

Page 352

Lab: Create an SSID with NAT Access
10. Assign SSID to WLAN policy then save

– WLAN Policy –

SSID Profiles: Select your SSID Class-NAT-X from the Available SSID Profiles list and use the right arrow button ‘>’ to move it to the Selected SSID Profiles list

Click Apply

Really – make sure you click Apply

Click Save to save your WLAN policy

Note: The WLAN policy must be assigned to one or more HiveAPs for it to take effect

Page 353

Configure DHCP Server For NATed IP Pools

Requires a HiveAP 300 Series until HiveOS version 3.5r2, which will support the 100 series

Page 354

Lab: Configure HiveAP DHCP Service
1. Create a DHCP server object

Create a DHCP Server object for VLAN 5, which is the VLAN assigned by the Branch(5)-X user profile

Name: DHCP-X
Interface: mgt0.5
IP Address: 10.5.5.2
Netmask: 255.255.255.0
VLAN ID: 5

Leave default settings for the rest of the options...

IP Pools
– Start IP Address: 10.5.5.100
– End IP Address: 10.5.5.200

Click Apply but do NOT save. Go to the next slide...

Note: Everyone in class will configure the same IP addresses and pools, and that is OK because all traffic is locally processed by their own HiveAPs then NATed.

Page 355

Lab: Configure HiveAP DHCP Service
2. Define gateway IP and enable NAT support

Define the default gateway and enable NAT support

Expand DHCP Server Options
– Default Gateway: 10.5.5.1

Expand Advanced
– Enable NAT Support

Note: Even though a HiveAP is a layer 2 device, it will use one of its reserved MAC addresses and assign it to the default gateway specified in the DHCP server options, allowing it to respond to ARP and act like a router

Click Save

Page 356

Lab: Configure HiveAP DHCP Service
3. Enable DHCP service on HiveAP

Enable the DHCP server service on your HiveAP

From Monitor > Access Points > HiveAPs

Select the checkbox next to your HiveAP: X-A-######

Click Modify

Under Optional Settings > DHCP Server & Relay, expand Service Settings

Select your DHCP Server object DHCP-X and click the > button to move it to the Selected Servers list

Click Save

Page 357

Lab: Configure HiveAP DHCP Service
4. Upload and Activate Configuration

Select the checkbox next to your HiveAP: X-A-######

Click Update... > Upload and Activate Configuration

Click Upload

Page 358

Test DHCP Server and NAT Access

Page 359

Lab: Test DHCP Server and NAT Access
1. Connect to the NAT SSID

From the hosted PC, connect to the Class-NAT-X SSID

Network Key: aerohive123
Confirm network key: aerohive123

Click Connect

Page 360

Lab: Test DHCP Server and NAT Access
2. Verify IP and Internet Connectivity

From the hosted PC, open a CMD prompt and view your IP address:

ipconfig

Note: Your IP address should be in the 10.5.5.0/24 subnet

ping www -t     (www is: 10.6.1.150)

Page 361

Lab: Test DHCP Server and NAT Access
3. Verify that the IP session is being NATed

From the command line interface of your HiveAP, you can view the IP session information for active sessions to see if NAT is being performed

02-A-064200# show forwarding-engine ip-session protocol 1
IP session table:
Ageout time (in ms)
Total entries: 2/8191
Id:2; Ageout:1036; Flags:0x8251; QOS:2; Up: 0 min 1 sec; InPol:NAT-1/2;
    10.5.5.100/4112 -> 10.6.1.150/4112; Proto 1; Flg:0x0; Pkts:1 Bytes:60 Parent-MAC-Sess: 21
    10.6.1.150/4112 -> 10.5.2.2/64511; Proto 1; Flg:0x0; Pkts:1 Bytes:60
Id:1; Ageout:36; Flags:0x8251; QOS:2; Up: 0 min 2 sec; InPol:NAT-1/2;

Traffic from the client 10.5.5.100 is sent to the www server 10.6.1.150.

Traffic from the www server 10.6.1.150 is sent to 10.5.2.2, which is the IP address of the MGT0 interface of the HiveAP. This means NAT is working.

When you are done, please stop the continuous ping from the hosted PC
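As an added example (not part of the Aerohive courseware), the following Python parses the show forwarding-engine ip-session output above and performs the check the slide does by eye: the reply flow must be addressed to the HiveAP's MGT0 IP, not to a client address. The session text is constructed from the slide; client_net and mgt0_ip are the values you supply for your own HiveAP.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample: the "show forwarding-engine ip-session protocol 1"
# output from the slide, embedded inline so the check runs offline.
SAMPLE_SESSIONS = """\
IP session table:
Ageout time (in ms)
Total entries: 2/8191
Id:2; Ageout:1036; Flags:0x8251; QOS:2; Up: 0 min 1 sec; InPol:NAT-1/2;
 10.5.5.100/4112 -> 10.6.1.150/4112; Proto 1; Flg:0x0; Pkts:1 Bytes:60 Parent-MAC-Sess: 21
 10.6.1.150/4112 -> 10.5.2.2/64511; Proto 1; Flg:0x0; Pkts:1 Bytes:60
Id:1; Ageout:36; Flags:0x8251; QOS:2; Up: 0 min 2 sec; InPol:NAT-1/2;
"""

# One flow line: "src/port -> dst/port; Proto n; ..."
FLOW_RE = re.compile(
    r"(?P<src>\d+(?:\.\d+){3})/(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d+(?:\.\d+){3})/(?P<dport>\d+);\s*Proto\s+(?P<proto>\d+)"
)


def parse_flows(text: str) -> List[Dict[str, object]]:
    """Return one dict per flow line in the session table."""
    return [
        {"src": m["src"], "sport": int(m["sport"]),
         "dst": m["dst"], "dport": int(m["dport"]),
         "proto": int(m["proto"])}
        for m in FLOW_RE.finditer(text)
    ]


def nat_check(flows: List[Dict[str, object]], client_net: str,
              mgt0_ip: str) -> Dict[str, object]:
    """Classify flows the way the slide does by eye.

    Outbound flows still show the client's pre-NAT source address; reply
    flows must be addressed to mgt0_ip.  A reply addressed to an address in
    client_net is treated (heuristically) as NAT not applying, e.g. the
    NAT rule is missing or ordered after a Permit rule that matched.
    """
    net = ipaddress.ip_network(client_net)
    outbound = [f for f in flows if ipaddress.ip_address(f["src"]) in net]
    translated = [f for f in flows if f["dst"] == mgt0_ip]
    leaked = [f for f in flows if ipaddress.ip_address(f["dst"]) in net]
    return {
        "outbound": len(outbound),
        "translated_replies": len(translated),
        "untranslated_replies": len(leaked),
        "nat_working": bool(outbound) and bool(translated) and not leaked,
    }


if __name__ == "__main__":
    print(nat_check(parse_flows(SAMPLE_SESSIONS), "10.5.5.0/24", "10.5.2.2"))
```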

Page 362

Supplemental Courseware/Scratch Pad

Page 363

AD Troubleshooting Using HiveAP CLI

Page 364

LAB: Verify HiveAP Admin Account

exec aaa ldap-search username hiveapadmin
Exec-Program output:
Search user 'hiveapadmin' in basedn 'CN=Users,DC=ahdemo,DC=local' successful

Page 365

LAB: Verify Wireless User Accounts

exec aaa ldap-search username user
Exec-Program output:
Search user 'user' in basedn 'CN=Userss,DC=ahdemo,DC=local' failed

In this case there was a typo in the DN: note the extra s in 'Userss'

exec aaa ldap-search username user
Exec-Program output:
Search user 'user' in basedn 'CN=Users,DC=ahdemo,DC=local' successful

Page 366

LAB: Verify NTLM Authentication With Wireless User Account

exec aaa ntlm-auth username user2 password Aerohive1

2009-04-16 11:37:53 info admin:<exec aaa ntlm-auth username user2 password *** >
2009-04-16 11:37:53 debug samba-tools: Kerberos session setup successful
Exec-Program output:
NT_STATUS_OK: Success (0x0)


Page 368

SSL Negotiation Fails: Invalid CA Cert

This is an example that fails because the certificate was not installed or configured properly

Page 369

Bridging Notes For HiveAPs

Page 370

HiveAP Ethernet Interfaces in Bridge Mode

(Diagram: HiveAPs meshed on 2.4 GHz or 5 GHz back to the Corp LAN; the SSID exists on the radio that is not used for mesh, either 2.4 GHz or 5 GHz)

One or both of the Ethernet ports can be in bridge mode with MAC learning. The HiveAP can learn 128 MAC addresses if an L2 switch is connected to the HiveAP eth0 or eth1 ports in bridge mode. You can also hard code the MAC addresses that are allowed on the port. * If you connect a router to the bridge port, then all traffic to the HiveAP would come from the same MAC address, so in a sense we would support an unlimited number of wired clients. Wired clients show up in the active clients list as well in 3.5r1.

Loops are prevented, so a redundant configuration as shown above is permitted. No spanning tree is needed. An Ethernet interface in bridge mode can provide a captive web portal as well. Ethernet interfaces can also be in bridge-802.1Q mode to allow traffic from any VLAN to go through the HiveAP. You can limit which VLANs are permitted as well.

Page 371

Revoking Private PSK Accounts

Page 372

Revoking Private PSK Users

If a user leaves the company, or if their device is lost or stolen, you can revoke a user’s key and de-authenticate any active client using the individual private PSK

Apply a filter to view your Private PSK users

Go to Configuration > Advanced Configuration > Authentication > Local Users

Check the box next to one or more users and click Remove

Go to next slide

Page 373

Update User Database To Revoke Private PSK Users

From Managed HiveAPs, select your HiveAP, then select Update... > Upload User Database

Page 374

Update User Database To Revoke Private PSK Users

Click Delta Upload (Compare with running config)

If you click the link for the hostname of your HiveAP you can see the user commands that will be sent to the HiveAP

Click Upload

NOTE: Once a client is revoked, it can never be activated again; the user will need to obtain a new Private PSK

Page 375

CLI on HiveAPs Can Be Used To Verify Revoked Users

AH-0045d0# show auth private-psk
Interface=wifi0.1; SSID=Class-PPSK-1; Protocol-suite=PSK-auto;
Total entries: 30
No.  User              Group            PMK   Valid
---- ----------------  ---------------  ----  -----
1    01-corp0030       PPSK-Corp-01     e1d4  Yes
2    01-corp0029       PPSK-Corp-01     7a61  Yes
3    01-corp0028       PPSK-Corp-01     a975  Yes
...
24   01-corp0007       PPSK-Corp-01     4cf3  No
25   01-corp0006       PPSK-Corp-01     e7c7  Yes
26   01-corp0005       PPSK-Corp-01     8d07  Yes
27   01-corp0004       PPSK-Corp-01     1964  No
28   01-corp0003       PPSK-Corp-01     a4c5  Yes
29   01-corp0002       PPSK-Corp-01     70c5  Yes
30   01-corp0001       PPSK-Corp-01     c41b  No

NOTE: Once a client is revoked, it can never be activated again; the user will need to obtain a new Private PSK
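As an added example (not part of the Aerohive courseware), this Python parses the show auth private-psk table above and audits it against the list of users removed in HiveManager, so a revocation that never reached a HiveAP (for example a missed Upload User Database) shows up as "still_valid". The table text is constructed from the slide, abridged; the expected_revoked set is whatever your HiveManager removal list says.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample: the abridged "show auth private-psk" table from the slide.
SAMPLE_PPSK = """\
AH-0045d0# show auth private-psk
Interface=wifi0.1; SSID=Class-PPSK-1; Protocol-suite=PSK-auto;
Total entries: 30
No.  User              Group            PMK   Valid
---- ----------------  ---------------  ----  -----
1    01-corp0030       PPSK-Corp-01     e1d4  Yes
2    01-corp0029       PPSK-Corp-01     7a61  Yes
3    01-corp0028       PPSK-Corp-01     a975  Yes
24   01-corp0007       PPSK-Corp-01     4cf3  No
25   01-corp0006       PPSK-Corp-01     e7c7  Yes
26   01-corp0005       PPSK-Corp-01     8d07  Yes
27   01-corp0004       PPSK-Corp-01     1964  No
28   01-corp0003       PPSK-Corp-01     a4c5  Yes
29   01-corp0002       PPSK-Corp-01     70c5  Yes
30   01-corp0001       PPSK-Corp-01     c41b  No
"""

# A user row: number, user, group, 4-hex-digit PMK fingerprint, Yes/No.
ROW_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<user>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<pmk>[0-9a-f]{4})\s+(?P<valid>Yes|No)\s*$"
)


def parse_ppsk_table(text: str) -> List[Dict[str, object]]:
    """Return one dict per user row; prompt, header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({"user": m["user"], "group": m["group"],
                         "pmk": m["pmk"], "valid": m["valid"] == "Yes"})
    return rows


def revocation_audit(rows: List[Dict[str, object]],
                     expected_revoked: Iterable[str]) -> Dict[str, List[str]]:
    """Compare the HiveAP's view with the users removed in HiveManager.

    still_valid: removed in HiveManager but the HiveAP still accepts the key
                 (the user database upload has not reached this HiveAP).
    unexpected:  marked invalid on the HiveAP with no matching removal record.
    A removed user absent from the table altogether is not reported.
    """
    expected = set(expected_revoked)
    on_ap = {r["user"]: r["valid"] for r in rows}
    still_valid = sorted(u for u in expected if on_ap.get(u, False))
    unexpected = sorted(u for u, ok in on_ap.items()
                        if not ok and u not in expected)
    return {"still_valid": still_valid, "unexpected": unexpected}
```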

Page 376

Revoked Private PSK Users Are Immediately De-Authenticated

To view the active clients, go to Clients > Active Clients. The revoked clients will no longer be active

Page 377

Wireless VPN Troubleshooting Commands

Page 378

VPN CLI Commands: show vpn ipsec sa

02-A-038cc0# show vpn ipsec sa
SA(Security Association) information as following:
IPsec Security Association Information:
10.5.1.150 [4500] 1.1.1.2 [4500] tunnel-id: 9
    esp-udp mode=tunnel spi=101699633(0x060fd031) reqid=0(0x00000000)
    Encryption: aes-cbc
    Authentication: hmac-sha1
    seq=0x00000000 replay=4 flags=0x20000000 state=mature
    created: Sep 3 10:58:51 2010 current: Sep 3 11:13:25 2010
    diff: 874(s) hard: 3600(s) soft: 2880(s)
    last: Sep 3 10:58:51 2010 hard: 0(s) soft: 0(s)
    current: 141008(bytes) hard: 0(bytes) soft: 0(bytes)
    current: 668(pkts) hard: 0(pkts) soft: 0(pkts)
    failed: 0(pkts) replay: 0(pkts) replay window: 0(pkts)
    sadb_seq=1 pid=993 refcnt=0
1.1.1.2 [4500] 10.5.1.150 [4500] tunnel-id: 9
    esp-udp mode=tunnel spi=49616501(0x02f51675) reqid=0(0x00000000)
    Encryption: aes-cbc
    Authentication: hmac-sha1
    seq=0x00000000 replay=4 flags=0x20000000 state=mature
    created: Sep 3 10:58:51 2010 current: Sep 3 11:13:25 2010
    diff: 874(s) hard: 3600(s) soft: 2880(s)
    last: Sep 3 10:58:51 2010 hard: 0(s) soft: 0(s)
    current: 116016(bytes) hard: 0(bytes) soft: 0(bytes)
    current: 1065(pkts) hard: 0(pkts) soft: 0(pkts)
    failed: 0(pkts) replay: 0(pkts) replay window: 0(pkts)
    sadb_seq=0 pid=993 refcnt=0

Page 379

VPN CLI Commands: show vpn ipsec-tunnel

02-A-038cc0# show vpn ipsec-tunnel
IPsec Tunnel Duration:
Source                   Destination              Created               Duration
------------------------ ------------------------ --------------------- ----------------------------------------
10.5.1.150[4500]         1.1.1.2[4500]            2010-09-03 10:58:51   0 days 0 hours 12 minutes 28 seconds

Total IPsec Tunnel Sessions: 1

Tunnel Statistic Information:
Src IP                   Dst IP                   Pkts       Bytes      Auth-Err   Other-Err  SPI         Remaining-Lifetime
------------------------ ------------------------ ---------- ---------- ---------- ---------- ----------- ------------------
10.5.1.150[4500]         1.1.1.2[4500]            605        130848     0          0          0x060fd031  2132(s) rekey
1.1.1.2[4500]            10.5.1.150[4500]         1027       112324     0          0          0x02f51675  2132(s) rekey

Page 380

VPN CLI Commands: show amrp tunnel

02-A-038cc0# show amrp tunnel
Total 1 tunnels
DA - DNXP Access, DB - DNXP Backhaul
IA - INXP Access, IB - INXP Backhaul
VA - VPN Access, VB - VPN Backhaul
No.  Peer             Type  client  age       TTL
-------------------------------------------------------------------------------
1    10.8.1.2         VA    1       02:30:14

02-A-038cc0# show amrp tunnel 10.8.1.2
VPN access tunnel <tunnel0 -> 10.8.1.2>
    age: 02:32:34
    client count: 1
    state: ESTABLISHED
    state age: 02:32:33
    last echo request: 00:00:03 sec ago
    last echo reply: 00:00:03 sec ago
    heartbeat interval: 10 sec
    heartbeat fail retry: 10
    flag: 0x3

Page 381

VPN CLI Commands: show vpn gre-tunnel

02-A-038cc0# show vpn gre-tunnel
Tunnel table:
T=Type; Z=Zone; PN=policy numbers;
Age Out=idle time of the tunnel since last receive packet
TXs=TX packets; TXE=TX errors; RXs=RX packets; RXE=RX errors;
Type: G=General route encapsulation; O=Other tunnel;
Zone: A=Access; B=Backhaul;
Total entries: 1

ID   T Z PN  Age Out  Src IP          Dst IP          TXs      TXE  RXs      RXE
---- - - --- -------- --------------- --------------- -------- ---- -------- ----
1    G A 1   109      10.8.1.20       10.8.1.2        36       0    23       0

Page 382

VPN CLI Commands: show vpn ike event (Failure Event)

03-A-0377c0# show vpn ike event
2009-10-01 14:05:40:Peer failed phase 1 authentication (certificate problem?)(10.5.1.151[4500]->1.1.1.2[4500])
2009-10-01 14:06:30:Peer not responding(10.5.1.151[4500]->1.1.1.2[4500])
2009-10-01 14:06:30:Phase 1 deleted(10.5.1.151[4500]->1.1.1.2[4500])
2009-10-01 14:06:31:Peer failed phase 1 authentication (certificate problem?)(10.5.1.151[4500]->1.1.1.2[4500])

In this case, the root CA certificate was not pushed to the AP, so it cannot validate the VPN server

Page 383

VPN CLI Commands: show vpn ike event (Failure Resolution)

04-A-04c000# show vpn ike event
2010-09-03 17:48:39:Peer not responding(10.5.1.157[4500]->1.1.1.2[4500])
2010-09-03 17:48:39:Phase 1 deleted(10.5.1.157[4500]->1.1.1.2[4500])
2010-09-03 17:48:40:Peer failed phase 1 authentication (certificate problem?)(10.5.1.157[4500]->1.1.1.2[4500])

Originally the wrong root CA certificate was sent to the HiveAP. After updating the certificate by updating the configuration, and then typing clear vpn ike sa, the VPN processes are restarted, the negotiation succeeds and the tunnel becomes established

04-A-04c000# clear vpn ike sa
04-A-04c000# show vpn ike event
2010-09-03 17:58:50:Phase 1 deleted(10.5.1.150[4500]->1.1.1.2[4500])
2010-09-03 17:58:51:Phase 1 started(10.5.1.150[500]->1.1.1.2[500])
2010-09-03 17:58:51:Phase 1 established(10.5.1.150[4500]->1.1.1.2[4500])
2010-09-03 17:58:51:Xauth exchange start(10.5.1.150[4500]->1.1.1.2[4500])
2010-09-03 17:58:51:Xauth exchange passed(10.5.1.150[4500]->1.1.1.2[4500])
2010-09-03 17:58:51:Add security policy into kernel stack done(10.5.1.150[4500]->1.1.1.2[4500])
2010-09-03 17:58:51:ISAKMP mode config done(10.5.1.150[4500]->1.1.1.2[4500])
2010-09-03 17:58:51:Phase 2 started(10.5.1.150[4500]->1.1.1.2[4500])
2010-09-03 17:58:51:Phase 2 established(10.5.1.150[4500]->1.1.1.2[4500])
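As an added example (not part of the Aerohive courseware), this Python parses the show vpn ike event output from the two slides above and reports, per VPN peer, whether phase 1 failed on the certificate check or the tunnel reached Phase 2 established. Both logs are constructed from the slides (abridged) and are deliberately run together on one line, as the CLI paste on the slide is, to show the parser does not depend on line breaks; the verdict strings are this example's own wording.

```python
import re
from typing import Dict, List

# Constructed from the deck's two "show vpn ike event" slides (abridged),
# entries run together exactly as a pasted CLI capture often arrives.
FAILURE_LOG = (
    "2009-10-01 14:05:40:Peer failed phase 1 authentication (certificate problem?)"
    "(10.5.1.151[4500]->1.1.1.2[4500])"
    "2009-10-01 14:06:30:Peer not responding(10.5.1.151[4500]->1.1.1.2[4500])"
    "2009-10-01 14:06:30:Phase 1 deleted(10.5.1.151[4500]->1.1.1.2[4500])"
    "2009-10-01 14:06:31:Peer failed phase 1 authentication (certificate problem?)"
    "(10.5.1.151[4500]->1.1.1.2[4500])"
)
SUCCESS_LOG = (
    "2010-09-03 17:58:50:Phase 1 deleted(10.5.1.150[4500]->1.1.1.2[4500])"
    "2010-09-03 17:58:51:Phase 1 started(10.5.1.150[500]->1.1.1.2[500])"
    "2010-09-03 17:58:51:Phase 1 established(10.5.1.150[4500]->1.1.1.2[4500])"
    "2010-09-03 17:58:51:Xauth exchange start(10.5.1.150[4500]->1.1.1.2[4500])"
    "2010-09-03 17:58:51:Xauth exchange passed(10.5.1.150[4500]->1.1.1.2[4500])"
    "2010-09-03 17:58:51:Phase 2 started(10.5.1.150[4500]->1.1.1.2[4500])"
    "2010-09-03 17:58:51:Phase 2 established(10.5.1.150[4500]->1.1.1.2[4500])"
)

# "<timestamp>:<message>(<src>[port]-><dst>[port])", one per event; the
# lazy <msg> stops at the first parenthesised peer pair, so a message such
# as "(certificate problem?)" is kept inside msg.
EVENT_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}):(?P<msg>.*?)"
    r"\((?P<src>\d+(?:\.\d+){3})\[\d+\]->(?P<dst>\d+(?:\.\d+){3})\[\d+\]\)",
    re.DOTALL,
)


def parse_ike_events(text: str) -> List[Dict[str, str]]:
    """Split the event log into dicts with ts, msg, src and dst."""
    return [m.groupdict() for m in EVENT_RE.finditer(text)]


def classify_peer(events: List[Dict[str, str]], peer: str) -> Dict[str, object]:
    """Summarise the negotiation with one VPN peer and say what to check."""
    msgs = [e["msg"].strip() for e in events if e["dst"] == peer]
    cert_failures = sum("certificate problem" in m for m in msgs)
    phase2 = "Phase 2 established" in msgs
    if phase2:
        verdict = "tunnel established"
    elif cert_failures:
        verdict = "phase 1 failed: verify the root CA certificate pushed to the HiveAP"
    else:
        verdict = "phase 1 incomplete: peer unreachable or still negotiating"
    return {
        "events": len(msgs),
        "cert_failures": cert_failures,
        "phase1": "Phase 1 established" in msgs,
        "xauth": "Xauth exchange passed" in msgs,
        "phase2": phase2,
        "verdict": verdict,
    }
```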

Page 384

Use Client Monitor To View Connection Status

From Monitor > Active Clients > Operations > Client Monitor

Add the MAC address of a client to monitor its connection status