Subject: Configuring Aerohive HiveAP - 802.1x for Tesorion Immunity Classification: Public Author(s): Tesorion Version: 2020-05-28

Configuring Aerohive HiveAP NG - 8021x for Tesorion Immunity



Contents

1 PREAMBLE
2 LEGEND
3 CONFIGURATION
3.1 PREPARATION
3.2 CREATE NETWORK POLICIES
3.3 CREATE SSIDS
3.4 SET UP RADIUS SERVER
3.5 CREATE USER PROFILE
3.6 SET SNMP
3.7 SWITCH ON THE TRAFFIC FILTER
4 ADD THE NETWORK HARDWARE TO TESORION IMMUNITY


1 Preamble

This manual describes how to configure network hardware to prepare it for addition to Tesorion Immunity. This requires some knowledge of the network hardware and CLI access with appropriate privileges. Because of differences in software versions and initial configuration of the network hardware, Tesorion cannot guarantee the correct result in every possible scenario. When in doubt, consult the documentation of the network hardware or consult an expert. In rare cases, existing configuration on the network hardware can be overwritten by the described configuration.

2 Legend

Italic: an element to be clicked on, for example a button, menu item, link, etc.
Bold: the name of a value to adjust.


3 Configuration

With this manual you can configure the Aerohive HiveAP so that it can be used in combination with Tesorion Immunity: an SSID with 802.1x functionality is configured. First, the steps that you must go through in the interface of the Aerohive HiveAP are discussed. Finally, Chapter 4 describes how to add your configured wireless controller(s) to Tesorion Immunity.

3.1 Preparation

A few remarks in advance:

The web interface of the Aerohive HiveAP, also called the HiveManager, can be reached via https://cloud.aerohive.com/login#/login. By logging in here you enter the web interface.

If certain settings or options are not mentioned in this manual, this means that the factory settings are correct after a factory reset. You must leave these settings unchanged.

The HiveAPs to be configured must already be included in your HiveManager.

Your HiveManager must be in "Enterprise mode". You can set this in the following way:

1. Move the cursor to your profile at the top right. (See Figure 1)
2. Click on Global Settings.
3. Go to Organization Information. (See Figure 2)
4. Choose Enterprise behind Industry.
5. Click Apply.


Figure 1: Preparation

Figure 2: Preparation


3.2 Create Network Policies

First of all, a Network Policy must be created. This policy will be linked to Tesorion Immunity at a later date.

1. Go to Configure at the top of the menu. (See Figure 3)
2. Click on "ADD NETWORK POLICY".
3. Select 'Wireless'. (See Figure 4)
4. Enter a descriptive name in 'Policy Name'.
5. Press Save (bottom right).


Figure 3: Create Network Policies

Figure 4: Create Network Policies


3.3 Create SSIDs

Next, an SSID must be created, to which the Network Policy will be linked.

1. Click Add and choose All other Networks (standard). (See Figure 5)
2. Enter the SSID data; SSID Broadcast Name is the name that is actually displayed. (See Figure 6)
3. Select Enterprise WPA / WPA2 / WPA3.
4. Key Management: WPA2-802.1X.
5. Encryption Method: CCMP (AES).


Figure 5: Create SSIDs

Figure 6: Create SSIDs


3.4 Set up RADIUS Server

In the following steps, the SSID is linked to the Tesorion Immunity RADIUS server.

1. Continue on the same page with Authentication Settings. (See Figure 7)
2. Click on the plus behind 'Default RADIUS Server Group'.
3. Enter a descriptive name for the RADIUS Server Group Name. (See Figure 8)
4. Click on the plus under External RADIUS Server.


Figure 7: Set up RADIUS Server

Figure 8: Set up RADIUS Server


6. Enter a descriptive name at Name (Figure 9).
7. Click on the plus after IP/Host Name and select IP Address.
8. Enter a descriptive name at Name (Figure 10).
9. At IP Address, enter the IP address that has been agreed in the TIP.
10. Click on SAVE IP (bottom right).
11. The name of 'IP Address' (entered in Figure 10) is automatically filled in at 'IP/Host Name'.
12. Enter Shared Secret. You also use this in Tesorion Immunity (Figure 9).
13. Click on SAVE EXTERNAL RADIUS (bottom right).


Figure 9: Set up RADIUS Server

Figure 10: Set up RADIUS Server


You will return to the 'Configure RADIUS Server Group' screen; a RADIUS server has now been added to the overview.

14. Click on the gear next to RADIUS Server Group Description (Figure 11).
15. Enter the following data (Figure 12):
    Retry Interval: 60.
    Accounting Interim Update Interval: 300.
    Permit Dynamic Change of Authorization Messages: Checked.
16. Click on SAVE RADIUS SETTINGS (bottom right).
17. In the next screen, click SAVE RADIUS (bottom right) again.


Figure 11: Set up RADIUS Server

Figure 12: Set up RADIUS Server


3.5 Create User Profile

In the following steps, a User Profile is created and linked to a VLAN.

1. Continue on the same page with User Access Settings. (See Figure 13)
2. Click on the plus behind 'Default User Profile'.
3. Enter a descriptive name for User Profile Name (Figure 14).
4. Click on VLAN after Connect to.
5. Click on the plus behind the field under Connect to.


Figure 13: Create User Profile

Figure 14: Create User Profile


6. Enter a descriptive name at Name (Figure 15).
7. Enter the quarantine VLAN at VLAN ID.
8. Click on SAVE VLAN (bottom right).
9. Then click SAVE USER PROFILE again (Figure 16).


Figure 15: Create User Profile

Figure 16: Create User Profile


3.6 Set SNMP

Additional settings for the SSID are made in the following steps.

1. Continue on the same page with Additional Settings.
2. Open Additional Settings. (See Figure 17)
3. Click on Customize behind "Optional Settings".
4. Make sure that Enable SNMP is checked (Figure 18).
5. Click on SAVE OPTIONAL SETTINGS.


Figure 17: Activate SNMP

Figure 18: Activate SNMP


6. Then click on the Additional Settings tab (Figure 19).
7. Click on SNMP Server in the left menu.
8. Click on OFF after 'SNMP Server' to enable the option.


Figure 19: Configure SNMP


9. Enter a descriptive name in Name (Figure 20).
10. Click Add.
11. Enter the following data (Figure 21):
    SNMP Server: the IP address of the Tesorion Immunity server. If you go through this manual during your Tesorion Immunity implementation week, you must choose the IP Management Wireless from the Technical Implementation Plan as the IP address. If this has not been agreed, choose the IP from which the Tesorion Immunity environment can reach your wireless concentrator via the shortest route.
    Version: V2C.
    Operation: Get.
    Community: This is equivalent to a password. Enter a string that you have defined. Remember what you enter here; this value must be entered later in Tesorion Immunity when managing the Access Points.
12. Click on SAVE (bottom right).


Figure 20: Configure SNMP

Figure 21: Configure SNMP


In the following steps, SNMP must be enabled on the uplink port of the access point:

13. Go to the Configure tab. (See Figure 22)
14. Under the Configure tab, click the Common Objects subtab.
15. Click Port Types on the left side of the page.
16. Select Uplink Port from the AP_ROUTER Device Series and click on the double squares above Port Type Name.
17. Enter a name in the window behind Save As. (Figure 23)
18. Click on Clone to save the Port Type.


Figure 22: Configure SNMP

Figure 23: Configure SNMP


19. Go back to the Network Policies subtab. (See Figure 24)
20. Choose the newly created policy.
21. Go to the Device Templates tab. (See Figure 25)
22. Click Add to add the desired AP type.
23. Select the desired AP type from the list that appears.


Figure 24: Configure SNMP

Figure 25: Configure SNMP


24. Enter a suitable name for Template Name. (See Figure 26)
25. Go to Wired Interfaces at the bottom of the page. (See Figure 27)
26. Change the Port Type of the connected Wired Interface(s) to the previously created Port Type.
27. Click on Edit (the square with pencil) behind the plus sign.
28. Go to VLAN Object in the window that appears. (See Figure 28)
29. For Native VLAN, enter the management VLAN of the AP (for example 1).
30. Now go to Traffic Filter Management.
31. Check Enable SNMP.
32. Click on SAVE PORT TYPE.


Figure 26: Configure SNMP

Figure 27: Configure SNMP

Figure 28: Configure SNMP


3.7 Turn on the Traffic Filter

1. Go to the Additional Settings tab. (See Figure 29)
2. Click Traffic Filter at the bottom left of the page.
3. Click on 'OFF' after 'Traffic Filter' to enable the option. (Figure 30)
4. Enter a descriptive name in Name.
5. Under 'HiveOS APs and Switches' check the options 'Enable SSH', 'Enable Ping', 'Enable SNMP'.
6. Click Save. (Figure 31)

All settings have now been made. Remember to roll the configuration out to the relevant access points.


Figure 29: Switch on the Traffic Filter

Figure 30: Switch on the Traffic Filter

Figure 31: Switch on the Traffic Filter
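
To check the result of sections 3.6 and 3.7 from the host whose IP was entered as SNMP Server, the following added example (not part of the Tesorion manual) builds the SNMPv2c Get such a host sends and decodes the reply; it also shows that the community string is carried unencrypted in the packet. The function names, the queried OID (sysDescr.0) and UDP port 161 are assumptions of this example.

```python
import socket
SYS_DESCR = bytes([0x2B, 6, 1, 2, 1, 1, 1, 0])  # assumed probe OID: sysDescr.0 (1.3.6.1.2.1.1.1.0)

def tlv(tag, value):
    """BER type-length-value; short-form length is enough for this request."""
    if len(value) > 127:
        raise ValueError("value too long for short-form length")
    return bytes([tag, len(value)]) + value

def ber_int(n):
    """Minimal-length encoding of a non-negative INTEGER."""
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def build_get(community, request_id=1):
    """SNMPv2c GetRequest for sysDescr.0 (Version V2C, Operation Get)."""
    varbinds = tlv(0x30, tlv(0x30, tlv(0x06, SYS_DESCR) + tlv(0x05, b"")))
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)  # 1 = v2c

def read_all(buf):
    """Split a constructed value into (tag, value) members; accepts long-form lengths."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits give the number of length octets
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def parse_response(packet):
    """Return (community, error_status, value) from a GetResponse."""
    _version, community, (tag, pdu) = read_all(read_all(packet)[0][1])
    if tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _req_id, status, _err_index, varbinds = read_all(pdu)
    _oid, value = read_all(read_all(varbinds[1])[0][1])
    return community[1].decode(), int.from_bytes(status[1], "big"), value[1]

def check_ap(host, community, timeout=3.0):
    """Send the Get from the monitoring host; None means no answer in time."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get(community), (host, 161))  # assumed default SNMP port
        try:
            return parse_response(s.recv(65535))
        except socket.timeout:
            return None
```

If check_ap returns None after rollout, the Enable SNMP settings on the SSID, the Port Type and the Traffic Filter, and the community string, are the first things to recheck.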


4 Add the network hardware to Tesorion Immunity

Add network hardware to Tesorion Immunity in order to make it possible to enable rollout mode on switches and start managing switches and their ports. After adding WLAN hardware, Tesorion Immunity will be able to respond to access requests right away.

1. Log in to Tesorion Immunity with an appropriately privileged administrator account.
2. Select Network hardware in the left-hand menu bar.
3. Select Add network hardware.
4. Fill out the form:
    IP address: The network hardware's IP address.
    SNMP version: The SNMP version as configured in section 3.6.
    SNMP community: The SNMP community as configured in section 3.6 or enter the SNMPv3 credentials.
5. Select Connect.
6. Select the appropriate Location.
7. Fill out any additionally required information, e.g. CLI credentials or a RADIUS secret.
8. Select Add network hardware.