
ACWA AEROHIVE CONFIGURATION GUIDE


DESCRIPTION

Aerohive HELP guide.


  • 1. 2014 Aerohive Networks Inc. AEROHIVE CERTIFIED WIRELESS ADMINISTRATOR (ACWA). Aerohive's Instructor-led Training.
  • 2. Welcome (2014 Aerohive Networks CONFIDENTIAL): Introductions; Facilities Discussion; Course Overview; Extra Training Resources; Questions.
  • 3. Introductions: What is your name? What is your organization's name? How long have you worked in Wi-Fi? Are you currently using Aerohive?
  • 4. Facilities Discussion: Course Material Distribution; Course Times; Restrooms; Break room; Smoking Area; Break Schedule (Morning Break, Lunch Break, Afternoon Break).
  • 5. Aerohive Essentials WLAN Configuration (ACWA) Course Overview: Each student connects to HiveManager, a remote PC, and an Aerohive AP over the Internet from their wireless-enabled laptop in the classroom, and then performs hands-on labs that cover the following topics: Predictive modeling and WLAN design; HiveManager overview; Mobility solutions and Unified Policy Management; HiveManager initial configuration; Topology Maps (real-time monitoring of AP coverage); Scenario: Create a secure access network for employees; Scenario: Create a secure access network for legacy devices using PPSK; Secure WLAN Guest Management; Scenario: Create a guest secure WLAN with unique user credentials; Device-specific settings; Deployment optimization; Device monitoring and troubleshooting; Firmware updates; Bring Your Own Device (BYOD); Auto-provisioning; Cooperative Control Protocols. 2-day hands-on class.
  • 6. Aerohive Training Remote Lab: Aerohive Access Points using external antenna connections and RF cables to connect to USB Wi-Fi client cards (black cables); Access Points connected from eth0 to Aerohive managed switches with 802.1Q VLAN trunk support providing PoE to the APs (yellow cables); Firewall with routing support, NAT, and multiple Virtual Router Instances; Access Points connected from their console port to a console server (white cables); Console server to permit SSH access into the serial console of Aerohive Access Points; Server running VMware ESXi running Active Directory, RADIUS, NPS and hosting the virtual clients used for testing configurations to support the labs.
  • 7. Hosted Lab for Data Center: Management hosts in 10.5.1.*/24 have no gateway. HiveManager MGT 10.5.1.20/24; Win2008 AD Server MGT 10.5.1.10/24; Linux Server MGT 10.6.1.150/24. L3 Switch/Router/Firewall: eth0 10.5.1.1/24 (VLAN 1), eth0.1 10.5.2.1/24 (VLAN 2), eth0.2 10.5.8.1/24 (VLAN 8), eth0.3 10.5.10.1/24 (VLAN 10), eth1 10.6.1.1/24 (DMZ). L2 Switch, native VLAN 1; LAN ports connected to the L2 switch with 802.1Q VLAN trunks. Aerohive AP common settings: MGT0 in VLAN 1 (native VLAN 1), default gateway none; 14 Aerohive APs. 14 client PCs for wireless access (X = 2, 3, ... N): Ethernet 10.5.1.20X/24 (no gateway); Wireless 10.5.10.X/24, gateway 10.5.10.1. Terminal Server 10.5.1.5/24. Services for hosted class: Win2008 AD Server (RADIUS (IAS), DNS, DHCP); Linux Server (Web Server, FTP Server).
  • 8. Aerohive CBT Learning: http://www.aerohive.com/cbt
  • 9. Aerohive Education on YouTube: http://www.youtube.com/playlist?list=PLqSW15RTj6DtEbdPCGIm0Kigvrscbj-Vz Learn the basics of Wi-Fi and more.
  • 10. The 20 Minute Getting Started Video Explains the Details. Please view the Aerohive Getting Started Videos: http://www.aerohive.com/330000/docs/help/english/cbt/Start.htm
  • 11. Aerohive Technical Documentation: All the latest technical documentation is available for download at http://www.aerohive.com/techdocs
  • 12. Aerohive Instructor Led Training: Aerohive Education Services offers a complete curriculum that provides you with the courses you will need as a customer or partner to properly design, deploy, administer, and troubleshoot all Aerohive WLAN solutions. Aerohive Certified WLAN Administrator (ACWA): first-level course. Aerohive Certified WLAN Professional (ACWP): second-level course. Aerohive Certified Network Professional (ACNP): switching/routing course. Aerohive Class Schedule: www.aerohive.com/training
  • 13. Over 20 books about networking have been written by Aerohive Employees: CWNA Certified Wireless Network Administrator Official Study Guide by David D. Coleman and David A. Westcott; CWSP Certified Wireless Security Professional Official Study Guide by David D. Coleman, David A. Westcott, Bryan E. Harkins and Shawn M. Jackman; CWAP Certified Wireless Analysis Professional Official Study Guide by David D. Coleman, David A. Westcott, Ben Miller and Peter MacKenzie; 802.11 Wireless Networks: The Definitive Guide, Second Edition by Matthew Gast; 802.11n: A Survival Guide by Matthew Gast; 802.11ac: A Survival Guide by Matthew Gast. Over 30 books about networking have been written by Aerohive Employees.
  • 14. Aerohive Exams and Certifications: Aerohive Certified Wireless Administrator (ACWA) is a first-level certification that validates your knowledge and understanding about the Aerohive Networks WLAN Cooperative Control Architecture (based upon the instructor-led course). Aerohive Certified Wireless Professional (ACWP) is the second-level certification that validates your knowledge and understanding about Aerohive advanced configuration and troubleshooting (based upon the instructor-led course). Aerohive Certified Network Professional (ACNP) is another second-level certification that validates your knowledge about Aerohive switching and branch routing (based upon the instructor-led course).
  • 15. Aerohive Forums: Aerohive's online community, HiveNation. Have a question, an idea or praise you want to share? Join the HiveNation Community, a place where customers, evaluators, thought leaders and students like yourselves can learn about Aerohive and our products while engaging with like-minded individuals. Please take a moment and register during class if you are not already a member of HiveNation. Go to http://community.aerohive.com/aerohive and sign up!
  • 16. Aerohive Social Media: The HiveMind Blog: http://blogs.aerohive.com. Follow us on Twitter: @Aerohive. Instructors: David Coleman @mistermultipath; Bryan Harkins @80211University; Gregor Vucajnk @GregorVucajnk; Metka Dragos @MetkaDragos. Please feel free to tweet about #Aerohive training during class.
  • 17. Aerohive Technical Support, General. I want to talk to somebody live: call us at 408-510-6100 / Option 2. We also provide service toll-free from within the US & Canada by dialing (866) 365-9918. Aerohive has Support Engineers in the US, China, and the UK, providing coverage 24 hours a day. How do I buy Technical Support? Support Contracts are sold on a yearly basis, with discounts for multi-year purchases. Customers can purchase Support in either 8x5 format or in a 24 hour format. I have different expiration dates on several Entitlement keys; may I combine all my support so it all expires on the same date? Your Aerohive Sales Rep can help you set up Co-Term, which allows you to select matching expiration dates for all your support.
  • 18. Aerohive Technical Support, The Americas. How do I reach Technical Support? Aerohive Technical Support is available 24 hours a day, via the Aerohive Support Portal or by calling. For the Support Portal, an authorized customer can open a Support Case. Communication is managed via the portal with new messages and replies. Once the issue is resolved, the case is closed, and can be retrieved at any time in the future. I want to talk to somebody live: for those who wish to speak with an engineer, call us at 408-510-6100 / Option 2. We also provide service toll-free from within the US & Canada by dialing (866) 365-9918. I need an RMA in The Americas: An RMA is generated via the Support Portal, or by calling our Technical Support group. After troubleshooting, should the unit require repair, we will overnight* a replacement to the US and Canada. Other countries are international. If the unit is DOA, it's replaced with a brand new item; if not, it is replaced with a like-new refurbished item. *Restrictions may apply: time of day, location, etc.
  • 19. Aerohive Technical Support, International. How do I get Technical Support outside The Americas? Aerohive international Partners provide dedicated Technical Support to their customers. The Partner has received specialized training on the Aerohive Networks product line, and has access to 24 hour internal Aerohive Technical Support via the Support Portal, or by calling 408-510-6100 / Option 2. I need an RMA internationally: World customers' defective units are quickly replaced by our Partners, and Aerohive replaces the Partner's stock once it arrives at our location. Partners are responsible for all shipping charges, duties, taxes, etc.
  • 20. Copyright Notice: Copyright 2014 Aerohive Networks, Inc. All rights reserved. Aerohive Networks, the Aerohive Networks logo, HiveOS, Aerohive AP, HiveManager, and GuestManager are trademarks of Aerohive Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies.
  • 21. QUESTIONS?
  • 22. SECTION 1: PLANNING AND DESIGNING YOUR NETWORK. Aerohive's Instructor-led Training.
  • 23. The Relationship between the OSI Model and Wi-Fi: Wi-Fi operates at layers one and two. Wireless LANs provide access to the distribution systems of wired networks. This allows users to have connections to wired network resources. (OSI layers: Application, Presentation, Session, Transport, Network, Data Link, Physical.)
  • 24. Where Wi-Fi Fits into the OSI Model, Physical Layer: Layer 1 (Physical) is the medium through which data is transferred. 802.3 uses cables; 802.11 uses the RF medium. Key term: Medium.
  • 25. Where Wi-Fi Fits into the OSI Model, Data Link Layer: Layer 2 (Data-Link). The MAC sublayer manages access to the physical medium. The LLC sublayer manages the flow of multiple simultaneous network protocols over the same network medium. Devices operating no higher than Layer 2 include network interface cards (NICs), Layer-2 Ethernet switches, and wireless access points. Frame layout: header with MAC addressing, data (layers 3-7), trailer with CRC.
  • 26. Amendments and Rates. Abbreviations: DSSS Direct Sequence Spread Spectrum; FHSS Frequency Hopping Spread Spectrum; OFDM Orthogonal Frequency Division Multiplexing; HT High Throughput; VHT Very High Throughput; SISO Single Input, Single Output; MIMO Multiple Input, Multiple Output.
    Standard      | Supported Data Rates     | 2.4 GHz | 5 GHz | RF Technology | Radios
    802.11 legacy | 1, 2 Mbps                | Yes     | No    | FHSS or DSSS  | SISO
    802.11b       | 1, 2, 5.5 and 11 Mbps    | Yes     | No    | HR-DSSS       | SISO
    802.11a       | 6 - 54 Mbps              | No      | Yes   | OFDM          | SISO
    802.11g       | 6 - 54 Mbps              | Yes     | Yes   | OFDM          | SISO
    802.11n       | 6 - 600 Mbps             | Yes     | Yes   | HT            | MIMO
    802.11ac      | Up to 3.46 Gbps*         | No      | Yes   | VHT           | MIMO
    *First generation 802.11ac chipsets support up to 1.3 Gbps.
  • 27. Class Scenario: You have been tasked with designing the WLAN for a new building that has two floors, each 200 feet in length. Employees and Guests require high data rate connectivity. Your customer plans to implement a voice over WLAN solution in the future as well. This is an office environment, although the customer has already purchased AP350s for the deployment. Many commercial products exist for predictive coverage planning, for example AirMagnet, Ekahau and Tamosoft. For this deployment the customer is using Aerohive's free planner tool.
  • 28. Defining the Lab: Information Gathering (Site Survey); Types of Environments; Client device types to be used; Applications to be used; Expected Growth vs. Current Needs; Aerohive Devices to be used; Mounting Concerns; Coverage vs. Capacity Planning; Device Density; Security (Enterprise and Guest use); Using the Aerohive Planning Tool; Questions.
  • 29. Every Environment is different: Education (K-12 Public and Private Schools, University School Facilities, Campus Housing); Health Care (Hospital, Assisted Living); Retail (Stores, Offices, Warehousing); Corporate Offices; Logistics (Ground Freight, Air Freight); Public Sector (Emergency Services, Civic Offices); Outdoor Use (Bridges, Mesh, Public Access); Questions.
  • 30. Devices and Applications. Devices: Laptops, Wi-Fi Phones, Wi-Fi Enabled Cell Phones, Barcode Scanners, Tablets, Point of Sale Systems, BYOD. Infrastructure: Access Points, Switches, Routers. Applications: Internet Only, Point of Sale Applications, Medical Applications, Voice, Mobile Applications, Standardized Testing, Productivity Applications, Custom Applications. Knowing the device types and applications to be used will greatly assist you in planning and deploying successful networking solutions.
  • 31. Lab: Planning a Wireless Network, 1. Connect to the Hosted Training HiveManager: Securely browse to the appropriate HiveManager for class. TRAINING LAB 1: https://training-hm1.aerohive.com (https://72.20.106.120). TRAINING LAB 2: https://training-hm2.aerohive.com (https://72.20.106.66). TRAINING LAB 3: https://training-hm3.aerohive.com (https://209.128.124.220). TRAINING LAB 4: https://training-hm4.aerohive.com (https://203.214.188.200). TRAINING LAB 5: https://training-hm5.aerohive.com (https://209.128.124.230). Supported browsers: Firefox, Internet Explorer, Chrome, Safari. Class login credentials: Login: adminX (X = Student ID 2 - 29); Password: aerohive123. NOTE: In order to access the HiveManager, someone at your location needs to enter the training firewall credentials given to them by the instructor first.
  • 32. Lab: Planning a Wireless Network, 2. Formatting your Plan Building: Click on the Maps tab; expand World in the Navigation pane; expand Planner Maps in the Navigation pane; expand 0X Plan Building (where 0X is your student number); click on Floor 1.
  • 33. Lab: Planning a Wireless Network, 3. Formatting your Plan Building: To scale the map, move one red crosshair over the far left of the building image and the other to the far right of the building image; in the Scale Map section, use the drop-down arrow to select feet; enter a value of 200 feet and click the Update button.
  • 34. Lab: Planning a Wireless Network, 4. Formatting your Plan Building: Click on the Walls tab; click the Draw Perimeter button; click the upper left corner of your building image to begin tracing the perimeter of your floor; move the cursor (+) clockwise and click and release on each of the remaining corners; when you are back at the first corner, double-click to close the perimeter.
  • 35. Lab: Planning a Wireless Network, 5. Formatting your Plan Building: Click the drop-down arrow next to Wall Type and select any of the material types you would like to use; click the / icon and trace over a few walls; click the drop-down arrow next to Wall Type again and select another material type; click the / icon and trace over a few different walls.
  • 36. 802.11n, 802.11ac and MIMO radios (Transmit x Receive : Spatial Streams): Aerohive AP 141 2x2:2; Aerohive AP 350 3x3:3; iPhone 1x1:1; iPad 1x1:1.
  • 37. Aerohive AP Platforms. AP170: outdoor, water proof (IP 68), 2x2:2 300 Mbps 11n high power radios, 1X Gig.E, -40 to 55C, PoE (802.3at), N/A. AP390: indoor industrial, dual radio 802.11ac/n, 3x3:3 450 + 1300 Mbps high power radios, 2X Gig.E w/ PoE failover, plenum/dust proof, -20 to 55C. AP230, AP121, AP330, AP350, AP141, AP370* (features as listed on the slide): dual radio 802.11n; 2X Gig.E with 10/100 link aggregation; -20 to 55C; 0 to 40C; 3x3:3 450 Mbps high power radios; TPM security chip; PoE (802.3af + 802.3at) and AC power; indoor industrial; indoor plenum/dust; plenum rated; 1X Gig.E; 2x2:2 300 Mbps high power radios; USB for 3G/4G modem; USB for future use; indoor; 2X Gig.E w/ link aggregation; plenum rated; 0 to 40C. *AP370 includes 5 GHz transmit beamforming and in 2.4 GHz has TurboQAM.
  • 38. Lab: Planning a Wireless Network, 6. Formatting your Plan Building: Click the Planned APs tab; click the drop-down arrow next to AP Type and select the AP350; leave the Channel and Power settings as default; click the Add AP button.
  • 39. Lab: Planning a Wireless Network, 7. Formatting your Plan Building: Examine the predicted coverage provided by a single AP of the type you selected earlier; click and drag the AP to another location and observe the predicted coverage in the new location; click the Remove All APs button; click Yes to confirm the removal.
  • 40. dBm and mW conversions (scale from Very Strong through Great, Weak and Do not care to No Signal):
    +30 dBm = 1000 mW (1 Watt)
    +20 dBm = 100 mW (1/10th of 1 Watt)
    +10 dBm = 10 mW (1/100th of 1 Watt)
    0 dBm = 1 mW (1/1,000th of 1 Watt)
    -10 dBm = 0.1 mW (1/10th of 1 milliwatt)
    -20 dBm = 0.01 mW (1/100th of 1 milliwatt)
    -30 dBm = 0.001 mW (1/1,000th of 1 milliwatt)
    -40 dBm = 0.0001 mW (1/10,000th of 1 milliwatt)
    -50 dBm = 0.00001 mW (1/100,000th of 1 milliwatt)
    -60 dBm = 0.000001 mW (1 millionth of 1 milliwatt)
    -70 dBm = 0.0000001 mW (1 ten-millionth of 1 milliwatt)
    -80 dBm = 0.00000001 mW (1 hundred-millionth of 1 milliwatt)
    -90 dBm = 0.000000001 mW (1 billionth of 1 milliwatt)
    -95 dBm = 0.0000000002511 mW (noise floor)
    Notes below.
  • 41. Dynamic Rate Switching: 11 Mbps DSSS (highest rate), 5.5 Mbps DSSS (higher rate), 2 Mbps DSSS (higher rate), 1 Mbps DSSS (lowest rate). To use higher data rates a station requires a stronger signal from the AP. As stations move they adjust the data rate used in order to remain connected (moving away) or to achieve a better signal (moving closer).
  • 42. Interference and Signal to Noise Ratio: Based on the SNR, the client and AP negotiate a data rate at which to send the packet, so the higher the SNR the better. For good performance, the SNR should be greater than 20 dB. For optimal performance, the SNR should be at least 25 dB. Signal Strength - Noise Level = SNR. Great: -70 dBm - (-95 dBm) = 25 dB. Poor: -70 dBm - (-80 dBm) = 10 dB. Notes below.
  • 43. Planning Coverage for Different Scenarios: -80 dBm Basic Connectivity; -70 dBm High Speed Connectivity; -67 dBm Voice; -62 dBm Location Tracking (RTLS). When planning you should always take into consideration future uses of Wi-Fi and projected growth.
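The dBm table, the SNR arithmetic and the coverage targets above can be put into running form. This is an added example, not code from the Aerohive course material; the function names and the dictionary of planning targets are my own, with the thresholds taken from the slides.

```python
import math

# Coverage targets from the "Planning Coverage for Different Scenarios" slide (dBm).
COVERAGE_TARGETS = {
    "basic connectivity": -80,
    "high speed connectivity": -70,
    "voice": -67,
    "location tracking (RTLS)": -62,
}


def dbm_to_mw(dbm):
    """dBm -> milliwatts: 0 dBm is 1 mW, and every +10 dB multiplies the power by 10."""
    return 10 ** (dbm / 10)


def mw_to_dbm(mw):
    """milliwatts -> dBm (inverse of dbm_to_mw)."""
    if mw <= 0:
        raise ValueError("power must be positive")
    return 10 * math.log10(mw)


def snr_db(signal_dbm, noise_dbm):
    """SNR in dB is signal minus noise floor; both are already logarithmic (dBm)."""
    return signal_dbm - noise_dbm


def snr_rating(snr):
    """Thresholds from the SNR slide: at least 25 dB optimal, above 20 dB good, else poor."""
    if snr >= 25:
        return "optimal"
    if snr > 20:
        return "good"
    return "poor"


def supported_applications(signal_dbm):
    """Applications whose planning target the measured level meets (a larger dBm is stronger)."""
    return [app for app, target in COVERAGE_TARGETS.items() if signal_dbm >= target]


def link_report(signal_dbm, noise_dbm):
    """Combine the pieces the way a site-survey note would."""
    snr = snr_db(signal_dbm, noise_dbm)
    return {
        "signal_mw": dbm_to_mw(signal_dbm),
        "snr_db": snr,
        "rating": snr_rating(snr),
        "applications": supported_applications(signal_dbm),
    }


if __name__ == "__main__":
    # The two worked cases from the SNR slide: the same -70 dBm signal over two noise floors.
    for noise in (-95, -80):
        print(f"signal -70 dBm, noise {noise} dBm:", link_report(-70, noise))
```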
  • 44. Lab: Planning a Wireless Network, 8. Formatting your Plan Building: Click the Auto Placement tab; using the drop-down arrow next to Application, select Voice; ensure that the Signal Strength is set to -67 dBm; click the Auto Place APs button; observe the coverage patterns and move APs as needed to create a hole in the coverage if needed.
  • 45. Lab: Planning a Wireless Network, 9. Formatting your Plan Building: Click the Planned APs tab; click the Add AP button; observe the new planned AP filling in a hole in coverage.
  • 46. Lab: Planning a Wireless Network, 10. Formatting your Plan Building: In the Navigation pane, right-click on your Floor 1 and select Clone; name your clone Floor 2; click the Create button.
  • 47. Lab: Planning a Wireless Network, Multiple Floors: What if there are multiple floors? Not all buildings are symmetrical. If you have multiple floors you can adjust the X and Y coordinates to align the floors. Use an anchor point such as an elevator shaft to align the floors.
  • 48. Lab: Planning a Wireless Network, 11. Formatting your Plan Building: In the Navigation pane, click Floor 2; click the Auto Placement tab; click the Auto Place APs button; observe the device placement.
  • 49. Lab: Planning a Wireless Network, 12. Formatting your Plan Building: In the Navigation pane, click on 0X Plan Building (where 0X is your student number); observe the placement and channel selection of the Planned APs on both floors. Remember RF signals propagate in three dimensions, not just two. Planning should take this into account for AP placement.
  • 50. Lab: Planning a Wireless Network, 13. Formatting your Plan Building: Click Floor 1 and then click on the View tab; uncheck RSSI and check Channels; change the Band to 2.4 GHz; observe the predicted channel coverage.
  • 51. 2.4 GHz Channels Used for 802.11b/g/n: Channels 1, 6, and 11 are the only non-overlapping channels between channels 1 and 11. Using channels that overlap may cause CRC errors and other wireless interference and errors. If you are in a country that has channels 1-13 or 14 available, you may still want to use 1, 6, and 11 for compatibility with mobile users from other countries.
  • 52. Channel Reuse Pattern: In this plan only the non-overlapping channels 1, 6 and 11 are used.
  • 53. Adjacent Cell Interference: Improper designs use overlapping channels in the same physical area.
  • 54. Co-Channel Interference/Cooperation: Improper design using the same channel on all APs in the same physical area.
  • 55. Lab: Planning a Wireless Network, 14. Formatting your Plan Building: Change the Band from 2.4 GHz to 5 GHz; observe the predicted channel coverage.
  • 56. 5 GHz Channels Used for 802.11a/n/ac: The 5 GHz spectrum has more non-overlapping channels available. Channels increment by 4 starting with channel 36. The available 5 GHz channels vary greatly by country, and some are enabled only if the AP complies with DFS. The 5 GHz UNII-2 and UNII-2 Extended bands are enabled with DFS compliance.
  • 57. Channel Reuse Plan, 5 GHz: 8-channel reuse plan using the channels in UNII-1 and UNII-3.
  • 58. Quick and Easy mounting scheme of the 300 series now on the 121/141: All AP121/141 and AP330/350 mountings are identical. All AP121/141 and AP330/350 power adaptors are identical. Note: Always use the mounting security screw.
  • 59. New Accessory: Suspend mount kits.
  • 60. New Accessory: Plenum mount kit.
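The channel rules above (1/6/11 in 2.4 GHz, 20 MHz channels stepping by 4 in 5 GHz, DFS gating UNII-2 and UNII-2 Extended) can be turned into a small plan audit that flags the adjacent-cell and co-channel mistakes of slides 53 and 54. This is an added example, not Aerohive's planner code; the AP layout is constructed, and the 22 MHz DSSS channel width and UNII channel lists are standard 802.11 values, not taken from the slides.

```python
from itertools import combinations
import math

# Channel groups behind the 2.4 GHz and 5 GHz channel slides.
NON_OVERLAPPING_24GHZ = (1, 6, 11)
UNII1 = (36, 40, 44, 48)                 # no DFS needed
UNII2 = (52, 56, 60, 64)                 # DFS required
UNII2E = tuple(range(100, 145, 4))       # 100..144, DFS required
UNII3 = (149, 153, 157, 161, 165)        # no DFS needed
DSSS_CHANNEL_WIDTH_MHZ = 22              # 802.11b channel width (standard value, assumed here)


def center_frequency_mhz(channel):
    """Center frequency of a 2.4 GHz (1-14) or 5 GHz (36-165) channel number."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    if 36 <= channel <= 165:
        return 5000 + 5 * channel
    raise ValueError(f"unknown channel {channel}")


def band(channel):
    return "2.4" if channel <= 14 else "5"


def channels_overlap(a, b):
    """True when cells on these two channels would interfere with each other."""
    if band(a) != band(b):
        return False
    if a == b:
        return True                      # co-channel
    if band(a) == "5":
        return False                     # 20 MHz channels 20 MHz apart do not overlap
    # 2.4 GHz centers are 5 MHz apart but channels are 22 MHz wide:
    # 1 and 6 (25 MHz apart) are clear, 1 and 5 (20 MHz apart) are not.
    return abs(center_frequency_mhz(a) - center_frequency_mhz(b)) < DSSS_CHANNEL_WIDTH_MHZ


def available_5ghz_channels(dfs_allowed):
    """Channels a planner may use; UNII-2 and UNII-2e only when DFS is supported and permitted."""
    channels = UNII1 + UNII2 + UNII2E + UNII3 if dfs_allowed else UNII1 + UNII3
    return tuple(sorted(channels))


def audit_plan(aps, cell_radius_ft):
    """Report AP pairs whose cells touch (distance < 2 * radius) on interfering channels.

    aps: list of (name, x_ft, y_ft, channel). Returns (ap1, ap2, kind) tuples where kind
    is 'co-channel' (slide 54) or 'adjacent-channel' (slide 53).
    """
    findings = []
    for (n1, x1, y1, c1), (n2, x2, y2, c2) in combinations(aps, 2):
        distance = math.hypot(x1 - x2, y1 - y2)
        if distance >= 2 * cell_radius_ft or not channels_overlap(c1, c2):
            continue
        findings.append((n1, n2, "co-channel" if c1 == c2 else "adjacent-channel"))
    return findings


# Constructed 200 ft floor: four APs in a row, 50 ft apart, 40 ft cell radius.
GOOD_PLAN = [("AP1", 25, 50, 1), ("AP2", 75, 50, 6), ("AP3", 125, 50, 11), ("AP4", 175, 50, 1)]
BAD_PLAN = [("AP1", 25, 50, 1), ("AP2", 75, 50, 3), ("AP3", 125, 50, 6), ("AP4", 175, 50, 6)]

if __name__ == "__main__":
    print("good plan findings:", audit_plan(GOOD_PLAN, 40))
    print("bad plan findings:", audit_plan(BAD_PLAN, 40))
    print("non-DFS 5 GHz channels:", available_5ghz_channels(False))
```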
  • 61. Antenna Patterns and Gain: Aerohive AP 390, 350 and 141 external omnidirectional antennas radiate equally in all directions, forming a toroidal (donut-shaped) pattern. Aerohive AP 370, 330, 121, and 110 internal antennas form a cardioid (heart-shaped) pattern. By using a directional antenna, the power that you see with an omnidirectional antenna can be redistributed to provide more radiated power in a certain direction, called gain. In this case the power is not increased; instead it is redistributed to provide more gain in a certain direction. (Figures: Aerohive AP350; Aerohive AP330, 121, 110.)
  • 62. AP 141 MIMO Antenna Alignment: With external omnidirectional antennas, the positioning of the antennas helps with de-correlation of spatial streams, which is critical to maintaining high data rates.
  • 63. AP 350 MIMO Antenna Alignment: With external omnidirectional antennas, the positioning of the antennas helps with de-correlation of spatial streams, which is critical to maintaining high data rates.
  • 64. Indoor 5 GHz MIMO Patch Antenna: 120 degree beamwidth; 5 dBi gain; 3x3 MIMO patch; use with AP-350; use with AP-141 (middle connector not used with AP-141). For high user density deployments, indoor patch antennas are recommended for sectorized coverage. For example, the patch antennas can be mounted from the ceiling to provide unidirectional coverage in an auditorium.
  • 65. Outdoor 5 GHz MIMO Patch Antenna: 17 degree beamwidth; 18 dBi gain; 2x2 MIMO patch; use with AP-170. Outdoor patch antennas are well suited for point-to-point connections between buildings.
  • 66. QUESTIONS?
  • 67. SECTION 2: HIVEMANAGER OVERVIEW. Aerohive's Instructor-led Training.
  • 68. What is HiveManager? We have completed the predictive model and have deployed and physically mounted the APs. Now we need a way to centrally manage the WLAN. We will use Aerohive's network management server (NMS), called HiveManager. HiveManager can be used to monitor, configure and update the WLAN. HiveManager can be deployed as a public cloud solution or as a private cloud solution (on premise). The on-premise HiveManager is available in different form factors. Aerohive devices use an IP discovery process to locate on-premise HiveManagers. A redirector service is used to guide Aerohive devices to the public cloud HiveManager. HiveManager uses CAPWAP as the protocol to monitor and manage Aerohive devices.
  • 69. HiveManager Form Factors. Common to all: SW config & policy, RF planning, reporting, SLA compliance, guest management, troubleshooting, spectrum analysis. HiveManager Online: scalable multi-tenant platform, redundant data centers with diversity, backup & recovery, zero-touch device provisioning, flexible expansion, on-demand upgrades, pay as you grow. HiveManager On-Premise, VA: VMware ESX & Player, HA redundancy, 5000 APs with minimum configuration. HiveManager On-Premise Appliance: redundant power & fans, HA redundancy, 8000 APs and devices.
  • 70. On-Premise Virtual Appliance, VMware Server Hardware Requirements: You can also install VMware Workstation or VMware Fusion (Mac version) on your computer, and then install the HiveManager Virtual Appliance. Processor: Dual Core 2 GHz or better. Memory: 3 GB dedicated to the HiveManager Virtual Appliance; at least 1 GB for the computer hosting it. Disk: 60 GB dedicated to the HiveManager Virtual Appliance. Support for VMware Tools in version 6.1r3 and higher. For more information please reference the HiveManager Virtual Appliance QuickStart Guide.
  • 71. HiveManager Virtual Appliance Software: The HiveManager Virtual Appliance software is available from two sources. USB flash drive delivered to you by Aerohive: connect the drive to a USB port on your host or VMware ESXi server and follow the procedure for "Installing the HiveManager Virtual Appliance" on page 3 of the HiveManager Virtual Appliance QuickStart Guide to import the .ova file to your VMware ESXi server. Software download from the Aerohive Support Software Downloads portal: log in to the Aerohive Support Software Downloads portal, download the HiveManager Virtual Appliance OVA-formatted file to your local directory, and follow the procedure for "Installing the HiveManager Virtual Appliance" on page 3 of the HiveManager Virtual Appliance QuickStart Guide to import the .ova file to your VMware ESXi hypervisor server.
  • 72. HiveManager Virtual Appliance Software: The .ova (Open Virtual Appliance) formatted files are available in both 32-bit and 64-bit format and are ready for import to your VMware ESXi hypervisor server. In the following example, the HiveManager release 6.1r3 files available on the Aerohive Support Software Downloads portal are shown: HM-6.1r3-32bit-ESXi6.1r3, HiveManager 32-bit Virtual Appliance ESXi in Open Virtual Appliance format; HM-6.1r3-64bit-ESXi6.1r3, HiveManager 64-bit Virtual Appliance ESXi in Open Virtual Appliance format.
  • 73. On-Premise HiveManager Appliance.
  • 74. On-Premise HiveManager Databases.
  • 75. HiveManager Online (HMOL): Customers can manage Aerohive devices from the cloud using their HMOL accounts. http://myhive.aerohive.com
  • 76. MyHive Aerohive AP Redirection Server: MyHive is a secure site that allows you to log in once and then navigate to HiveManager Online. The Redirector/Staging Server is built inside of your HMOL account. New HMOL accounts will also have the ability for a 30-day free trial of ID Manager.
  • 77. HiveManager Online (HMOL): The Super-User administrator for your HMOL account has the ability to create additional admins with other access rights.
  • 78. MyHive Aerohive Device Redirector Server: The redirector is used to tie your devices to your HMOL account. From Monitor > All Devices > Device Inventory, select Add.
  • 79. MyHive Aerohive Device Redirector Server: Simply enter the serial number of your APs, routers, switches and Virtual Appliances. Once the serial number is entered into the Redirector (Staging Server), your devices will be permanently tied to your HMOL account. You can also import a CSV file with multiple serial numbers.
  • 80. MyHive Aerohive AP Redirection Server: Devices that have not yet made a CAPWAP connection with HMOL will display under the Unmanaged Devices tab. Once devices make a CAPWAP connection with HMOL, they will be displayed under Managed Devices.
  • 81. Aerohive Device Redirection Services for HiveManager Online: APs and routers contact the Aerohive Redirector at myhive.aerohive.com; serial numbers are entered into the redirector.
  • 82. On-Premise HiveManager Discovery (APs, Routers and Switches Locate HiveManager): In order for Aerohive devices to communicate with an on-premise HiveManager, they must know the on-premise HiveManager IP address. The HiveManager address can be statically configured or dynamically learned. Static CLI configuration: capwap client server name <ip address>, then save config. Dynamic IP discovery: DHCP options; DNS query; L2 broadcast (can be disabled); Redirector.
  • 83. On-Premise HiveManager Discovery, DHCP/DNS Server: 1. DHCP Request. 2. DHCP Response: IP, domain, and DHCP options returned; optionally Option 225 (HM Name): hm1.yourdomain and Option 226 (HM IP): 2.1.1.10. 3. If option 225 was received, the device performs a DNS lookup for the HM name received; otherwise the device performs a DNS lookup for hivemanager.yourdomain. If option 226 was received, the device sends the CAPWAP traffic to the IP address of HiveManager. 4. DNS response for hivemanager.yourdomain or hm1.yourdomain = 2.1.1.10 (for example).
  • 84. On-Premise HiveManager Discovery, continued: 5. CAPWAP UDP port 12222 to IP 2.1.1.10. 6. If UDP fails: CAPWAP TCP port 80 to IP 2.1.1.10. 7. If no DHCP option or DNS option is returned, or no IP is found: CAPWAP broadcast UDP 12222. 8. If no response: CAPWAP broadcast TCP 80. 9. If no responses: CAPWAP UDP port 12222 to the IP address of staging.aerohive.com; if no response, try CAPWAP TCP port 80 to the IP address of staging.aerohive.com. HiveManager 2.1.1.10 (example) may be a HiveManager Online, a HiveManager Virtual Appliance (VA), or a 1U or 2U appliance.
  • 85. Redirector Account for On-Premise HM: A free account is available from Aerohive support. Go to myhive.aerohive.com and log in with the redirector account provided by Aerohive; you can then redirect your devices to an on-premise HiveManager. Ask Aerohive support for the required separate HiveManager redirection username account.
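The discovery order in slides 82 through 88 (static server, DHCP options 226/225, the default DNS name, CAPWAP over UDP 12222 then TCP 80, L2 broadcast, staging.aerohive.com and the redirector, then a restart) is easiest to reason about as a state machine. Here it is as an added example that is not Aerohive's HiveOS code: the LabNetwork class is a constructed stand-in for the DHCP, DNS and CAPWAP endpoints, the trace strings are my own, and the example addresses come from the slides or reserved documentation ranges.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

CAPWAP_UDP_PORT = 12222
CAPWAP_TCP_PORT = 80
DHCP_OPTION_HM_NAME = 225
DHCP_OPTION_HM_IP = 226
STAGING_HOST = "staging.aerohive.com"
CAPWAP_TRANSPORTS = (("udp", CAPWAP_UDP_PORT), ("tcp", CAPWAP_TCP_PORT))


@dataclass
class LabNetwork:
    """Constructed stand-in for everything the device talks to during discovery."""
    domain: str
    dhcp_options: dict = field(default_factory=dict)    # option number -> value
    dns: dict = field(default_factory=dict)             # hostname -> IP
    listeners: set = field(default_factory=set)         # (ip, proto) pairs answering CAPWAP
    broadcast_responder: Optional[tuple] = None         # (ip, proto) answering an L2 broadcast
    l2_broadcast_enabled: bool = True                   # the slide notes broadcast can be disabled
    redirector_target: Optional[str] = None             # standalone HM in the redirector account


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def _try_capwap(net, ip, trace):
    """Steps 5-6: CAPWAP over UDP 12222 first, then over TCP 80 if UDP gets no answer."""
    for proto, port in CAPWAP_TRANSPORTS:
        trace.append(f"CAPWAP {proto.upper()} {port} -> {ip}")
        if (ip, proto) in net.listeners:
            return (ip, proto, port)
    return None


def _candidate_from_dhcp_dns(net, trace):
    """Steps 2-4: option 226 wins; else resolve option 225 or the default hivemanager.<domain>."""
    if DHCP_OPTION_HM_IP in net.dhcp_options:
        ip = net.dhcp_options[DHCP_OPTION_HM_IP]
        trace.append(f"DHCP option 226 -> {ip}")
        return ip
    name = net.dhcp_options.get(DHCP_OPTION_HM_NAME, f"hivemanager.{net.domain}")
    ip = net.dns.get(name)
    trace.append(f"DNS lookup {name} -> {ip}")
    return ip


def discover_hivemanager(net, static_server=None, max_rounds=2):
    """Walk the slide's discovery order; return ((ip, proto, port) or None, trace)."""
    trace = []
    for _ in range(max_rounds):
        # A static 'capwap client server name' setting is used before dynamic discovery.
        if static_server:
            ip = static_server if _is_ip(static_server) else net.dns.get(static_server)
            trace.append(f"static server {static_server} -> {ip}")
        else:
            ip = _candidate_from_dhcp_dns(net, trace)
        if ip:
            hit = _try_capwap(net, ip, trace)
            if hit:
                return hit, trace
        # Steps 7-8: L2 broadcast, UDP then TCP, unless broadcast discovery is disabled.
        if net.l2_broadcast_enabled:
            for proto, port in CAPWAP_TRANSPORTS:
                trace.append(f"CAPWAP broadcast {proto.upper()} {port}")
                if net.broadcast_responder and net.broadcast_responder[1] == proto:
                    return (net.broadcast_responder[0], proto, port), trace
        # Step 9: staging.aerohive.com; step 12: connect to the HM the redirector returns.
        staging_ip = net.dns.get(STAGING_HOST)
        if staging_ip and _try_capwap(net, staging_ip, trace) and net.redirector_target:
            target = net.redirector_target
            target_ip = target if _is_ip(target) else net.dns.get(target)
            trace.append(f"redirector -> {target} ({target_ip})")
            if target_ip:
                hit = _try_capwap(net, target_ip, trace)
                if hit:
                    return hit, trace
        # Step 13: nothing answered (or no redirector account), so the whole process restarts.
        trace.append("restart discovery")
    return None, trace


if __name__ == "__main__":
    lab = LabNetwork("yourdomain", dhcp_options={DHCP_OPTION_HM_NAME: "hm1.yourdomain"},
                     dns={"hm1.yourdomain": "2.1.1.10"}, listeners={("2.1.1.10", "tcp")})
    result, steps = discover_hivemanager(lab)
    print(result)
    print("\n".join(steps))
```

Reading the trace for a device that ends up at staging.aerohive.com, or at an address that DHCP or DNS handed it unexpectedly, is the quickest way to see which discovery source a production network is actually relying on.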
Redirector Account for On-Premise HM: Configure Standalone HiveManager
- To add a standalone HiveManager account, click Configure Standalone HM.
- Enter a public hostname or IP address for your HiveManager.
- Optionally change the Connection Protocol to TCP if required.
- Click Save.

Redirector Account for On-Premise HM: Enter Device Serial Numbers
- To add device serial numbers so they can be redirected, click Device Access Control List, then Enter ACL.
- Category: Standalone HM.
- Enter your 14-digit serial numbers, one per line, for example:
    00112233445566
    00112233445567
    00112233445568
    00112233445569
- Click Save.

On-Premise HiveManager Discovery, continued: the Redirector
- APs and routers reach the Aerohive Redirector, which points them at your private cloud or company HiveManager, hm1.yourdomain (this requires a standalone redirector account).
12. The device connects to the HM returned by the redirector: hm1.yourdomain.
13. Finally, if the redirector is not configured, the complete discovery process restarts.

HiveManager DNS A Record (example with Microsoft 2003 DNS)
- On your DNS server, create a DNS Host record with the IP address of the HiveManager. A host record creates an A record, and you can select the option to automatically create the reverse (PTR) record as well.

Management Protocols and Device Updates
- Aerohive device to Aerohive device management traffic (the cooperative control protocols AMRP, DNXP, INXP and ACSP) is encrypted with the Hive key. Cooperative control is discussed later in the class.
- Aerohive device to HiveManager management traffic:
  - CAPWAP: UDP port 12222 (default) or TCP ports 80 and 443 (HTTP/HTTPS encapsulation)
  - SCP: port 22
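The discovery sequence above has many fallbacks, and which one a device ends up on decides which HiveManager it trusts. The following is an added model, not Aerohive code, that reproduces the decision order the slides give (static CLI server, DHCP options 225/226, DNS, L2 broadcast, staging.aerohive.com, then the redirector) with the UDP 12222 then TCP 80 ordering, so each fallback can be traced offline against constructed DHCP, DNS and CAPWAP answers. The callback names, the placeholder staging address 203.0.113.10 and the choice to try the option 226 address before the DNS answer are assumptions of this model.

```python
"""Trace of the HiveManager discovery order described on the slides above.

Added example, not Aerohive code. Callback names, the placeholder staging
address 203.0.113.10 and trying the option 226 address before the DNS
answer are assumptions of this model.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

CAPWAP_UDP = 12222              # default CAPWAP transport
CAPWAP_TCP = 80                 # HTTP-encapsulated fallback
STAGING = "staging.aerohive.com"
BROADCAST = "255.255.255.255"


@dataclass
class Attempt:
    target: str
    proto: str
    port: int


@dataclass
class Result:
    hivemanager: Optional[str]               # address that answered CAPWAP
    attempts: List[Attempt] = field(default_factory=list)
    restarted: bool = False                  # True when discovery must start over


Probe = Callable[[Attempt], Optional[str]]   # simulated CAPWAP probe: responder or None
Resolve = Callable[[str], Optional[str]]     # simulated DNS A lookup


def _udp_then_tcp(target: str, probe: Probe, attempts: List[Attempt]) -> Optional[str]:
    """Steps 5-6: UDP 12222 first; TCP 80 only if UDP gets no answer."""
    for proto, port in (("udp", CAPWAP_UDP), ("tcp", CAPWAP_TCP)):
        attempt = Attempt(target, proto, port)
        attempts.append(attempt)
        responder = probe(attempt)
        if responder:
            return responder
    return None


def discover(static_server: Optional[str], dhcp: Dict, resolve: Resolve, probe: Probe,
             redirector: Callable[[], Optional[str]], broadcast_enabled: bool = True) -> Result:
    attempts: List[Attempt] = []
    # A static 'capwap client server name ...' takes precedence over discovery.
    if static_server:
        hm = _udp_then_tcp(static_server, probe, attempts)
        if hm:
            return Result(hm, attempts)
    # Steps 2-4: option 226 carries the HM IP; option 225 carries a name to
    # look up, otherwise the device looks up hivemanager.<dhcp domain>.
    candidates: List[str] = []
    if dhcp.get(226):
        candidates.append(dhcp[226])
    name = dhcp.get(225) or (f"hivemanager.{dhcp['domain']}" if dhcp.get("domain") else None)
    addr = resolve(name) if name else None
    if addr and addr not in candidates:
        candidates.append(addr)
    for addr in candidates:
        hm = _udp_then_tcp(addr, probe, attempts)
        if hm:
            return Result(hm, attempts)
    # Steps 7-8: no option, no DNS answer or no reply: L2 broadcast (can be disabled).
    if broadcast_enabled:
        hm = _udp_then_tcp(BROADCAST, probe, attempts)
        if hm:
            return Result(hm, attempts)
    # Step 9: staging.aerohive.com; steps 12-13: follow the redirector's answer.
    staging_ip = resolve(STAGING)
    if staging_ip and _udp_then_tcp(staging_ip, probe, attempts):
        target = redirector()                 # standalone HM entered in the redirector ACL
        target_ip = resolve(target) if target else None
        if target_ip:
            hm = _udp_then_tcp(target_ip, probe, attempts)
            if hm:
                return Result(hm, attempts)
    return Result(None, attempts, restarted=True)


def make_probe(udp_listeners: set) -> Probe:
    """Constructed environment: only these addresses answer, and only over UDP."""
    def probe(attempt: Attempt) -> Optional[str]:
        if attempt.proto == "udp" and attempt.target in udp_listeners:
            return attempt.target
        return None
    return probe


def scenario_dhcp_option_226() -> Result:
    """Lab-style network: option 226 hands out the HM address directly."""
    dns = {"hivemanager.yourdomain": "10.5.1.20"}
    return discover(None, {226: "10.5.1.20", "domain": "yourdomain"}, dns.get,
                    make_probe({"10.5.1.20"}), redirector=lambda: None)


def scenario_redirector() -> Result:
    """No DHCP option and no hivemanager.<domain> record: broadcast fails, so the
    device reaches staging.aerohive.com and is redirected to hm1.yourdomain."""
    dns = {STAGING: "203.0.113.10", "hm1.yourdomain": "10.5.1.20"}
    return discover(None, {"domain": "yourdomain"}, dns.get,
                    make_probe({"203.0.113.10", "10.5.1.20"}),
                    redirector=lambda: "hm1.yourdomain")


def scenario_unconfigured() -> Result:
    """Nothing configured anywhere: the redirector has no entry, so discovery restarts."""
    dns = {STAGING: "203.0.113.10"}
    return discover(None, {}, dns.get, make_probe({"203.0.113.10"}), redirector=lambda: None)


if __name__ == "__main__":
    for scenario in (scenario_dhcp_option_226, scenario_redirector, scenario_unconfigured):
        r = scenario()
        trail = " -> ".join(f"{a.proto}/{a.port} {a.target}" for a in r.attempts)
        print(f"{scenario.__name__}: hm={r.hivemanager} restarted={r.restarted}\n  {trail}")
```

Running the three scenarios shows the practical point: a device that cannot resolve hivemanager.yourdomain falls through broadcast to staging.aerohive.com, and only an entry in your redirector ACL brings it back to the intended HiveManager. Configuring the static server or the DHCP options keeps devices on the first branch, and the broadcast_enabled flag shows what changes when L2 broadcast is disabled.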
Aerohive Device Configuration Updates
- Complete Upload (DRAM running config; flash permanent storage):
  1. Over CAPWAP, HiveManager tells the Aerohive AP to fetch its configuration with SCP.
  2. The AP uses SCP to get the configuration file from HiveManager and stores it in flash.
  3. The AP must be rebooted to activate the new configuration.
- Delta Upload (DRAM running config; flash permanent storage):
  1. Over CAPWAP, HiveManager obtains the configuration from the AP and compares it with its database.
  2. Over CAPWAP, HiveManager sends the delta configuration changes directly to RAM, where they are activated immediately; the running configuration is then saved to flash.

Cooperative Control Protocols (in-depth information is in section 16)
- A Hive is cooperative control for a group of Hive devices that share the same Hive name and Hive password. There is no limit to the number of Hive devices in a single Hive.
- Aerohive APs in a Hive cooperate with each other using Aerohive's cooperative control protocols:
  - AMRP (Aerohive Mobility Routing Protocol): Layer 2 and Layer 3 roaming, load balancing, band steering, Layer 2 GRE tunnel authentication and keepalives
  - DNXP (Dynamic Network Extensions Protocol): dynamic GRE tunnels to support Layer 3 roaming
  - INXP (Identity-Based Network Extensions Protocol): GRE tunnels for guest traffic
  - ACSP (Automatic Channel Selection and Power Protocol): radio channel and power management

Lab: HiveManager Menu Navigation, step 1.
Connect to the Hosted Training HiveManager
- Securely browse to the appropriate HiveManager for the class:
  - TRAINING LAB 1: https://training-hm1.aerohive.com (https://72.20.106.120)
  - TRAINING LAB 2: https://training-hm2.aerohive.com (https://72.20.106.66)
  - TRAINING LAB 3: https://training-hm3.aerohive.com (https://209.128.124.220)
  - TRAINING LAB 4: https://training-hm4.aerohive.com (https://203.214.188.200)
  - TRAINING LAB 5: https://training-hm5.aerohive.com (https://209.128.124.230)
- Supported browsers: Firefox, Internet Explorer, Chrome, Safari.
- Class login credentials: Login: adminX (X = Student ID, 2-29); Password: aerohive123.
- NOTE: to access the HiveManager, someone at your location must first enter the training firewall credentials given to them by the instructor.

Lab: HiveManager Menu Navigation, step 2: Dashboard
- The HiveManager dashboard provides detailed visibility into wired and wireless network activity. From the dashboard you can view comprehensive information by application, user, client device, operating system, and a wide variety of other options.

Step 3: Home
- The Home section of the GUI is where you configure a number of fundamental HiveManager settings, such as:
  - Express and Enterprise modes
  - VHM (virtual HiveManager) settings
  - HiveManager administrator accounts
  - HiveManager time and network settings (including HA), admin access and session timeout, HTTPS, SSH/SCP, Aerohive product improvement program participation, and routing
  - CAPWAP and e-mail notification settings, SNMP and TFTP services, and HiveManager administrator authentication options
- Click on the Home tab.

Step 4: Monitor
- From the Monitor menu you can view commonly needed information and link to more detailed information about all the Aerohive devices that have contacted HiveManager.
- With an on-premise HiveManager, devices listed under Unconfigured Devices are not under HiveManager management, and those under Configured Devices are being managed by HiveManager. HiveManager Online (HMOL) instead shows Managed Devices and Unmanaged Devices to indicate whether a device is managed.
- Click on the Monitor tab.

Step 5: Reports
- Detailed reports can be created and customized from the information the Aerohive devices deliver to HiveManager. Reports are covered in greater detail later in the class.
- Click on the Reports tab.

Step 6: Maps
- Use the tools in the Maps section to plan network deployments and to track and monitor the operational status of managed devices. Pre-deployment, maps are used for predictive modeling; post-deployment, for coverage visualization, troubleshooting, and client and rogue location tracking.
- Click on the Maps tab.

Step 7: Configuration
- The Configuration tab gives access to the Guided Configuration. Here you build your Network Policies and configure and update devices.
- Click on the Configuration tab.

Step 8: Tools
- The Tools tab gives access to additional testing and monitoring abilities, such as the Planning Tool, the Client Monitor, the VLAN Probe, the Device/Client Simulator and the Server Access Tests.
- Click on the Tools tab.

QUESTIONS?

SECTION 3. MOBILITY SOLUTIONS AND UNIFIED POLICY MANAGEMENT
Aerohive's Instructor-led Training
Aerohive AP Platforms
- AP170: outdoor, waterproof (IP68); 2x2:2 300 Mbps 802.11n high-power radios; 1x Gig.E; -40 to 55 C; PoE (802.3at).
- AP390: indoor industrial; dual radio 802.11ac/n, 3x3:3, 450 + 1300 Mbps, high-power radios; 2x Gig.E with PoE failover; plenum rated and dust proof; -20 to 55 C.
- AP370*: indoor, plenum rated; dual radio 802.11ac/n, 3x3:3, 450 + 1300 Mbps, high-power radios; 2x Gig.E with link aggregation; USB for future use; 0 to 40 C.
- AP330 / AP350: dual radio 802.11n, 3x3:3 450 Mbps, high-power radios; TPM security chip; 2x Gig.E with link aggregation; PoE (802.3af + 802.3at) and AC power. AP330: indoor, plenum rated, 0 to 40 C. AP350: indoor industrial, plenum/dust rated, -20 to 55 C.
- AP121 / AP141: dual radio 802.11n, 2x2:2 300 Mbps, high-power radios; 1x Gig.E; indoor, plenum rated, 0 to 40 C. AP141 has a USB port for a 3G/4G modem; AP121 has a USB port for future use.
- AP230: dual radio 802.11ac, 3x3:3; 2x Gig.E with link aggregation; indoor, plenum rated, 0 to 40 C.
  * Includes 5 GHz transmit beamforming and TurboQAM in 2.4 GHz.

Aerohive AP230: Performance, Functionality and Economy
- Performance: dual radio 802.11ac, 3x3:3 (three spatial streams). Radio 1 (802.11n + Turbo-QAM): 2.4 GHz 802.11b/g/n, 3x3:3. Radio 2 (802.11ac): 5 GHz 802.11a/n/ac, 3x3:3 with TxBF, 256-QAM, supporting up to 80 MHz channels in 5 GHz.
- Functionality: application visibility AND control at gigabit speeds; 2x Gig Ethernet ports with link aggregation; HiveOS enterprise feature set.
- Economy: three-stream 802.11ac at roughly the price of two-stream 802.11n; full Wi-Fi functionality with existing PoE infrastructure; full 802.11n legacy support with improvements in mixed environments.

Aerohive Routing Platforms
- BR100: single radio, 1x1 802.11b/g/n; 5x 10/100 Ethernet; 5-10 Mbps FW/VPN; no PoE PSE.
- BR200: single radio, 3x3:3 450 Mbps 802.11a/b/g/n; 5x 10/100/1000 Ethernet; 30-50 Mbps FW/VPN; 2x PoE PSE ports (* also available as a non-Wi-Fi device).
- AP330 / AP350 (as branch routers): dual radio; 2x 10/100/1000 Ethernet; no PoE PSE.
- Physical / virtual VPN gateways: L3 IPsec VPN gateway, ~500 Mbps VPN, 4000 / 1024 tunnels (physical / virtual).

BR100 vs.
BR200

Feature                        BR100                               BR200 / BR200WP
Ethernet                       5x Fast Ethernet                    5x Gigabit Ethernet
Radio                          1x1 11bgn (2.4 GHz) single radio    3x3:3 11abgn dual-band single radio (WP)
Integrated PoE                 No                                  Yes (WP model)
Console port                   No                                  Yes
Spectrum analysis              No                                  Integrated (WP)
Wireless intrusion detection   No                                  Full Aerohive WIPS (WP)
Local RADIUS / AD              No                                  Full Aerohive RADIUS, proxy and AD integration
SNMP                           No                                  Supported

Aerohive Switching Platforms
- SR2024P: 24 Gigabit Ethernet ports; 4x 1G SFP uplinks; 24 PoE+ ports (195 W); 56 Gbps switching; single power supply; switching only.
- SR2124P: 24 Gigabit Ethernet ports; 4x 10G SFP/SFP+ uplinks; 24 PoE+ ports (408 W); 128 Gbps switching; redundant power supply capable; routing with 3G/4G USB support and line-rate switching.
- SR2148P: 48 Gigabit Ethernet ports; 4x 10G SFP/SFP+ uplinks; 48 PoE+ ports (779 W); 176 Gbps switching; redundant power supply capable; routing with 3G/4G USB support and line-rate switching.

VPN Gateway Virtual Appliance and VPN Gateway Physical Appliance
- Both support: GRE tunnel gateway; L2 IPsec VPN gateway; L3 IPsec VPN gateway; RADIUS authentication server; RADIUS relay agent; Bonjour gateway; DHCP server.
- Use a VPN Gateway appliance instead of an AP when higher scalability for these features is required.

Function                                         Virtual Appliance   Physical Appliance
VPN tunnels                                      1024                4000
RADIUS local users per VPN gateway               9999                9999
Users cache (RADIUS server)                      1024                1024
Simultaneous authentications (RADIUS server)     256                 256

- Physical appliance ports: one 10/100/1000 WAN port; four LAN ports, two of which support PoE.
Network Policy = Configuration; Hive = Cooperative Control Protocols
- Aerohive devices are assigned to Network Policy Corp1.
- Note: all Aerohive devices configured with the same Network Policy are in the same Hive and can use the cooperative control protocols for mesh, dynamic RF, Layer 2/3 fast secure roaming, VPN failover, etc.
- Network Policy Corp1 (Hive: Corp; policy-wide settings: WIPS, L2 IPsec VPN, Location Services, Access Console) contains:
  - SSID Voice -> User Profile Voice (2): VLAN, QoS, Firewall, L3 Roaming
  - SSID Employee -> User Profile IT Staff (9): VLAN, L3 Roaming, OS/Domain, SLA; User Profile Staff (10): VLAN, L3 Roaming, OS/Domain, SLA
  - SSID Guest -> User Profile Guests (8): VLAN, QoS, Rate Limit, Firewall, Guest Tunnel, Schedule, OS/Domain

Network Policy Guided Configuration
- Network Configuration has three main panels; click a panel header to go to that panel: 1. Configure Network Policy; 2. Configure Interface & User Access; 3. Configure & Update Devices.
- Clicking the Configure & Update Devices panel saves the configuration, as do Save and Continue.

Setting Up a Wireless Network: Building your Initial Unified Network Policy
- Click Configuration. Under Choose Network Policy, click New.
- Network Policies assign the same basic configuration to multiple devices. One Network Policy can configure all device types.
Network Policy Types
- Wireless Access: use for an AP-only deployment, or when you need specific wireless policies for APs in a mixed AP and router deployment.
- Branch Routing: use when you are managing routers (a BR100 at a small branch office or teleworker site; a BR200 at a small to medium branch office that may have APs behind the router), or APs behind routers that do not require a different Network Policy from the router they connect through.
- Bonjour Gateway: allows Bonjour services to be seen across multiple subnets.
- Switching: used to manage wired traffic on Aerohive switches (for example an SR2024 providing PoE to APs).

Unified Policy Management (Instructor Demo)
- Students and instructor open, view and discuss the Network Policies Wireless-Access-Demo, Wireless-Routing-Demo and Wireless-Switching-Demo.

QUESTIONS?

SECTION 4. HIVEMANAGER WELCOME AND INITIAL CONFIGURATION
Aerohive's Instructor-led Training

Scenario: First Login and Test Configuration
- On initial login, the Super-User administrator sees a set of Welcome screens. If you are new to HiveManager, it is recommended to create a Test Network Policy and upload it to some Aerohive devices in a staging area for testing.

Informational: HiveManager Welcome Page (only seen at first login)
- Verify your Aerohive device inventory and click Next.
Informational: HiveManager Welcome Page (only seen at first login)
- Welcome Page settings: New HiveManager Password; Administrative Mode: Enterprise Mode; Time Zone; click Finish.
- Note: Express mode is a legacy simplified configuration option. Enterprise mode is more robust and is recommended.
- NOTE: the HiveManager password set here also becomes the default Aerohive AP Access Console SSID key and the device CLI admin password. You can change some of these settings individually under Home > Device Management Settings.

Informational: HiveManager Initial Configuration
- Device CLI passwords can be set globally from Home > Device Management Settings. Individual managed device passwords can be set from Monitor > Modify. It is recommended that Aerohive devices have a unique admin password for CLI login.
- At first login, the administrator is prompted for a Username, the administrator password for HiveManager, and a Quick Start SSID password.
- HiveManager uses the Username as the name for automatically generated Quick Start objects (DNS service, NTP service, QoS classification profile, LLDP profile, ALG profile, etc.) that work in most cases without modification. You can create your own objects or use the Quick Start ones.
- For example, a DNS service object named Class and an NTP service object named Class are generated automatically. These objects are used when configuring WLAN and routing settings.
Informational: HiveManager Initial Configuration
- Note: Quick Start objects are created automatically in every new Network Policy; their names are based on the name entered on the initial welcome screen.
- The IP addresses in the Quick Start DNS object are public DNS servers. Edit the Quick Start DNS object to use DNS server addresses relevant to your deployment, and do this BEFORE configuring the rest of your Network Policy.
- The public Aerohive NTP server is used to set the clocks of your Aerohive devices; you can edit this object to use a different NTP server. Mandatory: change the time zone to match the one where your Aerohive devices reside, BEFORE configuring the rest of your Network Policy.

Lab: Creating a Test Network Policy, step 1: Connect to the Hosted Training HiveManager
- Securely browse to the appropriate HiveManager for the class, using the same TRAINING LAB 1-5 URLs, supported browsers (Firefox, Internet Explorer, Chrome, Safari) and adminX / aerohive123 credentials (X = Student ID, 2-29) as in the HiveManager Menu Navigation lab.
- NOTE: someone at your location must first enter the training firewall credentials given to them by the instructor.
Lab: Creating a Test Network Policy, step 2: Configuring a Test Network Policy
- Go to Configuration and click the New button.

Step 3: Configuring a Test Network Policy
- Name: Test-X. Select Wireless Access and Bonjour Gateway. Click Create.
- Only the Wireless Access and Bonjour Gateway profiles are used in this class. Switching and Branch Routing are covered in another course; see http://aerohive.com/support/technical-training/training-schedule for dates and registration.

Step 4: Configuring a Test Network Policy
- Under Network Configuration, next to SSIDs click Choose, then click New.

Step 5: Create an SSID Profile
- SSID Profile: Corp-PSK-X (X = 2-29, your Student ID); SSID: Corp-PSK-X.
- Select WPA/WPA2 PSK (Personal); Key Value: aerohive123; Confirm Value: aerohive123.
- Click Save, then click OK.
- IMPORTANT: for the SSID labs, follow the class naming convention.

Step 6:
Create a User Profile
- To the right of your SSID, under User Profile, click Add/Remove. In Choose User Profiles, click New.

Step 7: Create a User Profile
- Name: Staff-X; Attribute Number: 1; Default VLAN: 1; click Save.
- The attribute value and VLAN value do not need to match. It is recommended, however, that they match whenever possible, for clarity and uniform configuration.

Step 8: Save the User Profile
- Ensure the Staff-X User Profile is highlighted and click Save.

Step 9: Save the Network Policy
- Click the Configure & Update Devices bar or click the Continue button.
- Note: the Save button saves your Network Policy. The Continue button saves it and proceeds to the Configure & Update Devices area in one step.

Step 10: Create a Display Filter
- From the Configure & Update Devices section, click the + next to Filter to create a device display filter.

Step 11: Create a Display Filter
- Device Model: AP350; Host Name: 0X-; Remember This Filter: 0X-APs; click Search. Five APs will display.

Step 12: Upload the Network Policy
- Select your 0X-A-xxxxxx access point and all of your 0X-SIMU-xxxxxxx access points.
- Click the Update button, then click Update Devices to push your Network Policy to your access points. Click Yes in the Confirm window.

Step 13: Upload the Network Policy
- Click the Update button, then click OK in the Reboot Warning window.
Step 14: Upload the Network Policy
- Once the update is pushed, you will see the Update Status and the devices rebooting. When the devices have rebooted and start reporting to HiveManager, you will see their new uptime and that the configuration on the devices matches the expected configuration in HiveManager.

Overview of Update Settings
- Complete Upload: the entire Aerohive AP configuration is uploaded and a reboot is required.
- Delta Upload: only configuration changes are uploaded and no reboot is required.
- The default is Auto: HiveManager determines whether a Complete or Delta upload is needed. The first upload is always a Complete upload, which requires the device to reboot before activating the configuration; all subsequent uploads are delta configurations based on a comparison with the configuration currently running on the device.
- Should a Delta upload ever fail, best practice is to select a Complete upload and force a reboot. A Complete update is also recommended when the configuration involves advanced security settings such as RADIUS.

Lab: Creating a Test Network Policy, step 15.
- Because the filter is set by default to Current Policy/Default Policies, you only see devices assigned to your selected Network Policy or to def-policy-template (the policy assigned to new devices).
Review of Device Display Filters
- The filter is set by default to Current Policy/Default Policies, i.e. the selected Network Policy. Select None if you want to see all devices.

Step 16: Verify the Update Results
- From Configuration > Devices > Device Update Results, review your update results. Hover your cursor over the Description and review the pop-up window.
- Always review Device Update Results: the pop-up window often has good troubleshooting information should an update fail.

Step 17: Verify the Update Results
- HiveManager pushes firmware and configuration updates in stages: first to all online devices, then automatically to any offline devices the next time they connect to HiveManager. If any devices are offline, their update results display as Staged. Once they re-establish CAPWAP connectivity, HiveManager re-attempts the upload until it succeeds.

Step 18: Device Monitor View
- Go to Monitor > Devices > All Devices for more detailed information. You can set items per page, change column settings, and turn off auto refresh to make changes without interruption.
- If the Audit column shows a red exclamation point, click it to see the difference between HiveManager and the device.

Step 19: Customize the Monitor View Columns
- Click the Edit Table icon. From Available Columns on the left, select both MGT Interface VLAN and Native VLAN and move them to Selected Columns on the right using the corresponding arrow button. Move both new columns up until they sit directly under IP Address. Click Save.
- Note: both the instructor and the students MUST perform this exercise.

Step 20:
Audit Icon
- Unconfigured Devices are Aerohive APs, routers and other Aerohive devices that have discovered HiveManager for the first time. IP connectivity and CAPWAP connectivity are needed for discovery. Once a configuration has been uploaded they become Configured Devices.
- Audit icon with an exclamation point: the configuration on HiveManager does NOT match the configuration on the device. Otherwise, the configuration on HiveManager MATCHES the configuration on the device.

Lab: Test Hosted Client Access to SSID (Test SSID Access at Hosted Site)
- SSID settings under test: SSID: Corp-PSK-X; Authentication: WPA or WPA2 Personal; Encryption: TKIP or AES; Preshared Key: aerohive123; User Profile 1: Staff-X, Attribute 1, VLAN 1, IP Firewall: None, QoS: def-user-qos.
- Lab topology: Hosted PC Student-X; Network Policy Test-X; AP Mgt0 IP 10.5.1.N/24 in VLAN 1 (VLANs 1-20 trunked to the AP); internal network with AD server 10.5.1.10; DHCP settings for VLAN 1: network 10.5.1.0/24, pool 10.5.1.140 to 10.5.1.240; Internet access.
- Connect to SSID Corp-PSK-X; expected IP 10.5.1.N/24, gateway 10.5.1.1. Use a VNC client to access the Hosted PC (password: aerohive123).

Step 1. For Windows: use the TightVNC client
- If you are using a Windows PC, use TightVNC. It has good compression, so use it for class instead of any other application.
- Start TightVNC and connect to the host for your lab: lab1-pcX.aerohive.com, lab2-pcX.aerohive.com, lab3-pcX.aerohive.com, lab4-pcX.aerohive.com or lab5-pcX.aerohive.com.
- Select Low-bandwidth connection; click Connect; Password: aerohive123; click OK.

Step 2.
For Mac: use the RealVNC client
- If you are using a Mac, use RealVNC. It has good compression, so use it for class instead of any other application.
- Start RealVNC and connect to the host for your lab: lab1-pcX.aerohive.com, lab2-pcX.aerohive.com, lab3-pcX.aerohive.com, lab4-pcX.aerohive.com or lab5-pcX.aerohive.com.
- Click Connect; Password: aerohive123; click OK.

Step 3: Connect to your Corp-PSK-X SSID
- Single-click the wireless icon in the bottom right corner of the Windows task bar. Click your SSID Corp-PSK-X, click Connect, enter Security Key aerohive123, and click OK.

Step 4: View Active Clients List
- After associating with your SSID, go to Monitor > Clients > Wireless Clients; your connection should appear in the active clients list. Your IP address should be from the 10.5.1.0/24 network.

QUESTIONS?

SECTION 5. CONFIGURING ACCESS POINTS FOR MAPS AND MONITORING
Aerohive's Instructor-led Training

Design Implementation
- Now that the initial planning and testing phases are complete, you are ready to create the framework for your live deployment. To accomplish the remaining goals you will: clone the predictive model maps you created earlier; add your APs to Floor 1 of the cloned maps; position the APs as required for the needed coverage.

LAB: Design Implementation, step 1: Clone the Plan Building
- Click on the Maps tab. Expand Planner Maps, right-click your 0X Plan Building and select Clone.

Step 2: Clone the Plan Building
- Name your cloned building 0X Building. Click the drop-down arrow and select the Locations folder. Click Create.
LAB: Design Implementation, step 3: Planning the Production Network
- Expand the Locations folder, expand your 0X Building, select Floor 1, and click the Devices tab.

Step 4: Adding your APs to the map
- Select all of your 0X APs. Click the arrow to move them to the Devices on Floor 1 section. Click Update to place your devices on your 0X Building Floor 1 map.

Step 5: Placing your APs
- Uncheck the Ethernet and Mesh check boxes. Uncheck the Nodes Locked check box. Position the APs on your map as planned in the predictive model. Check the Nodes Locked check box.

Design Implementation
- Once the APs are located properly you can use your map for post-deployment validation processes such as: RSSI values; interference source locationing; channel verification; display of Ethernet and mesh connections.

Topology Maps with RSSI and Power (Heatmap)
- The 5 GHz and 2.4 GHz bands can be viewed separately; select the band and the coverage you want to view.
- Ethernet and mesh connections can be displayed.
- RSSI values can be used to display coverage. The coverage areas range from red (strongest) to dark blue (weakest). The blue lines show the perimeter of each AP; a client within that boundary should connect to that AP.
- The map also shows the subnet of the MGT0 interface on the Aerohive APs.

Topology Maps with Rogue AP Detection and Client Location
- If three or more Aerohive APs on a map detect a rogue, HiveManager can estimate the rogue's location on the topology map. If the Aerohive AP location service is enabled, you can view clients as well. Map legend: friendly AP, rogue AP, client.

QUESTIONS?
Classroom LAB Scenario
- We start with the types of users on the network: different types of employees and different types of guests.
- Employees should have secure access to the wireless network, and the most secure method is 802.1X/EAP. One SSID can serve all employee access, with different access policies depending on the type of employee.
- For devices that do not support 802.1X, or that require fast roaming but do not support 802.11r or OKC, consider Private PSK.
- For guests, the legacy open SSID does not provide security and leaves them extremely vulnerable. Instead, provide a Private PSK infrastructure and a captive web portal for use-policy acceptance, with options for self-registration, employee sponsorship, etc.
- We will then consider the best-practice AP settings to meet the network design goals, and finally how to maintain and monitor the network.

SECTION 6: CREATING THE EMPLOYEE SECURE ACCESS NETWORK
Aerohive's Instructor-led Training

Classroom Employee WLAN Scenario
- Employees should have secure access to the wireless network, and the most secure method is 802.1X EAP. You will build an 802.1X EAP solution using the customer's existing RADIUS server.
- RADIUS attributes can be leveraged to assign different types of employees to VLANs and user traffic settings, by mapping them to the appropriate User Profiles.
- Employees will be assigned to three different User Profiles: Employees, IT and Executives. The user profiles assign different access rights to the different types of employees.

Lab: Creating the Employee Secure Access Network, step 1.
Creating the Corporate Network Policy
Click on the Configuration tab
Under Choose Network Policy, click the New button

Lab: Creating the Employee Secure Access Network 2. Creating the Corporate Network Policy
Fill in the Name box using Corp-X as your Network Policy name
Click the Create button
It is recommended that you ALWAYS add descriptions about the objects you are building whenever possible.

Lab: Creating the Employee Secure Access Network 3. Creating the Secure SSID Profile
To configure an 802.1X/EAP SSID for Secure Wireless Access:
Next to SSIDs, click Choose
Click New

Lab: Creating the Employee Secure Access Network 4. Creating the Secure SSID Profile
Profile Name: Corp-Secure-X
SSID: Corp-Secure-X
Under SSID Access Security, select WPA/WPA2 802.1X (Enterprise)
Click Save

Lab: Creating the Employee Secure Access Network 5. Saving the Secure SSID Profile
Ensure the Corp-Secure-X SSID is selected
Click OK
Ensure Corp-Secure-X is highlighted, then click OK

Lab: Creating the Employee Secure Access Network 6. Creating the RADIUS Object
Under Authentication, click Choose
Next to RADIUS, click New

Lab: Creating the Employee Secure Access Network 7. Creating the RADIUS Object
RADIUS Name: RADIUS-X
IP Address/Domain Name: 10.5.1.10
Shared Secret: aerohive123
Confirm Secret: aerohive123
Click Apply
Click Save
Click Apply when done!

Lab: Creating the Employee Secure Access Network 8. Creating the User Profile
Under User Profile, click Add/Remove
Click New

Name: Employees-X
Attribute Number: 10
Default VLAN: 10
Click Save
Lab: Creating the Employee Secure Access Network 9.
Creating the User Profile

Lab: Creating the Employee Secure Access Network 10. User Profile for no returned RADIUS attributes
With the Default tab selected, ensure the Employees-X user profile is highlighted
IMPORTANT: This user profile will be assigned if no attribute value is returned from RADIUS after successful authentication, or if attribute value 10 is returned.
Click the Authentication tab

Lab: Creating the Employee Secure Access Network 11. User profiles for returned RADIUS attributes
Select the Authentication tab
Select (highlight) both the IT and Executives User Profiles
NOTE: The (User Profile Attribute) is appended to the User Profile name
Click Save

Lab: Creating the Employee Secure Access Network 12. Verify the User Profiles
Ensure the Employees-X, IT and Executives user profiles are assigned to the Corp-Secure-X SSID

Lab: Creating the Employee Secure Access Network 13. Saving the work and preparing to update devices
Click the Continue button

Lab: Creating the Employee Secure Access Network 14. Saving the work and preparing to update devices
From the Configure & Update Devices section, click the drop-down next to Filter and select your 0X-APs filter.

Lab: Creating the Employee Secure Access Network 15. Update the devices
Select your 0X-A-xxxxxx access point and all of your 0X-SIMU-xxxxxxx access points
Click the Update button
Click Update Devices to push your Network Policy to your access points
Click Yes in the Confirm window

Lab: Creating the Employee Secure Access Network 16. Update the devices
Click the Update button
Click OK in the Reboot Warning window
Lab: Creating the Employee Secure Access Network 17. Update the devices
Once the update is pushed, you will see the Update Status and the devices rebooting. When the devices have rebooted and start reporting to HiveManager, you will see their new up time and that the configuration on the devices matches the expected configuration in HiveManager.

Lab: Test Hosted Client Access to SSID 1. For Windows: Use TightVNC client
If you are using a Windows PC, use TightVNC. TightVNC has good compression, so please use this for class instead of any other application.
Start TightVNC
For Lab 1: lab1-pcX.aerohive.com
For Lab 2: lab2-pcX.aerohive.com
For Lab 3: lab3-pcX.aerohive.com
For Lab 4: lab4-pcX.aerohive.com
For Lab 5: lab5-pcX.aerohive.com
Select Low-bandwidth connection
Click Connect
Password: aerohive123123
Click OK

Lab: Test Hosted Client Access to SSID 2. For Mac: Use the RealVNC client
If you are using a Mac, use RealVNC. RealVNC has good compression, so please use this for class instead of any other application.
Start RealVNC
For Lab 1: lab1-pcX.aerohive.com
For Lab 2: lab2-pcX.aerohive.com
For Lab 3: lab3-pcX.aerohive.com
For Lab 4: lab4-pcX.aerohive.com
For Lab 5: lab5-pcX.aerohive.com
Click Connect
Password: aerohive123.
Click OK

Lab: Testing 802.1X/EAP to External RADIUS 1. Connect to Secure Wireless Network
From the bottom task bar, click the locate wireless networks icon
Click Corp-Secure-X
Click Connect

Lab: Testing 802.1X/EAP to External RADIUS 2. Connect to Secure Wireless Network
After associating with your SSID, you should see your connection in the active clients list in HiveManager
Go to Monitor > Clients > Wireless Clients
User Name: DOMAIN\user
VLAN: 10
Lab: Testing 802.1X/EAP to External RADIUS 3. Customizing Your Column View
To change the layout of the columns in the Wireless Clients list, click the spreadsheet icon
Select User Profile Attribute from the Available Columns list and click the right arrow
With User Profile Attribute selected, click the Up button so that the column is moved after VLAN
Click Save

Lab: Testing 802.1X/EAP to External RADIUS 4. Customizing Your Column View
By default, all Device and Client screens display 15 items per page. You can scroll between pages using the arrow buttons or choose to display more items per page. Screen auto-refresh is enabled by default but can be disabled if desired.
Select the drop-down to display 50 items per page
Auto-refresh can be turned on or off as desired

Lab: Testing 802.1X/EAP to External RADIUS 5. Create a clients display filter
To display only the wireless clients in the Lab:
Go to Monitor > Clients > Wireless Clients
Click the + under Filter at the bottom of the Monitor options
Next to Topology Map, select 0X Building_Floor 1 from the drop-down
In the Remember This Filter box, type: Lab
Click Search to save the filter
Note: The proper use of filters will save time in locating desired objects

Lab: Testing 802.1X/EAP to External RADIUS 6. Create a clients display filter
To display only the wireless clients in the Classroom:
Go to Monitor > Clients > Wireless Clients
Click the + under Filter at the bottom of the Monitor options
Next to Topology Map, select Training Center_Floor1 from the drop-down
In the Remember This Filter box, type: Instructor
Click Search to save the filter
Note: The proper use of filters will save time in locating desired objects
QUESTIONS?

SECTION 7: PRIVATE PSK FOR DEVICES
Aerohive's Instructor-led Training

Private PSK (PPSK) for Legacy Devices Scenario
Your customer has legacy devices that do not support 802.1X, or that require fast roaming and do not support 802.11r or Opportunistic Pairwise Master Key Caching (OKC). There is a requirement that all devices have unique credentials. Aerohive offers a security solution called Private PSK (PPSK) that meets these needs.

SSIDs with WPA or WPA2 Personal Use Legacy Pre-Shared Keys (PSKs)
All users share the same key: if a user leaves, or if a PC or portable device is lost, the shared key should be changed for security reasons, and every user will have to update the key on their wireless clients.
All users share the same network policy: because all users share the same SSID with the same key, they will also have the same network policies, such as their VLAN, because there is no way to uniquely identify users or types of users.
Diagram: User 1, User 2 and User 3 all connect to the AP using SSID Corp-Wi-Fi with the same Shared Key aSecretPhrase (Authentication: WPA2 Personal, User Profile: Employee-Profile).
SSID with 802.1X/EAP Dynamically Creates Pairwise Master Keys (PMKs)
With 802.1X, after a user successfully authenticates with RADIUS, a unique key called a PMK is created for each user and AP pair.
If a user leaves the company or loses a device, the user account can be disabled and passwords can be changed to prevent access to corporate resources.
New PMKs are created every time a user authenticates.
Users can have unique network policies: because users are identified by their user name, they can be assigned to different network policies based on the user or group.
Diagram: User 1, User 2 and User 3 connect to the AP using SSID Corp-Wi-Fi (Authentication: WPA2 Enterprise (802.1X)). The AP, backed by RADIUS, holds a different PMK per user: User 1 PMK d6#$%^98f.., User 2 PMK 87fe@#$%a.., User 3 PMK 90)356*&f..

Private Preshared Key (PSK) Allows Creation of Unique PSKs per User
Private PSKs are unique pre-shared keys created for individual users on the same SSID.
Client configuration is simple: just enter the SSID shared key for WPA or WPA2 Personal (PSK). No 802.1X supplicant configuration is required.
Works with devices that do not support 802.1X/EAP.
You can automatically generate unique keys for users and distribute them via email, or any other way you see fit.
If a user leaves or a device is lost or stolen, the PSK for that user or device can simply be revoked.
Diagram: User 1, User 2 and User 3 connect to the Aerohive AP using SSID Corp-Wi-Fi (SSID Type: Private PSK, Authentication: WPA2 Personal). Each user has a different key: User 1 Private PSK d6#$%^98f.., User 2 Private PSK 87fe@#$%a.., User 3 Private PSK 90)356*&f..
Private Preshared Key (PSK) Use Cases
Use Case #1: Private PSK is recommended for augmenting WLAN deployments that authenticate clients with WPA or WPA2 Enterprise (802.1X/EAP), but have some devices that:
Support WPA or WPA2 Personal, but do not support WPA or WPA2 Enterprise with 802.1X/EAP
Do not support opportunistic key caching (OKC) for seamless roaming
Use Case #2: Recommended in place of traditional PSKs for environments that do not have a WLAN deployment using WPA or WPA2 Enterprise with 802.1X/EAP
Use Case #3: Recommended for secure credentials with guest WLANs (secure guest management is covered in a later section)

Private Preshared Key (PSK) Maximum PPSKs per Aerohive Device
(Table of maximum PPSK counts per device model; the table contents were not captured in this extraction.)

Verify On-Premise HiveManager Time Settings
HiveManager and Aerohive devices should have up-to-date time settings, preferably from NTP (HMOL time settings are automatic).
Go to Home > Administration > HiveManager Settings
Next to System Date/Time, click Settings
Private PSKs are credentials that have a start time. Private PSKs, like other credentials, can also be time limited. Therefore, it is imperative that the HiveManager time settings be properly synchronized with your network. The use of an NTP server is highly recommended.

Go to Configuration
Select your Network Policy: Corp-X and click OK
Next to Additional Settings, click Edit
Expand Management Server Settings
Note: Upon first login to a new HiveManager system, an NTP server policy is automatically created with the same name as the user name. However, the object should be edited with the proper time zone.
Next to NTP Server, click the + icon
Private PSKs are credentials that have a start time. Private PSKs, like other credentials, can also be time limited.
Even more important than the HiveManager time settings, Aerohive device clock settings must be properly synchronized. The use of an NTP server is MANDATORY.
Verify Device Time Settings

Verify Device Time Settings
Name the service NTP-X
Time Zone:
Uncheck Sync clock with HiveManager
NTP Server: ntp1.aerohive.com
Click Apply
Click Save
MANDATORY: You must change the time zone to match the time zone where your Aerohive devices reside. Do this BEFORE you configure the rest of your Network Policy.
Instructor note: When using Lab #4 the Time Zone MUST be set to (GMT +10 Australia/Sydney)

Lab: Private PSK for Enterprise 1. Modify your Network Policy to Create an SSID
To configure a Private PSK SSID:
Go to Configuration
Select your Network Policy: Corp-X and click OK
Next to SSIDs, click Choose
Click New

Lab: Private PSK for Enterprise 2. Create a Private PSK SSID
Profile Name: Device-PPSK-X
SSID: Device-PPSK-X
Under SSID Access Security, select Private PSK
Set maximum clients per private PSK to: 1
This limits how many times a single Private PSK can be used concurrently in a Hive
Click Save

Lab: Private PSK for Enterprise 3. Create a Private PSK SSID
Ensure the Device-PPSK-X SSID is selected
Ensure the Corp-Secure-X SSID is selected
Click OK
Ensure both Device-PPSK-X and Corp-Secure-X are highlighted, then click OK

Lab: Private PSK for Enterprise 4. Create a Private PSK User Group
Under Authentication, click Choose
Click New

Lab: Private PSK for Enterprise 5.
Create a Private PSK Group
User Group Name: Devices-X
User Type: Automatically generated private PSK users
User Profile Attribute: 2
VLAN: Inherited from user profile
User Name Prefix: 0X-
Click the Generate button to create a seed
Expand Private PSK Advanced Options

Lab: Private PSK for Enterprise 6. Create a Private PSK User Group
Password length: 20
Click Save
Note: You can define the strength of the PSKs. Although each of the PPSKs will be unique, they are still susceptible to offline brute-force dictionary attacks. The Wi-Fi Alliance recommends a passphrase key strength of 20 characters or longer.

Lab: Private PSK for Enterprise 7. Save the Private PSK User Group
Ensure your Devices-X is highlighted
Click OK

Lab: Private PSK for Enterprise 9. Create a user profile for the PPSK SSID
Under User Profile, click Add/Remove
Click New

Lab: Private PSK for Enterprise 10. Create a user profile for the PPSK SSID
Name: Devices-X
Attribute Number: 2
Default VLAN: 2
Verify the settings, and click Save
Although these are corporate devices, they are using shared-key security. Since they are not using 802.1X, a more secure authentication method, it is a recommended practice to separate their traffic to protect your network from unwanted use.

Lab: Private PSK for Enterprise 10. Review Settings and Click Save
Ensure your Devices-X User Profile is selected
Verify the settings, and click Save

Lab: Private PSK for Enterprise 11. Creating your User Accounts
In the Navigation pane go to: Advanced Configuration > Authentication > Local Users
Click Bulk
Note: In a live deployment, each device and/or user should be uniquely identifiable. We are using the Bulk option in class simply to save time.
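The Private PSK model from the earlier slides (one SSID, a unique pre-shared key per user or device, each key revocable on its own) and the key-strength note above can be illustrated with the following Python sketch. It is an added example, not HiveManager code or Aerohive's implementation: it generates random 20-character keys, derives each key's WPA2 PMK with the standard PBKDF2 function that WPA2-Personal uses, enforces a per-key client limit like the "maximum clients per private PSK" setting, and shows that revoking one user's key leaves the other users untouched. The PrivatePskTable class, its max_clients_per_key limit and the letters-and-digits key alphabet are assumptions made for the example; HiveManager's seed-based generator is not reproduced.

```python
import hashlib
import secrets
import string

# WPA2-Personal derives the Pairwise Master Key (PMK) from the passphrase and
# the SSID with PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output (IEEE 802.11i).
# A Private PSK goes through exactly the same derivation; only the passphrase
# differs per user.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32

# Key alphabet for generated passphrases (assumption for this example).
KEY_ALPHABET = string.ascii_letters + string.digits


def generate_ppsk(length=20):
    """Return a random passphrase; WPA2 allows 8 to 63 ASCII characters."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 ASCII characters")
    # secrets gives CSPRNG output, so no key is predictable from another.
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def derive_pmk(passphrase, ssid):
    """Standard WPA2-Personal PMK derivation."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, PMK_LEN)


class PrivatePskTable:
    """Hypothetical per-user key table for one SSID (models a PPSK user group)."""

    def __init__(self, ssid, key_length=20, max_clients_per_key=1):
        self.ssid = ssid
        self.key_length = key_length
        self.max_clients_per_key = max_clients_per_key
        self._pmks = {}         # PMK bytes -> user name
        self._passphrases = {}  # user name -> passphrase (what gets emailed)
        self._active = {}       # user name -> number of associated clients

    def add_user(self, user):
        """Create a unique key for one user and return the passphrase to hand out."""
        passphrase = generate_ppsk(self.key_length)
        self._passphrases[user] = passphrase
        self._pmks[derive_pmk(passphrase, self.ssid)] = user
        self._active[user] = 0
        return passphrase

    def revoke(self, user):
        """Remove one user's key; returns how many active clients were cut off."""
        # Only this user's PMK disappears, so every other key keeps working:
        # no shared-key rotation and no re-keying of other clients is needed.
        passphrase = self._passphrases.pop(user)
        del self._pmks[derive_pmk(passphrase, self.ssid)]
        return self._active.pop(user)

    def authenticate(self, passphrase):
        """Return the user name whose key matches, or None if rejected."""
        # The AP identifies the user by which stored PMK the client proves
        # knowledge of in the 4-way handshake, so the PMK is the lookup key.
        user = self._pmks.get(derive_pmk(passphrase, self.ssid))
        if user is None:
            return None
        if self._active[user] >= self.max_clients_per_key:
            return None  # "maximum clients per private PSK" exceeded
        self._active[user] += 1
        return user


if __name__ == "__main__":
    table = PrivatePskTable("Device-PPSK-X")
    key1 = table.add_user("0X-user1")
    key2 = table.add_user("0X-user2")
    print("user1 ->", table.authenticate(key1))
    print("revoked clients:", table.revoke("0X-user1"))
    print("user1 after revoke ->", table.authenticate(key1))
    print("user2 still works ->", table.authenticate(key2))
```

The derivation in derive_pmk is the standard one, so it can be checked against the IEEE 802.11i test vector (passphrase "password", SSID "IEEE"); the table logic around it is the illustrative part.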
Lab: Private PSK for Enterprise 12. Creating your User Accounts
Create Users Under Group: Devices-X
Number of New Users: 10
Description: 0X-
Enter your REAL email address
Click Create

Lab: Private PSK for Enterprise 13. Viewing your User Accounts
Apply a filter to view your Private PSK users:
In the Navigation pane, navigate to: Advanced Configuration > Authentication > Local Users
Click the Filter button
Next to Description, type 0X- and click Search
Results are shown on the next slide

Lab: Private PSK for Enterprise 14. View your Private PSK users
Locate your PPSK users
Sort on the user name or use the filter
You can click (Clear Text PPSK) to show or obscure the clear-text PSK

Lab: Private PSK for Enterprise 15. Email your user their private PSK
Check the box next to one of your user accounts, and click Email PSK
IMPORTANT: Please check your Junk Email folder if you do not receive this email
IMPORTANT: In order for the email to work, you MUST have the email service settings configured under Home > Administration > HiveManager Services > Update Email Settings

Lab: Private PSK for Enterprise 16. Updating your Aerohive Devices
Go to Configuration, select your Corp-X policy and click OK
Click on the Continue button
From the Configure & Update Devices section, click the drop-down next to Filter and select your 0X-APs filter.

Lab: Private PSK for Enterprise 17. Updating your Aerohive Devices
Select your 0X-A-xxxxxx access point and all of your 0X-SIMU-xxxxxxx access points
Click the Update button
Click Update Devices to push your Network Policy to your access points
Lab: Private PSK for Enterprise 18. Updating your Aerohive Devices
Click the Update button
Click OK in the Reboot Warning window

Lab: Private PSK for Enterprise 19. Updating your Aerohive Devices
The physical APs will not need to reboot this time because this is a delta update: only the configuration changes in the Network Policy were uploaded. The simulated APs will reboot. Because a reboot is not necessary, clients already connected to the Corp-Secure-X SSID are not affected.

Lab: Private PSK for Enterprise 1. Testing your PPSK SSID
From TightVNC, go to: labN-pcX.aerohive.com, password: aerohive123
Copy the PPSK key either from the user account display or from your email; make sure not to copy any extra spaces
Connect to your SSID: Device-PPSK-X
Paste your Passphrase/Network Key
Click OK

Lab: Private PSK for Enterprise 2. Testing your PPSK SSID
After associating with your SSID, you should see your connection in the active clients list in HiveManager
Go to Monitor > Clients > Wireless Clients
Your IP address should be from the 10.5.2.0/24 network
Note the client information: VLAN: 2, User Profile Attribute: 2

Example Only: Revoke a Private PSK 1. Revoking Private PSK Users
If a user leaves the company, or if their device is lost or stolen, you can revoke the user's key and de-authenticate any active client using that individual private PSK
Go to Configuration > Advanced Configuration > Authentication > Local Users
Check the box next to your user account and click Remove
Click Yes to continue
Note: For this change to take effect, you will have to update the configuration of every Aerohive AP using this Private PSK account...
Example Only: Revoke a Private PSK 2. Update the Configuration
Select your 0X-A-xxxxxx access point and all of your 0X-SIMU-xxxxxxx access points
Click the Update button
Click Update Devices to push your Network Policy to your access points

Example Only: Revoke a Private PSK 3. Verify your PPSK user is revoked
To view the active clients, go to Monitor > Clients > Wireless Clients
The revoked clients will no longer appear in the active clients list
If you view the desktop of the hosted client PC, you will see that they are disconnected

QUESTIONS?

SECTION 8: AEROHIVE WLAN GUEST MANAGEMENT
Aerohive's Instructor-led Training

Why Provide Guest Access?
Many studies have shown that providing WLAN guest access is beneficial to your business.
Improved Productivity: Customers and contractors often need access to the Internet to accomplish job-related duties. If customers and contractors are more productive, your company's employees will also be more productive.
Customer Loyalty: In today's world, business customers have come to expect guest WLAN access. Free guest access is often considered a value-added service. There is a good chance that your customers will move towards your competitors if you do not provide WLAN guest access.

Guest WLAN Essentials
Guest user traffic should always be segmented from employee user traffic. Four guest WLAN best practices include:
Guest SSID: Wireless guest users should always connect to a separate guest SSID because it will have different security policies than a corporate or employee SSID.
Guest VLAN: Guest user traffic should be segmented into a unique VLAN tied to an IP subnet t