© 2014 Aerohive Networks Inc.
Instructor-led Training
AEROHIVE CERTIFIED WIRELESS
PROFESSIONAL (ACWP)
© 2014 Aerohive Networks CONFIDENTIAL
Welcome
• Introductions
• Facilities Discussion
• Course Overview
• Extra Training Resources
• Questions
Introductions
• What is your name?
• What is your organization's name?
• How long have you worked in Wi-Fi?
• Are you currently using Aerohive?
Facilities Discussion
• Course Material Distribution
• Course Times
• Restrooms
• Break room
• Smoking Area
• Break Schedule
› Morning Break
› Lunch Break
› Afternoon Break
Aerohive Advanced WLAN Configuration (ACWP) – Course Overview
Each student connects to HiveManager, a remote PC, and an Aerohive AP over the Internet from their wireless-enabled laptop in the classroom, and then performs hands-on labs that cover the following topics:
• 802.1X/EAP architecture overview
• 802.1X with external RADIUS
• RADIUS attributes for user profile assignment
• Using Client Monitor to troubleshoot 802.1X/EAP
• HiveManager Certificate Authority
• Aerohive devices as RADIUS servers that integrate with LDAP
• Client Management – Device on-boarding using 802.1X
• Client Management – Device on-boarding using PPSK
• Layer 2 IPsec VPN client and VPN servers
• Device classification
• Layer 3 roaming configuration and troubleshooting
• Guest Management using GRE tunneling to a DMZ
2-Day Hands-on Class
Aerohive CBT Learning
http://www.aerohive.com/cbt
Aerohive Education on YouTube
http://www.youtube.com/playlist?list=PLqSW15RTj6DtEbdPCGIm0Kigvrscbj-Vz
Learn the basics of Wi-Fi and more….
The 20 Minute Getting Started Video Explains the Details
Please view the Aerohive Getting Started Videos:
http://www.aerohive.com/330000/docs/help/english/cbt/Start.htm
Aerohive Technical Documentation
All the latest technical documentation is available for download at:
http://www.aerohive.com/techdocs
Aerohive Instructor Led Training
• Aerohive Education Services offers a complete curriculum that provides you with the courses you will need as a customer or partner to properly design, deploy, administer, and troubleshoot all Aerohive WLAN solutions.
• Aerohive Certified WLAN Administrator (ACWA) – First-level course
• Aerohive Certified WLAN Professional (ACWP) – Second-level course
• Aerohive Certified Network Professional (ACNP) – Switching/Routing course
• www.aerohive.com/training – Aerohive Class Schedule
Over 20 books about networking have been written by Aerohive Employees
CWNA Certified Wireless Network Administrator Official Study Guide by David D. Coleman and David A. Westcott
CWSP Certified Wireless Security Professional Official Study Guide by David D. Coleman, David A. Westcott, Bryan E. Harkins and Shawn M. Jackman
CWAP Certified Wireless Analysis Professional Official Study Guide by David D. Coleman, David A. Westcott, Ben Miller and Peter MacKenzie
802.11 Wireless Networks: The Definitive Guide, Second Edition by Matthew Gast
802.11n: A Survival Guide by Matthew Gast
802.11ac: A Survival Guide by Matthew Gast
Aerohive Exams and Certifications
• Aerohive Certified Wireless Administrator (ACWA) is a first-level certification that validates your knowledge and understanding about Aerohive Networks’ WLAN Cooperative Control Architecture. (Based upon Instructor Led Course)
• Aerohive Certified Wireless Professional (ACWP) is the second-level certification that validates your knowledge and understanding about Aerohive advanced configuration and troubleshooting. (Based upon Instructor Led Course)
• Aerohive Certified Network Professional (ACNP) is another second-level certification that validates your knowledge about Aerohive switching and branch routing. (Based upon Instructor Led Course)
Aerohive Forums
• Aerohive’s online community – HiveNation
Have a question, an idea or praise you want to share? Join the HiveNation Community - a place where customers, evaluators, thought leaders and students like yourselves can learn about Aerohive and our products while engaging with like-minded individuals.
• Please take a moment and register during class if you are not already a member of HiveNation.
Go to http://community.aerohive.com/aerohive and sign up!
Aerohive Social Media
The HiveMind Blog:
http://blogs.aerohive.com
Follow us on Twitter: @Aerohive
Instructor: David Coleman: @mistermultipath
Instructor: Bryan Harkins: @80211University
Instructor: Gregor Vucajnk: @GregorVucajnk
Instructor: Metka Dragos: @MetkaDragos
Please feel free to tweet about #Aerohive training during class.
Copyright ©2011
Aerohive Technical Support – General
I want to talk to somebody live.
Call us at 408-510-6100 / Option 2. We also provide service toll-free from within the US & Canada by dialing (866) 365-9918. Aerohive has Support Engineers in the US, China, and the UK, providing coverage 24 hours a day.
How do I buy Technical Support?
Support Contracts are sold on a yearly basis, with discounts for multi-year purchases. Customers can purchase Support in either 8x5 format or in a 24 hour format.
I have different expiration dates on several Entitlement keys, may I combine all my support so it all expires on the same date?
Your Aerohive Sales Rep can help you set up Co-Term, which allows you to select matching expiration dates for all your support.
Aerohive Technical Support – The Americas
How do I reach Technical Support?
Aerohive Technical Support is available 24 hours a day. This can be via the Aerohive Support Portal or by calling. For the Support Portal, an authorized customer can open a Support Case. Communication is managed via the portal with new messages and replies. Once the issue is resolved, the case is closed, and can be retrieved at any time in the future.
I want to talk to somebody live.
For those who wish to speak with an engineer call us at 408-510-6100 / Option 2. We also provide service toll-free from within the US & Canada by dialing (866) 365-9918.
I need an RMA in The Americas
An RMA is generated via the Support Portal, or by calling our Technical Support group. After troubleshooting, should the unit require repair, we will overnight* a replacement to the US and Canada. Other countries are international. If the unit is DOA, it’s replaced with a brand new item; if not, it is replaced with a like-new refurbished item.
*Restrictions may apply: time of day, location, etc.
Aerohive Technical Support – International
How do I get Technical Support outside The Americas?
Aerohive international Partners provide dedicated Technical Support to their customers. The Partner has received specialized training on Aerohive Networks’ product line, and has access to 24 hour Internal Aerohive Technical Support via the Support Portal, or by calling 408-510-6100 / Option 2.
I need an RMA internationally
World customers’ defective units are quickly replaced by our Partners, and Aerohive replaces the Partner’s stock once it arrives at our location. Partners are responsible for all shipping charges, duties, taxes, etc.
Copyright Notice
Copyright © 2014 Aerohive Networks, Inc. All rights reserved.
Aerohive Networks, the Aerohive Networks logo, HiveOS, Aerohive AP, HiveManager, and GuestManager are trademarks of Aerohive Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies.
QUESTIONS?
Classroom SSID
Data Center setup
CLASSROOM & DATA CENTER
Lab: Get Connected
1. Connect to class WLAN
• Please connect to the SSID: aerohive-class
• Network Key: aerohive123
SSID: Class-SSID
Security: WPA/WPA2 Personal (PSK)
Network Key: aerohive123
WLAN Policy: WLAN-Classroom
Mgt0 IP: 10.5.1.N/24 VLAN 1
Connect to SSID: Class-SSID
IP: 10.5.1.N/24
Gateway: 10.5.1.1
Diagram labels: Guest Client (VLAN 1), Instructor PC, Internet
Aerohive Training Remote Lab
• Aerohive Access Points using external antenna connections and RF cables to connect to USB Wi-Fi client cards (Black cables)
• Access Points are connected from eth0 to Aerohive Managed Switches with 802.1Q VLAN trunk support providing PoE to the APs (Yellow cables)
• Firewall with routing support, NAT, and multiple Virtual Router Instances
• Access Points are connected from their console port to a console server (White cables)
• Console server to permit SSH access into the serial console of Aerohive Access Points
• Server running VMware ESXi running Active Directory, RADIUS, NPS and hosting the virtual clients used for testing configurations to support the labs
Network Layout for Data Center
HiveManager: MGT 10.5.1.20/24
Win2008 AD Server: MGT 10.5.1.10/24
Linux Server: MGT 10.6.1.150/24
Terminal Server: 10.5.1.5/24
L3 Switch/Router/Firewall:
› eth0 10.5.1.1/24 VLAN 1
› eth0.1 10.5.2.1/24 VLAN 2
› eth0.2 10.5.8.1/24 VLAN 8
› eth0.3 10.5.10.1/24 VLAN 10
› eth1 10.6.1.1/24 (DMZ)
L2 Switch: Native VLAN 1
Aerohive AP Common Settings:
› Default Gateway: None
› MGT0 VLAN 2
› Native VLAN 1
› LAN ports connected to L2-Switch with 802.1Q VLAN Trunks
14 Aerohive AP 340s (X=2, X=3, X=N):
› 10.5.2.*/24, No Gateway
14 Client PCs For Wireless Access (X=2, X=3, X=N):
› Ethernet: 10.5.1.202/24, No Gateway; Wireless: 10.5.10.$/24, Gateway: 10.5.10.1
› Ethernet: 10.5.1.203/24, No Gateway; Wireless: 10.5.V.X/24, Gateway: 10.5.V.1
› Ethernet: 10.5.1.20N/24, No Gateway; Wireless: 10.5.V.X/24, Gateway: 10.5.V.1
Services for Hosted Class
Win2008 AD Server:
- RADIUS(NPS)
- DNS
- DHCP
Linux Server:
- Web Server
- FTP Server
QUESTIONS?
Get Connected to HiveManager
AEROHIVE ENTERPRISE MODE
Connect to the Hosted Training HiveManager
• Securely browse to the assigned HiveManager for class
› TRAINING LAB 1
https://training-hm1.aerohive.com
https://72.20.106.120
› TRAINING LAB 2
https://training-hm2.aerohive.com
https://72.20.106.66
› TRAINING LAB 3
https://training-hm3.aerohive.com
https://209.128.124.220
› TRAINING LAB 4
https://training-hm4.aerohive.com
https://203.214.188.200
› TRAINING LAB 5
https://training-hm5.aerohive.com
https://209.128.124.230
• Supported Browsers:
› Firefox, Internet Explorer, Chrome, Safari
• Class Login Credentials:
› Login: adminX
X = Student ID 2 - 29
› Password: aerohive123
NOTE: In order to access the HiveManager, someone at your location needs to enter the training firewall credentials given to them by the instructor first.
LAB: Setting Up a Wireless Network
LAB Goals
• Connect to HiveManager to create a simple Network Policy with static PSK security.
• Define Static IP addresses for the student access point and VPN gateway.
• Update the devices.
• Connect to the hosted PC and test the wireless connectivity.
• Each student creates a client monitor for future troubleshooting.
• Proceed to the advanced labs.
Lab: Setting Up a Wireless Network
1. Creating a new Network Policy
• Go to Configuration
• Click the New Button
Lab: Setting Up a Wireless Network
2. Building your Initial Wireless Network Policy
• Name: WLAN-X
• Select: Wireless Access and Bonjour Gateway
• Click Create
Only the Wireless Access and Bonjour Gateway Profiles are used in this class. Switching and Branch Routing are covered in another course. For information about that class visit: http://aerohive.com/support/technical-training/training-schedule for dates and registration.
Network Policy Types
• Wireless Access – Use when you have an AP-only deployment, or you require specific wireless policies for APs in a mixed AP and router deployment
• Branch Routing – Use when you are managing routers, or APs behind routers that do not require different Network Policies than the router they connect through
Diagram: BR100 at a Small Branch Office or Teleworker Site; BR200 with APs at a Small to Medium Size Branch Office that may have APs behind the router; each connects to the Internet
Network Policy Types
• Switching
› Used to manage wired traffic using Aerohive switches
• Bonjour Gateway
› Recommended to deploy a Bonjour Gateway in 3rd Party networks
› Bonjour Gateway Lab later in class
Diagram labels: Internet, SR2024, PoE, AP
Lab: Setting Up a Wireless Network
3. Create a New SSID Profile
Network Configuration
• Next to SSIDs click Choose
• Then click New
Lab: Setting Up a Wireless Network
4. Configure a PSK Employee SSID
• SSID Profile: Class-PSK-X
X = 2 – 29 (Student ID)
• SSID: Class-PSK-X
• Select WPA/WPA2 PSK (Personal)
• Key Value: aerohive123
• Confirm Value: aerohive123
• Click Save
• Click OK
IMPORTANT: For the SSID labs, please follow the class naming convention.
Lab: Setting Up a Wireless Network
5. Create a User Profile
• To the right of your SSID, under User Profile, click Add/Remove
• In Choose User Profiles click New
Lab: Setting Up a Wireless Network
6. Define User Profile Settings
• Name: Employee-X
• Attribute Number: 10
• Network or VLAN-only Assignment: 10
• Click Save
Lab: Setting Up a Wireless Network
7. Choose User Profile and Continue
• Ensure Employee-X User Profile is highlighted
• Click Save
Lab: Setting Up a Wireless Network
8. Save the Network Policy
• Click the Configure & Update Devices bar or click the Continue button
Note: The Save button saves your Network Policy. The Continue Button saves your Network Policy and allows you to proceed to the Configure and Update Devices area simultaneously.
Hosted Training Lab Network IP Summary
WLAN HQ – L2 VPN Gateway-VPN Servers
› HiveOS-VA-0X MGT0: 10.200.2.X/24
› Gateway: 10.200.2.1
› RADIUS: 10.200.2.250
FW(NAT): 2.2.2.2
› Firewall NAT Rules: 1.2.1.X → 10.8.1.X
WLAN Branch Office – Aerohive AP VPN Clients
› VPN Client X-A-Aerohive AP MGT0: 10.5.2.#
› Gateway: 10.5.2.1
› Client PC
# – Address Learned through DHCP
Lab: Setting Up a Wireless Network
9. Update the configuration of your Aerohive AP
From the Configure & Update Devices section, modify your AP specific settings
• Display Filter: None
• Click the Name column to sort the APs
• Click the link for your 0X-A-######
Lab: Setting Up a Wireless Network
10. Update the configuration of your A-Aerohive AP
• Topology Map: Data Center_Class-Lab or Classroom
• Select your WLAN-X Network Policy
• Set the power levels:
› 2.4GHz(wifi0) Power: 1
› 5GHz(wifi1) Power: 1
• Do not click Save yet
VERY IMPORTANT: We need to leave the power set to 1dBm on both radios because the APs are stacked in a rack in the data center
Lab: Setting Up a Wireless Network
12. Configure Settings on Your A-Aerohive AP
Under Optional Settings
• Expand MGT0 interface settings
› Select Static IP
› IP Address: 10.5.2.X
› Netmask: 255.255.255.0
› Gateway: 10.5.2.1
• Do not click Save yet
We are assigning the AP a static IP address because the AP will function as a RADIUS server in a later lab. Whenever Aerohive devices function as a server, they must have a static IP address. Best practice is to assign the device a static IP address prior to configuring a Network Policy that requires an Aerohive device to function as a server.
Lab: Setting Up a Wireless Network
12. Configure Settings on Your A-Aerohive AP
Under Optional Settings
• Expand Advanced Settings
› Check Override MGT VLAN: 2
• Click Save
Lab: Setting Up a Wireless Network
13. Update the configuration of your HiveOS-VA
From the Configure & Update Devices section, modify your HiveOS-VA specific settings
• Display Filter: None
• Click the Name column to sort the devices
• Click the link for your VA: HiveOS-VA-0X
Lab: Setting Up a Wireless Network
14. Update the configuration of your HiveOS-VA
• Set the Device Function to L2 VPN Gateway
• Select your WLAN-X Network Policy
• Expand MGT0 Interface Settings, and assign the VPN gateway a static IP address:
› MGT0 IP Address: 10.200.2.X
› Netmask: 255.255.255.0
› Gateway: 10.200.2.1
• Click Save
Lab: Setting Up a Wireless Network
15. Update the configuration of your AP & VA
In the Configure & Update Devices section
• Click the Name column to sort the devices
• Check the box next to your AP: X-A-######
• Check the box next to your L2 VPN Gateway: HiveOS-VA-0X
Lab: Setting Up a Wireless Network
16. Update the configuration of AP & VA
• Select Update
• Update Devices
• Click Update
• Click OK in the Reboot Warning window
The first Update is automatically a complete update. For this class, ALL subsequent Updates should be Complete configuration updates, unless directed otherwise.
Lab: Setting Up a Wireless Network
17. Update the configuration of AP & VA
• The devices will reboot
Lab: Setting Up a Wireless Network
18. Monitoring Devices
• Go to Monitor → Devices → All Devices for more detailed information and tools
Screenshot callouts:
› Set items per page
› Change column settings
› Turn off auto refresh if you want to make changes without interruption
› If Audit is Red Exclamation Point, click it to see the difference between HiveManager and the device.
QUESTIONS?
TEST YOUR CONFIGURATION
USING THE HOSTED PC
Lab: Test Hosted Client Access to SSID
Test SSID Access at Hosted Site
SSID: Class-PSK-X
Authentication: WPA or WPA2 Personal
Encryption: TKIP or AES
Preshared Key: aerohive123
User Profile 1: Employee(10)-X
Attribute: 10
VLAN: 10
IP Firewall: None
QoS: def-user-qos
Hosted PC: Student-0X
VLANs 1-20
Mgt0 IP: 10.5.2.N/24 VLAN 1
WLAN Policy: WLAN-X
Internal Network
AD Server: 10.5.1.10
DHCP Settings: (VLAN 10) network 10.5.10.0/24, 10.5.10.140 – 10.5.10.240
Internet
Connect to SSID: Class-PSK-X
IP: 10.5.10.N/24
Gateway: 10.5.10.1
Use VNC client to access Hosted PC:
password: aerohive123
Lab: Test Hosted Client Access to SSID
1. For Windows: Use TightVNC client
• If you are using a Windows PC
› Use TightVNC
› TightVNC has good compression so please use this for class instead of any other application
• Start TightVNC
› For Lab 1: lab1-pcX.aerohive.com
› For Lab 2: lab2-pcX.aerohive.com
› For Lab 3: lab3-pcX.aerohive.com
› For Lab 4: lab4-pcX.aerohive.com
› For Lab 5: lab5-pc0X.aerohive.com
› Select Low-bandwidth connection
› Click Connect
› Password: aerohive123123
› Click OK
Lab: Test Hosted Client Access to SSID
2. For Mac: Use the Real VNC client
• If you are using a Mac
› RealVNC has good compression so please use this for class instead of any other application
• Start RealVNC
› For Lab 1: lab1-pcX.aerohive.com
› For Lab 2: lab2-pcX.aerohive.com
› For Lab 3: lab3-pcX.aerohive.com
› For Lab 4: lab4-pcX.aerohive.com
› For Lab 5: lab5-pc0X.aerohive.com
› Select Low-bandwidth connection
› Click Connect
› Password: aerohive123123
› Click OK
Lab: Test Hosted Client Access to SSID
3. In case the PCs are not logged in
If you are not automatically logged in to your PC
• If you are using the web browser client
› Click the button to Send Ctrl-Alt-Del
• If you are using the TightVNC client
› Click to send a Ctrl-Alt-Del
• Login: AH-LAB\user
• Password: Aerohive1
• Click the right arrow to log in
Lab: Test Hosted Client Access to SSID
4. Connect to Your Class-PSK-X SSID
• Single-click the wireless icon on the bottom right corner of the Windows task bar
• Click your SSID Class-PSK-X
• Click Connect
› Security Key: aerohive123
› Click OK
Lab: Test Hosted Client Access to SSID
5. In case the PCs are not logged in
If you are not automatically logged in to your PC
• If you are using the web browser client
› Click the button to Send Ctrl-Alt-Del
• If you are using the TightVNC client
› Click to send a Ctrl-Alt-Del
• Login: AH-LAB\user
• Password: Aerohive1
• Click the right arrow to log in
Lab: Test Hosted Client Access to SSID
6. Go to the Windows 8 Desktop view
From the Windows 8 start screen, click on the Desktop icon
Lab: Test Hosted Client Access to SSID
7. Connect to Your Class-PSK-0X SSID
• Single-click the wireless icon on the bottom right corner of the Windows task bar
• Click your SSID Class-PSK-X
• Click Connect
› Security Key: aerohive123
› Click Next
Lab: Test Hosted Client Access to SSID
8. View Active Clients List
• After associating with your SSID, you should see your connection in the active clients list in HiveManager
› Go to Monitor → Clients → Wireless Clients
• Your IP address should be from the 10.5.10.0/24 network
• VLAN: 10
Lab: Test Hosted Client Access to SSID
9. Add Additional Columns
• To change the layout of the columns in the Active Clients list, you can click the spreadsheet icon
• Select User Profile Attribute from the Available Columns list and click the right arrow
• With User Profile Attribute selected, click the Up button so that the column is moved after Host Name
• Click Save
Screenshot callout: Click to change column layout
QUESTIONS?
THE CLIENT MONITOR TOOL
Lab: Client Monitor
1. Select a client to monitor
• To start monitoring a client's connection state go to: Monitor → Clients → Active Clients
• Select the check box next to your client to monitor
Note: If your client does not appear, you can skip this step for now
• Click Operation... → Client Monitor
• For class, ensure your Associated Aerohive AP is selected (Do not select All)
• The MAC address of your client will be selected
Note: You can manually enter the wireless client MAC address without delimiters
• Write down your client's MAC address
• Note: Remember the Client MAC address for the next step in the lab.
• Click Add
Screenshot callouts: Click Operation..., Click Client Monitor, Click Add New Client, Select your Aerohive AP, Click Add
Lab: Client Monitor
2. Start the client monitor
• Check Filter Probe
Note: This removes all the probe requests and responses you will see from clients and APs so you can focus on protocol connectivity
• Click Start
Note: Your client will be monitored until you click Stop. You can leave this window, and if you go back to Operation... → Client Monitor, you will see the list of all clients being monitored
• You can expand the window by dragging the bottom right corner
• Select your client to see the connection logs for your client as they occur
Screenshot callouts:
1. Check Filter Probe
2. Click Start
3. Drag bottom right corner of window to expand
Client Monitor Results
Throughout the labs, go to the client monitor for your PC to view the ongoing results
Screenshot callouts:
› 4-way handshake completes
› Client is assigned IP address from DHCP
QUESTIONS?
TIME SETTINGS FOR HIVEMANAGER AND AEROHIVE DEVICES
Verify On-Premise HiveManager Time Settings
• HiveManager and Aerohive Devices should have up-to-date time settings, preferably by NTP (HMOL Time Settings are automatic).
• Go to Home → Administration → HiveManager Settings
• Next to System Date/Time click Settings
Aerohive devices use Private PSKs and certificates, which are time-limited credentials. Therefore, it is imperative that the HiveManager Time Settings be in proper synchronization with your network. The use of an NTP server is highly recommended.
Verify Device Time Settings
• Go to Configuration
• Select your Network Policy: WLAN-X and click OK
• Next to Additional Settings click Edit
• Expand Management Server Settings
Note: Upon first login to a new HiveManager system, an NTP server policy is automatically created with the same name as the User name. However, the object should be edited with the proper time zones.
• Next to NTP Server
› Click the + Icon
Aerohive devices use Private PSKs and certificates, which are time-limited credentials. Even more important than the HiveManager Time Settings, Aerohive Device Clock Settings must be properly synchronized. The use of an NTP server is MANDATORY.
Verify Device Time Settings
• Name the service NTP-X
• Time Zone: <Please use the Pacific Time Zone>
• Uncheck Sync clock with HiveManager
• NTP Server: ntp1.aerohive.com
• Click Apply
• Click Save
MANDATORY: You must change the time zone to match the time zone where your Aerohive Devices reside. Do this BEFORE you configure the rest of your Network Policy.
Instructor note: When using Lab #4 the Time Zone MUST be set to (GMT +10 Australia/Sydney)
QUESTIONS?
SECURE WIRELESS LANS WITH IEEE 802.1X USING PEAP AUTHENTICATION
IEEE 802.1X with EAP
Participants: Supplicant (Computer), Authenticator (AP), Authentication Server (RADIUS)
Supplicant and Authenticator | Authenticator and Authentication Server
802.11 association |
EAPoL-start |
EAP-request/identity |
EAP-response/identity (username) | RADIUS-access-request
EAP-request (challenge) | RADIUS-access-challenge
EAP-response (hashed resp.) | RADIUS-access-request
EAP-success | RADIUS-access-accept (PMK)
Access Granted
Diagram callouts: "Access Please!", "Access blocked", "Calculating key for user…", "Calculating my key…"
Extensible Authentication Protocol (EAP)
Comparison Chart
LAB: Secure WLAN Access With 802.1X/EAP
LAB Goals
• Configure a Network Policy for 802.1X/EAP Enterprise security where APs communicate with an external RADIUS server
• Define multiple user profiles leveraging RADIUS attributes
• Connect to the hosted PC and test the 802.1X/EAP authentication
• Troubleshoot authentication problems with Client Monitor.
• Verify user profile assignment using RADIUS attributes.
LAB: Secure WLAN Access With 802.1X/EAP
Using External RADIUS
SSID: Class-EAP-X
Authentication: WPA or WPA2 Personal
Encryption: TKIP or AES
Auth User Profile: Employee-X
Attribute: 10 (RADIUS Attribute Returned)
VLAN: 10
Default User Profile: Employee-Default-X
Attribute: 1000 (No RADIUS Attribute Returned)
VLAN: 8
Student-0X
VLANs 1-20
Mgt0 IP: 10.5.2.N/24 VLAN 1
Network Policy: WLAN-0X
AD Server: 10.5.1.10 NPS (2008)
DHCP Settings:
› (VLAN 1) network 10.5.2.0/24, 10.5.2.140 – 10.5.2.240
› (VLAN 10) network 10.5.10.0/24, 10.5.10.140 – 10.5.10.240
Internet
Connect to SSID: Class-EAP-X
IP: 10.5.10.N/24
Gateway: 10.5.10.1
Instructor Only: On Hosted RADIUS Server
Verify RADIUS Client Settings
• Set the RADIUS server to accept RADIUS messages from the MGT0 interface IP on all Aerohive devices that function as authenticators
• This class uses: 10.5.2.0/24
• Shared Secret: aerohive123
NOTE: Use a stronger key in real life!
Instructor Only: On Hosted RADIUS Server
Verify RADIUS Client Settings
• RADIUS clients often get confused with the Wi-Fi clients (supplicants)
• RADIUS clients are devices that communicate with a RADIUS server using the RADIUS protocol
• RADIUS clients are the authenticators in an 802.1X/EAP framework
• The term “RADIUS clients” is also synonymous with the term NAS clients.
On Hosted RADIUS Server
Configuring RADIUS Return Attributes
• After successful authentication by users in the AH-LAB\Wireless Windows AD group, RADIUS will return three attribute value pairs to assign the Aerohive user profile.
Standard RADIUS Attribute/Value Pairs Returned
Tunnel-Medium-Type: IPv4
Tunnel-Type: GRE
Tunnel-Pvt-Group-ID: 10
Lab: Secure WLAN Access With 802.1X/EAP
1. Create a New SSID
To configure an 802.1X/EAP SSID for Secure Wireless Access
• Go to Configuration
• Select your Network Policy: WLAN-X and click OK
• Next to SSIDs, click Choose
• Click New
Lab: Secure WLAN Access With 802.1X/EAP
2. Configure an 802.1X/EAP SSID
• Profile Name: Class-EAP-X
• SSID: Class-EAP-X
• Under SSID Access Security select WPA/WPA2 802.1X (Enterprise)
• Click Save
Lab: Secure WLAN Access With 802.1X/EAP
3. Select new Class-EAP-X SSID
• Click to deselect the Class-PSK-X SSID
• Ensure the Class-EAP-X SSID is selected
• Click OK
Screenshot callouts: Click to deselect Class-PSK-X; Ensure Class-EAP-X is highlighted then click OK
Lab: Secure WLAN Access With 802.1X/EAP
4. Create a RADIUS object
• Under Authentication, click <RADIUS Settings>
• In Choose RADIUS, click New
Lab: Secure WLAN Access With 802.1X/EAP
5. Define the External RADIUS Server
• RADIUS Name: RADIUS-X
• IP Address/Domain Name: 10.5.1.10
• Shared Secret: aerohive123
• Confirm Secret: aerohive123
• Click Apply
• Click Save
Screenshot callout: Click Apply When Done!
Lab: Secure WLAN Access With 802.1X/EAP
6. Create a New User Profile
• Under User Profile, click Add/Remove
• Click New
Lab: Secure WLAN Access With 802.1X/EAP
7. Define User Profile Settings
• Name: Employee-Default-X
• Attribute Number: 1000
• Network or VLAN-only Assignment: 8
• Click Save
Lab: Secure WLAN Access With 802.1X/EAP
8. Assign User Profile as Default for the SSID
• With the Default > tab selected, ensure the Employee-Default-X user profile is highlighted
› IMPORTANT: This user profile will be assigned if no attribute value is returned from RADIUS after successful authentication, or if attribute value 1000 is returned.
• Click the Authentication tab
Screenshot callouts: Default Tab, Authentication Tab
Lab: Secure WLAN Access With 802.1X/EAP
9. Assign User Profile to be Returned by RADIUS Attribute
• Select the Authentication > tab
• Select (highlight) Employee-X
› Important: This User Profile will be assigned if there are matching RADIUS attributes returned from a RADIUS server. You can have as many as 63 unique User Profiles.
• Click Save
Screenshot callout: Authentication Tab
NOTE: The (User Profile Attribute) is appended to the User Profile Name
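The user profile selection described in steps 8 and 9 and on the RADIUS return-attributes slide, as an added Python example (not Aerohive or NPS code, and not part of the original slides): it verifies an Access-Accept against the shared secret, decodes the three tunnel attributes, and resolves the profile. Assumptions: the sample packet, secret and profile names (student X = 2) are constructed; the packet carries only the three tunnel attributes; a missing or non-GRE/IPv4 set is treated as "no attribute returned"; a number that matches no configured profile returns None because the slides do not cover that case.

```python
import hashlib
import hmac
import struct

# RADIUS code and attribute types (RFC 2865, RFC 2868)
ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_GRE = 10       # RFC 2868 value for GRE
MEDIUM_IPV4 = 1            # RFC 2868 value for IPv4
DEFAULT_ATTRIBUTE = 1000   # attribute number of the lab's default user profile

# Constructed sample values (not captured traffic, not the class secret)
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
PROFILES = {10: "Employee-2", 1000: "Employee-Default-2"}


def build_accept(ident, request_auth, secret, attrs):
    """Build a constructed Access-Accept; stands in for the RADIUS server."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + resp_auth + body


def parse_accept(packet, request_auth, secret):
    """Check the Response Authenticator, then return {attribute type: [raw values]}."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    body = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch (shared secret differs?)")
    attrs, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("attribute length out of range")
        attrs.setdefault(atype, []).append(body[pos + 2:pos + alen])
        pos += alen
    return attrs


def tagged_int(value):
    """Tunnel-Type and Tunnel-Medium-Type: one tag octet plus a 3-octet integer."""
    if len(value) != 4:
        raise ValueError("tagged integer must be 4 octets")
    return int.from_bytes(value[1:], "big")


def group_id(value):
    """Tunnel-Private-Group-ID: an optional tag octet (0x00-0x1F), then a string."""
    if value and value[0] <= 0x1F:
        value = value[1:]
    return value.decode("ascii")


def select_user_profile(attrs, profiles):
    """Map returned tunnel attributes to a profile name (None if no profile matches)."""
    number = DEFAULT_ATTRIBUTE  # used when no usable attribute set is returned
    if all(t in attrs for t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID)):
        is_gre = tagged_int(attrs[TUNNEL_TYPE][0]) == TUNNEL_TYPE_GRE
        is_ipv4 = tagged_int(attrs[TUNNEL_MEDIUM_TYPE][0]) == MEDIUM_IPV4
        if is_gre and is_ipv4:
            number = int(group_id(attrs[TUNNEL_PVT_GROUP_ID][0]))
    return profiles.get(number)


def tunnel_attrs(group):
    """The three attribute/value pairs from the slide, with a chosen group ID."""
    return [
        (TUNNEL_MEDIUM_TYPE, b"\x00" + MEDIUM_IPV4.to_bytes(3, "big")),
        (TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_GRE.to_bytes(3, "big")),
        (TUNNEL_PVT_GROUP_ID, group.encode("ascii")),
    ]


def demo(group=None):
    """Build, verify and resolve one Access-Accept; group=None sends no attributes."""
    attrs = tunnel_attrs(group) if group is not None else []
    packet = build_accept(7, REQUEST_AUTH, SECRET, attrs)
    return select_user_profile(parse_accept(packet, REQUEST_AUTH, SECRET), PROFILES)


if __name__ == "__main__":
    for sample in ("10", None, "1000", "20"):
        print(sample, "->", demo(sample))
```

A packet built with a different shared secret fails the Response Authenticator check in parse_accept before any attribute is trusted.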
© 2014 Aerohive Networks CONFIDENTIAL
Lab: Secure WLAN Access With
802.1X/EAP 10. Verify and Continue
89
• Ensure Employee-Default-X and Employee-X user
profiles are assigned to the Class-EAP-X SSID
• Click Continue to Configure & Update Devices
Lab: Secure WLAN Access With 802.1X/EAP
11. Update the AP Configuration
In the Configure & Update Devices section
• Select the Current Policy filter
• Check the box next to your AP: X-A-######
• Click Update
Lab: Secure WLAN Access With 802.1X/EAP
12. Update the AP configuration
• Select Update Devices
• Select Perform a complete configuration update for all selected devices
• Click Update
• Click OK in the Reboot Warning window
For this class, ALL Updates from this point should be Complete configuration updates unless otherwise directed.
Lab: Secure WLAN Access with 802.1X/EAP
13. Update the AP configuration
• Your new
configuration
will upload
• The AP will
reboot
QUESTIONS?
CONFIGURING AND TESTING YOUR 802.1X SUPPLICANT
For Windows 7 Supplicants
Lab: Testing 802.1X/EAP to External RADIUS
1. Connect to Secure Wireless Network
• From the bottom task bar, click the locate wireless networks icon
• Click Class-EAP-X
• Click Connect
Wireless
Network Icon
Lab: Testing 802.1X/EAP to External RADIUS
2. Connect to Secure Wireless Network
• Single-click the wireless
icon on the bottom right
corner of the windows task
bar
• Click Class-EAP-X
• Click Connect
• Select Use my Windows
user account
• Click OK
Lab: Testing 802.1X/EAP to External RADIUS
3. View Wireless Clients
• After associating with your SSID, you should see your
connection in the active clients list in HiveManager
› Go to MonitorClientsWireless Clients
• User Name: DOMAINuser
• User Profile Attribute: 10
• VLAN: 10
You were assigned to this User Profile based on a
returning RADIUS attribute
User Profile Assignment via RADIUS attributes
• User Profiles can be assigned
based upon returned RADIUS
attributes
• As many as 63 different
groups of users can be
assigned to different VLANs,
firewall policies, SLA policies,
time-based policies, etc.
Leveraging RADIUS attributes for User Profile
assignment means you only need to have a
single SSID for all your employees. Although
you can transmit as many as 16 SSIDs per
radio, best practices dictate no more than 3-4.
Excessive SSIDs create L2 overhead and
degrade performance. A common strategy is
to have three SSIDs: Employees, Voice and
Guests.
Default RADIUS attributes used for User Profile assignment
Note: By default, user profile
assignment by RADIUS
attributes uses these
Attribute/Value Pairs:
Tunnel-Medium-Type: IPv4
Tunnel-Type: GRE
Tunnel-Pvt-Group-ID: 10
Standard RADIUS
Attribute/Value Pairs Returned
Tunnel-Medium-Type: IPv4
Tunnel-Type: GRE
Tunnel-Pvt-Group-ID: 10
User Profile Assignment via RADIUS attributes
• User Profiles can be
assigned based upon
any returned RADIUS
attributes
• The attributes can be
Standard or Custom
Standard RADIUS
Attribute
Custom RADIUS
Attribute
Example: Troubleshooting
Invalid User Profile attribute returned from RADIUS
• From MonitorAll Devices
• If you see an alarm when trying to authenticate with 802.1X/EAP, click
the alarm icon for details
• This alarm specifies that an incorrect attribute was returned from the
RADIUS server that is not defined on the Aerohive AP – In this case 50
Invalid User
Profile Returned
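The assignment rules from the preceding slides (default profile when no attribute or 1000 is returned, profile selected by the returned Tunnel-Pvt-Group-ID, alarm on an undefined value such as 50), as an added Python example that is not Aerohive code. It checks the RFC 2865 Response Authenticator of a constructed Access-Accept with the lab shared secret before trusting the attributes; the function names, and treating an incomplete attribute triple as "no attribute returned", are assumptions of this example.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID = 64, 65, 81  # RFC 2868 types
GRE, IPV4 = 10, 1                # Tunnel-Type GRE, Tunnel-Medium-Type IPv4
# Attribute number -> (user profile, VLAN), as configured in the lab slides.
PROFILES = {1000: ("Employee-Default-X", 8), 10: ("Employee-X", 10)}
DEFAULT_ATTRIBUTE = 1000


def build_accept(ident, request_auth, secret, attrs):
    """Build a constructed Access-Accept, standing in for the RADIUS server."""
    body = b"".join(bytes([a_type, len(val) + 2]) + val for a_type, val in attrs)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + auth + body


def tunnel_attrs(group_id, tag=0):
    """The three attribute/value pairs listed on the slide, RFC 2868 encoded."""
    return [
        (TUNNEL_TYPE, bytes([tag]) + GRE.to_bytes(3, "big")),
        (TUNNEL_MEDIUM_TYPE, bytes([tag]) + IPV4.to_bytes(3, "big")),
        (TUNNEL_PVT_GROUP_ID, str(group_id).encode("ascii")),
    ]


def parse_accept(packet, request_auth, secret):
    """Authenticate the reply, then return its attributes as {type: value}."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    want = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(want, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs


def profile_attribute(attrs):
    """Return the user profile attribute number, or None if none was returned."""
    gid = attrs.get(TUNNEL_PVT_GROUP_ID)
    t_type, medium = attrs.get(TUNNEL_TYPE), attrs.get(TUNNEL_MEDIUM_TYPE)
    if gid is None or t_type is None or medium is None:
        return None              # assumption: incomplete triple counts as "none returned"
    # Tunnel-Type and Tunnel-Medium-Type carry one tag byte plus a 3-byte value.
    if len(t_type) != 4 or int.from_bytes(t_type[1:], "big") != GRE:
        return None
    if len(medium) != 4 or int.from_bytes(medium[1:], "big") != IPV4:
        return None
    if gid and gid[0] <= 0x1F:   # optional leading tag byte on the string attribute
        gid = gid[1:]
    if not gid.isdigit():
        raise ValueError("non-numeric Tunnel-Pvt-Group-ID")
    return int(gid)


def assign_user_profile(packet, request_auth, secret):
    """Return (status, profile name or reason, VLAN or None)."""
    try:
        number = profile_attribute(parse_accept(packet, request_auth, secret))
    except ValueError as err:
        return ("rejected", str(err), None)
    if number is None:
        number = DEFAULT_ATTRIBUTE
    if number not in PROFILES:
        return ("alarm", f"attribute {number} is not defined on the AP", None)
    name, vlan = PROFILES[number]
    return ("assigned", name, vlan)


def demo():
    """Run constructed replies through the assignment logic."""
    secret, req_auth = b"aerohive123", bytes(range(16))  # lab secret, constructed authenticator
    cases = {
        "attribute 10": build_accept(1, req_auth, secret, tunnel_attrs(10)),
        "no attribute": build_accept(2, req_auth, secret, []),
        "attribute 1000": build_accept(3, req_auth, secret, tunnel_attrs(1000)),
        "attribute 50": build_accept(4, req_auth, secret, tunnel_attrs(50)),
        "wrong secret": build_accept(5, req_auth, b"not-the-secret", tunnel_attrs(10)),
    }
    return {label: assign_user_profile(pkt, req_auth, secret) for label, pkt in cases.items()}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "->", result)
```

Because the returned attribute selects the VLAN and policy, the shared secret that protects the reply is what keeps that assignment trustworthy.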
Client Monitor – For 802.1X/EAP
Example of an invalid user account
SSL negotiation uses the
RADIUS server certificate
Shows IP of RADIUS server
At this point you know the AAA
certificates were installed correctly and
the server certificate validation done
by the client passed
The user is not in the user database.
View the AAA server settings and
ensure the correct user group is
selected, and the Aerohive AP is a
RADIUS server. Then update the
configuration of the Aerohive AP.
Client Monitor
Troubleshooting 802.1X
Client Monitor is the perfect tool to troubleshoot 802.1X/EAP
problems
More information can be found at:
http://blogs.aerohive.com/blog/the-wireless-lan-training-blog/troubleshooting-wi-fi-connectivity-with-hivemanager-tools
RADIUS Test
Built Into HiveManager
To test a RADIUS account
• Go to Tools > Server Access Tests > RADIUS Test
• RADIUS Server:
10.5.1.10
• Aerohive AP RADIUS Client:
0X-A-######
• Select RADIUS
authentication server
• Username: user
• Password: Aerohive1
• Click Test
You can even see the attribute values that are returned
QUESTIONS?
RADIUS PROXY
Instructor Only: On Hosted RADIUS Server
Verify RADIUS Client Settings
• Set the RADIUS
server to accept
RADIUS messages
from the MGT0
interface IP on all
Aerohive devices
that function as
authenticators
• This class uses:
10.5.2.0/24
• Shared Secret:
aerohive123
NOTE: Use a
stronger key in real
life!
RADIUS Proxy on Aerohive APs
• Aerohive devices can
be RADIUS proxies
› APs can set their
RADIUS server to be
the RADIUS proxy AP
› The RADIUS proxy
AP proxies the
authentication
requests to the
RADIUS server
› A single IP can be set
on the RADIUS
server for all the APs
that need to
authenticate
Diagram: AP RADIUS clients send requests to the AP acting as RADIUS proxy and RADIUS client (10.5.2.2), which forwards them to the RADIUS server (10.5.1.10). RADIUS client settings on the server: permit 10.5.2.2/32.
Note: Aerohive APs,
switches, BR-200 branch
routers and VA gateways
can all function as a
RADIUS proxy.
LAB: Using Hive Devices as a RADIUS Proxy
LAB Goals
• Define one Aerohive AP as a RADIUS proxy that will
forward RADIUS packets to an external RADIUS server
• Avoid the RADIUS client licensing restrictions imposed by
some RADIUS vendors
• Connect to the hosted PC and test the 802.1X/EAP
authentication
• Troubleshoot any authentication problems with Client
Monitor.
• Verify user profile assignment using RADIUS attributes.
Lab: Using Hive Devices as a RADIUS Proxy
1. Designating a RADIUS Proxy
• Click Configuration
• Expand Advanced
Configuration
• Click
Authentication
• Click RADIUS Proxy
• Then click the New
button
Lab: Using Hive Devices as a RADIUS Proxy
2. RADIUS Proxy Details
• Use Proxy-X as the
Proxy Name
• Click the + next to
RADIUS Server
• Do NOT save yet!
Lab: Using Hive Devices as a RADIUS Proxy
3. RADIUS Server Details
• Use RADIUS-Server-X
as the RADIUS Name
• Under Add New
RADIUS Server use the
dropdown arrow and
select 10.5.1.10
• Server Type Auth/Acct
• Enter and Confirm the
Shared Secret of
aerohive123
• Select Server Role as
Primary
• Click Apply
• Click Save
Click
Apply
Lab: Using Hive Devices as a RADIUS Proxy
4. RADIUS Proxy Details
• Use the dropdown arrow
next to Default under
Realm Name to select
RADIUS-Server-X as
your RADIUS Server
• Set the Realm name to:
ah-lab.local
• Ensure the Strip the Realm name from proxied access requests check box is selected
• Verify your settings
• Click Apply
• Do NOT save yet
Click
Apply
Lab: Using Hive Devices as a RADIUS Proxy
5. RADIUS Proxy – No need for RADIUS Clients
• Though different Realms
can go to different
RADIUS servers, for this
lab, set them to: RADIUS-
Server-X
• Click Save
Note: When your APs and
AP-RADIUS Proxy are in the
same hive, i.e. configured
with the same hive name,
then you do not need to
configure RADIUS clients on
the AP RADIUS proxy. This
is because the RADIUS
client and shared keys are
automatically generated
among APs in a Hive.
Lab: Using Hive Devices as a RADIUS Proxy
6. Set AP to be RADIUS Proxy
• Go to Monitor > Access Points > Aerohive APs
• Check the box next to your X-A-###### AP
• Click the Modify button
• Under Optional Settings
› expand Service
Settings
• Assign Device RADIUS
Proxy to: Proxy-X
• Click Save
Note: A RADIUS
icon will appear next
to your AP in
monitor view
Lab: Using Hive Devices as a RADIUS Proxy
7. Select your Network Policy
To edit your SSID:
Go to Configuration
• Select your Network
Policy: WLAN-X
and
click OK
Lab: Using Hive Devices as a RADIUS Proxy
8. Define the AAA client profile
• Under Authentication, click RADIUS-X
• In Choose RADIUS, click New
Lab: Using Hive Devices as a RADIUS Proxy
9. Define the External RADIUS Server (Use the Proxy)
• RADIUS Name:
RADIUS-Proxy-X
• IP Address/Domain
Name: 10.5.2.X
• No other settings are
needed as long as
the APs are in the
same Hive
• Click Apply
• Click Save
Click Apply
When Done!
Lab: Using Hive Devices as a RADIUS Proxy
10. Verify and Continue
• Ensure Employee-Default-X and Employee-X user
profiles are assigned to the Class-EAP-X SSID
• Click Continue or click the bar to
Configure & Update Devices
Lab: Using Hive Devices as a RADIUS Proxy
11. Update the AP Configuration
In the Configure & Update Devices section
• Select the Current Policy filter
• Check the box next to your AP: X-A-######
• Click Update
Lab: Using Hive Devices as a RADIUS Proxy
11. Update the AP Configuration
• Select Update Devices
• Select Perform a complete configuration update for all selected devices
• Click Update
• Click OK in the Reboot Warning window
For this class, ALL Updates from this point should be Complete configuration updates unless otherwise directed.
Lab: Using Hive Devices as a RADIUS
Proxy
13. Update the AP configuration
• Your new
configuration
will upload
• The AP will
reboot
QUESTIONS?
CONFIGURING AND TESTING YOUR 802.1X SUPPLICANT
For Windows 7 Supplicants
Lab: Testing 802.1X/EAP via RADIUS Proxy
1. Connect to Secure Wireless Network
• From the bottom task bar, click the locate wireless networks icon
• Click Class-EAP-X
• Click Connect
Wireless
Network Icon
Lab: Testing 802.1X/EAP via RADIUS Proxy
2. Connect to Secure Wireless Network
• From the bottom task bar, click the locate wireless networks icon
• Click Class-EAP-X
• Click Connect
Lab: Testing 802.1X/EAP via RADIUS Proxy
3. View Wireless Clients
• After associating with your SSID, you should see your
connection in the active clients list in HiveManager
› Go to MonitorClientWireless Clients
• User Name: DOMAINuser
• User Profile Attribute: 10
• VLAN: 10
QUESTIONS?
GENERATE AEROHIVE AP RADIUS SERVER CERTIFICATES
Required When Aerohive APs are Configured as RADIUS Servers or VPN Servers
HiveManager Root CA Certificate
Location and Uses
• This root CA certificate is used to:
› Sign the CSR (certificate signing
request) that the HiveManager creates
on behalf of the AP acting as a
RADIUS or VPN server
› Validate Aerohive AP certificates to
remote client
802.1X clients (supplicants) will need a
copy of the CA Certificate in order to trust
the certificates on the Aerohive AP
RADIUS server(s)
• Root CA Cert Name:
Default_CA.pem
• Root CA key Name:
Default_key.pem
Note: The CA key is only ever used
or seen by HiveManager
• To view certificates, go to: Configuration, then go to Advanced Configuration > Keys and Certificates > Certificate Mgmt
Use the Existing HiveManager CA Certificate, Do not Create a New One!
• For this class, please do not create a new HiveManager CA
certificate, otherwise it will render all previous certificates
invalid.
• On your own HiveManager, you can create your own HiveManager CA certificate by going to: Configuration, then go to Advanced Configuration > Keys and Certificates > HiveManager CA
Only the Super
User admin should
have access rights
to create the root
HiveManager CA
certificate.
LAB: Aerohive Device - Server Certificates
1. Generate Server Certificate
• Go to ConfigurationAdvanced
Configuration
Keys and CertificatesServer CSR
• Common Name: server-X
• Organizational Name: Company
• Organization Unit: Department
• Locality Name: City
• State/Province: <2 Characters>
• Country Code: <2 Characters>
• Email Address: userX@ah-lab.com
• Subject Alternative Name:
User FQDN: userX@ah-lab.com
Note: This lets you add an extra step of validating the
User FQDN in a certificate during IKE phase 1 for
IPsec VPN. This way, the Aerohive AP needs a valid
signed certificate, and the correct user FQDN.
• Key Size: 2048
• Password & Confirm: aerohive123
• CSR File Name: AP-X
• Click Create
LAB: Aerohive Device - Server Certificates
2. Sign and Combine!
• Select Sign by HiveManager CA
› The HiveManager CA will sign the Aerohive AP Server certificate
• The validity period should be the same as or less than the number of days
the HiveManager CA Certificate is valid
› Enter the Validity: 3650 – approximately 10 years
• Check Combine key and certificate into one file
• Click OK
Enabling this setting helps
prevent certificate and key
mismatches when
configuring the RADIUS
settings
Use this option to send
a signing request to an
external certification
authority.
LAB: Aerohive Device – Server Certificates
3. View the Certificate and Key File
• To view certificates, go to: Configuration > Advanced Configuration > Keys and Certificates > Certificate Mgmt
• The certificate and key file
name is:
AP-X_key_cert.pem
• QUIZ – Which CA signed this
Aerohive AP server key?
What devices need to install the
CA public cert?
QUESTIONS?
AEROHIVE AP RADIUS SERVER WITH ACTIVE DIRECTORY INTEGRATION
Aerohive Devices as RADIUS servers
Diagram labels: Wi-Fi Clients (Supplicants), EAP request; AP-RADIUS Clients (Authenticators), RADIUS communications; Primary and Backup AP-RADIUS Server (Authentication Server), LDAP query; LDAP Server (Active Directory) 10.5.1.10
Aerohive Devices can be configured as RADIUS
servers and can be configured to fully integrate with
any kind of LDAP including Active Directory.
LAB: Aerohive Devices as RADIUS servers
LAB Goals
• Configure an Aerohive AP as a RADIUS server to perform
all the 802.1X/EAP operations
• Aerohive devices that function as RADIUS servers will be
joined to the AD domain in order to
› Let the Aerohive APs perform local 802.1X/EAP
processing
› Allow the Aerohive AP to access the AD user store in
order to authenticate users
› Allow the Aerohive AP to cache credentials in case the
AD server is not accessible
Note: Aerohive APs, switches, BR-200 branch routers and VA
gateways can all function as a RADIUS server
LAB: Aerohive Devices as RADIUS servers
LAB Goals
• During the configuration, one Aerohive device is selected
as the RADIUS server to
› Obtain domain information
› Join the Aerohive AP to the domain, which performs the actual
join operation for that AP
› Test user authentication
› Perform LDAP browsing operations
• Connect to the hosted PC and test the 802.1X/EAP
authentication
• Troubleshoot any authentication problems with Client
Monitor.
• Verify user profile assignment using LDAP attributes.
QUESTIONS?
CREATING A DELEGATED ADMINISTRATOR FOR JOINING AEROHIVE AP-RADIUS SERVERS TO THE DOMAIN
Two Domain Accounts Needed
•Aerohive AP Admin Account – Used to
Join Aerohive APs to the domain
•LDAP Query Account – Used by the
Aerohive AP that functions as a RADIUS
server to perform LDAP queries
Create a New Active Directory Aerohive AP Administrator (Instructor Only)
On Windows 2008 AD Server
• In your domain, select Users, right-click and select New > User
Note: The name used in this example is
not relevant, you can use any name
• First Name: HiveAP
• Last Name: Admin
• Full Name: HiveAPAdmin
• User Logon:
hiveapadmin@ah-lab.local
• Click Next
Create a New Active Directory Aerohive AP Administrator (Instructor Only)
• Enter a Password: Aerohive1
• Confirm Password: Aerohive1
• Uncheck User must
change password at next
login
• Uncheck User cannot
change password
• Check Password never
expires
• Uncheck Account is
disabled
• Click Next
• Click Finish
Aerohive AP Administrator Group Membership
• Locate and double click the
new Aerohive AP Admin
• Click Member Of
Note: Here you can see that
the Aerohive AP Admin only
needs to be a member of
Domain Users
Delegate Control of the Computer OU to the Aerohive AP Admin (INSTRUCTOR ONLY)
• Right Click the Computers
OU and select Delegate
Control...
Delegate Control of the Computer OU to the Aerohive AP Admin
• Welcome to the Delegation of Control Wizard
› Click Next
• Users or Groups
› Click Add
› Type Aerohive AP Admin
› Click OK
› Click Next
Delegate Control of the Computer OU to the Aerohive AP Admin
• Select Create a custom
task to delegate
• Click Next
Delegate Control of the Computer OU to the Aerohive AP Admin
• For Active Directory Object
Type
› Select Computer
Objects and leave the
rest of the default settings
› Check Create selected
objects in this folder
› Click Next
• For Permissions
› Check Read
› Check Write
› And leave the rest of the
default settings
• Click Next
Delegate Control of the Computer OU to the Aerohive AP Admin
• Click Finish
QUESTIONS?
CONFIGURE AN AEROHIVE AP AS A RADIUS SERVER
Lab: Aerohive Devices as RADIUS servers
1. Select your Network Policy
To edit your SSID:
Go to Configuration
• Select your Network
Policy: WLAN-X
and
click OK
Lab: Aerohive Devices as RADIUS servers
2. Modify your AP settings
To configure the Aerohive AP as a RADIUS server...
• Click Continue to go to Configure and Update Devices
• Select the Filter: Current Policy
• Click the link for your Aerohive AP: 0X-A-######
Lab: Aerohive Devices as RADIUS servers
3. Deselect the proxy object
Create an Aerohive AP RADIUS Service Object
• Under Optional Settings, expand Service Settings
• Next to Device RADIUS Proxy deselect the proxy object
created from the previous lab
Lab: Aerohive Devices as RADIUS servers
4. Create an Aerohive AP RADIUS Service Object
Create an Aerohive AP RADIUS Service Object
• Under Optional Settings, expand Service Settings
• Next to Device RADIUS Service click +
Lab: Aerohive Devices as RADIUS servers
5. Create an Aerohive AP RADIUS Service Object
• Name: AP-RADIUS-X
• Expand Database
Settings
• Uncheck Local
Database
• Check External
Database
• Under Active Directory,
click + to define the
RADIUS Active Directory
Integration Settings
Lab: Aerohive Devices as RADIUS servers
6. Select an Aerohive AP to test AD Integration
• Name: AD-X
• Aerohive AP for Active Directory connection setup,
select your A Aerohive AP: 0X-A-#####
› This will be used to test Active Directory integration
› Once this Aerohive AP is configured for AD setup, it can be used as a
template for configuring other Aerohive AP RADIUS servers with Active
Directory integration
• The IP settings for the selected Aerohive AP are gathered and displayed
Lab: Aerohive Devices as RADIUS servers
7. Modify DNS settings for test Aerohive AP
• Set the DNS server to: 10.5.1.10
› This DNS server should be the Active Directory DNS server or an
internal DNS server aware of the Active Directory domain
• Click Update
› This applies the DNS settings to the Network Policy and to the
Aerohive AP so that it can test Active Directory connectivity
Lab: Aerohive Devices as RADIUS servers
8. Specify Domain and retrieve Directory Information
• Domain: ah-lab.local
• Click Retrieve Directory Information
› The Active Directory Server IP will be populated as well as
the BaseDN used for LDAP user lookups
Lab: Aerohive Devices as RADIUS servers
9. Specify Domain and retrieve Directory Information
• Domain Admin: hiveapadmin (the delegated admin)
• Password and Confirm Password: Aerohive1
• Check Save Credentials
• Click Join
NOTE: By saving credentials you can automatically join APs to the domain
without manual intervention
Lab: Aerohive Devices as RADIUS servers
10. Specify a user to perform LDAP user searches
• Domain User: user@ah-lab.local (a standard domain user)
• Password and Confirm Password: Aerohive1
• Click Validate User
› You should see the message: The user was successfully
authenticated.
› These user credentials will remain and be used to perform
LDAP searches to locate user accounts during
authentication.
Lab: Aerohive Devices as RADIUS servers
11. Save the AD settings
• Click Save
Lab: Aerohive Devices as RADIUS servers
12. Save the RADIUS settings
• Select AD-X with
priority: Primary
• Click Apply
…Please make sure
you click Apply
• Do not save yet..
Lab: Aerohive Devices as RADIUS servers
13. Save the RADIUS settings
Enable the ability for an
AP-RADIUS server to
cache user credentials in
the event that the AD
server is not reachable, if
the user has previously
authenticated
• Check Enable RADIUS
Server Credential
Caching
• Expand RADIUS
Settings
• Do not save yet...
Lab: Aerohive Devices as RADIUS servers
14. Assign new Aerohive AP server certificate
Assign the Aerohive AP
RADIUS server to the
newly created AP server
certificate and key
• CA Cert File:
Default_CA.pem
• Server Cert File:
AP-X_key_cert.pem
• Server Key File:
AP-X_key_cert.pem
• Key File Password &
confirm password:
aerohive123
• Click Save
Lab: Aerohive Devices as RADIUS servers
15. Save the AP Settings
• Ensure that the
Aerohive AP RADIUS
Service is set to: AP-
RADIUS-X
• Click Save
NOTE: Your Aerohive
AP will have an icon
displayed showing that
it is a RADIUS server
QUESTIONS?
SSID FOR 802.1X/EAP AUTHENTICATION USING AEROHIVE AP RADIUS WITH AD KERBEROS INTEGRATION
Lab: Aerohive Devices as RADIUS servers
1. Edit your WLAN Policy and Add SSID Profile
Configure an SSID that
uses the 802.1X/EAP
with AD (Kerberos)
Integration
• Select the Configure
Interfaces & User
Access bar
• Next to SSIDs click
Choose
• In Choose SSIDs
› Select New
Lab: Aerohive Devices as RADIUS servers
2. Configure a 802.1X/EAP SSID
• Profile Name:
Class-AD-X
• SSID:
Class-AD-X
• Under SSID
Access Security
select
WPA/WPA2
802.1X
(Enterprise)
• Click Save
Lab: Aerohive Devices as RADIUS servers
3. Select new Class-AD-X SSID
• Click to deselect
the Class-EAP-X
SSID
• Ensure the
Class-AD-X SSID
is selected
• Click OK
Click to
deselect
Class-EAP-0X
Ensure
Class-AD-0X is
highlighted then
click OK
Lab: Aerohive Devices as RADIUS servers
4. Create an AAA RADIUS client object
• Under Authentication, click <RADIUS Settings>
• In Choose RADIUS, click New
Lab: Aerohive Devices as RADIUS servers
5. Define the External RADIUS Server
• RADIUS Name:
AP-RADIUS-X
• IP Address/Domain
Name: 10.5.2.X
• Leave the Shared
Secret Empty
NOTE: When the Aerohive
AP is a RADIUS server,
APs in the same Hive
automatically generate a
shared secret.
• Click Apply
• Click Save
Click Apply
When Done!
Lab: Aerohive Devices as RADIUS servers
6. Select User Profiles
• Verify that under Authentication, AP-RADIUS-X is
assigned
• Under User Profile click Add/Remove
Lab: Aerohive Devices as RADIUS servers
7. Assign User Profile as Default for the SSID
• With the Default >tab
select (highlight) the
Employee-Default-X user
profile
• IMPORTANT: This user
profile will be assigned if
no attribute value is
returned from RADIUS
after successful
authentication, or if
attribute value 1000 is
returned.
• Click the Authentication
tab
Default Tab
Authentication Tab
Lab: Aerohive Devices as RADIUS servers
8. Assign User Profile to be Returned by RADIUS Attribute
• In the Authentication >
tab
• Select (highlight)
Employee-X
› NOTE: The (User
Profile Attribute) is
appended to the User
Profile Name
• Click Save
Authentication Tab
Lab: Aerohive Devices as RADIUS servers
9. Verify and Continue
• Ensure Employee-Default-X and Employee-X user
profiles are assigned to the Class-AD-X SSID
• Click Continue
Lab: Aerohive Devices as RADIUS servers
10. Update the AP Configuration
In the Configure & Update Devices section
• Select the Current Policy filter
• Check the box next to your AP: X-A-######
• Click Update
Lab: Aerohive Devices as RADIUS servers
11. Update the AP configuration
• Select Update Devices
• Select Perform a complete configuration update for all selected devices
• Click Update
• Click OK in the Reboot Warning window
For this class, ALL Updates from this point should be Complete configuration updates unless otherwise directed.
Lab: Aerohive Devices as RADIUS servers
12. Update the AP configuration
• Your new
configuration
will upload
• The AP will
reboot
ADDITIONAL AEROHIVE AP AD INTEGRATION INFORMATION
Optional: Verify Aerohive AP Time
From the CLI of the Aerohive AP
• From CLI of Aerohive AP
# show time
Timezone: GMT-8
# show clock
2011-07-13 11:14:45 Wednesday
Joining Aerohive APs to Active Directory
Computer OU = Wireless/Aerohive APs
• From the AD server, you can go
to Active Directory Users and
Computers and see when the
Aerohive AP joins the domain
• If you specify an Active
Directory administrator account
in the AAA User Directory
Settings, then the Aerohive AP
will automatically add itself to
the domain
• If you did not specify an Active
Directory administrator, you will
have to manually add your
Aerohive AP to the domain
much like you would do with a
computer
Click
Refresh
Select the
computer OU
Here you can see the
hostname of your Aerohive
AP
Join Aerohive AP RADIUS Server to Domain
Note: you performed this step for
your Aerohive AP in the configuration,
however, here is how you do it for the
rest of the Aerohive AP RADIUS
servers in your network.
• Go to Tools > Server Access Tests > AD/LDAP Test
• Select RADIUS Server:
X-A-######
• Select Test joining the
Aerohive AP to an Active
Directory domain
• Active Directory Domain:
Primary
• User Name: hiveapadmin
• Password: Aerohive1
• Click Test
Troubleshooting – Joining an Aerohive AP to a Domain
• Possible Cause: The
Administrator does not have
privileges to add a
computer/Aerohive AP to
this OU
• Solution: Use an Administrator
with more privileges
• Possible cause: The Aerohive
AP was previously added to a
different OU, and this
administrator does not have
privileges to remove the other
entry
• Solution: Delegate
administration of this OU to
allow the selected administrator
to add computers to this OU
Here you can see that the
Aerohive AP has failed to
join the domain
Troubleshooting – Joining an Aerohive AP to a Domain
• Possible Cause: The NTP
Server settings have not been
configured on the Aerohive AP
• Solution: Configure the NTP Server settings by going to your WLAN Policy > Management Services > NTP Server
Here you can see that the
Aerohive AP time is not
accurate
Test the user account for your hosted PC
• Select RADIUS Server:
0X-A-######
• Select Test Aerohive AP
credentials for Active
Directory Integration
• User Name: user
• Password: Aerohive1
• Click Test
Kerberos authentication
passed for the user
QUESTIONS?
CLIENT ACCESS PREPARATION - DISTRIBUTING CA CERTIFICATES TO WIRELESS CLIENTS
LAB: Exporting CA Cert for Server Validation
1. Go to HiveManager from the Remote PC
• From the VNC connection
to the hosted PC, open a
local connection to
HiveManager
• For HiveManager:10.5.1.20
• Login with: adminX
• password: aerohive123
NOTE: You are accessing
HiveManager via the PC’s
Ethernet connection
LAB: Exporting CA Cert for Server Validation
2. Download Default CA Certificate to the Remote PC
NOTE: The HiveManager
Root CA certificate should be
installed on the client PCs
that will be using the
RADIUS service on the
Aerohive APs for 802.1X
authentication
• From the Remote PC, go to Configuration > Advanced Configuration > Keys and Certificates > Certificate Mgmt
• Select Default_CA.pem
• Click Export
LAB: Exporting CA Cert for Server Validation
3. Rename HiveManager Default CA Cert
• Export the public root
Default_CA.pem certificate to
the Desktop of your hosted
PC
› This is NOT your Aerohive
AP server certificate, this IS
the HiveManager public root
CA certificate
• Rename the extension of the
Default_CA.pem file to
Default_CA.cer
› This way, the certificate will
automatically be recognized
by Microsoft Windows
• Click Save
Make the Certificate name:
Default_CA.cer
Save as type:
All Files
LAB: Exporting CA Cert for Server Validation
4. Install HiveManager Default CA Cert
• Find the file that was just
exported to your hosted PC
• Double-click the certificate file on
the Desktop: Default_CA
• Click Open
• Click Install Certificate
Issued to: HiveManager
This is the name of the certificate if you
wish to find it in the certificate store, or if
you want to select it in the windows
supplicant PEAP configuration.
LAB: Exporting CA Cert for Server Validation
1. Finish certification installation
• In the Certificate Import
Wizard click Next
• Click Place all certificates in the following store
• Click Browse
LAB: Exporting CA Cert for Server Validation
2. Select Trusted Root Certification Authorities
• Click Trusted Root
Certification
Authorities
• Click OK
• Click Next
LAB: Exporting CA Cert for Server Validation
3. Finish Certificate Import
• Click Finish
• Click Yes
• Click OK
LAB: Exporting CA Cert for Server Validation
4. Verify certificate is valid
• Click OK to Close the certificate
• Double-click Default_CA to
reopen the certificate
• You will see that the certificate is valid and that it is valid from a start date to an end date
• Click the Details tab
LAB: Exporting CA Cert for Server Validation
5. View the Certificate Subject
• In the details section, view the
certificate Subject
• This Subject: HiveManager is
what will appear in the list of
trusted root certification
authorities in your supplicant
configured later in this lab.
Protected EAP (PEAP) Properties
In supplicant (802.1X client)
QUESTIONS?
CONFIGURING AND TESTING YOUR 802.1X SUPPLICANT
For Windows 7 Supplicants
Lab: Testing AP-RADIUS w/ AD Integration
1. Connect to Secure Wireless Network
On the hosted PC,
from the bottom
task bar, click the
wireless networks
icon
• Click Class-AD-X
• Click Connect
• A Windows security alert should appear; click Details to verify this certificate is from HiveManager, then click Connect
server-2 is the AP cert,
and HiveManager is the
trusted CA
Lab: Testing Aerohive AP RADIUS w/ AD Integration
2. Connect to Secure Wireless Network
On the hosted PC, from the bottom task bar, click the wireless
networks icon
• Click Class-AD-X
• Click Connect
• Click Use my Windows user account
Lab: Testing Aerohive AP RADIUS w/ AD Integration
3. Connect to Secure Wireless Network
• When prompted
about the server
certificate Click
Connect
• Notice that you are
now connected (this
may take a few
moments)
Lab: Testing AP-RADIUS w/ AD Integration
4. View Active Clients
NOTE: User Profile Attribute is the Employee-Default-X user profile for
the SSID. This user profile is being assigned because no User Profile
Attribute Value was returned from RADIUS.
• After associating with your SSID, you should see your
connection in the active clients list in HiveManager
› Go to Monitor → Clients → Wireless Clients
• IP Address: 10.5.8.#
• User Name: DOMAIN\user
• VLAN: 8
User Profile Attribute: 1000
QUESTIONS?
MAPPING ACTIVE DIRECTORY
MEMBEROF ATTRIBUTE
TO USER PROFILES
Aerohive AP as a RADIUS Server - Using AD
Member Of for User Profile Assignment
• In your WLAN policy, you defined an SSID with two user profiles
› Employee-Default-X – Set if no RADIUS attribute is returned
» This user profile, for example, is for general employee staff, and they get
assigned to VLAN 8
› Employee-X – Set if a RADIUS attribute is returned
» This user profile for example is for privileged employees, and they get assigned
to VLAN 10
• Because the Aerohive AP RADIUS server is using AD to authenticate the
users, and AD does not return RADIUS attributes, how can we assign users
to different user profiles?
• Though AD does not return RADIUS attributes, it does return other attribute
values, like memberOf which is a list of AD groups to which the user belongs
Instructor Only: Confirm User is a
member of the Wireless AD Group
• Right click the
username “user” and
click Properties
• Click on the MemberOf
tab
• Each user account
should be assigned to
the Wireless AD Group
Lab: Use AD to Assign User Profile
1. Map memberOf attribute to user profile
• From Configuration, go to Advanced Configuration → Authentication → Aerohive AAA Server Settings
• Click on the AP-RADIUS-X
link
Lab: Use AD to Assign User Profile
2. Map memberOf attribute to user profile
• Expand Database Settings
• Check ☑ LDAP server attribute Mapping
• Select Manually map LDAP user groups to user profiles
• LDAP User Group Attribute:
memberOf
• Domain: dc=AH-LAB,dc=LOCAL
• Click + to expand the LDAP tree
Lab: Use AD to Assign User Profile
2. Add AD group to User Profile mapping
• Expand the tree
structure to locate
› Expand
CN=Users
› Select
CN = Wireless
• For Maps to, from the
drop down list, select
the user profile:
Employee-X
• Click Apply
• The mapping
appears below the
LDAP directory
• Click Save
Click the LDAP
Group
Map group to
Employee(10)-X
Lab: Use AD to Assign User Profile SSID
3. Update the configuration of your Aerohive AP
Go to Configuration
• Select your Network
Policy: WLAN-X
and
click OK
• Click on the
Continue button to
go to the Configure
and Update Device
panel
Lab: Use AD to Assign User Profile SSID
4. Update the configuration of your Aerohive AP
In the Configure & Update Devices section
• Select the Current Policy filter
• Check the box next to your AP: X-A-######
• Click Update
Lab: Use AD to Assign User Profile SSID
5. Update the configuration of your Aerohive AP
• Select Update Devices
• A complete upload is not needed this time
• Click Update
Lab: Use AD to Assign User Profile SSID
6. Delta Upload
• The Delta
Configuration
will upload
Lab: Use AD to Assign User Profile SSID
7. Disconnect and Reconnect to the Class-AD SSID
To test the mapping of
the memberOf
attribute to your user
profile
• Disconnect from the
Class-AD-X SSID
• Connect to the
Class-AD-X SSID
Lab: Use AD to Assign User Profile SSID
8. Disconnect and Reconnect to the Class-AD SSID
To test the mapping of
the memberOf
attribute to your user
profile
• Disconnect from the
Class-AD-X SSID
• Connect to the
Class-AD-X SSID
Lab: Use AD to Assign User Profile SSID
9. Verify your active client settings
• From Monitor → Clients → Wireless Clients
› Your client should now be assigned to
»IP Address: 10.5.10.#
»User Profile Attribute: 10
»VLAN: 10
NOTE: In the previous lab, without the
LDAP group mapping, the user was
assigned to attribute 1000 in VLAN 8
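The group-to-profile decision this lab configures, modelled as an added example (not Aerohive code): it matches each memberOf value against the mapped group by exact, normalized DN, and contrasts that with a substring match that would over-grant the privileged profile. The group DN is assembled from the tree expanded in the lab; the function names and sample memberOf values are constructed for illustration.

```python
# Added illustration: exact-DN matching of memberOf values to a user profile.
# This models the behaviour the lab describes; it is not the AP's implementation.

# (profile name, user profile attribute, VLAN), values taken from the lab slides.
DEFAULT_PROFILE = ("Employee-Default-X", 1000, 8)

# DN assembled from the lab's LDAP tree: dc=AH-LAB,dc=LOCAL -> CN=Users -> CN=Wireless.
GROUP_TO_PROFILE = {
    "CN=Wireless,CN=Users,DC=AH-LAB,DC=LOCAL": ("Employee-X", 10, 10),
}


def parse_dn(dn):
    """Split a DN into normalized (type, value) pairs, honouring backslash escapes.

    Limitation: hex escapes such as \\2C are not unified with \\, here.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])      # keep the escaped pair together
            i += 2
            continue
        if ch == ",":                    # unescaped comma ends an RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))

    parsed = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        parsed.append((attr.strip().upper(), value.strip().casefold()))
    return tuple(parsed)


_PARSED_MAP = {parse_dn(dn): profile for dn, profile in GROUP_TO_PROFILE.items()}


def select_profile(member_of):
    """Return the mapped profile for the first memberOf DN that matches exactly.

    Unparseable values are skipped, so bad directory data falls back to the
    default (less privileged) profile instead of raising.
    """
    for dn in member_of:
        try:
            key = parse_dn(dn)
        except ValueError:
            continue
        if key in _PARSED_MAP:
            return _PARSED_MAP[key]
    return DEFAULT_PROFILE


def naive_select(member_of):
    """Pitfall shown for contrast: substring match on the group name."""
    for dn in member_of:
        if "cn=wireless" in dn.lower():
            return ("Employee-X", 10, 10)
    return DEFAULT_PROFILE


if __name__ == "__main__":
    # Constructed memberOf lists for four hypothetical users.
    samples = {
        "member": ["CN=Domain Users,CN=Users,DC=AH-LAB,DC=LOCAL",
                   "cn=wireless, cn=Users, dc=ah-lab, dc=local"],
        "no-groups": [],
        "lookalike": ["CN=Wireless-Contractors,CN=Users,DC=AH-LAB,DC=LOCAL"],
        "other-container": ["CN=Wireless,OU=Test,DC=AH-LAB,DC=LOCAL"],
    }
    for user, groups in samples.items():
        print(user, select_profile(groups), "naive:", naive_select(groups))
```

The lookalike and other-container rows are the ones to watch: the substring version places both in VLAN 10, while the exact match leaves them on the default profile.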
QUESTIONS?
AEROHIVE CLIENT MANAGEMENT
Aerohive’s
Instructor-led Training
Is the device a Corporate or
Personally owned client?
Can you tell the difference between
these two iPads?
Company Issued Device
• Owned and Managed by IT
• Provided for a Specific Purpose
• Enables New Working Models
Personal Device
• Employee-owned and Managed
• Wide Range of Potential Devices
• Improves Employee Satisfaction
and Productivity
How Aerohive Solves the Problem
1. Mobile user connects to corporate SSID with username and password
2. User is authenticated against Active Directory or other user store such as LDAP
3. AP checks to see if device is already enrolled with HiveManager client management
4. Device is checked against a list of known corporate devices (MAC addresses) imported by IT admin
5. If device is not enrolled, it is redirected to enrollment URL to acquire a custom device certificate and secure profile based on whether it is personal or corporate issued device in the MAC address list
6. Device is reconnected to the SAME SSID with a custom device certificate
7. Policy is applied based on all available context, including: identity, device type, device ownership, location, and time
HiveManager with Client Management
Client Management Concepts
Customer Issued or Bring Your Own Device (BYOD) ?
• Is a device a Company Issued Device (CID), or is it a device brought from home, Bring Your Own Device (BYOD)?
• Enter MAC addresses of devices to automatically select Corporate Issued Devices
• Or let the user decide during Enrollment
Client Management Concepts
User profile reassignment Options
• Client Management automatically detects and reassigns devices to new
user profiles based upon BYOD or CID ownership.
• BYOD or CID ownership applies to iOS, MacOS, Android and
Chromebook devices.
• Policy decisions can be made based on OS and domain for User Profile
reassignment of other operating systems such as Windows or
Blackberry.
Note: You can still mix in other devices that are not supported by Client
Management
Client Management Overview
• Support for the following solutions:
› Single SSID based onboarding: requiring 802.1X on the SSID
› Single SSID based onboarding for PPSK: requires an initial static PSK
› Two SSIDs based onboarding:
» Open (for provisioning)
» Second SSID using PPSK (for secured access)
• Support both HMOL and on-premises HM
• Requires 6.1r3 HiveOS or later on APs
• Supports Mac OS X, iOS, Android devices and
Chrome OS (Chrome Books)
Firewall Considerations by the
Device types and Ports used
Source | Destination | Service (Protocol and Port)
Apple Client Devices | Apple Push Notification Service (APNS) 17.0.0.0/8 | TCP 5223
Android & Chromebook Devices | Google GCM Servers | TCP 5223, 5229, 5330
HiveManager | Client Management Service (onboard.aerohive.com) | HTTPS 443
Access Points | Client Management Service (onboard.aerohive.com) | HTTPS 443
Access Points | Apple Push Notification Service (APNS) 17.0.0.0/8 | TCP 5223
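A way to check an egress rule set against the flows in the table above, as an added example that is not part of the course material. The required flows and ports are copied as the slide lists them; the rule model (ordered first-match rules, implicit deny, named source groups and named destination objects) and the sample rules are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Required flows transcribed from the "Firewall Considerations" slide:
# (source, destination, protocol, port). HTTPS 443 is modelled as tcp/443.
# Destinations the slide names without an address range are kept as names.
REQUIRED_FLOWS = [
    ("Apple Client Devices", "17.0.0.0/8", "tcp", 5223),
    ("Android & Chromebook Devices", "Google GCM Servers", "tcp", 5223),
    ("Android & Chromebook Devices", "Google GCM Servers", "tcp", 5229),
    ("Android & Chromebook Devices", "Google GCM Servers", "tcp", 5330),
    ("HiveManager", "onboard.aerohive.com", "tcp", 443),
    ("Access Points", "onboard.aerohive.com", "tcp", 443),
    ("Access Points", "17.0.0.0/8", "tcp", 5223),
]


@dataclass(frozen=True)
class Rule:
    """Hypothetical egress rule: first match wins, implicit deny at the end."""
    action: str   # "permit" or "deny"
    source: str   # source group name, or "any"
    dest: str     # CIDR, named object, or "any"
    proto: str
    ports: range


def _net(value):
    """Return an ip_network for CIDR strings, None for named objects."""
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None


def dest_relation(rule_dest, needed):
    """Classify how a rule destination relates to a required one:
    'covers', 'partial' (rule is a strict subset), or 'none'."""
    if rule_dest == "any":
        return "covers"
    rule_net, need_net = _net(rule_dest), _net(needed)
    if rule_net is None or need_net is None:
        return "covers" if rule_dest.casefold() == needed.casefold() else "none"
    if rule_net.version != need_net.version:
        return "none"
    if need_net.subnet_of(rule_net):
        return "covers"
    if rule_net.subnet_of(need_net):
        return "partial"
    return "none"


def evaluate(flow, rules):
    """Return 'permitted', 'partial' or 'blocked' for one required flow."""
    source, dest, proto, port = flow
    for rule in rules:
        if rule.source not in ("any", source):
            continue
        if rule.proto != proto or port not in rule.ports:
            continue
        relation = dest_relation(rule.dest, dest)
        if relation == "none":
            continue
        if relation == "partial":
            return "partial"      # only part of the required range is decided here
        return "permitted" if rule.action == "permit" else "blocked"
    return "blocked"              # implicit deny


def audit(rules):
    """Map every required flow that is not fully permitted to its status."""
    findings = {}
    for flow in REQUIRED_FLOWS:
        status = evaluate(flow, rules)
        if status != "permitted":
            findings[flow] = status
    return findings


# Constructed rule set with two deliberate gaps.
SAMPLE_RULES = [
    Rule("permit", "Apple Client Devices", "17.0.0.0/8", "tcp", range(5223, 5224)),
    Rule("permit", "Access Points", "17.0.0.0/16", "tcp", range(5223, 5224)),
    Rule("permit", "any", "onboard.aerohive.com", "tcp", range(443, 444)),
    Rule("permit", "Android & Chromebook Devices", "Google GCM Servers",
         "tcp", range(5223, 5230)),
]

if __name__ == "__main__":
    for flow, status in audit(SAMPLE_RULES).items():
        print(status, flow)
```

With the sample rules, the access point rule for 17.0.0.0/16 is reported as partial because the slide calls for 17.0.0.0/8, and the third listed port for Android and Chromebook devices is reported as blocked.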
Enable Client Management in HiveManager
• Enable Client
Management
• Test is an HTTPS test
to the Client
Management Cluster
which verifies all Client
Management services
are working
• Do this for On-Premise
and HMOL
• For On-Premise you
will also have to
retrieve the Customer
ID
LAB: CLIENT MANAGEMENT
USING 802.1X
Scenario
Your Enterprise Customer is using 802.1X/EAP
security. Employees are permitted to bring their
own devices to work to access the company
network and internet. The new requirements
include:
• Company Issued Devices (CID) such as iPads will receive the
Company profile.
• All mobile device cameras must be disabled for security purposes.
• Employee Personal Devices (BYOD) will receive the Personal profile.
• Employee Personal Devices will have a firewall policy that restricts
access to corporate resources but allows access to a gateway to the
Internet.
Lab: Client Management using 802.1X
1. Edit the network policy
• Go to Configuration
• Select your Network Policy and click OK
• Click on the link for the Class-AD-X SSID
Lab: Client Management using 802.1X
2. Enable client management
• Check ☑ Enable Client Management
• Click Save
Lab: Client Management using 802.1X
3. Create a CID user profile
• User Profile: Add/Remove
• Click New
Lab: Client Management using 802.1X
4. Create a BYOD user profile
• Name: BYOD-X
• Attribute: 800
• VLAN: 10
• Do NOT click Save yet
Lab: Client Management using 802.1X
5. Assign a restrictive firewall policy
• Under Optional
Settings, expand
Firewalls
• IP Firewall Policy → From-Access → Guest-Internet Access Firewall Policy
• Default Action:
Permit
• Click Save
• Click Save again
Note: Firewall Policy
The guest firewall policy is a default policy that can be used
to restrict BYOD devices away from the internal networks where
corporate resources reside. Access to a gateway to the
Internet can still be permitted.
Lab: Client Management using 802.1X
6. Create a CID user profile
• Click New to create a CID user profile
• Name: CID-X
• Attribute Number: 200
• Default VLAN: 10
• Click Save
• Click Save again
Lab: Client Management using 802.1X
7. Edit the Employee-X user profile
• Click the Employee-X user profile to edit
Lab: Client Management using 802.1X
8. Create a reassignment rule for the CID user profile
• Optional Settings: Expand Client Classification Policy
• Check ☑ Enable user profile reassignment based on client classification rules
• Click New
Lab: Client Management using 802.1X
9. Create a reassignment rule for the CID user profile
• Ownership: CID
• Reassigned User Profile: CID-X
• Click Apply
• Do NOT Save Yet
Lab: Client Management using 802.1X
10. Create a reassignment rule for BYOD user profile
• Click New
• Ownership: BYOD
• Reassigned User Profile: BYOD-X
• Click Apply
Lab: Client Management using 802.1X
11. Verify the reassignment rules
• Verify the reassignment rules
• Click Save
Lab: Client Management using 802.1X
12. Verify the reassignment rules
• Expand the Employee-X user profile
• Click Add/Remove to activate the rules
All employees will authenticate via 802.1X/EAP and be
assigned to VLAN 10. Employees will then use the
correct device profile based upon their enrollment status.
Lab: Client Management using 802.1X
13. Enable the reassignment rules
• Check ☑ Enable user profile reassignment based on client classification rules
• Click Save
Lab: Client Management using 802.1X
14. Enable the reassignment rules
• Click Continue to save the network policy and proceed to configure and update.
Lab: Client Management using 802.1X
15. Edit your AP that is the RADIUS server
• Choose the Current Policy filter
• Click on the 0X-A-XXXX-AP to modify the configuration.
Lab: Client Management using 802.1X
16. Edit your AP that is the RADIUS server
• Optional Settings → Expand Service Settings
• Next to the Device RADIUS Service, click the modify icon to edit your AP-RADIUS-X object.
Why new certificates?
• Client Management is a cloud-based onboarding solution that requires you to use the Client Management Root certificate and server certificate and key file.
• These certificates can be used with any Aerohive Device that functions as a RADIUS server.
• A third-party RADIUS server can be used for 802.1X with Client Management, however you will need to export these same certificates and install them on the third-party RADIUS server.
Support for Third-Party Certificates
Client Management also supports the import of third party certificates from an existing PKI.
Lab: Client Management using 802.1X
17. Edit your AP that is the RADIUS server
• Expand Database Settings to select the client management certificates
• CA Cert File: ClientMgmt_CA.crt
• Server Cert File: ClientMgmt-Radius-Server_Crt.crt
• Server Key File: ClientMgmt-Radius-Server_key.pem
• Remove the passwords from the previous lab
• Click Save
Lab: Client Management using 802.1X
18. Save the AP specific settings
• Click Save
Lab: Client Management using 802.1X
19. Upload the AP configuration
• Select ☑ your 0X-A-XXXX AP
• Click Update
• Click Update Devices
Lab: Client Management using 802.1X
20. Upload the AP configuration
• Select Perform a complete configuration update
• Click Update
• Click OK
Lab: Client Management using 802.1X
21. Configuring Client Management
• Click on the Configure Interfaces & User Access bar
• Click on Client Management
The Client Management link is a direct connection to configure Client Management profiles.
Lab: Client Management using 802.1X
22. Configuring Client Management
• Username: cm#-admin@ah-lab.com where # is the Lab number 1,2,3,4 or 5
• Password: Aerohive123
Lab: Client Management using 802.1X
23. Configuring Client Management
• Click Configuration
Client Management Data in HiveManager
• Monitor → Clients → Active Clients or Wireless Clients
• New Column to display Client Management Enrollment
• Grey icon indicates the client is enrolled in CM
Client Management Data in HiveManager
• Hover over the icon and it changes to Aerohive yellow
• Click on the popup and the admin is redirected to the CM server
monitor view for the client
Client Management Data in HiveManager
• Click on the MAC
address of the enrolled
client device to see
Client Management
information in
HiveManager
Client Management
Useful Information and Tips
• There are two core types of profiles:
› Enrollment profiles – these are the
management profiles.
› Client profiles – these are the configuration
profiles i.e. Restrictions, ActiveSync, etc.
• The relationship between User Profiles and
UPIDs is a many to one relationship.
• Do not overload a single profile; divide the
load among individual profiles based upon
type (Restrictions, Web Clip, etc.) each using
the same attribute value.
Lab: Client Management using 802.1X
24. Configuring a BYOD Client Profile
You will now create client profiles to match the
BYOD-X and CID-X user profiles.
• Click New.
Lab: Client Management using 802.1X
25. Configuring a BYOD Client Profile camera removal
• Name: BYOD-X-
No-Camera
• User Profile
Attribute: 800
• Organization:
Aerohive
• Security: User can
remove profile
• Profile Lifetime on
Client Devices: Do
not delete the
profile from the
client device
• Click Restrictions
Lab: Client Management using 802.1X
26. Enforcing Restrictions
• Turn ON Enforce Restrictions
• Uncheck ☐ Allow use of camera
• Click Save
Lab: Client Management using 802.1X
27. Configuring a BYOD Client Profile adding Web Clip
• Name: BYOD-X-
Web Clip
• User Profile
Attribute: 800
• Organization:
Aerohive
• Security: User can
remove profile
• Profile Lifetime on
Client Devices: Do
not delete the
profile from the
client device
• Click Web Clips
Lab: Client Management using 802.1X
28. Configuring a BYOD Client Profile adding Web Clip
• Label: Student-X-Video
• URL: http://bit.ly/1cKAzfA
• Options: Precomposed Icon
• Click Save
Lab: Client Management using 802.1X
29. Verifying the BYOD Client Profiles
• Verify your BYOD-X client profile
• Click New
Lab: Client Management using 802.1X
30. Creating a CID Client Profile
• Name: CID-X
• User Profile
Attribute: 200
• Organization:
Aerohive
• Security: User can
remove profile
• Profile Lifetime on
Client Devices: Do
not delete the
profile from the
client device
• Click Restrictions
Lab: Client Management using 802.1X
31. Enforcing Restrictions
• Turn ON Enforce Restrictions
• Do NOT uncheck ☑ Allow use of camera
• Click Save
Lab: Client Management using 802.1X
32. Verifying Client Profiles
• Verify the BYOD and CID client profiles
iOS Client Profile Restrictions
Many more restrictions can be
configured in your iOS Client Profiles.
iOS Client Profile Settings
• Other iOS client
settings include
› VPN
› Exchange ActiveSync
› Web Clips
› CalDav
› CardDav
› Email
OPTIONAL CLIENT MANAGEMENT
INSTRUCTOR DEMONSTRATION
Because our lab is in a remote location we
cannot test the client management lab. If time
permits, the instructor will now demonstrate
client management in class
Should students wish to participate with their
personal devices in the demonstration,
ensure that they select the BYOD profile. The
Enrollment profile can be removed from their
personal devices after class.
Lab: Client Onboarding Demo
1. Connect to 802.1X SSID
On the instructor iOS device and/or student iOS devices:
• Go to Settings → Wi-Fi
• Click on the CM-802.1X-Demo SSID
• Username: demoX (Where X = student number) (Instructor is
demo1)
• Password: aerohive123
Lab: Client Onboarding Demo
2. Connect to the 802.1X SSID
• Click the Accept button to accept the
certificate
• Verify that you are connected to the CM-
802.1X-Demo SSID
Lab: Client Onboarding Demo
3. Continue with client onboarding
• Open your browser and try
to connect to a web site
• You will be redirected to the
Client Management
captive web portal for
onboarding
Lab: Client Onboarding Demo
4. Continue with client onboarding
Specify the device ownership
Personal Devices (BYOD) will automatically be selected.
• Check ☑ View and agree to the terms of use
• Click Enroll My Device
Company-Issued Devices (CID) would automatically be selected if this device’s MAC address is configured in Client Management.
Lab: Client Onboarding Demo
5. Continue with client onboarding EXAMPLE
Specify the device ownership
Company-Issued Devices (CID) will automatically be selected if the device’s MAC address is already configured in Client Management.
Lab: Client Onboarding Demo
6. Install the Client Enrollment profile
• The Enrollment process will begin.
• Click the Install button to install the Enrollment
Profile
• Read the disclaimer warning and click Install.
• Enter your device passcode if prompted.
Lab: Client Onboarding Demo
7. Install the Client Enrollment profile
• Click Done and the selected profile will begin
to install.
Lab: Client Onboarding Demo
8. Install the Client Enrollment profile
• Client Management verifies and installs the Wi-Fi profile
• The device is successfully enrolled
Lab: Client Onboarding Demo
9. Client is enrolled
• Browser begins redirection
• Redirection is completed
Lab: Client Onboarding Demo
10. Client is enrolled
• During the onboarding
process an Enrollment
profile is installed.
• A Wi-Fi profile is
installed.
• The needed certificate is
installed.
• The client device
disconnects and
reconnects to the 802.1X
SSID. This is not visible
to the user.
Lab: Client Onboarding Demo
11. Client is enrolled
• Go to Settings → General → Profiles
• Expand the profiles.
• Verify Certificates.
• Verify Restrictions.
• Verify that the camera
icon is not on your
device.
MONITORING
Verify enrolled clients in HiveManager
• Monitor → Clients → Wireless Clients
• All BYOD devices will be in VLAN 10 because CM sent
attribute 800 to the AP and the user was assigned to the
corresponding user profile
• ALL CID devices will be in VLAN 10 because CM sent
attribute 200 to the AP and the user was assigned to the
corresponding user profile
Monitor enrolled devices in Client
Management
• From Home in Client Management you can view reported device data.
• Placing your cursor over a chart reveals more information.
• Clicking on a chart will take you to the location in Client Management
from which the information was gathered.
Monitor enrolled devices in Client
Management
• Go to Monitor → Clients
• Verify BYOD and CID ownership as prescribed.
• Click on any client's name for device-specific information and you are taken to Client Info for that device.
Monitor enrolled devices in Client
Management
• Information
reported from
the client is
displayed.
• View the enrolled client's settings
• The client
location is
based on the
client’s public
IP address,
not GPS
location.
Monitor enrolled devices in Client
Management
• Great detail
about the client
device is
available.
• Scroll down
• Click on the
Apps tab to
view the
installed
applications of
the client.
• Click through
some of the
other tabs to
see more
information
about the client.
CUSTOMIZATION
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.
Acwp Aerohive configuration guide.

  • 1. © 2014 Aerohive Networks Inc. Instructor-led Training AEROHIVE CERTIFIED WIRELESS PROFESSIONAL (ACWP) 1
  • 2. © 2014 Aerohive Networks CONFIDENTIAL Welcome 2 • Introductions • Facilities Discussion • Course Overview • Extra Training Resources • Questions
  • 3. © 2014 Aerohive Networks CONFIDENTIAL Introductions 3 • What is your name? • What is your organization's name? • How long have you worked in Wi-Fi? • Are you currently using Aerohive?
  • 4. © 2014 Aerohive Networks CONFIDENTIAL Facilities Discussion 4 • Course Material Distribution • Course Times • Restrooms • Break room • Smoking Area • Break Schedule › Morning Break › Lunch Break › Afternoon Break
  • 5. © 2014 Aerohive Networks CONFIDENTIAL Aerohive Advanced WLAN Configuration (ACWP) – Course Overview 5 Each student connects to HiveManager, a remote PC, and an Aerohive AP over the Internet from their wireless-enabled laptop in the classroom, and then performs hands-on labs that cover the following topics: • 802.1X/EAP architecture overview • 802.1X with external RADIUS • RADIUS attributes for user profile assignment • Using Client Monitor to troubleshoot 802.1X/EAP • HiveManager Certificate Authority • Aerohive devices as RADIUS servers that integrate with LDAP • Client Management – Device on-boarding using 802.1X • Client Management – Device on-boarding using PPSK • Layer 2 IPsec VPN client and VPN servers • Device classification • Layer 3 roaming configuration and troubleshooting • Guest Management using GRE tunneling to a DMZ 2 Day Hands-on Class
  • 6. © 2014 Aerohive Networks CONFIDENTIAL Aerohive CBT Learning 6 http://www.aerohive.com/cbt
  • 7. © 2014 Aerohive Networks CONFIDENTIAL Aerohive Education on YouTube 7 http://www.youtube.com/playlist?list=PLqSW15RTj6DtEbdPCGIm0Kigvrscbj-Vz Learn the basics of Wi-Fi and more….
  • 8. © 2014 Aerohive Networks CONFIDENTIAL The 20 Minute Getting Started Video Explains the Details 8 Please view the Aerohive Getting Started Videos: http://www.aerohive.com/330000/docs/help/english/cbt/Start.htm
  • 9. © 2014 Aerohive Networks CONFIDENTIAL Aerohive Technical Documentation 9 All the latest technical documentation is available for download at: http://www.aerohive.com/techdocs
  • 10. © 2014 Aerohive Networks CONFIDENTIAL Aerohive Instructor Led Training 10 • Aerohive Education Services offers a complete curriculum that provides you with the courses you will need as a customer or partner to properly design, deploy, administer, and troubleshoot all Aerohive WLAN solutions. • Aerohive Certified WLAN Administrator (ACWA) – First-level course • Aerohive Certified WLAN Professional (ACWP) – Second-level course • Aerohive Certified Network Professional (ACNP) – Switching/Routing course • www.aerohive.com/training – Aerohive Class Schedule
  • 11. © 2014 Aerohive Networks CONFIDENTIAL Over 20 books about networking have been written by Aerohive Employees 11 CWNA Certified Wireless Network Administrator Official Study Guide by David D. Coleman and David A. Westcott; CWSP Certified Wireless Security Professional Official Study Guide by David D. Coleman, David A. Westcott, Bryan E. Harkins and Shawn M. Jackman; CWAP Certified Wireless Analysis Professional Official Study Guide by David D. Coleman, David A. Westcott, Ben Miller and Peter MacKenzie; 802.11 Wireless Networks: The Definitive Guide, Second Edition by Matthew Gast; 802.11n: A Survival Guide by Matthew Gast; 802.11ac: A Survival Guide by Matthew Gast
  • 12. © 2014 Aerohive Networks CONFIDENTIAL Aerohive Exams and Certifications 12 • Aerohive Certified Wireless Administrator (ACWA) is a first-level certification that validates your knowledge and understanding about Aerohive Networks’ WLAN Cooperative Control Architecture. (Based upon Instructor Led Course) • Aerohive Certified Wireless Professional (ACWP) is the second-level certification that validates your knowledge and understanding about Aerohive advanced configuration and troubleshooting. (Based upon Instructor Led Course) • Aerohive Certified Network Professional (ACNP) is another second-level certification that validates your knowledge about Aerohive switching and branch routing. (Based upon Instructor Led Course)
  • 13. © 2014 Aerohive Networks CONFIDENTIAL Aerohive Forums 13 • Aerohive’s online community – HiveNation Have a question, an idea or praise you want to share? Join the HiveNation Community - a place where customers, evaluators, thought leaders and students like yourselves can learn about Aerohive and our products while engaging with like-minded individuals. • Please, take a moment and register during class if you are not already a member of HiveNation. Go to http://community.aerohive.com/aerohive and sign up!
  • 14. © 2014 Aerohive Networks CONFIDENTIAL Aerohive Social Media 14 The HiveMind Blog: http://blogs.aerohive.com Follow us on Twitter: @Aerohive Instructor: David Coleman: @mistermultipath Instructor: Bryan Harkins: @80211University Instructor: Gregor Vucajnk: @GregorVucajnk Instructor: Metka Dragos: @MetkaDragos Please feel free to tweet about #Aerohive training during class.
  • 15. © 2014 Aerohive Networks CONFIDENTIAL Copyright ©2011 Aerohive Technical Support – General 15 I want to talk to somebody live. Call us at 408-510-6100 / Option 2. We also provide service toll-free from within the US & Canada by dialing (866) 365-9918. Aerohive has Support Engineers in the US, China, and the UK, providing coverage 24 hours a day. Support Contracts are sold on a yearly basis, with discounts for multi-year purchases. Customers can purchase Support in either 8x5 format or in a 24 hour format. How do I buy Technical Support? I have different expiration dates on several Entitlement keys, may I combine all my support so it all expires on the same date? Your Aerohive Sales Rep can help you set-up Co-Term, which allows you to select matching expiration dates for all your support.
  • 16. © 2014 Aerohive Networks CONFIDENTIAL Copyright ©2011 Aerohive Technical Support – The Americas 16 Aerohive Technical Support is available 24 hours a day. This can be via the Aerohive Support Portal or by calling. For the Support Portal, an authorized customer can open a Support Case. Communication is managed via the portal with new messages and replies. Once the issue is resolved, the case is closed, and can be retrieved at any time in the future. How do I reach Technical Support? I want to talk to somebody live. For those who wish to speak with an engineer call us at 408-510-6100 / Option 2. We also provide service toll-free from within the US & Canada by dialing (866) 365-9918. I need an RMA in The Americas An RMA is generated via the Support Portal, or by calling our Technical Support group. After troubleshooting, should the unit require repair, we will overnight* a replacement to the US and Canada. Other countries are international. If the unit is DOA, it’s replaced with a brand new item; if not, it is replaced with a like-new refurbished item. *Restrictions may apply: time of day, location, etc.
  • 17. © 2014 Aerohive Networks CONFIDENTIAL Copyright ©2011 Aerohive Technical Support – International 17 Aerohive international Partners provide dedicated Technical Support to their customers. The Partner has received specialized training on Aerohive Networks’ product line, and has access to 24 hour Internal Aerohive Technical Support via the Support Portal, or by calling 408-510-6100 / Option 2. How Do I get Technical Support outside The Americas? World customer’s defective units are quickly replaced by our Partners, and Aerohive replaces the Partner’s stock once it arrives at our location. Partners are responsible for all shipping charges, duties, taxes, etc. I need an RMA internationally
  • 18. © 2014 Aerohive Networks CONFIDENTIAL Copyright Notice 18 Copyright © 2014 Aerohive Networks, Inc. All rights reserved. Aerohive Networks, the Aerohive Networks logo, HiveOS, Aerohive AP, HiveManager, and GuestManager are trademarks of Aerohive Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies.
  • 19. © 2014 Aerohive Networks CONFIDENTIAL QUESTIONS?
  • 20. © 2014 Aerohive Networks Inc. Classroom SSID Data Center setup CLASSROOM & DATA CENTER 20
  • 21. © 2014 Aerohive Networks CONFIDENTIAL Lab: Get Connected 1. Connect to class WLAN 21 • Please connect to the SSID: aerohive-class • Network Key: aerohive123 SSID: Security: Network Key: Class-SSID WPA/WPA2 Personal (PSK) aerohive123 Guest Client VLAN 1 WLAN Policy: WLAN-Classroom Internet Mgt0 IP: 10.5.1.N/24 VLAN 1 Class-SSID 10.5.1.N/24 10.5.1.1 Connect to SSID: IP: Gateway: Instructor PC
  • 22. © 2014 Aerohive Networks CONFIDENTIAL Copyright ©2011 Aerohive Training Remote Lab 22 Aerohive Access Points using external antenna connections and RF cables to connect to USB Wi-Fi client cards (Black cables) Access Points are connected from eth0 to Aerohive Managed Switches with 802.1Q VLAN trunk support providing PoE to the APs (Yellow cables) Firewall with routing support, NAT, and multiple Virtual Router Instances Access Points are connected from their console port to a console server (White Cables) Console server to permit SSH access into the serial console of Aerohive Access Points Server running VMware ESXi running Active Directory, RADIUS, NPS and hosting the virtual clients used for testing configurations to support the labs
  • 23. © 2014 Aerohive Networks CONFIDENTIAL Network Layout for Data Center 23 10.5.2.*/24 No Gateway 10.5.2.*/24 No Gateway 10.5.2.*/24 No Gateway HiveManager MGT 10.5.1.20/24 Win2008 AD Server MGT 10.5.1.10/24 Linux Server MGT 10.6.1.150./24 L3 Switch/Router/Firewall eth0 10.5.1.1/24 VLAN 1 eth0.1 10.5.2.1/24 VLAN 2 eth0.2 10.5.8.1/24 VLAN 8 eth0.3 10.5.10.1/24 VLAN 10 eth1 10.6.1.1/24 (DMZ) L2 Switch Native VLAN 1 Aerohive AP Common Settings Default Gateway: None MGT0 VLAN 2 Native VLAN 1 LAN ports connected to L2-Switch with 802.1Q VLAN Trunks X=2 X=3 X=N X=2 X=3 X=N Ethernet: 10.5.1.202/24 No Gateway Wireless: 10.5.10.$/24 Gateway: 10.5.10.1 Ethernet: 10.5.1.203/24 No Gateway Wireless: 10.5.V.X/24 Gateway: 10.5.V.1 Ethernet : 10.5.1.20N/24 No Gateway Wireless: 10.5.V.X/24 Gateway: 10.5.V.1 14 Client PCs For Wireless Access 14 Aerohive AP 340s Terminal Server 10.5.1.5/24 Services for Hosted Class Win2008 AD Server: - RADIUS(NPS) - DNS - DHCP Linux Server: - Web Server - FTP Server
  • 24. © 2014 Aerohive Networks CONFIDENTIAL QUESTIONS?
  • 25. © 2014 Aerohive Networks Inc. Get Connected to HiveManager AEROHIVE ENTERPRISE MODE 25
  • 26. © 2014 Aerohive Networks CONFIDENTIAL Connect to the Hosted Training HiveManager 26 • Securely browse to the assigned HiveManager for class › TRAINING LAB 1 https://training-hm1.aerohive.com https://72.20.106.120 › TRAINING LAB 2 https://training-hm2.aerohive.com https://72.20.106.66 › TRAINING LAB 3 https://training-hm3.aerohive.com https://209.128.124.220 › TRAINING LAB 4 https://training-hm4.aerohive.com https://203.214.188.200 › TRAINING LAB 5 https://training-hm5.aerohive.com https://209.128.124.230 • Supported Browsers: › Firefox, Internet Explorer, Chrome, Safari • Class Login Credentials: › Login: adminX X = Student ID 2 - 29 › Password: aerohive123 NOTE: In order to access the HiveManager, someone at your location needs to enter the training firewall credentials given to them by the instructor first.
  • 27. © 2014 Aerohive Networks CONFIDENTIAL LAB: Setting Up a Wireless Network LAB Goals 27 • Connect to HiveManager to create a simple Network Policy with static PSK security. • Define Static IP addresses for the student access point and VPN gateway. • Update the devices • Connect to the hosted PC and test the wireless connectivity. • Each student creates a client monitor for future troubleshooting. • Proceed to the advanced labs.
  • 28. © 2014 Aerohive Networks CONFIDENTIAL Lab: Setting Up a Wireless Network 1. Creating a new Network Policy 28 • Go to Configuration • Click the New Button
  • 29. Lab: Setting Up a Wireless Network 2. Building your Initial Wireless Network Policy • Name: WLAN-X • Select: Wireless Access and Bonjour Gateway • Click Create. Only the Wireless Access and Bonjour Gateway Profiles are used in this class. Switching and Branch Routing are covered in another course. For information about that class, including dates and registration, visit: http://aerohive.com/support/technical-training/training-schedule
  • 30. © 2014 Aerohive Networks CONFIDENTIAL Network Policy Types 30 • Wireless Access – Use when you have an AP only deployment, or you require specific wireless policies for APs in a mixed AP and router deployment • Branch Routing– Use when you are managing routers, or APs behind routers that do not require different Network Policies than the router they connect through BR100 BR200 AP AP Internet Internet Small Branch Office or Teleworker Site Small to Medium Size Branch Office that may have APs behind the router
  • 31. © 2014 Aerohive Networks CONFIDENTIAL • Switching › Used to manage wired traffic using Aerohive switches • Bonjour Gateway › Recommended to deploy a Bonjour Gateway in 3rd Party networks › Bonjour Gateway Lab later in class Network Policy Types 31 Internet AP AP Po E SR2024 AP
  • 32. © 2014 Aerohive Networks CONFIDENTIAL Lab: Setting Up a Wireless Network 3. Create a New SSID Profile 32 Network Configuration • Next to SSIDs click Choose • Then click New
  • 33. © 2014 Aerohive Networks CONFIDENTIAL Lab: Setting Up a Wireless Network 4. Configure a PSK Employee SSID 33 • SSID Profile: Class-PSK-X X = 2 – 29 (Student ID) • SSID: Class-PSK-X • Select WPA/WPA2 PSK (Personal) • Key Value: aerohive123 • Confirm Value: aerohive123 • Click Save • Click OK IMPORTANT: For the SSID labs, please follow the class naming convention.
  • 34. © 2014 Aerohive Networks CONFIDENTIAL Lab: Setting Up a Wireless Network 5. Create a User Profile 34 • To the right of your SSID, under User Profile, click Add/Remove • In Choose User Profiles Click New
  • 35. © 2014 Aerohive Networks CONFIDENTIAL Lab: Setting Up a Wireless Network 6. Define User Profile Settings 35 • Name: Employee-X • Attribute Number: 10 • Network or VLAN-only Assignment: 10 • Click Save
  • 36. © 2014 Aerohive Networks CONFIDENTIAL Lab: Setting Up a Wireless Network 7. Choose User Profile and Continue 36 • Ensure Employee-X User Profile is highlighted • Click Save
  • 37. © 2014 Aerohive Networks CONFIDENTIAL Lab: Setting Up a Wireless Network 8. Save the Network Policy 37 • Click the Configure & Update Devices bar or click the Continue button Note: The Save button saves your Network Policy. The Continue Button saves your Network Policy and allows you to proceed to the Configure and Update Devices area simultaneously.
  • 38. © 2014 Aerohive Networks CONFIDENTIAL Hosted Training Lab Network IP Summary 38 HiveOS-VA-0X MGT0 10.200.2.X/24 VPN Client X-A-Aerohive AP MGT0: 10.5.2.# Firewall NAT Rules 1.2.1.X10.8.1.X FW(NAT) 2.2.2.2 Gateway 10.5.2.1 Gateway 10.200.2.1 Client PC WLAN Branch Office – Aerohive AP VPN Clients # – Address Learned though DHCP RADIUS 10.200.2.250 WLAN HQ – L2 VPN Gateway-VPN Servers
  • 39. © 2014 Aerohive Networks CONFIDENTIAL Lab: Setting Up a Wireless Network 9. Update the configuration of your Aerohive AP 39 From the Configure & Update Devices section, modify your AP specific settings • Display Filter: None • Click the Name column to sort the APs • Click the link for your 0X-A-######
  • 40. © 2014 Aerohive Networks CONFIDENTIAL Lab: Setting Up a Wireless Network 10. Update the configuration of your A-Aerohive AP 40 • Topology Map: Data Center_Class-Lab or Classroom • Select your WLAN-X Network Policy • Set the power levels: › 2.4GHz(wifi0) Power: 1 › 5GHz(wifi1) Power: 1 • Do not click Save yet VERY IMPORTANT: We need to leave the power set to 1dBm on both radios because the APs are stacked in a rack in the data center
  • 41. Lab: Setting Up a Wireless Network 12. Configure Settings on Your A-Aerohive AP. Under Optional Settings • Expand MGT0 interface settings › Select Static IP › IP Address: 10.5.2.X › Netmask: 255.255.255.0 › Gateway: 10.5.2.1 • Do not click Save yet. We are assigning the AP a static IP address because the AP will function as a RADIUS server in a later lab. Whenever Aerohive devices function as a server, they must have a static IP address. Best practice is to assign the device a static IP address prior to configuring a Network Policy that requires an Aerohive device to function as a server.
  • 42. © 2014 Aerohive Networks CONFIDENTIAL Lab: Setting Up a Wireless Network 12. Configure Settings on Your A-Aerohive AP 42 Under Optional Settings • Expand Advanced Settings › Check Override MGT VLAN: 2 • Click Save
  • 43. © 2014 Aerohive Networks CONFIDENTIAL Lab: Setting Up a Wireless Network 13. Update the configuration of your HiveOS-VA 43 From the Configure & Update Devices section, modify your HiveOS-VA specific settings • Display Filter: None • Click the Name column to sort the devices • Click the link for your VA: HiveOS-VA-0X
  • 44. © 2014 Aerohive Networks CONFIDENTIAL Lab: Setting Up a Wireless Network 14. Update the configuration of your HiveOS-VA 44 • Set the Device Function to L2 VPN Gateway • Select your WLAN-X Network Policy • Expand MGT0 Interface Settings, and assign the VPN gateway a static IP address: › MGT0 IP Address: 10.200.2.X › Netmask: 255.255.255.0 › Gateway: 10.200.2.1 • Click Save
  • 45. © 2014 Aerohive Networks CONFIDENTIAL Lab: Setting Up a Wireless Network 15. Update the configuration of your AP & VA 45 In the Configure & Update Devices section • Click the Name column to sort the devices • Check the box next to your AP: X-A-###### • Check the box next to your L2 VPN Gateway: HiveOS-VA-0X
  • 46. © 2014 Aerohive Networks CONFIDENTIAL 46 • Select Update • Update Devices • Click Update • Click OK in the Reboot Warning window Lab: Setting Up a Wireless Network 16. Update the configuration of AP & VA The first Update is automatically a complete update. For this class, ALL subsequent Updates should be Complete configuration updates, unless directed otherwise.
  • 47. © 2014 Aerohive Networks CONFIDENTIAL Copyright ©2011 Lab: Setting Up a Wireless Network 17. Update the configuration of AP & VA • The devices will reboot 47
  • 48. Lab: Setting Up a Wireless Network 18. Monitoring Devices • Go to Monitor > Devices > All Devices for more detailed information and tools • Set items per page • Change column settings • Turn off auto refresh if you want to make changes without interruption • If Audit shows a red exclamation point, click it to see the difference between HiveManager and the device.
  • 49. © 2014 Aerohive Networks CONFIDENTIAL QUESTIONS?
  • 50. © 2014 Aerohive Networks Inc. TEST YOUR CONFIGURATION USING THE HOSTED PC 50
  • 51. © 2014 Aerohive Networks CONFIDENTIAL Lab: Test Hosted Client Access to SSID Test SSID Access at Hosted Site 51 SSID: Authentication: Encryption: Preshared Key: User Profile 1: Attribute: VLAN: IP Firewall: QoS: Class-PSK-X WPA or WPA2 Personal TKIP or AES aerohive123 Employee(10)-X 10 10 None def-user-qos Hosted PC Student-0X VLANs 1-20 Mgt0 IP: 10.5.2.N/24 VLAN 1 WLAN Policy: WLAN-X Internal Network AD Server: 10.5.1.10 DHCP Settings: (VLAN 10) network 10.5.10.0/24 10.5.10.140 – 10.5.10.240 Internet Connect to SSID: IP: Gateway: Class-PSK-X 10.5.10.N/24 10.5.10.1 Use VNC client to access Hosted PC: password: aerohive123
  • 52. © 2014 Aerohive Networks CONFIDENTIAL Lab: Test Hosted Client Access to SSID 1. For Windows: Use TightVNC client 52 • If you are using a windows PC › Use TightVNC › TightVNC has good compression so please use this for class instead of any other application • Start TightVNC › For Lab 1 › lab1-pcX.aerohive.com › For Lab 2 › lab2-pcX.aerohive.com › For Lab 3 lab3-pcX.aerohive.com › For Lab 4 lab4-pcX.aerohive.com › For Lab 5 lab5-pc0X.aerohive.com › Select  Low-bandwidth connection › Click Connect › Password: aerohive123123 › Click OK
  • 53. © 2014 Aerohive Networks CONFIDENTIAL Lab: Test Hosted Client Access to SSID 2. For Mac: Use the Real VNC client 53 • If you are using a Mac › RealVNC has good compression so please use this for class instead of any other application • Start RealVNC › For Lab 1 › lab1-pcX.aerohive.com › For Lab 2 › lab2-pcX.aerohive.com › For Lab 3 lab3-pcX.aerohive.com › For Lab 4 lab4-pcX.aerohive.com › For Lab 5 lab5-pc0X.aerohive.com › Select  Low-bandwidth connection › Click Connect › Password: aerohive123123 › Click OK
  • 54. Lab: Test Hosted Client Access to SSID 3. In case the PCs are not logged in. If you are not automatically logged in to your PC • If you are using the web browser client › Click the button to Send Ctrl-Alt-Del • If you are using the TightVNC client › Click to send a Ctrl-Alt-Del • Login: AH-LAB\user • Password: Aerohive1 • Click the right arrow to log in
  • 55. © 2014 Aerohive Networks CONFIDENTIAL Lab: Test Hosted Client Access to SSID 4. Connect to Your Class-PSK-X SSID 55 • Single-click the wireless icon on the bottom right corner of the windows task bar • Click your SSID Class-PSK-X • Click Connect › Security Key: aerohive123 › Click OK
  • 56. Lab: Test Hosted Client Access to SSID 5. In case the PCs are not logged in. If you are not automatically logged in to your PC • If you are using the web browser client › Click the button to Send Ctrl-Alt-Del • If you are using the TightVNC client › Click to send a Ctrl-Alt-Del • Login: AH-LAB\user • Password: Aerohive1 • Click the right arrow to log in
  • 57. © 2014 Aerohive Networks CONFIDENTIAL Lab: Test Hosted Client Access to SSID 6. Go to the Windows 8 Desktop view 57 From the Windows 8 start screen, click on the Desktop icon
  • 58. © 2014 Aerohive Networks CONFIDENTIAL Lab: Test Hosted Client Access to SSID 7. Connect to Your Class-PSK-0X SSID 58 • Single-click the wireless icon on the bottom right corner of the windows task bar • Click your SSID Class-PSK-X • Click Connect › Security Key: aerohive123 › Click Next
  • 59. Lab: Test Hosted Client Access to SSID 8. View Active Clients List • After associating with your SSID, you should see your connection in the active clients list in HiveManager › Go to Monitor > Clients > Wireless Clients • Your IP address should be from the 10.5.10.0/24 network • VLAN: 10
  • 60. © 2014 Aerohive Networks CONFIDENTIAL Lab: Test Hosted Client Access to SSID 9. Add Additional Columns 60 • To change the layout of the columns in the Active Clients list, you can click the spreadsheet icon • Select User Profile Attribute from the Available Columns list and click the right arrow • With User Profile Attribute selected, click the Up button so that the column is moved after Host Name • Click Save Click to change column layout
  • 61. © 2014 Aerohive Networks CONFIDENTIAL QUESTIONS?
  • 62. © 2014 Aerohive Networks Inc. THE CLIENT MONITOR TOOL 62
  • 63. Lab: Client Monitor 1. Select a client to monitor • To start monitoring a client's connection state, go to Monitor > Clients > Active Clients • Select the check box next to your client to monitor. Note: If your client does not appear, you can skip this step for now • Click Operation... > Client Monitor • For class, ensure your Associated Aerohive AP is selected (do not select All) • The MAC address of your client will be selected. Note: You can manually enter the wireless client MAC address without delimiters • Write down your client's MAC address. Note: Remember the client MAC address for the next step in the lab. • Click Add. Screenshot callouts: Click Client Monitor; Click Operation...; Click Add New Client; Click Add; Select your Aerohive AP
  • 64. © 2014 Aerohive Networks CONFIDENTIAL Lab: Client Monitor 2. Start the client monitor 64 • Check  Filter Probe Note: This removes all the probe requests and responses you will see from clients and APs so you can focus on protocol connectivity • Click Start Note: Your client will be monitored until you click Stop. You can leave this window, and if you go back to Operation... Client Monitor, you will see the list of all clients being monitored • You can expand the window by dragging the bottom right corner • Select your client to see the connection logs for your client as they occur 1. Check  Filter Probe 2. Click Start 3. Drag bottom right corner of window to expand
  • 65. © 2014 Aerohive Networks CONFIDENTIAL Client Monitor Results 65 Throughout the labs, go to the client monitor for your PC to view the ongoing results 4-way handshake completes Client is assigned IP address from DHCP
  • 66. © 2014 Aerohive Networks CONFIDENTIAL QUESTIONS?
  • 67. © 2014 Aerohive Networks Inc. TIME SETTINGS FOR HIVEMANAGER AND AEROHIVE DEVICES 67
  • 68. Verify On-Premise HiveManager Time Settings • HiveManager and Aerohive Devices should have up-to-date time settings, preferably by NTP (HMOL Time Settings are automatic). • Go to Home > Administration > HiveManager Settings • Next to System Date/Time click Settings. Aerohive devices use Private PSKs and certificates, which are time-limited credentials. Therefore, it is imperative that the HiveManager Time Settings be in proper synchronization with your network. The use of an NTP server is highly recommended.
  • 69. Verify Device Time Settings • Go to Configuration • Select your Network Policy: WLAN-X and click OK • Next to Additional Settings click Edit • Expand Management Server Settings. Note: Upon first login to a new HiveManager system, an NTP server policy is automatically created with the same name as the user name. However, the object should be edited with the proper time zones. • Next to NTP Server › Click the + icon. Aerohive devices use Private PSKs and certificates, which are time-limited credentials. Even more important than the HiveManager Time Settings, Aerohive Device Clock Settings must be properly synchronized. The use of an NTP server is MANDATORY.
  • 70. Verify Device Time Settings • Name the service NTP-X • Time Zone: <Please use the Pacific time zone> • Uncheck Sync clock with HiveManager • NTP Server: ntp1.aerohive.com • Click Apply • Click Save. MANDATORY: You must change the time zone to match the time zone where your Aerohive Devices reside. Do this BEFORE you configure the rest of your Network Policy. Instructor note: When using Lab #4 the Time Zone MUST be set to (GMT +10 Australia/Sydney)
  • 71. © 2014 Aerohive Networks CONFIDENTIAL QUESTIONS?
  • 72. © 2014 Aerohive Networks Inc. SECURE WIRELESS LANS WITH IEEE 802.1X USING PEAP AUTHENTICATION 72
  • 73. IEEE 802.1X with EAP. Roles: Supplicant (Computer), Authenticator (AP), Authentication Server (RADIUS). Message flow: 802.11 association; EAPoL-start; EAP-request/identity; EAP-response/identity (username), relayed as RADIUS-access-request; RADIUS-access-challenge, relayed as EAP-request (challenge); EAP-response (hashed resp.), relayed as RADIUS-access-request; RADIUS-access-accept (PMK), relayed as EAP-success. Diagram callouts: Access Please!; Access blocked; Calculating key for user…; Calculating my key…; Access Granted.
  • 74. © 2014 Aerohive Networks CONFIDENTIAL Extensible Authentication Protocol (EAP) Comparison Chart 74
  • 75. © 2014 Aerohive Networks CONFIDENTIAL LAB: Secure WLAN Access With 802.1X/EAP LAB Goals 75 • Configure a Network Policy for 802.1X/EAP Enterprise security where APs communicate with an external RADIUS server • Define multiple user profiles leveraging RADIUS attributes • Connect to the hosted PC and test the 802.1X/EAP authentication • Troubleshoot authentication problems with Client Monitor. • Verify user profile assignment using RADIUS attributes.
  • 76. © 2014 Aerohive Networks CONFIDENTIAL LAB: Secure WLAN Access With 802.1X/EAP Using External RADIUS 76 Student-0X VLANs 1-20 Mgt0 IP: 10.5.2.N/24 VLAN 1 Network Policy: WLAN-0X AD Server: 10.5.1.10 NPS (2008) DHCP Settings: (VLAN 1) network 10.5.2.0/24 10.5.2.140 – 10.5.2.240 (VLAN 10) network 10.5.10.0/24 10.5.10.140 – 10.5.10.240 Internet Connect to SSID: IP: Gateway: Class-EAP-X 10.5.10.N/24 10.5.10.1 SSID: Authentication: Encryption: Auth User Profile: Attribute: VLAN: Default User Profile: Attribute: VLAN: Class-EAP-X WPA or WPA2 Personal TKIP or AES Employee-X 10 (RADIUS Attribute Returned) 10 Employee-Default-X 1000 (No RADIUS Attribute Returned) 8
  • 77. © 2014 Aerohive Networks CONFIDENTIAL Instructor Only: On Hosted RADIUS Server Verify RADIUS Client Settings 77 • Set the RADIUS server to accept RADIUS messages from the MGT0 interface IP on all Aerohive devices that function as authenticators • This class uses: 10.5.2.0/24 • Shared Secret: aerohive123 NOTE: Use a stronger key in real life!
  • 78. © 2014 Aerohive Networks CONFIDENTIAL Instructor Only: On Hosted RADIUS Server Verify RADIUS Client Settings 78 • RADIUS clients often get confused with the Wi-Fi clients (supplicants) • RADIUS clients are devices that communicate with a RADIUS server using the RADIUS protocol • RADIUS clients are the authenticators in an 802.1X/EAP framework • The term “RADIUS clients” is also synonymous with the term NAS clients.
  • 79. On Hosted RADIUS Server: Configuring RADIUS Return Attributes • After successful authentication by users in the AH-LAB\Wireless Windows AD group, RADIUS will return three attribute value pairs to assign the Aerohive user profile. Standard RADIUS Attribute/Value Pairs Returned: Tunnel-Medium-Type: IPv4; Tunnel-Type: GRE; Tunnel-Pvt-Group-ID: 10
  • 80. © 2014 Aerohive Networks CONFIDENTIAL Lab: Secure WLAN Access With 802.1X/EAP 1. Create a New SSID 80 To configure a 802.1X/EAP SSID for Secure Wireless Access • Go to Configuration • Select your Network Policy: WLAN-X and click OK • Next to SSIDs, click Choose • Click New
  • 81. © 2014 Aerohive Networks CONFIDENTIAL Copyright ©2011 Lab: Secure WLAN Access With 802.1X/EAP 2. Configure a 802.1X/EAP SSID • Profile Name: Class-EAP-X • SSID: Class-EAP-X • Under SSID Access Security select WPA/WPA2 802.1X (Enterprise) • Click Save 81
  • 82. © 2014 Aerohive Networks CONFIDENTIAL Lab: Secure WLAN Access With 802.1X/EAP 3. Select new Class-EAP-X SSID 82 • Click to deselect the Class-PSK-X SSID • Ensure the Class-EAP-X SSID is selected • Click OK Click to deselect Class-PSK-X Ensure Class-EAP-X is highlighted then click OK
  • 83. © 2014 Aerohive Networks CONFIDENTIAL Lab: Secure WLAN Access With 802.1X/EAP 4. Create a RADIUS object 83 • Under Authentication, click <RADIUS Settings> • In Choose RADIUS, click New Click Click
  • 84. © 2014 Aerohive Networks CONFIDENTIAL Lab: Secure WLAN Access With 802.1X/EAP 5. Define the External RADIUS Server 84 • RADIUS Name: RADIUS-X • IP Address/Domain Name: 10.5.1.10 • Shared Secret: aerohive123 • Confirm Secret: aerohive123 • Click Apply • Click Save Click Apply When Done!
  • 85. © 2014 Aerohive Networks CONFIDENTIAL Lab: Secure WLAN Access With 802.1X/EAP 6. Create a New User Profile 85 • Under User Profile, click Add/Remove • Click New
  • 86. © 2014 Aerohive Networks CONFIDENTIAL Lab: Secure WLAN Access With 802.1X/EAP 7. Define User Profile Settings 86 • Name: Employee-Default-X • Attribute Number: 1000 • Network or VLAN-only Assignment: 8 • Click Save
  • 87. © 2014 Aerohive Networks CONFIDENTIAL Lab: Secure WLAN Access With 802.1X/EAP 8. Assign User Profile as Default for the SSID 87 • With the Default > tab selected, ensure the Employee-Default-X user profile is highlighted › IMPORTANT: This user profile will be assigned if no attribute value is returned from RADIUS after successful authentication, or if attribute value 1000 is returned. • Click the Authentication tab Default Tab Authentication Tab
  • 88. © 2014 Aerohive Networks CONFIDENTIAL Lab: Secure WLAN Access With 802.1X/EAP 9. Assign User Profile to be Returned by RADIUS Attribute 88 • Select the Authentication > tab • Select (highlight) Employee-X › Important: This User Profile will be assigned if there are matching RADIUS attributes returned from a RADIUS server. You can have as many as 63 unique User Profiles. • Click Save Authentication Tab NOTE: The (User Profile Attribute) is appended to the User Profile Name
  • 89. © 2014 Aerohive Networks CONFIDENTIAL Lab: Secure WLAN Access With 802.1X/EAP 10. Verify and Continue 89 • Ensure Employee-Default-X and Employee-X user profiles are assigned to the Class-EAP-X SSID • Click Continue to Configure & Update Devices
  • 90. © 2014 Aerohive Networks CONFIDENTIAL 90 In the Configure & Update Devices section • Select the Current Policy filter • Check the box next to your AP: X-A-###### • Click Update Lab: Secure WLAN Access With 802.1X/EAP 11. Update the AP Configuration
  • 91. © 2014 Aerohive Networks CONFIDENTIAL 91 • Select Update Devices • Select Perform a complete configuration update for all selected devices • Click Update • Click OK in the Reboot Warning window For this class, ALL Updates from this point should be Complete configuration updates unless otherwise directed. Lab: Secure WLAN Access With 802.1X/EAP 12. Update the AP configuration
  • 92. © 2014 Aerohive Networks CONFIDENTIAL Copyright ©2011 Lab: Secure WLAN Access with 802.1X/EAP 13. Update the AP configuration • Your new configuration will upload • The AP will reboot 92
  • 93. © 2014 Aerohive Networks CONFIDENTIAL QUESTIONS?
  • 94. © 2014 Aerohive Networks Inc. For Windows 7 Supplicants CONFIGURING AND TESTING YOUR 802.1X SUPPLICANT 94
  • 95. © 2014 Aerohive Networks CONFIDENTIAL Lab: Testing 802.1X/EAP to External RADIUS 1. Connect to Secure Wireless Network 95 • From the bottom task bar, and click the locate wireless networks icon • Click Class-EAP-X • Click Connect Wireless Network Icon
  • 96. © 2014 Aerohive Networks CONFIDENTIAL Lab: Testing 802.1X/EAP to External RADIUS 2. Connect to Secure Wireless Network 96 • Single-click the wireless icon on the bottom right corner of the windows task bar • Click Class-EAP-X • Click Connect • Select Use my Windows user account • Click OK
  • 97. Lab: Testing 802.1X/EAP to External RADIUS 3. View Wireless Clients • After associating with your SSID, you should see your connection in the active clients list in HiveManager › Go to Monitor > Clients > Wireless Clients • User Name: DOMAIN\user • User Profile Attribute: 10 • VLAN: 10. You were assigned to this User Profile based on a returned RADIUS attribute.
  • 98. User Profile Assignment via RADIUS attributes • User Profiles can be assigned based upon returned RADIUS attributes • As many as 63 different groups of users can be assigned to different VLANs, firewall policies, SLA policies, time-based policies, etc. Leveraging RADIUS attributes for User Profile assignment means you only need to have a single SSID for all your employees. Although you can transmit as many as 16 SSIDs per radio, best practices dictate no more than 3-4. Excessive SSIDs create L2 overhead and degrade performance. A common strategy is to have three SSIDs: Employees, Voice and Guests.
  • 99. Default RADIUS attributes used for User Profile assignment. Note: By default, user profile assignment by RADIUS attributes uses these standard RADIUS Attribute/Value Pairs: Tunnel-Medium-Type: IPv4; Tunnel-Type: GRE; Tunnel-Pvt-Group-ID: 10
  • 100. © 2014 Aerohive Networks CONFIDENTIAL User Profile Assignment via RADIUS attributes 100 • User Profiles can be assigned based upon any returned RADIUS attributes • The attributes can be Standard or Custom Standard RADIUS Attribute Custom RADIUS Attribute
  • 101. Example: Troubleshooting Invalid User Profile attribute returned from RADIUS • From Monitor > All Devices • If you see an alarm when trying to authenticate with 802.1X/EAP, click the alarm icon for details • This alarm specifies that an incorrect attribute was returned from the RADIUS server that is not defined on the Aerohive AP – in this case 50. Callout: Invalid User Profile Returned
  • 102. © 2014 Aerohive Networks CONFIDENTIAL Client Monitor – For 802.1X/EAP Example of an invalid user account 102 SSL negotiation uses the RADIUS server certificate Shows IP of RADIUS server At this point you know the AAA certificates were installed correctly and the server certificate validation done by the client passed The user is not in the user database. View the AAA server settings and ensure the correct user group is selected, and the Aerohive AP is a RADIUS server. Then update the configuration of the Aerohive AP.
  • 103. Client Monitor: Troubleshooting 802.1X. Client Monitor is the perfect tool to troubleshoot 802.1X/EAP problems. More information can be found at: http://blogs.aerohive.com/blog/the-wireless-lan-training-blog/troubleshooting-wi-fi-connectivity-with-hivemanager-tools
  • 104. RADIUS Test Built Into HiveManager. To test a RADIUS account • Go to Tools > Server Access Tests > RADIUS Test • RADIUS Server: 10.5.1.10 • Aerohive AP RADIUS Client: 0X-A-###### • Select RADIUS authentication server • Username: user • Password: Aerohive1 • Click Test. You can even see the attribute values that are returned.
  • 105. © 2014 Aerohive Networks CONFIDENTIAL QUESTIONS?
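The user profile assignment described on slides 79, 87, 88 and 98 to 101, written out as an added Python example (not Aerohive code, and not part of the original deck): an authenticator verifies the Response Authenticator of an Access-Accept with the shared secret, parses the three tunnel attributes, and maps Tunnel-Pvt-Group-ID to a user profile. The function names, the sample packets and the secret are constructed for illustration; treating a group ID without the GRE/IPv4 pair as invalid is an assumption, since the slides only show the alarm for an undefined attribute.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
# Attribute types and values from RFC 2865 / RFC 2868.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_GRE = 10
TUNNEL_MEDIUM_IPV4 = 1

# User profiles defined on the AP in the lab: attribute -> (name, VLAN).
AP_PROFILES = {10: ("Employee-X", 10), 1000: ("Employee-Default-X", 8)}
DEFAULT_ATTRIBUTE = 1000

# Constructed sample values (not from the deck, not captured traffic).
SECRET = b"constructed-long-random-secret"
REQ_AUTH = bytes(range(16))  # Request Authenticator of the matching Access-Request


def build_accept(ident, request_auth, avps, secret):
    """Build a sample Access-Accept the way a RADIUS server would sign it."""
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs


def tunnel_avps(group):
    """The three attribute/value pairs the slides list, with tag byte 0."""
    return [(TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_GRE.to_bytes(3, "big")),
            (TUNNEL_MEDIUM_TYPE, b"\x00" + TUNNEL_MEDIUM_IPV4.to_bytes(3, "big")),
            (TUNNEL_PVT_GROUP_ID, str(group).encode())]


def authenticator_ok(packet, request_auth, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    digest = hashlib.md5(packet[:4] + request_auth + packet[20:length] + secret).digest()
    return hmac.compare_digest(digest, packet[4:20])


def parse_attributes(packet):
    """Walk the type/length/value list that follows the 20-byte header."""
    length = struct.unpack("!H", packet[2:4])[0]
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, packet[pos + 2:pos + alen])  # keep first instance
        pos += alen
    return attrs


def tagged_int(value):
    """Tunnel-Type and Tunnel-Medium-Type: one tag byte, then a 3-byte integer."""
    if value is None or len(value) != 4:
        return None
    return int.from_bytes(value[1:], "big")


def assign_user_profile(packet, request_auth, secret):
    """Return (status, profile name, VLAN) for a reply to our Access-Request."""
    if len(packet) < 20 or packet[0] != ACCESS_ACCEPT:
        return ("not-accept", None, None)
    if not authenticator_ok(packet, request_auth, secret):
        return ("bad-authenticator", None, None)
    attrs = parse_attributes(packet)
    raw_group = attrs.get(TUNNEL_PVT_GROUP_ID)
    if raw_group is None:
        # No attribute returned: the SSID's default user profile applies.
        return ("default",) + AP_PROFILES[DEFAULT_ATTRIBUTE]
    if raw_group[:1] and raw_group[0] <= 0x1F:
        raw_group = raw_group[1:]  # strip the optional tag byte
    tunnel_ok = (tagged_int(attrs.get(TUNNEL_TYPE)) == TUNNEL_TYPE_GRE and
                 tagged_int(attrs.get(TUNNEL_MEDIUM_TYPE)) == TUNNEL_MEDIUM_IPV4)
    if not tunnel_ok or not raw_group.isdigit() or int(raw_group) not in AP_PROFILES:
        # Slide 101 case: attribute not defined on the AP (alarm in HiveManager).
        return ("invalid-attribute", None, None)
    attribute = int(raw_group)
    status = "default" if attribute == DEFAULT_ATTRIBUTE else "assigned"
    return (status,) + AP_PROFILES[attribute]


if __name__ == "__main__":
    for label, avps in [("attribute 10", tunnel_avps(10)),
                        ("no attributes", []),
                        ("attribute 50", tunnel_avps(50))]:
        packet = build_accept(7, REQ_AUTH, avps, SECRET)
        print(label, assign_user_profile(packet, REQ_AUTH, SECRET))
```

A reply signed with a different shared secret fails the authenticator check before any attribute is read, which is why the secret configured on the RADIUS client entry and on the AP must match.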
  • 106. © 2014 Aerohive Networks Inc. RADIUS PROXY 106
  • 107. © 2014 Aerohive Networks CONFIDENTIAL Instructor Only: On Hosted RADIUS Server Verify RADIUS Client Settings 107 • Set the RADIUS server to accept RADIUS messages from the MGT0 interface IP on all Aerohive devices that function as authenticators • This class uses: 10.5.2.0/24 • Shared Secret: aerohive123 NOTE: Use a stronger key in real life!
  • 108. © 2014 Aerohive Networks CONFIDENTIAL RADIUS Proxy on Aerohive APs 108 • Aerohive devices can be RADIUS proxies › APs can set their RADIUS server to be the RADIUS proxy AP › The RADIUS proxy AP proxies the authentication requests to the RADIUS server › A single IP can be set on the RADIUS server for all the APs that need to authenticate RADIUS Server 10.5.1.10 AP RADIUS Proxy & RADIUS Client 10.5.2.2 AP RADIUS Clients AP RADIUS Clients RADIUS Client Settings Permit 10.5.2.2/32 Note: Aerohive APs, switches, BR-200 branch routers and VA gateways can all function as a RADIUS proxy.
  • 109. © 2014 Aerohive Networks CONFIDENTIAL LAB: Using Hive Devices as a RADIUS Proxy LAB Goals 109 • Define one Aerohive AP as a RADIUS proxy that will forward RADIUS packets to an external RADIUS server • Avoid the RADIUS client licensing restrictions imposed by some RADIUS vendors • Connect to the hosted PC and test the 802.1X/EAP authentication • Troubleshoot any authentication problems with Client Monitor. • Verify user profile assignment using RADIUS attributes.
  • 110. © 2014 Aerohive Networks CONFIDENTIAL Lab: Using Hive Devices as a RADIUS Proxy 1. Designating a RADIUS Proxy 110 • Click Configuration • Expand Advanced Configuration • Click Authentication • Click RADIUS Proxy • Then click the New button
  • 111. © 2014 Aerohive Networks CONFIDENTIAL 111 Lab: Using Hive Devices as a RADIUS Proxy 2. RADIUS Proxy Details • Use Proxy-X as the Proxy Name • Click the + next to RADIUS Server • Do NOT save yet!
  • 112. © 2014 Aerohive Networks CONFIDENTIAL 112 Lab: Using Hive Devices as a RADIUS Proxy 3. RADIUS Server Details • Use RADIUS-Server-X as the RADIUS Name • Under Add New RADIUS Server use the dropdown arrow and select 10.5.1.10 • Server Type Auth/Acct • Enter and Confirm the Shared Secret of aerohive123 • Select Server Role as Primary • Click Apply • Click Save Click Apply
  • 113. © 2014 Aerohive Networks CONFIDENTIAL 113 Lab: Using Hive Devices as a RADIUS Proxy 4. RADIUS Proxy Details • Use the dropdown arrow next to Default under Realm Name to select RADIUS-Server-X as your RADIUS Server • Set the Realm name to: ah-lab.local • Ensure the  Strip the Realm name from proxied access requests check box is selected • Verify your settings • Click Apply • Do NOT save yet Click Apply
  • 114. © 2014 Aerohive Networks CONFIDENTIAL 114 Lab: Using Hive Devices as a RADIUS Proxy 5. RADIUS Proxy – No need for RADIUS Clients • Though different Realms can go to different RADIUS servers, for this lab, set them to: RADIUS- Server-X • Click Save Note: When your APs and AP-RADIUS Proxy are in the same hive, i.e. configured with the same hive name, then you do not need to configure RADIUS clients on the AP RADIUS proxy. This is because the RADIUS client and shared keys are automatically generated among APs in a Hive.
  • 115. Lab: Using Hive Devices as a RADIUS Proxy 6. Set AP to be RADIUS Proxy • Go to Monitor > Access Points > Aerohive APs • Check the box next to your X-A-###### AP • Click the Modify button • Under Optional Settings › Expand Service Settings • Assign Device RADIUS Proxy to: Proxy-X • Click Save. Note: A RADIUS icon will appear next to your AP in monitor view
  • 116. © 2014 Aerohive Networks CONFIDENTIAL Lab: Using Hive Devices as a RADIUS Proxy 7. Select your Network Policy 116 To edit your SSID: Go to Configuration • Select your Network Policy: WLAN-X and click OK
  • 117. Lab: Using Hive Devices as a RADIUS Proxy 8. Define the AAA client profile • Under Authentication, click RADIUS-X • In Choose RADIUS, click New
  • 118. Lab: Using Hive Devices as a RADIUS Proxy 9. Define the External RADIUS Server (Use the Proxy) • RADIUS Name: RADIUS-Proxy-X • IP Address/Domain Name: 10.5.2.X • No other settings are needed as long as the APs are in the same Hive • Click Apply • Click Save
  • 119. © 2014 Aerohive Networks CONFIDENTIAL Lab: Using Hive Devices as a RADIUS Proxy 10. Verify and Continue 119 • Ensure Employee-Default-X and Employee-X user profiles are assigned to the Class-EAP-X SSID • Click Continue or click the bar to Configure & Update Devices
  • 120. Lab: Using Hive Devices as a RADIUS Proxy 11. Update the AP Configuration In the Configure & Update Devices section • Select the Current Policy filter • Check the box next to your AP: X-A-###### • Click Update
  • 121. Lab: Using Hive Devices as a RADIUS Proxy 11. Update the AP Configuration • Select Update Devices • Select Perform a complete configuration update for all selected devices • Click Update • Click OK in the Reboot Warning window For this class, ALL updates from this point should be complete configuration updates unless otherwise directed.
  • 122. Lab: Using Hive Devices as a RADIUS Proxy 13. Update the AP configuration • Your new configuration will upload • The AP will reboot
  • 123. © 2014 Aerohive Networks CONFIDENTIAL QUESTIONS?
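Added example, not part of the original slides and not Aerohive's code: a small model of realm-based proxying with the "Strip the Realm name" option, using the lab's realm (ah-lab.local) and server (RADIUS-Server-X, 10.5.1.10). The realm `partner.example`, the sample user names, and the rule that stripping applies to every request carrying a realm are assumptions made for illustration; the check at the end lists identities that become indistinguishable to the home server once the realm is stripped.

```python
"""Model of RADIUS proxy realm routing with realm stripping."""
from collections import namedtuple

Server = namedtuple("Server", "name address")

DEFAULT = None  # key of the Default realm entry

# Lab configuration from the slides: the ah-lab.local realm and the
# Default realm both point at RADIUS-Server-X.
LAB_REALMS = {
    "ah-lab.local": Server("RADIUS-Server-X", "10.5.1.10"),
    DEFAULT: Server("RADIUS-Server-X", "10.5.1.10"),
}

# Constructed sample identities (partner.example is hypothetical).
SAMPLE_USER_NAMES = [
    "user@ah-lab.local",
    "user@partner.example",
    "admin2@ah-lab.local",
]


def split_user_name(user_name):
    """Return (user, realm) for 'user@realm' or 'REALM\\user'.

    The realm is lower-cased; it is None when the name carries no realm.
    The realm after the last '@' is used, so 'a@b@realm' routes on 'realm'.
    """
    if "@" in user_name:
        user, _, realm = user_name.rpartition("@")
    elif "\\" in user_name:
        realm, _, user = user_name.partition("\\")
    else:
        user, realm = user_name, None
    if not user or realm == "":
        raise ValueError("malformed User-Name: %r" % user_name)
    return user, (realm.lower() if realm else None)


def proxy_request(user_name, realms, strip_realm=True):
    """Pick the target server and the User-Name that would be forwarded."""
    user, realm = split_user_name(user_name)
    # Unknown realms and names without a realm fall through to Default.
    server = realms.get(realm, realms[DEFAULT])
    forwarded = user if strip_realm else user_name
    return server, forwarded


def find_collisions(user_names, realms, strip_realm=True):
    """Group distinct identities that reach one server under one name."""
    seen = {}
    for name in user_names:
        server, forwarded = proxy_request(name, realms, strip_realm)
        seen.setdefault((server.name, forwarded), set()).add(name.lower())
    return {key: sorted(names) for key, names in seen.items()
            if len(names) > 1}


if __name__ == "__main__":
    for name in SAMPLE_USER_NAMES:
        print(name, "->", proxy_request(name, LAB_REALMS))
    print("collisions:", find_collisions(SAMPLE_USER_NAMES, LAB_REALMS))
```

When several realms share one home server, as in this lab, review the collision list before enabling stripping, or route each realm to a server that holds only that realm's accounts.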
  • 124. © 2014 Aerohive Networks Inc. For Windows 7 Supplicants CONFIGURING AND TESTING YOUR 802.1X SUPPLICANT 124
  • 125. Lab: Testing 802.1X/EAP via RADIUS Proxy 1. Connect to Secure Wireless Network • From the bottom task bar, click the locate wireless networks icon • Click Class-EAP-X • Click Connect
  • 126. Lab: Testing 802.1X/EAP via RADIUS Proxy 2. Connect to Secure Wireless Network • From the bottom task bar, click the locate wireless networks icon • Click Class-EAP-X • Click Connect
  • 127. Lab: Testing 802.1X/EAP via RADIUS Proxy 3. View Wireless Clients • After associating with your SSID, you should see your connection in the active clients list in HiveManager › Go to Monitor → Clients → Wireless Clients • User Name: DOMAIN\user • User Profile Attribute: 10 • VLAN: 10
  • 128. © 2014 Aerohive Networks CONFIDENTIAL QUESTIONS?
  • 129. © 2014 Aerohive Networks Inc. Required When Aerohive APs are Configured as RADIUS Servers or VPN Servers GENERATE AEROHIVE AP RADIUS SERVER CERTIFICATES 129
  • 130. HiveManager Root CA Certificate Location and Uses • This root CA certificate is used to: › Sign the CSR (certificate signing request) that HiveManager creates on behalf of the AP acting as a RADIUS or VPN server › Validate Aerohive AP certificates to remote clients • 802.1X clients (supplicants) will need a copy of the CA certificate in order to trust the certificates on the Aerohive AP RADIUS server(s) • Root CA Cert Name: Default_CA.pem • Root CA key Name: Default_key.pem Note: The CA key is only ever used or seen by HiveManager • To view certificates, go to: Configuration → Advanced Configuration → Keys and Certificates → Certificate Mgmt
  • 131. Use the Existing HiveManager CA Certificate, Do not Create a New One! • For this class, please do not create a new HiveManager CA certificate; doing so will render all previous certificates invalid. • On your own HiveManager, you can create your own HiveManager CA certificate by going to: Configuration → Advanced Configuration → Keys and Certificates → HiveManager CA • Only the Super User admin should have access rights to create the root HiveManager CA certificate.
  • 132. LAB: Aerohive Device - Server Certificates 1. Generate Server Certificate • Go to Configuration → Advanced Configuration → Keys and Certificates → Server CSR • Common Name: server-X • Organizational Name: Company • Organization Unit: Department • Locality Name: City • State/Province: <2 Characters> • Country Code: <2 Characters> • Email Address: userX@ah-lab.com • Subject Alternative Name: User FQDN: userX@ah-lab.com Note: This lets you add an extra step of validating the User FQDN in a certificate during IKE phase 1 for IPsec VPN. This way, the Aerohive AP needs both a valid signed certificate and the correct user FQDN. • Key Size: 2048 • Password & Confirm: aerohive123 • CSR File Name: AP-X • Click Create
  • 133. LAB: Aerohive Device - Server Certificates 2. Sign and Combine! • Select Sign by HiveManager CA › The HiveManager CA will sign the Aerohive AP Server certificate • The validity period should be the same as or less than the number of days the HiveManager CA Certificate is valid › Enter the Validity: 3650 – approximately 10 years • Check Combine key and certificate into one file › Enabling this setting helps prevent certificate and key mismatches when configuring the RADIUS settings • Click OK Use this option to send a signing request to an external certification authority.
  • 134. LAB: Aerohive Device – Server Certificates 3. View the Certificate and Key File • To view certificates, go to: Configuration → Advanced Configuration → Keys and Certificates → Certificate Mgmt • The certificate and key file name is: AP-X_key_cert.pem • QUIZ – Which CA signed this Aerohive AP server key? What devices need to install the CA public cert?
  • 135. © 2014 Aerohive Networks CONFIDENTIAL QUESTIONS?
  • 136. © 2014 Aerohive Networks Inc. AEROHIVE AP RADIUS SERVER WITH ACTIVE DIRECTORY INTEGRATION 136
  • 137. Aerohive Devices as RADIUS servers [Diagram labels: Wi-Fi Clients (Supplicants); AP-RADIUS Clients (Authenticators); Primary AP-RADIUS Server and Backup AP-RADIUS Server (Authentication Servers); LDAP Server (Active Directory) 10.5.1.10; flows: EAP request, RADIUS communications, LDAP query] Aerohive devices can be configured as RADIUS servers and can be configured to fully integrate with any kind of LDAP, including Active Directory.
  • 138. © 2014 Aerohive Networks CONFIDENTIAL LAB: Aerohive Devices as RADIUS servers LAB Goals 138 • Configure an Aerohive AP as a RADIUS server to perform all the 802.1X/EAP operations • Aerohive devices that function as RADIUS servers will be joined to the AD domain in order to › Let the Aerohive APs perform local 802.1X/EAP processing › Allow the Aerohive AP to access the AD user store in order to authenticate users › Allow the Aerohive AP to cache credentials in case the AD server is not accessible Note: Aerohive APs, switches, BR-200 branch routers and VA gateways can all function as a RADIUS server
  • 139. © 2014 Aerohive Networks CONFIDENTIAL LAB: Aerohive Devices as RADIUS servers LAB Goals 139 • During the configuration, one Aerohive device is selected as the RADIUS server to › Obtain domain information › Join the Aerohive AP to the domain, which performs the actual join operation for that AP › Test user authentication › Perform LDAP browsing operations • Connect to the hosted PC and test the 802.1X/EAP authentication • Troubleshoot any authentication problems with Client Monitor. • Verify user profile assignment using LDAP attributes.
  • 140. © 2014 Aerohive Networks CONFIDENTIAL QUESTIONS?
  • 141. © 2014 Aerohive Networks Inc. CREATING A DELEGATED ADMINISTRATOR FOR JOINING AEROHIVE AP-RADIUS SERVERS TO THE DOMAIN 141
  • 142. © 2014 Aerohive Networks CONFIDENTIAL Two Domain Accounts Needed 142 •Aerohive AP Admin Account – Used to Join Aerohive APs to the domain •LDAP Query Account – Used by the Aerohive AP that functions as a RADIUS server to perform LDAP queries
  • 143. Create a New Active Directory Aerohive AP Administrator (Instructor Only) On Windows 2008 AD Server • In your domain, select Users, right-click and select New → User Note: The name used in this example is not relevant; you can use any name • First Name: HiveAP • Last Name: Admin • Full Name: HiveAPAdmin • User Logon: hiveapadmin@ah-lab.local • Click Next
  • 144. © 2014 Aerohive Networks CONFIDENTIAL Create a New Active Directory Aerohive AP Administrator (Instructor Only) 144 • Enter a Password: Aerohive1 • Confirm Password: Aerohive1 • Uncheck User must change password at next login • Uncheck User cannot change password • Check Password never expires • Uncheck Account is disabled • Click Next • Click Finish
  • 145. © 2014 Aerohive Networks CONFIDENTIAL Aerohive AP Administrator Group Membership 145 • Locate and double click the new Aerohive AP Admin • Click Member Of Note: Here you can see that the Aerohive AP Admin only needs to be a member of Domain Users
  • 146. © 2014 Aerohive Networks CONFIDENTIAL Delegate Control of the Computer OU to the Aerohive AP Admin (INSTRUCTOR ONLY) 146 • Right Click the Computers OU and select Delegate Control...
  • 147. © 2014 Aerohive Networks CONFIDENTIAL Delegate Control of the Computer OU to the Aerohive AP Admin 147 • Welcome to the Delegation of Control Wizard › Click Next • Users or Groups › Click Add › Type Aerohive AP Admin › Click OK › Click Next
  • 148. © 2014 Aerohive Networks CONFIDENTIAL Delegate Control of the Computer OU to the Aerohive AP Admin 148 • Select Create a custom task to delegate • Click Next
  • 149. © 2014 Aerohive Networks CONFIDENTIAL Delegate Control of the Computer OU to the Aerohive AP Admin 149 • For Active Directory Object Type › Select Computer Objects and leave the rest of the default settings › Check Create selected objects in this folder › Click Next • For Permissions › Check Read › Check Write › And leave the rest of the default settings • Click Next
  • 150. © 2014 Aerohive Networks CONFIDENTIAL Delegate Control of the Computer OU to the Aerohive AP Admin 150 • Click Finish
  • 151. © 2014 Aerohive Networks CONFIDENTIAL QUESTIONS?
  • 152. © 2014 Aerohive Networks Inc. CONFIGURE AN AEROHIVE AP AS A RADIUS SERVER 152
  • 153. © 2014 Aerohive Networks CONFIDENTIAL Lab: Aerohive Devices as RADIUS servers 1. Select your Network Policy 153 To edit your SSID: Go to Configuration • Select your Network Policy: WLAN-X and click OK
  • 154. Lab: Aerohive Devices as RADIUS servers 2. Modify your AP settings To configure the Aerohive AP as a RADIUS server... • Click Continue to go to Configure and Update Devices • Select the Filter: Current Policy • Click the link for your Aerohive AP: 0X-A-######
  • 155. Lab: Aerohive Devices as RADIUS servers 3. Deselect the proxy object Create an Aerohive AP RADIUS Service Object • Under Optional Settings, expand Service Settings • Next to Device RADIUS Proxy, deselect the proxy object created in the previous lab
  • 156. Lab: Aerohive Devices as RADIUS servers 4. Create an Aerohive AP RADIUS Service Object • Under Optional Settings, expand Service Settings • Next to Device RADIUS Service, click +
  • 157. Lab: Aerohive Devices as RADIUS servers 5. Create an Aerohive AP RADIUS Service Object • Name: AP-RADIUS-X • Expand Database Settings • Uncheck Local Database • Check External Database • Under Active Directory, click + to define the RADIUS Active Directory Integration Settings
  • 158. Lab: Aerohive Devices as RADIUS servers 6. Select an Aerohive AP to test AD Integration • Name: AD-X • For Aerohive AP for Active Directory connection setup, select your A Aerohive AP: 0X-A-##### › This will be used to test Active Directory integration › Once this Aerohive AP is configured for AD setup, it can be used as a template for configuring other Aerohive AP RADIUS servers with Active Directory integration • The IP settings for the selected Aerohive AP are gathered and displayed
  • 159. © 2014 Aerohive Networks CONFIDENTIAL Lab: Aerohive Devices as RADIUS servers 7. Modify DNS settings for test Aerohive AP 159 • Set the DNS server to: 10.5.1.10 › This DNS server should be the Active Directory DNS server or an internal DNS server aware of the Active Directory domain • Click Update › This applies the DNS settings to the Network Policy and to the Aerohive AP so that it can test Active Directory connectivity
  • 160. © 2014 Aerohive Networks CONFIDENTIAL Lab: Aerohive Devices as RADIUS servers 8. Specify Domain and retrieve Directory Information 160 • Domain: ah-lab.local • Click Retrieve Directory Information › The Active Directory Server IP will be populated as well as the BaseDN used for LDAP user lookups
  • 161. Lab: Aerohive Devices as RADIUS servers 9. Specify Domain and retrieve Directory Information • Domain Admin: hiveapadmin (the delegated admin) • Password and Confirm Password: Aerohive1 • Check Save Credentials • Click Join NOTE: By saving credentials you can automatically join APs to the domain without manual intervention
  • 162. Lab: Aerohive Devices as RADIUS servers 10. Specify a user to perform LDAP user searches • Domain User: user@ah-lab.local (a standard domain user) • Password and Confirm Password: Aerohive1 • Click Validate User › You should see the message: The user was successfully authenticated. › These user credentials will remain and be used to perform LDAP searches to locate user accounts during authentication.
  • 163. © 2014 Aerohive Networks CONFIDENTIAL Lab: Aerohive Devices as RADIUS servers 11. Save the AD settings 163 • Click Save
  • 164. © 2014 Aerohive Networks CONFIDENTIAL Lab: Aerohive Devices as RADIUS servers 12. Save the RADIUS settings 164 • Select AD-X with priority: Primary • Click Apply …Please make sure you click Apply • Do not save yet..
  • 165. © 2014 Aerohive Networks CONFIDENTIAL Lab: Aerohive Devices as RADIUS servers 13. Save the RADIUS settings 165 Enable the ability for an AP-RADIUS server to cache user credentials in the event that the AD server is not reachable, if the user has previously authenticated • Check Enable RADIUS Server Credential Caching • Expand RADIUS Settings • Do not save yet...
  • 166. © 2014 Aerohive Networks CONFIDENTIAL Lab: Aerohive Devices as RADIUS servers 14. Assign new Aerohive AP server certificate 166 Assign the Aerohive AP RADIUS server to the newly created AP server certificate and key • CA Cert File: Default_CA.pem • Server Cert File: AP-X_key_cert.pem • Server Key File: AP-X_key_cert.pem • Key File Password & confirm password: aerohive123 • Click Save
  • 167. Lab: Aerohive Devices as RADIUS servers 15. Save the AP Settings • Ensure that the Aerohive AP RADIUS Service is set to: AP-RADIUS-X • Click Save NOTE: Your Aerohive AP will have an icon displayed showing that it is a RADIUS server
  • 168. © 2014 Aerohive Networks CONFIDENTIAL QUESTIONS?
  • 169. © 2014 Aerohive Networks Inc. SSID FOR 802.1X/EAP AUTHENTICATION USING AEROHIVE AP RADIUS WITH AD KERBEROS INTEGRATION 169
  • 170. Lab: Aerohive Devices as RADIUS servers 1. Edit your WLAN Policy and Add SSID Profile Configure an SSID that uses 802.1X/EAP with AD (Kerberos) Integration • Select the Configure Interfaces & User Access bar • Next to SSIDs click Choose • In Choose SSIDs › Select New
  • 171. Lab: Aerohive Devices as RADIUS servers 2. Configure an 802.1X/EAP SSID • Profile Name: Class-AD-X • SSID: Class-AD-X • Under SSID Access Security select WPA/WPA2 802.1X (Enterprise) • Click Save
  • 172. Lab: Aerohive Devices as RADIUS servers 3. Select new Class-AD-X SSID • Click to deselect the Class-EAP-X SSID • Ensure the Class-AD-X SSID is selected • Click OK
  • 173. Lab: Aerohive Devices as RADIUS servers 4. Create an AAA RADIUS client object • Under Authentication, click <RADIUS Settings> • In Choose RADIUS, click New
  • 174. Lab: Aerohive Devices as RADIUS servers 5. Define the External RADIUS Server • RADIUS Name: AP-RADIUS-X • IP Address/Domain Name: 10.5.2.X • Leave the Shared Secret Empty NOTE: When the Aerohive AP is a RADIUS server, APs in the same Hive automatically generate a shared secret. • Click Apply • Click Save
  • 175. © 2014 Aerohive Networks CONFIDENTIAL Lab: Aerohive Devices as RADIUS servers 6. Select User Profiles 175 • Verify that under Authentication, AP-RADIUS-X is assigned • Under User Profile click Add/Remove
  • 176. Lab: Aerohive Devices as RADIUS servers 7. Assign User Profile as Default for the SSID • In the Default tab, select (highlight) the Employee-Default-X user profile • IMPORTANT: This user profile will be assigned if no attribute value is returned from RADIUS after successful authentication, or if attribute value 1000 is returned. • Click the Authentication tab
  • 177. Lab: Aerohive Devices as RADIUS servers 8. Assign User Profile to be Returned by RADIUS Attribute • In the Authentication tab • Select (highlight) Employee-X › NOTE: The (User Profile Attribute) is appended to the User Profile Name • Click Save
  • 178. © 2014 Aerohive Networks CONFIDENTIAL Lab: Aerohive Devices as RADIUS servers 9. Verify and Continue 178 • Ensure Employee-Default-X and Employee-X user profiles are assigned to the Class-AD-X SSID • Click Continue
  • 179. Lab: Aerohive Devices as RADIUS servers 10. Update the AP Configuration In the Configure & Update Devices section • Select the Current Policy filter • Check the box next to your AP: X-A-###### • Click Update
  • 180. Lab: Aerohive Devices as RADIUS servers 11. Update the AP configuration • Select Update Devices • Select Perform a complete configuration update for all selected devices • Click Update • Click OK in the Reboot Warning window For this class, ALL updates from this point should be complete configuration updates unless otherwise directed.
  • 181. Lab: Aerohive Devices as RADIUS servers 12. Update the AP configuration • Your new configuration will upload • The AP will reboot
  • 182. © 2014 Aerohive Networks CONFIDENTIAL ADDITIONAL AEROHIVE AP AD INTEGRATION INFORMATION 182
  • 183. © 2014 Aerohive Networks CONFIDENTIAL Optional: Verify Aerohive AP Time From the CLI of the Aerohive AP 183 • From CLI of Aerohive AP # show time Timezone: GMT-8 # show clock 2011-07-13 11:14:45 Wednesday
  • 184. © 2014 Aerohive Networks CONFIDENTIAL Joining Aerohive APs to Active Directory Computer OU = Wireless/Aerohive APs 184 • From the AD server, you can go to Active Directory Users and Computers and see when the Aerohive AP joins the domain • If you specify an Active Directory administrator account in the AAA User Directory Settings, then the Aerohive AP will automatically add itself to the domain • If you did not specify an Active Directory administrator, you will have to manually add your Aerohive AP to the domain much like you would do with a computer Click Refresh Select the computer OU Here you can see the hostname of your Aerohive AP
  • 185. Join Aerohive AP RADIUS Server to Domain Note: You performed this step for your Aerohive AP in the configuration; here is how you do it for the rest of the Aerohive AP RADIUS servers in your network. • Go to Tools → Server Access Tests → AD/LDAP Test • Select RADIUS Server: X-A-###### • Select Test joining the Aerohive AP to an Active Directory domain • Active Directory Domain: Primary • User Name: hiveapadmin • Password: Aerohive1 • Click Test
  • 186. Troubleshooting – Joining an Aerohive AP to a Domain • Possible Cause: The Administrator does not have privileges to add a computer/Aerohive AP to this OU • Solution: Use an Administrator with more privileges • Possible cause: The Aerohive AP was previously added to a different OU, and this administrator does not have privileges to remove the other entry • Solution: Delegate administration of this OU to allow the selected administrator to add computers to this OU Here you can see that the Aerohive AP has failed to join the domain
  • 187. Troubleshooting – Joining an Aerohive AP to a Domain • Possible Cause: The NTP Server settings have not been configured on the Aerohive AP • Solution: Configure the NTP Server settings by going to your WLAN Policy Management Services NTP Server Here you can see that the Aerohive AP time is not accurate
  • 188. © 2014 Aerohive Networks CONFIDENTIAL Test the user account for your hosted PC 188 • Select RADIUS Server: 0X-A-###### • Select Test Aerohive AP credentials for Active Directory Integration • User Name: user • Password: Aerohive1 • Click Test Kerberos authentication passed for the user
  • 189. © 2014 Aerohive Networks CONFIDENTIAL QUESTIONS?
  • 190. © 2014 Aerohive Networks Inc. CLIENT ACCESS PREPARATION - DISTRIBUTING CA CERTIFICATES TO WIRELESS CLIENTS 190
  • 191. LAB: Exporting CA Cert for Server Validation 1. Go to HiveManager from the Remote PC • From the VNC connection to the hosted PC, open a local connection to HiveManager • For HiveManager: 10.5.1.20 • Log in with: adminX • Password: aerohive123 NOTE: You are accessing HiveManager via the PC’s Ethernet connection
  • 192. LAB: Exporting CA Cert for Server Validation 2. Download Default CA Certificate to the Remote PC NOTE: The HiveManager Root CA certificate should be installed on the client PCs that will be using the RADIUS service on the Aerohive APs for 802.1X authentication • From the Remote PC, go to Configuration → Advanced Configuration → Keys and Certificates → Certificate Mgmt • Select Default_CA.pem • Click Export
  • 193. © 2014 Aerohive Networks CONFIDENTIAL LAB: Exporting CA Cert for Server Validation 3. Rename HiveManager Default CA Cert 193 • Export the public root Default_CA.pem certificate to the Desktop of your hosted PC › This is NOT your Aerohive AP server certificate, this IS the HiveManager public root CA certificate • Rename the extension of the Default_CA.pem file to Default_CA.cer › This way, the certificate will automatically be recognized by Microsoft Windows • Click Save Make the Certificate name: Default_CA.cer Save as type: All Files
  • 194. © 2014 Aerohive Networks CONFIDENTIAL LAB: Exporting CA Cert for Server Validation 4. Install HiveManager Default CA Cert 194 • Find the file that was just exported to your hosted PC • Double-click the certificate file on the Desktop: Default_CA • Click Open • Click Install Certificate Issued to: HiveManager This is the name of the certificate if you wish to find it in the certificate store, or if you want to select it in the windows supplicant PEAP configuration.
  • 195. LAB: Exporting CA Cert for Server Validation 1. Finish certification installation • In the Certificate Import Wizard click Next • Click Place all certificates in the following store • Click Browse
  • 196. © 2014 Aerohive Networks CONFIDENTIAL LAB: Exporting CA Cert for Server Validation 2. Select Trusted Root Certification Authorities 196 • Click Trusted Root Certification Authorities • Click OK • Click Next
  • 197. © 2014 Aerohive Networks CONFIDENTIAL LAB: Exporting CA Cert for Server Validation 3. Finish Certificate Import 197 • Click Finish • Click Yes • Click OK
  • 198. LAB: Exporting CA Cert for Server Validation 4. Verify certificate is valid • Click OK to close the certificate • Double-click Default_CA to reopen the certificate • You will see that the certificate is valid, along with its valid-from and valid-to dates • Click the Details tab
  • 199. LAB: Exporting CA Cert for Server Validation 5. View the Certificate Subject • In the Details section, view the certificate Subject • This Subject, HiveManager, is what will appear in the list of trusted root certification authorities in your supplicant, configured later in this lab. [Screenshot: Protected EAP (PEAP) Properties in the supplicant (802.1X client)]
  • 200. © 2014 Aerohive Networks CONFIDENTIAL QUESTIONS?
  • 201. © 2014 Aerohive Networks Inc. For Windows 7 Supplicants CONFIGURING AND TESTING YOUR 802.1X SUPPLICANT 201
  • 202. Lab: Testing AP-RADIUS w/ AD Integration 1. Connect to Secure Wireless Network On the hosted PC, from the bottom task bar, click the wireless networks icon • Click Class-AD-X • Click Connect • A Windows security alert should appear; click Details to verify that this certificate is from HiveManager, then click Connect Note: server-2 is the AP cert, and HiveManager is the trusted CA
  • 203. © 2014 Aerohive Networks CONFIDENTIAL Lab: Testing Aerohive AP RADIUS w/ AD Integration 2. Connect to Secure Wireless Network 203 On the hosted PC, from the bottom task bar, click the wireless networks icon • Click Class-AD-X • Click Connect • Click Use my Windows user account
  • 204. © 2014 Aerohive Networks CONFIDENTIAL Lab: Testing Aerohive AP RADIUS w/ AD Integration 3. Connect to Secure Wireless Network 204 • When prompted about the server certificate Click Connect • Notice that you are now connected (this may take a few moments)
  • 205. Lab: Testing AP-RADIUS w/ AD Integration 4. View Active Clients • After associating with your SSID, you should see your connection in the active clients list in HiveManager › Go to Monitor → Clients → Wireless Clients • IP Address: 10.5.8.# • User Name: DOMAIN\user • VLAN: 8 • User Profile Attribute: 1000 NOTE: User Profile Attribute is the Employee-Default-X user profile for the SSID. This user profile is being assigned because no User Profile Attribute Value was returned from RADIUS.
  • 206. © 2014 Aerohive Networks CONFIDENTIAL QUESTIONS?
  • 207. © 2014 Aerohive Networks Inc. MAPPING ACTIVE DIRECTORY MEMBEROF ATTRIBUTE TO USER PROFILES 207
  • 208. Aerohive AP as a RADIUS Server - Using AD Member Of for User Profile Assignment • In your WLAN policy, you defined an SSID with two user profiles › Employee-Default-X – Set if no RADIUS attribute is returned » This user profile, for example, is for general employee staff, and they get assigned to VLAN 8 › Employee-X – Set if a RADIUS attribute is returned » This user profile, for example, is for privileged employees, and they get assigned to VLAN 10 • Because the Aerohive AP RADIUS server is using AD to authenticate the users, and AD does not return RADIUS attributes, how can we assign users to different user profiles? • Though AD does not return RADIUS attributes, it does return other attribute values, like memberOf, which is a list of AD groups to which the user belongs
  • 209. © 2014 Aerohive Networks CONFIDENTIAL Instructor Only: Confirm User is a member of the Wireless AD Group 209 • Right click the username “user” and click Properties • Click on the MemberOf tab • Each user account should be assigned to the Wireless AD Group
  • 210. Lab: Use AD to Assign User Profile 1. Map memberOf attribute to user profile • Go to Configuration → Advanced Configuration → Authentication → Aerohive AAA Server Settings • Click on the AP-RADIUS-X link
  • 211. Lab: Use AD to Assign User Profile 2. Map memberOf attribute to user profile • Expand Database Settings • Check LDAP server attribute Mapping • Select Manually map LDAP user groups to user profiles • LDAP User Group Attribute: memberOf • Domain: dc=AH-LAB,dc=LOCAL • Click + to expand the LDAP tree
  • 212. Lab: Use AD to Assign User Profile 2. Add AD group to User Profile mapping • Expand the tree structure to locate the group › Expand CN=Users › Select CN=Wireless • For Maps to, from the drop-down list, select the user profile: Employee-X • Click Apply • The mapping appears below the LDAP directory • Click Save [Callouts: Click the LDAP Group; Map group to Employee(10)-X]
  • 213. © 2014 Aerohive Networks CONFIDENTIAL Lab: Use AD to Assign User Profile SSID 3. Update the configuration of your Aerohive AP 213 Go to Configuration • Select your Network Policy: WLAN-X and click OK • Click on the Continue button to go to the Configure and Update Device panel
  • 214. Lab: Use AD to Assign User Profile SSID 4. Update the configuration of your Aerohive AP In the Configure & Update Devices section • Select the Current Policy filter • Check the box next to your AP: X-A-###### • Click Update
  • 215. Lab: Use AD to Assign User Profile SSID 5. Update the configuration of your Aerohive AP • Select Update Devices • A complete upload is not needed this time • Click Update
  • 216. Lab: Use AD to Assign User Profile SSID 6. Delta Upload • The Delta Configuration will upload
  • 217. © 2014 Aerohive Networks CONFIDENTIAL Lab: Use AD to Assign User Profile SSID 7. Disconnect and Reconnect to the Class-AD SSID 217 To test the mapping of the memberOf attribute to your user profile • Disconnect from the Class-AD-X SSID • Connect to the Class-AD-X SSID
  • 218. © 2014 Aerohive Networks CONFIDENTIAL Lab: Use AD to Assign User Profile SSID 8. Disconnect and Reconnect to the Class-AD SSID 218 To test the mapping of the memberOf attribute to your user profile • Disconnect from the Class-AD-X SSID • Connect to the Class-AD-X SSID
  • 219. Lab: Use AD to Assign User Profile SSID 9. Verify your active client settings • From Monitor → Clients → Wireless Clients › Your client should now be assigned to » IP Address: 10.5.10.# » User Profile Attribute: 10 » VLAN: 10 NOTE: In the previous lab, without the LDAP group mapping, the user was assigned to attribute 1000 in VLAN 8
  • 220. © 2014 Aerohive Networks CONFIDENTIAL QUESTIONS?
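Added example, not part of the original slides and not Aerohive's code: a model of the memberOf-to-user-profile mapping configured in this lab, with the fallback to the default profile (attribute 1000, VLAN 8) when no mapped group is present. The group DN, attributes and VLANs come from the slides; the first-match rule and the sample memberOf values in the comments and test are assumptions. Groups are compared as whole, normalized DNs, so a similarly named group or a same-named group in another container does not earn the privileged profile.

```python
"""Model of mapping the AD memberOf attribute to a user profile."""

DEFAULT_ATTRIBUTE = 1000  # used when no group mapping matches

# Lab values from the slides: attribute -> (user profile, VLAN).
USER_PROFILES = {
    1000: ("Employee-Default-X", 8),
    10: ("Employee-X", 10),
}

# Manual LDAP group mapping from the lab: (group DN, attribute).
# Assumption of this sketch: the first matching entry wins.
GROUP_MAP = [
    ("CN=Wireless,CN=Users,DC=AH-LAB,DC=LOCAL", 10),
]


def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def normalize_dn(dn):
    """Return a case-folded tuple of (attribute, value) pairs for a DN."""
    rdns = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed DN component: %r" % rdn)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return tuple(rdns)


def resolve_profile(member_of, group_map=GROUP_MAP):
    """Return (attribute, profile name, VLAN) for a user's memberOf list."""
    groups = set()
    for dn in member_of or []:
        try:
            groups.add(normalize_dn(dn))
        except ValueError:
            continue  # an unparsable value can never match a mapping
    attribute = DEFAULT_ATTRIBUTE
    for group_dn, mapped in group_map:
        if normalize_dn(group_dn) in groups:
            attribute = mapped
            break
    name, vlan = USER_PROFILES[attribute]
    return attribute, name, vlan


if __name__ == "__main__":
    # Constructed memberOf values for illustration.
    print(resolve_profile(["cn=wireless, cn=users, dc=ah-lab, dc=local"]))
    print(resolve_profile(["CN=Wireless-Guests,CN=Users,DC=AH-LAB,DC=LOCAL"]))
```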
  • 221. © 2014 Aerohive Networks Inc. AEROHIVE CLIENT MANAGEMENT Aerohive’s Instructor-led Training
  • 222. © 2014 Aerohive Networks CONFIDENTIAL Is the device a Corporate or Personally owned client? 222 Can you tell the difference between these two iPads? Company Issued Device • Owned and Managed by IT • Provided for a Specific Purpose • Enables New Working Models Personal Device • Employee-owned and Managed • Wide Range of Potential Devices • Improves Employee Satisfaction and Productivity
  • 223. © 2014 Aerohive Networks CONFIDENTIAL How Aerohive Solves the Problem Mobile user connects to corporate SSID with username and password 1 User is authenticated against Active Directory or other user store such as LDAP 2 AP checks to see if device is already enrolled with HiveManager client management 3 If device is not enrolled, it is redirected to enrollment URL to acquire a custom device certificate and secure profile based on whether it is personal or corporate issued device in the MAC address list 5 6 Device is reconnected to the SAME SSID with a custom device certificate HiveManager with Client Management 7 Policy is applied based on all available context, including: identity, device type, device ownership, location, and time Device is checked against a list of known corporate devices (MAC addresses) imported by IT admin 4 223
  • 224. © 2014 Aerohive Networks CONFIDENTIAL Client Management Concepts Company Issued or Bring Your Own Device (BYOD)? 224 • Is the device a Company Issued Device (CID), or was it brought from home as a Bring Your Own Device (BYOD)? • Enter the MAC addresses of devices to have them automatically selected as Corporate Issued Devices • Or let the user decide during enrollment
  • 225. © 2014 Aerohive Networks CONFIDENTIAL Client Management Concepts User profile reassignment Options 225 • Client Management automatically detects and reassigns devices to new user profiles based upon BYOD or CID ownership. • BYOD or CID ownership applies to iOS, MacOS, Android and Chromebook devices. • Policy decisions can be made based on OS and domain for User Profile reassignment of other operating systems such as Windows or Blackberry. Note: You can still mix in other devices that are not supported by Client Management
  • 226. © 2014 Aerohive Networks CONFIDENTIAL Client Management Overview • Support for the following solutions: › Single SSID based onboarding: requires 802.1X on the SSID › Single SSID based onboarding for PPSK: requires an initial static PSK › Two SSIDs based onboarding: » Open (for provisioning) » Second SSID using PPSK (for secured access) • Supports both HMOL and on-premises HM • Requires 6.1r3 HiveOS or later on APs • Supports Mac OS X, iOS, Android devices and Chrome OS (Chromebooks) 226
  • 227. © 2014 Aerohive Networks CONFIDENTIAL Firewall Considerations by the Device types and Ports used
      Source → Destination: Service (Protocol and Port)
      › Apple Client Devices → Apple Push Notification Service (APNS) 17.0.0.0/8: TCP 5223
      › Android & Chromebook Devices → Google GCM Servers: TCP 5223, 5229, 5330
      › HiveManager → Client Management Service (onboard.aerohive.com): HTTPS 443
      › Access Points → Client Management Service (onboard.aerohive.com): HTTPS 443
      › Access Points → Apple Push Notification Service (APNS) 17.0.0.0/8: TCP 5223
  • 228. © 2014 Aerohive Networks CONFIDENTIAL Enable Client Management in HiveManager 228 • Enable Client Management • Test is an HTTPS test to the Client Management Cluster which verifies all Client Management services are working • Do this for On-Premise and HMOL • For On-Premise you will also have to retrieve the Customer ID
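A way to check an egress allow-list against the flows on the Firewall Considerations slide before enabling Client Management. This is an added example, not Aerohive code: the `AllowRule` model and the sample rules are constructed for illustration, and the destinations and ports are copied from the slide as written.

```python
import ipaddress
from dataclasses import dataclass

# Required flows from the slide: (source, destination, protocol, ports).
REQUIRED_FLOWS = [
    ("Apple Client Devices", "17.0.0.0/8", "tcp", (5223,)),
    ("Android & Chromebook Devices", "Google GCM Servers", "tcp", (5223, 5229, 5330)),
    ("HiveManager", "onboard.aerohive.com", "tcp", (443,)),
    ("Access Points", "onboard.aerohive.com", "tcp", (443,)),
    ("Access Points", "17.0.0.0/8", "tcp", (5223,)),
]


@dataclass(frozen=True)
class AllowRule:
    """One egress allow rule in a simplified, hypothetical rule model."""
    source: str   # device group name, or "any"
    dest: str     # CIDR, hostname/service label, or "any"
    proto: str
    port_lo: int
    port_hi: int


def _network(text):
    """Return an ip_network for CIDR text, or None for a hostname or label."""
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None


def _dest_covers(rule_dest, needed_dest):
    """True if the rule's destination includes the whole required destination."""
    if rule_dest == "any":
        return True
    rule_net, needed_net = _network(rule_dest), _network(needed_dest)
    if rule_net is not None and needed_net is not None:
        # A rule for part of the range (e.g. a /16 inside the /8) is not enough.
        return rule_net.version == needed_net.version and needed_net.subnet_of(rule_net)
    return rule_dest.lower() == needed_dest.lower()


def missing_flows(rules):
    """List every (source, dest, proto, port) from the slide that no rule allows."""
    gaps = []
    for source, dest, proto, ports in REQUIRED_FLOWS:
        for port in ports:
            allowed = any(
                r.source in ("any", source) and r.proto == proto
                and _dest_covers(r.dest, dest) and r.port_lo <= port <= r.port_hi
                for r in rules
            )
            if not allowed:
                gaps.append((source, dest, proto, port))
    return gaps


# Constructed sample policy with two deliberate gaps.
SAMPLE_RULES = [
    AllowRule("any", "any", "tcp", 443, 443),                        # general HTTPS egress
    AllowRule("Apple Client Devices", "17.0.0.0/8", "tcp", 5223, 5223),
    AllowRule("Access Points", "17.0.0.0/16", "tcp", 5223, 5223),     # too narrow
    AllowRule("Android & Chromebook Devices", "Google GCM Servers", "tcp", 5223, 5229),
]

if __name__ == "__main__":
    for gap in missing_flows(SAMPLE_RULES):
        print("not allowed:", gap)
```
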
  • 229. © 2014 Aerohive Networks CONFIDENTIAL LAB: CLIENT MANAGEMENT USING 802.1X
  • 230. © 2014 Aerohive Networks CONFIDENTIAL Scenario Your Enterprise Customer is using 802.1X/EAP security. Employees are permitted to bring their own devices to work to access the company network and internet. The new requirements include: • Company Issued Devices (CID) such as iPads will receive the Company profile. • All mobile device cameras must be disabled for security purposes. • Employee Personal Devices (BYOD) will receive the Personal profile. • Employee Personal Devices will have a firewall policy that restricts access to corporate resources but allows access to a gateway to the Internet. 230
  • 231. © 2014 Aerohive Networks CONFIDENTIAL • Go to Configuration • Select your Network Policy and click OK • Click on the link for the Class-AD-X SSID 231 Lab: Client Management using 802.1X 1. Edit the network policy
  • 232. © 2014 Aerohive Networks CONFIDENTIAL • Check  Enable Client Management • Click Save 232 Lab: Client Management using 802.1X 2. Enable client management
  • 233. © 2014 Aerohive Networks CONFIDENTIAL • User Profile: Add/Remove • Click New 233 Lab: Client Management using 802.1X 3. Create a CID user profile
  • 234. © 2014 Aerohive Networks CONFIDENTIAL • Name: BYOD-X • Attribute: 800 • VLAN: 10 • Do NOT click Save yet Lab: Client Management using 802.1X 4. Create a BYOD user profile 234
  • 235. © 2014 Aerohive Networks CONFIDENTIAL 235 Lab: Client Management using 802.1X 5. Assign a restrictive firewall policy • Under Optional Settings, expand Firewalls • IP Firewall Policy → From-Access → Guest-Internet Access Firewall Policy • Default Action: Permit • Click Save • Click Save again
  • 236. © 2014 Aerohive Networks CONFIDENTIAL 236 Note: Firewall Policy The guest firewall policy is a default policy that can be used to keep BYOD devices away from the internal networks where corporate resources reside. Access to a gateway to the Internet can still be permitted.
  • 237. © 2014 Aerohive Networks CONFIDENTIAL 237 • Click New to create a CID user profile • Name: CID-X • Attribute Number: 200 • Default VLAN: 10 • Click Save • Click Save again Lab: Client Management using 802.1X 6. Create a CID user profile
  • 238. © 2014 Aerohive Networks CONFIDENTIAL 238 Lab: Client Management using 802.1X 7. Edit the Employee-X user profile • Click the Employee-X user profile to edit
  • 239. © 2014 Aerohive Networks CONFIDENTIAL • Optional Settings: Expand Client Classification Policy • Check  Enable user profile reassignment based on client classification rules • Click New 239 Lab: Client Management using 802.1X 8. Create a reassignment rule for the CID user profile
  • 240. © 2014 Aerohive Networks CONFIDENTIAL • Ownership: CID • Reassigned User Profile: CID-X • Click Apply • Do NOT Save Yet 240 Lab: Client Management using 802.1X 9. Create a reassignment rule for the CID user profile
  • 241. © 2014 Aerohive Networks CONFIDENTIAL 241 • Click New • Ownership: BYOD • Reassigned User Profile: BYOD-X • Click Apply Lab: Client Management using 802.1X 10. Create a reassignment rule for BYOD user profile
  • 242. © 2014 Aerohive Networks CONFIDENTIAL • Verify the reassignment rules • Click Save 242 Lab: Client Management using 802.1X 11. Verify the reassignment rules
  • 243. © 2014 Aerohive Networks CONFIDENTIAL 243 Lab: Client Management using 802.1X 12. Verify the reassignment rules • Expand the Employee-X user profile • Click Add/Remove to activate the rules All employees will authenticate via 802.1X/EAP and be assigned to VLAN 10. Employees will then use the correct device profile based upon their enrollment status.
  • 244. © 2014 Aerohive Networks CONFIDENTIAL • Check  Enable user profile reassignment based on client classification rules • Click Save 244 Lab: Client Management using 802.1X 13. Enable the reassignment rules
  • 245. © 2014 Aerohive Networks CONFIDENTIAL • Click Continue to save the network policy and proceed to configure and update. 245 Lab: Client Management using 802.1X 14. Enable the reassignment rules
  • 246. © 2014 Aerohive Networks CONFIDENTIAL • Choose the Current Policy filter • Click on the 0X-A-XXXX-AP to modify the configuration. 246 Lab: Client Management using 802.1X 15. Edit your AP that is the RADIUS server
  • 247. © 2014 Aerohive Networks CONFIDENTIAL • Optional Settings → Expand Service Settings • Next to the Device RADIUS Service, click the modify icon to edit your AP-RADIUS-X object. 247 Lab: Client Management using 802.1X 16. Edit your AP that is the RADIUS server
  • 248. © 2014 Aerohive Networks CONFIDENTIAL • Client Management is a cloud-based onboarding solution that requires you to use the Client Management Root certificate and server certificate and key file. • These certificates can be used with any Aerohive Device that functions as a RADIUS server. • A third-party RADIUS server can be used for 802.1X with Client Management, however you will need to export these same certificates and install them on the third-party RADIUS server. 248 Why new certificates?
  • 249. © 2014 Aerohive Networks CONFIDENTIAL Client Management also supports the import of third party certificates from an existing PKI. 249 Support for Third-Party Certificates
  • 250. © 2014 Aerohive Networks CONFIDENTIAL • Expand Database Settings to select the client management certificates • CA Cert File: ClientMgmt_CA.crt • Server Cert File: ClientMgmt-Radius-Server_Crt.crt • Server Key File: ClientMgmt-Radius-Server_key.pem • Remove the passwords from the previous lab • Click Save 250 Lab: Client Management using 802.1X 17. Edit your AP that is the RADIUS server
  • 251. © 2014 Aerohive Networks CONFIDENTIAL • Click Save 251 Lab: Client Management using 802.1X 18. Save the AP specific settings
  • 252. © 2014 Aerohive Networks CONFIDENTIAL • Select  your 0X-A-XXXX AP • Click Update • Click Update Devices 252 Lab: Client Management using 802.1X 19. Upload the AP configuration
  • 253. © 2014 Aerohive Networks CONFIDENTIAL 253 Lab: Client Management using 802.1X 20. Upload the AP configuration • Select  Perform a complete configuration update • Click Update • Click OK
  • 254. © 2014 Aerohive Networks CONFIDENTIAL 254 • Click on the Configure Interfaces & User Access bar • Click on Client Management The Client Management link is a direct connection to configure Client Management profiles. Lab: Client Management using 802.1X 21. Configuring Client Management
  • 255. © 2014 Aerohive Networks CONFIDENTIAL • Username: cm#-admin@ah-lab.com where # is the Lab number 1,2,3,4 or 5 • Password: Aerohive123 255 Lab: Client Management using 802.1X 22. Configuring Client Management
  • 256. © 2014 Aerohive Networks CONFIDENTIAL • Click Configuration 256 Lab: Client Management using 802.1X 23. Configuring Client Management
  • 257. © 2014 Aerohive Networks CONFIDENTIAL 257 • Monitor → Clients → Active Clients or Wireless Clients • New Column to display Client Management Enrollment • Grey icon indicates the client is enrolled in CM Client Management Data in HiveManager
  • 258. © 2014 Aerohive Networks CONFIDENTIAL Client Management Data in HiveManager 258 • Hover over the icon and it changes to Aerohive yellow • Click on the popup and the admin is redirected to the CM server monitor view for the client
  • 259. © 2014 Aerohive Networks CONFIDENTIAL Client Management Data in HiveManager 259 • Click on the MAC address of the enrolled client device to see Client Management information in HiveManager
  • 260. © 2014 Aerohive Networks CONFIDENTIAL 260 Client Management Useful Information and Tips • There are two core types of profiles: › Enrollment profiles – these are the management profiles. › Client profiles – these are the configuration profiles i.e. Restrictions, ActiveSync, etc. • The relationship between User Profiles and UPIDs is a many to one relationship. • Do not overload a single profile; divide the load among individual profiles based upon type (Restrictions, Web Clip, etc.) each using the same attribute value.
  • 261. © 2014 Aerohive Networks CONFIDENTIAL 261 Lab: Client Management using 802.1X 24. Configuring a BYOD Client Profile You will now create client profiles to match the BYOD-X and CID-X user profiles. • Click New.
  • 262. © 2014 Aerohive Networks CONFIDENTIAL 262 Lab: Client Management using 802.1X 25. Configuring a BYOD Client Profile camera removal • Name: BYOD-X-No-Camera • User Profile Attribute: 800 • Organization: Aerohive • Security: User can remove profile • Profile Lifetime on Client Devices: Do not delete the profile from the client device • Click Restrictions
  • 263. © 2014 Aerohive Networks CONFIDENTIAL 263 Lab: Client Management using 802.1X 26. Enforcing Restrictions • Turn ON Enforce Restrictions • Uncheck ☐ Allow use of camera • Click Save
  • 264. © 2014 Aerohive Networks CONFIDENTIAL 264 Lab: Client Management using 802.1X 27. Configuring a BYOD Client Profile adding Web Clip • Name: BYOD-X-Web Clip • User Profile Attribute: 800 • Organization: Aerohive • Security: User can remove profile • Profile Lifetime on Client Devices: Do not delete the profile from the client device • Click Web Clips
  • 265. © 2014 Aerohive Networks CONFIDENTIAL 265 • Label: Student-X-Video • URL: http://bit.ly/1cKAzfA • Options: Precomposed Icon • Click Save Lab: Client Management using 802.1X 28. Configuring a BYOD Client Profile adding Web Clip
  • 266. © 2014 Aerohive Networks CONFIDENTIAL 266 Lab: Client Management using 802.1X 29. Verifying the BYOD Client Profiles • Verify your BYOD-X client profile • Click New
  • 267. © 2014 Aerohive Networks CONFIDENTIAL 267 Lab: Client Management using 802.1X 30. Creating a CID Client Profile • Name: CID-X • User Profile Attribute: 200 • Organization: Aerohive • Security: User can remove profile • Profile Lifetime on Client Devices: Do not delete the profile from the client device • Click Restrictions
  • 268. © 2014 Aerohive Networks CONFIDENTIAL 268 Lab: Client Management using 802.1X 31. Enforcing Restrictions • Turn ON Enforce Restrictions • Do NOT uncheck  Allow use of camera • Click Save
  • 269. © 2014 Aerohive Networks CONFIDENTIAL 269 Lab: Client Management using 802.1X 32. Verifying Client Profiles • Verify the BYOD and CID client profiles
  • 270. © 2014 Aerohive Networks CONFIDENTIAL 270 iOS Client Profile Restrictions Many more restrictions can be configured in your iOS Client Profiles.
  • 271. © 2014 Aerohive Networks CONFIDENTIAL 271 iOS Client Profile Restrictions Many more restrictions can be configured in your iOS Client Profiles.
  • 272. © 2014 Aerohive Networks CONFIDENTIAL 272 iOS Client Profile Settings • Other iOS client settings include › VPN › Exchange ActiveSync › Web Clips › CalDav › CardDav › Email
  • 273. © 2014 Aerohive Networks CONFIDENTIAL OPTIONAL CLIENT MANAGEMENT INSTRUCTOR DEMONSTRATION Because our lab is in a remote location, we cannot test the client management lab. If time permits, the instructor will now demonstrate client management in class. Should students wish to participate in the demonstration with their personal devices, ensure that they select the BYOD profile. The Enrollment profile can be removed from their personal devices after class.
  • 274. © 2014 Aerohive Networks CONFIDENTIAL 274 Lab: Client Onboarding Demo 1. Connect to 802.1X SSID On the instructor iOS device and/or student iOS devices: • Go to Settings → Wi-Fi • Click on the CM-802.1X-Demo SSID • Username: demoX (Where X = student number) (Instructor is demo1) • Password: aerohive123
  • 275. © 2014 Aerohive Networks CONFIDENTIAL 275 Lab: Client Onboarding Demo 2. Connect to the 802.1X SSID • Click the Accept button to accept the certificate • Verify that you are connected to the CM-802.1X-Demo SSID
  • 276. © 2014 Aerohive Networks CONFIDENTIAL 276 Lab: Client Onboarding Demo 3. Continue with client onboarding • Open your browser and try to connect to a web site • You will be redirected to the Client Management captive web portal for onboarding
  • 277. © 2014 Aerohive Networks CONFIDENTIAL 277 Lab: Client Onboarding Demo 4. Continue with client onboarding Specify the device ownership  Personal Devices (BYOD) will automatically be selected. • Check  View and agree to the terms of use • Click Enroll My Device  Company-Issued Devices (CID) would automatically be selected if this device’s MAC address is configured in Client Management.
  • 278. © 2014 Aerohive Networks CONFIDENTIAL 278 Lab: Client Onboarding Demo 5. Continue with client onboarding EXAMPLE Specify the device ownership  Company-Issued Devices (CID) will automatically be selected if the device’s MAC address is already configured in Client Management.
  • 279. © 2014 Aerohive Networks CONFIDENTIAL 279 Lab: Client Onboarding Demo 6. Install the Client Enrollment profile • The Enrollment process will begin. • Click the Install button to install the Enrollment Profile • Read the disclaimer warning and click Install. • Enter your device passcode if prompted.
  • 280. © 2014 Aerohive Networks CONFIDENTIAL 280 Lab: Client Onboarding Demo 7. Install the Client Enrollment profile • Click Done and the selected profile will begin to install.
  • 281. © 2014 Aerohive Networks CONFIDENTIAL 281 Lab: Client Onboarding Demo 8. Install the Client Enrollment profile • Client Management verifies and installs the Wi-Fi profile • The device is successfully enrolled
  • 282. © 2014 Aerohive Networks CONFIDENTIAL 282 Lab: Client Onboarding Demo 9. Client is enrolled • Browser begins redirection • Redirection is completed
  • 283. © 2014 Aerohive Networks CONFIDENTIAL 283 Lab: Client Onboarding Demo 10. Client is enrolled • During the onboarding process an Enrollment profile is installed. • A Wi-Fi profile is installed. • The needed certificate is installed. • The client device disconnects and reconnects to the 802.1X SSID. This is not visible to the user.
  • 284. © 2014 Aerohive Networks CONFIDENTIAL 284 Lab: Client Onboarding Demo 11. Client is enrolled • Go to Settings → General → Profiles • Expand the profiles. • Verify Certificates. • Verify Restrictions. • Verify that the camera icon is not on your device.
  • 285. © 2014 Aerohive Networks CONFIDENTIAL MONITORING
  • 286. © 2014 Aerohive Networks CONFIDENTIAL Verify enrolled clients in HiveManager • Monitor → Clients → Wireless Clients • All BYOD devices will be in VLAN 10 because CM sent attribute 800 to the AP and the user was assigned to the corresponding user profile • All CID devices will be in VLAN 10 because CM sent attribute 200 to the AP and the user was assigned to the corresponding user profile 286
  • 287. © 2014 Aerohive Networks CONFIDENTIAL Monitor enrolled devices in Client Management • From Home in Client Management you can view reported device data. • Placing your cursor over a chart reveals more information. • Clicking on a chart will take you to the location in Client Management from which the information was gathered.
  • 288. © 2014 Aerohive Networks CONFIDENTIAL Monitor enrolled devices in Client Management • Go to Monitor → Clients • Verify BYOD and CID ownership as prescribed. • Click on any client's name for device-specific information and you are taken to Client Info for that device.
  • 289. © 2014 Aerohive Networks CONFIDENTIAL Monitor enrolled devices in Client Management • Information reported from the client is displayed. • View the enrolled client's settings • The client location is based on the client’s public IP address, not GPS location.
  • 290. © 2014 Aerohive Networks CONFIDENTIAL Monitor enrolled devices in Client Management • Great detail about the client device is available. • Scroll down • Click on the Apps tab to view the installed applications of the client. • Click through some of the other tabs to see more information about the client.
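The ownership-based reassignment configured in the lab and verified in the monitoring slides above, modeled as an added example (not Aerohive code). The class and function names are hypothetical and the MAC addresses are constructed. Two things are assumptions: that the Employee-X attribute carries over from the preceding AD lab, and that a MAC-list match takes precedence over the user's choice.

```python
import re
from dataclasses import dataclass
from typing import Optional

# User profiles from the lab: name -> (attribute, VLAN, IP firewall policy).
PROFILES = {
    "Employee-X": (10, 10, None),  # attribute assumed from the preceding AD lab
    "CID-X": (200, 10, None),
    "BYOD-X": (800, 10, "Guest-Internet Access Firewall Policy"),
}
# Reassignment rules created on the Employee-X profile in the lab.
REASSIGNMENT = {"CID": "CID-X", "BYOD": "BYOD-X"}
AUTH_PROFILE = "Employee-X"


@dataclass(frozen=True)
class Decision:
    action: str               # "redirect-to-enrollment" or "apply-policy"
    ownership: Optional[str]  # None until the device has enrolled
    profile: str
    attribute: int
    vlan: int
    firewall: Optional[str]


def normalize_mac(text):
    """Canonicalize 00:1A:.., 00-1a-.. and 001a.2b3c.. forms to 12 hex digits."""
    digits = re.sub(r"[:.\-]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits


class ClientManagementModel:
    def __init__(self, corporate_macs):
        # Imported list of known corporate devices, stored canonically so
        # a formatting difference cannot turn a CID device into BYOD.
        self.corporate = {normalize_mac(m) for m in corporate_macs}
        self.enrolled = {}  # canonical MAC -> ownership recorded at enrollment

    def enroll(self, mac, user_choice="BYOD"):
        mac = normalize_mac(mac)
        ownership = "CID" if mac in self.corporate else user_choice
        if ownership not in REASSIGNMENT:
            raise ValueError(f"unknown ownership: {ownership!r}")
        self.enrolled[mac] = ownership
        return ownership

    def decide(self, mac):
        """Profile applied to an already 802.1X-authenticated client."""
        ownership = self.enrolled.get(normalize_mac(mac))
        if ownership is None:
            return Decision("redirect-to-enrollment", None, AUTH_PROFILE,
                            *PROFILES[AUTH_PROFILE])
        name = REASSIGNMENT[ownership]
        return Decision("apply-policy", ownership, name, *PROFILES[name])
```
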
  • 291. © 2014 Aerohive Networks CONFIDENTIAL CUSTOMIZATION

Editor's Notes

  1. Through the Layer 3 roaming feature, wireless clients can roam between hive members in different subnets and maintain their original IP addresses and existing sessions. You can use the default Layer 3 roaming settings or modify them. Select the check box to make the neighbor Keepalives and roaming cache update options editable. Neighbor Keepalives Interval: Set the interval between the Keepalives that neighbors send to each other to indicate their continued presence on the network. The default Keepalive interval is 3600 seconds (1 hour). You can change the interval from 10 to 360,000 seconds (100 hours). Age out (Number of Missed Keepalives): Set the number of consecutive Keepalives from neighbor A that neighbor B must miss for B to determine that A is gone. Neighbor B then removes A from its list of neighbors. The default is 120 missed Keepalives. You can change the age out value from 2 to 1000.