Aerohive Configuration guide.
- 1. © 2013 Aerohive Networks CONFIDENTIAL
AEROHIVE CERTIFIED NETWORKING PROFESSIONAL (ACNP)
- 2.
Introductions
• What is your name?
• What is your organization's name?
• How long have you worked in networking?
• What was your first computer?
- 3.
Facilities Discussion
• Course Material Distribution
• Course Times
• Restrooms
• Break room
• Smoking Area
• Break Schedule
› Morning Break
› Lunch Break
› Afternoon Break
- 4.
Aerohive Switching & Routing Configuration (ACNP) – Course Overview
Each student connects to HiveManager, a remote PC, and an Aerohive AP over the Internet from their wireless-enabled laptop in the classroom, and then performs hands-on labs that cover the following topics:
• Overview of Switching and Routing Platforms
• Unified Network Policy Management
• Spanning Tree
• Device Templates
• Port Types (802.1Q Ports, Phone and Data Ports, Secure Access Ports, Guest Access Ports and WAN ports)
• Aggregate Channels
• PoE
• VLAN to Network mapping
• Router templates
• Parent networks and branch subnets
• Layer 3 VPN with VPN Gateway Virtual Appliance
• Policy Based Routing
• Router Firewall
• Cookie Cutter Branch Networking
2-day hands-on class
- 5.
Aerohive Training Remote Lab
• Aerohive Access Points using external antenna connections and RF cables to connect to USB Wi-Fi client cards (black cables)
• Access Points are connected from eth0 to Aerohive Managed Switches with 802.1Q VLAN trunk support providing PoE to the APs (yellow cables)
• Firewall with routing support, NAT, and multiple Virtual Router Instances
• Access Points are connected from their console port to a console server (white cables)
• Console server to permit SSH access into the serial console of Aerohive Access Points
• Server running VMware ESXi running Active Directory, RADIUS, NPS and hosting the virtual clients used for testing configurations to support the labs
- 6.
Aerohive CBT Learning
http://www.aerohive.com/cbt
- 7.
The 20 Minute Getting Started Video Explains the Details
Please view the Aerohive Getting Started Videos:
http://www.aerohive.com/330000/docs/help/english/cbt/Start.htm
- 8.
Aerohive Technical Documentation
All the latest technical documentation is available for download at:
http://www.aerohive.com/techdocs
- 9.
Aerohive Instructor Led Training
• Aerohive Education Services offers a complete curriculum that provides you with the courses you will need as a customer or partner to properly design, deploy, administer, and troubleshoot all Aerohive WLAN solutions.
• Aerohive Certified WLAN Administrator (ACWA) – First-level course
• Aerohive Certified WLAN Professional (ACWP) – Second-level course
• Aerohive Certified Network Professional (ACNP) – Switching/Routing course
• www.aerohive.com/training – Aerohive Class Schedule
- 10.
Over 20 books about networking have been written by Aerohive Employees
• CWNA Certified Wireless Network Administrator Official Study Guide by David D. Coleman and David A. Westcott
• CWSP Certified Wireless Security Professional Official Study Guide by David D. Coleman, David A. Westcott, Bryan E. Harkins and Shawn M. Jackman
• CWAP Certified Wireless Analysis Professional Official Study Guide by David D. Coleman, David A. Westcott, Ben Miller and Peter MacKenzie
• 802.11 Wireless Networks: The Definitive Guide, Second Edition by Matthew Gast
• 802.11n: A Survival Guide by Matthew Gast
• 802.11ac: A Survival Guide by Matthew Gast
- 11.
Aerohive Exams and Certifications
• Aerohive Certified Wireless Administrator (ACWA) is a first-level certification that validates your knowledge and understanding of Aerohive Networks' WLAN Cooperative Control Architecture. (Based upon Instructor Led Course)
• Aerohive Certified Wireless Professional (ACWP) is the second-level certification that validates your knowledge and understanding of Aerohive advanced configuration and troubleshooting. (Based upon Instructor Led Course)
• Aerohive Certified Network Professional (ACNP) is another second-level certification that validates your knowledge of Aerohive switching and branch routing. (Based upon Instructor Led Course)
- 12.
Aerohive Forums
• Aerohive's online community – HiveNation
Have a question, an idea or praise you want to share? Join the HiveNation Community - a place where customers, evaluators, thought leaders and students like yourselves can learn about Aerohive and our products while engaging with like-minded individuals.
• Please, take a moment and register during class if you are not already a member of HiveNation.
Go to http://community.aerohive.com/aerohive and sign up!
- 13.
Aerohive Social Media
The HiveMind Blog: http://blogs.aerohive.com
Follow us on Twitter: @Aerohive
Instructor: David Coleman: @mistermultipath
Instructor: Bryan Harkins: @80211University
Instructor: Gregor Vucajnk: @GregorVucajnk
Instructor: Metka Dragos: @MetkaDragos
Please feel free to tweet about #Aerohive training during class.
- 14.
Aerohive Technical Support – General
I want to talk to somebody live.
Call us at 408-510-6100 / Option 2. We also provide service toll-free from within the US & Canada by dialing (866) 365-9918. Aerohive has Support Engineers in the US, China, and the UK, providing coverage 24 hours a day.
How do I buy Technical Support?
Support Contracts are sold on a yearly basis, with discounts for multi-year purchases. Customers can opt to purchase Support in either 8x5 format or in a 24 hour format.
I have different expiration dates on several Entitlement keys, may I combine all my support so it all expires on the same date?
Your Aerohive Sales Rep can help you set up Co-Term, which allows you to select matching expiration dates for all your support.
- 15.
Aerohive Technical Support – The Americas
How do I reach Technical Support?
Aerohive Technical Support is available 24 hours a day. This can be via the Aerohive Support Portal or by calling. For the Support Portal, an authorized customer can open a Support Case. Communication is managed via the portal with new messages and replies. Once the issue is resolved, the case is closed, and can be retrieved at any time in the future.
I want to talk to somebody live.
For those who wish to speak with an engineer, call us at 408-510-6100 / Option 2. We also provide service toll-free from within the US & Canada by dialing (866) 365-9918.
I need an RMA in The Americas
An RMA is generated via the Support Portal, or by calling our Technical Support group. After troubleshooting, should the unit require repair, we will overnight* a replacement to the US and Canada. Other countries are international. If the unit is DOA, it's replaced with a brand new item; if not, it is replaced with a like-new refurbished item.
*Restrictions may apply: time of day, location, etc.
- 16.
Aerohive Technical Support – International
How Do I get Technical Support outside The Americas?
Aerohive international Partners provide dedicated Technical Support to their customers. The Partner has received specialized training on Aerohive Networks' product line, and has access to 24 hour Internal Aerohive Technical Support via the Support Portal, or by calling 408-510-6100 / Option 2.
I need an RMA internationally
World customers' defective units are quickly replaced by our Partners, and Aerohive replaces the Partner's stock once it arrives at our location. Partners are responsible for all shipping charges, duties, taxes, etc.
- 17.
Copyright Notice
Copyright © 2013 Aerohive Networks, Inc. All rights reserved.
Aerohive Networks, the Aerohive Networks logo, HiveOS, Aerohive AP, HiveManager, and GuestManager are trademarks of Aerohive Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies.
- 18.
QUESTIONS?
- 19.
SWITCHING & ROUTING PRODUCT LINE
Overview of hardware and software platforms
- 20.
Aerohive Switching Platforms
SR2024P
• 24 PoE+ (195 W)
• 56 Gbps switching
• Routing with 3G/4G USB support and line rate switching
• Single power supply
SR2124P
• 24 Gigabit Ethernet
• 4 ports 1G SFP uplinks
• 24 PoE+ (408 W)
• 128 Gbps switching
• Switching only
• Redundant power supply capable
SR2148P
• 48 Gigabit Ethernet
• 4 ports 10G SFP/SFP+ uplinks
• 48 PoE+ (779 W)
• 176 Gbps switching
• Switching only
• Redundant power supply capable
- 21.
Class Switches Deployed in Data Center
• SR2024
› Line Rate Layer 2 Switch
› 8 Ports of PoE
› Multi-authentication access ports
» 802.1X with fallback to MAC auth or open
› Client Visibility
» View client information by port
› RADIUS Server
› Internet Router
› DHCP Server
› USB 3G/4G Backup
› Policy-based routing with Identity
[Diagram: SR2024 with PoE-connected APs and an Internet uplink]
Provides Access For:
• Employees
• Guests
• Contractors
• Phones
• APs
• Servers
Note: The switch model (2024) used in the lab has been superseded by improved models.
- 22.
HiveManager Form Factors
Express Mode
• Optimized for ease of use
• Uniform company-wide policy
• One user profile per SSID
Enterprise Mode
• Enterprise sophistication
• Multiple Network policies
• Multiple user profiles/SSID
HiveManager Appliance 2U
• Redundant power & fans
• HA redundancy
• 5000 APs
HiveManager Virtual Appliance
• VMware ESX & Player
• HA redundancy
• 1500 APs with minimum configuration
HiveManager Appliance
• Redundant power & fans
• HA redundancy
• 8000 APs
HiveManager Virtual Appliance
• VMware ESX & Player
• HA redundancy
• 5000 APs with minimum configuration
HiveManager Online
• Cloud-based SaaS management
Feature areas: Topology Reporting, Heat Maps, SLA Compliance, RF Planner, SW, Config & Policy, Guest Mgmt
- 25.
Aerohive Routing Platforms
Model: BR 100 | BR 200* | AP 330 | AP 350
Radios: Single Radio | Single Radio | Dual Radio | Dual Radio
FW/VPN throughput: 5-10 Mbps | 30-50 Mbps
Radio type: 1x1 11bgn | 3x3:3 450 Mbps 11abgn
Ethernet: 5x 10/100 | 5x 10/100/1000 | 2x 10/100/1000 Ethernet
PoE PSE: 0 PoE PSE | 0 PoE PSE | 2x PoE PSE
* Also available as a non-Wi-Fi device
VPN Gateways (Physical/Virtual): L3 IPSec VPN Gateway, ~500 Mbps VPN, 4000/1024 Tunnels
- 26.
BR100 vs. BR200
BR100                                    BR200/BR200WP
5x FastEthernet                          5x Gigabit Ethernet
1x1 11bgn (2.4Ghz) single radio          3x3:3 11abgn dual-band single radio (WP)
No integrated PoE                        PoE (in WP model)
No console port                          Console Port
No Spectrum Analysis                     Integrated Spectrum Analysis (WP)
No Wireless Intrusion Detection          Full Aerohive WIPS (WP)
No local RADIUS or AD integration        Full Aerohive RADIUS, proxy, and AD
No SNMP logging                          SNMP Support
- 27.
Aerohive AP Platforms
AP170 (Outdoor, Water Proof (IP 68), -40 to 55°C): 2x2:2 300 Mbps 11n High Power Radios; 1x Gig.E; PoE (802.3at); N/A
AP390 (Indoor Industrial, Plenum/Dust Proof, -20 to 55°C): Dual Radio 802.11ac/n; 3x3:3 450 + 1300 Mbps High Power Radios; 2x Gig E w/ PoE Failover
AP230, AP370* (Indoor, Plenum Rated): Dual Radio 802.11ac/n; 3x3:3 450 + 1300 Mbps High Power Radios; 2x Gig E w/ PoE Failover
AP330, AP350 (Indoor, Plenum Rated, 0 to 40°C): Dual Radio 802.11n; 3x3:3 450 Mbps High Power Radios; 2x Gig.E w/ link aggregation; USB for 3G/4G Modem; TPM Security Chip; PoE (802.3af + 802.3at) and AC Power
AP121, AP141 (Indoor, Plenum Rated, 0 to 40°C): 2x2:2 300 Mbps High Power Radios; 1x Gig.E; USB for future use
* Includes 5 GHz Transmit Beamforming and in 2.4 GHz has TurboQAM
- 28.
VPN Gateway Virtual Appliance
• Supports the following
› GRE Tunnel Gateway
› L2 IPSec VPN Gateway
› L3 IPSec VPN Gateway
› RADIUS Authentication Server
› RADIUS Relay Agent
› Bonjour Gateway
› DHCP server
• Use a VPN Gateway Virtual Appliance instead of an AP when higher scalability for these features is required
Function                                        Scale
VPN Tunnels                                     1024 Tunnels
RADIUS – Local users per VPN Gateway            9999
# Users Cache (RADIUS Server)                   1024
# Simultaneous authentications (RADIUS Server)  256
- 29.
VPN Gateway Physical Appliance
• Supports the following
› GRE Tunnel Gateway
› L2 IPSec VPN Gateway
› L3 IPSec VPN Gateway
› RADIUS Authentication Server
› RADIUS Relay Agent
› Bonjour Gateway
› DHCP server
• Use a VPN Gateway Appliance instead of an AP when higher scalability for these features is required
Function                                        Scale
VPN Tunnels                                     4000 Tunnels
RADIUS – Local users per VPN Gateway            9999
# Users Cache (RADIUS Server)                   1024
# Simultaneous authentications (RADIUS Server)  256
Ports: One 10/100/1000 WAN port; four LAN ports, two of which support PoE
- 30.
QUESTIONS?
- 31.
Lab Infrastructure
[Diagram: Student Space – per student (Student 2 … Student X) an access SR2024 with PoE-connected AP and PC; Instructor Space – distribution, core, HiveManager and router]
Router (VLAN interfaces):
VLAN 1: ip address 10.100.1.1/24
VLAN 2: ip address 10.100.2.1/24
VLAN 8: ip address 10.100.8.1/24
VLAN 10: ip address 10.100.10.1/24
- 33.
Lab: Setting up a Wireless Network
1. Connect to the Hosted Training HiveManager
• Securely browse to the appropriate HiveManager for class
› TRAINING LAB 1: https://training-hm1.aerohive.com (https://72.20.106.120)
› TRAINING LAB 2: https://training-hm2.aerohive.com (https://72.20.106.66)
› TRAINING LAB 3: https://training-hm3.aerohive.com (https://209.128.124.220)
› TRAINING LAB 4: https://training-hm4.aerohive.com (https://203.214.188.200)
› TRAINING LAB 5: https://training-hm5.aerohive.com (https://209.128.124.230)
• Supported Browsers:
› Firefox, Internet Explorer, Chrome, Safari
• Class Login Credentials:
› Login: adminX (X = Student ID 2 - 29)
› Password: aerohive123
NOTE: In order to access the HiveManager, someone at your location needs to enter the training firewall credentials given to them by the instructor first.
- 34.
Lab: Setting Up a Wireless Network
2. Create a Network Policy
• Go to Configuration
• Click the New button
- 35.
Lab: Setting Up a Wireless Network
3. Enable network policy options
• Name: Access-X
• Check the options for
› Wireless Access
› Switching
› Bonjour Gateway
• Click Create
• Note, enabling Branch Routing:
» Enables L3 VPN Configuration
» Disables L2 VPN Configuration
» Enables L3 Router Firewall Policy
» Enables Policy-Based Routing with Identity
» Enables Router configuration settings in Additional Settings
- 36.
Network Policy Components
• Wireless Access – Use when you have an AP only deployment, or you require specific wireless policies for APs in a mixed AP and router deployment
• Branch Routing – Use when you are managing routers, or APs behind routers that do not require different Network Policies than the router they connect through
[Diagram: BR100 at a Small Branch Office or Teleworker Site, and BR200 with APs behind it at a Small to Medium Size Branch Office that may have APs behind the router, each connected to the Internet]
- 37.
Network Policy Components
• Bonjour Gateway
› Allows Bonjour services to be seen in multiple subnets
• Switching
› Used to manage wired traffic using Aerohive Switches
[Diagram: SR2024 with PoE-connected APs and an Internet uplink]
- 38.
Lab: Setting Up a Wireless Network
4. Create a New SSID Profile
Network Configuration
• Next to SSIDs click Choose
• Then click New
- 39.
Lab: Setting Up a Wireless Network
5. Configure Employee SSID
• SSID Profile: Class-PSK-X (X = 2 – 29, Student ID)
• SSID: Class-PSK-X
• Select WPA/WPA2 PSK (Personal)
• Uncheck the Obscure Password checkbox
• Key Value: aerohive123
• Confirm Value: aerohive123
• Click Save
• Click OK
For all labs, please follow the class naming convention.
- 40.
Lab: Setting Up a Wireless Network
6. Create a User Profile
• To the right of your SSID, under User Profile, click Add/Remove
• In Choose User Profiles, click the New button
- 41.
Lab: Setting Up a Wireless Network
7. Define User Profile Settings
• Name: Employee-X
• Attribute Number: 10
• Default VLAN: from the drop down box, select Create new VLAN, type: 10
• Click Save
- 42.
Lab: Setting Up a Wireless Network
8. Choose User Profile and Save
• Ensure the Employee-X User Profile is highlighted
• Click Save
- 43.
Lab: Setting Up a Wireless Network
9. Review your policy and save
• From the Configure Interfaces & User Access bar, click Save
- 45.
How loops happen
1. Client sends a broadcast such as an ARP request
2. Switch A forwards the packet on all interfaces except the source interface
3. Switch B receives the broadcast twice, but does not know it is the same broadcast. It forwards the broadcast from interface 1 on interface 24 and vice versa
4. Switch A again receives the broadcast twice and does the same as Switch B. (It also sends both broadcasts back to the client.)
5. Rinse and repeat. The broadcast never leaves the network
[Diagram: switches A and B joined by two parallel links]
- 46.
Spanning Tree
Easy to solve, right?
Just disconnect one cable…
But now there is no redundancy…
Have no fear!
There was once a loop to be,
In a redundant path for everyone to see.
The packets went round and round,
Until a new sheriff was found.
His name? Well, Spanning Tree!
- 47.
Spanning Tree
So what does the Spanning Tree Protocol (STP) do?
High level overview:
1. All interfaces are blocked (for non-STP traffic) while the switches elect a root bridge (switch)
2. After the root bridge is elected, switches calculate the lowest cost path to the root bridge
3. Unblock corresponding ports and keep redundant ports blocked
4. If an active link fails, unblock the redundant port
[Diagram: the root bridge ("I am root!") doesn't have to calculate; link costs shown: speed 1Gbit = cost 20,000, speed 100Mbit = cost 200,000]
- 48.
Spanning Tree – extra reading
Found in the class materials: Spanning-Tree-Overview.pptx
• STP
• RSTP
• MSTP
• (R)PVST
- 49.
Switch Spanning Tree Settings
• By default, spanning tree is disabled on Aerohive switches
› Why?
› If you plug an edge switch into a network, and the switch priority is a lower number (higher priority) on our switch than what is configured on the existing network, our switch will become the root switch
› This means that the optimal path and links that are available through a network will be chosen based on getting to your edge switch!
› This most likely is not what a customer wants to do! ;-)
• What is the downside of not enabling spanning tree by default?
› If you plug two cables from our switch to the distribution switch network, and the ports are not configured as an aggregate, you can cause a loop!
› This is far less of a concern than enabling spanning tree by default and possibly rerouting all traffic through our switch, so we disable spanning tree by default
- 50.
Verify Existing Network Spanning Tree Priorities
• Before installing an Aerohive switch into an existing switch network, have the company determine the root switch and backup root switch priority
• Ensure our spanning tree priority is set to a higher number
• For example, on a Cisco Catalyst switch you can type:
CS-Dist-2#show spanning-tree
MST0
  Spanning tree enabled protocol mstp
  Root ID    Priority    12288
             Address     000f.23b9.0d80
             Cost        0
             Port        25 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    16384  (priority 16384 sys-id-ext 0)
             Address     001f.274c.5180
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- -----
Fa0/24              Desg FWD 200000    128.24   P2p
Gi0/1               Root FWD 200000    128.25   P2p
- 51.
Verify Existing Network Spanning Tree Priorities
• Here you can see the Root Priority is 12288
• The switch this command is run on shows a priority of 16384
• So our switch's default priority of 32768 is higher than both and most likely will not cause any harm
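As an added example (not from the course material), the check above carried out in Python: it parses the Cisco output shown on the slide (re-typed here as a constructed sample), compares Bridge IDs the way STP does (priority first, then MAC), reports whether a switch joining at the Aerohive default priority of 32768 could take over as root, and picks the root port from the link costs quoted on the Spanning Tree slide. The function names, the assumed worst-case MAC and the omission of port-ID tie-breaking are the example's own.

```python
import re

# 'show spanning-tree' output from the Cisco Catalyst distribution switch on the
# slide, re-typed here (constructed sample) so the parser can run offline.
SHOW_SPANNING_TREE = """\
MST0
  Spanning tree enabled protocol mstp
  Root ID    Priority    12288
             Address     000f.23b9.0d80
             Cost        0
             Port        25 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    16384  (priority 16384 sys-id-ext 0)
             Address     001f.274c.5180
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
"""

AEROHIVE_DEFAULT_PRIORITY = 32768   # default quoted on the slide

# Long-format path costs the Spanning Tree slide quotes for the two link speeds.
LINK_COST_BY_MBPS = {100: 200_000, 1000: 20_000}


def parse_bridge_ids(output):
    """Return {'root': (priority, mac), 'bridge': (priority, mac)}.

    The priority and the address of each ID sit on consecutive lines after the
    'Root ID' / 'Bridge ID' label, so the parser tracks which section it is in.
    """
    ids, section = {}, None
    for line in output.splitlines():
        m = re.match(r"\s*(Root|Bridge) ID\s+Priority\s+(\d+)", line)
        if m:
            section = m.group(1).lower()
            ids[section] = [int(m.group(2)), None]
            continue
        m = re.match(r"\s*Address\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", line)
        if m and section and ids[section][1] is None:
            ids[section][1] = m.group(1)
    return {name: tuple(value) for name, value in ids.items()}


def bridge_id_key(priority, mac):
    """STP compares Bridge IDs numerically: priority first, then the MAC."""
    return (priority, int(mac.replace(".", ""), 16))


def elect_root(bridges):
    """bridges: iterable of (name, priority, mac). The lowest Bridge ID wins."""
    return min(bridges, key=lambda b: bridge_id_key(b[1], b[2]))[0]


def would_become_root(output, new_priority=AEROHIVE_DEFAULT_PRIORITY,
                      new_mac="0000.0000.0000"):
    """True if a switch joining with new_priority could displace the root shown.

    The new switch's MAC is unknown, so the lowest possible MAC is assumed
    (worst case for the existing network); with unequal priorities the MAC
    never decides anyway.
    """
    root_priority, root_mac = parse_bridge_ids(output)["root"]
    return bridge_id_key(new_priority, new_mac) < bridge_id_key(root_priority, root_mac)


def root_path_cost(link_speeds_mbps):
    """Cost of one path to the root: the sum of its link costs."""
    return sum(LINK_COST_BY_MBPS[speed] for speed in link_speeds_mbps)


def choose_root_port(paths):
    """paths: {port: [link speeds in Mbps along that path to the root]}.

    The port with the lowest root path cost becomes the root port and forwards;
    the redundant ports stay blocked. Tie-breaking by sender Bridge ID and
    port ID is left out for brevity.
    """
    costs = {port: root_path_cost(speeds) for port, speeds in paths.items()}
    root_port = min(costs, key=costs.get)
    states = {port: ("forwarding" if port == root_port else "blocked")
              for port in costs}
    return root_port, states


if __name__ == "__main__":
    ids = parse_bridge_ids(SHOW_SPANNING_TREE)
    print("root:", ids["root"], "this switch:", ids["bridge"])
    print("Aerohive default priority would take root:",
          would_become_root(SHOW_SPANNING_TREE))
    print(choose_root_port({"Gi0/1": [1000], "Fa0/24": [100]}))
```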
- 52.
Lab: Enable Spanning Tree
1. Enable Spanning Tree
From the network policy that has switching enabled
• Go to Additional Settings and click Edit
- 53.
Lab: Enable Spanning Tree
2. Enable RSTP
Enable Rapid Spanning Tree
• Expand Switch Settings
• Expand STP Settings
• Check the box to Enable STP (Spanning Tree Protocol)
• Select the radio button to enable RSTP (Rapid Spanning Tree)
• Click Save
- 54.
Lab: Enable Spanning Tree
3. Save your Network Policy
• From the Configure Interfaces & User Access bar, click Save
- 55.
Spanning Tree – Switch specific settings
More detailed Spanning Tree settings can be configured on an individual switch in device level settings should that be required.
- 56.
DEVICE TEMPLATES FOR DEFINING SWITCH PORT SETTINGS
- 57.
Device Templates
• HiveManager Device Templates are used to assign switches at the same or different sites to a common set of port configurations
• For example, ports 1, 2 are for APs, ports 3-6 are for phones, etc…
[Diagram: HiveManager – SR2024 as switch device template, applied to Access/Edge SR2024 switches with PoE-connected APs uplinked to Distribution]
- 58.
Device Templates
• Device templates are used to define ports for the same device, devices with the same number of ports, and device function
• Device templates do not set device function, i.e. switch, router, or AP, but will only match devices configured with the matching function
• You configure a device's function in the device specific configuration
[Diagram: two template icons – "Apply to SR2024 switches configured as switches" and "Apply to SR2024 switches configured as routers. Requires WAN port – icon depicted as a cloud"]
- 59.
Device Templates For Devices Requiring Different Port Settings
• If devices require different port configurations for the same type of device and function, you can
› 1. Configure device classification tags to have different device templates for different devices
› 2. Create a new network policy with a different device template
[Diagram: "SR2024 as Switch – Default Sites" versus "SR2024 as Switch – Small Sites", selected by Default Site Device Classification Tag: Small Site]
Note: The switch model (2024) used in the lab has been superseded by improved models.
- 60.
CONFIGURE DEVICE TEMPLATES FOR DEFINING SWITCH PORT SETTINGS
- 61.
Lab: Configure Device Templates
1. Create device template
• Next to Device templates, click Choose
• Click New
- 62.
Lab: Configure Device Templates
2. Create switch template
• Name: SR2024-Default-X
• Click Device Models
• Select SR2024
• Click OK
• For SR2024, when functioning as:
› Select Switch
• Click Save
Note: Here you are not setting the SR2024 to function as a switch. Instead, you are only specifying that this template applies to SR2024s when they are configured to function as a switch. The switch/router function is configured in switch device settings.
Note: You only see Switch as an option and not Switch and Router, because Routing was not enabled in the selection box when creating this Network Policy.
- 63.
Lab: Configure Device Templates
3. Save switch template
• Ensure your device template is selected and click OK
• The device template will appear in the Device Templates section
• You can show or hide the individual device template by clicking the triangle
The icon shows you that this is a template for your switch as a switch
- 64.
Lab: Configure Device Templates
4. Save your Network Policy
• From the Configure Interfaces & User Access bar, click Save
- 66.
Lab Infrastructure
Aggregate Links for Connection to Distribution
Aggregate is statically configured, similar to EtherChannel. There is no LACP (Link Aggregation Control Protocol) in this release.
• You can have 8 ports in one channel
› The ports do not have to be contiguous
• Every port on the SR2024 can be configured into port channels except the USB and console port
• The switch hardware creates a hash of the header fields in frames selected for load balancing, to determine which port in an aggregate sends a frame
› Load balancing options are:
» Source & Destination MAC, IP, and Port
» Source & Destination IP Port
» Source & Destination IP
» Source & Destination MAC
[Diagram: SR2024 with PC and AP]
- 67.
Lab Infrastructure
Aggregate Links for Connection to Distribution
• Load balancing of broadcast, multicast, and unknown unicast traffic between ports in an aggregate is based on Src/Dst MAC/IP.
• You cannot configure an 802.1X port in an EtherChannel
• MAC learning is on the port channel port, instead of the member port
• Only ports with the same physical media type and speed can be grouped into one aggregate.
• Supports LLDP per port but not per channel
[Diagram: SR2024 with PC and AP]
- 68.
Lab Infrastructure
Do not do this with aggregates
• In this case, distribution switch 1 and switch 2 will see the same MAC addresses and cause MAC flapping
› i.e. traffic from PC A for example might be load balanced to Switch 1 and Switch 2
• In this case, there will also be a loop!
• Aggregates must be built between a pair of switches only!
[Diagram: one SR2024 (with PC and AP) whose Aggregate 1 is split across Distribution Switch 1 and Distribution Switch 2]
- 69.
AGGREGATION – CONFIGURATION EXAMPLE
- 70.
Aggregate Links for Switch Connections to Distribution Layer Switches
Each access switch will have two aggregates:
• Aggregate 1: Port 17, 18
• Aggregate 2: Port 19, 20
These ports are not connected in this classroom; this is only a configuration example
[Diagram: Access SR2024 with PC and PoE-connected AP, Aggregates to Distribution, Core with ESXi Server and HMOL]
- 71.
Lab: Link Aggregation
1. Select ports 17 and 18
Select ports that will be used to connect to the distribution layer switches (example only, aggregates are not used in class)
NOTE: Recommended not to use the first 8 ports on the SR2024 which provide PoE.
• Select port 17, and 18
• Check the box for Aggregate selected ports…
• Enter 1
• Click Configure
- 72.
Lab: Link Aggregation
2. Create Trunk Port policy
• Click New
• Name: Trunk-X
• Port Type: 802.1Q
• QoS Classification: Trusted Traffic Source
Note: This means we are trusting the upstream network infrastructure markings
› Map to DSCP or 802.1p
• QoS Marking: Map Aerohive..
› Map to DSCP or 802.1p
• Click Save
- 73.
Lab: Link Aggregation
2. Save Trunk Port policy
• Ensure that Trunk-X is selected, click OK
- 74.
Lab: Link Aggregation
3. Select ports 19 and 20
• Select port 19 and 20
• Check aggregate selected ports… and enter 2
- 75.
Lab: Link Aggregation
4. Assign Trunk policy
• Click Configure
• For choose port type, select the 802.1Q trunk that you created previously: Trunk-X
• Click OK
- 76.
Lab: Link Aggregation
5. Review port settings
Ports 17, 18, 19, and 20 will now display an 802.1Q trunk icon and should all appear the same, even though there are two different aggregates
- 77.
Lab: Link Aggregation
6. Save your Network Policy
• From the Configure Interfaces & User Access bar, click Save
- 78.
CONFIGURE UPLINKS USED IN THE CLASSROOM
- 79.
Classroom Links for Switch Connections to Distribution Layer Switches
For the class, we are going to configure single uplinks without aggregation to connect to the distribution switches
• Single Uplinks: Port 23, 24
Port 23 will be connected to Distribution switch 1, and port 24 will be connected to Distribution switch 2
[Diagram: Access SR2024 with PC and PoE-connected AP, single uplinks to Distribution, Core with ESXi Server and HMOL]
• 3CX IP PBX 10.100.1.?
- 80.
Lab: Configure Uplink Ports
1. Select Ports 23 and 24
Select ports that will be used to connect to the distribution layer switches
• Select port 23, and 24
• Click Configure
- 81.
Lab: Configure Uplink Ports
2. Assign port policy and save
• For choose port type, select the 802.1Q trunk that you created previously: Trunk-X
• Click OK
• Ports 23 and 24 should now be the same color as the other Trunk ports
- 82.
Lab: Configure Uplink Ports
3. Save your Network Policy
• From the Configure Interfaces & User Access bar, click Save
- 84.
Lab Infrastructure
Configure PoE Ports for APs
Configure two of the PoE ports for APs
• Use Port 1 and 2 for APs
NOTE: For class there is an AP connected to port 1 of every switch
[Diagram: Access SR2024 with PoE-connected APs and IP Phones, uplinks to Distribution, Core with ESXi Server and HMOL]
- 85.
Lab: Configure Access Point ports
1. Select ports 1 and 2
Select ports that will be used to connect to APs
NOTE: The first 8 ports on an SR2024 provide power
• Select port 1, and 2
• Click Configure
- 86.
Lab: Configure Access Point ports
2. Create Trunk Policy
• Click New
• Name: AP-Trunk-X
• Port Type: 802.1Q
• QoS Classification: Trusted Traffic Source
Note: This means we are trusting the upstream network infrastructure markings
› Map to DSCP or 802.1p
• QoS Marking: Map Aerohive..
› Map to DSCP or 802.1p
• Click Save
- 87.
Lab: Configure Access Point ports
3. Assign AP-Trunk Policy to ports 1 and 2
• Ensure that AP-Trunk-X is selected
• Click OK
• Ports 1 and 2 will now display an 802.1Q trunk icon, but this time a power symbol appears as well, because ports 1 through 8 can provide power
• Notice that Ports 1 and 2 are a different color because they have a different port policy than the other ports
- 88.
Lab: Configure Access Point ports
3. Save your Network Policy
• From the Configure Interfaces & User Access bar, click Save
- 89. © 2013 Aerohive Networks CONFIDENTIAL
CONFIGURE POWER SOURCING
EQUIPMENT (PSE) PORTS FOR
POWER OVER ETHERNET (POE)
89
- 90. © 2013 Aerohive Networks CONFIDENTIAL
PoE Overview
90
• PoE standards define the capabilities of the power sourcing equipment (PSE) and the powered device (PD).
• In this course the PSE is an Aerohive switch; Aerohive access points are the PDs.
• The 802.3af PoE standard defines 15.4 Watts from the PSE.
• All 802.11n Aerohive APs will work with 802.3af; CAT5e cabling or better is required.
• The maximum draw of an Aerohive AP-330 is 14.95 Watts.
- 91. © 2013 Aerohive Networks CONFIDENTIAL
PoE Overview
91
• The 802.3at standard (PoE+) defines 32 Watts from the PSE
• The 802.11ac Aerohive AP230 is fully functional using 802.3af
• However, the older 802.11ac Aerohive APs (AP370 and AP390) require PoE+ for full functionality
• The AP370 and AP390 will function with 802.3af PoE; however, 80 MHz channel operation is restricted.
- 92. © 2013 Aerohive Networks CONFIDENTIAL
PoE Power Budgets
92
• Careful PoE power budget planning is a must.
• If the power budget has been exceeded and the APs cannot draw the power they need, the access points will reboot unpredictably.
PoE budgets per switch model:
SR2024P: 24 PoE+ ports (195 W)
SR2124P: 24 PoE+ ports (408 W)
SR2148P: 48 PoE+ ports (779 W)
- 93. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure PoE ports
1. Select additional port settings
93
• Select Additional Port Settings to configure:
  › Port Channel Load-Balance Mode Settings
  › PoE port (PSE) Settings
Note: The Additional Port Settings link is only available when no ports are currently selected
- 94. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure PoE ports
2. Aggregate channel settings
94
• For Port Channel Load-Balance Mode, select the frame header fields that are hashed to decide which member port a frame egresses
  › NOTE: If you are testing with a single client, especially for a demo, including more fields gives the hash a better chance of spreading frames across multiple member ports
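The effect of the field selection, shown as an added Python illustration rather than anything from the course or from HiveOS: the selected headers of each frame are hashed and the hash picks a member link. The hash function (SHA-256 over the chosen fields, reduced modulo the member count) and the field names are assumptions made for this example; a switch ASIC uses its own function, but the consequence of hashing on L2 fields only versus L2+L3+L4 fields is the same, and the single-client demo case from the note above is the sample input.

```python
"""Port-channel load-balance hashing (added illustration, not Aerohive code)."""
import hashlib
from collections import Counter

# Header fields a load-balance mode can include (names chosen for this example).
L2_FIELDS = ("src_mac", "dst_mac")
L3_FIELDS = L2_FIELDS + ("src_ip", "dst_ip")
L4_FIELDS = L3_FIELDS + ("src_port", "dst_port")


def egress_member(frame, fields, member_count):
    """Index of the member link chosen for `frame`, hashing only `fields`.

    SHA-256 stands in for the ASIC's hash; only the selected fields feed it,
    so two frames that differ in an unselected field land on the same link.
    """
    key = "|".join(f"{name}={frame[name]}" for name in fields).encode()
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") % member_count


def distribution(frames, fields, member_count):
    """Frames per member link, listing members that receive nothing as 0."""
    counts = Counter(egress_member(f, fields, member_count) for f in frames)
    return {m: counts.get(m, 0) for m in range(member_count)}


def members_in_use(frames, fields, member_count):
    """How many member links carry at least one frame."""
    return sum(1 for n in distribution(frames, fields, member_count).values() if n)


def single_client_flows(count):
    """Constructed sample: one demo client opening `count` TCP connections to
    one server. Only the ephemeral source port differs between the flows, so
    a mode that ignores L4 ports sees every flow as identical."""
    return [{"src_mac": "00:11:22:33:44:55", "dst_mac": "00:aa:bb:cc:dd:ee",
             "src_ip": "10.5.10.20", "dst_ip": "10.5.1.10",
             "src_port": 49152 + i, "dst_port": 443}
            for i in range(count)]


if __name__ == "__main__":
    flows = single_client_flows(64)
    for label, fields in (("L2", L2_FIELDS), ("L3", L3_FIELDS), ("L4", L4_FIELDS)):
        print(label, distribution(flows, fields, 4))
```

With a 4-member channel, the L2 and L3 modes put all 64 flows of the single client on one link; only the mode that includes the L4 ports uses more than one. In production, many clients and servers give even an L2 hash enough variety, which is why the note above is specifically about single-client testing.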
- 95. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure PoE ports
3. PSE settings
95
• Expand PSE Settings
• Because only the first two PoE-capable ports have been assigned a port type so far, you can only configure PSE (provides PoE) settings for those two ports
• Next to Eth1/1 Click +
- 96. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure PoE ports
4. PSE settings
96
• Name: af-high-X
• Power Mode: 802.3af
• Power Limit: 15400 mW
• Priority: high
• Save
Note: The default PoE port setting is 802.3at (PoE+). Power priority can be low, high or critical.
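How the power limit and priority of a PSE profile interact with the switch budgets listed on the PoE Power Budgets slide, as an added Python illustration (not Aerohive code and not a description of the HiveOS scheduler). The budgets (SR2024P 195 W, SR2124P 408 W, SR2148P 779 W) and per-mode maxima (15.4 W for 802.3af, 32 W for 802.3at) are the deck's figures; the allocation order used when the budget runs short (critical before high before low, then lowest port number first) is an assumption of this example.

```python
"""PoE power-budget check (added illustration, not Aerohive code)."""
from dataclasses import dataclass

# Total PoE budget per switch model, in milliwatts (deck figures).
SWITCH_BUDGET_MW = {"SR2024P": 195_000, "SR2124P": 408_000, "SR2148P": 779_000}

# Largest per-port limit the PSE may allocate in each mode (deck figures).
MODE_MAX_MW = {"802.3af": 15_400, "802.3at": 32_000}

# Assumed service order when the budget is short: critical, then high, then low.
PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}


@dataclass(frozen=True)
class PseProfile:
    """One entry of the PSE Settings dialog, e.g. af-high-X."""
    name: str
    power_mode: str       # "802.3af" or "802.3at"
    power_limit_mw: int   # Power Limit field, in mW
    priority: str         # "low", "high" or "critical"

    def __post_init__(self):
        if self.power_mode not in MODE_MAX_MW:
            raise ValueError(f"{self.name}: unknown power mode {self.power_mode}")
        if self.priority not in PRIORITY_RANK:
            raise ValueError(f"{self.name}: unknown priority {self.priority}")
        if not 0 < self.power_limit_mw <= MODE_MAX_MW[self.power_mode]:
            raise ValueError(f"{self.name}: {self.power_limit_mw} mW exceeds the "
                             f"{self.power_mode} maximum of {MODE_MAX_MW[self.power_mode]} mW")


def port_number(port):
    """'eth1/12' -> 12, so ports can be ordered numerically."""
    return int(port.rsplit("/", 1)[-1])


def allocate_power(model, port_profiles):
    """Reserve each port's configured limit from the switch budget.

    port_profiles maps a port name such as "eth1/1" to its PseProfile. Ports
    are served in the assumed priority order; a port whose limit no longer
    fits in what is left stays unpowered. Returns (powered, unpowered,
    remaining_mw). A non-empty `unpowered` list is the situation the deck
    warns about: a PD on that port (an AP, say) cannot draw what it needs.
    """
    remaining = SWITCH_BUDGET_MW[model]
    order = sorted(port_profiles,
                   key=lambda p: (PRIORITY_RANK[port_profiles[p].priority], port_number(p)))
    powered, unpowered = [], []
    for port in order:
        need = port_profiles[port].power_limit_mw
        if need <= remaining:
            remaining -= need
            powered.append(port)
        else:
            unpowered.append(port)
    return powered, unpowered, remaining


def lab_port_profiles():
    """Constructed sample matching the lab: ports 1-2 for APs on the af-high
    profile, ports 3-8 for IP phones left on the 802.3at default at low priority."""
    ap = PseProfile("af-high-1", "802.3af", 15_400, "high")
    phone = PseProfile("at-default", "802.3at", 32_000, "low")
    profiles = {f"eth1/{n}": ap for n in (1, 2)}
    profiles.update({f"eth1/{n}": phone for n in range(3, 9)})
    return profiles


if __name__ == "__main__":
    for model in ("SR2024P", "SR2124P"):
        powered, unpowered, left = allocate_power(model, lab_port_profiles())
        print(f"{model}: {len(powered)} ports powered, unpowered={unpowered}, "
              f"{left / 1000:.1f} W headroom")
```

On an SR2024P the eight lab ports ask for 222.8 W against a 195 W budget, so with the assumed ordering the two high-priority AP ports are served first and the last low-priority phone port (eth1/8) is left without power; the same ports fit comfortably on an SR2124P. Capping the AP ports at 15.4 W with an 802.3af profile rather than leaving them on the 32 W default is what keeps the reservation honest.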
- 97. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure PoE ports
5. PSE settings
97
• Assign Eth1/1 and Eth1/2 to: af-high-X
• Save
NOTE: You will only see the interfaces (ports) that have been assigned to a port type
- 98. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure PoE ports
5. Save your Network Policy
98
• From the Configure Interfaces & User
Access bar, click Save
- 100. © 2013 Aerohive Networks CONFIDENTIAL
Lab Infrastructure
Configure PoE Ports for IP Phones
100
Configure 6 of the PoE ports for IP phones
• Use ports 3 - 8 for IP phones
[Lab infrastructure diagram: SR2024 PoE access switch, distribution and core layers, ESXi server running HMOL, APs and IP phones]
- 101. © 2013 Aerohive Networks CONFIDENTIAL
CONFIGURE PHONE PORTS IN
SWITCH DEVICE TEMPLATE
101
- 102. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure PoE ports for IP phones
1. Select ports 3-8
Select ports that will be used to connect to IP Phones
NOTE: The first 8 ports on an SR2024 provide power
• Select ports 3, 4, 5, 6, 7 and 8 (yes, you can multi-select)
• Click Configure
102
- 103. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure PoE ports for IP phones
2. Phone & Data ports
103
• Click New
- 104. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure PoE ports for IP phones
3. Phone & Data ports
104
• Name: Phone-and-Data-X
• Port Type: Phone & Data
• Check Primary authentication using: MAC via PAP
• QoS Classification: Trusted Traffic Sources
  Note: This means we are trusting the markings applied by the upstream network infrastructure
  › Map to DSCP or 802.1p
• QoS Marking: Map Aerohive…
  › Map to DSCP or 802.1p
• Click Save
- 105. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure PoE ports for IP phones
4. Phone & Data ports
105
• For choose port type, select
Phone-and-Data-X
• Click OK
• Ports 3 – 8 will now display a phone icon
- 106. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure PoE ports for IP phones
5. Save your network policy
106
• From the Configure Interfaces & User
Access bar, click Save
- 107. © 2013 Aerohive Networks CONFIDENTIAL
CONFIGURE PORTS FOR OPEN
GUEST ACCESS
107
- 108. © 2013 Aerohive Networks CONFIDENTIAL
Lab Infrastructure
Configure Ports for Employee Computer Access
108
Configure 2 of the switch ports for open access (the switch ports are in a secured room; this is for testing purposes)
• Use ports 9 and 10
[Lab infrastructure diagram: SR2024 PoE access switch, distribution and core layers, ESXi server running HMOL, APs, IP phones and guest computers]
- 109. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Open Guest Ports
1. Select ports 9 and 10
Select ports that will be used to connect to guest computers
• Select ports 9 and 10
• Click Configure
109
- 110. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Open Guest Ports
2. Create access port
110
• Click New
- 111. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Open Guest Ports
3. Create access port
111
• Name: Guest-X
• Port Type: Access
• Most likely you will not trust the DSCP markings set by guest devices, so click Untrusted Traffic Sources
• There is no need to mark the traffic, so leave QoS Marking off
• Click Save
- 112. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Open Guest Ports
4. Assign access port policy
112
• For choose port type, select
Guest-X
• Click OK
• Ports 9 and 10 will now display a world icon
- 113. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Open Guest Ports
5. Save your network policy
113
• From the Configure Interfaces & User
Access bar, click Save
- 114. © 2013 Aerohive Networks CONFIDENTIAL
For switch ports in a secure location
CONFIGURE PORTS FOR SECURE
EMPLOYEE ACCESS WITH 802.1X
114
- 115. © 2013 Aerohive Networks CONFIDENTIAL
Lab Infrastructure
Configure Ports for Employee Computer Access
115
Configure six of the switch ports for 802.1X authentication
• Use ports 11-16
[Lab infrastructure diagram: SR2024 PoE access switch, distribution and core layers, ESXi server running HMOL, APs, IP phones and employee computers using 802.1X]
- 116. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Secure Access Ports
1. Select ports 11 - 16
Select ports that will be used to connect to employee computers
that support 802.1X
• Select ports 11, 12, 13, 14, 15 and 16
• Click Configure
116
- 117. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Secure Access Ports
2. Create secure port policy
117
• Click New
- 118. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Secure Access Ports
3. Create secure port policy
118
• Name: Secure-X
• Port Type: Access
• Check the box for: Primary Authentication using 802.1X
• Uncheck ☐ Allow multiple hosts (same VLAN)
• To preserve the markings set by PCs for softphones or other important applications, select QoS Classification: Trusted Traffic Sources
• Check the box for QoS Marking: Map Aerohive QoS …
• Select DSCP or 802.1p depending on the upstream switch architecture
• Click Save
- 119. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Secure Access Ports
4. Assign secure port policy
119
• For choose port type, select Secure-X
• Click OK
• Ports 11-16 will now display a world icon
- 120. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Secure Access Ports
5. Save your network policy
120
• From the Configure Interfaces & User
Access bar, click Save
- 122. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Mirror Ports
1. Select ports 21 - 22
Select ports that will be used for port mirroring
• Select ports 21 and 22
• Click Configure
122
- 123. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Mirror Ports
2. Create mirror port policy
123
• Click New
• Name: Mirror-X
• Port Type: Mirror
• Click Save
- 124. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Mirror Ports
3. Assign mirror port policy
124
• For choose port type, select Mirror-X
• Click OK
• Check Port-Based
  Note: VLAN-based port mirroring can only be enabled on a single port
- 125. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Mirror Ports
4. Choose ports to mirror
125
• Eth1/21, Egress – click Choose
• Select Eth1/1 and Click OK
• Eth1/22, Ingress – click Choose
• Select Eth1/12 and Click OK
- 126. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Mirror Ports
5. Verify and save mirror port policy
126
• All downstream traffic destined for the WLAN clients of the
Aerohive AP on port Eth1/1 will be mirrored to port Eth1/21.
• All upstream traffic destined for the network from the host on
Eth1/12 will be mirrored to port Eth1/22.
• Click Save
- 127. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Mirror Ports
6. Verify and save mirror port policy
127
Ports 21 and 22 will now display a magnifying glass icon.
- 128. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Mirror Ports
7. Save your network policy
128
• From the Configure Interfaces & User Access bar, click Save
- 129. © 2013 Aerohive Networks CONFIDENTIAL
GENERAL DEVICE TEMPLATE
INFO
129
- 130. © 2013 Aerohive Networks CONFIDENTIAL
General Port Template Info
130
If you have more than one port selected, you can clear the port selection here so you do not have to click each selected port to deselect it.
- 131. © 2013 Aerohive Networks CONFIDENTIAL
General Port Template Info
131
• If you move your mouse over one of the defined ports, an option appears to select all ports using this port type
- 132. © 2013 Aerohive Networks CONFIDENTIAL
Guest Access
CONFIGURE PORT TYPES
132
- 133. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Ports – Guest Access
1. Port Types
133
• Configure the authentication, user profile, and VLAN information for the
port types defined in the device templates
- 134. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Ports – Guest Access
2. Create user profile
134
Similar to SSIDs, you need to configure User Profiles (user policy) for the access ports
• For your Guest-X port type, under User Profile click Add/Remove
• Click New
- 135. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Ports – Guest Access
3. Assign VLAN
135
User profiles are used to assign policy to devices connected to the network.
NOTE: Switches use the VLAN in a user profile. Switches functioning as routers use the VLAN, but may also make layer 3 firewall and policy-based routing decisions based on the user profile. In either case, user profile information is carried along with user information throughout an Aerohive network infrastructure.
• Name: Guest-X
• Attribute: 100
• Default VLAN: 8
• Click Save
The optional settings are used when the user profile is enforced on an AP. The switch, because it forwards packets at line rate in silicon, does not use the optional settings. If the switch is configured as a branch router, the user profile is used for decisions in layer 3 firewall policies, IPsec VPN policies, and identity-based routing.
- 136. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Ports – Guest Access
4. Save user profile
136
• Ensure Guest-X is
selected
• Click Save
• Verify your settings
- 137. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Ports - Guest Access
5. Save your network policy
137
• From the Configure Interfaces & User Access bar, click Save
- 138. © 2013 Aerohive Networks CONFIDENTIAL
Employee Access Secured with 802.1X
CONFIGURE PORT TYPES
138
- 139. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Ports - Secure Access
1. Configure RADIUS
139
Configure the RADIUS server for the ports secured with 802.1X
• For your Secure-X port type, under Authentication click <RADIUS Settings>
• Click New
- 140. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Ports - Secure Access
2. Configure RADIUS
140
Define the external RADIUS server settings
• RADIUS name: RADIUS-X
• IP address: 10.5.1.10
• Shared Secret: aerohive123
• Confirm Secret: aerohive123
• Click Apply (do not skip this step)
• Click Save
- 141. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Ports - Secure Access
3. Configure user profile
141
Assign user profiles to the secure 802.1X ports
• Next to your Secure-X port type, under User Profile click Add/Remove
- 142. © 2013 Aerohive Networks CONFIDENTIAL
Port Types
142
There are three user profile assignment methods:
1. (Auth) Default – used if a client authenticates successfully but no user profile attribute is returned, or if the returned user profile attribute matches the default user profile selected here
2. Auth OK – used if a client authenticates successfully and a user profile attribute is returned; the attribute must match one of the user profiles selected here
3. Auth Fail – used if a client fails authentication
- 143. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Ports - Secure Access
4. Configure default user profile
143
Define the Default user profile, assigned if a client authenticates successfully but no user profile attribute is returned, or if the returned user profile attribute matches the default user profile selected here
• Select the Default tab
• Select the user profile: Employee-Default(1)
  › Created by the instructor…
  › Assigns VLAN 1
- 144. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Ports - Secure Access
5. Configure Auth OK user profile
144
Define a user profile for Auth OK – if a client authenticates successfully and a user profile attribute is returned, the attribute must match one of the user profiles selected here. You can have up to 63 Auth OK user profiles.
• Select the Auth OK tab
• Select Employee-X(10)
  › Assigns VLAN 10
- 145. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Ports - Secure Access
6. Configure Auth Fail user profile
145
Define a user profile for Auth Fail – if a client fails authentication several times, assign the Auth Fail user profile
• Select Auth Fail
• Select Guest-X(100)
  › Assigns VLAN 8
• Verify the Default, Auth OK, and Auth Fail settings one more time
• Click Save
- 146. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Ports - Secure Access
7. Verify settings
146
• Verify the settings
- 147. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Ports - Secure Access
8. Save your network policy
147
• From the Configure Interfaces & User Access bar, click Save
- 148. © 2013 Aerohive Networks CONFIDENTIAL
PHONE & DATA PORTS
WITH NO AUTHENTICATION
148
- 149. © 2013 Aerohive Networks CONFIDENTIAL
Phone & Data Port Type
With Open Access
149
• The switch port is assigned to a Phone & Data port type
• For this example, no authentication is selected in Phone & Data
[Diagram: SR2024 switch, Phone & Data port using 802.1Q, IP phone with a data device connected behind it]
- 150. © 2013 Aerohive Networks CONFIDENTIAL
Phone & Data Port Type
With Open Access
150
• You can then select a Default Voice, and Default Data user profile
• The Phone & Data port is an 802.1Q port
• The Phone VLAN will be tagged and sent to the IP phone via LLDP-MED
• The switch port will assign the Data VLAN as the native VLAN
› This way, the phone traffic is tagged, and data traffic is untagged
[Diagram: SR2024 switch, Phone & Data port using 802.1Q; LLDP assigns the IP phone to the tagged Voice VLAN, the data device behind the phone is untagged]
Note: For default data, only the VLAN is used, not the user profile
- 151. © 2013 Aerohive Networks CONFIDENTIAL
CLI Commands for
Phone & Data Port without Authentication
151
• interface eth1/3 switchport mode trunk
• interface eth1/3 switchport user-profile-attribute 2
• interface eth1/3 switchport trunk native vlan 10
• interface eth1/3 switchport trunk voice-vlan 2
• interface eth1/3 switchport trunk allow vlan 2
• interface eth1/3 switchport trunk allow vlan 10
• interface eth1/3 qos-classifier Phone-and-Net-2
• interface eth1/3 qos-marker Phone-and-Net-2
• interface eth1/3 pse profile QS-PSE
- 152. © 2013 Aerohive Networks CONFIDENTIAL
PHONE & DATA PORTS
WITH 802.1X/PEAP
AUTHENTICATION OR
MAC AUTHENTICATION
152
- 153. © 2013 Aerohive Networks CONFIDENTIAL
Phone & Data Port Type
With 802.1X/PEAP or MAC Authentication
153
• Switch Port is assigned to a Phone & Data Port Type
• For this example, 802.1X authentication is selected in Phone &
Data
[Diagram: SR2024 switch with a Phone & Data port using 802.1Q and 802.1X; the IP phone and the employee data device each authenticate against the RADIUS server. The phone policy returns the Cisco AV pair device-traffic-class=voice plus a user profile and/or VLAN; the data (employee) policy returns a user profile and/or VLAN]
- 154. © 2013 Aerohive Networks CONFIDENTIAL
Phone & Data Port Type
With 802.1X/PEAP
154
• You can connect a single client, or multiple clients, behind an IP phone's data port
• Phones and clients authenticate independently of each other, and the order in which they authenticate does not matter
  › However, the VLAN assigned to the first data device (Employee) that authenticates becomes the port's data VLAN; all other data devices are assigned to that same VLAN, even if their user profiles carry other VLANs or RADIUS returns a different VLAN.
[Diagram: same Phone & Data port with 802.1Q and 802.1X, RADIUS server and returned attributes as on the previous slide]
- 155. © 2013 Aerohive Networks CONFIDENTIAL
Phone & Data Port Type
With Primary and Secondary Authentication
155
• If a secondary authentication method is configured, it is tried when the primary method is not available or has failed three times
[Diagram: same Phone & Data port with 802.1Q and 802.1X, RADIUS server and returned attributes as on the previous slides]
- 156. © 2013 Aerohive Networks CONFIDENTIAL
CLI Commands for
Phone & Data Port with 802.1X
156
• security-object Phone-and-Data-2
• security-object Phone-and-Data-2 security aaa radius-server primary 10.250.1.1 shared-secret ***
• security-object Phone-and-Data-2 security protocol-suite 802.1x
• security-object Phone-and-Data-2 default-user-profile-attr 1
• security-object Phone-and-Data-2 security auth-mode host-based multiple-domain
• interface eth1/3 security-object Phone-and-Data-2
• interface eth1/3 switchport mode trunk
• interface eth1/3 switchport user-profile-attribute 1
• interface eth1/3 qos-classifier Phone-and-Data-2
• interface eth1/3 qos-marker Phone-and-Data-2
• interface eth1/3 pse profile QS-PSE
• no interface eth1/3 spanning-tree enable
• no interface eth1/3 link-discovery cdp receive enable
• user-profile Default qos-policy def-user-qos vlan-id 1 attribute 1
• user-profile Employee-2 qos-policy def-user-qos vlan-id 10 attribute 10
• user-profile Voice-2 qos-policy def-user-qos vlan-id 2 attribute 2
• user-profile Guest-2 qos-policy def-user-qos vlan-id 8 attribute 100
- 157. © 2013 Aerohive Networks CONFIDENTIAL
CLI Commands for
Phone & Data Port with MAC AUTH
157
• security-object Phone-and-Data-2
• security-object Phone-and-Data-2 security aaa radius-server primary 10.250.1.1 shared-secret ***
• security-object Phone-and-Data-2 security additional-auth-method mac-based-auth
• security-object Phone-and-Data-2 default-user-profile-attr 1
• security-object Phone-and-Data-2 security auth-mode host-based multiple-domain
• security-object Phone-and-Data-2 security initial-auth-method mac-based-auth
• interface eth1/3 security-object Phone-and-Data-2
• interface eth1/3 switchport mode trunk
• interface eth1/3 switchport user-profile-attribute 1
• interface eth1/3 qos-classifier Phone-and-Data-2
• interface eth1/3 qos-marker Phone-and-Data-2
• interface eth1/3 pse profile QS-PSE
• no interface eth1/3 spanning-tree enable
• no interface eth1/3 link-discovery cdp receive enable
• user-profile Default qos-policy def-user-qos vlan-id 1 attribute 1
• user-profile Employee-2 qos-policy def-user-qos vlan-id 10 attribute 10
• user-profile Voice-2 qos-policy def-user-qos vlan-id 2 attribute 2
• user-profile Guest-2 qos-policy def-user-qos vlan-id 8 attribute 100
- 158. © 2013 Aerohive Networks CONFIDENTIAL
Overview
CONFIGURING NPS FOR PHONE
AND EMPLOYEE
AUTHENTICATION WITH
802.1X/PEAP
158
- 159. © 2013 Aerohive Networks CONFIDENTIAL
Configure NPS for Phone & Data
Authentication
159
• Create a network policy for voice
- 160. © 2013 Aerohive Networks CONFIDENTIAL
Configure NPS for Phone & Data
Authentication
160
• Enter a name for the voice policy, and click Next
- 161. © 2013 Aerohive Networks CONFIDENTIAL
Configure NPS for Phone & Data
Authentication
161
• Click Add to specify a condition
- 162. © 2013 Aerohive Networks CONFIDENTIAL
Configure NPS for Phone & Data
Authentication
162
• Select Windows Groups
• Click Add
- 163. © 2013 Aerohive Networks CONFIDENTIAL
Configure NPS for Phone & Data
Authentication
163
• Click Add Groups…
• A voice group was created by IT for IP
phones – enter voice and click OK
• Click OK
- 164. © 2013 Aerohive Networks CONFIDENTIAL
Configure NPS for Phone & Data
Authentication
164
• Click Next
- 165. © 2013 Aerohive Networks CONFIDENTIAL
Configure NPS for Phone & Data
Authentication
165
• Select Access granted
- 166. © 2013 Aerohive Networks CONFIDENTIAL
Configure NPS for Phone & Data
Authentication
166
• Click Add
• Select Microsoft: Protected EAP (PEAP)
• Click OK
- 167. © 2013 Aerohive Networks CONFIDENTIAL
Configure NPS for Phone & Data
Authentication
167
• Click Next
• For constraints, click Next
- 168. © 2013 Aerohive Networks CONFIDENTIAL
Configure NPS for Phone & Data
Authentication
168
• Remove attributes that are not needed:
  › Select Framed-Protocol, and click Remove
  › Select Service-Type, and click Remove
- 169. © 2013 Aerohive Networks CONFIDENTIAL
Configure NPS for Phone & Data
Authentication
169
Add the three attribute value pairs needed to assign a user profile
• Tunnel-Medium-Type: IP v4 (value found in the Others section)
• Tunnel-Type: Generic Route Encapsulation (GRE)
• Tunnel-Pvt-Group-ID: (String) 2
  › 2 is the voice user profile in this case
• Click Next
- 170. © 2013 Aerohive Networks CONFIDENTIAL
Configure NPS for Phone & Data
Authentication
170
• Under RADIUS Attributes, select Vendor Specific
- 171. © 2013 Aerohive Networks CONFIDENTIAL
RETURN A CISCO AV PAIR TO LET
THE AEROHIVE SWITCH KNOW
WHICH USER PROFILE SHOULD
BE ASSIGNED AS THE VOICE
USER PROFILE
171
- 172. © 2013 Aerohive Networks CONFIDENTIAL
Configure NPS for Phone & Data
Authentication
172
In order for a switch to know that a specific user profile is for voice, Aerohive devices accept the Cisco AV pair device-traffic-class=voice. RADIUS sends it to the switch, and the switch then uses LLDP-MED to advertise the voice VLAN to any phone that supports it.
• Under RADIUS Attributes, select Vendor Specific
• Click Add
- 173. © 2013 Aerohive Networks CONFIDENTIAL
Configure NPS for Phone & Data
Authentication
173
• Under Vendor, select Cisco
- 174. © 2013 Aerohive Networks CONFIDENTIAL
Configure NPS for Phone & Data
Authentication
174
• Click Add
• Click Add again
- 175. © 2013 Aerohive Networks CONFIDENTIAL
Configure NPS for Phone & Data
Authentication
175
• Attribute value: device-traffic-class=voice
• Click OK
• Click OK
• Click Close (the value does not show up on this screen; do not worry, it is there)
- 176. © 2013 Aerohive Networks CONFIDENTIAL
Configure NPS for Phone & Data
Authentication
176
• Attribute value: device-traffic-class=voice
• Click OK
• Click OK
• Click Next
- 177. © 2013 Aerohive Networks CONFIDENTIAL
Configure NPS for Phone & Data
Authentication
177
• Click Finish
- 179. © 2013 Aerohive Networks CONFIDENTIAL
CLI Commands for
Phone & Data Port without Authentication
179
Create a new policy for employee access
• Policy name: Wireless or Wired Employee Access
- 180. © 2013 Aerohive Networks CONFIDENTIAL
CLI Commands for
Phone & Data Port without Authentication
180
• For the condition, select the Windows group that contains your employees
• Add the three attribute value pairs needed to assign a user profile
  › Tunnel-Medium-Type: IP v4 (value found in the Others section)
  › Tunnel-Type: Generic Route Encapsulation (GRE)
  › Tunnel-Pvt-Group-ID: (String) 10
    » 10 is the employee user profile in this case
• Click Next
- 181. © 2013 Aerohive Networks CONFIDENTIAL
Phone and Data
CONFIGURE PORT TYPES
181
- 182. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Ports - Phone & Data
1. Configure RADIUS
182
Configure the RADIUS server for the ports secured with 802.1X
• For your Phone-and-Data-X port type, under Authentication click <RADIUS Settings>
• Select RADIUS-X, which is an external Microsoft NPS RADIUS server
• Click OK
- 183. © 2013 Aerohive Networks CONFIDENTIAL
Port Types
183
Assign user profiles to your 802.1X ports
• For your Phone-and-Data-X port type, under User Profile click Add/Remove
- 184. © 2013 Aerohive Networks CONFIDENTIAL
Port Types (Reminder)
Must Verify
184
There are three user profile settings:
1. Default – used for data if no user profile attribute is returned, or if a user profile attribute is returned and matches the user profile configured here
2. Auth OK (Voice) – used if a client authenticates successfully, a user profile attribute matching a selected user profile is returned, and the Cisco AV pair is also returned
3. Auth OK (Data) – used if a client passes authentication and a user profile attribute is returned, but no Cisco AV pair
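The profile-selection rules on this slide, together with the three-method list on slide 142, the tunnel attributes and Cisco AV pair configured in NPS on slides 169-175, and the first-data-device VLAN rule on slide 154, as an added worked example in Python (not Aerohive or HiveOS code). It represents the Access-Accept as a dict keyed by attribute name and uses the lab's profile numbers and VLANs; the RFC 2868 values for Tunnel-Type GRE (10) and Tunnel-Medium-Type IPv4 (1) are standard, while the class and function names and the behaviour when a returned attribute matches no selected profile (which the deck does not define) are this example's assumptions.

```python
"""User-profile selection for a switch port (added illustration, not HiveOS code)."""
from dataclasses import dataclass
from typing import Optional

TUNNEL_TYPE_GRE = 10      # RFC 2868 Tunnel-Type value for GRE
TUNNEL_MEDIUM_IPV4 = 1    # RFC 2868 Tunnel-Medium-Type value for IPv4
VOICE_AVPAIR = "device-traffic-class=voice"


@dataclass(frozen=True)
class UserProfile:
    name: str
    attribute: int   # value expected in Tunnel-Pvt-Group-ID
    vlan: int


@dataclass
class PortUserProfiles:
    """The Default / Auth OK (Data) / Auth OK (Voice) / Auth Fail tabs of a port type."""
    default: UserProfile
    auth_ok_data: tuple = ()
    auth_ok_voice: tuple = ()
    auth_fail: Optional[UserProfile] = None


def returned_attribute(reply):
    """User-profile attribute carried by an Access-Accept, or None if absent."""
    if reply.get("Tunnel-Type") != TUNNEL_TYPE_GRE:
        return None
    if reply.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_IPV4:
        return None
    try:
        return int(reply.get("Tunnel-Pvt-Group-ID"))
    except (TypeError, ValueError):
        return None  # missing or non-numeric: no usable attribute


def select_profile(port, reply):
    """Apply the deck's rules; `reply` is None for an Access-Reject."""
    if reply is None:
        return port.auth_fail                  # Auth Fail tab (None if not configured)
    attr = returned_attribute(reply)
    if attr is None or attr == port.default.attribute:
        return port.default                    # Default tab
    is_voice = VOICE_AVPAIR in reply.get("Cisco-AVPair", ())
    for profile in port.auth_ok_voice if is_voice else port.auth_ok_data:
        if profile.attribute == attr:
            return profile                     # Auth OK (Voice) / Auth OK (Data) tab
    return None  # attribute matches no selected profile; assumed: no access


class PhoneDataPort:
    """Hosts behind one Phone & Data port and the VLAN each one ends up on."""

    def __init__(self, profiles):
        self.profiles = profiles
        self.data_vlan = None   # fixed by the first data device that authenticates
        self.hosts = {}         # MAC -> (profile name, effective VLAN)

    def authenticate(self, mac, reply):
        profile = select_profile(self.profiles, reply)
        if profile is None:
            return None
        if profile in self.profiles.auth_ok_voice:
            vlan = profile.vlan   # phone: tagged voice VLAN, advertised via LLDP-MED
        else:
            if self.data_vlan is None:
                self.data_vlan = profile.vlan
            vlan = self.data_vlan  # later data devices inherit the first data VLAN
        self.hosts[mac] = (profile.name, vlan)
        return vlan


# Lab values from the deck, as constructed sample data.
DEFAULT = UserProfile("Employee-Default", 1, 1)
EMPLOYEE = UserProfile("Employee-2", 10, 10)
VOICE = UserProfile("Voice-2", 2, 2)
GUEST = UserProfile("Guest-2", 100, 8)
PHONE_AND_DATA = PortUserProfiles(DEFAULT, auth_ok_data=(EMPLOYEE,), auth_ok_voice=(VOICE,))
SECURE_ACCESS = PortUserProfiles(DEFAULT, auth_ok_data=(EMPLOYEE,), auth_fail=GUEST)


def accept(group_id, voice=False):
    """Constructed Access-Accept shaped like the NPS policies in the deck."""
    reply = {"Tunnel-Type": TUNNEL_TYPE_GRE, "Tunnel-Medium-Type": TUNNEL_MEDIUM_IPV4,
             "Tunnel-Pvt-Group-ID": str(group_id)}
    if voice:
        reply["Cisco-AVPair"] = [VOICE_AVPAIR]
    return reply
```

Two cases worth checking against the rules: a reply that carries attribute 2 but no Cisco AV pair is looked up on the Auth OK (Data) tab, where Voice-2 is not selected, so the phone gets no profile; and a device that authenticates after an employee on the same Phone & Data port lands on VLAN 10 even when its own profile says VLAN 1, which is the sticky data VLAN rule from slide 154.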
- 185. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Ports - Phone & Data
2. Configure user profile – Auth OK (Voice)
185
• Click Auth OK (Voice)
• Click New
- 186. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Ports - Phone & Data
3. Configure user profile – Auth OK (Voice) VLAN
186
User profiles are used to assign policy to devices connected to the network.
• Name: Voice-X
• Attribute: 2
• Default VLAN: 2
• Click Save
- 187. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Ports - Phone & Data
4. Configure user profile – Auth OK (Voice)
187
• For the Auth OK (Voice) tab select: Voice-X(2)
  › Assigns VLAN 2
- 188. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Ports - Phone & Data
5. Configure user profile – Default
188
Assign the Default user profile:
• Select the Default tab
• Select Employee-Default(1)
  › Assigns VLAN 1
- 189. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Ports - Phone & Data
6. Configure user profile – Auth OK (Data)
189
Define a user profile for Auth OK (Data) – for clients connected through an IP phone
• Select Auth OK (Data)
• Select Employee-X(10)
  › Assigns VLAN 10
• Verify the Default, Auth OK (Voice), and Auth OK (Data) settings one more time
• Click Save
- 190. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Ports - Phone & Data
7. Verify your settings
190
• Verify the settings
- 191. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Ports - Phone and Data
8. Save your network policy
191
• From the Configure Interfaces & User Access bar, click Save
- 192. © 2013 Aerohive Networks CONFIDENTIAL
CONFIGURE 802.1Q TRUNK
PORTS
192
- 193. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Trunk Ports
1. Configure AP-Trunk-X port policy VLANs
193
Define the allowed VLANs on a trunk port
• Next to AP-Trunk-X click Add/Remove
• Add the specific VLANs: 1,2,8,10
• Click OK
- 194. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Trunk Ports
2. Configure Trunk-X port policy VLANs
194
Define the allowed VLANs on a trunk port
• Next to Trunk-X click Add/Remove
• Type all
• Click OK
- 195. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Trunk Ports
3. Verify your settings
195
• Verify your settings
- 196. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Ports - Phone and Data
8. Save your network policy and continue
196
• From the Configure Interfaces & User Access bar, click Save
- 198. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Update Devices
1. Modify your AP
198
From the Configure & Update Devices section,
modify your AP specific settings
• Click the Name column to sort the APs
• Click the link for your AP: 0X-A-######
- 199. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Update Devices
2. Update the configuration of your Aerohive AP
199
• Location: <FirstName_LastName>
• Topology Map: Classroom
• Network Policy: Access-X
  Note: Leave this set to default so you can see how it is automatically set to your new network policy when you update the configuration.
• Set the power down to 1 dBm on both radios, because the APs are stacked in a rack in the data center
  › 2.4 GHz (wifi0) Power: 1
  › 5 GHz (wifi1) Power: 1
• Click Save
- 200. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Update Devices
3. Select AP and switch
200
• Select your AP and switch and click Update
Click Yes
- 201. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Update Devices
4. Update the AP and switch
201
• Select Update Devices
• Select Perform a complete configuration update for all selected devices
• Click Update
For this class, ALL updates should be complete configuration updates
- 202. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Update Devices
5. Update the AP and switch
202
• Should the Reboot warning box appear, select OK
Click OK
- 203. © 2013 Aerohive Networks CONFIDENTIAL
QUESTIONS?
- 204. © 2013 Aerohive Networks CONFIDENTIAL
CREATE AN AEROHIVE DEVICE DISPLAY
FILTER
204
- 205. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Create a Display Filter from Monitor View
1. Create a filter
205
• To create a display filter go to Monitor Filter: Select +
• Network Policy, select: Access-X
• Remember this Filter, type: Access-X
• Click Search
- 206. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Create a Display Filter from Monitor View
2. Verify the display filter
206
- 207. © 2013 Aerohive Networks CONFIDENTIAL
QUESTIONS?
- 208. © 2013 Aerohive Networks CONFIDENTIAL
TEST YOUR WI-FI
CONFIGURATION
USING THE HOSTED PC
208
- 209. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Test Hosted Client Access to SSID
Test SSID Access at Hosted Site
209
• Use a VNC client to access the hosted PC
  › password: aerohive
• From the hosted PC, you can test connectivity to your SSID
[Lab diagram: hosted PC connected over Ethernet and Wi-Fi to the AP, SR2024 PoE access switch, distribution and core layers, ESXi server with the HM VA, and the Internet]
- 210. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Test Hosted Client Access to SSID
1. For Windows: Use TightVNC client
210
• If you are using a Windows PC
  › Use TightVNC
  › TightVNC has good compression, so please use this for class instead of any other application
• Start TightVNC
  › For Lab 1: lab1-pcX.aerohive.com
  › For Lab 2: lab2-pcX.aerohive.com
  › For Lab 3: lab3-pcX.aerohive.com
  › For Lab 4: lab4-pcX.aerohive.com
  › For Lab 5: lab5-pcX.aerohive.com
  › Select Low-bandwidth connection
  › Click Connect
  › Password: aerohive.
  › Click OK
- 211. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Test Hosted Client Access to SSID
2. For Mac: Use the Real VNC client
211
• If you are using a Mac
  › RealVNC has good compression, so please use this for class instead of any other application
• Start RealVNC
  › For Lab 1: lab1-pcX.aerohive.com
  › For Lab 2: lab2-pcX.aerohive.com
  › For Lab 3: lab3-pcX.aerohive.com
  › For Lab 4: lab4-pcX.aerohive.com
  › For Lab 5: lab5-pcX.aerohive.com
  › Click Connect
  › Password: aerohive.
  › Click OK
- 212. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Test Hosted Client Access to SSID
3. In case the PCs are not logged in
212
If you are not automatically logged in to your PC:
• If you are using the web browser client
  › Click the button to Send Ctrl-Alt-Del
• If you are using the TightVNC client
  › Click the button to send Ctrl-Alt-Del
• Login: AH-LABuser
• Password: Aerohive1
• Click the right arrow to log in
- 213. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Test Hosted Client Access to SSID
4. Remove any Wireless Networks on Hosted PC
213
From the bottom task bar, click the locate wireless
networks icon
› Select Open Network and Sharing Center
› Click Manage wireless Networks
› Select a network, then click Remove
› Repeat until all the networks are removed
› Click [x] to close the window
- 214. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Test Hosted Client Access to SSID
5. Connect to Your Class-PSK-X SSID
214
• Single-click the wireless icon in the bottom right corner of the Windows task bar
• Click your SSID Class-PSK-X
• Click Connect
› Security Key: aerohive123
› Click OK
- 215. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Test Hosted Client Access to SSID
6. View Active Clients List
215
• After associating with your SSID, you should see your connection in the Wireless Clients list
• Your IP address should be from the 10.5.10.0/24 network, which is VLAN 10
Go to Monitor > Clients > Wireless Clients and locate your PC's entry
- 216. © 2013 Aerohive Networks CONFIDENTIAL
QUESTIONS?
- 217. © 2013 Aerohive Networks CONFIDENTIAL
TESTING SWITCH PORT
CONNECTIONS WITH WINDOWS 7
217
- 218. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Test Hosted Client to Wired Network
Test Guest and 802.1X Access
218
• Use VNC client to access Hosted PC:
› password: aerohive
• From the hosted PC, you can test the wired switch port for guest and 802.1X access
[Lab topology diagram: Hosted PC and AP on the Access switch (SR2024, PoE); Distribution and Core switches; ESXi server running the HM VA; Internet; Ethernet and Wi-Fi links]
- 219. © 2013 Aerohive Networks CONFIDENTIAL
Three Different VLANs are Possible in this Configuration
219
• Default: authentication succeeds, and RADIUS returns no user profile attribute (or one that maps to the default user profile)
• Auth OK: authentication succeeds, and RADIUS returns a user profile attribute that matches one of the user profiles configured here
• Auth Fail: RADIUS authentication fails, or the client has no 802.1X supplicant (Guest)
- 220. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Test Hosted Client to Wired Network
1. Verify IP address of Ethernet adapter
220
• Locate Local Area Connection 3
• Right click
• Click Status
• Click Details
- 221. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Test Hosted Client to Wired Network
2. Verify IP address of Ethernet adapter
221
Why do you see an IP from the 10.5.1.0/24 subnet?
This is the IP address the device received on VLAN 1 before the switch was configured.
- 222. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Test Hosted Client to Wired Network
3. Reset Ethernet Adapter
222
Because the PC still holds an IP address from the old VLAN, it cannot reach the network. To renew it:
• Right-click Local Area Connection 3
• Click Diagnose
or
• Disable, then Enable, Local Area Connection 3
• Do NOT disable Local Area Connection 2
- 223. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Test Hosted Client to Wired Network
4. Verify IP address of Ethernet adapter
223
• Locate Local Area Connection 3
• Right click
• Click Status
• Click Details
- 224. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Test Hosted Client to Wired Network
5. Verify IP address of Ethernet adapter
224
Why do you see an IP
from the 10.5.8.0/24
subnet?
This is the guest
network that is
assigned if
authentication is not
supported or fails
- 225. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Test Hosted Client to Wired Network
6. Verify VLAN of wired client
225
Go to Monitor > Clients > Wired Clients and locate your PC's entry
• Note the IP, Client Auth Mode, User Profile Attribute and VLAN
• VLAN 8 is the guest VLAN, assigned because 802.1X authentication was not supported or failed. The host was assigned to the Auth Fail user profile.
- 226. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Test Hosted Client to Wired Network
7. Enable 802.1X for wired clients
226
• In Windows 7, you must enable 802.1X support for wired adapters
• As an administrator, from the Start menu type services
• Then click Services
- 227. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Test Hosted Client to Wired Network
8. Enable 802.1X for wired clients
227
• Click the
Standard tab
on the bottom
of the services
panel
• Locate Wired
AutoConfig
and right-click
• Click
Properties
- 228. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Test Hosted Client to Wired Network
9. Enable 802.1X for wired clients
228
• The Wired AutoConfig
(DOT3SVC) service is
responsible for performing IEEE
802.1X authentication on
Ethernet interfaces
• If your current wired network
deployment enforces 802.1X
authentication, the DOT3SVC
service should be configured to
run for establishing Layer 2
connectivity and/or providing
access to network resources
• Wired networks that do not
enforce 802.1X authentication
are unaffected by the DOT3SVC
service
- 229. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Test Hosted Client to Wired Network
10. Enable 802.1X for wired clients
229
• Set Startup type to Automatic
• Click Start
- 230. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Test Hosted Client to Wired Network
11. Enable 802.1X for wired clients
230
• Click OK
- 231. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Test Hosted Client to Wired Network
12. Verify IP address of Ethernet adapter
231
• Locate Local Area Connection 3
• Right click
• Click Status
• Click Details
- 232. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Test Hosted Client to Wired Network
13. Verify IP address of Ethernet adapter
232
Why do you see an IP
from the 10.5.10.0/24
subnet?
The user has
authenticated with
802.1X/EAP and
RADIUS is returning
the user profile
attribute: 10
- 233. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Test Hosted Client to Wired Network
14. Verify authentication and VLAN of wired client
233
Go to Monitor > Clients > Wired Clients and locate your entry
• Note the IP, Client Auth Mode, User Profile Attribute and VLAN
• VLAN 10 is the employee VLAN, assigned because 802.1X authentication was successful and the host was assigned to the Auth OK user profile.
- 234. © 2013 Aerohive Networks CONFIDENTIAL
For Reference: Switch CLI
234
SR-04-866380# show auth int eth1/12
Authentication Entities:
if=interface; UID=User profile group ID; AA=Authenticator Address;
if=eth1/12; idx=16; AA=08ea:4486:638c; Security-obj=Secure-2; default-UID=1;
Protocol-suite=802.1X;Auth-mode=port-based; Failure-UID=100; Dynamic-VLAN=10;
No. Supplicant      UID  Life  State  DevType  User-Name    Flag
--- -------------- ---- ----- ------ -------- ------------ ----
0   000c:2974:aa8e  10   0     done   data     AH-LABuser4  000b
Here default-UID=1 is the profile used when authentication succeeds without a usable attribute, Failure-UID=100 is the Auth Fail (guest) profile, and the supplicant's UID of 10 is the attribute RADIUS returned, which is why Dynamic-VLAN=10.
- 235. © 2013 Aerohive Networks CONFIDENTIAL
Enable 802.1X for Wired Connections
235
If you need to troubleshoot, you can view Local Area Connection 3:
• From the Start menu, type view network
• Right-click Local Area Connection 3, and click Diagnose
› This resets the adapter, clears the caches, etc.
- 236. © 2013 Aerohive Networks CONFIDENTIAL
Clearing Authentication Cache
For Testing or Troubleshooting
236
• From the Wired Clients list, you can select a client and click Deauth
› This clears all the caches for that client on the switch
• Then on the hosted PC, disable and re-enable Local Area Connection 3 to force a reauthentication
- 238. © 2013 Aerohive Networks CONFIDENTIAL
Switch Monitoring
238
• Monitor > Switches
• Click on the hostname of the switch
- 239. © 2013 Aerohive Networks CONFIDENTIAL
Switch Monitoring
239
• Hover with your mouse over the switch ports
- 240. © 2013 Aerohive Networks CONFIDENTIAL
Switch Monitoring
240
System Details
- 241. © 2013 Aerohive Networks CONFIDENTIAL
Switch Monitoring
241
Port Details and PSE Details
- 242. © 2013 Aerohive Networks CONFIDENTIAL
Power Cycle Devices via PoE
242
• To configure this feature for selected ports on a switch, navigate to Monitor > Switches in the Managed Devices tab, click the name of the switch, and scroll down to PSE Details.
• Select the check box or boxes for the port or ports that you want to
cycle, and then click Cycle Power.
This is useful in the event that an AP or multiple APs are locked up
and need to be rebooted remotely. Bouncing the PoE port forces
the AP reboot.
- 243. © 2013 Aerohive Networks CONFIDENTIAL
Switch Monitoring
243
• Monitor > Active Clients > Wired Clients
• Add the User Profile Attribute column and move it up; it is useful
- 244. © 2013 Aerohive Networks CONFIDENTIAL
Switch Monitoring
244
• Click on the MAC address for a wired client to see more
information
- 245. © 2013 Aerohive Networks CONFIDENTIAL
Switch Monitoring
245
• Utilities… > Statistics > Interface
- 246. © 2013 Aerohive Networks CONFIDENTIAL
Switch Monitoring
246
• Utilities… > Diagnostics > Show PSE
- 247. © 2013 Aerohive Networks CONFIDENTIAL
VLAN Probe
Use VLAN Probe to verify VLANs and DHCP Service
247
• Monitor > Switches – select your device, then go to Utilities… > Diagnostic > VLAN Probe
NOTE: If you get the same IP subnet for each of the VLANs, that is a sign that the switch uplink port is connected to an access port, not the trunk port it should be on.
- 248. © 2013 Aerohive Networks CONFIDENTIAL
Client Monitor
248
• Tools > Client Monitor
• Client Monitor can be used to troubleshoot 802.1X/EAP authentication for wired clients
- 249. © 2013 Aerohive Networks CONFIDENTIAL
Switch CLI
249
• SR-02-66ec00# show interface switchport
Name: gigabitethernet1/1
Switchport: enable
Port Mode: access
Port Mirror: disable
Port User-profile ID: 0
Static Access VLAN: 1
Dynamic Auth VLAN: 0
Name: gigabitethernet1/2
Switchport: enable
Port Mode: access
Port Mirror: disable
Port User-profile ID: 10
Static Access VLAN: 10
Dynamic Auth VLAN: 0
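The two CLI outputs above (show auth int on slide 234 and show interface switchport on slide 249) are what you read when a wired client lands in the wrong VLAN. What follows is an added example, not Aerohive code: a Python parser for both outputs that sorts each supplicant into the three outcomes of slide 219 (Auth Fail, Default, Auth OK) and reports the VLAN a port actually uses. The sample outputs are the slides' own values re-joined onto single lines; reading a supplicant's UID against Failure-UID and default-UID to get those outcomes is this example's interpretation of the output.

```python
"""Added example, not Aerohive code: parse the two switch CLI outputs shown
in this deck and work out why a wired client landed in a given VLAN.

The sample outputs are the slides' own ('show auth int eth1/12' and
'show interface switchport'), re-joined onto single lines. Reading a
supplicant's UID against Failure-UID / default-UID to get the three outcomes
of slide 219 (Auth Fail, Default, Auth OK) is this example's interpretation.
"""
import re
from typing import Dict, List

# Constructed from slide 234 (line wraps removed).
SHOW_AUTH_INT = """\
SR-04-866380# show auth int eth1/12
Authentication Entities:
if=interface; UID=User profile group ID; AA=Authenticator Address;
if=eth1/12; idx=16; AA=08ea:4486:638c; Security-obj=Secure-2; default-UID=1;
Protocol-suite=802.1X;Auth-mode=port-based; Failure-UID=100; Dynamic-VLAN=10;
No. Supplicant      UID  Life  State  DevType  User-Name    Flag
--- -------------- ---- ----- ------ -------- ------------ ----
0   000c:2974:aa8e  10   0     done   data     AH-LABuser4  000b
"""

# Constructed from slide 249.
SHOW_SWITCHPORT = """\
Name: gigabitethernet1/1
Switchport: enable
Port Mode: access
Port Mirror: disable
Port User-profile ID: 0
Static Access VLAN: 1
Dynamic Auth VLAN: 0
Name: gigabitethernet1/2
Switchport: enable
Port Mode: access
Port Mirror: disable
Port User-profile ID: 10
Static Access VLAN: 10
Dynamic Auth VLAN: 0
"""

KV_RE = re.compile(r"([\w-]+)=([^;]*);")          # key=value; pairs
MAC_RE = re.compile(r"^[0-9a-f]{4}:[0-9a-f]{4}:[0-9a-f]{4}$")


def parse_auth_int(text: str) -> Dict:
    """Return {'settings': {...}, 'supplicants': [...]} for one interface."""
    settings: Dict[str, str] = {}
    supplicants: List[Dict] = []
    for line in text.splitlines():
        if line.startswith("if=interface"):      # legend line, not data
            continue
        if "=" in line:                          # interface settings
            settings.update(KV_RE.findall(line))
            continue
        cols = line.split()
        # Data rows: No. Supplicant UID Life State DevType User-Name Flag
        if len(cols) == 8 and cols[0].isdigit() and MAC_RE.match(cols[1]):
            supplicants.append({"mac": cols[1], "uid": int(cols[2]),
                                "state": cols[4], "dev_type": cols[5],
                                "user": cols[6], "flag": cols[7]})
    return {"settings": settings, "supplicants": supplicants}


def classify(settings: Dict[str, str], supplicant: Dict) -> str:
    """Which of the slide 219 outcomes a supplicant's UID represents."""
    if supplicant["state"] != "done":
        return "pending"
    if supplicant["uid"] == int(settings["Failure-UID"]):
        return "auth-fail"              # guest profile, e.g. VLAN 8 in the lab
    if supplicant["uid"] == int(settings["default-UID"]):
        return "default"                # authenticated, no usable attribute
    return "auth-ok"                    # RADIUS returned a matching attribute


def parse_switchport(text: str) -> List[Dict[str, str]]:
    """One dict per 'Name:' block of 'show interface switchport'."""
    ports: List[Dict[str, str]] = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Name":
            ports.append({"name": value})
        elif ports and key:
            ports[-1][key] = value
    return ports


def effective_vlan(port: Dict[str, str]) -> int:
    """RADIUS-assigned VLAN if set (non-zero), otherwise the static one."""
    dynamic = int(port.get("Dynamic Auth VLAN", "0"))
    return dynamic or int(port.get("Static Access VLAN", "0"))


def report(auth_text: str, switchport_text: str) -> List[str]:
    """Human-readable lines, one per supplicant and one per port."""
    auth = parse_auth_int(auth_text)
    lines = [f"{s['user']} ({s['mac']}) on {auth['settings']['if']}: "
             f"{classify(auth['settings'], s)}, UID {s['uid']}, "
             f"dynamic VLAN {auth['settings'].get('Dynamic-VLAN', '0')}"
             for s in auth["supplicants"]]
    lines += [f"{p['name']}: VLAN {effective_vlan(p)}"
              for p in parse_switchport(switchport_text)]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SHOW_AUTH_INT, SHOW_SWITCHPORT)))
```

Paste the output of the two commands from your own switch into the two constants to run the same report against a live lab; a supplicant reported as auth-fail with a User-Name you expected to authenticate is the wired equivalent of the 10.5.8.0/24 address on slide 224.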
- 250. © 2013 Aerohive Networks CONFIDENTIAL
Switch CLI
250
• show client-report client
- 252. © 2013 Aerohive Networks CONFIDENTIAL
Storm Control
252
• Aerohive switches can mitigate traffic storms due to a variety of causes by tracking the source and type of frames to determine whether they are legitimately required.
• The switches can then discard frames that are determined to be the products of a traffic storm. You can configure thresholds for broadcast, multicast, unknown unicast, and TCP-SYN packets as a percentage of interface capacity, a number of bits per second, or a number of packets per second.
From your network policy with Switching enabled: go to Additional Settings > Switch Settings > Storm Control
- 253. © 2013 Aerohive Networks CONFIDENTIAL
IGMP Snooping MAC Addresses
253
• Aerohive switches can monitor IGMP transactions between multicast routers and client devices, and maintain a local table of IGMP groups and group members
• Aerohive switches use this information to track the status of multicast clients attached to the switch ports so that they can forward multicast traffic efficiently
From your network policy with Switching enabled: go to Additional Settings > Switch Settings > IGMP Settings
- 255. © 2013 Aerohive Networks CONFIDENTIAL
IGMP Snooping MAC Addresses
255
• IGMP device-specific options are available in the switch device configuration
• Users can enable or disable IGMP snooping for all VLANs or for a specified VLAN. When IGMP snooping is disabled, all dynamically learned multicast MAC addresses are deleted.
- 256. © 2013 Aerohive Networks CONFIDENTIAL
Required When Aerohive Devices are Configured as
RADIUS Servers
GENERATE AEROHIVE SWITCH
RADIUS
SERVER CERTIFICATES
256
- 257. © 2013 Aerohive Networks CONFIDENTIAL
HiveManager Root CA Certificate
Location and Uses
• This root CA certificate is used to:
› Sign the CSR (certificate signing request) that HiveManager creates on behalf of the Aerohive device acting as a RADIUS or VPN server
› Validate Aerohive device certificates to remote clients
» 802.1X clients (supplicants) need a copy of the CA certificate in order to trust the certificates on the Aerohive RADIUS server(s)
• Root CA Cert Name: Default_CA.pem
• Root CA Key Name: Default_key.pem
Note: The CA key is only ever used or seen by HiveManager
• To view certificates, go to Configuration, click Show Nav, then go to Advanced Configuration > Keys and Certificates > Certificate Mgmt
257
- 258. © 2013 Aerohive Networks CONFIDENTIAL
Use the Existing HiveManager CA
Certificate, Do not Create a New One!
258
• For this class, please do not create a new HiveManager CA certificate; doing so would render all previously issued certificates invalid.
• On your own HiveManager, you can create your own HiveManager CA certificate by going to Configuration, then Advanced Configuration > Keys and Certificates > HiveManager CA
- 259. © 2013 Aerohive Networks CONFIDENTIAL
LAB: Aerohive Switch Server Certificate and
Key
1. Generate Aerohive switch server certificate
259
• Go to Configuration, click Show Nav, then Advanced Configuration > Keys and Certificates > Server CSR
• Common Name: server-X
• Organizational Name: Company
• Organization Unit: Department
• Locality Name: City
• State/Province: <2 Characters>
• Country Code: <2 Characters>
• Email Address: userX@ah-lab.com
• Subject Alternative Name:
User FQDN: userX@ah-lab.com
Note: This lets you add an extra step of validating the User FQDN in a certificate during IKE phase 1 for IPsec VPN. This way, the Aerohive device needs both a validly signed certificate and the correct User FQDN.
• Key Size: 2048
• Password & Confirm: aerohive123
• CSR File Name: Switch-X
• Click Create
- 260. © 2013 Aerohive Networks CONFIDENTIAL
LAB: Aerohive Switch Server Certificate and Key
2. Sign and combine
260
• Select Sign by HiveManager CA
› The HiveManager CA will sign the Aerohive device server certificate
› The other option sends the signing request to an external certification authority
• The validity period should be the same as or less than the number of days the HiveManager CA certificate is valid
› Enter the Validity: 3650 (approximately 10 years)
• Check Combine key and certificate into one file
› Enabling this setting helps prevent certificate and key mismatches when configuring the RADIUS settings
• Click OK
- 261. © 2013 Aerohive Networks CONFIDENTIAL
LAB: Aerohive Switch Server Certificate and Key
3. View server certificate and key
261
• To view certificates, go to Configuration, click Show Nav, then go to Advanced Configuration > Keys and Certificates > Certificate Mgmt
• The certificate and key file name is: switch-X_key_cert.pem
• QUIZ
› Which CA signed this Aerohive switch server certificate?
› What devices need to install the CA public cert?
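The following is an added example, not HiveManager code: the certificate workflow of this lab (CSR with a User FQDN SAN, signing by the CA, a validity that does not outlive the CA, and the combined key-plus-certificate file) written in Python with the cryptography package, which it assumes is installed. A throwaway CA stands in for the HiveManager CA so the quiz can be answered by a check that actually runs: which CA signed the certificate, and whether the key in the combined file matches it. The common name, e-mail SAN, key size, validity and key password come from the lab sheet; "Company", "Department", "City", "CA" and "US" are placeholder values, and the export function produces the DER form of the CA certificate that the later client-distribution lab installs.

```python
"""Added example, not HiveManager code: the CSR lab (slides 259-261) in
Python with the 'cryptography' package (assumed installed). A throwaway CA
stands in for the HiveManager CA; placeholder subject values are marked.
"""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

UTC = datetime.timezone.utc


def not_after(cert):
    """Aware expiry time on both older (naive) and newer (_utc) releases."""
    end = getattr(cert, "not_valid_after_utc", None)
    return end if end is not None else cert.not_valid_after.replace(tzinfo=UTC)


def make_ca(days=3650):
    """Stand-in for the HiveManager root CA (Default_CA.pem / Default_key.pem)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "HiveManager")])
    now = datetime.datetime.now(UTC)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def make_server_csr(common_name, email):
    """Slide 259: 2048-bit key, CN=server-X, e-mail in the subject and as the
    User FQDN (rfc822Name) subject alternative name. O/OU/L/ST/C are placeholders."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Company"),
        x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Department"),
        x509.NameAttribute(NameOID.LOCALITY_NAME, "City"),
        x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "CA"),
        x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
        x509.NameAttribute(NameOID.EMAIL_ADDRESS, email),
    ])
    csr = (x509.CertificateSigningRequestBuilder().subject_name(subject)
           .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(email)]), critical=False)
           .sign(key, hashes.SHA256()))
    return key, csr


def sign_csr(csr, ca_key, ca_cert, days=3650):
    """Slide 260: sign with the CA; the server cert must not outlive the CA cert."""
    now = datetime.datetime.now(UTC)
    end = min(now + datetime.timedelta(days=days), not_after(ca_cert))
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return (x509.CertificateBuilder().subject_name(csr.subject)
            .issuer_name(ca_cert.subject).public_key(csr.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(end)
            .add_extension(san, critical=False)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
            .sign(ca_key, hashes.SHA256()))


def combine(key, cert, password=b"aerohive123"):
    """'Combine key and certificate into one file': password-protected key, then cert."""
    return (key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                              serialization.BestAvailableEncryption(password))
            + cert.public_bytes(serialization.Encoding.PEM))


def load_combined(data, password=b"aerohive123"):
    """Read switch-X_key_cert.pem back: the same file serves as cert file and key file."""
    split = data.index(b"-----BEGIN CERTIFICATE-----")
    key = serialization.load_pem_private_key(data[:split], password=password)
    return key, x509.load_pem_x509_certificate(data[split:])


def check_server_cert(ca_cert, cert, key):
    """Slide 261 quiz ('which CA signed this?') plus the key/cert mismatch that
    combining the two files is meant to rule out."""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
        signed_by_ca = True
    except InvalidSignature:
        signed_by_ca = False
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return {
        "signed_by_ca": signed_by_ca,
        "issuer_is_ca": cert.issuer == ca_cert.subject,
        "key_matches_cert": key.public_key().public_numbers() == cert.public_key().public_numbers(),
        "within_ca_validity": not_after(cert) <= not_after(ca_cert),
        "san_emails": san.get_values_for_type(x509.RFC822Name),
    }


def export_ca_cer(ca_cert):
    """What clients import: slide 297 renames the PEM to .cer, Windows also
    accepts this DER form. Only the public certificate ever leaves HiveManager."""
    return ca_cert.public_bytes(serialization.Encoding.DER)


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    server_key, csr = make_server_csr("server-1", "user1@ah-lab.com")
    key, cert = load_combined(combine(server_key, sign_csr(csr, ca_key, ca_cert)))
    print(check_server_cert(ca_cert, cert, key))
```

Run check_server_cert against a certificate exported from Certificate Mgmt and the Default_CA.pem shown on slide 257 to confirm the same facts for a real lab certificate; a False in key_matches_cert is exactly the mismatch that the "Combine key and certificate into one file" option exists to prevent.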
- 262. © 2013 Aerohive Networks CONFIDENTIAL
QUESTIONS?
- 263. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Switch as a RADIUS server
1. Edit existing policy
263
• From Configuration,
• Select your Network policy:
Access-X
• Click OK and then Continue
- 264. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Switch Active Directory Integration
2. Select your Network Policy
To configure the Aerohive device as a RADIUS server...
Select the Configure & Update Devices bar
• Select the Filter: Current Policy
• Click the link for your Switch – SR-0X-######
264
- 265. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Switch Active Directory Integration
3. Create a RADIUS Service Object
265
Create an Aerohive device RADIUS Service Object
• Under Optional Settings, expand Service Settings
• Next to Device RADIUS Service click +
- 266. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Switch Active Directory Integration
4. Create a RADIUS Service Object
266
• Name: SR-radius-X
• Expand Database
Settings
• Uncheck Local
Database
• Check External
Database
• Under Active Directory,
click + to define the
RADIUS Active Directory
Integration Settings
- 267. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Switch Active Directory Integration
5. Select a switch to test AD integration
267
• Name: AD-X
• Aerohive device for Active Directory connection setup,
select your Switch: SR-0X-#####
› This will be used to test Active Directory integration
› Once this switch is working, it can be used as a template for
configuring other Aerohive device RADIUS servers with Active
Directory integration
• The IP settings for the selected Aerohive switch are gathered and
displayed
- 268. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Switch Active Directory Integration
6. Modify DNS settings
268
• Set the DNS server to: 10.5.1.10
› This DNS server should be the Active Directory DNS server or an
internal DNS server aware of the Active Directory domain
• Click Update
› This applies the DNS settings to the Network Policy and to the
Aerohive device so that it can test Active Directory connectivity
- 269. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Switch Active Directory Integration
7. Specify Domain and Retrieve Directory Information
269
• Domain: ah-lab.local
• Click Retrieve Directory Information
› The Active Directory Server IP will be populated as well as
the BaseDN used for LDAP user lookups
- 270. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Switch Active Directory Integration
8. Specify Domain and Retrieve Directory Information
270
• Domain Admin: hiveapadmin (the delegated admin account)
• Password and Confirm Password: Aerohive1
• Click Join
• Check Save Credentials
› NOTE: By saving credentials you can automatically join Aerohive devices to the domain without manual intervention. HiveManager keeps these credentials, so use a delegated account limited to joining computers rather than a full Domain Admin.
- 271. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Switch Active Directory Integration
9. Specify A User to Perform LDAP User Searches
271
• Domain User: user@ah-lab.local (a standard domain user)
• Password and Confirm Password: Aerohive1
• Click Validate User
› You should see the message: The user was successfully authenticated.
› These user credentials remain and are used to perform LDAP searches to locate user accounts during authentication.
- 272. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Switch Active Directory Integration
10. Save the AD Settings
272
• Click Save
- 273. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Switch Active Directory Integration
11. Apply the AD settings
273
• Select AD-X with priority: Primary
• Click Apply (please make sure you click Apply)
• Do not save yet
- 274. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Switch Active Directory Integration
12. Enable LDAP credential caching
274
Enable the switch RADIUS server to cache user credentials, so that a user who has previously authenticated can still authenticate when the AD server is not reachable
• Check Enable RADIUS Server Credentials Caching
• Do not save yet...
- 275. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Switch Active Directory Integration
13. Assign server certificate
275
Optional Settings > RADIUS Settings: assign the newly created switch server certificate and key to the switch RADIUS server
• CA Cert File: Default_CA.pem
• Server Cert File: switch-X_key_cert.pem
• Server Key File: switch-X_key_cert.pem (the same combined file)
• Key File Password & confirm password: aerohive123
• Click Save
- 276. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Switch Active Directory Integration
14. Verify the RADIUS service object
276
• Ensure that the Aerohive device RADIUS Service is set to the service object you created in step 4: SR-radius-X
• Do not save yet…
- 277. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Switch Active Directory Integration
15. Set Static IP address on MGT0 interface
277
• Expand MGT0 Interface Settings
• Select Static IP
• Static IP Address: 10.5.1.7X (X = student number: 02 = 72, 03 = 73 … 12 = 82, 13 = 83)
• Netmask: 255.255.255.0
• Default Gateway: 10.5.1.1
Note: Aerohive devices that function as a server must have a static IP address.
- 278. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Switch Active Directory Integration
16. Save the switch settings
278
• Click Save
NOTE: Your Aerohive
switch will have an icon
displayed showing that
it is a RADIUS server.
- 279. © 2013 Aerohive Networks CONFIDENTIAL
QUESTIONS?
- 280. © 2013 Aerohive Networks CONFIDENTIAL
SSID FOR 802.1X/EAP
AUTHENTICATION
USING AEROHIVE DEVICE RADIUS
WITH
AD KERBEROS INTEGRATION
280
- 281. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Switch RADIUS w/ AD Integration
1. Edit your WLAN Policy and Add SSID Profile
281
Configure an SSID that uses 802.1X/EAP with AD (Kerberos) integration
• Select the Configure Interfaces & User Access bar
• Next to SSIDs click Choose
• In Choose SSIDs, select New
- 282. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Switch RADIUS w/ AD Integration
2. Configure a 802.1X/EAP SSID
• Profile Name:
Class-AD-X
• SSID:
Class-AD-X
• Under SSID
Access Security
select
WPA/WPA2
802.1X
(Enterprise)
• Click Save
282
- 283. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Switch RADIUS w/ AD Integration
3. Select new Class-AD-X SSID
283
• Click to deselect the Class-PSK-X SSID
• Ensure the Class-AD-X SSID is selected (highlighted)
• Click OK
- 284. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Switch RADIUS w/ AD Integration
4. Create a RADIUS object
284
• Under Authentication, click <RADIUS Settings>
• In Choose RADIUS, click New
- 285. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Switch RADIUS w/ AD Integration
5. Define the RADIUS Server IP settings
285
• RADIUS Name: SWITCH-RADIUS-X
• IP Address/Domain Name: 10.5.1.7X (02 = 72, 03 = 73 … 12 = 82, 13 = 83)
• Leave the Shared Secret empty
NOTE: When the Aerohive device is a RADIUS server, devices in the same Hive automatically generate a shared secret
• Click Apply
• Click Save
- 286. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Switch RADIUS w/ AD Integration
6. Select User Profiles
286
• Verify that under Authentication, SWITCH-RADIUS-X is
assigned
• Under User Profile click Add/Remove
- 287. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Switch RADIUS w/ AD Integration
7. Assign User Profile as Default for the SSID
287
• With the Default tab selected, highlight the Employee-Default user profile
• IMPORTANT: This user profile will be assigned if no attribute value is returned from RADIUS after successful authentication, or if attribute value 1 is returned.
• Click the Authentication tab
- 288. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Switch RADIUS w/ AD Integration
8. Assign User Profile to be Returned by RADIUS
Attribute
288
• In the Authentication tab, select (highlight) Employee-X
› NOTE: The (User Profile Attribute) is appended to the User Profile Name
• Click Save
- 289. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Switch RADIUS w/ AD Integration
9. Verify and Continue
289
• Ensure Employee-Default-1
and Employee-X user
profiles are assigned to the
Class-AD-X SSID
• Click Continue
or click the bar to
Configure & Update
Devices
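Slides 287 and 288 describe how the attribute RADIUS returns picks the user profile: the Default-tab profile when nothing or the value 1 comes back, otherwise the Authentication-tab profile whose attribute matches. The following added example (not Aerohive code) shows the NAS side of that exchange in Python: building an Access-Accept, checking its Response Authenticator against the shared secret before trusting it, pulling the attribute out, and applying the selection rule. It assumes the attribute travels in Tunnel-Private-Group-ID (RFC 2868 attribute 81) with Tunnel-Type and Tunnel-Medium-Type alongside it, which this page does not document; the shared secret, packet identifier and request authenticator are constructed, and treating an unknown attribute value as "default" is the example's own choice.

```python
"""Added example, not Aerohive code: the RADIUS Access-Accept exchange behind
slides 287-288, seen from the NAS (the switch or AP).

Assumptions: the user profile attribute is carried in Tunnel-Private-Group-ID
(RFC 2868 attribute 81); the shared secret, packet identifier and request
authenticator below are constructed for the example.
"""
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
SECRET = b"constructed-shared-secret"       # a hive generates its own (slide 285)

Attrs = List[Tuple[int, bytes]]


def encode_attrs(attrs: Attrs) -> bytes:
    """RADIUS TLVs: Type (1) | Length (1, includes the 2-byte header) | Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> Attrs:
    out: Attrs = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def build_access_accept(ident: int, request_auth: bytes, attrs: Attrs,
                        secret: bytes) -> bytes:
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: a reply that fails this check did not come from a server
    holding the shared secret (or was altered in transit) and must be dropped."""
    if len(packet) < 20:
        return False
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    _, _, length = struct.unpack("!BBH", header)
    if length != len(packet):
        return False
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def tunnel_private_group_id(attrs: Attrs) -> Optional[str]:
    """String value of attribute 81, minus the optional leading tag byte."""
    for t, value in attrs:
        if t == TUNNEL_PRIVATE_GROUP_ID:
            if value and value[0] <= 0x1F:          # RFC 2868 section 3.6
                value = value[1:]
            return value.decode("ascii", "replace")
    return None


def select_user_profile(attribute: Optional[str], default_profile: str,
                        profiles: Dict[int, str]) -> str:
    """Slides 287-288: the Default-tab profile when no attribute or the value
    1 comes back; otherwise the Authentication-tab profile whose attribute
    matches. An unknown value falls back to the default (example's choice)."""
    if attribute is None:
        return default_profile
    try:
        value = int(attribute)
    except ValueError:
        return default_profile
    if value == 1:
        return default_profile
    return profiles.get(value, default_profile)


def profile_for_reply(packet: bytes, request_auth: bytes, secret: bytes,
                      default_profile: str, profiles: Dict[int, str]) -> Optional[str]:
    """End to end: authenticate the reply, then map it; None means 'discard'."""
    if not verify_response(packet, request_auth, secret):
        return None
    if packet[0] != ACCESS_ACCEPT:
        return None
    attribute = tunnel_private_group_id(decode_attrs(packet[20:]))
    return select_user_profile(attribute, default_profile, profiles)


# Constructed exchange: RADIUS returns user profile attribute 10, as on slide 232.
REQUEST_AUTH = bytes(range(16))
REPLY = build_access_accept(7, REQUEST_AUTH, [
    (TUNNEL_TYPE, b"\x00" + (10).to_bytes(3, "big")),          # tag 0, GRE (example's choice)
    (TUNNEL_MEDIUM_TYPE, b"\x00" + (1).to_bytes(3, "big")),    # tag 0, IPv4 (example's choice)
    (TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"10"),                # tag 0, attribute "10"
], SECRET)
PROFILES = {10: "Employee-X"}                                   # slide 288

if __name__ == "__main__":
    print(profile_for_reply(REPLY, REQUEST_AUTH, SECRET, "Employee-Default", PROFILES))
```

The order of the checks is the point: the shared secret is what lets the NAS tell a genuine Access-Accept from one injected on the path, so verify_response runs before any attribute is looked at, and a reply that fails it yields no profile at all rather than the default one.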
- 290. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Switch RADIUS w/ AD Integration
10. Upload the config to the switch and AP
290
In the Configure & Update Devices section
• Select the Filter: Current Policy
• Select your devices
• Click Update
- 291. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Switch RADIUS w/ AD Integration
10. Upload the config to the switch and AP (continued)
291
• Select Update Devices
• Select Perform a complete configuration update for all selected devices
• Click Update
For this class, ALL updates should be complete configuration updates
- 292. © 2013 Aerohive Networks CONFIDENTIAL
Lab: Switch RADIUS w/ AD Integration
11. Upload the config to the switch and AP
292
• Should the Reboot Warning box appear, click OK
- 293. © 2013 Aerohive Networks CONFIDENTIAL
QUESTIONS?
- 294. © 2013 Aerohive Networks CONFIDENTIAL
CLIENT ACCESS PREPARATION -
DISTRIBUTING CA CERTIFICATES
TO WIRELESS CLIENTS
294
- 295. © 2013 Aerohive Networks CONFIDENTIAL
LAB: Exporting CA Cert for Server Validation
1. Go to HiveManager from the Remote PC
295
• From the VNC connection to the hosted PC, open a connection to:
› For HM 1 – 10.5.1.20
› For HM 2 – 10.5.1.23
› For HM 3 – 10.5.1.20
› For HM 5 – 10.5.1.20
• Login with: adminX
• Password: aerohive123
NOTE: Here you are accessing HiveManager via the PC's Ethernet connection
- 296. © 2013 Aerohive Networks CONFIDENTIAL
LAB: Exporting CA Cert for Server Validation
2. Download Default CA Certificate to the Remote PC
296
NOTE: The HiveManager Root CA certificate should be installed on the client PCs that will be using the RADIUS service on the Aerohive device for 802.1X authentication
• From the Remote PC, go to Configuration, then click Show Nav, Advanced Configuration > Keys and Certificates > Certificate Mgmt
• Select Default_CA.pem
• Click Export
- 297. © 2013 Aerohive Networks CONFIDENTIAL
LAB: Exporting CA Cert for Server Validation
3. Rename HiveManager Default CA Cert
297
• Export the public root Default_CA.pem certificate to the Desktop of your hosted PC
› This is NOT your Aerohive device server certificate; this IS the HiveManager public root CA certificate
• In the Save dialog, change the file name to Default_CA.cer and set Save as type to All Files
› This way, the certificate will automatically be recognized by Microsoft Windows
• Click Save
- 298. © 2013 Aerohive Networks CONFIDENTIAL
LAB: Exporting CA Cert for Server Validation
4. Install HiveManager Default CA Cert
298
• Find the file that was just
exported to your hosted PC
• Double-click the certificate file on
the Desktop: Default_CA
• Click Install Certificate
Issued to: HiveManager
This is the name of the certificate if you
wish to find it in the certificate store, or if
you want to select it in the windows
supplicant PEAP configuration.
- 299. © 2013 Aerohive Networks CONFIDENTIAL
LAB: Exporting CA Cert for Server Validation
5. Finish certification installation
299
• In the Certificate Import Wizard click Next
• Click Place all certificates in the following store
• Click Browse
- 300. © 2013 Aerohive Networks CONFIDENTIAL
LAB: Exporting CA Cert for Server Validation
6. Select Trusted Root Certification Authorities
300
• Click Trusted Root
Certification
Authorities
• Click OK
• Click Next
- 301. © 2013 Aerohive Networks CONFIDENTIAL
LAB: Exporting CA Cert for Server Validation
7. Finish Certificate Import
301
• Click Finish
• Click Yes
• Click OK
- 302. © 2013 Aerohive Networks CONFIDENTIAL
LAB: Exporting CA Cert for Server Validation
8. Verify certificate is valid
302
• Click OK to Close the certificate
• Double-click Default_CA to
reopen the certificate
• You will see that the certificate is valid, with its validity start and end dates
• Click the Details tab