ACWA AEROHIVE CONFIGURATION GUIDE
- 1. © 2014 Aerohive Networks Inc.
AEROHIVE CERTIFIED WIRELESS
ADMINISTRATOR (ACWA)
Aerohive’s
Instructor-led Training
- 2. © 2014 Aerohive Networks CONFIDENTIAL
Welcome
• Introductions
• Facilities Discussion
• Course Overview
• Extra Training Resources
• Questions
- 3. © 2014 Aerohive Networks CONFIDENTIAL
Introductions
• What is your name?
• What is your organization's name?
• How long have you worked in Wi-Fi?
• Are you currently using Aerohive?
- 4. © 2014 Aerohive Networks CONFIDENTIAL
Facilities Discussion
• Course Material Distribution
• Course Times
• Restrooms
• Break room
• Smoking Area
• Break Schedule
› Morning Break
› Lunch Break
› Afternoon Break
- 5. © 2014 Aerohive Networks CONFIDENTIAL
Aerohive Essentials WLAN Configuration
(ACWA) – Course Overview
Each student connects to HiveManager, a remote PC, and an Aerohive AP over the Internet from their wireless-enabled laptop in the classroom, and then performs hands-on labs that cover the following topics:
• Predictive modeling and WLAN design
• HiveManager overview
• Mobility solutions and Unified Policy Management
• HiveManager initial configuration
• Topology Maps: Real-time monitoring of AP coverage
• Scenario: Create a secure access network for employees
• Scenario: Create a secure access network for legacy devices using PPSK
• Secure WLAN Guest Management
• Scenario: Create a guest secure WLAN with unique user credentials
• Device specific settings
• Deployment optimization
• Device monitoring and troubleshooting
• Firmware updates
• Bring Your Own Device (BYOD)
• Auto-provisioning
• Cooperative Control Protocols
2-day hands-on class
- 6. © 2014 Aerohive Networks CONFIDENTIAL
Copyright ©2011
Aerohive Training Remote Lab
• Aerohive Access Points using external antenna connections and RF cables to connect to USB Wi-Fi client cards (black cables)
• Access Points are connected from eth0 to Aerohive Managed Switches with 802.1Q VLAN trunk support providing PoE to the APs (yellow cables)
• Firewall with routing support, NAT, and multiple Virtual Router Instances
• Access Points are connected from their console port to a console server (white cables)
• Console server to permit SSH access into the serial console of Aerohive Access Points
• Server running VMware ESXi running Active Directory, RADIUS, NPS and hosting the virtual clients used for testing configurations to support the labs
- 7. © 2014 Aerohive Networks CONFIDENTIAL
Hosted Lab for Data Center
(Network diagram of the hosted lab)
• L3 Switch/Router/Firewall: eth0 10.5.1.1/24 (VLAN 1), eth0.1 10.5.2.1/24 (VLAN 2), eth0.2 10.5.8.1/24 (VLAN 8), eth0.3 10.5.10.1/24 (VLAN 10), eth1 10.6.1.1/24 (DMZ)
• HiveManager: MGT 10.5.1.20/24, no gateway
• Win2008 AD Server: MGT 10.5.1.10/24, no gateway
• Linux Server: MGT 10.6.1.150/24
• Terminal Server: 10.5.1.5/24
• L2 Switch: native VLAN 1; AP LAN ports are connected to the L2 switch with 802.1Q VLAN trunks
• 14 Aerohive APs, common settings: MGT0 in VLAN 1, native VLAN 1, 10.5.1.*/24 with no default gateway
• 14 Client PCs for wireless access (X = 2, 3, ... N): Ethernet 10.5.1.20X/24 with no gateway; Wireless 10.5.10.X/24 with gateway 10.5.10.1
Services for Hosted Class
• Win2008 AD Server: RADIUS (IAS), DNS, DHCP
• Linux Server: Web Server, FTP Server
- 8. © 2014 Aerohive Networks CONFIDENTIAL
Aerohive CBT Learning
http://www.aerohive.com/cbt
- 9. © 2014 Aerohive Networks CONFIDENTIAL
Aerohive Education on YouTube
http://www.youtube.com/playlist?list=PLqSW15RTj6DtEbdPCGIm0Kigvrscbj-Vz
Learn the basics of Wi-Fi and more.
- 10. © 2014 Aerohive Networks CONFIDENTIAL
The 20 Minute Getting Started Video
Explains the Details
Please view the Aerohive Getting Started Videos:
http://www.aerohive.com/330000/docs/help/english/cbt/Start.htm
- 11. © 2014 Aerohive Networks CONFIDENTIAL
Aerohive Technical Documentation
All the latest technical documentation is available for download at:
http://www.aerohive.com/techdocs
- 12. © 2014 Aerohive Networks CONFIDENTIAL
Aerohive Instructor Led Training
• Aerohive Education Services offers a complete curriculum that provides you with the courses you will need as a customer or partner to properly design, deploy, administer, and troubleshoot all Aerohive WLAN solutions.
• Aerohive Certified WLAN Administrator (ACWA) – First-level course
• Aerohive Certified WLAN Professional (ACWP) – Second-level course
• Aerohive Certified Network Professional (ACNP) – Switching/Routing course
• www.aerohive.com/training – Aerohive Class Schedule
- 13. © 2014 Aerohive Networks CONFIDENTIAL
Over 20 books about networking have been written
by Aerohive Employees
• CWNA Certified Wireless Network Administrator Official Study Guide by David D. Coleman and David A. Westcott
• CWSP Certified Wireless Security Professional Official Study Guide by David D. Coleman, David A. Westcott, Bryan E. Harkins and Shawn M. Jackman
• CWAP Certified Wireless Analysis Professional Official Study Guide by David D. Coleman, David A. Westcott, Ben Miller and Peter MacKenzie
• 802.11 Wireless Networks: The Definitive Guide, Second Edition by Matthew Gast
• 802.11n: A Survival Guide by Matthew Gast
• 802.11ac: A Survival Guide by Matthew Gast
Over 30 books about networking have been written by Aerohive Employees
- 14. © 2014 Aerohive Networks CONFIDENTIAL
Aerohive Exams and Certifications
• Aerohive Certified Wireless Administrator (ACWA) is a first-level certification that validates your knowledge and understanding of Aerohive Networks' WLAN Cooperative Control Architecture. (Based upon Instructor Led Course)
• Aerohive Certified Wireless Professional (ACWP) is the second-level certification that validates your knowledge and understanding of Aerohive advanced configuration and troubleshooting. (Based upon Instructor Led Course)
• Aerohive Certified Network Professional (ACNP) is another second-level certification that validates your knowledge of Aerohive switching and branch routing. (Based upon Instructor Led Course)
- 15. © 2014 Aerohive Networks CONFIDENTIAL
Aerohive Forums
• Aerohive's online community – HiveNation
Have a question, an idea or praise you want to share? Join the HiveNation Community, a place where customers, evaluators, thought leaders and students like yourselves can learn about Aerohive and our products while engaging with like-minded individuals.
• Please take a moment and register during class if you are not already a member of HiveNation.
Go to http://community.aerohive.com/aerohive and sign up!
- 16. © 2014 Aerohive Networks CONFIDENTIAL
Aerohive Social Media
The HiveMind Blog: http://blogs.aerohive.com
Follow us on Twitter: @Aerohive
Instructor: David Coleman: @mistermultipath
Instructor: Bryan Harkins: @80211University
Instructor: Gregor Vucajnk: @GregorVucajnk
Instructor: Metka Dragos: @MetkaDragos
Please feel free to tweet about #Aerohive training during class.
- 17. © 2014 Aerohive Networks CONFIDENTIAL
Aerohive Technical Support – General
I want to talk to somebody live.
Call us at 408-510-6100 / Option 2. We also provide service toll-free from within the US & Canada by dialing (866) 365-9918. Aerohive has Support Engineers in the US, China, and the UK, providing coverage 24 hours a day.
How do I buy Technical Support?
Support Contracts are sold on a yearly basis, with discounts for multi-year purchases. Customers can purchase Support in either 8x5 format or in a 24 hour format.
I have different expiration dates on several Entitlement keys, may I combine all my support so it all expires on the same date?
Your Aerohive Sales Rep can help you set up Co-Term, which allows you to select matching expiration dates for all your support.
- 18. © 2014 Aerohive Networks CONFIDENTIAL
Aerohive Technical Support – The
Americas
How do I reach Technical Support?
Aerohive Technical Support is available 24 hours a day, via the Aerohive Support Portal or by calling. On the Support Portal, an authorized customer can open a Support Case. Communication is managed via the portal with new messages and replies. Once the issue is resolved, the case is closed and can be retrieved at any time in the future.
I want to talk to somebody live.
For those who wish to speak with an engineer, call us at 408-510-6100 / Option 2. We also provide service toll-free from within the US & Canada by dialing (866) 365-9918.
I need an RMA in The Americas
An RMA is generated via the Support Portal, or by calling our Technical Support group. After troubleshooting, should the unit require repair, we will overnight* a replacement to the US and Canada. Other countries are international. If the unit is DOA, it is replaced with a brand new item; if not, it is replaced with a like-new refurbished item.
*Restrictions may apply: time of day, location, etc.
- 19. © 2014 Aerohive Networks CONFIDENTIAL
Aerohive Technical Support – International
How do I get Technical Support outside The Americas?
Aerohive international Partners provide dedicated Technical Support to their customers. The Partner has received specialized training on Aerohive Networks' product line, and has access to 24 hour internal Aerohive Technical Support via the Support Portal, or by calling 408-510-6100 / Option 2.
I need an RMA internationally
World customers' defective units are quickly replaced by our Partners, and Aerohive replaces the Partner's stock once it arrives at our location. Partners are responsible for all shipping charges, duties, taxes, etc.
- 20. © 2014 Aerohive Networks CONFIDENTIAL
Copyright Notice
Copyright © 2014 Aerohive Networks, Inc. All rights reserved.
Aerohive Networks, the Aerohive Networks logo, HiveOS, Aerohive AP, HiveManager, and GuestManager are trademarks of Aerohive Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies.
- 21. © 2014 Aerohive Networks CONFIDENTIAL
QUESTIONS?
- 22. © 2014 Aerohive Networks Inc.
SECTION 1:
PLANNING AND DESIGNING YOUR
NETWORK
Aerohive’s
Instructor-led Training
- 23. © 2014 Aerohive Networks CONFIDENTIAL
The Relationship between the OSI Model
and Wi-Fi
Wi-Fi operates at layers one and two.
Wireless LANs provide access to the distribution systems of wired networks, which gives users connections to wired network resources.
OSI layers (top to bottom): Application, Presentation, Session, Transport, Network, Data Link, Physical. Wi-Fi occupies the bottom two.
- 24. © 2014 Aerohive Networks CONFIDENTIAL
Where Wi-Fi Fits into the OSI Model –
Physical Layer
Layer 1 (Physical)
The medium through which data is transferred
802.3 uses cables
802.11 uses the RF medium
Key Term: Medium
- 25. © 2014 Aerohive Networks CONFIDENTIAL
Where Wi-Fi Fits into the OSI Model –
Data Link Layer
Layer 2 (Data-Link)
The MAC sublayer manages access to the physical medium.
The LLC sublayer manages the flow of multiple simultaneous network protocols over the same network medium.
Devices operating no higher than Layer 2 include: network interface cards (NICs), Layer-2 Ethernet switches, and wireless access points.
Frame layout: header with MAC addressing | Layer 3-7 data | trailer with CRC
- 26. © 2014 Aerohive Networks CONFIDENTIAL
Amendments and Rates
DSSS  Direct Sequence Spread Spectrum
FHSS  Frequency Hopping Spread Spectrum
OFDM  Orthogonal Frequency Division Multiplexing
HT    High Throughput
VHT   Very High Throughput
SISO  Single Input, Single Output
MIMO  Multiple Input, Multiple Output

Standard        Supported Data Rates     2.4 GHz   5 GHz   RF Technology   Radios
802.11 legacy   1, 2 Mbps                Yes       No      FHSS or DSSS    SISO
802.11b         1, 2, 5.5 and 11 Mbps    Yes       No      HR-DSSS         SISO
802.11a         6 - 54 Mbps              No        Yes     OFDM            SISO
802.11g         6 - 54 Mbps              Yes       Yes     OFDM            SISO
802.11n         6 - 600 Mbps             Yes       Yes     HT              MIMO
802.11ac        Up to 3.46 Gbps*         No        Yes     VHT             MIMO
*First generation 802.11ac chipsets support up to 1.3 Gbps
- 27. © 2014 Aerohive Networks CONFIDENTIAL
Class Scenario
• You have been tasked with designing the WLAN for a new building that has two floors, each 200 feet in length.
• Employees and Guests require high data rate connectivity.
• Your customer plans to implement a voice over WLAN solution in the future as well.
• This is an office environment, although the customer has already purchased AP350s for the deployment.
• Many commercial products exist for predictive coverage planning, for example AirMagnet, Ekahau and Tamosoft.
• For this deployment the customer is using Aerohive's free planner tool.
- 28. © 2014 Aerohive Networks CONFIDENTIAL
Defining the Lab
• Information Gathering (Site Survey)
• Types of Environments
• Client device types to be used
• Applications to be used
• Expected Growth vs. Current Needs
• Aerohive Devices to be used
• Mounting Concerns
• Coverage vs. Capacity Planning
• Device Density
• Security Enterprise and Guest use
• Using the Aerohive Planning Tool
• Questions
- 29. © 2014 Aerohive Networks CONFIDENTIAL
Every Environment is different
• Education
› K-12 Public and Private Schools
› University
› School Facilities
› Campus Housing
• Health Care
› Hospital
› Assisted Living
• Retail
› Stores
› Offices
› Warehousing
• Corporate Offices
• Logistics
› Ground Freight
› Air Freight
• Public Sector
› Emergency Services
› Civic Offices
• Outdoor Use
› Bridges
› Mesh
› Public Access
• Questions
- 30. © 2014 Aerohive Networks CONFIDENTIAL
Devices and Applications
• Devices
› Laptops
› Wi-Fi Phones
› Wi-Fi Enabled Cell Phones
› Barcode Scanners
› Tablets
› Point of Sale Systems
› BYOD
• Infrastructure
› Access Points
› Switches
› Routers
• Applications
› Internet Only
› Point of Sale Applications
› Medical Applications
› Voice
› Mobile Applications
› Standardized Testing
› Productivity Applications
› Custom Applications
Knowing the device types and applications to be used will greatly assist you in planning and deploying successful networking solutions.
- 31. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Planning a Wireless Network
1. Connect to the Hosted Training HiveManager
• Securely browse to the appropriate HiveManager for class
› TRAINING LAB 1: https://training-hm1.aerohive.com (https://72.20.106.120)
› TRAINING LAB 2: https://training-hm2.aerohive.com (https://72.20.106.66)
› TRAINING LAB 3: https://training-hm3.aerohive.com (https://209.128.124.220)
› TRAINING LAB 4: https://training-hm4.aerohive.com (https://203.214.188.200)
› TRAINING LAB 5: https://training-hm5.aerohive.com (https://209.128.124.230)
• Supported Browsers:
› Firefox, Internet Explorer, Chrome, Safari
• Class Login Credentials:
› Login: adminX (X = Student ID 2 - 29)
› Password: aerohive123
NOTE: In order to access the HiveManager, someone at your location needs to enter the training firewall credentials given to them by the instructor first.
- 32. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Planning a Wireless Network
2. Formatting your Plan Building
• Click on the Maps Tab
• Expand World in the Navigation Pane
• Expand Planner Maps in the Navigation Pane
• Expand 0X Plan Building (where 0X is your Student Number)
• Click on Floor 1
- 33. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Planning a Wireless Network
3. Formatting your Plan Building
• To scale the map, move one red crosshair over the far left of the
building image and the other to the far right of the building
image
• In the Scale Map Section, use the drop down arrow to select feet
• Enter a value of 200 feet and click the Update button
- 34. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Planning a Wireless Network
4. Formatting your Plan Building
• Click on the Walls tab
• Click the Draw Perimeter button
• Click the upper left corner of your building image to begin tracing the perimeter of your floor
• Move the + cursor clockwise and click and release on each of the remaining corners
• When you are back to the first corner, double click to close the perimeter
- 35. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Planning a Wireless Network
5. Formatting your Plan Building
• Click the drop down arrow next to Wall Type and select any of
the material types you would like to use
• Click the / icon and trace over a few walls
• Click the drop down arrow next to Wall Type again and select
another material type
• Click the / icon and trace over a few different walls
- 36. © 2014 Aerohive Networks CONFIDENTIAL
802.11n, 802.11ac and MIMO radios
Notation: Transmit x Receive : Spatial Streams
• Aerohive AP 141: 2x2:2
• Aerohive AP 350: 3x3:3
• iPhone: 1x1:1
• iPad: 1x1:1
- 37. © 2014 Aerohive Networks CONFIDENTIAL
Aerohive AP Platforms (comparison table; the slide layout did not survive extraction)
• AP170: outdoor, water proof (IP 68); 2x2:2 300 Mbps 11n high power radios; 1X Gig.E; PoE (802.3at); USB N/A; -40 to 55°C
• AP390: indoor industrial, plenum/dust proof; dual radio 802.11ac/n; 3x3:3 450 + 1300 Mbps high power radios; 2X Gig E w/ PoE failover; -20 to 55°C
• AP121, AP141, AP230, AP330, AP350 and AP370*: indoor models (plenum rated, 0 to 40°C); dual radio 802.11n or 802.11ac/n; 2x2:2 300 Mbps or 3x3:3 450 Mbps high power radios; 1X Gig.E or 2X Gig.E with 10/100 link aggregation; TPM Security Chip; PoE (802.3af + 802.3at) and AC power; USB for 3G/4G modem or for future use
* Includes 5 GHz Transmit Beamforming and in 2.4 GHz has TurboQAM
- 38. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Planning a Wireless Network
6. Formatting your Plan Building
• Click the Planned APs tab
• Click the drop down arrow next to AP Type and select the AP350
• Leave the Channel and Power settings as default
• Click the Add AP button
- 39. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Planning a Wireless Network
7. Formatting your Plan Building
• Examine the predicted coverage provided by a single AP of the
type you selected earlier
• Click and drag the AP to another location and observe the
predicted coverage in the new location
• Click the Remove All APs button
• Click Yes to confirm the removal
- 40. © 2014 Aerohive Networks CONFIDENTIAL
dBm and mW conversions
dBm        milliwatts
+30 dBm    1000 mW              1 Watt
+20 dBm    100 mW               1/10th of 1 Watt
+10 dBm    10 mW                1/100th of 1 Watt
0 dBm      1 mW                 1/1,000th of 1 Watt
–10 dBm    .1 mW                1/10th of 1 milliwatt
–20 dBm    .01 mW               1/100th of 1 milliwatt
–30 dBm    .001 mW              1/1,000th of 1 milliwatt
–40 dBm    .0001 mW             1/10,000th of 1 milliwatt
–50 dBm    .00001 mW            1/100,000th of 1 milliwatt
–60 dBm    .000001 mW           1 millionth of 1 milliwatt
–70 dBm    .0000001 mW          1 ten-millionth of 1 milliwatt
–80 dBm    .00000001 mW         1 hundred-millionth of 1 milliwatt
–90 dBm    .000000001 mW        1 billionth of 1 milliwatt
–95 dBm    .0000000002511 mW    Noise Floor
Qualitative scale shown beside the table, from strongest to weakest: Very Strong, Great, Weak, Do not care, No Signal.
- 41. © 2014 Aerohive Networks CONFIDENTIAL
Dynamic Rate Switching
Concentric coverage rings around the AP, from the highest rate nearest the AP to the lowest rate farthest away: 11 Mbps DSSS (highest rate), 5.5 Mbps DSSS (higher rate), 2 Mbps DSSS (higher rate), 1 Mbps DSSS (lowest rate).
To use higher data rates a station requires a stronger signal from the AP.
As stations move they adjust the data rate used in order to remain connected (moving away) or to achieve a better signal (moving closer).
- 42. © 2014 Aerohive Networks CONFIDENTIAL
Interference and
Signal to Noise Ratio
• Based on the SNR, the client and AP negotiate a data rate at which to send the packet, so the higher the SNR the better
• For good performance, the SNR should be greater than 20 dB
• For optimal performance, the SNR should be at least 25 dB

                    Great          Poor
Signal Strength     -70 dBm        -70 dBm
- Noise Level       - (-95 dBm)    - (-80 dBm)
= SNR               = 25 dB        = 10 dB
- 43. © 2014 Aerohive Networks CONFIDENTIAL
Planning Coverage for Different Scenarios
• -80 dBm: Basic Connectivity
• -70 dBm: High Speed Connectivity
• -67 dBm: Voice
• -62 dBm: Location Tracking – RTLS
When planning you should always take into consideration future uses of Wi-Fi and projected growth.
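As an added example (not part of the Aerohive slides), the dBm/mW conversion, the SNR arithmetic from the interference slide, and the coverage thresholds above, implemented in Python; the function and constant names are my own, and the -95 dBm noise floor is the value the slides use.

```python
"""dBm/mW conversions, SNR and coverage thresholds from the planning slides.
Added example for this page; not part of the Aerohive course material."""
import math

NOISE_FLOOR_DBM = -95.0   # noise floor used in the slides' "Great" SNR column

# RSSI planning targets from the "Planning Coverage for Different Scenarios"
# slide, strongest requirement first.
COVERAGE_THRESHOLDS_DBM = (
    ("location tracking (RTLS)", -62),
    ("voice", -67),
    ("high speed connectivity", -70),
    ("basic connectivity", -80),
)


def dbm_to_mw(dbm: float) -> float:
    """dBm is 10*log10(P / 1 mW), so P = 10^(dBm / 10) milliwatts."""
    return 10.0 ** (dbm / 10.0)


def mw_to_dbm(mw: float) -> float:
    """Inverse of dbm_to_mw; 0 mW has no dBm value, so reject it."""
    if mw <= 0:
        raise ValueError("power in mW must be positive")
    return 10.0 * math.log10(mw)


def snr_db(signal_dbm: float, noise_dbm: float) -> float:
    """SNR in dB is the difference of two dBm values (a ratio of powers)."""
    return signal_dbm - noise_dbm


def snr_rating(snr: float) -> str:
    """Apply the slide's guidelines: > 20 dB good, >= 25 dB optimal."""
    if snr >= 25:
        return "optimal"
    if snr > 20:
        return "good"
    return "poor"


def required_signal_dbm(target_snr_db: float,
                        noise_dbm: float = NOISE_FLOOR_DBM) -> float:
    """Weakest signal that still gives target_snr_db over the noise floor."""
    return noise_dbm + target_snr_db


def supported_applications(rssi_dbm: float):
    """Applications whose planning threshold the measured RSSI meets."""
    return [name for name, threshold in COVERAGE_THRESHOLDS_DBM
            if rssi_dbm >= threshold]


def conversion_table(start_dbm: int = 30, stop_dbm: int = -90, step: int = -10):
    """Rows of (dBm, mW) like the slide's table; used by the demo below."""
    return [(d, dbm_to_mw(d)) for d in range(start_dbm, stop_dbm - 1, step)]


if __name__ == "__main__":
    for dbm, mw in conversion_table():
        print(f"{dbm:+4d} dBm = {mw:.9f} mW")
    for label, sig, noise in (("Great", -70, -95), ("Poor", -70, -80)):
        s = snr_db(sig, noise)
        print(f"{label}: {sig} dBm - ({noise} dBm) = {s:.0f} dB ({snr_rating(s)})")
    print("Signal needed for 25 dB SNR at -95 dBm noise:",
          required_signal_dbm(25), "dBm")
```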
- 44. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Planning a Wireless Network
8. Formatting your Plan Building
• Click the Auto Placement Tab
• Using the drop down arrow next to Application, select Voice
• Ensure that the Signal Strength is set to -67 dBm
• Click the Auto Place APs button
• Observe the coverage patterns and, if needed, move APs to create a hole in the coverage
- 45. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Planning a Wireless Network
9. Formatting your Plan Building
• Click the Planned APs Tab
• Click the Add AP button
• Observe the new planned AP filling in a hole in coverage
- 46. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Planning a Wireless Network
10. Formatting your Plan Building
• In the Navigation pane, right click on your Floor 1 and
select Clone
• Name your Clone Floor 2
• Click the Create button
- 47. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Planning a Wireless Network
Multiple Floors
What if there are multiple floors? Not all buildings are symmetrical.
If you have multiple floors you can adjust the X and Y coordinates to align the floors. Use an anchor point such as an elevator shaft to align the floors.
- 48. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Planning a Wireless Network
11. Formatting your Plan Building
• In the Navigation pane, click Floor 2
• Click the Auto Placement Tab
• Click the Auto Place APs button
• Observe the device placement
- 49. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Planning a Wireless Network
12. Formatting your Plan Building
• In the Navigation pane, click on 0X Plan Building (where 0X is your student number)
• Observe the placement and channel selection of the Planned APs on both floors
• Remember RF signals propagate in three dimensions, not just two. Planning should take this into account for AP placement.
- 50. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Planning a Wireless Network
13. Formatting your Plan Building
• Click Floor 1 and then click on the View Tab
• Uncheck RSSI and check Channels
• Change the Band to 2.4 GHz
• Observe the predicted channel coverage
- 51. © 2014 Aerohive Networks CONFIDENTIAL
2.4 GHz Channels
Used for 802.11b/g/n
• Channels 1, 6, and 11 are the only non-overlapping channels
between channels 1 and 11
› Using channels that cause overlap may cause CRC and other
wireless interference and errors
• If you are in a country that has channels 1 – 13 or 14 available,
you may still want to use 1, 6, and 11 for compatibility with mobile
users from other countries
- 52. © 2014 Aerohive Networks CONFIDENTIAL
Channel Reuse Pattern
In this plan only the non-overlapping channels of 1, 6 and 11 are used.
- 53. © 2014 Aerohive Networks CONFIDENTIAL
Adjacent Cell Interference
Improper designs use overlapping channels in the same physical area.
- 54. © 2014 Aerohive Networks CONFIDENTIAL
Co-Channel
Interference/Cooperation
Improper design using the same channel on all APs in the same physical area.
- 55. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Planning a Wireless Network
14. Formatting your Plan Building
• Change the Band from 2.4 GHz to 5 GHz
• Observe the predicted channel coverage
- 56. © 2014 Aerohive Networks CONFIDENTIAL
5 GHz Channels
Used for 802.11a/n/ac
• The 5 GHz spectrum has more non-overlapping channels available.
• Channels increment by 4 starting with channel 36.
• The available 5 GHz channels vary greatly by country, and some are enabled if the AP complies with DFS.
• The 5 GHz UNII-2 and UNII-2 Extended bands are enabled with DFS compliance.
- 57. © 2014 Aerohive Networks CONFIDENTIAL
Channel Reuse Plan-5 GHz
8-channel reuse plan using the channels in the UNII-1 and UNII-3
- 58. © 2014 Aerohive Networks CONFIDENTIAL
Quick and Easy mounting scheme of the
300 series now on the 121/141
All AP121/141 and AP330/350 mountings are identical.
All AP121/141 and AP330/350 power adaptors are identical.
Note: Always use the mounting security screw.
- 59. © 2014 Aerohive Networks CONFIDENTIAL
New Accessory: Suspend mount kits
- 60. © 2014 Aerohive Networks CONFIDENTIAL
New Accessory: Plenum mount kit
- 61. © 2014 Aerohive Networks CONFIDENTIAL
Antenna Patterns and Gain
• Aerohive AP 390, 350 & 141 external omnidirectional antennas radiate equally in all directions, forming a toroidal (donut-shaped) pattern
• Aerohive AP 370, 330, 121, and 110 internal antennas form a cardioid (heart-shaped) pattern
• By using a directional antenna, the power that you see with an omnidirectional antenna can be redistributed to provide more radiated power in a certain direction; this is called gain
In this case, the power is not increased; instead it is redistributed to provide more gain in a certain direction.
(Figures: Aerohive AP350; Aerohive AP330, 121, 110)
- 62. © 2014 Aerohive Networks CONFIDENTIAL
AP 141 MIMO Antenna Alignment
With external omnidirectional antennas, the positioning of the antennas helps with de-correlation of spatial streams, which is critical to maintaining high data rates.
- 63. © 2014 Aerohive Networks CONFIDENTIAL
AP 350 MIMO Antenna Alignment
With external omnidirectional antennas, the positioning of the antennas helps with de-correlation of spatial streams, which is critical to maintaining high data rates.
- 64. © 2014 Aerohive Networks CONFIDENTIAL
Indoor 5 GHz MIMO Patch Antenna
• 120 degree beamwidth
• 5 dBi gain
• 3x3 MIMO Patch
• Use with AP-350
• Use with AP-141 (middle connector not used with AP-141)
For high user density deployments, indoor patch antennas are recommended for sectorized coverage. For example, the patch antennas can be mounted from the ceiling to provide unidirectional coverage in an auditorium.
- 65. © 2014 Aerohive Networks CONFIDENTIAL
Outdoor 5 GHz MIMO Patch Antenna
• 17 degree beamwidth
• 18 dBi gain
• 2x2 MIMO Patch
• Use with AP-170
Outdoor patch antennas are well suited for point to point connections between buildings.
- 66. © 2014 Aerohive Networks CONFIDENTIAL
QUESTIONS?
- 67. © 2014 Aerohive Networks Inc.
SECTION 2:
HIVEMANAGER OVERVIEW
Aerohive’s
Instructor-led Training
- 68. © 2014 Aerohive Networks CONFIDENTIAL
What is HiveManager?
We have completed the predictive model and have deployed and physically mounted the APs. Now we need a way to centrally manage the WLAN.
We will use Aerohive's network management server (NMS), called HiveManager. HiveManager can be used to monitor, configure and update the WLAN.
• HiveManager can be deployed as a public cloud solution or as a
private cloud solution (on premise).
• The on premise HiveManager is available in different form factors.
• The Aerohive Devices use an IP discovery process to locate on
premise HiveManagers.
• A redirector service is used to guide Aerohive Devices to the
Public Cloud HiveManager.
• HiveManager uses CAPWAP as the protocol to monitor and
manage Aerohive Devices.
- 69. © 2014 Aerohive Networks CONFIDENTIAL
HiveManager Form Factors
Features: SW Config & Policy, RF Planning, Reporting, SLA Compliance, Guest Management, Trouble Shooting, Spectrum Analysis
• HiveManager Online: scalable multi-tenant platform, redundant data centers with diversity, backup & recovery, zero touch device provisioning, flexible expansion, on demand upgrades, pay as you grow
• HiveManager On-Premise - VA: VMware ESX & Player, HA redundancy, 5000 APs with minimum configuration
• HiveManager On-Premise Appliance: redundant power & fans, HA redundancy, 8000 APs and devices
- 70. © 2014 Aerohive Networks CONFIDENTIAL
On-Premise Virtual Appliance
• VMware Server Hardware Requirements
› You can also install VMware Workstation or VMware Fusion (Mac version) on your computer, and then install the HiveManager Virtual Appliance.
› Processor: Dual Core 2 GHz or better
› Memory: 3 GB dedicated to HiveManager Virtual Appliance; at least 1 GB for the computer hosting it
› Disk: 60 GB dedicated to HiveManager Virtual Appliance
› Support for VMware tools in version 6.1r3 and higher
• For more information please reference the HiveManager Virtual Appliance QuickStart Guide.
- 71. © 2014 Aerohive Networks CONFIDENTIAL
HiveManager Virtual Appliance Software
The HiveManager Virtual Appliance software is
available from two sources:
• USB flash drive delivered to you by Aerohive
› Connect the drive to a USB port on your host or VMware ESXi
server and follow the procedure for "Installing the HiveManager
Virtual Appliance" on page 3 of the HiveManager Virtual
Appliance QuickStart Guide to import the .ova file to your
VMware ESXi server.
• Software download from the Aerohive Support Software
Downloads portal
› Log in to the Aerohive Support Software Downloads portal,
download the HiveManager Virtual Appliance OVA-formatted
file to your local directory, and follow the procedure for
"Installing the HiveManager Virtual Appliance" on page 3 of
the HiveManager Virtual Appliance QuickStart Guide to import
the .ova file to your VMware ESXi hypervisor server.
- 72. © 2014 Aerohive Networks CONFIDENTIAL
HiveManager Virtual Appliance Software
The .ova (Open Virtual Appliance) formatted files are available in both 32-bit and 64-bit format and are ready for import to your VMware ESXi hypervisor server. In the following example, the HiveManager release 6.1r3 files available on the Aerohive Support Software Downloads portal are shown:
• HM-6.1r3-32bit-ESXi — 6.1r3 HiveManager 32bit Virtual Appliance ESXi in Open Virtual Appliance format.
• HM-6.1r3-64bit-ESXi — 6.1r3 HiveManager 64bit Virtual Appliance ESXi in Open Virtual Appliance format.
- 73. © 2014 Aerohive Networks CONFIDENTIAL
On-Premise HiveManager Appliance
- 74. © 2014 Aerohive Networks CONFIDENTIAL
On-Premise HiveManager Databases
- 75. © 2014 Aerohive Networks CONFIDENTIAL
HiveManager Online (HMOL)
• Customers can manage Aerohive Devices from
the Cloud using their HMOL accounts.
• http://myhive.aerohive.com
- 76. © 2014 Aerohive Networks CONFIDENTIAL
MyHive – Aerohive AP Redirection Server
• MyHive is a secure site that allows you to log in once and then navigate to HiveManager Online
• The Redirector/Staging Server is built inside of your HMOL account
• New HMOL accounts will also have the ability for a 30-day free trial of ID Manager
- 77. © 2014 Aerohive Networks CONFIDENTIAL
HiveManager Online (HMOL)
• The Super-User administrator for your HMOL account has the ability to create additional admins with other access rights
- 78. © 2014 Aerohive Networks CONFIDENTIAL
MyHive – Aerohive device Redirector Server
• The redirector is used to tie your devices to your HMOL account.
• From Monitor, All Devices, Device Inventory, select Add
- 79. © 2014 Aerohive Networks CONFIDENTIAL
MyHive – Aerohive device Redirector Server
• Simply enter in the serial number of your APs, routers, switches and Virtual Appliances.
• Once the serial number is entered into the Redirector (Staging Server), your devices will be permanently tied to your HMOL account.
• You can also import a CSV file with multiple serial numbers
- 80. © 2014 Aerohive Networks CONFIDENTIAL
MyHive – Aerohive AP Redirection Server
• Devices that have not yet made a CAPWAP connection
with HMOL will display under the Unmanaged Devices tab.
• Once devices make a CAPWAP connection with HMOL,
they will be displayed under Managed Devices.
- 81. © 2014 Aerohive Networks CONFIDENTIAL
Aerohive Device Redirection Services for HiveManager Online
(Diagram) APs and Routers -> Aerohive Redirector at myhive.aerohive.com -> HiveManager Online. Serial numbers are entered into the redirector.
- 82. © 2014 Aerohive Networks CONFIDENTIAL
On-Premise HiveManager Discovery
APs, Routers and Switches Locate HiveManager
(Diagram: Aerohive Devices locating the On-Premise HiveManager)
• In order for Aerohive devices to communicate with an on-premise HiveManager, they must know the on-premise HiveManager IP address.
• The HiveManager address can be statically configured or dynamically learned.
• Static CLI configuration:
› capwap client server name “ip address”
› save config
• Dynamic IP discovery:
› DHCP options
› DNS query
› L2 broadcast (Can be disabled)
› Redirector
- 83. © 2014 Aerohive Networks CONFIDENTIAL
On-Premise HiveManager Discovery
APs and Routers Locate HiveManager
(Diagram: Aerohive Devices ↔ DHCP/DNS Server)
1. DHCP Request
2. DHCP Response: IP, Domain, & DHCP Options returned. Optionally:
› Option 225 (HM Name): hm1.yourdomain
› Option 226 (HM IP): 2.1.1.10
3. If option 225 was received, then the device performs a DNS lookup for the HM name received; otherwise the device performs a DNS lookup for hivemanager.yourdomain.
If option 226 was received, then the device sends the CAPWAP traffic to the IP address of HiveManager.
4. DNS Response for IP: hivemanager.yourdomain or hm1.yourdomain = 2.1.1.10 (for example)
- 84. © 2014 Aerohive Networks CONFIDENTIAL
On-Premise HiveManager Discovery
APs and Routers Locate HiveManager
(Diagram: Aerohive Devices ↔ HiveManager 2.1.1.10 (example). The HiveManager may be a HiveManager Online, a HiveManager Virtual Appliance (VA), or a 1U or 2U appliance.)
5. CAPWAP UDP Port 12222 to IP: 2.1.1.10
6. If UDP fails: CAPWAP TCP Port 80 to IP: 2.1.1.10
7. If no DHCP option or DNS option is returned, or no IP is found: CAPWAP Broadcast UDP 12222
8. If no response: CAPWAP Broadcast TCP 80
9. If no responses: CAPWAP UDP Port 12222 to the IP address of staging.aerohive.com. If no response, try CAPWAP TCP Port 80 to the IP address of staging.aerohive.com
- 85. © 2014 Aerohive Networks CONFIDENTIAL
Redirector Account for On-Premise HM
Free account is available from Aerohive support
• You can go to: myhive.aerohive.com
• Login with your redirector account provided by Aerohive
• You can redirect your devices to an on-premise HiveManager
Ask Aerohive support for the required separate HiveManager redirection username account.
- 86. © 2014 Aerohive Networks CONFIDENTIAL
Redirector Account for On-Premise HM
Configure Standalone HiveManager
• To add a standalone HiveManager account, click: Configure Standalone HM
• Enter a public hostname or IP address for your HiveManager
• Optionally change the Connection Protocol to TCP if required
• Click Save
- 87. © 2014 Aerohive Networks CONFIDENTIAL
Redirector Account for On-Premise HM
Enter Device Serial Numbers
• To add your device serial numbers so they can be redirected, click Device Access Control List
• Click Enter
• ACL Category: Standalone HM
• Enter your 14-digit serial numbers, for example:
00112233445566
00112233445567
00112233445568
00112233445569
• Click Save
- 88. © 2014 Aerohive Networks CONFIDENTIAL
Aerohive On-Premise HiveManager Discovery
APs, Routers and Switches Locate HiveManager
(Diagram: APs and Routers → Aerohive Redirector → Your Private Cloud or Company HiveManager hm1.yourdomain, with HiveManager Online shown alongside)
Redirector: Redirect device to hm1.yourdomain (requires a standalone redirector account)
12. Connect to HM returned from redirector: hm1.yourdomain
13. Finally, if the redirector is not configured, the complete discovery process is restarted.
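As an added example (not HiveOS or HiveManager code), the following Python models the discovery order from slides 82 through 88 so the fallback chain can be traced for a given DHCP, DNS and reachability situation; every hostname, address, serial number and field of the Environment fixture is a constructed assumption, and "reachable" is simulated rather than probed on a real network.

```python
# Simulation of the HiveManager discovery order described on slides 82-88.
# Added example for this page; it is not HiveOS or HiveManager code, and every
# hostname, address, serial number and DHCP option value below is constructed.
from dataclasses import dataclass, field
from typing import Optional

CAPWAP_UDP_PORT = 12222            # default CAPWAP transport (slide 84, step 5)
CAPWAP_TCP_PORT = 80               # HTTP-encapsulated fallback (slide 84, step 6)
STAGING_HOST = "staging.aerohive.com"
OPT_HM_NAME, OPT_HM_IP = 225, 226  # DHCP options carrying the HM name / IP (slide 83)
BROADCAST = "broadcast"            # stands in for the L2 CAPWAP broadcast


@dataclass
class Environment:
    """Everything the device can observe on its network (constructed test fixture)."""
    domain: str                                       # domain name returned by DHCP
    dhcp_options: dict = field(default_factory=dict)  # {225: name, 226: ip}
    dns: dict = field(default_factory=dict)           # name -> IP address
    answering: set = field(default_factory=set)       # (host, port) pairs that answer CAPWAP
    redirector: Optional[dict] = None    # serial -> (hm host, "udp"|"tcp"); None = not configured
    static_server: Optional[str] = None  # set by 'capwap client server name ...' (slide 82)
    l2_broadcast: bool = True            # L2 broadcast discovery can be disabled (slide 82)


def dynamic_hm_address(env: Environment) -> Optional[str]:
    """Steps 2-4: option 226 wins outright; otherwise resolve the name from
    option 225, or hivemanager.<domain> when no name option was returned."""
    if OPT_HM_IP in env.dhcp_options:
        return env.dhcp_options[OPT_HM_IP]
    name = env.dhcp_options.get(OPT_HM_NAME, f"hivemanager.{env.domain}")
    return env.dns.get(name)


def discover(env: Environment, serial: str):
    """Return ((host, port), attempts) for the first CAPWAP target that answers,
    or (None, attempts) when the device has to restart discovery (slide 88, step 13)."""
    attempts = []

    def capwap(host, port):
        attempts.append((host, port))
        return (host, port) in env.answering

    def udp_then_tcp(host):
        return capwap(host, CAPWAP_UDP_PORT) or capwap(host, CAPWAP_TCP_PORT)

    # A statically configured server takes the place of the learned address.
    target = env.static_server or dynamic_hm_address(env)
    if target is not None:
        if udp_then_tcp(target):          # steps 5-6: UDP 12222, then TCP 80
            return attempts[-1], attempts
    elif env.l2_broadcast:
        if udp_then_tcp(BROADCAST):       # steps 7-8: only when no address was found
            return attempts[-1], attempts
    # Step 9: fall back to the redirector at staging.aerohive.com, UDP then TCP.
    if udp_then_tcp(STAGING_HOST):
        entry = (env.redirector or {}).get(serial)
        if entry is not None:             # step 12: connect to the HM the redirector returns
            host, proto = entry           # proto is the account's Connection Protocol (slide 86)
            port = CAPWAP_UDP_PORT if proto == "udp" else CAPWAP_TCP_PORT
            attempts.append((host, port))
            return (host, port), attempts
    return None, attempts                 # step 13: nothing configured, restart discovery


if __name__ == "__main__":
    # Walk-through: no DHCP option, no DNS record, broadcast unanswered, redirector configured.
    env = Environment(domain="yourdomain",
                      answering={(STAGING_HOST, CAPWAP_UDP_PORT)},
                      redirector={"00112233445566": ("hm1.yourdomain", "tcp")})
    result, tried = discover(env, "00112233445566")
    for host, port in tried:
        print(f"tried CAPWAP {host}:{port}")
    print("connect to", result)
```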
- 89. © 2014 Aerohive Networks CONFIDENTIAL
HiveManager DNS “A” Record
Example with Microsoft 2003 DNS
On your DNS server, create a DNS Host record with the IP address of the HiveManager.
A host record creates an A record, and you can select the option to automatically create the reverse (PTR) record as well.
- 90. © 2014 Aerohive Networks CONFIDENTIAL
Management protocols & device updates
(Diagram: HiveManager ↔ Aerohive Devices)
• Aerohive Device to Aerohive Device management traffic (Cooperative Control Protocols)
› AMRP, DNXP, INXP and ACSP
› Encrypted with the Hive Key
» Cooperative Control discussed later in class
• Aerohive Device to HiveManager management traffic
› CAPWAP - UDP port 12222 (default) or TCP ports 80, 443 (HTTP/HTTPS encapsulation)
› SCP - Port 22
- 91. © 2014 Aerohive Networks CONFIDENTIAL
Aerohive Device Configuration Updates
Complete Upload (DRAM: Running Config; Flash: Permanent Storage)
1. Over CAPWAP, HiveManager tells the Aerohive AP to SCP its config to its flash
2. The Aerohive AP uses SCP to get the config file from HiveManager and stores it in flash
3. The Aerohive AP must be rebooted to activate the new configuration
Delta Upload (DRAM: Running Config; Flash: Permanent Storage)
1. Over CAPWAP, HiveManager obtains the configuration from the Aerohive AP and compares it with its database
2. Over CAPWAP, HiveManager sends the delta configuration changes directly to RAM, where they are immediately activated, and the running configuration is then saved to flash
- 92. © 2014 Aerohive Networks CONFIDENTIAL
Cooperative Control Protocols
In-depth information located in section 16
Hive – Cooperative control for a group of Hive Devices that share the same Hive name and Hive password.
› There is no limit to the number of Hive Devices that can exist in a single Hive
› Aerohive APs in a Hive cooperate with each other using Aerohive’s cooperative control protocols:
» AMRP (Aerohive Mobility Routing Protocol)
– Layer 2 and Layer 3 Roaming, Load Balancing, Band Steering, Layer 2 GRE Tunnel Authentication and Keepalives
» DNXP (Dynamic Network Extensions Protocol)
– Dynamic GRE tunnels to support layer 3 roaming
» INXP (Identity-Based Network Extensions Protocol)
– GRE tunnels for guest tunnels
» ACSP (Automatic Channel Selection & Power) Protocol
– Radio Channel and Power Management
- 93. © 2014 Aerohive Networks CONFIDENTIAL
Lab: HiveManager Menu Navigation
1. Connect to the Hosted Training HiveManager
• Securely browse to the appropriate HiveManager for class
› TRAINING LAB 1: https://training-hm1.aerohive.com (https://72.20.106.120)
› TRAINING LAB 2: https://training-hm2.aerohive.com (https://72.20.106.66)
› TRAINING LAB 3: https://training-hm3.aerohive.com (https://209.128.124.220)
› TRAINING LAB 4: https://training-hm4.aerohive.com (https://203.214.188.200)
› TRAINING LAB 5: https://training-hm5.aerohive.com (https://209.128.124.230)
• Supported Browsers:
› Firefox, Internet Explorer, Chrome, Safari
• Class Login Credentials:
› Login: adminX (X = Student ID 2 - 29)
› Password: aerohive123
NOTE: In order to access the HiveManager, someone at your location needs to enter the training firewall credentials given to them by the instructor first.
- 94. © 2014 Aerohive Networks CONFIDENTIAL
Lab: HiveManager Menu Navigation
2. Dashboard
• The HiveManager dashboard provides detailed visibility into wired and wireless network activity.
• From the dashboard, you can view comprehensive information by application, user, client device and operating system, and a wide variety of other options.
- 95. © 2014 Aerohive Networks CONFIDENTIAL
Lab: HiveManager Menu Navigation
3. Home
The Home section of the GUI is where you configure a number of fundamental HiveManager settings, such as the following:
• Express and Enterprise modes
• VHM (virtual HiveManager) settings and HiveManager administrator accounts
• Settings for HiveManager time and network (including HA), admin access and session timeout, HTTPS, SSH/SCP, Aerohive product improvement program participation, and routing
• CAPWAP and e-mail notification settings, SNMP and TFTP services, and HiveManager administrator authentication options
• Click on the Home Tab
- 96. © 2014 Aerohive Networks CONFIDENTIAL
Lab: HiveManager Menu Navigation
4. Monitor
• From the Monitor menu, you can view commonly needed information and link to more detailed information about all the Aerohive devices that have contacted HiveManager.
• With an On-Premise HiveManager, those listed in the Unconfigured Devices section are not under HiveManager management and those in Configured Devices are being managed by HiveManager.
• When using HiveManager Online (HMOL), devices appear as Managed Devices or Unmanaged Devices to show whether or not they are being managed by HiveManager.
• Click on the Monitor Tab
- 97. © 2014 Aerohive Networks CONFIDENTIAL
Lab: HiveManager Menu Navigation
5. Reports
• Detailed reports can be created and customized using the information the Aerohive Devices deliver to HiveManager.
• Reports are covered in greater detail later in the class.
• Click on the Reports Tab
- 98. © 2014 Aerohive Networks CONFIDENTIAL
Lab: HiveManager Menu Navigation
6. Maps
• Use the tools in the Maps section to plan network deployments, and/or to track and monitor the operational status of managed devices.
• Maps can be used in pre-deployment for predictive modeling.
• Maps can be used in post-deployment for coverage visualization, troubleshooting, and client and rogue location tracking.
• Click on the Maps Tab
- 99. © 2014 Aerohive Networks CONFIDENTIAL
Lab: HiveManager Menu Navigation
7. Configuration
• The Configuration Tab gives you access to the Guided Configuration.
• Here you build your Network Policies, and Configure and Update Devices.
• Click on the Configuration Tab
- 100. © 2014 Aerohive Networks CONFIDENTIAL
Lab: HiveManager Menu Navigation
8. Tools
• The Tools Tab gives you access to additional testing and monitoring abilities.
• Here you can access such things as:
› The Planning Tool
› The Client Monitor
› The VLAN Probe
› The Device/Client Simulator
› The Server Access Tests
• Click on the Tools Tab
- 101. © 2014 Aerohive Networks CONFIDENTIAL
QUESTIONS?
- 102. © 2014 Aerohive Networks Inc.
SECTION 3. MOBILITY SOLUTIONS AND UNIFIED POLICY MANAGEMENT
Aerohive’s Instructor-led Training
- 103. © 2014 Aerohive Networks CONFIDENTIAL
Aerohive AP Platforms
(Comparison table; the per-model column layout did not survive extraction, so only the models and the attributes the table lists are kept here.)
Models: AP121, AP141, AP170, AP230, AP330, AP350, AP370*, AP390
Attributes compared: radios (2x2:2 300 Mbps or 3x3:3 450 Mbps 802.11n High Power Radios; 3x3:3 450 + 1300 Mbps Dual Radio 802.11ac/n), Ethernet (1X Gig.E; 2X Gig.E with link aggregation or with PoE failover), operating temperature (-40 to 55°C, -20 to 55°C, 0 to 40°C), power (PoE 802.3af + 802.3at, AC Power), TPM Security Chip, USB for 3G/4G Modem or for future use, and environment (Indoor, Indoor Industrial, Plenum Rated, Plenum/Dust Proof, Outdoor Water Proof IP 68)
* Includes 5 GHz Transmit Beamforming and in 2.4 GHz has TurboQAM
- 104. © 2014 Aerohive Networks CONFIDENTIAL
Aerohive AP 230
Performance, Functionality & Economy
• Performance
› Dual radio 802.11ac 3x3:3 - three spatial stream
» Radio 1 (802.11n + Turbo-QAM)
– 2.4GHz 802.11b/g/n: 3x3:3
» Radio 2 (802.11ac)
– 5GHz 802.11a/n/ac: 3x3:3 with TxBF
» 256-QAM, Supports up to 80 MHz channel for 5 GHz
• Functionality
› Application Visibility AND Control at Gigabit speeds
› 2x Gig Ethernet ports with link aggregation
› HiveOS enterprise feature set
• Economy
› 3 Stream .11ac at ~ price of 2 stream .11n
› Full Wi-Fi functionality with existing PoE infrastructure
› Full .11n legacy support – with improvements in mixed environments
- 105. © 2014 Aerohive Networks CONFIDENTIAL
Aerohive Routing Platforms
(Comparison table of BR 100, BR 200, AP 330 and AP 350 as routing platforms; the column layout did not survive extraction.)
Attributes compared: Single Radio (1x1 11bgn) vs Dual Radio (3x3:3 450 Mbps 11abgn); LAN ports (5X 10/100, 5X 10/100/1000, 2X 10/100/1000 Ethernet); FW/VPN throughput (5-10 Mbps, 30-50 Mbps); PoE PSE ports (0 or 2X)
* Also available as a non-Wi-Fi device
VPN Gateways (Physical/Virtual): L3 IPSec VPN Gateway, ~500 Mbps VPN, 4000/1024 Tunnels
- 106. © 2014 Aerohive Networks CONFIDENTIAL
BR100 vs. BR200
BR100                              | BR200/BR200WP
5x FastEthernet                    | 5x Gigabit Ethernet
1x1 11bgn (2.4Ghz) single radio    | 3x3:3 11abgn dual-band single radio (WP)
No integrated PoE                  | PoE (in WP model)
No console port                    | Console Port
No Spectrum Analysis               | Integrated Spectrum Analysis (WP)
No Wireless Intrusion Detection    | Full Aerohive WIPS (WP)
No local RADIUS or AD integration  | Full Aerohive RADIUS, proxy, and AD
No SNMP logging                    | SNMP Support
- 107. © 2014 Aerohive Networks CONFIDENTIAL
Aerohive Switching Platforms
SR2024P: 24 Gigabit Ethernet ports, 4 Ports 1G SFP Uplinks, 24 PoE+ (195 W), 56 Gbps switching, Switching Only, Single Power Supply
SR2124P: 24 Gigabit Ethernet ports, 4 Ports 10 G SFP/SFP+ Uplinks, 24 PoE+ (408 W), 128 Gbps switching, Routing with 3G/4G USB support and Line rate switching, Redundant Power Supply Capable
SR2148P: 48 Gigabit Ethernet ports, 4 Ports 10 G SFP/SFP+ Uplinks, 48 PoE+ (779 W), 176 Gbps switching, Routing with 3G/4G USB support and Line rate switching, Redundant Power Supply Capable
- 108. © 2014 Aerohive Networks CONFIDENTIAL
VPN Gateway Virtual Appliance
• Supports the following
› GRE Tunnel Gateway
› L2 IPSec VPN Gateway
› L3 IPSec VPN Gateway
› RADIUS Authentication Server
› RADIUS Relay Agent
› Bonjour Gateway
› DHCP server
• Use a VPN Gateway Virtual Appliance instead of an AP when higher scalability for these features is required
Function                                         Scale
VPN Tunnels                                      1024 Tunnels
RADIUS – Local users per VPN Gateway             9999
# Users Cache (RADIUS Server)                    1024
# Simultaneous authentications (RADIUS Server)   256
- 109. © 2014 Aerohive Networks CONFIDENTIAL
VPN Gateway Physical Appliance
• Supports the following
› GRE Tunnel Gateway
› L2 IPSec VPN Gateway
› L3 IPSec VPN Gateway
› RADIUS Authentication Server
› RADIUS Relay Agent
› Bonjour Gateway
› DHCP server
• Use a VPN Gateway Appliance instead of an AP when higher scalability for these features is required
Function                                         Scale
VPN Tunnels                                      4000 Tunnels
RADIUS – Local users per VPN Gateway             9999
# Users Cache (RADIUS Server)                    1024
# Simultaneous authentications (RADIUS Server)   256
Ports: One 10/100/1000 WAN port; four LAN ports, two of which support PoE
- 110. © 2014 Aerohive Networks CONFIDENTIAL
Network Policy = Configuration
Hive = Cooperative Control Protocols
(Diagram) Aerohive Devices are assigned to Network Policy: Corp1. Network Policy Corp1 contains the SSIDs Voice, Employee and Guest; the User Profiles IT Staff(9), Staff(10), Guests(8) and Voice(2); and the Hive "Corp" with WIPS, L2 IPsec VPN, Location Services and Access Console. The per-User-Profile settings shown are VLAN, QoS, QoS Rate Limit, Firewall, L3 Roaming, OS/Domain, SLA, Guest Tunnel and Schedule.
Note: Aerohive Devices configured with the same Network Policy will be in the same Hive, and can use cooperative control protocols for mesh, dynamic RF, layer 2/3 fast secure roaming, VPN failover, etc.
- 111. © 2014 Aerohive Networks CONFIDENTIAL
Network Policy
Guided Configuration
(Diagram: the Network Configuration panels)
• There are three main panels; you can click on a panel header to go to the panel
• Clicking on the Configure & Update Devices panel saves the configuration, as does Save or Continue
1. Configure Network Policy
2. Configure Interface & User Access
3. Configure & Update Devices
- 112. © 2014 Aerohive Networks CONFIDENTIAL
Setting Up a Wireless Network
Building your Initial Unified Network Policy
• Click on Configuration
• Under Choose Network Policy, click New
- 113. © 2014 Aerohive Networks CONFIDENTIAL
Setting Up a Wireless Network
Building your Initial Unified Network Policy
• Network Policies are used to assign the same basic configurations to multiple devices.
• One Network Policy can configure all device types.
- 114. © 2014 Aerohive Networks CONFIDENTIAL
Network Policy Types
• Wireless Access – Use when you have an AP only deployment, or you require specific wireless policies for APs in a mixed AP and router deployment
• Branch Routing – Use when you are managing routers, or APs behind routers that do not require different Network Policies than the router they connect through
(Diagrams: BR100 with an AP at a Small Branch Office or Teleworker Site connected to the Internet; BR200 with APs at a Small to Medium Size Branch Office that may have APs behind the router)
- 115. © 2014 Aerohive Networks CONFIDENTIAL
Network Policy Types
• Bonjour Gateway
› Allows Bonjour services to be seen in multiple subnets
• Switching
› Used to manage wired traffic using Aerohive Switches
(Diagram: an SR2024 PoE switch connecting APs to the Internet)
- 116. © 2014 Aerohive Networks CONFIDENTIAL
Unified Policy Management (Instructor Demo)
• Students and Instructor should open, view and discuss the Network Policy called Wireless-Access-Demo.
• Students and Instructor should open, view and discuss the Network Policy called Wireless-Routing-Demo.
• Students and Instructor should open, view and discuss the Network Policy called Wireless-Switching-Demo.
- 117. © 2014 Aerohive Networks CONFIDENTIAL
QUESTIONS?
- 118. © 2014 Aerohive Networks Inc.
SECTION 4. HIVEMANAGER WELCOME AND INITIAL CONFIGURATION
Aerohive’s Instructor-led Training
- 119. © 2014 Aerohive Networks CONFIDENTIAL
Scenario: First Login and Test Configuration
Upon initial login, there is a set of Welcome screens for the Super-User Administrator.
If you are new to HiveManager, it is recommended to create a Test Network Policy within HiveManager, then upload the network policy to some Aerohive Devices in a staging area for testing purposes.
- 120. © 2014 Aerohive Networks CONFIDENTIAL
Informational
HiveManager Welcome Page
-Only Seen at First Login-
Verify your Aerohive Device Inventory and then click Next
- 121. © 2014 Aerohive Networks CONFIDENTIAL
Informational
HiveManager Welcome Page
-Only Seen at First Login-
Welcome Page Settings...
• New HiveManager Password: <password for HiveManager and Aerohive APs>
• Administrative Mode: Enterprise Mode
• Time Zone: <Your time zone>
• Click Finish
Note: Express mode is a legacy simplified configuration option. Enterprise mode is more robust and is recommended.
- 122. © 2014 Aerohive Networks CONFIDENTIAL
Informational
HiveManager Welcome Page
-Only Seen at First Login-
NOTE: Setting the HiveManager Password here sets the default Aerohive AP Access Console SSID Key and the CLI admin password.
You can change some of these settings individually by going to Home > Device Management Settings
- 123. © 2014 Aerohive Networks CONFIDENTIAL
Informational
HiveManager Initial Configuration
Device CLI passwords can be globally set from Home / Device Management Settings
Individual managed device passwords can be set from Monitor / Modify
It is recommended that Aerohive Devices have a unique admin password for CLI login.
- 124. © 2014 Aerohive Networks CONFIDENTIAL
Informational
HiveManager Initial Configuration
• At first login, the administrator is prompted to fill out settings for Username, the administrator password for HiveManager, and a Quick start SSID password
• HiveManager uses the Username as the name for automatically generated Quick Start objects such as the DNS service, NTP service, QoS Classification profile, LLDP profile, ALG profile, etc. that will work in most cases without need for modification. You can create your own objects, or use the quick start ones.
- 125. © 2014 Aerohive Networks CONFIDENTIAL
Informational
HiveManager Initial Configuration
• For example,
› a DNS service object with the name “Class” is automatically generated
› an NTP service object with the name “Class” is automatically generated
• These objects are used when configuring WLAN and routing settings
- 126. © 2014 Aerohive Networks CONFIDENTIAL
Informational
HiveManager Initial Configuration
Note: Quick Start Objects are automatically created in every new Network Policy.
The Object names will be based upon the name from the initial welcome screen.
- 127. © 2014 Aerohive Networks CONFIDENTIAL
Informational
HiveManager Initial Configuration
The IP addresses for the QuickStart DNS object are Public DNS servers.
It is recommended that you edit the QuickStart DNS object to use DNS server IP addresses that are relevant to your deployment. Do this BEFORE you configure the rest of your Network Policy.
- 128. © 2014 Aerohive Networks CONFIDENTIAL
Informational
HiveManager Initial Configuration
The public Aerohive NTP server is used to set the clocks of your Aerohive Devices. You can edit this object to use a different NTP server.
Mandatory: You must change the time zone to match the time zone where your Aerohive Devices reside. Do this BEFORE you configure the rest of your Network Policy.
- 129. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating a Test Network Policy
1. Connect to the Hosted Training HiveManager
(Same HiveManager URLs, supported browsers, class login credentials and firewall note as slide 93, Lab: HiveManager Menu Navigation, step 1.)
- 130. © 2014 Aerohive Networks CONFIDENTIAL
Network Policy = Configuration
Hive = Cooperative Control Protocols
(Same Network Policy Corp1 / Hive Corp diagram and note as slide 110.)
- 131. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating a Test Network Policy
2. Configuring a Test Network Policy
• Go to Configuration
• Click the New Button
- 132. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating a Test Network Policy
3. Configuring a Test Network Policy
• Name: Test-X
• Select: Wireless Access and Bonjour Gateway
• Click Create
Only the Wireless Access and Bonjour Gateway Profiles are used in this class. Switching and Branch Routing are covered in another course. For information about that class visit http://aerohive.com/support/technical-training/training-schedule for dates and registration.
- 133. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating a Test Network Policy
4. Configuring a Test Network Policy
(Network Configuration panel)
• Next to SSIDs click Choose
• Then click New
- 134. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating a Test Network Policy
5. Create an SSID Profile
• SSID Profile: Corp-PSK-X (X = 2 – 29, Student ID)
• SSID: Corp-PSK-X
• Select WPA/WPA2 PSK (Personal)
• Key Value: aerohive123
• Confirm Value: aerohive123
• Click Save
• Click OK
IMPORTANT: For the SSID labs, please follow the class naming convention.
- 135. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating a Test Network Policy
6. Create a User Profile
• To the right of your SSID, under User Profile, click Add/Remove
• In Choose User Profiles, click New
- 136. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating a Test Network Policy
7. Create a User Profile
• Name: Staff-X
• Attribute Number: 1
• Default VLAN: 1
• Click Save
The attribute value and VLAN value do not need to match.
However, it is recommended that the attribute values and VLAN values match each other whenever possible for clarity and uniform configuration.
- 137. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating a Test Network Policy
8. Save the User Profile
• Ensure the Staff-X User Profile is highlighted
• Click Save
- 138. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating a Test Network Policy
9. Save the Network Policy
• Click the Configure & Update Devices bar or click the Continue button
Note: The Save button saves your Network Policy. The Continue button saves your Network Policy and allows you to proceed to the Configure and Update Devices area simultaneously.
- 139. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating a Test Network Policy
10. Create a Display Filter
From the Configure & Update Devices section, click the + next to Filter to create a device display filter.
- 140. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating a Test Network Policy
11. Create a Display Filter
• Device Model: AP350
• Host Name: 0X-
• Remember This Filter: 0X-APs
• Click Search
• Five APs will display
- 141. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating a Test Network Policy
12. Upload the Network Policy
• Select your 0X-A-xxxxxx access point and all of your 0X-SIMU-xxxxxxx access points
• Click the Update button
• Click Update Devices to push your Network Policy to your access points
• Click Yes in the Confirm window
- 142. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating a Test Network Policy
13. Upload the Network Policy
• Click the Update Button
• Click OK in the Reboot Warning window
- 143. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating a Test Network Policy
14. Upload the Network Policy
Once the Update is pushed, you will see the Update Status and the devices rebooting.
When the devices have rebooted and start reporting to HiveManager, you will see their new up time and that the configuration on the devices matches the expected configuration in HiveManager.
- 144. © 2014 Aerohive Networks CONFIDENTIAL
Overview of Update Settings
• Complete Upload: The entire Aerohive AP configuration is uploaded and a reboot is required
• Delta Upload: Only configuration changes are uploaded and no reboot is required
• The default is “Auto” - HiveManager is smart enough to know if the upload is Complete or Delta
• The first upload is always a Complete Upload
Should a Delta upload ever fail, best practice is to select a Complete upload and force a reboot. Also, a Complete Update is recommended when the configuration involves advanced security settings such as RADIUS.
- 145. © 2014 Aerohive Networks CONFIDENTIAL
Overview of Update Settings
The Auto option, which is set by default, performs a complete initial upload, requiring the device to reboot before activating the uploaded configuration. Following that, all subsequent uploads consist of delta configurations based on a comparison with the current configuration running on the device.
Should a Delta upload ever fail, best practice is to select a Complete upload and force a reboot. Also, a Complete Update is recommended when the configuration involves advanced security settings such as RADIUS.
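As an added example (not HiveManager's own code), the following Python models the Complete/Delta decision from slides 91, 144 and 145, computes a delta from a running config and applies it, and flags a delta that touches RADIUS settings as one where a Complete update is recommended; the configuration lines, the "radius" marker and the UpdatePlan fields are constructed assumptions, not HiveOS CLI syntax.

```python
# Model of HiveManager's update choice and of a delta upload, as described on
# slides 91 and 144-145. Added example for this page; it is not HiveManager code,
# and the configuration lines used below are constructed, not real HiveOS CLI syntax.
from dataclasses import dataclass, field
from typing import List, Tuple

# Settings for which slide 144 recommends a Complete update (constructed marker list).
ADVANCED_SECURITY_MARKERS = ("radius",)


@dataclass
class UpdatePlan:
    kind: str                  # "complete" or "delta"
    reboot: bool               # Complete uploads require a reboot; deltas do not
    add: List[str] = field(default_factory=list)
    remove: List[str] = field(default_factory=list)
    complete_recommended: bool = False   # True when a delta touches advanced security settings


def config_delta(desired: List[str], running: List[str]) -> Tuple[List[str], List[str]]:
    """Delta upload step 1: compare HiveManager's copy of the configuration with the
    running config obtained from the device; return lines to add and lines to remove."""
    want, have = set(desired), set(running)
    return sorted(want - have), sorted(have - want)


def plan_update(mode: str, desired: List[str], running: List[str],
                previously_uploaded: bool) -> UpdatePlan:
    """mode is "auto", "complete" or "delta". The first upload is always Complete;
    afterwards Auto chooses Delta (slides 144-145)."""
    if mode not in ("auto", "complete", "delta"):
        raise ValueError(f"unknown update mode: {mode}")
    if mode == "complete" or not previously_uploaded:
        # Whole config is fetched over SCP into flash and the device reboots (slide 91).
        return UpdatePlan("complete", True, add=list(desired))
    add, remove = config_delta(desired, running)
    touched = [line.lower() for line in add + remove]
    flagged = any(marker in line for line in touched for marker in ADVANCED_SECURITY_MARKERS)
    return UpdatePlan("delta", False, add, remove, complete_recommended=flagged)


def apply_delta(running: List[str], plan: UpdatePlan) -> List[str]:
    """Delta upload step 2: the changes go straight into the running config in RAM;
    the caller then saves the result to flash. Returns the new running config."""
    if plan.kind != "delta":
        raise ValueError("apply_delta only applies delta plans")
    dropped = set(plan.remove)
    return [line for line in running if line not in dropped] + plan.add


if __name__ == "__main__":
    desired = ["hostname 02-A-000001", "ssid Corp-PSK-2",
               "ssid Corp-PSK-2 psk aerohive123", "radius-server 10.5.1.10"]
    running = ["hostname 02-A-000001", "ssid Corp-PSK-2", "ssid Corp-PSK-2 psk oldkey"]
    plan = plan_update("auto", desired, running, previously_uploaded=True)
    print(plan.kind, "reboot" if plan.reboot else "no reboot",
          "(Complete update recommended)" if plan.complete_recommended else "")
    print("running config after delta:", apply_delta(running, plan))
```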
- 146. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating a Test Network Policy
15. Review of Device Display Filters
Because the filter is set by default to Current Policy/Default Policies, you will only see devices assigned to your selected network policy, or the def-policy-template (assigned to new devices).
(Screenshot labels: Filter set by default to Current Policy/Default Policies; Selected Network Policy; Select None if you want to see all devices)
- 147. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating a Test Network Policy
16. Verify the Update Results
• From Configuration > Devices > Device Update Results
• Review your update results
• Hover your cursor above the Description
• Review the pop-up window results
Always review Device Update Results. The pop-up window often has good troubleshooting information should an update fail.
- 148. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating a Test Network Policy
17. Verify the Update Results
HiveManager pushes firmware and configuration updates in stages: first to all online devices, and then automatically to any offline devices the next time they connect to HiveManager.
• If any devices are offline, the update results will display as Staged
• Once the devices re-establish CAPWAP connectivity, HiveManager will then re-attempt to upload the configuration until successful
- 149. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating a Test Network Policy
18. Device Monitor View
• Go to Monitor > Devices > All Devices for more detailed information
(Screenshot labels: Set items per page; Change column settings; Turn off auto refresh if you want to make changes without interruption; If Audit is a red exclamation point, click it to see the difference between HiveManager and the device.)
- 150. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating a Test Network Policy
19. Customize the Monitor View Columns
• Click on the Edit Table Icon
• From Available Columns on the left select both MGT Interface VLAN and Native VLAN and move them to the Selected Columns on the right using the corresponding arrow button.
• Move both new options up until they are directly under IP Address
• Click Save
Note: Both the Instructor and Students MUST perform this exercise.
- 151. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating a Test Network Policy
20. Audit Icon
• Unconfigured Devices are Aerohive APs, Routers and other Aerohive devices that have discovered HiveManager for the first time.
• IP connectivity and CAPWAP connectivity are needed for discovery.
Once Aerohive Devices have a configuration uploaded they become Configured Devices.
(Audit icon legend) The red exclamation point icon means the configuration on HiveManager does NOT match the configuration on the Aerohive Device; the other icon means the configuration on HiveManager MATCHES the configuration on the Aerohive Device.
- 152. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Test Hosted Client Access to SSID
Test SSID Access at Hosted Site
(Lab topology diagram)
SSID: Corp-PSK-X
Authentication: WPA or WPA2 Personal
Encryption: TKIP or AES
Preshared Key: aerohive123
User Profile 1: Staff-X
Attribute: 1
VLAN: 1
IP Firewall: None
QoS: def-user-qos
Student-X: VLANs 1-20, Mgt0 IP: 10.5.1.N/24 VLAN 1, Network Policy: Test-X
Internal Network: AD Server 10.5.1.10; DHCP Settings (VLAN 1): network 10.5.1.0/24, 10.5.1.140 – 10.5.1.240; Internet
Hosted PC connects to SSID: Corp-PSK-X, IP: 10.5.1.N/24, Gateway: 10.5.1.1
Use VNC client to access Hosted PC: password: aerohive123
- 153. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Test Hosted Client Access to SSID
1. For Windows: Use TightVNC client
• If you are using a Windows PC
› Use TightVNC
› TightVNC has good compression so please use this for class instead of any other application
• Start TightVNC
› For Lab 1: lab1-pcX.aerohive.com
› For Lab 2: lab2-pcX.aerohive.com
› For Lab 3: lab3-pcX.aerohive.com
› For Lab 4: lab4-pcX.aerohive.com
› For Lab 5: lab5-pcX.aerohive.com
› Select Low-bandwidth connection
› Click Connect
› Password: aerohive123123
› Click OK
- 154. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Test Hosted Client Access to SSID
2. For Mac: Use the Real VNC client
• If you are using a Mac
› RealVNC has good compression so please use this for class instead of any other application
• Start RealVNC
› For Lab 1: lab1-pcX.aerohive.com
› For Lab 2: lab2-pcX.aerohive.com
› For Lab 3: lab3-pcX.aerohive.com
› For Lab 4: lab4-pcX.aerohive.com
› For Lab 5: lab5-pcX.aerohive.com
› Click Connect
› Password: aerohive123.
› Click OK
- 155. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Test Hosted Client Access to SSID
3. Connect to Your Corp-PSK-X SSID
• Single-click the wireless icon on the bottom right corner of the Windows task bar
• Click your SSID Corp-PSK-X
• Click Connect
› Security Key: aerohive123
› Click OK
- 156. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Test Hosted Client Access to SSID
4. View Active Clients List
• After associating with your SSID, you should see your connection in the active clients list in HiveManager
› Go to Monitor > Clients > Wireless Clients
• Your IP address should be from the 10.5.1.0/24 network
- 157. © 2014 Aerohive Networks CONFIDENTIAL
QUESTIONS?
- 158. © 2014 Aerohive Networks Inc.
SECTION 5. CONFIGURING ACCESS POINTS FOR MAPS AND MONITORING
Aerohive’s Instructor-led Training
- 159. © 2014 Aerohive Networks CONFIDENTIAL
Design Implementation
Now that the initial planning and testing phases are completed, you are ready to begin creating the framework for your live deployment.
To accomplish the remaining goals you will:
• Clone the predictive model maps you created earlier
• Add your APs to Floor 1 of your cloned maps
• Position the APs as required for the needed coverage
- 160. © 2014 Aerohive Networks CONFIDENTIAL
LAB: Design Implementation
1. Clone of the Plan Building
• Click on the Maps Tab
• Expand Planner Maps and right click on your 0X Plan Building
• Select Clone
- 161. © 2014 Aerohive Networks CONFIDENTIAL
LAB: Design Implementation
2. Clone of the Plan Building
161
• Name your cloned building 0X Building
• Click the drop down arrow and select the Locations folder
• Click Create
- 162. © 2014 Aerohive Networks CONFIDENTIAL
LAB: Design Implementation
3. Planning the Production Network
162
• Expand the Locations folder
• Expand your 0X Building
• Select Floor 1
• Click the Devices Tab
- 163. © 2014 Aerohive Networks CONFIDENTIAL
LAB: Design Implementation
4. Adding your APs to the map
163
• Select all of your 0X APs
• Click the arrow to move them to the Devices on Floor 1
section
• Click Update to place your devices on your 0X Building Floor 1
map
- 164. © 2014 Aerohive Networks CONFIDENTIAL
LAB: Design Implementation
5. Placing your APs
164
• Uncheck the Ethernet and Mesh check boxes
• Uncheck the Nodes Locked check box
• Position the APs on your map as planned in the predictive model
• Check the Nodes Locked check box
- 165. © 2014 Aerohive Networks CONFIDENTIAL
Design Implementation
165
Once the APs are located properly you can use your map for post
deployment validation processes such as:
• RSSI values
• Interference source locationing
• Channel verification
• Display of Ethernet and Mesh connections
- 166. © 2014 Aerohive Networks CONFIDENTIAL
Topology Maps
With RSSI and Power (Heatmap)
166
• Both the 5 GHz and 2.4 GHz bands can be viewed separately
• Ethernet and Mesh connections can be displayed
• RSSI values can be used to display coverage
• The coverage areas range from red being the strongest to dark blue being the weakest coverage
• The blue lines show the perimeter of an AP; a client within that boundary should connect to that AP
• Select the band (5 GHz or 2.4 GHz) and the coverage you want to view
• The map also shows the subnet of the MGT0 interface on the Aerohive APs
- 167. © 2014 Aerohive Networks CONFIDENTIAL
Topology Maps
With Rogue AP Detection and Client Location
167
• If three or more Aerohive APs on a map detect a rogue, HiveManager can estimate the location of the rogue on the topology map
• Also, if the Aerohive AP location service is enabled, you can view clients as well
Map legend: Friendly AP, Rogue AP, Client
- 168. © 2014 Aerohive Networks CONFIDENTIAL
QUESTIONS?
- 169. © 2014 Aerohive Networks CONFIDENTIAL
Classroom LAB Scenario
169
• We'll start with the types of users we have in the network. We have
different types of employees, and different types of guests.
• Employees should have secure access to the wireless network, and
the most secure method is 802.1X/EAP
• We can create 1 SSID for all Employee access, but have different
access policies depending on the type of employee.
• For devices that do not support 802.1X, or that require fast roaming and
do not support 802.11r or OKC, you should consider Private PSK
• For guests, there is the legacy open SSID method, which we feel does not
provide security for guests and leaves them extremely vulnerable. So
instead we should provide a Private PSK infrastructure and a captive web
portal for use policy acceptance. We can also provide a way for self
registration, employee sponsorship, etc.
• We will need to consider the best practice AP settings to meet our
network design goals. After which we will need to show how to
maintain and monitor a network.
- 170. © 2014 Aerohive Networks Inc.
SECTION 6:
CREATING THE EMPLOYEE SECURE
ACCESS NETWORK
170
Aerohive’s
Instructor-led Training
- 171. © 2014 Aerohive Networks CONFIDENTIAL
Classroom Employee WLAN
Scenario
171
• Employees should have secure access to the
wireless network, and the most secure method is
to use 802.1X EAP.
• You are going to build an 802.1X EAP solution
using the customers existing RADIUS server.
• RADIUS attributes can be leveraged to assign
different types of employees to VLANs and user
traffic settings by assigning them to the
appropriate User Profiles.
• Employees will be assigned to three different User
Profiles: Employees, IT and Executives. User profiles
will be used to assign different types of access rights
to different types of employees.
- 172. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating the Employee Secure Access Network
1. Creating the Corporate Network Policy
172
• Click on the Configuration Tab
• Under Choose Network Policy Click the New
Button
- 173. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating the Employee Secure Access Network
2. Creating the Corporate Network Policy
173
• Fill in the Name box using Corp-X as your Network Policy Name
• Click the Create button
It is recommended that you ALWAYS add descriptions about the objects
you are building whenever possible.
- 174. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating the Employee Secure Access Network
3. Creating the Secure SSID Profile
174
To configure a
802.1X/EAP SSID
for Secure Wireless
Access
• Next to SSIDs,
click Choose
• Click New
- 175. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating the Employee Secure Access Network
4. Creating the Secure SSID Profile
• Profile Name:
Corp-Secure-X
• SSID:
Corp-Secure-X
• Under SSID
Access Security
select
WPA/WPA2
802.1X
(Enterprise)
• Click Save
175
- 176. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating the Employee Secure Access Network
5. Saving the Secure SSID Profile
176
• Ensure the
Corp-Secure-X SSID
is selected
• Click OK
- 177. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating the Employee Secure Access Network
6. Creating the RADIUS Object
177
• Under Authentication, click <RADIUS Settings>
• Choose RADIUS, click New
- 178. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating the Employee Secure Access Network
7. Creating the RADIUS Object
178
• RADIUS Name: RADIUS-X
• IP Address/Domain Name: 10.5.1.10
• Shared Secret: aerohive123
• Confirm Secret: aerohive123
• Click Apply
• Click Save
- 179. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating the Employee Secure Access Network
8. Creating the User Profile
179
• Under User Profile, click Add/Remove
• Click New
- 180. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating the Employee Secure Access Network
9. Creating the User Profile
180
• Name: Employees-X
• Attribute Number: 10
• Default VLAN: 10
• Click Save
- 181. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating the Employee Secure Access Network
10. User Profile – no returned RADIUS attributes
181
• With the Default tab selected, ensure the Employees-X user profile is highlighted
› IMPORTANT: This user profile will be assigned if no attribute value is returned from RADIUS after successful authentication, or if attribute value 10 is returned.
• Click the Authentication tab
- 182. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating the Employee Secure Access Network
11. User profiles for returned RADIUS attributes
182
• Select the Authentication tab
• Select (highlight) both the IT and Executives User Profiles
NOTE: The (User Profile Attribute) is appended to the User Profile Name
• Click Save
- 183. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating the Employee Secure Access Network
12. Verify the User Profiles
183
• Ensure the Employees-X, IT and Executives user profiles are assigned to the Corp-Secure-X SSID
- 184. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating the Employee Secure Access Network
13. Saving the work and preparing to update devices
184
• Click the Continue button
- 185. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating the Employee Secure Access Network
14. Saving the work and preparing to update devices
185
From the Configure & Update Devices section, click the drop down next to Filter and select your 0X-APs Filter.
- 186. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating the Employee Secure Access Network
15. Update the devices
186
• Select your 0X-A-xxxxxx access point and all of your 0X-SIMU-xxxxxxx access points
• Click the Update button
• Click Update Devices to push your Network Policy to your access points
• Click Yes in the Confirm window
- 187. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating the Employee Secure Access Network
16. Update the devices
187
• Click the Update Button
• Click OK in the Reboot Warning window
- 188. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Creating the Employee Secure Access Network
17. Update the devices
188
Once the update is pushed, you will see the Update Status and the devices rebooting.
When the devices have rebooted and start reporting to HiveManager, you will see their new up time and that the configuration on the devices matches the expected configuration in HiveManager.
- 189. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Test Hosted Client Access to SSID
1. For Windows: Use TightVNC client
189
• If you are using a windows PC
› Use TightVNC
› TightVNC has good compression so
please use this for class instead of
any other application
• Start TightVNC
› For Lab 1: lab1-pcX.aerohive.com
› For Lab 2: lab2-pcX.aerohive.com
› For Lab 3: lab3-pcX.aerohive.com
› For Lab 4: lab4-pcX.aerohive.com
› For Lab 5: lab5-pcX.aerohive.com
› Select Low-bandwidth
connection
› Click Connect
› Password: aerohive123123
› Click OK
- 190. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Test Hosted Client Access to SSID
2. For Mac: Use the Real VNC client
190
• If you are using a Mac
› RealVNC has good compression
so please use this for class
instead of any other application
• Start RealVNC
› For Lab 1: lab1-pcX.aerohive.com
› For Lab 2: lab2-pcX.aerohive.com
› For Lab 3: lab3-pcX.aerohive.com
› For Lab 4: lab4-pcX.aerohive.com
› For Lab 5: lab5-pcX.aerohive.com
› Click Connect
› Password: aerohive123.
› Click OK
- 191. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Testing 802.1X/EAP to External RADIUS
1. Connect to Secure Wireless Network
191
• From the bottom task bar, click the wireless networks icon
• Click Corp-Secure-X
• Click Connect
- 192. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Testing 802.1X/EAP to External RADIUS
2. Connect to Secure Wireless Network
192
After associating with your SSID, you should see your connection in the active clients list in HiveManager
• Go to Monitor > Clients > Wireless Clients
• User Name: DOMAIN\user
• VLAN: 10
- 193. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Testing 802.1X/EAP to External RADIUS
3. Customizing Your Column View
193
• To change the layout of the columns in the Wireless Clients list, click the spreadsheet icon
• Select User Profile Attribute from the Available Columns list and click the right arrow
• With User Profile Attribute selected, click the Up button so that the column is moved after VLAN
• Click Save
- 194. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Testing 802.1X/EAP to External RADIUS
4. Customizing Your Column View
194
• By default all Device and Client screens display 15 items per page.
• You can scroll between pages using the arrow buttons or choose to display more items per page.
• Screen auto refresh is enabled by default but can be disabled if so desired.
• Select 50 items per page from the drop down
- 195. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Testing 802.1X/EAP to External RADIUS
5. Create a clients display filter
195
To display only the wireless clients in the Lab:
• Go to Monitor > Clients > Wireless Clients.
• Click the + under Filter at the bottom of the Monitor options.
• Next to Topology Map select 0X Building_Floor 1 from the drop down
• In the Remember This Filter box type: Lab
• Click Search to save the filter
Note: The proper use of filters will save time in locating desired objects
- 196. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Testing 802.1X/EAP to External RADIUS
6. Create a clients display filter
196
To display only the wireless clients in the Classroom:
• Go to Monitor > Clients > Wireless Clients.
• Click the + under Filter at the bottom of the Monitor options.
• Next to Topology Map select Training Center_Floor1 from the drop down
• In the Remember This Filter box type: Instructor
• Click Search to save the filter
Note: The proper use of filters will save time in locating desired objects
- 197. © 2014 Aerohive Networks CONFIDENTIAL
QUESTIONS?
- 198. © 2014 Aerohive Networks Inc.
SECTION 7:
PRIVATE PSK FOR DEVICES
198
Aerohive’s
Instructor-led Training
- 199. © 2014 Aerohive Networks CONFIDENTIAL
Private PSK (PPSK) for Legacy Devices
Scenario
199
Your customer has legacy devices that
do not support 802.1X, or require fast
roaming and do not support 802.11r or
Opportunistic Pairwise Master Key
Caching (OKC).
There is a requirement that all devices
have unique credentials.
Aerohive offers a security solution called
Private PSK (PPSK) that meets these
needs.
- 200. © 2014 Aerohive Networks CONFIDENTIAL
SSIDs with WPA or WPA2 Personal
Use Legacy Pre Shared Keys (PSKs)
200
• All users share the same key
› If a user leaves or if a PC or portable device is lost, for security
reasons, the shared key should be changed, and every client will
have to update the keys on their wireless clients
• All users share the same network policy
› Because all users share the same SSID with the same key, they will
also have the same network policies, such as their VLAN,
because there is no way to uniquely identify users or types of
users
User 1
User 2
User 3
SSID: Corp-Wi-Fi
Authentication: WPA2 Personal
Shared Key: aSecretPhrase
User Profile: Employee-Profile
SSID: Corp-Wi-Fi
Shared Key: aSecretPhrase
SSID: Corp-Wi-Fi
Shared Key: aSecretPhrase
SSID: Corp-Wi-Fi
Shared Key: aSecretPhrase
AP
- 201. © 2014 Aerohive Networks CONFIDENTIAL
SSID with 802.1X/EAP Dynamically Create
Pairwise Master Keys (PMKs)
201
• With 802.1X, after a user successfully authenticates with RADIUS,
a unique key is created for each user and AP pair called a PMK
› If a user leaves the company or a user loses a device, the user
account can be disabled and passwords can be changed to
prevent access to corporate resources
• New PMKs are created every time user authenticates
• Users can have unique network policies
› Because users are identified by their user name, based on the
user or group, they can be assigned to different network policies
User 1
User 2
User 3
SSID: Corp-Wi-Fi
Authentication: WPA2 Enterprise (802.1X)
- User 1 - PMK: d6#$%^98f..
- User 2 - PMK: 87fe@#$%a..
- User 3 - PMK: 90)356*&f..
SSID: Corp-Wi-Fi
PMK: d6#$%^98f..
SSID: Corp-Wi-Fi
PMK: 87fe@#$%a..
SSID: Corp-Wi-Fi
PMK: 90)356*&f..
AP RADIUS
- 202. © 2014 Aerohive Networks CONFIDENTIAL
Private Preshared Key (PSK)
Allows creation of unique PSKs per user
202
• Private PSKs are unique pre shared keys created for individual users on the
same SSID
• Client configuration is simple, just enter the SSID shared key for WPA or
WPA2 personal (PSK)
› No 802.1X supplicant configuration is required
› Works with devices that do not support 802.1X/EAP
• You can automatically generate unique keys for users, and distribute via
email, or any way you see fit
• If a user leaves or a device is lost or stolen, the PSK for that user or device
can simply be revoked
User 1
User 2
User 3
SSID: Corp-Wi-Fi
SSID Type: Private PSK
Authentication: WPA2 Personal
- User 1 – Private PSK: d6#$%^98f..
- User 2 – Private PSK: 87fe@#$%a..
- User 3 – Private PSK: 90)356*&f..
SSID: Corp-Wi-Fi
Key: d6#$%^98f..
SSID: Corp-Wi-Fi
Key: 87fe@#$%a..
SSID: Corp-Wi-Fi
Key: 90)356*&f..
Aerohive AP
- 203. © 2014 Aerohive Networks CONFIDENTIAL
Private Preshared Key (PSK)
Use Cases
203
• Use Case #1: Private PSK is recommended for augmenting
WLAN deployments that authenticate clients with WPA or
WPA2 Enterprise (802.1X/EAP), but have some devices that:
› Support WPA or WPA2 Personal, but do not support WPA
or WPA2 Enterprise with 802.1X/EAP
› Do not support opportunistic key caching (OKC) for
seamless roaming
• Use Case #2: Recommended use in place of using
traditional PSKs for environments that do not have a WLAN
deployment using WPA or WPA2 Enterprise with 802.1X/EAP
• Use Case #3: Recommended for secure credentials with
guest WLANs (secure guest management covered in a
later section)
- 204. © 2014 Aerohive Networks CONFIDENTIAL
Private Preshared Key (PSK)
Maximum PPSKs per Aerohive Device
204
- 205. © 2014 Aerohive Networks CONFIDENTIAL
Verify On-Premise HiveManager Time
Settings
205
• HiveManager and Aerohive devices should have up to date time settings, preferably by NTP (HMOL time settings are automatic).
• Go to Home > Administration > HiveManager Settings
• Next to System Date/Time click Settings
Private PSKs are credentials that have a start time. Private PSKs, like other credentials, can also be time limited. Therefore, it is imperative that the HiveManager time settings be in proper synchronization with your network. The use of an NTP server is highly recommended.
- 206. © 2014 Aerohive Networks CONFIDENTIAL
Verify Device Time Settings
206
• Go to Configuration
• Select your Network Policy: Corp-X and click OK
• Next to Additional Settings click Edit
• Expand Management Server Settings
• Next to NTP Server, click the + icon
Note: Upon first login to a new HiveManager system, an NTP server policy is automatically created with the same name as the user name. However, the object should be edited with the proper time zone.
Private PSKs are credentials that have a start time. Private PSKs, like other credentials, can also be time limited. Even more important than the HiveManager time settings, Aerohive device clock settings must be properly synchronized. The use of an NTP server is MANDATORY.
- 207. © 2014 Aerohive Networks CONFIDENTIAL
Verify Device Time Settings
207
• Name the service NTP-X
• Time Zone: <Please use the Pacific time zone>
• Uncheck Sync clock with HiveManager
• NTP Server: ntp1.aerohive.com
• Click Apply
• Click Save
MANDATORY: You must change the time zone to match the time zone where your Aerohive devices reside. Do this BEFORE you configure the rest of your Network Policy.
Instructor note: When using Lab #4 the Time Zone MUST be set to (GMT +10 Australia/Sydney)
- 208. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Private PSK for Enterprise
1. Modify your Network Policy to Create an SSID
208
To configure a
Private PSK SSID
• Go to Configuration
• Select your Network
Policy: Corp-X and
click OK
• Next to SSIDs,
click Choose
• Click New
- 209. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Private PSK for Enterprise
2. Create a Private PSK SSID
• Profile Name: Device-PPSK-X
• SSID: Device-PPSK-X
• Under SSID Access Security
select Private PSK
• Set maximum clients per
private PSK to: 1
› This limits how many times a
single Private PSK can be
concurrently used in a Hive
• Click Save
209
- 210. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Private PSK for Enterprise
3. Create a Private PSK SSID
210
• Ensure the
Device-PPSK-X SSID
is selected
• Ensure the Corp-
Secure-X SSID is
selected
• Click OK
- 211. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Private PSK for Enterprise
4. Create a Private PSK User Group
211
• Under Authentication, click <PSK User Groups>
• Click New
- 212. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Private PSK for Enterprise
5. Create a Private PSK Group
212
• User Group Name: Devices-X
• User Type: Automatically generated private PSK users
• User Profile Attribute: 2
• VLAN: <empty> (inherited from user profile)
• User Name Prefix: 0X-
• Click the Generate button to create a seed
• Expand Private PSK Advanced Options
- 213. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Private PSK for Enterprise
6. Create a Private PSK User Group
213
• Password length: 20
• Click Save
Note: You can define
the strength of the PSKs
Although each of the PPSKs will be unique, they are still susceptible to
brute-force offline dictionary attacks. The Wi-Fi Alliance recommends a
passphrase key strength of 20 characters or longer.
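As an added illustration of slides 200 through 202 and of the key-strength note above (example code, not Aerohive's), the Python below derives the WPA/WPA2-Personal PMK the way IEEE 802.11i specifies, shows that three users on one shared PSK end up holding one PMK while three PPSK users hold three, and puts a number on the 20-character recommendation. The SSID name comes from the slide diagrams; the user names, passphrases and the generate/revoke helpers are constructed for the example.

```python
import hashlib
import math
import secrets
import string

# SSID name taken from the slide diagrams; everything else below is constructed.
SSID = "Corp-Wi-Fi"
ALPHABET = string.ascii_letters + string.digits  # 62 symbols for a generated PPSK


def wpa2_pmk(passphrase: str, ssid: str = SSID) -> bytes:
    """Derive the 256-bit Pairwise Master Key of WPA/WPA2-Personal.

    IEEE 802.11i defines PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32).
    The 4-way handshake derives session keys from this PMK, so every station
    that uses the same passphrase on the same SSID holds the same PMK.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), 4096, 32)


def pmk_table(credentials: dict, ssid: str = SSID) -> dict:
    """Map user name -> hex PMK for the passphrase each user holds."""
    return {user: wpa2_pmk(pw, ssid).hex() for user, pw in credentials.items()}


def distinct_pmks(credentials: dict, ssid: str = SSID) -> int:
    """How many different PMKs a set of users actually ends up with."""
    return len(set(pmk_table(credentials, ssid).values()))


def generate_ppsk(length: int = 20) -> str:
    """Hypothetical key generator: one random Private PSK drawn from ALPHABET."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def revoke(credentials: dict, user: str) -> dict:
    """Revoking a PPSK removes only that user's key; the others keep theirs."""
    return {u: pw for u, pw in credentials.items() if u != user}


def passphrase_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy of a uniformly random passphrase. An offline attack on a
    captured handshake pays one 4096-round PBKDF2 per guess and the guess count
    grows as 2 ** entropy, which is why the course asks for 20+ characters."""
    return length * math.log2(alphabet_size)


# Constructed sample data modelled on the three users in the slides.
LEGACY_PSK = {u: "aSecretPhrase" for u in ("User 1", "User 2", "User 3")}
PRIVATE_PSK = {
    "User 1": "d6Qw7pRz2LkX9mNv4bHs",
    "User 2": "87feAj3ZtYq6WcPu1GdK",
    "User 3": "90Rv3fLm8XbTn2JpEa5Q",
}

if __name__ == "__main__":
    print("shared PSK  -> distinct PMKs:", distinct_pmks(LEGACY_PSK))    # 1
    print("private PSK -> distinct PMKs:", distinct_pmks(PRIVATE_PSK))   # 3
    remaining = revoke(PRIVATE_PSK, "User 2")
    print("User 1's PMK unchanged after revoking User 2:",
          pmk_table(remaining)["User 1"] == pmk_table(PRIVATE_PSK)["User 1"])
    print("entropy of a 20-char key: %.1f bits" % passphrase_entropy_bits(20))
    print("freshly generated PPSK:", generate_ppsk())
```

The first assertion in the checks uses the published IEEE 802.11i PBKDF2 test vector (passphrase "password", SSID "IEEE") to confirm the derivation itself.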
- 214. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Private PSK for Enterprise
7. Save the Private PSK User Group
214
• Ensure your Devices-X is highlighted
• Click OK
- 215. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Private PSK for Enterprise
9. Create a user profile for the PPSK SSID
215
• Under User Profile,
click Add/Remove
• Click New
- 216. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Private PSK for Enterprise
10. Create a user profile for the PPSK SSID
216
• Name: Devices-X
• Attribute Number: 2
• Default VLAN: 2
• Verify the settings, and click Save
Although these are corporate devices, they are using shared key security. Since they are not using 802.1X, a more secure authentication method, it is a recommended practice to separate their traffic to protect your network from unwanted use.
- 217. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Private PSK for Enterprise
10. Review Settings and Click Save
217
• Ensure your Devices-X
User Profile is selected
• Click Save
• Verify the settings, and
click Save
- 218. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Private PSK for Enterprise
11. Creating your User Accounts
218
• In the Navigation pane go to: Advanced Configuration > Authentication > Local Users
• Click Bulk
Note: In a live
deployment, each
device and or user
should be uniquely
identifiable. We are
using the Bulk option in
class simply as a way to
save time.
- 219. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Private PSK for Enterprise
12. Creating your User Accounts
219
• Create Users Under Group: Devices-X
• Number of New Users: 10
• Description: 0X-
• Enter your REAL email address
• Click Create
- 220. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Private PSK for Enterprise
13. Viewing your User Accounts
220
Apply a filter to view your Private PSK users
• In the Navigation pane, navigate to: Advanced Configuration > Authentication > Local Users
• Click the Filter button
• Next to Description: type 0X- and click Search
• Results shown on next slide
- 221. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Private PSK for Enterprise
14. View your Private PSK users
221
• Locate your PPSK users
› Sort on the user name or use the filter
• You can click (Clear Text PPSK) to view the
PPSK
- 222. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Private PSK for Enterprise
15. Email your user their private PSK
• Check the box next to one of your user accounts, and click Email PSK
IMPORTANT: Please check your Junk Email folder if you do not receive this email
IMPORTANT: In order for the email to work, you MUST have the email service settings configured under Home > Administration > HiveManager Services > Update Email Settings
- 223. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Private PSK for Enterprise
16. Updating your Aerohive Devices
223
• Go to Configuration and select your Corp-X policy and click OK
• Click on the Continue button
• From the Configure & Update Devices section, click the drop down next to Filter and select your 0X-APs Filter.
- 224. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Private PSK for Enterprise
17. Updating your Aerohive Devices
224
• Select your 0X-A-xxxxxx access point and all of your 0X-SIMU-xxxxxxx access points
• Click the Update button
• Click Update Devices to push your Network Policy to your access points
- 225. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Private PSK for Enterprise
18. Updating your Aerohive Devices
225
• Click the Update Button
• Click OK in the Reboot Warning window
- 226. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Private PSK for Enterprise
19. Updating your Aerohive Devices
226
The physical APs will not need to reboot this time because this is a Delta update. The simulated APs will reboot. Only the configuration changes in the Network Policy were uploaded. Because a reboot is not necessary, clients already connected to the Corp-Secure-X SSID are not affected.
- 227. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Private PSK for Enterprise
1. Testing your PPSK SSID
227
• From TightVNC, go to: labN-pcX.aerohive.com, password: aerohive123
• Copy the PPSK key either from the user
account display or your email, make sure not
to copy any extra spaces
• Connect to your SSID: Device-PPSK-X
• Paste your Passphrase/Network Key:
<Paste your 20 character PSK>
• Click OK
- 228. © 2014 Aerohive Networks CONFIDENTIAL
Lab: Private PSK for Enterprise
2. Testing your PPSK SSID
228
• After associating with your SSID, you should see your connection in the active clients list in HiveManager
› Go to Monitor > Clients > Wireless Clients
• Your IP address should be from the 10.5.2.0/24 network
• Note the client information:
› VLAN: 2
› User Profile Attribute: 2
- 229. © 2014 Aerohive Networks CONFIDENTIAL
Example Only: Revoke a Private PSK
1. Revoking Private PSK Users
229
If a user leaves the company, or if their device is lost or stolen, you
can revoke the user's key and de-authenticate any active client using
that individual private PSK
• Go to Configuration > Advanced Configuration > Authentication > Local Users
• Check the box next to your user account and click Remove
• Click Yes to continue
› Note: For this change to take effect, you will have to update the
configuration of every Aerohive AP using this Private PSK account...
- 230. © 2014 Aerohive Networks CONFIDENTIAL
Example Only: Revoke a Private PSK
2. Update the Configuration
230
• Select your 0X-A-xxxxxx access point and all of your 0X-SIMU-xxxxxxx access points
• Click the Update button
• Click Update Devices to push your Network Policy to your access points
- 231. © 2014 Aerohive Networks CONFIDENTIAL
Example Only: Revoke a Private PSK
3. Verify your PPSK user is revoked
231
• To view the active clients, go to Monitor > Clients > Wireless Clients
• The revoked clients will no
longer appear in the active
clients list
• If you view the desktop of the
hosted client PC, you will see
they are disconnected
- 232. © 2014 Aerohive Networks CONFIDENTIAL
QUESTIONS?
- 233. © 2014 Aerohive Networks Inc.
SECTION 8:
AEROHIVE WLAN GUEST
MANAGEMENT
Aerohive’s
Instructor-led Training
- 234. © 2014 Aerohive Networks CONFIDENTIAL
Why Provide Guest Access?
234
Many studies have shown that providing WLAN guest
access is beneficial to your business
• Improved Productivity: Customers and contractors often need
access to the Internet to accomplish job-related duties. If
customers and contractors are more productive, your company
employees will also be more productive.
• Customer Loyalty: In today’s world, business customers have
come to expect Guest WLAN access. Free guest access is often
considered a value-added service. There is a good chance that
your customers will move towards your competitors if you do not
provide WLAN guest access.
- 235. © 2014 Aerohive Networks CONFIDENTIAL
Guest WLAN Essentials
235
Guest user traffic should always be segmented from
employee user traffic. Four guest WLAN best practices
include:
• Guest SSID: Wireless guest users should always connect to a
separate guest SSID because it will have different security policies
than a corporate or employee SSID.
• Guest VLAN: Guest user traffic should be segmented into a
unique VLAN tied to an IP subnet that does not mix with the
employee user VLANs.
• Captive Web Portal: A captive web portal can be used to
accept guest login credentials. More importantly, the captive web
portal should have a legal disclaimer.
• Guest Firewall Policy: A From-Access guest firewall policy is
the most important component of WLAN guest management.
- 236. © 2014 Aerohive Networks CONFIDENTIAL
WLAN Guest Firewall Policy
236
• A From-Access guest firewall policy is the most
important component of WLAN guest management.
The goal is to keep wireless guest users away from
corporate network resources and only allow them
access to a gateway to the Internet.
• Below is an example of the default Guest Firewall Policy
in HiveManager
- 237. © 2014 Aerohive Networks CONFIDENTIAL
WLAN Guest Firewall Policy
237
• The guest firewall policy can be much more
restrictive. A good practice is to block SMTP so
users cannot SPAM through the guest WLAN.
• If necessary, many more ports and/or
applications can be blocked.
• Ports that should be permitted include DNS (UDP port 53), DHCP server
(UDP port 67), HTTP (TCP port 80) and HTTPS (TCP port 443).
• So that guest users can use an IPsec VPN: IKE
UDP port 500 and IPsec NAT-T UDP port 4500
should be permitted.
- 239. © 2014 Aerohive Networks CONFIDENTIAL
Peer Blocking
239
• Guest users should be prevented from peer-to-peer
connectivity on the guest VLAN/subnet. This prevents peer-
to-peer attacks.
• Peer blocking can be configured in the Guest SSID settings.
• Optional Settings > DoS Prevention and Filter > Traffic Filter
• Uncheck Enable Inter-station Traffic
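As an added example (not HiveManager's policy engine) that models the From-Access guest firewall policy of slides 236 and 237 together with the peer-blocking setting above, the Python below encodes a constructed, default-deny version of those rules and checks sample guest flows against the intended outcome. The guest subnet, the corporate address ranges, the rule order and the default-deny ending are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for the example (assumptions, not lab values):
# the guest VLAN subnet and the private ranges that hold corporate resources.
GUEST_SUBNET = ipaddress.ip_network("10.5.3.0/24")
CORPORATE_NETS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    action: str                                      # "permit" or "deny"
    proto: Optional[str] = None                      # "tcp", "udp" or None for any
    dst_net: Optional[ipaddress.IPv4Network] = None  # None = any destination
    dst_port: Optional[int] = None                   # None = any port
    note: str = ""

    def matches(self, dst_ip: ipaddress.IPv4Address, proto: str, dst_port: int) -> bool:
        return ((self.proto is None or self.proto == proto)
                and (self.dst_net is None or dst_ip in self.dst_net)
                and (self.dst_port is None or self.dst_port == dst_port))


def guest_policy() -> list:
    """Ordered, first-match From-Access policy: the ports the course says to permit,
    the SMTP block, a deny for every corporate range, then default deny."""
    rules = [
        Rule("permit", "udp", None, 53, "DNS"),
        Rule("permit", "udp", None, 67, "DHCP server"),
        Rule("deny", "tcp", None, 25, "SMTP: keep guests from sending spam"),
    ]
    rules += [Rule("deny", None, net, None, f"corporate range {net}") for net in CORPORATE_NETS]
    rules += [
        Rule("permit", "tcp", None, 80, "HTTP"),
        Rule("permit", "tcp", None, 443, "HTTPS"),
        Rule("permit", "udp", None, 500, "IKE"),
        Rule("permit", "udp", None, 4500, "IPsec NAT-T"),
        Rule("deny", None, None, None, "default deny"),
    ]
    return rules


def evaluate(src, dst, proto, dst_port, inter_station=False, policy=None):
    """Return (action, reason) for one guest flow. Peer blocking is checked first:
    in this model the SSID-level 'Enable Inter-station Traffic' setting is applied
    before the firewall policy (an assumption of the example)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in GUEST_SUBNET:
        raise ValueError("evaluate() models guest-originated (From-Access) traffic only")
    if dst_ip in GUEST_SUBNET and not inter_station:
        return "deny", "peer blocking: inter-station traffic disabled"
    for rule in policy or guest_policy():
        if rule.matches(dst_ip, proto, dst_port):
            return rule.action, rule.note
    return "deny", "no rule matched"


# Constructed test flows: (src, dst, proto, dst_port) and the intended outcome.
EXPECTED = [
    (("10.5.3.20", "8.8.8.8", "udp", 53), "permit"),
    (("10.5.3.20", "10.0.0.53", "udp", 53), "permit"),       # DNS rule precedes the 10/8 deny
    (("10.5.3.20", "203.0.113.10", "tcp", 443), "permit"),
    (("10.5.3.20", "203.0.113.10", "udp", 4500), "permit"),
    (("10.5.3.20", "203.0.113.10", "tcp", 25), "deny"),      # SMTP blocked
    (("10.5.3.20", "10.1.1.5", "tcp", 443), "deny"),         # corporate server, even on 443
    (("10.5.3.20", "10.5.3.21", "tcp", 445), "deny"),        # another guest: peer blocking
    (("10.5.3.20", "203.0.113.10", "tcp", 22), "deny"),      # not on the allow list
]


def audit(cases=EXPECTED) -> list:
    """Flows whose result differs from the intended one; empty means the policy matches intent."""
    return [(flow, want, evaluate(*flow)[0])
            for flow, want in cases if evaluate(*flow)[0] != want]


if __name__ == "__main__":
    for flow, want in EXPECTED:
        print(flow, "->", evaluate(*flow))
    print("mismatches:", audit())  # []
```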
- 240. © 2014 Aerohive Networks CONFIDENTIAL
Rate Limiting
240
• The bandwidth of
guest traffic can be
throttled with a rate
control policy
• User Profiles > Optional Settings > QoS Settings > Rate Control and Queuing Policy
Policy