
ACWP Aerohive configuration guide.


  1. © 2014 Aerohive Networks Inc. Instructor-led Training: Aerohive Certified Wireless Professional (ACWP)
  2. Welcome
      • Introductions
      • Facilities Discussion
      • Course Overview
      • Extra Training Resources
      • Questions
  3. Introductions
      • What is your name?
      • What is your organization's name?
      • How long have you worked in Wi-Fi?
      • Are you currently using Aerohive?
  4. Facilities Discussion
      • Course Material Distribution
      • Course Times
      • Restrooms
      • Break room
      • Smoking Area
      • Break Schedule
        › Morning Break
        › Lunch Break
        › Afternoon Break
  5. Aerohive Advanced WLAN Configuration (ACWP): Course Overview (2-day hands-on class)
      Each student connects to HiveManager, a remote PC, and an Aerohive AP over the Internet from their wireless-enabled laptop in the classroom, and then performs hands-on labs that cover the following topics:
      • 802.1X/EAP architecture overview
      • 802.1X with external RADIUS
      • RADIUS attributes for user profile assignment
      • Using Client Monitor to troubleshoot 802.1X/EAP
      • HiveManager Certificate Authority
      • Aerohive devices as RADIUS servers that integrate with LDAP
      • Client Management: device on-boarding using 802.1X
      • Client Management: device on-boarding using PPSK
      • Layer 2 IPsec VPN clients and VPN servers
      • Device classification
      • Layer 3 roaming configuration and troubleshooting
      • Guest Management using GRE tunneling to a DMZ
  6. Aerohive CBT Learning: http://www.aerohive.com/cbt
  7. Aerohive Education on YouTube: http://www.youtube.com/playlist?list=PLqSW15RTj6DtEbdPCGIm0Kigvrscbj-Vz (learn the basics of Wi-Fi and more)
  8. The 20-Minute Getting Started Video Explains the Details. Please view the Aerohive Getting Started Videos: http://www.aerohive.com/330000/docs/help/english/cbt/Start.htm
  9. Aerohive Technical Documentation. All the latest technical documentation is available for download at: http://www.aerohive.com/techdocs
  10. Aerohive Instructor-Led Training
      • Aerohive Education Services offers a complete curriculum that provides you with the courses you will need as a customer or partner to properly design, deploy, administer, and troubleshoot all Aerohive WLAN solutions.
      • Aerohive Certified WLAN Administrator (ACWA): first-level course
      • Aerohive Certified WLAN Professional (ACWP): second-level course
      • Aerohive Certified Network Professional (ACNP): switching/routing course
      • www.aerohive.com/training: Aerohive class schedule
  11. Over 20 books about networking have been written by Aerohive employees, including:
      • CWNA Certified Wireless Network Administrator Official Study Guide, by David D. Coleman and David A. Westcott
      • CWSP Certified Wireless Security Professional Official Study Guide, by David D. Coleman, David A. Westcott, Bryan E. Harkins and Shawn M. Jackman
      • CWAP Certified Wireless Analysis Professional Official Study Guide, by David D. Coleman, David A. Westcott, Ben Miller and Peter MacKenzie
      • 802.11 Wireless Networks: The Definitive Guide, Second Edition, by Matthew Gast
      • 802.11n: A Survival Guide, by Matthew Gast
      • 802.11ac: A Survival Guide, by Matthew Gast
  12. Aerohive Exams and Certifications
      • Aerohive Certified Wireless Administrator (ACWA) is a first-level certification that validates your knowledge and understanding of Aerohive Networks' WLAN Cooperative Control Architecture. (Based upon the instructor-led course.)
      • Aerohive Certified Wireless Professional (ACWP) is the second-level certification that validates your knowledge and understanding of Aerohive advanced configuration and troubleshooting. (Based upon the instructor-led course.)
      • Aerohive Certified Network Professional (ACNP) is another second-level certification that validates your knowledge of Aerohive switching and branch routing. (Based upon the instructor-led course.)
  13. Aerohive Forums
      • Aerohive's online community: HiveNation. Have a question, an idea or praise you want to share? Join the HiveNation Community, a place where customers, evaluators, thought leaders and students like yourselves can learn about Aerohive and our products while engaging with like-minded individuals.
      • Please take a moment and register during class if you are not already a member of HiveNation. Go to http://community.aerohive.com/aerohive and sign up!
  14. Aerohive Social Media
      • The HiveMind Blog: http://blogs.aerohive.com
      • Follow us on Twitter: @Aerohive
      • Instructor David Coleman: @mistermultipath
      • Instructor Bryan Harkins: @80211University
      • Instructor Gregor Vucajnk: @GregorVucajnk
      • Instructor Metka Dragos: @MetkaDragos
      • Please feel free to tweet about #Aerohive training during class.
  15. Aerohive Technical Support: General
      • I want to talk to somebody live. Call us at 408-510-6100 / Option 2. We also provide service toll-free from within the US & Canada by dialing (866) 365-9918. Aerohive has Support Engineers in the US, China, and the UK, providing coverage 24 hours a day.
      • How do I buy Technical Support? Support Contracts are sold on a yearly basis, with discounts for multi-year purchases. Customers can purchase Support in either 8x5 format or in a 24-hour format.
      • I have different expiration dates on several Entitlement keys; may I combine all my support so it all expires on the same date? Your Aerohive Sales Rep can help you set up Co-Term, which allows you to select matching expiration dates for all your support.
  16. Aerohive Technical Support: The Americas
      • How do I reach Technical Support? Aerohive Technical Support is available 24 hours a day, via the Aerohive Support Portal or by calling. In the Support Portal, an authorized customer can open a Support Case. Communication is managed via the portal with new messages and replies. Once the issue is resolved, the case is closed, and it can be retrieved at any time in the future.
      • I want to talk to somebody live. For those who wish to speak with an engineer, call us at 408-510-6100 / Option 2. We also provide service toll-free from within the US & Canada by dialing (866) 365-9918.
      • I need an RMA in the Americas. An RMA is generated via the Support Portal, or by calling our Technical Support group. After troubleshooting, should the unit require repair, we will overnight* a replacement to the US and Canada. Other countries are international. If the unit is DOA, it is replaced with a brand new item; if not, it is replaced with a like-new refurbished item. *Restrictions may apply: time of day, location, etc.
  17. Aerohive Technical Support: International
      • How do I get Technical Support outside the Americas? Aerohive international Partners provide dedicated Technical Support to their customers. The Partner has received specialized training on Aerohive Networks' product line, and has access to 24-hour internal Aerohive Technical Support via the Support Portal, or by calling 408-510-6100 / Option 2.
      • I need an RMA internationally. World customers' defective units are quickly replaced by our Partners, and Aerohive replaces the Partner's stock once it arrives at our location. Partners are responsible for all shipping charges, duties, taxes, etc.
  18. Copyright Notice: Copyright © 2014 Aerohive Networks, Inc. All rights reserved. Aerohive Networks, the Aerohive Networks logo, HiveOS, Aerohive AP, HiveManager, and GuestManager are trademarks of Aerohive Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies.
  19. Questions?
  20. Classroom & Data Center: classroom SSID and data center setup
  21. Lab: Get Connected. 1. Connect to the class WLAN
      • Please connect to the SSID: aerohive-class
      • Network Key: aerohive123
      Diagram: SSID Class-SSID, security WPA/WPA2 Personal (PSK), network key aerohive123; guest client on VLAN 1; WLAN Policy WLAN-Classroom; Mgt0 IP 10.5.1.N/24 on VLAN 1; instructor PC; clients connect to SSID Class-SSID with IP 10.5.1.N/24 and gateway 10.5.1.1.
  22. Aerohive Training Remote Lab
      • Aerohive Access Points use external antenna connections and RF cables to connect to USB Wi-Fi client cards (black cables)
      • Access Points are connected from eth0 to Aerohive managed switches with 802.1Q VLAN trunk support, which provide PoE to the APs (yellow cables)
      • Firewall with routing support, NAT, and multiple Virtual Router Instances
      • Access Points are connected from their console port to a console server (white cables)
      • Console server to permit SSH access into the serial console of Aerohive Access Points
      • Server running VMware ESXi, which runs Active Directory, RADIUS (NPS) and hosts the virtual clients used for testing configurations to support the labs
  23. Network Layout for Data Center (diagram)
      • HiveManager: MGT 10.5.1.20/24
      • Win2008 AD Server: MGT 10.5.1.10/24 (services for the hosted class: RADIUS (NPS), DNS, DHCP)
      • Linux Server: MGT 10.6.1.150/24 (web server, FTP server)
      • Terminal Server: 10.5.1.5/24
      • L3 Switch/Router/Firewall: eth0 10.5.1.1/24 (VLAN 1), eth0.1 10.5.2.1/24 (VLAN 2), eth0.2 10.5.8.1/24 (VLAN 8), eth0.3 10.5.10.1/24 (VLAN 10), eth1 10.6.1.1/24 (DMZ)
      • L2 Switch: native VLAN 1; LAN ports connected to the L2 switch with 802.1Q VLAN trunks
      • 14 Aerohive AP 340s (X = 2, 3 ... N), common settings: default gateway none, MGT0 on VLAN 2, native VLAN 1; each AP at 10.5.2.*/24 with no gateway
      • 14 client PCs for wireless access (X = 2, 3 ... N): Ethernet 10.5.1.202/24, 10.5.1.203/24 ... 10.5.1.20N/24 with no gateway; wireless 10.5.V.X/24 with gateway 10.5.V.1 (VLAN 10 clients: 10.5.10.X/24 with gateway 10.5.10.1)
  24. Questions?
  25. Get Connected to HiveManager: Aerohive Enterprise Mode
  26. Connect to the Hosted Training HiveManager
      • Securely browse to the assigned HiveManager for class:
        › Training Lab 1: https://training-hm1.aerohive.com (https://72.20.106.120)
        › Training Lab 2: https://training-hm2.aerohive.com (https://72.20.106.66)
        › Training Lab 3: https://training-hm3.aerohive.com (https://209.128.124.220)
        › Training Lab 4: https://training-hm4.aerohive.com (https://203.214.188.200)
        › Training Lab 5: https://training-hm5.aerohive.com (https://209.128.124.230)
      • Supported browsers:
        › Firefox, Internet Explorer, Chrome, Safari
      • Class login credentials:
        › Login: adminX (X = Student ID, 2 - 29)
        › Password: aerohive123
      NOTE: In order to access the HiveManager, someone at your location needs to first enter the training firewall credentials given to them by the instructor.
  27. Lab: Setting Up a Wireless Network. Lab Goals
      • Connect to HiveManager to create a simple Network Policy with static PSK security.
      • Define static IP addresses for the student access point and VPN gateway.
      • Update the devices.
      • Connect to the hosted PC and test the wireless connectivity.
      • Each student creates a client monitor for future troubleshooting.
      • Proceed to the advanced labs.
  28. Lab: Setting Up a Wireless Network. 1. Creating a new Network Policy
      • Go to Configuration
      • Click the New button
  29. Lab: Setting Up a Wireless Network. 2. Building your Initial Wireless Network Policy
      • Name: WLAN-X
      • Select: Wireless Access and Bonjour Gateway
      • Click Create
      Only the Wireless Access and Bonjour Gateway profiles are used in this class. Switching and Branch Routing are covered in another course; for dates and registration visit http://aerohive.com/support/technical-training/training-schedule
  30. Network Policy Types
      • Wireless Access: use when you have an AP-only deployment, or you require specific wireless policies for APs in a mixed AP and router deployment
      • Branch Routing: use when you are managing routers, or APs behind routers that do not require different Network Policies than the router they connect through
      Diagram: a BR100 at a small branch office or teleworker site, and a BR200 with APs behind the router at a small to medium size branch office, each connected to the Internet.
  31. Network Policy Types (continued)
      • Switching
        › Used to manage wired traffic using Aerohive switches
      • Bonjour Gateway
        › Recommended to deploy a Bonjour Gateway in third-party networks
        › Bonjour Gateway lab later in class
      Diagram: APs connected through a PoE SR2024 switch to the Internet.
  32. Lab: Setting Up a Wireless Network. 3. Create a New SSID Profile
      Network Configuration
      • Next to SSIDs, click Choose
      • Then click New
  33. Lab: Setting Up a Wireless Network. 4. Configure a PSK Employee SSID
      • SSID Profile: Class-PSK-X (X = 2 - 29, Student ID)
      • SSID: Class-PSK-X
      • Select WPA/WPA2 PSK (Personal)
      • Key Value: aerohive123
      • Confirm Value: aerohive123
      • Click Save
      • Click OK
      IMPORTANT: For the SSID labs, please follow the class naming convention.
  34. Lab: Setting Up a Wireless Network. 5. Create a User Profile
      • To the right of your SSID, under User Profile, click Add/Remove
      • In Choose User Profiles, click New
  35. Lab: Setting Up a Wireless Network. 6. Define User Profile Settings
      • Name: Employee-X
      • Attribute Number: 10
      • Network or VLAN-only Assignment: 10
      • Click Save
  36. Lab: Setting Up a Wireless Network. 7. Choose User Profile and Continue
      • Ensure the Employee-X User Profile is highlighted
      • Click Save
  37. Lab: Setting Up a Wireless Network. 8. Save the Network Policy
      • Click the Configure & Update Devices bar or click the Continue button
      Note: The Save button saves your Network Policy. The Continue button saves your Network Policy and at the same time takes you to the Configure and Update Devices area.
  38. Hosted Training Lab Network IP Summary (diagram)
      • Branch Office (Aerohive AP as VPN client): X-A-Aerohive AP MGT0 10.5.2.# (# = address learned through DHCP), gateway 10.5.2.1; client PC on the WLAN
      • Firewall (NAT) 2.2.2.2; NAT rules 1.2.1.X → 10.8.1.X
      • HQ (L2 VPN Gateway, VPN servers): HiveOS-VA-0X MGT0 10.200.2.X/24, gateway 10.200.2.1; RADIUS 10.200.2.250
  39. Lab: Setting Up a Wireless Network. 9. Update the configuration of your Aerohive AP
      From the Configure & Update Devices section, modify your AP-specific settings
      • Display Filter: None
      • Click the Name column to sort the APs
      • Click the link for your 0X-A-######
  40. Lab: Setting Up a Wireless Network. 10. Update the configuration of your A-Aerohive AP
      • Topology Map: Data Center_Class-Lab or Classroom
      • Select your WLAN-X Network Policy
      • Set the power levels:
        › 2.4GHz (wifi0) Power: 1
        › 5GHz (wifi1) Power: 1
      • Do not click Save yet
      VERY IMPORTANT: We need to leave the power set to 1 dBm on both radios because the APs are stacked in a rack in the data center.
  41. Lab: Setting Up a Wireless Network. 11. Configure Settings on Your A-Aerohive AP
      Under Optional Settings
      • Expand MGT0 interface settings
        › Select Static IP
        › IP Address: 10.5.2.X
        › Netmask: 255.255.255.0
        › Gateway: 10.5.2.1
      • Do not click Save yet
      We are assigning the AP a static IP address because the AP will function as a RADIUS server in a later lab. Whenever Aerohive devices function as a server, they must have a static IP address. Best practice is to assign the device its static IP address before configuring a Network Policy that requires an Aerohive device to function as a server.
  42. Lab: Setting Up a Wireless Network. 12. Configure Settings on Your A-Aerohive AP
      Under Optional Settings
      • Expand Advanced Settings
        › Check Override MGT VLAN: 2
      • Click Save
  43. Lab: Setting Up a Wireless Network. 13. Update the configuration of your HiveOS-VA
      From the Configure & Update Devices section, modify your HiveOS-VA-specific settings
      • Display Filter: None
      • Click the Name column to sort the devices
      • Click the link for your VA: HiveOS-VA-0X
  44. Lab: Setting Up a Wireless Network. 14. Update the configuration of your HiveOS-VA
      • Set the Device Function to L2 VPN Gateway
      • Select your WLAN-X Network Policy
      • Expand MGT0 Interface Settings, and assign the VPN gateway a static IP address:
        › MGT0 IP Address: 10.200.2.X
        › Netmask: 255.255.255.0
        › Gateway: 10.200.2.1
      • Click Save
  45. Lab: Setting Up a Wireless Network. 15. Update the configuration of your AP & VA
      In the Configure & Update Devices section
      • Click the Name column to sort the devices
      • Check the box next to your AP: X-A-######
      • Check the box next to your L2 VPN Gateway: HiveOS-VA-0X
  46. Lab: Setting Up a Wireless Network. 16. Update the configuration of AP & VA
      • Select Update › Update Devices
      • Click Update
      • Click OK in the Reboot Warning window
      The first update is automatically a complete update. For this class, ALL subsequent updates should be complete configuration updates, unless directed otherwise.
  47. Lab: Setting Up a Wireless Network. 17. Update the configuration of AP & VA
      • The devices will reboot
  48. Lab: Setting Up a Wireless Network. 18. Monitoring Devices
      • Go to Monitor › Devices › All Devices for more detailed information and tools
      Screenshot callouts: set items per page; change column settings; turn off auto refresh if you want to make changes without interruption; if the Audit column shows a red exclamation point, click it to see the difference between HiveManager and the device.
  49. Questions?
  50. Test Your Configuration Using the Hosted PC
  51. Lab: Test Hosted Client Access to SSID. Test SSID Access at Hosted Site (diagram)
      • SSID: Class-PSK-X; Authentication: WPA or WPA2 Personal; Encryption: TKIP or AES; Preshared Key: aerohive123
      • User Profile 1: Employee(10)-X; Attribute: 10; VLAN: 10; IP Firewall: None; QoS: def-user-qos
      • Student-0X AP: VLANs 1-20, Mgt0 IP 10.5.2.N/24 on VLAN 1, WLAN Policy WLAN-X
      • Internal network: AD Server 10.5.1.10; DHCP settings (VLAN 10): network 10.5.10.0/24, range 10.5.10.140 - 10.5.10.240
      • Hosted PC connects to SSID Class-PSK-X with IP 10.5.10.N/24 and gateway 10.5.10.1
      • Use a VNC client to access the Hosted PC; password: aerohive123
  52. Lab: Test Hosted Client Access to SSID. 1. For Windows: Use the TightVNC client
      • If you are using a Windows PC
        › Use TightVNC
        › TightVNC has good compression, so please use it for class instead of any other application
      • Start TightVNC
        › For Lab 1: lab1-pcX.aerohive.com
        › For Lab 2: lab2-pcX.aerohive.com
        › For Lab 3: lab3-pcX.aerohive.com
        › For Lab 4: lab4-pcX.aerohive.com
        › For Lab 5: lab5-pc0X.aerohive.com
        › Select Low-bandwidth connection
        › Click Connect
        › Password: aerohive123123
        › Click OK
  53. Lab: Test Hosted Client Access to SSID. 2. For Mac: Use the RealVNC client
      • If you are using a Mac
        › RealVNC has good compression, so please use it for class instead of any other application
      • Start RealVNC
        › For Lab 1: lab1-pcX.aerohive.com
        › For Lab 2: lab2-pcX.aerohive.com
        › For Lab 3: lab3-pcX.aerohive.com
        › For Lab 4: lab4-pcX.aerohive.com
        › For Lab 5: lab5-pc0X.aerohive.com
        › Select Low-bandwidth connection
        › Click Connect
        › Password: aerohive123123
        › Click OK
  54. Lab: Test Hosted Client Access to SSID. 3. In case the PCs are not logged in
      If you are not automatically logged in to your PC
      • If you are using the web browser client
        › Click the button to Send Ctrl-Alt-Del
      • If you are using the TightVNC client
        › Click to send a Ctrl-Alt-Del
      • Login: AH-LAB\user
      • Password: Aerohive1
      • Click the right arrow to log in
  55. Lab: Test Hosted Client Access to SSID. 4. Connect to Your Class-PSK-X SSID
      • Single-click the wireless icon in the bottom right corner of the Windows task bar
      • Click your SSID Class-PSK-X
      • Click Connect
        › Security Key: aerohive123
        › Click OK
  56. Lab: Test Hosted Client Access to SSID. 5. In case the PCs are not logged in
      If you are not automatically logged in to your PC
      • If you are using the web browser client
        › Click the button to Send Ctrl-Alt-Del
      • If you are using the TightVNC client
        › Click to send a Ctrl-Alt-Del
      • Login: AH-LAB\user
      • Password: Aerohive1
      • Click the right arrow to log in
  57. Lab: Test Hosted Client Access to SSID. 6. Go to the Windows 8 Desktop view
      From the Windows 8 start screen, click the Desktop icon
  58. Lab: Test Hosted Client Access to SSID. 7. Connect to Your Class-PSK-0X SSID
      • Single-click the wireless icon in the bottom right corner of the Windows task bar
      • Click your SSID Class-PSK-X
      • Click Connect
        › Security Key: aerohive123
        › Click Next
  59. Lab: Test Hosted Client Access to SSID. 8. View Active Clients List
      • After associating with your SSID, you should see your connection in the active clients list in HiveManager
        › Go to Monitor › Clients › Wireless Clients
      • Your IP address should be from the 10.5.10.0/24 network
      • VLAN: 10
  60. Lab: Test Hosted Client Access to SSID. 9. Add Additional Columns
      • To change the layout of the columns in the Active Clients list, click the spreadsheet icon
      • Select User Profile Attribute from the Available Columns list and click the right arrow
      • With User Profile Attribute selected, click the Up button so that the column is moved after Host Name
      • Click Save
  61. Questions?
  62. The Client Monitor Tool
  63. Lab: Client Monitor. 1. Select a client to monitor
      • To start monitoring a client's connection state, go to Monitor › Clients › Active Clients
      • Select the check box next to the client you want to monitor
        Note: If your client does not appear, you can skip this step for now
      • Click Operation... › Client Monitor
      • For class, ensure your associated Aerohive AP is selected (do not select All)
      • The MAC address of your client will be selected
        Note: You can manually enter the wireless client MAC address without delimiters
      • Write down your client's MAC address
        Note: Remember the client MAC address for the next step in the lab.
      • Click Add
      Screenshot callouts: Click Client Monitor; Click Operation...; Click Add New Client; Select your Aerohive AP; Click Add.
  64. Lab: Client Monitor. 2. Start the client monitor
      • Check Filter Probe
        Note: This removes all the probe requests and responses you would otherwise see from clients and APs, so you can focus on protocol connectivity
      • Click Start
        Note: Your client will be monitored until you click Stop. You can leave this window, and if you go back to Operation... › Client Monitor, you will see the list of all clients being monitored
      • You can expand the window by dragging the bottom right corner
      • Select your client to see the connection logs for your client as they occur
      Screenshot callouts: 1. Check Filter Probe; 2. Click Start; 3. Drag the bottom right corner of the window to expand it.
  65. Client Monitor Results
      Throughout the labs, go to the client monitor for your PC to view the ongoing results. In the sample output, the 4-way handshake completes and the client is assigned an IP address from DHCP.
  66. Questions?
  67. Time Settings for HiveManager and Aerohive Devices
  68. Verify On-Premises HiveManager Time Settings
      • HiveManager and Aerohive devices should have up-to-date time settings, preferably by NTP (HMOL time settings are automatic).
      • Go to Home › Administration › HiveManager Settings
      • Next to System Date/Time, click Settings
      Aerohive devices use Private PSKs and certificates, which are time-limited credentials. Therefore, it is imperative that the HiveManager time settings be in proper synchronization with your network. The use of an NTP server is highly recommended.
  69. Verify Device Time Settings
      • Go to Configuration
      • Select your Network Policy: WLAN-X and click OK
      • Next to Additional Settings, click Edit
      • Expand Management Server Settings
        Note: Upon first login to a new HiveManager system, an NTP server policy is automatically created with the same name as the user name. However, the object should be edited with the proper time zone.
      • Next to NTP Server
        › Click the + icon
      Aerohive devices use Private PSKs and certificates, which are time-limited credentials. Even more important than the HiveManager time settings, Aerohive device clock settings must be properly synchronized. The use of an NTP server is MANDATORY.
  70. Verify Device Time Settings (continued)
      • Name the service NTP-X
      • Time Zone: <Please use the Pacific time zone>
      • Uncheck Sync clock with HiveManager
      • NTP Server: ntp1.aerohive.com
      • Click Apply
      • Click Save
      MANDATORY: You must change the time zone to match the time zone where your Aerohive devices reside. Do this BEFORE you configure the rest of your Network Policy.
      Instructor note: When using Lab #4, the time zone MUST be set to (GMT +10 Australia/Sydney).
  71. Questions?
  72. Secure Wireless LANs with IEEE 802.1X Using PEAP Authentication
  73. IEEE 802.1X with EAP (diagram: message flow between the supplicant computer, the authenticator (AP) and the authentication server (RADIUS))
      • 802.11 association (supplicant: "Access please!"; authenticator: access blocked)
      • Supplicant → Authenticator: EAPoL-Start
      • Authenticator → Supplicant: EAP-Request/Identity
      • Supplicant → Authenticator: EAP-Response/Identity (username); Authenticator → Authentication Server: RADIUS Access-Request
      • Authentication Server → Authenticator: RADIUS Access-Challenge; Authenticator → Supplicant: EAP-Request (challenge)
      • Supplicant → Authenticator: EAP-Response (hashed response); Authenticator → Authentication Server: RADIUS Access-Request
      • Authentication server: "Calculating key for user..."; supplicant: "Calculating my key..."
      • Authentication Server → Authenticator: RADIUS Access-Accept (PMK); Authenticator → Supplicant: EAP-Success
      • Access granted
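The exchange on this slide, as an added example that is not part of the Aerohive course material: a Python simulation of the three parties in which the AP only relays EAP inside RADIUS and keeps the port blocked until an Access-Accept arrives with the PMK. EAP-MD5 (RFC 3748) stands in for PEAP so the challenge/response can be computed with the standard library; the PMK derivation, the user database and the names (run_8021x, Authenticator, AuthServer, Supplicant) are assumptions constructed for this example.

```python
"""Simulated IEEE 802.1X/EAP exchange: supplicant <-> authenticator (AP) <-> RADIUS server.

Added example, not Aerohive code. EAP-MD5 (RFC 3748 s.5.4) stands in for the PEAP inner
method; the PMK derivation below is a labelled stand-in (real methods derive keys in TLS).
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed user database for the authentication server (not a real deployment).
USER_DB = {"alice": b"aerohive123"}

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4


@dataclass
class Eap:
    code: int
    identifier: int
    eap_type: int = 0
    data: bytes = b""


def md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 response: MD5(identifier || password || challenge), as in CHAP (RFC 1994)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


class AuthServer:
    """RADIUS side: the only party that sees the credentials; never touches the wireless link."""

    def __init__(self) -> None:
        self.pending: dict[int, tuple[str, bytes]] = {}  # identifier -> (username, challenge)

    def access_request(self, eap: Eap) -> tuple[str, Eap, bytes | None]:
        if eap.eap_type == EAP_TYPE_IDENTITY:
            username = eap.data.decode()
            challenge = os.urandom(16)
            self.pending[eap.identifier + 1] = (username, challenge)
            # Access-Challenge carries the EAP-Request/MD5-Challenge for the supplicant
            return "Access-Challenge", Eap(EAP_REQUEST, eap.identifier + 1, EAP_TYPE_MD5, challenge), None
        username, challenge = self.pending.pop(eap.identifier)
        expected = md5_response(eap.identifier, USER_DB.get(username, b""), challenge)
        if username in USER_DB and hmac.compare_digest(expected, eap.data):
            # Stand-in PMK (assumption): HMAC over the challenge; real EAP methods derive it in TLS
            pmk = hmac.new(USER_DB[username], challenge, hashlib.sha256).digest()
            return "Access-Accept", Eap(EAP_SUCCESS, eap.identifier), pmk
        return "Access-Reject", Eap(EAP_FAILURE, eap.identifier), None


class Authenticator:
    """AP: relays EAP inside RADIUS and keeps the controlled port blocked until Access-Accept."""

    def __init__(self, server: AuthServer) -> None:
        self.server = server
        self.port_open = False
        self.pmk: bytes | None = None
        self.log: list[str] = []   # RADIUS codes seen, in order

    def relay(self, eap: Eap) -> Eap:
        radius_code, reply, pmk = self.server.access_request(eap)
        self.log.append(radius_code)
        if radius_code == "Access-Accept":
            self.pmk = pmk          # delivered to the AP for the 4-way handshake
            self.port_open = True   # "Access granted" on the slide
        return reply


class Supplicant:
    def __init__(self, username: str, password: bytes) -> None:
        self.username, self.password = username, password

    def respond(self, req: Eap) -> Eap:
        if req.eap_type == EAP_TYPE_IDENTITY:
            return Eap(EAP_RESPONSE, req.identifier, EAP_TYPE_IDENTITY, self.username.encode())
        # "Calculating my key...": hashed response to the challenge
        return Eap(EAP_RESPONSE, req.identifier, EAP_TYPE_MD5,
                   md5_response(req.identifier, self.password, req.data))


def run_8021x(username: str, password: bytes) -> tuple[bool, list[str]]:
    """Walk the slide's exchange; returns (port_open, RADIUS codes the AP received)."""
    ap = Authenticator(AuthServer())
    sta = Supplicant(username, password)
    # 802.11 association done; EAPoL-Start makes the AP send EAP-Request/Identity (id 0)
    req = Eap(EAP_REQUEST, 0, EAP_TYPE_IDENTITY)
    while req.code == EAP_REQUEST:
        req = ap.relay(sta.respond(req))
    return ap.port_open, ap.log


if __name__ == "__main__":
    print(run_8021x("alice", b"aerohive123"))   # (True, ['Access-Challenge', 'Access-Accept'])
    print(run_8021x("alice", b"wrong"))         # (False, ['Access-Challenge', 'Access-Reject'])
```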
  74. Extensible Authentication Protocol (EAP) Comparison Chart (the chart is an image on the slide)
  75. LAB: Secure WLAN Access With 802.1X/EAP. Lab Goals
      • Configure a Network Policy for 802.1X/EAP Enterprise security where APs communicate with an external RADIUS server
      • Define multiple user profiles leveraging RADIUS attributes
      • Connect to the hosted PC and test the 802.1X/EAP authentication
      • Troubleshoot authentication problems with Client Monitor
      • Verify user profile assignment using RADIUS attributes
  76. LAB: Secure WLAN Access With 802.1X/EAP Using External RADIUS (diagram)
      • Student-0X AP: VLANs 1-20, Mgt0 IP 10.5.2.N/24 on VLAN 1, Network Policy WLAN-0X
      • AD Server 10.5.1.10 with NPS (2008); DHCP settings: (VLAN 1) network 10.5.2.0/24, range 10.5.2.140 - 10.5.2.240; (VLAN 10) network 10.5.10.0/24, range 10.5.10.140 - 10.5.10.240
      • Client connects to SSID Class-EAP-X with IP 10.5.10.N/24 and gateway 10.5.10.1
      • SSID: Class-EAP-X; Authentication: WPA or WPA2 Personal; Encryption: TKIP or AES
      • Auth User Profile: Employee-X; Attribute: 10 (RADIUS attribute returned); VLAN: 10
      • Default User Profile: Employee-Default-X; Attribute: 1000 (no RADIUS attribute returned); VLAN: 8
  77. Instructor Only: On the Hosted RADIUS Server, Verify RADIUS Client Settings
      • Set the RADIUS server to accept RADIUS messages from the MGT0 interface IP on all Aerohive devices that function as authenticators
      • This class uses: 10.5.2.0/24
      • Shared Secret: aerohive123
      NOTE: Use a stronger key in real life!
  78. Instructor Only: On the Hosted RADIUS Server, Verify RADIUS Client Settings
      • RADIUS clients are often confused with the Wi-Fi clients (supplicants)
      • RADIUS clients are devices that communicate with a RADIUS server using the RADIUS protocol
      • RADIUS clients are the authenticators in an 802.1X/EAP framework
      • The term "RADIUS clients" is also synonymous with the term NAS clients
  79. On the Hosted RADIUS Server: Configuring RADIUS Return Attributes
      • After successful authentication of users in the AH-LAB\Wireless Windows AD group, RADIUS returns three attribute/value pairs to assign the Aerohive user profile.
      Standard RADIUS attribute/value pairs returned:
        › Tunnel-Medium-Type: IPv4
        › Tunnel-Type: GRE
        › Tunnel-Pvt-Group-ID: 10
  80. Lab: Secure WLAN Access With 802.1X/EAP. 1. Create a New SSID
      To configure an 802.1X/EAP SSID for secure wireless access
      • Go to Configuration
      • Select your Network Policy: WLAN-X and click OK
      • Next to SSIDs, click Choose
      • Click New
  81. Lab: Secure WLAN Access With 802.1X/EAP. 2. Configure an 802.1X/EAP SSID
      • Profile Name: Class-EAP-X
      • SSID: Class-EAP-X
      • Under SSID Access Security, select WPA/WPA2 802.1X (Enterprise)
      • Click Save
  82. Lab: Secure WLAN Access With 802.1X/EAP. 3. Select the new Class-EAP-X SSID
      • Click to deselect the Class-PSK-X SSID
      • Ensure the Class-EAP-X SSID is selected (highlighted)
      • Click OK
  83. Lab: Secure WLAN Access With 802.1X/EAP. 4. Create a RADIUS object
      • Under Authentication, click <RADIUS Settings>
      • In Choose RADIUS, click New
  84. Lab: Secure WLAN Access With 802.1X/EAP. 5. Define the External RADIUS Server
      • RADIUS Name: RADIUS-X
      • IP Address/Domain Name: 10.5.1.10
      • Shared Secret: aerohive123
      • Confirm Secret: aerohive123
      • Click Apply (click Apply when done!)
      • Click Save
  85. Lab: Secure WLAN Access With 802.1X/EAP. 6. Create a New User Profile
      • Under User Profile, click Add/Remove
      • Click New
  86. Lab: Secure WLAN Access With 802.1X/EAP. 7. Define User Profile Settings
      • Name: Employee-Default-X
      • Attribute Number: 1000
      • Network or VLAN-only Assignment: 8
      • Click Save
  87. Lab: Secure WLAN Access With 802.1X/EAP. 8. Assign User Profile as Default for the SSID
      • With the Default tab selected, ensure the Employee-Default-X user profile is highlighted
        › IMPORTANT: This user profile will be assigned if no attribute value is returned from RADIUS after successful authentication, or if attribute value 1000 is returned.
      • Click the Authentication tab
  88. Lab: Secure WLAN Access With 802.1X/EAP. 9. Assign User Profile to be Returned by RADIUS Attribute
      • Select the Authentication tab
      • Select (highlight) Employee-X
        › Important: This User Profile will be assigned if matching RADIUS attributes are returned from a RADIUS server. You can have as many as 63 unique User Profiles.
      • Click Save
      NOTE: The User Profile Attribute is appended in parentheses to the User Profile Name.
  89. 89. © 2014 Aerohive Networks CONFIDENTIAL Lab: Secure WLAN Access With 802.1X/EAP 10. Verify and Continue 89 • Ensure Employee-Default-X and Employee-X user profiles are assigned to the Class-EAP-X SSID • Click Continue to Configure & Update Devices
  90. 90. © 2014 Aerohive Networks CONFIDENTIAL 90 In the Configure & Update Devices section • Select the Current Policy filter • Check the box next to your AP: X-A-###### • Click Update Lab: Secure WLAN Access With 802.1X/EAP 11. Update the AP Configuration
  91. 91. © 2014 Aerohive Networks CONFIDENTIAL 91 • Select Update Devices • Select Perform a complete configuration update for all selected devices • Click Update • Click OK in the Reboot Warning window For this class, ALL Updates from this point should be Complete configuration updates unless otherwise directed. Lab: Secure WLAN Access With 802.1X/EAP 12. Update the AP configuration
  92. 92. © 2014 Aerohive Networks CONFIDENTIAL Copyright ©2011 Lab: Secure WLAN Access with 802.1X/EAP 13. Update the AP configuration • Your new configuration will upload • The AP will reboot 92
  93. 93. © 2014 Aerohive Networks CONFIDENTIAL QUESTIONS?
Configuring and Testing Your 802.1X Supplicant (Windows 7)

Lab: Testing 802.1X/EAP to External RADIUS

1. Connect to the Secure Wireless Network
• Single-click the wireless network icon at the bottom right of the Windows task bar
• Click Class-EAP-X
• Click Connect
• When prompted, select Use my Windows user account
• Click OK

2. View Wireless Clients
• After associating with your SSID, you should see your connection in the active clients list in HiveManager
  › Go to Monitor > Clients > Wireless Clients
• User Name: DOMAIN\user
• User Profile Attribute: 10
• VLAN: 10
You were assigned to this user profile based on the attribute returned by the RADIUS server.
User Profile Assignment via RADIUS Attributes
• User profiles can be assigned based on returned RADIUS attributes
• As many as 63 different groups of users can be assigned to different VLANs, firewall policies, SLA policies, time-based policies, etc.
Leveraging RADIUS attributes for user profile assignment means you only need a single SSID for all your employees. Although a radio can transmit as many as 16 SSIDs, best practice is no more than 3 or 4: every additional SSID adds beacon and probe-response overhead at layer 2 and degrades performance. A common design is three SSIDs: Employees, Voice and Guests.

Default RADIUS Attributes Used for User Profile Assignment
By default, user profile assignment by RADIUS attributes uses these standard (RFC 2868) attribute/value pairs, returned in the Access-Accept:
• Tunnel-Type: GRE (10)
• Tunnel-Medium-Type: IPv4 (1)
• Tunnel-Private-Group-ID: <user profile attribute>, e.g. 10
Note: these are not the Tunnel-Type VLAN (13) and Tunnel-Medium-Type 802 (6) values most switches use for dynamic VLAN assignment. With the default mapping, the RADIUS server policy must return the GRE/IPv4 pair, and the Tunnel-Private-Group-ID must match a user profile attribute defined on the SSID.

User Profile Assignment via RADIUS Attributes (Standard or Custom)
• User profiles can be assigned based on any returned RADIUS attribute
• The attribute can be a standard RADIUS attribute or a custom (vendor-specific) attribute

Example: Troubleshooting an Invalid User Profile Attribute Returned from RADIUS
• Go to Monitor > All Devices
• If you see an alarm when trying to authenticate with 802.1X/EAP, click the alarm icon for details
• The alarm "Invalid User Profile Returned" means the RADIUS server returned a user profile attribute that is not defined on the Aerohive AP for that SSID. In this case the value returned was 50.
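The following is an added example, not Aerohive code and not part of the original course material. It shows, at the packet level, what the three slides above describe: the Access-Accept a RADIUS server returns with the Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-ID triple, the Response Authenticator check an AP must perform before it trusts any returned attribute, and the SSID-side decision between the default profile (no attribute), a matching profile (10) and the "Invalid User Profile Returned" case (50). The shared secret, profile names and attribute numbers are the lab's; the packet bytes, the Request Authenticator and the helper names are constructed for the example.

```python
"""RADIUS Access-Accept carrying Aerohive user-profile attributes (added example,
not Aerohive code). Builds the Access-Accept a RADIUS server returns after a
successful 802.1X/EAP exchange, verifies the Response Authenticator the way the
AP (the RADIUS client) must before trusting any attribute, decodes the RFC 2868
tunnel attributes and maps Tunnel-Private-Group-ID onto the SSID's user-profile
table. Secret, profile names and attribute values come from the lab; the packet
bytes and the Request Authenticator are constructed here."""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_GRE = 10     # the value the default HiveOS mapping expects, not VLAN (13)
TUNNEL_MEDIUM_IPV4 = 1   # the value the default HiveOS mapping expects, not 802 (6)


def _avp(attr_type, value):
    """One attribute: Type, Length (header included), Value (max 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def user_profile_attributes(profile_attr, tag=0):
    """The three attributes HiveManager maps to a user profile. Tunnel-Type and
    Tunnel-Medium-Type are tag byte + 3-byte integer; Tunnel-Private-Group-ID is
    tag byte + string holding the user profile attribute number."""
    return (_avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_GRE.to_bytes(3, "big"))
            + _avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IPV4.to_bytes(3, "big"))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(profile_attr).encode()))


def build_access_accept(identifier, request_authenticator, secret, attributes=b""):
    """RFC 2865: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    resp_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + resp_auth + attributes


def verify_response(packet, request_authenticator, secret):
    """The AP's check before acting on an Access-Accept: the Response Authenticator
    binds the reply to the outstanding request and to the shared secret, so a
    forged or replayed reply, or a wrong secret, is rejected here."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(data):
    """Walk the attribute list, rejecting truncated or zero-length entries."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def decode_tunnel_attributes(attrs):
    """Strip the RFC 2868 tag byte and return {attribute type: value}."""
    out = {}
    for attr_type, value in attrs:
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            out[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # A first byte above 0x1F is not a tag but part of the string.
            out[attr_type] = (value[1:] if value[0] <= 0x1F else value).decode("ascii", "replace")
    return out


def select_user_profile(packet, request_authenticator, secret, ssid_profiles, default_profile):
    """Mirror the SSID's user-profile logic from the lab: a packet failing
    verification is rejected; no Tunnel-Private-Group-ID gives the default
    profile; a value not defined on the SSID (e.g. 50) gives None, which is the
    'Invalid User Profile Returned' alarm case."""
    if not verify_response(packet, request_authenticator, secret):
        raise ValueError("Access-Accept failed Response Authenticator check")
    tun = decode_tunnel_attributes(parse_attributes(packet[20:]))
    if TUNNEL_PRIVATE_GROUP_ID not in tun:
        return default_profile
    try:
        return ssid_profiles.get(int(tun[TUNNEL_PRIVATE_GROUP_ID]))
    except ValueError:
        return None


# Lab values: the Class-EAP-X SSID with its two user profiles
LAB_SECRET = b"aerohive123"
LAB_PROFILES = {1000: "Employee-Default-X", 10: "Employee-X"}


def demo(profile_attr=10, server_secret=LAB_SECRET):
    """Server side builds the reply with server_secret; the AP verifies with the lab secret."""
    req_auth = os.urandom(16)   # Request Authenticator taken from the Access-Request
    accept = build_access_accept(0x2A, req_auth, server_secret,
                                 user_profile_attributes(profile_attr))
    return select_user_profile(accept, req_auth, LAB_SECRET, LAB_PROFILES, "Employee-Default-X")


if __name__ == "__main__":
    print(demo(10), demo(1000), demo(50))   # Employee-X Employee-Default-X None
```

Two things the lab GUI hides are visible here: the AP can only trust the returned attribute because the Response Authenticator ties the Access-Accept to the shared secret (which is why the RADIUS Test tool needs the right AP selected as RADIUS client), and an attribute value the SSID does not define is not an error at the RADIUS layer at all, only at the user profile lookup, which is exactly where the "Invalid User Profile Returned" alarm is raised.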
Client Monitor for 802.1X/EAP: Example of an Invalid User Account
Reading the Client Monitor output from top to bottom:
• The TLS negotiation uses the RADIUS server certificate; the entry shows the IP address of the RADIUS server
• Once the TLS tunnel is established, you know the AAA certificates were installed correctly and the server certificate validation performed by the client passed
• The failure that follows means the user is not in the user database. View the AAA server settings, ensure the correct user group is selected and that the Aerohive AP is configured as a RADIUS server, then update the configuration of the Aerohive AP.

Client Monitor: Troubleshooting 802.1X
Client Monitor is the right tool for troubleshooting 802.1X/EAP problems. More information can be found at:
http://blogs.aerohive.com/blog/the-wireless-lan-training-blog/troubleshooting-wi-fi-connectivity-with-hivemanager-tools

RADIUS Test Built Into HiveManager
To test a RADIUS account:
• Go to Tools > Server Access Tests > RADIUS Test
• RADIUS Server: 10.5.1.10
• Aerohive AP RADIUS Client: 0X-A-######
• Select RADIUS authentication server
• Username: user
• Password: Aerohive1
• Click Test
The test output also shows the attribute values returned by the RADIUS server, so you can confirm the user profile attribute before testing with a real supplicant.

RADIUS Proxy
Instructor Only: On the Hosted RADIUS Server, Verify the RADIUS Client Settings
• Set the RADIUS server to accept RADIUS messages from the MGT0 interface IP of every Aerohive device that functions as an authenticator
• This class uses: 10.5.2.0/24
• Shared Secret: aerohive123
NOTE: Use a stronger, randomly generated shared secret in real life; it is what authenticates RADIUS messages between the AP and the server.

RADIUS Proxy on Aerohive APs
• Aerohive devices can be RADIUS proxies
  › The other APs set their RADIUS server to the RADIUS proxy AP
  › The RADIUS proxy AP forwards the authentication requests to the external RADIUS server
  › A single RADIUS client entry (one IP) on the RADIUS server then covers all the APs that need to authenticate users
Topology in this lab:
• RADIUS Server: 10.5.1.10, with RADIUS client settings that permit 10.5.2.2/32
• AP RADIUS Proxy (also a RADIUS client): 10.5.2.2
• Remaining APs: RADIUS clients of the proxy
Note: Aerohive APs, switches, BR-200 branch routers and VA gateways can all function as a RADIUS proxy.

LAB: Using Hive Devices as a RADIUS Proxy
Lab Goals
• Define one Aerohive AP as a RADIUS proxy that forwards RADIUS packets to an external RADIUS server
• Avoid the RADIUS client licensing restrictions imposed by some RADIUS vendors
• Connect to the hosted PC and test the 802.1X/EAP authentication
• Troubleshoot any authentication problems with Client Monitor
• Verify user profile assignment using RADIUS attributes
Lab: Using Hive Devices as a RADIUS Proxy

1. Designate a RADIUS Proxy
• Click Configuration
• Expand Advanced Configuration
• Click Authentication
• Click RADIUS Proxy
• Click New

2. RADIUS Proxy Details
• Proxy Name: Proxy-X
• Click the + next to RADIUS Server
• Do NOT save yet

3. RADIUS Server Details
• RADIUS Name: RADIUS-Server-X
• Under Add New RADIUS Server, use the dropdown arrow and select 10.5.1.10
• Server Type: Auth/Acct
• Enter and confirm the Shared Secret: aerohive123
• Server Role: Primary
• Click Apply
• Click Save

4. RADIUS Proxy Details (Realms)
• Use the dropdown arrow next to Default under Realm Name to select RADIUS-Server-X as your RADIUS server
• Set the Realm Name to: ah-lab.local
• Ensure the Strip the Realm name from proxied access requests check box is selected
  › With this set, a User-Name such as user@ah-lab.local is forwarded to the RADIUS server as user
• Verify your settings
• Click Apply
• Do NOT save yet

5. RADIUS Proxy: No Need to Define RADIUS Clients
• Different realms can be routed to different RADIUS servers; for this lab, set all of them to RADIUS-Server-X
• Click Save
Note: When your APs and the AP RADIUS proxy are in the same hive, i.e. configured with the same hive name, you do not need to configure RADIUS clients on the AP RADIUS proxy, because the RADIUS client entries and shared secrets are generated automatically among the APs in a hive.
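The following is an added example, not HiveOS code and not part of the original course material. It spells out the realm logic configured in steps 4 and 5 above: how a proxy splits the User-Name into user and realm, routes the request to the server configured for that realm (falling back to the Default realm entry), and what "Strip the Realm name from proxied access requests" does to the forwarded User-Name. The server and realm names are the lab's; treating a Windows-style DOMAIN\user prefix as a realm, and the `route`/`split_nai` helper names, are assumptions of this example.

```python
"""Realm routing as a RADIUS proxy performs it (added example, not HiveOS code).
Splits the User-Name into user and realm, picks the upstream RADIUS server for
that realm, falling back to the Default realm when nothing matches, and strips
the realm from the forwarded User-Name when the proxy is configured to do so.
Server and realm names are the lab's; treating a Windows-style DOMAIN\\user
prefix as a realm is an assumption of this example."""


def split_nai(user_name):
    """Return (user, realm) for 'user@realm' or 'DOMAIN\\user'; realm is None when
    absent and is lower-cased for matching. Only the last '@' separates the realm,
    so 'first.last@example.com@ah-lab.local' belongs to realm ah-lab.local."""
    if "\\" in user_name:
        realm, _, user = user_name.partition("\\")
        return user, (realm.lower() or None)
    user, sep, realm = user_name.rpartition("@")
    if not sep:
        return user_name, None
    return user, (realm.lower() or None)


def route(user_name, realm_table, strip_realm=True):
    """realm_table maps lower-case realm -> server name; the key 'default' plays
    the role of HiveManager's Default realm entry. Returns (server, User-Name to
    forward). A realm that matches nothing goes to Default; with no Default
    configured the request cannot be proxied and LookupError is raised. When
    strip_realm is set, any realm that was present is removed before forwarding."""
    user, realm = split_nai(user_name)
    server = realm_table.get(realm) if realm else None
    if server is None:
        server = realm_table.get("default")
    if server is None:
        raise LookupError("no RADIUS server for realm %r and no Default realm" % realm)
    forwarded = user if (strip_realm and realm) else user_name
    return server, forwarded


# Lab configuration: both the ah-lab.local realm and Default go to RADIUS-Server-X
LAB_REALMS = {"ah-lab.local": "RADIUS-Server-X", "default": "RADIUS-Server-X"}

if __name__ == "__main__":
    for name in ("user@ah-lab.local", "user", "AH-LAB\\user"):
        print(name, "->", route(name, LAB_REALMS))
```

Stripping matters when the upstream server (here Active Directory behind the RADIUS server) knows the account as a bare `user`; a NetBIOS-style prefix such as `AH-LAB\user` yields the realm `ah-lab`, which does not match `ah-lab.local` and therefore falls back to the Default entry, so check in the RADIUS server log which form your supplicants actually send.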
6. Set the AP to be the RADIUS Proxy
• Go to Monitor > Access Points > Aerohive APs
• Check the box next to your X-A-###### AP
• Click the Modify button
• Under Optional Settings, expand Service Settings
• Assign Device RADIUS Proxy to: Proxy-X
• Click Save
Note: A RADIUS icon will appear next to your AP in the monitor view

7. Select Your Network Policy
To edit your SSID, go to Configuration:
• Select your Network Policy: WLAN-X and click OK

8. Define the AAA Client Profile
• Under Authentication, click RADIUS-X
• In Choose RADIUS, click New

9. Define the External RADIUS Server (Use the Proxy)
• RADIUS Name: RADIUS-Proxy-X
• IP Address/Domain Name: 10.5.2.X
• No other settings (including a shared secret) are needed as long as the APs are in the same hive
• Click Apply
• Click Save

10. Verify and Continue
• Ensure the Employee-Default-X and Employee-X user profiles are assigned to the Class-EAP-X SSID
• Click Continue, or click the bar, to go to Configure & Update Devices

11. Update the AP Configuration
In the Configure & Update Devices section:
• Select the Current Policy filter
• Check the box next to your AP: X-A-######
• Click Update

12. Update the AP Configuration
• Select Update Devices
• Select Perform a complete configuration update for all selected devices
• Click Update
• Click OK in the Reboot Warning window
For this class, ALL updates from this point should be complete configuration updates unless otherwise directed.

13. Update the AP Configuration
• Your new configuration will upload
• The AP will reboot
Configuring and Testing Your 802.1X Supplicant (Windows 7)

Lab: Testing 802.1X/EAP via RADIUS Proxy

1. Connect to the Secure Wireless Network
• From the bottom task bar, click the wireless network icon
• Click Class-EAP-X
• Click Connect

2. View Wireless Clients
• After associating with your SSID, you should see your connection in the active clients list in HiveManager
  › Go to Monitor > Clients > Wireless Clients
• User Name: DOMAIN\user
• User Profile Attribute: 10
• VLAN: 10
The result should match the earlier direct-to-RADIUS test: the proxy only forwards the exchange, so the same user profile attribute is returned.
Generate Aerohive AP RADIUS Server Certificates
Required when Aerohive APs are configured as RADIUS servers or VPN servers

HiveManager Root CA Certificate: Location and Uses
• This root CA certificate is used to:
  › Sign the CSR (certificate signing request) that HiveManager creates on behalf of the AP acting as a RADIUS or VPN server
  › Validate Aerohive AP certificates on remote clients: 802.1X clients (supplicants) need a copy of the CA certificate in order to trust the server certificates on the Aerohive AP RADIUS server(s)
• Root CA cert name: Default_CA.pem
• Root CA key name: Default_key.pem
Note: The CA private key is only ever used by, and visible to, HiveManager
• To view certificates, go to Configuration > Advanced Configuration > Keys and Certificates > Certificate Mgmt

Use the Existing HiveManager CA Certificate, Do Not Create a New One!
• For this class, please do not create a new HiveManager CA certificate; doing so would invalidate every certificate previously signed by the old CA.
• On your own HiveManager, you can create your own HiveManager CA certificate by going to Configuration > Advanced Configuration > Keys and Certificates > HiveManager CA
Only the Super User admin should have the access rights to create the root HiveManager CA certificate.

LAB: Aerohive Device Server Certificates

1. Generate the Server Certificate (CSR)
• Go to Configuration > Advanced Configuration > Keys and Certificates > Server CSR
• Common Name: server-X
• Organizational Name: Company
• Organization Unit: Department
• Locality Name: City
• State/Province: <2 characters>
• Country Code: <2 characters>
• Email Address: userX@ah-lab.com
• Subject Alternative Name, User FQDN: userX@ah-lab.com
  › Note: This lets you add an extra step of validating the User FQDN in the certificate during IKE phase 1 for IPsec VPN. The Aerohive AP then needs both a validly signed certificate and the correct User FQDN.
• Key Size: 2048
• Password & Confirm: aerohive123 (this password protects the private key file)
• CSR File Name: AP-X
• Click Create

2. Sign and Combine
• Select Sign by HiveManager CA
  › The HiveManager CA will sign the Aerohive AP server certificate
  › The other option sends the signing request to an external certification authority
• The validity period should be the same as or less than the number of days the HiveManager CA certificate remains valid: a server certificate that outlives its issuer fails chain validation once the CA certificate expires
  › Enter the Validity: 3650 (approximately 10 years)
• Check Combine key and certificate into one file
  › Enabling this setting helps prevent certificate and key mismatches when configuring the RADIUS settings
• Click OK

3. View the Certificate and Key File
• To view certificates, go to Configuration > Advanced Configuration > Keys and Certificates > Certificate Mgmt
• The combined certificate and key file name is: AP-X_key_cert.pem
• QUIZ: Which CA signed this Aerohive AP server certificate? Which devices need the CA's public certificate installed?
Aerohive AP RADIUS Server With Active Directory Integration

Aerohive Devices as RADIUS Servers
Roles in the topology:
• Wi-Fi clients: supplicants (EAP requests)
• AP RADIUS clients: authenticators (RADIUS communications to the AP RADIUS servers)
• Primary and backup AP RADIUS servers: authentication servers (LDAP queries to Active Directory at 10.5.1.10)
Aerohive devices can be configured as RADIUS servers and can fully integrate with any LDAP directory, including Active Directory.

LAB: Aerohive Devices as RADIUS Servers
Lab Goals
• Configure an Aerohive AP as a RADIUS server to perform all the 802.1X/EAP operations
• Aerohive devices that function as RADIUS servers will be joined to the AD domain in order to:
  › Let the Aerohive APs perform local 802.1X/EAP processing
  › Allow the Aerohive AP to access the AD user store in order to authenticate users
  › Allow the Aerohive AP to cache credentials in case the AD server is not accessible
Note: Aerohive APs, switches, BR-200 branch routers and VA gateways can all function as a RADIUS server
• During the configuration, one Aerohive device is selected as the RADIUS server used to:
  › Obtain domain information
  › Join the Aerohive AP to the domain (this performs the actual join operation for that AP)
  › Test user authentication
  › Perform LDAP browsing operations
• Connect to the hosted PC and test the 802.1X/EAP authentication
• Troubleshoot any authentication problems with Client Monitor
• Verify user profile assignment using LDAP attributes
Creating a Delegated Administrator for Joining Aerohive AP RADIUS Servers to the Domain

Two Domain Accounts Needed
• Aerohive AP Admin Account: used to join Aerohive APs to the domain
• LDAP Query Account: used by the Aerohive AP that functions as a RADIUS server to perform LDAP queries
Neither account needs to be a Domain Admin: the join account gets delegated rights on the Computers OU only, and the query account is a standard domain user.

Create a New Active Directory Aerohive AP Administrator (Instructor Only)
On the Windows 2008 AD server:
• In your domain, select Users, right click and select New > User
  Note: The name used in this example is not relevant; you can use any name
• First Name: HiveAP
• Last Name: Admin
• Full Name: HiveAPAdmin
• User Logon: hiveapadmin@ah-lab.local
• Click Next
• Enter a Password: Aerohive1
• Confirm Password: Aerohive1
• Uncheck User must change password at next logon
• Uncheck User cannot change password
• Check Password never expires
• Uncheck Account is disabled
• Click Next
• Click Finish
Note: Password never expires is a lab convenience. In production treat this as a service account: give it a long random password and rotate it, because HiveManager stores the password when you save credentials for automatic domain joins.

Aerohive AP Administrator Group Membership
• Locate and double click the new Aerohive AP Admin
• Click Member Of
Note: Here you can see that the Aerohive AP Admin only needs to be a member of Domain Users

Delegate Control of the Computers OU to the Aerohive AP Admin (Instructor Only)
• Right click the Computers OU and select Delegate Control...
• Welcome to the Delegation of Control Wizard
  › Click Next
• Users or Groups
  › Click Add
  › Type Aerohive AP Admin
  › Click OK
  › Click Next
• Tasks to Delegate
  › Select Create a custom task to delegate
  › Click Next
• Active Directory Object Type
  › Select Computer objects and leave the rest of the default settings
  › Check Create selected objects in this folder
  › Click Next
• Permissions
  › Check Read
  › Check Write
  › Leave the rest of the default settings
  › Click Next
• Click Finish
Configure an Aerohive AP as a RADIUS Server

Lab: Aerohive Devices as RADIUS Servers

1. Select Your Network Policy
To edit your SSID, go to Configuration:
• Select your Network Policy: WLAN-X and click OK

2. Modify Your AP Settings
To configure the Aerohive AP as a RADIUS server:
• Click Continue to go to Configure & Update Devices
• Select the Filter: Current Policy
• Click the link for your Aerohive AP: 0X-A-######

3. Deselect the Proxy Object
• Under Optional Settings, expand Service Settings
• Next to Device RADIUS Proxy, deselect the proxy object created in the previous lab

4. Create an Aerohive AP RADIUS Service Object
• Under Optional Settings, expand Service Settings
• Next to Device RADIUS Service, click +

5. Define the RADIUS Service Object
• Name: AP-RADIUS-X
• Expand Database Settings
• Uncheck Local Database
• Check External Database
• Under Active Directory, click + to define the RADIUS Active Directory integration settings

6. Select an Aerohive AP to Test AD Integration
• Name: AD-X
• Aerohive AP for Active Directory connection setup: select your Aerohive AP, 0X-A-######
  › This AP will be used to test Active Directory integration
  › Once this Aerohive AP is configured for AD setup, it can be used as a template for configuring other Aerohive AP RADIUS servers with Active Directory integration
• The IP settings for the selected Aerohive AP are gathered and displayed

7. Modify the DNS Settings for the Test Aerohive AP
• Set the DNS server to: 10.5.1.10
  › This DNS server should be the Active Directory DNS server or an internal DNS server that can resolve the Active Directory domain; Active Directory clients locate domain controllers through DNS SRV records, so the domain must be resolvable from the AP
• Click Update
  › This applies the DNS settings to the Network Policy and to the Aerohive AP so that it can test Active Directory connectivity

8. Specify the Domain and Retrieve Directory Information
• Domain: ah-lab.local
• Click Retrieve Directory Information
  › The Active Directory server IP will be populated, as well as the BaseDN used for LDAP user lookups

9. Join the Domain
• Domain Admin: hiveapadmin (the delegated admin created earlier, not a member of Domain Admins)
• Password and Confirm Password: Aerohive1
• Check Save Credentials
• Click Join
NOTE: By saving credentials you can automatically join APs to the domain without manual intervention. Because the password is stored, the join account should carry only the delegated rights it needs.

10. Specify a User to Perform LDAP User Searches
• Domain User: user@ah-lab.local (a standard domain user)
• Password and Confirm Password: Aerohive1
• Click Validate User
  › You should see the message: The user was successfully authenticated.
  › These user credentials are retained and used to perform LDAP searches to locate user accounts during authentication.

11. Save the AD Settings
• Click Save

12. Save the RADIUS Settings
• Select AD-X with priority: Primary
• Click Apply (please make sure you click Apply)
• Do not save yet

13. Enable Credential Caching
Enable the AP RADIUS server to cache user credentials, so that a user who has previously authenticated can still authenticate when the AD server is not reachable:
• Check Enable RADIUS Server Credential Caching
• Expand RADIUS Settings
• Do not save yet

14. Assign the New Aerohive AP Server Certificate
Assign the newly created AP server certificate and key to the Aerohive AP RADIUS server:
• CA Cert File: Default_CA.pem
• Server Cert File: AP-X_key_cert.pem
• Server Key File: AP-X_key_cert.pem (the combined file holds both the certificate and the key)
• Key File Password & confirm password: aerohive123
• Click Save

15. Save the AP Settings
• Ensure that the Aerohive AP RADIUS Service is set to: AP-RADIUS-X
• Click Save
NOTE: Your Aerohive AP will display an icon showing that it is a RADIUS server
SSID for 802.1X/EAP Authentication Using Aerohive AP RADIUS With AD Kerberos Integration

Lab: Aerohive Devices as RADIUS Servers (SSID)

1. Edit Your WLAN Policy and Add an SSID Profile
Configure an SSID that uses 802.1X/EAP with AD (Kerberos) integration:
• Select the Configure Interfaces & User Access bar
• Next to SSIDs, click Choose
• In Choose SSIDs, select New

2. Configure an 802.1X/EAP SSID
• Profile Name: Class-AD-X
• SSID: Class-AD-X
• Under SSID Access Security, select WPA/WPA2 802.1X (Enterprise)
• Click Save

3. Select the New Class-AD-X SSID
• Click to deselect the Class-EAP-X SSID
• Ensure the Class-AD-X SSID is selected (highlighted)
• Click OK

4. Create an AAA RADIUS Client Object
• Under Authentication, click <RADIUS Settings>
• In Choose RADIUS, click New

5. Define the RADIUS Server (the AP RADIUS Service)
• RADIUS Name: AP-RADIUS-X
• IP Address/Domain Name: 10.5.2.X
• Leave the Shared Secret empty
  › NOTE: When the Aerohive AP is a RADIUS server, APs in the same hive automatically generate a shared secret.
• Click Apply
• Click Save

6. Select User Profiles
• Verify that under Authentication, AP-RADIUS-X is assigned
• Under User Profile, click Add/Remove

7. Assign the User Profile as the Default for the SSID
• With the Default tab selected, select (highlight) the Employee-Default-X user profile
  › IMPORTANT: This user profile is assigned if no user profile attribute is returned from RADIUS after successful authentication, or if attribute value 1000 is returned.
• Click the Authentication tab

8. Assign the User Profile to be Returned by RADIUS Attribute
• In the Authentication tab, select (highlight) Employee-X
  › NOTE: The user profile attribute is shown in parentheses after the user profile name
• Click Save

9. Verify and Continue
• Ensure the Employee-Default-X and Employee-X user profiles are assigned to the Class-AD-X SSID
• Click Continue

10. Update the AP Configuration
In the Configure & Update Devices section:
• Select the Current Policy filter
• Check the box next to your AP: X-A-######
• Click Update

11. Update the AP Configuration
• Select Update Devices
• Select Perform a complete configuration update for all selected devices
• Click Update
• Click OK in the Reboot Warning window
For this class, ALL updates from this point should be complete configuration updates unless otherwise directed.

12. Update the AP Configuration
• Your new configuration will upload
• The AP will reboot
Additional Aerohive AP AD Integration Information

Optional: Verify the Aerohive AP Time From the CLI
Kerberos, and therefore the domain join and user authentication, fails if the AP clock drifts too far from the domain controller's, so check the time from the CLI of the Aerohive AP:
    # show time
    Timezone: GMT-8
    # show clock
    2011-07-13 11:14:45 Wednesday

Joining Aerohive APs to Active Directory (Computer OU = Wireless/Aerohive APs)
• From the AD server, open Active Directory Users and Computers, select the Computers OU and click Refresh to see when the Aerohive AP joins the domain; the computer object carries the hostname of your Aerohive AP
• If you specified an Active Directory administrator account in the AAA User Directory Settings, the Aerohive AP will automatically add itself to the domain
• If you did not specify an Active Directory administrator, you will have to add your Aerohive AP to the domain manually, much as you would add a computer

Join an Aerohive AP RADIUS Server to the Domain
Note: you performed this step for your Aerohive AP in the configuration; here is how you do it for the rest of the Aerohive AP RADIUS servers in your network.
• Go to Tools > Server Access Tests > AD/LDAP Test
• Select RADIUS Server: X-A-######
• Select Test joining the Aerohive AP to an Active Directory domain
• Active Directory Domain: Primary
• User Name: hiveapadmin
• Password: Aerohive1
• Click Test

Troubleshooting: Joining an Aerohive AP to a Domain
The test output shows that the Aerohive AP has failed to join the domain.
• Possible cause: The account does not have privileges to add a computer (the Aerohive AP) to this OU
• Solution: Use an account that has the required privileges on this OU; preferably delegate the Create Computer objects right on the OU to the join account, as shown earlier, rather than falling back to a more privileged administrator
• Possible cause: The Aerohive AP was previously added to a different OU, and this account does not have privileges to remove the other entry
• Solution: Delegate administration of that OU to the selected account so it can remove and re-add the computer object

The test output shows that the Aerohive AP time is not accurate.
• Possible cause: The NTP server settings have not been configured on the Aerohive AP
• Solution: Configure the NTP server settings by going to your WLAN Policy > Management Services > NTP Server. Kerberos rejects requests whose timestamp differs from the domain controller's clock by more than the permitted skew (5 minutes by default in Active Directory), so the AP must be time-synchronized before it can join the domain or authenticate users.

Test the User Account for Your Hosted PC
• Select RADIUS Server: 0X-A-######
• Select Test Aerohive AP credentials for Active Directory Integration
• User Name: user
• Password: Aerohive1
• Click Test
The result shows that Kerberos authentication passed for the user.
190. CLIENT ACCESS PREPARATION - DISTRIBUTING CA CERTIFICATES TO WIRELESS CLIENTS

191. LAB: Exporting CA Cert for Server Validation – 1. Go to HiveManager from the Remote PC
• From the VNC connection to the hosted PC, open a local connection to HiveManager
• HiveManager: 10.5.1.20
• Login with: adminX
• Password: aerohive123
NOTE: You are accessing HiveManager via the PC's Ethernet connection

192. LAB: Exporting CA Cert for Server Validation – 2. Download Default CA Certificate to the Remote PC
NOTE: The HiveManager Root CA certificate should be installed on the client PCs that will be using the RADIUS service on the Aerohive APs for 802.1X authentication
• From the Remote PC, go to Configuration → Advanced Configuration → Keys and Certificates → Certificate Mgmt
• Select Default_CA.pem
• Click Export

193. LAB: Exporting CA Cert for Server Validation – 3. Rename HiveManager Default CA Cert
• Export the public root Default_CA.pem certificate to the Desktop of your hosted PC
› This is NOT your Aerohive AP server certificate; this IS the HiveManager public root CA certificate
• Rename the extension of the Default_CA.pem file to Default_CA.cer
› This way, the certificate will automatically be recognized by Microsoft Windows
• Click Save
Make the certificate name: Default_CA.cer; Save as type: All Files

194. LAB: Exporting CA Cert for Server Validation – 4. Install HiveManager Default CA Cert
• Find the file that was just exported to your hosted PC
• Double-click the certificate file on the Desktop: Default_CA
• Click Open
• Click Install Certificate
Issued to: HiveManager. This is the name of the certificate if you wish to find it in the certificate store, or if you want to select it in the Windows supplicant PEAP configuration.

195. LAB: Exporting CA Cert for Server Validation – 1. Finish certificate installation
• In the Certificate Import Wizard, click Next
• Select ☑ Place all certificates in the following store
• Click Browse

196. LAB: Exporting CA Cert for Server Validation – 2. Select Trusted Root Certification Authorities
• Click Trusted Root Certification Authorities
• Click OK
• Click Next

197. LAB: Exporting CA Cert for Server Validation – 3. Finish Certificate Import
• Click Finish
• Click Yes
• Click OK

198. LAB: Exporting CA Cert for Server Validation – 4. Verify certificate is valid
• Click OK to close the certificate
• Double-click Default_CA to reopen the certificate
• You will see that the certificate is valid, with a start date and an end date
• Click the Details tab

199. LAB: Exporting CA Cert for Server Validation – 5. View the Certificate Subject
• In the Details section, view the certificate Subject
• This Subject, HiveManager, is what will appear in the list of trusted root certification authorities in your supplicant, configured later in this lab.
(Screenshot: Protected EAP (PEAP) Properties in the supplicant, the 802.1X client)
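The same checks steps 4 and 5 have you make in the Windows certificate viewer, done in code: the following is an added example (not HiveManager or Aerohive code) that parses an exported PEM certificate with only the Python standard library and reports its Subject CN, validity window, and whether it is self-signed, which is how you tell the HiveManager root CA from the AP's "server-2" server certificate before installing it as a trusted root. The sample_pem() helper, the HiveManager/server-2 names used for the samples and the dates are constructed stand-ins (no real key or signature) so the example runs offline; inspect_pem() works the same on a real Default_CA.pem.

```python
"""Added example, not HiveManager or Aerohive code: check an exported PEM
certificate with the standard library only, confirming what lab steps 4 and 5
have you check in the Windows viewer (validity dates, Subject CN "HiveManager")
plus one thing the viewer shows less directly: that the file is the self-signed
root CA, not the AP's server certificate. The certificates built by sample_pem()
are constructed stand-ins (no key, no signature) so this runs offline."""
import base64
import datetime as dt
import ssl

OID_COMMON_NAME = b"\x55\x04\x03"  # id-at-commonName (2.5.4.3)


def der_read(data, pos=0):
    """Decode one DER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def der_children(value):
    """Split the body of a SEQUENCE/SET into its (tag, value) elements."""
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        items.append((tag, val))
    return items


def name_cn(name_value):
    """Name ::= SEQUENCE OF RDN, RDN ::= SET OF SEQUENCE { type OID, value }."""
    for _, rdn in der_children(name_value):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            if oid == OID_COMMON_NAME:
                return val.decode("utf-8")
    return None


def parse_time(tag, value):
    """UTCTime (tag 0x17, YYMMDD...) or GeneralizedTime (tag 0x18, YYYYMMDD...)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(value.decode("ascii"), fmt)


def inspect_pem(pem, now=None):
    """Return the fields to verify before trusting the file as a root CA."""
    now = now or dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)
    _, cert, _ = der_read(ssl.PEM_cert_to_DER_cert(pem))   # Certificate SEQUENCE
    _, tbs = der_children(cert)[0]                           # tbsCertificate
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                                 # optional [0] version
        fields = fields[1:]
    _serial, _sig_alg, issuer, validity, subject = fields[:5]
    not_before, not_after = (parse_time(t, v) for t, v in der_children(validity[1]))
    return {
        "subject_cn": name_cn(subject[1]),
        "issuer_cn": name_cn(issuer[1]),
        "self_signed": subject[1] == issuer[1],  # root CA; an AP server cert differs
        "not_before": not_before,
        "not_after": not_after,
        "valid_now": not_before <= now <= not_after,
    }


def der_write(tag, body):
    """Encode one DER TLV; used only to build the constructed samples below."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length_bytes = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def sample_pem(subject_cn, issuer_cn, not_before, not_after):
    """Constructed certificate-shaped PEM: placeholder key and empty signature."""
    def name(cn):
        atv = der_write(0x06, OID_COMMON_NAME) + der_write(0x0C, cn.encode())
        return der_write(0x30, der_write(0x31, der_write(0x30, atv)))

    def utc(t):
        return der_write(0x17, t.strftime("%y%m%d%H%M%SZ").encode())

    alg = der_write(0x30, der_write(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    tbs = (der_write(0xA0, der_write(0x02, b"\x02"))        # version v3
           + der_write(0x02, b"\x01") + alg                   # serial, signature alg
           + name(issuer_cn)
           + der_write(0x30, utc(not_before) + utc(not_after))
           + name(subject_cn)
           + der_write(0x30, b""))                            # SubjectPublicKeyInfo placeholder
    cert = der_write(0x30, der_write(0x30, tbs) + alg + der_write(0x03, b"\x00"))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode()
            + "-----END CERTIFICATE-----\n")


# Constructed samples mirroring the lab: the HiveManager root CA, and the AP's
# "server-2" certificate that HiveManager issued (the one NOT to install as a root).
HIVEMANAGER_CA_SAMPLE = sample_pem("HiveManager", "HiveManager",
                                   dt.datetime(2014, 1, 1), dt.datetime(2034, 1, 1))
AP_SERVER_CERT_SAMPLE = sample_pem("server-2", "HiveManager",
                                   dt.datetime(2014, 1, 1), dt.datetime(2016, 1, 1))
```

To check a real export, read Default_CA.pem into a string and pass it to inspect_pem(); "self_signed" should be True and "subject_cn" should be HiveManager.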
200. QUESTIONS?

201. CONFIGURING AND TESTING YOUR 802.1X SUPPLICANT – For Windows 7 Supplicants

202. Lab: Testing AP-RADIUS w/ AD Integration – 1. Connect to Secure Wireless Network
On the hosted PC, from the bottom task bar, click the wireless networks icon
• Click Class-AD-X
• Click Connect
• A Windows security alert should appear; click Details to verify this certificate is from HiveManager, then click Connect
server-2 is the AP certificate, and HiveManager is the trusted CA

203. Lab: Testing Aerohive AP RADIUS w/ AD Integration – 2. Connect to Secure Wireless Network
On the hosted PC, from the bottom task bar, click the wireless networks icon
• Click Class-AD-X
• Click Connect
• Click Use my Windows user account

204. Lab: Testing Aerohive AP RADIUS w/ AD Integration – 3. Connect to Secure Wireless Network
• When prompted about the server certificate, click Connect
• Notice that you are now connected (this may take a few moments)

205. Lab: Testing AP-RADIUS w/ AD Integration – 4. View Active Clients
• After associating with your SSID, you should see your connection in the active clients list in HiveManager
› Go to Monitor → Clients → Wireless Clients
• IP Address: 10.5.8.#
• User Name: DOMAIN\user
• VLAN: 8
• User Profile Attribute: 1000
NOTE: User Profile Attribute 1000 is the Employee-Default-X user profile for the SSID. This user profile is being assigned because no User Profile Attribute value was returned from RADIUS.

206. QUESTIONS?
207. MAPPING ACTIVE DIRECTORY MEMBEROF ATTRIBUTE TO USER PROFILES

208. Aerohive AP as a RADIUS Server – Using AD memberOf for User Profile Assignment
• In your WLAN policy, you defined an SSID with two user profiles
› Employee-Default-X – set if no RADIUS attribute is returned
» This user profile, for example, is for general employee staff, and they get assigned to VLAN 8
› Employee-X – set if a RADIUS attribute is returned
» This user profile, for example, is for privileged employees, and they get assigned to VLAN 10
• Because the Aerohive AP RADIUS server is using AD to authenticate the users, and AD does not return RADIUS attributes, how can we assign users to different user profiles?
• Though AD does not return RADIUS attributes, it does return other attribute values, like memberOf, which is the list of AD groups to which the user belongs

209. Instructor Only: Confirm User is a member of the Wireless AD Group
• Right-click the username "user" and click Properties
• Click on the Member Of tab
• Each user account should be assigned to the Wireless AD group

210. Lab: Use AD to Assign User Profile – 1. Map memberOf attribute to user profile
• From Configuration → Advanced Configuration → Authentication → Aerohive AAA Server Settings
• Click on the AP-RADIUS-X link

211. Lab: Use AD to Assign User Profile – 2. Map memberOf attribute to user profile
• Expand Database Settings
• Check ☑ LDAP server attribute mapping
• Select ☑ Manually map LDAP user groups to user profiles
• LDAP User Group Attribute: memberOf
• Domain: dc=AH-LAB,dc=LOCAL
• Click + to expand the LDAP tree

212. Lab: Use AD to Assign User Profile – 2. Add AD group to User Profile mapping
• Expand the tree structure to locate the group
› Expand CN=Users
› Select CN=Wireless
• For Maps to, from the drop-down list, select the user profile: Employee-X
• Click Apply
• The mapping appears below the LDAP directory
• Click Save
Click the LDAP group → map the group to Employee(10)-X

213. Lab: Use AD to Assign User Profile SSID – 3. Update the configuration of your Aerohive AP
Go to Configuration
• Select your Network Policy: WLAN-X and click OK
• Click on the Continue button to go to the Configure and Update Devices panel

214. Lab: Use AD to Assign User Profile SSID – 4. Update the configuration of your Aerohive AP
In the Configure & Update Devices section
• Select the Current Policy filter
• Check the box next to your AP: X-A-######
• Click Update

215. Lab: Use AD to Assign User Profile SSID – 5. Update the configuration of your Aerohive AP
• Select Update Devices
• A complete upload is not needed this time
• Click Update

216. Lab: Use AD to Assign User Profile SSID – 6. Delta Upload
• The delta configuration will upload

217. Lab: Use AD to Assign User Profile SSID – 7. Disconnect and Reconnect to the Class-AD SSID
To test the mapping of the memberOf attribute to your user profile
• Disconnect from the Class-AD-X SSID
• Connect to the Class-AD-X SSID

218. Lab: Use AD to Assign User Profile SSID – 8. Disconnect and Reconnect to the Class-AD SSID
To test the mapping of the memberOf attribute to your user profile
• Disconnect from the Class-AD-X SSID
• Connect to the Class-AD-X SSID

219. Lab: Use AD to Assign User Profile SSID – 9. Verify your active client settings
• From Monitor → Clients → Wireless Clients
› Your client should now be assigned to
» IP Address: 10.5.10.#
» User Profile Attribute: 10
» VLAN: 10
NOTE: In the previous lab, without the LDAP group mapping, the user was assigned to attribute 1000 in VLAN 8

220. QUESTIONS?
221. AEROHIVE CLIENT MANAGEMENT – Aerohive's Instructor-led Training

222. Is the device a Corporate or Personally owned client?
Can you tell the difference between these two iPads?
Company Issued Device
• Owned and managed by IT
• Provided for a specific purpose
• Enables new working models
Personal Device
• Employee-owned and managed
• Wide range of potential devices
• Improves employee satisfaction and productivity

223. How Aerohive Solves the Problem (diagram: HiveManager with Client Management)
1. Mobile user connects to corporate SSID with username and password
2. User is authenticated against Active Directory or other user store such as LDAP
3. AP checks to see if device is already enrolled with HiveManager client management
4. Device is checked against a list of known corporate devices (MAC addresses) imported by IT admin
5. If device is not enrolled, it is redirected to enrollment URL to acquire a custom device certificate and secure profile based on whether it is a personal or corporate issued device in the MAC address list
6. Device is reconnected to the SAME SSID with a custom device certificate
7. Policy is applied based on all available context, including: identity, device type, device ownership, location, and time

224. Client Management Concepts – Company Issued or Bring Your Own Device (BYOD)?
• Is a device a Company Issued Device (CID), or is the device brought from home, Bring Your Own Device (BYOD)?
• Enter MAC addresses of devices to automatically select Company Issued Devices
• Or let the user decide during enrollment

225. Client Management Concepts – User profile reassignment options
• Client Management automatically detects and reassigns devices to new user profiles based upon BYOD or CID ownership.
• BYOD or CID ownership applies to iOS, MacOS, Android and Chromebook devices.
• Policy decisions can be made based on OS and domain for user profile reassignment of other operating systems such as Windows or Blackberry.
Note: You can still mix in other devices that are not supported by Client Management

226. Client Management Overview
• Support for the following solutions:
› Single SSID based onboarding: requires 802.1X on the SSID
› Single SSID based onboarding for PPSK: requires an initial static PSK
› Two SSIDs based onboarding:
» Open (for provisioning)
» Second SSID using PPSK (for secured access)
• Supports both HMOL and on-premises HM
• Requires HiveOS 6.1r3 or later on APs
• Supports Mac OS X, iOS, Android devices and Chrome OS (Chromebooks)

227. Firewall Considerations by Device Type and Ports Used
Source                        | Destination                                        | Service (Protocol and Port)
Apple Client Devices          | Apple Push Notification Service (APNS) 17.0.0.0/8  | TCP 5223
Android & Chromebook Devices  | Google GCM Servers                                 | TCP 5223, 5229, 5330
HiveManager                   | Client Management Service (onboard.aerohive.com)   | HTTPS 443
Access Points                 | Client Management Service (onboard.aerohive.com)   | HTTPS 443
Access Points                 | Apple Push Notification Service (APNS) 17.0.0.0/8  | TCP 5223

228. Enable Client Management in HiveManager
• Enable Client Management
• Test is an HTTPS test to the Client Management cluster which verifies all Client Management services are working
• Do this for On-Premise and HMOL
• For On-Premise you will also have to retrieve the Customer ID

229. LAB: CLIENT MANAGEMENT USING 802.1X

230. Scenario
Your enterprise customer is using 802.1X/EAP security. Employees are permitted to bring their own devices to work to access the company network and Internet. The new requirements include:
• Company Issued Devices (CID) such as iPads will receive the Company profile.
• All mobile device cameras must be disabled for security purposes.
• Employee Personal Devices (BYOD) will receive the Personal profile.
• Employee Personal Devices will have a firewall policy that restricts access to corporate resources but allows access to a gateway to the Internet.
231. Lab: Client Management using 802.1X – 1. Edit the network policy
• Go to Configuration
• Select your Network Policy and click OK
• Click on the link for the Class-AD-X SSID

232. Lab: Client Management using 802.1X – 2. Enable client management
• Check ☑ Enable Client Management
• Click Save

233. Lab: Client Management using 802.1X – 3. Create a CID user profile
• User Profile: Add/Remove
• Click New

234. Lab: Client Management using 802.1X – 4. Create a BYOD user profile
• Name: BYOD-X
• Attribute: 800
• VLAN: 10
• Do NOT click Save yet

235. Lab: Client Management using 802.1X – 5. Assign a restrictive firewall policy
• Under Optional Settings, expand Firewalls
• IP Firewall Policy → From-Access → Guest-Internet Access Firewall Policy
• Default Action: Permit
• Click Save
• Click Save again

236. Note: Firewall Policy
The guest firewall policy is a default policy that can be used to keep BYOD devices away from the internal networks where corporate resources reside. Access to a gateway to the Internet can still be permitted.

237. Lab: Client Management using 802.1X – 6. Create a CID user profile
• Click New to create a CID user profile
• Name: CID-X
• Attribute Number: 200
• Default VLAN: 10
• Click Save
• Click Save again

238. Lab: Client Management using 802.1X – 7. Edit the Employee-X user profile
• Click the Employee-X user profile to edit it

239. Lab: Client Management using 802.1X – 8. Create a reassignment rule for the CID user profile
• Optional Settings: expand Client Classification Policy
• Check ☑ Enable user profile reassignment based on client classification rules
• Click New

240. Lab: Client Management using 802.1X – 9. Create a reassignment rule for the CID user profile
• Ownership: CID
• Reassigned User Profile: CID-X
• Click Apply
• Do NOT Save yet

241. Lab: Client Management using 802.1X – 10. Create a reassignment rule for the BYOD user profile
• Click New
• Ownership: BYOD
• Reassigned User Profile: BYOD-X
• Click Apply

242. Lab: Client Management using 802.1X – 11. Verify the reassignment rules
• Verify the reassignment rules
• Click Save

243. Lab: Client Management using 802.1X – 12. Verify the reassignment rules
• Expand the Employee-X user profile
• Click Add/Remove to activate the rules
All employees will authenticate via 802.1X/EAP and be assigned to VLAN 10. Employees will then use the correct device profile based upon their enrollment status.
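The two assignment mechanisms this course has now built, the LDAP group map on the AP-RADIUS server (slides 211-212: memberOf → Employee-X, default Employee-Default-X) and the client classification rules just created on Employee-X (ownership → CID-X or BYOD-X), traced end to end in an added example that is not Aerohive or HiveManager code. Profile names, attribute numbers, VLANs and the AD group DN are the lab's own; the memberOf lists, MAC addresses, corporate MAC list and the enrolled/not-enrolled flag are constructed inputs that stand in for what AD, the imported MAC list and Client Management would supply.

```python
"""Added example, not Aerohive or HiveManager code: the user-profile decision
path this lab builds, modelled offline so the two mechanisms can be traced
together: the LDAP group map on the AP-RADIUS server (memberOf -> Employee-X)
and the client classification rules on Employee-X (ownership -> CID-X/BYOD-X).
Profile names, attribute numbers, VLANs and the AD group DN are the lab's;
the memberOf lists, MAC addresses and corporate MAC list are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class UserProfile:
    name: str
    attribute: int
    vlan: int


EMPLOYEE_DEFAULT = UserProfile("Employee-Default-X", 1000, 8)  # no attribute from RADIUS
EMPLOYEE = UserProfile("Employee-X", 10, 10)                    # attribute via LDAP group map
CID = UserProfile("CID-X", 200, 10)
BYOD = UserProfile("BYOD-X", 800, 10)

# Lab step "Map memberOf attribute to user profile": AD group DN -> user profile.
LDAP_GROUP_MAP = {"CN=Wireless,CN=Users,DC=AH-LAB,DC=LOCAL": EMPLOYEE}

# Client classification rules created on Employee-X: ownership -> reassigned profile.
CLASSIFICATION_RULES = {"CID": CID, "BYOD": BYOD}


def normalize_dn(dn):
    """AD DNs are case-insensitive and tools differ on spacing after commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def profile_from_member_of(member_of):
    """What the AP-RADIUS server derives after AD authentication succeeds:
    the first memberOf group with a mapping wins; none -> SSID default profile."""
    mapping = {normalize_dn(dn): profile for dn, profile in LDAP_GROUP_MAP.items()}
    for group_dn in member_of:
        profile = mapping.get(normalize_dn(group_dn))
        if profile is not None:
            return profile
    return EMPLOYEE_DEFAULT


def normalize_mac(mac):
    """Accept 00:11:22:AA:BB:CC, 00-11-22-aa-bb-cc or 0011.22AA.BBCC."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


def classify_ownership(mac, corporate_macs, user_choice="BYOD"):
    """CID when the MAC is on the list IT imported; otherwise the user's own
    choice at enrollment, which the portal pre-selects as Personal (BYOD)."""
    known = {normalize_mac(m) for m in corporate_macs}
    return "CID" if normalize_mac(mac) in known else user_choice


def decide(member_of, mac, corporate_macs, enrolled, reassignment_enabled=True):
    """Return (action, profile): 'redirect' sends the device to the enrollment
    portal; 'access' admits it with the profile whose VLAN and firewall apply."""
    base = profile_from_member_of(member_of)
    if base != EMPLOYEE or not reassignment_enabled:
        return "access", base          # rules were added to Employee-X only
    if not enrolled:
        return "redirect", base        # flow step 5: not yet enrolled with CM
    ownership = classify_ownership(mac, corporate_macs)
    return "access", CLASSIFICATION_RULES[ownership]


# Constructed sample input for a walk-through (hypothetical MACs and group lists).
CORPORATE_MACS = ["00:11:22:AA:BB:CC"]
WIRELESS_MEMBER = ["CN=Wireless,CN=Users,DC=AH-LAB,DC=LOCAL",
                   "CN=Domain Users,CN=Users,DC=AH-LAB,DC=LOCAL"]
OTHER_STAFF = ["CN=Domain Users,CN=Users,DC=AH-LAB,DC=LOCAL"]

if __name__ == "__main__":
    for who, mac, enrolled in ((WIRELESS_MEMBER, "00-11-22-aa-bb-cc", False),
                               (WIRELESS_MEMBER, "00-11-22-aa-bb-cc", True),
                               (WIRELESS_MEMBER, "d4:f4:6f:00:00:01", True),
                               (OTHER_STAFF, "d4:f4:6f:00:00:01", True)):
        action, profile = decide(who, mac, CORPORATE_MACS, enrolled)
        print(f"{action:8} {profile.name:20} attr={profile.attribute} vlan={profile.vlan}")
```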
244. Lab: Client Management using 802.1X – 13. Enable the reassignment rules
• Check ☑ Enable user profile reassignment based on client classification rules
• Click Save

245. Lab: Client Management using 802.1X – 14. Enable the reassignment rules
• Click Continue to save the network policy and proceed to Configure and Update.

246. Lab: Client Management using 802.1X – 15. Edit your AP that is the RADIUS server
• Choose the Current Policy filter
• Click on the 0X-A-XXXX AP to modify the configuration.

247. Lab: Client Management using 802.1X – 16. Edit your AP that is the RADIUS server
• Optional Settings → expand Service Settings
• Next to the Device RADIUS Service, click the modify icon to edit your AP-RADIUS-X object.

248. Why new certificates?
• Client Management is a cloud-based onboarding solution that requires you to use the Client Management root certificate and server certificate and key file.
• These certificates can be used with any Aerohive device that functions as a RADIUS server.
• A third-party RADIUS server can be used for 802.1X with Client Management; however, you will need to export these same certificates and install them on the third-party RADIUS server.

249. Support for Third-Party Certificates
Client Management also supports the import of third-party certificates from an existing PKI.

250. Lab: Client Management using 802.1X – 17. Edit your AP that is the RADIUS server
• Expand Database Settings to select the client management certificates
• CA Cert File: ClientMgmt_CA.crt
• Server Cert File: ClientMgmt-Radius-Server_Crt.crt
• Server Key File: ClientMgmt-Radius-Server_key.pem
• Remove the passwords from the previous lab
• Click Save

251. Lab: Client Management using 802.1X – 18. Save the AP-specific settings
• Click Save

252. Lab: Client Management using 802.1X – 19. Upload the AP configuration
• Select ☑ your 0X-A-XXXX AP
• Click Update
• Click Update Devices

253. Lab: Client Management using 802.1X – 20. Upload the AP configuration
• Select ☑ Perform a complete configuration update
• Click Update
• Click OK
254. Lab: Client Management using 802.1X – 21. Configuring Client Management
• Click on the Configure Interfaces & User Access bar
• Click on Client Management
The Client Management link is a direct connection to configure Client Management profiles.

255. Lab: Client Management using 802.1X – 22. Configuring Client Management
• Username: cm#-admin@ah-lab.com, where # is the lab number 1, 2, 3, 4 or 5
• Password: Aerohive123

256. Lab: Client Management using 802.1X – 23. Configuring Client Management
• Click Configuration

257. Client Management Data in HiveManager
• Monitor → Clients → Active Clients or Wireless Clients
• New column to display Client Management enrollment
• Grey icon indicates the client is enrolled in CM

258. Client Management Data in HiveManager
• Hover over the icon and it changes to Aerohive yellow
• Click on the popup and the admin is redirected to the CM server monitor view for the client

259. Client Management Data in HiveManager
• Click on the MAC address of the enrolled client device to see Client Management information in HiveManager

260. Client Management Useful Information and Tips
• There are two core types of profiles:
› Enrollment profiles – these are the management profiles.
› Client profiles – these are the configuration profiles, i.e. Restrictions, ActiveSync, etc.
• The relationship between User Profiles and UPIDs is a many-to-one relationship.
• Do not overload a single profile; divide the load among individual profiles based upon type (Restrictions, Web Clip, etc.), each using the same attribute value.

261. Lab: Client Management using 802.1X – 24. Configuring a BYOD Client Profile
You will now create client profiles to match the BYOD-X and CID-X user profiles.
• Click New.

262. Lab: Client Management using 802.1X – 25. Configuring a BYOD Client Profile – camera removal
• Name: BYOD-X-No-Camera
• User Profile Attribute: 800
• Organization: Aerohive
• Security: User can remove profile
• Profile Lifetime on Client Devices: Do not delete the profile from the client device
• Click Restrictions

263. Lab: Client Management using 802.1X – 26. Enforcing Restrictions
• Turn ON Enforce Restrictions
• Uncheck ☐ Allow use of camera
• Click Save

264. Lab: Client Management using 802.1X – 27. Configuring a BYOD Client Profile – adding a Web Clip
• Name: BYOD-X-Web Clip
• User Profile Attribute: 800
• Organization: Aerohive
• Security: User can remove profile
• Profile Lifetime on Client Devices: Do not delete the profile from the client device
• Click Web Clips

265. Lab: Client Management using 802.1X – 28. Configuring a BYOD Client Profile – adding a Web Clip
• Label: Student-X-Video
• URL: http://bit.ly/1cKAzfA
• Options: Precomposed Icon
• Click Save

266. Lab: Client Management using 802.1X – 29. Verifying the BYOD Client Profiles
• Verify your BYOD-X client profile
• Click New

267. Lab: Client Management using 802.1X – 30. Creating a CID Client Profile
• Name: CID-X
• User Profile Attribute: 200
• Organization: Aerohive
• Security: User can remove profile
• Profile Lifetime on Client Devices: Do not delete the profile from the client device
• Click Restrictions

268. Lab: Client Management using 802.1X – 31. Enforcing Restrictions
• Turn ON Enforce Restrictions
• Do NOT uncheck ☑ Allow use of camera
• Click Save

269. Lab: Client Management using 802.1X – 32. Verifying Client Profiles
• Verify the BYOD and CID client profiles

270. iOS Client Profile Restrictions
Many more restrictions can be configured in your iOS Client Profiles.

271. iOS Client Profile Restrictions
Many more restrictions can be configured in your iOS Client Profiles.

272. iOS Client Profile Settings
• Other iOS client settings include
› VPN
› Exchange ActiveSync
› Web Clips
› CalDAV
› CardDAV
› Email

273. OPTIONAL CLIENT MANAGEMENT INSTRUCTOR DEMONSTRATION
Because our lab is in a remote location, we cannot test the client management lab. If time permits, the instructor will now demonstrate client management in class. Should students wish to participate with their personal devices in the demonstration, ensure that they select the BYOD profile. The Enrollment profile can be removed from their personal devices after class.
274. Lab: Client Onboarding Demo – 1. Connect to 802.1X SSID
On the instructor iOS device and/or student iOS devices:
• Go to Settings → Wi-Fi
• Click on the CM-802.1X-Demo SSID
• Username: demoX (where X = student number; the instructor is demo1)
• Password: aerohive123

275. Lab: Client Onboarding Demo – 2. Connect to the 802.1X SSID
• Click the Accept button to accept the certificate
• Verify that you are connected to the CM-802.1X-Demo SSID

276. Lab: Client Onboarding Demo – 3. Continue with client onboarding
• Open your browser and try to connect to a web site
• You will be redirected to the Client Management captive web portal for onboarding

277. Lab: Client Onboarding Demo – 4. Continue with client onboarding
Specify the device ownership
☑ Personal Devices (BYOD) will automatically be selected.
☐ Company-Issued Devices (CID) would automatically be selected if this device's MAC address is configured in Client Management.
• Check ☑ View and agree to the terms of use
• Click Enroll My Device

278. Lab: Client Onboarding Demo – 5. Continue with client onboarding – EXAMPLE
Specify the device ownership
☑ Company-Issued Devices (CID) will automatically be selected if the device's MAC address is already configured in Client Management.

279. Lab: Client Onboarding Demo – 6. Install the Client Enrollment profile
• The enrollment process will begin.
• Click the Install button to install the Enrollment Profile
• Read the disclaimer warning and click Install.
• Enter your device passcode if prompted.

280. Lab: Client Onboarding Demo – 7. Install the Client Enrollment profile
• Click Done and the selected profile will begin to install.

281. Lab: Client Onboarding Demo – 8. Install the Client Enrollment profile
• Client Management verifies and installs the Wi-Fi profile
• The device is successfully enrolled

282. Lab: Client Onboarding Demo – 9. Client is enrolled
• Browser begins redirection
• Redirection is completed

283. Lab: Client Onboarding Demo – 10. Client is enrolled
• During the onboarding process an Enrollment profile is installed.
• A Wi-Fi profile is installed.
• The needed certificate is installed.
• The client device disconnects and reconnects to the 802.1X SSID. This is not visible to the user.

284. Lab: Client Onboarding Demo – 11. Client is enrolled
• Go to Settings → General → Profiles
• Expand the profiles.
• Verify Certificates.
• Verify Restrictions.
• Verify that the camera icon is not on your device.

285. MONITORING

286. Verify enrolled clients in HiveManager
• Monitor → Clients → Wireless Clients
• All BYOD devices will be in VLAN 10 because CM sent attribute 800 to the AP and the user was assigned to the corresponding user profile
• All CID devices will be in VLAN 10 because CM sent attribute 200 to the AP and the user was assigned to the corresponding user profile

287. Monitor enrolled devices in Client Management
• From Home in Client Management you can view reported device data.
• Placing your cursor over a chart reveals more information.
• Clicking on a chart will take you to the location in Client Management from which the information was gathered.

288. Monitor enrolled devices in Client Management
• Go to Monitor → Clients
• Verify BYOD and CID ownership as prescribed.
• Click on any client's name for device-specific information and you are taken to Client Info for that device.

289. Monitor enrolled devices in Client Management
• Information reported from the client is displayed.
• View the enrolled client's settings
• The client location is based on the client's public IP address, not GPS location.

290. Monitor enrolled devices in Client Management
• Great detail about the client device is available.
• Scroll down
• Click on the Apps tab to view the installed applications of the client.
• Click through some of the other tabs to see more information about the client.

291. CUSTOMIZATION

Editor's notes

  • Through the Layer 3 roaming feature, wireless clients can roam between hive members in different subnets and maintain their original IP addresses and existing sessions. You can use the default Layer 3 roaming settings or modify them. Select the check box to make the neighbor Keepalives and roaming cache update options editable.

    Neighbor Keepalives

    Interval: Set the interval between the Keepalives that neighbors send to each other to indicate their continued presence on the network. The default Keepalive interval is 3600 seconds (1 hour). You can change the interval from 10 to 360,000 seconds (100 hours).
    Age out (Number of Missed Keepalives): Set the number of consecutive Keepalives from neighbor A that neighbor B must miss for B to determine that A is gone. Neighbor B then removes A from its list of neighbors. The default is 120 missed Keepalives. You can change the age out value from 2 to 1000.