AAWC-Class-3.5r1-rev

Uploaded by wartrashy, category Networks and Communications, 26 Oct 2013

2008

Confidential 2010

Advanced WLAN Configuration

Version 3.5r1



Copyright Notice


Copyright © 2010 Aerohive Networks, Inc. All rights reserved.



Aerohive Networks, the Aerohive Networks logo, HiveOS, HiveAP,
HiveManager, and GuestManager are trademarks of Aerohive
Networks, Inc. All other trademarks and registered trademarks are
the property of their respective companies.




Getting Started


Lab: Get Connected

1. Connect to the class WLAN

- Connect to the SSID: Class-Guest
- Network Key: aerohive123
- You should get an IP address in the 10.5.1.0/24 subnet

Classroom diagram:
- SSID: Class-Guest, Security: WPA/WPA2 Personal (PSK), Network Key: aerohive123
- Guest client on VLAN 1
- Classroom HiveAPs: WLAN Policy WLAN-Classroom, Mgt0 IP 10.5.1.N/24 on VLAN 1
- Client IP: 10.5.1.N/24, Gateway: 10.5.1.1
- Instructor PC and the Internet are reached through the gateway

Lab: Get Connected

2. Get the class files from the instructor

- From your PC, open a web browser and enter the URL: ftp://ftp:aerohive@10.5.1.? (ask the instructor for the IP address)
- Username: ftp
- Password: aerohive

You will find:
- Courseware (pptx files). If you do not have MS Office 2003 or later, please download a PPTX viewer from Microsoft.
- Topology map jpg images, used for the planning tool and topology map lab
- TightVNC. Please install the Viewer only; it is used to connect to a hosted PC.
- User files for Private PSK in CSV format, for the Private PSK lab
- PuTTY SSH client (if you don't have an SSH client already). SSHv2 is used to reach the console server that gives access to the CLI of your AP.

Lab: Get Connected

3. Connect to the hosted HiveManager

- Securely browse to HiveManager: https://training-hm1.aerohive.com or https://72.20.106.120
- Supported browsers: Firefox, Internet Explorer, Chrome
- Default login credentials:
  Login: adminX, where X = your Student ID (2-15)
  Password: aerohive123

Lab: Get Connected

4. Certificate error: continue to the website

- If prompted, accept the certificate permanently, add a security exception, or continue to the website. The hosted training HiveManager presents a certificate your browser does not trust; outside the classroom, a certificate warning on a management system should be investigated rather than clicked through.

Note: Do not perform the following operation in the classroom. In your own company you can import your own HiveManager certificate:
- Go to Home > Administration > HiveManager Services
- Check Update HTTPS Certificate
- You can generate a self-signed certificate or import a third-party certificate
- Click Update

Lab: Get Connected

5. Accept the license agreement

- Click Agree to the End User License Agreement

Lab: Get Connected

6. The dashboard appears

- From the dashboard you can get a summary of your WLAN
- The dashboard is customizable: click a widget's blue bar and drag to move the widget to a new location on screen; use the widget selector to choose which widgets to see; click the control at the edge to hide the left menu bar
- The dashboard is covered in more detail later in this course

HiveManager Help

HiveManager provides a rich and powerful online help
- Click Help... on the top menu bar to get a menu of the help options
- There is a help box on the right side of the guided configuration
- A link to Help also exists in the Start Here screen

Help System in HiveManager

If you click Help in the upper right hand corner of HiveManager, the menu offers:
- HiveManager Help: context sensitive help based on where you are when you select this option
- Settings: lets you specify a path to host the online help web pages locally on your network
- Videos and Guides: contains links to all Aerohive documentation (web-based help files; deployment, quickstart, and mounting guides; CLI reference guides) and computer-based training modules (online training). You can also download the web-based help system from here.
- Check for Updates: checks for Aerohive's latest code
- About HiveManager

Help: Context Sensitive

- Context sensitive help can be viewed in any configuration window
- By default your PC must be connected to the Internet to view the help files, unless you have downloaded them and hosted them on your own web server

Help: Navigation

- Global Search: search across the whole help system
- Click the home icon to go to the home page
- Search on Current Page: find words within the page being viewed

Help: Global Search

- You can enter multiple words for a global search
- Click the relevant section in the results
- The help is automatically expanded when the search strings are found. Each word in the list is highlighted in a different color.

Help: Search For Words Within Pages

- Search for an exact word or phrase match within a page
- This is a complete word match, not a partial word match
- Enter the word in the search box to highlight it on the page; the adjacent control adds or removes the highlighting

Help: Files Location

- Help files are referenced from the Internet
- If Internet access is not available where you manage your HiveManager, download the web-based help files from the Videos & Guides section of the help menu and store them on your own local web server
- Then, under Help > Settings, specify the path to your locally hosted help files and click Update

Creating a WLAN Policy and Managing HiveAPs

Getting Started

Connect To HiveManager (in case you walked in late!)

- Securely browse to HiveManager: https://training-hm1.aerohive.com or https://72.20.106.120
- Supported browsers: Firefox, Internet Explorer
- Default login credentials:
  Login: adminX, where X = your Student ID (2-15)
  Password: aerohive123

Access Your Hosted HiveAP

- Use PuTTY or your favorite SSH tool to SSH to training-console.aerohive.com, ports 7002 through 7015
- Student IDs are 2 through 15, so the SSH port number corresponds to the student ID: port 7000 + X (7002 through 7015)
- You will first see the Terminal Server login; just press Enter:
  Login as: <enter>
- Then log in to the HiveAP:
  X-A-001122 login: admin
  Password: aerohive123

Note: For Mac OS X or Linux use:
  ssh -l admin -p 700X training-console.aerohive.com
(for example -p 7002 for student 2; with OpenSSH the -p option must come before the host name)

Access Your Hosted HiveAP

- Use PuTTY or your favorite SSH tool to SSH to training-console.aerohive.com, ports 7022 through 7035
- Student IDs are 2 through 15, so the SSH port number corresponds to the student ID: port 7020 + X (7022 through 7035)
- You will first see the Terminal Server login; just press Enter:
  Login as: <enter>
- Then log in to the HiveAP:
  X-A-001122 login: admin
  Password: aerohive123

Note: For Mac OS X or Linux use:
  ssh -l admin -p 702X training-console.aerohive.com
(for example -p 7022 for student 2; with OpenSSH the -p option must come before the host name)

Set HiveManager Time Settings

Essential when generating certificates and when using Private PSK, Wireless VPN, User Manager, time-based authentication, and schedules

Set the Time and Time Zone (Instructor Only)

- Go to Home > Administration > HiveManager Settings
- For System Date/Time, click Settings

Set the Time and Time Zone (Instructor Only)

- Time Zone: <time zone of the HiveManager>
- Set the date/time manually or synchronize with an NTP server
- Click the save icon to save and update

Note: the HiveManager services will be restarted. After a minute, you can log back into HiveManager.

Quick Start: Aerohive Base WLAN Policy Creation

Lab: Create Base WLAN Policy

1. Add a new WLAN policy

- Go to Configuration > Guided Configuration > WLAN Policies
- Click New
- Enter a WLAN Policy Name: WLAN-X
- Go to the next slide

Lab: Create Base WLAN Policy

2. Create a New Hive

- Click + to create a new Hive
- Hive: Hive-X
- Modify Encryption Protection: select Automatically generate Password
- Save your Hive

Lab: Create Base WLAN Policy

3. Create an SSID

- WLAN Policy > SSID Profiles: click Add/Remove SSID Profile
- Click + to create a new SSID Profile
- Go to the next slide

Lab: Create Base WLAN Policy

4. Configure the SSID

SSID Profile
- Profile Name: Class-PSK-X
- SSID: Class-PSK-X
  Note: the profile name typically matches the SSID unless you want different settings for the same SSID in different locations.

SSID Access Security
- Select: WPA/WPA2 PSK (Personal)
- Use Default WPA/WPA2 PSK Settings
- Key Value: aerohive123
- Confirm Value: aerohive123

User Profile for Traffic Mgmt
- Click + to create a new user profile

IMPORTANT: For the SSID labs, please follow the class naming convention. SSIDs are broadcast over the air, so we do not want people to accidentally connect.
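The WPA/WPA2-Personal key entered above is the one secret shared by every client on the SSID. The following Python, added here as an illustration and not part of the Aerohive courseware, shows what a HiveAP and its clients do with that key: they derive the 256-bit PMK with PBKDF2-HMAC-SHA1, using the SSID as salt and 4096 iterations (IEEE 802.11i). It also shows why a captured 4-way handshake lets an attacker guess passphrases offline against exactly that derivation, why a unique SSID matters (it changes the salt), and how to generate a passphrase that no wordlist contains. The SSID Class-PSK-2 and the candidate list are constructed for the example.

```python
"""WPA/WPA2-Personal: passphrase -> PMK, offline guessing, strong passphrase generation.
Added example; not Aerohive code. SSID/candidate values are constructed for illustration."""
import hashlib
import hmac
import secrets
import string

PBKDF2_ITERATIONS = 4096  # fixed by IEEE 802.11i for passphrase-based PSK
PMK_LEN = 32              # 256-bit PMK


def validate_passphrase(passphrase):
    """Return None if the passphrase is a valid WPA/WPA2-Personal passphrase
    (8..63 printable ASCII characters), otherwise a short reason string.
    A 64-hex-digit string would be a raw PSK and is not handled here."""
    if not 8 <= len(passphrase) <= 63:
        return "length must be 8..63 characters"
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        return "only printable ASCII is allowed"
    return None


def derive_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, so the same passphrase yields a different PMK per SSID."""
    reason = validate_passphrase(passphrase)
    if reason:
        raise ValueError(reason)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def offline_guess(ssid, target_pmk, candidates):
    """Model of a dictionary attack on a captured 4-way handshake: every candidate
    costs one full PBKDF2 derivation (4096 HMAC-SHA1 rounds), and the handshake
    MIC lets the attacker confirm a hit exactly as the compare_digest does here.
    Returns the matching passphrase or None."""
    for guess in candidates:
        if validate_passphrase(guess) is not None:
            continue  # not a legal passphrase, so it cannot be the key
        if hmac.compare_digest(derive_pmk(guess, ssid), target_pmk):
            return guess
    return None


def generate_passphrase(length=20):
    """Random passphrase from a 62-symbol alphabet: about 5.95 bits per character,
    so the default 20 characters carry ~119 bits, far beyond any wordlist."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases are 8..63 characters")
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed classroom-style values: student 2's SSID and the course key.
    ssid, key = "Class-PSK-2", "aerohive123"
    pmk = derive_pmk(key, ssid)
    print("PMK:", pmk.hex())
    print("recovered:", offline_guess(ssid, pmk, ["password", "aerohive", key]))
    print("stronger:", generate_passphrase())
```

The classroom key is fine for a lab, but the cost model in offline_guess is the whole story for production: the only thing between a captured handshake and the network is how many candidates the attacker has to try.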

Lab: Create Base WLAN Policy

5. Create a User Profile for Employees

SSID / User Profile
- Name: Employee(10)-X
- Attribute Number: 10
- Default VLAN: 1
- Click Apply
- Ensure your user profile is selected
- Click Save to save the SSID

Lab: Create Base WLAN Policy

6. Add the SSID to the WLAN Policy

- WLAN Policy > SSID Profiles
- Select your SSID, Class-PSK-X, from the Available SSID Profiles list and use the right arrow button '>' to move it to the Selected SSID Profiles list
- Click Apply. Really, make sure you click Apply.
- Do not save the WLAN policy yet; go to the next slide

Note: The WLAN policy must be assigned to one or more HiveAPs for it to take effect

Lab: Create Base WLAN Policy

7. Create an NTP Server object

Configure the NTP server object to set the time zone and NTP server settings. This is important for any service that depends on time, such as VPN and RADIUS (which use certificates), schedules, Private PSK validity, and so on.

- From your WLAN policy, under Optional Settings, expand Management Server Settings
- Next to NTP Server, click +

Lab: Create Base WLAN Policy

8. Configure NTP Server Settings

- Name: Time-X
- Time Zone: <please use the time zone for the location of the class>
- Uncheck Sync clock with HiveManager
- NTP Server: pool.ntp.org
- Click Apply (did you click Apply?)
- Click Save

Lab: Create Base WLAN Policy

9. Save your WLAN Policy

Back in your WLAN policy:
- Ensure the NTP server is set to Time-X
- Click Save

Lab: Create Base WLAN Policy

10. Verify Your WLAN Policy

- After saving your WLAN policy, you can review the settings by looking at the columns for your WLAN policy: Hive, SSID Profiles
- When done, click Monitor to go to the list of HiveAPs
- Go to the next slide

Provision HiveAPs With Base WLAN Policy

Wireless VPN Lab: Network IP Summary

WLAN HQ (HiveAP VPN servers)
- VPN Server X-B-HiveAP, MGT0: 10.8.1.X/24, Gateway: 10.8.1.1
- Firewall NAT rules: public 1.1.1.X maps to 10.8.1.X (the VPN server); the firewall's own outside address is 2.2.2.2
- RADIUS: 10.8.1.200
- DHCP Server for VLAN 20: network 10.8.20.0/24, pool 10.8.20.150 - 10.8.20.200, gateway 10.8.20.1
- Client PC: 10.8.20.?/24, GW 10.8.20.1

WLAN Branch Office (HiveAP VPN clients)
- VPN Client X-A-HiveAP: 10.5.1.?, Gateway: 10.5.1.1

Tunnels
- Layer 3 IPsec VPN tunnels, outer IP headers: (10.5.1.?) NATed to 2.2.2.2 -> 1.1.1.X (1.1.1.2 in the diagram's example)
- Layer 2 GRE tunnels carried inside IPsec, IP headers: Tunnel0 10.8.1.X0 -> 10.8.1.X
- VPN client tunnel address pool (AP VPN 1): 10.8.1.X0 - 10.8.1.X9
- Addresses of clients behind the tunnel are learned through DHCP

Configure Your HiveAP-A (X-A-######)

Lab: Provision Two HiveAPs

1. Modify your HiveAP-A

- Click the Config radio button near the top of the screen to see the configuration view
- Note that HiveAPs are set to the default WLAN policy and Hive
- Select the check box next to your HiveAP X-A-###### and click Modify

Lab: Provision Two HiveAPs

2. Modify settings for your HiveAP-A

Configure the HiveAP settings and WLAN Policy:
- Location: <First-name_Last-name>
- For WLAN Policy select: WLAN-X
- Topology Map: ..Classroom
- Select: Use both radios for client access
- 2.4GHz (wifi0) Power: 1
- 5GHz (wifi1) Power: 1
- Click Save

Note: Because the APs are stacked on top of each other in a hosted rack and are connected via coax to the hosted PCs, please set the power level to 1. In a real deployment you can leave the power set to auto and ACSP will determine the appropriate power setting.

Configure Your HiveAP-B (X-B-######)

Lab: Provision Two HiveAPs

3. Select and Modify your HiveAP-B

- Verify the settings for your X-B-HiveAP by looking at the columns
- Select the check box next to your HiveAP X-B-###### and click Modify

Lab: Provision Two HiveAPs

4. Modify Settings for Your HiveAP-B

- Location: <First-name_Last-name>
- For WLAN Policy select: WLAN-X. Assigning your HiveAP to a WLAN policy is how the HiveAP inherits the majority of its configuration settings.
- Topology Map: ..Classroom
- Select: Use both radios for client access
- Do not save; go to the next slide

Lab: Provision Two HiveAPs

5. Set Power and Static IP Address for HiveAP-B

- 2.4GHz (wifi0) Power: 1
- 5GHz (wifi1) Power: 1
- This HiveAP will be a VPN server, so you need to give it a static IP address. Under [Optional Settings], expand Interface and Network Settings:
  Uncheck DHCP Client Enabled
  IP: 10.8.1.X
  Mask: 255.255.255.0
  Gateway: 10.8.1.1
- Click Save
- Go to the next slide

Lab: Provision Two HiveAPs

6. View configuration and monitor status

- Verify the settings for your X-B-HiveAP by looking at the columns
- You can click Monitor view to see that the HiveAPs and HiveManager are not in sync; the green square and red triangle icon shows that
- You can click the Host Name column header to sort the HiveAPs by hostname

For Your Information (Outside US): Set the Country Code for World Mode HiveAPs

Note: Please do not perform this in class unless told to do so by your instructor!

- Updating the country code on a HiveAP configures the radios to meet the government requirements of that country
- You can update the country by going to Monitor > Access Points > New HiveAPs
- Select all the HiveAPs
- Click Update... > Update Country Code
- Select the appropriate country code
- Click Upload

Lab: Provision Two HiveAPs

7. Update the Configuration on Your HiveAPs

- Select the check box next to your two HiveAPs
- Click Update > Upload and Activate Configuration

Lab: Provision Two HiveAPs

8. Set the Activation Time for Configuration Updates

- Go to Configuration > Guided Configuration
- Click Settings
- Change the activation time to: Activate after [ 5 ] Seconds. This is because mesh is not being used, so you do not have to worry about cutting off connectivity to a mesh HiveAP.
- Click the Save icon. These settings will remain for all subsequent uploads.
- Do not save anything else yet; go to the next slide

Lab: Provision Two HiveAPs

9. Update the Configuration on Your HiveAPs

- You can view the configuration that will be sent to the HiveAP if that interests you: right click the hostname of the HiveAP and select View Configuration. After reviewing, close the configuration window by clicking the [x].
- Click Upload to update the configuration on your HiveAPs
- Go to the next slide

Lab: Provision Two HiveAPs

10. View The HiveAP Update Results

- You will be taken to the results page so you can view the status of your update
- If you leave this screen, you can go back to it at Monitor > Access Points > HiveAP Update Results

Lab: Provision Two HiveAPs

11. Monitor HiveAP Status

- Go to Monitor > Access Points > HiveAPs
- Your HiveAP will have moved from the New HiveAPs list to the Managed HiveAPs list
- When the Audit column icon turns to two green squares and the Uptime changes back from 0, the first update is complete

Note: You can expand or collapse the New HiveAPs list by clicking its header

Test Access to SSID Used In Base WLAN Policy

Test Base WLAN Policy

SSID settings under test:
- SSID: Class-PSK-X
- Authentication: WPA or WPA2 Personal
- Encryption: TKIP or AES
- Preshared Key: aerohive123
- User Profile 1: Employee(10)-X
  Attribute: 10
  VLAN: 1
  IP Firewall: None
  QoS: def-user-qos

Lab topology:
- Hosted PC connects to SSID Class-PSK-X and should get IP 10.5.1.N/24 with gateway 10.5.1.1
- HiveAP Student-X: VLANs 1-20, Mgt0 IP 10.5.1.N/24 on VLAN 1, WLAN Policy: WLAN-X
- Internal network: AD Server 10.5.1.10; DHCP settings (VLAN 1): network 10.5.1.0/24, pool 10.5.1.140 - 10.5.1.240
- Internet via the gateway

Access Your Hosted Client PC

Using the web viewer (PC, Mac, or Linux)
- Browse to http://training-pcX.aerohive.com:5800
- Click Options, specify Encoding: Tight, click Close
- VNC Authentication: Password: aerohive
- Click OK

Access Your Hosted Client PC

Using the TightVNC application
- If you are using a Windows PC and you do not have Java installed, you can install the TightVNC client application
- TightVNC has good compression, so please use TightVNC for class instead of any other application
- Start TightVNC
- VNC Host: training-pcX.aerohive.com
- Click Connect
- Password: aerohive

If you are not logged in: Login to the Hosted PC

- Click the viewer's button to send a Ctrl-Alt-Delete
- Login: user
- Password: Aerohive1

Lab: Test Base WLAN Policy

1. Connect to the Class-PSK-X SSID

From the hosted PC:
- Double-click the wireless connection icon on the bottom right of the task bar
- Connect to your SSID: Class-PSK-X
- Passphrase / Network Key: aerohive123
- Click Connect

Lab: Test Base WLAN Policy

2. View the Active Clients List

- After associating with your SSID, you should see your connection in the active clients list in HiveManager
- Go to Monitor > Clients > Active Clients
- Your IP address should be from the 10.5.1.0/24 network
- To change the layout of the columns in the Active Clients list, click the icon with a pencil in it

Lab: Test Base WLAN Policy

3. Modify Columns in the Active Clients List

- For this class, add the User Profile Attribute, VLAN and BSSID columns
- Move them right after Channel in the Select Columns list
- Click Save
- You should now see:
  BSSID: <MAC address>
  User Profile Attribute: 10
  VLAN: 1

Using RADIUS for Authentication

Create SSID Using WPA/WPA2 Enterprise (802.1X)

LAB: Secure WLAN Access Test With 802.1X Diagram

Lab topology:
- HiveAP Student-X: VLANs 1-20, Mgt0 IP 10.5.1.N/24 on VLAN 1, WLAN Policy: WLAN-X
- AD (IAS-RADIUS) Server: 10.5.1.10
- DHCP settings (VLAN 1): network 10.5.1.0/24, pool 10.5.1.140 - 10.5.1.240
- DHCP settings (VLAN 10): network 10.5.10.0/24, pool 10.5.10.140 - 10.5.10.240
- Client connects to SSID Class-802.1X-X and should get IP 10.5.10.N/24 with gateway 10.5.10.1
- Internet via the gateway

SSID settings under test:
- SSID: Class-802.1X-X
- Authentication: WPA or WPA2 Enterprise (802.1X)
- Encryption: TKIP or AES
- User Profile 1: Employee(10)-X
  Attribute: 10 (RADIUS attribute returned)
  VLAN: 1
  IP FW From Access: FromClient-X (Default Deny)
  IP FW To Access: Employee-Default
- User Profile 2: Employees(1000) (the default profile, created by the instructor)
  Attribute: 1000 (no RADIUS attribute returned)
  VLAN: 10
  IP FW From Access: Employee-Default
  IP FW To Access: (Default Deny)

On Local RADIUS Server: Configuring RADIUS Clients

- For HiveAPs that are not VPN clients, set the RADIUS server to accept RADIUS messages from the MGT0 interface IP of all HiveAPs
- This class uses the 10.5.1.0/24 network as the RADIUS client range
- Click Next

On Local RADIUS Server: Configuring RADIUS Clients

- Set the shared secret that secures the communication between the HiveAPs and the RADIUS server
- This class uses: aerohive123

Note: For a real network, please use a longer, more secure key. The shared secret is the only thing that authenticates RADIUS messages between the AP and the server, and anyone who can capture that traffic can test guesses against the message authenticators offline.
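To make that note concrete, here is an added Python example (not Aerohive's code, and not the classroom IAS server) of the RFC 2865 and RFC 3579 mechanics the shared secret protects. The HiveAP's Access-Request carries the client's EAP-Message plus a Message-Authenticator, an HMAC-MD5 keyed with the secret over the whole packet; the server's reply carries a Response Authenticator, an MD5 over the reply, the request's authenticator and the secret. Each side discards messages whose authenticator does not verify, and the last function shows the offline guessing that one captured request allows. The NAS address 10.5.1.57, the identity AHDEMO\user and the candidate list are constructed for the example.

```python
"""RADIUS Access-Request / Access-Accept authentication with a shared secret
(RFC 2865 section 3, RFC 3579 section 3.2). Added example, not Aerohive code."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def _attr(attr_type, value):
    """One Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, ident, request_auth, user_name, nas_ip, eap_payload):
    """NAS (HiveAP) side. Message-Authenticator = HMAC-MD5(secret, whole packet with
    the 16 attribute bytes zeroed); it is mandatory when an EAP-Message is present."""
    attrs = (_attr(USER_NAME, user_name.encode())
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(EAP_MESSAGE, eap_payload)
             + _attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs)) + request_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # Message-Authenticator is the last attribute


def verify_message_authenticator(secret, pkt):
    """Server side: walk the attributes, zero the Message-Authenticator, recompute."""
    i = HEADER_LEN
    while i + 2 <= len(pkt):
        attr_type, length = pkt[i], pkt[i + 1]
        if length < 2 or i + length > len(pkt):
            return False  # malformed attribute
        if attr_type == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = pkt[:i + 2] + bytes(16) + pkt[i + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[i + 2:i + 18])
        i += length
    return False  # RFC 3579: a request with EAP but no Message-Authenticator is discarded


def build_response(secret, code, request_pkt, attrs=b""):
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, request_pkt[1], HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(head + request_pkt[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(secret, request_pkt, response_pkt):
    """NAS side: accept the reply only if the secret binds it to our request."""
    if len(response_pkt) < HEADER_LEN or response_pkt[1] != request_pkt[1]:
        return False
    head, resp_auth, attrs = response_pkt[:4], response_pkt[4:20], response_pkt[20:]
    expected = hashlib.md5(head + request_pkt[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def run_exchange(nas_secret, server_secret):
    """Full exchange. Returns the response code the NAS accepts, or None if either
    side discards the message because its authenticator does not verify."""
    identity = b"AHDEMO\\user"  # constructed EAP Response/Identity payload
    eap = struct.pack("!BBHB", 2, 1, 5 + len(identity), 1) + identity
    request = build_access_request(nas_secret, 0x2A, os.urandom(16), "user", "10.5.1.57", eap)
    if not verify_message_authenticator(server_secret, request):
        return None
    response = build_response(server_secret, ACCESS_ACCEPT, request)
    if not verify_response(nas_secret, request, response):
        return None
    return response[0]


def recover_secret(request_pkt, candidates):
    """What one captured Access-Request gives an attacker: an offline oracle for the
    secret. One HMAC-MD5 per guess is why a short secret like aerohive123 is weak."""
    for guess in candidates:
        if verify_message_authenticator(guess, request_pkt):
            return guess
    return None
```

Nothing in the exchange is encrypted; confidentiality of the EAP conversation comes from the EAP method (PEAP's TLS tunnel), and integrity of the RADIUS layer rests entirely on the length and randomness of the secret shared between the HiveAP MGT0 addresses and the server.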

LAB: Secure WLAN Access With 802.1X

1. Edit your WLAN Policy and Add an SSID Profile

An 802.1X capable SSID and its related settings are configured from your WLAN Policy.
- Go to Configuration > WLAN Policies
- Edit WLAN-X
- Under SSID Profiles, click Add/Remove SSID Profile
- Create a new SSID Profile: click +
- Go to the next slide

LAB: Secure WLAN Access With 802.1X

2. Configure the SSID and RADIUS Server

- Profile Name: Class-802.1X-X
- SSID: Class-802.1X-X
- SSID Access Security: select WPA/WPA2 802.1X (Enterprise)
- Next to RADIUS Server, click +
- Go to the next slide

LAB: Secure WLAN Access With 802.1X

3. Configure the RADIUS Server

Define the RADIUS server settings:
- Click the radio button for External RADIUS Server
- Profile Name: RADIUS-X
- Primary RADIUS Server: 10.5.1.10
- Shared Secret: aerohive123
- Confirm Secret: aerohive123
- Click Apply
- Go to the next slide

LAB: Secure WLAN Access With 802.1X

4. Configure the SSID with RADIUS and User Profiles

Back in your SSID configuration:
- Make sure your RADIUS server is selected: RADIUS-X
- Specify the user profile assigned if no attribute is returned from RADIUS after successful authentication: Employees(1000). Note: this user profile was created by the instructor.
- Specify the user profiles assigned via attributes returned from RADIUS after successful authentication: Employee(10)-X
- Save your SSID
- Go to the next slide

LAB: Secure WLAN Access With 802.1X

5. Remove the Existing SSID and Add the New SSID

- To clean up the air in the data center, remove all other SSID profiles from the Selected SSID Profiles list using the << button
- You should have no SSID profiles listed under the Selected SSID Profiles list
- From the Available SSID Profiles, select Class-802.1X-X and use the > button to move it to the Selected SSID Profiles list
- Click Apply. Please, please, please click Apply!
- Go to the next slide

LAB: Secure WLAN Access With 802.1X

6. Verify the Configuration and Save the WLAN Policy

- Verify your 802.1X SSID is listed under the SSID profiles and that your SSID is mapped to two different user profiles: Employees(1000) and Employee(10)-X
- Save your WLAN Policy
- From the WLAN policy summary you can verify that SSID Class-802.1X-X is assigned to your WLAN Policy

LAB: Secure WLAN Access With 802.1X

7. Update the delta configuration of your HiveAPs

- From Monitor > HiveAPs, select both of your HiveAPs: X-A-HiveAP and X-B-HiveAP
- Select Update... > Upload and Activate Configuration
- If you want to see the delta configuration, click the link for your HiveAP; close the View Configuration window after viewing the delta configuration changes
- Click Upload

Configuring and Testing Your 802.1X Supplicant

For Microsoft XP and Vista supplicants

Connect to the 802.1X SSID (First Attempt Will Fail)

On the remote hosted PC, from the Microsoft wireless client:
- Click Class-802.1X-X
- Click Connect

Note: The connection will fail because Windows XP defaults to Smart Card or Other Certificate (EAP-TLS) instead of PEAP. However, the SSID entry will be created, so all you have to do is modify it.
- Click Change Advanced Settings

Microsoft Wireless Network Client: 802.1X Supplicant Configuration

- View your Wireless Connections, then click Change advanced settings
- In the Wireless network properties window, change the EAP type to: Protected EAP (PEAP)
- Click OK

Note: In a production deployment, also configure the supplicant to validate the RADIUS server certificate (trusted CA and expected server name). Without that check, a PEAP client will complete the TLS tunnel with any AP and RADIUS server that claims the SSID and hand over the user's credentials.

SSID Should Now Be Connected

- Your client will automatically connect to the Class-802.1X-X SSID

View Active Clients

- After associating with your SSID, you should see your connection in the active clients list in HiveManager
- Go to Monitor > Clients > Active Clients
- User Name: AHDEMO\user
- BSSID: <the MAC address for your AP's SSID>
- VLAN: 1
- User Profile Attribute: 10

Example: Troubleshooting an Invalid User Profile Returned From RADIUS

- From Monitor > Access Points > HiveAPs (Monitor view), if you see an alarm when trying to perform 802.1X, click the alarm icon
- This alarm specifies that an attribute was returned from the RADIUS server that is not defined on the HiveAP; in this case, 50
- Select the check box next to the alarm and then click Clear

Generate HiveAP RADIUS Server Certificates

Required when HiveAPs are configured as RADIUS servers or VPN servers

LAB: Generate a Root CA Certificate for HiveManager (Instructor Only)

- Go to Configuration > Advanced Configuration > Keys and Certificates > HiveManager
- Fill in the requested information and choose a secure password
- Click Create
- Remember this password

HiveManager Root CA Certificate: Location and Uses

- To view certificates, go to Configuration > Advanced Configuration > Keys and Certificates > Certificate Mgmt
- This root CA certificate is used to:
  Sign the CSR (certificate signing request) that HiveManager creates on behalf of the AP acting as a RADIUS or VPN server
  Validate HiveAP certificates to remote clients
- 802.1X clients (supplicants) will need a copy of the CA certificate in order to trust the certificates on the HiveAP RADIUS server(s)
- Root CA cert name: "AerohiveHMCA.pem"
- Root CA key name: hm_key.pem

Note: the CA private key (hm_key.pem) and its password must be protected. Anyone holding them can issue a server certificate that every supplicant trusting AerohiveHMCA.pem will accept.

LAB: HiveAP Server Certificate and Key

1. Generate the HiveAP Server Certificate

- Go to Configuration > Advanced Configuration > Keys and Certificates > Server CSR
- Common Name: HiveAP-Server-X. Note: this is usually the FQDN of the HiveAP.
- Organizational Name: Company
- Organization Unit: Department
- Locality Name: City
- State/Province: <2 characters>
- Country Code: <2 characters>
- Email Address: student-X@ahdemo.com
- Subject Alternative Name: <leave empty>. Note: this is used if you want to generate unique certificates for each HiveAP VPN server and have HiveAP VPN clients validate one of these fields.
- Key Size: 1024. Note: 1024-bit RSA is used here only for the classroom; for production use at least 2048 bits, since 1024-bit RSA is no longer considered adequate.
- Password & Confirm: aerohive123
- CSR File Name: HiveAP-X
- Click Create
- Remember the password

LAB: HiveAP Server Certificate and Key

2. Sign and Combine!

- Select Sign by HiveManager CA: the HiveManager CA will sign the HiveAP server certificate
- The validity period should be the same as or less than the number of days the HiveManager CA certificate is valid
- Validity: 1826 (5 years + leap day)
- Check Combine key and certificate into one file. Enabling this setting helps prevent certificate and key mismatches when configuring the RADIUS settings.
- Click OK

LAB: HiveAP Server Certificate and Key

3. View the HiveAP Certificate and Key File

- To view certificates, go to Configuration > Advanced Configuration > Keys and Certificates > Certificate Mgmt
- The certificate and key file name is: HiveAP-X_key_cert.pem

Note: because this combined file contains the server's private key, treat it as a secret when exporting or copying it.

Wireless VPN

Using HiveAPs as IPsec VPN Clients and IPsec VPN Servers to Provide VPN Connections for Wireless LANs

Version 3.5r1

Wireless VPN Overview (for your reading pleasure)

Aerohive's Wireless VPN delivers a simple and cost effective solution for mobile workers in remote locations like branch offices, teleworker home offices, and conference centers to securely access corporate resources through a layer 2 VPN carried over IPsec. Built upon Aerohive's cooperative control architecture, the wireless VPN is implemented on a highly resilient architecture utilizing best path forwarding, policy enforcement at the edge with user-based QoS and firewall policy, and branch office services including DHCP and RADIUS, all centrally managed using HiveManager, Aerohive's WLAN management platform.

Aerohive's Wireless VPN solution allows workers in remote offices using wireless or Ethernet connected laptops, desktops, and phones to directly access their corporate network through a secure layer 2 VPN over IPsec. This gives workers access to resources as if they were physically attached to the corporate network, while still having direct access to local branch or home office devices, like printers and file servers, that may or may not be corporate resources. This is made possible with best path forwarding, split tunneling, and NAT technology. To protect corporate resources, stations attached to the branch office that do not meet the policy specifications for the VPN are not able to access the corporate network or locally attached corporate devices.

Wireless VPN Benefits (for your reading pleasure)

Easy to Use
- The L2 over IPsec VPN solution simplifies deployment, because it extends the local network across the VPN without the need to dedicate subnets for each remote site and set up DHCP relays on branch routers or firewalls
- Automatic certificate creation and distribution for validating VPN devices
- Profile-based split tunneling: users and services can be bridged locally or tunneled based on user profile

Flexible
- Single mode of operation supports all deployments
- Supported in all HiveAP platforms, with hardware acceleration in the 300 series
- Multiple end point support
- Backup VPN gateway support
- Distributed Wireless VPN tunnel termination

Complete Functionality
- Multiple AP support with secure and fast roaming
- Mesh Portals and Mesh Points supported
- RADIUS, DHCP, NTLM, LDAP and NTP can selectively go to the local or the remote network
- Rogue AP and rogue client detection, DoS prevention, firewall, and QoS all occur locally on the remote HiveAP

Economical
- No license fees for wireless VPN, or any of the other features on the HiveAPs
- For the cost of an AP, you get wireless VPN servers

Teleworker Home Office

Headquarters
- HiveAP1 VPN Server and HiveAP2 VPN Server in the DMZ
- DHCP Server
- Corporate Wi-Fi Devices: VLAN 10, 10.5.10.0/24
- Corporate Wi-Fi Voice: VLAN 11, 10.5.11.0/24

Teleworker Home Office
- HiveAP 5, VPN Client, 192.168.1.2
- Internet provider gateway, 192.168.1.1
- Work Laptop, SSID Corp, 10.5.10.51 (tunneled to headquarters)
- Work Phone, SSID Voice, 10.5.11.33 (tunneled to headquarters)
- Home PC with printer, 192.168.1.5 (local)
- Home Laptop, SSID Home, 192.168.1.6 (local)

IPsec primary and backup VPN tunnels run across the Internet from the home office HiveAP to the two headquarters VPN servers.

Branch Office VPN with Bridging

Headquarters
- HiveAP1 VPN Server and HiveAP2 VPN Server in the DMZ
- DHCP Server
- Corporate Wi-Fi Devices: VLAN 10, 10.5.10.0/24
- Corporate Wi-Fi Voice: VLAN 11, 10.5.11.0/24
- Phone, SSID Voice, 10.5.11.33

Branch Office
- HiveAP3, VPN Client, 192.168.1.5
- HiveAP4, VPN Client, 192.168.1.6
- Gateway, 192.168.1.1
- Wireless: Laptop, SSID Corp, 10.5.10.12; Phone, 10.5.11.5; Guest Laptop, SSID Guest, 192.168.1.50 (local)
- Wired, bridged through the HiveAPs: Printer, 10.5.10.11; Desktop, 10.5.10.10

IPsec primary and backup VPN tunnels run across the Internet from the branch HiveAPs to the two headquarters VPN servers.

Create VPN Services Policy

Wireless VPN Lab: Lab Network Diagram

Configure two HiveAPs:
- HiveAP-A will be a VPN client
- HiveAP-B will be a VPN server

HiveAP-A (VPN Client)
- Hostname: X-A-<6 digits of MAC>
- Hive: Hive-X
- Interface mgt0: 10.5.1.<DHCP>/24, VLAN 1
- Interface tunnel0: 10.8.1.X0
- WLAN Policy: WLAN-X

HiveAP-B (VPN Server)
- Hostname: X-B-<6 digits of MAC>
- Hive: Hive-X
- Interface mgt0: 10.8.1.X/24, VLAN 1
- VPN IP Pool: 10.8.1.X0 - 10.8.1.X9
- WLAN Policy: WLAN-X

Firewall between the sites (outside 2.2.2.2 / 1.1.1.1)
- NAT Policy: 1.1.1.X -> 10.8.1.X
- NAPT Policy: ANY -> 2.2.2.2

HQ servers
- AD 10.8.1.200 on VLAN 1
- WEB 10.8.20.150 on VLAN 20

Wireless VPN Labs: Network IP Summary

WLAN Branch Office (HiveAP VPN Clients)
  VPN Client: X-A-HiveAP, MGT0 10.5.1.?/24 (address learned through DHCP)
  Gateway: 10.5.1.1
  FW (NAT): 2.2.2.2
  Tunnel0: 10.8.1.X0

WLAN HQ (HiveAP VPN Servers)
  VPN Server: X-B-HiveAP, MGT0 10.8.1.X/24
  Gateway: 10.8.1.1
  Firewall NAT Rules: 1.1.1.X -> 10.8.1.X
  RADIUS: 10.8.1.200
  DHCP Server VLAN 20: Net 10.8.20.0/24, Pool 10.8.20.150 - 10.8.20.200, Gateway 10.8.20.1
  Client PC: 10.8.20.?/24, GW 10.8.20.1

Layer 3 IPsec VPN Tunnels - IP Headers: (10.5.1.?) 2.2.2.2 <-> 1.1.1.2
Layer 2 GRE Tunnels - IP Headers: Tunnel0 10.8.1.X0 <-> 10.8.1.X
VPN Client Tunnel Address Pool: AP VPN 1: 10.8.1.X0 - 10.8.1.X9

LAB: Create VPN Services Policy

1. Create VPN Policy
- Modify your WLAN Policy: Configuration > WLAN Policies > WLAN-X
- | Optional Settings | > VPN Service Settings
- VPN Service: click + to create a new VPN services policy
- Go to Next Slide

LAB: Create VPN Services Policy

2. Define Name and IP Settings
- Profile Name: VPN-X
- Server Public IP: 1.1.1.X
- Server MGT0 IP Address: 10.8.1.X
- VPN Client Tunnel Interface Pool:
  Note: It is recommended that the pool is in the same subnet as the MGT0 interface of the HiveAP VPN server. This pool is used for GRE tunnel IP addresses on HiveAP VPN clients.
  - Client Tunnel IP Address Pool Start: 10.8.1.X0
  - Client Tunnel IP Address Pool End: 10.8.1.X9
  - Client Tunnel IP Address Netmask: 255.255.255.0
- Go to Next Slide

LAB: Create VPN Services Policy

3. Assign VPN Certificates for VPN Server
- IPsec VPN Certification Authority Settings:
  - VPN Certificate Authority: AerohiveHMCA.pem
  - VPN Certificate: HiveAP-X_key_cert.pem
  - VPN Cert Private Key: HiveAP-X_key_cert.pem
- Optional Settings
  - VPN Client Credentials: These are VPN XAUTH credentials that get generated automatically. A unique credential gets created for each tunnel interface IP address in the tunnel interface address pool.
  - Nothing needs to be done here
- Go to Next Slide

LAB: Create VPN Services Policy

How XAUTH Credentials are Used
- The default IKE peer authentication method for the wireless VPN is "hybrid"
- In hybrid mode:
  - The VPN server authenticates itself to the client with an RSA signature, which requires the server to have a server certificate, and the client must have the root CA certificate that signed the server certificate so it can validate the server
  - The server authenticates the client using XAUTH
- HiveManager generates a set of credentials (random strings for username and password) for each HiveAP VPN client and HiveAP VPN server pair
  - When the VPN client uses valid credentials to authenticate with the VPN server, the tunnel can be established
  - If the credentials are removed from either the VPN client or VPN server, the tunnel cannot be established
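The two slides above describe the tunnel interface pool (step 2) and the per-address XAUTH credentials that HiveManager derives from it. The following is an added illustration, not Aerohive code and not how HiveManager stores credentials internally: it enumerates a pool, enforces the recommendation that the pool sits in the VPN server's MGT0 subnet, generates one random username/password pair per tunnel address, performs the server-side XAUTH check with a constant-time comparison, and shows that revoking a credential (the lost-or-stolen AP case covered later in the deck) closes that client's access. The lab's value X is assumed to be 3 here, and the credential lengths are assumptions.

```python
import hmac
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class XauthCredential:
    username: str
    password: str


def tunnel_pool(server_mgt0: str, netmask: str, pool_start: str, pool_end: str) -> List[str]:
    """Enumerate the client tunnel interface pool and enforce the slide's
    recommendation that it lies inside the VPN server's MGT0 subnet."""
    subnet = ipaddress.ip_network(f"{server_mgt0}/{netmask}", strict=False)
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    if start > end:
        raise ValueError("pool start must not be above pool end")
    if start not in subnet or end not in subnet:
        raise ValueError("tunnel pool is outside the VPN server's MGT0 subnet")
    if start <= ipaddress.ip_address(server_mgt0) <= end:
        raise ValueError("tunnel pool overlaps the VPN server's own MGT0 address")
    return [str(ipaddress.ip_address(n)) for n in range(int(start), int(end) + 1)]


def pool_is_valid(server_mgt0: str, netmask: str, pool_start: str, pool_end: str) -> bool:
    try:
        tunnel_pool(server_mgt0, netmask, pool_start, pool_end)
        return True
    except ValueError:
        return False


def generate_credentials(pool: List[str]) -> Dict[str, XauthCredential]:
    """One random username/password pair per tunnel address, mirroring the
    slide's statement that a unique credential exists per pool address.
    Lengths are an assumption for this example."""
    return {ip: XauthCredential(secrets.token_hex(8), secrets.token_urlsafe(24)) for ip in pool}


def xauth_authenticate(store: Dict[str, XauthCredential], username: str, password: str) -> Optional[str]:
    """Server-side XAUTH check: returns the tunnel address bound to the
    credential, or None. Both fields are compared in constant time and every
    entry is visited, so timing does not reveal which field or which pool
    slot was wrong."""
    matched = None
    for ip, cred in store.items():
        ok_user = hmac.compare_digest(cred.username.encode(), username.encode())
        ok_pass = hmac.compare_digest(cred.password.encode(), password.encode())
        if ok_user and ok_pass:
            matched = ip
    return matched


def revoke_credential(store: Dict[str, XauthCredential], tunnel_ip: str) -> bool:
    """Remove one client's credential; after this the tunnel for that
    address can no longer be established, as the slide describes."""
    return store.pop(tunnel_ip, None) is not None


if __name__ == "__main__":
    # Constructed lab values with X = 3: server MGT0 10.8.1.3, pool 10.8.1.30-39.
    pool = tunnel_pool("10.8.1.3", "255.255.255.0", "10.8.1.30", "10.8.1.39")
    store = generate_credentials(pool)
    cred = store["10.8.1.35"]
    print("valid login maps to", xauth_authenticate(store, cred.username, cred.password))
    revoke_credential(store, "10.8.1.35")
    print("after revocation:", xauth_authenticate(store, cred.username, cred.password))
```

Pushing the edited credential list to the VPN server, as the deck describes, is the operational equivalent of `revoke_credential`: the client still holds its old username/password, but the server no longer has an entry to match it against.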

LAB: Create VPN Services Policy

4. View Advanced Server Options
- Expand Advanced Server Options
- No changes are necessary for the following options:
  - | IKE Phase 1 Options |
  - | IKE Phase 2 Options |
  - Enable peer IKE ID validation
- Go to Next Slide

LAB: Create VPN Services Policy

5. Configure Advanced Client Options
- Expand Advanced Client Options
- Set HiveAP VPN Client to use DNS Server through tunnel: 10.5.1.10
- | Management Traffic Tunnel Options |
  - Determine which traffic from the HiveAP to send through the tunnel:
    - SNMP Traps
    - RADIUS
  - Note: Set these so that RADIUS messages and SNMP traps generated from the HiveAP VPN clients are sent through the VPN tunnel to the servers on the HQ network
- | Client IKE Settings |
  - Check Enable NAT traversal: adds a UDP header with port 4500 to the IPsec packets
- Go to Next Slide

For Redundancy: Dead Peer Detection and AMRP Heartbeat Settings
- Used for switching between HiveAP VPN Server 1 and HiveAP VPN Server 2 upon failure

DPD verifies IKE Phase 1
- Send a heartbeat every 10 seconds (by default)
- If you miss one heartbeat, send at the Retry Interval instead of at the normal Interval setting
- If you miss the number of retries specified, fail over to the backup VPN server

AMRP verifies end to end through the GRE and VPN tunnel
- Send a heartbeat every 10 seconds (by default)
- If you miss one heartbeat, send at 1-second intervals instead of at the normal Interval setting
- If you miss the number of retries specified, fail over to the backup VPN server

Default DPD failover time: ~16 seconds
Default AMRP failover time: ~21 seconds
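To make the heartbeat/retry/failover logic on the slide concrete, here is an added simulation (example code, not HiveOS's implementation). It walks the probe schedule against a constructed peer outage and reports when a monitor with the slide's semantics would fail over. The slide gives only the 10-second interval and the ~16 s / ~21 s default failover times; the retry interval and retry count used below are assumptions chosen so that the worst case lands on those numbers, not HiveManager's actual default values.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class HeartbeatMonitor:
    name: str
    interval: float        # seconds between heartbeats while the peer answers
    retry_interval: float  # seconds between probes once a heartbeat is missed
    retries: int           # consecutive missed retries that trigger failover

    def worst_case_failover(self) -> float:
        """Peer dies just after answering: a full interval passes before the
        first miss, then every retry also goes unanswered."""
        return self.interval + self.retries * self.retry_interval


# Assumed parameters (see lead-in): the slide states the 10 s interval and the
# approximate default failover times, not the retry settings behind them.
DPD = HeartbeatMonitor("DPD (IKE phase 1)", interval=10, retry_interval=2, retries=3)
AMRP = HeartbeatMonitor("AMRP (end to end through GRE)", interval=10, retry_interval=1, retries=11)


def time_to_failover(monitor: HeartbeatMonitor,
                     peer_answers: Callable[[float], bool],
                     horizon: float) -> Optional[float]:
    """Walk the heartbeat schedule from t=0. Returns the time at which the
    monitor fails over to the backup VPN server, or None if the peer kept
    answering within the horizon. A miss followed by an answered retry
    resets the count, so a short glitch does not cause failover."""
    t = 0.0
    missed = 0
    while t <= horizon:
        if peer_answers(t):
            missed = 0
            t += monitor.interval
        else:
            missed += 1
            if missed > monitor.retries:
                return t
            t += monitor.retry_interval
    return None


def outage(start: float, end: Optional[float] = None) -> Callable[[float], bool]:
    """Constructed peer behaviour: no replies from `start` until `end`
    (forever if `end` is None)."""
    return lambda t: not (t >= start and (end is None or t < end))


if __name__ == "__main__":
    for mon in (DPD, AMRP):
        print(f"{mon.name}: worst case {mon.worst_case_failover():.0f} s, "
              f"peer dies at t=5 -> failover at {time_to_failover(mon, outage(5), 120)} s")
    print("DPD, 2 s glitch at t=9.5:", time_to_failover(DPD, outage(9.5, 11.5), 120))
```

The glitch case is the one to keep in mind when tuning: shortening the retry interval or retry count speeds up failover on the slide's numbers, but it also turns brief packet loss on the WAN into a tunnel flap between the two VPN servers.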

LAB: Create VPN Services Policy

6. Save VPN Services Policy
- Save the VPN Service Settings

LAB: Create VPN Services Policy

7. Modify SSID to Add New User VPN Policy
- Back in your WLAN Policy, ensure your VPN Service Policy is set to VPN-X
- Do not save your WLAN policy at this time
- Go to the next slide

Configure 802.1X SSID for Wireless VPN Access

Wireless VPN Labs: Network IP Summary

WLAN Branch Office (HiveAP VPN Clients)
  VPN Client: X-A-HiveAP, MGT0 10.5.1.?/24 (address learned through DHCP)
  Gateway: 10.5.1.1
  FW (NAT): 2.2.2.2
  Tunnel Interface: 10.8.1.X0

WLAN HQ (HiveAP VPN Servers)
  VPN Server: X-B-HiveAP, MGT0 10.8.1.X/24
  Gateway: 10.8.1.1
  Firewall NAT Rules: 1.1.1.X -> 10.8.1.X
  RADIUS: 10.8.1.200
  DHCP Server VLAN 20: Net 10.8.20.0/24, Pool 10.8.20.150 - 10.8.20.200, Gateway 10.8.20.1
  Client PC: 10.8.20.?/24, GW 10.8.20.1

Layer 3 IPsec VPN Tunnels - IP Headers: (10.5.1.?) 2.2.2.2 <-> 1.1.1.X
Layer 2 GRE Tunnels - IP Headers: Tunnel0 10.8.1.X0 <-> 10.8.1.X
VPN Client Tunnel Address Pool: AP VPN 1: 10.8.1.X0 - 10.8.1.X9

Tunnel Traffic Header Overview

Diagram: a wireless client at the Branch Office talks to a corporate server at Corporate Headquarters through HiveAP 1 (VPN Client, MGT0 10.5.1.100, Tunnel0 10.8.1.50) and the HiveAP VPN Server (MGT0 10.8.1.2). The branch firewall has public IP 2.2.2.2 (NAPT: ANY -> 2.2.2.2). The HQ firewall has public IP 1.1.1.2 and NATs it to the server's MGT0 (before NAT 1.1.1.2, after NAT 10.8.1.2). Steps 1-8 in the diagram follow the packet from the wireless client to the corporate server and back.

Header stack, outermost first:
- Outer IP: AP private IP 10.5.1.100 -> FW public IP 1.1.1.2; after NAPT at the branch the source becomes 2.2.2.2; at HQ the destination is NATed from 1.1.1.2 to 10.8.1.2
- NAT Traversal: UDP, source and destination port 4500 (the source port changes with NAPT)
- IPsec (ESP) tunnel: encrypts the GRE and client traffic
- GRE tunnel: Tunnel0 10.8.1.50 -> MGT0 10.8.1.2, encapsulates the client's Layer 2 traffic
- Layer 2 client data: VLAN tag 20; wireless client MAC 0022.22aa.aa22, IP 10.8.20.50 <-> corporate server MAC 0011.11bb.bb11, IP 10.8.20.150

Instructor Only: On Local RADIUS Server

Configuring HiveAP RADIUS Clients
- For HiveAPs that are VPN clients, set the RADIUS server to accept RADIUS messages from the tunnel IP address pool set up on the HiveAP VPN server to assign to HiveAP VPN clients
- For this class, the tunnel IP pool assigned to HiveAP VPN clients is: 10.8.1.0/24
- Click Next
- Set the shared secret to secure the communication between the HiveAPs and the RADIUS server
- For this class use: aerohive123
- Click Finish
- Note: For a real network, please use a more secure key

LAB: Configure SSID for Wireless VPN

1. Create New RADIUS Server Object for SSID
- Configure a new RADIUS server for your SSID that is accessible through the VPN
- From inside your WLAN policy, click the link to modify your SSID: Class-802.1X-X

LAB: Configure SSID for Wireless VPN

2. Configure RADIUS Server Object
- Define RADIUS Server Settings for use with wireless clients through the VPN
- Next to RADIUS Server, click +
- Click the radio button for External RADIUS Server
- Profile Name: RADIUS-VPN-X
- Primary RADIUS Server: 10.8.1.200
- Shared Secret: aerohive123
- Confirm Secret: aerohive123
- Click Apply to save the new RADIUS object
- Do not save, go to next slide

LAB: Configure SSID for Wireless VPN

3. Modify Employee User Profile
- Select the Employee(10)-X user profile from the Selected user profile list
- Click the Modify icon

LAB: Create VPN Services Policy

4. Change VLAN and Add VPN Settings
- Set the User Profile to use the VPN and a new VLAN
- Assign the Default VLAN: 20
- | Optional Settings |
  - Expand GRE or VPN Tunnels
  - Select: VPN tunnel for client traffic
  - | Split Tunnel |
    - Select Split Tunnel with NAT to Local Subnet and Internet
- Click Save

LAB: Configure SSID for Wireless VPN

5. Save your SSID
- Save your SSID

Split Tunnel Firewall Policy Automatically Created
- When you select the option to use split tunnel to local subnet and Internet, the following policy gets created on the HiveAP
- The following policy will not be displayed in HiveManager

From Access Firewall Policy

Source IP    Destination IP    Service       Action
0.0.0.0/0    0.0.0.0/0         DHCP-Server   Permit (tunnel)
0.0.0.0/0    10.5.1.0/24       Any           NAT
0.0.0.0/0    10.0.0.0/8        Any           Permit (tunnel)
0.0.0.0/0    172.16.0.0/12     Any           Permit (tunnel)
0.0.0.0/0    192.168.0.0/16    Any           Permit (tunnel)
0.0.0.0/0    0.0.0.0/0         Any           NAT

Note: by default there is no To Access firewall policy, so if you want traffic to be initiated from HQ to the wireless clients through the VPN, you will need to create a To Access policy that permits access
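The table above is only useful if you read it as an ordered, first-match list: the local-subnet NAT rule sits inside 10.0.0.0/8, so it must precede the RFC 1918 tunnel rules or local branch traffic would be sent into the tunnel. The following added example (not HiveOS code, and not how the AP stores its policy) rebuilds the slide's policy with the local subnet as a parameter and evaluates constructed flows against it, including a deliberately misordered copy to show why the order matters.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class FirewallRule:
    source: str
    destination: str
    service: str     # "Any" or a named service such as "DHCP-Server"
    action: str      # "Permit (tunnel)" or "NAT"


def split_tunnel_policy(local_subnet: str) -> List[FirewallRule]:
    """The From Access policy the slide shows being generated for
    'Split Tunnel with NAT to Local Subnet and Internet'. Only the local
    subnet (10.5.1.0/24 in the lab) varies per branch."""
    return [
        FirewallRule("0.0.0.0/0", "0.0.0.0/0", "DHCP-Server", "Permit (tunnel)"),
        FirewallRule("0.0.0.0/0", local_subnet, "Any", "NAT"),
        FirewallRule("0.0.0.0/0", "10.0.0.0/8", "Any", "Permit (tunnel)"),
        FirewallRule("0.0.0.0/0", "172.16.0.0/12", "Any", "Permit (tunnel)"),
        FirewallRule("0.0.0.0/0", "192.168.0.0/16", "Any", "Permit (tunnel)"),
        FirewallRule("0.0.0.0/0", "0.0.0.0/0", "Any", "NAT"),
    ]


def evaluate(policy: List[FirewallRule], src_ip: str, dst_ip: str, service: str = "Any") -> str:
    """First match wins, top to bottom. A rule with service 'Any' matches
    every service; a named service rule matches only that service."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in policy:
        if (src in ipaddress.ip_network(rule.source)
                and dst in ipaddress.ip_network(rule.destination)
                and rule.service in ("Any", service)):
            return rule.action
    return "Deny"   # not reachable with the policy above: the last rule matches everything


def classify_flows(policy: List[FirewallRule],
                   flows: Iterable[Tuple[str, str, str]]) -> Dict[Tuple[str, str, str], str]:
    """Apply the policy to (src, dst, service) flows and return the action per flow."""
    return {flow: evaluate(policy, *flow) for flow in flows}


def misordered(policy: List[FirewallRule]) -> List[FirewallRule]:
    """Same rules with the local-subnet NAT rule moved below the 10.0.0.0/8 rule."""
    return [policy[0], policy[2], policy[1]] + policy[3:]


if __name__ == "__main__":
    # Constructed flows from a wireless client (10.8.20.50, VLAN 20 through the tunnel).
    flows = [
        ("10.8.20.50", "10.8.20.150", "tcp/80"),       # corporate web server at HQ
        ("10.8.20.50", "10.5.1.1", "icmp"),            # branch gateway, local subnet
        ("10.8.20.50", "8.8.8.8", "udp/53"),           # Internet
        ("0.0.0.0", "255.255.255.255", "DHCP-Server"), # DHCP discover before any address
    ]
    for flow, action in classify_flows(split_tunnel_policy("10.5.1.0/24"), flows).items():
        print(flow, "->", action)
```

With the correct order, HQ and other private destinations go through the tunnel, the branch's own subnet and the Internet are NATed locally, and DHCP is tunnelled so the client receives its VLAN 20 address from the HQ DHCP server. The deck's note about the missing To Access policy is the other half of this: nothing here permits HQ-initiated connections toward the wireless clients.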

LAB: Create VPN Services Policy

6. Verify VPN Settings and Save WLAN Policy
- Back in the WLAN Policy, expand VPN Service Settings
- Ensure the Employee(10)-X user profile is set to use VPN Tunnel and that it is set to Yes for Split Local Traffic (Split Tunnel)
- Click Save

Configuring HiveAPs to be VPN Clients and VPN Servers

HiveAP VPN Roles and Updating the Configuration

LAB: Assign HiveAPs to VPN Roles

1. Modify Your HiveAP-A and Make It a VPN Client
- From Monitor > HiveAPs
- Modify your HiveAP-A: X-A-######
- | Optional Settings |
  - Expand Services Settings
  - VPN Service Role: Client
- Click Save

LAB: Assign HiveAPs to VPN Roles

2. Modify Your HiveAP-B and Make It a VPN Server
- From Monitor > HiveAPs
- Modify your HiveAP-B: X-B-######
- | Optional Settings |
  - Expand SSID Allocation
  - (Optional) Clear the check boxes to disable the SSIDs on this HiveAP VPN server
  - Expand Services Settings
  - VPN Service Role: Server
- Click Save

LAB: Assign HiveAPs to VPN Roles

3. Verify HiveAP Roles
- You will now see icons specifying whether the HiveAP is a VPN client or a VPN server
- The up and down arrows next to the keys are red when the VPN is not established
- The VPN will be established after updating the configuration of the HiveAPs

LAB: Assign HiveAPs to VPN Roles

4. Update Delta Configuration and VPN Certs
- From Monitor > HiveAPs
- Select both of your HiveAPs:
  - X-A-HiveAP
  - X-B-HiveAP
- Select Update... > Upload and Activate Configuration
- If you want to see the delta configuration, click the HiveAP link for your HiveAP
- Close the View Configuration window after viewing the delta configuration changes
- Click Upload

LAB: Assign HiveAPs to VPN Roles

5. View Update Results
- After a successful update, you can move your mouse over the Description to see what was updated
- Here you should see that the VPN Certificates and Keys and the Configuration have been updated

LAB: Assign HiveAPs to VPN Roles

6. Monitor Status of VPN HiveAPs
- From Monitor > HiveAPs you can see that the VPN is up because the up and down arrows are green

LAB: Assign HiveAPs to VPN Roles

7. HiveAP VPN Diagnostics
- View VPN Tunnel Diagnostic Commands
- Select one of the VPN HiveAPs: X-A-HiveAP
- Click Tools > Diagnostics > Show IPsec SA
- Note: It is clear to see that a VPN is functional if you see the tunnel from the MGT0 IP of the VPN client to the (NAT) address of the MGT0 of the VPN server, and the reverse. Both use different SAs (Security Associations)
- State: Mature

Diagnostics: Show IKE Event
- Click Tools > Diagnostics > Show IKE Event
- If you see that phase 1 failed due to a certificate problem:
  - Check the time on the HiveAPs (show clock, show time)
  - Ensure you have the correct certificates loaded on the HiveAPs in the VPN services policy

LAB: Assign HiveAPs to VPN Roles

8. HiveAP VPN Topology
- You can view the VPN topology by going to: Configuration > Advanced Configuration > Security Policies > VPN Services
- Click View for your VPN
- If you move your mouse over the HiveAP icons you can see how long the tunnel has been established
- If the icons are green, the tunnel is established
- If the icons are red, the tunnel is down

VPN Topology Example
- Here is an example of a VPN topology with 12 HiveAP VPN clients and two HiveAP VPN servers for tunnel load sharing and redundancy

Testing Your VPN Access with an 802.1X Client (Supplicant) Using Microsoft XP

If Your Remote PC Is Connected From the Previous Lab
- Note: If you have not set up your 802.1X supplicant on the hosted client PC, please refer to the 802.1X section earlier in this training
- Disconnect from: Class-802.1X-X
- Then reconnect to: Class-802.1X-X
- Make sure you can connect

Verify Status of Wireless Client and VPN Connection from PC
- Once your wireless client is connected to Class-802.1X-X, verify your IP address by opening a command prompt and typing: ipconfig /all
- If the Ethernet adapter Wireless Network Connection is set to 10.8.20.N, then you are connected through the tunnel to VLAN 20
- Great Job!!!

Test Your Hosted PC's VPN Connection
- From your hosted PC, open a browser and connect to: http://10.8.20.150
- If this works, your hosted PC is going through the VPN on VLAN 20

Check Status of Wireless Client
- From Monitor > Clients > Active Clients
- Locate the client on the remote hosted PC, and see if it is connected with a 10.8.20.N IP address

To View the XAUTH Credentials
- Go to Configuration > Advanced Configuration > Security Policies > VPN Services
- XAUTH credentials are automatically assigned to HiveAP VPN clients that are assigned to this VPN services policy
- If an AP gets lost or stolen, you can remove the credential and push the configuration to the HiveAP VPN server
  - That will prevent the VPN client from building a tunnel to the VPN server
- You can also generate new credentials and push them out to the HiveAP VPN servers and clients

VPN Lab Clean-up

Please remove the VPN tunnel configuration from the Employee(10) User Profile and change the VLAN before continuing to the next labs

Lab: VPN Lab Cleanup

1. Change VLAN and Disable Tunnel
- From Configuration > User Profiles
- Select your Employee(10)-X user profile
- Set the default VLAN to: 10
- Under Optional Settings > GRE or VPN Tunnels, set the option for: No tunnel
- Click Save
- Note: We do not need to update the configuration at this time. You will update the configuration in the next lab.

Lab: VPN Lab Cleanup

2. Remove Tunnel Roles from HiveAPs
- From Monitor > Access Points > HiveAPs
- Select the check box next to both of your HiveAPs:
  - X-A-######
  - X-B-######
- Set VPN Service Role: None
- Click Save

HiveAP Classification Examples

To simplify the WLAN policy configuration when different settings for HiveAPs are needed at different locations

Question: How do you define a single WLAN policy, but configure different settings?
- For example, in the WLAN policy, you can only define one MGT interface VLAN
- But if the HiveAPs are in different networks with different MGT0 VLANs, what can you do?

Diagram: a Router connects two L2 switches, one in DMZ-X and one in Area-X

HiveAP Device Settings (Area-X)
  Interface mgt0: 10.5.2.?
  Classification Tag: Area-1
  WLAN Policy: WLAN-X
  MGT0 VLAN: 2

HiveAP Device Settings (DMZ-X)
  Interface mgt0: 10.8.1.X
  Classification Tag: DMZ
  WLAN Policy: WLAN-X
  MGT0 VLAN: 1

Answer: HiveAP Classification

Define an Object That is Variable

Diagram: HiveAP Classification Tag Settings. This WLAN policy is assigned to HiveAP 1 and HiveAP 2 (HiveAP 1 Configuration, HiveAP 2 Configuration, VLAN Object Definition)

HiveAP Classification: Tag Selection
- If you specify multiple tags on a HiveAP, make sure the object is defined to match
- If you want to make this VLAN object match all HiveAPs in HQ, you must define Tag 1 as HQ, but uncheck Tag 2 and Tag 3 so they will be ignored
- If you do not uncheck Tag 2 and Tag 3, you will have to match all three tags on each HiveAP

Diagram: VLAN Object Definition, HiveAP 1 Configuration, HiveAP 2 Configuration

Objects That Support HiveAP Classification
- Objects that support HiveAP classification:
  - IP/Hostname Objects
  - MAC Addresses/OUIs
  - VLANs
  - User Profile Attribute Groups
- These objects can be configured once, but the values assigned to the HiveAP change based on the HiveAP's:
  - Topology Map
  - Classifier Tag
  - IP Address
  - Hostname

HiveAP Classification Types
- VLANs, IP Address Objects, MAC Address objects, and User Profile Attribute groups can have classification rules based on:
  - Map Name: uses topology maps
  - HiveAP Name
  - Classifier Tag: requires tags to be defined in the configuration of the HiveAPs
  - Global: selected if no match is found for any of the other types
- You can mix and match; the first matching rule is used
- Global is checked as the last match even if it is defined first
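The matching rules on the last two slides (first matching rule wins, Global always evaluated last, an unchecked tag is ignored, a checked tag must match exactly, and several checked tags must all match) are small enough to write down. Here is an added model of that evaluation, example code rather than HiveManager's implementation, using the lab's X-MGT0-VLANs object and the tags the lab assigns to HiveAP-A and HiveAP-B. The HiveAP names are the deck's placeholders; the map name used for the Map Name case is a constructed value.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Tags = Tuple[Optional[str], Optional[str], Optional[str]]   # Tag 1, Tag 2, Tag 3


@dataclass(frozen=True)
class HiveAP:
    name: str
    map_name: Optional[str] = None
    tags: Tags = (None, None, None)       # tags configured under HiveAP Classification


@dataclass(frozen=True)
class ClassificationRule:
    kind: str                  # "Map Name", "HiveAP Name", "Classifier Tag" or "Global"
    value: int                 # the VLAN ID this rule assigns when it matches
    match: Optional[str] = None            # map name or HiveAP name for those kinds
    tags: Tags = (None, None, None)        # None models an unchecked tag (ignored)


def rule_matches(rule: ClassificationRule, ap: HiveAP) -> bool:
    if rule.kind == "Global":
        return True
    if rule.kind == "Map Name":
        return ap.map_name == rule.match
    if rule.kind == "HiveAP Name":
        return ap.name == rule.match
    if rule.kind == "Classifier Tag":
        # Every checked tag must equal the AP's tag in the same slot.
        return all(want is None or want == have for want, have in zip(rule.tags, ap.tags))
    raise ValueError(f"unknown classification type {rule.kind!r}")


def resolve(rules: List[ClassificationRule], ap: HiveAP) -> Optional[int]:
    """First matching rule in definition order, except that Global rules are
    always considered last, as the slide states."""
    ordered = [r for r in rules if r.kind != "Global"] + [r for r in rules if r.kind == "Global"]
    for rule in ordered:
        if rule_matches(rule, ap):
            return rule.value
    return None


# The lab's VLAN object: VLAN 2 when Tag 3 is Trusted (Tag 1 and Tag 2 unchecked), else VLAN 1.
LAB_VLAN_OBJECT = [
    ClassificationRule("Classifier Tag", 2, tags=(None, None, "Trusted")),
    ClassificationRule("Global", 1),
]
HIVEAP_A = HiveAP("X-A-######", tags=("HQ", "Bldg1", "Trusted"))
HIVEAP_B = HiveAP("X-B-######", tags=("HQ", "Bldg1", "DMZ"))


if __name__ == "__main__":
    for ap in (HIVEAP_A, HIVEAP_B):
        print(ap.name, "-> MGT0 VLAN", resolve(LAB_VLAN_OBJECT, ap))
```

The all-tags case from the Tag Selection slide falls out of `rule_matches`: a rule with all three tags checked matches only an AP whose three tags agree, so an AP in a different building silently drops to the Global value, which is the kind of surprise the configuration audit step later in the lab is there to catch.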

WLAN Policy Example 1 - PSK: Using Classification Tags for VLANs

Diagram: a Router connects two L2 switches, one in the DMZ and one Inside

HiveAP Device Settings (Inside)
  Interface mgt0: 10.5.2.?
  Classification Tag: Inside
  WLAN Policy: WLAN-X
  MGT0 VLAN: 2

HiveAP Device Settings (DMZ)
  Interface mgt0: 10.8.1.X
  Classification Tag: DMZ
  WLAN Policy: WLAN-X
  MGT0 VLAN: 1

VLAN Object: X-MGT0-VLANs
  VLAN ID: 2, Type: Classifier Tag, Value: Tag 1: HQ, Tag 2: Bldg1, Tag 3: Trusted
  VLAN ID: 1, Type: Global
  * Global VLAN is set, but it will not be used in this lab

WLAN Policy: WLAN-X
  MGT0 VLAN: X-MGT0-VLANs
  Native VLAN: 1

Lab: HiveAP Classification

1. Assign Classification Tag to HiveAP-A
- From Monitor > HiveAPs
- Select the check box next to your HiveAP-A (X-A-######) and click Modify
- Expand Advanced Settings
- | HiveAP Classification |
  - Enter a value:
    - Tag 1: HQ
    - Tag 2: Bldg1
    - Tag 3: Trusted
- Note: You can change these settings for a group of HiveAPs if you select multiple HiveAPs before editing them
- Click Save

Lab: HiveAP Classification

2. Assign Classification Tag to HiveAP-B
- From Monitor > HiveAPs
- Select the check box next to your HiveAP-B (X-B-######) and click Modify
- Expand Advanced Settings
- | HiveAP Classification |
  - Enter a value:
    - Tag 1: HQ
    - Tag 2: Bldg1
    - Tag 3: DMZ
- Note: You can change these settings for a group of HiveAPs if you select multiple HiveAPs before editing them
- Click Save

Lab: HiveAP Classification

3. In Your WLAN Policy Create a New VLAN
- The VLAN for the MGT0 interface on a HiveAP is assigned via the WLAN policy
- Go to Configuration > WLAN Policies
- Edit WLAN-X
- Next to MGT interface VLAN, click +
- Go to Next Slide

Lab: HiveAP Classification

4. Create a VLAN Policy for MGT0 VLANs
- VLAN Name: X-MGT0-VLANs
- VLAN ID: 2
  - Type: Classifier
  - Value:
    - Uncheck Tag 1: <empty>
    - Uncheck Tag 2: <empty>
    - Check Tag 3: Trusted
  - Click Apply (do not save)
- Click New
- VLAN ID: 1
  - Type: Global
  - Click Apply
  - Note: HiveAPs in the DMZ use VLAN 1, which will match the Global rule defined here
- Save your VLAN object

Lab: HiveAP Classification

5. Assign MGT0 Interface VLAN to New VLAN
- In your WLAN Policy, verify the MGT0 Interface VLAN is set to: X-MGT0-VLANs
- The Native (untagged) VLAN should still be set to: 1
- Save your WLAN Policy

Lab: HiveAP Classification

6. View Configuration Audit
- Click the mismatch icon for your HiveAP-A to see the configuration changes
- You should see that the MGT0 interface is being set to VLAN 2
- If you click the mismatch icon for HiveAP-B, you will not see a change in the VLAN, because it is already set to use VLAN 1

Lab: HiveAP Classification

7. Update Delta Configuration
- From Monitor > HiveAPs
- Select both of your HiveAPs:
  - X-A-HiveAP
  - X-B-HiveAP
- Select Update... > Upload and Activate Configuration
- If you want to see the delta configuration, click the HiveAP link for your HiveAP
- Close the View Configuration window after viewing the delta configuration changes
- Click Upload

Lab: HiveAP Classification

8. View Update Results
- After a successful update, you can move your mouse over the Description to see what was updated

Lab: HiveAP Classification

9. View the New IP Address for Your HiveAP
- From Monitor > HiveAPs
- Verify that the new IP address for your HiveAP is in the subnet: 10.5.2.0/24 (new IP address in VLAN 2)
- Note: It may take a moment to reflect the changes

HiveAP Classification Example

Using Classification Tags for VLANs: Example

Diagram: a campus with a Router connecting two L2 switches, Area-1 and Area-2. One WLAN policy (Campus-Policy) serves both areas; the per-area VLAN values come from classifier tags.

WLAN Policy Settings: Campus-Policy
  Hive: Hive-Campus
  MGT0 VLAN: VLAN-HiveAPs
  Native VLAN: 1
  SSID 1: Student-WiFi, Network Security: WPA/WPA2 with PSK, TKIP or AES
  SSID 2: Faculty-WiFi, Network Security: WPA/WPA2 with PSK, TKIP or AES
  SSID 3: Voice-WiFi, Network Security: WPA/WPA2 with PSK, TKIP or AES
  User Profile: Students, Attribute: 100, Tunnel Policy: L3-Roaming, VLAN: VLAN-Students
  User Profile: Faculty, Attribute: 101, Tunnel Policy: L3-Roaming, VLAN: VLAN-Faculty
  User Profile: Voice, Attribute: 102, Tunnel Policy: L3-Roaming, VLAN: VLAN-Voice

HiveAP Device Settings (Area-1): Interface mgt0: DHCP-Client, Classification Tag: Area-1, WLAN Policy: Campus-Policy
  HiveAP VLAN: 2, User VLANs: 3-5; Student client 10.1.3.10

HiveAP Device Settings (Area-2): Interface mgt0: DHCP-Client, Classification Tag: Area-2, WLAN Policy: Campus-Policy
  HiveAP VLAN: 6, User VLANs: 7-9; Student client 10.1.7.10

VLAN Network Objects (Classifier Tag -> VLAN)
  VLAN-HiveAPs: Area-1 -> VLAN 2, Area-2 -> VLAN 6
  VLAN-Students: Area-1 -> VLAN 3, Area-2 -> VLAN 7
  VLAN-Faculty: Area-1 -> VLAN 4, Area-2 -> VLAN 8
  VLAN-Voice: Area-1 -> VLAN 5, Area-2 -> VLAN 9
  * A global VLAN must be set, but it will not be used

HiveAPs as RADIUS Servers

Local User Database