Chapter 8 HiveManager Configuration Examples This chapter contains a sequential flow of examples that show how to import and organize maps, install HiveAPs on the network and link them to maps, configure typically needed features, assign these features to HiveAPs, and push configurations to the HiveAPs across the network.
EXAMPLE 1: MAPPING LOCATIONS AND INSTALLING HIVEAPS
HiveManager allows you to mark the location of HiveAPs on maps so that you can track devices and monitor their status. First, you must upload the maps to HiveManager, and then name and arrange them in a structured hierarchy (see "Setting Up Topology Maps").
The selected image file is transferred from your management system to HiveManager as shown in Figure 3.
[Figure 3 Uploading a Map of a Building Floor Plan: a map showing one of the floor plans is uploaded from the management system to HiveManager]
5. Repeat this for all the image files that you need to load.
7. In the New Map (Submap for CorpOffices) dialog box, enter the following, and then click Create:
• Map Name: HQ-B1-F2
• Map Icon: Floor
• Background Image: Choose HQ-B1-F2.png from the drop-down list.
• Environment: Enterprise
• Width: 80 feet
A white floor icon labeled "HQ-B1-F2" appears on the CorpOffices image, and a new entry named "HQ-B1-F2" appears nested under "CorpOffices" in the navigation tree.
8.
Preparing the HiveAPs
There are several approaches that you can take when mapping the location of installed HiveAP devices. Two possible approaches are presented below. With the first approach ("Using SNMP"), HiveManager automatically assigns HiveAPs to maps.
Using MAC Addresses
With this approach, you write down the MAC address labelled on the underside of each HiveAP and its location while installing the HiveAPs throughout the buildings. The MAC address on the label is for the mgt0 interface. Because the MAC addresses of all HiveAPs begin with the Aerohive MAC OUI 00:19:77, you only need to record the last six numerals in the address.
[Figure 6 CAPWAP Process—Beginning from the Run State: the CAPWAP client (HiveAP) and CAPWAP server (HiveManager), with the client moving through the Run, Idle, and Discovery states]
The CAPWAP client (HiveAP) pings the CAPWAP server (HiveManager) but receives no responses within the neighbor-dead-interval. ... When the client determines its neighbor is dead, it transitions from the Run state to the Idle state.
EXAMPLE 2: DEFINING NETWORK OBJECTS AND MAC FILTERS
Network objects are the most basic objects that you can configure and only function when other objects such as QoS classifiers, SSID profiles, and firewall policy rules reference them.
By distinguishing voice traffic by the clients’ OUI and mapping it to class 6, HiveAPs can prioritize it above other traffic types (see "Example 4: Creating User Profiles" on page 113).
1. Log in to the HiveManager GUI.
2. Click Configuration > Network Objects > MAC Addresses/OUIs > New.
3. Enter the following, and then click Save:
• MAC OUI: (select)
• MAC Name: Type a name such as "VoIP_Phones". You cannot include any spaces when defining a MAC name.
5. Click the Network Services tab, enter the following, and then click Apply:
• Service: DNS
• QoS Class: 5 - Video
• Action: Permit
• Logging: Select the check box to enable HiveAPs to log traffic that matches the service-to-Aerohive class mapping. (HiveAPs log traffic whether the action is permit or deny.
Defining VLANs
You define three VLANs that you will later assign to various user profiles (see "Example 4: Creating User Profiles" on page 113). By assigning different VLANs to different user roles, their traffic remains isolated from each other; that is, voice traffic never shares a broadcast domain with data traffic, and data traffic from guests never shares the same broadcast domain with employee data traffic.
Creating IP Addresses
You use the IP addresses that you create here when defining management services for the HiveAPs (see "Example 6: Setting Management Service Parameters" on page 120). The IP addresses are used for DNS, SNMP, syslog, and NTP servers. To understand the locations of the different servers on the network, see Figure 15 on page 120.
DNS Servers
1.
Syslog Server
Click Configuration > Network Objects > IP Addresses > New, and after entering all the following, click Save:
• Address Name: Syslog-Server
Enter the following, and then click Apply:
— IP Address: 10.1.1.23
— Netmask: 255.255.255.255
— Type: Global
Because all the HiveAPs at both the headquarters and branch site use the same syslog server, you classify it as Global.
Creating a MAC Filter
A MAC filter is a type of security policy that you can apply to an SSID to allow or deny access to clients attempting to form associations based on their source MAC addresses. In this example, you define a MAC filter based on the VoIP phone OUI and apply it to the SSID to which you want VoIP clients to associate.
EXAMPLE 3: PROVIDING GUEST ACCESS
As a convenience for guests visiting the corporate headquarters or branch office, you provide them with wireless network access. To preserve bandwidth for employees, the rate limit for guests is somewhat minimized. To maintain security, visitors are restricted to accessing just the public LAN.
Guest Access with Captive Web Portal
A captive web portal provides registered users with network access while containing unregistered users. Aerohive offers two approaches to applying a captive web portal, one using external DHCP and DNS servers on the network and the other using internal DHCP and DNS servers on the HiveAP itself.
[Figure panels 3 and 4: DNS Address Resolution and HTTP Connection to the Captive Web Portal, showing the DNS querier, DNS server, HTTP client, and HTTP server exchanging a DNS query and reply and an HTTP GET and reply]
The HiveAP allows DNS queries and replies between the client of an unregistered user and a DNS server. When the client sends an HTTP or HTTPS GET command, the HiveAP intercepts it and sends it to its HTTP server, which replies with a guest access registration page.
Captive Web Portal with Internal DHCP and DNS Servers
With this approach, when the client of a previously unregistered visitor first associates with the guest SSID, the HiveAP acts as a DHCP server, DNS server, and web server, limiting the client’s network access to just the HiveAP with which it associated. No matter what website the visitor tries to reach, the HiveAP directs the browser to a registration page.
[Figure panels 5 and 6: Registration, between the HTTP client and HTTP server; the client MAC 0016:cf8c:57bc moves from the quarantine list to the registered list]
After a guest agrees to the acceptable use policy, fills in the form, and submits the registration, the HiveAP moves the client’s MAC address from a quarantined list to a registered list.
Figure 11 Captive Web Portal Registration Page (http://www.cwp-login-0-1.com/index.html)
[The page contains the images loginscreen_02.jpg (304 x 56 px) and loginscreen_03.jpg (450 x 4 px); an "Authenticated Network Access" section with User Name, Password, and Submit fields; and an "Open Guest Network Access" section with the acceptable use policy, which begins: "Acceptable Use Policy 1.0 Overview This company’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to this company."]
To modify the registration page, do the following:
1.
• Remove the string index_files/ from the image source definitions of the three images: Note: When working on image files, make sure that they match the above dimensions.
Loading Customized Captive Web Portal Files
To load your edited or new files onto one or more HiveAPs, you first create a directory on HiveManager and then upload the files from your management system or SCP (Secure Copy) server into that directory. From there, you can send the files to one or more managed HiveAPs when you push the configuration that references the files. To create a directory on HiveManager and upload files into it, do the following:
1.
Defining a Captive Web Portal
Define the following captive web portal for use when creating an SSID for guest registration (see "guest SSID" on page 119). The definition below references the web directory "guestCWP" and the HTML files that you modified and uploaded in the previous section—login.html and success.html.
EXAMPLE 4: CREATING USER PROFILES
User profiles contain a grouping of settings that determine the QoS (Quality of Service), VLAN, firewall policies, and mobility policy that you want HiveAPs to apply to traffic from a specific group of users. In this example, you define user profiles and their companion QoS forwarding rates and VLANs for VoIP phone users ("VoIP"), IT staff ("IT"), corporate employees ("Emp"), and corporate visitors ("Guests").
Class Number - Name | Scheduling Type | Scheduling Weight | Weight % (Read Only) | Policing Rate Limit (Kbps) (802.11a/b/g) | Policing Rate Limit (Kbps) (802.
IEEE 802.1X authentication, you must configure the user profile attribute that you set here as an attribute on the RADIUS server as explained in "RADIUS Server Attributes" on page 124.
• Attribute Group: Leave this field empty.
• QoS Setting: QoS-ITdata
• Default VLAN: VLAN-1-EmployeeData (previously defined; see "Defining VLANs" on page 100) HiveAPs assign users matching the IT user profile to VLAN 1.
Class Number - Name | Scheduling Type | Scheduling Weight | Weight % (Read Only) | Policing Rate Limit (Kbps) (802.11a/b/g) | Policing Rate Limit (Kbps) (802.11n)
4 - Controlled Load | Weighted Round Robin | 50 | 23% | 2000 | 2000
3 - Excellent Effort | Weighted Round Robin | 40 | 19% | 2000 | 2000
2 - Best Effort 1 | Weighted Round Robin | 30 | 14% | 2000 | 2000
1 - Best Effort 2 | Weighted Round Robin | 20 | 9% | 2000 | 2000
0 - Background | Weighted Round Robin | 10 | 4% | 2000 | 2000
2.
EXAMPLE 5: SETTING SSIDS
An SSID (service set identifier) is an alphanumeric string that identifies a set of authentication and encryption services that wireless clients and access points use when communicating with each other.
Employees that belong to the "IT" and "Emp" profiles can use SSIDs "voip" and "corp". The SSID with which they associate is based on how they are attempting to access the network. If they use a VoIP phone, then they associate with the voip SSID because that is the SSID configured on their phones. If they use a wireless client on a computer, then they associate with the corp SSID because that is the SSID configured on the wireless client on their computers.
guest SSID
1.
EXAMPLE 6: SETTING MANAGEMENT SERVICE PARAMETERS
Management services include the settings for DNS, syslog, SNMP, NTP, and location servers. HiveAPs use these services for network communications and logging activities. In addition, you can set HiveAP admin access parameters. In this example, you configure the management services that you later reference in WLAN policies (see "Example 9: Creating WLAN Policies" on page 126).
DNS Assignment
Click Configuration > Management Services > DNS Assignments > New, and after entering all the following, click Save:
• Name: DNS-Primary-HQ
• Domain Name: apis.com (This is the domain name of the corporation in this example.
To specify a previously defined IP address object for the SNMP server, enter the following, and then click Apply:
— Type: IP Address
— SNMP Server: SNMP-Server
— Version: From the drop-down list, select the version of SNMP that is running on the management system you intend to use: V1 or V2C.
EXAMPLE 7: DEFINING AAA RADIUS SETTINGS
In this example, you define the connection settings for a RADIUS server so that HiveAPs can send RADIUS authentication requests to the proper destination. After corporate employees associate with HiveAPs, they gain network access by authenticating themselves to a RADIUS server. The authentication process makes use of the IEEE 802.1X standard.
100,000,000 seconds. Generally, you want to make the retry interval fairly large so that supplicants (that is, wireless clients requesting 802.1X authentication) do not have to wait unnecessarily as a HiveAP repeatedly tries to connect to a primary server that is down for an extended length of time.
EXAMPLE 8: CREATING HIVES
A hive is a set of HiveAPs that exchange information with each other to form a collaborative whole. In this example, you define three hives: two for the two buildings at headquarters and a third for the branch site. Later, in "Example 9: Creating WLAN Policies" on page 126, you assign the hives to WLAN policies, which in turn you assign to HiveAP devices in "Example 10: Assigning Configurations to HiveAPs" on page 135.
EXAMPLE 9: CREATING WLAN POLICIES
Through HiveManager, you can configure two broad types of features:
• Policy-based features – In combination, these features form policies that control how users access the network: SSIDs, user profiles, QoS (Quality of Service) forwarding mechanisms and rates, hives, AAA (authentication, authorization, accounting) services, management services (DNS, NTP, syslog), mobility policies, IP and MAC firewall policies, and VLAN assign
1. Click Configuration > WLAN Policies > New, and enter the following on the first page of the new WLAN policy dialog box:
• Name: WLANpolicy-1 (You cannot use spaces in the WLAN policy name.)
• Description: Enter a useful description, such as "HiveAPs in Bldg1 at HQ".
Network Settings
2. Enter the following in the Network Settings section. (Note that the hive and VLAN were previously configured in "Example 8: Creating Hives" on page 125 and "Defining VLANs" on page 100.
WLANpolicy-hq1 (Page 2)
On the second page of the new WLAN policy dialog box, you can map SSIDs to management service filters, AAA servers, radio modes, and user profiles. In addition, you can set the Ethernet interface in access mode (Bridge-Access or Bridge-802.1Q) and assign management service filters to the Ethernet and wireless backhaul interfaces.
• RADIUS UP Rule: def-radius-user-profile-rule (default) This setting essentially controls which users authenticated by a RADIUS server can access the SSID. Because the voip SSID does not use RADIUS authentication, the setting is not applicable.
• Radio Mode: 11ng(b/g) In this example, you want to use IEEE 802.11b/g for network access traffic because a broader range of wireless clients support IEEE 802.11b than IEEE 802.
SSID: guest
1. Click New.
2.
WLANpolicy-hq1 (Page 3)
On the third page of the new WLAN policy dialog box, you can assign QoS classifier and marker maps to SSIDs and specify user profile-based QoS data forwarding rate limits and weights. (Note that no marker maps were configured previously, so this option is unavailable.) To view the third page of the WLAN policy dialog box configured with the SSID "guest" with and without a captive web portal, see Figure 19.
Figure 20 User Profiles, Forwarding Rates, and Weights
[Figure residue: the left panel, Maximum Traffic Forwarding Rates (per profile and per user), shows VoIP (ID: 2) with 3200 Kbps and 512 Kbps on 11a/b/g/n, and IT (ID: 3) and Emp (ID: 4) with 54,000 Kbps on 11a/b/g and 1,000,000 Kbps on 11n; the right panel, User Profile Weights (for traffic forwarding using WRR), is scaled from 10 to 60 and shows VoIP (60), Emp (25), and Guests (5). The rest of the figure is cut off.]
SSID "guests" with a captive web portal (two user profiles)
User Profile Name | Policing Rate Limit (Kbps) 802.11a/b/g | Policing Rate Limit (Kbps) 802.11n | Scheduling Weight | Scheduling Weight % (read-only)
Guests | 2000 | 2000 | 5 | 3.7037
Unregistered-Guests | 2000 | 2000 | 5 | 3.7037
VoIP | 3200 | 3200 | 60 | 44.444
IT | 54000 | 1000000 | 40 | 29.629
Emp | 54000 | 1000000 | 25 | 18.
These weights skew the rate at which the HiveAPs forward queued traffic using the WRR (weighted round robin) scheduling discipline. Roughly, for every 5 bytes of guest traffic per second, a HiveAP forwards 25 bytes of employee traffic, 40 bytes of IT traffic, and 60 bytes of VoIP traffic. These numbers are not exact because HiveAPs also have internal weights per class that also affect the amount of traffic that a HiveAP forwards.
EXAMPLE 10: ASSIGNING CONFIGURATIONS TO HIVEAPS
After completing the steps in the previous examples, you can now assign the following configurations as appropriate to each HiveAP:
• WLAN policy (created in "Example 9: Creating WLAN Policies" on page 126)
• Radio profiles (default radio profiles)
• Map (uploaded in "Example 1: Mapping Locations and Installing HiveAPs" on page 91)
As the above list indicates, this example makes use of the two default radio
Assigning Configurations
1. Click Access Points > Automatically Discovered.
2. Select a group of HiveAPs associated with the same map. If you defined SNMP sysLocation MIB objects as you installed the HiveAPs as explained in "Using SNMP" on page 94, each HiveAP listed in the Automatically Discovered window will now include a map title in the Topology Map column. By clicking the Topology Map column header, you can sort HiveAPs by topology map.
DTLS Passphrase
HiveManager and HiveAPs use the DTLS (Datagram Transport Layer Security) passphrase to derive a preshared key that they then use to mutually authenticate each other when making a CAPWAP connection. By default, when a HiveAP first makes a CAPWAP connection to HiveManager, they use a predefined bootstrap DTLS passphrase combined with several other values to derive a shared key that they then use to authenticate each other.
Uploading HiveAP Configurations
At this point, you have assigned configurations to the HiveAPs, accepted them for management, changed their login settings, and possibly the country code as well. Now, you can push their configurations from HiveManager to the HiveAPs.
1. Click Access Points > Managed HiveAPs > Update > Upload and Activate Configuration (Wizard). The Upload and Activate Configuration (Wizard) dialog box appears.
2.
6. Select the HiveAPs whose configurations you want to update, select one of the following options for controlling when the uploaded configurations are activated (by rebooting the HiveAPs), and then click OK:
• Activate at: Select this option and set the time when you want the updated HiveAPs to activate their new configuration.
Chapter 9 HiveOS You can deploy a single HiveAP and it will provide wireless access as an autonomous AP (access point). However, if you deploy two or more HiveAPs in a hive, you can provide superior wireless access with many benefits. A hive is a set of HiveAPs that exchange information with each other to form a collaborative whole (see Figure 1).
COMMON DEFAULT SETTINGS AND COMMANDS
Many major components of HiveOS are automated and typically require no further configuration. For example, radio power and frequency selection occurs automatically, as does route learning. Also, after defining a hive and its security protocol suite, all HiveAPs belonging to that hive automatically initiate and maintain communications with each other.
CONFIGURATION OVERVIEW
The amount of configuration depends on the complexity of your deployment. As you can see in "Deployment Examples (CLI)" on page 149, you can enter a minimum of three commands to deploy a single HiveAP, and just a few more to deploy a hive. However, for cases when you need to fine tune access control for more complex environments, HiveOS offers a rich set of CLI commands.
Policy-Level Configurations
Policies control how wireless clients access the network. The following list contains some key areas of policy-level configurations and relevant commands.
• QoS settings: qos { classifier-map | classifier-profile | marker-map | marker-profile | policy } …
• User profiles: user-profile string …
• SSIDs: ssid string …
• AAA (authentication, authorization, and accounting) settings for IEEE 802.
HIVEOS CONFIGURATION FILE TYPES
HiveOS supports several types of configuration files: running, current, backup, bootstrap, default, and failed. The running configuration (config) is the configuration that is actively running in DRAM. During the bootup process, a HiveAP loads the running config from one of up to four config files stored in flash memory:
• current: a flash file containing a combination of default and admin-defined settings.
When you upload a configuration file from HiveManager or from a TFTP or SCP server, the HiveAP stores the uploaded file in the backup config partition in flash memory, where it remains until the HiveAP reboots. If there is a backup config file already stored in flash, the newly uploaded file overwrites it. See Figure 4.
Note: To upload and activate a config file from HiveManager, see "Uploading HiveAP Configurations" on page 138.
Figure 6 Relationship of Current, Backup, Bootstrap, and Default Config Files
[Two panels: Configuration Failover Behavior, showing failover from the Current Config to the Backup Config and on to the Bootstrap Config ". . . or if there is no bootstrap config . . ." to the Default Config; and Resetting the Configuration, showing reset config taking the Current Config to the Bootstrap Config . . .]
If the HiveAP cannot load either the current or backup config files, it deletes them, reboots, and loads the bootstrap config—if present—or the default config.
Chapter 10 Deployment Examples (CLI) This chapter presents several deployment examples to introduce the primary tasks involved in configuring HiveAPs through the HiveOS CLI. In "Deploying a Single HiveAP" on page 150, you deploy one HiveAP as an autonomous access point. This is the simplest configuration: you only need to enter and save three commands. In "Deploying a Hive" on page 153, you add two more HiveAPs to the one deployed in the first example to form a hive with three members.
EXAMPLE 1: DEPLOYING A SINGLE HIVEAP
In this example, you deploy one HiveAP (HiveAP-1) to provide network access to a small office with 15 – 20 wireless clients.
3. Connect the other end of the cable to the male DB-9 or RJ-45 console port on the HiveAP.
4. On your management system, run a VT100 terminal emulation program, such as Tera Term Pro© (a free terminal emulator) or Hilgraeve Hyperterminal® (provided with Windows® operating systems).
Step 3 Configure the wireless clients
Define the "employee" SSID on all the wireless clients. Specify WPA-PSK for network authentication, AES or TKIP for data encryption, and the preshared key N38bu7Adr0n3.
Step 4 Position and power on the HiveAP
1. Place the HiveAP within range of the wireless clients and, optionally, mount it as explained in the mounting section in the chapter about the HiveAP model that you are using.
2.
EXAMPLE 2: DEPLOYING A HIVE
Building on "Deploying a Single HiveAP" on page 150, the office network has expanded and requires more HiveAPs to provide greater coverage. In addition to the basic configuration covered in the previous example, you configure all three HiveAPs to form a hive within the same layer 2 switched network.
Step 1 Configure HiveAP-1
1. Using the connection settings described in the first example, log in to HiveAP-1.
2. Configure HiveAP-1 as a member of "hive1" and set the security protocol suite.
Step 2 Configure HiveAP-2 and HiveAP-3
1. Power on HiveAP-2 and log in through its console port.
2. Configure HiveAP-2 with the same commands that you used for HiveAP-1:
ssid employee
ssid employee security protocol-suite wpa-auto-psk ascii-key N38bu7Adr0n3
interface wifi0 ssid employee
hive hive1
hive hive1 password s1r70ckH07m3s
interface mgt0 hive hive1
3. (Optional) Change the name and password of the superuser.
admin superuser mwebster password 3fF8ha
4.
After HiveAP-3 boots up, it discovers the two other members of hive1 over a wireless backhaul link. The members authenticate themselves and establish a security association for encrypting backhaul communications among themselves. HiveAP-3 then learns its default route to the wired network from the other hive members. If the other members send routes with equal costs—which is what happens in this example—HiveAP-3 uses the first route it receives.
7. To check that the hive members have full data connectivity with each other, associate a client in wireless network-1 with HiveAP-1 (the SSID "employee" is already defined on clients in wireless network-1; see "Deploying a Single HiveAP"). Then check if HiveAP-1 forwards the client’s MAC address to the others to store in their roaming caches.
Step 4 Configure wireless clients
Define the "employee" SSID on all the wireless clients in wireless network-2 and -3. Specify WPA-PSK for network authentication, AES or TKIP for data encryption, and the preshared key N38bu7Adr0n3. The setup of hive1 is complete. Wireless clients can now associate with the HiveAPs using SSID "employee" and access the network.
EXAMPLE 3: USING IEEE 802.1X AUTHENTICATION
Note: This example assumes that the RADIUS and AD servers were previously configured and populated with user accounts that have been in use on a wired network (not shown). The only additional configuration on these servers is to enable the RADIUS server to accept authentication requests from the HiveAPs.
Step 1 Define the RADIUS server on HiveAP-1
Configure the settings for the RADIUS server (IP address and shared secret) on HiveAP-1.
Step 5 Configure the RADIUS server to accept authentication requests from the HiveAPs
Log in to the RADIUS server and define the three HiveAPs as access devices. Enter their mgt0 IP addresses (or fully qualified domain names) and shared secret.
Step 6 Check that clients can form associations and access the network
1. To check that a client can associate with a HiveAP and access the network, open a wireless client application and connect to the "employee" SSID.
EXAMPLE 4: APPLYING QOS
In this example, you want the hive members to prioritize voice, streaming media, and e-mail traffic. First, you map distinguishing elements of these traffic types to three Aerohive QoS (Quality of Service) classes:
Class 6: voice traffic from VoIP phones with MAC OUI 00:12:3b (the OUI for all phones in the network). Voice traffic is very sensitive to delay and cannot tolerate packet loss without loss of voice quality.
Note: The HiveAP assigns all traffic that you do not specifically map to an Aerohive class to class 2, which by default uses WRR with a weight of 30 and a rate of 54,000 or 1,000,000 Kbps, depending on the HiveAP.
Figure 4 QoS Policy "voice" for Voice, Streaming Media, and Data
[QoS Policy: "voice" – Voice:]
qos policy voice qos 6 strict 512 0
The policy assigns the highest priority to voice traffic (class 6).
Step 1 Map traffic types to Aerohive QoS classes on HiveAP-1
1. Map the MAC OUI (organizational unit identifier) of network users’ VoIP phones to Aerohive class 6.
qos classifier-map oui 00:12:3b qos 6
In this example, all network users use VoIP phones from the same vendor whose OUI (that is, the MAC address prefix) is 00:12:3b. When HiveAP-1 receives traffic from a client whose source MAC address contains this OUI, it assigns it to Aerohive class 6.
2.
2. Associate the classifier profiles with the employee SSID and the eth0 interface so that HiveAP-1 can classify incoming traffic arriving at these two interfaces.
The QoS policy that you define is shown in Figure 5. Although you did not configure settings for Aerohive QoS classes 0, 1, 2, 4, and 7, the policy applies default settings to them. The HiveAP assigns all traffic that you do not specifically map to an Aerohive class to class 2, which uses WRR with a weight of 30 and a default rate of 54,000 or 1,000,000 Kbps. Because nothing is mapped to classes 0, 1, 4, and 7, their settings are irrelevant.
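The classifier maps of Step 1 and the "voice" policy described above, modelled in Python as an added example (this is not Aerohive code and does not run on a HiveAP). It assumes, because the manual does not say, that the MAC-OUI classifier is evaluated before the service classifier, and it uses the 802.11a/b/g default rate for class 2; the hypothetical Frame type and the sample frames are constructed for the demonstration.

```python
# Added example, not from the Aerohive manual: a model of the classifier maps
# and the QoS policy "voice" that Example 4 configures on HiveAP-1.
from dataclasses import dataclass

# qos classifier-map oui 00:12:3b qos 6
OUI_CLASS_MAP = {"00:12:3b": 6}

# service mms tcp 1755 / service smtp tcp 25 / service pop3 tcp 110
SERVICES = {"mms": ("tcp", 1755), "smtp": ("tcp", 25), "pop3": ("tcp", 110)}

# qos classifier-map service mms qos 5, ... smtp qos 3, ... pop3 qos 3
SERVICE_CLASS_MAP = {"mms": 5, "smtp": 3, "pop3": 3}

# Traffic that matches no classifier map goes to class 2.
DEFAULT_CLASS = 2

# qos policy voice entries for an 802.11a/b/g HiveAP:
# class -> (scheduling, rate limit in Kbps, weight). Classes 0, 1, 4 and 7
# keep their defaults and are omitted because nothing maps to them.
POLICY = {
    6: ("strict", 512, 0),      # qos policy voice qos 6 strict 512 0
    5: ("wrr", 20000, 90),      # qos policy voice qos 5 wrr 20000 90
    3: ("wrr", 54000, 60),      # qos policy voice qos 3 wrr 54000 60
    2: ("wrr", 54000, 30),      # default for class 2 (weight 30, 54,000 Kbps)
}


@dataclass(frozen=True)
class Frame:
    """Hypothetical frame summary: only the fields the classifiers look at."""
    src_mac: str
    proto: str      # "tcp" or "udp"
    dst_port: int


def oui_of(mac):
    """First three octets of a MAC address, normalised to the CLI form aa:bb:cc."""
    octets = mac.lower().replace("-", ":").split(":")
    return ":".join(octets[:3])


def classify(frame):
    """Return the Aerohive QoS class (0-7) for a frame.

    Assumption (the manual does not state the order): the MAC-OUI map is
    checked before the service map, so e-mail sent by a VoIP phone is still
    class 6. A service matches only on the configured protocol and port.
    """
    cls = OUI_CLASS_MAP.get(oui_of(frame.src_mac))
    if cls is not None:
        return cls
    key = (frame.proto.lower(), frame.dst_port)
    for name, definition in SERVICES.items():
        if definition == key:
            return SERVICE_CLASS_MAP.get(name, DEFAULT_CLASS)
    return DEFAULT_CLASS


def policy_for(frame):
    """Scheduling type, rate limit (Kbps) and weight the policy applies to the frame."""
    return POLICY[classify(frame)]


if __name__ == "__main__":
    # Constructed sample frames (not captured traffic).
    samples = [
        Frame("00:12:3b:01:02:03", "udp", 5060),   # VoIP phone, any protocol
        Frame("00:16:cf:8c:57:bc", "tcp", 1755),   # streaming media (mms)
        Frame("00:16:cf:8c:57:bc", "tcp", 25),     # e-mail (smtp)
        Frame("00:16:cf:8c:57:bc", "tcp", 80),     # web: unmapped, class 2
    ]
    for f in samples:
        print(f, "-> class", classify(f), policy_for(f))
```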
Step 4 Configure HiveAP-2 and HiveAP-3
1. Log in to HiveAP-2 through its console port.
2.
EXAMPLE 5: LOADING A BOOTSTRAP CONFIGURATION
Step 5 Configure RADIUS server attributes
1. Log in to the RADIUS server and define the three HiveAPs as RADIUS clients.
2. Configure the following attributes for the realm to which the wireless user accounts in network-1, -2, and -3 belong:
• Tunnel Type = GRE (value = 10)
• Tunnel Medium Type = IP (value = 1)
• Tunnel Private Group ID = 2
The RADIUS server returns the above attributes for all wireless users it authenticates from network-1, -2, and -3.
Step 1 Define the bootstrap config on HiveAP-1
1. Make a serial connection to the console port on HiveAP-1, log in, and load the default config.
load config default
reboot
You do not want the bootstrap config to contain any of your previously defined settings from the current config. Therefore, you load the default config, which has only default settings.
Step 2 Save the bootstrap config to a TFTP server
1. Check the configurations to make sure the settings are accurate.
show config bootstrap
Check that the settings are those you entered in the previous step for the bootstrap config.
show config backup
Note that the backup config is the previous current config. This is the configuration that has all your previously defined settings.
2. Return to the previous current config.
load config backup
reboot
3.
CLI COMMANDS FOR EXAMPLES
This section includes all the CLI commands for configuring the HiveAPs in the previous examples. The CLI configurations are presented in their entirety (without explanations) as a convenient reference, and—if you are reading this guide as a PDF—as an easy way to copy and paste the commands. Simply copy the blocks of text for configuring the HiveAPs in each example and paste them at the command prompt.
HiveAP-3
ssid employee
ssid employee security protocol-suite wpa-auto-psk ascii-key N38bu7Adr0n3
interface wifi0.1 ssid employee
hive hive1
hive hive1 password s1r70ckH07m3s
interface mgt0 hive hive1
save config
Commands for Example 3
Enter the following commands to configure the hive members to support IEEE 802.1X authentication in "Using IEEE 802.1X Authentication" on page 158:
HiveAP-1
aaa radius-server first 10.1.1.
Commands for Example 4
Enter the following commands to configure the hive members to apply QoS (Quality of Service) to voice, streaming media, and data traffic in "Applying QoS" on page 161:
HiveAP-1
qos classifier-map oui 00:12:3b qos 6
service mms tcp 1755
service smtp tcp 25
service pop3 tcp 110
qos classifier-map service mms qos 5
qos classifier-map service smtp qos 3
qos classifier-map service pop3 qos 3
qos classifier-profile employee-voice mac
qos classifier-prof
qos classifier-profile employee-voice service
qos classifier-profile eth0-voice mac
qos classifier-profile eth0-voice service
ssid employee qos-classifier employee-voice
interface eth0 qos-classifier eth0-voice
For HiveAPs supporting IEEE 802.11a/b/g
qos policy voice qos 5 wrr 20000 90
qos policy voice qos 3 wrr 54000 60
For HiveAPs supporting IEEE 802.
Commands for Example 5
Enter the following commands to create bootstrap config files and load them on the hive members in "Loading a Bootstrap Configuration" on page 167:
bootstrap-security.txt
admin root-admin Cwb12o11siNIm8vhD2hs password 8wDamKC1Lo53Ku71
hive hive1
hive hive1 password s1r70ckH07m3s
interface mgt0 hive hive1
HiveAP-1
save config tftp://10.1.1.31:bootstrap-security.txt bootstrap
show config bootstrap
HiveAP-2
save config tftp://10.1.1.
Chapter 11 Traffic Types This is a list of all the types of traffic that might be involved with a HiveAP and HiveManager deployment. If a firewall lies between any of the sources and destinations listed below, make sure that it allows these traffic types.
Service | Source | Destination | Protocol | SRC Port | DST Port | Notes
SNMP | HiveAP mgt0 interface | SNMP manager | 17 UDP | 1024 - 65535 | 161 | Required for reporting alarms and events to an SNMP manager and to HiveManager if not using CAPWAP
SNMP traps | HiveAP mgt0 interface | SNMP manager | 17 UDP | 1024 - 65535 | 162 | Required for sending SNMP traps to an SNMP manager and to HiveManager if not using CAPWAP
SSHv2 | HiveManager MGT port | HiveAP mgt0 interface | | 1024 - 65535 | 22 | Required for the HiveMana
Appendix A Country Codes When the region code on a HiveAP is preset as "world", you must set a country code for the location where you intend to deploy the HiveAP. This code determines the radio channels and power settings that the HiveAP can use when deployed in that country. For HiveAPs intended for use in the United States, the region code is preset as "FCC"—for "Federal Communications Commission"—and the country code is preset for the United States.
Greece 300
Japan22 (J22) 4022
Guatemala 320
Japan23 (J23) 4023
Honduras 340
Japan24 (J24) 4024
Hong Kong (S.A.R., P.R.
Portugal 620
Thailand 764
Puerto Rico 630
Trinidad y Tobago 780
Qatar 634
Tunisia 788
Romania 642
Turkey 792
Russia 643
Saudi Arabia 682
Singapore 702
Slovakia (Slovak Republic) 703
Slovenia 705
South Africa 710
Spain 724
Sri Lanka 144
U.A.E.
This device is a transceiver. The data length as well as the timing are well controlled and acknowledged between Tx and Rx. An information or operational failure will terminate the transmission and re-build the link immediately.