Aerohive Certified Wireless Administrator (ACWA): Aerohive's Instructor-Led Training

The key takeaways are an introduction to Aerohive's instructor-led training course, which covers topics like predictive modeling and WLAN design, HiveManager configuration, mobility solutions, and hands-on labs.

The main topics covered in the course include predictive modeling and WLAN design, HiveManager overview, mobility solutions and unified policy management, initial HiveManager configuration, topology maps, secure access network scenarios, guest management, device settings, and deployment optimization.

Cooperative Control enables seamless roaming by forwarding the Pairwise Master Key (PMK) between APs within the same subnet and across Layer 3 boundaries. It also forwards PMKs to next-hop neighbor APs that are within radio range.

AEROHIVE CERTIFIED WIRELESS ADMINISTRATOR (ACWA)

Aerohive’s Instructor-led Training

© 2015 Aerohive Networks Inc.


Welcome

• Introductions
• Facilities Discussion
• Course Overview
• Extra Training Resources
• Questions

© 2015 Aerohive Networks CONFIDENTIAL 2


Introductions

• What is your name?
• What is your organization's name?
• How long have you worked in Wi-Fi?
• Are you currently using Aerohive?


Facilities Discussion

• Course Material Distribution
• Course Times
• Restrooms
• Break room
• Smoking Area
• Break Schedule
› Morning Break
› Lunch Break
› Afternoon Break


Aerohive Essentials WLAN Configuration (ACWA) – Course Overview

2 Day Hands on Class

Each student connects to HiveManager, a remote PC, and an Aerohive AP over the Internet from their wireless-enabled laptop in the classroom, and then performs hands-on labs that cover the following topics:

• Predictive modeling and WLAN design
• HiveManager overview
• Mobility solutions and Unified Policy Management
• HiveManager initial configuration
• Topology Maps: Real-time monitoring of AP coverage
• Scenario: Create a secure access network for employees
• Scenario: Create a secure access network for legacy devices using PPSK
• Secure WLAN Guest Management
• Scenario: Create a guest secure WLAN with unique user credentials
• Device specific settings
• Deployment optimization
• Device monitoring and troubleshooting
• Firmware updates
• Bring Your Own Device (BYOD)
• Auto-provisioning
• Cooperative Control Protocols

Aerohive Training Remote Lab

• Aerohive Access Points using external antenna connections and RF cables to connect to USB Wi-Fi client cards (Black cables)
• Access Points are connected from eth0 to Aerohive Managed Switches with 802.1Q VLAN trunk support providing PoE to the APs (Yellow cables)
• Access Points are connected from their console port to a console server (White cables)
• Console server to permit SSH access into the serial console of Aerohive Access Points
• Firewall with routing support, NAT, and multiple Virtual Router Instances
• Server running VMware ESXi running Active Directory, RADIUS, NPS and hosting the virtual clients used for testing configurations to support the labs
Copyright ©2011
Hosted Lab for Data Center

[Figure: hosted lab network diagram]

• HiveManager: MGT 10.5.1.20/24
• Win2008 AD Server: MGT 10.5.1.10/24
• Linux Server: MGT 10.6.1.150/24
• Terminal Server: 10.5.1.5/24
• L2 Switch: Native VLAN 1
• 14 Aerohive APs (X=2, X=3, … X=N): 10.5.1.*/24, No Gateway
• 14 Client PCs for Wireless Access (X=2, X=3, … X=N): Ethernet 10.5.1.20N/24 (10.5.1.202/24 for X=2, 10.5.1.203/24 for X=3), No Gateway; Wireless 10.5.10.X/24, Gateway 10.5.10.1

Aerohive AP Common Settings in VLAN 1
• Default Gateway: None
• MGT0 VLAN 1
• Native VLAN 1
• LAN ports connected to L2-Switch with 802.1Q VLAN Trunks

L3 Switch/Router/Firewall
• eth0 10.5.1.1/24 VLAN 1
• eth0.1 10.5.2.1/24 VLAN 2
• eth0.2 10.5.8.1/24 VLAN 8
• eth0.3 10.5.10.1/24 VLAN 10
• eth1 10.6.1.1/24 (DMZ)

Services for Hosted Class
• Win2008 AD Server: RADIUS (IAS), DNS, DHCP
• Linux Server: Web Server, FTP Server


Aerohive Education on YouTube

Learn the basics of Wi-Fi and more…

http://www.youtube.com/playlist?list=PLqSW15RTj6DtEbdPCGIm0Kigvrscbj-Vz


The 20 Minute Getting Started Video Explains the Details

Please view the Aerohive Getting Started Videos:

http://www.aerohive.com/330000/docs/help/english/cbt/Start.htm


Aerohive Technical Documentation

All the latest technical documentation is available for download at:

http://www.aerohive.com/techdocs



Aerohive Instructor Led Training

• Aerohive Education Services offers a complete curriculum that provides you with the courses you will need as a customer or partner to properly design, deploy, administer, and troubleshoot all Aerohive WLAN solutions.
• Aerohive Certified WLAN Administrator (ACWA) – First-level course
• Aerohive Certified WLAN Professional (ACWP) – Second-level course
• Aerohive Certified Network Professional (ACNP) – Switching/Routing course

Aerohive Training Schedule

www.aerohive.com/support/technical-training/training-schedule


15 books or more about networking have been written by Aerohive Employees

• CWNA Certified Wireless Network Administrator Official Study Guide by David D. Coleman and David A. Westcott
• CWSP Certified Wireless Security Professional Official Study Guide by David D. Coleman, David A. Westcott, Bryan E. Harkins and Shawn M. Jackman
• CWAP Certified Wireless Analysis Professional Official Study Guide by David D. Coleman, David A. Westcott, Ben Miller and Peter MacKenzie
• 802.11 Wireless Networks: The Definitive Guide, Second Edition by Matthew Gast
• 802.11n: A Survival Guide by Matthew Gast
• 802.11ac: A Survival Guide by Matthew Gast

Aerohive Exams and Certifications

• Aerohive Certified Wireless Administrator (ACWA) is a first-level certification that validates your knowledge and understanding about Aerohive Network’s WLAN Cooperative Control Architecture. (Based upon Instructor Led Course)
• Aerohive Certified Wireless Professional (ACWP) is the second-level certification that validates your knowledge and understanding about Aerohive advanced configuration and troubleshooting. (Based upon Instructor Led Course)
• Aerohive Certified Network Professional (ACNP) is another second-level certification that validates your knowledge about Aerohive switching and branch routing. (Based upon Instructor Led Course)

Aerohive Forums

• Aerohive’s online community – HiveNation

Have a question, an idea or praise you want to share? Join the HiveNation Community - a place where customers, evaluators, thought leaders and students like yourselves can learn about Aerohive and our products while engaging with like-minded individuals.

• Please, take a moment and register during class if you are not already a member of HiveNation.
Go to http://community.aerohive.com/aerohive and sign up!


Aerohive Social Media
The HiveMind Blog:
http://blogs.aerohive.com

Follow us on Twitter: @Aerohive

Instructor: David Coleman: @mistermultipath
Instructor: Bryan Harkins: @80211University
Instructor: Gregor Vucajnk: @GregorVucajnk
Instructor: Metka Dragos: @MetkaDragos

Please feel free to tweet about #Aerohive training during class.


Aerohive Technical Support – General

How do I buy Technical Support?

Support Contracts are sold on a yearly basis, with discounts for multi-year purchases. Customers can purchase Support in either 8x5 format or in a 24 hour format.


Copyright Notice

Copyright © 2015 Aerohive Networks, Inc. All rights reserved.

Aerohive Networks, the Aerohive Networks logo, HiveOS, Aerohive AP, HiveManager, and GuestManager are trademarks of Aerohive Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies.


QUESTIONS?

SECTION 1: PLANNING AND DESIGNING YOUR NETWORK

Aerohive’s Instructor-led Training

The Relationship between the OSI Model and Wi-Fi

OSI layers: Application, Presentation, Session, Transport, Network, Data Link, Physical

Wireless LANs provide access to the distribution systems of wired networks. This allows the users the ability to have untethered connections to wired network resources.

Wi-Fi operates at layers one and two.


Where Wi-Fi Fits into the OSI Model – Physical Layer

Layer 1 (Physical)
The medium through which data is transferred
• 802.3: Uses Cables
• 802.11: RF Medium

Key Term: Medium

Where Wi-Fi Fits into the OSI Model – Data Link Layer

Layer 2 (Data-Link)
• The MAC sublayer manages access to the physical medium
• The LLC sublayer manages the flow of multiple simultaneous network protocols over the same network medium
• Devices operating no higher than Layer 2 include: network interface cards (NICs), Layer-2 Ethernet switches, and wireless access points

[Figure: frame layout showing a header with MAC addressing, layer 3-7 data, and a trailer with CRC]


Amendments and Rates

Standard        Supported Data Rates     2.4 GHz   5 GHz   RF Technology   Radios
802.11 legacy   1, 2 Mbps                Yes       No      FHSS or DSSS    SISO
802.11b         1, 2, 5.5 and 11 Mbps    Yes       No      HR-DSSS         SISO
802.11a         6 - 54 Mbps              No        Yes     OFDM            SISO
802.11g         6 - 54 Mbps              Yes       No      OFDM            SISO
802.11n         6 - 600 Mbps             Yes       Yes     HT              MIMO
802.11ac        Up to 3.46 Gbps*         No        Yes     VHT             MIMO

*First generation 802.11ac chipsets support up to 1.3 Gbps

DSSS: Direct Sequencing Spread Spectrum
FHSS: Frequency Hopping Spread Spectrum
OFDM: Orthogonal Frequency Division Multiplexing
HT: High Throughput
VHT: Very High Throughput
SISO: Single Input, Single Output
MIMO: Multiple Input, Multiple Output

Class Scenario

• You have been tasked with designing the WLAN for a new building
that has two floors, each 200 feet in length.
• Employees and Guests require high data rate connectivity.
• Your customer plans to implement a voice over WLAN solution in the
future as well. (-67 dBm Coverage)
• This is an office environment. However, the remote lab is built using
AP350’s and we will select them in our plans.
• Many commercial products exist for predictive coverage planning. For
example: AirMagnet, Ekahau and Tamosoft.
• For this deployment the customer is using Aerohive’s Free planner tool.



Defining the Lab
• Information Gathering (Site Survey)
• Types of Environments
• Client device types to be used
• Applications to be used
• Expected Growth vs. Current Needs
• Aerohive Devices to be used
• Mounting Concerns
• Coverage vs. Capacity Planning
• Device Density
• Security Enterprise and Guest use
• Using the Aerohive Planning Tool
• Questions

Knowing the Device Types and Applications to be used will greatly assist you in planning and deploying successful networking solutions.


Lab: Planning a Wireless Network
1. Connect to the Hosted Training HiveManager

• Securely browse to https://training-hm#.aerohive.com
  # = The Hosted HiveManager number
• Username: adminX
  X = Student ID 2 – 26
• Password: aerohive123
• Click Log In

NOTE: In order to access the HiveManager, someone at your location needs to enter the training firewall credentials given to them by the instructor first.

Lab: Planning a Wireless Network
2. Formatting your Plan Building

• Click on the Maps Tab
• Expand World in the Navigation Pane
• Expand Planner Maps in the Navigation Pane
• Expand 0X Plan Building (Where 0X is your Student Number)
• Click on Floor 1

Lab: Planning a Wireless Network
3. Formatting your Plan Building

• To scale the map, move one red crosshair over the far left of the building
image and the other to the far right of the building image
• In the Scale Map Section, use the drop down arrow to select feet
• Enter a value of 200 feet and click the Update button



Lab: Planning a Wireless Network
4. Formatting your Plan Building

• Click on the Walls tab
• Click the Draw Perimeter button
• Click the upper left corner of your building image to begin tracing the perimeter of your floor
• Move the cursor + clockwise and click and release on each of the remaining corners
• When you are back to the first corner, double click to close the perimeter

Lab: Planning a Wireless Network
5. Formatting your Plan Building

• Click the drop down arrow next to Wall Type and select any of the material
types you would like to use
• Click the / icon and trace over a few walls
• Click the drop down arrow next to Wall Type again and select another
material type
• Click the / icon and trace over a few different walls
802.11n, 802.11ac and MIMO radios

[Figure: MIMO radio chains written as Transmit x Receive : Spatial Streams. Devices shown: Aerohive AP 141, Aerohive AP 350, iPhone, Aerohive AP, iPad. Values shown: 2x2:2, 1x1:1, 3x3:3, 3x3:3, 1x1:1, 3x3:3]

Aerohive AP Platforms

[Table: Aerohive AP platform comparison for AP121, AP141, AP330, AP350, AP230 *, AP370, AP390, AP170 and AP1130]

• Deployment: Indoor; Indoor Industrial; Outdoor
• Radios: Dual Radio 802.11n 2x2:2 300 Mbps High Power Radios; Dual Radio 802.11n 3x3:3 450 Mbps High Power Radios; Dual Radio 802.11ac 3x3:3 450 + 1300 Mbps High Power Radios; 802.11n 2x2:2 300 Mbps 11n High Power Radios; 802.11ac/n 2x2:2 300 + 867 Mbps 11ac High Power Radios
• TPM Security Chip
• Ethernet: 1X Gig.E; 2X Gig.E - 10/100 link aggregation; 2X Gig.E w/ link aggregation; 2X Gig E w/ PoE Failover
• Power: PoE (802.3af + 802.3at) and AC Power; PoE (802.3at)
• Enclosure: Plenum Rated; Plenum/Dust Proof; Water Proof (IP 68); Water Proof (IP 67)
• Operating temperature: 0 to 40°C; -20 to 55°C; -40 to 55°C
• USB: USB for future use; USB for 3G/4G Modem; N/A

* Includes 5 GHz Transmit Beamforming and in 2.4 GHz has TurboQAM

Lab: Planning a Wireless Network
6. Formatting your Plan Building

• Click the Planned APs tab
• Click the drop down arrow next to AP Type and select the AP350
• Leave the Channel and Power settings as default
• Click the Add AP button


Lab: Planning a Wireless Network
7. Formatting your Plan Building

• Examine the predicted coverage provided by a single AP of the type you selected
earlier
• Click and drag the AP to another location and observe the predicted coverage in the
new location
• Click the Remove All APs button
• Click Yes to confirm the removal



Relative versus absolute amplitude

• A relative measurement represents “change in power” as an RF signal moves from one point in space to another point in space.
› A decibel (dB) is a relative measurement that is a unit of comparison as opposed to a unit of power.
› A +3 dB gain doubles absolute power.
› A -3 dB loss reduces absolute power by ½.
• An absolute measurement of power represents the transmit amplitude of a signal or the received amplitude of an RF signal.
› Examples of absolute units of power are milliwatts (mW) and decibels referenced to 1 mW (dBm)
› 0 dBm = 1 mW

The Rule of 10’s and 3’s

• Simple and fast way to get close to RF signal strength values
• For every 10 dB of gain you multiply signal strength by 10.
• If calculating loss, for every 10 dB of loss you divide signal strength by 10.
• For every 3 dB of gain multiply the signal strength by 2.
• If calculating loss, for every 3 dB of loss divide the signal strength by 2.


dBm and mW conversions

dBm        Milliwatts             Equivalent                              Signal
+30 dBm    1000 mW                1 Watt
+20 dBm    100 mW                 1/10th of 1 Watt
+10 dBm    10 mW                  1/100th of 1 Watt
0 dBm      1 mW                   1/1,000th of 1 Watt
–10 dBm    0.1 mW                 1/10th of 1 milliwatt
–20 dBm    0.01 mW                1/100th of 1 milliwatt
–30 dBm    0.001 mW               1/1,000th of 1 milliwatt
–40 dBm    0.0001 mW              1/10,000th of 1 milliwatt
–50 dBm    0.00001 mW             1/100,000th of 1 milliwatt
–60 dBm    0.000001 mW            1 millionth of 1 milliwatt              Very Strong
–70 dBm    0.0000001 mW           1 ten-millionth of 1 milliwatt          Great
–80 dBm    0.00000001 mW          1 hundred-millionth of 1 milliwatt      Weak
–90 dBm    0.000000001 mW         1 billionth of 1 milliwatt              Do not care
–95 dBm    0.0000000002511 mW     Noise Floor                             No Signal


Dynamic Rate Switching

To use higher data rates a station requires a stronger signal from the AP.

Note: -70 dBm signal ensures high data rate connectivity

[Figure: data rate zones: 1 Mbps DSSS (Lowest Rate), 2 Mbps DSSS (Higher Rate), 5.5 Mbps DSSS (Higher Rate), 11 Mbps DSSS (Highest Rate)]

As stations move they adjust the data rate used in order to remain connected (moving away) or to achieve a better signal (moving closer).

Signal to Noise Ratio

                   Great          Poor
Signal Strength    -70 dBm        -70 dBm
- Noise Level      - (-95 dBm)    - (-80 dBm)
= SNR              = 25 dB        = 10 dB

Note: -70 dBm signal ensures high SNR

• Based on the SNR, the client and AP negotiate a data rate in which to send the packet, so the higher the SNR the better
• For good performance, the SNR should be greater than 20 dB
• For optimal performance, the SNR should be at least 25 dB


Planning Coverage for Different Scenarios

• -80 dBm Basic Connectivity
• -70 dBm High Speed Connectivity
• -67 dBm Voice
• -62 dBm Location Tracking – RTLS

When planning you should always take into consideration future uses of Wi-Fi and projected growth.
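The dB arithmetic from the preceding slides (dBm and mW conversion, the rule of 10s and 3s, SNR, and the coverage targets) worked through in one place. This is an added example, not part of the Aerohive course material; the function names are hypothetical, and the thresholds are the ones quoted on the slides.

```python
import math

# Planning targets from the "Planning Coverage for Different Scenarios" slide.
COVERAGE_TARGETS_DBM = [
    (-80, "Basic connectivity"),
    (-70, "High speed connectivity"),
    (-67, "Voice"),
    (-62, "Location tracking (RTLS)"),
]


def dbm_to_mw(dbm):
    """Absolute power: 0 dBm is defined as 1 mW."""
    return 10 ** (dbm / 10)


def mw_to_dbm(mw):
    if mw <= 0:
        raise ValueError("power must be positive to be expressed in dBm")
    return 10 * math.log10(mw)


def tens_and_threes(db):
    """Split a whole-number dB change into a*10 + b*3 with the fewest steps.

    Returns (a, b). Negative values are losses. Every whole number of dB can
    be written this way, e.g. +7 dB = +10 dB - 3 dB.
    """
    if not isinstance(db, int):
        raise ValueError("the rule of 10s and 3s works on whole dB values")
    best = None
    for b in range(-9, 10):
        remainder = db - 3 * b
        if remainder % 10 == 0:
            a = remainder // 10
            candidate = (abs(a) + abs(b), a, b)
            if best is None or candidate < best:
                best = candidate
    return best[1], best[2]


def rule_estimate_mw(start_mw, db):
    """Estimate power after a dB change: x10 per 10 dB, x2 per 3 dB."""
    a, b = tens_and_threes(db)
    return start_mw * (10.0 ** a) * (2.0 ** b)


def snr_db(signal_dbm, noise_dbm):
    """SNR is signal strength minus noise level, as on the SNR slide."""
    return signal_dbm - noise_dbm


def snr_rating(snr):
    # Slide: greater than 20 dB for good, at least 25 dB for optimal.
    if snr >= 25:
        return "optimal"
    if snr > 20:
        return "good"
    return "poor"


def supported_uses(rssi_dbm):
    """List the planning scenarios whose target the measured RSSI meets."""
    return [use for target, use in COVERAGE_TARGETS_DBM if rssi_dbm >= target]


def assess(rssi_dbm, noise_dbm):
    """Combine the checks for one survey point."""
    snr = snr_db(rssi_dbm, noise_dbm)
    return {
        "snr_db": snr,
        "snr_rating": snr_rating(snr),
        "uses": supported_uses(rssi_dbm),
    }


if __name__ == "__main__":
    # Constructed survey points: (RSSI dBm, noise floor dBm).
    for point in [(-67, -95), (-70, -80), (-85, -95)]:
        print(point, assess(*point))
    print("+7 dB on 100 mW:", rule_estimate_mw(100, 7), "mW by the rule,",
          round(dbm_to_mw(mw_to_dbm(100) + 7), 1), "mW exactly")
```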


Lab: Planning a Wireless Network
8. Formatting your Plan Building

• Click the Auto Placement Tab
• Using the drop down arrow next to Application, select Voice
• Ensure that the Signal Strength is set to -67 dBm
• Click the Auto Place APs button
• Observe the coverage patterns and move APs as needed to create a hole in the coverage if needed

Lab: Planning a Wireless Network
9. Formatting your Plan Building

• Click the Planned APs Tab
• Click the Add AP button
• Observe the new planned AP filling in a hole in coverage


Lab: Planning a Wireless Network
10. Formatting your Plan Building

• In the Navigation pane, right click on your Floor 1 and select Clone
• Name your Clone Floor 2
• Click the Create button



Lab: Planning a Wireless Network
11. Formatting your Plan Building

• In the Navigation pane, click Floor 2
• Click the Auto Placement Tab
• Click the Auto Place APs button
• Observe the device placement

Lab: Planning a Wireless Network
Multiple Floors

What if there are multiple floors?
• Not all buildings are symmetrical.
• If you have multiple floors you can adjust the X and Y coordinates to align the floors.
• Use an anchor point such as an elevator shaft to align the floors.


Lab: Planning a Wireless Network
12. Formatting your Plan Building

• In the Navigation pane, click on 0X Plan Building (where 0X is your student number)
• Observe the placement and channel selection of the Planned APs on both floors
• Remember RF signals propagate in three dimensions not just two. Planning should take this into account for AP placement.


Lab: Planning a Wireless Network
13. Formatting your Plan Building

• Observe the predicted channel coverage



5 GHz Channels
Used for 802.11a/n/ac

• The 5 GHz spectrum has more non-overlapping channels available.
• Channels increment by 4 starting with channel 36.
• The available 5 GHz channels vary greatly by country and some are enabled if the AP complies with DFS.
• The 5 GHz UNII-2 and UNII-2 Extended are enabled with DFS compliance.

Channel Reuse Plan-5 GHz

8-channel reuse plan using the channels in the UNII-1 and UNII-3


Lab: Planning a Wireless Network
14. Formatting your Plan Building

• Click Floor 1 and then click on the View Tab
• Uncheck RSSI and check Channels
• Change the Band to 2.4 GHz
• Observe the predicted channel coverage

2.4 GHz Channels
Used for 802.11b/g/n

• Channels 1, 6, and 11 are the only non-overlapping channels between channels 1 and 11
› Using channels that cause overlap may cause CRC and other wireless interference and errors
• If you are in a country that has channels 1 – 13 or 14 available, you may still want to use 1, 6, and 11 for compatibility with mobile users from other countries


Channel Reuse Pattern

In this plan only the non-overlapping channels of 1, 6 and 11 are used.


Adjacent Cell Interference

Improper designs use overlapping channels in the same physical area.


Co-Channel Interference/Cooperation

Improper design using the same channel on all APs in the same physical area.


5 GHz Channels
Used for 802.11a/n/ac

[Figure: 5 GHz band chart with band edges marked at 5.15, 5.25, 5.35, 5.47, 5.725 and 5.825 GHz, showing the 20 MHz channels in U-NII-1, U-NII-2, U-NII-2E, U-NII-3 and ISM, with the weather radar channels and the Dynamic Frequency Selection range marked]

5 GHz Channels
802.11 Channel Bonding

[Figure: 5 GHz band chart with band edges marked at 5.15, 5.25, 5.35, 5.47, 5.725 and 5.825 GHz (U-NII-1, U-NII-2, U-NII-2E, U-NII-3, ISM; weather radar channels marked), showing how 20 MHz channels bond into wider channels]

40 MHz channels: 38, 46, 54, 62, 102, 110, 118, 126, 134, 142, 151, 159
80 MHz channels: 42, 58, 106, 122, 138, 155
160 MHz channels: 50, 114

• 802.11n defines the use of 40 MHz wide channels.
• 802.11ac defines dynamic channel sizes up to 160 MHz wide.
Most 802.11ac chipsets on the market today will only scale to a maximum of 80 MHz wide channels.
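How the bonded channel numbers on the slide follow from the 20 MHz channels, and what is left for bonding when the DFS bands are not used (the UNII-1 and UNII-3 reuse plan shown earlier). This is an added example, not part of the Aerohive course material; the band-to-channel assignment below is the standard 5 GHz channel set and is an assumption wherever the slide's chart is unreadable.

```python
# 20 MHz channel numbers per band (assumed standard 5 GHz channel set;
# band names as labeled on the slide).
BANDS = {
    "U-NII-1": [36, 40, 44, 48],
    "U-NII-2": [52, 56, 60, 64],
    "U-NII-2E": list(range(100, 145, 4)),
    "U-NII-3": [149, 153, 157, 161],
    "ISM": [165],
}
# Slide: UNII-2 and UNII-2 Extended are enabled with DFS compliance.
DFS_BANDS = {"U-NII-2", "U-NII-2E"}


def channels(include_dfs=True):
    """Sorted 20 MHz channels, optionally leaving out the DFS bands."""
    return sorted(
        ch
        for band, chans in BANDS.items()
        if include_dfs or band not in DFS_BANDS
        for ch in chans
    )


def contiguous_runs(chans):
    """Group channels into runs where each channel is 4 above the previous."""
    runs = []
    for ch in chans:
        if runs and ch - runs[-1][-1] == 4:
            runs[-1].append(ch)
        else:
            runs.append([ch])
    return runs


def bonded_channels(width_mhz, include_dfs=True):
    """Map each bonded channel number to the 20 MHz channels it occupies.

    A bonded channel is numbered by its center, which is the mean of the
    20 MHz channel numbers it is built from (36 + 40 gives 38).
    """
    if width_mhz not in (40, 80, 160):
        raise ValueError("width must be 40, 80 or 160 MHz")
    n = width_mhz // 20
    result = {}
    for run in contiguous_runs(channels(include_dfs)):
        # Only complete, aligned blocks of n adjacent channels can bond.
        for start in range(0, len(run) - n + 1, n):
            block = run[start:start + n]
            result[sum(block) // n] = block
    return result


def center_mhz(channel):
    """Center frequency of a 5 GHz channel number."""
    return 5000 + 5 * channel


if __name__ == "__main__":
    for width in (40, 80, 160):
        print(width, "MHz, all bands:", list(bonded_channels(width)))
        print(width, "MHz, no DFS:  ", list(bonded_channels(width, False)))
    print("Channel 42 is centered at", center_mhz(42), "MHz and occupies",
          bonded_channels(80)[42])
```

Leaving out the DFS bands removes every 160 MHz channel and leaves only two 80 MHz channels, which is why channel width and DFS support have to be decided together when building a reuse plan.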




Mounting requirements can vary

Different physical environments have their own mounting requirements.

Note: Always use the mounting security screw to attach the AP to the bracket.


Antenna Patterns and Gain

• External omnidirectional antennas radiate equally in all directions, forming a toroidal (donut-shaped) pattern
• Internal antennas form a cardioid (heart-shaped) pattern
• By using a directional antenna, the power that you see with an omnidirectional antenna can be redistributed to provide more radiated power in a certain direction, called gain
› In this case, the power is not increased; instead it is redistributed to provide more gain in a certain direction

[Figure: antenna pattern illustrations labeled "Aerohive 390, 350" and "Aerohive 230, 330, 121,"]


2X2:2 MIMO Antenna Alignment

With external omnidirectional antennas, the positioning of the antennas helps with de-correlation of spatial streams, which is critical to maintaining high data rates.


3X3:3 MIMO Antenna Alignment

With external omnidirectional antennas, the positioning of the antennas helps with de-correlation of spatial streams, which is critical to maintaining high data rates.


Indoor 5 GHz MIMO Patch Antenna

For High User Density Deployments indoor Patch Antennas are recommended for sectorized coverage. For example the patch antennas can be mounted from the ceiling to provide unidirectional coverage in an auditorium.

• 120 degree beamwidth
• 5 dBi gain
• 3x3 MIMO Patch


Outdoor 5 GHz MIMO Patch Antenna

Outdoor Patch Antennas are well suited for point to point connections between buildings.

• 17 degree beamwidth
• 18 dBi gain
• 2x2 MIMO Patch


AP1130 Antenna Selection

Omni Directional Antennas: 5 dBi gain (2.4 GHz and 5 GHz)
Directional Antennas: 18 dBi gain (5 GHz ONLY. 2x5 ft coax cables included)

5 GHz antennas can be configured either via HM or on CLI:

CLI: int wifi1 radio antenna type omni
HM: HiveManager > Monitor > Access Points > device name > Modify.


QUESTIONS?

SECTION 2: HIVEMANAGER OVERVIEW

Aerohive’s Instructor-led Training

What is HiveManager?

We have completed the predictive model and have deployed and physically mounted the APs. Now we need a way to centrally manage the WLAN.
We will use Aerohive’s network management server (NMS) called HiveManager.
HiveManager can be used to monitor, configure and update the WLAN.
• HiveManager can be deployed as a public cloud solution or as a private cloud solution (on premise).
• The on-premises HiveManager is available in different form factors.
• The Aerohive Devices use an IP discovery process to locate on premise HiveManagers.
• A redirector service is used to guide Aerohive Devices to the Public Cloud HiveManager.
• HiveManager uses CAPWAP as the protocol to monitor and manage Aerohive Devices.


HiveManager Form Factors

SW Config & Policy, RF Planning, Reporting, SLA Compliance, Guest Management, Trouble Shooting, Spectrum Analysis

• HiveManager Online: Scalable multi-tenant platform, Redundant data centers with diversity, Backup & Recovery, Zero touch device provisioning, Flexible expansion, On demand upgrades, Pay as you grow
• HiveManager On-Premise - VA: VMware ESX & Player, HA redundancy
• HiveManager On-Premise Appliance: Redundant power & fans, HA redundancy


MyHive - https://myhive.aerohive.com

• MyHive is a secure site that allows you to log in once and then navigate to HiveManager Online
• Aerohive cloud-based services such as ID Manager, Client Management and Social Login
• A MyHive account can also be linked to an On-Premise HiveManager to provide access to the cloud based services.


HiveManager Online

HiveManager Online Login

https://myhive.aerohive.com


HiveManager Online
Additional account creation

The Super-User administrator for your HMOL account has the ability to create additional admins with other access rights


Aerohive’s device Redirection Services
For HiveManager Online

1. Serial numbers are entered into the redirector.

[Figure: APs and Routers, the Aerohive Redirector (staging.aerohive.com), and HiveManager Online at myhive.aerohive.com]

HiveManager Online Device Inventory

• The redirector is used to tie your devices to your HMOL account.
• From Monitor > All Devices > Device Inventory select Add/Import


HiveManager Online Device Inventory

• Simply enter in the serial number of your APs, routers, switches and Virtual Appliances.
• Once the serial number is entered into the Redirector (Staging Server) – your devices will now be permanently tied to your HMOL account.
• You can also import a CSV file with multiple serial numbers


HiveManager Online Device Inventory

• Devices that have not yet made a CAPWAP connection with HMOL
will display under the Unmanaged Devices tab.
• Once devices make a CAPWAP connection with HMOL, they will be
displayed under Managed Devices.



On-Premises Virtual Appliance
Hardware requirements 32bit Version

The .ova (Open Virtual Appliance) formatted files are available in both 32-bit and 64-bit formats.

32 bit VMware Server Hardware Requirements
• Processor: Dual Core 2 GHz or better
• Memory: 3 GB dedicated to HiveManager Virtual Appliance; at least 1 GB for the computer hosting it
• Disk: 60 GB Dedicated to HiveManager Virtual Appliance
• Support for VMware tools in version 6.1r3 and higher


On-Premises Virtual Appliance
Hardware requirements 64bit version

The .ova (Open Virtual Appliance) 64-bit format has different hardware requirements.

64 bit VMware Server Hardware Requirements for a new installation:
• Processor: Dual Core 2 GHz or better
• Memory: 8 GB dedicated to HiveManager Virtual Appliance; at least 1.48 GB for the computer hosting it
• Disk: 60 GB Dedicated to HiveManager Virtual Appliance
• Support for VMware tools in version 6.1r3 and higher


HiveManager Virtual Appliance Software

The HiveManager Virtual Appliance software is available from two sources:
• USB flash drive delivered to you by Aerohive
› Connect the drive to a USB port on your host or VMware ESXi server and follow the procedure for "Installing the HiveManager Virtual Appliance" on page 3 of the HiveManager Virtual Appliance QuickStart Guide to import the .ova file to your VMware ESXi server.
• Software download from the Aerohive Support Software Downloads portal
› Log in to the Aerohive Support Software Downloads portal, download the HiveManager Virtual Appliance OVA-formatted file to your local directory, and follow the procedure for "Installing the HiveManager Virtual Appliance" on page 3 of the HiveManager Virtual Appliance QuickStart Guide to import the .ova file to your VMware ESXi hypervisor server.


On-premises HiveManager
Physical Appliance



On-Premises HiveManager
Database configurations

• Standalone HiveManager with a local database

• Standalone HiveManager with an External database

• High Availability Pair HiveManager Deployment



Device auto discovery of HiveManager

• Static CLI configuration:
› capwap client server name “ip address”
› save config
• Dynamic IP discovery:
› DHCP options
› DNS query
› L2 broadcast (Can be disabled)
› Redirector

[Figure: Aerohive Devices discovering an On-Premises HiveManager]

Device auto discovery of HiveManager

DHCP
• Aerohive Devices send a DHCP Request to the DHCP Server
• The DHCP Response carries:
› Option 225 HiveManager FQDN
› Option 226 HiveManager IP Address

DNS
• The device performs a DNS lookup (DNS Query to the DNS Server) for hivemanager.yourdomain
• DNS Response with the HiveManager IP address

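A check for the DHCP step above, added here as an example and not taken from the Aerohive course material: it parses the options field of a DHCP response and confirms that options 225 and 226 point only at an approved HiveManager. The option encodings (225 as an ASCII string, 226 as a 4-byte IPv4 address), the address 10.5.1.20 and all function names are assumptions; the sample offers are constructed.

```python
import ipaddress

OPT_PAD, OPT_END = 0, 255
OPT_HM_FQDN = 225  # HiveManager FQDN (option number from the slide)
OPT_HM_IP = 226    # HiveManager IP address (option number from the slide)

# Assumed values for this example: the only manager devices should be sent to.
APPROVED_FQDNS = {"hm1.yourdomain"}
APPROVED_IPS = {"10.5.1.20"}  # constructed address


def tlv(code, value):
    """Encode one DHCP option as code, length, value."""
    return bytes([code, len(value)]) + value


def parse_dhcp_options(raw):
    """Parse code/length/value options; a repeated code is concatenated."""
    opts = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:          # end marker, ignore anything after it
            break
        if i + 1 >= len(raw):
            raise ValueError(f"option {code} truncated before its length byte")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(
                f"option {code} declares {length} bytes, {len(value)} present")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def hivemanager_targets(opts):
    """Return (fqdn, ip) taken from options 225/226; None where absent."""
    fqdn = ip = None
    if OPT_HM_FQDN in opts:
        # Assumed encoding: ASCII host name, optionally NUL-terminated.
        name = opts[OPT_HM_FQDN].rstrip(b"\x00").decode("ascii")
        fqdn = name.lower().rstrip(".")
    if OPT_HM_IP in opts:
        # Assumed encoding: one IPv4 address in network byte order.
        if len(opts[OPT_HM_IP]) != 4:
            raise ValueError("option 226 is not a 4-byte IPv4 address")
        ip = ipaddress.IPv4Address(opts[OPT_HM_IP])
    return fqdn, ip


def audit_offer(raw, approved_fqdns=APPROVED_FQDNS, approved_ips=APPROVED_IPS):
    """Return a list of findings; an empty list means the offer is as expected."""
    allowed_ips = {ipaddress.IPv4Address(a) for a in approved_ips}
    fqdn, ip = hivemanager_targets(parse_dhcp_options(raw))
    findings = []
    if fqdn is None and ip is None:
        findings.append("no HiveManager option present; devices fall back to "
                        "DNS, L2 broadcast and the redirector")
    if fqdn is not None and fqdn not in approved_fqdns:
        findings.append(f"option 225 names unapproved host {fqdn}")
    if ip is not None and ip not in allowed_ips:
        findings.append(f"option 226 names unapproved address {ip}")
    return findings


# Constructed options fields (the part of a DHCP response after the magic cookie).
GOOD_OFFER = (tlv(53, b"\x02") + tlv(1, bytes([255, 255, 255, 0]))
              + tlv(OPT_HM_FQDN, b"hm1.yourdomain")
              + tlv(OPT_HM_IP, bytes([10, 5, 1, 20])) + bytes([OPT_END]))
WRONG_OFFER = (tlv(53, b"\x02")
               + tlv(OPT_HM_IP, bytes([192, 0, 2, 66])) + bytes([OPT_END]))
NO_HM_OFFER = tlv(53, b"\x02") + bytes([OPT_END])

if __name__ == "__main__":
    for label, offer in (("good", GOOD_OFFER), ("wrong", WRONG_OFFER),
                         ("none", NO_HM_OFFER)):
        print(label, audit_offer(offer) or "ok")
```

Run it against the options bytes captured from each DHCP scope that serves Aerohive devices; any finding means a device on that scope would be pointed somewhere other than the approved HiveManager.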
Device auto discovery of HiveManager

• CAPWAP Local Broadcast from Aerohive Devices to the On-Premises HiveManager
• CAPWAP IP address of HiveManager on local subnet
• CAPWAP: Aerohive devices contact the redirector staging.aerohive.com


MyHive Account for On-Premises HM
Redirector Account

https://myhive.aerohive.com

• Any On-Premises HiveManager customer can get a free Redirector account from Aerohive Support
• The Redirector account is linked to the On-Premises HiveManager and is accessible from myhive.aerohive.com


Redirector Account for On-Premises HM
Configure HiveManager

• To add an On-Premises HiveManager account, click: Configure Standalone HM
• Enter a public hostname or IP
address for your HiveManager
• Optionally change the Connection
Protocol to TCP if required
• Click Save

Redirector Account for On-Premises HM
Enter Device Serial Numbers

• To add your device serial numbers so they can be redirected, click Device Access Control List
• Click Add
• Enter your 14-digit serial numbers
• Click Save


Device auto discovery of HiveManager

• Aerohive APs and Routers contact the Aerohive Redirector at staging.aerohive.com (Require a standalone redirector account)
• The redirector replies: Redirect device to: hm1.yourdomain
• The device connects to the HM returned from redirector: hm1.yourdomain (HiveManager in Your Private Cloud or Company)

Finally, if the redirector is not configured, the complete discovery process is restarted.

Management protocols & device updates

• Aerohive Device to Aerohive Device management traffic (Cooperative Control Protocols)
› AMRP, DNXP, INXP and ACSP
› Encrypted with the Hive Key
» Cooperative Control discussed later in class

• Aerohive Device to HiveManager management traffic
› CAPWAP - UDP port 12222 (default) or TCP ports 80, 443 (HTTP/HTTPS encapsulation)
› SCP - Port 22

[Figure: HiveManager and Aerohive Devices (Cooperative Control Protocols)]

Aerohive Device Configuration Updates

Complete Upload
1. Over CAPWAP, HiveManager tells the Aerohive AP to SCP its config to its flash
2. Aerohive AP uses SCP to get the config file from HiveManager and store in flash
3. The Aerohive AP must be rebooted to activate the new configuration

Delta Upload
1. Over CAPWAP HiveManager obtains configuration from Aerohive AP and compares with its database
2. Over CAPWAP HiveManager sends the delta configuration changes directly to RAM which are immediately activated, and the running configuration is then saved to flash

[Figure: DRAM (Running Config) and Flash (Permanent Storage)]


Cooperative Control Protocols
Control Plane Intelligence

Hive – Cooperative control for a group of Hive Devices that share the same
Hive name and Hive password.
› There is no limit to the number of Hive Devices that can exist in a single
Hive.
› Aerohive APs in a Hive cooperate with each other using Aerohive’s
cooperative control protocols:
» AMRP (Aerohive Mobility Routing Protocol)
– Layer 2 and Layer 3 Roaming, Load Balancing, Band Steering, Layer 2
GRE Tunnel Authentication and Keepalives
» DNXP (Dynamic Network Extensions Protocol)
– Dynamic GRE tunnels to support layer 3 roaming
» INXP (Identity-Based Network Extensions Protocol)
– GRE tunnels for guest tunnels
» ACSP (Automatic Channel Selection & Power) Protocol
– Radio Channel and Power Management



Cooperative Control
WLAN Architecture
Brain = Protocol-based Control Messages

• Cooperative Control Protocols
› Exchanged among APs like OSPF for routers
• Redundancy
› Built in to the protocols
• No single point of failure
› Routes around problems and uses dynamic mesh failover

[Figure: HQ Network with Routers, L2 Switches and Aerohive APs]


Cooperative Control
WLAN Architecture
Brain = Protocol-based Control Messages

• One architecture
› Same for one AP to thousands of APs
› Same for one to thousands of offices
• Flexible software update
› Update one AP, or any number of APs at any time
› Update one AP which then updates other APs using distributed software updates

[Figure: HQ Network (Routers, L2 Switches, Aerohive APs) connected over the WAN to Branch Networks (Routers or Switches, APs)]

Cooperative Control
WLAN Architecture
Brain = Protocol-based Control Messages

• Distributed Forwarding
› Takes advantage of the wired LAN
› Uses same VLANs as those used by wired users

[Figure: HQ Network (Routers, L2 Switches, Aerohive APs) connected over the WAN to Branch Networks (Routers or Switches, APs)]

HiveManager Menu navigation demo
Connect to the Hosted Training HiveManager

• Securely browse to https://training-hm#.aerohive.com
# = The Hosted HiveManager number
Username: adminX@ah-lab.com
X = Student ID 2 – 26
Password: aerohive123
• Click Log In

NOTE: In order to access the HiveManager, someone at your location needs to enter the training firewall credentials given to them by the instructor first.

HiveManager Menu Navigation
Dashboard

• The HiveManager dashboard provides detailed visibility into wired and wireless network activity.
• From the dashboard, you can view comprehensive information by application, user, client device and operating system, and a wide variety of other options.


HiveManager Menu Navigation
Home

• Click on the Home Tab

The Home section of the GUI is where you configure a number of fundamental HiveManager settings, such as the following:
• Express and Enterprise modes
• VHM (virtual HiveManager) settings, HiveManager administrator accounts
• Settings for HiveManager time and network (including HA), admin access and session timeout, HTTPS, SSH/SCP, Aerohive product improvement program participation, and routing
• CAPWAP and e-mail notification settings, SNMP and TFTP services, and HiveManager administrator authentication options


HiveManager Menu Navigation
Monitor

• Click the Monitor Tab

• From the Monitor menu, you can view commonly needed information and link to more
detailed information about all the Aerohive devices that have contacted HiveManager.
• With an On-Premise HiveManager, those listed in the Unconfigured Devices section
are not under HiveManager management and those in the Configured Devices are being
managed by HiveManager.
• When using HiveManager Online (HMOL) devices appear as Managed Devices or
Unmanaged Devices to illustrate if devices are being managed by HiveManager or not.
HiveManager Menu Navigation
Reports

• Click the Reports Tab

• Detailed reports can be created and customized using the information the Aerohive Devices deliver to HiveManager.
• Reports are covered in greater detail later in the class.


HiveManager Menu Navigation
Maps

• Click the Maps Tab

• Use the tools in the Maps section to plan network deployments, and/or to track and monitor the operational status of managed devices.
• Maps can be used in pre-deployment for predictive modeling.
• Maps can be used in post-deployment for coverage visualization, troubleshooting, and client and rogue location tracking.


HiveManager Menu Navigation
Configuration

• Click the Configuration Tab

• The Configuration Tab allows you access to the Guided Configuration.
• Here you build your Network Policies, and Configure and Update Devices.


HiveManager Menu Navigation
Configuration

• Click the Tools Tab

• The Tools Tab allows you to access additional testing and monitoring abilities.
• Here you can access such things as:
› The Planning Tool
› The Client Monitor
› The VLAN Probe
› The Device/Client Simulator
› The Server Access Tests

QUESTIONS?

SECTION 3.
MOBILITY SOLUTIONS AND
UNIFIED POLICY MANAGEMENT

Aerohive’s
Instructor-led Training

HiveManager Form Factors

SW Config & Policy, RF Planning, Reporting, SLA Compliance, Guest Management, Trouble Shooting, Spectrum Analysis

• HiveManager Online: Scalable multi-tenant platform, Redundant data centers with diversity, Backup & Recovery, Zero touch device provisioning, Flexible expansion, On demand upgrades, Pay as you grow
• HiveManager On-Premise - VA: VMware ESX & Player, HA redundancy
• HiveManager On-Premise Appliance: Redundant power & fans, HA redundancy

Aerohive AP Platforms

AP121 AP141 AP330 AP350 AP230 * AP370 AP390 AP170 AP1130


Indoor Indoor
Indoor Indoor Outdoor
Industrial Industrial
Dual Radio Dual Radio
Dual Radio 802.11n Dual Radio 802.11ac/n
802.11n 802.11ac
2x2:2 3x3:3 2x2:2 300 2x2:2 300 + 867
3x3:3 450 + 1300 Mbps High Power
300 Mbps High Power 450 Mbps High Power Mbps 11n High Mbps 11ac High
Radios Power Radios Power Radios
Radios Radios

TPM Security Chip

2X Gig.E - 10/100 link 2X Gig.E w/ link 2X Gig E


1X Gig.E 1X Gig.E 1X Gig.E
aggregation aggregation /w PoE Failover

PoE (802.3af + 802.3at) and AC Power PoE (802.3at)

Plenum/ Plenum/ Water Proof Water Proof


Plenum Rated Plenum Rated Dust Proof
Dust (IP 68) (IP 67)

0 to 40°C -20 to 55°C 0 to 40°C -20 to 55°C -40 to 55°C

USB for future use USB for 3G/4G Modem USB for future use N/A

* Includes 5 GHz Transmit Beamforming and in 2.4 GHz has TurboQAM

Aerohive Switching Platforms

SR2024P SR2124P SR2148P


24 Gigabit Ethernet 48 Gbps Ethernet

24 PoE+ (195 W) 24 PoE+ (408 W) 48 PoE+ (779 W)

4 Ports 1G SFP Uplinks 4 Ports 10 G SFP/SFP+ Uplinks

Routing with 3G/4G USB support and Line rate switching Switching Only

56Gbps switching 128 Gbps switch 176 Gbps switch

Single Power Supply Redundant Power Supply Capable

Aerohive Routing Platforms

BR 100 BR 200 AP 330 AP 350 VPN Gateways

Single Radio Dual Radio


L3 IPSec
VPN
1x1 11bgn 3x3:3 450 Mbps 11abgn Gateway

5-10 Mbps ~500 Mbps


30-50Mbps FW/VPN
FW/VPN VPN

4000/1024
5X 10/100 5X 10/100/1000 2X 10/100/1000 Ethernet
Tunnels
Physical/Virt
0 PoE PSE 2X PoE PSE 0 PoE PSE
ual

* Also available as a non-Wi-Fi device

BR100 vs. BR200

BR100 BR200/BR200WP
5x FastEthernet 5x Gigabit Ethernet
1x1 11bgn (2.4Ghz) single radio 3x3:3 11abgn dual-band single radio (WP)
No integrated PoE PoE (in WP model)
No console port Console Port
No Spectrum Analysis Integrated Spectrum Analysis (WP)
No Wireless Intrusion Detection Full Aerohive WIPS (WP)
No local RADIUS or AD integration Full Aerohive RADIUS, proxy, and AD
No SNMP logging SNMP Support



VPN Gateway Virtual Appliance
• Supports the following
› GRE Tunnel Gateway
› L2 IPSec VPN Gateway
› L3 IPSec VPN Gateway
› RADIUS Authentication Server
› RADIUS Relay Agent
› Bonjour Gateway
› DHCP server
• Use a VPN Gateway Virtual Appliance instead of an AP when higher scalability for these features is required

Function: Scale
VPN Tunnels: 1024 Tunnels
RADIUS – Local users per VPN Gateway: 9999
# Users Cache (RADIUS Server): 1024
# Simultaneous authentications (RADIUS Server): 256


VPN Gateway Physical Appliance
• Supports the following
› GRE Tunnel Gateway
› L2 IPSec VPN Gateway
› L3 IPSec VPN Gateway
› RADIUS Authentication Server
› RADIUS Relay Agent
› Bonjour Gateway
› DHCP server
• Ports: One 10/100/1000 WAN port; Four LAN ports, two support PoE
• Use a VPN Gateway Appliance instead of an AP when higher scalability for these features is required

Function: Scale
VPN Tunnels: 4000 Tunnels
RADIUS – Local users per VPN Gateway: 9999
# Users Cache (RADIUS Server): 1024
# Simultaneous authentications (RADIUS Server): 256


Network Policy = Configuration
Hive = Cooperative Control Protocols

Note: Aerohive Devices configured with the same Network Policy will be in the same Hive, and can use cooperative control protocols for mesh, dynamic RF, layer 2/3 fast secure roaming, VPN failover, etc.

[Figure: Aerohive Devices are assigned to Network Policy Corp1 in Hive "Corp". The policy includes WIPS, L2 IPsec VPN, Location Services and Access Console, and the SSIDs Employee, Guest and Voice. The User Profiles IT Staff(9), Staff(10), Guests(8) and Voice(2) carry settings such as VLAN, L3 Roaming, QoS, Rate Limit, OS/Domain, SLA, Firewall, Guest Tunnel and Schedule.]

Network Policy
Guided Configuration

1. Configure Network Policy
2. Configure Interface & User Access
3. Configure & Update Devices

Guided Network Configuration
• Panel 1: This is where you select the type of Network policy
• Panel 2: This is where the bulk of the object-oriented configuration occurs
• Panel 3: This is where device-specific configuration is done and where devices are updated.

Network Policy
Advanced Configuration

Click here to display the Navigation Bar

Advanced Network Configuration
• Not all objects can be configured within the guided configuration workflow.
• Some advanced configurations require that the objects be created independently.
• From the Navigation Bar, any object can be configured and linked later.


Setting Up a Wireless Network
Building your Initial Unified Network Policy

• Click on Configuration
• Under Choose Network Policy, click New


Setting Up a Wireless Network
Building your Initial Unified Network Policy

• Network Policies are used to assign the same basic configurations to multiple devices.
• One Network Policy can configure all device types.


Network Policy Types

• Wireless Access – Use when you have an AP only deployment, or you require specific wireless policies for APs in a mixed AP and router deployment
• Branch Routing – Use when you are managing routers, or APs behind routers that do not require different Network Policies than the router they connect through

[Figure: Small Branch Office or Teleworker Site (BR100 with Internet and 3G/4G LTE uplinks) and Small to Medium Size Branch Office that may have APs behind the router (BR200 with Internet and 3G/4G LTE uplinks, PoE and Mesh APs)]


Network Policy Types

• Bonjour Gateway
› Allows Bonjour services to be seen in multiple subnets

• Switching
› Used to manage wired traffic using Aerohive Switches

[Figure: Internet, SR2024 and PoE-connected APs]

Unified Policy Management (Instructor Demo)

• Students and Instructor should open and view and discuss the Network
Policy called Wireless-Access-Demo.
• Students and Instructor should open and view and discuss the Network
Policy called Wireless-Routing-Demo.
• Students and Instructor should open and view and discuss the Network
Policy called Wireless-Switching-Demo.



QUESTIONS?

SECTION 4.
HIVEMANAGER WELCOME AND
INITIAL CONFIGURATION
Aerohive’s
Instructor-led Training

Scenario: First Login and Test Configuration

Upon initial login, there is a set of Welcome screens for the Super-User Administrator.

If you are new to HiveManager, it is recommended to create a Test Network Policy within HiveManager. Then upload the network policy to some Aerohive Devices in a staging area for testing purposes.


Informational
HiveManager Welcome Page
-Only Seen at First Login-

• Verify your Aerohive Device Inventory and then click Next


Informational
HiveManager Welcome Page
-Only Seen at First Login-

Welcome Page Settings...

• New HiveManager Password: <password for HiveManager and Aerohive APs>
• Administrative Mode: Enterprise Mode
• Time Zone: <Your time zone>
• Click Finish

Note: Express mode is a legacy simplified configuration option. Enterprise mode is more robust and is recommended.

Informational
HiveManager Initial Configuration

Please do NOT do this in class.

It is recommended that Aerohive Devices have a unique admin password for CLI login.
• Device CLI passwords can be globally set from Home/Device Management Settings
• Individual managed device passwords can be set from Monitor/ Modify

Informational
HiveManager Initial Configuration

• At first login, the administrator is prompted to fill out settings for Username, the administrator password for HiveManager, and a Quick start SSID password
• HiveManager uses the Username as the name for automatically generated Quick Start objects such as the DNS service, NTP service, QoS Classification profile, LLDP profile, ALG profile, etc. that will work in most cases without need for modification. You can create your own objects, or use the quick start ones.

Informational
HiveManager Initial Configuration

• For example,
› a DNS service object with the name “Class” is automatically generated
› an NTP service object with the name “Class” is automatically generated
• These objects are used when configuring WLAN and routing settings

Informational
HiveManager Initial Configuration

• Note: Quick Start Objects are automatically created in every new Network Policy.
• The Object names will be based upon the name from the initial welcome screen.

Informational
HiveManager Initial Configuration

• The IP addresses for the QuickStart DNS object are Public DNS servers.

It is recommended that you edit the QuickStart DNS object to use DNS server IP addresses that are relevant to your deployment. Do this BEFORE you configure the rest of your Network Policy.

Informational
HiveManager Initial Configuration

• The public Aerohive NTP server is used to set the clocks of your Aerohive Devices. You can edit this object to use a different NTP server.

Mandatory: You must change the time zone to match the time zone where your Aerohive Devices reside. Do this BEFORE you configure the rest of your Network Policy.


Network Policy = Configuration
Hive = Cooperative Control Protocols

Note: Aerohive Devices configured with the same Network Policy will be in the same Hive, and can use cooperative control protocols for mesh, dynamic RF, layer 2/3 fast secure roaming, VPN failover, etc.

[Figure: Aerohive Devices are assigned to Network Policy Corp1 in Hive "Corp". The policy includes WIPS, L2 IPsec VPN, Location Services and Access Console, and the SSIDs Employee, Guest and Voice. The User Profiles IT Staff(9), Staff(10), Guests(8) and Voice(2) carry settings such as VLAN, L3 Roaming, QoS, Rate Limit, OS/Domain, SLA, Firewall, Guest Tunnel and Schedule.]

Lab: Creating a Test Network Policy
1. Configuring a Test Network Policy

• Go to Configuration
• Click the New Button



Lab: Creating a Test Network Policy
2. Configuring a Test Network Policy

• Name: Test-X
• Select: Wireless Access and Bonjour Gateway
• Click Create


Lab: Creating a Test Network Policy
3. Configuring a Test Network Policy

Network Configuration
• Next to SSIDs click Choose
• Then click New


Lab: Creating a Test Network Policy
4. Create an SSID Profile
• SSID Profile: Corp-PSK-X
X = 2 – 26 (Student ID)
• SSID: Corp-PSK-X
• Select WPA/WPA2 PSK (Personal)
• Key Value: aerohive123
• Confirm Value: aerohive123
• Click Save
• Click OK

IMPORTANT: For the SSID labs, please follow the class naming convention.


Lab: Creating a Test Network Policy
5. Create a User Profile

• To the right of your SSID, under User Profile, click Add/Remove
• In Choose User Profiles, click New


Lab: Creating a Test Network Policy
6. Create a User Profile

• Name: Staff-X
• Attribute Number: 1
• Default VLAN: 1
• Click Save

The attribute value and VLAN value do not need to match. However, it is recommended that the attribute values and VLAN values match each other whenever possible for clarity and uniform configuration.

Lab: Creating a Test Network Policy
7. Save the User Profile

• Ensure Staff-X User Profile is highlighted
• Click Save


Lab: Creating a Test Network Policy
8. Save the Network Policy

Note: The Save button saves your Network Policy. The Continue Button saves your Network Policy and allows you to proceed to the Configure and Update Devices area simultaneously.

• Click the Configure & Update Devices bar or click the Continue button


Lab: Creating a Test Network Policy
9. Create a Display Filter

From the Configure & Update Devices section, click the + next to
Filter to create a device display filter.



Lab: Creating a Test Network Policy
10. Create a Display Filter

• Device Model: AP350
• Host Name: 0X-
• ☑ Save Filter As: 0X-APs
• Click Search
• Five APs will display


Lab: Creating a Test Network Policy
11. Upload the Network Policy

• Select your 0X-A-xxxxxx access point and all of your 0X-SIMU-xxxxxxx access points
• Click the Update button
• Click Update Devices to push your Network Policy to your access points
• Click Yes in the Confirm window

Lab: Creating a Test Network Policy
12. Upload the Network Policy

• Click the Update Button
• Click OK in the Reboot Warning window

Lab: Creating a Test Network Policy
13. Upload the Network Policy

Once the Update is pushed, you will see the Update Status and the devices rebooting.

When the devices have rebooted and start reporting to HiveManager, you will see their new up time and that the configuration on the devices matches the expected configuration in HiveManager.

Overview of Update Settings

• Complete Upload: The entire Aerohive AP configuration is uploaded and a reboot is required
• Delta Upload: Only configuration changes are uploaded and no reboot is required
• The default is “Auto” - HiveManager is smart enough to know if the upload is Complete or Delta
• The first upload is always a Complete Upload

Should a Delta upload ever fail, best practice is to select a Complete upload and force a reboot. Also, a Complete Update is recommended when the configuration involves advanced security settings such as RADIUS.


Overview of Update Settings

The Auto option, which is set by default, performs a complete initial upload, requiring the
device to reboot before activating the uploaded configuration. Following that, all subsequent
uploads consist of delta configurations based on a comparison with the current configuration
running on the device.

Should a Delta upload ever fail, best practice is to select a Complete upload and force a reboot. Also, a Complete Update is recommended when the configuration involves advanced security settings such as RADIUS.


Lab: Creating a Test Network Policy
14. Review of Device Display Filters

Because the filter is set by default to Current Policy/Default Policies, you will only see devices assigned to your selected network policy, or the def-policy-template (assigned to new devices)

• Select None if you want to see all devices
• Selected Network Policy
• Filter set by default to Current Policy/Default Policies


Lab: Creating a Test Network Policy
15. Verify the Update Results

• From Configuration → Devices → Device Update Results
• Review your update results
• Hover your cursor above the Description
• Review the pop-up window results

Always review Device Update Results. The pop-up window often has good troubleshooting information should an update fail.


Lab: Creating a Test Network Policy
16. Verify the Update Results

HiveManager pushes firmware and configuration updates in stages: first to all online devices, and then automatically to any offline devices the next time they connect to HiveManager.
• If any devices are offline, the update results will display as Staged
• Once the devices re-establish CAPWAP connectivity, HiveManager will then re-attempt to upload the configuration until successful


Lab: Creating a Test Network Policy
17. Device Monitor View
• Go to Monitor → Devices → All Devices for more detailed information
• Change column settings
• Set items per page
• Turn off auto refresh if you want to make changes without interruption
• If Audit is Red Exclamation Point, click it to see the difference between HiveManager and the device.

Lab: Creating a Test Network Policy
18. Customize the Monitor View Columns

• Click on the Edit Table Icon
• From Available Columns on the left select both MGT Interface VLAN and Native VLAN and move them to the Selected Columns on the right using the corresponding arrow button.
• Move both new options up until they are directly under IP Address
• Click Save

Note: Both the Instructor and Students MUST perform this exercise.


Lab: Creating a Test Network Policy
19. Audit Icon

• Unconfigured Devices are Aerohive APs, Routers and other Aerohive devices that have discovered HiveManager for the first time.
• IP connectivity and CAPWAP connectivity are needed for discovery. Once Aerohive Devices have a configuration uploaded they become Configured Devices.

Audit icon states:
• The configuration on HiveManager does NOT match the configuration on the Aerohive Device
• The configuration on HiveManager MATCHES the configuration on the Aerohive Device


Lab: Test Hosted Client Access to SSID
Test SSID Access at Hosted Site

Use VNC client to access Hosted PC:
password: aerohive123

Hosted PC: Student-X
Connect to SSID: Corp-PSK-X
IP: 10.5.1.N/24 (VLAN 1)
Gateway: 10.5.1.1

Internal Network (connected to the Internet)
VLANs 1-20
AD Server: 10.5.1.10
DHCP Settings: network 10.5.1.0/24, 10.5.1.140 – 10.5.1.240

Aerohive AP
Mgt0 IP: 10.5.1.N/24 VLAN 1
Network Policy: Test-X
SSID: Corp-PSK-X
Authentication: WPA or WPA2 Personal
Encryption: TKIP or AES
Preshared Key: aerohive123
User Profile 1: Staff-X
Attribute: 1
VLAN: 1
IP Firewall: None
QoS: def-user-qos


Lab: Test Hosted Client Access to SSID
1. For Windows: Use TightVNC client

• If you are using a Windows PC
› Use TightVNC
› TightVNC has good compression so please use this for class instead of any other application
• Start TightVNC
› labY-pcX.aerohive.com
› Y = HiveManager number
› X = Your student number
› Select ☑ Low-bandwidth connection
› Click Connect
› Password: aerohive123123
› Click OK

Lab: Test Hosted Client Access to SSID
2. For Mac: Use the Real VNC client

• If you are using a Mac
› RealVNC has good compression so please use this for class instead of any other application
• Start RealVNC
› labY-pcX.aerohive.com
› Y = HiveManager number
› X = Your student number
› Click Connect
› Password: aerohive123.
› Click OK


Lab: Test Hosted Client Access to SSID
3. Connect to Your Class-PSK-X SSID

• Single-click the wireless icon on the bottom right corner of the Windows task bar
• Click your SSID Corp-PSK-X
• Click Connect
› Security Key: aerohive123
› Click OK


Lab: Test Hosted Client Access to SSID
4. View Active Clients List

• After associating with your SSID, you should see your connection in the active clients list in HiveManager
› Go to Monitor → Clients → Wireless Clients
• Your IP address should be from the 10.5.1.0/24 network


QUESTIONS?

SECTION 5.
CONFIGURING ACCESS POINTS
FOR MAPS AND MONITORING

Aerohive’s
Instructor-led Training

Design Implementation

Now that the initial planning and testing phases are completed, you are ready to begin creating the framework for your live deployment.

To accomplish the remaining goals you will:
• Clone your predictive model maps you created earlier
• Add your APs to Floor 1 of your cloned maps
• Position the APs as required for the needed coverage


LAB: Design Implementation
1. Clone of the Plan Building

• Click on the Maps Tab
• Expand Planner Maps and right click on your 0X Plan Building
• Select Clone


LAB: Design Implementation
2. Clone of the Plan Building

• Name your cloned building 0X Building
• Click the drop down arrow and select the Locations folder
• Click Create

LAB: Design Implementation
3. Planning the Production Network

• Expand the Locations folder
• Expand your 0X Building
• Select Floor 1
• Click the Devices Tab

LAB: Design Implementation
4. Adding your APs to the map

• Select all of your 0X APs
• Click the arrow to move them to the Devices on Floor 1 section
• Click Update to place your devices on your 0X Building Floor 1 map


LAB: Design Implementation
5. Placing your APs

• ☐ Uncheck the Ethernet and Mesh check boxes
• ☐ Uncheck the Nodes Locked check box

LAB: Design Implementation
6. Placing your APs

• Drag and drop the APs onto your map as planned in the predictive model.
• ☑ Check the Nodes Locked check box

Design Implementation

Once the APs are located properly you can use your map for post-deployment validation processes such as:
• RSSI values
• Interference source locationing
• Channel verification
• Display of Ethernet and Mesh connections

Topology Maps
With RSSI and Power (Heatmap)

• Both 5 GHz or 2.4 GHz Bands can be viewed separately
• Ethernet and Mesh Connections can be displayed
• RSSI values can be used to display coverage
• The coverage areas range from red being the strongest to dark blue being the weakest coverage

Map callouts:
• Select the Band: 5 GHz or 2.4 GHz
• Select the coverage you want to view
• Here you can see the subnet of the MGT0 interface on the Aerohive APs
• The blue lines show the perimeter for an AP that a client within its boundaries should connect to.

Topology Maps
With Rogue AP Detection and Client Location

• If three or more Aerohive APs on a map detect a rogue, HiveManager can estimate the location of the rogue on the topology map
• Also, if the Aerohive AP location service is enabled, you can view clients as well

Map legend: Client, Friendly AP, Rogue AP
QUESTIONS?

Classroom LAB Scenario

• We'll start with the types of users we have in the network. We have different types of employees, and different types of guests.
• Employees should have secure access to the wireless network, and the most secure method is 802.1X/EAP
• We can create 1 SSID for all Employee access, but have different access policies depending on the type of employee.
• For devices that do not support 802.1X, or that require fast roaming and do not support 802.11r or OKC, you should consider Private PSK
• For guests, there is the legacy open SSID method, but we feel it does not provide security for guests and leaves them extremely vulnerable. So instead we should provide a Private PSK infrastructure and a captive web portal for use policy acceptance. We can also provide a way for self registration, employee sponsorship, etc…
• We will need to consider the best practice AP settings to meet our network design goals. After which we will need to show how to maintain and monitor a network.


SECTION 6:
CREATING THE EMPLOYEE
SECURE ACCESS NETWORK

Classroom Employee WLAN
Scenario

• Employees should have secure access to the wireless network, and the most secure method is to use 802.1X EAP.
• You are going to build an 802.1X EAP solution using the customer's existing RADIUS server.
• RADIUS attributes can be leveraged to assign different types of employees to VLANs and user traffic settings by assigning them to the appropriate User Profiles.
• Employees will be assigned to three different User Profiles: Employees, IT and Executives. User profiles will be used to assign different types of access rights to different types of employees.
IEEE 802.1X with EAP

Roles: Supplicant (Computer), Authenticator (AP), Authentication Server (RADIUS)

Supplicant ↔ Authenticator (AP)          Authenticator (AP) ↔ Authentication Server (RADIUS)
802.11 association (access blocked)
EAPoL-start
EAP-request/identity
EAP-response/identity (username)         RADIUS-access-request
EAP-request (challenge)                  RADIUS-access-challenge
EAP-response (hashed resp.)              RADIUS-access-request
EAP-success                              RADIUS-access-accept (PMK)
Access Granted

Callouts: "Access Please!" (supplicant), "Calculating my key…" (supplicant), "Calculating key for user…" (authentication server)


Lab: Creating the Employee 802.1X Network
1. Creating the Corporate Network Policy

• Click on the Configuration Tab


• Under Choose Network Policy Click the New button



Lab: Creating the Employee 802.1X Network
2. Creating the Corporate Network Policy

• Fill in the Name box using Corp-X as your Network Policy Name
• Click the Create button

It is recommended that you ALWAYS add descriptions about the objects you are
building whenever possible.



Lab: Creating the Employee 802.1X Network
3. Creating the Secure SSID Profile

To configure an 802.1X/EAP SSID for Secure Wireless Access
• Next to SSIDs, click Choose
• Click New


Lab: Creating the Employee 802.1X Network
4. Creating the Secure SSID Profile

• Profile Name: Corp-Secure-X
• SSID: Corp-Secure-X
• Under SSID Access Security select WPA/WPA2 802.1X (Enterprise)
• Click Save
Lab: Creating the Employee 802.1X Network
5. Saving the Secure SSID Profile

• Ensure the Corp-Secure-X SSID is selected (highlighted)
• Click OK


Lab: Creating the Employee 802.1X Network
6. Creating the RADIUS Object

• Under Authentication, click <RADIUS Settings>


• Choose RADIUS, click New

Lab: Creating the Employee 802.1X Network
7. Creating the RADIUS Object

• RADIUS Name: RADIUS-X
• IP Address/Domain Name: 10.5.1.10
• Shared Secret: aerohive123
• Confirm Secret: aerohive123
• Click Apply when done
• Click Save


Lab: Creating the Employee 802.1X Network
8. Creating the User Profile

• Under User Profile, click Add/Remove
• Click New


Lab: Creating the Employee 802.1X Network
9. Creating the User Profile

• Name: Employees-X
• Attribute Number: 10
• Default VLAN: 10
• Click Save



Lab: Creating the Employee 802.1X Network
10. User Profile – no returned RADIUS attributes

• With the Default tab selected, ensure the Employees-X user profile is highlighted
› IMPORTANT: This user profile will be assigned if no attribute value is returned from RADIUS after successful authentication, or if attribute value 10 is returned.
• Click the Authentication tab


Lab: Creating the Employee 802.1X Network
11. User profiles for returned RADIUS attributes

• Select the Authentication tab
• Select (highlight) both the IT and Executives User Profiles
NOTE: The (User Profile Attribute) is appended to the User Profile Name
• Click Save


Lab: Creating the Employee 802.1X Network
12. Verify the User Profiles

• Ensure Employees-X, IT and the Executives user profiles are assigned to the Corp-Secure-X SSID


Lab: Creating the Employee 802.1X Network
13. Saving the work and preparing to update devices

• Click the Continue button



On Hosted RADIUS Server
Configuring RADIUS Return Attributes

Standard RADIUS
Attribute/Value Pairs Returned
Tunnel-Medium-Type: IPv4
Tunnel-Type: GRE
Tunnel-Pvt-Group-ID: 10
• After successful authentication by users in the AH-LAB\Wireless Windows AD group, RADIUS will return three attribute value pairs to assign the Aerohive user profile.


Lab: Creating the Employee 802.1X Network
14. Saving the work and preparing to update devices

From the Configure & Update Devices section, click the drop down
next to Filter and select your 0X-APs filter.



Lab: Creating the Employee 802.1X Network
15. Update the devices

• Select your 0X-A-xxxxxx access point and all of your 0X-SIMU-xxxxxxx access points
• Click the Update button
• Click Update Devices to push your Network Policy to your access points
• Click Yes in the Confirm window
Lab: Creating the Employee 802.1X Network
16. Update the devices

• Click the Update Button


• Click OK in the Reboot Warning window
Lab: Creating the Employee 802.1X Network
17. Update the devices

Once the Update is pushed, you will see the Update Status and the devices rebooting.

When the devices have rebooted and start reporting to HiveManager, you will see their new up time and that the configuration on the devices matches the expected configuration in HiveManager.


Lab: Test Hosted Client Access to SSID
1. For Windows: Use TightVNC client

• If you are using a Windows PC
› Use TightVNC
› TightVNC has good compression so please use this for class instead of any other application
• Start TightVNC
› labY-pcX.aerohive.com
› Y = HiveManager number
› X = Your student number
› Select ☑ Low-bandwidth connection
› Click Connect
› Password: aerohive123123
› Click OK
Lab: Test Hosted Client Access to SSID
2. For Mac: Use the Real VNC client

• If you are using a Mac
› RealVNC has good compression so please use this for class instead of any other application
• Start RealVNC
› labY-pcX.aerohive.com
› Y = HiveManager number
› X = Your student number
› Click Connect
› Password: aerohive123.
› Click OK


Testing 802.1X/EAP to External RADIUS
1. Connect to Secure Wireless Network

• From the bottom task bar, click the locate wireless networks icon
• Click Corp-Secure-X
• Click Connect


Testing 802.1X/EAP to External RADIUS
2. Connect to Secure Wireless Network

After associating with your SSID, you should see your connection in the active clients list in HiveManager
• Go to Monitor → Clients → Wireless Clients
• User Name: DOMAIN\user
• VLAN: 10
Testing 802.1X/EAP to External RADIUS
3. Customizing Your Column View

• To change the layout of the columns in the Wireless Clients list, you can click the spreadsheet icon (click to change column layout)
• Select User Profile Attribute from the Available Columns list and click the right arrow
• With User Profile Attribute selected, click the Up button so that the column is moved after VLAN
• Click Save


Testing 802.1X/EAP to External RADIUS
4. Customizing Your Column View

• By default all Device and Client screens display 15 items per page.
• You can scroll between pages using the arrow buttons or choose to display more items per page.
• Screen auto refresh is enabled by default but can be disabled if so desired.
• Select 50 items per page

Callouts: Select the drop down to display 50 items per page. Auto refresh can be turned on or off as desired.


Lab: Testing 802.1X/EAP to External RADIUS
5. Customizing Your Column View

• To change the layout of the columns in the Wireless Clients list, you can click the spreadsheet icon (click to change column layout)
• Select User Profile Attribute from the Available Columns list and click the right arrow
• With User Profile Attribute selected, click the Up button so that the column is moved after VLAN
• Click Save


Lab: Testing 802.1X/EAP to External RADIUS
6. Customizing Your Column View

• By default all Device and Client screens display 15 items per page.
• You can scroll between pages using the arrow buttons or choose to display more items per page.
• Screen auto refresh is enabled by default but can be disabled if so desired.
• Select 50 items per page

Callouts: Select the drop down to display 50 items per page. Auto refresh can be turned on or off as desired.


Lab: Testing 802.1X/EAP to External RADIUS
7. Create a clients display filter

To display only the wireless Clients in the Lab:
• Go to Monitor → Clients → Wireless Clients.
• Click the + under Filter at the bottom of the Monitor options.
• Next to Topology Map select 0X Building_Floor 1 from the drop down
• Select ☑ Save Filter As and type: Lab
• Click Search to save the filter
Note: The proper use of Filters will save time in locating desired objects.
Lab: Testing 802.1X/EAP to External RADIUS
7. Create a clients display filter

To display only the Wireless Clients in the Classroom:
• Go to Monitor → Clients → Wireless Clients.
• Click the + under Filter at the bottom of the Monitor options.
• Next to Topology Map select Training Center_Floor1 from the drop down
• Select ☑ Save Filter As and type: Instructor
• Click Search to save the filter
Note: The proper use of Filters will save time in locating desired objects.
QUESTIONS?

SECTION 7:
PRIVATE PSK FOR DEVICES



Private PSK (PPSK) for Legacy Devices
Scenario

• You have legacy devices that do not support 802.1X, or require fast roaming and do not support 802.11r or Opportunistic Pairwise Master Key Caching (OKC).
• There is a requirement that all devices have unique credentials.
• Aerohive offers a security solution called Private PSK (PPSK) that meets these needs.


SSIDs with WPA or WPA2 Personal
Use Legacy Pre Shared Keys (PSKs)

Clients:
User 1 – SSID: Corp-Wi-Fi, Shared Key: aSecretPhrase
User 2 – SSID: Corp-Wi-Fi, Shared Key: aSecretPhrase
User 3 – SSID: Corp-Wi-Fi, Shared Key: aSecretPhrase

AP:
SSID: Corp-Wi-Fi
Authentication: WPA2 Personal
Shared Key: aSecretPhrase
User Profile: Employee-Profile

• All users share the same key
› If a user leaves or if a PC or portable device is lost, for security reasons, the shared key should be changed, and every user will have to update the key on their wireless clients
• All users share the same network policy
› Because all users share the same SSID with the same key, they will also have the same network policies, such as their VLAN, because there is no way to uniquely identify users or types of users


SSID with 802.1X/EAP Dynamically Create
Pairwise Master Keys (PMKs)

Clients:
User 1 – SSID: Corp-Wi-Fi, PMK: d6#$%^98f..
User 2 – SSID: Corp-Wi-Fi, PMK: 87fe@#$%a..
User 3 – SSID: Corp-Wi-Fi, PMK: 90)356*&f..

AP (authenticating against RADIUS):
SSID: Corp-Wi-Fi
Authentication: WPA2 Enterprise (802.1X)
- User 1 - PMK: d6#$%^98f..
- User 2 - PMK: 87fe@#$%a..
- User 3 - PMK: 90)356*&f..

• With 802.1X, after a user successfully authenticates with RADIUS, a unique key called a PMK is created for each user and AP pair
› If a user leaves the company or a user loses a device, the user account can be disabled and passwords can be changed to prevent access to corporate resources
• New PMKs are created every time a user authenticates
• Users can have unique network policies
› Because users are identified by their user name, based on the user or group, they can be assigned to different network policies


Private Preshared Key (PSK)
Allows creation of unique PSKs per user
Clients:
User 1 – SSID: Corp-Wi-Fi, Key: d6#$%^98f..
User 2 – SSID: Corp-Wi-Fi, Key: 87fe@#$%a..
User 3 – SSID: Corp-Wi-Fi, Key: 90)356*&f..

Aerohive AP:
SSID: Corp-Wi-Fi
SSID Type: Private PSK
Authentication: WPA2 Personal
- User 1 – Private PSK: d6#$%^98f..
- User 2 – Private PSK: 87fe@#$%a..
- User 3 – Private PSK: 90)356*&f..

• Private PSKs are unique pre shared keys created for individual users on the same SSID
• Client configuration is simple, just enter the SSID shared key for WPA or WPA2 personal (PSK)
› No 802.1X supplicant configuration is required
› Works with devices that do not support 802.1X/EAP
• You can automatically generate unique keys for users, and distribute via email, or any way you see fit
• If a user leaves or a device is lost or stolen, the PSK for that user or device can simply be revoked


Private Preshared Key (PSK)
Use Cases

• Use Case #1: Private PSK is recommended for augmenting WLAN deployments that authenticate clients with WPA or WPA2 Enterprise (802.1X/EAP), but have some devices that:
› Support WPA or WPA2 Personal, but do not support WPA or WPA2 Enterprise with 802.1X/EAP
› Do not support opportunistic key caching (OKC) for seamless roaming
• Use Case #2: Recommended use in place of using traditional PSKs for environments that do not have a WLAN deployment using WPA or WPA2 Enterprise with 802.1X/EAP
• Use Case #3: Recommended for secure credentials with guest WLANs (secure guest management covered in a later section)
• Use Case #4: BYOD – Onboarding personal and/or company issued mobile devices with Client Management


Verify On-Premise HiveManager Time Settings
• HiveManager and Aerohive Devices should have up to date time settings, preferably by NTP (HMOL Time Settings are automatic).
• Go to Home → Administration → HiveManager Settings
• Next to System Date/Time click Settings

Private PSKs are credentials that have a start time. Private PSKs, like other credentials, can also be time limited. Therefore, it is imperative that the HiveManager Time Settings be in proper synchronization with your network. The use of an NTP server is highly recommended.
Verify Device Time Settings
• Go to Configuration
• Select your Network Policy: Corp-X and click OK
• Next to Additional Settings click Edit
• Expand Management Server Settings
• Next to NTP Server
› Click the + Icon

Note: Upon first login to a new HiveManager system, an NTP server policy is automatically created with the same name as the User name. However, the object should be edited with the proper time zones.

Private PSKs are credentials that have a start time. Private PSKs, like other credentials, can also be time limited. Even more important than the HiveManager Time Settings, Aerohive Device Clock Settings must be properly synchronized. The use of an NTP server is MANDATORY.


Verify Device Time Settings

Instructor note: When using Lab #4 the Time Zone MUST be set to (GMT +10 Australia/Sydney)
• Name the service NTP-X
• Time Zone: <Please use the Pacific time Zone>
• ☐ Uncheck Sync clock with HiveManager
• NTP Server: ntp1.aerohive.com
• Click Apply
• Click Save

MANDATORY: You must change the time zone to match the time zone where your Aerohive Devices reside. Do this BEFORE you configure the rest of your Network Policy.


Lab: Private PSK for Enterprise
1. Modify your Network Policy to Create an SSID

To configure a Private PSK SSID
• Go to Configuration
• Select your Network Policy: Corp-X and click OK
• Next to SSIDs, click Choose
• Click New


Lab: Private PSK for Enterprise
2. Create a Private PSK SSID

• Profile Name: Device-PPSK-X
• SSID: Device-PPSK-X
• Under SSID Access Security select Private PSK
• ☑ Set maximum clients per private PSK to: 1
› This limits how many times a single Private PSK can be concurrently used in a Hive
• Click Save
Lab: Private PSK for Enterprise
3. Create a Private PSK SSID

• Ensure the Device-PPSK-X SSID is selected
• Ensure the Corp-Secure-X SSID is selected
• With both Device-PPSK-X and Corp-Secure-X highlighted, click OK


Lab: Private PSK for Enterprise
4. Create a Private PSK User Group

• Under Authentication, click <PSK User Groups>


• Click New

Lab: Private PSK for Enterprise
5. Create a Private PSK Group

• User Group Name: Devices-X
• User Type: ☑ Automatically generated private PSK users
• User Profile Attribute: 2
• VLAN: <empty> (inherited from user profile)
• User Name Prefix: 0X-
• Click the Generate button to create a seed
• Expand Private PSK Advanced Options


Lab: Private PSK for Enterprise
6. Create a Private PSK User Group

• Password length: 20
Note: You can define the strength of the PSKs
• Click Save

Although each of the PPSKs will be unique, they are still susceptible to brute-force
offline dictionary attacks. The Wi-Fi Alliance recommends a passphrase key strength of
20 characters or longer.
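
Why the length setting matters, as an added example (not Aerohive's key generator and not part of the course material): a WPA/WPA2-Personal key is derived from nothing but the passphrase and the SSID, so resistance to offline guessing comes entirely from passphrase entropy. The 62-symbol alphabet, the guess rate used in `__main__` and the `0X-000n` user names are assumptions.

```python
import hashlib
import math
import secrets
import string

# Assumption: keys are drawn from letters and digits (62 symbols). The page
# fixes only the length (20), not the alphabet HiveManager uses.
ALPHABET = string.ascii_letters + string.digits


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2-Personal key from a passphrase and SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    # IEEE 802.11i: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32 bytes.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def generate_ppsk(length: int = 20) -> str:
    """Generate one random key with a CSPRNG (never random.choice)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random key of the given length."""
    return length * math.log2(alphabet_size)


def average_search_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to find a key by exhausting half of the key space."""
    seconds = (2 ** bits / 2) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def issue_keys(usernames, ssid: str, length: int = 20) -> dict:
    """Issue one unique key per user. Two users holding the same passphrase
    on the same SSID would derive the same key and be indistinguishable."""
    issued, seen = {}, set()
    for name in usernames:
        psk = generate_ppsk(length)
        while psk in seen:  # regenerate on the (astronomically rare) collision
            psk = generate_ppsk(length)
        seen.add(psk)
        issued[name] = {"psk": psk, "pmk": wpa2_pmk(psk, ssid).hex()}
    return issued


if __name__ == "__main__":
    # Constructed user names following the lab's "0X-" prefix.
    users = [f"0X-{n:04d}" for n in range(1, 11)]
    for name, rec in issue_keys(users, "Device-PPSK-X").items():
        print(name, rec["psk"], rec["pmk"][:16] + "...")
    rate = 1e6  # assumed offline guess rate, guesses per second
    for length in (8, 20):
        bits = entropy_bits(length)
        print(f"{length} chars: {bits:.1f} bits, "
              f"about {average_search_years(bits, rate):.3g} years at {rate:.0e}/s")
```

The SSID acts as the salt, so the same passphrase yields a different key on Device-PPSK-X than on any other SSID, but the iteration count is fixed by the standard and cannot be raised to compensate for short keys.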



Lab: Private PSK for Enterprise
7. Save the Private PSK User Group

• Ensure your Devices-X is highlighted


• Click OK



Lab: Private PSK for Enterprise
8. Create a user profile for the SSID

• Under User Profile, click Add/Remove
• Click New


Lab: Private PSK for Enterprise
9. Create a user profile for the PPSK SSID

• Name: Devices-X
• Attribute Number: 2
• Default VLAN: 2
• Verify the settings, and click Save

Although these are corporate devices, they are using shared key security. Since they are not using 802.1X, a more secure authentication method, it is a recommended practice to separate their traffic to protect your network from unwanted use.


Lab: Private PSK for Enterprise
10. Review Settings and Click Save

• Ensure your Devices-X User Profile is selected
• Click Save
• Verify the settings, and click Save


Lab: Private PSK for Enterprise
11. Creating your User Accounts

• In the Navigation pane go to: Advanced Configuration → Authentication → Local Users
• Click Bulk

Note: In a live deployment, each device and/or user should be uniquely identifiable. We are using the Bulk option in class simply as a way to save time.


Lab: Private PSK for Enterprise
12. Creating your User Accounts

• Create Users Under Group: Devices-X


• Number of New Users: 10
• Description: 0X-
• Enter your REAL email address
• Click Create
Private Preshared Key for Enterprise use
Viewing your private Preshared Key credentials

Apply a filter to view your Private PSK users
• In the Navigation pane, navigate to: Advanced Configuration → Authentication → Local Users
• Click the Filter button.
• Email Notification: Enter your REAL email address
Results shown on next slide
Lab: Private PSK for Enterprise
14. View your Private PSK users

• Locate your PPSK users
› Sort on the user name or use the filter
• You can click (Clear Text PPSK) to view the PPSK

Callout: Click here to show or obscure your clear text PSK
Lab: Private PSK for Enterprise
15. Email your user their private PSK
• Check the box next to one of your user accounts, and click Email PSK
IMPORTANT: Please check your Junk Email folder if you do not receive this email

IMPORTANT: In order for the email to work, you MUST have the email service settings configured under Home → Administration → HiveManager Services → Update Email Settings

Callouts: Email the private PSK to the user; Email Address; Email Message
Lab: Private PSK for Enterprise
16. Updating your Aerohive Devices

• Go to Configuration and select your Corp-X policy and click OK


• Click on the Continue button
• From the Configure & Update Devices section, click the drop down next to
Filter and select your 0X-APs Filter.



Lab: Private PSK for Enterprise
17. Updating your Aerohive Devices

• Select your 0X-A-xxxxxx access point and all of your 0X-SIMU-xxxxxxx access points
• Click the Update button
• Click Update Devices to push your Network Policy to your access points
Lab: Private PSK for Enterprise
18. Updating your Aerohive Devices

• Click the Update Button


• Click OK in the Reboot Warning window
Lab: Private PSK for Enterprise
19. Updating your Aerohive Devices

The physical APs will not need to reboot this time because
this is a Delta update. The simulated APs will reboot. Only
the configuration changes in the Network Policy were
uploaded. Because a reboot is not necessary, clients already
connected to the Corp-Secure-X SSID are not affected.
Lab: Private PSK for Enterprise
1. Testing your PPSK SSID

• Connect to your remote PC using the VNC application.


• Copy the PPSK key either from the user account
display or your email, make sure not to copy any extra
spaces
• Connect to your SSID: Device-PPSK-X
• Paste your Passphrase/Network Key:
<Paste your 20 character PSK>
• Click OK



Lab: Private PSK for Enterprise
2. Testing your PPSK SSID

• After associating with your SSID, you should see your connection in the active
clients list in HiveManager
› Go to Monitor → Clients → Wireless Clients
• Your IP address should be from the 10.5.2.0/24 network
• Note the client information:
› VLAN: 2
› User Profile Attribute: 2


Example Only: Revoke a Private PSK
1. Revoking Private PSK Users

If a user leaves the company, or if their device is lost or stolen, you can revoke a user's key and de-authenticate any active client using the individual private PSK
• Go to Configuration → Advanced Configuration → Authentication → Local Users
• ☑ Check the box next to your user account and click Remove
• Click Yes to continue
› Note: For this change to take effect, you will have to update the configuration of every Aerohive AP using this Private PSK account...


Example Only: Revoke a Private PSK
2. Update the Configuration

• Select your 0X-A-xxxxxx access point and all of your 0X-SIMU-xxxxxxx access points
• Click the Update button
• Click Update Devices to push your Network Policy to your access points


Example Only: Revoke a Private PSK
3. Verify your PPSK user is revoked

• To view the active clients, go to Monitor → Clients → Wireless Clients
• The revoked clients will no longer appear in the active clients list
• If you view the desktop of the hosted client PC, you will see they are disconnected


QUESTIONS?

SECTION 8:
AEROHIVE WLAN GUEST
MANAGEMENT



Why Provide Guest Access?

Many studies have shown that providing WLAN guest access is beneficial to your business
• Improved Productivity: Customers and contractors often need access to
the Internet to accomplish job-related duties. If customers and contractors are
more productive, your company employees will also be more productive.
• Customer Loyalty: In today’s world, business customers have come to
expect Guest WLAN access. Free guest access is often considered a value-added
service. There is a good chance that your customers will move towards your
competitors if you do not provide WLAN guest access.



Guest WLAN Essentials

Guest user traffic should always be segmented from employee user traffic. Four guest WLAN best practices include:
• Guest SSID: Wireless guest users should always connect to a separate guest
SSID because it will have different security policies than a corporate or
employee SSID.
• Guest VLAN: Guest user traffic should be segmented into a unique VLAN
tied to an IP subnet that does not mix with the employee user VLANs.
• Captive Web Portal: A captive web portal can be used to accept guest
login credentials. More importantly, the captive web portal should have a legal
disclaimer.
• Guest Firewall Policy: A From-Access guest firewall policy is the most
important component of WLAN guest management.



WLAN Guest Firewall Policy

• A From-Access guest firewall policy is the most important component of WLAN guest management. The goal is to keep wireless guest users away from corporate network resources and only allow them access to a gateway to the Internet.
• Below is an example of the default Guest Firewall Policy in
HiveManager



WLAN Guest Firewall Policy

• The guest firewall policy can be much more restrictive. A good practice is to block SMTP so users cannot SPAM through the guest WLAN.
• If necessary, many more ports and/or applications can be blocked.
• Ports that should be permitted include DNS UDP port 53, DHCP-server UDP port 67, HTTP TCP port 80 and HTTPS TCP port 443.
• So that guest users can use an IPsec VPN, IKE UDP port 500 and IPsec NAT-T UDP port 4500 should be permitted.
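
The guest policy described above, modelled as an ordered first-match rule list, as an added example (this is not HiveManager's default Guest Firewall Policy, which the slide shows only as a screenshot). The corporate address ranges, the rule order, the audit helper and the sample flows are assumptions chosen to show why the corporate deny must come before the broad permits.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
# Assumption: corporate resources live in RFC 1918 address space.
CORPORATE = [ipaddress.ip_network(n)
             for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Services a guest needs before it can do anything else.
INFRA = {("udp", 53), ("udp", 67)}


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    port: Optional[int]          # None matches every port
    dest: ipaddress.IPv4Network
    note: str


def guest_policy() -> List[Rule]:
    """Ports from the slide, evaluated top-down, first match wins."""
    rules = [Rule("permit", "udp", 67, ANY, "DHCP"),
             Rule("permit", "udp", 53, ANY, "DNS")]
    rules += [Rule("deny", "any", None, net, f"corporate {net}")
              for net in CORPORATE]
    rules += [Rule("deny", "tcp", 25, ANY, "SMTP"),
              Rule("permit", "tcp", 80, ANY, "HTTP"),
              Rule("permit", "tcp", 443, ANY, "HTTPS"),
              Rule("permit", "udp", 500, ANY, "IKE"),
              Rule("permit", "udp", 4500, ANY, "IPsec NAT-T")]
    return rules


def misordered_policy() -> List[Rule]:
    """Same rules with the HTTP permit moved above the corporate denies."""
    rules = guest_policy()
    http = next(r for r in rules if r.note == "HTTP")
    return [http] + [r for r in rules if r is not http]


def evaluate(rules: List[Rule], proto: str, dst_ip: str,
             dst_port: int) -> Tuple[str, str]:
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if r.port is not None and r.port != dst_port:
            continue
        if dst in r.dest:
            return r.action, r.note
    return "deny", "default deny"  # nothing matched


def audit_order(rules: List[Rule]) -> List[str]:
    """Return permits that precede a corporate deny and so expose it."""
    uncovered = list(CORPORATE)
    findings = []
    for r in rules:
        if r.action == "deny" and r.proto == "any" and r.port is None:
            uncovered = [n for n in uncovered if not n.subnet_of(r.dest)]
        elif r.action == "permit" and (r.proto, r.port) not in INFRA:
            if any(n.overlaps(r.dest) for n in uncovered):
                findings.append(r.note)
    return findings


if __name__ == "__main__":
    # Constructed sample flows: (protocol, destination, port).
    flows = [("udp", "255.255.255.255", 67), ("udp", "10.5.1.10", 53),
             ("tcp", "203.0.113.10", 443), ("tcp", "10.5.1.10", 443),
             ("tcp", "203.0.113.10", 25), ("udp", "203.0.113.10", 4500),
             ("tcp", "203.0.113.10", 22)]
    for flow in flows:
        print(flow, "->", evaluate(guest_policy(), *flow))
    print("audit (correct order):", audit_order(guest_policy()))
    print("audit (HTTP first):  ", audit_order(misordered_policy()))
```

Permitting DNS and DHCP to any destination mirrors the slide; where the guest DNS and DHCP servers are known, narrowing those two rules to their addresses tightens the policy further.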




Peer Blocking

• Guest users should be prevented from peer-to-peer connectivity on the guest VLAN/subnet. This prevents peer-to-peer attacks.
• Peer blocking can be configured in the Guest SSID settings.
• Optional Settings → DoS Prevention and Filter → Traffic Filter
• Uncheck ☐ Enable Inter-station Traffic


Rate Limiting

• The bandwidth of guest traffic can be throttled with a rate control policy
• User Profiles → Optional Settings → QoS Settings → Rate Control and Queuing Policy


Captive Web Portals

DNS lookup = whois www.google.com
DNS response = www.google.com = 1.1.1.1

If guest user authentication is required, the AP will then query a RADIUS server with an authentication protocol such as MS-CHAPv2.

When a guest user browses to a URL, a DNS redirect is used to send the guest user to the captive portal login pages. If a captive portal stops working, there is most likely a DNS problem.


Captive Web Portals

• Aerohive has a large selection of available captive web portals
• The CWP pages use cascading style sheets so that they display properly on a computer screen, tablet screen or smart phone screen
• Upon authentication, guests can be redirected to an external URL or the initially requested URL


Captive Web Portals

• Pages can be customized within HiveManager
• Advanced customization can be done with an external HTML editor and pages can be imported back into the system and then used as templates


Captive Web Portals

Captive Web Portal Login Page Examples

User Authentication, Self Registration, User Policy Acceptance


Captive Web Portals

Multi-Language Support



Guest VLAN in a DMZ

Sometimes a customer may have a written security policy that mandates that the
guest VLAN not reside at the edge of the network. The guest VLAN can only
exist in a DMZ
• GRE Tunneling – Aerohive APs can be configured to tunnel the guest traffic
back to a HiveOS Appliance server that resides in the DMZ
• Guest GRE Tunnel LAB – This lab is performed in the Aerohive Advanced
WLAN Configuration (ACWP) class

HiveOS VA



Secure Guest WLANs

Aerohive allows you to provide secure guest management:


• ID Manager – Cloud-Based Secure Guest Management
• Static PSK – At the very least a static shared PSK can be used to provide
encryption

More information is available about PPSK User Manager and PPSK self-
registration in the supplemental materials provided by your instructor.



ID MANAGER
USER EXPERIENCE

© 2015 Aerohive Networks CONFIDENTIAL 253


MyHive Portal – Admin Account Manager
Different views for On-premise HM or HMOL

HiveManager Online + ID Manager

ID Manager Only – Used with On-Premise HiveManager

The configuration options here are based on your account's access rights

© 2015 Aerohive Networks CONFIDENTIAL 254


ID Manager

To integrate your standalone HiveManager with ID Manager:
• From Home → Administration → HiveManager Services
• Select ☑ Retrieve ID Manager Customer ID
• Enter your ID Manager account email and password
• Click Retrieve

© 2015 Aerohive Networks CONFIDENTIAL 255


ID Manager
Workflow

Internet

ID Manager
HTTPS
APs

• An operator who may be a lobby ambassador, an employee with ID Manager operator rights, or the guest themselves using the web-based self-registration kiosk on an iPad for instance, can enter the Guest information
• The operator, if permitted, can activate a Kiosk, which is a secure web interface into ID Manager for self-registration
© 2015 Aerohive Networks CONFIDENTIAL 256
ID Manager
Workflow

Internet
ID Manager
HTTPS
APs

Guest

• The Guest arrives and would like secure guest Wi-Fi access
• An operator who may be a lobby ambassador, an employee with ID manager
operator rights, or the guest themselves using the web-based self-registration
kiosk on an iPad for instance, can enter the Guest information
• Guest information includes who the guest is representing, who they are
visiting, their email, and a phone number
© 2015 Aerohive Networks CONFIDENTIAL 257
ID Manager
Workflow

Internet
ID Manager

HTTPS
APs

Guest

• Next, the guest or the operator creating the guest account can select the
type of guest access needed, such as a contractor, visitor, or guest
secured with Private PSK
• For this example a Visitor using Private PSK will be selected

© 2015 Aerohive Networks CONFIDENTIAL 258


ID Manager
Workflow

Internet
ID Manager
HTTPS
APs
Private PSK: 9LHA82v3

Guest

• ID Manager generates a Private PSK for the guest which is optionally displayed on the screen
• Next, the guest or operator selects the delivery method for sending guest access key or user credentials to the guest
› Text via SMS, Email, Print out, or Twitter Direct Messages may be used
© 2015 Aerohive Networks CONFIDENTIAL 259
ID Manager
Secure Guest Connections
Diagram labels: ID Manager, Internet, APs. RADSEC uses TCP Port 2083.
Diagram callouts:
1. The Guest connects to the Guest SSID using WPA2 Personal and enters their Guest Private PSK: 9LHA82v3
2. The AP uses RADSEC to verify the Private PSK: 9LHA82v3
3. If validated, the private PSK and user session info is distributed to neighbor APs

1. After the guest receives their Private PSK, they can use it as the WPA2 Personal
network key when connecting to the guest SSID
2. The AP forwards a verification request to a RADSEC proxy AP on the local subnet,
which could be itself, and that AP uses a secure RADSEC connection to ID
Manager to verify the Private PSK is valid
3. The Private PSK and user session information is securely distributed to neighboring
APs to permit secure and fast roaming
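
Step 1 above has the guest enter the Private PSK as an ordinary WPA2 Personal network key. As an added example (not part of the course material and not Aerohive code), this sketch applies the standard IEEE 802.11 passphrase-to-PMK mapping to per-guest keys and estimates the keyspace of a generated key; the guest labels, the second key and the student ID in the SSID are constructed sample values.

```python
"""Added example: WPA2 Personal passphrase-to-PMK mapping applied to Private PSKs."""
import hashlib
import math
import string


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11 mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256 bits."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("WPA2 passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid_bytes, 4096, 32)


def keyspace_bits(key: str) -> float:
    """Upper bound on the entropy of a random key, from the character
    classes it draws on (lower, upper, digits, punctuation)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(cls) for cls in classes if any(ch in cls for ch in key))
    return len(key) * math.log2(alphabet) if alphabet else 0.0


def pmk_table(ssid: str, guest_keys: dict) -> dict:
    """Per-guest PMKs (hex) for one SSID: each Private PSK yields its own PMK,
    so expiring or revoking one guest's key leaves the other guests untouched."""
    return {guest: wpa2_pmk(key, ssid).hex() for guest, key in guest_keys.items()}


if __name__ == "__main__":
    # "Guest-1" assumes student ID 1; "visitor-b" and its key are constructed.
    keys = {"visitor-a": "9LHA82v3", "visitor-b": "Qm7TzR4k"}
    for guest, pmk in pmk_table("Guest-1", keys).items():
        print(guest, pmk)
    print("same key, other SSID:", wpa2_pmk("9LHA82v3", "Guest-2").hex())
    print("keyspace bits for 9LHA82v3:", round(keyspace_bits("9LHA82v3"), 1))
```

Because the SSID is the salt, the same key produces a different PMK on another SSID, and the keyspace figure is the number to weigh when setting access key complexity in the Private PSK settings.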
© 2015 Aerohive Networks CONFIDENTIAL 260
ID Manager Features
• Private PSK for Guest Access
• Customizable key creation and expiration times
• 802.1X and Captive Web Portal RADIUS authentication
• Third-party support with 802.1X
• RADIUS Proxy
• Customizable Interface for Guest Access
• Dashboards and Authentication Logs
• Notifications via Email, SMS, Twitter, Printer, and Screen
• Self service kiosk support for tablets and computers
• Anonymous access with time limits or bandwidth limits
• Employee Approval for Guest Self-Registration from CWP
• Employee Sponsorship – Authentication (Using SAML)
• Employee Sponsorship with AD integration
© 2015 Aerohive Networks CONFIDENTIAL 261
Secure Guest WLANs
Scenario

• Your customer has a requirement for secure guest access for both contractors and visitors.
• Guest users should not be permitted on the secure
corporate network.
• Each guest is required to use their own secure credentials
for access to the guest network.
• Aerohive offers a secure guest access solution called ID
Manager.

© 2015 Aerohive Networks CONFIDENTIAL 262


ID MANAGER LAB

© 2015 Aerohive Networks CONFIDENTIAL 263


Lab: ID Manager - Secure Guest WLAN
1. Configure Guest SSID

• Go to Configuration and select your Corp-X Network Policy and click OK
• Next to SSIDs, click Choose
• In Choose SSID click New
© 2015 Aerohive Networks CONFIDENTIAL 264
Lab: ID Manager - Secure Guest WLAN
2. Configure Guest IDM SSID

• SSID Profile: Guest-X
X = (Student ID)
• SSID: Guest-X
• Select ☑ Private PSK
• Check ☑ Use Aerohive ID Manager.
• Check ☑ Set the maximum number of clients per private PSK to: 3.
• Check ☑ Enable a captive web portal with use policy acceptance.
• Click Save.

265
© 2015 Aerohive Networks CONFIDENTIAL
Lab: ID Manager - Secure Guest WLAN
3. Save the Guest IDM SSID

• Ensure that all three SSIDs are selected
• Click OK

266
© 2015 Aerohive Networks CONFIDENTIAL
Lab: ID Manager - Secure Guest WLAN
4. Configure Captive Web Portal

Configure the captive web portal for user policy acceptance
• Click <CWP>
• Click New

© 2015 Aerohive Networks CONFIDENTIAL 267


Lab: ID Manager - Secure Guest WLAN
5. Configure Captive Web Portal

• Name: CWP-X
NOTE: In each section, you can click Customize… if you want to modify the default web pages or import your own pages.
• Expand Captive Web Portal Success Page Settings
› Select ☑ Redirect to an external page and enter a URL: http://www.aerohive.com
• Save your Captive Web Portal Settings
© 2015 Aerohive Networks CONFIDENTIAL 268
Lab: ID Manager - Secure Guest WLAN
6. Create User Profile

Assign a user profile to the SSID
• To the right of your SSID, under User Profile, click Add/Remove

• Choose User Profiles
• Click New

© 2015 Aerohive Networks CONFIDENTIAL 269


Lab: ID Manager - Secure Guest WLAN
7. Create User Profile

• Name: Guest-X
• Attribute Number: 500
• VLAN-Only Assignment: 8
• Under Optional Settings expand User Firewalls and specify a guest firewall policy
• Under IP Firewall Policy
› From-Access: Guest-Internet-Access-Only
› To-Access: <Leave Empty>
› Default Action: Deny
› Click Save

© 2015 Aerohive Networks CONFIDENTIAL 270


Lab: ID Manager - Secure Guest WLAN
8. Save User Profile

• Select Guest-X(500)
• Click Save

© 2015 Aerohive Networks CONFIDENTIAL 271


Lab: ID Manager - Secure Guest WLAN
9. Save Network Policy

• Verify your policy settings


• Click Continue

© 2015 Aerohive Networks CONFIDENTIAL 272


Lab: ID Manager - Secure Guest WLAN
10. Perform a Complete Upload

• Select your 0X-A-xxxxxx access point and all of your 0X-SIMU-xxxxxxx access points
• Click the Update button
• Check the ☑ Perform a complete configuration update for all selected devices check box
• Click Update Devices and click OK in the Reboot Warning window
© 2015 Aerohive Networks CONFIDENTIAL 273
Lab: ID Manager - Secure Guest WLAN
11. Perform a Complete Upload

Once the Update is pushed, you will see the Update Status and the devices rebooting.

When the devices have rebooted and start reporting to HiveManager, you will see their new up time and that the configuration on the devices matches the expected configuration in HiveManager.
© 2015 Aerohive Networks CONFIDENTIAL 274
ID MANAGER TEST

© 2015 Aerohive Networks CONFIDENTIAL 275


ID Manager Radsec Proxy APs

Within a management subnet for APs, two APs get elected as ID Manager RADSEC proxy APs
The ID Manager RADSEC proxy APs have icons that look like this

© 2015 Aerohive Networks CONFIDENTIAL 276


ID Manager Tests from ID Manager
Proxy APs Using RADSEC

You can test that the ID Manager proxy APs can communicate with the ID Manager RADSEC server on the Internet
• Go to Tools → Server Access Tests → ID Manager Test
• Select RADSEC Proxy
• Select a proxy server AP
Note: ID Manager Proxy APs use RADSEC with TCP port 2083 to the Internet
• Click Test

© 2015 Aerohive Networks CONFIDENTIAL 277


ID Manager Tests from ID Manager
Proxy APs Using RADSEC

If the RADSEC Proxy APs cannot communicate with the ID Manager:
• Select a proxy server AP
• Go to Utilities → Clear ID Manager Credentials
• Also verify that TCP port 2083 is open outbound on any firewall
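
The firewall check in the last bullet, as an added example (not Aerohive tooling and not part of the course material): a staged probe that separates a blocked TCP port 2083 from a TLS-level failure. The hostname is a placeholder because the slides do not name the ID Manager RADSEC server, and the probe is assumed to run from a host on the same subnet as the proxy APs.

```python
"""Added example: staged reachability probe for a RADSEC (RADIUS over TLS) server."""
import socket
import ssl

RADSEC_PORT = 2083  # TCP port the slides give for RADSEC

# What each outcome means for the firewall question on the slide.
ADVICE = {
    "dns_failed": "Name did not resolve; fix DNS before looking at the firewall.",
    "tcp_timeout": "No answer on TCP 2083; an outbound firewall rule is likely dropping it.",
    "tcp_refused": "Connection was reset; a firewall rejects TCP 2083 or nothing listens there.",
    "tcp_error": "Local network error; check routing and the interface on this host.",
    "tls_failed": "TCP 2083 is open end to end; the fault is in TLS or credentials, not the firewall.",
    "tls_ok": "TCP 2083 is open and a TLS session was established.",
}


def probe_radsec(host, port=RADSEC_PORT, timeout=5.0, context=None):
    """Return (stage, detail); stage is one of the keys of ADVICE."""
    # Stage 1: plain TCP connect. This is what an outbound firewall rule controls.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror as exc:
        return "dns_failed", str(exc)
    except socket.timeout:
        return "tcp_timeout", f"no reply within {timeout}s"
    except ConnectionRefusedError as exc:
        return "tcp_refused", str(exc)
    except OSError as exc:
        return "tcp_error", str(exc)

    # Stage 2: TLS handshake. RADIUS over TLS (RFC 6614) uses mutual
    # authentication, so a probe without a client certificate can end at
    # "tls_failed" on a healthy path. That result still proves the port is open.
    ctx = context or ssl.create_default_context()
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "tls_ok", f"{tls.version()} {tls.cipher()[0]}"
    except OSError as exc:  # ssl.SSLError and socket.timeout are OSError subclasses
        return "tls_failed", f"{type(exc).__name__}: {exc}"
    finally:
        sock.close()  # no-op once wrap_socket has taken over the descriptor


def advise(stage):
    """Map a probe stage to the next troubleshooting step."""
    return ADVICE[stage]


if __name__ == "__main__":
    # Placeholder name: the slides do not give the RADSEC server address.
    stage, detail = probe_radsec("radsec.example.invalid", timeout=3.0)
    print(stage, "-", detail)
    print(advise(stage))
```

A `tcp_timeout` result points at the firewall rule; a `tls_failed` result means the port is reachable, so the other remedy on the slide, Clear ID Manager Credentials, is the next thing to try.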

© 2015 Aerohive Networks CONFIDENTIAL 278


ID MANAGER CUSTOMIZATION

© 2015 Aerohive Networks CONFIDENTIAL 279


Guest User Interface Settings

• From ConfigurationID Manager SettingsRegistration UI


• You can customize the look and feel of the guest registration page.

© 2015 Aerohive Networks CONFIDENTIAL 280


Guest User Interface Settings

• From ConfigurationID Manager • From the Private PSK Settings


SettingsRegistration UI, you can you can configure the
decide which fields are important and complexity of the access keys.
which notification methods are
available.

© 2015 Aerohive Networks CONFIDENTIAL 281


Guest User Interface Settings

• From ConfigurationID Manager


SettingsRegistration UI, you can decide
which fields are important and which
notification methods are available
© 2015 Aerohive Networks CONFIDENTIAL 282
Guest User Interface Settings

• You can decide whether you want to display the key on the screen or only permit it to be transmitted using one of the notification methods
© 2015 Aerohive Networks CONFIDENTIAL 283
Employee Sponsorship

• Employee Sponsorship is an ID Manager cloud service that allows employees in your organization to log in to the ID Manager registration UI using their corporate credentials and register guests (essentially acting as ID Manager operators).
• Before you can enable Employee Sponsorship, you must already be using RADIUS authentication that is integrated with an external LDAP database server.
NOTE: Employee sponsorship is available from the registration UI only and is not supported on kiosks.
© 2015 Aerohive Networks CONFIDENTIAL 284
Using ID Manager as an External RADIUS
Server for 802.1X or Captive Web Portal

• You can use ID Manager as a standalone RADIUS server for simple guest account creation.
• RADIUS can be used for 802.1X authentication or Captive Web
Portal authentication.

© 2015 Aerohive Networks CONFIDENTIAL 285


Using ID Manager as a RADIUS Proxy

• If you work closely with other organizations whose employees often visit your
company and vice-versa, RADIUS Proxy simplifies the guest login process for these
employees by granting guest access using the employee’s home login credentials.
• If the domain is on the whitelist, ID Manager checks the corporate directory of the
other organization. If the visitor is valid, ID Manager gives your operator the option
to authenticate the visitor using their home credentials.

© 2015 Aerohive Networks CONFIDENTIAL 286


Note: Your ID Manager Operator
has Limited Access

• Next you will be accessing ID Manager as an operator
• An ID Manager operator has limited access as displayed in Configuration → Admin Accounts
• Lobby personnel typically log in as ID Manager operators
Note: The permissions are set in the Admin Groups
Configuration → Admin Accounts
From here you can create an administrator with access to ID Manager specific permissions
© 2015 Aerohive Networks CONFIDENTIAL 287
ID MANAGER LAB

© 2015 Aerohive Networks CONFIDENTIAL 288


ID Manager Configuration
1. Log into ID Manager
• Browse to HTTPS://myhive.aerohive.com.
• Log in with the credentials below.

Admin: idm#-admin@ah-lab.com
Where # is lab=1,2,3,4, or 5
Password: aerohive123
© 2015 Aerohive Networks CONFIDENTIAL 289
ID Manager Configuration
2. Go to ID Manager

• Click Go

© 2015 Aerohive Networks CONFIDENTIAL 290


ID Manager Configuration
3. Go to ID Manager

• Click CONFIGURATION.

© 2015 Aerohive Networks CONFIDENTIAL 291


ID Manager Configuration
4. Configure a Guest Type

• From the side menu:


› Click Guest Type
› Click New

© 2015 Aerohive Networks CONFIDENTIAL 292


ID Manager Configuration
5. Define Guest Type

Guest Types are Displayed On Guest Kiosk or Guest Operator Console
Guest types are selectable by the operator when creating a guest account
• Type Name: Guest-X
• Ensure ☑ Wireless Access is checked
• Network: Guest-X
Note: This is the SSID that is
displayed in the notification.
• User Profile Attribute: 500
• Do not save yet

© 2015 Aerohive Networks CONFIDENTIAL 293


ID Manager Wired Access

• Authentication for both wireless and wired access can be granted using a user name and password.
• Wireless authentication methods also remain for Private PSK or open access.
© 2015 Aerohive Networks CONFIDENTIAL 294
ID Manager Configuration
6. Define more Guest Type settings

• Auth Types: Select Private PSK
• Account Expires: in 24 hours
• Select Access key must be used within: 2 days
Note: This restricts the validity period of the key, causing the key to automatically expire within the desired time frame
• Click Save
© 2015 Aerohive Networks CONFIDENTIAL 295
ID Manager Configuration
7. Verify your Guest Type was created

© 2015 Aerohive Networks CONFIDENTIAL 296


Time Based Guest Types

You can create multiple Guest Types each with PPSKs with different time limitations

© 2014 Aerohive Networks CONFIDENTIAL 297


REGISTERING A GUEST LAB

© 2014 Aerohive Networks CONFIDENTIAL 298


Lab: Guest Registration Interface
1. Go to Guest Registration Interface

Log in to ID Manager as an operator
• Open an additional window in your
web browser and go to:
https://idmanager.aerohive.com

Admin: idm#-user@ah-lab.com
Where # is lab=1,2,3,4, or 5
Password: aerohive123
© 2015 Aerohive Networks CONFIDENTIAL 299
Lab: Guest Registration Interface
2. Register as Guest, Group, or Kiosk

• Here you have a few different options
› Register a Guest or Register a Group – These are options available for an authorized employee or lobby ambassador who is responsible for creating guest accounts
› The Kiosk is used for guest self registration
› The options displayed here are configurable
• Select Register a Guest

© 2015 Aerohive Networks CONFIDENTIAL 300


Lab: Guest Registration Interface
3. Select your guest type

• Scroll to the right to see your guest type
› Click the > button to scroll

• Click Guest-X
© 2015 Aerohive Networks CONFIDENTIAL 301
Lab: Guest Registration Interface
4. Enter Guest Information

For the Kiosk, the guest enters their own information
For the register a guest or register a group options, the authorized operator enters the information on behalf of the guest
• Enter your information
› Note: The phone number requires a country code
• Click the Green Next arrow button
© 2015 Aerohive Networks CONFIDENTIAL 302
Lab: Guest Registration Interface
5. Confirm Settings

• Confirm your settings
• Click the Green Next arrow button to Confirm

© 2015 Aerohive Networks CONFIDENTIAL 303


Lab: Guest Registration Interface
6. Select credential delivery method

• Use the option of your choice to send the guest credentials

© 2015 Aerohive Networks CONFIDENTIAL 304


Lab: Guest Registration Interface
7. Note your SSID and Key

• Optionally, your SSID and Key information is displayed on the screen
• Click Done

© 2015 Aerohive Networks CONFIDENTIAL 305


Lab: Guest Registration Interface
8. Note your SSID and Key

• Click on View Active Guests


• Verify the Guest List and click the Back button
• Click Log Out
• Next you will test the PPSK guest credentials
© 2015 Aerohive Networks CONFIDENTIAL 306
Email and SMS

Here are examples of the email and SMS sent from ID Manager
Please check your email for your guest credentials
Please check your phone for an SMS message with your guest
credentials
© 2015 Aerohive Networks CONFIDENTIAL 307
Lab: Connect to the Secure Guest Network
1. Connected to the Guest SSID

• From the hosted PC, connect to the Guest-X SSID
• Enter the security key provided in the email, SMS, or copied from the screen
• The key is not configured on your AP, so your AP will use RADSEC to contact ID Manager and determine if the key is valid
• If it is, the key is set and distributed to neighboring APs for fast and secure roaming

© 2015 Aerohive Networks CONFIDENTIAL 308


Lab: Connect to the Secure Guest Network
2. Login through the captive web portal

• Open a web browser
• Click Accept once the captive web portal page appears

© 2015 Aerohive Networks CONFIDENTIAL 309


Lab: Connect to the Secure Guest Network
3. Verify Guest VLAN in HiveManager

To view the active Guests
• Go to Monitor → Clients → Wireless Clients
• You can modify the columns to see important information like: IP,
hostname, Client OS, User Profile, VLAN, Encryption Method,
SSID, Data consumption, and more
• Your client should have User Profile Attribute 500, and be in
VLAN 8

© 2015 Aerohive Networks CONFIDENTIAL 310


ID Manager Logs and Reports

• From the ID Manager → Monitor → Logs view you can get a detailed history and current logs for users that have authenticated, SMS Log, active sessions and more.

© 2015 Aerohive Networks CONFIDENTIAL 311


ID Manager Logs & Reports

• From the ID Manager → Monitor → Reports view you can create authentication reports, session reports and more.

© 2015 Aerohive Networks CONFIDENTIAL 312


SOCIAL LOGIN

Guest Authentication via Social Media Accounts

© 2015 Aerohive Networks Inc.


Social Login
The Basics

The Guest Network
Step 1: Customize Captive Portal
• Social channels
• Branding
• VIP guest tracking
Step 2: Customize Landing Page
• Promotion
• Social engagement
Step 3: Guest Analytics
• Customer insights
• Data export and correlation

The Guests
Step 1: Connect to the open SSID
Step 2: Browser gets redirected to the Captive Portal; choose login method
Step 3: Redirected to the landing page after the login

© 2015 Aerohive Networks CONFIDENTIAL 314


Social Login
The Customizable Captive Portal

Customizable Landing Pages

Login methods
• Social Media Accounts
• Use your phone number Login
• Use your Peet’s VIP account Login
• Sign Up for Peet’s VIP Account

© 2015 Aerohive Networks CONFIDENTIAL 315


Social Login
The Customizable Landing Page

Redeem the coupon by:

Download Peet’s App and get $5 award
Download

Peet’s Subscriptions

© 2015 Aerohive Networks CONFIDENTIAL 316


Social Login
Gathering Customer Information

© 2015 Aerohive Networks CONFIDENTIAL 317


Instructor Demonstration (if time permits)
Social Login – HiveManager On-Premises

• Navigate to Home → Administration → HiveManager Services
• Place a check in the ☑ Social Login Settings check box.
• Under General Settings, ensure Enable Social Login is selected.
• Under Social Login Test, click the Test button to verify connectivity to the Social Login Service.
• Click Update to save the configuration.
© 2015 Aerohive Networks CONFIDENTIAL 318
Optional Lab (if time permits)
1. Social Login – Guest SSID Profile

• Navigate to Configuration
• In Choose Network Policy, select your Corp-X
• Click OK.

© 2015 Aerohive Networks CONFIDENTIAL 319


Optional Lab (if time permits)
2. Social Login – Guest SSID Profile

• Next to SSIDs, click Choose


• In the Choose SSIDs dialog box, click New.

© 2015 Aerohive Networks CONFIDENTIAL 320


Optional Lab (if time permits)
3. Social Login – Guest SSID Profile

• Profile Name: Social-X


• SSID: Social-X
• SSID Access Security: Open
• Do NOT save yet

© 2015 Aerohive Networks CONFIDENTIAL 321


Optional Lab (if time permits)
4. Social Login – Guest SSID Profile

• Profile Name: Social-X


• SSID: Social-X
• SSID Access Security: Open
• Place a check in the Use Social Login Check box
• Click Save

© 2015 Aerohive Networks CONFIDENTIAL 322


Optional Lab (if time permits)
5. Social Login – Guest User Profile

• Ensure that your Social-X SSID Profile is selected.
• Click OK.

Notice the new Cloud Captive Web Portal under Authentication

• Under User Profile, click Add/Remove
• In the Choose User Profiles dialog box, click New.

© 2015 Aerohive Networks CONFIDENTIAL 323


Optional Lab (if time permits)
6. Social Login – Guest User Profile

• Name: Social-Guests-X
• Attribute Number: 8
• Default VLAN: 8
• Click Save

© 2015 Aerohive Networks CONFIDENTIAL 324


Optional Lab (if time permits)
7. Social Login – Guest User Profile

• In the Choose User Profiles dialog box, ensure that your Social-Guests-X User Profile is selected.
• Click Save

© 2015 Aerohive Networks CONFIDENTIAL 325


Optional Lab (if time permits)
8. Social Login – Verify Profile Settings

• Verify your Social-X SSID Profile settings.
• Click Continue.

© 2015 Aerohive Networks CONFIDENTIAL 326


Optional Lab (if time permits)
9. Social Login – Update your devices

• Select your 0X-A-xxxxxx access point and all of your 0X-SIMU-xxxxxxx access points.
• Click the Update button.
• Click Update Devices to push your Network Policy to your access points.
© 2015 Aerohive Networks CONFIDENTIAL 327
Optional Lab (if time permits)
10. Social Login – Update your devices

• Click the Update Button.


• Click OK in the Reboot Warning window if needed.
© 2015 Aerohive Networks CONFIDENTIAL 328
Optional Lab (if time permits)
11. Social Login – Testing the configuration

• If you are using a Windows PC
› Use TightVNC
› TightVNC has good compression so please use this for class instead of any other application
• Start TightVNC
› labY-pcX.aerohive.com
› Y=HiveManager number
› X= Your student number
› Select ☑ Low-bandwidth connection
› Click Connect
› Password: aerohive123123
› Click OK
© 2015 Aerohive Networks CONFIDENTIAL 329
Optional Lab (if time permits)
12. Social Login – Testing the configuration

• If you are using a Mac
› RealVNC has good compression so please use this for class instead of any other application
• Start RealVNC
› labY-pcX.aerohive.com
› Y=HiveManager number
› X= Your student number
› Click Connect
› Password: aerohive123.
› Click OK

© 2015 Aerohive Networks CONFIDENTIAL 330


Optional Lab (if time permits)
13. Social Login – Testing the configuration

• From your remote PC, connect to your Social-X SSID.
• Launch your browser from the remote PC.
• In the captive web portal page, click the link for a Social Media to use for login.

© 2015 Aerohive Networks CONFIDENTIAL 331


Optional Lab (if time permits)
14. Social Login – Testing the configuration

• Accept the Use Terms and Privacy Policy.
• In the captive web portal page, click the link for a Social Media to use for login.

© 2015 Aerohive Networks CONFIDENTIAL 332


Optional Lab (if time permits)
15. Social Login – Testing the configuration

• Fill in your credentials and click Login.

© 2015 Aerohive Networks CONFIDENTIAL 333


Optional Lab (if time permits)
16. Social Login – Testing the configuration

• You are redirected to a custom landing page.


• Now that you are connected, browse to
www.aerohive.com to verify connectivity.

© 2015 Aerohive Networks CONFIDENTIAL 334


Optional Lab (if time permits)
17. Social Login – Monitoring through Social Login

• From your local PC, navigate to Monitor → Clients → Active Clients.


• Verify your connection.

© 2015 Aerohive Networks CONFIDENTIAL 335


Social Login
Guest Analytics - Optional Instructor Verification

Customer Activity Insights

[Charts: Visitors by day of the week (Returning Guests, New Guests); Visitor Gender Distribution (Female 37%, Male 63%); Visitor Dwelling Time (< 15 min, 15 - 45 min, 45 - 60 min, 60 min +); Visitor Age Distribution (18-25, 26-35, 36-45, 50+)]

© 2015 Aerohive Networks CONFIDENTIAL 336


Social Login
Social Dashboard - Optional Instructor Verification

Customer Background Insights

Icon | Login | Name | DOB | Age Range | Phone | Last Visit | Visit Freq | Friend Counts | Coupons
 | FB | David C | MM/YY | 20-30 | 11-22-33 | 02/03 | 3 | 1B | 1
 | TWTR | Bryan H | MM/YY | 30-40 | 11-22-33 | 02/05 | 2 | 100M | 0
 | LNKD | Gregor V | MM/YY | 30-40 | 11-22-33 | 02/08 | 1 | 300M | 1
 | GOOG | Metka D | MM/YY | 30-40 | 11-22-33 | 02/01 | 2 | 500M | 2
 | VIP | Brice L | MM/YY | 30-40 | 11-22-33 | 01/09 | 3 | 1.75T | 1

© 2015 Aerohive Networks CONFIDENTIAL 337


Lab Clean Up
In labs that follow, HiveManager will not allow you to place a physical device on a Topology Map that contains simulated devices.

• Go to Monitor and select all of your simulated APs, 0X-SIMU-XXXXX
• Click the Device Inventory... button and select Remove to delete the simulated devices from earlier labs.
• In the Remove Selected Devices Window, click the Remove button to ensure that they are removed from HiveManager.
© 2015 Aerohive Networks CONFIDENTIAL 338
QUESTIONS?

© 2015 Aerohive Networks CONFIDENTIAL


© 2015 Aerohive Networks CONFIDENTIAL
SECTION 11:
DEVICE SPECIFIC SETTINGS

Aerohive’s
Instructor-led Training

340
© 2015 Aerohive Networks Inc.
Device Settings

• All devices including Access Points, Routers, Switches and HiveOS Virtual Appliances have settings specific to their device type and/or model.
• For example, an AP’s device settings are different than those found on a Switch.

STP Settings do not exist on APs | Radio Profiles do not exist on Switches

© 2015 Aerohive Networks CONFIDENTIAL 341


Device Settings

• Device Settings can be configured on a single device.


• Devices of the same make and model can be mass configured using multi select.
However, some options are unit specific and are not able to be configured on more
than one device at a time.

Single Device Configuration | Multiple Device Configuration

© 2015 Aerohive Networks CONFIDENTIAL 342


LAB: AP Device Settings Review
1. Modify an AP’s settings

• Navigate to Monitor → Devices → Access Points → Aerohive APs
• Click on Host Name to put the APs in alphabetical order
• ☑ Select your 0X-A-xxxxxx and click Modify

© 2015 Aerohive Networks CONFIDENTIAL 343


LAB: AP Device Settings Review
2. View the AP device specific settings

Host Name

Topology Map

Radio Functions

Classifier Tags

Radio Power Settings

WLAN Interface Configuration


Radio Channel Settings

© 2015 Aerohive Networks CONFIDENTIAL 344


LAB: AP Device Settings Review
3. View the AP Optional Settings

MGT0 Interface Settings

The MGT0 Interface is a logical IP interface for the AP which is a Layer two device

Ethernet Setup

Advanced Settings Routing Service Settings

© 2015 Aerohive Networks CONFIDENTIAL 345


LAB: AP Device Settings Review
4. View the AP Radio Function Settings

• If both radios are used for client access only, no mesh link is available.
• If the 5 GHz radio is used for a mesh link only, no client access is available in 5 GHz. Clients can connect to the 2.4 GHz radio.
• If the 5 GHz radio allows client access and a mesh link, clients can connect to either radio. The 5 GHz mesh link will also be available.
© 2015 Aerohive Networks CONFIDENTIAL 346
Wireless Mesh

Mesh Portals

Mesh Points

User traffic can be routed to the wired network via a mesh backhaul, reducing installation cost and providing fault tolerance.

© 2015 Aerohive Networks CONFIDENTIAL 347


Mesh and Access on 5 GHz
Each Aerohive AP is a Portal

By default, if each Aerohive AP is a portal (Ethernet connected) it selects a different channel for its mesh/access interface so that more bandwidth is available for clients
© 2015 Aerohive Networks CONFIDENTIAL 348
Mesh and Access on 5 GHz
Two Aerohive APs are Portals and Two are Mesh Nodes

The channel map shows two Aerohive APs using channel 153 and two Aerohive APs using 161, which provides double the bandwidth of a single channel mesh solution
© 2015 Aerohive Networks CONFIDENTIAL 349
Radio Profiles

A Radio Profile determines the behavior of whichever of the two radios on an Aerohive AP you apply it to. Each Aerohive AP has two radios. The wifi0 radio operates in the 2.4 GHz band as specified in the IEEE 802.11b/g/n standards. The wifi1 radio operates in the 5 GHz band as specified in the IEEE 802.11a/n/ac standards.

Note: Each radio can have its own unique Radio Profile that defines radio specific settings.

© 2015 Aerohive Networks CONFIDENTIAL 350


Band Steering Animation

2.4GHz Client: Connected at 2.4GHz
2.4GHz & 5GHz Client (Out of Range of 5GHz): Connected at 2.4GHz
2.4GHz & 5GHz Client (In Range of 5GHz): Connected at 5GHz
[Animation labels: 2.4GHz and 5GHz Probe and Response frames]

© 2015 Aerohive Networks CONFIDENTIAL 351


Lab: Radio Profile
1. Create a New Radio Profile for 2.4 GHz Radio

• From Monitor → All Devices, select your ☑ 0X-A-xxxxxx Aerohive AP and click Modify
• For the 2.4 GHz radio, click + to create a new radio profile
• Click More Settings…

© 2015 Aerohive Networks CONFIDENTIAL 352


Lab: Radio Profile
2. Set name and radio mode

• Profile Name: 2.4GHz-X
• Radio Mode: 11g/n
Optional Advanced Settings
• Important Notes:
› Background scanning is used for auto channel selection, and rogue AP detection
› You can select a region or just modify an existing region to select your own channel plan. The default is USA with channels 1, 6, and 11
• Do not save yet...

© 2015 Aerohive Networks CONFIDENTIAL 353


Lab: Radio Profile (Band Steering)
3. Enable Band Steering

• Expand Optimizing Management Traffic Settings
• Check ☑ Enable the steering of clients from the 2.4 to 5 GHz bands and select the Urge 5 GHz band use option
• Band steering modes
› Urge 5 GHz band use: Most clients will go, but if they insist on 2.4, let them stay.
› Balance band use: Clients can be steered to either band. Allocate a 50/50 mix to balance the clients between the bands.
› Enforce 5 GHz band use: If a client supports 5 GHz, only let them on 5 GHz and not the 2.4 GHz
© 2015 Aerohive Networks CONFIDENTIAL 354
Load Balancing Animation

[Animation: client counts per AP]

© 2015 Aerohive Networks CONFIDENTIAL 355


Lab: Radio Profile (Load Balancing)
4. Load Balancing

• Check ☑ Enable Client Load Balancing and select the Load Balancing Mode: Station-Number
• Click Save

Note: When using client load balancing, the same type of load-balancing mode must be selected on both radios since this is an AP function vs. an individual radio.

Load Balancing modes:
• airtime-based: Balancing based upon client air time
• station-number: Balancing based upon associated client count

© 2015 Aerohive Networks CONFIDENTIAL 356


Lab: Radio Profile
4. Assign 11ng Profile and Create 11na Profile

• Verify your 2.4 GHz radio (wifi0) is assigned to your new radio profile: 2.4GHz-X
• Create a profile for your 5 GHz radio (wifi1)
› Click +
› Click More Settings...

357

© 2015 Aerohive Networks CONFIDENTIAL


Channel Bonding (2.4 & 5 GHz)

[Figure: 5 GHz band markers at 5.15 GHz, 5.25 GHz, 5.35 GHz, 5.470 GHz, 5.725 GHz and 5.825 GHz, spanning UNII-1, UNII-2, UNII-2e and UNII-3; 2.4 GHz band channels 1 to 14 from 2.402 GHz to 2.483 GHz, with a 40MHz 802.11n channel marked]

© 2015 Aerohive Networks CONFIDENTIAL 358


802.11ac Channel Bonding

• The 5 GHz radios in the Aerohive 802.11ac capable APs can be configured for 80 MHz wide channels.
• More frequency space will need to be available for the 80 MHz wide channel use. Therefore you should enable DFS channel use for optimal configuration.
• However, legacy clients may not support the DFS channels.

© 2015 Aerohive Networks CONFIDENTIAL 359


Lab: Radio Profile
5. Channel Bonding

• Profile Name: 5GHz-X
• Radio Mode: 11a/n
• NOTE: If the AP supports DFS in your country, you can enable it here
• Expand Channel and Power
• Select 40 MHz and Above
• Expand Optimizing Management Traffic Settings
• Enable Client Load Balancing and select the Load Balancing Mode: Station-Number
• Click Save
© 2015 Aerohive Networks CONFIDENTIAL 360
Lab: Radio Profile
6. Assign 11na Profile

• Verify your 5 GHz radio (wifi1) is assigned to your new radio profile: 5GHz-X
• Click Save

361
© 2015 Aerohive Networks CONFIDENTIAL
Radio Profiles
Local Demo If Possible

The radio profile settings cannot be demonstrated in this lab environment. However, your instructor may be able to demonstrate band steering locally.

Remember: Some devices will not allow themselves to be steered, since the client makes its own roaming decisions.

© 2015 Aerohive Networks CONFIDENTIAL 362


Radio Profiles
Local Demo If Possible

• Students and Instructor: Observe the connected data rate of your classroom laptop. Are you connected to 2.4 GHz or 5 GHz?
• Instructor ONLY: Repeat the previous lab using the Aerohive APs in the Training Room and update the Training Room Aerohive APs.
• Students and Instructor: Disconnect from the Aerohive Class SSID and then reconnect.
• Go to Monitor->Clients->Active Clients and apply the Training Room-X Filter you made in an earlier lab.
• Determine how many devices were able to be guided into 5 GHz. Note the data rates of the clients.
• Go to Monitor->Access Points->Aerohive Access Points.
• Locate the Training Room Aerohive APs.
• Examine the Client load on each Aerohive AP to see the balance of Client Devices among the Aerohive APs
• On the desktop of your laptop verify the data rate you are using.
© 2015 Aerohive Networks CONFIDENTIAL 363
QUESTIONS?

© 2015 Aerohive Networks CONFIDENTIAL


SECTION 12:
DEPLOYMENT OPTIMIZATION

Aerohive’s
Instructor-led Training

365
© 2015 Aerohive Networks Inc.
User Profiles – Provide User Policy
Assigned to SSIDs or Bridge Interfaces
User Profiles provide the policy to assign
to users when they access an SSID or
bridge interface
• Attribute Number
Used to identify the user profile in a Hive –
returned by Private PSK Group or from
RADIUS after successful authentication
• VLAN Assignment
The VLAN assigned to clients
• GRE Tunnels
L3-Roaming & Identity-based Tunnels
• User Firewalls
MAC level Firewall and
Stateful IP (L3/L4) Firewall Policies
• QoS Settings
Specifies rate limits and weights for user
queues, users, and user profiles

© 2015 Aerohive Networks CONFIDENTIAL 366


User Profiles – Provide User Policy
Yes, there is more!

• Availability Schedules
Permitted User Access Times
• SLA Settings
Specify a service level agreement and decide
to report on and/or boost client performance
to meet a client’s SLA with help from the
dynamic airtime scheduling engine
• Client Classification Rules
Reassign user profiles based on the MAC
OUI, Operating System, Domain
membership or BYOD/CID ownership of a
user device.

© 2015 Aerohive Networks CONFIDENTIAL 367


Management and Native VLAN Configuration

• Management and Native VLANs are configured in the Network Policy.
• CAPWAP, Cooperative Control protocols, SSH and other management traffic reside in the Management VLAN.
• The Native VLAN is for untagged traffic.

Although the default MGT VLAN setting is 1, a good security practice is to change the setting for the MGT VLAN to a non-default value.
© 2015 Aerohive Networks CONFIDENTIAL 368
Using Trunked Ports and VLANS

Multiple user VLANs will require 802.1Q tagging.

802.1Q trunk:
• VLAN 1 – Native VLAN
• VLAN 2 – Management VLAN
• VLAN 5, 10, 20

SSIDs:
• Employee 802.1X: VLAN 5
• Device PPSK: VLAN 10
• IDM/Guest: VLAN 20

© 2015 Aerohive Networks CONFIDENTIAL 369


Aerohive APs and VLANs
Guidelines

Aerohive AP                 Switch port
int mgt0 vlan 1             trunk VLANs 1-100
int mgt0 native-vlan 1      native (untagged) VLAN 1

• The Native VLAN (Untagged VLAN) setting must match the setting for the Native VLAN ID on the switch
• Any traffic from an access client on an Aerohive AP that is assigned to a VLAN which does not match the native VLAN ID is tagged with the VLAN identifier before being sent out of the Ethernet interface
• If the mgt0 VLAN ID does not match the mgt0 Native VLAN ID, management traffic will be tagged with the VLAN ID assigned to the mgt0 interface

© 2015 Aerohive Networks CONFIDENTIAL 370


Aerohive APs and VLANs
Example – Wrong Settings

[Diagram: Employee Client PC, Aerohive AP, switch, LAN]

Aerohive AP                        Switch port
int mgt0 VLAN 2                    trunk VLANs 1-100
int mgt0 native-VLAN 2             native VLAN 1
User Profile: Employee VLAN 20

• Traffic from the AP management interface to the LAN will be untagged and dropped by the switch which expects the management traffic to be tagged. VLAN 1 traffic is untagged.

• To correct this: The native VLAN on the Aerohive AP must match the native VLAN on the switch

© 2015 Aerohive Networks CONFIDENTIAL 371
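The tagging rules from the two "Aerohive APs and VLANs" slides can be checked mechanically before a deployment. The following is an added Python example, not Aerohive code: the class and function names are hypothetical, the switch is modelled with a simplified 802.1Q trunk (an assumption), and the values are the ones shown on the "Wrong Settings" slide.

```python
from dataclasses import dataclass, field


@dataclass
class ApUplink:
    mgt_vlan: int                 # int mgt0 vlan <id>
    native_vlan: int              # int mgt0 native-vlan <id>
    user_vlans: dict = field(default_factory=dict)  # user profile name -> VLAN


@dataclass
class SwitchPort:
    native_vlan: int              # untagged VLAN on the trunk port
    allowed_vlans: range          # VLANs carried on the trunk


def ap_egress_tag(vlan, ap_native):
    """Rule from the guidelines: traffic in the AP's native VLAN leaves the
    Ethernet interface untagged (None); anything else carries its VLAN tag."""
    return None if vlan == ap_native else vlan


def switch_ingress_vlan(tag, port):
    """Simplified 802.1Q trunk model (assumption): untagged frames join the
    port's native VLAN; tagged frames keep their VLAN only if it is allowed."""
    if tag is None:
        return port.native_vlan
    return tag if tag in port.allowed_vlans else None


def audit(ap, port):
    """Return a list of findings; an empty list means AP and switch agree."""
    findings = []
    if ap.native_vlan != port.native_vlan:
        findings.append(
            f"native VLAN mismatch: AP {ap.native_vlan}, switch {port.native_vlan}")
    flows = {"mgt0": ap.mgt_vlan, **ap.user_vlans}
    for name, vlan in flows.items():
        tag = ap_egress_tag(vlan, ap.native_vlan)
        seen = switch_ingress_vlan(tag, port)
        if seen != vlan:
            sent = "untagged" if tag is None else f"tagged {tag}"
            where = ("not carried on the trunk" if seen is None
                     else f"treated as VLAN {seen}")
            findings.append(
                f"{name}: intended VLAN {vlan}, sent {sent}, {where} by the switch")
    return findings


# Values from the "Wrong Settings" slide, and the same AP with the native
# VLAN corrected to match the switch.
WRONG = ApUplink(mgt_vlan=2, native_vlan=2, user_vlans={"Employee": 20})
FIXED = ApUplink(mgt_vlan=2, native_vlan=1, user_vlans={"Employee": 20})
TRUNK = SwitchPort(native_vlan=1, allowed_vlans=range(1, 101))

if __name__ == "__main__":
    for label, ap in (("wrong", WRONG), ("fixed", FIXED)):
        print(label, audit(ap, TRUNK) or "no findings")
```

With the slide's wrong settings the audit reports the native VLAN mismatch and the untagged management traffic; the Employee VLAN 20 traffic is tagged and carried correctly in both cases.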


Syslog

It is a recommended best practice for PCI compliance that the Syslog server and the Aerohive devices using it are on the same internal network.

• The use of NTP to synchronize the timestamp on messages from all syslog clients ensures that all messages reported to the Syslog server appear in the proper chronological order.
• You can set up to four Syslog servers to which Aerohive devices can save event log entries.
• Remember that devices send Syslog messages for the severity level you choose plus messages for all the more severe levels above it. Choose to send information you must collect.

© 2015 Aerohive Networks CONFIDENTIAL 372


For Your Information Outside US
Set the Country Code for World Mode Devices

IMPORTANT: The Class APs are in the U.S., so DO NOT change the country code!
Note: Updating the country code on an AP configures the radios to meet government requirements for the chosen country
You can update the country by going to Monitor->All Devices
• Select all the devices that are within a single country
• Click Update...->Advanced->Update Country Code
• Select the appropriate country code
• Click Upload
• Repeat these steps if you have devices in additional countries

© 2015 Aerohive Networks CONFIDENTIAL 373


QUESTIONS?

© 2015 Aerohive Networks CONFIDENTIAL


WIRELESS INTRUSION
PREVENTION SYSTEM (WIPS)

© 2014 Aerohive Networks CONFIDENTIAL


Rogue Classification – WIPS Policy

WIPS Policy is used to detect and classify access points:
• Aerohive AP – Authorized Aerohive access point
• Rogue AP – Unauthorized access point
• Friendly AP – Manual classification of a neighboring AP
• Rogue AP (In-Net) – Unauthorized access point that is connected to the wired network

© 2015 Aerohive Networks CONFIDENTIAL 376


Rogue Mitigation

[Diagram: In Network Rogue, with callouts for steps 1, 2, 3 and 6]

1. Rogue AP sends ARP or any broadcast
2. Switch floods out all ports
3. APs learn MAC of rogue device on their Ethernet port
4. BSSID of rogue is detected when Aerohive APs perform scans
5. Aerohive AP compares the BSSID with all learned MAC addresses, and if it is within a range of 64 above or 64 below a learned MAC address, then the BSSID is considered in the network
6. If an Aerohive AP sees a station attached to the rogue, it will send spoofed unicast 802.11 deauths from the MAC of the station to the BSSID, and from the BSSID to the MAC of the client
7. The 4 deauths in each direction are sent per second per mitigating AP
8. With one mitigating AP, the station may get some packets transmitted, but with two or more mitigating APs, the client is contained

© 2015 Aerohive Networks CONFIDENTIAL 377
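The four WIPS categories and the in-network test of steps 3 to 5 can be reproduced offline against a scan list and a switch MAC table. This is an added Python example, not Aerohive's implementation: the function names, the inclusive treatment of the 64-address window, the precedence order and every MAC address are constructed assumptions.

```python
import re

IN_NET_WINDOW = 64  # "within a range of 64 above or 64 below a learned MAC address"


def mac_to_int(mac):
    """Parse 02:aa:bb:00:10:00, 02-AA-BB-00-10-00, 02aa:bb00:1000 or 02aabb001000."""
    if not re.fullmatch(r"[0-9A-Fa-f:.\-]+", mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = re.sub(r"[:.\-]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def in_net_match(bssid, wired_macs, window=IN_NET_WINDOW):
    """Return (wired_mac, offset) for the closest MAC learned on the Ethernet
    port that lies within +/- window of the BSSID, or None if there is none.
    The test relies on an AP's radio BSSIDs usually being numerically
    adjacent to its own Ethernet MAC."""
    b = mac_to_int(bssid)
    best = None
    for mac in wired_macs:
        offset = b - mac_to_int(mac)
        if abs(offset) <= window and (best is None or abs(offset) < abs(best[1])):
            best = (mac, offset)
    return best


def classify(bssid, authorized, friendly, wired_macs):
    """Map a scanned BSSID to one of the four WIPS categories.
    Precedence (assumption): authorized inventory first, then the manual
    Friendly marking, then the wired-side proximity test."""
    b = mac_to_int(bssid)
    if b in {mac_to_int(m) for m in authorized}:
        return "Aerohive AP"
    if b in {mac_to_int(m) for m in friendly}:
        return "Friendly AP"
    if in_net_match(bssid, wired_macs) is not None:
        return "Rogue AP (In-Net)"
    return "Rogue AP"


def classify_scan(scan, authorized, friendly, wired_macs):
    """Classify every BSSID from one scan pass; returns {bssid: category}."""
    return {b: classify(b, authorized, friendly, wired_macs) for b in scan}


# Constructed sample data (locally administered addresses, not real devices).
AUTHORIZED = ["02aa:bb00:2010"]                      # managed AP inventory
FRIENDLY = ["02:cc:dd:00:00:01"]                     # manually marked neighbor
WIRED = ["02:aa:bb:00:10:00", "02:ee:ff:00:50:00"]   # MACs learned on Ethernet
SCAN = [
    "02:aa:bb:00:20:10",   # in inventory
    "02:cc:dd:00:00:01",   # friendly
    "02:aa:bb:00:10:08",   # wired MAC + 8
    "02:aa:bb:00:10:40",   # wired MAC + 64, edge of the window
    "02:aa:bb:00:10:41",   # wired MAC + 65, outside the window
    "02-AA-BB-00-0F-C0",   # wired MAC - 64
]

if __name__ == "__main__":
    for bssid, category in classify_scan(SCAN, AUTHORIZED, FRIENDLY, WIRED).items():
        print(f"{bssid:20} {category}")
```

A BSSID that fails the proximity test is only "not shown to be in the network": a device whose radio MAC is not adjacent to its Ethernet MAC will not match, which is one reason the lab keeps mitigation in Semi-Automatic mode and has an operator review each entry.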
Lab: Locating and Mitigating Rogue APs
1. Modify Additional Settings

Rogue AP Detection and other features can be found in Additional Settings
• Go to Configuration
• Select your Network Policy: Corp-X and click OK
• Next to Additional Settings click Edit

© 2015 Aerohive Networks CONFIDENTIAL 378


Lab: Locating and Mitigating Rogue APs
2. Create a WIPS Policy

• Expand Service Settings
• Next to WIPS Policy, click +
• Name: WIPS-X

© 2015 Aerohive Networks CONFIDENTIAL 379


Lab: Locating and Mitigating Rogue APs
3. Define Rogue AP Parameters

• Select Enable short preamble check
• Select Enable short beacon interval check
• Select Enable WMM check
• Select Enable BSSID Detection
• Select Aerohive-MAC-OUI
• Select Determine if detected rogue APs are in the backhaul network
• Do not save yet...

© 2015 Aerohive Networks CONFIDENTIAL 380


Lab: Locating and Mitigating Rogue APs
4. Define Rogue Mitigation Parameters

• Do not select Enable SSID detection
› Note: Aerohive APs can check if the SSID names that other access points advertise, along with the type of encryption other APs might use, match those in a checklist. In this lab, all students have a different SSID, so do not enable SSID detection.
• Select Enable ad hoc network detection
› Note: When stations in an ad hoc network transmit 802.11 beacons and probe responses, the ESS (extended service set) bit is set to 0 and the IBSS bit is set to 1, indicating ad hoc capability.

Do not save yet...

© 2015 Aerohive Networks CONFIDENTIAL 381


Lab: Locating and Mitigating Rogue APs
5. Define Rogue Mitigation Parameters

IMPORTANT: For class, do not enable Automatic, because that will impact other classes that are going on at the same time.

• Expand Optional Settings
• Change mitigation mode to: Semi-Automatic
› IMPORTANT: If you use Automatic, it should only be enabled for rogue APs that are detected as in network, otherwise you may mitigate valid APs and clients from neighboring companies, which is illegal.
• Set the Max number of mitigator APs per rogue AP to: 3
› Note: this means that up to 3 APs which detect a rogue AP can send de-authentication frames to the rogue AP and any attached client every second
• Select  Enable Rogue Client Reporting
• Click Save
© 2015 Aerohive Networks CONFIDENTIAL 382
Rogue Mitigation

© 2015 Aerohive Networks CONFIDENTIAL 383


Lab: Locating and Mitigating Rogue APs
6. Select the WIPS Policy

• In your Network policy, verify the WIPS Policy is set to: WIPS-X
• Click Save.

© 2015 Aerohive Networks CONFIDENTIAL 384


Lab: Locating and Mitigating Rogue APs
7. Update the Devices

• Click Continue or click on the Configure and Update Devices bar.

© 2015 Aerohive Networks CONFIDENTIAL 385


Lab: Locating and Mitigating Rogue APs
8. Update the Devices

• Go to Configuration and select your Corp-X policy and click OK
• Click on the Continue button
• From the Configure & Update Devices section, click the drop down next to Filter and select the Current Policy Filter.

© 2015 Aerohive Networks CONFIDENTIAL 386


Lab: Locating and Mitigating Rogue APs
9. Update the Devices

• Select your 0X-A-xxxxxx access point
• Click the Update button
• Click Update Devices to push your Network Policy to your access points

© 2015 Aerohive Networks CONFIDENTIAL 387


Lab: Locating and Mitigating Rogue APs
10. Update the Devices

• Click the Update Button
• The Delta update will be pushed to your AP

© 2015 Aerohive Networks CONFIDENTIAL 388


Lab: Locating and Mitigating Rogue APs
11. Update the Devices

The AP will not need to reboot this time because this is a Delta update. Only the configuration changes in the Network Policy were uploaded.

© 2015 Aerohive Networks CONFIDENTIAL 389
Email Notification of In Network Rogue APs (View Only Permissions in Class)

• You can be alerted when In Network rogue APs are detected
• Navigate to Home->Administration->HiveManager Services
• Select Update Email Service Settings
• Select Enable Email Notification
• Select In-net Rogue AP
• Deselect any setting you do not want to receive
• Click Update
NOTE: Your permissions do not allow you to modify these settings for class
© 2015 Aerohive Networks CONFIDENTIAL 390
Lab: Locating and Mitigating Rogue APs
12. Verify Rogue AP Policy Settings

1. Verify Wireless IPS Policy
› Go to Monitor->Access Points->Rogue APs
› Change Items per page to 100
› Select the Reporting Aerohive AP column
› See if you can find the MAC address of your Aerohive AP reporting a rogue AP

NOTE: You can go to Settings->Signal Strength Threshold and define a strong signal strength RSSI value so that you can filter on strong RSSI values instead of showing all Rogue APs regardless of signal strength.
© 2015 Aerohive Networks CONFIDENTIAL 391
Semi-Automatic Rogue Mitigation

[Screenshot callouts: Found to be attached to the wired network; Reason(s) why considered rogue]

• When mitigation is set to Semi-Automatic, you can mitigate in-net rogues by going to: Monitor->Access Points->Rogue APs
• Select a BSSID for a rogue SSID to mitigate
• Click Mitigation...->Start Mitigation, and click Yes
• The APs will cooperate among themselves to determine which APs should participate in mitigation, which is similar to automatic mitigation
© 2015 Aerohive Networks CONFIDENTIAL 392
Topology Maps
With Rogue AP Detection and Client Location

• Select the box next to Rogues
• If three or more Aerohive APs on a map detect a rogue, HiveManager can estimate the location of the rogue on the topology map
• Also, if the Aerohive AP location service is enabled, you can view clients as well

[Map legend: Client, Friendly AP, Rogue AP]

© 2015 Aerohive Networks CONFIDENTIAL 393
QUESTIONS?

© 2015 Aerohive Networks CONFIDENTIAL


WI-FI SENSOR MODE

© 2015 Aerohive Networks CONFIDENTIAL 395


Wi-Fi Sensor Mode

• You can now configure Aerohive APs to function as dedicated WIPS (wireless intrusion prevention service) or Presence sensors.
• An AP must normally divide its time between servicing clients and scanning the channel.
• APs that operate as dedicated sensors do not service clients and instead spend all their time scanning for (and mitigating) rogue devices or collecting client presence information.
• Sensor Mode is configured in Radio Profiles
• Create radio profiles for both the 2.4 GHz and 5 GHz radios

© 2015 Aerohive Networks CONFIDENTIAL 396


Wi-Fi Sensor Mode

Three Modes:
• WIPS Only Mode:
› The AP scans the channels and collects data that it then uses to identify and mitigate rogue devices.
• Presence Only Mode:
› The AP collects, aggregates, and analyzes client Presence data.
Presence must be enabled under Reports->Presence Analytics
• WIPS and Presence Mode:
› When both modes are enabled, the AP both collects presence
data and monitors the network for rogue activity.

© 2015 Aerohive Networks CONFIDENTIAL 397


Wi-Fi Sensor Mode – WIPS
Reference only – Do not perform in class

• Expand WIPS Server Settings
• WIPS is enabled by default in all radio profiles.
• Only disable WIPS in the radio profile if you do not want WIPS
• A WIPS policy must still be configured in your Network Policy

© 2015 Aerohive Networks CONFIDENTIAL 398


Wi-Fi Sensor Mode – WIPS
Reference only – Do not perform in class

• Navigate to Monitor->Aerohive APs.
• Select the desired AP.
• Click Modify.
• Select Use a custom configuration.

© 2015 Aerohive Networks CONFIDENTIAL 399


Wi-Fi Sensor Mode – WIPS
Reference only – Do not perform in class

• Under Optional Settings, expand Interface and Network Settings.
• Under Radio Setup, select Sensor for both wifi0 and wifi1.

© 2015 Aerohive Networks CONFIDENTIAL 400


Wi-Fi Sensor Mode
Reference only – Do not perform in class

• In the Sensor Mode Scan Settings, enter the desired Dwell Time.

Note: The dwell time is the time you want the sensor to remain on any channel before moving to another channel to continue the scan.

© 2015 Aerohive Networks CONFIDENTIAL 401


SECTION 12:
AEROHIVE DEVICE MONITORING
AND TROUBLESHOOTING

Aerohive’s
Instructor-led Training

© 2015 Aerohive Networks Inc.


HiveManager Help

HiveManager provides a rich and powerful online help

Click Help on the top menu bar to get a menu of the help options

© 2015 Aerohive Networks CONFIDENTIAL 403


Help System in HiveManager

When you click Help in the upper right hand corner of the
HiveManager Settings you have several options.
› HiveManager Help
» Context sensitive help based on where you are when you select this
option
› Settings
» Lets you specify a path to host the online help web pages locally on
your network
› Videos and Guides
» Contains links to all Aerohive documentation and computer-based
training modules
» You can also download the web-based help system from here as well
› Check for Updates
» Checks Aerohive’s latest code
› About HiveManager

© 2015 Aerohive Networks CONFIDENTIAL 404


Help: Context Sensitive

• Context sensitive help can be viewed in any configuration window
• By default your PC must be connected to the Internet to view the help files unless you have downloaded them and hosted them on your own web server

© 2015 Aerohive Networks CONFIDENTIAL 405


Help: Global Search

Explore the help system by conducting a search for Dynamic Airtime Scheduling by typing the subject in the search window and clicking on the magnifying glass.

The help is automatically expanded when the search strings are found.

Click the relevant section

© 2015 Aerohive Networks CONFIDENTIAL 406


Help System in HiveManager

• Online Training
• Deployment, Quickstart, and Mounting Guides
• CLI Reference Guides

© 2015 Aerohive Networks CONFIDENTIAL 407


New Help System for Mobile Devices

• To access the new Help System for Mobile Devices, simply go to: http://www.aerohive.com/330000/docs/help/english/6.1r3/hm/mobile/help.htm
• Shortened URL: http://bit.ly/1aO1kJ7

[Screenshots: Landing Page, Table of Contents]

© 2015 Aerohive Networks CONFIDENTIAL 408


New Help System for Mobile Devices

• By using a smart phone or Internet-accessible device, you can view a mobile-friendly version of the Help system.
• This allows you access to Help on a mobile device while accessing HiveManager from your desktop without obstructing your view of HM.

© 2015 Aerohive Networks CONFIDENTIAL 409


Client Visibility at a Glance
Without Diving Into Statistics

[Screenshot panels: Client Statistics, Client Health]

• Good connection: High data rates & high successful transmission rates
• Marginal connection: Lower data rates / lower successful transmission rates
• Poor connection: Low data rates / low successful transmission rates

Calibrated to the organization's deployment goals
• High density, performance oriented network
• Normal density network
• Low density, coverage oriented network

© 2015 Aerohive Networks CONFIDENTIAL 410


Client Health = Sum of Its Parts

Overall: “sum” of components to the right
• Radio health
• IP network health (DHCP, DNS, etc)
• Application health: Based on SLA

© 2015 Aerohive Networks CONFIDENTIAL 411


Client Health Example

• At a glance understanding of a client's health
• Easy to drill into problem client info

© 2015 Aerohive Networks CONFIDENTIAL 412


Client Health Blog

http://blogs.aerohive.com/blog/living-on-the-edge/diagnosing-wi-fi-with-aerohives-client-health-tool

© 2015 Aerohive Networks CONFIDENTIAL 413


Client Monitor

Client Monitor allows you to monitor the process a wireless client goes through
when connecting with an Aerohive AP as well as other ongoing client activity
such as probe requests and responses.

© 2015 Aerohive Networks CONFIDENTIAL 414


Client & Aerohive AP Layer 2 Handshakes

© 2015 Aerohive Networks CONFIDENTIAL 415


Lab: Client Monitor
1. Select a client to monitor

• To start monitoring a client's connection state go to: Monitor->Clients->Active Clients
• Select the check box next to your client to monitor
Note: If your client does not appear, you can skip this step for now
• Click Operation...->Client Monitor
• For class, ensure your Associated Aerohive AP is selected (Do not select All)
• The MAC address of your client will be selected
Note: You can manually enter the wireless client MAC address without delimiters
• Write down your client's MAC address
• Note: Remember the Client MAC address for the next step in the lab.
• Click Add

[Screenshot callouts: Click Operation..., Click Client Monitor, Click Add New Client, Select your Aerohive AP, Click Add]
© 2015 Aerohive Networks CONFIDENTIAL 416
Lab: Client Monitor
2. Start the client monitor
• Select Filter Probe
Note: This removes all the probe requests and responses you will see from clients and APs so you can focus on protocol connectivity
• Click Start
Note: Your client will be monitored until you click Stop. You can leave this window, and if you go back to Operation...->Client Monitor, you will see the list of all clients being monitored
• You can expand the window by dragging the bottom right corner
• Select your client to see the connection logs for your client as they occur

[Screenshot callouts: 1. Select Filter Probe, 2. Click Start, 3. Drag bottom right corner of window to expand]

© 2015 Aerohive Networks CONFIDENTIAL 417


Lab: Client Monitor
3. Create a client problem to troubleshoot

From the bottom task bar, click the locate wireless networks icon
› Select Open Network and Sharing Center
› Click Manage wireless Networks
› Select your SSID and remove it

© 2015 Aerohive Networks CONFIDENTIAL 418


Lab: Client Monitor
4. Enter Wrong Security Key for your SSID

• Single-click the wireless icon on the bottom right corner of the Windows task bar
• Try to connect to your Guest-X SSID, but enter an INCORRECT security key
• Click Connect
› Security Key: aerohive456
› Click OK

© 2015 Aerohive Networks CONFIDENTIAL 419


Lab: Client Monitor
5. Analyze client monitor output

• Go back to the Active Clients->Operations...->Client Monitor
• View the output to look for a problem
• Here you can see that a 4-way handshake is failing
› This requires some knowledge of the protocol, but the first two messages are to validate the PSK, and that is what is failing
• You can Export the data and send to support to help troubleshoot

[Screenshot callout: PSK authentication 4-way handshake fails and client is de-authenticated]

© 2015 Aerohive Networks CONFIDENTIAL 420


Lab: Client Monitor
6. Connect to your SSID with the correct security key

Correct the problem:
• Single-click the wireless icon on the bottom right corner of the Windows task bar
• Click your SSID Guest-X
› Click Connect
› Enter the correct Security Key: PPSK from earlier lab
› Click OK

© 2015 Aerohive Networks CONFIDENTIAL 421


Lab: Client Monitor
7. Correct the PSK and view connection results

After correcting the problem: View the client monitor again to view the results

[Screenshot callouts: 4-way handshake completes; Client is assigned IP address from DHCP]
© 2015 Aerohive Networks CONFIDENTIAL 422
Client Monitor
If Client Does Not Exist In Active Clients

1. On a Windows PC for example: Have client open a CMD prompt then type ipconfig /all
Make sure to view the Wireless Network Connection
2. Note Wireless MAC Address
3. From Active Clients, click Operation...->Client Monitor
4. Enter the wireless client MAC address
5. Select Filter Probe
6. Click Start

You do not need to know the client location or associated Aerohive AP. If you leave the fields blank, they will automatically be found
© 2015 Aerohive Networks CONFIDENTIAL 423
Client Monitor Troubleshooting 802.1X Blog

Client Monitor is the perfect tool to troubleshoot 802.1X/EAP problems

More information can be found at:
http://blogs.aerohive.com/blog/the-wireless-lan-training-blog/troubleshooting-wi-fi-connectivity-with-hivemanager-tools

© 2015 Aerohive Networks CONFIDENTIAL 424


Virtual Access Console
Overview

• The AP advertises a WPA2 SSID that is its hostname_ac
• The administrator connects to the SSID, and opens an SSH connection to the AP

[Diagram: Track IP (Default Gateway); Default gateway is not responding to PING]

© 2015 Aerohive Networks CONFIDENTIAL 425


Lab: Virtual Access Console
1. Create a Wireless Access Console Object

To create a Wireless Access Console object
• In your Network Policy go to: Additional Settings->Service Settings and next to Access Console click +
• Name: Console-X
• Mode: Auto
› Note: Auto requires Track-IP to trigger an action of access console if access to one or more specified IP addresses is lost
› Recommendation: Set mode to enable during Aerohive AP installation and set back to Auto after your installation is complete.

Optionally you can specify the MAC addresses of permitted administrators then deny the rest.
© 2015 Aerohive Networks CONFIDENTIAL 426
Lab: Virtual Access Console
2. Create a Wireless Access Console Object

Access Security
• Select WPA2-PSK (WPA2-Personal)
› Encryption Method: CCMP(AES)
› ASCII Key: aerohive123
› Confirm ASCII Key: aerohive123
Optional Settings
• Use the default settings
Note: Telnet is secured because you are using it over an encrypted Wi-Fi connection. Also, if you know the MAC addresses of the wireless cards on administrator PCs, you can add them here as well to limit access.
• Click Save

© 2015 Aerohive Networks CONFIDENTIAL 427


Lab: Virtual Access Console
3. Verify Access Console

• In your network policy, verify the Access Console is set to: Console-X

Do not save yet...

© 2015 Aerohive Networks CONFIDENTIAL 428


Lab: Virtual Access Console
4. Create a Track IP Group

To create a track IP group to track the default gateway and enable the access console if the gateway is unreachable:
• Under Track IP Groups for Backhaul
• Click +

© 2015 Aerohive Networks CONFIDENTIAL 429


Lab: Virtual Access Console
5. Configure a Track IP Group

• Name: Track-X
• Enable IP tracking
Track the following targets
• Default Gateway
• Take action when: all targets become unresponsive
Action
• Enable the virtual access console
• Disable all active SSIDs
• Click Save

Note: Disabling active SSIDs when the tracked IPs are not available may lead people to believe the Wi-Fi is not working, although the real problem is that the wired network is down. If you enable this, please realize that you may have to explain that to people.
© 2015 Aerohive Networks CONFIDENTIAL 430
Lab: Virtual Access Console
6. Activate the Track IP Group

• Click Track-X IP Group object
• Click the > arrow and move the object to the right window to activate
• Click Save

© 2015 Aerohive Networks CONFIDENTIAL 431


Additional Actions using the Access Console
policy

In addition to bringing up the Virtual Access Console when the Track IP group is not reachable, you can also select to start the Backhaul (mesh) failover procedure. This triggers mesh failover on a loss of IP connectivity instead of link-state.

© 2015 Aerohive Networks CONFIDENTIAL 432


Lab: Virtual Access Console
7. Updating the devices

• Click Continue or click on the Configure and Update Devices bar.

© 2015 Aerohive Networks CONFIDENTIAL 433


Lab: Virtual Access Console
8. Updating the Devices

• Select your 0X-A-xxxxxx access point
• Click the Update button
• Click Update Devices to push your Network Policy to your access point

© 2015 Aerohive Networks CONFIDENTIAL 434


Lab: Virtual Access Console
9. Updating the Devices

• Click the Update Button
• The Delta update will be pushed to your AP

© 2015 Aerohive Networks CONFIDENTIAL 435


Virtual Access Console
Test loss of connectivity to default gateway

• The instructor will disable ping on the default gateway
› This will cause track-ip to fail and enable the access console
• The access console will appear as an SSID with the following format: <AP_Hostname>_ac

[Diagram: Client, Aerohive AP, Firewall/Gateway; Track IP Will Fail]

Client
Connect to SSID: 01-A-001122_ac
IP: 1.1.2.2/24
Gateway: 1.1.2.1

Aerohive AP
MGT0 IP: 10.5.2.10
MAC: 0019:7700:1122
Hostname: 01-A-001122
Access Console IP: 1.1.2.1/24
Access Console SSID: 01-A-001122_ac (Hostname_ac)
Broadcast SSID: Yes or No
Services: SSHv2 Access, Telnet Optional

Firewall/Gateway: 10.5.2.1

The Gateway provided by the Aerohive AP is the IP of the Access Console

© 2015 Aerohive Networks CONFIDENTIAL 436


Lab: Virtual Access Console
10. Determine your Aerohive AP's Access Console SSID

• Your Wireless Access Console SSID is the hostname of your AP appended with _ac
• In this example, the access console SSID for the Aerohive AP above is: 15-A-06b840_ac
• The access console is set to Auto mode, which means it will be enabled if track IP fails to get a response, or if its Ethernet interface is disconnected.

[Screenshot callout: Hostname]
© 2015 Aerohive Networks CONFIDENTIAL 437
Lab: Virtual Access Console
11. Connect to Your Aerohive AP's Access Console

• View the SSIDs from your hosted computer
• Within a moment or two, after track IP fails, you will see the SSID: X-A-######_ac
• Click Connect
• Enter the Passphrase/Network Key you created for the access console SSID: aerohive123

© 2015 Aerohive Networks CONFIDENTIAL 438


Lab: Virtual Access Console
12. Verify the IP address of your laptop

• The hosted computer will obtain an IP from the Aerohive AP
• The default gateway provided is an access console IP to access the Aerohive AP from the CLI
› You do not have to worry about IP conflicts, because the IP is only accessible via the unique Access Console SSID

C:\> ipconfig | more


Ethernet adapter Wireless Network Connection:
IP Address. . . . . . . . . . . . : 1.1.2.2
Subnet Mask . . . . . . .. . : 255.255.255.0
Default Gateway . . . . . . : 1.1.2.1

© 2015 Aerohive Networks CONFIDENTIAL 439


Lab: Virtual Access Console
13. Telnet to your Aerohive APs Access Console

From the hosted computer: Telnet to your Access Console IP

C:\> telnet 1.1.2.1


login: admin
Password: aerohive123
Aerohive Networks Inc.
Copyright (C) 2006-2012
0X-A-NNNNNN# show run

© 2015 Aerohive Networks CONFIDENTIAL 440


Lab: Virtual Access Console
14. Troubleshoot the AP’s connection problem

• Some commands to try out to help see where the problem is


access-console mode enable (Keeps the access console enabled)
show int mgt0
show int mgt0 dhcp client
show ip route
ping <default gateway>

VLAN PROBE:
int mgt0 dhcp-probe vlan-range 1 10 timeout 2

© 2015 Aerohive Networks CONFIDENTIAL 441


VLAN Probe Educational Blog

A more detailed explanation on how to use VLAN probe to troubleshoot the wired network can be found at:
http://blogs.aerohive.com/blog/the-wireless-lan-training-blog/its-not-a-wi-fi-problem-use-vlan-probe-to-troubleshoot-the-wired-network

© 2015 Aerohive Networks CONFIDENTIAL 442


Lab: Virtual Access Console
15. View CAPWAP Status

To view the CAPWAP status

AH-0021c0# show capwap client


CAPWAP client: Enabled
RUN state: Connected securely to the HiveManager
CAPWAP Aerohive AP IP: 10.5.1.101
CAPWAP HiveManager IP: 10.5.1.20
CAPWAP Destination Port: 12222
CAPWAP Send Event: Disabled
CAPWAP DTLS status: Enabled
. . .

© 2015 Aerohive Networks CONFIDENTIAL 443


Lab: Virtual Access Console
16. CAPWAP Ping

If your Aerohive AP is not connecting to HiveManager, use CAPWAP Ping
• This will verify routes and firewall access to your HiveManager
• Works when CAPWAP transport is UDP

02-A-064200# capwap ping hivemanager
CAPWAP ping parameters:
Destination server: hivemanager (10.5.1.20)
Destination port: 12222
Count: 5
Size: 56(82) bytes
Timeout: 5 seconds

• Turn off the access console
access-console mode auto (resets the access console to automatic)

© 2015 Aerohive Networks CONFIDENTIAL 444


Virtual Access Console
Instructor enables PING of the default gateway

• The instructor will now re-enable ping to the default gateway
› The access console SSID will disappear
• The Original-X SSIDs will reappear

[Diagram: Client, SSID: Device-PPSK-X; Firewall/Gateway 10.5.2.1]

© 2015 Aerohive Networks CONFIDENTIAL 445


The Utilities Menu

To bring up the Utilities Menu:
• Go to Monitor->Devices
• Select the desired Device Type
• Select the box next to the desired Device
• Click Utilities

© 2015 Aerohive Networks CONFIDENTIAL 446


The Utilities Menu

• The Utilities Menu can be accessed from both the Utilities button and from
the MAPS view
• To access the Utilities from MAPS, right click on an AP and select the desired
tool

© 2015 Aerohive Networks CONFIDENTIAL 447


Tools Available Within the Utilities Menu

• There are Utilities in the initial dropdown list that are quite useful
• Some of the items offer even more functionality through dropdown lists of their own
• Many of the Utilities offer the same functionality as directly accessing a device and using CLI tools, without the need of console access
• The tools available in the Utilities menu can be used on any Aerohive Device found in your HiveManager
• Functionality and tools may vary based upon device type

© 2015 Aerohive Networks CONFIDENTIAL 448


Examining the Utilities
Client Information

• Client Information is available by navigating to the following location: Utilities > Client Information
• Client Information provides useful data such as:
› MAC Address
› IP Address
› Host Name
› Connection Time
› RSSI values, SSID, VLAN
› Authentication Method
› Encryption Method
› Client CWP Used, User Profile ID
› Radio Mode
› Channel
› Last Transmission Rate



Examining the Utilities
L2 Neighbor Information

• L2 Neighbor Information is available by navigating to the following location: Utilities > L2 Neighbor Information
• L2 Neighbor Information reveals information such as:
› Host Names of Neighbors
› MAC addresses of Neighbors
› Connection Time
› Link Cost
› RSSI Values
› Link Type



Examining the Utilities
Diagnostics

• Diagnostics reveals a list of extremely useful troubleshooting tools
• Some tools allow you to troubleshoot the device and its configuration
• Some tools allow you to troubleshoot networking issues
• You may wish to use a few of these before your Aerohive network installation is complete, to document network configurations prior to deployment


Examining the Utilities
LAB 1. Ping

• Navigate to Monitor and place a check in the box ☑ next to your 0X-A-###### AP
• Click Utilities and select Diagnostics > Ping from the available list


Examining the Utilities
LAB 2. Ping

• By default, the device is configured to PING its HiveManager
• You can enter any other IP address and use the PING tool to test connectivity from the AP to that device


Examining the Utilities
LAB 3. Launch Utilities/Diagnostics

• Navigate to Monitor and place a check in the box ☑ next to your 0X-A-###### AP
• Click Utilities and select Diagnostics > Show Running Config from the list


Examining the Utilities
LAB 4. Show Running Config View Output

• Examine the output
• Find your device Hostname and IP address
• Locate your DNS server address


Examining the Utilities Diagnostics
LAB 5. Show Version

• Navigate to Monitor and place a check in the box ☑ next to your 0X-A-###### AP
• Click Utilities and select Diagnostics > Show Version from the list and find out which version of HiveOS is on your device


Examining the Utilities Diagnostics
LAB 6. Show DNXP Neighbors

• Navigate to Monitor and place a check in the box ☑ next to your 0X-A-###### AP
• Click Utilities and select Diagnostics > Show DNXP Neighbors from the list and see Layer 2 and Layer 3 neighbor relationships


Examining the Utilities Diagnostics
LAB 7. Show CPU

• Navigate to Monitor and place a check in the box ☑ next to your 0X-A-###### AP
• Click Utilities and select Diagnostics > Show CPU from the list and view the device CPU usage


Examining the Utilities Diagnostics
LAB 8. VLAN Probe

• Navigate to Monitor > Aerohive APs and place a check in the box ☑ next to your 0X-A-###### AP
• Click Utilities and select Diagnostics > VLAN Probe


Examining the Utilities Diagnostics
LAB 9. VLAN Probe

• A DHCP Discover is sent out on each specified VLAN in the range from the Aerohive AP
• If a DHCP offer is received from the DHCP server, the Aerohive AP will send a NAK to free up the offer
• This tool ensures the switches, routers, DHCP relays, and DHCP server all work for the VLANs that are available

• Enter a range of 1 to 10
• Click Start
• View the results

You can also see the subnet of the IP address that was returned from DHCP!


Examining the Utilities Diagnostics
VLAN Probe

• DHCP server is down
• DHCP is out of leases
• DHCP server not configured properly
• IP Helper address is incorrect


VLAN Probe Failures and their indications

• VLANs not configured on the access switch
• VLANs not tagged on the 802.1Q port
• Port has been configured as an access port


VLAN Probe Educational Blog

A more detailed explanation on how to use VLAN probe to troubleshoot the wired network can be found here:
http://blogs.aerohive.com/blog/the-wireless-lan-training-blog/its-not-a-wi-fi-problem-use-vlan-probe-to-troubleshoot-the-wired-network
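
The probe described in the VLAN Probe slides, sketched as an added example (not Aerohive's code): it builds the 802.1Q-tagged DHCP Discover for one VLAN, turns a returned offer into the offered subnet, and maps silent VLANs to the failure causes listed on the slides. The MAC address, transaction ID and offer contents are constructed sample data, and every function name is hypothetical.

```python
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
DISCOVER, OFFER = 1, 2
NO_OFFER_HINT = ("no offer: check DHCP server state, lease pool, scope config and "
                 "IP helper, then switch VLAN, 802.1Q tagging and port mode")

def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum over the 16-bit words of an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def bootp(op: int, xid: int, yiaddr: bytes, mac: bytes, options: bytes) -> bytes:
    """236-byte BOOTP header, DHCP magic cookie, options, end marker."""
    head = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)  # flags: broadcast
    head += bytes(4) + yiaddr + bytes(8)      # ciaddr, yiaddr, siaddr + giaddr
    head += mac + bytes(10) + bytes(192)      # chaddr (16), sname (64) + file (128)
    return head + DHCP_MAGIC + options + b"\xff"

def build_tagged_discover(mac: bytes, vlan_id: int, xid: int) -> bytes:
    """Ethernet frame with an 802.1Q tag for vlan_id carrying a DHCPDISCOVER."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    # Option 53 = message type, option 55 = parameter request list (subnet mask).
    dhcp = bootp(1, xid, bytes(4), mac, bytes([53, 1, DISCOVER, 55, 1, 1]))
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0)  # checksum 0 = not used
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(dhcp),
                     0, 0, 64, 17, 0, bytes(4), b"\xff" * 4)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    # Broadcast destination, source MAC, TPID 0x8100, TCI (priority 0 + VLAN ID), IPv4.
    eth = b"\xff" * 6 + mac + struct.pack("!HHH", 0x8100, vlan_id, 0x0800)
    return eth + ip + udp + dhcp

def parse_offer(dhcp: bytes, xid: int):
    """Return (offered_ip, network) if dhcp is a DHCPOFFER answering xid, else None."""
    if len(dhcp) < 240 or dhcp[236:240] != DHCP_MAGIC:
        return None
    if dhcp[0] != 2 or struct.unpack("!I", dhcp[4:8])[0] != xid:
        return None                       # not a reply, or a reply to another probe
    opts, i = {}, 240
    while i < len(dhcp) and dhcp[i] != 255:
        if dhcp[i] == 0:                  # pad option carries no length byte
            i += 1
            continue
        if i + 2 > len(dhcp) or i + 2 + dhcp[i + 1] > len(dhcp):
            return None                   # truncated option: reject, do not guess
        opts[dhcp[i]] = dhcp[i + 2:i + 2 + dhcp[i + 1]]
        i += 2 + dhcp[i + 1]
    if opts.get(53) != bytes([OFFER]) or len(opts.get(1, b"")) != 4:
        return None
    ip = ipaddress.IPv4Address(dhcp[16:20])          # yiaddr
    mask = ipaddress.IPv4Address(opts[1])            # option 1: subnet mask
    return ip, ipaddress.IPv4Interface(f"{ip}/{mask}").network

def probe_report(vlans, replies, xid):
    """Map each probed VLAN to the offered subnet, or to a hint when nothing answered."""
    report = {}
    for vlan in vlans:
        parsed = parse_offer(replies.get(vlan, b""), xid)
        report[vlan] = str(parsed[1]) if parsed else NO_OFFER_HINT
    return report

MAC = bytes.fromhex("02005e000001")      # constructed, locally administered MAC
XID = 0x1234ABCD                         # constructed transaction ID
MASK24 = bytes([53, 1, OFFER, 1, 4, 255, 255, 255, 0])
# Constructed replies: VLAN 1 and VLAN 8 answer, every other VLAN stays silent.
SAMPLE_REPLIES = {
    1: bootp(2, XID, bytes([10, 5, 1, 57]), MAC, MASK24),
    8: bootp(2, XID, bytes([10, 5, 8, 25]), MAC, MASK24),
}

if __name__ == "__main__":
    frame = build_tagged_discover(MAC, 8, XID)
    print(len(frame), "byte frame, tag bytes", frame[12:16].hex())
    for vlan, result in probe_report(range(1, 11), SAMPLE_REPLIES, XID).items():
        print(vlan, result)
```

A silent VLAN alone cannot distinguish a DHCP-side fault from a switch-side one; comparing which VLANs answer on the same trunk narrows it down.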

Examining the Utilities
Status

• To view Status after selecting a device go to Utilities > Status
• Status allows you to see the following:
› Advanced Channel Selection Protocol
› Interface
› Wi-Fi Status Summary


Examining the Utilities
LAB 10. Advanced Channel Selection Protocol

• Navigate to Monitor and place a check in the box ☑ next to your 0X-A-###### AP
• Click Utilities and select Status > Advanced Channel Selection Protocol
• Examine the Channels and power settings being used by your AP


Examining the Utilities
LAB 11. Interface

• Navigate to Monitor and place a check in the box ☑ next to your 0X-A-###### AP
• Click Utilities and select Status > Interface
• Examine the configuration of both your wireless and wired interfaces


Examining the Utilities
LAB 12. Wi-Fi Status Summary

• Navigate to Monitor and place a check in the box ☑ next to your 0X-A-###### AP
• Click Utilities and select Status > Wi-Fi Status Summary
• Examine the status of your wireless interfaces


Examining the Utilities
Status

• LLDP/CDP can be enabled to allow your device to collect and transmit Link Layer Discovery Protocol data and collect Cisco Discovery Protocol data
• Typically this would be enabled via your Network Policy
• Here in Utilities you will have many of the same LLDP/CDP options expected to be found in the CLI


Examining the Utilities
ALG SIP Calls
• This option allows the viewing of all currently active Session Initiation
Protocol (SIP) calls
• The ALG SIP calls option is only available from Aerohive APs
• SIP is used for controlling multimedia communication sessions such as voice
and video calls over Internet Protocol (IP) networks
• SIP works with several other Layer 7 protocols that identify and carry the
session media



Examining the Utilities
Configuration Audit

• Displays configurations in HiveManager that are different than those on the device being audited
• Allows you to see if any configuration changes are required


Examining the Utilities
Reboot Device and Set Image to Boot

• Reboot Device allows you to reboot devices from the Utilities menu
• Set Image to Boot allows you to select either the Active or Backup image stored on the device

Please DO NOT do this in class!


Examining the Utilities
Locate Device

• Locate Device allows you to alter the LED status on Aerohive APs
• Facilitates rapid physical location of Aerohive APs
• You can select the LED Color
• You can alter the Blink Mode



Examining the Utilities
Reset Device to Default

• Same action as reset config in the CLI
• Restores the device to factory settings
• Can restore devices to a Bootstrap configuration if you have created and set one on the devices
• Once executed, upon next report to HiveManager, the devices will appear as Unconfigured Devices

Please DO NOT do this in class!


Examining the Utilities
Alarms

• Displays any alarms generated by the selected device in HiveManager


Examining the Utilities
SSH Client

• Launches a Secure Shell (SSH) connection to the device from HiveManager
• Uses the Device Credentials from within HiveManager
• Provides remote access with console commands


Examining the Utilities
SSH Proxy

• Allows you to use a different SSH client than the one provided in
HiveManager should you so desire
• Provides an opportunity to configure the SSH Proxy credentials and settings



Examining the Utilities
Aerohive Device Phone Home

• Allows Aerohive Devices located behind firewalls to make a secure connection to Aerohive Support
• Allows Aerohive support to more easily assist in troubleshooting


Examining the Utilities
Get Tech Data

• Allows you to retrieve the output of the show tech command through the
HiveManager GUI
• Displays a wealth of important technical support information



Examining the Utilities
Spectrum Analysis

• Helps locate the source of Layer 1 interference
• Works on most APs and the BR200WP


Examining the Utilities
LAB 13. Spectrum Analysis

• Navigate to Monitor and place a check in the box ☑ next to your 0X-A-###### AP
• Click Utilities and select Spectrum Analysis
• Click YES in the Confirm window

While conducting Layer 1 analysis, Layer 2 functions will be disrupted.


Examining the Utilities
LAB 14. Spectrum Analysis

• Analyze the output in 2.4 GHz
• Click on Settings and change the Interface to 5 GHz
• Set the 5 GHz Channels to 36-165 and click Update
• Analyze the output in 5 GHz


Configuration Rollback
Provides Safeguarded Configuration Updates

1. Administrator updates complete or delta configuration of Aerohive APs
2. HiveManager sends New Configuration (NC) update and adds configuration rollback settings to configuration for Aerohive AP
3. The current configuration (CC) becomes the rollback (RB) configuration, and the new configuration (NC) is then loaded
4. If the Aerohive AP cannot contact HiveManager with CAPWAP after the configuration update, the Aerohive AP will start a configuration rollback timer, which is 10 minutes, and after the timer expires, the Aerohive AP will reboot and use the rollback configuration to regain connectivity back to HiveManager


Configuration Rollback

• Configuration rollback is enabled by default
• Occurs after Updates when an Aerohive Device cannot establish CAPWAP connectivity with HiveManager
• Wait time is 10 minutes


Configuration Rollback
Example – Configuration Update

Here the MGT0 interface is set to the wrong VLAN “by accident”

The configuration audit shows that the configuration rollback command is set

• In this example the Aerohive AP’s MGT0 interface is set to a VLAN that does not exist on the switch the AP is connected to
• When updating the configuration, if you view the configuration, you can see that the config rollback command is set


Configuration Rollback
Example – Configuration Update Results

• It takes 15 minutes for a configuration upload to time out if there are connectivity issues after the update
• The Hive Device waits 10 minutes, then rolls back its configuration, reboots, and contacts HiveManager, which may take around 12 minutes
• The Hive Device update timer takes about 15 minutes to expire before the Hive Device can be updated again


Contextual Application Dashboard

HTML 5 based Dashboard loads and navigates faster

Automatic Contextual Dashboard Filters based on Device Groups using…
• Location
• Network Policies
• Device Tags

Additional Filtering of Device Groups based on…
• SSIDs
• User Profiles


Customizable Tab Views

• Click the + button to add your own Perspective
• Select the Widgets you wish to use and click the Save button
• Your Customized Tab will appear as My Perspective


Lab: Customized Dashboard
1. Experiment with customizing the dashboard

• Click Dashboard to view a customizable widgetized display
• Select Add Content to select up to 10 widgets to display
• The changes are saved per administrator account

Click and drag the widget bar to move the widget to a new location on the screen

Click Edit to select up to 10 widgets to be displayed


Lab: Reporting
2. Building a Network Summary Report

• Click the Dashboard tab and select the Network Summary tab
• Select World
• Click the dropdown arrow on the far right
• Click Save as Report



Lab: Reporting
3. Building a Network Summary Report

• Name the report Reports-X
• For Report Frequency select Daily
• For Email Delivery Address use your real email address and click Save


Lab: Reporting
4. Viewing the Report

• In the Information dialogue box Click the here link.



Lab: Reporting
5. Viewing the Report

• Select ☑ the top four applications on the left
• Click the Save button on the right


Lab: Reporting
6. Viewing the Report

Notice that your custom report has been saved



Lab: Reporting
7. Exporting the Report

• From the Dashboard tab click on the dropdown arrow on the far
right
• Select Export from the dropdown choices



Lab: Reporting
8. Download and view the Report

• Save and open the report
• Scroll through the information

Viewing reports requires a PDF reader.


Application Discovery

• Over 1200 Applications are AUTO-DISCOVERED with detailed context
› Identify traffic patterns and most popular applications without any configuration
› No need to create user-defined watch lists
• Detailed context and drilldowns supported


Application Visibility

Screenshot callouts: Historical Filters; All Applications; Top Apps by # of users; Most Used Applications; Heaviest Users By Bandwidth Usage


Application Visibility

• Application usage can be viewed at an individual user basis
• Individual users can be identified by 802.1X or PPSK credentials.
• With static PSK or Open SSIDs, the MAC address is the identifier.


Signature Update Mechanism

• Signature Update Mechanism similar to HiveOS update mechanism
› Expect new signatures released quarterly
› Upload new signatures to HiveOS Devices (~5 MB files)
› No reboot needed.
» File loads onto AP, L7 service stops temporarily on AP to load new signatures.


Signature Update Mechanism

• When new HiveOS versions are released application signature updates are automatic.
• Signature updates can also be done manually.
• L7 visibility is available for wireless clients on all Aerohive APs and wired clients on BR-200 router.


Custom Application Detection Rules

• Multiple rules can be created and are evaluated from top to bottom
• Rules can be created using a Host Name, Server IP Address & Port
Number or just a Port Number



APPLICATION CONTROL
WITH AP QOS AND FIREWALL
POLICIES



L7 Aware Classifier Maps for QoS queues

• Configuration > Advanced Configuration > QOS Configuration > Classifier Maps > New
• QoS policies can be created based on L7 applications


Rate Control & Queuing

• Maintain different Rate Control & Queuing settings for different user profiles
› Executives get Netflix access at normal bandwidth
› Employees get Netflix at 250 kbps
• Use Policing Rates on a Queue for 802.11g and 802.11n devices
› Netflix classified into Class 1/ Best Effort 2
› Set Policing Rate for each PHY down to 250 kbps


Lab: Application Firewall
1. Create an Application Firewall Policy

• Navigate to
Configuration, select
your Corp-X policy and
click OK.
• Under User Profile,
click on the link for
your Devices-X User
Profile
• Under Optional
Settings, expand
Firewalls
• Under IP Firewall Policy click + next to From-Access


Lab: Application Firewall
2. Create an Application Firewall Policy

• Name the Policy Application-X.
• Click the + button to the right.
• Under Service, select Application Services.


Lab: Application Firewall
3. Create an Application Firewall Policy

• Choose Group
• Type streaming
• Select  3-4 streaming
apps and move them to
the right >.
• Click OK.

© 2015 Aerohive Networks CONFIDENTIAL 508


Lab: Application Firewall
4. Create an Application Firewall Policy

• Under Action select Deny.
• Click the save icon to the right.
• Click + to create another rule.


Lab: Application Firewall
5. Create an Application Firewall Policy

• Under Service, select Application Services.
• Select Application
• Type the name of a social media app such as Facebook and Twitter.
• Select ☑ 2-3 social media apps and move them to the right >.
• Click OK


Lab: Application Firewall
6. Create an Application Firewall Policy

• Under Actions choose Deny.
• Click the Save icon.


Lab: Application Firewall
7. Create an Application Firewall Policy

• Click the Save button.


Lab: Application Firewall
8. Create an Application Firewall Policy

• Verify that your From-Access policy is selected.
• Default Action = Permit
• Click the Save button.


Lab: Application Firewall
9. Create an Application Firewall Policy

• Click the Continue button to configure and update devices.


Lab: Application Firewall
10. Create an Application Firewall Policy

• Choose the 0X-APs filter
• Check the box next to your AP ☑ AP-0X-A-######
• Click Upload


Lab: Application Firewall
11. Testing your Application Firewall Policy

• Connect to your remote PC using the VNC application.
• Copy the PPSK key either from the user account display or your email, make sure not to copy any extra spaces
• Connect to your SSID: Device-PPSK-X
• Paste your Passphrase/Network Key: <Paste your 20 character PSK>
• Click OK


OPTIONAL Instructor Demo

• If time permits, the instructor can create their own Application Firewall Policy and upload it to the classroom access points.
• Students connected to the classroom APs can try to use any of the blocked applications.
• Discuss results.


QUESTIONS?



SECTION 13:
FIRMWARE UPDATES

Aerohive’s
Instructor-led Training

Updating On-Premises HiveManager Software
Do not perform this operation in class

You can upgrade your HiveManager by going to:
• Home > Administration > HiveManager Operations > Update Software
• You can update from a local file, SCP, or the Aerohive update server
• Click OK to update

Note: The wireless LAN is completely operational when HiveManager is being updated.

Depending on whether the HiveManager software is accessible over a high speed link, the size of the database, and the number of logs to convert, the update can take a few minutes to a few hours.

IMPORTANT! Before performing the software update, you should back up the database and store it in a safe place.


On-Premises HiveManager Partitions
(Do not reboot the HiveManager in Class)
• The updated HiveManager will be in a new disk partition
• The old partition remains intact
› This allows you to reboot back into your old partition and HiveManager software version if needed
• Go to Home > Administration > HiveManager Operations > Reboot Appliance
› Here you can see the partition that is active, and the one that is in standby
› You can reboot into either of the partitions


Updating HMOL Software

• When the “Bee” appears, new software updates are available.
• Home > Administration > HiveManager Operations > Update Software
• Click OK and follow the prompts


Updating HMOL Software

• By clicking Continue, the update verifies that your Aerohive Devices will have CAPWAP connectivity with the new servers.
• Once the validation is complete, the Update test results will be displayed.


Updating HMOL Software

• In the Confirm dialogue box, you are reminded to verify that your devices can reach URLs ending in aerohive.com.
• The software update continues.
• When prompted, click the Confirm button to complete the update.


Updating HiveOS
Multiple HiveOS Version Support

• Using HiveManager, you can update the HiveOS of the same model.
› all Aerohive Devices
› a set of Aerohive Devices
› a single Aerohive Device
• HiveManager can manage Aerohive Devices running different versions of HiveOS.

The software on HiveManager should ALWAYS be on the same version of code or NEWER than the managed devices to be able to manage them. Therefore, you should upgrade HiveManager before updating your devices to newer code.


Lab: Updating HiveOS
1. Update HiveOS on Your Aerohive AP

From Monitor > Access Points > Aerohive APs
• Select ☑ Aerohive AP
• Select Update > Advanced > Upload and Activate HiveOS Software
• Select a HiveOS image from the list
› If you do not have an image you can import one first by clicking Add/Remove
• Do not update yet...

Click Add/Remove to obtain HiveOS Software for the update


Adding HiveOS Versions for Updates

• There is different software for each Aerohive Device platform.
• You can select from existing software on HiveManager.
• Device software not already on HiveManager can be obtained from the support site and uploaded to your HiveManager or obtained via the Aerohive Update Server


Optional: Distributed Updates

Only 1 copy of the HiveOS software is sent to the remote office

Diagram labels: HiveManager, Internet, Branch Office

1. Administrator uploads HiveOS to a set of Aerohive APs in a branch office over a WAN link or the Internet
2. One Aerohive AP at the remote site is selected as the Image Upgrade Server and obtains the HiveOS software from HiveManager
3. The rest of the Aerohive APs at the remote site SCP to the Image Upgrade Server Aerohive AP and install the HiveOS software


Lab: Distributed Updates
2. Update Settings

You specify settings that can be applied each time you update
• If Aerohive APs are mesh nodes, or you are updating over the Internet or WAN, you can choose to activate at next reboot.
› When the update is complete, you can click the link to reboot your Aerohive AP
› You can also rate limit the update so you do not overwhelm smaller links
• Click the Save icon

If you enable distributed update, ensure you select the APs in a single branch office at one time to update

Note: TFTP can be enabled for connections that use WAN optimizers for Aerohive APs managed across a WAN.


Selecting the Update Server/Device

• When updating multiple devices, you may wish to choose a single device to pull the update from HiveManager and distribute it to the other devices on its subnet, making it an Update Server.
• To do so, click the Change Server button and select the desired device. (Make sure to NEVER select a Mesh Point as the Server. If its Mesh Portal reboots during the process, updating the other devices will be problematic.)

When selecting your Image Upgrade Server, ALWAYS select a Mesh Portal (an AP with an Ethernet connection).

Push the Updates to the Mesh Points FIRST to ensure they are able to finish before any Mesh Portals reboot.


Lab: Distributed Updates
3. Upload HiveOS

• Click Upload
• After a few minutes, you should see the update is a success
• When updating the software, if you elected to activate at next reboot, you can select the box next to your Aerohive Device and reboot it or click the Reboot link to activate the new HiveOS version


QUESTIONS?



SECTION 15:
AUTO PROVISIONING

Aerohive’s
Instructor-led Training



Instructor Demo: Auto Provisioning

• Click Configuration
• Click the New Button
• Select Auto Provisioning in the
Navigation Pane



Instructor Demo: Auto Provisioning

• Click the IP Management Button
• In the Imported Device IP Subnetworks box click the Enter IP Button


Instructor Demo: Auto Provisioning

• Enter the IP Subnetwork upon which your APs reside using CIDR notation
as seen in the example used in the image below
• Click Save
• Click OK and close the import dialog box



Instructor Demo: Auto Provisioning

• Enable Auto Provisioning
• Name your Profile InstructorDemo
• Select the device model being used
• Select ☑ Use Serial Numbers or IP Subnetworks to identify devices for Auto Provisioning
• Move your subnetwork to the right


Instructor Demo: Auto Provisioning

• Under Provisioning Configurations select a STUDENTS policy from the dropdown list
• Select the Building1_Floor1 Default Topology Map


Instructor Demo: Auto Provisioning

• Expand Advanced Settings
• Select ☑ Upload configuration automatically
• Select ☑ Reboot after uploading
• Scroll up and click Save


Instructor Demo: Auto Provisioning

• Navigate to Monitor-All Devices
• Select all of the students’ APs
• Click Remove
• When the APs relocate HiveManager they will be provisioned as you have configured (This may take a few minutes)


QUESTIONS?



SECTION 16:
COOPERATIVE CONTROL
OVERVIEW

Aerohive’s
Instructor-led Training



Explanation: Logical Networking Planes

Logical Network Planes compared across Routers, Switches, and Aerohive APs

Management Plane (Configuration, updating, and monitoring)
› Routers: Centralized – Using an NMS platform
› Switches: Centralized – Using an NMS platform
› Aerohive APs: Centralized – Using an NMS platform (HiveManager)

Control Plane (The intelligence – decision making for functionality such as forwarding)
› Routers: Distributed – Using Routing Protocols (OSPF, RIP, BGP, ...) to determine how traffic should be forwarded
› Switches: Distributed – Using Spanning Tree and MAC learning to determine how traffic should be forwarded
› Aerohive APs: Distributed – Using Aerohive Cooperative Control Protocols (AMRP, ACSP, DNXP, INXP) for dynamic RF negotiations, fast and secure L2/L3 roaming, identity-based tunnels, and for determining how traffic should be forwarded

Data Plane (Responsible for processing and forwarding data)
› Routers: Distributed – Processed and forwarded by each router
› Switches: Distributed – Processed and forwarded by each switch
› Aerohive APs: Distributed – Processed and forwarded by each Aerohive AP


Cooperative Control Within a Hive

Hive – Cooperative control for a group of Hive Devices that share the same
Hive name and Hive password.
› There is no limit to the number of Hive Devices that can exist in a
single Hive
› Aerohive APs in a Hive cooperate with each other using Aerohive’s
cooperative control protocols:
» AMRP (Aerohive Mobility Routing Protocol)
– Layer 2 and Layer 3 Roaming, Load Balancing, Band Steering, Layer 2
GRE Tunnel Authentication and Keepalives
» DNXP (Dynamic Network Extensions Protocol)
– Dynamic GRE tunnels to support layer 3 roaming
» INXP (Identity-Based Network Extensions Protocol)
– GRE tunnels for guest tunnels
» ACSP (Automatic Channel Selection & Power) Protocol
– Radio Channel and Power Management



Aerohive APs in Same Hive Use Cooperative
Control Protocols to Enable:
• Cooperative Radio Channel and Power Management with Aerohive APs
• Cooperative client load balancing, and band steering
• Fast and Secure L2 and L3 Roaming
• Wireless Mesh, Dynamic Mesh Routing, Ethernet Bridging over Wireless Mesh
• Layer 2 IPsec VPN
• Guest Tunneling with GRE, and more...

Diagram labels: L2, L3, Ethernet Client Devices, Branch Office, HQ Network, Internal Network, DMZ, Guest Client

Aerohive APs must be configured to be in the same Hive to interoperate with these features


Hive - AMRP Operation Modes
Attach Message, DA and BDA roles

Diagram labels: Designated AP, Backup Designated AP; the rest of the APs are in Attach Mode

• Aerohive AP Operational Modes for Aerohive APs in the same subnet of a Hive
› Attach – sends topology and load info to DA
» If DA exists, it takes <3 seconds for a new Aerohive AP to attach
» Sends unicast heartbeats and topology updates to DA
› DA (Designated AP) – AMRP Hello protocol automatically elects one DA per subnet
» Broadcasts Hello Packets to neighbors every 3 seconds
» Periodically broadcasts topology table to the Ethernet every 60 seconds
– Triggered update when other APs attach
› BDA (Backup Designated AP) – Is the backup for the DA
» Periodically broadcasts Hello packets to neighbors every 3 seconds
» Syncs with DA every 20 seconds in unicast


Cooperative Control Example:
Roaming Handoffs using AMRP

• User authenticates and associates then keys are distributed
• The Aerohive AP predictively pushes keys and session state to one hop neighbors
• As the client roams and associates with another Aerohive AP the traffic continues uninterrupted by the roam

Diagram labels: RADIUS Server, Roam


How does it work?

[Diagram labels: Wireless Network, Wired Network, HiveManager NMS (Policy Configuration, Reporting, Heat Maps, SLA Compliance). The slide's animated callouts overlap in the extracted text; the recoverable ones follow.]

• A single HiveAP by itself acts as a full-featured enterprise class access point
• Identity-based security, including stateful inspection FW, rogue detection & mitigation, Airtime Scheduling, SLA compliance and local forwarding implemented at the edge
• With Cooperative Control, clients can securely and seamlessly roam across the WLAN without a single point of failure
• HiveManager is a single mgmt interface for configuration, OS updates & monitoring of thousands of devices
• Dynamically reroutes around failures
• Secure Fast L2/L3 Roaming

[Other callout topics: mesh networking, dynamic best path forwarding, cooperative RF power levels and co-channel interference, station load balancing, backhaul bandwidth, resiliency and reachability]

Traffic Flow Comparison
Resiliency Comparison
Seamless Wired Integration

Client Roaming In Action

As Clients Roam, APs Constantly Update Neighbours

[Diagram: grid of APs numbered 0 to 40. Legend: AP to which client is connected; APs sharing client's information; APs removing client's information]

Cooperative Control Example:
Roaming Cache

• AMRP forwards the Pairwise Master Key (PMK) between APs within the same subnet.
• DNXP forwards the PMK across Layer 3 boundaries.
• PMKs are also forwarded to next-hop neighbors.
• Next-hop neighbors are APs that are within radio range.
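
The roaming cache on this slide, as an added sketch that is not Aerohive's code and does not model the AMRP or DNXP wire formats: each AP keeps a client-to-PMK cache, pushes entries only to next-hop neighbours, and accepts a roam when the client's PMKID (the standard IEEE 802.11i derivation) matches the cached key. The class and function names, the linear topology, the sample MAC and PMK values, and the eviction rule are assumptions made for illustration.

```python
import hashlib
import hmac

def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    # IEEE 802.11i: PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA)
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]

class AP:
    def __init__(self, bssid: bytes):
        self.bssid = bssid
        self.neighbors = []   # next-hop neighbours: APs within radio range
        self.cache = {}       # roaming cache: client MAC -> PMK

    def push(self, client: bytes) -> None:
        # Predictively copy the client's PMK to one-hop neighbours only.
        for n in self.neighbors:
            n.cache[client] = self.cache[client]

    def full_auth(self, client: bytes, pmk: bytes) -> None:
        # Models the result of a successful 802.1X/RADIUS exchange on this AP.
        self.cache[client] = pmk
        self.push(client)

    def reassociate(self, client: bytes, offered: bytes, prev: "AP") -> str:
        pmk = self.cache.get(client)
        if pmk is None or not hmac.compare_digest(pmkid(pmk, self.bssid, client), offered):
            return "full-802.1X"   # no usable cached key: fall back to full authentication
        self.push(client)
        # Assumed eviction rule: APs near the old AP but not near this one drop the key.
        for ap in [prev, *prev.neighbors]:
            if ap is not self and ap not in self.neighbors:
                ap.cache.pop(client, None)
        return "fast-roam"

def build_chain(count: int) -> list:
    # Constructed topology: APs in a line, each hearing only its adjacent APs.
    aps = [AP(bytes([0x02, 0, 0, 0, 0, i])) for i in range(count)]
    for left, right in zip(aps, aps[1:]):
        left.neighbors.append(right)
        right.neighbors.append(left)
    return aps

def holders(aps: list, client: bytes) -> list:  # indexes of APs holding the client's key
    return [i for i, ap in enumerate(aps) if client in ap.cache]

if __name__ == "__main__":
    aps, sta, pmk = build_chain(4), bytes.fromhex("0200000000aa"), bytes(range(32))  # constructed values
    aps[0].full_auth(sta, pmk)
    print(holders(aps, sta), aps[1].reassociate(sta, pmkid(pmk, aps[1].bssid, sta), aps[0]))
```

In this model the cache footprint follows the client: only the serving AP and its radio neighbours hold the PMK, which bounds how many devices carry key material for any one session.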



QUESTIONS?

THE END
THANK YOU

Please review the supplemental information provided in this class.
