Wednesday, April 20, 2011

Aerohive HiveAP Initial (Guided) Configuration

Once armed with HiveAPs that are provisioned and have successfully connected to the HiveManager system, and a working knowledge of the HiveManager configuration workflow, we are ready to create and deploy an initial configuration to our HiveAPs.

Administrators can opt to configure the HiveAPs through the Guided Configuration or the Advanced Configuration. I recommend that administrators use the guided configuration until they are comfortable and fully understand all of the settings contained in the advanced configuration section.

Guided Configuration
As the HiveManger online help system states:
"When you first start using HiveManager, the number of configuration objects can be somewhat overwhelming. Common questions that arise at this stage are "What do I need to configure?" and "Where do I begin?"
HiveManager Guided Configuration Section
Luckily, the HiveManager Guided Configuration takes the administrator through the basic configuration steps required to setup HiveAPs to get a WLAN up and running. Navigate to the "Configuration" section of HiveManager. The Guided Configuration section will be visible along the left side of the screen (shown right).

To create a basic configuration to get up-and-running, we'll tackle the basic settings for each of the four objects described in the HiveManager workflow, as well as provide an overview of the optional settings in each section. Note - we will configure individual "HiveAPs" at the end, as it makes a bit more sense to do this last.

Additionally, the HiveManager Help system is context-sensitive, so if you get stuck or need to lookup an item you are unfamiliar with you can simply select Help > HiveManager Help from the upper right corner.

Note - Configuration of these profiles does not affect the current operation of the wireless network until they are applied to HiveAPs and the updated configuration is pushed out, which is covered at the end of this article.

User Profiles
Create a new user profile which controls the default settings applied to users mapped to this profile. User profiles can be applied to users statically through SSID assignment or dynamically through RADIUS assignment based on returned attributes by the server.

Basic settings include the default VLAN access and the Attribute Number used for RADIUS policy assignment of users into the correct user profile. RADIUS attributes 64, 65, and 81 are used for both VLAN and User Profile assignment, with different values of-course (shown below).

Mapping LDAP User Groups to Local User Profiles with RADIUS Attributes
Optional settings in this section include GRE or VPN tunneling for station isolation (guest WLANs) or other security requirements, L2/L3 firewall policies, QoS settings for rate limiting, queuing, and call admission control (CAC), user profile availability schedule (day & time restrictions), and SLA settings for throughput and airtime fairness.

It should also be noted that many of the settings nested within these main objects are linked to corresponding Advanced Configuration objects. These links can be followed by clicking on the "Plus" (Add) or "Notepad" (Modify) icons next to the configuration item. Once the advanced item has been configured, the user is returned to the main object to continue configuration where they left off. 

Link to Add or Modify an Advanced Configuration Item
SSID Profiles
Within the SSIDs configuration section, administrators define logical wireless networks that control the methods by which client and access points communicate with each other, which often includes authentication and encryption settings (as shown below).

SSID definition and security settings configuration in HiveManager
Advanced Access Security Settings can be displayed where indicated by the red line by clicking the link in the figure above. This allows the administrator to fine-tune Group and Pairwise (User) encryption key lifetimes and timers, including an option to enable Proactive / Opportunistic Key Caching (PKC/OKC).

It should also be noted that Aerohive has developed a unique feature called Private Pre-Shared Key (PPSK), that enables the provisioning of unique PSKs to individuals, rather than sharing a single WPA/WPA2 PSK with everyone on the same network. This prevents users from eavesdropping on each other, makes network access revocation tied to individual users, and eases access revocation by eliminating the need to update PSKs on all workstations any time an individual user access is revoked. This is a great feature for small businesses with growing user bases to maintain network security and manageability without having to invest in enterprise class authentication with 802.1x/EAP. Often times small businesses struggle with the expertise, expense, and support involved with deploying an 802.1x solution, and this helps them transition and scale until they are ready. PPSKs are also useful in guest networking scenarios as an alternative to an open network, typically with a clerk, concierge, or attendant providing guests with unique PSKs upon arrival at the establishment.

User profiles are also assigned to users connected to this SSID. In the User Profiles for Traffic Management section, define the default user profile for all users accessing this SSID. Optionally, if using WPA/WPA2 802.1x (Enterprise) also select the user profiles that are allowed to be dynamically assigned to users by a RADIUS server. If the RADIUS server does not return a user profile attribute, or returns a non-selected user profile from the list, then the default user profile is applied. For advanced security, strict enforcement of selected user profiles available for dynamic assignment can be applied, and can be configured to instruct the access point to either disconnect the user, ban the user for period of time (e.g. 60 sec.), or ban the user forever. This is a great security feature which allows a single RADIUS server (or server cluster) to handle authentication for multiple user groups while still enforcing strict network access policies. This prevents SSID hopping whereby a valid user who authenticates successfully connects to a different SSID to gain higher privileged network access rights.

Optional settings in the SSID profile include radio data rates for both 2.4 GHz and 5 GHz network bands, denial of service prevention settings, traffic filtering for management access and client-to-client traffic handling, SSID availability schedules (day & time restrictions), and several advanced configuration settings such as maximum client limit, DTIM period, fragmentation threshold, Wi-Fi Multimedia (WMM), SSID broadcast / hiding, and U-APSD power save.

WLAN Policies
The WLAN policy is the top-level object underneath which all other configuration objects are stored (except for individual HiveAP settings), and are pushed to HiveAPs to apply the operational network settings. As such, the WLAN policy ties together many objects which have previously been configured with a few new ones.

After giving the WLAN policy a name and description, define the Hive that will be used for all access points which are assigned this WLAN policy. A Hive essentially allows multiple HiveAPs to coordinate distributed wireless network control plane and data plane operations, forming a virtual software controller using Aerohive's Cooperative Control architecture. This includes forwarding and routing paths, consistency of QoS and firewall policy enforcement, layer 2 and layer 3 client roaming, and radio frequency and power management. Hive members may be on the same subnet or different subnets. It is recommended that all HiveAPs which clients can seamlessly roam between (without disconnecting) be included in the same Hive.

Configuring a WLAN Policy in HiveManager
Next, add one or multiple SSID profiles to the WLAN policy, which defines the SSIDs that will be pushed to the HiveAPs for network access. Also define the default management interface VLAN and native (untagged) VLAN for the HiveAPs. These VLAN settings help administrators segment management traffic from user traffic to meet performance and security requirements common in most organizations.

Optional settings in the WLAN policy include HiveAP physical interface traffic filters, service settings for application layer gateway (ALG) and WIPS, management servers for SNMP, syslog, DNS, NTP, and location services, QoS classification and marking, dynamic airtime scheduling, VPN service settings for identity-based tunneling (guest DMZ termination for example), and statistics collection settings.

Note - QoS classification and marking is performed globally within the HiveAP, but QoS queuing structures are defined per user-profile.

Note - If you plan on assigning HiveAPs static IP addresses, ensure that DNS servers are defined in the WLAN policy applied to the AP so that it can resolve and connect to HiveManager.

Individual HiveAP Settings
In addition to User, SSID, and WLAN Policy settings, unique settings can be configured for individual HiveAPs. Select the "HiveAPs" link from the Guided Configuration section, which will redirect to the Monitor > HiveAPs screen. Be sure to select the "Config" option button before drilling into an AP to modify the configuration instead of viewing statistics.

Once in an individual HiveAP, administrators can configure various settings that are typically unique to a single AP. These include host name, map location, assigned WLAN policy, radio modes (access, bridge, mesh), and static channel and power settings.

Configuring individual HiveAP settings


Note - To assign a WLAN Policy to multiple HiveAPs at once, select the check boxes next to each HiveAP in the Monitor > HiveAPs screen and click the Modify button. A subset of HiveAP settings are available for configuration across the selected APs.

Optional settings include configuring the built-in captive web portal and RADIUS functions, DHCP or static IP address assignment, static layer 3 roaming neighbors (beyond the dynamically discovered Hive members), administrative security credentials for console access and CAPWAP security to HiveManager, layer 2/3 routing, VLAN tag settings (override WLAN policy), and HiveAP classification (for use in variable substitution with network objects).

Updating the HiveAP Configuration
Now that all four of the Guided Configuration sections have been completed, it's time to deploy the configuration to HiveAPs.

As a precautionary step, review the configuration audit status of the access points prior to deployment to verify accuracy of the updated configuration that will be pushed to the AP. To do this, navigate to the Monitor > HiveAPs screen, ensure the "Monitor" radio button is selected, and click the red triangle next to a HiveAP to view the configuration audit.

Viewing HiveAP configuration audit details
If satisfied with the configuration items, check the box next to every HiveAP to be updated and select the Update > Upload and Activate Configuration button. Configure the desired settings which instructs how HiveManager peforms the upload, including either a complete or delta upload and activation schedule, then click the save icon. The settings section will roll upwards, allowing the administrator click the Upload button and push the settings to the HiveAPs.

Configuring the HiveManager Upload Settings

The user will be redirected to the HiveAP Update Results screen, which will show the progress of the upload and report any issues that may occur.

Viewing HiveAP Update Results

If successful, the settings configured in HiveManager are now active on the HiveAPs and the wireless network should be fully operational.

3 comments:

  1. Hi Andrew,

    Great post as usual. Funny though I just posted my own blog post on PPSK subject today so I have a small, maybe unimportant remark about it.

    I believe that Ruckus Wireless developed PPSK first (or Dynamic PSK as they call it). They also have a patent on it: http://www.ruckuswireless.com/press/releases/20100524-dynamic-psk-patent

    But Aerohive did evolve PPSK further (usage of dynamic VLANs) and that can be super useful and important.

    Thanks for your posts, I truly enjoy reading them.

    Regards,

    Gregor

    ReplyDelete
  2. Gregor,
    Thanks for the feedback and the link!

    Andrew

    ReplyDelete
  3. Hi, Andrew. This is an excellent summary of the four main configuration components in HiveManager. There's a spot waiting for you on the Aerohive Tech Pubs team if you're interested! : ) - Joe Fraher (Manager of Technical Publications at Aerohive)

    ReplyDelete