If your access point is configured for the World Regulatory Domain, it is important to set the country code to the country in which the AP will be deployed for optimal wireless operation. To do this, follow these steps:
For further assistance learning how to use Aerohive features and products, refer to the following online training videos and documentation:
This chapter introduces the HiveManager Classic GUI in Enterprise mode through a series of examples showing how to create a basic wireless-only network policy with a hive and an SSID. It then explains how to connect several APs to HiveManager Classic, accept them for management, and push the configuration to them over the network.
You can look at any of the following examples individually to study how to configure a specific feature or view all of them sequentially to understand the basic workflow for configuring and managing APs through HiveManager Classic. The examples are as follows:
After connecting some APs to the network, you enable them to make a CAPWAP connection to HiveManager Classic. You then create a network policy that includes a hive and an SSID and apply it plus some device-level settings to the APs. Finally, you push the configurations to them.
In this first example, you set up three APs for management through HiveManager Classic. Cable two of the APs—AP1 and AP2—to the network. Run an Ethernet cable from the eth0 port on each AP to a switch so that they are in the same subnet as the IP address of the MGT interface on HiveManager Classic. (Neither the AP300 eth1 port nor the HiveManager Classic LAN port are used in this example.) You can use AC/DC power adapters to connect them to a 100-240 VAC power source or allow them to obtain power through PoE (Power over Ethernet) from PSE (power sourcing equipment) on the network. (Both power adapters and PoE injectors are available from Aerohive as options.) Place the third AP—AP3—within range of the other two, and use a power adapter to connect it to an AC power source. See Figure 1, in which the switch uses PoE to provide power to APs 1 and 2.
Figure 1: Connecting APs to the network
By default, the APs obtain their network settings dynamically from a DHCP server. AP3 reaches the DHCP server after first forming a wireless link with the other two APs. (An AP in the position of AP3 is referred to as a mesh point, and APs such as AP1 and 2 are called portals.)
Within the framework of the CAPWAP (Control and Provisioning of Wireless Access Points) protocol, APs act like CAPWAP clients and HiveManager Classic like a CAPWAP server. Because all devices are in the same subnet in this example, the clients can broadcast CAPWAP Discovery Request messages to discover and establish a secure connection with the server automatically. During the connection process, each client proceeds through a series of CAPWAP states, resulting in the establishment of a secure DTLS (Datagram Transport Layer Security) connection.
2.1 Click Enter, type the serial number, and then click Save.
2.2 Check if the device appears at Monitor > Devices > All Devices in the HiveManager Classic Online GUI. Note that it can take up to ten minutes to complete the connection process.
2.3 If the device still does not appear on the All Devices page, power the AP off, wait five seconds, power it back on, and then check the All Devices page again.
2.4 If the device still does not appear on the All Devices page, check that it can access the Internet and that any firewall between it and the redirector allows outbound traffic on UDP 12222 or TCP 80.
If the device connects and appears on the All Devices page in your HiveManager Classic Online VHM, you have successfully resolved the issue and can stop troubleshooting. If not, continue to the next step.
3.1 In HiveManager Classic Online, click Configuration > Show Nav > Auto Provisioning > SN Management > Scan SN, type the 14-digit serial number for the Aerohive device, and then click Save. After that, click Cancel to close the Imported AP Serial Numbers dialog box.
3.2 On the AP Auto Provisioning page, click New, enter the following, and then click Save:
Enable AP Auto Provisioning: (select)
Name: Enter a name for the auto provisioning profile.
Description: Enter a useful note or comment about the profile.
Device Model: Choose the appropriate device model from the drop-down list.
Device Type: Choose the type of device for which you are configuring automatic provisioning.
Apply to devices with the following identification: (select)
Select the serial number that you just entered in the previous step and click the right arrow ( > ) to move it from the Available Serial Numbers column to the Selected Serial Numbers column.
3.3 Reboot the device to reset its CAPWAP state to Discovery. When it contacts the redirection server this time, HiveManager Classic Online will apply the access control defined in the automatic provisioning configuration and redirect the device to your VHM.
Using HiveManager Classic, you can configure two broad types of features:
A network policy is an assembly of policy-level feature configurations that HiveManager Classic pushes to all Aerohive devices that you assign to the policy. Because these configurations are policy-based, they can apply across multiple physical devices. In contrast, device-level configurations are more appropriately applied to smaller sets of devices or to individual devices themselves.
In this example, you create a network policy for wireless devices with a hive and SSID.
The Network Configuration page appears. It is a type of wizard consisting of three main panels:
By following this guided configuration sequence, you can easily and efficiently set up a simple wireless network.
Description: Test policy; remove later
Alternatively, if you already have an existing wireless-only network policy configured on HiveManager Classic, you can create an additional wireless-only policy based on it by cloning it. When you clone a network policy, the result is a network policy that has the same configuration as the original, except that you must give it a new name.
To clone an existing network policy, click Configuration, choose the existing wireless-only policy that you want to clone from the network policy list, click the tool icon on its right, and then click Clone. Keep all the cloned settings to preserve the preconfigured settings, rename it, and then click Clone.
After you click Clone, the network configuration wizard advances to Configure Interfaces & User Access.
An SSID (service set identifier) is an alphanumeric string that identifies a group of security and network settings that wireless clients and access points use when establishing wireless communications with each other. In this example, you create a new SSID that uses a PSK (preshared key) for client authentication and data encryption.
A PSK is the simplest way to provide client authentication and data encryption. A PSK authenticates clients by the simple fact that the clients and access point have the same key. For data encryption, the ASCII passphrase you enter is first converted to a 256-bit PSK (PBKDF2-HMAC-SHA1 with the SSID name as the salt), and both the AP and each client use that PSK as the PMK (pairwise master key). From the PMK, together with the nonces exchanged in the four-way handshake and the two MAC addresses, they generate a PTK (pairwise transient key), which they use to encrypt unicast traffic. Although the PSK/PMK is the same on all clients, the generated PTKs are different not only for each client but for each session.
Because of its simplicity, a PSK is suitable for testing and small deployments; however, there is a drawback with using PSKs on a larger scale. All clients connecting through the same SSID use the same PSK, so if the key is compromised or a user leaves the company, you must change the PSK on the APs and all their clients. With a large number of APs and clients, this can be very time-consuming. For key management solutions that are more suitable for large-scale deployments, consider the WPA/WPA2 802.1X (Enterprise) and PPSK (Private Pre-Shared Key) options. For the present goal of showing how to use HiveManager Classic to configure an SSID, the PSK method works well.
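The derivation described above, carried through in code as an added example (this is not code from the Aerohive documentation or from HiveOS). It derives the PMK from a passphrase and SSID exactly as WPA/WPA2-Personal does, then expands it into a PTK with the 802.11 PRF for two different clients and for two sessions of the same client, which is what makes the per-session keys differ even though every client shares one PSK. The MAC addresses and nonces are constructed values for the demonstration; the passphrase and SSID name are the ones used in this chapter.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    and truncate to the requested length."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Expand the PMK into a 384-bit PTK (CCMP): KCK (16), KEK (16), TK (16).
    The two addresses and the two nonces are ordered numerically, so both sides
    compute the same key regardless of who supplies which value."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


# Constructed demonstration values (not real devices): locally administered MAC
# addresses and fixed 32-byte nonces so the example is reproducible.
AP_MAC = bytes.fromhex("020000000001")
CLIENT_A = bytes.fromhex("020000000010")
CLIENT_B = bytes.fromhex("020000000020")
ANONCE_1 = bytes(range(32))
SNONCE_A1 = bytes(range(32, 64))
SNONCE_B1 = bytes(range(64, 96))
ANONCE_2 = bytes(range(96, 128))
SNONCE_A2 = bytes(range(128, 160))


def demo() -> dict:
    """Same PSK/PMK for everyone; PTKs differ per client and per session."""
    pmk = pmk_from_passphrase("CmFwbo1121", "test1-psk")
    return {
        "pmk": pmk,
        "client_a_session_1": ptk_from_pmk(pmk, AP_MAC, CLIENT_A, ANONCE_1, SNONCE_A1),
        "client_b_session_1": ptk_from_pmk(pmk, AP_MAC, CLIENT_B, ANONCE_1, SNONCE_B1),
        "client_a_session_2": ptk_from_pmk(pmk, AP_MAC, CLIENT_A, ANONCE_2, SNONCE_A2),
    }


if __name__ == "__main__":
    keys = demo()
    print("PMK:", keys["pmk"].hex())
    for name in ("client_a_session_1", "client_b_session_1", "client_a_session_2"):
        print(f"{name}: TK={keys[name]['tk'].hex()}")
```

The cost of the scheme is visible in the first function: anyone who learns the passphrase and has captured one four-way handshake (both nonces and both MAC addresses travel in the clear) can recompute that session's PTK, which is why rotating a shared PSK after a compromise or a departure means touching every client.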
Profile Name: test1-psk (A profile name does not support spaces, although an SSID name does.)
The profile name is the name for the entire group of settings for an SSID. It can include default or modified data rate settings, apply DoS (denial of service) policies and MAC filters, and specify the SSID name that the AP advertises in beacons and probe responses. The profile name—not the SSID name (although they can both be the same)—is the one that appears in the Choose SSIDs dialog box.
When you enter a profile name, HiveManager Classic automatically fills in the SSID field with the same text string. By default, the profile and SSID names are the same, yet they can also be different. You can create many different SSID profiles, each with a different group of settings, but each with the same SSID name. For users, their clients connect to the same SSID at different locations. From the AP perspective, each SSID profile applies a different group of settings.
This is the SSID name that clients discover from beacons and probe responses.
SSID Broadcast Band: 2.4 GHz (11b/g/n) and 5 GHz (11a/n/ac)
Most Aerohive APs have two radios: a 2.4 GHz radio, which supports 802.11n/b/g, and a 5 GHz radio, which supports 802.11n/a. On all AP models except the AP110, both radios can function concurrently. This setting broadcasts the SSID on the wifi0 interface, which is bound to the 2.4 GHz radio, and the wifi1 interface, which is bound to the 5 GHz radio.
As seen earlier in this chapter, one Aerohive AP is deployed as a mesh point; that is, it does not have an Ethernet connection but connects to the wired network over a wireless backhaul link through another AP that does have an Ethernet connection (see Example 5). Because of this, the APs must have at least one radio in dual mode for both wireless backhaul communications and client access.
Description: Test SSID for learning how to use the GUI; remove later
This note and the very name "test1-psk" are deliberately being used as reminders to replace this configuration later with an SSID profile and SSID name that you really intend to use in your WLAN.
SSID Access Security: WPA/WPA2 PSK (Personal)
Key Value and Confirm Value: CmFwbo1121 (To see the text strings that you enter, clear the Obscure Password check box.)
With these settings, the AP and its clients can use either WPA or WPA2 for key management, CCMP (AES) or TKIP for data encryption, and the preshared key "CmFwbo1121" as the pairwise master key from which they each generate pairwise transient keys.
Enable Captive Web Portal: (clear)
Enable MAC Authentication: (clear)
To see how the AP advertises the SSID and how clients form associations with it, see Figure 2 below.
By default, when an Aerohive AP hosts a WPA/WPA2 PSK (Personal) SSID, it uses WPA2 for key management and CCMP (AES) for encryption. Also, the PSK text string is in ASCII format by default. If you want to change these settings and others, choose different options from the drop-down lists and expand the Advanced Access Security Settings section. Leave the defaults (WPA2 with CCMP) unless you have a specific legacy requirement: TKIP is deprecated in the 802.11 standard and is not permitted with 802.11n data rates, so enabling it weakens the SSID without benefiting modern clients.
Figure 2 How a client discovers the SSID and forms a secure association
Because the SSID that you created in Example 3 does not require a captive web portal or RADIUS authentication, the Authentication section to the right of the SSID profile name is empty. However, there is now an Add/Remove link in the User Profile section. You must define a user profile and apply it to the traffic of users accessing the network through this SSID.
Attribute Number: 2
When an SSID uses WPA/WPA2 PSK (Personal), WEP, or Open for access security, an AP can assign only one user profile to all traffic on that SSID. (Although an AP can assign only one user profile to all clients connecting through such an SSID, it can reassign user profiles based on the MAC OUI, device domain name, or OS of the client. See the HiveManager Classic Help for more information about user profile reassignment.) In these cases, APs use the user profile attribute to associate that user profile with the SSID. When the access security method is WPA/WPA2 802.1X (Enterprise) or WEP-802.1X, or when the SSID has MAC authentication or a captive web portal with user authentication enabled, the AP can use RADIUS attributes returned for authenticated users to assign multiple user profiles to traffic on the same SSID. Similarly, when the access security method is PPSK, the SSID can also support the application of multiple user profiles: an AP learns the attributes of the user groups to which different valid PPSK users belong and maps them to different user profiles with matching attributes. In this example, any unused attribute value will suffice.
Network or VLAN-only Assignment: 1
This assigns user traffic to VLAN 1, which is the native VLAN.
Description: Test user profile for learning how to use the GUI; remove later
This note and the user profile name "test1-user" are being used as reminders to replace this later with one that you really intend to use in your WLAN.
Manage users for this profile via User Manager: (clear)
This option is only relevant when you want User Manager administrators and operators to assign PPSK user keys to users. For more information about User Manager, see the online HiveManager Classic and User Manager Help.
After completing the steps in the previous examples, assign the network policy and some device-level settings to the APs and then push the configuration to them. The transfer of AP configuration assignments is presented conceptually in Figure 3. Finally, if you need to change the country code for the APs, see the instructions at the end of this chapter.
Figure 3: AP Configuration Assignments
Network Policy: Test-Network-Policy
This is the network policy that you created in Example 2.
Use one radio (2.4 GHz) for client access and one radio (5 GHz) for client access and a mesh link: (select)
This is the default radio mode setting, so you do not need to change it. However, it is mentioned here to emphasize the importance of having at least one radio in backhaul mode so that AP3, which is functioning as a mesh point, can form a wireless backhaul link with one of the other devices functioning as portals.
Credentials: (click to expand the section)
New Admin Name: It is a good security practice to change the default name of the root AP admin (Default: admin). Enter an alphanumeric string from 3 to 20 characters long.
New Password: Change the password for the root AP admin (Default: aerohive). The default is published in the product documentation, so it must not remain on any device that is reachable from a production network. The password can be an alphanumeric string from 5 to 32 characters long.
Confirm New Password: Enter the password again to confirm its accuracy. To see the text strings you entered in the two password fields, clear the Obscure Password check box.
Uploading Configurations to Aerohive Devices
At this point, you have finished assigning configurations to the AP objects on HiveManager Classic, and it is time to push these configurations from HiveManager Classic to the physical AP devices. Because this is the first time you are using HiveManager Classic to update the configuration on these APs, you must perform a full upload, which requires rebooting the APs to activate their new configurations.
Because AP3 is a mesh point and the update involves changing its hive—from hive0 to Aerohive—you must make sure to update its configuration before updating the configurations on AP1 and AP2. If you upload the configuration on all of them at the same time and schedule them to reboot too quickly (say, 1 second after the upload process completes), there is a chance that the portal through which the configuration for the mesh point is passing will reboot before the mesh point finishes receiving its configuration. If that happens, only the configuration on the portals will be updated. As a result, the portals will become members of a different hive (Aerohive) from the mesh point (hive0). The mesh point will no longer be able to connect to the network through a portal using hive0 and will become disconnected from the network and from HiveManager Classic.
To avoid the preceding scenario, you must first change the hive on mesh points while they can still connect to the network. After you change the hive to which the mesh points belong, they will lose network and HiveManager Classic connectivity temporarily until you update the configuration on the portals. After they also join the new hive, the mesh points will once again be able to connect through their portals to the network and to HiveManager Classic.
The Device Upload Options dialog box appears.
Auto (First time with complete upload; subsequent uploads compare with running AP config): (select)
When initially sending the configuration to APs, HiveManager Classic must perform a complete upload, which it does automatically. After that, it automatically performs a delta upload by comparing the current configuration for the AP stored on HiveManager Classic with that running on the AP and then uploading only the parts that are different. The other three options for uploading configurations are as follows:
Complete Upload: This option uploads the complete configuration to the selected APs and reboots them to activate their new configuration.
Delta Upload (Compare with last HiveManager Classic config): This option uploads only the parts of the configuration that were not previously pushed to the APs from HiveManager Classic.
Delta Upload (Compare with running Aerohive device config): This option uploads only the changes to the configuration based on a comparison of the current configuration for the selected APs on HiveManager Classic with the current configuration running on the APs.
Uploading a delta configuration does not require activation by rebooting the AP and is, therefore, less disruptive. However, before HiveManager Classic can upload a delta configuration to a managed AP, it must first upload the full configuration and activate it by rebooting the AP. After that, you can use the delta options.
Activate after: (select) Leave the default interval of 5 seconds.
The three options for controlling the activation of an uploaded configuration are as follows:
Activate at: Select this option and set the time when you want the updated APs to activate their new configuration. This is a good choice if you want to stagger the activation, or if you want to load a configuration now but activate it when the network is less busy. To use this option accurately, both HiveManager Classic and the managed APs need to have NTP enabled.
Activate after: Select this option to load a configuration on the selected APs and activate it after a specified interval. The range is 0 – 3600 seconds; that is, immediately to one hour. The default is 5 seconds.
Activate at next reboot (requires rebooting device manually): Select this option to load the configuration and not activate it.
The loaded configuration is activated the next time the AP reboots.
Upload and activate configuration: (select)
Upload and activate captive web portal pages and server key: (clear)
Upload and activate certificates for RADIUS and VPN services: (clear)
Upload and activate employee, guest, and contractor credentials: (clear)
It is only necessary to push the configuration itself to the APs. No captive web portal files, digital certificates, or user accounts need to be transferred at this time.
HiveManager Classic begins transferring the configuration to AP3 and displays the progress in the Upload Status column.
After AP3 reboots to activate its new configuration, it tries to reconnect with HiveManager Classic. However, it cannot do so because it is a mesh point that now belongs to the Aerohive hive while its portals—AP1 and AP2—are still using their original configurations in which they are members of hive0. This loss of connectivity will continue until you update the portals, which you do next.
If there is any failure when performing a delta upload, use a complete upload the next time.
After they reboot and activate their new configurations, check the status of their CAPWAP connections by looking at the CAPWAP column on the Monitor > Devices > Access Points > APs page with the View mode set as Display Device Status Information. After a few minutes, all three APs will reestablish their connections.
For APs intended for use in the United States, the region code is preset as “FCC”—for “Federal Communications Commission”—and the country code is preset as “United States”. If this is the case, you can skip this section.
If your AP was configured for the World Regulatory Domain, you must set the appropriate country code to control the radio channel and power selections that APs can use and to meet the regulatory compliance rules mandated in that country. If this is the case, update the country code as follows:
Copyright © Aerohive Networks, Inc.