Aerohive GuestManager Getting Started Guide

Copyright Notice Copyright © 2010 Aerohive Networks, Inc. All rights reserved. Aerohive Networks, the Aerohive Networks logo, HiveOS, HiveAP, HiveManager, and GuestManager are trademarks of Aerohive Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies. Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without receiving written permission from: Aerohive Networks, Inc. 3150-C Coronado Drive Santa Clara, CA 95054 P/N 330010-03, Rev. A


Aerohive GuestManager

Aerohive GuestManager is a visitor management solution through which administrators, called operators, can easily create and manage visitor accounts. The accounts are stored on the GuestManager RADIUS server. Captive web portals running on HiveAPs communicate with the RADIUS server to authenticate users such as visiting guests, contractors, and mobile employees and provide them with simple and secure wireless network access (see Figure 1).

Figure 1 User Login Process (diagram: Visitor, Receptionist (Operator), GuestManager, Visitor's Laptop, HiveAP, Internet; callouts 1 to 5 as follows)

1. The visitor checks in, and the operator creates an account.
2. The operator prints out a receipt with connection credentials for the visitor to use when joining the network.
3. The visitor enters the preshared key "guest123" when forming an association with the HiveAP using the SSID "guest".
4. After the visitor opens a browser, the captive web portal registration page appears. The visitor enters "jane.brown" and "jbrown123" and clicks Submit. The HiveAP verifies the login with GuestManager.
5. After successfully logging in, the visitor opens a new browser instance and can connect to the network.

In more detail:

1. A visitor contacts an operator, who creates a new user account. GuestManager can assign a randomly generated password or a manually defined password to the user account and then print out the login credentials. The operator specifies how long the account remains valid by entering either a length of time or an expiration point.
2. The operator gives the receipt containing the login credentials to the visitor.
3. The visitor makes a wireless connection through an SSID configured with a captive web portal.
4. When the visitor opens a web browser, the captive web portal displays the registration page. The visitor enters the user name (email address) and password assigned by GuestManager. The HiveAP sends the login information to GuestManager as a RADIUS Access-Request message; GuestManager checks its user account database and replies with either an Access-Accept or an Access-Reject message. Upon successful registration, the captive web portal displays a Successful Registration page, assigns the user to a registered user profile, and gives the wireless client an IP address with which it can access the network.
5. The visitor is now able to access the rest of the network.


The scope of this getting started guide is limited to just the essentials required to set up GuestManager and begin using it to provide basic guest access. It explains how to configure GuestManager and NAS (network access server) devices—in this case, HiveAPs—so that they can work together to authenticate wireless users. In addition, the steps that follow include the configuration of RADIUS accounting, which measures the amount of time that RADIUS-authenticated users connect to the network so that you can enforce account lifetimes. The guide concludes with hardware-specific information and rack-mounting instructions.

CONFIGURING GUESTMANAGER

Setting up GuestManager so that it can create user accounts and process the wireless user login requests that HiveAPs forward to it involves the following steps:

• Step 1 Connect GuestManager to the Network
• Step 2 Import the License File and Use the Initial Configuration Wizard
• Step 3 Enable GuestManager for Accounting
• Step 4 Create a Role
• Step 5 Create an Operator
• (Optional) Customization

You can run GuestManager on a dedicated hardware appliance or as a software module on the same appliance as HiveManager. Its physical deployment affects the setup procedure slightly. When GuestManager is running on a stand-alone appliance, all of the following steps are required. When GuestManager is running on an appliance alongside an established HiveManager system, the first step is unnecessary. Note: If there are any firewalls between your management system or the operators’ systems and GuestManager, make sure they allow HTTP and HTTPS traffic (default TCP ports 80 and 443). Similarly, make sure that any firewalls between the NAS devices (HiveAPs) and GuestManager allow RADIUS authentication and accounting traffic (default UDP ports 1812 and 1813).

Step 1

Connect GuestManager to the Network

GuestManager must be connected to the network so that you can configure it and use it to authenticate wireless users.

• First, you need to make an HTTPS connection to it from your management system and configure it.
• Operators can then log in through HTTPS, create user accounts, and print receipts.
• Finally, HiveAPs must be able to send it RADIUS Access-Request messages when wireless users attempt to authenticate themselves as they join the network.

The appliance on which GuestManager runs has two Ethernet interfaces: LAN and MGT. However, GuestManager 2.0 only supports the MGT interface. If you are running GuestManager on the same appliance as HiveManager, make sure that the default gateway is in the same subnet as the MGT interface so that GuestManager can reach it from the MGT interface.

The following setup is only required when deploying GuestManager on an Aerohive appliance by itself. If you are adding GuestManager to an Aerohive appliance on which HiveManager is already running, its network settings have already been configured; proceed to Step 2.

1. Connect the power cable to a 100 – 240-volt power source, and turn on the Aerohive appliance. The power switch is on its back panel.
2. Connect one end of an RS-232 serial cable to the serial port (or COM port) on your management system.
3. Connect the other end of the cable to the male DB-9 console port on the appliance.
4. On your management system, run a VT100 emulation program using the following settings:
   Bits per second (baud rate): 9600
   Data bits: 8
   Parity: none
   Stop bits: 1
   Flow control: none
5. Log in by entering the default user name (admin) and password (aerohive).
6. The CLI shell launches and offers several options. To change network settings, enter 1 (1 Network Settings and Tools), and then enter 1 again (1 View/Set IP/Netmask/Gateway/DNS Settings).
7. Follow the instructions to configure a static IP address and netmask for the MGT interface, its default gateway, the host and domain name of the Aerohive appliance, and its primary DNS server.
   Note: The default IP address/netmask for the MGT interface is 192.168.2.10/24.
8. After you finish configuring the network settings, restart network services by entering 6 (6 Restart Network Services), and then enter yes to confirm the action. You can now disconnect the serial cable.

Step 2

Import the License File and Use the Initial Configuration Wizard

Before you can start using GuestManager, you must enter a license, which Aerohive sends to you in a text file.

1. Connect an Ethernet cable from the MGT interface to the network.
2. Connect your management system to the network so that you can make an HTTPS connection to the IP address that you set for the MGT interface.
3. Open a web browser and enter the IP address of the MGT interface in the address field. For example, if you changed the IP address to 10.1.1.8, enter https://10.1.1.8/gm in the address field. If you add GuestManager to an appliance that also has HiveManager running on it, log in to HiveManager at https://10.1.1.8/hm and to GuestManager at https://10.1.1.8/gm.
   Note: If you ever forget the IP address of the MGT interface and cannot make an HTTPS connection to GuestManager or HiveManager, make a serial connection to its console port and enter 1 for "Network Settings and Tools" and then 1 again for "View/Set IP/Netmask/Gateway/DNS Settings".
4. When you make an HTTPS connection to the appliance, it is normal for a security warning about the certificate to appear. This happens because the Aerohive appliance uses a self-signed certificate and your browser does not have the signing CA (certificate authority) certificate to verify it. Accept the certificate and continue. Because the browser cannot tell a self-signed certificate from one presented by a device impersonating the appliance, make this first connection from a trusted network segment, and consider installing a certificate issued by a CA that your browsers trust so that later administrator and operator logins are not exposed to interception.
5. After forming an HTTPS connection to the GuestManager interface, the GuestManager license management page appears. Browse to the license file that you received as an email attachment after purchasing GuestManager, select it, and then click Import. After the license is loaded, the login prompt appears.
6. Enter the default administrator user name and password (admin, aerohive), and then click Login. The license agreement page appears.
7. Read the license agreement, select "I accept the terms and conditions of this license agreement" if you accept it, and then click Continue. GuestManager launches an initial configuration wizard.
8. On the first page of the wizard, create a new administrator account, and then click Save and Continue. The System Hostname page appears.
   Note: The password you set for this account also becomes the new password for the root administrator, so choose a strong one.
9. Either keep the existing host and domain name (the default is hivemanager.aerohive.com) or set a new one, and then click Save and Continue. The Network Interfaces page appears.
10. Change the network settings for the MGT interface by selecting it, clicking Edit, and entering new settings; or accept the settings that are displayed. Then click Continue to HTTP Proxy. The System HTTP Proxy page appears.
11. If GuestManager must access the public network through an HTTP proxy, enter its URL and, if it requires authentication, a user name and password. If the network does not require outbound traffic to pass through an HTTP proxy server, leave the fields empty. Then click Save and Continue. The SMTP Configuration page appears.
12. Configure SMTP settings so that GuestManager can send user account information by email, test your configuration, and then click Save and Close. (If your SMTP server is configured to block scripting, use the "No skin — Plain text only" option.) If you do not intend to use email as a means for delivering user accounts, leave the fields empty, and then click Save and Continue. The SNMP Setup page appears.
13. If you want to allow SNMP managers to query GuestManager and receive SNMP traps, configure the SNMP settings. If not, leave the fields empty. Then click Save and Continue. The Server Time page appears.
14. Check that the date and time are correct. If so, leave the page as it is. If not, enter the IP address or domain name of one or more NTP servers that you want GuestManager to use. Then click Save and Continue. If you change the NTP settings, GuestManager system services restart to apply the new settings. After they restart, the RADIUS Default Vendor page appears. Accurate time matters here because account expiration and session accounting are measured against the server clock.
15. Choose Aerohive (RFC 3576 support) from the NAS Type drop-down list, and then click Save and Continue. The RADIUS Network Access Servers page appears.
16. Click Create, located near the top of the rectangular area on the page. The Create Network Access Server dialog box appears.
17. Enter the following in the Create Network Access Server dialog box, and then click Create NAS Device:
   Name: Enter a descriptive name for the HiveAP.
   IP Address: Enter the IP address or resolvable domain name of a HiveAP from which you want GuestManager to accept authentication requests.
   NAS Type: From the drop-down list, choose Aerohive (RFC 3576 support).
   Shared Secret: Enter the shared secret that the HiveAP and GuestManager use to authenticate each other when the HiveAP connects to the GuestManager RADIUS server. Then enter it again in the Confirm Shared Secret field to confirm accuracy. Use a long, random secret: RADIUS hides the user's password in each Access-Request with a keystream derived from this secret, and a guessable secret lets anyone who captures the traffic recover guest passwords and forge replies.
   Description: Enter a useful note, such as the location of the HiveAP.
18. Repeat the above configuration for each HiveAP that you want to define as a NAS, and when done, click Complete initialization. The initial setup wizard is complete. You can now use the GuestManager GUI to configure it further.


Step 3

Enable GuestManager for Accounting

Configure some RADIUS server options to avoid sessions accidentally timing out if the network connection between the HiveAP and GuestManager fails, and to support RADIUS accounting when clients roam. After completing the initial configuration wizard, GuestManager displays the "Welcome to Aerohive GuestManager" page. Click Manage RADIUS Services > Server Configuration, and check that the two options sql.simultaneous_stale_time and override.session.radutmp appear in the Server Options list. If they do not, add them, and then click Save and Restart:

   # Uncomment these lines to enable these options:
   #security.reject_delay = 0
   proxy_requests = no
   sql.simultaneous_stale_time = 60
   sql.safe_characters = all
   override.session.radutmp = yes

Setting "sql.simultaneous_stale_time = 60" prevents GuestManager from counting down the time remaining in an account if it does not receive any user traffic or a heartbeat from the HiveAP for 60 seconds. This protects users from losing time if a network issue interrupts connectivity. Setting "override.session.radutmp = yes" enables session limits, which is necessary for accounting to work properly when clients roam.

Step 4

Create a Role

Create a user role and add a user profile attribute that the HiveAP uses to link the user account generated on GuestManager to a user profile defined on the HiveAP. The HiveAP can then assign the appropriate QoS, schedule, and firewall and mobility policies to traffic from users belonging to that user role/profile. To link the user account on GuestManager with a user profile on the HiveAP, click RADIUS Services > User Roles > Create a new role, enter the following, and then click Save Changes:

Role Name: Enter a name for the role, such as "Guests with Accounting".
Description: Enter a useful description or note about this user role.
Private PSK: (clear)
RADIUS Attributes
   User Profile Attribute: GuestManager includes this attribute in the Access-Accept messages that it returns to HiveAPs after it successfully authenticates users. HiveAPs map this attribute to a user profile attribute so that they can determine which user profile to apply. Enter the same number as the user profile attribute for authenticated users on the HiveAPs. For example, enter 11 if that is the attribute of the authenticated user profile for the SSID hosting the captive web portal. If you do not configure GuestManager to return any attribute value, HiveAPs apply the user profile specified as the default.
   VLAN ID: Enter the VLAN ID that you want the HiveAP to assign to authenticated users.
   Reauthorization Time: Enter an interval after which a user in an ongoing session must reauthenticate. If you do not set a reauthorization time, users with an active session are never asked to reauthenticate while that session lasts.


Step 5

Create an Operator

An operator is the person who creates, prints, and manages user accounts. You can define an operator account with various types of privileges to create and edit user accounts, import and export guest account lists, and customize forms and print templates.

1. Click Administrator > Operator Logins > Manage Operators > Create operator login. The Create Operator Login dialog box appears.
2. Enter the following, leave the other fields as they are, and then click Create Operator Login:
   Operator Username: Enter the name that the operator will use when logging in to GuestManager.
   Operator Password: Enter the password that the operator uses to log in. Then enter it again to confirm accuracy.
   Note: The operator password must be at least six alphanumeric characters long and must be different from the operator user name.
   Comment: Enter a useful description for the operator.
   Operator Profile: To define the permitted actions for the operator and the general appearance of the user interface that he or she will see, choose one of the following predefined operator profiles from the drop-down list:

   Administrator and Operator Profiles   Privileges
   IT Administrators                     Default administrative profile; full privileges
   Null Profile                          No privileges
   Operations and Marketing              Can create, modify, and delete user accounts and operator login accounts
   Reception and Front Desk              Can create user accounts and print or send receipts

   Give front-desk staff the Reception and Front Desk profile rather than a broader one: the Operations and Marketing profile can also create further operator logins, and IT Administrators has full privileges.

Note: If you want an operator to have a different set of privileges from those defined in the default profiles, you can create a new operator profile. To do that, log in with administrator privileges, and click Administrator > Operator Logins > Manage Profiles > Create a new operator profile. The initial GuestManager setup is complete. The defined operator can now use it to create user accounts, and GuestManager will accept authentication requests from the defined NAS devices. You can use the default user forms and receipts or customize them to allow the input and output of other types of information (see "Customization").


Customization You can customize the new user account form and print templates for receipts to include different types of information from those provided in the default form and templates.

Customizing the New User Account Form

1. Log in to GuestManager with customization privileges. (The predefined operator profiles with these privileges are IT Administrators and Operations and Marketing.)
2. To create new fields or modify existing fields for account forms, click GuestManager > Customization > Customize Fields. To create a new field, click Create new field, and then enter the field name, field type, and description. To modify an existing, unlocked field, select the field, click Edit, and then modify the field name, type, and description. (A padlock icon indicates locked fields that cannot be edited.) Click Save Changes.
3. To modify the new user account form by adding new fields to it or removing existing fields from it, click GuestManager > Customization > Customize Forms & Views > form_name > Edit Fields. Select an existing field, and then click Edit to modify the field itself, Remove to remove it from the form, or Insert Before or Insert After to add a new field to the form before or after the selected one. Click Save Changes.

Customizing a Print Template

1. Log in with customization privileges. (The predefined operator profiles with these privileges are IT Administrators and Operations and Marketing.)
2. To create a new print template or modify an existing template, click GuestManager > Print Templates. To create a new print template, click Create new print template, and then enter the HTML code used to generate a user account receipt. To modify an existing template, select the template, click Edit, and then modify the HTML code used to generate a user account receipt. Click Create Template or Save Changes.
3. To change the SSID name and preshared key that appear in the user account receipts that an operator gives to users, log in with access to Plugin Manager. (A predefined operator profile with access to Plugin Manager is IT Administrators.) Click Administrator > Plugin Manager > Manage Plugins > Configuration (for GuestManager Plugin). Enter a new name in the Site SSID field and a new preshared key in the Site WPA Key field. Click Save Configuration. This changes only what the receipt prints; the SSID and preshared key configured on the HiveAPs (see "Configuring HiveAPs as NAS Devices") must be changed to match, or visitors will receive credentials that do not work.


CONFIGURING HIVEAPS AS NAS DEVICES HiveAPs are the devices through which wireless clients can access a network. One way to control that access is for the HiveAPs to assign unregistered wireless clients to a quarantined segment of the network and drive all their network connection attempts to a registration page on a captive web portal. There, users can register by entering the user name and password they received from GuestManager. The HiveAPs forward the submitted login data to GuestManager for validation. If GuestManager approves a request, then the HiveAP assigns the wireless client to the network segment for registered users and assigns the user to a registered user profile. A captive web portal provides registered users with network access while containing unregistered users. Aerohive offers two approaches to applying a captive web portal, one using external DHCP and DNS servers on the network and the other using internal DHCP and DNS servers on the HiveAP itself. In the first approach, both registered and unregistered users must be in the same VLAN because the DHCP and DNS servers that they use initially before they register will be the same ones that they continue using after they register. In the second approach, you can separate the unregistered and registered users into two separate VLANs because the unregistered users access the internal DHCP and DNS servers on the HiveAPs, whereas the registered users access the external DHCP and DNS servers, which can be in a different VLAN from the internal servers on the HiveAP.

Captive Web Portal with External DHCP and DNS Servers

With this approach, when the client of a previously unregistered visitor first associates with the guest SSID, the HiveAP assigns the user profile for unregistered users to the visitor. It allows DHCP and DNS traffic to pass through so that the client can receive its address and TCP/IP assignments and resolve domain names to IP addresses. It also allows ICMP traffic for diagnostic purposes. However, the HiveAP intercepts all HTTP and HTTPS traffic from that client, and drops all other types of traffic, thereby limiting its network access to just the HiveAP with which it associated. No matter what website the visitor tries to reach, the HiveAP directs the visitor's browser to a registration page. After the visitor registers, the HiveAP stores the client's MAC address as a registered user, applies the registered user profile to the visitor, and stops keeping the client captive; that is, the HiveAP no longer intercepts HTTP and HTTPS traffic from that MAC address, but allows the client to access external web servers. The entire process is shown in Figure 2.

Figure 2 Captive Web Portal Exchanges (diagram: wireless client, wireless access point, DHCP server, DNS server, HTTP server, GuestManager; callouts 1 to 6 as follows)

1. Association using SSID "guest" (Association Request / Association Response). The client forms an association with the HiveAP, but the visitor has not yet registered. The HiveAP allows DHCP, DNS, and ICMP traffic through; it redirects all HTTP and HTTPS traffic to its own web server and drops all other traffic.
2. Address and TCP/IP assignments (DHCP Discover / Offer / Request / ACK). The HiveAP allows DHCP traffic to pass between the client of an unregistered user and a DHCP server on the network so that the client can receive its IP address and TCP/IP assignments.
3. DNS address resolution (DNS Query / DNS Reply). The HiveAP allows DNS queries and replies between the client and a DNS server on the network.
4. HTTP connection to the captive web portal (HTTP GET / Reply). When the client sends an HTTP or HTTPS GET command, the HiveAP intercepts it and sends it to its own HTTP server, which replies with a guest access registration page. The user must agree to an acceptable use policy, fill in some fields, and then submit the form.
5. Registration. After the user provides a username and password and submits the registration, the HiveAP forwards the access request to GuestManager. If GuestManager approves the request, the HiveAP moves the client's MAC address (in the figure, 0016:cf8c:57bc) from the quarantined list to the registered list.
6. DHCP, DNS, and HTTP forwarding. The HiveAP applies the user profile for registered guests and forwards all types of traffic to the rest of the network, as permitted by the firewall policies assigned to that user profile.

Captive Web Portal with Internal DHCP and DNS Servers

With this approach, when the client of a previously unregistered visitor first associates with the guest SSID, the HiveAP acts as the DHCP server, DNS server, and web server, limiting the client's network access to just the HiveAP with which it associated. No matter what website the visitor tries to reach, the HiveAP directs the browser to a registration page. After the visitor registers, the HiveAP stores the client's MAC address as a registered user and stops keeping the station captive; that is, the HiveAP no longer acts as the DHCP, DNS, and web server for traffic from that MAC address, but allows the client to access external servers. The entire process is shown in Figure 3.

Figure 3 Captive Web Portal Exchanges Using Internal Servers (diagram: wireless client, wireless access point, GuestManager; callouts 1 to 6 as follows)

1. Forming an association (Association Request / Association Response). The client forms an association with the HiveAP, but the visitor has not yet registered. The HiveAP directs all DHCP, DNS, and HTTP traffic from unregistered guests to itself instead of allowing it to the rest of the network.
2. Address and TCP/IP assignments (DHCP Discover / Offer / Request / ACK). The HiveAP's internal DHCP server hands out, for example:
   IP Address: 1.1.1.2
   Netmask: 255.255.255.0
   Default Gateway: 1.1.1.1*
   DHCP Server: 1.1.1.1*
   DNS: 1.1.1.1*
   Lease: 10 seconds
   * By default, a HiveAP assigns IP addresses to the subinterfaces used for the captive web portal as follows: wifi0.1 through wifi0.16 use 1.1.1.1 through 1.1.16.1, and wifi1.1 through wifi1.16 use 1.1.101.1 through 1.1.116.1.
   The short lease is what lets the client obtain a new address from the external DHCP server shortly after it registers, once the HiveAP stops acting as its DHCP server.
3. DNS address resolution (DNS Query / DNS Reply). The HiveAP's DNS server holds a wildcard A record in the root zone ".":
      *  IN  A  1.1.1.1
   so it resolves every domain name query to the same IP address, in this case 1.1.1.1.
4. HTTP connection to the captive web portal (HTTP GET / Reply). When the HTTP client sends a GET command, the HTTP server replies with a guest access registration page. The user must agree to an acceptable use policy, fill in some fields, and then submit the form.
5. Registration. After the user provides a username and password and submits the registration, the HiveAP forwards the access request to GuestManager. If GuestManager approves the request, the HiveAP moves the client's MAC address (in the figure, 0016:cf8c:57bc) from the quarantined list to the registered list.
6. DHCP, DNS, and HTTP forwarding. The HiveAP applies the user profile for registered guests and forwards all types of traffic to the rest of the network, as permitted by the firewall policies assigned to that user profile.
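The catch-all answer in callout 3 of Figure 3, as an added example that is not part of this guide and is not HiveOS code: a minimal DNS responder in Python that behaves like the wildcard record "* IN A 1.1.1.1". It does pure packet handling with no sockets, so it runs offline. The portal address and the 10-second TTL are taken from the figure; answering non-A queries (AAAA, MX and so on) with an empty authoritative reply is my assumption about sensible behaviour, not something the guide states.

```python
import socket
import struct
from typing import Optional, Tuple

# Default address of the HiveAP's wifi0.1 subinterface for the captive web
# portal (from Figure 3); every A query is answered with it.
PORTAL_IP = "1.1.1.1"
QTYPE_A, QCLASS_IN = 1, 1


def parse_question(query: bytes) -> Tuple[int, str, int, int, int]:
    """Parse a single-question DNS query.

    Returns (transaction id, qname, qtype, qclass, offset just past the
    question). Raises ValueError on anything malformed so that a bad packet
    is dropped rather than answered.
    """
    if len(query) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, off = [], 12
    while True:
        if off >= len(query):
            raise ValueError("truncated QNAME")
        n = query[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not allowed in a question name")
        if off + n > len(query):
            raise ValueError("truncated label")
        labels.append(query[off:off + n].decode("ascii"))
        off += n
    if off + 4 > len(query):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    return txid, ".".join(labels), qtype, qclass, off + 4


def wildcard_response(query: bytes, portal_ip: str = PORTAL_IP, ttl: int = 10) -> bytes:
    """Answer as a root-zone '* IN A <portal_ip>' record would.

    A/IN queries get one answer pointing at the portal whatever name was
    asked for. Other types get an authoritative empty answer (NOERROR, no
    records) so the client falls back to the A record instead of failing.
    """
    txid, _name, qtype, qclass, qend = parse_question(query)
    question = query[12:qend]
    answer, ancount = b"", 0
    if qtype == QTYPE_A and qclass == QCLASS_IN:
        # NAME is a compression pointer (0xC00C) back to the question name.
        answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4)
        answer += socket.inet_aton(portal_ip)
        ancount = 1
    # Flags 0x8580: QR=1, AA=1, RD=1, RA=1, RCODE=0 (NOERROR).
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, ancount, 0, 0)
    return header + question + answer


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Encode the plain recursion-desired query a guest's resolver would send."""
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + qname + struct.pack("!HH", qtype, QCLASS_IN))


def answered_address(response: bytes) -> Optional[str]:
    """Return the A record address in a wildcard_response() reply, or None."""
    ancount = struct.unpack("!H", response[6:8])[0]
    if ancount == 0:
        return None
    return socket.inet_ntoa(response[-4:])


if __name__ == "__main__":
    for host in ("www.example.com", "login.bank.example", "aerohive.com"):
        print(host, "->", answered_address(wildcard_response(build_query(host))))
```

Every name resolves to the portal address, which is what makes the browser's first HTTP request land on the HiveAP's own web server in callout 4. A real deployment would bind wildcard_response to UDP port 53 on the subinterface; the parser's strictness (one question, no compression pointers in the name, length checks on every field) is what keeps a malformed or spoofed packet from producing an answer.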

Using HiveManager to configure HiveAPs to use a captive web portal, forward registration requests to GuestManager for authentication, and then apply user profiles and their associated policies to the traffic of successfully registered users involves the following steps:

• Step 1 Create an SSID with a Captive Web Portal
• Step 2 Push the Configuration and Supporting Files to the HiveAPs

Note: The following steps are written with the assumption that HiveManager is operating in Enterprise mode.

Step 1

Create an SSID with a Captive Web Portal

Create an SSID with a captive web portal for wireless clients to use when connecting to the HiveAP. For example, you might name the SSID something like "guest", use the wpa2-aes-psk security protocol suite, and use a string such as "aerohive123" as the preshared key. This protocol suite uses WPA2 (Wi-Fi Protected Access 2) with AES (Advanced Encryption Standard) to encrypt traffic between the wireless clients and the HiveAP, and a preshared key—which must be entered on both the HiveAP and wireless client—to encrypt it. 1. After logging in to HiveManager, click Configuration > WLAN Policies, click an existing WLAN policy that you are already applying to managed HiveAPs. 2. Click Add/Remove SSID Profile, and then click the New icon (+) below the Available SSID Profiles heading. 3. In the New SSID dialog box that appears, enter the following, and then click Save: Profile Name: guest SSID: guest Description: SSID for registering company guests

GuestManager Getting Started Guide

13

Aerohive GuestManager

SSID Access Security: WPA/WPA2 PSK (Personal) Use Default WPA/WPA2 PSK Settings: (select) Key Value and Confirm Value: aerohive123 If you do not want to trouble users with entering a preshared key, you can also use "open" or "open-wep" as the security protocol suite. This simplifies the connection process for the user; however, it also introduces security issues. The "open" protocol suite leaves all wireless traffic between the wireless client and HiveAP unencrypted and therefore susceptible to snooping. The "open-wep" protocol suite provides no authentication and uses WEP (Wired Equivalent Privacy) encryption, which unfortunately has several weaknesses that make it possible for it to be cracked. In light of these shortcomings, the example shown here uses the wpa2-aes-psk protocol suite to provide better security. Enable Captive Web Portal: Select the check box, and then click the New icon (+) to the right of the drop-down list. Enter the following in the Captive Web Portal dialog box that appears, leave all the other values at their default settings, and then click Save: Name: CWP-guest Registration Type: User Authentication Description: Captive web portal for guest registration Leaving everything else at its default setting creates a captive web portal configuration that uses all the predefined web files and the default network settings. The DHCP, DNS, and ICMP traffic from the clients of unregistered users is allowed to pass through the HiveAP to external servers. Note: For simplicity, the default captive web portal files are used. You can customize these to better represent your network. For information about customizing these pages, see the Aerohive Deployment Guide. Back in the SSID dialog box, choose CWP-guest from the captive web portal drop-down list. 
RADIUS Server: Click the New icon (+) to the right of the drop-down list, enter the following, and then click Apply: External RADIUS Server: (select) Profile Name: GuestManager Primary RADIUS Server: Choose the blank space at the top of the drop-down list, and type in the GuestManager IP address or domain name. HiveManager automatically creates an IP address/host name object from the information you enter. If you prefer to use a domain name, then on the authoritative DNS server for GuestManager, create an A record for its domain name and map it to the IP address of the MGT interface. For example: guestmanager.aerohive.com IN A 10.1.1.80 Secret and Confirm Secret: Enter the same shared secret that you entered when configuring NAS devices in GuestManager. When you configure the above external RADIUS server settings, RADIUS authentication support is enabled by default. The default destination port number for RADIUS authentication is 1812, which is also the default port number on which GuestManager listens for authentication messages. To configure more RADIUS server settings such as a different port number for RADIUS authentication or to enable HiveAP support of RADIUS accounting, select External RADIUS Server and then click More Settings. If you enable RADIUS accounting, HiveAPs send GuestManager updates on users’ sessions so that GuestManager can track when sessions start and how much time has elapsed and still remains before they expire. Note that the default accounting port settings on both GuestManager and HiveManager is port 1813.


Back in the SSID dialog box, choose GuestManager from the RADIUS Server drop-down list.

User Profiles for Traffic Management
User profile assigned if no attribute is returned from RADIUS after successful authentication: default-profile
User profiles assigned via attributes returned from RADIUS after successful authentication: If you created a user role with a specific attribute value in GuestManager, click the New icon (+) in the Available User Profiles column, and create a user profile with the same attribute value as that assigned to the user role. Click Apply, select it in the Available User Profiles column, and click the right arrow (>) to move it to the Selected User Profile column. If you did not define a user role in GuestManager, leave this empty to apply the default-profile to all registered users.

When the HiveAP receives any traffic on the guest SSID from a client whose MAC address is not on its list of registered users, it assigns the client to a quarantined user list. After the user registers, the HiveAP moves the client to the registered user list and applies either the default-profile or another user profile whose attribute matches the one returned by GuestManager. VLAN, QoS (Quality of Service), tunneling, and firewall policies are all bound to user profiles. You might want to define and assign these settings to the user profiles for registered users, because it is through these settings that you shape and direct their traffic. Although explaining the configuration and binding of such policies is beyond the scope of this guide, you can learn more in the Aerohive Deployment Guide and the HiveManager online Help.

SSID Broadcast Band: 2.4 GHz (11n/b/g)

4. In the WLAN Policy dialog box, select guest in the Available SSID Profiles column, click the right arrow (>) to move it to the Selected SSID Profile column, and then click Apply.
5. To save the WLAN policy with the newly added SSID, click Save.
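The quarantine-then-register behaviour just described is easier to reason about as a small state machine, so here is one as an added example in Python; it is a model written for this guide, not HiveOS code. The profile attribute GuestManager returns is modelled as a plain integer, the protocol names are constructed labels, and treating any non-DHCP/DNS/ICMP, non-HTTP traffic from a quarantined client as dropped is an assumption (the text only says which traffic passes through and that the browser is redirected).

```python
"""Model of the per-client state a HiveAP keeps on a captive-web-portal SSID: unknown
MACs are quarantined, a successful registration moves the client to the registered list
and binds a user profile chosen by the RADIUS attribute. Constructed example."""
from dataclasses import dataclass, field

DEFAULT_PROFILE = "default-profile"
# With the default captive web portal settings, these pass through to external servers
# even from unregistered clients (assumed protocol labels for the model).
QUARANTINE_PASSTHROUGH = {"dhcp", "dns", "icmp"}


@dataclass
class GuestSsid:
    # attribute value -> user profile name, i.e. the Selected User Profiles column
    profiles_by_attribute: dict = field(default_factory=dict)
    quarantined: set = field(default_factory=set)
    registered: dict = field(default_factory=dict)  # mac -> assigned profile name

    def handle_traffic(self, mac: str, proto: str) -> str:
        """What the AP does with a frame: 'forward', 'redirect' (to the portal) or 'drop'."""
        mac = mac.lower()                      # MACs compare case-insensitively
        if mac in self.registered:
            return "forward"                   # registered: the user profile governs it
        self.quarantined.add(mac)              # first sight of an unregistered client
        if proto in QUARANTINE_PASSTHROUGH:
            return "forward"
        if proto == "http":
            return "redirect"                  # browser lands on the registration page
        return "drop"                          # assumption: everything else is blocked

    def on_access_accept(self, mac: str, returned_attribute=None) -> str:
        """GuestManager accepted the login: register the client and bind the matching
        user profile, falling back to default-profile when no attribute (or one that
        matches no selected profile) came back."""
        mac = mac.lower()
        profile = self.profiles_by_attribute.get(returned_attribute, DEFAULT_PROFILE)
        self.quarantined.discard(mac)
        self.registered[mac] = profile
        return profile

    def on_access_reject(self, mac: str) -> str:
        """GuestManager rejected the login: the client stays quarantined."""
        self.quarantined.add(mac.lower())
        return "quarantined"

    def on_session_end(self, mac: str) -> None:
        """Account expired or was logged out (the Expire Action above): the next frame
        from this MAC is handled as unregistered again."""
        self.registered.pop(mac.lower(), None)
```

The fallback in on_access_accept is the behaviour to check when a registered guest ends up with unexpected access: a role whose attribute value was typed differently in GuestManager and in the HiveManager user profile does not fail, it silently lands the user in default-profile.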

Step 2

Push the Configuration and Supporting Files to the HiveAPs

To push the configuration and files to the managed HiveAPs on which you want to provide guest access, click Monitor > Access Points > HiveAPs > (select HiveAPs) > Update > Upload and Activate Configuration, enter the following, and then click Upload:
Upload and activate configuration: (select)
Upload and activate CWP pages and Server key: (select)
Upload and activate certificate for RADIUS and VPN services: (select)
Upload and activate employee, guests, and contractor credentials: (clear)

Because the WLAN policy for the selected HiveAPs contains an SSID that references a captive web portal and a RADIUS server, you must upload the configuration and the files required for the captive web portal and RADIUS server to function. HiveManager uploads the supporting files first, followed by the configuration. The HiveAP Update Results page appears so that you can monitor the progress of the upload procedure. When complete, "100%" appears in the Upload Rate column and "Successful" appears in the Update Result column.

Note: If a managed HiveAP already has the maximum number of captive web portal directories (8), you must remove at least one of them before you can add a new one. To see how many directories are already on a HiveAP and remove a directory if necessary, do the following:
1. Click Monitor > Access Points > HiveAPs > (select a HiveAP) > Update > Remove Captive Web Page Directory > Remove Specific Web Page Directory.
2. Select the check box of the directory that you want to remove, and then click Submit.


TESTING THE CONFIGURATION
To make sure that the HiveAPs are in communication with GuestManager, perform the following simple trial run.

Guest Account Creation
1. Log in to GuestManager as an admin or operator with the privilege for creating new user accounts.
2. Click GuestManager > Create Account, enter the following, and then click Create Account:
• Sponsor’s Name: Keep the name that appears here automatically. It is the name of the admin or operator that you logged in as.
• Account Role: Set any account role, such as Guest or a role that you previously defined.
• Username: Enter a name for the user account stored in the GuestManager RADIUS database. This is the string that the user must enter later when making a wireless connection.
• Visitor’s Name: Enter any name for the visitor.
• Company Name: Enter any name for the company.
• Email Address: Enter any email address.
• Account Activation: Choose Now from the drop-down list.
• Account Expiration: For testing purposes, set this to the minimum duration: 1 hour from now.
• Expire Action: Choose Delete and logout at specified time from the drop-down list.
• Password: Choose Generate a new random password from the drop-down list. This is the password that you enter later when making a wireless connection.
• Terms of Use: (select)
3. In the Open print window using template… drop-down list, choose Guest Receipt and Instructions, and then print the receipt. You might need to allow pop-ups in the browser before you can print the receipt. The receipt includes the user name, password, and expiration time. In addition, you can include the SSID name and preshared key ("wireless passphrase") on the printed receipt by customizing the receipt template (see "Customizing a Print Template" on page 9).
4. To restrict a single user to just one session at a time, click GuestManager > Edit Accounts > account_name > Edit, enter 1 in the Session Limit field, and then click Apply. (If you set this to a number greater than 1, RADIUS accounting cannot be accurate, and the user might gain network access beyond the defined account lifetime.)
5. Click RADIUS Services > Start Here, and then click Restart RADIUS Server.

Logging In
1. On a computer with a wireless client, connect to the "guest" SSID and enter the preshared key (wireless passphrase) from the GuestManager receipt, "aerohive123" in this example.
2. Check the DHCP network settings for the wireless adapter (on Windows, open the command prompt and enter ipconfig /all). When the captive web portal is configured to pass DHCP and DNS traffic through to external servers (as in the example above), the network settings are those for the main network. When the captive web portal is configured to use the DNS and DHCP servers on the HiveAP, note that the IP address is in a quarantined range (1.1.1.0/24 – 1.1.16.0/24 or 1.1.101.0/24 – 1.1.116.0/24) and the lease is very short, 10 seconds by default.
3. Open a browser. The captive web portal redirects your browser from its home page to the Authenticated Network Access page.
4. In the User Name and Password fields, enter the user name and password from the receipt, and then click Submit. A successful registration message appears in the browser. You can now access the rest of the network.
5. For a captive web portal using internal DHCP and DNS servers, check the DHCP network settings again for your wireless adapter. Notice that the address is now on the main network and that the lease is no longer just 10 seconds.
6. On GuestManager, click GuestManager > Active Sessions, and check that the user name appears in the list.


HARDWARE OVERVIEW
You can see the hardware components of the Aerohive appliance on which GuestManager runs in Figure 4 and read a description of each component in Table 1 "Component Descriptions".

Figure 4 Hardware Components
Front Panel: Mounting Bracket, Console Port, USB Port, Status LEDs, MGT and LAN Ethernet Ports, Mounting Bracket
Rear Panel: On/Off Switch, System Fans, Serial Number Label, AC Power Inlet, Power Fan

Table 1 Component Descriptions

Mounting Brackets: The two mounting brackets allow you to mount the appliance in a standard 19" (48.26 cm) equipment rack. You can also move the brackets to the rear of the chassis if you need to reverse mount it.

Console Port: A male DB-9 serial port to which you can make a console connection using an RS-232 (or "null modem") cable. The pin assignments are the same as those on the HiveAP (see "Ethernet and Console Ports" on page 18). The management station from which you make a serial connection to GuestManager must have a VT100 emulation program, such as Tera Term Pro© (a free terminal emulator) or Hilgraeve Hyperterminal® (provided with Windows® operating systems). The serial connection settings are: bits per second: 9600, data bits: 8, parity: none, stop bits: 1, flow control: none. The default login name is admin and the password is aerohive. After making a connection, you can access the Linux operating system.

USB Port: The USB port is reserved for internal use.

Status LEDs: The status LEDs convey operational states for the system power and hard disk drive. For details, see "Status LEDs" on page 19.

MGT and LAN Ethernet Ports: The MGT and LAN Ethernet ports are compatible with 10/100/1000-Mbps connections, automatically negotiate half- and full-duplex mode with the connecting devices, and support RJ-45 connectors. They are autosensing and automatically adjust to straight-through and cross-over Ethernet cables. However, when a GuestManager license is installed on the appliance, only the MGT port can be used.

System Fans: The two system fans maintain an optimum operating temperature. Be sure that air flow through the system fan vents is not obstructed.

Serial Number Label: The serial number label contains the FCC compliance stamp, model number, input power specifications, and serial number for the device.

AC Power Inlet: The three-prong AC power inlet is a C14 chassis plug through which you can connect a GuestManager to a 100 – 240-volt AC power source using the 10-amp/125-volt IEC power cord that ships with the product.

On/Off Switch: The on ( | ) and off ( O ) switch controls the power to GuestManager.

Power Fan: The fan that maintains the temperature of the power supply.

Ethernet and Console Ports
The two 10/100/1000-Mbps Ethernet ports labeled MGT and LAN on the Aerohive appliance use standard RJ-45 connector pin assignments that follow the TIA/EIA-568-B standard (see Figure 5). They accept standard types of Ethernet cable: cat3, cat5, cat5e, or cat6. Because the ports have autosensing capabilities, the wiring termination in the Ethernet cables can be either straight-through or cross-over.

Note: Do not attempt to use the LAN port when running GuestManager. GuestManager only supports the MGT port, the default IP address/netmask for which is 192.168.2.10/24.

Figure 5 Ethernet Port LEDs and Pin Assignments (View of an Ethernet port on the appliance, with pin numbers 8 through 1 labeled)

Pin   10/100Base-T Data Signal   1000Base-T Data Signal
1     Transmit +                 BI_DA+
2     Transmit -                 BI_DA-
3     Receive +                  BI_DB+
4     (unused)                   BI_DC+
5     (unused)                   BI_DC-
6     Receive -                  BI_DB-
7     (unused)                   BI_DD+
8     (unused)                   BI_DD-

Legend: BI_D = bidirectional; A+/A-, B+/B-, C+/C-, D+/D- = wire pairings

Link Rate LED: Dark: 10 Mbps; Green: 100 Mbps; Amber: 1000 Mbps
Link Activity LED: Dark: Link is down; Steady amber: Link is up but inactive; Blinking amber: Link is up and active

The Ethernet ports are auto-sensing and can automatically adjust to transmit and receive data over straight-through or cross-over Ethernet connections. They follow the pinouts for the T568A and T568B standards.


The pin assignments in the male DB-9 console port follow the EIA (Electronic Industries Alliance) RS-232 standard. To make a serial connection between your management system and the console port on the Aerohive appliance, you can use a null modem serial cable, use another serial cable that complies with the RS-232 standard, or refer to the pin-to-signal mapping shown in Figure 6 to make your own serial cable. Connect one end of the cable to the console port on the appliance and the other end to the serial (or COM) port on your management system. The management system must have a VT100 terminal emulation program, such as Tera Term Pro© (a free terminal emulator) or Hilgraeve Hyperterminal® (provided with Windows® operating systems).

Figure 6 Console Port Pin Assignments (View of the console port on the Aerohive appliance: pins 1 to 5 in the upper row, pins 6 to 9 in the lower row)

RS-232 Standard Pin Assignments, Male DB-9 Console Port

Pin   Signal                       Direction
1     DCD (Data Carrier Detect)    (unused)
2     RXD (Received Data)          Input
3     TXD (Transmitted Data)       Output
4     DTR (Data Terminal Ready)    (unused)
5     Ground                       Ground
6     DSR (Data Set Ready)         (unused)
7     RTS (Request to Send)        (unused)
8     CTS (Clear to Send)          (unused)
9     RI (Ring Indicator)          (unused)

The above pin assignments show a DTE configuration for a DB-9 connector complying with the RS-232 standard. Because this is a console port, only pins 2, 3, and 5 need be used.

The serial connection settings are as follows:
• Bits per second: 9600
• Data bits: 8
• Parity: none
• Stop bits: 1
• Flow control: none

Status LEDs
The two status LEDs on the front of the Aerohive appliance indicate various states of activity through their color (dark, green, amber) and illumination patterns (steady glow or blinking). The meanings of the various color + illumination patterns for each LED are shown in Figure 7.

Figure 7 Status LEDs
System Power LED: Dark: No power; Steady illumination: Powered on
Hard Disk Drive LED: Dark: Idle; Blinking: Active


RACK MOUNTING THE APPLIANCE
You can mount the Aerohive appliance in a standard 19" (48 cm) equipment rack with two rack screws, typically 3/4", 1/2", or 3/8" long with 10-32 threads. The appliance ships with mounting brackets already attached to its left and right sides near the front panel (see Figure 4 on page 17). In this position, you can front mount it as shown in Figure 8. Depending on the layout of your equipment rack, you might need to mount the appliance in reverse. To do that, move the brackets to the left and right sides near the rear before mounting it.

Figure 8 Mounting the Aerohive appliance in an equipment rack (labeled parts: Rack Rails, Mounting Bracket, Washer, Rack Screw)

1. Position the Aerohive appliance so that the holes in the mounting brackets align with two mounting holes in the equipment rack rails.
2. Insert a screw through a washer, the hole in one of the mounting brackets, and a hole in the rail.
3. Tighten the screw until it is secure.
4. Repeat steps 2 and 3 to secure the other side of the appliance to the rack.


DEVICE, POWER, AND ENVIRONMENTAL SPECIFICATIONS
Understanding the range of specifications for the Aerohive appliance is necessary for optimal deployment and operation of the device. The following specifications describe the physical features and hardware components, the electrical requirements for the power supply and cord, and the temperature and humidity ranges in which the device can operate.

Device Specifications
• Form factor: 1U rack-mountable device
• Chassis dimensions: 16 13/16" W x 1 3/4" H x 15 13/16" D (42.7 cm W x 4.4 cm H x 40.2 cm D)
• Weight: 13.75 lb. (6.24 kg)
• Serial port: male DB-9 RS-232 port (bits per second: 9600, data bits: 8, parity: none, stop bits: 1, flow control: none)
• USB port: standard Type A USB 2.0 port
• Ethernet ports: MGT and LAN, autosensing 10/100/1000Base-T

Power Specifications
• ATX (Advanced Technology Extended) autoswitching power supply with PFC (power factor corrector):
  • Input: 100 – 240 VAC
  • Output: 250 watts
• Power supply cord: standard three-conductor SVT 18 AWG cord with a NEMA 5-15P three-prong male plug and three-pin socket

Environmental Specifications
• Operating temperature: 32 to 140 degrees F (0 to 60 degrees C)
• Storage temperature: -4 to 176 degrees F (-20 to 80 degrees C)
• Relative humidity: 10% – 90% (noncondensing)
