
Hivemanager Ng - Passport By Exclusive


TechBuzz: HiveManager NG and HiveOS: What's Changed?
Gianluca Silvestri – System Engineer, Exclusive Networks Italy
© Aerohive Networks, Proprietary & Confidential

Overview
• HiveOS 6.5r3 and 6.6r2
• HiveManager NG
  • Customize column views
  • User Monitoring
  • Rogue AP and client historical visibility
  • WIPS History Report
  • PCI DSS 3.1 Compliance Report
  • Role Based Access Control
  • Supplemental CLI
  • Device Classification: Time Zones
  • Auto-provisioning
  • DHCP server & relay
  • Captive Web Portals (CWP)
  • Guest Access & Personal Device Access
  • User credentials: local storage
  • User credentials: cloud storage
  • RadSec proxies
  • User Groups: PPSK and RADIUS
  • Guest Access scenarios & workflows
  • Personal Device Access scenarios and workflows
  • Data/Time limit access policies
  • AAA and SMS Logs
  • SMS/Email print notification template
  • APIs

HiveOS 6.5r3 and 6.6r2

HiveOS – Golden vs. Feature
• Feature Release Goal: include the latest and greatest features ASAP.
• Golden Release Goal: stability-focused. Resolve all serious issues found by Coverity.
• Results
  • Done
  • The team resolved about 2,500 serious issues
  • Most remaining issues are in 3rd-party code, or are medium/low severity
• Next steps
  • Watch for issues and retune as necessary

HiveOS Support
HiveManager NG now has support for the following HiveOS versions:
• HiveOS 6.5r3 for all platforms including old hardware (AP120, AP110, etc.)
• HiveOS 6.6r2a for AP130, AP230, AP330, AP350 and AP1130
IMPORTANT: The go-to HiveOS release for Astra is 6.5r3, as it has the latest important updates and critical bug fixes.
6.5r3 Release Notes
6.6r2 Release Notes

HiveManager NG Quarter Update

Customize Column Views
• Column views can be customized from the Monitor menu
• Selectable column display
• Adjustable column order
• Authorized admins with read or read-write access can modify them

Customize Column Views
Monitor/Devices:
• Click the edit column icon
• The column edit window displays all available column fields
• Uncheck ☐ several fields
• The column view changes

Customize Column Views
Monitor/Devices:
• Click and hold on any column header
• Drag the column header to the desired location
• Release the header and the column order changes
• Columns can be moved left or right

Customize Column Views
Monitor/Clients:
• Client column views can also be customized

Customize Column Views
Monitor/Events:
• Event column views can also be customized

Customize Column Views
Monitor/Alarms:
• Alarm column views can also be customized

User Monitoring
• Previously only client device monitoring was available
• Click Monitor > Users
• New monitor view of users
• Based on unique credentials
• View the number of client devices connected from a single user

User Monitoring
• Click User Name
• User Entity View
• Click the individual client icons

Rogue AP and clients – Historical visibility
• A timeline historical view is now available for Rogue APs, Unauthorized APs, Neighbor APs and rogue clients
• Monitor > Security
• The real-time view displays
• Adjust the timeline slider bar to see the historical view up to 7 days back
• Click the report icon to generate a WIPS report

WIPS History Report
• Monitor > Reports
• Click +
• Click the WIPS History icon

WIPS History Report
• Recurrence of the report can be once, daily, weekly or monthly
• The time range of the report can also be designated
• Enter email addresses
• Click Generate Report

WIPS History Report
• The admin will receive a notification email
• Click View Report
• The admin will be redirected to a URL where the report can be viewed online
• Browser print/save capabilities can be used to save in PDF format

PCI 3.1 Compliance Report
• Monitor > Reports
• Click +
• Click the PCI DSS 3.1 icon

PCI 3.1 Compliance Report
• Recurrence of the report can be once, daily, weekly or monthly
• The time range of the report can also be designated
• Enter email addresses
• Click Generate Report

PCI 3.1 Compliance Report
• The admin will receive a notification email
• Click View Report
• The admin will be redirected to a URL where the report can be viewed online
• Browser print/save capabilities can be used to save in PDF format

PCI 3.1 Compliance Report
To generate a monthly PCI or WIPS report:
• Select ⦿ Monthly
• Time Range: Select Month
• Drag the time slider bar to cover the entire 31 days to collect a full month of data

PCI 3.1 Compliance Report
• All components are on by default except the Summaries component
• Click + to include the Summaries component in the PCI report

Role Based Access Control
• HiveManager NG supports RBAC
• When creating a new administrative account you can assign a role
• A role defines what functions the admin is able to access within HiveManager NG
• Access can be further restricted by location: users will only have access to devices in specific locations

Role Based Access Control
• When creating a new user, Role Based Access Control offers two choices:
  • Internal user account: admins/users from within the organization
  • Outside users: admins/users from outside the organization (resellers, distributors…)
• Outside users must have existing HiveManager NG accounts
• Accounts are checked against their email address
• Access can be verified in logs

Role Based Access Control
• Roles can be assigned access to certain locations based on topology maps
• Roles are assigned based on the tier-two level of topology maps
• The Administrator and the Guest Management roles have universal access and cannot be assigned to unique locations

Role Based Access Control
• Tier one of the network map is called a network name and it is often named after your organization.
• The definition of the second tier depends on how you define your network map.
• You can assign either a geographic location, such as a city or town, or a building to the network name.
• For role based access control, tier two is the most important tier because its assignment determines the admin/user access.
• Example #1: Tier two based on locations
• Example #2: Tier two based on buildings
• RBAC access rights cannot be assigned by floor

Role Based Access Control
• Administrator: the Administrator role provides full access to all configuration, monitoring, and administrative functions. It is the only role that has access to account and license management.
• Operator: the Operator role provides full access to most functions including network and device configuration. However, it does not allow access to user account and license management.
• Monitor: the Monitor role provides full access to troubleshooting and read-only access to monitoring and configuration functions.
• Help Desk: the Help Desk role provides full access to the Troubleshoot tab and search access to the User 360 View and Client 360 View.
• Guest Management: the Guest Management role provides access to create network credentials.
• Observer: the Observer role provides read-only access to most functions except for account and license management.

Role Based Access Control
• Admins/users who have access to your entire network are called global.
• Admins/users who are restricted to a location or building are called local.

Supplemental CLI
• The Supplemental CLI object gives an admin the ability to configure CLI commands that are not available in the HiveManager NG GUI
• CLI object commands can be applied to one device or many devices via a network policy
• The commands listed in the CLI object will override the configuration in the network policy and the device-specific settings

Supplemental CLI
• Supplemental CLI must be enabled at the global level
• Off by default
• Click the gear icon
• Administration > VHM Management > Supplemental CLI
• Select

Supplemental CLI
Configure within a Network Policy:
• Additional Settings > Policy Settings > Supplemental CLI
• Choose

Supplemental CLI
• Multiple CLI commands
• One command per line
• Max 2048 characters
• Still requires a complete update
• NG knows that a complete update is needed and reminds you in a message

Supplemental CLI
• In this example, a CLI object was created with a CLI command to assign a pool of user VLANs to a single user profile called employee
• The VLAN pool consists of VLANs 400, 401 and 402

Supplemental CLI
Monitor > Devices:
• Select ☑ the AP
• Click the audit icon
• The commands can be viewed in the complete configuration of the device
• Show Running Config

Supplemental CLI
Supplemental CLI objects can also be created from:
• Configuration > Common Objects > Basic > Supplemental CLI Objects
• Used By: click on the number
• You can view the network policies that are linked to the CLI object

Supplemental CLI
Additional Settings:
• Previously created CLI objects can be re-used in other network policies
• Re-use Supplemental CLI Settings
• Click
• Select ☑ the object
• Click Select

Supplemental CLI – device level
• Supplemental CLI settings can also be applied at the device level
• Different groups of devices can be assigned a supplemental object via multi-select
• At the device level, a supplemental CLI can override or append to the network policy-level supplemental CLI

Supplemental CLI – device level
Supplemental CLI can also be appended at the device level:
• Monitor > Devices
• Select ☑ the AP
• Configuration > Device Configuration
• Select ⦿ Keep Supplemental CLI in the network policy
• Select or create the CLI object to append

Supplemental CLI – device level
• After the complete upload, the device-level supplemental CLI settings have been appended to the network policy.
• The policy-level supplemental CLI settings also remain.
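Returning to the Role Based Access Control slides above: the following Python is an added example, not part of this deck or of HiveManager NG, that models the role and tier-two location scoping described there so that an account request can be checked against least privilege before the account is created. The permission names, the Device/Admin classes and the exact capability set of each role are this example's interpretation of the slide text, not the product's own API.

```python
"""
Role and location scoping from the Role Based Access Control slides, as a
small authorization model. Permission names and the per-role capability sets
are an interpretation of the slide text, not HiveManager NG's own API.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Permission vocabulary used by this example (assumed names).
CONFIGURE = "configure"            # network and device configuration
MONITOR = "monitor"                # monitoring views (read-only for most roles)
TROUBLESHOOT = "troubleshoot"      # Troubleshoot tab and CLI access tools
USER_SEARCH = "user_search"        # User 360 View / Client 360 View search
GUEST_CREDS = "guest_credentials"  # create network (guest) credentials
ACCOUNTS = "accounts_licenses"     # account and license management

ROLE_PERMISSIONS = {
    # Administrator: everything, and the only role with account/license management
    "Administrator": frozenset({CONFIGURE, MONITOR, TROUBLESHOOT, USER_SEARCH, GUEST_CREDS, ACCOUNTS}),
    # Operator: most functions including configuration, but no account/license management
    "Operator": frozenset({CONFIGURE, MONITOR, TROUBLESHOOT, USER_SEARCH, GUEST_CREDS}),
    # Monitor: full troubleshooting, read-only monitoring and configuration views
    "Monitor": frozenset({MONITOR, TROUBLESHOOT, USER_SEARCH}),
    # Help Desk: Troubleshoot tab plus search in User 360 / Client 360
    "Help Desk": frozenset({TROUBLESHOOT, USER_SEARCH}),
    # Guest Management: create network credentials only
    "Guest Management": frozenset({GUEST_CREDS}),
    # Observer: read-only access to most functions except accounts/licenses
    "Observer": frozenset({MONITOR}),
}

# Universal access: these roles cannot be restricted to a tier-two location.
UNSCOPABLE_ROLES = frozenset({"Administrator", "Guest Management"})


def scopable(role: str) -> bool:
    """True if the role may be restricted to one location/building (a 'local' admin)."""
    return role in ROLE_PERMISSIONS and role not in UNSCOPABLE_ROLES


@dataclass(frozen=True)
class Device:
    name: str
    tier2: str                   # location or building under the network name
    floor: Optional[str] = None  # floors never take part in RBAC decisions


@dataclass(frozen=True)
class Admin:
    email: str
    role: str
    tier2: Optional[str] = None  # None = global admin; otherwise local to that tier-two entry

    def __post_init__(self) -> None:
        if self.role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {self.role!r}")
        if self.tier2 is not None and not scopable(self.role):
            raise ValueError(f"{self.role} has universal access and cannot be assigned a location")

    @property
    def is_global(self) -> bool:
        return self.tier2 is None


def in_scope(admin: Admin, device: Device) -> bool:
    """Location scope is decided at tier two only (city/town or building), never by floor."""
    return admin.is_global or admin.tier2 == device.tier2


def authorized(admin: Admin, permission: str, device: Optional[Device] = None) -> bool:
    """The role must grant the permission and, for device actions, the device must be in scope."""
    if permission not in ROLE_PERMISSIONS[admin.role]:
        return False
    return device is None or in_scope(admin, device)


def least_privileged_role(needed: FrozenSet[str]) -> Optional[str]:
    """Smallest role that still covers every needed permission, or None if no role does."""
    fits = [(len(perms), role) for role, perms in ROLE_PERMISSIONS.items() if needed <= perms]
    return min(fits)[1] if fits else None


if __name__ == "__main__":
    milan_ops = Admin("ops@example.invalid", "Operator", tier2="Milan")  # a local operator
    for dev in (Device("ap-milan-1", "Milan", "2"), Device("ap-rome-1", "Rome")):
        print(dev.name, "configure:", authorized(milan_ops, CONFIGURE, dev))
    print("role for help-desk duties:", least_privileged_role(frozenset({TROUBLESHOOT, USER_SEARCH})))
```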
Supplemental CLI – device level
Supplemental CLI can also be overridden at the device level:
• Monitor > Devices
• Select ☑ the AP
• Configuration > Device Configuration
• Select ⦿ Override Supplemental CLI in the network policy
• Select or create the CLI object for the device-level override

Supplemental CLI – device level
• After the complete upload, the device-level supplemental CLI settings have been appended to the network policy.
• The device-level supplemental CLI settings replace the policy-level supplemental CLI settings.

Device Classification: Time Zones
• Time zones can be assigned to devices by classification
• Devices such as APs must be linked to topology maps

Device Classification: Time Zones
Configure within a Network Policy:
• Additional Settings > Policy Settings > Device Time Zone
• Select ☑ Apply time zone to devices via classification
• Click +

Device Classification: Time Zones
• Time Zone: select the desired time zone
• Click Add
• Assignment Rules: click +

Device Classification: Time Zones
• Name: enter a rule name
• Click +
• Click Device Location
• Select the desired location, building or floor
• Click Select

Device Classification: Time Zones
• Observe the first rule
• Scroll down and click Save

Device Classification: Time Zones
Repeat the steps for the next time zone:
• Time Zone: select the desired time zone
• Click Add
• Assignment Rules: click +

Device Classification: Time Zones
• Name: enter a rule name
• Click +
• Click Device Location
• Select the desired location, building or floor
• Click Select

Device Classification: Time Zones
• Observe the assignment rules
• Click Save
• Click Next

Device Classification: Time Zones
• Select the APs
• Click Upload
• Click Upload
• The APs will update

Device Classification: Time Zones
Verify the time zone assignment:
• Monitor > Devices
• Select ☑ an AP
• Actions > Advanced > CLI Access

Device Classification: Time Zones
• Type show time
• Click Apply
• Verify the time zone
• Repeat the steps for another AP
• Verify the time zone

Automatic Provisioning
• Automatic provisioning is now supported in HiveManager NG
• Configuration policies can be assigned automatically to Aerohive devices based on serial number or IP address
• CSV import of more detailed information can also be used with Auto-Provisioning

Automatic Provisioning – Onboarding
• Devices must first be onboarded into HiveManager NG
• Based on serial numbers, the devices will be registered into the redirector.

Automatic Provisioning
Configure/Common Objects:
• From the left policy sidebar, highlight Auto Provisioning
• Click the + icon

Automatic Provisioning
• Name: auto-policy name
• Device Function: AP
• Device Model: All
• Select ☑ Serial Numbers
• Click the Select Serial Numbers button

Automatic Provisioning
• Devices must be previously onboarded.
• Select the serial numbers and move them to the right window
• Click Save

Automatic Provisioning
• Network Policy: select from the drop-down
• Country Code: select from the drop-down
• Auto-assign Location: click Assign

Automatic Provisioning
• Select a floorplan location and click Assign

Automatic Provisioning
Advanced Settings:
• Upload configuration automatically
• Reboot after uploading
You also have the option of automatically updating the firmware of the APs:
• Upload HiveOS upon device authentication
• Save your auto-provisioning policy

Automatic Provisioning
To activate the auto-provisioning policy:
• Enabled: Select

Automatic Provisioning
• Connect the APs
• The APs establish a CAPWAP connection to HiveManager NG and then auto-provision

Automatic Provisioning
Monitor/Events:
• Verify that auto-provisioning was successful

Automatic Provisioning
• Auto Provisioning policies can be for all AP models
• Auto Provisioning policies can be for specific AP models
• Model-specific policies also allow for the capability to define device-specific settings
• Example: wireless and wired interface settings

Automatic Provisioning – CSV import
• CSV import of more detailed information can also be used with Auto-Provisioning:
  • Host Names
  • Static IP addresses
  • Static Channel and Power settings
  • Supplemental CLI
• Device-specific rules in the CSV file take precedence over any global auto-provisioning settings

Automatic Provisioning – CSV import
• Make sure serial numbers are selected after initial onboarding
• Select ☑ Add additional devices via CSV import
• Click Choose
• Select the CSV file from your computer and import it
• You can also manually type in serial numbers
• Scroll down ⬇
• Verify the import
• Click Save

Automatic Provisioning by IP Subnet
• Aerohive devices can also be auto-provisioned based on their IP subnetwork
• Important: the serial numbers of the devices must previously be onboarded into the redirector. The serial numbers must also be selected in the provisioning policy

Automatic Provisioning by IP Subnet
• Click IP Subnetworks
• Uncheck ☐ Add additional devices via CSV import
• Select ☑ Manually enter additional devices
• Enter multiple IP subnets where devices may reside. Separate subnets by commas.
• Click Save

Automatic Provisioning by IP Subnet
• Choose Location and Subnet
• From the dropdown box, select individual subnets and map them to different floorplan locations.
• Click Save

DHCP Server & Relay
Monitor > Devices:
• Select ☑ the device that will function as a DHCP server
• Click the edit icon
• Click DHCP Server and Relay
• Click +

DHCP Server & Relay
• Name: type a name
• Interface: select mgt0.1

DHCP Server & Relay
• IP Address: 192.168.50.2 (enter the IP address for the mgt0.1 interface)
• Netmask: 255.255.255.0
• VLAN ID: 300 (enter the VLAN that is mapped to this /24 network)
• Ensure that ☑ DHCP server is selected
• Review the default settings:
  ☑ Enable Ping on this interface
  ☑ Set the DHCP server as authoritative
  ☑ Use ARP to check for IP conflicts
  ☐ Enable NAT Support
• Scroll down

DHCP Server & Relay
IP Pool:
• Click +
• Start IP Address: 192.168.50.100
• End IP Address: 192.168.50.254
• The system will warn if the addressing is incorrect
• Click Add
• Verify the IP Pool
• Scroll down

DHCP Server & Relay
DHCP Server Options:
• Default Gateway: 192.168.50.1
• DNS: 8.8.8.8
• Note: the netmask is automatically inherited from the mgt0.X interface
• Enter other server options
• Click Save

DHCP Server & Relay
• DHCP options can also be configured

DHCP Server & Relay
• It is always better to use an external DHCP server for scaling purposes
• An AP acting as DHCP server is okay for smaller deployments
• Often used for the Guest VLAN

DHCP Server & Relay
• An Aerohive device can also function as a DHCP relay agent

Captive Web Portal (CWP)
• Configure > Common Objects > Policy > Authentication > Captive Web Portals
• Click +
Many CWP use cases are available:
• User Authentication
• Self-Registration
• Private PSK
• User Policy Acceptance
• Combinations

Captive Web Portal (CWP)
CWP types: User Auth, Self Registration*, User Policy Acceptance, PPSK
*Note: Self Registration is cloud only

Captive Web Portal (CWP)
Use cases, mapped on the slide against the CWP options User Auth*, Self-Reg, PPSK and UPA:
• Guest Access (GA) Auth
• GA w/Auth & Policy Accept*
• GA w/Leave Details
• GA w/Policy Accept
• GA w/Details & Policy Acc.
• GA w/Self-Reg + PPSK
• Personal Device Access
• PDA + Policy
• GA w/Self-Reg + PPSK + Policy
• User Policy Acceptance
*External RADIUS server is used.
*3rd-party CWP only available with option 1!

Captive Web Portal (CWP)
• Captive web portal objects can also be directly configured with the various guided configuration workflows
• Different CWP workflows for different SSID security

Captive Web Portal (CWP)
• A different captive web portal can be displayed based on device classification (location)
• A default CWP still needs to be selected

Captive Web Portal (CWP)
• CWP pages can be customized
• Colors, logo, disclaimer
• CWP pages can be previewed

Captive Web Portal (CWP)
• URL redirects for the success page
• Multiple language support
• Advanced CWP settings
• Walled garden

Personal Device Access and Guest Access
• The "legacy" ID Manager (IDM) has been integrated into HiveManager NG
• The IDM feature configuration is spread across the HMNG GUI
• The terms "ID Manager" or "IDM" refer to the legacy product and are no longer used
• New terminology:
  • Personal Device Access: Bring Your Own Device
  • Guest Access: administrator-initiated guest access, Guest Management role, self-registration, API

Storing User Credentials
Option 1: Locally on the Aerohive Device
• Supports both PPSK and RADIUS (802.1X) users
• Supports up to 1000 users per User Group
• User accounts are pushed to the APs
• User Groups and User Profiles are stored locally
• NOTE: User Profile ID is an internal concept and doesn't need to be configured anymore!
(Diagram: PPSK and 802.1X clients authenticate against the User DB on the AP; HiveManager NG pushes user accounts to the APs; Big Data Store / Data Processing in the cloud)

Storing User Credentials
Option 1: Locally on the Aerohive Device
• User information: show user
• User Group information: show user-group

Storing User Credentials
When to use local storage of PPSK credentials?
• Survivability in case of WAN failure
  • Infrastructure devices (printers, TVs, scanners…)
  • VIP users
  • Critical devices (manufacturing…)
• Small sites with unreliable WAN
• Could also be used for Personal Device and Guest Access

Storing User Credentials
Option 1: Locally on the Aerohive Device
• User Profiles are stored in the configuration
• User Profile ID is mapped automatically
• NOTE: User profile ID is no longer relevant for configuration and is an internal concept only!
• CLI: exec aaa idm-test, show user-profile, show station

Storing User Credentials
Option 2: In the Cloud (Service)
• Supports both PPSK and RADIUS (802.1X) users
• RadSec needs to be permitted between the Aerohive device and HMNG
• TCP port 2083 needs to be open in outbound firewall policies
• Both authentication and accounting info is sent via the RadSec tunnel
• The service cannot act as a RADIUS server for 3rd-party devices
• Note: Guest self-registration requires cloud storage
(Diagram: PPSK and 802.1X clients; RadSec tunnel to the Authentication Service; Big Data Store / Data Processing)

Storing User Credentials
Cloud and local storage: RadSec proxy
• Two APs per subnet are automatically elected as RadSec proxies to the cloud service
• This reduces the number of RadSec connections
Lookup order:
• When a client authenticates, the local DB is queried first.
• If the credential is not found, the request is sent to the Cloud
• Non-RadSec-proxy devices relay the request through the RadSec proxy
(Diagram: RadSec Proxies; PPSK and 802.1X clients; RadSec tunnel to the Authentication Service; Big Data Store / Data Processing)

RadSec Proxies
• RadSec proxy selection remains automatic
• Two APs are dynamically elected as RadSec proxies on every management subnet
• Currently no static assignment of RadSec proxy devices

RadSec Proxies
• Currently no icon to indicate which devices are the RadSec proxies
• A CLI command can be used from any AP to see which of the RadSec proxies is being used by that AP: show idm

RadSec Proxies
• TCP port 2083 needs to be open on outbound firewall policies
• No GUI-based RadSec test tool yet
• A RadSec test tool is available from the command line: exec aaa idm-test radsec-proxy

RadSec Proxies
• Error messages can also be seen in the Advanced Troubleshooting tool

User Groups
• As an Administrator you can configure Users and User Groups
• Each User belongs to a certain User Group
• A User Group defines what kind of credentials will be used and where they will be stored
• Credentials can be PPSK
• Credentials can be RADIUS-based (user name/password)
• Credentials can be stored on an Aerohive device (AP)
• Credentials can be stored in the Cloud

User Groups – PPSK on device
User Group/PPSK configuration:
• The strength of PPSK credentials can be configured
• Time-based PPSK credentials based on fixed dates

User Groups – PPSK in cloud
User Group/PPSK configuration:
• More options with Cloud:
  • Allow renewal
  • Enable CWP Register
• More PPSK expiration choices:
  • Never Expire
  • Valid During Dates
  • Daily
  • Valid for Time Period
• Delivery Settings:
  • Text Messages (SMS)
  • Email

User Groups – RADIUS
User Group/RADIUS configuration:
• Local
• More options with Cloud:
  • Allow renewal
  • Enable CWP Register
  • More expiration choices

User Groups and Users
User Group/Users configuration:
• User Groups and Users can be created from the object management menu
• User Groups and Users can be created in the guided configuration workflow
• Currently no bulk upload except via APIs.

Guest Access

Guest Access – Workflows
• Admin: the Administrator creates User accounts
• Lobby admin: an employee creates User accounts
• Guest: guests self-register using the CWP; (optional) employees approve guests
• Custom application: provisions Guest Accounts using the Identity API

Guest Access: Employee/Guest Managers
Workflow Scenario #2:
• Create a User Group(s)
• Create Guest Management User(s)
• Create an Employee Group
• Create an SSID and associate User Groups
• Update the policy to the APs
• Login to HiveManager NG as the Guest Management User
• Create Guest Accounts

Guest Access: Employee/Guest Managers
• Configure > Users > User Management > User Groups
• Click +

Guest Access: Employee/Guest Managers
• User Group Name: Guest-X
• Password DB Location: Service
• Password Type: PPSK
• Password Settings (configure password strength): ☑ Letters ☑ Numbers ☐ Special Characters; Enforce the use of: All selected character types
• PSK Generation Method: Password Only
• Scroll down ⬇

Guest Access: Employee/Guest Managers
• Require Authentication After: 1800 Seconds
• Account Expiration: Valid For Time Period, in 24 Hours, after First Login
• Access key must be used within: 7 days
• Deliver Access Key by: ☐ Text Messages (SMS); select ☑ Email
• Click

Guest Access: Employee/Guest Managers
• Repeat the steps to create more User Groups
• Examples: VIPs and Contractors
• You can create multiple guest user groups, each with different time limitations
• Multiple user groups can be linked to a single guest SSID

Guest Access: Employee/Guest Managers
Create a Guest Management Account:
• Click the gear icon
• User Accounts: click +

Guest Access: Employee/Guest Managers
Choose Role:
• Select ⦿ Guest Management
• Click
• Note: locations cannot be assigned to the Guest Management Role
• Select ⦿ Create a new user account
• Email address: your email
• Name: guest-X

Guest Access: Employee/Guest Managers
The guest management user will receive a password registration email:
• Click Setup Password
• Set Account Password: Aerohive123
• Confirm Account Password: Aerohive123
• Click Save & Next

Guest Access: Employee/Guest Managers
Create an Employee Group:
• Configure > Users > User Management > Employee Groups
• Click +

Guest Access: Employee/Guest Managers
Link the previously created guest management users to User Groups:
• Group Name: Guest Manager-X
• Admin Account: Guest Management Role User
• Management User: your email
• Enable User Groups: ☑ Guest-X (select the user groups in which the guest management user(s) will be able to create guest users)
• Click

Guest Access: Employee/Guest Managers
Create a Guest SSID within the Network Policy:
• SSID Name: Guest-X
• SSID Broadcast Name: Guest-X
• Select Private Pre-Shared Key
• Scroll down ⬇

Guest Access: Employee/Guest Managers
Link User Groups to the SSID:
• Click the select icon
• Select ☑ Guest-X
• Click Select
• Verify the linked User Groups
• Scroll down ⬇

Guest Access: Employee/Guest Managers
• Create a Guest User Profile
• Click +
• User Profile Name: Guest-X
• Connected to VLAN: 1 (designate a Guest VLAN)
• Security tab: click ON

Guest Access: Employee/Guest Managers
• Choose the select icon
• Select the ☑ Guest-Internet-AccessOnly firewall policy
• Click Select

Guest Access: Employee/Guest Managers
• Verify the guest firewall policy
• Click
• Verify the guest User Profile and guest VLAN and click

Guest Access: Employee/Guest Managers
• Update the APs
• Click Upload

Guest Access: Employee/Guest Managers
Create guest user credentials:
• Login to HiveManager NG as the Guest Management User
• Click +

Guest Access: Employee/Guest Managers
• Choose the proper user group
• Enter the guest user information
• Generate or manually type a PPSK password
• Designate the delivery email address
• Click

Guest Access: Employee/Guest Managers
• The guest user receives an email with the PPSK credential

Guest Access: Self-Registration
Workflow Scenario #3:
• Create a PPSK-enabled SSID
• Create a Self-Registration enabled User Group
• Create an open SSID
• Assign a Self-Registration Captive Web Portal
• Update the policy to the APs

Guest Access: Self-Registration
• Use the guided configuration to create a new Network Policy
• In the policy, create an SSID profile
• Click +

Guest Access: Self-Registration
Create a Guest SSID within the Network Policy:
• SSID Name: Secure-Guest-X
• SSID Broadcast Name: Secure-Guest-X
• Select Private Pre-Shared Key
• Scroll down ⬇

Guest Access: Self-Registration
Create a User Group for Self-Registration:
• Click +

Guest Access: Self-Registration
• User Group Name: Secure-Guest-X
• Password DB Location: Service
• Password Type: PPSK
• Select ☑ Enable CWP Register
• Password Settings (configure password strength): ☑ Letters ☑ Numbers ☐ Special Characters; Enforce the use of: All selected character types
• PSK Generation Method: Password Only
• Scroll down ⬇

Guest Access: Self-Registration
• Require Authentication After: 1800 Seconds
• Account Expiration: Valid For Time Period, in 24 Hours, after First Login
• Access key must be used within: 7 days
• Deliver Access Key by: ☐ Text Messages (SMS); select ☑ Email
• Click

Guest Access: Self-Registration
• Verify the self-registration User Group
• Multiple User Groups can be linked to the SSID
• Select or create a User Profile
• Remember to include a guest firewall policy
• Save the SSID settings

Guest Access: Self-Registration
Create an open SSID for self-registration:
• Click +
• SSID Name: Register-X
• SSID Broadcast Name: Register-X
• Select Open (Unsecured)
• Click Enable Captive Web Portal
• Scroll down ⬇

Guest Access: Self-Registration
Assign a self-registration CWP:
• Turn on Enable UPA
• Turn on Return Aerohive Private PSK
• Turn on Enable Self-Registration
• Click the + icon to create a Captive Web Portal

Guest Access: Self-Registration
• Name: Register-X
• Choose Access SSID (Private PSK): Secure-Guest-X
• Choose a PPSK Server: select Cloud PPSK Registration Server

Guest Access: Self-Registration
• Employee Approval is on by default
• Toggle Employee Approval as required
• The Captive Web Portal can now be customized
• Save the CWP

Guest Access: Self-Registration
• Verify the Captive Web Portal
• Save the SSID
• Verify both SSIDs
• Click

Guest Access: Self-Registration
• Update the APs
• Click Upload

Guest Access: Self-Registration
• The guest user connects to the open SSID
• The guest user self-registers via the captive web portal

Guest Access: Self-Registration
• The captive web portal success page delivers the PPSK credential
• The guest user connects to the secure SSID using the PPSK credential

Personal Device Access

Personal Device Access (PDA)
• Admin: the Administrator creates User accounts
• Employee: employees enroll personal devices using the CWP
• Employee: employee sponsorship/Kiosk app (ADFS Auth)
• Custom application: provisions PPSK for BYOD

Guest Access and Personal Device Access Considerations

Data and Time limit access policy
(Diagram: User Policy, e.g. 100 MB in 24 hrs or 1 GB in 24 hrs; RadSec tunnel to HMNG; Accounting – Quota Expired, disconnect client)
• The admin can apply an access control policy
• When a client reaches its quota, it is disconnected by HMNG
• This applies to PPSK/Open/WEP/802.1X clients
• Requires RadSec connectivity with HMNG

Data and Time limit access policy
Important:
• Data and Time limits only work with PPSK/802.1X and not with an Open SSID
• Only works with service (cloud) storage and not with local storage.
• Default accounting update interval between the AP and cloud is 10 minutes. • Therefore the smallest default time limit is 10 minutes. • Current best practice would be to also use rate-limiting if using the data limits within that 10 minute interval. © Aerohive Networks, Proprietary & Confidential 142 Data and Time limit access policy • Configure > Common Objects > Policy > User Profiles • Click + • Select the Data/Time Limit tab • Turn ON Access restrictions • Select either ☑ Time Limit or Data Usage Limit © Aerohive Networks, Proprietary & Confidential 143 Data and Time limit access policy Time access policy © Aerohive Networks, Proprietary & Confidential Data access policy 144 Data and Time limit access policy • SSID can be linked to mutiple User Profiles • Each User Profile can have a different time/data access policy • User Profiles can be assigned automatically based on rules linking to User Groups © Aerohive Networks, Proprietary & Confidential 145 Data and Time limit access policy • Check the admin accounting logs • Verify session time and data usage • Note: Data usage may not be 100% accurate © Aerohive Networks, Proprietary & Confidential 146 Authentication, Accounting and SMS logs • Click the icon • Logs: gear • Authentication • Accounting • SMS © Aerohive Networks, Proprietary & Confidential 147 SMS and Email Notification Template • Administrators can modify the SMS and Email template settings • In addition to notification text body, email notifications can include: • Icon • SSID as variable • Logo • Link to a custom URL © Aerohive Networks, Proprietary & Confidential 148 Configuring Notification Templates Configure > Basic > Notification Templates • Create a new template or edit existing notification templates • SMS template • Email template © Aerohive Networks, Proprietary & Confidential 149 APIs © Aerohive Networks, Proprietary & Confidential API Architecture HIve Manager Reference apps applications HiveStore Services © Aerohive Networks, 
Proprietary & Confidential Big Data Store Data Processing 151 New APIs in HM NG Location API Types Devices on and off the network Identity Access Management functionality – system integrations Monitoring HM NG network data and feeds 152 © Aerohive Networks, Proprietary & Confidential API Details Available on developer portal: • Location: query client location per AP • Monitoring: monitor clients and Aerohive devices API Details • Identity: Manage user accounts and credentials for GA and PDA • Create, Delete, Modify, Deliver, Extend Developer Portal • Developers should register at http://developer.aerohive.com • The portal includes documentation and profile information • Under “My Profile” you can see your registered applications Developer Portal Clicking the application provides important pieces of security information: • Client ID: this identifies the API user • Client Secret: this authenticates the API user • Redirect URL: identifies a valid URL to use for OAuth authorization – provides an additional layer of security Where to send the API requests • Requests need to go to the correct datacenter: • US customers: https://cloud-va.aerohive.com/xapi/v1/… • International: https://cloud-ie.aerohive.com/xapi/v1/… • Customer ID (VHM ID) is needed for every request • Identified as ownerId parameter • Click About to locate the VHM ID: Authentication and Authorization 3rd party app/app server GET https://cloud-va.aerohive.com/xapi/v1/location/clients • A correctly formed API request includes the following header fields: • Client secret • Redirect URL • Client ID HTTP/200 OK response Data in Response Body • Every request will also need to provide the correct ownerId (VHM ID) parameter Obtaining Access Token using OAuth2 OAuth is an open protocol for authorization between Web Applications: 1. Obtain the client ID and the client secret (developer portal) 2. Send authentication request to https://cloud.aerohive.com/thirdpartylogin?cli ent_id=&redirect_uri= 3. 
VHM login information is required to authorize the application 4. The session is redirected to the redirect URL (your web server) along with the auth code 5. The auth code is exchanged for a more permanent access and refresh tokens by issuing a request to https://cloud.aerohive.com/services/acct/third party/accesstoken Access Token Management Alternative to using OAuth: • Create Access Tokens in VHM • Used when there is no danger of compromising client ID and client secret • Use OAuth for web based applications Reference Applications Kiosk • Self-service registration for Guests • Simple, form-based workflow • For iPad Lobby Ambassador • • • • Designed for the receptionist Rapid on-boarding workflows System Overview and Usage For use on desktop monitors (HTML5) PRESENCE Presence © Aerohive Networks, Proprietary & Confidential 162 WLAN Client WLAN client devices are always probing for Access Points: • When not associated – where can I connect to? • When associated - where can I roam to? • AP detects client identity (MAC) and signal strength (RSSI). From AP’s point of view: • Unassociated client • Associated client • Presence is detected for both client types Presence Is About Client Location AP collects client presence data: • Mac address and RSSI information • Both on 2.4 GHz and 5 GHz AP collects presence data and forwards to HMNG • Reporting interval configurable. • Include both associated and unassociated clients. 
HMNG is responsible for: • Real-time storage • Historical storage • Calculating the actual location Big Data Store Data Processing CAPWAP Probe Client Location Estimate – Single AP Estimate client within a radius of a single AP • For example 2.5 meters from the AP • This is an approximation Pinpoint the client using triangulation • Client must be detected by at least 3 APs • Must be detected on the same frequency • Presence detection can be selectively configured on 5 GHz and/or 2.4 GHz radios Enabling Presence Create a radio profile with Presence settings • Configure > Common Objects > Policy > Radio profiles • Click + © Aerohive Networks, Proprietary & Confidential 166 Enabling Presence • Create a 5 GHz radio profile • Enable Presence Analytics • (Optional) Change the reporting interval • Rename the profie and Save Reporting interval © Aerohive Networks, Proprietary & Confidential • Repeat if you need it on 2.4 GHz radio radio profile as well • Push the radio profiles to the AP via Device Templates or via AP multi-select 167 Presence streaming API • The streaming API pushes raw location data to a 3rd party HTTP application server • The 3rd party server is responsible for storing and processing the data Push data to external HTTP server (Post URL) 3rd party server and database Big Data Store Data Processing CAPWAP Probe Presence streaming API data • Client MAC • Geolocation • Floor map location "apMac" : "9C5D12001AC0", "ownerId" : 10345, "observations" : [ { "clientMac" : "88CB87A0DA34", "ipv4" : "10.16.36.125", "ipv6" : null, "seenTime" : "2015-11-23T23:53:22.000Z", "seenEpoch" : 1448322802000, "ssid" : “TEST", "rssi" : -55, "manufacturer" : "Apple Inc", "os" : "Apple iOS", "lat" : -90.0, "lng" : -100.0, "unc" : 0.050709090242881026, "x" : 1430.772833949287, "y" : 900.3399784363806 Enabling Presence streaming API 1. Position devices on the floor plan. Resuts in (xy) coordinates © Aerohive Networks, Proprietary & Confidential 2. 
Define device geolocation (optional). Results in geolocation 170 Enabling Presence streaming API • Go to Administration • Select API Data Management • Add a Post URL where the Presence events should be sent to – this is your application server that will receive raw data • Make sure the access token matches both on HMNG and the application server © Aerohive Networks, Proprietary & Confidential 171 Feedback • Customers can provide feedback directly to Aerohive • Click text balloon Feedback • Customers can provide feedback directly to Aerohive • Admin can now capture or upload a screenshot • The screenshot can be attached to the feedback message that is sent to Aerohive © Aerohive Networks, Proprietary & Confidential 173 Feedback enhancement • The feedback form disappears and is now hidden when taking a screenshot • Feedback form reappears after the screenshot is captured © Aerohive Networks, Proprietary & Confidential 174 Thank you © Aerohive Networks, Proprietary & Confidential Questions? © Aerohive Networks, Proprietary & Confidential
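The OAuth2 exchange from the API section above, as an added example that is not Aerohive's own code or SDK: client-side helpers that build the thirdpartylogin redirect, accept the callback only at the registered redirect URL, build the accesstoken exchange, and attach ownerId to an API call. The `code` callback parameter, the token-request field names and the Bearer header format are assumptions not stated in the deck.

```python
"""Added example (not Aerohive's code): client side of the HiveManager NG
OAuth2 flow. Endpoints and ownerId come from the deck; the 'code' parameter,
token POST field names and Bearer header are assumptions."""
import json
from urllib.parse import urlencode, urlparse, parse_qs

LOGIN_URL = "https://cloud.aerohive.com/thirdpartylogin"
TOKEN_URL = "https://cloud.aerohive.com/services/acct/thirdparty/accesstoken"
API_BASE_US = "https://cloud-va.aerohive.com/xapi/v1"  # cloud-ie for international

def login_redirect_url(client_id, redirect_uri):
    """Step 2: where the admin's browser is sent so the VHM login can
    authorize the application (step 3)."""
    return LOGIN_URL + "?" + urlencode({"client_id": client_id,
                                        "redirect_uri": redirect_uri})

def auth_code_from_callback(callback_url, registered_redirect):
    """Step 4: the session returns to the redirect URL with the auth code.
    Only callbacks arriving at the registered redirect URL (scheme, host,
    path) are accepted; that URL is the extra layer tied to the client ID."""
    got, want = urlparse(callback_url), urlparse(registered_redirect)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback did not arrive at the registered redirect URL")
    codes = parse_qs(got.query).get("code")  # parameter name is an assumption
    if not codes:
        raise ValueError("no auth code in callback")
    return codes[0]

def token_request(client_id, client_secret, redirect_uri, code):
    """Step 5: the server-to-server request that swaps the auth code for
    access and refresh tokens. The client secret travels only in this POST
    body, never in a browser redirect. Field names are assumptions."""
    body = {"client_id": client_id, "client_secret": client_secret,
            "redirect_uri": redirect_uri, "code": code}
    return {"method": "POST", "url": TOKEN_URL,
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps(body)}

def api_request(access_token, owner_id, path="/location/clients", base=API_BASE_US):
    """Every API call carries the ownerId (VHM ID) parameter and the token
    (Bearer header format assumed)."""
    return {"method": "GET",
            "url": f"{base}{path}?{urlencode({'ownerId': owner_id})}",
            "headers": {"Authorization": f"Bearer {access_token}"}}
```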
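The receiving side of the Presence streaming API described above, as an added example that is not part of the deck or Aerohive's reference apps: it checks the shared access token before parsing anything, drops events carrying another ownerId, extracts the floor-map and geolocation fields, and reports which clients have been seen by at least 3 APs (the triangulation threshold from the Client Location Estimate slide). Field names follow the deck's sample payload; the X-Access-Token header and the extra AP MACs are assumptions.

```python
"""Added example (not Aerohive's code): receiver side of the Presence streaming
API. Field names follow the deck's sample; the X-Access-Token header and the
extra AP MACs are assumptions."""
import hmac
import json
from collections import defaultdict

SHARED_TOKEN = "REPLACE-WITH-HMNG-ACCESS-TOKEN"  # placeholder: same value as set in HMNG

def token_matches(presented, expected=SHARED_TOKEN):
    """Constant-time compare so a wrong token leaks nothing through timing."""
    return hmac.compare_digest((presented or "").encode(), expected.encode())

def parse_presence_event(body, expected_owner):
    """(apMac, rows) from one POST; rejects another VHM's ownerId or missing fields."""
    event = json.loads(body)
    if event.get("ownerId") != expected_owner:
        raise ValueError("ownerId does not match this VHM")
    ap, rows = event["apMac"], []
    for obs in event.get("observations", []):
        rows.append({"ap": ap, "client": obs["clientMac"], "rssi": int(obs["rssi"]),
                     "seen": obs["seenTime"],
                     "x": obs.get("x"), "y": obs.get("y"),          # floor map location
                     "lat": obs.get("lat"), "lng": obs.get("lng")})  # geolocation
    return ap, rows

def handle_post(headers, body, expected_owner):
    """HTTP status plus parsed rows; nothing is accepted unless the token matches."""
    if not token_matches(headers.get("X-Access-Token")):
        return 401, []
    try:
        return 200, parse_presence_event(body, expected_owner)[1]
    except (ValueError, KeyError):
        return 400, []

def triangulatable_clients(rows, min_aps=3):
    """Clients reported by at least min_aps distinct APs can be pinpointed by
    triangulation; the rest only get the single-AP radius estimate."""
    seen = defaultdict(set)
    for r in rows:
        seen[r["client"]].add(r["ap"])
    return sorted(c for c, aps in seen.items() if len(aps) >= min_aps)

def sample_event(ap_mac, client_mac, rssi):
    """Constructed POST body modelled on the deck's sample observation."""
    return json.dumps({"apMac": ap_mac, "ownerId": 10345, "observations": [
        {"clientMac": client_mac, "ipv4": "10.16.36.125", "ipv6": None,
         "seenTime": "2015-11-23T23:53:22.000Z", "ssid": "TEST", "rssi": rssi,
         "lat": -90.0, "lng": -100.0, "x": 1430.77, "y": 900.34}]})
```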