Transcript
TechBuzz – HiveManager NG and HiveOS: What’s Changed?
Gianluca Silvestri – System Engineer, Exclusive Networks Italy
© Aerohive Networks, Proprietary & Confidential
Overview
• HiveOS 6.5r3 and 6.6r2
• HiveManager NG
  • Customize column views
  • User Monitoring
  • Rogue AP and client historical visibility
  • WIPS History Report
  • PCI DSS 3.1 Compliance Report
  • Role Based Access Control
  • Supplemental CLI
  • Device Classification: Time Zones
  • Auto-provisioning
  • DHCP server & relay
  • Captive Web Portals (CWP)
  • Guest Access & Personal Device Access
  • User credentials – local storage
  • User credentials – cloud storage
  • RadSec proxies
  • User Groups – PPSK and RADIUS
  • Guest Access scenarios & workflows
  • Personal Device Access scenarios and workflows
  • Data/Time limit access policies
  • AAA and SMS Logs
  • SMS/Email print notification template
  • APIs
HiveOS 6.5r3 and 6.6r2
HiveOS – Golden vs. Feature
• Feature Release Goal – Include the latest and greatest features ASAP.
• Golden Release Goal – Stability-focused. Resolve all serious issues found by Coverity.
• Results
  • Done
  • Team resolved about 2,500 serious issues
  • Most remaining issues are in 3rd party code, or are medium/low severity
• Next steps
  • Watch for issues and retune as necessary
HiveOS Support
HiveManager NG now has support for the following HiveOS versions:
• HiveOS 6.5r3 for all platforms, including old hardware (AP120, AP110, etc.)
• HiveOS 6.6r2a for AP130, AP230, AP330, AP350 and AP1130
IMPORTANT: The go-to HiveOS platform for Astra is 6.5r3, as it has the latest important updates, including critical bug fixes.
6.5r3 Release Notes
6.6r2 Release Notes
HiveManager NG Quarter Update
Customize Column Views
• Column views can be customized from the Monitor menu
• Selectable column display
• Adjustable column order
• Authorized admins with read or read-write access can modify the views
Customize Column Views
Monitor/Devices:
• Click the edit column icon
• The column edit window displays all available column fields
• Uncheck ☐ several fields
• The column view changes
Customize Column Views
Monitor/Devices:
• Click and hold on any column header
• Drag the column header to the desired location
• Release the header and the column order changes
• Columns can be moved left or right
Customize Column Views
Monitor/Clients:
• Client column views can also be customized

Customize Column Views
Monitor/Events:
• Event column views can also be customized

Customize Column Views
Monitor/Alarms:
• Alarm column views can also be customized
User Monitoring
• Previously only client device monitoring was available
• Click Monitor > Users
• New monitor view of users
• Based on unique credentials
• View the number of client devices connected from a single user

User Monitoring
• Click User Name
• User Entity View
• Click the individual client icons
Rogue AP and Clients – Historical Visibility
• A timeline historical view is now available for Rogue APs, Unauthorized APs, Neighbor APs and rogue clients
• Monitor > Security
• The real-time view displays
• Adjust the timeline slider bar to see the historical view up to 7 days back
• Click the report icon to generate a WIPS report
WIPS History Report
• Monitor > Reports
• Click +
• Click the WIPS History icon

WIPS History Report
• Recurrence of the report can be once, daily, weekly or monthly
• The time range of the report can also be designated
• Enter email addresses
• Click Generate Report

WIPS History Report
• The admin will receive a notification email
• Click View Report
• The admin will be redirected to a URL where the report can be viewed online
• Browser print/save capabilities can be used to save in PDF format
PCI 3.1 Compliance Report
• Monitor > Reports
• Click +
• Click the PCI DSS 3.1 icon

PCI 3.1 Compliance Report
• Recurrence of the report can be once, daily, weekly or monthly
• The time range of the report can also be designated
• Enter email addresses
• Click Generate Report

PCI 3.1 Compliance Report
• The admin will receive a notification email
• Click View Report
• The admin will be redirected to a URL where the report can be viewed online
• Browser print/save capabilities can be used to save in PDF format

PCI 3.1 Compliance Report
To generate a monthly PCI or WIPS report:
• Select ⦿ Monthly
• Time Range: Select Month
• Drag the time slider bar to cover the entire 31 days to collect a full month of data

PCI 3.1 Compliance Report
• All components are on by default except the Summaries component
• Click + to include the Summaries component in the PCI report
Role Based Access Control
• HiveManager NG supports RBAC
• When creating a new administrative account you can assign a role
• A role defines what functions the admin is able to access within HiveManager NG
• Access can be further restricted by location – users will only have access to devices in specific locations
Role Based Access Control
• When creating a new user, Role Based Access Control offers two choices:
  • Internal user account: admins/users from within the organization
  • Outside users: admins/users from outside the organization (resellers, distributors…)
• Outside users must have existing HiveManager NG accounts
• Accounts are checked against their email address
• Access can be verified in logs
Role Based Access Control
• Roles can be assigned access to certain locations based on topology maps
• Roles are assigned based on the tier two level of topology maps
• The Administrator and Guest Management roles have universal access and cannot be assigned to unique locations
Role Based Access Control
• Tier one of the network map is called a network name and it is often named after your organization.
• The definition of the second tier depends on how you define your network map.
• You can assign either a geographic location, such as a city or town, or a building to the network name.
• For role based access control, tier two is the most important tier because its assignment determines the admin/user access.
  • Example #1: Tier two based on locations
  • Example #2: Tier two based on buildings
• RBAC access rights cannot be assigned by floor
Role Based Access Control
• Administrator
  The Administrator role provides full access to all configuration, monitoring, and administrative functions. It is the only role that has access to account and license management.
• Operator
  The Operator role provides full access to most functions, including network and device configuration. However, it does not allow access to user account and license management.
• Monitor
  The Monitor role provides full access to troubleshooting and read-only access to monitoring and configuration functions.
• Help Desk
  The Help Desk role provides full access to the Troubleshoot tab and search access to the User 360 View and Client 360 View.
• Guest Management
  The Guest Management role provides access to create network credentials.
• Observer
  The Observer role provides read-only access to most functions except for account and license management.
Role Based Access Control
• Admins/users who have access to your entire network are called global.
• Admins/users who are restricted to a location or building are called local.
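The role, global/local and tier-two rules above, modelled as an added deny-by-default authorization check (example code written for this page, not Aerohive's; the permission labels, topology paths and e-mail addresses are assumptions):

```python
# Added example (not Aerohive code): a minimal model of the HiveManager NG
# RBAC rules described in the deck. Role names and the tier-two scoping rule
# are from the slides; the permission labels, topology paths and e-mail
# addresses are constructed assumptions.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Assumed permission labels, not HiveManager NG identifiers.
CONFIGURE = "configure"
MONITOR = "monitor"                  # read-only monitoring
TROUBLESHOOT = "troubleshoot"
ACCOUNTS_LICENSES = "accounts_licenses"
CREATE_GUEST_CREDENTIALS = "create_guest_credentials"

# Simplified reading of the six role descriptions in the deck.
ROLE_PERMISSIONS = {
    "Administrator": frozenset({CONFIGURE, MONITOR, TROUBLESHOOT,
                                ACCOUNTS_LICENSES, CREATE_GUEST_CREDENTIALS}),
    "Operator": frozenset({CONFIGURE, MONITOR, TROUBLESHOOT}),
    "Monitor": frozenset({MONITOR, TROUBLESHOOT}),
    "Help Desk": frozenset({TROUBLESHOOT}),
    "Guest Management": frozenset({CREATE_GUEST_CREDENTIALS}),
    "Observer": frozenset({MONITOR}),
}

# These two roles have universal access and cannot be tied to locations.
UNSCOPED_ROLES = frozenset({"Administrator", "Guest Management"})


def can_be_location_scoped(role: str) -> bool:
    """True if an account with this role may be restricted to tier-two locations."""
    return role in ROLE_PERMISSIONS and role not in UNSCOPED_ROLES


@dataclass(frozen=True)
class Admin:
    email: str
    role: str
    # Tier-two names (cities or buildings) the account is limited to.
    # None means a global admin with access to the entire network.
    locations: Optional[FrozenSet[str]] = None

    def __post_init__(self) -> None:
        if self.role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {self.role!r}")
        if self.locations is not None and not can_be_location_scoped(self.role):
            raise ValueError(f"{self.role} accounts cannot be restricted by location")

    @property
    def is_global(self) -> bool:
        return self.locations is None


@dataclass(frozen=True)
class Device:
    name: str
    # Topology path: tier one (network name), tier two (location or
    # building), then optional deeper levels such as floors.
    path: Tuple[str, ...]

    @property
    def tier_two(self) -> str:
        if len(self.path) < 2:
            raise ValueError(f"{self.name} is not placed under a tier-two location")
        return self.path[1]


def is_allowed(admin: Admin, permission: str, device: Device) -> bool:
    """Deny by default: the role must grant the permission AND the device's
    tier-two location must be inside the admin's scope."""
    if permission not in ROLE_PERMISSIONS[admin.role]:
        return False
    if admin.is_global:
        return True
    # Scope is decided at tier two only: floors cannot be scoped, so a local
    # admin sees every floor of a permitted location or building.
    return device.tier_two in admin.locations
```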
Supplemental CLI
• A Supplemental CLI object gives an admin the ability to configure CLI commands that are not available in the HiveManager NG GUI
• CLI object commands can be applied to one device or many devices via a network policy
• The commands listed in the CLI object will override the configuration in the network policy and device-specific settings
Supplemental CLI
• Supplemental CLI must be enabled at the global level
• Off by default
• Click the gear icon
• Administration > VHM Management > Supplemental CLI
• Select
Supplemental CLI
Configure within a Network Policy:
• Additional Settings > Policy Settings > Supplemental CLI
• Choose
Supplemental CLI
• Multiple CLI commands
• One command per line
• Max 2048 characters
• Still requires a complete update
• NG knows that a complete update is needed and reminds you in a message
Supplemental CLI
• In this example, a CLI object was created with CLI commands to assign a pool of user VLANs to a single user profile called employee
• The VLAN pool consists of VLANs 400, 401 and 402
Supplemental CLI
Monitor > Devices
• Select ☑ the AP
• Click the audit icon
• Commands can be viewed in the complete configuration of the device
• Show Running Config
Supplemental CLI
Supplemental CLI objects can also be created from:
• Configuration > Common Objects > Basic > Supplemental CLI Objects
• Used By: click on the number
• You can view the network policies that are linked to the CLI object
Supplemental CLI
Additional Settings:
• Previously created CLI objects can be re-used in other network policies
• Re-use Supplemental CLI Settings
• Click
• Select ☑ the object
• Click Select
Supplemental CLI – device level
• Supplemental CLI settings can also be applied at the device level
• Different groups of devices can be assigned a supplemental object via multi-select
• At the device level, a supplemental CLI can override or append the network policy-level supplemental CLI
Supplemental CLI – device level
Supplemental CLI can also be appended at the device level
• Monitor > Devices
• Select ☑ the AP
• Configuration > Device Configuration
• Select ⦿ Keep Supplemental CLI in the network policy
• Select or create a CLI object to append
Supplemental CLI – device level
• After the complete upload, the device-level supplemental CLI settings have been appended to the network policy.
• The policy-level supplemental CLI settings also remain.
Supplemental CLI – device level
Supplemental CLI can also be overridden at the device level
• Monitor > Devices
• Select ☑ the AP
• Configuration > Device Configuration
• Select ⦿ Override Supplemental CLI in the network policy
• Select or create a CLI object for the device-level override
Supplemental CLI – device level
• After the complete upload, the device-level supplemental CLI settings have been appended to the network policy.
• The device-level supplemental CLI settings replace the policy-level supplemental CLI settings.
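How a device's effective supplemental CLI is derived in the two device-level modes described above (Keep = append, Override = replace), together with the one-command-per-line and 2048-character limits, as an added example that is not Aerohive code; the command strings are constructed placeholders, not verified HiveOS syntax:

```python
# Added example (not Aerohive code): derive a device's effective supplemental
# CLI from the policy-level object and an optional device-level object in the
# two modes described in the deck, "Keep" (append) and "Override" (replace).
# Command strings below are constructed placeholders, not verified HiveOS syntax.
from dataclasses import dataclass
from typing import List, Optional

MAX_CHARS = 2048  # size limit stated in the deck for one CLI object


@dataclass(frozen=True)
class SupplementalCli:
    name: str
    text: str  # raw object body, one command per line

    def problems(self) -> List[str]:
        """Reasons the object would not be accepted; empty list when it is fine."""
        out: List[str] = []
        if len(self.text) > MAX_CHARS:
            out.append(f"{self.name}: {len(self.text)} characters exceeds {MAX_CHARS}")
        for n, line in enumerate(self.text.splitlines(), start=1):
            if ";" in line:  # several commands crammed onto one line
                out.append(f"{self.name}: line {n} must hold exactly one command")
        return out

    def commands(self) -> List[str]:
        """Commands in order, blank lines dropped; raises if the object is invalid."""
        probs = self.problems()
        if probs:
            raise ValueError("; ".join(probs))
        return [ln.strip() for ln in self.text.splitlines() if ln.strip()]


def effective_cli(policy: Optional[SupplementalCli],
                  device: Optional[SupplementalCli],
                  mode: str = "keep") -> List[str]:
    """Commands pushed to one device after a complete update.

    mode="keep":     policy-level commands first, device-level appended after
    mode="override": device-level commands replace the policy-level ones
    Without a device-level object, either mode yields the policy-level commands.
    """
    policy_cmds = policy.commands() if policy else []
    device_cmds = device.commands() if device else []
    if mode == "keep":
        return policy_cmds + device_cmds
    if mode == "override":
        return device_cmds if device else policy_cmds
    raise ValueError(f"unknown mode {mode!r}")


def needs_complete_update(before: List[str], after: List[str]) -> bool:
    """Any change in the effective supplemental CLI requires a complete update
    (which NG reminds you about); an edit that changes nothing does not."""
    return before != after


# Constructed sample objects. The first mirrors the deck's scenario (a VLAN
# pool of 400, 401 and 402 for the "employee" user profile) in placeholder syntax.
POLICY_CLI = SupplementalCli(
    "employee-vlan-pool",
    "user-profile employee vlan 400\n"
    "user-profile employee vlan 401\n"
    "user-profile employee vlan 402\n",
)
DEVICE_CLI = SupplementalCli("branch-syslog", "syslog server 10.0.0.5\n")
```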
Device Classification: Time Zones
• Time zones can be assigned to devices by classification
• Devices such as APs must be linked to topology maps

Device Classification: Time Zones
Configure within a Network Policy:
• Additional Settings > Policy Settings > Device Time Zone
• Select ☑ Apply time zone to devices via classification
• Click +

Device Classification: Time Zones
• Time Zone: select the desired time zone
• Click Add
• Assignment Rules: click +

Device Classification: Time Zones
• Name: enter a rule name
• Click +
• Click Device Location
• Select the desired location, building or floor
• Click Select

Device Classification: Time Zones
• Observe the first rule
• Scroll down and click Save

Device Classification: Time Zones
Repeat the steps for the next time zone:
• Time Zone: select the desired time zone
• Click Add
• Assignment Rules: click +

Device Classification: Time Zones
• Name: enter a rule name
• Click +
• Click Device Location
• Select the desired location, building or floor
• Click Select

Device Classification: Time Zones
• Observe the assignment rules
• Click Save
• Click Next

Device Classification: Time Zones
• Select the APs
• Click Upload
• Click Upload
• The APs will update

Device Classification: Time Zones
Verify the time zone assignment:
• Monitor > Devices
• Select ☑ an AP
• Actions > Advanced > CLI Access

Device Classification: Time Zones
• Type show time
• Click Apply
• Verify the time zone
• Repeat the steps for another AP
• Verify the time zone
Automatic Provisioning
• Automatic provisioning is now supported in HiveManager NG
• Configuration policies can be assigned automatically to Aerohive devices based on serial number or IP address
• CSV import of more detailed information can also be used with Auto-Provisioning

Automatic Provisioning – Onboarding
• Devices must first be onboarded into HiveManager NG
• Based on serial numbers, the devices will be registered in the redirector.

Automatic Provisioning
Configure/Common Objects:
• From the left policy sidebar, highlight Auto Provisioning
• Click the + icon

Automatic Provisioning
• Name: auto-policy name
• Device Function: AP
• Device Model: All
• Select ☑ Serial Numbers
• Click the Select Serial Numbers button

Automatic Provisioning
• Devices must be previously onboarded. Select the serial numbers and move them to the right window
• Click Save

Automatic Provisioning
• Network Policy: select from the drop-down
• Country Code: select from the drop-down
• Auto-assign Location: click Assign

Automatic Provisioning
• Select a floorplan location and click Assign

Automatic Provisioning
Advanced Settings:
• Upload configuration automatically
• Reboot after uploading
• You also have the option of automatically updating the firmware of the APs: Upload HiveOS upon device authentication
• Save your auto-provisioning policy

Automatic Provisioning
To activate the auto-provisioning policy:
• Enabled: Select

Automatic Provisioning
• Connect the APs
• The APs establish a CAPWAP connection to HiveManager NG and then auto-provision

Automatic Provisioning
Monitor/Events:
• Verify that auto-provisioning was successful

Automatic Provisioning
• Auto Provisioning policies can be for all AP models
• Auto Provisioning policies can be for specific AP models
• Model-specific policies also allow device-specific settings to be defined
  • Example: wireless and wired interface settings

Automatic Provisioning – CSV import
• CSV import of more detailed information can also be used with Auto-Provisioning:
  • Host Names
  • Static IP addresses
  • Static Channel and Power settings
  • Supplemental CLI
• Device-specific rules in the CSV file take precedence over any global auto-provisioning settings

Automatic Provisioning – CSV import
• Make sure serial numbers are selected after initial onboarding
• Select ☑ Add additional devices via CSV import
• Click Choose
• Select the CSV file from your computer and import
• You can also manually type in serial numbers
• Scroll down ⬇
• Verify the import
• Click Save

Automatic Provisioning by IP Subnet
• Aerohive devices can also be auto-provisioned based on their IP subnetwork
• Important: the serial numbers of the devices must previously be onboarded into the redirector. The serial numbers must also be selected in the provisioning policy

Automatic Provisioning by IP Subnet
• Click IP Subnetworks
• Uncheck ☐ Add additional devices via CSV import
• Select ☑ Manually enter additional devices
• Enter multiple IP subnets where devices may reside. Separate subnets by commas.
• Click Save

Automatic Provisioning by IP Subnet
• Choose Location and Subnet
• From the dropdown box, select individual subnets and map them to different floorplan locations.
• Click Save
DHCP Server & Relay
Monitor > Devices
• Select ☑ the device that will function as a DHCP server
• Click the edit icon
• Click DHCP Server and Relay
• Click +

DHCP Server & Relay
• Name: type a name
• Interface: select mgt0.1

DHCP Server & Relay
• IP Address: 192.168.50.2 (enter the IP address for the mgt0.1 interface)
• Netmask: 255.255.255.0
• VLAN ID: 300 (enter the VLAN that is mapped to this /24 network)
• Ensure that ☑ DHCP server is selected
• Review the default settings:
  ☑ Enable Ping on this interface
  ☑ Set the DHCP server as authoritative
  ☑ Use ARP to check for IP conflicts
  ☐ Enable NAT Support
• Scroll down

DHCP Server & Relay
IP Pool
• Click +
• Start IP Address: 192.168.50.100
• End IP Address: 192.168.50.254
• The system will warn if the addressing is incorrect
• Click Add
• Verify the IP Pool
• Scroll down

DHCP Server & Relay
DHCP Server Options
• Default Gateway: 192.168.50.1
• DNS: 8.8.8.8
• Note: the netmask is automatically inherited from the mgt0.X interface
• Enter other server options
• Click Save
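The addressing checks behind "the system will warn if the addressing is incorrect", applied to the exact settings configured above, as an added example that is not Aerohive code; which checks the product really performs is an assumption, the addresses are the deck's:

```python
# Added example (not Aerohive code): sanity checks for the AP DHCP server
# settings in the deck (mgt0.1 = 192.168.50.2/24 on VLAN 300, pool
# .100-.254, gateway .1, DNS 8.8.8.8). The set of checks is an assumption
# about what such a validation needs, not the product's own rules.
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class ApDhcpServer:
    interface: str               # e.g. "mgt0.1"
    ip_address: str              # address of that interface
    netmask: str                 # also inherited by the pool
    vlan_id: int
    pool_start: str
    pool_end: str
    default_gateway: str
    dns_servers: List[str] = field(default_factory=list)

    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Interface(f"{self.ip_address}/{self.netmask}").network

    def lease_capacity(self) -> int:
        """Number of addresses the pool can hand out."""
        start = ipaddress.IPv4Address(self.pool_start)
        end = ipaddress.IPv4Address(self.pool_end)
        return max(0, int(end) - int(start) + 1)

    def problems(self) -> List[str]:
        """Human-readable reasons the configuration should be rejected; empty if OK."""
        out: List[str] = []
        net = self.network()
        ip = ipaddress.IPv4Address(self.ip_address)
        start = ipaddress.IPv4Address(self.pool_start)
        end = ipaddress.IPv4Address(self.pool_end)
        gw = ipaddress.IPv4Address(self.default_gateway)

        if not 1 <= self.vlan_id <= 4094:
            out.append(f"VLAN {self.vlan_id} is outside 1-4094")
        if start > end:
            out.append(f"pool start {start} is after pool end {end}")
        # Pool and gateway must sit in the interface's subnet (the mask is inherited).
        for label, addr in (("pool start", start), ("pool end", end), ("gateway", gw)):
            if addr not in net:
                out.append(f"{label} {addr} is not inside {net}")
        # Never lease the network or broadcast address.
        if start == net.network_address:
            out.append(f"pool start {start} is the network address")
        if end == net.broadcast_address:
            out.append(f"pool end {end} is the broadcast address")
        # Never lease addresses the AP itself or the gateway already use; in the
        # deck .1 and .2 fall outside the .100-.254 pool.
        if start <= ip <= end:
            out.append(f"pool contains the {self.interface} address {ip}")
        if start <= gw <= end:
            out.append(f"pool contains the default gateway {gw}")
        for dns in self.dns_servers:
            try:
                ipaddress.IPv4Address(dns)
            except ValueError:
                out.append(f"DNS server {dns!r} is not a valid IPv4 address")
        return out


# The configuration from the deck, as constructed input for the checks.
DECK_EXAMPLE = ApDhcpServer(
    interface="mgt0.1",
    ip_address="192.168.50.2",
    netmask="255.255.255.0",
    vlan_id=300,
    pool_start="192.168.50.100",
    pool_end="192.168.50.254",
    default_gateway="192.168.50.1",
    dns_servers=["8.8.8.8"],
)
```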
DHCP Server & Relay
• DHCP options can also be configured

DHCP Server & Relay
• It is always better to use an external DHCP server for scaling purposes
• An AP-based DHCP server is okay for smaller deployments
• Often used for the Guest VLAN

DHCP Server & Relay
• An Aerohive device can also function as a DHCP relay agent
Captive Web Portal (CWP)
• Configure > Common Objects > Policy > Authentication > Captive Web Portals
• Click +
Many CWP use cases are available:
• User Authentication
• Self-Registration
• Private PSK
• User Policy Acceptance
• Combinations

Captive Web Portal (CWP)
[Diagram: CWP building blocks – User Auth, Self Registration*, User Policy Acceptance, PPSK]
*Note: Self Registration is cloud only

Captive Web Portal (CWP) Use Case
[Matrix of the use cases below against the building blocks User Auth*, Self-Reg, PPSK and UPA]
Use cases: Guest Access (GA) Auth; GA w/Auth & Policy Accept*; GA w/Leave Details; GA w/Policy Accept; GA w/Details & Policy Acc.; GA w/Self-Reg + PPSK; GA w/Self-Reg + PPSK + Policy; Personal Device Access; PDA + Policy; User Policy Acceptance
*External RADIUS server is used.
*3rd-party CWP only available with option 1!

Captive Web Portal (CWP)
• Captive web portal objects can also be directly configured with the various guided configuration workflows
• Different CWP workflows for different SSID security

Captive Web Portal (CWP)
• A different captive web portal can be displayed based on device classification (location)
• A default CWP still needs to be selected

Captive Web Portal (CWP)
• CWP pages can be customized
  • Colors, logo, disclaimer
• CWP pages can be previewed

Captive Web Portal (CWP)
• URL redirects for the success page
• Multiple language support
• Advanced CWP settings
• Walled garden
Personal Device Access and Guest Access
• The “legacy” ID Manager (IDM) has been integrated into HiveManager NG
• The IDM feature configuration is spread across the HMNG GUI
• The terms “ID Manager” and “IDM” refer to the legacy product and are no longer used
• New terminology:
  • Personal Device Access: Bring Your Own Device
  • Guest Access: administrator-initiated guest access, Guest Management role, self-registration, API
Storing User Credentials
Option 1: Locally on Aerohive Device
• Supports both PPSK and RADIUS (802.1X) users
• Supports up to 1000 users per User Group
• User accounts are pushed to the APs
• User Groups and User Profiles are stored locally
• NOTE: User Profile ID is an internal concept and doesn’t need to be configured anymore!
[Diagram: PPSK and 802.1X clients authenticate against the User DB on the AP; HiveManager NG (Big Data Store, Data Processing) pushes the user accounts to the APs]

Storing User Credentials
Option 1: Locally on Aerohive Device
• User information: show user
• User Group information: show user-group
Storing User Credentials
When to use local storage of PPSK credentials?
• Survivability in case of WAN failure
  • Infrastructure devices (printers, TVs, scanners…)
  • VIP users
  • Critical devices (manufacturing...)
• Small sites with unreliable WAN
• Could also be used for Personal Device and Guest Access

Storing User Credentials
Option 1: Locally on Aerohive Device
• User Profiles are stored in configuration
• User Profile ID is mapped automatically
• NOTE: User Profile ID is no longer relevant for configuration and is an internal concept only!
• CLI commands: exec aaa idm-test, show user-profile, show station
Storing User Credentials
Option 2: In the Cloud (Service)
• Supports both PPSK and RADIUS (802.1X) users
• RadSec needs to be permitted between the Aerohive device and HMNG
  • TCP port 2083 needs to be open in outbound firewall policies
• Both authentication and accounting information is sent via the RadSec tunnel
• The service cannot act as a RADIUS server for 3rd party devices
[Diagram: PPSK and 802.1X clients; the AP tunnels RADIUS over RadSec to the cloud Authentication Service, backed by the Big Data Store and Data Processing]
Note: Guest self-registration requires cloud storage
Storing User Credentials
Cloud and local storage: RadSec proxy
• Two APs per subnet are automatically elected as RadSec proxies to the cloud service
• Reduces the number of RadSec connections
Lookup order
• When a client authenticates, the local DB is queried first. If the credential is not found, the request is sent to the Cloud
• Non-RadSec-proxy devices relay the request through the RadSec proxy
[Diagram: PPSK and 802.1X clients; APs forward requests through the RadSec proxies over RadSec to the cloud Authentication Service, Big Data Store and Data Processing]

RadSec Proxies
• RadSec proxy selection remains automatic
• Two APs are dynamically elected as RadSec proxies on every management subnet
• Currently no static assignment of RadSec proxy devices

RadSec Proxies
• Currently no icon to indicate which devices are the RadSec proxies
• A CLI command can be used from any AP to see which of the RadSec proxies is being used by that AP: show idm

RadSec Proxies
• TCP port 2083 needs to be open in outbound firewall policies
• No GUI-based RadSec test tool yet
• RadSec test tool available from the command line: exec aaa idm-test radsec-proxy

RadSec Proxies
• Error messages can also be seen in the Advanced Troubleshooting tool
User Groups
• As an Administrator you can configure Users and User Groups
• Each User belongs to a certain User Group
• A User Group defines what kind of credentials will be used and where they will be stored
  • Credentials can be PPSK
  • Credentials can be RADIUS-based (user name/password)
  • Credentials can be stored on an Aerohive device (AP)
  • Credentials can be stored in the Cloud

User Groups – PPSK on device
User Group/PPSK configuration:
• Strength of PPSK credentials can be configured
• Time-based PPSK credentials based on fixed dates

User Groups – PPSK in cloud
User Group/PPSK configuration:
• More options with Cloud:
  • Allow renewal
  • Enable CWP Register
• More PPSK expiration choices:
  • Never Expire
  • Valid During Dates
  • Daily
  • Valid for Time Period
• Delivery Settings:
  • Text Messages (SMS)
  • Email

User Groups – RADIUS
User Group/RADIUS configuration:
• Local
• More options with Cloud:
  • Allow renewal
  • Enable CWP Register
  • More Expiration choices

User Groups and Users
User Group/Users configuration:
• User Groups and Users can be created from the object management menu
• User Groups and Users can be created in the guided configuration workflow
• Currently no bulk upload except via APIs.
Guest Access

Guest Access – Workflows
• Admin: the Administrator creates User accounts
• Employee / lobby admin: an employee creates User accounts
• Guest: guests self-register using the CWP; (optional) employees approve guests
• A custom application provisions Guest Accounts using the Identity API
Guest Access: Employee/Guest Managers
Workflow Scenario #2:
• Create User Group(s)
• Create Guest Management User(s)
• Create an Employee Group
• Create an SSID and associate User Groups
• Update the policy to the APs
• Log in to HiveManager NG as the Guest Management User
• Create Guest Accounts

Guest Access: Employee/Guest Managers
• Configure > Users > User Management > User Groups
• Click +

Guest Access: Employee/Guest Managers
• User Group Name: Guest-X
• Password DB Location: Service
• Password Type: PPSK
• Password Settings (configure password strength):
  ☑ Letters
  ☑ Numbers
  ☐ Special Characters
  Enforce the use of: All selected character types
• PSK Generation Method: Password Only
• Scroll down ⬇

Guest Access: Employee/Guest Managers
• Require Authentication After: 1800 Seconds
• Account Expiration: Valid For Time Period
  • in 24 Hours
  • after First Login
• Access key must be used within: 7 days
• Deliver Access Key by:
  ☐ Text Messages (SMS)
  ☑ Email
• Click

Guest Access: Employee/Guest Managers
• Repeat the steps to create more User Groups
• Examples: VIPs and Contractors
• You can create multiple guest user groups, each with different time limitations
• Multiple user groups can be linked to a single guest SSID

Guest Access: Employee/Guest Managers
Create a Guest Management Account
• Click the gear icon
• User Accounts: click +

Guest Access: Employee/Guest Managers
Choose Role:
• Select ⦿ Guest Management
• Click
Note: Locations cannot be assigned to the Guest Management Role
• Select ⦿ Create a new user account
• Email address: your email
• Name: guest-X

Guest Access: Employee/Guest Managers
The guest management user will receive a password registration email
• Click Setup Password
• Set Account Password: Aerohive123
• Confirm Account Password: Aerohive123
• Click Save & Next

Guest Access: Employee/Guest Managers
Create an Employee Group
• Configure > Users > User Management > Employee Groups
• Click +

Guest Access: Employee/Guest Managers
Link the previously created guest management users to User Groups
• Group Name: Guest Manager-X
• Admin Account: Guest Management Role User
• Management User: your email
• Enable User Groups: ☑ Guest-X (select the user groups in which the guest management user(s) will be able to create guest users)
• Click

Guest Access: Employee/Guest Managers
Create a Guest SSID within the Network Policy:
• SSID Name: Guest-X
• SSID Broadcast Name: Guest-X
• Select Private Pre-Shared Key
• Scroll down ⬇

Guest Access: Employee/Guest Managers
Link User Groups to the SSID
• Click the select icon
• Select ☑ Guest-X
• Click Select
• Verify the linked User Groups
• Scroll down ⬇

Guest Access: Employee/Guest Managers
• Create a Guest User Profile
• Click +
• User Profile Name: Guest-X
• Connected to VLAN: 1 (designate a Guest VLAN)
• Security tab: click ON

Guest Access: Employee/Guest Managers
• Choose the select icon
• Select the ☑ Guest-Internet-AccessOnly firewall policy
• Click Select

Guest Access: Employee/Guest Managers
• Verify the guest firewall policy
• Click
• Verify the guest User Profile and guest VLAN and click

Guest Access: Employee/Guest Managers
• Update the APs
• Click Upload

Guest Access: Employee/Guest Managers
Create guest user credentials:
• Log in to HiveManager NG as the Guest Management User
• Click +

Guest Access: Employee/Guest Managers
• Choose the proper user group
• Enter the guest user information
• Generate or manually type a PPSK password
• Designate the delivery email address
• Click

Guest Access: Employee/Guest Managers
• The guest user receives an email with the PPSK credential
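The Guest-X user group settings from this scenario (letters and numbers with all selected types enforced, valid for 24 hours after first login, access key to be used within 7 days, re-authentication after 1800 seconds) as a small credential policy; this is an added example, not Aerohive code, and the PSK length, the special-character set and the state names are assumptions:

```python
# Added example (not Aerohive code): the Guest-X user group settings from the
# deck as a credential policy. Letters + numbers with all selected types
# enforced, "Valid For Time Period: 24 Hours after First Login", "Access key
# must be used within 7 days" and "Require Authentication After: 1800 Seconds"
# are from the deck; the PSK length, the special-character set and the state
# names are assumptions.
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional


@dataclass(frozen=True)
class PpskPolicy:
    letters: bool = True
    numbers: bool = True
    special: bool = False
    enforce_all_selected: bool = True
    length: int = 10                                   # assumed
    valid_for: timedelta = timedelta(hours=24)         # counted from first login
    must_use_within: timedelta = timedelta(days=7)     # access key validity
    reauth_after: timedelta = timedelta(seconds=1800)

    def character_classes(self) -> Dict[str, str]:
        classes: Dict[str, str] = {}
        if self.letters:
            classes["letters"] = string.ascii_letters
        if self.numbers:
            classes["numbers"] = string.digits
        if self.special:
            classes["special"] = "!#$%&*+-=?@_"       # assumed set
        if not classes:
            raise ValueError("select at least one character type")
        return classes

    def complies(self, psk: str) -> bool:
        """Right length, only allowed characters and, when enforced,
        at least one character from every selected class."""
        classes = self.character_classes()
        allowed = "".join(classes.values())
        if len(psk) != self.length or any(ch not in allowed for ch in psk):
            return False
        if self.enforce_all_selected:
            return all(any(ch in cls for ch in psk) for cls in classes.values())
        return True

    def generate(self) -> str:
        """CSPRNG-backed PSK; rejection sampling keeps every character uniform."""
        allowed = "".join(self.character_classes().values())
        while True:
            psk = "".join(secrets.choice(allowed) for _ in range(self.length))
            if self.complies(psk):
                return psk


@dataclass
class GuestCredential:
    psk: str
    issued_at: datetime
    first_login_at: Optional[datetime] = None
    last_auth_at: Optional[datetime] = None

    def status(self, policy: PpskPolicy, now: datetime) -> str:
        """One of: unused, expired_unused, active, reauth_required, expired."""
        if self.first_login_at is None:
            if now < self.issued_at + policy.must_use_within:
                return "unused"
            return "expired_unused"            # key never used within 7 days
        if now >= self.first_login_at + policy.valid_for:
            return "expired"                   # 24 h after first login
        if self.last_auth_at is None or now - self.last_auth_at >= policy.reauth_after:
            return "reauth_required"
        return "active"

    def authenticate(self, policy: PpskPolicy, now: datetime, presented: str) -> bool:
        """Accept the presented PSK if it matches and the credential is still
        usable, then record the login; the first success starts the 24 h clock."""
        if not secrets.compare_digest(presented, self.psk):
            return False
        if self.status(policy, now) in ("expired", "expired_unused"):
            return False
        if self.first_login_at is None:
            self.first_login_at = now
        self.last_auth_at = now
        return True
```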
Guest Access: Self-Registration Workflow Scenario #3: •Create a PPSK-enabled SSID •Create a Self-Registation enabled User Group •Create an open SSID •Assign a Self-Registration Captive Web Portal •Update policy to APs
© Aerohive Networks, Proprietary & Confidential
123
Guest Access: Self-Registration
• Use the guided configuration to create a new Network Policy • In the policy, create an SSID profile • Click + © Aerohive Networks, Proprietary & Confidential
124
Guest Access: Self-Registration Create a Guest SSID within the Network Policy: • SSID Name: Secure-Guest-X • SSID Broadcast Name: Secure-Guest-X • Select Private Pre-Shared Key • Scroll Down ⬇
Guest Access: Self-Registration Create a User Group for Self-Registration: • Click +
Guest Access: Self-Registration • User Group Name: Secure-Guest-X • Password DB Location: Service • Password Type: PPSK • Select ☑ Enable CWP Register • Password Settings: (Configure password strength) ☑ Letters ☑ Numbers ☐ Special Characters Enforce the use of: All selected character types
• PSK Generation Method: Password Only • Scroll down ⬇
Guest Access: Self-Registration • Require Authentication After: 1800 Seconds • Account Expiration: Valid For Time Period • in 24 Hours • after First Login • Access key must be used within: 7 days • Deliver Access Key by: • ☐ Text Messages (SMS) • Select ☑ Email • Click
Guest Access: Self-Registration • Verify the self-registration User Group • Multiple User Groups can be linked to the SSID • Select or create a User Profile • Remember to include a guest firewall policy • Save the SSID settings
Guest Access: Self-Registration Create an open SSID for self-registration: • Click + • SSID Name: Register-X • SSID Broadcast Name: Register-X • Select Open (Unsecured) • Click Enable Captive Web Portal
• Scroll down ⬇
Guest Access: Self-Registration Assign a self-registration CWP: • Turn Enable UPA • Turn Return Aerohive Private PSK • Turn Enable Self-Registration • Click the + icon to create a Captive Web Portal
Guest Access: Self-Registration • Name: Register-X • Choose Access SSID (Private PSK): Secure-Guest-X • Choose a PPSK Server: • Select Cloud PPSK Registration Server
Guest Access: Self-Registration • Employee Approval on by default • Turn Employee Approval • Captive Web Portal can now be customized • Save the CWP
Guest Access: Self-Registration • Verify the Captive Web Portal • Save the SSID
• Verify both SSIDs • Click
Guest Access: Self-registration • Update the APs • Click Upload
Guest Access: Self-registration • Guest user connects to open SSID • Guest user self-registers via captive web portal
Guest Access: Self-registration • Captive web portal success page delivers the PPSK credential • Guest user connects to secure SSID using the PPSK credential
Personal Device Access
Personal Device Access (PDA)
• Admin: Administrator creates User accounts
• Employee: Employees enroll personal devices using CWP
• Employee (sponsorship/Kiosk app, ADFS Auth): Custom application provisions PPSK for BYOD
Guest Access and Personal Device Access Considerations
Data and Time limit access policy
[Diagram: User Policy (100 MB in 24 hrs, 1 GB in 24 hrs) → RadSec tunnel → HMNG; accounting: quota expired, disconnect client]
• Admin can apply access control policy • When a client reaches their quota, it is disconnected by HMNG • This applies to PPSK/Open/WEP/802.1X clients • Requires RadSec connectivity with HMNG
Data and Time limit access policy
Important: • Data and Time limits only work with PPSK/802.1X and not Open SSID • Only works with service (cloud) storage and not local storage • Default accounting update interval between the AP and cloud is 10 minutes • Therefore the smallest default time limit is 10 minutes • Current best practice would be to also use rate-limiting if using the data limits within that 10 minute interval
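The 10-minute accounting interval and the rate-limiting advice above, worked through as an added Python example (not Aerohive's code): the disconnect behaviour is modelled from the slide text, and all rates and limits are constructed values.

```python
"""Added example (not Aerohive's code): model HMNG data/time quota enforcement
driven by the periodic AP accounting updates described above, showing why a
client can exceed its limit by up to one interval of traffic and how a rate
limit bounds that overshoot.  All traffic figures are constructed."""
from dataclasses import dataclass

ACCOUNTING_INTERVAL_S = 600   # default AP -> cloud accounting interval (10 min)

@dataclass
class Session:
    client_mac: str
    data_limit_bytes: int
    used_bytes: int = 0
    disconnected: bool = False

def accounting_update(session: Session, bytes_since_last: int) -> bool:
    """Apply one accounting update from the AP; return True once the client
    is (or already was) disconnected for exhausting its quota."""
    if session.disconnected:
        return True
    session.used_bytes += bytes_since_last
    if session.used_bytes >= session.data_limit_bytes:
        session.disconnected = True   # HMNG sends the disconnect only now
    return session.disconnected

def simulate(limit_bytes: int, client_rate_bps: int,
             interval_s: int = ACCOUNTING_INTERVAL_S) -> tuple:
    """Client sends at a constant rate; HMNG only hears about it every
    interval_s seconds.  Returns (updates until disconnect, bytes used,
    overshoot past the limit)."""
    session = Session("constructed-client", limit_bytes)
    per_interval = client_rate_bps // 8 * interval_s
    updates = 0
    while True:
        updates += 1
        if accounting_update(session, per_interval):
            break
    return updates, session.used_bytes, session.used_bytes - limit_bytes

def rate_limit_for_overshoot(max_overshoot_bytes: int,
                             interval_s: int = ACCOUNTING_INTERVAL_S) -> int:
    """Per-client rate limit (bit/s) that keeps the worst case, one whole
    interval of unseen traffic, at or under max_overshoot_bytes."""
    return max_overshoot_bytes * 8 // interval_s

def effective_time_limit_s(limit_s: int, interval_s: int = ACCOUNTING_INTERVAL_S) -> int:
    """A time limit is only enforced at an accounting update, so the session
    actually lasts until the next interval boundary (ceil to the interval)."""
    return -(-limit_s // interval_s) * interval_s
```

With a 100 MB limit, an unthrottled 10 Mbit/s client is already 650 MB past its quota at the first accounting update; a rate limit sized with rate_limit_for_overshoot caps that gap to one interval's worth of traffic.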
Data and Time limit access policy • Configure > Common Objects > Policy > User Profiles • Click + • Select the Data/Time Limit tab • Turn ON Access restrictions • Select either ☑ Time Limit or Data Usage Limit
Data and Time limit access policy
[Screenshots: Time access policy; Data access policy]
Data and Time limit access policy
• SSID can be linked to multiple User Profiles • Each User Profile can have a different time/data access policy • User Profiles can be assigned automatically based on rules linking to User Groups
Data and Time limit access policy
• Check the admin accounting logs • Verify session time and data usage • Note: Data usage may not be 100% accurate
Authentication, Accounting and SMS logs • Click the gear icon • Logs: • Authentication • Accounting • SMS
SMS and Email Notification Template • Administrators can modify the SMS and Email template settings • In addition to notification text body, email notifications can include: • Icon • SSID as variable • Logo • Link to a custom URL
Configuring Notification Templates Configure > Basic > Notification Templates • Create a new template or edit existing notification templates • SMS template • Email template
APIs
API Architecture
[Diagram: HiveManager (Services, Big Data Store, Data Processing) exposing APIs to reference apps, applications and HiveStore]
New APIs in HM NG
API Types: • Location: Devices on and off the network • Identity: Identity Access Management functionality – system integrations • Monitoring: Monitoring HM NG network data and feeds
API Details Available on developer portal: • Location: query client location per AP • Monitoring: monitor clients and Aerohive devices
API Details • Identity: Manage user accounts and credentials for GA and PDA • Create, Delete, Modify, Deliver, Extend
Developer Portal • Developers should register at http://developer.aerohive.com • The portal includes documentation and profile information • Under “My Profile” you can see your registered applications
Developer Portal Clicking the application provides important pieces of security information: • Client ID: this identifies the API user • Client Secret: this authenticates the API user • Redirect URL: identifies a valid URL to use for OAuth authorization – provides an additional layer of security
Where to send the API requests • Requests need to go to the correct datacenter: • US customers: https://cloud-va.aerohive.com/xapi/v1/… • International: https://cloud-ie.aerohive.com/xapi/v1/… • Customer ID (VHM ID) is needed for every request • Identified as ownerId parameter • Click About to locate the VHM ID:
Authentication and Authorization
[Diagram: 3rd party app/app server sends GET https://cloud-va.aerohive.com/xapi/v1/location/clients; HMNG returns HTTP/200 OK with data in the response body]
• A correctly formed API request includes the following header fields: • Client secret • Redirect URL • Client ID
• Every request will also need to provide the correct ownerId (VHM ID) parameter
Obtaining Access Token using OAuth2 OAuth is an open protocol for authorization between Web Applications: 1. Obtain the client ID and the client secret (developer portal) 2. Send authentication request to https://cloud.aerohive.com/thirdpartylogin?client_id=&redirect_uri= 3. VHM login information is required to authorize the application 4. The session is redirected to the redirect URL (your web server) along with the auth code 5. The auth code is exchanged for more permanent access and refresh tokens by issuing a request to https://cloud.aerohive.com/services/acct/thirdparty/accesstoken
Access Token Management
Alternative to using OAuth: • Create Access Tokens in VHM • Used when there is no danger of compromising client ID and client secret • Use OAuth for web based applications
Reference Applications Kiosk
• Self-service registration for Guests • Simple, form-based workflow • For iPad
Lobby Ambassador • Designed for the receptionist • Rapid on-boarding workflows • System Overview and Usage • For use on desktop monitors (HTML5)
Presence
WLAN Client WLAN client devices are always probing for Access Points: • When not associated – where can I connect to? • When associated - where can I roam to? • AP detects client identity (MAC) and signal strength (RSSI).
From AP’s point of view: • Unassociated client • Associated client • Presence is detected for both client types
Presence Is About Client Location AP collects client presence data: • MAC address and RSSI information • Both on 2.4 GHz and 5 GHz AP collects presence data and forwards to HMNG • Reporting interval configurable. • Includes both associated and unassociated clients. HMNG is responsible for: • Real-time storage • Historical storage • Calculating the actual location
[Diagram: client probe → AP → CAPWAP → HMNG (Big Data Store, Data Processing)]
Client Location Estimate – Single AP Estimate client within a radius of a single AP • For example 2.5 meters from the AP • This is an approximation
Pinpoint the client using triangulation • Client must be detected by at least 3 APs • Must be detected on the same frequency • Presence detection can be selectively configured on 5 GHz and/or 2.4 GHz radios
Enabling Presence Create a radio profile with Presence settings • Configure > Common Objects > Policy > Radio profiles • Click +
Enabling Presence • Create a 5 GHz radio profile • Enable Presence Analytics • (Optional) Change the reporting interval • Rename the profile and Save • Repeat if you need it on the 2.4 GHz radio profile as well • Push the radio profiles to the AP via Device Templates or via AP multi-select
Presence streaming API • The streaming API pushes raw location data to a 3rd party HTTP application server • The 3rd party server is responsible for storing and processing the data
[Diagram: client probe → AP (CAPWAP) → HMNG (Big Data Store, Data Processing) → push data to external HTTP server (Post URL) → 3rd party server and database]
Presence streaming API data • Client MAC • Geolocation • Floor map location
{
  "apMac" : "9C5D12001AC0",
  "ownerId" : 10345,
  "observations" : [ {
    "clientMac" : "88CB87A0DA34",
    "ipv4" : "10.16.36.125",
    "ipv6" : null,
    "seenTime" : "2015-11-23T23:53:22.000Z",
    "seenEpoch" : 1448322802000,
    "ssid" : "TEST",
    "rssi" : -55,
    "manufacturer" : "Apple Inc",
    "os" : "Apple iOS",
    "lat" : -90.0,
    "lng" : -100.0,
    "unc" : 0.050709090242881026,
    "x" : 1430.772833949287,
    "y" : 900.3399784363806
  } ]
}
Enabling Presence streaming API 1. Position devices on the floor plan. Results in (x,y) coordinates 2. Define device geolocation (optional). Results in geolocation
Enabling Presence streaming API • Go to Administration • Select API Data Management • Add a Post URL where the Presence events should be sent to – this is your application server that will receive raw data • Make sure the access token matches both on HMNG and the application server
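The receiving side of the Post URL step above and of the streaming payload shown earlier, as an added Python example (not Aerohive's code): the application server checks the shared access token before it parses or stores anything. Assumed, since the slides do not say: the token arrives in an HTTP header (named X-Access-Token here) and the body is the slide's JSON object.

```python
"""Added example, not Aerohive's code: validate a presence streaming POST on
the application server before storing it.  Assumed (not on the slides): the
shared access token arrives in an HTTP header named X-Access-Token here."""
import hmac
import json
import string

TOKEN_HEADER = "X-Access-Token"   # assumed header name
HEX = set(string.hexdigits)

class RejectedPost(Exception):
    """Raised for any POST that must not reach the database."""

def _is_mac(value) -> bool:
    # MACs on the slides are 12 hex digits with no separators
    return isinstance(value, str) and len(value) == 12 and set(value) <= HEX

def parse_presence_post(headers: dict, body: bytes,
                        expected_token: str, expected_owner: int) -> list:
    """Return the observations as flat records, or raise RejectedPost."""
    presented = headers.get(TOKEN_HEADER, "")
    # constant-time compare, done before the body is parsed at all
    if not hmac.compare_digest(presented.encode(), expected_token.encode()):
        raise RejectedPost("access token mismatch")
    try:
        doc = json.loads(body)
    except ValueError as exc:
        raise RejectedPost(f"body is not JSON: {exc}")
    if not isinstance(doc, dict) or doc.get("ownerId") != expected_owner:
        raise RejectedPost("ownerId (VHM ID) does not match this tenant")
    ap_mac = doc.get("apMac")
    if not _is_mac(ap_mac):
        raise RejectedPost("apMac missing or malformed")
    records = []
    for obs in doc.get("observations", []):
        if (not isinstance(obs, dict) or not _is_mac(obs.get("clientMac"))
                or not isinstance(obs.get("rssi"), int)):
            raise RejectedPost("observation lacks a valid clientMac/rssi")
        records.append({"apMac": ap_mac, "clientMac": obs["clientMac"],
                        "rssi": obs["rssi"], "seenEpoch": obs.get("seenEpoch"),
                        "x": obs.get("x"), "y": obs.get("y")})
    return records

# Constructed sample body, built from the payload shown on the slides
SAMPLE_BODY = json.dumps({"apMac": "9C5D12001AC0", "ownerId": 10345, "observations": [
    {"clientMac": "88CB87A0DA34", "ipv4": "10.16.36.125", "ipv6": None,
     "seenTime": "2015-11-23T23:53:22.000Z", "seenEpoch": 1448322802000,
     "ssid": "TEST", "rssi": -55, "manufacturer": "Apple Inc", "os": "Apple iOS",
     "lat": -90.0, "lng": -100.0, "unc": 0.050709090242881026,
     "x": 1430.772833949287, "y": 900.3399784363806}]}).encode()
```

Call parse_presence_post from whatever HTTP handler receives the POST; a mismatched token or a foreign ownerId is rejected before any observation is written.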
Feedback • Customers can provide feedback directly to Aerohive • Click text balloon
Feedback • Customers can provide feedback directly to Aerohive • Admin can now capture or upload a screenshot • The screenshot can be attached to the feedback message that is sent to Aerohive
Feedback enhancement
• The feedback form disappears and is now hidden when taking a screenshot • Feedback form reappears after the screenshot is captured
Thank you
Questions?