Aerohive
CONFIGURATION GUIDE
The purpose of this manual is to describe the configuration of Aerohive equipment, using the HiveManager NG platform, required for integration with the Octopus Platform.
1- Pre-requisites
If there is a firewall in the network that might block the traffic, access to the following destinations must be allowed to enable user authentication:
Radius Servers:
Primary: <IP_Radius_1> 1812 and 1813 UDP ports
Secondary: <IP_Radius_2> 1812 and 1813 UDP ports
Splash Portal server:
Domain <captive_portal_domain> 80 and 443 TCP ports
Before configuring the Guest and Enterprise modules, the Octopus platform licenses for the respective modules must have been contracted.
2- Guest module configuration
2.1 WLAN Configuration
To configure the captive portal on a specific network / SSID with the HiveManager NG solution, follow the guide below to create or edit a Network Policy in the graphical interface of the Hive Manager NG platform. To create the profile, go to the Configure > Networks Policies menu and create a new Network Policy by clicking Add Network Policy.
Policy Details
After creating the new Network Policy, in the first tab of the configuration (Policy Details) just add the name of the Network Policy and click "SAVE".
Wireless Settings
In the Wireless Network section, click Add other Networks (standard) to add a new SSID profile.
First, we have to choose the Name of the wireless network and later the Broadcast Name that guests will see:
Enable Captive Web Portal
User Auth on Captive Web Portal
Redirect to External URL for Authentication
Then configure the external captive portal parameters. To add a new captive portal profile, click the ADD button next to the text Default Captive Web Portal.
In the next window, configure the external captive portal with the following parameters:
User Auth on Captive Web Portal: ON
Login Page: set up the following configuration:
Login URL (see section 2.2 to decide whether the redirection uses http or https):
Http option: http://<captive_portal_domain>/login/hotspot/aerohive
Https option: https://<captive_portal_domain>/login/hotspot/aerohive
Password Encryption: No Encryption (Plaintext Password)
Authentication Method: PAP
Success Page: choose the option Redirect clients after a successful login attempt, click the option To a specified URL and enter the URL to which users will be redirected after successful authentication. If you want to configure the redirection web site in the WIFI platform, fill this field with the following URL, which can be found in the Octopus Platform, in the WLAN section of the Location:
http Option: http://<captive_portal_domain>/login/hotspot/landing/wifiarea/WIFIAREA_ID/WLAN_ID
https Option: https://<captive_portal_domain>/login/hotspot/landing/wifiarea/WIFIAREA_ID/WLAN_ID
Failure Page: select the option Redirect clients after a failed login attempt and choose the option to redirect the users To the login page.
To obtain the WIFIAREA_ID and WLAN_ID parameters needed to complete the URL above, open the WIFI platform and go to the Locations configuration menu. In the WLAN configuration tab you can check the URL that must be configured to redirect the users after successful authentication.
Finally, add the domains that users will be able to visit without being authenticated in the captive portal. Click the Add button to include all the required domains.
If you wish to add extra domains (social networks, PayPal, etc.), they can be consulted at the following link.
Finally, the Radius server to which the user authentication requests will be sent must be configured. For that, two Radius servers must be created. Go to Configure > Common Objects and click ADD to create each new Radius server.
The first Radius server must be created with the following parameters:
Name: RADIUS1_WIFI
IP address Host Name: <IP_Radius_1>
Authentication port: 1812
Accounting port: 1813
Shared secret: <Secret>
The second Radius server must be created with the following parameters:
Name: RADIUS2_WIFI
IP address Host Name: <IP_Radius_2>
Authentication port: 1812
Accounting port: 1813
Shared secret: <Secret>
Then go to Wireless Network > User Access Settings inside the SSID being configured to define the profile applied to the clients that connect to it, for example the VLAN that will be assigned to the users.
Finally, link the previously added Radius servers in the SSID configuration. To do so, go to Authenticate via RADIUS Server, add a new RADIUS Server Group named RADIUS_GROUP and click Select to select the two servers previously created:
Deploy Policy
Finally, all the configuration made must be deployed to the APs of the installation. To apply these changes, go to the Deploy Policy tab, select the APs from the list and click the Upload button to deploy the new configuration to those access points.
In the popup window, select Complete Configuration Update to make a full upgrade of the configuration deployed in the APs. Click on Perform Update to execute the update.
Once the configuration is deployed to the access points, it must be verified on the APs. To check it, open an SSH connection to the APs and execute the following command.
show ip route
If the IP network automatically assigned to the Wifi interface is 1.1.1.0/24, this IP address must be changed, as it might conflict with a public IP address.
To modify the IP address of the Wifi interface (wifi0 in this example), execute the following command, replacing SSID_NAME with the SSID configured in the APs. (If the IP address 3.3.3.3/24 is already in use by another interface, replace it with one that is not in use by any other interface.)
interface wifi0 ssid SSID_NAME ip 3.3.3.3/24
2.2 HTTP or HTTPS login process configuration
There are two configuration options for the captive portal validation: one over http, where the traffic is not encrypted, and the other over https.
HTTP Option
With the default values, this configuration can be used as is.
HTTPS Option
If you choose this secure validation option, note that DNS resolution is required between the subdomain associated with the certificate and the IP of the Wireless Network virtual interface; otherwise the validations will not be redirected to the AP and authentication errors will occur. This DNS entry must be configured in the DNS servers handed out by DHCP to the clients.
To find out the IP of the Wireless Network virtual interface, access an AP via SSH and execute the following command: show ip route
First, load a new certificate in the HiveManager associated with the subdomain name used for the login. This is done in Configure > Common Objects > Certificate > Certificate Management.
Click the Import button to upload the new certificate with the following parameters:
File: select the file provided
File Type: CERT_KEY
After clicking Save, the new certificate appears in the list of available certificates:
Then enable authentication via HTTPS under Authentication > Captive Web Portals. Select the Captive Portal to edit it, go to Advanced Configuration and configure the following parameters in the Security option:
Enable HTTPS: enable this option.
HTTPS certificate: select the previously imported file.
Override Web server domain name with CN value in the certificate: enable this option
2.3 Authorized MAC Addresses
To allow users to authenticate correctly in the captive portal, the NAS that will send the authentication requests to the Radius server must be identified. In this case, add all the MAC addresses assigned to the Wifi interface of the APs that will broadcast the configured SSID. To do so, once all the configuration has been uploaded, access all the APs to verify the MAC assigned to the Wifi interface for 2.4GHz and 5GHz.
To obtain these MAC addresses, open an SSH connection to each AP and execute the command show interface. With this command you can see the MAC address assigned to the radio interface of each SSID in 2.4GHz and 5GHz.
3- Enterprise module configuration
To integrate the configuration of this module with the platform, the Octopus Wifi Enterprise Module must be contracted.
3.1 Captive portal + MAC Authentication configuration
To enable MAC Authentication, edit the WLAN created. This change must be made by accessing the APs through SSH. Once in configuration mode, execute the following commands, replacing SSID_NAME with the SSID configured in the APs.
security-object SSID_NAME security additional-auth-method mac-based-auth
security-object SSID_NAME security additional-auth-method mac-based-auth fallback-to-ecwp
3.2 MAC Authentication configuration
To create an SSID dedicated only to validation by MAC Authentication, go to Network Policy in the graphical interface of the Hive Manager NG platform.
To create the profile, go to Configure > Networks Policies and create a new Network Policy by clicking Add Network Policy:
Policy Details
After creating the new Network Policy, in the first tab of the configuration (Policy Details) just add the name of the Network Policy and click "SAVE".
Wireless Settings
Next, under Wireless Networks, add a new SSID with the All other Networks (standard) option.
First, choose a name for the WiFi network and then the name it will broadcast, for example Mac_Auth_Guest.
To configure the SSID created, select MAC Authentication:
Enable MAC Authentication
Authenticate via RADIUS Server: link the Radius servers created in point 2.1 (Radius) of this guide.
Deploy Policy
To finalize the configuration, the changes made must be loaded into each of the APs of the installation.
To do this, within Deploy Policy select the APs from the list and click the Upload button to load the new configuration.
Once all the configuration has been loaded into the APs, a check must be performed. To do this, access the APs via SSH and follow the steps described at the end of point 2.1 of this manual.
To activate authentication by MAC, edit the WLAN created and enable this option. This change must be made by accessing the APs via SSH. Once in configuration mode, execute the following commands, replacing SSID_NAME with the SSID configured in the APs.
3.3 Configuration of Access Profiles
Through the Octopus platform it is possible to configure a set of reply attributes for the Access-Accept packets, grouped in a so-called Access Profile. These Access Profiles enable a set of functionalities on the Aerohive equipment. Although the most common Radius dictionaries and the Aerohive-proprietary one are available, the following is a list of some of the most interesting attributes:
Attribute | Description | Format |
---|---|---|
Acct-Interim-Interval | Defines the time interval at which the NAS sends the interim accounting update with all the user's session information. | Seconds |
Reply-Message | Useful for troubleshooting, since it identifies associated elements of the Octopus platform, such as the access profile, access method, location, ... | |
Example of an Access Profile configuration with the attributes explained above:
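As an added example (not Octopus or Aerohive code), the following Python builds a RADIUS Access-Accept carrying the two attributes from the table above, Acct-Interim-Interval (type 85) and Reply-Message (type 18), and shows the NAS-side check of the Response Authenticator against the shared secret from section 2.1 before the attributes are applied. The identifier, request authenticator, secret and attribute values are constructed.

```python
import hashlib
import struct

ACCESS_ACCEPT = 2
# Standard RADIUS dictionary codes (RFC 2865 / RFC 2869) for the two attributes in the table.
ATTR_REPLY_MESSAGE = 18          # text
ATTR_ACCT_INTERIM_INTERVAL = 85  # 32-bit unsigned integer, seconds


def _avp(attr_type, value):
    """One Attribute-Value pair: Type(1) Length(1) Value; Length includes the 2-byte header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_accept(identifier, request_authenticator, secret, interim_interval, reply_message):
    """Access-Accept answering a given Access-Request.  Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), binding the reply to the request."""
    attrs = (_avp(ATTR_ACCT_INTERIM_INTERVAL, struct.pack("!I", interim_interval))
             + _avp(ATTR_REPLY_MESSAGE, reply_message.encode("utf-8")))
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def decode_access_accept(packet, request_authenticator, secret):
    """NAS-side view: verify the Response Authenticator first, then walk the attribute list.
    A reply that fails the check must be discarded, never applied to the client session."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Accept")
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if expected != packet[4:20]:
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    attrs, pos = {}, 20
    while pos < length:
        # A Length below 3 is malformed (and would stall the loop); truncated AVPs are rejected too.
        if pos + 2 > length or packet[pos + 1] < 3 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attr_type, attr_len = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + attr_len]
        if attr_type == ATTR_ACCT_INTERIM_INTERVAL and len(value) == 4:
            attrs["Acct-Interim-Interval"] = struct.unpack("!I", value)[0]
        elif attr_type == ATTR_REPLY_MESSAGE:
            attrs["Reply-Message"] = value.decode("utf-8", "replace")
        else:
            attrs.setdefault("other", []).append((attr_type, value))
        pos += attr_len
    return attrs
```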