Aerohive Social Login Evaluation Guide

Winter 2014

HiveManager 6.2r1 (and above), HiveOS 6.2r1 (and above), and Social Login

Aerohive Social Login provides a simple yet powerful wireless guest management solution, allowing guest users to connect to an Aerohive wireless network using only their credentials for social networking sites such as or . No employee intervention or provisioning is required, as guests are automatically prompted to enter their social networking user name and password when they connect to the wireless network. In return for providing wireless network access for guests, you can view demographic information about them based on publicly accessible information gleaned from their social network profile.

This guide will explain how to set up and deploy a Social Login-enabled SSID and introduce you to the Social Login service, data collection parameters, and configuration options.

To learn more about Aerohive products, visit www.aerohive.com/techdocs

Aerohive Social Login Evaluation Guide – Fall 2014 | 2

Contents

Introduction

Getting Started

Configure and Deploy A Network Policy

Test Social Login

Social Login GUI: Monitoring and Customization

Troubleshooting

Introduction

Aerohive Social Login provides an easy and secure way to get guests online quickly, while still requiring authentication to gate access to the network. In exchange for this easy access to an open SSID, you can leverage Social Login to collect copious data to better understand user access and wireless traffic patterns, user demographics, and device types.

Users can easily access a Social Login-enabled guest network by simply connecting to the SSID and then entering their social network credentials—for Facebook, Google+, LinkedIn, or Twitter—into a captive web portal that pops up automatically when the user starts to browse the web. No employee intervention or onboarding action is required, as guests can easily get themselves onto the network within seconds. At the same time, you do not need to purchase and set up additional complicated hardware or software solutions to provide the social network integration, as Social Login is a Cloud-enabled application. Simply enable the service, configure an SSID to use Social Login, and let guests and customers start using the network. The Social Login service uses the OAuth open authentication standard to authorize users securely in a scalable, standardized way.

While providing guest users with access to the wireless network, Social Login also provides a wealth of information about guest users or customers. The Social Login dashboard and monitor pages present user demographic data culled from the various supported social networking services, along with repeat visit behavior. At the same time, HiveManager provides in-depth usage information about the wireless network, including traffic patterns and top network applications that guests and customers use while connected.

Over time, you can use this information to identify trends about users and usage of the guest network, which can help you to personalize the guest experience—either by customizing the login experience or by fine-tuning guest access and quality of service on the network.

This guide will introduce you to the Social Login service, walk you through a quick configuration of a guest wireless network, highlight the guest experience, and detail the customization options available in the Social Login service.

Getting Started

Before deploying a Social Login-enabled wireless network, you must first enable the feature from within HiveManager. You must also ensure that firewalls are configured correctly to allow Social Login to operate within your network.

The instructions provided in this evaluation guide assume that you are using HiveManager Online to manage your wireless network and have some familiarity with HiveManager and Aerohive devices. In general, these instructions also apply to an on-premises HiveManager, with any significant differences noted and discussed.

1. Browse to https://myhive.aerohive.com, enter your admin name and password and click Log In to enter MyHive, and then click the name of your HiveManager instance to view the HiveManager Online GUI.

2. To enable Social Login for your HiveManager instance, click Home > Administration > HiveManager Services > Social Login Settings, select Enable Social Login, and then click Update.

3. To test HiveManager connectivity to Social Login, click Test.

Enabling Social Login for an On-Premises HiveManager

If you have a physical HiveManager appliance or a HiveManager Virtual Appliance on premises, you will continue to configure and deploy wireless networks through your HiveManager appliance as you normally would. However, to configure and use Social Login, you will also need a MyHive account.

If you do not have a MyHive account, contact your Aerohive Support representative and provide your HiveManager system ID with your request. You can see the system ID on the Home > Administration > License Management page.

After you have obtained a HiveManager Online account, enable Social Login from within HiveManager:

1. Log in as a super admin, then click Home > Administration > HiveManager Services > Customer ID Retrieval.

2. Enter the email address that you use as your MyHive admin name, enter the password, and then click Retrieve.

3. Follow steps 2 and 3 above to enable Social Login services.

Note: If you have multiple VHMs defined on your on-premises HiveManager, this process links all VHMs to the same MyHive account and enables Social Login globally for all the VHMs. VHM administrators can then control which SSIDs use Social Login services.

4. To provide a captive web portal and OAuth-based authentication with social network providers like Facebook, LinkedIn, Twitter, or Google+, Social Login, access points and client devices must have access to certain hosts and services on the Internet. For the proper operation of Aerohive wireless networks using Social Login, ensure that the following network ports and services are open for each of the relevant sources.

| Service | Destination Port | Source | Destination |
|---|---|---|---|
| Aerohive ACPP Service | TCP 80, 443 | Aerohive APs | acpp.aerohive.com |
| Aerohive ACPP Service | TCP 80, 443 | Client Devices | acpp.aerohive.com |
| Aerohive Social Login Service | TCP 80, 443 | Client Devices | sl.aerohive.com |
| Aerohive Social Login Service | TCP 80, 443 | HiveManager | sl.aerohive.com |
| OAuth Services from External Providers | TCP 80, 443 | Client Devices | To accommodate OAuth authentication to external providers, Aerohive recommends that client devices have full outbound access to the Internet on TCP ports 80 and 443. |

Note: If any of the above services are blocked by a network firewall or are otherwise unavailable, Social Login might not operate as expected. Without access to these network services for the given sources, the Social Login captive web portal and authentication pages might not automatically pop up on client devices. Clients might be able to access the Internet without authentication, although any firewall rules assigned to users of the Social Login-enabled SSID would still be enforced.
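Because a blocked service can leave guests online without the splash page ever appearing, it is worth verifying the firewall matrix from each source segment before deployment. The following Python script is an added example, not part of the Aerohive guide: the source labels (ap, client, hivemanager) and function names are chosen here, and only the host names and ports come from the matrix above.

```python
#!/usr/bin/env python3
"""Pre-deployment reachability check for the Social Login firewall matrix."""
import socket
import sys

# Destinations per traffic source, copied from the guide's firewall matrix.
# The source labels are names chosen for this example, not Aerohive terms.
REQUIRED = {
    "ap": ["acpp.aerohive.com"],
    "client": ["acpp.aerohive.com", "sl.aerohive.com"],
    "hivemanager": ["sl.aerohive.com"],
}
PORTS = (80, 443)  # every row of the matrix lists TCP 80 and 443


def tcp_probe(host, port, timeout=5.0):
    """Attempt one TCP connection and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "dns-failure"   # name did not resolve from this segment
    except socket.timeout:
        return "timeout"       # typical of a firewall silently dropping packets
    except ConnectionRefusedError:
        return "refused"       # typical of a firewall rejecting with a reset
    except OSError:
        return "unreachable"   # no route, interface down, and similar


def check_source(source, probe=tcp_probe):
    """Probe every (host, port) the matrix requires for one source.

    Returns (host, port, status) tuples for destinations that are not open.
    The probe is injectable so the logic can be exercised without a network.
    """
    if source not in REQUIRED:
        raise ValueError(f"unknown source {source!r}")
    failures = []
    for host in REQUIRED[source]:
        for port in PORTS:
            status = probe(host, port)
            if status != "open":
                failures.append((host, port, status))
    return failures


def main(argv):
    if len(argv) != 2 or argv[1] not in REQUIRED:
        print(f"usage: {argv[0]} {{{'|'.join(sorted(REQUIRED))}}}", file=sys.stderr)
        return 2
    failures = check_source(argv[1])
    for host, port, status in failures:
        print(f"BLOCKED {argv[1]} -> {host}:{port} ({status})")
    if not failures:
        print(f"OK: all required destinations reachable for source '{argv[1]}'")
    return 1 if failures else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once from a host on each segment (the AP management network, the guest VLAN, and the HiveManager network), passing the matching source label. A non-zero exit status means at least one required destination is blocked from that segment.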

You are now ready to configure and deploy a Social Login-enabled SSID.

Configure and Deploy a Network Policy

In this section, you configure a new network policy featuring a Social Login-enabled SSID and then deploy this policy to an Aerohive access point. You can also add a Social Login-enabled SSID to an existing network policy.

1. From HiveManager, click Configuration, and then click New to create a new network policy.

2. In the New Network Policy dialog box, enter a unique policy name, provide a useful description for later reference, select Wireless Access, and then click Create.

3. To create a new open SSID using Social Login for authorization, click Choose (next to SSIDs), click New in the Choose SSIDs dialog box that appears, enter the following in the New SSID panel, and then click Save:

Profile Name: Enter a name for the SSID profile. HiveManager automatically populates the SSID field with the same name; use that name as the SSID.

SSID Access Security: Open

Use Social Login: (select)

4. In the Choose SSIDs dialog box, highlight your SSID, and then click OK.

5. To create a new user profile for users connecting to your Social Login-enabled SSID, click Add/Remove in the User Profile column, click New in the Choose User Profiles dialog box that appears, enter the following in the New User Profile panel, and then click Save:

Name: Social_Guests

Attribute Number: 100

VLAN: 1

Note: Ensure the VLAN defined here is available and operational for the network where your access point is connected.

Expand the Firewalls section, choose Guest-Internet-Access-Only from the From-Access drop-down list in the IP Firewall Policy subsection, and then set the Default Action as Permit.

6. In the Choose User Profiles dialog box, highlight Social_Guests (100), and then click Save.

7. To save your network policy and advance to the Configure and Update Devices panel, click Continue.

Note: If you do not see your AP in the Devices to Update list, choose None from the Filter drop-down list.

8. To modify some device-specific settings, click the host name of your AP. In the Edit Device panel, enter the following, and then click Save:

Location: Enter the location that you want to appear in Social Login reports.

Network Policy: Choose your policy from the drop-down list.

9. In the Configure and Update Devices panel, select your AP, and then click Update > Update Devices.

10. In the Update Devices dialog box, select Perform a complete configuration update for all selected devices, and then click Update.

HiveManager uploads the configuration to your access point. If a firmware upgrade is available for your access point, the upgrade will happen automatically during this process. The access point will reboot after the upload completes.

Your Social Login-enabled wireless network will be available momentarily.

Note: Only Aerohive access points running HiveOS 6.1r6 or later support Social Login. Social Login is not supported on Aerohive routers (or APs operating in router mode).

Set an SSID Availability Schedule

Because a Social Login-enabled SSID is essentially an uncontrolled entry point to the network, dependent on external sources for client authorization, you might want to advertise the SSID only during specified time windows.

To create and assign an SSID availability schedule, perform the following steps and then click Save:

1. Click the clock icon to the left of your SSID.

2. In the Choose Schedule dialog box that appears, click New, enter the following, and then click Save:

Name: Guest_Schedule

Recurrent: (select)

Start Time 1: (select) 08 hr, 00 min

End Time: 17 hr, 59 min

From: (select) Monday, To: Friday

HiveManager automatically applies the schedule that you just defined to the SSID, even if there are other schedules already stored. If you want to apply multiple schedules to an SSID—such as one for weekdays and another for weekends—click the clock icon, highlight the ones you want, and then click OK.

Test Social Login

Social Login is fully customizable, allowing you to tailor the captive web portal used for login, supported social networking services, terms of use and privacy policy, and the page shown after successful authorization. However, the Social Login cloud service requires no configuration whatsoever, so guests may connect right away.

You can try the default experience by connecting to your wireless network after the AP reboots.

1. Connect a client device to the Social Login-enabled SSID, open a web browser on the device, and attempt to navigate to any web page (for instance http://www.aerohive.com or http://www.apple.com). The captive web portal will automatically redirect your browser to the Social Login splash page.

Note: Due to the nature of the Aerohive integration with Google+, the Social Login page might not appear automatically when you try to browse to some Google web sites. Try browsing to a different web site to trigger the launch of the splash page.

Supported Social Login Authorization Mechanisms

By default, Social Login supports these authorization methods for guest access:

Facebook: Use Facebook credentials for secure login via OAuth.

Google+: Use Google+ credentials for secure login via OAuth.

Twitter: Use Twitter credentials for secure login via OAuth.

LinkedIn: Use LinkedIn credentials for secure login via OAuth.

Phone Login: Guests enter their cell phone numbers and receive login codes via SMS. User securely submits login code via HTTPS.

Membership ID: A Social Login administrator* creates credentials for individual users through the Social Login GUI and provides credentials out of band. They then securely submit their membership IDs and access keys via HTTPS.

Anonymous Login: Users can connect to the network without entering any credentials.

2. Review and accept the Use Terms and Privacy Policy, select the authorization method you wish to use, and follow the on-screen instructions to complete authorization.

After you successfully log in, the AP redirects your browser to a success page. You now have access to the network as defined by the firewall policy you defined in step 5 in the previous section.

Social Login GUI: Monitoring and Customization

Once guests start connecting to your Social Login-enabled SSID, Aerohive begins collecting demographic information about them based on their social network identity and connection behavior. Over time, you can identify trends about users and usage of your guest network, providing information you can use to personalize your guest experience. You can customize the captive web portal pages with information, deals, or coupons particular to a segment of your guests. You can also block, throttle, or prioritize usage of certain applications on the guest network.

Accessing the Social Login GUI from an On-premises HiveManager

There is no MyHive button in the GUI of an on-premises HiveManager appliance. To access the Social Login GUI, log in to https://myhive.aerohive.com with your MyHive admin name and password, and then click Go in the Social Login section.

1. To log in to the Social Login GUI from HiveManager Online, click MyHive, and then click Go in the Social Login section of the MyHive landing page.

2. The Home dashboard shows high-level information about the usage of your Social Login-enabled SSID, outlining the most commonly used login mechanisms, your locations that are most visited, age trends among your guest users, and daily and weekly usage trend reports.

3. You can drill down to view information about specific users of your Social Login-enabled guest SSID via the Monitor tab. Click on a user’s name to view the data collected about him or her. You can also modify or sort the columns displayed on the Monitor tab by clicking the Modify View icon.

Note: Rules regarding data collection and retention vary depending on the type of social network identity used, and Aerohive makes every effort to conform to the data collection and retention rules defined by each social network service. The data collected will also vary between users based on the privacy settings that they define within their social network.

4. To customize the authentication options available to your guests, click Configuration > Customize CWP Settings and scroll down to the Login Page Settings section. Using the On/Off switch, you can enable and disable Membership ID Login, Phone Login, Social Login, and Anonymous Login. You can also disable individual social login services by clearing the check box next to any of the supported services.

For example, to disable users’ ability to log in anonymously or with their LinkedIn credentials, enter the following on the Customize CWP Settings page, and then click Save:

Social Login: ON

LinkedIn: (clear)

Anonymous Login: Off

Test the new settings with a client device or by using the Preview tool in the Social Login GUI. Notice that LinkedIn and Anonymous Login are no longer available on the Social Login splash page.

5. To customize the appearance of the Social Login splash page and add text to the use terms and privacy policy, navigate to the Common Settings section on the Customize CWP Settings page. Here you can import your own background and logo images or change the title of the splash page. You can also add your own text to the use terms and privacy policy.

Note: The use terms and privacy policy defined by Aerohive are always shown when guests view either of these documents. Any text you add via these fields will be appended to the bottom of the Aerohive statements.

6. To customize the success page, which is the page shown after a user successfully logs in, navigate to the Success Page Settings section on the Customize CWP Settings page. You can customize the success message and add an image for promotions such as coupons, advertisements, or some other type of graphic. You can also direct users’ browsers to an external success page by selecting the External radio button and entering the URL of your success page in the External URL field.

7. When you have completed your changes to the Customize CWP Settings page, click Save.

8. You can change certain login behaviors on the Configuration > Authentication Options page. Enter the following and then click Save:

Auto Login Settings

Remember Last Login Status: Control how often returning users need to re-authenticate. The default setting requires users to re-authenticate for every connection attempt. Available options are one day, one week, or one month.

CWP Passcode Settings

Passcode Expire Time: Set the lifetime of phone login passcodes. The default is 300 seconds or five minutes.

Generate Passcode Using and Length of Passcode: Change the complexity of phone login passcodes.

9. You can create membership ID login accounts in the Monitor > Guests > Membership ID Logins section by importing an .xls spreadsheet with a list of user names and access keys. Download the template by clicking Import and then clicking Download the Template, or by downloading the file directly from https://sl.aerohive.com/static/files/importVipLogins.xls. Add your list of user names and access keys to the spreadsheet and then import the file by clicking Import, browsing to and selecting the file populated with your membership ID records, and then clicking the Import button.

Note: You can also create your own spreadsheet without the template. Just make sure the file has this format:

Troubleshooting

HiveManager Online administrators cannot enable Social Login.

A small number of HiveManager Online administrators cannot enable Social Login due to provisioning issues on a few back-end systems. In such cases, contact your Support representative and request that Social Login be enabled for your account.

On-premises HiveManager administrators cannot enable Social Login.

Within HiveManager, click Home > Administration > HiveManager Services, select Customer ID Retrieval, enter your MyHive user name and password, and then click Retrieve. If you do not have a MyHive account, contact your Support representative to request one.

Guests can access the Internet without the Social Login splash page appearing.

Double-check that network firewalls allow the necessary traffic from access points, wireless clients, and HiveManager (on-premises only). See the firewall access matrix on page 4.

Guests can access Google web sites and services without the Social Login splash page appearing.

Due to the nature of the Social Login integration with Google+, guests might be able to bypass the Social Login splash page and directly access some Google sites and services. The splash page will launch when guests attempt to visit a different site.

The Phone Login option is not available on the login page or in the Social Login GUI.

At this time, each Social Login account is only allowed to send 100 SMS text messages. Once that limit is reached, the Phone Login option will no longer be available for use.

The Social Login splash page does not appear when clients connect wirelessly to an Aerohive router.

At this time, Social Login is not supported on Aerohive routers or Aerohive APs (AP330/AP350) operating in router mode.
