HiveOS and HiveManager 6.4r1 New Features Guide

This guide describes the new features and feature enhancements introduced in the HiveOS and HiveManager 6.4r1 releases.

New Features and Feature Enhancements

Several new features and feature enhancements were introduced in these releases. You can read summaries of these features and enhancements below. Major features are covered in more detail in individual sections in this guide. For information about known and addressed issues in these releases, refer to the corresponding Aerohive Release Notes.

New and Enhanced HiveOS 6.4r1 Features

The following new features and feature enhancements have been added in the HiveOS 6.4r1 release.

AP230 Location Services: AP230 devices can now perform background scanning to discover the received signal strength (RSSI) values of client transmissions and report these values to HiveManager, which uses them to calculate the probable location of the client, and display an icon for the client on a map. For a complete description of location services, see the HiveManager Online Help.

AP230 Protected Management Frames: AP230 devices now support the use of protected management frames (PMF) established with 802.11w, which prevents the malicious use of spoofed management frames to disrupt the operation of the wireless network.

AP230 Spectrum Analysis: AP230 devices now support spectrum analysis. This feature extracts RF interference information and classifies the cause based on spectrum signatures on both the 2.4 GHz and 5 GHz bands. For a complete description of spectrum analysis, see the HiveManager Online Help.

Asynchronous RADIUS Accounting Update: A RADIUS accounting update interval is a repeating, 20 second period of time during which APs report DHCP-snooped IP addresses of associated clients to the RADIUS server, so they can be recorded and be properly authorized for network access. This enhancement removes the requirement that the AP waits until the end of the interval to update the RADIUS server. The AP now provides updated IP addresses of clients to an external RADIUS server immediately as soon as this information is obtained.

MAC address bypass for captive web portal: The MAC address bypass enhancement allows administrators to configure a whitelist containing specific client MAC addresses. When paired with an SSID profile, these clients can bypass the normal captive web portal authentication and interaction process. This allows “headless” or embedded devices, such as ATMs and vending machines, to connect to the WLAN network without admin intervention. See "Support Enhancements for NAC" on page 17.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 1 New Features and Feature Enhancements

New and Enhanced HiveManager 6.4r1 Features The following new features and feature enhancements have been added in the HiveManager 6.4r1 release. AP230 as iBeacon: Bluetooth Low Energy (BLE) wireless technology provides many new applications for retail and commercial enterprises. With this release, you can enable an AP230 to behave as an iBeacon transmitter by connecting a Bluetooth dongle to the external USB port interface. iBeacon functions are configured in HiveManager. See "AP230 as iBeacon" on page 6. DFS support for AP230: AP230 devices now support dynamic frequency selection (DFS}, which is required when wireless devices are operating in the same regions as active radar systems. Because radar systems use part of the 5 GHz band, devices must be able to detect the radar activity and select an unoccupied channel automatically. Delegate remote deployment of Aerohive devices: Aerohive currently supports the HiveManager capability to upload a specific HiveOS image and configuration to all automatically discovered devices as soon as they make an initial CAPWAP connection with HiveManager. This release introduces enhancements to the provisioning process, and eliminates any additional manual input that was previously required by the remote deployment administrator. All device-specific settings are now imported to devices using the CSV import file, the device auto provisioning network policy is automatically created based on the CSV import file, and the device firmware upgrade is performed as defined in the policy. See "Delegate Remote Deployment of Aerohive Devices" on page 10. Unified IP firewall policy extended to switches: In this release, the unified IP firewall policy extends to the SR Series switches, covering both inbound and outbound traffic on wireless and wired clients. Previously, the IP firewall policy only supported Aerohive APs. See "Unified IP Firewall Policy Extended to SR Series Switches" on page 12. Hong Kong area support for DFS for the AP230 and AP330: When operating in the Hong Kong geographic area, AP230 and AP330 devices now support the use of dynamic frequency selection (DFS) where radar systems are in use. This allows the devices to select a radar-free channel automatically when a radar presence is detected. For a complete description of DFS, see the HiveManager Online Help. AP230 support for the China country code: AP230 devices now support the China country code. AP1130 support for the Korea country code: AP1130 devices now support the Korea country code. Support Enhancements for NAC: This release extends support for Network Access Control (NAC) applications. NAC Change of Authorization (CoA) messages can now redirect bring your own device (BYOD) users to an external captive web portal (in addition to the Aerohive internal web portal) for firs-time credential entry, or remediation, such as anti-virus software installation or other updates required to bring the user device into compliance with the network policy. See "Support Enhancements for NAC" on page 17. Technology Preview: Cooperative-Application Visibility and Control Extended to SR Series Switches: Cooperative-Application Visibility and Control (C-AVC) extends AVC to the SR Series switches, enabling you to monitor traffic patterns on wired and wireless networks. Using C-AVC, Aerohive switches and access points leverage Cooperative Control protocols to analyze application usage data from wired clients, while HiveManager provides monitoring and reporting of Layer 7 application data gathered from both wired and wireless clients. C-AVC is available on SR2024, SR2024P, SR2124P, and SR2148P switches when a supported AP230, AP330, or AP350 is connected directly to the switch. For more information about C-AVC, including currently supported features, supported configurations, and setup instructions, please see the C-AVC Technology Preview.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 2 HiveOS Feature Enhancements for 6.4r1

HiveOS Feature Enhancements for 6.4r1

MAC Address Bypass Enhancement A captive web portal is an Internet landing page to which end users can be directed to request network access. End users are granted access to your network after they enter required information, such as a login name and password. While captive web portals provide an efficient way to handle access requests, they also require user interaction, which may not be desirable or possible. For example, authenticating employees, students, or visitors who may move between buildings on a campus every few hours can be cumbersome. Embedded systems, such as ATMs at a sports stadium, are unable to interact with captive web portals. This enhancement allows you to configure a whitelist of MAC addresses that are not subject to captive web portal authentication. Use the HiveManager CLI Supplemental tool to create a list of MAC addresses and assign them to an SSID, and then upload the configuration to your devices.

This enhancement supports Aerohive APs and BR Series devices.

Enabling the CLI Supplemental Tool Configure the MAC address bypass feature using the CLI Supplemental tool. All of the specific commands necessary to create a MAC address whitelist and assign it to an SSID are available in this tool. If you have not already enabled the CLI Supplemental tool, you must enable it in HiveManager: 1. Navigate to Home > Administration > HiveManager Settings. 2. Click the check box next to Enable Supplemental CLI at the bottom of the page. 3. Click the save icon ( ) to save.

4.

For more details on how to use the CLI Supplemental tool, see the Online Help.

Configuring the MAC Address Bypass Whitelist To use the CLI tool to create a whitelist of MAC addresses and assign it to one or more SSIDs: 1. Navigate to Configuration > Advanced Configuration > Common Objects > CLI Supplement. 2. Click New to configure the MAC address bypass whitelist using the CLI commands described in "CLI Commands for MAC Address Bypass" on page 4. 3. When you are done, click Save to save the CLI profile containing the whitelist in HiveManager.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 3 HiveOS Feature Enhancements for 6.4r1

A complete configuration update is required to activate the MAC address bypass feature. To upload your whitelist to your devices and activate the MAC address bypass feature: 1. Navigate to Configuration > Devices > All Devices. 2. Click the name of the device or devices to which you want to assign a Supplemental CLI object (in this case a MAC address whitelist). 3. On the page that appears, scroll down to and expand the Advanced Settings section. 4. Select the CLI profile that you want to upload to a device from the drop-down menu next to the Supplemental CLI and then click Save. If you have created and saved more than one CLI profile, you can choose which profile you want to designate to the device at the next full configuration update. If you leave this field empty, no CLI profiles will be uploaded during the next complete configuration update. You can create a new Supplemental CLI object or edit an existing object from this window by clicking + next to the field, which takes you to the Supplemental CLI tool. 5. Upload the profile to one or more devices. On the Configuration > Devices > All Devices page, select the check box next to the name of the device or devices to which you want to assign the profile. 6. Click the Update button and select Upload and Activate Configuration from the Advanced option. To view the Supplemental CLI objects that are assigned to devices, you must first add this column to table on the All Devices display page. Click the Edit Table ( ) icon in the top right of the page. In the dialog box that appears, select Supplemental CLI from the Available Columns section and click the right ( > ) arrow to move it to Selected Columns section. You can also change the order in which it appears in the table using the Up and Down buttons. Click Save. The Supplemental CLI column now appears in the display table.

CLI Commands for MAC Address Bypass Specific CLI commands have been created for this feature, and are listed below, with examples of their use. The CLI command syntax to create a MAC whitelist object with a single MAC address or a range of addresses is: mac-object mac-range - For example, to create a single MAC whitelist object with one MAC address, enter: mac-object test124 mac-range 1111:2222:3333 - 1111:2222:3333 To create a single MAC whitelist object with a range of MAC addresses, enter: mac-object vending mac-range aaaa:bbbb:cccc - aaaa:bbbb:dddd To create a single MAC whitelist object with a range of MAC addresses, enter: mac-object test123 mac-range aaaa:bbbb:cc00 - aaaa:bbbb:ccff

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 4 HiveOS Feature Enhancements for 6.4r1

You can configure a maximum of 128 MAC objects. Each MAC object can contain a maximum of 255 You MAC addresses.

The CLI command syntax to enable this feature for a specific security object is: security-object security mac-white-list bypass-cwp For example, to specify an SSID, enter: security-object test-ssid security mac-white-list bypass-cwp If you have previously created an SSID profile in HiveManager, you must use the same SSID name as the name of the security object. In other words, the name, , is by definition, the same name that the security object uses. You can find SSIDs that you have previously created on the Configuration > SSIDs page. If you need to create one, click New.

Once this feature is enabled, you must pair the “mac-white-list bypass-cwp” to the MAC object that contains the specific MAC addresses that can bypass the captive web portal. The CLI command syntax to create a MAC object is: security-object security mac-white-list mac-object For example: security-object test-ssid security mac-white-list mac-object vending_albert1 Each security-object can have up to eight different MAC objects associated to a specific mac-white-list. For example, enter: security-object test-ssid security mac-white-list mac-object vending_albert1 security-object test-ssid security mac-white-list mac-object vending_albert2 security-object test-ssid security mac-white-list mac-object vending_albert3 security-object test-ssid security mac-white-list mac-object vending_albert4 security-object test-ssid security mac-white-list mac-object vending_albert5 security-object test-ssid security mac-white-list mac-object vending_albert6 security-object test-ssid security mac-white-list mac-object vending_albert7 security-object test-ssid security mac-white-list mac-object vending_albert8 You can add up to eight different MAC objects to a single mac-white-list. If you attempt to add more than eight objects, the following error message appears: security-object test-ssid security mac-white-list mac-object vending_albert9 can't bind mac-object to mac-white-list exceeding 8 members! The CLI command syntax to see all of the paired MAC objects for a specific security object is: show security-object security mac-white-list For example, enter: show security-object test-ssid security mac-white-list

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 5 HiveManager Feature Enhancements for 6.4r1

HiveManager Feature Enhancements for 6.4r1 AP230 as iBeacon In this release, Aerohive introduces support for BLE proximity beacon, or iBeacon services, based on version 4.0 of the Bluetooth specification. This feature allows an AP230 to act as an iBeacon transmitter. BLE technology does not rely on satellites (as GPS does), but on clients receiving signals within a certain proximity to local iBeacon transmitters. BLE technology works in locations where GPS signals are not available. With this feature, you do not need to install and set up separate iBeacon transmitters, separate AC power connections, or periodically replace weak batteries. Instead, you simply connect an iBeacon dongle to the USB port on an AP230. The dongle performs the iBeacon transmission using power provided by the AP230. You configure the iBeacon settings in HiveManager.

This release supports the BLED112 Bluetooth Smart Dongle from Bluegiga Technologies. The required firmware is integrated in HiveOS 6.4r1.

The following topics are covered in more detail below: • "Enabling the iBeacon Service in HiveManager" on page 6 • "Upgrading HiveOS and Extracting and Loading iBeacon USB Dongle Firmware" on page 7 • "Configuring the UUID String, Major and Minor Values, and Measured Power Setting" on page 8 • "Enabling the USB Power Mode in HiveManager" on page 9 To learn more about iBeacon technology, see Building Applications with iBeacon, by Matthew S. Gast, published by O’Reilly Media, Inc., October 10, 2014. Enabling the iBeacon Service in HiveManager To enable the iBeacon service in HiveManager: 1. Upgrade HiveManager to version 6.4r1. 2. Insert the iBeacon USB dongle (model BLED112 Bluetooth Smart Dongle, available from Bluegiga) in the USB port on the AP230. 3. In HiveManager, navigate to Home > Administration > HiveManager Services and select the check box for iBeacon Service Settings. 4. Select the check box for Enable iBeacon Service, and configure the UUID number and iBeacon name (up to 32 characters with no blank spaces). You can clear the name field, or leave it as AerohiveNetworks, which is the default setting. The iBeacon name is for your reference only, and is not included in the iBeacon advertisement packet transmitted by the BLED112. Click the Update button at the top of the page to enable the service. You will see a success message when the service is enabled.

The UUID shown (AerohiveNetworks) in the HiveManager Services page above is the default UUID. If your organization already has a UUID number, enter this number in the field. You can also set one yourself, or you can obtain a randomly generated one from the Internet. You can also leave the field blank.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 6 HiveManager Feature Enhancements for 6.4r1

Upgrading HiveOS and Extracting and Loading iBeacon USB Dongle Firmware There are two steps for upgrading HiveOS to support the iBeacon Service. First you must upgrade HiveOs to 6.4r1, and then you must update the iBeacon USB dongle firmware to extract it and load it on the BLED112 smart dongle. These procedures are described below.

SCP/TFTP is not supported in this release for the iBeacon upload and extraction process.

The firmware for the Bluegiga iBeacon dongle, included in the HiveOS 6.4r1 release, is extracted and loaded to the iBeacon dongle after you upgrade HiveOS from HiveManager.

Before updating to HiveOS 6.4r1, make sure that the USB device is connected to the AP230. To upgrade and activate HiveOS 6.4r1: 1. Navigate to Configuration > All Devices and select check box for the AP230. 2. Click the Update button for a drop-down list of update actions. 3. Select Advanced > Upload and Activate HiveOS Firmware. 4. In the dialog box that appears, select the AP230 HiveOS 6.4r1 image from the drop-down list, and click Upload. If you do not see the image in the drop-down list, click the Add/Remove button to select the HiveOS image from the update server. Click Upload to copy the HiveOS Image to HiveManager. Select the new HiveOS image in the drop-down list and then click Upload. To extract and load the iBeacon firmware on the BLED112 dongle: 1. Navigate to Configuration > All Devices and select check box for the AP230. 2. Click the Update... button for a drop-down list of update actions. 3. Select Advanced > Update the BLE device firmware. 4. In the Confirm dialog box, click Yes. A success message appears when the firmware has been updated.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 7 HiveManager Feature Enhancements for 6.4r1

Configuring the UUID String, Major and Minor Values, and Measured Power Setting Each iBeacon AP230 transmits three numbers that uniquely identify it to nearby client devices, such as smart phones. These numbers are the UUID, and major and minor numbers. The major and minor numbers identify areas within an organization. For example a department (major) or section of a department (minor) within a store. The following table illustrates how major and minor numbers are used:

Store Location San Francisco Palo Alto London New York

UUID D9B9ECIF-3925-43D0-80A9-1E9D4CEA95C Major 1 2 3 4 Software 10 10 10 10 Minor Electronics 20 20 20 20 Accessories 30 30 30 30

In this example, when a BYOD customer enters the Electronics department in the Apple store in Palo Alto, the following message appears on their device: “Welcome to the Apple Store, Palo Alto, California, Electronics Department”. To configure the UUID and major and minor values: 1. Navigate to Configuration > Devices > Aerohive APs. 2. Select the check box for the AP230, and click Modify. You can also double-click the name of the AP to see the Modify dialog box. 3. In the dialog box that appears, scroll down to the iBeacon section. 4. Enter values in the Major and Minor fields, and set the Admin state to Up to enable the ble0 interface. 5. The Power (dBm) field is where you can set a power value, which is the received strength signal indication (RSSI) value for clients that are within one meter of an iBeacon transmitter. For this release, the Power value must be -59 dBm for the BLED112 dongle. 6. Click Save.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 8 HiveManager Feature Enhancements for 6.4r1

Enabling the USB Power Mode in HiveManager Enabling the USB power mode ensures that the USB port is powered on when an iBeacon USB dongle is connected to the AP. To enable the USB power: 1. Navigate to Configuration > Devices > Aerohive APs. 2. Select the check box for the AP230, and click Modify. You can also double-click the name of the AP to display the Modify dialog box. 3. In the dialog box that appears, scroll down to the Optional Settings section. Expand the Advanced Port Settings section and select Enable from the drop-down list in the Power Mode column to power on the USB LAN interface. Click Save to save this setting.

4. To apply these settings to the AP230, navigate to Configuration > Devices > Aerohive APs and select the check box next to the AP230 you want to update. 5. Select Update Devices from the Update... drop down list.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 9 HiveManager Feature Enhancements for 6.4r1

6. In the dialog box that appears click Update.

Delegate Remote Deployment of Aerohive Devices In this release of HiveManager, the auto provisioning process is simplified to allow complete remote deployment of Aerohive devices. This feature allows the central admin to delegate the deployment to an on-site operations person. In the role as delegated admin, you can now import all Aerohive device-specific settings in a single workflow that includes import of the CSV file, upload of the auto provisioning configuration, and then upgrade of the firmware. This is in contrast to the additional manual configuration effort required after Aerohive devices first connected to the HiveManager. This feature is supported on both on-premises HiveManager and HiveManager Online.

The prerequisites to remote deployment is that the central admin create the network policy, and enable an automatic provisioning policy. These policies are associated to the remote deployment as part of the auto provisioning process when Aerohive devices reboot. The remote deployment process is as follows: 1. From on-premises HiveManager, navigate to Configuration > Devices > All Devices. 2. Select the Unmanaged Devices tab. From the Device Inventory drop-down, select Import. 3. In the Import CSV File dialog box, click Browse to select a file to open a dialog box to import a .csv file. The Import CSV File dialogue box display now contains more device-specific settings.

.

The Import CSV File dialogue box shown above reflects on-premise HiveManager. For HiveManager Online, the functionality is the same, but the display is slightly different.

4. Click View Details to see a table similar to the one shown below, which includes additional Wi-Fi, HiveOS, and Tag device settings:

: Attributes Description

Serial Number* Empty or 14 digits

Node ID* 12 hexadecimal digits

Device Model* AP110, AP1130, AP120, AP121, AP141, AP170, AP20, AP230, AP28, AP320, AP330, AP340, AP350, AP370, AP390, BR100, BR200, BR200-LTE-VZ, BR200-WP, SR2024, SR2024P, SR2124P, SR2148P

Device Function* AP, Router, Switch

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 10 HiveManager Feature Enhancements for 6.4r1

Attributes Description

Network policy 0-32 characters

Location 0-32 characters

Static IP Address Ex: 10.1.1.1

Netmask Ex: 255.255.255.0

Default Gateway Ex: 10.1.2.234

Topology Map 0-32 characters

Country Code Ex: 840 = United States

Wifi0 Radio Profile 0-32 characters This profile is ignored for devices without radio. The radio profile must be an existing and valid profile. Default is the same as auto provisioning default.

Wifi0 Admin State 0: Up 1: Down

Wifi0 Operation Mode 1: Access 2: Backhaul 4: Dual 7: Sensor

Wifi0 Channel Based on its country code 0: Auto Channel: 1,2,3,4,5,6,7,8,9,10,11,12,13

Wifo0 Power 0: Auto Setting: 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20

Wifi1 Radio Profile 0-32 characters This profile is ignored for single-radio devices. The radio profile must be an existing and valid profile. Default is the same as auto provisioning default.

Wifi1 Admin State 0: Up 1: Down

Wifi1 Operation Mode 1: Access 2: Backhaul 4: Dual 7: Sensor

Wifi1 Channel Based on its country code and device model 0: Auto Channel: 36,40,44,48,149,153,157,161,165 DFS Channel: 52,56,60,64,100,104,108,112,116,120,124,128,132,136,140

Wifi Power 0: Auto Setting: 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 11 HiveManager Feature Enhancements for 6.4r1

Attributes Description

HiveOS HiveOS image version (Ex: 6.2r1)

Tag1 0-64 characters, Device Classification

Tag2 0-64 characters, Device Classification

Tag3 0-64 characters, Device Classification

VHM Name* 1-32 characters

* Mandatory fields. 5. Click Choose File to browse to the .csv file that you created, and select it.

You should ensure that the .csv file attribute values are valid. Invalid values will result in an error message upon file import, and any incorrect attribute values that are entered may result in unexpected device behavior. (Values are case-sensitive.)

6. Select the check box to upload your device configuration settings if you are connecting to the HiveManager for the first time, and then select the check box to upgrade your devices to the specified HiveOS version. After you have physically installed your APs, all of your device setting information as defined in the .csv file will be assigned to your APs, along with your associated network and auto provisioning policies. AP firmware is upgraded, and after the APs reboot, all devices become operational.

Unified IP Firewall Policy Extended to SR Series Switches In HiveManager, the unified IP firewall policy has been extended to support wired clients connected to SR2024, SR2024P, SR2124P, and SR2148P Aerohive SR Series switches. This is in addition to the unified IP firewall policy that is already supported on Aerohive APs. By extending IP firewall support to the switches, Aerohive allows you to define a unified IP firewall policy, independent of wireless or wired access to your network. Creating a unified firewall policy for switches and APs involves configuring an IP firewall policy for switches and APs, adding the IP firewall policy to a user profile, and binding the configured user profile to access port types. Then, you push the updated configuration onto your devices. The unified IP firewall is configured in Layer 2 for switches and in Layer 3 for APs. As a result, there are fewer fields supported by the unified IP firewall on switches than on APs. For instance, logging is not supported on the switches, but it is supported on the APs. In addition, the switches support a maximum of 20 rules while the APs support a maximum of 64 rules. On the IP Firewall Policies page, there are two sections, one for switches and another for APs, in the same IP firewall policy under the same name. To make the switch IP firewall and the AP IP firewall a unified IP policy, make sure the configuration for both devices match.

The unified IP firewall policy is supported on Aerohive switches functioning as switches and APs functioning as APs. Branch routers, switches functioning as routers, and APs functioning as routers support network firewalls.

Configuring a Unified IP Firewall Policy for Switches and APs A unified IP firewall policy for switches and APs is a set of rules that determine which type of traffic to permit or deny based on the source and destination IP addresses as well as the service type. To create a unified IP firewall policy for switches and APs, you create a single policy for both device types. In the following configuration, you name the IP firewall policy, provide a descriptive note about it for future reference, and manage the rules that make up the policy.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 12 HiveManager Feature Enhancements for 6.4r1

To configure a unified IP firewall policy that applies to both switches and APs: 1. Navigate to Configuration > Advanced Configuration > Security Policies > IP Firewall Policies and then click New. 2. Enter the following fields: Policy Name: The name of the IP firewall policy. The name can be up to 32 characters and cannot include spaces. After you create a policy initially, this is the one field that you cannot modify. Description: Add a useful note about the policy, such as its purpose. For example, type “Unified IP Policy for Switches and APs.” The description can be up to 64 characters long, including spaces.

.

There are fewer fields available in the Firewall Policy for Switches than in the Firewall Policy for APs sections. First, configure the fields in the switch section, and then replicate the switch configuration in the AP section. To make the switch firewall and the AP firewall a unified policy, make sure the configuration for both devices match.

3. In the IP Firewall for Switches section, select the + and enter the following fields: Source IP: This is the address from which traffic originates. Select one or more source IP addresses or resolvable domain names from the list box. SHIFT-click to select multiple contiguous sources and CTRL-click to select multiple noncontiguous sources. If you do not see the address or domain you want, click the New icon and define it. (See the online Help for instructions.) Select “any” to represent all IP addresses. Destination IP: This is the address to which traffic is sent. Select one or more destination IP addresses or resolvable domain names from the list box. SHIFT-click to select multiple contiguous sources and CTRL-click to select multiple noncontiguous sources. If you do not see the address or domain you want, click the New icon and define it. (See the online Help for instructions.) Select “any” to represent all IP addresses. Service: Select the type of traffic to which the policy applies. For the switches, only Network Services is supported. When you select Network Services, the Select Services page is displayed. Create a new service for the unified IP firewall policy, by clicking the + icon in the middle of the page.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 13 HiveManager Feature Enhancements for 6.4r1

The Network Services > New page is displayed. For the switches, you can specify the name, description, IP protocol, and port number. Enter the following and then click Save:

Name: Type the name for a network service. The name can be up to 32 characters and cannot include spaces. Description: Type a meaningful note about the service, such as a description of its function (for example, “Network service for unified IP firewall”). The description can be up to 64 characters long and can include spaces. Service Idle Timeout: This field is supported by APs only. It is not supported by switches. IP Protocol: Choose the type of protocol that you want the service to use. For switches, there are three predefined IP protocols in the drop-down list: • TCP (Transmission Control Protocol) - 6 • UDP (User Diagram Protocol) - 17 • SVM (SpectraLink Voice Priority) - 119 You can also define a custom IP protocol by choosing CUSTOM. A new field called Protocol Number replaces the Port Number field. Enter the protocol ID number that you want to use. Its value can be from 1 to 255. Port Number: For services that use TCP or UDP, you also need to set a destination port number that the receiving device can use to map the service to a particular processor. Select a value from 1 to 65535. ALG Type: This field is supported by APs only. It is not supported by switches.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 14 HiveManager Feature Enhancements for 6.4r1

4. The Select Services page is displayed again. Click the check box next to the network service that you just created and then tap or click > to add this service to the Selected Services column. Then Click OK. You are returned to the IP Firewall Policies page. Enter the following fields. Then click the Save icon. Action: The action that the device performs when it receives traffic matching the three-part tuple of source address-destination address-service. The IP firewall can perform the following actions: Permit: The device allows traffic to traverse its firewall. Deny: The device blocks traffic from traversing its firewall.

For information about moving rules within a firewall policy, see the online Help.

5. Within the same policy, select + in the Firewall Policy for APs section, and create a firewall policy for the APs in your network that will apply to the same instance as the switch IP firewall policy that you just configured. Replicate the settings for the switch which are described above. (The only exception is that the network service that you created will be available from the Select Services page.) The IP Firewall Policies page is displayed again. Configure the remaining fields to match the switch configuration and then click Save.

Adding the Unified IP Firewall Policy Configuration to a User Profile After you configure a unified IP firewall policy for switches and APs, you must add the policy to a user profile. 1. Navigate to Configuration > User Profiles and then click New. Enter the following fields: Name: Enter a descriptive name for the user profile. When you later choose a user profile while configuring an SSID, this name appears in the user profile list. The name can be up to 32 characters long and cannot include spaces. Attribute Number: When the security access for an SSID is WPA/WPA2 PSK (Personal) or WEP or Open, the user profile attribute number links the user profile to an SSID so that the device can apply the appropriate firewall to all traffic on that SSID. When employing RADIUS authentication, consider including the attribute number as part of the user profile name. Devices identify which user profile to apply to traffic from authenticated RADIUS users by matching the attribute value that a RADIUS authentication server returns with the attribute value assigned to a user profile referenced by the SSID. Including the attribute value in the user profile name makes it easier to keep track of the user profiles assigned to SSIDs so that you can make sure they match the appropriate RADIUS user groups with corresponding values. The attribute number must be unique for each user profile that appears in the same network policy. You can set a number between 1 and 4095. Default VLAN: Choose the VLAN that you want to assign to traffic from members of this user profile. Description: Type a meaningful comment that describes the user profile for later reference. The comment can be up to 64 characters long, including spaces. 2. Select the arrow next to Firewalls to expand this section. Enter the following fields in the IP Firewall Policy section and then click Save.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 15 HiveManager Feature Enhancements for 6.4r1

From-Access: This is the address to which traffic is sent. Select the unified IP firewall policy you configured in the previous procedure. This field applies to both APs and switches. To-Access: This field applies to APs only. It is not supported by switches. Default Action: Choose either Permit or Deny from the drop-down menu for traffic that does not match the IP address and services in the policies. If you want to permit all traffic from members of the user profile to except traffic to or from a few IP addresses, then create IP firewall policies denying traffic to or from those addresses and choose Permit as the default action. Similarly if you want to deny all traffic from members of the user profile except traffic to or from specific IP addresses, then create IP firewall policies permitting traffic to or from those address and choose Deny as the default action.

Binding the User Profile to Access Port Types on the Switch After you have added the unified IP firewall policy to a user profile, you must bind the configured user profile to a port type for the switch and then push the updated configuration onto your devices in order for the unified IP firewall policy to take effect. 1. Navigate to Configuration > Guided Configuration and then select a network policy. Select a Device Template for a switch, select the ports that you want to assign to the unified IP firewall and then click Configure to assign a port type on the Choose Port Type menu. Then click OK. 2. In the Port Types section, select Add/Remove in the User Profile column to assign the user profile to a switch port. Select the user profile from the Choose User Profiles menu and then click Save.

When configuring a port type, make sure you do not select “Allow Multiple Hosts (Same VLAN)” in the Authentication section of the Port Types > New page. If you select this check box, the configured IP firewall policy will not take affect.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 16 HiveManager Feature Enhancements for 6.4r1

In the Unified IP firewall, you can bind a user profile to an access port type that is configured with or without authentication.

3. Select a Device Template for an AP and the ports that you want to assign to the unified IP firewall policy, then click Configure to assign a port type on the menu, and then click OK. 4. In the Port Types section, select Add/Remove in the User Profile column to assign the user profile to an AP port. Select the user profile form the Choose User Profiles menu, and then click Save. 5. Proceed to the Configure and Update Devices section to push the configuration to your devices.

Support Enhancements for NAC Enhancements have been made to provide full support for Network Access Control (NAC) solutions for BYOD network access. When the NAC application recognizes a new device, or a device that is not compliant with the enforced network policy, it sends a request to the RADIUS server, which then issues a Change of Authorization (CoA) message. When HiveOS receives a CoA message, it changes the user profile ID to redirect the user to either a new-user web portal where they can enter first-time credentials, or a quarantine web portal for remediation. Several new features have been added to HiveManager to support this feature in the user profile, IP firewall, and AAA Client profile sections. There are three steps to enable NAC in HiveManager, which are described in the following sections: • Enable the Default Redirect Action and specify the URL for the web portal in the user profile.

You must configure a separate user profile for each web URL to which you want users redirected.

• Configure the IP firewall policy to support the redirect option. • Enable CoA messages in the RADIUS client profile. To enable the Default Redirect Action in the user profile:

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 17 HiveManager Feature Enhancements for 6.4r1

1. Navigate to Configuration > User Profiles. 2. On the User Profiles page, click the name of an existing profile to modify it, or click New to create a new user profile. If you create a new profile, complete the required fields and then proceed to Step 3. For more information about how to create a user profile, see the online Help. 3. On the User Profiles > Edit page (to modify an existing profile) or the User Profiles > New page (if you are creating a new profile), expand the Optional Settings section, and the Firewalls section. 4. In the IP Firewall Policy section, select the check box to Enable Default Redirect Action. By default, the From-Access and To-Access fields change to Redirect-Only. 5. Enter the URL to which you want users redirected in the Redirecting URL field. 6. Click Save.

To enable CoA messages from the RADIUS server: 1. Navigate to Configuration > Advanced Configuration > AAA Client Settings. 2. On the AAA Client Settings page, click the name of an existing RADIUS client profile to modify it, or click New to create a new RADIUS client profile. If you create a new RADIUS client profile, complete the name and description fields, and then proceed to Step 3. For more information about how to create RADIUS client profiles, see the online Help. 3. From the AAA Client Settings > Edit page (to modify an existing profile), or the AAA Client Settings > New page (if you are creating a new profile), expand the Optional Settings section and select the check box to Permit Dynamic Change of Authorization Message (RFC 3576). 4. Click Save.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 18 HiveManager Feature Enhancements for 6.4r1

To enable the redirect option in the IP firewall policy: 1. Navigate to Configuration > Advanced Configuration > Security Policies > IP Firewall Policies. 2. On the IP Firewall Policies page, click the name of an existing IP firewall policy to modify it, or click New to create a new IP firewall policy. If you create a new IP firewall policy, complete the Policy Name and Description fields, and then proceed to Step 3.

3. To enable the redirect option, navigate to Configuration > Advanced Configuration > Security Policies > IP Firewall Polices. 4. In the Firewall Policy for APs section, you can either modify an existing rule to redirect or create a new rule to redirect. To modify an existing rule, click the pencil icon. To create a new rule, click the plus sign in the top right corner. For more information about how to create firewall policy rules, see the online Help. 5. Select Redirect from the Action drop-down menu. 6. Click Save.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 19 HiveOS 6.2r1 and HiveManager 6.2r1a New Features Guide

HiveOS 6.2r1 and HiveManager 6.2r1a New Features Guide

This guide describes the new features and feature enhancements introduced in the HiveOS 6.2r1 and HiveManager 6.2r1a releases.

New Features and Feature Enhancements

Several new features and feature enhancements have been introduced in these releases. You can read summaries of these features and enhancements below. Several major features are covered in more detail in individual sections later in this guide. For information about known and addressed issues in the HiveOS 6.2r1 and HiveManager 6.2r1a releases, refer to the corresponding Aerohive Release Notes.

New and Enhanced HiveOS 6.2r1 Features The following are the new features and feature enhancements in the HiveOS 6.2r1 release. IPv6 Enhancements: This release introduces the following enhancements to provide basic IPv6 support and ease the transition from IPv4 to IPv6 networks (see "IPv6 Enhancements"): • Multiple VLAN Support for SSIDs prevents IPv6 client devices from self-assigning incorrect IPv6 addresses based on multicast RAs (router advertisements) from multiple VLANs. • IPv4 and IPv6 Traffic Filtering by Ethertype allows you to control the type of IP traffic on your Aerohive devices. • Display Client IPv6 Addresses introduces CLI commands that display MAC and IPv6 addresses of associated client devices. • DHCP6 Shield and RA Guard improve security and prevent network disruption caused by rogue or misconfigured IPv6 servers by blocking RAs on all access interfaces and allowing them only on backhaul interfaces. Multicast-to-Unicast Conversion Supported on AP230: Multicast-to-unicast conversion helps manage multicast traffic efficiently and reliably. It uses IGMP snooping to avoid sending frames destined for WLAN hosts to the wired distribution system and vice versa. It also forwards multicast frames to WLAN hosts using unicast addresses. This provides strong wireless communication because unicast frames are acknowledged, retried, and rate controlled dynamically. Multicast frames are sent as a series of unicast packets addressed individually to each multicast group member. A typical use of this feature is to stream video from a centralized server to multicast group members connected to the WLAN. sFlow for APs: This release introduces support for sFlow, an industry standard, that allows you to monitor your network by providing traffic information to perform traffic monitoring. It thereby enables you to detect security breeches, troubleshoot network issues, monitor congestion, and perform traffic profiling. In this release, sFlow is supported on APs and is available in HiveOS through the command line interface (CLI) or through the Supplemental CLI tool in HiveManager. You can view the monitor information provided by the sFlow commands with a third-party application such as Wireshark, SolarWinds, or sFlowTrend. See "sFlow for APs". WIPS Sensor Mode: You can now configure Aerohive APs to function as dedicated WIPS (wireless intrusion prevention service) or presence sensors. Whereas an AP must normally divide its time between servicing clients and scanning the channel, APs that operate as dedicated sensors do not service clients and instead spend all their time scanning for (and mitigating) rogue devices or collecting client presence information. See "WIPS Sensor Mode".

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 20 New Features and Feature Enhancements

Enabling WIPS on Specific AP Radios: If a WIPS policy is configured in the network policy, WIPS is enabled for both the 2.4 GHz and 5 GHz radios by default. To override this default behavior and disable WIPS on a single radio even though a WIPS policy is configured in network policy, select the Disable WIPS check box for the corresponding radio. The WIPS policy is enabled for the radio only if the Disable WIPS check box is not selected, and a WIPS policy is specified in the network policy. Outbound SSH from HiveOS: HiveOS 6.2r1 provides SSH client connectivity capabilities to reach otherwise unreachable Aerohive devices on the same subnet. This is an SSH CLI-driven troubleshooting tool for debugging remote Aerohive devices in your wireless network. See "Outbound SSH from HiveOS".

New and Enhanced HiveManager 6.2r1a Features The following are the new features and enhancements in the HiveManager 6.2r1a release. Supplemental CLI Tool Support: In this release, the Supplemental CLI tool provides an efficient way for you to issue and upload CLI commands to multiple devices from the HiveManager GUI simultaneously. See "Supplemental CLI Tool Support". Application Visibility and Control DPI Engine Upgraded to NAVL 4.x: The DPI engine for Application Visibility and Control has been upgraded to NAVL 4.x, which is capable of classifying over 1200 applications that can be extracted from corresponding application traffic to provide deeper visibility and granularity into user activities. See "CAPWAP Delay Alarm Change". Stateless Gateway: The Bonjour Gateway scalability enhancement in this release allows you to deploy this feature without a constraint in the maximum number of advertised Bonjour services that it can support. In addition, the Bonjour Gateway default behavior filter rules are now configured to deny services. As a result, any rule you add automatically permits the specified service. See "Stateless Bonjour Gateway". Multiple Spanning Tree Protocol Support: Aerohive switches now support MSTP (Multiple Spanning Tree Protocol), which you can enable and configure to create an independent STP (Spanning Tree Protocol) instance for several selected groups of VLANs on your network. MSTP provides more flexibility than standard STP or RSTP (Rapid Spanning Tree Protocol), and is less processor-intensive than using protocols that bind a separate STP process for each VLAN individually. You can choose an STP mode in the network policy, and then override the policy-level settings on specific devices where required. See "Multiple Spanning Tree Protocol Support". HiveManager Upgrade Process Enhancements: HiveManager 6.2r1a describes the software update process when upgrading the HiveManager software image to a later version. During the update process, a separate window clearly indicates each step of the upgrade progress from uploading, verifying, and extracting the image as well as checking the system operation, backing up the data, rebooting the system, and restoring its database. See "HiveManager Upgrade Progress Enhancements". Viewing Enrolled Clients for Social Login, ID Manager, and Client Management: On the Active Clients and Wireless Clients pages, new icons appear for the three Aerohive Mobility Suite applications under the Managed column. These icons provide you with convenient access to Social Login, ID Manager, and Client Management from the HiveManager GUI as well as allow you to retrieve information quickly about the enrolled client devices. See "Viewing Enrolled Clients for Social Login, ID Manager, and Client Management". ID Manager Enhancements in HiveManager: This release adds enhancements to the ID Manager Test Tool in HiveManager, allowing you to sort test results. Also, the report now lists reasons for authentication failures, such as an incorrect password.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 21 New and Enhanced HiveOS 6.2r1 Features

New and Enhanced HiveOS 6.2r1 Features

The following sections describe new and enhanced features in the HiveOS 6.2r1 release.

IPv6 Enhancements Aerohive devices currently support IPv6 clients in pass-through mode. This release introduces several enhancements that provide basic IPv6 address support and help ease the transition from IPv4 to IPv6 networks. With the exception of multicast-to-unicast conversion, these enhancements are administered through CLI commands that do not have HiveManager GUI equivalents. These enhancements ensure reliable VLAN separation, display IPv6 addresses, allow you to select IPv6 or IPv4 support (or both), and improve security against rogue or misconfigured IPv6 servers and routers. This section describes the following enhancements.

Multiple VLAN Support for SSIDs Unlike IPv4, the IPv6 protocol allows more than one IP address per interface and gives clients the ability to assign their IPv6 addresses automatically without a DHCPv6 server. One way that IPv6 addresses are assigned to IPv6-capable wireless interfaces is by using SLACC (stateless address automatic configuration), as referenced in RFC 4862. Using SLACC, clients can combine local MAC addresses with the network prefix information from router advertisements (RAs) to automatically assign their own IP addresses. Because RAs use multicast addressing, they can be sent from multiple VLANs to clients on a single SSID. If the RAs all come from the same VLAN as that of the client, the client simply derives its IP address from the RA. If multicast RAs are received from multiple VLANs, the client device (for example, a tablet) could choose an incorrect IP address based on an RA prefix that is not part of the client’s VLAN. This can cause intermittent transmission and connectivity issues if the client then tries to communicate with other clients that are using the same SSID, but are on other VLANs. To address this issue, this release provides a reliable mechanism to support multiple VLANs, and ensure VLAN separation by converting multicast IPv6 RAs into unicast frames, which are then routed only to clients on a specific VLAN. This eliminates the possibility of a client using an incorrect self-assigned IPv6 address because clients can only assign IPv6 addresses based on the VLAN to which they are assigned.

IPv4 and IPv6 filtering by Ethertype This release introduces two CLI commands that allow you to control the IP combinations supported on Aerohive devices. You can now specify all IPv4, all IPv6, or both IPv4 and IPv6 traffic by filtering traffic by Ethertype. For example, you can block IPv6 traffic and support IPv4 traffic only, or you can block IPv4 traffic and support IPv6 traffic only. This ability can facilitate testing, by allowing you to set up an all-IPv6 network. The two CLI commands are described below. The following command allows you to disable the traffic filter in the user profile, and thereby allow both IPv4 and IPv6 traffic on Aerohive devices. The no form of the command re-enables the traffic filter. [no] user-profile security deny The following command configures the user profile to deny either IPv4 or IPv6 traffic. The default is IPv4 support. user-profile security deny []|[]

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 22 New and Enhanced HiveOS 6.2r1 Features

Display Client and MAC IPv6 Addresses This release adds two CLI commands that allow you to display the MAC and IPv6 addresses of clients that are currently connected to Aerohive devices. These commands are identical to its IPv4 command counterparts except that they do not include details such as channel number, associated time, and other parameters. The following command displays a list of all clients associated to a device by their MAC and IPv6 addresses and identifies whether the IPv6 address is local or global. show station ipv6 The following command displays clients that are associated only to a specific SSID, which can greatly reduce the size of the display and provide more specific information. show ssid station ipv6

DHCPv6 Shield and RA Guard An IPv4 network that introduces IPv6 addressing is vulnerable to network disruption caused by misconfigured, or rogue, IPv6 servers or routers. This release introduces two IPv6 security enhancements, DHCPv6 Shield and RA Guard. When DHCPv6 Shield is enabled, it inspects and blocks DHCPv6 server messages sent to associated clients on all access interfaces, but it does not block these same messages sent on backhaul interfaces. This is the only type of interface that is permitted to forward DHCPv6 messages.

An interface can be configured as an access interface, a backhaul interface, or a dual interface. A dual interface consists of two interface types. One type, a sub interface, is always configured in the backhaul mode. The second type, an access interface, is set up automatically for each SSID that you create. For example, if you create three SSIDs, you will have one backhaul interface and three access interfaces.

The following command enables (or disables) DHCPv6 Shield: [no] ipv6 -shield enable This feature is enabled by default on access interfaces and automatically blocks DHCPv6 server messages. However, DHCPv6 Shield is disabled by default on backhaul interfaces. DHCPv6 is similar to DHCP snooping which has been widely implemented on Layer 2 devices in IPv4 networks. To learn more about the mechanisms for protecting devices against rogue DHCPv6 servers, see: http://tools.ietf.org/html/draft-ietf-opsec-dhcpv6-shield-03. The second security enhancement is RA Guard (based on RFC 6105). It protects Aerohive devices in a Layer 2 infrastructure against malicious attacks or improperly configured IPv6 routers. To do this, RA Guard examines incoming router advertisements and either forwards or blocks them depending on how the interface is configured. When RA Guard is enabled, only those RAs received on the backhaul interface are forwarded, RAs received on the access interface are blocked. The following command enables (or disables) RA Guard: [no] ipv6 ra-guard stateless enable The feature is enabled by default on access interfaces, but it is disabled on backhaul interfaces. Use the no form of the command to disable it.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 23 New and Enhanced HiveOS 6.2r1 Features sFlow for APs This release introduces support for sFlow, an industry standard for traffic monitoring, that allows you to monitor your network by providing traffic information to perform traffic monitoring. The information provided by sFlow enables you to detect security breeches, troubleshoot network issues, monitor congestion, and perform traffic profiling. • Perform Traffic Monitoring: For compliance or network planning, sFlow provides information such as the source and destination of traffic. Currently, the Application Visibility and Control feature can provide the type of application in use, such as HTTP video, but it cannot provide the URL of the video site. With sFlow, you can obtain the URL to determine if it is in compliance with company policy. • Troubleshooting network issues and congestion control: Network problems are usually associated with certain traffic patterns such as a surge in traffic, especially a particular type of traffic. This information can help you drill down to the root cause of a surge. Also using sFlow, you can identify congested WLAN connections and associated network conversations. • Network planning: By examining historical traffic patterns and trends, you can plan your network infrastructure. In addition, sFlow contains routing information so you can use it to analyze routes and consequently realign your network more effectively. • Security: You can use sFlow to detect security attacks that are usually indicated by unique traffic patterns such as a spike in DNS requests. In this release, sFlow is available from the command line interface for APs as well as from the Supplementary CLI tool in HiveManager. See "Supplemental CLI Tool Support".

sFlow is not supported on the following devices: AP110, AP120, AP121, AP141.

The basic component of sFlow is an sFlow instance which consists of sample packet header information, a packet sampling rate, and counter polling intervals that are associated with an sFlow data source. By sampling the traffic to capture header information of some of the packets, sFlow can reveal useful information, such as the source and destination of traffic data. In the 6.2r1 release, the data source, or sFlow agent, is a located on an AP radio or port. Two instances are supported simultaneously and each instance operates independently. For example, you can assign one instance to a physical radio on an AP and the second instance to the second radio on the same AP. In addition to an sFlow agent, every sFlow implementation requires an sFlow application, which collects, analyzes, and displays the sFlow data. Since sFlow is an industry-standard, it is supported by third-party applications, such as Wireshark (www.wireshark.com), SolarWinds (www.solarwinds.com), or sFlowTrend (www.inmon.com). See "Displaying sFlow Application Settings" for information about the sFlow sample types that are provided by the third-party applications.

Enabling, Configuring, and Displaying sFlow When you enable an sFlow instance on an interface, it samples traffic from ingress, egress, or both directions. You can specify the direction of the traffic that you want to monitor. The default setting monitors both ingress and egress traffic. The sampling rate refers to how frequently the packet headers are sampled that is defined as one in x packets (where x defines the number of packets). The sFlow agent copies header information for every x packets. While a lower sample rate improves the accuracy of the sampling rate, it also consumes more resources. You need to strike a balance between the sampling rate and resource consumption. In this release, sFlow monitors links of speeds up to 10 Gbps without impacting network performance. You determine the sampling rate based on the interface speed and traffic level on your network as displayed in the following table.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 24 New and Enhanced HiveOS 6.2r1 Features

Table 1: Interface Speed, Traffic Level, and Sampling Rate

Interface speed Low Traffic Medium Traffic Medium Traffic 10 Mbps 1 in 64 packets 1 in 128 packets 1 in 256 packets 100 Mbps 1 in 128 packets 1 in 256 packets 1 in 512 packets 1 Gbps 1 in 256 packets 1 in 512 packets 1 in 1024 packets

Three new commands have been added for the sFlow feature that allow you to enable, configure, and display sFlow status in HiveOS. After you enable and configure the sFlow commands, use a third-party application, such as Wireshark or sFlow Trend, to view the sFlow traffic data. (By default, sFlow is disabled.) To enable sFlow on an AP, enter the following command: sflow enable To configure sFlow, enter the following command: sflow instance interface collector-addr collector-port [numbers] sampling-rate [numbers] polling-interval [polling_rate] direction [options] Table 2: sFlow Instance Configuration Command

Syntax Description sflow Set sFlow related parameters instance Set the sFlow instance name Enter the instance name (1-32 chars; Note: To delete the instance, precede the instance name with "no". This is an optional setting.) interface Set the interface that monitors sFlow Enter the Ethernet port number or Wi-Fi radio interface number, where ifname = eth0 or eth1 or wifi0 or wifi1 collector-addr Set the IP address of the sFlow collector Enter the IP address of the sFlow collector collector-port Set the port number of the sFlow collector [numbers] Enter the port number of the sFlow collector (Range: 1-65535; Default: 6343; Note: This is an optional setting.) sampling-rate Set the sFlow statistical sampling rate so that when set to 100, each packet has a 1% chance of being sampled by the packet forwarding engine (PFE) [numbers] Enter the sFlow sampling rate (Range: 50-5000; Default: 256; Note: This is an optional setting.) polling-interval Set the sFlow polling interval of the sFlow counters and the polling direction [polling_rate] Enter the sFlow polling interval in seconds (Range: 5-3600; Default: 20; Note: This is an optional setting.) direction Set the direction that packets are sampled [options] Enter the direction that packets are sampled (ingress|egress|both; Default: both; Note: This is an optional parameter.)

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 25 New and Enhanced HiveOS 6.2r1 Features

Examples To set the sFlow instance to monitor both ingress and egress traffic on Ethernet port 0 with an sFlow collector (or application) IP address of 172.100.20.3, an sFlow collector port of 6553, a sampling rate of 100, with a polling interval of 30 seconds, enter the following command: sflow instance Eth0_ingress_egress_traffic interface eth0 collector-addr 172.100.20.3 collector-port 6553 sampling-rate 100 polling-interval 30 To set the sFlow instance to monitor ingress traffic on Ethernet port 1 with an sFlow collector (or application) IP address of 172.100.20.5, a sampling rate of 200, and an sFlow collector port of 6555 with a polling interval of 20 seconds (the default setting), enter the following command: sflow instance Eth1_ingress_traffic interface eth1 collector-addr 172.100.20.5 sampling-rate 200 collector-port 6555 direction ingress To set the sFlow instance to monitor egress traffic on Wi-Fi interface 0 with an sFlow collector (or application) IP address of 172.100.20.7, a sampling rate of 100, and an sFlow collector port of 6557 with a polling interval of 60 seconds, enter the following command: sflow instance Wifi0_egress_traffic interface wifi0 collector-addr 172.100.20.7 sampling-rate 100 collector-port 6557 polling-interval 60 direction egress

Displaying sFlow CLI Settings You display the sFlow CLI settings with the show sflow instance command. Table 3: Show sFlow Instance

Syntax Description

show Show settings, parameters or dynamically generated information sflow Set sFlow related parameters instance Set the sFlow instance name Enter the instance name (1-32 chars)

For example, to display the current sFlow settings on an instance named "wifi0_egress_traffic", enter: show sflow instance wifi0_egress_traffic

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 26 New and Enhanced HiveOS 6.2r1 Features

Displaying sFlow Application Settings The following tables describe the HiveOS sFlow Sample Types that are available from a third-party sFlow application. For more information, see RFC 2233. Table 4: Ethernet Packet Sample

Sample Sample sFlow Sample Type Attribute Attribute Description Name Data Type name = Ethernet Packet Sam- length uint32 The length of the MAC packet ple; enterprise = 0; format = 2 received on the network, including FCS octets and excluding the lower-layer encapsulations and framing bits src_mac 6 bytes Source MAC address dst_mac 6 bytes Destination MAC address type uint32 Ethernet packet type

Table 5: IPv4 Packet Sample

Sample Sample sFlow Sample Type Attribute Attribute Description Name Data Type name = IPv4 Packet Sample; enter- length uint32 The length of the IP packet, prise = 0; format = 3 excluding lower-layer encapsu- lation protocol uint32 IP Protocol type (for example, TCP = 6, UDP = 17) src_ip uint32 Source IP address dst_ip uint32 Destination IP address src_port uint32 TCP or UDP source port number dst_port uint32 TCP or UDP destination port number tcp_flags uint32 TCP flags tos uint32 IP types of service

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 27 New and Enhanced HiveOS 6.2r1 Features

Table 6: Generic Interface Counters

Sample Sample sFlow Sample Type Attribute Attribute Description Name Data Type name = Generic Interface ifindex uint32 Interface index Counters; enterprise = 0; ifType uint32 Interface type format = 1 ifSpeed uint64 Interface speed ifDirection uint32 0 = unknown, 1 = full duplex, 2 = half duplex, 3 = in, 4 = out ifStatus uint32 Bit field with the following bits assigned, bit 0 = ifAdminStatus (0 = down, 1 = up), bit 1 = ifOperStatus (0 = down, 1 = up) iflnOctets uint64 Number of incoming bytes iflnUcastPkts uint32 Number of incoming unicast packets iflnMulticastPkts uint32 Number of incoming multicast packets iflnBroadcastP- uint32 Number of incoming broadcast packets kts iflnDiscards uint32 Number of incoming packets discarded iflnErrors uint32 Number of incoming packets deemed as errors and dropped iflnUnknown- uint32 Number of incoming packets with Protos unknown protocols ifOutOctets uint64 Number of outgoing bytes ifOutUcastPkts uint32 Number of outgoing unicast packets ifOutMultiUcast- uint32 Number of outgoing multicast packets Pkts ifOutBroadcast- uint32 Number of outgoing broadcast packets Pkts ifOutDiscards uint32 Number of outgoing packets discarded ifOutErrors uint32 Number of outgoing packets deemed as erroneous and dropped ifPromiscuous- uint32 When station accepts all packets trans- Mode mitted = 1; or when station does not accept all packets transmitted = 0

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 28 New and Enhanced HiveOS 6.2r1 Features

Table 7: Host Description Counter Sample sFlow

Sample Sample sFlow Sample Type Attribute Attribute Description Name Data Type name = Host Description hostname Host name Counter Sample; enter- uuid 16 bytes Binary UUID prise = 0; format = 2000 machine_type uint32 Enum machine_type (unknown = 0, other = 1, x86 = 2, x86_64 = 3, ia64 = 4, sparc = 5, alpha = 6, powerpc = 7, m68k = 8, mips = 9, arm = 10, hppa = 11, s390 = 12 os_name uint32 linux = 3 os_release For example, 2.6.9-42.ELsmp,xp-sp3, empty if unknown

Table 8: Host CPU Counter Sample

Sample Sample sFlow Sample Type Attribute Attribute Description Name Data Type name = Host CPU Counter load_one float 1 minute load average Sample; enterprise = 0; load_five float 5 minute load average format = 2003 load_fifteen float 15 minute load average proc_run uint32 Total number of running processes proc_total uint32 Total number of processes cpu_num uint32 Number of CPUs cpu_speed uint32 (not CPU Speed in MHz supported) uptime uint32 Number of seconds since last reboot cpu_user uint32 User time in milliseconds cpu_nice uint32 Nice time in milliseconds cpu_system uint32 System time in milliseconds cpu_idle uint32 Idle time in milliseconds cpu_wio uint32 Time waiting for I/O to complete in millisec- onds cpu_intr uint32 Time servicing interrupts in milliseconds cpu_sintr uint32 Time servicing soft interrupts in milliseconds interrupts uint32 Interrupt counts context uint32 Context switch count

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 29 New and Enhanced HiveOS 6.2r1 Features

Table 9: Host Memory Counter Sample

Sample Sample sFlow Sample Type Attribute Description Attribute Name Data Type Host Memory Counter mem_total uint64 Number of total bytes Sample; enterprise = 0; mem_free uint64 Number of free bytes format = 2004 mem_shared uint64 Number of shared bytes mem_buffers uint64 Number of buffer bytes mem_cached uint64 Number of cached bytes swap_total uint64 Number of total swap bytes swap_free uint64 Number of swap free bytes page_in uint32 Page incoming count page_out uint32 Page outgoing count swap_in uint32 Swap incoming count swap_out uint32 Swap outgoing count

Table 10: Host Network I/O Counter Sample

Sample Sample sFlow Sample Type Attribute Attribute Data Description Name Type name = Host Network I/O bytes_in uint64 Total number of incoming bytes Counter Samples pkts_in uint32 Total number of incoming packets errs_in uint32 Total number of incoming errors drops_in uint32 Total number of incoming drops bytes_out uint64 Total number of outgoing bytes packets_out uint32 Total number of outgoing packets errs_out uint32 Total number of outgoing errors drops_out uint32 Total number of outgoing drops

WIPS Sensor Mode When an AP that services clients also acts as a sensor, it must do so opportunistically. That is, the AP must suspend its client data handling activity when the traffic conditions permit so that it can perform background scanning. For networks with light traffic, suspending client data handling activity is relatively simple and the AP can spend considerable time scanning for rogue devices. However, if the network is heavily trafficked, then background scanning opportunities become increasingly rare. Unfortunately, it is during the times when traffic is higher or when the APs services many clients that scanning becomes most urgent.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 30 New and Enhanced HiveOS 6.2r1 Features

You can configure Aerohive APs to act a dedicated sensors that can scan or monitor traffic constantly while the rest of your network handles client traffic. To make background scanning more flexible, you can configure Aerohive APs to operate in one of three modes: WIPS only, Presence only, or WIPS and Presence.

By default, Aerohive APs configured to act as sensors operate as a combination WIPS and presence sensor.

WIPS Only Mode: In WIPS Only mode, the AP scans the channels and collects data that it then uses to identify and mitigate rogues devices. Presence Only Mode: In Presence Only mode, the AP collects, aggregates, and analyzes client data so that it can be used to customize interactions between the network and the client. In retail environments, the AP can track how long customers spend in various departments so that the network can provide them coupons, a guest login, or other offers. WIPS and Presence Mode: When the AP operates in this mode, it both collects presence data and monitors the network for rogue activity. The mode in which you want the AP to operate is determined in large part by the overall utilization of the network by the clients. Careful consideration is required to strike an optimal balance between servicing clients, monitoring for rogue activity, and tracking presence and dwell times. You can configure the AP sensor mode behavior in the radio profile. To configure and enable presence capabilities, click Configure > Radio Profiles > New, enter the following information (leave other settings at their default values), and then click Save: Profile Name: Enter a name for your radio profile. You choose this name within the device configuration pages to assign the radio profile to a specified device. Radio Mode: Choose the radio mode that you want to use when operating as a sensor. Optional Advanced Settings If WIPS is enabled in the network policy, it is automatically enabled by default on both the 2.4 GHz and 5 GHz radios. You can override the WIPs policy and disable WIPs for a specific radio profile using the Disable WIPS check box below.

You must configure a WIPS policy and apply it to the radio profile. You can find information regarding WIPS policy configuration in the online Help system.

In the Presence Server Settings section, select Enable Presence Analytics, and then enter the following information: Trap Interval: Set the number of seconds the Presence sensor reports sensor data to HiveManager. By default, the trap interval is set to 120 seconds. You can enter an interval between 15 and 600 seconds (10 minutes) to accommodate slow WAN connections. Aging Time: Enter the amount of time that you want the AP to retain collected data. After being detected for the first time, the client is reported at every interval until the same client is no longer detected within the duration of the aging time value. If the same client is detected again later, it is reported as detected for the first time. By default, the aging time is set to 120 seconds. Aggregate Interval: Set the interval that client data is collected in a single data sample and reported to HiveManager. It is preferable to set the aggregate interval to the same value as the reporting interval. By default, the aggregate interval is 120 seconds. You can enter an aggregate interval between 15 and 600 seconds (10 minutes) to accommodate slow WAN connections. In the Sensor Mode Scan Settings, enter the Dwell Time. The dwell time is the time you want the sensor to remain on any channel before moving to another channel to continue the scan.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 31 New and Enhanced HiveOS 6.2r1 Features

After the radio profile configuration is complete, apply the profile to any device you want to configure as a dedicated sensor by clicking Configuration > All Devices > device_name, choosing the new radio profile from the Radio Profile drop-down list, and then clicking Save.

After any change to a device setting, profile, or policy, you must upload the changes to the devices. For information on uploading and updating configurations, see the Help system.

Outbound SSH from HiveOS This release of HiveOS makes available the outbound SSH client feature, which provides SSH client connectivity capabilities to reach otherwise unreachable Aerohive devices that are on the same subnet. For example, as an admin with read/write or root permissions, you can troubleshoot an AP that is not directly connected to HiveManager Online. First, use HiveManager Online to access a device that is reachable, and then use the outbound SSH client commands to connect to any faulty device within the same subnet that would otherwise be unreachable. After accessing it, you can use its CLI functionality to further test and troubleshoot the AP. The outbound SSH client command is: exec ssh-client server user For example, to enter an SSH client command from AP AH-8b4940 to reach a faulty Aerohive AP AH-09be40 with IP address 10.16.0.217, enter the following command and include the SSH host name or IP address, user name, and password: Last login: Mon Jul 28 12:53:57 2014 from localhost Aerohive Networks Inc. Copyright (C) 2006-2014 AH-8b4940#exec ssh-client server 10.16.0.217 user admin [email protected]'s password: Aerohive Networks Inc. Copyright (C) 2006-2014 AH-09be40# You now have access to the CLI of the AP that is one hop away. For example, you can ping from the faulty AP at IP address 10.16.0.217 to another device at IP address 10.16.0.213 to test its connectivity to the other device: AH-09be40#ping 10.16.0.213 PING 10.16.0.213 (10.16.0.213) 56(84) bytes of data. 64 bytes from 10.16.0.213: icmp_seq=1 ttl=64 time=0.375 ms 64 bytes from 10.16.0.213: icmp_seq=2 ttl=64 time=0.328 ms 64 bytes from 10.16.0.213: icmp_seq=3 ttl=64 time=0.321 ms 64 bytes from 10.16.0.213: icmp_seq=4 ttl=64 time=0.286 ms 64 bytes from 10.16.0.213: icmp_seq=5 ttl=64 time=0.299 ms --- 10.16.0.213 ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 3999ms rtt min/avg/max/mdev = 0.286/0.321/0.375/0.038 ms AH-09be40# The outbound SSH client clear command is: clear ssh known_host

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 32 New and Enhanced HiveManager 6.2r1a Features

For example, to clear the previous SSH client command, enter the following: AH-09be40#clear ssh known_host 10.16.0.217 SSH known_hosts updated.

New and Enhanced HiveManager 6.2r1a Features

The following sections describe new and enhanced features in the HiveManager 6.2r1a release. Supplemental CLI Tool Support The Supplemental CLI tool provides an efficient way for you to issue and upload CLI commands to multiple devices from the HiveManager GUI. You can upload a CLI profile that contains a list of CLI commands on multiple devices simultaneously. This is in contrast to the time-consuming method of using a console interface to enter CLI commands one at a time for each device or using the SSH Client option in HiveManager. To enter CLI commands using the Supplemental CLI tool, you enter (or copy and paste) them in sequence, one command per line, up to a maximum of 2048 characters in a CLI profile. Then you save the CLI profile and perform a complete configuration update on your selected devices. The commands contained in the CLI profile are incorporated into the new running configuration on the selected devices. The CLI Supplement tool is backward compatible with previous releases of HiveManager. To enable the Supplemental CLI tool, select the check box next to Enable Supplemental CLI on the bottom of the Home > Administration > HiveManager Settings page, and then save this setting. (The Supplemental CLI tool is disabled by default.) After this feature is enabled, you can enter CLI commands on the CLI entry page by clicking Configuration > Advanced Configuration > Common Objects. Click CLI Supplement (below the Bonjour Gateway Settings) and then click New on the page that appears. After you finish entering CLI commands on this page, save the CLI profile with a file name by clicking Save.

One advantage of being able to save a CLI profile is that you can add new CLI commands to a CLI profile at a later date. Also, you can keep a precise record, or an audit trail, of the commands that you want to run on specific devices, allowing you to use a CLI profile for a specific group of devices. This practice facilitates troubleshooting by allowing you to run comparison testing between two sets of device configurations more easily. With the CLI Supplemental tool disabled, HiveManager does not backup CLI commands and clears all the commands you have previously entered each time that you perform a complete configuration upgrade.

The Supplemental CLI tool does not support double quotations (“) or question marks (?) within commands.

To select from among the CLI profiles created and assign them to a device, click the device name on the All Devices page. Then on the All Devices > device_name page that appears, click Advanced Settings at the bottom of the page. You can select a CLI profile from the drop-down list next to Supplemental CLI and then click Save.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 33 New and Enhanced HiveManager 6.2r1a Features

If you want to erase the existing CLI profile commands from the selected devices during the next complete configuration update, choose the blank option on the Supplemental CLI drop-down list. However, selecting the blank option does not remove the CLI profile from the list of profiles in HiveManager. It is available to select at a later time.

To see a list of all the devices and their assigned CLI profiles, click the Edit Table icon on the top-right of the All Devices page, click Supplemental CLI in the Available Columns section on the panel that appears, and then click the right arrow ( > ) to move it to the Selected Columns section. When you select Save, Supplemental CLI is displayed as a column name.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 34 New and Enhanced HiveManager 6.2r1a Features

To display the View Configuration page that lists the CLI commands that you have previously activated, the configuration running on a device, and the CLI commands that you intend to upload, select the checkbox next to the device name on the All Devices page. Then click Update > Advanced > Upload and Activate Configuration. From this page, click on the host name of the device and select View Configuration.

You need to perform a complete configuration update each time you use a new CLI profile to ensure that it is activated correctly. To verify that a command is contained within the profile, click Settings a the top right of this panel, and on the page that appears, select Complete Upload.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 35 New and Enhanced HiveManager 6.2r1a Features

In the following example, the View Configuration page “new cli test for delay alarm” command is saved in a CLI profile. When you select View Configuration, it is displayed at the end of the generated CLI list. After you perform the next complete configuration update, all of the CLI commands in this file are activated and become part of the running configuration of the device. The difference between a CLI profile and the View Configuration page is that the CLI profile contains a list of CLI commands you want to activate on a device, and the View Configuration page lists the CLI commands already activated as well as the CLI commands saved in a profile.

Some Precautions Aerohive has designed the CLI Supplemental tool for network administrators that have experience with using CLI commands to improve productivity. If you are not completely familiar with the CLI commands that you intend to upload, Aerohive recommends that you become familiar with this tool on a test network before using it on a large scale production network, because the tool can update multiple CLI commands in sequence to many devices simultaneously. If you inadvertently enter a CLI command incorrectly and then upload the configuration onto your devices, you can affect network connectivity severely.

The Supplemental CLI tool does not notify you of syntax errors when you enter the commands into a CLI profile or when you do a complete upload on to your devices. As a result, you must make sure that you enter commands using the correct syntax, in the proper order, and that you understand any dependencies before doing a complete update on devices.

Application Visibility and Control Upgrade to DPI Engine NAVL 4.x In HiveManager 6.2r1a, the DPI engine that supports Application Visibility and Control has been updated to NAVL 4.x and now supports more than 1200 application signatures, notably the three additional Microsoft Lync applications: • LYNCCTRL: Monitors Lync protocol, login, and presence messages • LYNCMDIAL: Monitors Lync media, that is, voice and video calls, between clients • LYNCSHRE: Monitors Lync file and desktop sharing

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 36 New and Enhanced HiveManager 6.2r1a Features

In addition, Google Hangouts, Instagram, Snapchat, Spotify, and WeChat traffic applications are supported in this release. Support was also added for the Freegate, JonDo, and Ultrasurf Internet proxy services. The new DPI engine provides faster data extraction and improved efficiency. The DPI Engine NAVL 4.x is backward compatible with previous releases. As a result, if you have configured applications, including custom applications, these configurations are saved when you upgrade HiveOS on your devices to version 6.2r1 with a complete image upgrade. If you configured Microsoft Lync in a previous release, there was only one Microsoft Lync application, LYNC, to choose from, enabling you to monitor all Lync traffic. Consequently, you might want to update your configuration to include the new Microsoft Lync applications mentioned above. The DPI engine extends application awareness to QoS and IP firewall and the additional Microsoft Lync applications provide you with more control.

Stateless Bonjour Gateway Prior to HiveManager 6.2r1a and HiveOS 6.2r1 release, Aerohive Bonjour Gateway supported a maximum of 1,000 advertised Bonjour services in a multi-VLAN network. This constraint can be exceeded if your network, for example, has ten VLANs supporting up to one hundred advertised services each. In this release, Bonjour Gateway scalability enhancement allows you to deploy Bonjour Gateway without the previous constraint in the maximum number of advertised Bonjour services. The enhancement uses a stateless architecture to bypass the constraint of local device memory size, allowing you to deploy this feature in the largest educational institutions or enterprises. An additional enhancement improves the way the Bonjour Gateway default filter rules are initially configured. In previous releases, the Bonjour Gateway filter rules required you to set an action to deny or permit services from one VLAN group to another. In this release, you no longer need to set deny or permit actions. Instead, the default behavior is to deny services and any rule you add automatically permits the specified service. To display the Bonjour Gateway filter enhancement, click Configuration > Advanced Configuration > Common Objects > Bonjour Gateway Settings. Click New to create a new Bonjour Gateway Settings page. This menu is the same as previous releases except that the default action “Deny” column for All Services has been removed. In the example below, Apple TV Services are permitted from VLAN1 group to VLAN2 group over two wireless hops.

Multiple Spanning Tree Protocol Support MSTP (Multiple Spanning Tree Protocol) allows you more flexibility when designing your VLANs. Because standard 802.1D and 802.1t Spanning Tree Protocols operate without regard to VLAN topology and vendor solutions that allow a separate instance of STP on a per-VLAN basis consume a large amount of CPU resources, each solution is efficient only in a few specific cases. In contrast, MSTP allows you to configure multiple spanning trees based on how you provision your VLANs without binding a single spanning tree instance to a single VLAN on a one-to-one basis. Instead, each MST instance can contain multiple VLANs. This adds flexibility to standard STP, while reducing the CPU overhead of single-VLAN spanning tree instance. A key element of network design is the inclusion of multiple paths for load balancing. When using STP and RSTP, load balancing is only possible using Etherchannels, and all the VLANs supported on that trunk must use the Etherchannel. STP and RSTP do not support load balancing VLANs because to do so would require redundant paths whose ports are in the forwarding state—the very thing STP and RSTP are meant to prevent.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 37 New and Enhanced HiveManager 6.2r1a Features

Instead, all VLANs must share the same tree topology and are governed by the same STP instance. As an alternative, some vendors offer protocols that allow you to bind each VLAN to a separate STP instance. Although this solution provides flexibility and allows you to easily balance your VLAN load, there is no way to include multiple VLANs within a single STP instance. As a result, the more VLANs you have, the more heavily loaded your CPU becomes. The CPU must process each of the STP instances that, in turn, will result in more management traffic. MSTP is the solution to this problem. With MSTP enabled, but left unconfigured, the switch uses what the standard refers to as an IST (Internal Spanning Tree). The IST behaves as if it were a standard RSTP instance that works on all switches. By using an IST model, MSTP is backward compatible with RSTP (which, in turn, is backward compatible with legacy STP). MSTP, like per-VLAN STP solutions, supports the configuration of multiple MSTIs. Unlike per-VLAN STP solutions. However, you can combine multiple VLANs within a single MSTI, creating a gross topology that is easier to design, configure, and manage. Each MSTI is defined and configured only on the switches that participate in the particular instance. The following illustration shows that you can load balance VLANs easily by allocating VLANs among the MSTIs.

In addition, the illustration also shows that BPDUs (Bridge Protocol Data Units) that carry switch configuration and identification information move within each MSTI independently. To maintain ease of configuration and to keep the CPU utilization down, MSTI BDPUs do not list their supported VLANs explicitly. Instead, the information is hashed and then included in the BPDU as a digest. When another switch receives the BPDU, it compares the digest in the BPDU to the digest it computed using its own supported VLAN information. If the computations match, then the supported VLANs are known implicitly and the information within the BPDU can be used.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 38 New and Enhanced HiveManager 6.2r1a Features

Using digests that contain only VLAN information, however, can result in switches that cannot decode the BPDUs of their neighbors that support some, but not all of the same VLANs (resulting in a different hash value). To combat this problem, the standard uses the idea of MST regions. An MST region is a logical, explicit group of switches. You configure the region in the network policy, so switches that are governed by the setting in any particular network policy are, by default, part of the same region. Each region can have multiple MSTIs. For example, the switches in Region A can support multiple MSTIs within it, each MSTI supporting its own set of VLANs. Most organizations consist of a single region; however, larger organizations (or organizations with particular topological needs) can establish multiple regions. Each region operates independently with respect to MSTIs because the VLAN information within the BPDUs of a particular region are not decipherable by switches of another region. The IST is essentially an RSTP instance; therefore, it ignores region boundaries and regional BPDUs. This means that the IST instance allows the entire contiguous Layer 2 network to converge so that VLAN traffic that is not allocated to an MSTI (for example, the native VLAN) can still traverse the entire network.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 39 New and Enhanced HiveManager 6.2r1a Features

To configure the switches in your network policy to use MSTP, perform the following steps:

This configuration assumes that you have an existing network policy that contains switches.

1. Click Configure, choose the network policy on which you want to use MSTP, and then click OK. 2. In the Configure Interfaces & User Access panel, click Edit in the Additional Settings section. 3. In the Additional Settings dialog box, click Switch Settings > STP Settings > MSTP, choose a region from the drop-down list, and then click Save. If no regions are available, click the New ( + ) icon, enter the following information, click Save to commit the changes, and then click Save to continue to the exit the Additional Settings dialog box: Region Name: Enter a name for the logical group of switches you want to contain your MSTIs. Description: Enter a helpful description of the MSTP region. Revision: Enter the revision number. This is a bookkeeping value and does not change the behavior of the spanning tree protocols.

The region name, version, and the MSTI VLAN arrangement are used to generate the digest used by the BPDUs. All of these values must be identical to be decipherable by neighboring switches.

Max Hops: In the MSTI Table, click New ( + ), enter the following, and then click Save (disk icon): Instance (1-63): Enter the MSTI number. The MSTIs do not need to be sequential or contiguous. Priority (0-61440): Choose the priority from the drop-down list. VLANs (1-4094): Enter the VLAN numbers that you want to use with this MSTI. Any VLAN that you do not include in any MSTI is handled by the IST.

4. Click Continue to go on to the Configure and Update Devices panel (this step also saves the network policy changes), choose the devices you want to apply the new network policy changes to, and then click Update.

HiveManager Upgrade Progress Enhancements In this release of HiveManager software, the step-by-step upgrade progress is indicated on the Update Software page through a separate Upgrading HiveManager Software progress window when you upgrade HiveManager to a later software version. This feature applies to both HiveManager Express and Enterprise modes. The six hexagon icons change in color from gray to green as the upgrade progresses from uploading the image, verifying the image, extracting the image from the compressed file, checking the system operation, backing up the data, and finally rebooting the system and restoring its database.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 40 New and Enhanced HiveManager 6.2r1a Features

If the HiveManager upgrade process is successful, the normal Dashboard start page is displayed. If the HiveManager upgrade process fails, the appropriate error messages are saved and stored in the database. Upgrade errors that occurred during the upgrade process are displayed in the Update Log page after the admin, who has the proper credentials to initiate an upgrade, logs in to HiveManager. The example below displays an insufficient free disk space error message.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 41 New and Enhanced HiveManager 6.2r1a Features

The same error message appears at the top of the Update Software page when attempting to initiate another upgrade. To dismiss the error message displayed in the example below, or any error messages that appear, click X in the upper right corner of the message box.

The following is a list of the types of potential errors and brief, self-explanatory descriptions of the causes of software upgrade failure that might be displayed: • HiveManager failed to retrieve the image file. • Image file is not a valid Aerohive file. This file might be damaged or might not be an officially released Aerohive file. • Unable to upgrade HiveManager due to insufficient memory. Increase memory to at least 3 GB for a 32-bit or 8 GB for a 64-bit processor, and try again. • Image file software bit code (32-bit or 64-bit) does not match that required by HiveManager. (Note: The "1U" in the image file name means the file is a 32-bit code file, and "2U" means it is a 64-bit code file.) • Free disk space on your HiveManager is insufficient: Required free disk space: 1200 MB Actual free disk space: 300 MB

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 42 New and Enhanced HiveManager 6.2r1a Features

Viewing Enrolled Clients for Social Login, ID Manager, and Client Management In HiveManager Online and HiveManager on-premises 6.2r1a, new icons appear for the three Aerohive Mobility Suite applications under the Managed column on the Active Clients and the Wireless Clients pages. The location of these icons provides you with convenient access to the Social Login, ID Manager, and Client Management applications and allows you to quickly retrieve information from enrolled client devices. Click the appropriate icon to display the corresponding application page from HiveManager and view enrolled client-related details. The icons are automatically enabled and become visible in HiveManager only when enabled Social Login, ID Manager, and Client Management applications contain detailed information about the enrolled clients. (For information about how to enable the Mobility Suite applications in an on-premises HiveManager account, see the online Help.) These icons appear under the Managed heading on the Monitor > Clients > Active Clients or Monitor > Clients > Wireless Clients page. If the Managed heading does not appear, click the Edit Table icon at the top of the page, select Managed as a column heading in the Available Columns panel, and move it to the Selected Columns panel. When you click Save, the Managed column appears.

© 2014 Aerohive Networks, Inc. Aerohive is a U.S. registered trademark of Aerohive Networks, Inc. P/N 330117-01, Rev. B

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 43 Aerohive New Features Guide for 6.1r6a

Aerohive New Features Guide for 6.1r6a

This guide describes the new features and feature enhancements introduced in the HiveOS and HiveManager 6.1r6a releases.

New Features and Feature Enhancements

Several new features and feature enhancements have been introduced in these releases. You can read summaries of these features and enhancements below. Several major features are covered in more detail in individual sections later in this guide. For more information about known and addressed issues in the HiveOS 6.1r6 and HiveManager 6.1r6a releases, refer to the corresponding Aerohive 6.1r6 release notes.

New Hardware Platform BR200-LTE-VZ: This release introduces the BR200-LTE-VZ router. The BR200-LTE-VZ allows enterprises to provision branch office networks and teleworkers quickly and easily. This router provides LAN and WLAN connectivity and PoE (power over Ethernet) support. The router has a single dual band 2.4/5 GHz (802.11a/b/g/n) radio, an embedded LTE modem for use with the Verizon 4G LTE network, two external diversity antennas, one WAN port (ETH0), four LAN ports (ETH1 through ETH4), a Console port, and an LTE USB port for WAN connection redundancy (reserved for future use). The BR200-LTE-VZ router supports up to 16 SSIDs, 16 VLANs, 16 networks, and 64 user profiles across both wired and wireless interfaces..

New and Enhanced HiveOS 6.1r6 Features The following are the new features and feature enhancements in the HiveOS 6.1r6 release.

There is no 6.1r6 firmware image for the SR2124P and SR2148P devices.

Enhancements to NetConfig UI Security: The NetConfig UI in HiveOS 6.1r6 now displays a message that notifies you if Internet connectivity is unavailable rather than simply displaying the WAN Interface Settings page. See "AP230" on page 62. DHCP Option 43 Support: In HiveOS 6.1r5 and earlier, Aerohive devices were unable to fully support DHCP Option 43 because the maximum number of configurable hex digits was limited to 32. This release increases the number of configurable hex digits to 254, making it easier to deploy applications such as Microsoft Lync Server. See "DHCP Option 43 Support" on page 48. Additional USB Modem Support: This release adds the following USB modems to the supported modems list: • AT&T Beam AC340U • Verizon Pantech 4G LTE UML295 • T-Mobile Rocket 3.0 4G ZTE MF683 • Franklin Wireless 4G LTE U772 • Huawei E3276

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 44 New Features and Feature Enhancements

Devices Supporting KDDR Logging: The KDDR (Kernel Diagnostic Data Recorder) logs capture run-time statistical data about unexpected events and difficult-to-predict or unwanted situations that might occur with the ongoing processes and services of an Aerohive device. The KDDR logs are disabled by default in both the on-premises HiveManager appliances and HiveManager Online. With this release, KDDR logging support is available for all Aerohive access points that can run HiveOS version 6.1r6. New Certification for Aerohive devices: In the 6.1r6 release, several Aerohive devices have been newly certified for the following regulatory specifications and DFS (dynamic frequency selection):

Platform Regulatory Certification in: DFS Certification in:

AP121 China, India, Saudi Arabia, Taiwan USA FCC

AP141 China, India, Saudi Arabia, Taiwan USA FCC

AP170 China, Saudi Arabia, Taiwan China, Saudi Arabia, Taiwan

AP330 Canada, China, Taiwan Canada

AP350 Canada, China Canada

BR100 China, Taiwan N/A

BR200-WP China, Saudi Arabia, Taiwan N/A

New and Enhanced HiveManager 6.1r6a Features The following are the new features and enhancements in the HiveManager 6.1r6a release. BR Route Summarization: With this release, route summarization in HiveManager software increases the scale of a VPN gateway-BR deployment. HiveManager does a local subnet route summarization and then the VPN gateway uploads the larger subnet configuration to each branch. See "VPN Gateway-BR Route Summarization" on page 49. CAPWAP Delay Alarm Change: With this release, you can disable the CAPWAP delay alarms at the policy or device level to avoid excessive alarms that might be triggered as a result of variable or high-latency connections between HiveManager and its Aerohive devices. See "CAPWAP Delay Alarm Change" on page 52 Entitlement Key Information Export: With this release, you can easily identify the number of Aerohive license entitlements and determine when they need to be renewed for your Aerohive system. After you export a summary file that contains the entitlement key information, you can assess when you will need to notify Aerohive to renew your various licenses. See "Entitlement Key Information Export" on page 55. ID Manager Proxy: Prior to this release, when attempting to retrieve customer IDs using an on-premises HiveManager appliance deployed on a LAN, HiveManager could not contact ID Manager if use of a proxy server was required on the local network. The HiveManager proxy server support only extended to contacting the Aerohive License Server. With this release, an on-premises HiveManager appliance deployed in a LAN can now access ID Manager by configuring a proxy server for ID Manager connections. See "ID Manager Proxy" on page 56.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 45 New Features and Feature Enhancements

Manual Selection of ID Manager Authentication Proxy: With prior releases, both on-premises HiveManager and HiveManager Online automatically selected devices to act as ID Manager authentication proxies. For example, whenever an AP became a RADIUS server, the AP automatically became the ID Manager authentication proxy by default. If many APs were configured to act as RADIUS servers, it became difficult to identify which RADIUS servers were being used. See "Manual Selection of ID Manager Authentication Proxy" on page 57. HTTPS Security Enhancement for the NetConfig UI and TeacherView: The NetConfig UI and TeacherView now use HTTPS rather than HTTP for more secure communications over the network. See "HTTPS Security Enhancement for the NetConfig UI and TeacherView" on page 58. Stronger Wi-Fi Security and Transition of WPA to WPA/WPA2 "Auto" Authentication: With the decision of the Wi-Fi Alliance to discontinue certifying devices that support WPA only, or "WPA alone" authentication, WPA is still allowed, but only in the "WPA/WPA2 Mixed mode" or "Auto" mode. To comply with this decision, HiveManager 6.1r6a no longer allows WPA-PSK (WPA Personal) or WPA-802.1X (WPA Enterprise) authentication combinations to be used. For HiveManager and HiveOS 6.1r5 and earlier versions, you can still use the WPA only option without the setting being overridden by HiveManager 6.1r6a after a configuration upload. However, for AP230 devices, if HiveManager detects that the WPA only authentication option is set, it is replaced by the WPA/WPA2 "Auto" setting after a new configuration upload. See "Stronger Wi-Fi Security and Transition of WPA to WPA/WPA2 “Auto” Authentication" on page 59. PCI DSS 3.0 Support: PCI DSS (Payment Card Industry Data Security Standard) compliance is required for all merchants and service providers that store, process, or transmit payment cardholder data. With this release, HiveManager PCI compliance reports follow the PCI DSS 3.0 standard. This release adds the following sections to the PCI compliance report: • Authentication and session management compliance (PCI DSS 3.0 section 6.5.10) • Passwords and phrases requirements (PCI DSS 3.0 section 8.2.3) • Initialization, stopping, or pausing of the audit logs (PCI DSS 3.0 section 10.2.6) Client Management Certificate Files in .pfx Format: When enrolling clients through an 802.1X SSID that makes use of an external RADIUS server, it is necessary to export the Client Management server certificate, private key, and CA certificate files from HiveManager and then import them to the RADIUS server. When the external RADIUS server is a Microsoft NPS (Network Policy Server), it is necessary to import the files in .pfx format (PKCS #12). To simplify the file transfer, HiveManager now provides a .pfx file that contains all three required certificate and key files for export (Configuration > Advanced Configuration > Keys and Certificates). After exporting the .pfx file from HiveManager, you can then import it directly to the Windows Server running NPS. AVC signature update: For this release, an updated version of the AVC Signature files, version 3.1.6 (dated 2014/03/16), has been added to HiveManager. To download the latest AVC Signature files, go to Configuration > Show NAV > All Devices, select the check boxes next to devices that you want to update, and then click Update > Advanced > Upload and Activate Application Signatures. Or, you can request this file from the Aerohive site from the Support > Software Downloads > login with your Software Downloads Login > Current Software Releases > HiveOS and HiveManager Version 6.0 > Layer 7 Application Signatures page.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 46 New and Enhanced HiveOS 6.1r6 Features

New and Enhanced HiveOS 6.1r6 Features

The following sections describe new and enhanced features in the HiveOS 6.1r6 releases.

Enhancements to NetConfig UI Security In HiveOS 6.1r3 and earlier, BR100, BR200, and BR200-WP routers and AP330 and AP350 devices acting as routers indicate that they have lost Internet connectivity by simply displaying the WAN Interface Settings page in the NetConfig UI. You can try to re-establish an Internet connection by querying the DHCP server, configuring PPPoE settings, or using a static IP address. Because the BR200-WP router has two additional WAN interfaces, you can also try to re-establish an Internet connection by associating with an SSID or by using a USB modem to connect to a cellular network. The NetConfig UI in HiveOS 6.1r6 now displays a message page that notifies you that Internet connectivity is unavailable rather than displaying the WAN Interface Settings page. While the default setting is not to include a link on the new message page to the WAN Interface Settings page, the network administrator can include a link if so desired. To enable this option, go to HiveManager > Configuration, select the network policy that is applied to the router, click Additional Settings > Router Settings, and then select the Enable WAN configuration through the NetConfig UI for telecommuters check box. The advantage of showing an Internet down page without a link to the WAN Interface Settings page is that in a large office, some employees, guests, or contractors could, without the network administrator’s knowledge, re-establish an Internet connection by changing the WAN settings themselves. For example, a user might enable WAN connectivity through the USB modem. Internet connectivity might be restored, but doing so would incur unexpected charges as data goes through a cellular network. Another user might associate the router with an SSID on a nearby AP, but not knowing which SSID to connect to could also open a security risk. Alternatively, in a small office with a few workers, where there is no confusion as to who has administrative privileges, showing an Internet down page and providing a direct link to the WAN Interface Settings page after entering valid credentials is an added convenience.

After clicking the link, you must enter valid credentials with either a user name or the serial number of the device, and a password before you can configure WAN Interface Settings in the NetConfig UI. The illustration below shows the new Internet Connectivity is Temporarily Unavailable message page with a direct link to the WAN Interface Settings page. This link does not appear by default but you can enable it through HiveManager.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 47 New and Enhanced HiveOS 6.1r6 Features

The following illustration shows the option you select in HiveManager to enable WAN configuration through the NetConfig UI for telecommuters, which adds the link “Go to configure Network Settings” to the new network down message page.

DHCP Option 43 Support The maximum length of Hex options has been increased from 32 to 254 characters in HiveOS 6.1r6 to better support applications that require DHCP to be configured with vendor specific information such as option 43 (described in RFC2132). This enhancement helps you to deploy applications such as Microsoft Lync server, for instance. Devices that are running HiveOS 6.1r5 and earlier, cannot make use of this feature as the Hex option value is restricted to 32 or less. So, if you input a value greater than 32 hex digits in HiveManager 6.1r6 and upload a configuration to your device, HiveManager automatically changes the value that is inputed to 32 “F” Hex characters to “lock the field” to prevent the device from receiving a value greater than 32. You can see this change in HiveManager 6.1r6 by clicking Configuration > Networks > New. In the Subnetworks section, click New and expand Custom Options. Under the column Type, select Hex from the drop-down menu. Alternatively, you can see this by clicking Configuration > Advanced Configuration > Common Objects > DHCP Server and Relay > New. Expand Custom Options and under the column Type, select Hex from the drop-down menu.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 48 New and Enhanced HiveManager 6.1r6a Features

New and Enhanced HiveManager 6.1r6a Features

The following sections describe new and enhanced features in the HiveOS 6.1r6a releases. VPN Gateway-BR Route Summarization With this release, route summarization in HiveManager software increases the scale of a VPN gateway-BR deployment. HiveManager does a local subnet route summarization and then the VPN gateway uploads the larger subnet configuration to each branch. Route summarization increases the scale of VPN gateway-BR deployment by consolidating selected multiple routes into a single route advertisement, in contrast to flat routing, where every routing table contains a unique entry for each route. By causing a single summary route to be advertised to other areas by the VPN gateway, it reduces the need for BRs to maintain a large volume of routes in their routing tables. By representing a series of network numbers in a single summary address, route summarization reduces the number of routes that a router must maintain.

Example of Subnet Advertising with Previous Releases

In previous releases, BR1 has 16 subnets 10.100.1.0/24, 10.101.1.0/24, … and 10.115.1.0/24, BR2 has 16 subnets as 10.100.2.0/24, 10.101.2.0/24, … and 10.115.2.0/24, and so on until BR254 has 16 subnets as 10.100.254.0/24, 10.101.254.0/24, … and 10.115.254.0/24. Without route summarization, HiveManager pushes the following configuration to each BR: BR1: routing internal-sub-network 10.100.1.0/24 routing internal-sub-network 10.101.1.0/24 … routing internal-sub-network 10.115.1.0/24 BR2: routing internal-sub-network 10.100.2.0/24 routing internal-sub-network 10.101.2.0/24 … routing internal-sub-network 10.115.2.0/24 ... BR254: routing internal-sub-network 10.100.254.0/24 routing internal-sub-network 10.101.254.0/24 … routing internal-sub-network 10.115.254.0/24 These subnets are advertised to the VPN gateway in with the following format: BR1: 10.100.1.0/24 255.255.255.0 mgt0.1 subnet 10.100.1.0/24 255.255.255.0 10.101.1.0/24 255.255.255.0 mgt0.2 subnet 10.101.1.0/24 255.255.255.0 … 10.115.1.0/24 255.255.255.0 mgt0.15 subnet 10.115.1.0/24 255.255.255.0 BR2: 10.100.2.0/24 255.255.255.0 mgt0.1 subnet 10.100.2.0/24 255.255.255.0 10.101.2.0/24 255.255.255.0 mgt0.2 subnet 10.101.2.0/24 255.255.255.0 … 10.115.2.0/24 255.255.255.0 mgt0.15 subnet 10.115.2.0/24 255.255.255.0 ...

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 49 New and Enhanced HiveManager 6.1r6a Features

.BR254: 10.100.254.0/24 255.255.255.0 mgt0.1 subnet 10.100.254.0/24 255.255.255.0 10.101.254.0/24 255.255.255.0 mgt0.2 subnet 10.101.254.0/24 255.255.255.0 ... 10.115.254.0/24 255.255.255.0 mgt0.15 subnet 10.115.254.0/24 255.255.255.

The VPN gateway installed these subnets and advertised them to all other BRs. The total number of subnets being exchanged between BRs and the VPN gateway is 254 x 16 = 4064. Example of Subnet Advertising with this Release With route summarization implemented in this release, for example, HiveManager can push the following configuration to each BR: BR1: routing internal-sub-network 10.100.0.0/16 routing internal-sub-network 10.101.0.0/16 … routing internal-sub-network 10.115.1.0/16 BR2: routing internal-sub-network 10.100.0.0/16 routing internal-sub-network 10.101.0.0/16 … routing internal-sub-network 10.115.0.0/16 ... BR254: routing internal-sub-network 10.100.0.0/16 routing internal-sub-network 10.101.0.0/16 … routing internal-sub-network 10.115.0.0/16 The subnets will be advertised to the VPN gateway in a file with the following format: BR1: 10.100.1.0/24 255.255.255.0 mgt0.1 subnet 10.100.0.0/16 255.255.255.0 10.101.1.0/24 255.255.255.0 mgt0.2 subnet 10.101.0.0/16 255.255.255.0 … 10.115.1.0/24 255.255.255.0 mgt0.15 subnet 10.115.0.0/16 255.255.255.0 BR2: 10.100.2.0/24 255.255.255.0 mgt0.1 subnet 10.100.0.0/16 255.255.255.0 10.101.2.0/24 255.255.255.0 mgt0.2 subnet 10.101.0.0/16 255.255.255.0 … 10.115.2.0/24 255.255.255.0 mgt0.15 subnet 10.115.0.0/16 255.255.255.0

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 50 New and Enhanced HiveManager 6.1r6a Features

... BR254: 10.100.254.0/24 255.255.255.0 mgt0.1 subnet 10.100.0.0/16 255.255.255.0 10.101.254.0/24 255.255.255.0 mgt0.2 subnet 10.101.0.0/16 255.255.255.0 … 10.115.254.0/24 255.255.255.0 mgt0.15 subnet 10.115.0.0/16 255.255.255.0

Although the total number of subnets exchanged remains at 4064, the VPN gateway installs the subnets in the first portion of the line before mgt0.x but advertises the subnets to all other BRs in the second portion of the line following the mgt0.x. The total number of subnets exchanged between BRs and VPN gateway remains at only 16. Using the same approach, HiveManager maps the outside routable subnet to the inside non-routable subnet for a one-to-one NAT. The steps used for configuring a subnetwork in HiveManager remains the same. For detailed information about configuring subnetworks, see “Network” in the online Help system.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 51 New and Enhanced HiveManager 6.1r6a Features

CAPWAP Delay Alarm Change CAPWAP (Control and Provisioning of Wireless Access Points) delay alarms are triggered when the connection between an Aerohive device and HiveManager exceeds a predetermined delay threshold. For the on premises HiveManager, you can configure CAPWAP delay threshold intervals in the CAPWAP Server Settings section (Home > Administration > HiveManager Services > CAPWAP Server Settings). For HiveManager Online, however, the delay threshold intervals are fixed and cannot be modified by administrators. In previous releases, there was no mechanism available to disable CAPWAP delay alarms at the policy or device level. Whenever an Internet connection between an Aerohive device and HiveManager was slow and unreliable, multiple delay alarms were triggered that, in turn, caused multiple Email alarm notifications to be sent to the admin. With this release, you can disable the CAPWAP delay alarms at the policy or device level to avoid excessive alarms that might be triggered as a result of latent connections between HiveManager and its Aerohive devices. CAPWAP delay alarms are enabled by default. You can now disable CAPWAP delay alarm settings in three areas in HiveManager by clearing the appropriate check boxes: network policy (available only in Enterprise mode), single device, and multiple devices. Network Policy Setting To disable CAPWAP delay alarms in network policy in Enterprise mode, navigate to Network Policy > Additional Settings > Configure Interfaces and User Access, expand the Service Settings section, clear Enable CAPWAP delay alarms, and then click Save.

You cannot set network policies in Express mode.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 52 New and Enhanced HiveManager 6.1r6a Features

Single Device Setting To disable CAPWAP delay alarms on a single device in Enterprise mode, navigate to the Configuration > Devices > All Devices, select the device_name for which you want to disable the alarms, click Modify, expand the Advanced Settings section, clear the Enable CAPWAP delay alarms check box, clear the Override CAPWAP delay alarm settings check box, and then click Save.

Layer 3 VPN Gateway: To disable CAPWAP delay alarms on a Layer 3 VPN Gateway or VPN Gateway Virtual Appliance configured in Enterprise mode, navigate to the Configuration > Devices > All Devices, select the VPN_Gateway_name for which you want to disable the alarms, click Modify, expand the Advanced Settings section, clear Enable CAPWAP delay alarms, and then click Save.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 53 New and Enhanced HiveManager 6.1r6a Features

Layer 2 VPN Gateway: To disable CAPWAP delay alarms on a Layer 2 VPN Gateway or VPN Gateway Virtual Appliance configured in Enterprise mode, navigate to the Configuration > Devices > All Devices, select the VPN_Gateway_name for which you want to disable the alarms, click Modify, expand the Advanced Settings section, clear the Enable CAPWAP delay alarms check box, clear the Override CAPWAP delay alarm settings check box, and then click Save.

To disable CAPWAP delay alarms on a single device in Express mode, navigate to the Configuration > Devices > All Devices, select the device_name for which you want to disable the alarms, click Modify, expand the Advanced Settings section, clear the Enable CAPWAP delay alarms check box, clear the Override CAPWAP delay alarm settings check box, and then click Save.

Multiple Device Settings To disable CAPWAP delay alarms on multiple devices in Enterprise mode, navigate to the Configuration > Devices > All Devices, select multiple device_names for which you want to disable the alarms, click Modify, expand the Optional Settings section, expand the Advanced Settings section, clear the Enable CAPWAP delay alarms check box, clear the Change CAPWAP delay alarm settings check box, and then click Save. The multiple device settings option is not supported for VPN Gateways.

You cannot change the CAPWAP settings for multiple devices in Express mode.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 54 New and Enhanced HiveManager 6.1r6a Features

CAPWAP Delay Alarm Warning In both Express and Enterprise modes, a CAPWAP delay alarm message and action confirmation dialog box appears whenever a configuration upload operation is initiated and a CAPWAP delay alarm exists for the selected Aerohive devices to which you want to upload a new configuration. This message indicates that the network WAN connection speeds between HiveManager and the devices you selected for a configuration upload are slow or unreliable. When this confirmation dialog box appears, you can decide whether or not to continue with the configuration upload. Click Yes to continue the upload operation. Click No to cancel the upload operation.

Entitlement Key Information Export With this release, you can easily identify the number of Aerohive license entitlements and determine when they need to be renewed for your Aerohive system. After you export a summary file that contains the entitlement key information, you can assess when you will need to notify Aerohive to renew your various licenses. Simply log into either your on-premises HiveManager or HiveManager Online account and navigate to the License Management page (Home > Administration > License Management).

In the Device Inventory column, two types of items are displayed: the number of configured Aerohive devices and the number of VPN Gateway Virtual Appliances. To view device inventory details for each of these two items, click the total number of devices or VPN gateway fields as shown in the example. A popup list appears displaying the configured Aerohive device model and a total count of each device model.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 55 New and Enhanced HiveManager 6.1r6a Features

To export a .csv file to a spreadsheet application, such as Microsoft Excel, click Export.

If an entitlement key is not installed in HiveManager, the Export button does not appear even though the devices are registered.

The .csv file provides a list and total number of licensed device models, a list of VPN Gateway Virtual Appliances and total number of VPN Gateway Virtual Appliances licensed, evaluation and permanent entitlement keys for the devices in the current inventory, technical support expiration dates, and original license activation dates.

ID Manager Proxy When attempting to retrieve customer IDs using an on premises HiveManager deployed on a LAN prior to this release, HiveManager was unable to reach the ID Manager using only its default gateway, and the proxy server configuration options only supported external connections to the Aerohive License Server. With this release, an on premises HiveManager deployed in a LAN can now access the ID Manager by configuring a proxy server for ID Manager connections. To configure a proxy server to access the ID Manager: 1. Navigate to the Home > Administration > HiveManager Settings page, click Current Network Settings section (which becomes the Edit Network and HA Settings section), scroll down to the Proxy Configuration section, and select Enable HTTP Proxy for secure connection to Aerohive cloud service. 2. Optionally, depending on the settings of the HTTP proxy, enter the IP address or domain name, proxy port number, user name, and password to access ID Manager, and then click Test Connection via Proxy.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 56 New and Enhanced HiveManager 6.1r6a Features

3. If the connection test is successful, click Save. If unsuccessful, reconfigure the HTTP proxy parameters until you can successfully connect to ID Manager. 4. After the proxy server successfully connects to ID Manager, navigate to Home > Administration > HiveManager Services and select the Customer ID Retrieval check box. The Use proxy settings for ID Manager connections check box should appear above the Retrieve button.

5. Enter your Email address, password and password confirmation, select Use proxy settings for ID Manager connections check box, and then click Retrieve. Your customer ID is retrieved. 6. Select the Use proxy settings for ID Manager connections check box and click Update to obtain the certificate from ID Manager using the HTTP proxy server, or clear the Use proxy settings for ID Manager connections check box and click Update to obtain the certificate from ID Manager without using the HTTP proxy server. Manual Selection of ID Manager Authentication Proxy With prior releases, both on-premises HiveManager and HiveManager Online automatically selected devices to act as ID Manager authentication proxies. For example, whenever an AP became a RADIUS server, the AP automatically became the ID Manager authentication proxy by default. If many APs were configured to act as RADIUS servers, it became difficult to identify which RADIUS servers were being used. With this release, you can manually select which devices can serve as ID Manager authentication proxies by enabling or disabling them on a single device or on multiple devices. This manual selection feature is supported in both HiveManager Express and Enterprise modes. To enable or disable a single device or multiple devices to act as ID Manager authentication proxies when a device is configured as a RADIUS server: 1. Log in to HiveManager and navigate to the Configuration > Devices > All Devices page. 2. Select a single device, click Modify, expand the Service Settings section, select or clear the Act as ID Manager authentication proxy when this device is a RADIUS server check box in the ID Manager Authentication Proxy section, and then click Save.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 57 New and Enhanced HiveManager 6.1r6a Features

3. Select multiple devices, click Modify, expand the Service Settings section, select Change ID Manager authentication proxy check box in the ID Manager Authentication Proxy section, select or clear the Act as ID Manager authentication proxy when this device is a RADIUS server check box, and then click Save.

After the selected managed device or devices are enabled as ID Manager authentication proxies, a special icon is displayed in the HiveManager list view of the devices.

HTTPS Security Enhancement for the NetConfig UI and TeacherView In HiveManager 6.1r6a and HiveOS 6.1r6, the NetConfig UI, and TeacherView now use HTTPS rather than HTTP in all communications over the network. HTTPS is more secure as it encrypts data traffic between the client and Aerohive devices using SSL/TLS. It also allows the client to authenticate the device that it is connecting to in order to prevent information from being read by a third-party. As a result of this change, you might see a “certificate warning” page appear prior to the page that you wish to navigate to such as when you want to access the NetConfig UI by entering the IP of the device in your browser. The warning page is normal as Aerohive devices use self-signed certificates that are secure, but not independently verified. Depending on the specific browser that you are using, the warning might look different. To proceed past this page, simply click the option that allows you to continue to the website that you want. Some browsers display this warning once and allow you the option of not seeing it each time by providing an exception feature that accepts self-signed certificates. Alternatively, you can acquire one from well-known certificate authorities (CA) such as Verisign©, to avoid this behavior.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 58 New and Enhanced HiveManager 6.1r6a Features

Stronger Wi-Fi Security and Transition of WPA to WPA/WPA2 “Auto” Authentication Aerohive devices are certified by the Wi-Fi Alliance and conform to the list of security combinations that all devices must support. As of January 1, 2014, the Wi-Fi Alliance has discontinued certifying devices that support WPA only or “WPA alone” authentication. WPA is still allowed, but only in the “WPA/WPA2 Mixed mode” or “Auto” mode. To comply with this decision, HiveManager 6.1r6a no longer allows WPA-PSK (WPA Personal) or WPA-802.1X (WPA Enterprise) authentication combinations to be used. These combinations have been replaced with “Auto” options: WPA-(WPA or Auto)-PSK or WPA-(WPA or Auto)-802.1X, depending on which radio button in the SSID Access Security section is selected. The other two security combinations for Key Management, listing WPA2 in their respective drop-down menus, remain unchanged in their function. For HiveManager and HiveOS 6.1r5 and earlier versions, you can still use the WPA-PSK (WPA Personal) or WPA-802.1X (WPA Enterprise) security combinations without the setting being overridden by HiveManager 6.1r6a after a configuration upload. However, if HiveManager 6.1r6a detects that the device is an AP230, and the security combination is set to WPA-PSK (WPA Personal) or WPA-802.1X (WPA Enterprise), HiveManager replaces these settings with, Auto-(WPA or WPA2)-PSK or Auto-(WPA or WPA2)-EAP (802.1X) when you perform a configuration upload, depending on which option in the SSID Access Security section is selected. The “Auto” means that Aerohive devices detect whether the client is using WPA or WPA2 authentication and accommodates either method automatically. You can see the changes in HiveManager 6.1r6a by clicking Configuration > SSIDs > New and selecting the radio button WPA/WPA2 PSK (Personal), or Private PSK. Both of these drop-down menus are identical. To see the WPA-(WPA or Auto)-802.1X combination, select the radio button WPA/WPA2 802.1X (Enterprise).

© 2014 Aerohive Networks, Inc. Aerohive is a U.S. registered trademark of Aerohive Networks, Inc. P/N 330116-01, Rev. B

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 59 Aerohive New Features Guide for 6.1r5

Aerohive New Features Guide for 6.1r5

This guide describes the new features and feature enhancements introduced in the HiveOS and HiveManager 6.1r5 releases.

New Features and Feature Enhancements

Several new features and feature enhancements have been introduced in these releases. You can read summaries of these features and enhancements below. Several major features are covered in more detail in individual sections later in this guide. For more information about known and addressed issues for the HiveOS and HiveManager 6.1r5 releases refer to the corresponding Aerohive 6.1r5 Release Notes.

New 6.1r5 Hardware Platforms and Hardware Enhancements AP230: The AP230 is a new 802.11ac access point that supports up to 1.3 gigabit-per-second data rates and provides greater capacity, improved radio frequency management, and better performance than 802.11n. See "AP230" on page 62. Unsupported Features The following features are not supported on the AP230 at the time of this release: • Retail analytics • Location services to track the location of clients •Router mode • Voice Enterprise (802.11k/r/v) and WMM-Admission Control • IEEE 802.11w (protected management frames) • Spectrum analysis • Conversion of multicast frames to unicast frames VPN Gateway: The VPN Gateway appliance (model AH-VG-1U) supports on-site management and termination for up to 4,000 Layer 2 GRE and Layer 3 IPsec VPN tunnels for guests and branch routing. The appliance provides one 10/100/1000 WAN Ethernet port (Eth0) and one LAN Ethernet port (Eth1). See "VPN Gateway" on page 63.

For the 6.1r5 release, the VPN Gateway appliance is limited to 1000 Layer 2 GRE VPN tunnels.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 60 New Features and Feature Enhancements

New and Enhanced HiveOS 6.1r5 Features The following are the new features and feature enhancements in the HiveOS 6.1r5 release:

KDDR Enhancements: The KDDR (Kernel Diagnostic Data Recorder) logs capture run-time statistical data about unexpected events and difficult-to-predict or unwanted situations that might occur with the ongoing processes and services of an Aerohive device. The KDDR logs are disabled by default in both the on-premises HiveManager appliances and HiveManager Online. With this release, KDDR support is made available on the AP230. The following KDDR functionality is enhanced with this release: • Descriptive kernel function symbol names are added to reference symbol address values in the history buffer, making KDDR files more readable and facilitating file analysis. • Kernel trace content is integrated into the KDDR functionality to reduce the need to manually associate which kernel trace files correspond to which KDDR log. • A special buffer now collects historical event data recorded during the last few moments of an abnormal system reboot.

New and Enhanced HiveManager 6.1r5 Features The following are the new features and enhancements in the HiveManager 6.1r5 release. Client Management Data Displayed in HiveManager: From the Monitor section in the HiveManager GUI, you can now see information that HiveManager retrieves from Client Management about enrolled clients. HiveManager displays their enrollment status in a new column on the Active Clients page and more detailed information in a new section on Client Details pages. Additionally, both the icon that appears in the Enrolled column on the Active Clients page and the device name on the Client Details page are hyperlinks that open the corresponding Client Info page in the Client Management GUI where you can see even more information. HiveManager API: This release adds the HiveManager database API, which you can use to access database objects in an on-premises HiveManager with a REST (Representational State Transfer) client or from an external service through a REST adapter. See "The HiveManager REST API" on page 69. Displaying HiveOS Image File Information during an Upgrade: For this release, HiveManager now displays the HiveOS version number of the current and backup image files. See "Displaying HiveOS Image File Information" on page 68.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 61 New and Enhanced HiveOS 6.1r5 Features

New and Enhanced HiveOS 6.1r5 Features

The following sections describe new and enhanced features in the HiveOS 6.1r5 releases.

AP230 The AP230 has two radios that can operate in 802.11a/b/g/n/ac modes with optional Frame Burst support across all modes. The AP230 supports three 802.11n MIMO streams and three 802.11ac/n MIMO streams simultaneously. The maximum data rates are up to 450 Mbps in the 2.4 GHz 802.11n/g mode, up to 600 Mbps in the 2.4 GHz 802.11n mode with TurboQAM enabled, and 1.3 Gbps in the 5 GHz 802.11ac mode. Both radios also support legacy 802.11a/b/g wireless. The AP230 has two 10/100/1000 Mbps Ethernet ports. These devices provide multi-function capabilities including high throughput and strong security. HiveManager 6.1r5 or later is required to manage AP230 devices.

TurboQAM TurboQAM is an implementation of the 802.11ac Very High Throughput (VHT) technology for use within the 2.4 GHz band. Because 802.11ac only applies to the 5 GHz band, implementing its features in the 2.4 GHz band requires that the transmitter and receiver hardware support the feature and that vendor-specific extensions be used. TurboQAM supports 256-QAM VHT data rates and is only available when the radio is in 802.11b/g/n + TurboQAM mode.

Transmit Beamforming Transmit beamforming allows the AP230 to modify the shape of its transmission so that the client receives the best possible signal. The added directionality of the signal also results in a beamforming gain—that is, a stronger signal for the receiver—in the same way that using a directional antenna does. Transmit beamforming is supported only in the 5 GHz band. Transmit beamforming works first by sampling the signal from the client to determine the direction of arrival. Afterward, the AP formulates a beamforming matrix, which contains geometric, power, and other information necessary to determine as closely as possible the position of the client. The transmitter signal processors then use the matrix to send the signals to the antennas in a way that directs the transmission toward the client. In a beamforming scenario, the beamformer represents the device that is forming the beam; that is, the device that is transmitting a shaped radio pattern. By contrast, the beamformee is the device that receives a beamformed signal. Any device capable of beamforming its transmission can be a beamformer, including client devices. If both devices in a radio link are capable of beamforming (and are configured to do so), then they each can be beamformers or beamformees at different times. When a device is transmitting a beamformed signal, it is the beamformer; when receiving one, it is the beamformee. There are two types of beamforming: implicit beamforming, which generates a steering matrix based on sounding frames delivered from the beamformee, and explicit beamforming, which generates a steering matrix based on a feedback matrix sent by the beamformee. Implicit beamforming is simpler to execute because the beamformer relies on the information it alone determines from the radio environment. Explicit beamforming is more accurate, but requires that both beamformer and beamformee take active part in the process.

Frame Burst Mode The Frame Burst mode allows a device to transmit a series of frames in rapid sequence. This differs from frame aggregation in that frame aggregation encapsulates multiple subframes within an aggregate frame, whereas a frame burst consists of multiple individual frames (and their ACK responses) separated by a SIFS

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 62 New and Enhanced HiveOS 6.1r5 Features

(short interframe space). A SIFS is a very short period of time normally reserved for separating a data frame from its immediate control frames, such as the ACK (acknowledgment) frame. Normally, individual frames are separated from their respective control frames by a SIFS, but the individual data frames are separated by a full contention window consisting of a clear channel assessment, a random backoff time, and a DCF interframe space (DIFS). When you enable Frame Burst, the access point just uses a SIFS to separate data frames, thereby increasing data transmission efficiency, which results in higher throughput. Frame Burst functionality is available in all radio modes. VPN Gateway Layer 2 or Layer 3 VPNs tunnel network traffic through shared or public networks as though they were connected to a private network. The hosts at both ends of a Layer 3 VPN tunnel must be in different subnets whereas those at both ends of a Layer 2 VPN tunnel must be in the same subnet. Before this release, only the HiveOS Virtual Appliance was available to serve as Layer 3 VPN (Virtual Private Network) and Layer 2 VPN gateways. This release introduces the Aerohive VPN Gateway appliance as a Layer 3 and Layer 2 VPN concentrator as well as the GRE tunnel terminator to secure traffic between separate network sites. HiveManager defines a Layer 3 IPsec VPN routing network policy for Aerohive routers and Layer 3 VPN gateways. It also defines a Layer 2 IPsec VPN wireless-only network policy and client-server roles for device-level settings of Aerohive devices. The Aerohive VPN Gateway solution provides Layer 2 and Layer 3 extensions of the primary network to the remote sites of your organization. An Aerohive device located in the primary network, for example, corporate headquarters, is configured as a VPN gateway and devices located in remote branches are configured as VPN clients. The VPN client establishes a session over a secure IPsec tunnel to the destined VPN gateway and traffic from the remote clients is returned through an IPsec tunnel to the primary network. Clients located at branch networks receive IP addresses from the DHCP server at the corporate site just as if they were on the corporate network. Layer 3 VPN Gateway Gateway devices at the edge of two private networks in a Layer 3 IPsec VPN reside in different subnets and traffic is tunneled, based on route lookups, to create site-to-site VPN tunnel connections. Aerohive routers carry out route lookups and tunnel VPN traffic to the VPN Gateway. The router initiates route lookups to send traffic from hosts residing in the source subnetwork through an IPsec tunnel to hosts residing in the destination subnetwork at the other end of the VPN tunnel.

The Layer 3 VPN gateway sends and receives all traffic on its interface, including VPN traffic to branch sites, and uses the firewall/router as its default gateway.

Layer 3 VPN Gateway Branch Internet Site DMZ Firewall/ Router VPN Tunnel VPN DMZ Router Branch Gateway Site

Corporate LAN

There are two networks at each headquarters site and each remote site: the management network and the user network. A management network is the network on which all Aerohive devices at the same headquarters or remote site communicate with each other on the mgt0 interface. Aerohive routers determine the DNS service for the management network that is applied to Aerohive devices, such as APs and switches, connected to ports behind the Aerohive router and to the mgt0 interface of the router. On

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 63 New and Enhanced HiveOS 6.1r5 Features

remote sites, the management network is the network on which an Aerohive router and Aerohive APs and switches at the same branch site communicate with each other. The user network is the network that supports individual users or user groups accessing the wireless LAN at the headquarters and at the remote sites. A network for internal use is one that routers can apply to employees or students. DNS and DHCP services are optional, and you can enable web security for this type of network. The addressing for internal networks is unique among all branch sites so that it will be possible for routers to tunnel traffic through a VPN gateway appliance to a central site and to other branch sites. When you configure VPN gateways, you can also specify internal networks that you want the VPN gateway appliance to advertise to the routers through the VPN tunnels. Internal networks exist behind your VPN gateway within the corporate headquarters network, but are hidden behind a second router. Because internal routes use the VPN gateway, you only need to configure the network and the netmask for each internal network. When configured as internal, networks are always distributed to the Aerohive routers. If dynamic routing protocols, such as OSPF or RIPv2, are not enabled at headquarters, you need to set static routes to the management and user networks on the core routers pointing to the VPN gateway. Static routes differ from internal networks in that internal networks exist exclusively within the corporate network and always use the VPN gateway appliance as the gateway. Static routes, on the other hand, can be routes configured for any network, including the public Internet. You must configure the gateway address explicitly for each route to tell the outgoing VPN gateway to which interface it is to forward traffic. Internal networks routes are a subset of static routes to network destinations. Layer 2 VPN Gateway In a Layer 2 VPN configuration, hosts reside in the same LAN or subnet. When Aerohive devices located at branch networks are configured as VPN clients, Layer 2 VPNs extend network traffic through tunnels to VPN gateways or Aerohive devices configured as VPN servers at corporate headquarters. VPN clients must belong to the same management network as the VPN server and build GRE tunnels inside IPsec tunnels to the VPN server. If the device is configured as a VPN client with a user profile that applies a tunnel policy, the device sends traffic through a tunnel to the VPN Gateway located at headquarters. It also sends traffic through tunnels to other remote sites connected to headquarters because they are on the same subnet. Wireless clients located at the remote sites are bridged to the same subnet as the tunnel interface and headquarters site.

The VPN clients are configured with a user profile that references a tunnel policy. Devices tunnel Remote traffic to the VPN Gateway at the corporate head- site 1 quarters site and connect to other remote sites.

Corporate Layer 2 VPN Headquarters Gateway Remote site 2 Internet

Firewall

Remote Tunnel interfaces are in the same subnet as the network at the site 3 headquarters site. Wireless clients at the romote sites are in the same subnet as the tunnel interface and headquarters site.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 64 New and Enhanced HiveOS 6.1r5 Features

Configuring the Layer 3 VPN Gateway

To configure a network policy for the routers and device settings for the Layer 3 VPN Gateway so that they can build IPsec VPN tunnels between themselves: 1. Log in to HiveManager, click Configuration > VPN Services in the navigation tree, and confirm that the Layer 3 VPN gateway appears. 2. Click Configuration, choose an existing routing policy from the network policy list, click the tool icon ( ) and click Edit, or create a new policy. For more details about cloning and existing network policy or creating a new network policy, see Help. 3. Click Choose for SSID to configure an SSID along with a corresponding user profile, network, and VLAN. The PSK used in the SSID is the one that you set when you initially placed HiveManager in Enterprise mode. The policy also includes router LAN port assignments with the same accompanying user profile, network, and VLAN as those for the SSID. For more details about configuring an SSID, see Help. 4. Click Choose for Router Firewall, and then click New. Name your firewall policy, add a description, and add the rules you want the router to apply. When finished, click Save. 5. Click Choose for Layer 3 IPsec VPN, and then click New, enter the following, and then click Save: Profile Name: Enter a name for the VPN profile. Description: Enter a useful note about the VPN profile. Layer 3 IPsec VPN: (select) A Layer 3 IPsec VPN creates tunnels between routers and one or two VPN gateways. The routers perform route lookups to determine whether to send traffic from hosts on their network to hosts on the networks behind the VPN gateways or to hosts at other sites connected to the VPN gateways through tunnels. 6. In the VPN Gateway Settings section, choose the name of your VPN gateway from the VPN Gateway drop-down list, click the Modify icon, enter the following, and then click Save: General Settings Host Name: Leave the host name as it is or modify it. The host name can be up to 32 alphanumeric characters long and cannot contain spaces. Node ID: (read-only) Management Network: Choose the management network for the mgt0 interface on the VPN gateway appliance. Location: Enter the physical location of the VPN gateway for future reference. VPN Service: Reference VPN gateway. This is a read-only field. You must reference a VPN gateway when you create a VPN service. If a VPN gateway is not reference, “None” appears in this field. Device Model: (read-only) The preselected device model can be either a HiveOS Virtual Appliance or a VPN Gateway appliance. Device Function: Choose L3 VPN Gateway from the drop-down list. Management VLAN: Choose VLAN 1. Topology Map: Choose the name of a map where the VPN gateway is located from the drop-down list. The VPN gateway does not have to be in the same management network as the routers. If you use a VPN profile in multiple network policies, each policy might apply a different management network to routers while the VPN gateway remains in the management network set for it here.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 65 New and Enhanced HiveOS 6.1r5 Features

Interface and Network Settings Eth0 (WAN): Enter the IP address/netmask and default gateway for the Ethernet0 interface. To allow traffic through this interface, choose Up as the admin state. Eth1 (LAN): Because the Ethernet1 interface is not used, leave the IP address/netmask empty. Enable dynamic routing: To enable the VPN gateway to learn routes from other routers on the corporate network dynamically, select the check box. From the drop-down list, choose the dynamic routing protocol in use on the corporate network: OSPF: OSPF is a link-state routing protocol that uses link cost (an aggregate measure of availability, round-trip time of packets, throughput capacity, and so on) to determine the cost of a route. OSPF is suitable for larger networks because of faster convergence times and more accurate route advertisement. RIPv2—A distance-vector routing protocol that uses hop count to determine the cost of a route. RIPv2 is suitable for small, stable networks because frequent changes in large networks can cause incorrect route information to propagate through the network. Route Advertisement: Select the interface on which the VPN gateway will advertise routes about branch sites. When it is using its Ethernet1 interface, you can select Eth1 (LAN) to advertise routes about the branch sites on its Ethernet1 interface to the corporate routers. Select Eth0 (WAN) if you want it to advertise routes on its Ethernet0 interface. By default, a VPN gateway advertises routes only on its Ethernet1 interface. For the current example, choose Eth0 (WAN). If you ever want to block traffic through an Ethernet interface, set its admin state as Down. Note that doing so blocks all traffic on an interface, including management traffic. Therefore, be careful not to disable management access to the VPN gateway from HiveManager. Use MD5 authentication: Select the check box if the routers must authenticate one another before sharing routing information, and then enter the password used during the authentication process. You can use mutual authentication to restrict route updates among peers and prevent the malicious injection of false routes by attackers. Clear the check box if no authentication is required. Internal Networks: To ensure that the branch routers have all the relevant information regarding the corporate network, you can configure a list of internal networks that the VPN gateway advertises to the routers. This feature only controls the advertisement of routes to internal networks that you define here and does not affect the advertisement of connected routes or routes learned through dynamic routing protocols (RIPv2 and OSPF). Static Routes: To add a static route, click Static Routes to expand the Static Routes section, click New, enter the following, and then click Apply: Destination IP: Enter the destination host or subnet IP address. Netmask: Enter the netmask to define the destination as either a host or a subnet. Gateway: Enter the IP address of the gateway through which the router sends traffic for the specified destination. Distribute to routers: Select the check box to enable the VPN gateway to distribute the static route to routers. To add additional routes, click New, and repeat the above configuration steps. 7. To upload the a VPN gateway, click Configuration > gateway_name > Update > Advanced > Upload and Activate Configuration.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 66 New and Enhanced HiveOS 6.1r5 Features

Configuring the Layer 2 VPN Gateway

To configure a network policy for the routers and device settings for the the Layer 2 VPN gateway so that they can build IPsec VPN tunnels between themselves: 1. Log in to HiveManager, click Configuration > VPN Services in the navigation tree, and confirm that the Layer 2 VPN gateway appears. 2. Click Configuration, choose an existing routing policy from the network policy list, click the tool icon ( )and click Edit,or create a new policy (for more information about cloning and existing network policy or creating a new network policy, see "Network Policies" in the Help). 3. Define the roles of devices as VPN clients. For more details about assigning roles, see the Service Settings section in the “Aerohive AP Settings” in Help). 4. Click Choose for Layer 2 IPsec VPN, and then click New, enter the following, and then click Save: Profile Name: Enter a name for the VPN profile. Description: Enter a useful note about the VPN profile. Layer 2 IPsec VPN: (select). A Layer 2 IPsec VPN creates tunnels between APs functioning as VPN clients and one or two VPN gateway appliances or other APs functioning as VPN servers and is applied to traffic based on user profiles. There is also a distinction between the IP address requirements at both ends of Layer 3 and Layer 2 VPN tunnels. Device VPN Server and Device VPN Client Settings Single Device VPN Server: Select to configure a single VPN server with which VPN clients establish tunnels. Then enter the following settings: Device VPN Server 1: Choose a VPN Gateway defined as a Layer 2 VPN server from the drop-down list (for details about VPN Gateways, see “VPN Gateway Settings” in Help). VPN Gateway: After applying a network policy that references this VPN services profile to a VPN Gateway functioning as a Layer 2 VPN gateway, you must assign it to the role of VPN server in the Service Settings section on the Configuration > Devices > VPN Gateway > gateway_name > Modify page. (For Help, see “VPN Gateway Settings”). Server MGT0 IP Address: Enter the IP address of the mgt0 interface on the device VPN server. Server MGT0 Default Gateway: Enter the IP address of the default gateway for the subnet on which the VPN server mgt0 interface is located. Client Tunnel IP Address Pool Start: Enter the IP address defining the start of a range of IP addresses that the VPN Gateway (server) assigns to the tunnel interfaces on the VPN clients during the Xauth phase of the VPN tunnel setup (between IKE phase 1 and phase 2 negotiations). Client Tunnel IP Address Pool End: Enter the IP address defining the end of the range of IP addresses forming an address pool. Client Tunnel IP Address Pool Netmask: Enter the netmask that defines the subnet to which the tunnel interfaces belong. Redundant Device VPN Servers: Select to configure a pair of VPN servers to provide server redundancy in the event that one becomes unavailable. Enable automatic load sharing between the redundant VPN servers: By default, this option to share the traffic load between a pair of redundant VPN servers is enabled. Repeat the steps listed under “Device VPN Server and Device VPN Client Settings” above for each redundant server. 5. To upload the a VPN gateway, click Configuration > gateway_name > Update > Advanced > Upload and Activate Configuration.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 67 New and Enhanced HiveOS 6.1r5 Features

Displaying HiveOS Image File Information When upgrading a HiveOS image file on a device, HiveManager now displays information about the version number of the current and backup images. This enhancement, available from the Utilities drop-down list, allows you to confirm that you have selected the appropriate image file for the device.

You can choose Set Image to Boot from the Configuration > Devices > Managed Devices > Utilities drop-down list. Then select the radio button next to the current or backup HiveOS image and click Submit. A confirmation message appears. Click Yes to reboot the selected devices with the selected image. You can also access this setting from the Maps section by right-clicking a device icon to display the pop-up shortcut menu.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 68 New and Enhanced HiveManager 6.1r5 Features

New and Enhanced HiveManager 6.1r5 Features

The HiveManager REST API HiveManager on-premises allows administrators to make REST queries to the HiveManager database using third-party applications such as network monitoring software. HiveManager does this by exposing a limited number of internal monitoring entities within the database by means of a RESTful API (an application programming interface that uses the REST protocol). The REST protocol, in conjunction with a RESTful API, allows you to query these database entities using HTTP URLs that contain the text of the query. The HiveManager REST API is a read-only API, which means that only the HTTP GET method is supported. An API is a set of instructions that a third party can use to access a particular service. Generally, the API provides limited access to a database so that the third party can retrieve, store, or update information within the database. In the case of online sellers, APIs are often restricted to retrieval operations; however, when the database is used only by those with authorized access, then the API often allows storing data as well. In the case of HiveManager, the REST API allows you to retrieve existing data.

REST Clients, Testing, and Authentication For testing, you can send REST queries using a browser REST client, which are add-ons that you can install in your preferred browser. REST clients display an HTML form into which you type your query in a specific format. The HiveManager REST API uses basic HTTP authentication. Basic HTTP authentication encodes the user name and password as a BASE64 string. BASE64 encoding is not encryption, and it is easily decoded; however, because the authentication occurs over an SSL/TLS connection, the entire exchange is encrypted. If you are familiar with the use of REST clients and BASE64 encoding, then during your testing you can include your authentication credentials manually with the query itself by doing the following: 1. Assemble your user name and password into a single string, separated by a colon. For example, if your user name is “restuser” and the password is “restpassword”, then the combined string is “restuser:restpassword”. 2. Encode the combined string using a BASE64 encoder, which you can find online easily. When you encode “restuser:restpassword”, the BASE64-encoded string that results is “cmVzdHVzZXI6cmVzdHBhc3N3b3Jk”. 3. Enter the following text into the Header field of the REST client: Authorization: Basic cmVzdHVzZXI6cmVzdHBhc3N3b3Jk When the Header field contains the correctly encoded authentication information, the query is successful. In production, the code that you use must send the correctly encoded authentication string in the header of every RESTful query you send because the HiveManager API is stateless and does not cache credentials from previous queries or maintain a session.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 69 New and Enhanced HiveManager 6.1r5 Features

Enabling Access to the HiveManager REST API By default, the HiveManager REST API is disabled, so to use the HiveManager REST API, you must first enable it. To enable REST API access, click Home > HiveManager Settings > Update API Authorized Settings, enter the following, and then click Save (disk icon): Enable API Access: (select) API Administrator: Enter the user name that you want your code to use when it queries the HiveManager REST API.

The user name that you enter here does not need to be an existing user account. If you enter a user name that is not currently configured in HiveManager, then the user name is only used during RESTful transactions and cannot be used to log in to HiveManager. Entering a user name that is not an existing user account allows your code to make the appropriate REST queries without exposing the database to unintentional or malicious misconfiguration.

Change Password: Select if you want to change the password of an existing account now. If the API user name is not that of an existing HiveManager admin, then select this check box to assign a password to your REST-only user.

Query URL Format Because REST leverages the HTTP protocol, REST APIs accept queries in the form of a URL. When you want to query the database, you must append the query and any associated parameters to the base URL. The following URL is an example of a complete RESTful query: ://hivemanager-host-name/hm/api/v1/devices?vhmName=home&connect=true This query contains the following parts: • Base URL: The base URL is the location of the API itself. All RESTful queries must begin with the base URL: https://hivemanager-host-name/hm/api/v1/ • Query: The query consists only of the word devices. When you append devices to the end of the base URL, the REST API interprets that to mean that you want the database to return a list of devices. devices • Parameters: Parameters allow you to narrow the scope of the query so that the response includes more specific information. The initial parameter is introduced by the question mark ( ? ) followed immediately by the parameter itself, which is rendered in the form parameter=value. Subsequent parameters are introduced by an ampersand ( & ). ?vhmName=home&connect=true

Query Response Format When HiveManager responds, the REST API renders the response in a JSON (JavaScript object notation) format that can be parsed by third-party systems. For example, in response to a query to get a list of all the devices in a particular network, HiveManager, through the REST API, responds with the status of the query followed by a list of the devices.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 70 New and Enhanced HiveManager 6.1r5 Features

The sample text below represents the first and last several lines of a typical query response. (The following example consists of a single record.)

The items returned in the query response are not necessarily in any particular sorted order, although some queries allow limited sorting by using parameters. The following query response is formatted so that the contents can be easily read and understood. The query response that the HiveManager database returns is unformatted, so the code that parses the JSON string returned cannot rely on specific white space characters such as spaces, tabs, or new lines.

[ { “audit”: “A full configuration has not yet been uploaded to the Aerohive device. Please perform a complete configuration upload first.”, "hostName": "AH-0a4200", "alarm": "Critical", "interfaceIp": "192.168.85.1", "externalIp": "10.0.0.51", "topologyName": "home_floor1", "nodeId": "08EA440A4200", "connection": false, "deviceMode": "Portal",

...

"wifi0Channel": "-", "wifi0Power": "-", "wifi0RadioProfile": "radio_ng0", "wifi1Channel": "-", "wifi1Power": "-", "wifi1RadioProfile": "", "hwmodel": "BR200-WP" } ]

Format of the JSON Response When HiveManager generates the response text, the entire response is enclosed by a set of square brackets [ ]. Within the square brackets, each record is enclosed in curly braces { }. Each record, in turn, consists of a series of key-value pairs, which are enclosed in quotation marks ( " ) and separated by a colon ( : ). A comma ( , ) separates each pair from the next; however, the final key-value pair does not require a comma. [ { "key-1":"value-1", "key-2":"value-2", "key-3":"value-3" } ]

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 71 New and Enhanced HiveManager 6.1r5 Features

If the response requires the inclusion of subrecords within the response (such as when you query for client statistics, for example), the subrecords occur in place of the value of the relevant key-value pair, enclosed in its own set of curly braces { }: [ { "key-1":"value-1", "key-2":{ "subkey-2-1":"subvalue-2-1", "subkey-2-2":"subvalue-2-2" }, "key-3":"value-3" } ]

Query Scope and Capabilities The HiveManager REST API allows read-only queries. You cannot modify, delete, or insert data into the HiveManager database using the REST API. Currently, you can query the HiveManager database only for devices, clients, and locations. The table below describes the supported queries. (You can find additional API documentation at www.aerohive.com/330000/docs/help/english/6.1r3/hm/api/.)

Query String Description Comment

devices Returns a list of devices along Without parameters specifying the devices to with information such as host return, this query returns all devices from name, IP address, and so on HiveManager.

deviceCount Returns the number of devices as a long integer

device Returns information about a You must identify the device either by serial specific device number, host name, MAC address, or mgt0 IP address using the appropriate parameter.

device/{identifier} Returns information about the The identifier refers to the MAC address, which is device specified by {identifier} also referred to as the node ID (nodeId).

clients Returns information about You must identify a client either by serial clients, including channel, RSSI, number, host name, MAC address, or IP address SNR, VLAN, and so on using the appropriate parameter.

clients/stats Returns the operating systems, You must include the VHM name and the date radio types, SSIDs, user profiles, range for which the relevant client statistics and client counters for a apply. specified date range

locations Returns the topology map If the API user account belongs to the home locations VHM, then you must include the vhmName parameter in the query.

© 2014 Aerohive Networks, Inc. Aerohive is a U.S. registered trademark of Aerohive Networks, Inc. P/N 330110-01, Rev. C

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 72 HiveOS and HiveManager 6.1r3 New Features Guide

HiveOS and HiveManager 6.1r3 New Features Guide

This guide describes the new features and feature enhancements introduced in the HiveOS and HiveManager 6.1r3 releases, Client Management January 2014 release, and ID Manager January 2014 release. It also describes the new HiveManager Help system for mobile devices.

New Features and Feature Enhancements

Several new features and feature enhancements have been introduced in these releases. You can read summaries of these features and enhancements below. Major features are covered in more detail in individual sections later in this guide. For more information about known and addressed issues for the HiveOS and HiveManager 6.1r3 releases, Client Management January 2014 release, and ID Manager January 2014 release, refer to the corresponding Aerohive Release Notes.

New and Enhanced HiveOS and HiveManager 6.1r3 Features The following are the new features and feature enhancements in the HiveOS and HiveManager 6.1r3 releases.

New and Enhanced HiveOS 6.1r3 Features The following are the new features and feature enhancements in the HiveOS 6.1r3 release: Generic USB Modem Support: For this release, a new framework has been added to allow generic USB modem support for BR100 and BR200 routers, and AP330 and AP350 devices functioning as routers. After a new modem type is validated by Aerohive, you will be able to configure your routers to support the modem using the NetConfig UI. See "Generic USB Modem Support" on page 76. Reporting Application Usage by Clients in Application Visibility and Control: In 6.1r3, HiveManager reports application usage by clients in greater detail, helping you to understand the top clients or users using applications even if you do not have authentication such as captive web portal on an open SSID or PPSK (private preshared key) on your network. Three widgets that report application usage by clients have been added to the Applications perspective on the dashboard, allowing more drill-down information about clients and application usage. In addition, three widgets have been modified to display application-only information. After you drill down into client or application information, a new widget tab is created automatically which allows you faster access when revisiting the same data during the same session. See "Auto Discovery of Applications" on page 137. Enhancements to CAPWAP Auto Discovery: Aerohive devices and HiveManager communicate through the CAPWAP (Control and Provisioning of Wireless Access Points) protocol. In 6.1r3, there is a new auto discovery process for devices that have connected to HiveManager at least once. In addition, you can prevent devices from connecting to an unauthorized HiveManager that might have been inadvertently placed in the same subnet as these devices. See "Enhancements to CAPWAP Auto Discovery" on page 82. Captive Web Portal Enhancements: In this release of HiveOS firmware and HiveManager software support the following enhancements to the captive web portal: Multiple Captive Web Portal Clients on a Wired Port: The following Aerohive AP330s and AP350s, BR series, switch devices support the individual authentication of multiple captive web portal users when the users are connected through a switch or hub to a single Ethernet port on the Aerohive device.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 73 New Features and Feature Enhancements

Captive Web Portal Selection by Classifier Tags: You can now configure captive web portals to forward users to custom Internet or network destinations after authentication based on the classifier tag that you assign to the device. You can not only forward users to a custom destination after successfully authenticating, but you can also forward them to a custom destination after an unsuccessful authentication, depending on the type of authentication you use with your captive web portal. See "Captive Web Portal Selection by Classifier Tags" on page 83. AirWatch Compliance Enforcement: In this release of HiveOS firmware and HiveManager software, Aerohive supports periodic recurring AirWatch compliance checking and enforcement, allowing administrators to block non-compliant wireless devices. See "AirWatch Compliance Enforcement" on page 87. Integration of OpenDNS: HiveOS firmware and HiveManager software now integrate OpenDNS and support OpenDNS-based web content filtering and security through user profiles. Mapped to different groups of users though user profiles, this new feature allows you to enforce different security policies on Aerohive devices connected behind Aerohive routers. See "Integration of OpenDNS" on page 89. DFS Support: The AP330 and AP350 now support DFS (Dynamic Frequency Selection), permitting the AP to use of radio channels in the 5 GHz UNII-2 (Unlicensed National Information Infrastructure) bands, because mechanisms are in place and certified to detect and avoid interfering with radar systems. Topology Map Name No Longer Overrides sysLocation: This release introduces the ability to override the default behavior of overriding the sysLocation name with a topology map name. See "Topology Map Name Will Not Override sysLocation OID" on page 91. Power Cycle Devices through PoE: This release adds the ability to cycle the power on selected PoE ports. See "Power Cycle PoE Ports on Switches" on page 92. Default PoE on Switches Uses 802.3at: The default PoE port setting for Aerohive switches is now 802.3at instead of 802.3af. Syslog messages for Firewall Events: Aerohive devices now include the user name and host name in firewall events destined for a syslog server. The additional information provides important security and audit information for administrators. If you already have a syslog server configured, then no further configuration is necessary in HiveManager; however, if not, simply configure a syslog server in HiveManager to provide a destination for logging events, and then choose the server in the firewall policies. Aerohive devices automatically format firewall events, and then forward them to the server. Enhancements to Alarm Log Settings: The Alarm Log Settings dialog box available from Monitor > Alarms > Settings has been expanded, allowing you to differentiate between non-critical (cleared and uncleared) and critical alarms and set time and size limits for purging non-critical alarms. See "Enhancements to Alarm Log Settings" on page 92. Rogue Client Reporting and Expiry: When configuring a WIPS policy, you can configure HiveManager to purge a client that has previously been reported as a rogue after a specified amount of time. By default, if a rogue client is not detected on the network an hour after its last detected activity, then HiveManager drops the rogue device from its list of rogue devices. See "Expire Rogue Clients" on page 94. Overwrite Protection for NetConfig UI WAN Settings: In previous versions of HiveOS firmware and HiveManager software, devices that were configured using the NetConfig UI might be overwritten when HiveManager pushed updated settings to the BRs. The default behavior of this software release is that a BR originally set up using the NetConfig UI is protected from being overwritten by updates pushed to it from HiveManager at a later date. You can disable this protection so that whenever a newer configuration is pushed to the BRs, the newer configuration will take effect. See "Overwrite Protection for NetConfig UI WAN Settings" on page 95.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 74 New Features and Feature Enhancements

Bonjour Sleep Proxy Support: When a Bonjour-enabled device goes into power save mode, it can inform another device—referred to as a sleep proxy server—to continue advertising services on its behalf. The server then begins responding to ARP requests and multicast DNS queries for the sleeping device. When another device requests a service from the sleeping device, the sleep proxy server sends a magic packet to wake it up. The awakened device then broadcasts a gratuitous ARP, alerting all the devices in its subnet/VLAN of its MAC address. The requesting device can then communicate directly with the previously sleeping device. Aerohive devices functioning as Bonjour Gateways can filter the _sleep-proxy._udp service, which sleep proxy servers advertise, in the list of services that they share with other Bonjour Gateways. This allows you to control whether devices connected to Bonjour Gateways in different subnets/VLANs can access services on a device in power save mode through a sleep proxy server in another subnet/VLAN.

New and Enhanced HiveManager 6.1r3 Features The following are the new features and feature enhancements in the HiveManager 6.1r3 release: VMware Tools for HiveManager Virtual Appliance: VMware Tools suite is a set of utilities and drivers that increases the performance of a virtual machine and aids its management. HiveManager Virtual Appliance 6.1r3 and later deployed on VMware ESXi version 4.1 and later hypervisors support the VMware Tools suite. For details, see "VMware Tools for HiveManager Virtual Appliance" on page 95. Preconfigure Devices: You can now preconfigure devices before you add them to your HiveManager network. In addition, the Managed Devices and the Unmanaged Devices tabs have been added to on premises HiveManager Configuration and Monitor GUI sections. The Device Inventory menu on the Unmanaged Devices tab now has add, remove, export, and import options in both on premises HiveManager and HiveManager Online and this same menu on the Managed Devices tab provides remove and export options. There is a slight difference in behavior depending on if you are using on premises HiveManager or HiveManager Online. See "Preconfigure Devices" on page 97. Enhancements to Simplified Updates: In 6.1r3, you can push the latest HiveOS image onto a device even when the version numbers on the device and the image server are the same. See "Enhancements to Simplified Updates" on page 101.

New Help System for Mobile Devices Aerohive now allows you to link directly to a mobile version of our HiveManager 6.1r3 Help system. In cases where viewing the Help system on a traditional monitor is inconvenient or impossible, you can view the Help content on your smart phone. The HiveManager 6.1r3 Mobile Help system can be viewed using phones that do not support some of the advanced mobile web technologies. It does this by detecting the mobile device on which you are attempting to view the Help system and forwards your request to one of two independent versions of mobile Help system. See "Using the Mobile Help System" on page 127.

Client Management (January 2014) The following are the new features and feature enhancements in the Client Management (January 2014) release: Client Management as a Separate Product: Client Management has been removed from HiveManager and promoted from a feature to a separate product. By default, you can use Client Management to enroll and manage up to 100 Apple, Android, and Chromebook clients. To support more mobile devices, you can obtain subscriptions from your Aerohive sales representative. For more information, see "Introducing Client Management as a Separate Product" on page 102.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 75 New and Enhanced HiveOS 6.1r3 Features

Single Private PSK SSID for Enrollment: You can now use a single private PSK SSID for enrollment and access to the network. With this option, clients use a shared PSK to enroll with Client Management, which then assigns a unique private PSK to each client to access the same SSID after enrollment. For complete configuration instructions, see "Configuring Client Management" on page 105. Using an HTTP Proxy: For clients that must access the public network through an HTTP proxy server, you can configure HTTP proxy settings for inclusion in Wi-Fi configuration profiles. See "Using an HTTP Proxy" on page 124.

New and Enhanced ID Manager (January 2014) The following are the new features and feature enhancements in the ID Manager (January 2014) release: Support for CoA (Change of Authorization) Disconnect from ID Manager to APs: With this release, ID Manager notifies APs as soon as a guest account is revoked, expires, or when the customer’s ID Manager account has expired, it disconnects these accounts immediately. Previously, APs were not aware of account revocation or expiration until the next time the guest associated with the account tried to authenticate to ID Manager. Audit Log Enhancements: This release adds a section to the ID Manager Audit Log that shows when admin accounts have been created or deleted from the MyHive page. See "Audit Log Enhancements" on page 125. Email Template Customization: This release allows ID Manager administrators to customize the template for email and print notifications by changing the icon, logo, or text. See "Email and Print Template Customization" on page 125. Support for Multiple AP Networks for Anonymous Access: This release adds support for ID Manager Anonymous Access on multiple AP networks. Previously, only one AP and subnet were supported. This feature enables smooth roaming for anonymous access guests. ID Manager Wired Access: This release adds support for ID Manager on wired networks through BR200 router configuration. See "Wired Support for ID Manager on BR200 Routers" on page 126. Customized Registration UI: This release introduces the capability to customize the registration UI that appears on your kiosk. See "Customized Registration UI" on page 126.

New and Enhanced HiveOS 6.1r3 Features

Major new and enhanced HiveOS features are covered in detail in the following sections.

Generic USB Modem Support This release adds support for a nearly unlimited number of USB modem types for Aerohive routers and APs acting as routers (BR100, BR200 models, and AP330 and AP350). Once the modem you want to use is validated by Aerohive, you activate support for the modem in the NetConfig UI. To confirm whether for the modem you want to use is validated, refer to the NetConfig UI Help, which is updated as new modems are added to the supported modems list, or contact your Aerohive representative. Use the following steps to configure support for a new modem type in the NetConfig UI: 1. Navigate to Admin > WAN Interface Settings, select USB Modem Settings, enter the Network Mode configuration information for the new modem type, and then click Apply: Network Mode: Select Auto, LTE, 3G, or 2G. If you select Auto, HiveOS automatically determines which network mode is required by the USB modem you have connected.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 76 New and Enhanced HiveOS 6.1r3 Features

Mode Switch Configuration: In some cases, a USB modem that you want to use may be configured to act as flash storage instead. Select this check box to allow HiveOS to switch the mode to USB modem. The following fields are displayed when you select this check box: Vendor ID: This field is automatically populated by HiveOS. Product ID: This field is automatically populated by HiveOS. In the box below this field, you must enter the mode switch message text string that performs the modem switch. You can find this message text string by doing an Internet search for the mode switch message for your modem model. If you are unable to find the text string, contact your Aerohive representative for help. Name ID: This field is populated automatically by HiveOS, but can be edited if necessary. Connect Type: Select either PPP Dial-up (most common) or Attention Command. Attention Commands are also known as AT commands and are used by dial-up and wireless modems to interact with a computer. If you select PPP Dial-up, you are then directed to configure the dial-up information for the modem: Access Point Name: The Access Point Name (APN) specifies the cellular mobile network name. This field is generally left blank and is only required if your carrier requires you to specify the APN. An example of an APN is ISP.CINGULAR. Dial-up Username: Enter the dial-up user name for this modem, for example [email protected]. Dial-up Password: Enter a dial-up password for this modem. Dial-up Number: Enter the dial-up number for this modem. If you select Attention Command as the connect type, the fields change to the following: Connect Command: Enter the connect command or commands that you want HiveOS to use to connect to this modem. You can find the connect commands for your modem type by doing an Internet search or contacting your Aerohive representative. You can also leave this field blank if you are unable to locate the command. Disconnect Command: Enter the disconnect command or commands that you want HiveOS to use to disconnect this modem. You can find the disconnect commands for your modem type by doing an Internet search or contacting your Aerohive representative. You can also leave this field blank if you are unable to locate the command. Network Driver: If you know the network driver required for the modem, you can select it from the drop down list. You can find information about network drivers by doing an Internet search or you can contact Aerohive. You can also leave this field blank and HiveOS will try to select the correct driver. Serial Driver: If you know the serial driver required for this modem, you can select if from the drop down list. You can find information about serial drivers by doing an Internet search or you can contact Aerohive. You can also leave this field blank and HiveOS will try to select the correct driver. Set Attention Command: This setting is not required for basic connectivity, but you can enter AT commands to perform various modem functions. You can find lists of AT commands on the Internet, or contact Aerohive for help with your modem type. Get Attention Command: This setting is not required for basic connectivity, but you can enter GET commands to perform various modem functions. You can find lists of GET commands on the Internet, or contact Aerohive for help with your modem type. NetConfig UI Configuration Disable: Select this checkbox to prevent this USB modem configuration from being saved in flash and administered across device reboots.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 77 New and Enhanced HiveOS 6.1r3 Features

Reporting Application Usage by Clients In 6.1r3, HiveManager has the ability to report application usage by clients in greater detail. In PSK and open SSID captive web portal environments such as schools, hospitals, and hotels, you may have guests who were previously reported as unknown clients in the Applications perspective on the dashboard. Now you can identify these guests by host name and MAC address and then drill down for more information, such as the top clients by application usage, which applications a particular client is using, and the top users of a specific application. Three widgets that report client application usage have been added to this release of HiveManager: • "Top 20 Clients by Application Usage Widget" on page 79

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 78 New and Enhanced HiveOS 6.1r3 Features

• "Top 20 Applications for this Client Widget" on page 80 • "Top 20 Users for this Application Widget" on page 81 In addition, the following widgets have been modified to display only application-specific information when they are accessed from the Applications perspective: Client Details, SSIDs Accessed by this Client, and Aerohive Devices Accessed by this Client. The new widgets provide a greater level of detail, such as application usage data, client MAC addresses, the operating system running on the client, and the host name associated with the client. In addition, HiveManager creates a new widget tab after you drill down from the Applications perspective so you can more easily return to this information. For example, if you select a client from the Top 20 Clients by Application Usage widget, a new widget tab is created with “AppClient” appended to the client name. Or if you select an application from the Top 20 Applications for this User widget, HiveManager creates a new widget tab with “App” appended to the application name. These tabs appear next to the perspectives on the dashboard and are only retained during your current HiveManager session.

The “AppClient” widget tab is in addition to the widget tabs created in previous releases. For example, if you select a user from the Top 20 Users by Application Usage widget on the dashboard, a new tab is created with “User” appended to the user name.

The modified client widgets, Client Details, SSIDs Accessed by this Client, and Aerohive Devices Accessed by this Client, allow you to compare application usage and non-application usage depending on whether you select them from the Applications perspective or another perspective, such as the Users perspective. When you access these widgets from the Application perspective, they only report application usage data. However, when you access these same widgets accessed from the another perspectives, such as the User perspective, they report total usage data that includes the application data.

Top 20 Clients by Application Usage Widget The Top 20 Clients by Application Usage widget displays the top 20 clients based on the bandwidth usage of the selected application, with the client consuming the highest bandwidth usage appearing first. The client names that are displayed in this widget contain a hyper link to the Client Details, Top 20 Applications for this Client, SSIDs Accessed by this Client, and Aerohive Devices Accessed by this Client widgets, which are described later in this section. By default, HiveManager does not display the Top 20 Clients by Applications Usage widget. To display it, select the Applications perspective and then click the Customize Dashboard perspective icon ( ) in the upper right corner of the page. The list of all available Application widgets appears in the widget selection panel on the left side of the page. Select the check box next to the Top 20 Clients by Application Usage widget and then click Save. The Applications perspective is refreshed and now displays the Top 20 Clients by Application Usage widget (in the perspective view) which lists the client name, the amount of data (in Megabytes and Kilobytes) that this client is using on applications, and the MAC address of the client. As a byproduct of this selection, a new widget tab beginning with “APPClient” is created automatically and appears next to the perspective tabs on the dashboard. When you want to revisit the drill-down information for this client, you can select this tab again during this login session.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 79 New and Enhanced HiveOS 6.1r3 Features

Top 20 Applications for this Client Widget The Top 20 Applications for this Client widget displays the top 20 applications that a particular client is using, displaying the application consuming the most bandwidth first. There are two ways to access this widget. It does not appear in the list of available widgets in the Applications perspective. Instead, the Top 20 Applications for this Client widget is available by selecting a client from the Top 20 Clients by Application Usage widget (described above). In addition, the Top 20 Applications for this Client widget appears when you select a specific application, such as BitTorrent, from any of the widgets on the Applications perspective (such as the Top 20 Applications by Clients widget) or from an application from a watchlist widget, for example, Watchlist Applications by Clients or Watchlist Applications by Usage. The Top 20 Applications for this Client widget lists the name of the application, the amount of data, in Megabytes or Kilobytes, consumed by an application, and the usage percentage, which is the percentage of bandwidth devoted to a specific application (with the total percentage number adding up to 100%).

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 80 New and Enhanced HiveOS 6.1r3 Features

Top 20 Users for this Application Widget The Top 20 Users for this Application widget provides information about the top twenty users of a particular application, such as Google or Skype. This information is listed by application usage with the most used application listed first, followed the application that has the second most use. To select this widget, select the Top 20 Applications by Clients widget from the Applications perspective on the dashboard and then select an application. Or, select the Watchlist Applications by Usage widget from the Applications perspective and then select an application. The Top 20 Users for this Application widget appears. It displays the client name, the amount of data (in Megabytes or Kilobytes) that this client is using on applications, and the most recent AP to which this client has formed an association.

Client Details Widget The Client Details widget has been modified to display only application-specific usage when you select it from the Applications perspective. To display this widget, select the Applications perspective and then select the Top 20 Clients by Application Usage widget. Select a client from the Top 20 Clients by Application Usage widget. The Client Details widget appears. It lists the MAC address of the client device, the total amount of data (in Megabytes) that this client is using on applications, the host name, the operating system used by the client device, the most recent AP to which this client has associated, and the topology (or location) assigned to this device.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 81 New and Enhanced HiveOS 6.1r3 Features

SSIDs Accessed by this Client Widget The SSIDs Accessed by this Client widget has been modified to display only application-specific usage when you select it from the Applications perspective. To display this widget, select the Applications perspective and then select the Top 20 Clients by Application Usage widget. Select a client from the Top 20 Clients by Application Usage widget. The SSIDs Accessed by this Client widget appears. It lists the name of the SSID associated with this client, the amount of application data used by this client, and the number of users assigned to this client.

Aerohive Devices Accessed by this Client Widget In 6.1r3, the Aerohive Devices Accessed by this Client widget has been modified to display only application-specific usage when you select it from the Applications perspective. To display this widget, select the Applications perspective and then select the Top 20 Clients by Application Usage widget. Select an application from the Top 20 Clients by Application Usage widget. The Aerohive Devices Accessed by this Client widget appears. It lists the name of the Aerohive device, the MAC address of the client, the topology (or location) assigned to this device, and the date and time the client first became associated with the Aerohive device.

Enhancements to CAPWAP Auto Discovery In 6.1r3, the order of the CAPWAP auto discovery process has changed for Aerohive devices that have connected to HiveManager at least once and then have disconnected from HiveManager. The intention of adding this feature is to prevent devices from connecting to a local HiveManager inadvertently. If, for example, HiveManager is running on the local network for test purposes, or running on a Virtual Machine on a laptop, and then you upgrade HiveManager, your devices might inadvertently connect to the local HiveManager instead of the HiveManager to which they originally belonged. In addition, you can prevent devices from connecting to an unauthorized HiveManager that might have been inadvertently placed in the same subnet as these devices. Preventing the discovery process on a local subnet improves the robustness of the cloud discovery process. In addition, the default auto discovery process that unconfigured devices use to make a CAPWAP connection to HiveManager is independent of this new process and remains unchanged.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 82 New and Enhanced HiveOS 6.1r3 Features

Setting the CAPWAP Auto Discovery Process You can further customize the CAPWAP auto discovery process to disable local broadcast discovery process. To enable the new sequence for CAPWAP auto discovery, click Home > Device Management Settings to display the Device Management Settings page. Clear the check box next to the “Enable devices to transmit CAPWAP broadcasts to discover HiveManager in their local subnet” option and then click Update. Then push this configuration change onto your existing devices.

Captive Web Portal Selection by Classifier Tags Captive web portals allow you to control network access by requiring users to register, a process that usually consists of the user agreeing to a use policy or entering credentials. If the registration is successful, then the user is granted access to network resources. If unsuccessful, then the user is effectively isolated from the rest of the network.

Log In Log In

Unsuccessful Successful Authentication Authentication

Aerohive extends this model to allow you to customize the destination page based on device classification by specifying a device name, device tag, or topology node. For example, a retailer with locations in different markets can customize the destination experience of the user based on the market in which the user connects. Customizing the captive web portal experience in this way is not limited only to geographical distinctions. You can just as easily distinguish between grade levels in schools, administrative or academic departments in businesses or colleges, and buildings in a campus. Configuring custom captive web portal destinations using this feature requires that the devices serving the captive web portal be configured with classifier tags, and that the custom destinations are configured as IP Address/Host Name objects in HiveManager. When you configure the captive web portal, it references the IP Address/Host Name object, which in turn references the classifier tags configured on the device. The following example configuration creates a new network policy that leverages device classifier tags to customize the destination. Before creating the network policy, you must first configure your devices with the appropriate classifier tags.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 83 New and Enhanced HiveOS 6.1r3 Features

The Aerohive device The web page object is The captive web portal is is configured with configured with an configured to use a web page a classifier tag of object name, a URL and object name, which contains the BLDG_1. a site name (BLDG_1). destination site information.

Log In

Name: web_cwp_by_loc Use URL Object: URL: bldg1.mycompany.com web_cwp_by_loc BLDG_1 Tag: BLDG_1

After successful authentication, the user is redirected to the URL that is defined by the device tag, the web page object, and the captive web portal.

Configuring Device Classifier Tags Device classifier tags are text entries that are associated with specific hardware devices. When a device needs to be identified (individually or as part of a group of devices with identical tags) to receive a particular configuration, then you can configure the device with a classifier tag containing the specific identifying text.

Device classifier tags do not have to be used. Device classification functionality can be performed using device classifier tags, device name, and a topology node (map) where the device resides. Tags are only one of the three different options.

For example, if you want to identify a group of five APs in Building 2 as being at that location and requiring the same configuration, then you can configure the APs with classifier tags with text that uniquely identifies Building 2. Click Monitor > Devices > All Devices > > Modify. In the first unused tag, enter a tag value that uniquely identifies the group of devices that you want to forward users to a particular destination after they authenticate with the captive web portal. Click Save.

Network Policy with an SSID that Uses a Captive Web Portal The captive web portal is created for an SSID, not for a network policy. You can modify an existing network policy, or you can create a new network policy if one is not yet created. To create a new network policy captive web portal, click Configuration > New, enter the following, and then click Create: Name: cwp_by_loc Description: Enter a brief description.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 84 New and Enhanced HiveOS 6.1r3 Features

In the network requirements section for deployments, select only Wireless Access.

The network policy can also include switching, routing, and Bonjour Gateway features, but including them here adds unnecessary complexity to the example.

When you click Create, HiveManager advances you to the Configuring Interfaces & User Access panel.

Creating the SSID To create the SSID in the Configuring Interfaces & User Access panel, click Choose > New, enter the following information, and then click Save: Profile Name: ssid_cwp_by_loc SSID: Guest Access SSID Broadcast Band: (default) Description: Enter a brief description. SSID Access Security: Open

You can use any access security you want, but this example uses Open to simplify configuration. Using Open access is not recommended.

Enable Captive Web Portal: (select) When you click Save, HiveManager displays the Choose SSIDs dialog box. The SSID you just created is highlighted in the list along with any other SSIDs that were selected when you began creating the current SSID. Scroll through the list of SSIDs and make certain that only ssid_cwp_by_loc is highlighted, and then click OK. HiveManager returns you to the Configure Interfaces & User Access panel.

Configuring the Captive Web Portal To configure the captive web portal, click in the Authentication column of the SSIDs section, click New, and then enter the following information leaving all others at their default settings. Name: web_cwp_by_loc Registration Type: User Authentication Description: Enter a brief description. Expand the Captive Web Portal Success Page Settings. After a successful login: Select Redirect to an external page Use classified URL object: (select) Click New ( + ) to create a destination URL object, and then enter the following: Object Name: web_cwp_by_loc Web Page: http://hq.mycompany.com If the device with which the user authenticates does not have a tag configured for use with captive web portal redirection, then the user is directed to this URL upon successful authentication. You must enter a URL with the protocol prefix “http://” or “https://”; otherwise, HiveManager displays a notification that the URL is invalid.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 85 New and Enhanced HiveOS 6.1r3 Features

Click New to add another destination URL, enter the following, and then click Apply: Web Page: http://bldg1.mycompany.com Type: Device Tag Value: Building 1 Description: Enter a brief description of the location to which this tag pertains. For each site that you want to configure, create a new web page entry in the web page object. After each entry, you must click Apply. After you return to the New Captive Web Portal configuration page, click Save.

Creating the User Profile When a user authenticates with a captive web portal, the Aerohive device processing its traffic applies a user profile to the traffic. If authentication fails, then traffic is not allowed and no user profile is applied. In this section, you choose the appropriate user profile for authenticated users. To create a user profile, click Add/Remove. In the Choose User Profiles dialog box, click New, enter the following, and then click Save. Name: cwp_users Attribute Number: 1 Default VLAN: 1 Description: Enter a brief description. When you return to the Choose User Profiles dialog box, HiveManager highlights the user profile you just created. If necessary, scroll through the list of user profiles to make certain that your user profile is highlighted, and then click Save. To complete the configuration of the SSID, click Continue to progress to the Configure & Update Devices panel.

If you navigate away from this configuration panel, then you might lose your configuration changes up to this point. Be sure to click Save or Continue here.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 86 New and Enhanced HiveOS 6.1r3 Features

Captive web portal redirected to external URLs: Log In Building 1 Building 2 Building 3 Building 1 BLDG_1

Log In

Aerohive

Building 2 BLDG_2 HiveManager Online

Log In

Building 3 BLDG_3

Updating the Devices After you configure your Aerohive devices, you must update them with the new configuration. To do so, simply select the devices you want to update from the list of devices displayed, and then click Update > Update Devices. HiveManager displays the update progress and, if necessary, prompts you to reboot your devices.

AirWatch Compliance Enforcement In this release of HiveOS firmware and HiveManager software, Aerohive supports periodic recurring AirWatch compliance checking and enforcement, allowing administrators to block non-compliant wireless device.

AirWatch compliance checking is only supported in HiveManager Enterprise mode and not currently supported in HiveManager Express mode.

To deploy, secure, monitor, and manage mobile devices in the enterprise workspace, Aerohive enforces MDM (mobile device management) as an integrated solution with the AirWatch MDM system. With this integration, companies can deploy and manage both BYOD (bring your own device) and corporate owned devices, applying and enforcing the appropriate policy accordingly. AirWatch enforces compliance based on the compliance policy configured in the AirWatch dashboard. When creating a compliance policy in AirWatch, you can determine what actions to take to remedy the compromised status of the device, such as block and remove all or specified profiles, install the compliance profile, block and remove apps, or change roaming settings, helping identify already-connected devices that have fallen out of compliance with assigned AirWatch policy. When devices are determined to be out of compliance, Aerohive can send notification to users and quarantine the device on the network, until compliance with policy is returned. Using the new compliance check, HiveManager administrators can set the frequency with which Aerohive devices query AirWatch for enrollment and compliance status.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 87 New and Enhanced HiveOS 6.1r3 Features

When a connected device is determined to be out of compliance, Aerohive sends a notification to the user account defined for the client device in the AirWatch dashboard. Android-based client devices must have the AirWatch MDM Agent installed to support notifications. Aerohive only supports email notifications at this time. Because this warning message can be easily ignored by the owner of the device, Aerohive can also effectively quarantine the out-of-compliance client device on the network. Administrators can leverage Aerohive stateful bi-directional firewall or VLANs to provide the network connectivity sufficient to bring the device back into compliance, without exposing the client to the rest of the network. For example, if a device owner chooses to ignore the warning Email sent to him while on site the previous day and continues to use his device in the workplace on his return the next day, HiveOS queries AirWatch to assess the status of the device before making a decision. In this case, the device will be denied access to the enterprise network. At the same time, an Email is sent to the device owner to warn him that normal connectivity will not be granted until his device complies with the policy. This prevents the non-compliant device from doing harm.

Enabling HiveManager to Notify Non-Compliant Clients To enable HiveManager to notify clients that are not in compliance: 1. Click Configuration > Advanced Configuration > Security Policies > MDM Configuration > New or for an existing click Modify, enter the following, and then click Save. If you are creating a new MDM profile, first configure the basic MDM settings, and then configure the following compliance notification setting. For details about basic configuration of the MDM profile, see HiveManager Help. 2. To modify an existing MDM profile to add compliance enforcement settings, enter the following: Enable User Notification of Noncompliant Clients: (select) User Notification Methods: Select the notification method to be used to notify clients of device noncompliance as Email. Renew the IP Address when the VLAN is changed: A change in the user profile might cause the AP to disconnect the client device. Select if you want the client to receive a new IP address when it reconnects to an AP. Frequency for HiveManager to check the AirWatch server about client compliance: Enter a value in seconds for which you want HiveManager to check the AirWatch server about compliance of a client. To create a new a User Profile and a corresponding non-compliant quarantine VLAN: 1. Add a new SSID profile, click Choose > New and define the parameters of the SSID profile. 2. Click Advanced to expand the advanced settings, select the Enable MDM Enrollment check box, and then click Save. 3. Choose the newly created SSID from the Choose SSIDs dialog box, and then click OK. 4. To add a new user profile, click the Add/Remove link in the User Profile column, configure the user profile, and then click Save. 5. In the Choose User Profiles dialog box, choose the newly created user profile, and then click Save. 6. To configure a VLAN with which to isolate or quarantine non-compliant users, click VLANs > New. For this example, the VLAN was named Guest, but you can name it anything you want.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 88 New and Enhanced HiveOS 6.1r3 Features

7. To create a user profile for isolating non-compliant users that associate with this SSID, click the Add/Remove link in the User Profile column, choose the new user profile from the Choose User Profiles dialog box, click the Guest tab, click New, configure the user profile, and then click Save.

When selecting the Default VLAN parameter for non-compliant users, make sure that you have a dedicated VLAN where you can quarantine non-compliant devices and prevent them from accessing your network. As administrator, you must permit the APNS (Apple Push Notification Server) and AirWatch server in the IP policy. This is necessary to allow a quarantined device access to the AirWatch portal and come back into compliance.

8. In the Choose User Profiles dialog box, choose the newly created guest and then click Save. In the Configure Interfaces & User Access network configuration panel, the new SSID, compliant user profile, and non-compliant user profile appear. You can click the SSID or user profile names to modify their configuration.

Integration of OpenDNS The new HiveOS firmware and HiveManager software releases now integrate OpenDNS Umbrella and support OpenDNS-based web content filtering and security through user profiles. Mapped to different groups of users though user profiles, this new feature allows you to enforce different security policies on Aerohive devices connected behind Aerohive routers. The OpenDNS product offers a scalable, cloud-based web content filtering and security platform that protects your network users from malware infections, malicious botnet hosts, and phishing attacks by filtering responses to DNS requests and blocking responses. OpenDNS stores lists of malicious websites and blocks access to these websites. With OpenDNS integration, DNS requests are categorized by user profile attributes that are mapped to the OpenDNS labels, which are user-readable IDs in the OpenDNS dashboard. DNS requests generated from clients assigned to the same user profile attributes are mapped to the same filtering policies configured in the label. Enter the label in HiveManager to obtain a DID (device ID) from OpenDNS. The OpenDNS security servers read the DID in the DNS request message, apply the content filtering and security policies, update the dashboard, and process the DNS request. Whenever a new label is created, it maps to either an existing DID, or a newly generated DID. You configure the filtering policies for the DIDs in the OpenDNS dashboard. OpenDNS Umbrella User Profile Attribute

OpenDNS DID 100 Policy User Profile Attr 30: Label A/DID 300

OpenDNS DID 200 Policy User Profile Attr 10: Label B/DID 100

OpenDNS DID 300 Policy User Profile Attr 20: Label C/DID 200

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 89 New and Enhanced HiveOS 6.1r3 Features

HiveManager pushes the label configurations to Aerohive devices behind Aerohive routers. When an AP receives DNS queries from its clients, it ascertains whether the DNS request is internal or external. If the request is an external request, it looks up the DID based on the label and attaches the DID to the DNS request for domain name resolution and filtering. The AP forwards the response to its associated clients.

1 Users 2 If the user profile attribute is 20, attach 3 The OpenDNS server checks send DNS DID 200 to the DNS request and send it to the policy for the requests. the OpenDNS server. specified DID.

User Profile (attribute 20) Internet AP BR200

User Profile (attribute 30) Primary AP OpenDNS Server Secondary 208.67.220.220 OpenDNS Server User If the user profile attribute is 30, attach DID 300 208.67.222.222 to the DNS request and send to the OpenDNS server. User After HiveManager pushes the OpenDNS mapping parameters and DNS server IP addresses to the routers, they send all external DNS requests to OpenDNS servers.

4 After checking DIDs for user profile attribute 20, the server allows the website www.nice-site.com (DID 200) and forwards it to the user. For the user profile attribute 30, the server blocks the website www.naughty-site.com (DID 300) and denies access. 5 User is allowed access to the Internet website. AP BR200 User Profile (attribute 20) Primary OpenDNS Server User is denied Secondary AP 208.67.220.220 OpenDNS Server access to the User Profile 208.67.222.222 website. (attribute 30) User

User

Configuring OpenDNS Integration To configure HiveManager to push OpenDNS services to Aerohive routers, complete the following steps: 1. If you do not already have an OpenDNS account, you must first obtain an OpenDNS enterprise login account. 2. To make sure that HiveManager can connect to the OpenDNS servers, click Connection Test. If the connection is successful, OpenDNS returns an authorization token, which HiveManager stores and uses to maintain ongoing access to the OpenDNS servers. 3. Click Configuration > User Profiles > New to create a new user profile. 4. Within the guided configuration of our Branch Routing Network Policy, link the user profile to an access Port Type.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 90 New and Enhanced HiveOS 6.1r3 Features

5. To map the user profile to a label and then generate a DID, click Home > Administration > HiveManager Services, enter the following, and then click Update: OpenDNS Server Settings: (select) Enable OpenDNS Server Settings: (select) In the OpenDNS Device ID Mapping panel, click the New ( + ) icon for the newly created user profile to open the Create OpenDNS Device ID dialog box, enter the OpenDNS label that you want to use for this new user profile, and then click Get/Create Device ID. HiveManager sends the label to OpenDNS to obtain a DID. OpenDNS assigns a unique DID for every label. A DID is a 16-character string that uniquely identifies a set of DNS requests and filtering policies in OpenDNS. 6. To enable HiveManager to authenticate and maintain an open connection with OpenDNS and configure server settings, click Home > Administration > HiveManager Services, enter the following, and then click Update: OpenDNS Server Settings: (select) Enable OpenDNS Server Settings: (select) In the OpenDNS Settings panel, enter your OpenDNS login email address and password, and the primary and secondary OpenDNS Server IP addresses (the standard OpenDNS IP addresses are 208.67.220.220 and 208.67.222.222, respectively). 7. To download the OpenDNS configuration from HiveManager to the Aerohive routers and their Aerohive devices, click Configuration > Devices > Routers > router_name to select the Aerohive routers, and then click Update > Advanced > Upload and Activate Configuration. HiveManager pushes the OpenDNS configuration to the Aerohive routers. Afterwards, when an AP or a router receives a DNS request from one of its clients, it ascertains whether the DNS request is internal or external. If the request is an external DNS request, the Aerohive device looks up the OpenDNS server, attaches the DID and then sends it to the OpenDNS server for DID lookup. The OpenDNS server processes the request and returns a DNS reply to the Aerohive device, which forwards the response to its clients. 8. To specify the OpenDNS filtering policy settings, log in to OpenDNS, navigate to the OpenDNS dashboard, click the Settings tab, locate the OpenDNS label that corresponds to user profile for the DID, click Edit Settings, and then follow the instructions in the OpenDNS dashboard to configure content filters and security values.

Topology Map Name Will Not Override sysLocation OID You can now override the default behavior of amending the sysLocation name with a topology map name whenever a device is linked to a topology map location. This is especially useful for customers who rely on SNMP monitoring tools (for example, Solar Winds) that automatically provision it based on the SNMP location. If both Location and Topology Map are specified for a device, HiveManager will combine them and apply the new name to the SNMP MIB object sysLocation. 1. To disable this process, go to Monitor > Devices > All Devices, select the device or devices for which you want to disable this function in the Managed Devices tab, and then click Modify. 2. If only one device is selected, the All Devices > Edit dialog box appears. Scroll down to and click Advanced Settings to expand the advanced settings options, clear the check box for Use Location and Topology Map settings to configure the SNMP location for the device, and then click Save. If multiple devices are selected, the All Devices > Modify (Multiple) dialog box appears. Scroll down to and click Advanced Settings to expand the advanced settings options, and select No from the Use Location and Topology Map settings to configure the SNMP location for the device drop-down list, and then click Save.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 91 New and Enhanced HiveOS 6.1r3 Features

Power Cycle PoE Ports on Switches This release adds the ability to cycle the power on individual PoE switch ports. Previously, you could not “toggle” the PoE power on a port without also locking yourself out of the same port, which prevented you from restarting it. This feature allows you to safely reboot an AP that is connected to a specific switch port by bringing the switch port down, and then bringing it back up. This feature applies to all PoE ports on Aerohive switches, BR200-WP, and BR200-LTE.

1. To configure this feature for selected ports on a switch, navigate to Monitor > Switches in the Managed Devices tab, click the name of the switch, and scroll down to PSE Details. 2. Select the check box or boxes for the port or ports that you want to cycle, and then click Cycle Power. A confirmation message is displayed.

3. Click Yes. When the power cycle is complete for the selected ports, message similar to the one shown here appears.

Enhancements to Alarm Log Settings In 6.1r3, additional settings for the alarm log have been added to provide you with more control by differentiating between critical and noncritical (cleared and uncleared) alarms, setting the maximum number of alarm records retained on the database, and setting a reminder for critical alarm removal. Critical alarms are not included in the count of the maximum number of alarm records; therefore, critical alarms are not purged even when the maximum number of alarm records retained has been reached. Instead, you can clear critical alarms only from the HiveManager database manually.

Configuring Alarm Log Settings To display the Alarm Log Settings dialog box and change the default settings, click Monitor> Alarms > Settings > Alarm Log Settings.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 92 New and Enhanced HiveOS 6.1r3 Features

Select from the following fields and then click Update: Retain cleared alarms for: Set the number of days cleared alarms are saved in the alarm log. After this limit is reached, the cleared alarms are removed from the alarm log. The default is seven days. Retain uncleared, non-critical alarms for: Set the number of days uncleared, non-critical alarms are saved in the alarm log. After this limit is reached, the uncleared, non-critical alarms are removed from the alarm log. The default is 14 days. Maximum Number of Alarm Records to be Retained: Set the maximum number of alarm records, for cleared and non-critical uncleared alarms, that will be retained in the alarm log. After this limit is reached, the cleared and non-critical uncleared alarms are removed from the alarm log. The default for the maximum number of alarm records is dependent on your HiveManager system. For HiveManager Online, the default is 30,000 alarm records with a range of 1000 to 100000. For on premises HiveManager, the default is calculated with the number of devices in the entitlement key according to the following formula: 10 x Number of devices = Default number of devices supported, with a minimum of 500 devices and a maximum of 500,000 devices.

If you change the number of devices in your entitlement key, the value of the Maximum Number of Alarm Records to be Retained field is recalculated automatically.

Display a reminder to clear critical alarms after: Set a time period for displaying a reminder to clear the critical alarms that are older than thirty days from the alarm log. When you receive the reminder, it contains a Go button. Select Go to delete critical alarms from the alarm log. The default setting for the reminder is 30 days.

Upgrading from Previous Versions of HiveManager If you are upgrading from a previous version of HiveManager, the alarm records stored are retained during the upgrade process. These alarm records are classified as cleared non-critical alarms, uncleared non-critical alarms, or critical alarms. The Max Alarm Records field will be set to its default value which depends on if you have an on premises HiveManager or HiveManager Online (see the previous section) system. The Warning Age records field will be set to its default value of 30 days. After the upgrade is completed, the count down for purging new alarm records begins.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 93 New and Enhanced HiveOS 6.1r3 Features

Expire Rogue Clients The Aerohive WIPS (wireless intrusion prevention system) policy feature has been enhanced to allow the expiration of rogue clients disconnected from rogue APs. When configuring a WIPS policy, you can configure HiveManager to purge a client that has previously been reported as a rogue after a specified amount of time. By default, if a rogue client is not detected on the network an hour after its last detected activity, then HiveManager drops the rogue device from its list of rogue devices. By default this feature is disabled. To enable this feature in an existing WIPS policy, click Configuration > Advanced Configuration > Security Policies > WIPS Policies, select the policy in which you want to enable rogue client expiration, make the following changes to the configuration, and then click Save: 1. Expand the Optional Settings section, and select Enable Rogue Client Reporting. Enabling rogue client reporting reveals an additional setting that you can use to instruct HiveManager to purge the rogue client after a specified duration of rogue inactivity. 2. In the Expire Rogue clients disconnected from Rogue APs field, enter the number of seconds you want HiveManager to wait after the last contact with the rogue client to purge it from the rogue client list. By default this value is 3600 seconds (one hour).

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 94 New and Enhanced HiveManager 6.1r3 Features

Overwrite Protection for NetConfig UI WAN Settings The NetConfig UI is a simple, web-based graphical user interface provided by the HiveOS firmware and used to manage local network settings of APs and WAN interface settings for BRs. It configures BR WAN interface settings to be a PPPoE client, a DHCP client, or to use static network settings for the IP address and netmask of its mgt0 interface, its default gateway, and DNS server, or in the case of a BR200-WP, a Wi-Fi client. For detailed information about configuring a BR, see NetConfig UI Help. A BR200-WP can be configured using the NetConfig UI to operate in Wi-Fi client mode and connect to a third-party access point. For detailed information about configuring a BR200-WP for client mode, see HiveManager Help. In previous versions of HiveOS firmware and HiveManager software, devices that were configured using the NetConfig UI might be overwritten whenever HiveManager pushed updated configuration settings to the BRs. The default behavior of this new software release is that a BR originally set up using the NetConfig UI is protected from being overwritten by updates pushed to it from HiveManager at a later date. You can disable this overwrite protection if you want HiveManager to overwrite the original NetConfig UI WAN settings whenever a newer configuration is pushed to the BRs. For the BR200-WP, disabling the overwrite protection allows HiveManager to overwrite the WAN configuration of the BR200-WP the next time HiveManager pushes a new configuration to it. To disable the NetConfig UI settings protection for the BRs, click Configuration > Devices, select one or multiple BRs, and then click Utilities > Disable NetConfig UI WAN Configuration.

New and Enhanced HiveManager 6.1r3 Features

Major new and enhanced HiveManager features are covered in detail in the following sections.

VMware Tools for HiveManager Virtual Appliance The VMware Tools suite supports the: • Increased efficiency in memory allocation—allows you install a memory control driver for HiveManager that provides increased efficiency in memory allocation. The memory control driver allows the host to recover from memory issues in a manner that the guest OS, which is an operating system in addition to the host (such as Windows, Linux, Unix, Macintosh, and other operating systems) has control. • Ability to shut down HiveManager gracefully—allows you to shut down and restart HiveManager using the toolbar. Without VMware Tools, the only way to shut down the virtual machine (VM) is to force the ESXi hypervisor to shut down. The operating system on the VM kills the running processes and does not gracefully shut down the VM. • Improved clock synchronization—allows you to resolve clock synchronization issues. Because virtual systems have multiple CPUs, clock drift becomes an issue unless the proper host synchronization driver is installed. Synchronization of the clock in the virtual machine with the clock on HiveManager is improved.

Installing VMware Tools VMware Tools are supported on HiveManager Virtual Appliance version 6.1r3 and later. You can install the tools from the ESXi hypervisor console without accessing the shell.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 95 New and Enhanced HiveManager 6.1r3 Features

You can SSH into HiveManager Virtual Appliance to access the CLI, and then launch the VMware vSphere Client GUI after step 3 to install the tools, or you can use the VMware vSphere Client console to access the CLI.

To release the cursor and exit the VMware console when finished accessing the CLI, press the CTRL and ALT keys simultaneously and move your mouse button.

To install VMware Tools using the VMware vSphere Client console to access the HiveManager Virtual Appliance CLI, log in to the HiveManager Virtual Appliance CLI and complete the following steps: 1. To list the network settings, enter 1 (Network Settings and Tools). 2. To view the VMware options, enter 12 (VMware Related Options). 3. To install the VMware Tools, enter 2 (Install VMware tools). The following message appears: Please select “Install/Upgrade VMware Tools” from your VMware Guest Menu, then return here and select Y below. Continue with Install (Y/N). 4. To launch the VMware Guest menu for HiveManager Virtual Appliance, right-click the HiveManager Virtual Appliance name, select Guest from the pop-up menu that appears, and then select Install/Upgrade VMware Tools. The Install/Upgrade in VMware Tools dialog box appears.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 96 New and Enhanced HiveManager 6.1r3 Features

5. Select the Automatic Tools Upgrade in the Install/Upgrade Tools dialog box and then click OK to have vCenter automatically upgrade VMware Tools and reboot HiveManager Virtual Appliance. 6. Return to the HiveManager Virtual Appliance console CLI and enter Y. The following message appears: VMware Tools installation may take several minutes, please don’t cancel until it is done. VMware Tools installation starting ... After the installation is finished, the following message appears: VMware Tools Installation done.

Preconfigure Devices The Preconfigure Devices feature adds the ability to configure Aerohive devices before connecting them to HiveManager. If you have a very large network, you may want to preconfigure devices in a central location before you connect them to a remote location. A preconfigured device is one that has never made a connection to HiveManager. In on premises HiveManager, preconfigured devices are tracked through their node IDs, or MAC addresses. In HiveManager Online, these devices are tracked through their serial numbers. For both on premises HiveManager and HiveManager Online, when you connect a preconfigured device to your network, HiveManager pushes the applicable policies to it automatically. Also, this release adds the Managed Devices and the Unmanaged Devices tabs to the Configuration and Monitor GUI sections of the on premises HiveManager (both tabs were added to HiveManager Online systems in a previous release). The Managed Devices tab lists devices that have established a connection with HiveManager at least once. Within this tab, there are two categories—Unconfigured Devices and Configured Devices. The devices listed in the Unconfigured Devices category were connected to HiveManager at one time, but they are not currently connected. The devices listed under Configured Devices are configured devices that are connected to HiveManager.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 97 New and Enhanced HiveManager 6.1r3 Features

The Unmanaged Devices tab lists devices that have not yet established a connection with HiveManager. In HiveManager Online, these devices can be either unconfigured devices which only contain a serial number or preconfigured devices which include information such as host names and MAC addresses in addition to the serial number. In on premises HiveManager, devices can be preconfigured only. Once a device has connected to HiveManager, it is moved from the Unmanaged Devices tab to the Managed Devices tab. In both on premises HiveManager and HiveManager Online, the Device Inventory menu, available from the Managed Devices and Unmanaged Devices tabs, allows you to create preconfigured devices. The actions that you can perform from the Device Inventory menu depend on which tab you access it from. In support of preconfigured devices, the Device Inventory menu on the Unmanaged Devices tab has add, remove, export, and import options. From the Managed Devices tab, you can remove devices and export device information for multiple devices into a .csv file In addition, a Modify button has been added to the Unmanaged Device tab in on premises HiveManager and enhanced in HiveManager Online systems. This button allows you to modify the settings of preconfigured devices. The behavior of this button varies slightly, depending on if you are using an on premises HiveManager or HiveManager Online system.

Auto provisioning is not supported on preconfigured devices.

Setting a Preconfigured Device in On Premises HiveManager In on premises HiveManager, you can add a new device from the device list, remove an existing device, export device information to a .csv file, and import a .csv file from the Device Inventory menu on the Unmanaged Devices tab. To access this menu, click Configuration > All Devices > Unmanaged Devices tab > Device Inventory.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 98 New and Enhanced HiveManager 6.1r3 Features

The following options appear on the Device Inventory menu: Add: Click to add a preconfigured device to the Unmanaged Devices tab and then select a device type from the menu. The All Devices > New page is displayed. To preconfigure a device, you need to provide a host name, node ID (MAC Address), and a valid network policy. Then click Save. After a device is added successfully, it is listed in the Unmanaged Device tab. Remove: First select a check box next to a device on the All Devices > Unmanaged Devices tab and then click to remove a preconfigured device from the Unmanaged Devices tab. A confirmation message is displayed. Export: First select a check box next to a device on the All Devices > Unmanaged Devices tab and then click to open a dialog box to create a .csv file that contains the serial number, node ID, host name, device model, network policy, location, static IP address, netmask, default gateway, topology map, and VHM name. Import: First select a check box next to a device on the All Devices > Unmanaged Devices tab and then click to open a dialog box to import a .csv file that contains serial numbers, node IDs, host names, device models, network policies, locations, static IP addresses, netmasks, default gateways, topology maps, and VHM names.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 99 New and Enhanced HiveManager 6.1r3 Features

To modify the configuration of a preconfigured device, select the device from the Unmanaged Devices tab and then select Modify. (You can modify multiple preconfigured devices.) The All Devices > Edit “” page appears. Make the desired changes and then select Save.

In on premises HiveManager, the serial number of the device is set automatically when the device connects to your HiveManager network.

Setting Unconfigured and Preconfigured Devices in HiveManager Online In HiveManager Online, you can add or import a new device, remove an existing device, or export device information to a .csv file from the Device Inventory menu on the Unmanaged Devices tab. In HiveManager Online, you preconfigure devices in a two step process. First, you add the serial number of the device to HiveManager, thus creating an unconfigured device. Then click Modify to configure the MAC address, model type, and valid network policy, thereby creating a preconfigured device. To access the Device Inventory menu, click Configuration > Devices > All Devices > Unmanaged Devices tab > Device Inventory. The following options appear on the Device Inventory menu: Add/Import: Click to add an unconfigured device to the Unmanaged Devices tab. Then the Add Devices dialog box appears. You can enter the serial numbers of the devices manually, by selecting the Enter serial numbers tab. Or, you can import them from a .csv file by selecting the Import tab and browsing to the desired file. Then click Add and Close at the bottom of the page. To create a preconfigured device, select an unconfigured device on the Unmanaged Devices tab and then select a device type. Click Modify and the All Devices > Edit “” page appears. To preconfigure a device, you, need to provide a host name, node ID (MAC Address), and a valid network policy. Then click Save.

You can select multiple preconfigured devices and then press Modify to change their configuration; however, you cannot modify a combination of preconfigured and unconfigured devices.

For the following options, first select a check box next to a device on the All Devices > Unmanaged Devices tab and then perform the desired action. Remove: Click to remove either an unconfigured or a preconfigured device from the Unmanaged Devices tab. A confirmation message is displayed. Export: Click to create a .csv file that contains the serial number, node ID, host name, device model, network policy, location, static IP address, netmask, default gateway, topology map, and VHM name.

Adding a Filter to a Preconfigured Device A filter option in the Unmanaged Devices tab allows you to create a filter for (or add an existing filter to) preconfigured devices in both on premises HiveManager and HiveManager Online. Filters for preconfigured devices are available only from the Unmanaged Devices tab. (Filters for configured devices are only available from the Managed Devices tab.) To create a filter for a preconfigured device (or an unconfigured device in HiveManager Online), click Configuration > Devices > Unmanaged Devices and then select the check box next to the device to which you want to add a filter. Select the New ( + ) icon under Filter at the bottom of the navigation panel. The Filter Devices dialog box appears. See the online Help for configuration instructions.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 100 New and Enhanced HiveManager 6.1r3 Features

Enhancements to Simplified Updates When you upgrade devices with the latest HiveOS image, some units in your network may already have the latest version of HiveOS installed, but not the latest release of this version. In this case, a new option appears on the Update Devices page allowing you to push the latest HiveOS image onto a device even when the version numbers on the device and the image server are the same. For instance, you may need to upgrade from the beta version of the software to the official released version. See the option marked with the red circle in the Update Devices page below. By default, the check box is cleared. To access this option, navigate to Configuration > All Devices, click the check boxes next to the devices that you want to update. Select Update > Update Devices, select the Upgrade even if the HiveOS versions are the same check box, and then click Update.

In the Configure and Update Devices section of the Configuration Panel, three new status conditions have been added to the Updates Status column that appear during the update process: Warning: The device upgraded successfully but with a warning condition. Hover over the status to display the error message in a popup window. Failed: The device reboot failed. Either the device disconnected from HiveManager or HiveManager received error messages from the device. Hover over the status to display the message in a popup window. Timeout: Device stays in the rebooting state for 15 minutes, that is, if the device fails to reconnect to the HiveManager within 15 minutes.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 101 New and Enhanced Client Management Features

New and Enhanced Client Management Features

Client Management (December 2013) is no longer a feature within HiveManager, but a separate product that is accessible from your online MyHive account. In addition to this significant change, there are others such as HTTP proxy support, which are covered in detail in the following sections.

Introducing Client Management as a Separate Product Client Management is a subscription-based product that provides a simple method for controlling network access and mobile wireless device functions without any IT intervention. Users themselves enroll their devices when first connecting to a wireless network. After accepting the terms of use, they download an enrollment profile and Wi-Fi configuration to their devices. Depending on the Client Management settings, Apple and Android clients can also install client profiles that prescribe device behavior and usage restrictions. The infrastructure to support this is diagrammed below. As you can see in the illustration, the Client Management cluster of highly available servers communicates with HiveManager and with Apple clients through APNS (Apple Push Notification Service) and with Android and Chromebook clients through GCM (Google Cloud Messaging). This version of Client Management supports the provisioning and management of Apple mobile devices running iOS 5 or later, Apple computers running Mac OS X v10.7 or later, and Android 4.0 or later. Because of automatic updates, Chromebook clients always run the latest version of code.

HiveManager Online or Client Management server cluster APNS (Apple Push on premises with Client (admin GUI, database, enrollment page) Notification Service) Management enabled or CA and server GCM (Google Cloud Messaging) certificates

1 Notification to download enrollment, Wi-Fi, Configuration (and CA and and client profiles (and CA server certificates*) 3 and client certificates*) AP 4 1. The systems shown here 3. ... the AP checks if the client is exchange certificate files to already enrolled. If not, the AP secure communications in redirects the client browser to the support of client management. 2 Client Management enrollment page.

2. When a wireless client 4. Client Management sends the client a notification to connects to the AP and download and install enrollment, Wi-Fi configuration, and authenticates itself, ... client profiles (and CA and client certificates*). After Client their installation, the user can access the network.

* CA, server, and client certificates are only sent to the AP and client when the SSID uses 802.1X authentication and the AP functions as an Aerohive RADIUS server. If you use an external RADIUS server, you must export the CA and server certificates from HiveManager and then import them to the RADIUS server. If the SSID uses private PSKs or PSKs to authenticate users, no certificates are required.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 102 New and Enhanced Client Management Features

Make sure that any firewalls between the sources and destinations listed in the table below permit the following services:

Service Source Destination Protocol and Notes Destination Port

Client Apple, Android, and Gateway server in the TCP 443 Required for clients to Management Chromebook devices Client Management access the enrollment Services cluster portal and server URLs to download profiles (onboard-gw.aerohive and certificates, and .com, 198.46.48.1) send status updates

Aerohive APs Gateway server in the TCP 443 Required for message Client Management exchanges between cluster Aerohive APs and Client Management (onboard-gw.aerohive .com, 198.46.48.1)

HiveManager Gateway server in the TCP 443 Required for Client Management configuration and cluster status synchronization between Client (onboard-gw.aerohive Management and .com, 198.46.48.1) HiveManager

Gateway server in the HiveManager TCP 443 Required for Client Management configuration and cluster status synchronization between Client (onboard-gw.aerohive Management and .com, 198.46.48.1) HiveManager

APNS Apple devices APNS servers TCP 5223 Required for message (Apple Push exchanges between (17.0.0.0/8) TCP 443 Notification Apple devices and Service) APNS TCP 443 is a fallback option when TCP 5223 is unsuccessful.

GCM Android and GCM servers (see TCP 443, 5228, Required for message (Google Chromebook devices AS15169) 5229, and 5230 exchanges between Cloud Android and Messaging) Chromebook devices and GCM servers

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 103 New and Enhanced Client Management Features

Enabling Client Management To enable the Client Management system from your HiveManager Online account: 1. Click Home > Administration > HiveManager Services, expand Client Management Settings, select Enable Client Management, and then click Update.

After you enable Client Management, you cannot disable it.

2. To see the Client Management Go button in MyHive, log out of HiveManager Online and out of MyHive, and then log in again.

After logging in to MyHive, you can see that Client Management appears as a separate system on the MyHive landing page. To access it, click go!

To enable the Client Management system from your on-premises HiveManager: 1. If you do not have a MyHive account, contact Aerohive Technical Support and open a case requesting one. Include your HiveManager system ID when making the request. 2. Log in to your on-premises HiveManager, click Home > Administration > HiveManager Services, expand the Retrieve Customer ID section, enter the email address and password that you use to log in to your MyHive account, and then click Retrieve. If HiveManager successfully retrieves the customer ID, a message appears indicating success. Otherwise a message indicating the cause of the retrieval failure appears. 3. Expand the Client Management Settings section, select Enable Client Management, and then click Update at the top of the page. After you enable Client Management, you can begin using it with the100 free client device licenses that Aerohive provides. These licenses are valid for one year from the date that you enable Client Management. Additional licenses are available in groups of 100 per subscription and are valid for one-, three-, or five-year periods, as specified at the time of their purchase from your Aerohive sales representative. When ordering,

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 104 New and Enhanced Client Management Features

specify if you want to place a standard order, which adds more licenses to what you already have, or a renewal, which adds more licenses when your current ones expire.

Configuring Client Management Setting up and applying Client Management involves the configuration of user groups and users, certificates (when using 802.1X SSIDs), RADIUS, SSIDs, and user profiles in HiveManager and client profiles and a list of company-issued devices in the Client Management system. In HiveOS 6.1r3, Aerohive introduced an option to use Client Management with a single private PSK SSID. The basic configuration procedure is summarized below and then presented in detail on the following pages. 1. In HiveManager, configure the following: • Private PSK user groups and users for all the client devices that you expect to use the network and RADIUS user groups and users for all the people that will be on the network. Presumably, there will be several times more devices than people. • A RADIUS authentication server, which can be a third-party product or an Aerohive device configured as a RADIUS server. In the following example, you set a BR200-WP as the RADIUS server. (You also set the BR200-WP as a private PSK server that assigns private PSKs to users.1) • A RADIUS client profile that Aerohive devices functioning as RADIUS authenticators use to communicate with the RADIUS authentication server • A self-registration private PSK SSID profile with Client Management enabled • Multiple user profiles for all the types of client devices that you anticipate will be on your network. Aerohive Client Management supports the following types of mobile devices: Apple iOS and Mac OS, Android, and Chromebook. You must also enable client OS detection so that the Aerohive devices can apply user profiles according to the operating systems running on the various clients that connect. 2. In Client Management, you configure client profiles for the iOS, Mac OS, and Android operating systems. For each client profile, you must specify the user profile attribute number to which you want to apply it. HiveManager detects the client operating systems and applies the appropriate user profiles, and then Client Management applies the corresponding client profiles. You also import a list of MAC addresses of all the company-issued Mac OS clients. Client Management can then distinguish a company-issued Mac OS client from one that is privately owned. Based on client ownership type, the Aerohive devices can apply the appropriate user profiles and Client Management can apply the appropriate client profiles.

You can also modify the Client Management portal pages that users see during the enrollment process. For information about this, see "Modifying the Client Management Portal Pages" on page 122.

The following example illustrates the configuration workflow necessary to implement Client Management. There are several Aerohive APs on the network behind an Aerohive router, which acts as both a RADIUS and private PSK server.

The example does not explain how to configure the Aerohive router and APs nor how to deploy them on T your network. It is assumed that they are already in place and that you are adding Client Management functionality to an existing deployment.

1. There can only be one private PSK server per network policy. The configuration explained here is for a single site. If you have several sites, you can clone the network policy and choose the branch router that is at the site at which you intend to apply the policy.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 105 New and Enhanced Client Management Features

The mgt0 interfaces for all the The BR200-WP hosts a private PSK Aerohive devices are in the Internet server and a captive web portal on management network in VLAN 1. its mgt0 interface (172.18.255.129) in VLAN 1 and a RADIUS server on BR200-WP its mgt0.1 interface (10.1.1.129) in Management network VLAN 2. 172.18.255.128/25 VLAN 1 Hive communications AP121 AP121

AP121

Internal network 10.1.1.0/24 VLAN 2

These are various clients on the internal network: 172.18.255.128/25 (VLAN 2)

n the following example, you configure a single private PSK SSID with seven user profiles: five user profiles that Aerohive devices assign to clients based on client OS detection, a default user profile for clients that do not belong to any of the specified OS types, and one user profile for Mac OS devices based on device ownership (privately owned instead of company-issued). When an Aerohive device assigns a user profile to a client running Apple iOS or Mac OS, Android, or Chromebook, the user must first register on a captive web portal and then enroll through the Client Management portal. However, when an Aerohive device applies the default user profile or the profile for Windows clients, the user only needs to register through the captive web portal; the Aerohive device does not direct him or her to the Client Management portal for enrollment.

SSID access security types that support Client Management are 802.1X, private PSKs with self-registration, and PSKs. When using 802.1X, users connect to a single SSID for enrollment and network access. When enrolling, they use 802.1X with PEAP; and when accessing the network, they use 802.1X with certificates. With private PSKs, you have a choice of configuring one SSID for both enrollment and network access or two SSIDs, one on which users enroll and the other on which users access the network. With PSKs, users always connect to two SSIDs: an open SSID for enrollment and a second SSID secured with the PSK for network access.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 106 New and Enhanced Client Management Features

HiveManager - Users and RADIUS The configuration in this example is for a site with 100 employees. Therefore, you configure 100 RADIUS users in a single RADIUS user group.2 Assuming that each employee has approximately three wireless clients—a company-issued Windows or MacBook and one or two personally owned mobile devices—you also create 300 private PSK users in a single private PSK user group. 1. To create a RADIUS user group, click Configure > Advanced Configuration > Authentication > Local User Groups > New, enter the following, leave the rest of the settings as they are, and then click Save: User Group Name: Client-Mgt-RADIUS Description: Use with Client Management RADIUS users: (select) User Profile Attribute: 100 VLAN ID: 2 2. To create a private PSK user group, click Configure > Advanced Configuration > Authentication > Local User Groups > New, enter the following, leave the rest of the settings as they are, and then click Save: User Group Name: Client-Mgt-PPSK Description: Use with Client Management Automatically generated private PSK users: (select) User Profile Attribute: 100 VLAN ID: 2 User Name Prefix: client Private PSK Secret: (click Generate) 3. To add 100 RADIUS users, first create a .csv file with the following components for each user and the following format for each line in the file: User Name, User Type, User Group Name, Password, Description, VHM

For example: #User Name, User Type, User Group Name, Password, Description, VHM User1, 1, Client-Mgt-RADIUS, aerohive123, , home User2, 1, Client-Mgt-RADIUS, aerohive456, , home User3, 1, Client-Mgt-RADIUS, aerohive789, , home

HiveManager ignores any line beginning with a pound sign ( # ). Also, note that you can leave the description field empty.

Then, to import the .csv file into HiveManager, click Configure > Advanced Configuration > Authentication > Local Users > Import > Browse, navigate to the file you created, select it, and then click Import.

2. If you already have your BR200-WP configured as a RADIUS server, complete with all the RADIUS user accounts you need, you can skip this part of the configuration.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 107 New and Enhanced Client Management Features

4. To create 300 private PSK users, click Configure > Advanced Configuration > Authentication > Local Users > Bulk, enter the following, leave the Description and Email Notification fields empty, and then click Create: Create Users Under Group: Client-Mgt-PPSK Number of New Users: 300

Aerohive devices have different maximum private PSK user capacities, as documented in the 6.1r3 HiveManager Help.

5. To define a RADIUS server profile with all the users in the Client-Mgt-RADIUS user group so that you can apply it to the BR200-WP router, click Configure > Advanced Configuration > Authentication > Aerohive AAA Server Settings > New, enter the following, leave the other fields empty, and then click Save: Name: Client-Mgt-RADIUS-Server Expand the Database Settings section, select Local Database, highlight the Client-Mgt-RADIUS user group in the Available Local User Groups column, and then click the right arrow ( > ) to move it to the Selected Local User Groups column. 6. To create a RADIUS client profile that the Aerohive devices acting as RADIUS authenticators can use to contact the BR200-WP (acting as the RADIUS authentication server), click Configure > Advanced Configuration > Authentication > AAA Client Settings > New, name it BR200-WP-RADIUS, select Obtain an Aerohive RADIUS server address through DHCP options, and then click Save.

HiveManager - User Profiles You next create the following user profiles to apply to traffic to and from different types of client devices: • Apple-iOS: Attribute 200; for iPod, iPad, and iPhone clients; firewall policy permitting access only to the management network (for access to the captive web portal running on the BR200-WP) and the Internet • Android: Attribute 300; for clients running Android OS; the same firewall policy as above • Chromebook: Attribute 400; for Chromebook clients running Chrome OS; the same firewall policy as above • Mac-OS-BYOD: Attribute 500; for privately owned Mac OS clients; the same firewall policy as above • Corp-Clients: Attribute 600; for company-issued portable computers running Windows or Mac OS; no firewall policy • Other-Clients: Attribute 100; for all other clients whose OS type does not match any of the others; the same firewall policy as above; includes a client classification policy that assigns the other five profiles based on client OS The instructions below provide details for configuring all the user profiles. 1. Click Configuration > User Profiles > New, enter the following, leave the other settings as they are, and then click Save: Name: Apple-iOS Attribute Number: 200 Default VLAN: 2 Expand the Firewalls section, click the New icon ( + ) for From-Access in the IP Firewall Policy section, enter the following to create an IP firewall policy, and then click Save: Policy Name: Mgt-Network-Internet Click the New icon ( + ) at the right of the policy rules table header, and define a rule. After you finish defining it, click the Done icon at the far right to add the rule to the policy. Then click the New icon in

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 108 New and Enhanced Client Management Features

the table header again to add another rule. (HiveManager adds each new rule below the previous one.) Continue until the table looks like this:

Source IP Destination IP Service Action Logging

[-any-] [-any-] Network Service: DHCP-Client Permit Off

[-any-] [-any-] Network Service: DNS Permit Off

[-any-] 172.18.0.0/16* Network Service: HTTP Permit Off

[-any-] 172.18.0.0/16 Network Service: HTTPS Permit Off

[-any-] 10.0.0.0/255.0.0.0 Network Service: [-any-] Deny Dropped Packets

[-any-] 172.16.0.0/255.240.0.0 Network Service: [-any-] Deny Dropped Packets

[-any-] 192.168.0.0/255.255.0.0 Network Service: [-any-] Deny Dropped Packets

[-any-] [-any-] Network Service: [-any-] Permit Off

* This is an IP address/host name object for the management network. If you do not have this previously defined, simply click the New icon ( + ) to the right of the Destination IP field and define it.

Because Aerohive devices check the firewall policy rules for a match in order from the top, their position in relation to each other is important.

Choose Mgt-Network-Internet from the From-Access drop-down list, do not configure a To-Access IP firewall policy, and set the Default Action as Deny. 2. On the Configuration > User Profiles page, select the check box next to Apple-iOS, click Clone, enter Android as its name and 300 as its attribute number, use the other cloned settings, and then click Save. 3. Repeat the cloning operation: Select the Apple-iOS check box, click Clone, enter Chromebook as its name and 400 as its attribute number, use the other cloned settings, and then click Save. 4. Repeat the cloning operation again: Select the Apple-iOS check box, click Clone, enter Mac-OS-BYOD as its name and 500 as its attribute number, use the other cloned settings, and then click Save. 5. On the Configuration > User Profiles page, click New, enter the following, leave the other settings as they are, and then click Save: Name: Corp-Clients Attribute Number: 600 Default VLAN: 2 6. Select the check box next to Apple-iOS, click Clone, enter the following, use the other cloned settings, and then click Save: Name: Other-Clients Attribute Number: 100 Default VLAN: 2

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 109 New and Enhanced Client Management Features

Expand the Client Classification Policy section, select Enable user profile reassignment based on client classification rules, enter the following to create a client classification policy, and then click Save: Click New to define a rule. After you finish defining it, click Apply to add the rule to the policy. Repeat this to continue adding rules. (HiveManager adds each new rule below the previous one.) Continue until the table looks like this:

MAC Object OS Object Device Domain Ownership Reassigned User Object Profile

[-any-] Windows [-any-] [-any-] Corp-Clients

[-any-] MacOS [-any-] BYOD Mac-OS-BYOD

[-any-] MacOS [-any-] [-any-] Corp-Clients

[-any-] iPod/iPhone/iPad [-any-] [-any-] Apple-iOS

[-any-] Android [-any-] [-any-] Android

[-any-] Chrome [-any-] [-any-] Chromebook

HiveManager - SSID and Network Policy Next you configure a single self-registration private PSK SSID and assign the RADIUS server profile to your BR200-WP (along with the 100 RADIUS user accounts you associated with that profile in a previous step). The SSID references a captive web portal requiring user authentication and has Client Management enabled. You also configure the various user profiles that you want to apply to traffic for different types of client devices. 1. In the Configuration section of HiveManager, choose the network policy that applies to the Aerohive router and APs on your network, and then click OK. 2. Click the Choose button in the SSIDs section of the Configure Interfaces & User Access panel, and then click New in the Choose SSIDs dialog box. In the New SSID dialog box, enter the following, leave the other settings as they are, and then click Save: Profile Name: Corp-Connect SSID: Corp-Connect (automatically appears after you enter the SSID profile name) Private PSK: (select) Set the maximum number of clients per private PSK: (select, and enter 1) Enable Self-Registration to request a Private PSK: (select) Enable Client Management: (select) Allow users to register themselves on this SSID (Corp-Connect): (select; you can only select this option after enabling Client Management) Registration Key: Conn3ct! (This is a PSK that all users enter when initially associating with the SSID.) 3. After saving the configuration, the Choose SSIDs dialog box reappears with Corp-Connect highlighted. To add that SSID profile to the network policy, click OK. The following links appear in the Authentication column to the right of the Corp-Connect SSID profile: Client Management: This is a link to the Client Management login on the landing page of your MyHive account. You will return to this later to log in to Client Management and create a list of company-isued clients and several client profiles.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 110 New and Enhanced Client Management Features

: Click it, highlight Client-Mgt-PPSK in the Local User Groups dialog box that appears, and then click OK. HiveManager will send the private PSK users in the selected user group to all devices to which you apply the network policy. : Click it, highlight the host name of the BR200-WP router, and then click OK. This sets the selected BR200-WP as the private PSK server for this SSID. : Click it, and then click New in the Choose CWP dialog box. In the New Captive Web Portal dialog box that appears, enter the following, leave the other settings as they are, and then click Save: Name: Self-Reg-PPSK-CWP Expand the Captive Web Portal Login Page Settings section, and then select Authentication for the Private PSK Server Registration Type. 4. After defining a captive web portal that requires user authentication, a link appears below Self-Reg-PPSK-CWP. Click the link, highlight BR200-WP-RADIUS, and then click OK. 5. In the User Profile column, click Add/Remove. In the Choose User Profiles dialog box that appears, highlight Other-Clients(100) in the Default tab, select Enable user profile reassignment based on client classification rules at the bottom of the dialog box, and then click Save. 6. Click Edit for Additional Settings, expand Router Settings, choose Client-Mgt-RADIUS-Server from the RADIUS Service drop-down list, and then click Save. 7. To access the Client Management system to create client profiles for Apple iOS, Android, and Chromebook clients, click Client Management in the Authentication column for the Corp-Connect SSID. A new browser window opens to the myhive.aerohive.com login page. After logging in, you can navigate to the Client Management interface and continue with the configuration described next.

Client Management - Company-Issued Client List In the Client Management system, you import a list of MAC addresses of all the Apple Mac OS client devices that the company has issued to users. 1. Create an .xls or .xlsx spreadsheet with a list of the company-issued Mac OS client MAC addresses and save the file to a local directory. The file must have the words "MAC Address" at the top of the spreadsheet and the MAC addresses must be 12 or 17 characters (0 - 9, a - f, A - F) long, formatted with colons ( : ) or dashes ( - ), or without any delimiters, and entered singly one MAC address per line.3

Note that "MAC Address" appears in the first line. This is required. If you omit this, Client Management will reject the file for having an invalid format.

The three entries demonstrate the three ways that you can format MAC addresses in the spreadsheet.

2. Log in to MyHive, and then click go! to enter the Client Management GUI. 3. Click Configuration > Company-Issued Devices > Import, click Upload a file, navigate to the .xls spreadsheet that you just created, select it, and then click Save. 4. When prompted, confirm the importation of the list. Client Management replaces any previously existing list of MAC addresses with the new one.

3. Client Management provides a template in .xlsx format for importing MAC addresses. To download it, click Configuration > Company-Issued Devices > Import > Download the XLS Template. Because the file download does not work with Internet Explorer, use a Chrome or Firefox browser instead.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 111 New and Enhanced Client Management Features

When Mac OS clients associate with an Aerohive device hosting the registration SSID, the Aerohive device first redirects them to a captive web portal to register and then to the Client Management portal to enroll. During this process, the Aerohive device uses DHCP fingerprinting and HTTP user agent values to detect their operating system and assign them to user profile 600. After the clients enroll and then connect to the access SSID with their private PSK, the Aerohive device communicates through HTTPS with Client Management at onboard-gw.aerohive.com (198.46.48.1). Client Management checks its list of company-issued devices and reports back if the client MAC address is in its list. If Client Management reports that a client is in the list of company-issued clients, the Aerohive device continues applying user profile 600. If the client MAC address is not in the list, then it must be a privately owned client. Client Management notifies the Aerohive device of the client ownership type, and the Aerohive device reassigns it to user profile 500. In return, the Aerohive device sends an update to Client Management so that it can assign the client profile for attribute 500.

Client Management - Client Profiles You configure three client profiles—one for Apple iOS clients, one for privately owned Mac OS clients, and another for Android clients (Chromebook does not support client profiles yet)—and link them to the corresponding user profiles you created in HiveManager. For illustrative purposes, each client profile will perform a simple task: The Apple iOS client profile adds a web clip to the mobile version of the HiveManager Help system to the Home screen: www.aerohive.com/330000/docs/help/english/6.1r3/hm/mobile/help.htm. The Apple Mac OS client profile adds a web clip to www.aerohive.com/techdocs to the Home screen. The Android client profile disables the camera.

Apple iOS Client Profile

You configure a client profile for Apple iOS clients that adds a web clip to their Home screen. 1. Click Configuration > Client Profile > New, and then enter the following: Name: Apple-iOS-CP User Profile Attribute Number: 200 Organization: Enter the name of your organization. Security: Choose one of the options determining if users can remove the profile from their client devices and, if it is permitted, whether they must enter a password or not. (The password option is a good choice if you want to restrict the ability to remove the profile to administrators who know the password.) In the Profile Lifetime on Client Devices section, define whether you want the client profile to remain on client devices indefinitely or be automatically removed after a specified length of time after they leave the network. The automatic deletion option only removes the client profile, not the enrollment profile and Wi-Fi configuration. A client profile can contain restrictions (like disabling the camera) that users would only be willing to accept while their clients are on the network; when they are elsewhere, they would want such restrictions lifted. On the other hand, always keeping the enrollment profile and Wi-Fi configuration on a client is convenient because it allows users to return to the network without re-enrolling. After users do return, Client Management automatically reinstalls the client profile. For Apple iOS clients, you can define a profile controlling the availability and functionality of features in the following categories (those marked with the Apple logo are only available for Apple devices):

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 112 New and Enhanced Client Management Features

2. Click Web Clips > Add a Web Clipping, enter the following, and then click Save: Label: Aerohive Docs URL: http://www.aerohive.com/330000/docs/help/english/6.1r3/hm/mobile/help.htm Options: Removable: (select) Precomposed Icon: (select) Full Screen: (clear)

Apple Mac OS Client Profile

You configure a client profile for Apple Mac OS clients that adds a web clip that links to Aerohive product documentation to their Home screen. Aerohive devices apply this client profile only to Mac OS devices that are not in the list of company-issued client MAC addresses. 1. Click Configuration > Client Profile > New, and then enter the following: Name: Apple-Mac-OS-CP User Profile Attribute Number: 500 Organization: Enter the name of your organization. Set the same security and profile removable options that you set for the Apple-iOS-CP client profile or change them for Mac OS clients if you like. 2. Click Web Clips > Add a Web Clipping, enter the following, and then click Save: Label: Aerohive Docs URL: http://www.aerohive.com/techdocs Options: Removable: (select) Precomposed Icon: (select) Full Screen: (clear)

Android Client Profile

You configure a client profile for Android clients that disables their camera. 1. Click Configuration > Client Profile > New, and then enter the following: Name: Android-CP User Profile Attribute Number: 300 Organization: Enter the name of your organization. Set the same security and profile removable options that you set for the Apple-iOS-CP client profile or change them for Android clients if you like. 2. Click Restrictions, and then toggle the Enforce Restrictions setting from Off to On by clicking it. 3. Click Common, which shows the restrictions that Client Management can apply to both iOS and Android clients, clear Allow use of camera, and then click Save.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 113 New and Enhanced Client Management Features

HiveManager - Uploading the Configuration Finally, you enable the BR200-WP to function as a RADIUS server and upload a complete configuration from HiveManager to your BR200-WP and APs. 1. Return to the network policy you were previously configuring in HiveManager, and click Continue to save the settings in the Configure Interfaces & User Access panel and advance to the Configure & Update Devices panel. 2. Click the host name of your BR200-WP to view its device settings page, expand the Service Settings section, select Enable the router as a RADIUS Server, and then click Save. HiveManager automatically returns to the Configure & Update Devices panel. 3. Select your APs and upload a complete configuration and all the necessary files (select the following): Upload and activate configuration Upload and activate web portal pages and server key Upload and activate certificates for RADIUS and VPN services Upload and activate employee, guests, and contractor credentials 4. After all the APs have been updated, perform the same complete configuration and file upload to the BR200-WP. 5. To test the configuration, connect to the network using all the various wireless clients and ensure that they are assigned to the correct user profiles and, for the Apple iOS, BYOD Mac OS, and Android clients, that Client Management installs the proper client profiles on them after they enroll. You will need to use one of the RADIUS user names when registering on the captive web portal.

Connecting, Registering, and Enrolling The following illustrations show the experience for users connecting to the private PSK SSID initially using conn3ct! as their (public) PSK, registering through a captive web portal, enrolling their clients, and then reconnecting to the SSID using their unique private PSKs.

SSID: Corp-Connect AP RADIUS server and private 1 2 AP PSK self-registration server Password: Conn3ct! New ->

New browser page -> AP121 captive web portal BR200-WP RADIUS

The user chooses Corp-Connect The user opens a new browser page The user submits a user name and enters the Registration and is redirected to a captive web and password, which the router Key Conn3ct! when prompted. portal on the BR200-WP router. looks up on its RADIUS server.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 114 New and Enhanced Client Management Features

To the Captive Enroll- Client Management Settings Wi-Fi 3 cluster 4 network... web -> ment √ Corp-Connect > portal page

AP Router HTTPS to the enrollment page

Private PSK The user can now access HTTPS: Enrollment profile the network. APNS or Notification GCM Depending on the type of client OS, HTTPS: Wi-Fi configuration with private PSK the client either automatically switches from the registration key During the enrollment process, to its unique private PSK, or the Client Management installs the user manually disconnects from the The router then redirects the enrollment profile on the client and SSID and then reconnects to the client to the enrollment page notifies it through APNS or GCM same SSID using a private PSK. For on the Client Management (Google Cloud Messaging) to download some clients, Client Management cluster and sends the private and install the Wi-Fi configuration, also notifies it to download and PSK to the cluster. which contains the private PSK. install a client profile.

TThe specific steps in the enrollment process differ depending on the client operating system. Each process is described below so you can explain the process to your network users and assist them when questions arise.

Apple iOS Clients The following is the association, registration, authentication, and enrollment process for Apple iOS client devices like iPhones and iPads. 1. Tap Settings > Wi-Fi > Corp-Connect, enter Conn3ct! for the password when prompted, and then tap Join. 2. Launch the Safari browser and open a new web page. The Aerohive device hosting the SSID redirects the HTTP GET to the login page of the captive web portal on the BR200-WP mgt0 interface in a subnet of the management network (172.18.0.0/16 in this example). 3. Enter your RADIUS user name and password and then tap Log In. These must be the credentials for one of the user accounts in your RADIUS server database. After you successfully register, the BR200-WP redirects the browser to the Client Management enrollment page. 4. If prompted to specify device ownership, tap Personal Devices, tap View and agree to the terms of use to read them and then, after closing the Terms of Use pop-up window, tap the check box to accept them, and then tap Enroll My Device. The Client Enrollment server downloads an enrollment profile to your device. 5. To install the downloaded enrollment profile, tap Install. 6. Read the warning message that the device displays, and then tap Install to continue with the installation.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 115 New and Enhanced Client Management Features

7. Enter your passcode when prompted, and when the Profile Installed page appears, tap Done. The device returns to the Client Management enrollment page, where the Client Management server checks the enrollment status. It then downloads and installs a Wi-Fi configuration for connecting to the access SSID on the client device and checks the Wi-Fi profile. Finally, it does a network check. When done, a green check mark appears indicating that the enrollment was successful, but there is also a note stating that the client was unable to reconnect to the SSID automatically and directs you to reconnect manually. 8. Tap Settings > Wi-Fi, and turn off Wi-Fi and then turn it back on. Tap Corp-Connect if the device does not automatically join it. The device is no longer using the PSK "Conn3ct!" but its unique private PSK that it obtained in the Wi-Fi configuration.

If the client automatically connects to an SSID after enrollment, make sure it is the access SSID. If it automatically connects to a different SSID, manually change it back to access SSID.

9. Return to the browser and begin accessing network resources as permitted by the firewall in the user profile assigned to you. 10. Check that the Apple-iOS-CP client profile, which you created in the previous example, is installed by looking in Settings > General > Profiles. Also, check that the Aerohive docs web clip is on your Home screen and that it opens http://www.aerohive.com/techdocs when you tap it.

You can see the installed profiles in Settings > General > Profiles.

After an iOS client enrolls, Client Management installs the three profiles shown to the left on the client device.

Note that the organization name for the enrollment and Wi-Fi configuration profiles is "Aerohive Networks" and cannot be changed. However, the name for the client profile (Apple-iOS-CP) is "Hexa". This is the name set as the organization in the client profile definition. It will be used as an example in "Modifying the Client Management Portal Pages" on page 122.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 116 New and Enhanced Client Management Features

TTroubleshooting

If the iOS client cannot complete the enrollment process, check if both the enrollment profile and Wi-Fi configuration profile are in the Settings > General > Profiles directory. If you see both profiles, try turning off Wi-Fi, turning it back on again, and then reconnecting to Corp-Connect. If your client can reconnect without prompting you for a password and if it automatically downloads and installs the Apple-iOS-CP client profile, then you have completed the enrollment process successfully. If that does not happen, follow the steps below. If you see only the enrollment profile in Settings > General > Profiles—or if you saw two profiles and tried reconnecting to the SSID as explained in the preceding paragraph—then do the following to remove it, forget the Wi-Fi network (if your client is still connected to it): 1. Tap Settings > General > Profiles > Enrollment Profile > Remove, confirm the removal, and enter your passcode. Removing the enrollment profile automatically removes any other profiles as well. 2. Tap Settings > Wi-Fi > (i) for Corp-Connect > Forget this Network, and then confirm your action by tapping Forget. 3. Tap Wi-Fi to see the SSID list again, and then tap Corp-Connect, enter Conn3ct! for the password when prompted, and then tap Join to begin the enrollment process again. If the iOS client automatically connects to a different SSID after enrollment instead of to the access SSID, manually change it back to access SSID.

Apple Mac OS Clients The following is the association, registration, authentication, and enrollment process for Apple Mac OS client devices like MacBook Pro and MacBook Air. A client profile for Mac OS devices was created for privately owned clients in the preceding example. For company-issued Mac OS clients, no client profile was created or assigned. Even without providing a client profile, a benefit of the Client Management enrollment process is that it allows users to configure their own MacBooks without any IT involvement. 1. Tap Settings > Wi-Fi > Corp-Connect, enter Conn3ct! for the password when prompted, and then tap Join. 2. Launch the Safari browser and open a new web page. The Aerohive device hosting the SSID redirects the HTTP GET to the login page of the captive web portal on the BR200-WP mgt0 interface in a subnet of the management network (172.18.0.0/16 in this example). 3. Enter your RADIUS user name and password and then click Log In. These must be the credentials for one of the user accounts in your RADIUS server database. After you successfully register, the BR200-WP redirects the browser to the Client Management enrollment page. 4. If prompted to specify device ownership, select Company-Issued Devices, click View and agree to the terms of use to read them and then, after closing the Terms of Use pop-up window, select the check box to accept them, and then click Enroll My Device. The Client Enrollment server downloads an enrollment profile to your device. 5. To install the downloaded enrollment profile, click Continue in the confirmation dialog box that appears, read the warning message that the device displays, and then click Install to continue with the installation. 6. Enter your password when prompted. The device installs the enrollment profile, which you can see in the Profiles dialog box, which is still open. At the same time, the Client Management server checks the enrollment status.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 117 New and Enhanced Client Management Features

It then downloads and installs a Wi-Fi configuration profile for connecting to the access SSID on the client device and checks the Wi-Fi profile. The Mac OS device then automatically reconnects to the SSID with its unique private PSK obtained in the Wi-Fi configuration download, and redirects the browser to the URL set in the Client Management portal configuration.

If you use an Apple client running OS X 10.9, you might need to connect to the SSID manually after the profiles are successfully installed. If your client does automatically connect to an SSID after enrollment, make sure it is indeed the access SSID. If it automatically connects to a different SSID, manually change it back to access SSID.

After the Mac OS clients reconnect, the Aerohive device contacts Client Management through HTTPS. Client Management returns the ownership type for the clients. In return, the Aerohive device updates Client Management on their user profile assignments—500 for privately owned devices and 600 for company-issued devices. When a client is privately owned, Client Management sends the Aerohive device the client profile with the matching attribute number: 500 (Apple-Mac-OS-CP). 7. Return to the browser and begin accessing network resources as permitted by the firewall in the user profile assigned to you.

Troubleshooting

If the Mac OS client cannot complete the enrollment process, remove any installed profiles and repeat the enrollment process. 1. Click System Preferences > Profiles, select Enrollment Profile, click the Remove icon ( - ) in the lower left corner of the Profiles dialog box, and then confirm the removal. Removing the enrollment profile automatically removes any other profiles as well. 2. From the System Preferences window, click Network. To force the client to you the registration key Conn3ct! instead of the private PSK that if might have stored in memory for the Corp-Connect SSID, choose Join Other Network from the Network Name drop-down list, and then enter the following: Network Name: Corp-Connect Security: WPA2 Personal Password: Conn3ct! 3. Click Join to begin the enrollment process again. If the Mac OS client automatically connects to a different SSID after enrollment instead of to the access SSID, manually change it back to access SSID. When you manually change SSIDs in this manner and the configuration reassigns user profiles based on device ownership, the AP might not perform the user profile reassignment but instead assign the default user profile. If that occurs, you must remove the enollment and Wi-Fi configuration profiles from the client and enroll it again.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 118 New and Enhanced Client Management Features

Android Devices Before starting, Android users must change a security setting to allow the installation of unknown apps and cancel the verification of apps before their installation. This allows them to download and install the Aerohive Client Manager app from the Client Management portal during the enrollment process. Tap the All Apps icon > Settings > Security, clear the Verify apps check box, select the Unknown sources check box, and when the pop-up warning message appears, tap OK to confirm the settings change. When it is time to join the network, perform the following steps: 1. Tap the All Apps icon > Settings > Wi-Fi > Corp-Connect, enter Conn3ct! for the password when prompted, and then tap Connect. 2. Launch a Chrome or Firefox browser and open a new web page. The Aerohive device hosting the SSID redirects the HTTP GET to the login page of the captive web portal on the BR200-WP mgt0 interface in a subnet of the management network (172.18.0.0/16 in this example). 3. Enter your RADIUS user name and password and then tap Log In. These must be the credentials for one of the user accounts in your RADIUS server database. After you successfully register, the BR200-WP redirects the browser to the Client Management enrollment page. 4. To download and install the Aerohive Client Management app for Android devices, tap Download the app. If you are prompted to continue with the download, tap OK. 5. Navigate to the Aerohive Client Management app in All Apps > Downloads, and then tap CMClient-1.apk. 6. After reading the first section about the app, tap Next to see the next part. When ready, tap Install. 7. After you finish installing the app on the device, tap Done, and then return to the Client Management enrollment page in your browser to continue enrolling your client device. 8. If prompted to specify device ownership, tap Personal Device, tap View and agree to the terms of use to read them and then, after closing the Terms of Use pop-up window, tap the check box to accept them, and then tap Enroll My Device. 9. To install the downloaded enrollment profile, tap Install. 10. Read the warning message that the device displays, and then tap Activate to continue with the installation. The Client Management server checks the enrollment status and installs the Wi-Fi configuration profile on the client. When done, a green check mark appears indicating that the enrollment was successful. The Android device then automatically reconnects to the SSID with its private PSK obtained in the Wi-Fi configuration download, and redirects the browser to the URL set in the Client Management portal configuration. Finally the device automatically downloads and installs its client profile, which in the preceding example is Android-CP. 11. You can see that all three profiles are installed on the client device by tapping the Aerohive CM app.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 119 New and Enhanced Client Management Features

You can see the installed profiles in Apps > Aerohive CM.

After an Android client is enrolled, the three profiles shown to the left will be installed on the client device.

Note that the organization name for the enrollment and Wi-Fi configuration profiles is "Aerohive Networks" and the name for the client profile (Android-CP) is "Hexa". This is the name set as the organization in the client profile definition. It will be used as an example in "Modifying the Client Management Portal Pages" on page 122.

12. To check that the client profile is functioning properly, try to use the camera on the device. When you do, a message such as the following appears: Camera error Camera has been disabled because of security policies.

Troubleshooting

If the Android client cannot complete the enrollment process, remove the Aerohive CM app and the CMClient-1.apk (application package) file and repeat the enrollment process. 1. To enable the removal of the app, tap the All Apps icon > Settings > Security > Device administrators, clear the check box next to Aerohive CM, and then tap Deactivate in the Device administrator dialog box that appears. 2. Tap Security > Settings > Apps > Aerohive CM, and then tap Uninstall. 3. Tap the All Apps icon > Downloads, tap the check box for CMClient-1.apk, and then tap the trash can icon in the upper right corner. 4. Tap Settings > Wi-Fi > Corp-Connect, enter Conn3ct! in the Password field, and then click Connect to begin the process again.

Chromebook Devices The following is the enrollment process for Chromebook devices. Note that although there is no client profile for Chromebook client devices, you can use the Client Management enrollment process to delegate the wireless configuration of client devices to the users themselves. 1. On your Chromebook client, open the Chrome browser, and enter chrome://settings in the address field. 2. In the Internet connection section, click Wi-Fi network, click Corp-Connect in the SSID list that appears, click Connect, enter Conn3ct! in the Password field, and then click Connect. 3. Open a new browser page in Chrome and enter any URL, such as www.aerohive.com, in the address field.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 120 New and Enhanced Client Management Features

The Aerohive device hosting the SSID redirects the HTTP GET to the login page of the captive web portal on the BR200-WP mgt0 interface in a subnet of the management network (172.18.0.0/16 in this example). 4. Enter your RADIUS user name and password and then click Log In. These must be the credentials for one of the user accounts in your RADIUS server database. After you successfully register, the BR200-WP redirects the browser to the Client Management enrollment page. 5. If prompted to specify device ownership, select Personal Device, click View and agree to the terms of use to read them and then, after closing the Terms of Use pop-up window, select the check box to accept them, and then click Enroll My Device. 6. To install the downloaded enrollment profile, click Add in the Add to Chrome extension installation dialog box that appears. Chromebook adds the Aerohive Client Management extension and then opens the chrome://net-internals/#chromeos page. After that, Client Management generates the ONC (Open Network Configuration) file. 7. Follow the onscreen instructions to import the ONC file: Click Choose File in the Import ONC File section and then double-click the Chrome.onc file to load it. After you load the file, Chromebook automatically returns to the Client Management portal page. If it can, Chromebook automatically disconnects its wireless connection to the Corp-Connect SSID and then reconnects using the unique private PSK it obtained from the Wi-Fi configuration profile. If Chromebook cannot do that automatically, the portal displays a message directing you to disable and re-enable Wi-Fi manually and then reconnect to the Corp-Connect SSID. You can carry out these tasks in the Internet Connection section of the chrome://settings page.

Troubleshooting

If there is a firewall with strict outgoing rules to the Internet or a web filtering service enforcing access to a limited set of URLs, make sure that it allows Chromebook clients to download the Aerohive Client Management extension from the following URL: https://chrome.google.com/webstore/detail/aerohive-client-management/nijgbknbhcokgcaifonlbop aldobcilp If the client cannot complete the enrollment process, remove the Aerohive Client Management extension from the chrome://extensions page and the Chrome.onc file from the Downloads folder, and repeat the enrollment process. 1. Open the Chrome browser, navigate to chrome://extensions, and then click the trash can icon for the Aerohive Client Management extension. 2. Navigate to chrome://downloads, click Open downloads folder, select the Chrome.onc file from the downloads list, and then click the trash can icon in the lower right corner. 3. Navigate to chrome://settings, click Wi-Fi network, and the click Disable Wi-Fi. 4. Click Corp-Connect, and in the dialog box that appears, clear Automatically connect to this network, and then click Disconnect. 5. Click Wi-Fi network > Corp-Connect > Configure, enter Conn3ct! in the Password field, and then click Connect to begin the process again.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 121 New and Enhanced Client Management Features

Windows and Other Client Types When a Windows client or any client other than Apple, Android, or Chromebook connects to the Corp-Connect SSID, the user experiences the same wireless connection and captive web portal registration process. After successfully registering, their private PSK is displayed on screen. Users must then copy the private PSK string. Disconnect from Corp-Connect, and then paste the string when prompted for a password when reconnecting to the Corp-Connect SSID.

Modifying the Client Management Portal Pages When users enroll with Client Management, they access the GUI pages on the portal. You can control how the enrollment, welcome, and device ownership modification GUI pages appear to them by changing the logo, graphics, and text, and preview how your changes will look in either a horizontal or vertical orientation. 1. In Client Management, click Configuration > Client Management Portal to see the current Client Management portal settings. 2. To change the logo and the horizontal and vertical background images, click Upload a file, navigate to and select the file that you want to use, and then click Open. Note the recommended file dimensions listed for each image and make sure that the files you upload conform to these dimensions. 3. You can change the URL to which Client Management redirects enrolled clients and the text used in many of the various fields, in the terms of agreement, and the welcome message in the following section of the page. When modifying the welcome message, you can insert variables for information drawn from the client and its enrollment and Wi-Fi configuration profiles. You can use one or more of the five choices shown as blue buttons below the Welcome Message text field. Simply move your cursor to the place in the message where you want to insert the variable, and then click the appropriate button.

4. To preview the pages with your modifications, click Preview at the bottom of the page. You can view the enrollment, welcome, and modification pages in either horizontal mode by clicking the different options in the panel on the right. The image below shows the enrollment page after it was modified.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 122 New and Enhanced Client Management Features

Monitoring and Managing Clients You can get a high-level view of all the enrolled clients and their ownership (company-issued or privately owned), OS types and versions, device models, and device types (phone, tablet, or computer) through the dashboard on the Home page.

To view a list of all the clients and details about them in the Client Management GUI, see Monitor > Clients. From this page, you can take the following actions:

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 123 New and Enhanced Client Management Features

Lock client devices. You can lock selected client devices. If a passcode is enabled on a device when you perform this operation, the user must enter it to regain access to the device. Clear passcodes from selected devices. This operation clears the passcode for a device. It is useful if a user forgets it and cannot access the device. Erase client data from a device. This operation removes all data from selected devices. Note that it can only be applied to company-issued devices. (Exercise great caution before performing this operation.) Unenroll clients (which is useful for clearing away inactive clients to free up licenses for other clients). This operation removes enrollment, Wi-Fi configuration, and client profiles and related certificates installed on the selected client devices and from the Client Management cluster database. Release them. This deletes entries for selected clients from the Client Management cluster database. You can use this operation to resolve any client status mismatch that might arise between the database and a client. You can also see detailed information about individual clients by clicking the client host name. Using an HTTP Proxy If clients must access the public network through an HTTP proxy server, they must be configured with the HTTP proxy connection settings. If a client device does not have the proper settings and—in cases where authentication is required—the valid credentials to access the proxy server, they will be unable to reach the public network. You can configure Client Management to provide HTTP proxy settings—or provide a URL where a profile with the settings is stored so that the client can get them from there—in the Wi-Fi configuration profile that it downloads to clients.

When clients first enroll, they must reach the Client Management server before they have their Wi-Fi configuration with their HTTP proxy settings. To allow them to reach Client Management initially, open outbound HTTPS traffic through your firewall from the internal network to onboard-gateway.aerohive.com.

If there is an HTTP proxy server between the clients and the public network, configure HTTP proxy settings for them by clicking Configuration > Client HTTP Proxy > New, entering the following, and then clicking Save: SSID: Enter the name of the SSID to which you want to link the HTTP proxy server configuration. Whenever Client Management creates a Wi-Fi configuration profile for this SSID, it will also include the HTTP proxy settings as part of it. Mode: Choose either Manual to define the proxy server settings as part of the Wi-Fi configuration profile or choose Auto and specify a URL where clients can retrieve the proxy server settings themselves. If you choose Manual, enter the following: Server: Enter the IP address or domain name of the proxy server Port: Enter the port number on which the proxy server listens for traffic. Enable Authentication: If the proxy server requires user authentication, select the check box. If not, leave it cleared. User name: Enter the user name that clients include when sending HTTP traffic to the proxy server. Password: If the proxy server requires user authentication, enter the password associated with the user name. If you choose Auto, enter the following: Proxy Server URL: Enter the URL where the PAC (proxy automatic configuration) profile is hosted. The PAC profile automatically assigns proxy server settings to the client.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 124 New and Enhanced ID Manager Features

New and Enhanced ID Manager Features

Major new and enhanced features in ID Manager are covered in detail in the following sections.

Audit Log Enhancements With this release, the ID Manager audit log now shows when an admin account has been created or deleted in the MyHive as well as in ID Manager directly. This information appears in the audit log as shown in this example:

Email and Print Template Customization This release of ID Manager allows you to customize the email and print credential notification template by linking to a custom logo. Use the following guidelines for linked images for best results: • The recommended size for linked logo images is 300 pixels wide by 100 pixels high, however anything that is not wider than 600 pixels should display properly on all but the smallest phone screens. Anything taller than 100 pixels may cause the screen to be divided into two pages, so Aerohive recommends keeping the height to 100 pixels or less. (Smartphone resolution ranges from 240 x 320 up to 1024 x 768 pixels.) • Image resolution must be 72 dpi, which is the color mode for optimal web display is RGB, and the preferred file formats are JPEG, PNG, or GIF, depending on the image. Typically, JPEG files work. The RGB format (red, green, and blue) provides the best on-screen display quality, because monitor screens display using these three colors. Images that are printed on paper use the CMYK (cyan, magenta, yellow, and black) format. In many cases, a printout will look identical to what is displayed on a screen, but there might also be noticeable differences in the colors. To avoid display issues, make sure you always use RGB for images that will be displayed on a screen. JPEG (.jpg) is best for photos when you need to keep the file size small and do not mind giving up some quality for a significant reduction in size. JPEG is not suitable for images with text, large blocks of color, or simple shapes, because crisp lines will blur and colors can shift.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 125 New and Enhanced ID Manager Features

Use PNG (.png) when you need smaller file sizes with no loss in quality. PNG supports alpha transparency (soft edges) and was developed to be a web graphics replacement for GIF. Use GIF (.gif) for simple web graphics with limited colors. GIF files are always reduced to 256 or less unique colors and they produce very small, fast-loading graphics for the web. GIF works well for buttons, charts or diagrams, cartoon-style images, banners, text headings, and small, compact web animations. Do not use GIF for photos. The image area for logos is fixed at 270 x 70 pixels, so make sure your logo image does not exceed these measurements.

Wired Support for ID Manager on BR200 Routers This release adds support for wired connections through Aerohive BR200 routers. Previously, ID Manager was supported only for wireless access through an SSID. Now you can grant individual guest privileges for either (or both) wireless and wired access. Authentication for both wireless and wired access can be granted using a user name and password, while the wireless authentication methods remain Private PSK or open access.

Customized Registration UI

This release introduces the capability to customize the registration page that appears on your kiosk. You can now link to custom logos and background images. For the best quality display, consider the following guide- lines for logo and background images: • Image resolution must be 72 dpi, the color mode for optimal web display is RGB, and the preferred file formats are JPEG, PNG, or GIF, depending on the image.Typically, JPEG files work The RGB format (red, green, and blue) provides the best on-screen display quality, since monitor screens display using these three colors. Images that are printed on paper use the CMYK (cyan, magenta, yellow, and black) format. In many cases, a printout will look identical to what is displayed on a screen, but there might also be noticeable differences in the colors. To avoid display issues, make sure you always use RGB for images that will be displayed on a screen. JPEG (.jpg) is best for photos when you need to keep the file size small and don't mind giving up some quality for a significant reduction in size. JPEG is not suitable for images with text, large blocks of color, or simple shapes, because crisp lines will blur and colors can shift. Use PNG (,png) when you need smaller file sizes with no loss in quality. PNG supports alpha transparency (soft edges) and was developed to be a web graphics replacement for GIF. Use GIF for simple web graphics with 256 or fewer colors. GIF files are always reduced to 256 unique colors or less and they produce very small, fast-loading graphics for the web. GIF works well for buttons, charts or diagrams, cartoon-style images, banners, text headings, and small, compact web animations. Do not use GIF for photos. • The image area for logos is fixed at 270 x 70 pixels, so make sure your logo image does not exceed these measurements. • The recommended background image size is 750 x 750 pixels. Larger images may work, but be sure not to exceed the resolution limits of the device you are using as a kiosk. Standard resolution for most tablets is about 1024 x 600 pixels. • Make sure the colors you select will provide enough contrast for adequate display. For example, dark text will not display clearly against a dark, or very busy background image. To customize your registration page, navigate to Configuration > ID Manager Settings > Registration UI. Enter the following information in the Background and Logo section, and then click Save. Logo Image: Browse for the desired logo image. Make sure the image conforms to the recommended size (270 x 70 pixels).

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 126 Using the Mobile Help System

Background Image: Browse for the desired background image. Consider the recommendations listed above for background images (for example, your background image must be 750 x 750 pixels or smaller, saved in the RGB color mode, and must be a 72 dpi JPEG (.jpg), PNG (.png) or GIF (.gif) file.

Using the Mobile Help System

To view the 6.1r3 HiveManager Help system, you can scan the QR code below with your mobile device or click on the link below.

To view and bookmark the 6.1r3 HiveManager Help system on a traditional monitor, click the link below. If clicking the link does not work, you can simply copy the text of the link, paste it into your browser address bar, and then press Enter. http://www.aerohive.com/330000/docs/help/english/6.1r3/hm/mobile/help.htm

Working Around Insufficient Viewing Space When using a laptop at a remote location, it is often inconvenient to open the Help system in your browser at the same time that other necessary applications are running because it is difficult to view them simultaneously. Although switching between task windows is as simple as pressing a key combination, it is often impractical to do so. This inconvenience also occurs even where there are multiple monitors, in particular during troubleshooting when you need to monitor several devices or systems without interruption. By using a smart phone or Internet-accessible device, you can view a mobile-friendly version of the Help system without obscuring the information you are viewing or monitoring.

Researching Features without Bulky Hardware Mobile devices are becoming a common platform for viewing documentation. While many documents are easily viewable or custom made for mobile devices, help documentation tends not to be. Aerohive provides the HiveManager 6.1r3 Mobile Help system so that you can research Help topics and features comfortably without having the burden of requiring that you carry around—and make space for—a laptop computer in places such as book stores, cafés, coffee shops, and restaurants.

Researching Features While You Travel You can also use the HiveManager Mobile Help system to research topics while you travel. Whether you are on a plane or a passenger in a vehicle, you can find information as easily as navigating to a website.

Ad Hoc Access to Information The Aerohive Mobile Help system allows you to access information quickly in the event that you need the information right away. For example, in meetings with management, auditors, or customers, questions arise about functionality, which can now be answered quickly and easily without the need to contact others or seek information elsewhere.

Readable Mobile Format

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 127 Using the Mobile Help System

As Aerohive continues to fold documentation that was previously rendered in .pdf format into the online Help system, the ability to view it online without special readers or having to zoom into pages becomes a great advantage. Because the online Help system is specifically formatted to be rendered on a mobile device, the only time that you might need to zoom is to see illustration details.

Customizing Access Using Folders You can also bookmark a number of Help topics and store them on your mobile device desktop as shortcuts or app icons in a container such as a folder. This provides quick access to your most used Help topics.

© 2014 Aerohive Networks, Inc. Aerohive is a U.S. registered trademark of Aerohive Networks, Inc. P/N 330107-01, Rev. B

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 128 Aerohive 6.1r2 New Features Guide

Aerohive 6.1r2 New Features Guide

This guide describes the new features and feature enhancements introduced in the HiveOS and HiveManager 6.1r2 releases, ID Manager September 2013 release, and StudentManager 1.1r4 release.

New Hardware Platform SR2024P: This release introduces the SR2024P switch to the Aerohive SR2000 series switches that provide wired network access. The SR2024P model features PoE support on all 24 ports using the same power budget as the SR2024 plus four 1 Gigabit SFP/SFP+ uplink ports. The SR2024P switch can also operate as a router with full Aerohive router functionality.

New Features and Feature Enhancements

Several new features and feature enhancements have been introduced in the 6.1r2 release. You can read summaries of these features and enhancements below. Major features are covered in more detail in individual sections later in this guide. For more information about known and addressed issues for the HiveOS and HiveManager 6.1r2 releases, ID Manager September 2013 release, and StudentManager 1.1r4 release, refer to the corresponding Aerohive Release Notes. The following are the new features and feature enhancements in the HiveOS and HiveManager 6.1r2 releases. Support of IEEE 802.11ac: Aerohive supports the first wave of IEEE 802.11ac technologies, features, and data rates. See "IEEE 802.11ac" on page 132. Enhancements to Applications Visibility and Control (AVC): A number of enhancements have been made to the Applications Visibility and Control (AVC) feature, including auto discovery of applications by usage, the ability to create custom applications, support for the Microsoft Lync application, and the ability to disable AVC: Auto Discovery of Applications: This release significantly enhances the Application Auto Discovery feature by adding new widgets that automatically present the top applications based on usage out of the box. In 6.1r2, this feature now supports drill down capabilities. In addition, you can add up to seven applications to an applications watchlist as well as create individual watch lists for each virtual HiveManager (VHM). See "Auto Discovery of Applications" on page 137. Custom Applications: In addition to the more than 700 system defined applications, in 6.1r2 you can define custom applications that can be detected with the auto discovery feature and that you can add to the applications watchlist or to QoS and firewall policies. Custom applications, used for proprietary or hosted applications, incorporate rules that are defined by IP addresses, TCP or UDP ports as well as by HTTP and HTTPS host names. In addition, these custom applications can be viewed from the Dashboard. See "AVC Support for Custom Applications" on page 138. Support for Microsoft Lync: This release adds support of the Microsoft Lync suite of products as a system-defined application. See "AVC Support for Microsoft Lync" on page 140. Disabling AVC: Super users (in on-premises HiveManager) now have a system-wide way to disable or enable the Application Visibility and Control Settings for all VHMs. See "Disabling AVC" on page 141. Enhancements to Captive Web Portals: In this release, the captive web portals include the collection of client information during authentication and information to determine the Aerohive device to which a captive web portal client is associated:

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 129 New Features and Feature Enhancements

Collecting Client Information from Captive Web Portals: You can now collect information submitted by the user as part of the authentication and acceptance of the terms of use when a user authenticates to a captive web portal. See “Collecting Client Information from Captive Web Portals” on page 141. NAS-ID for External Captive Web Portal: Aerohive APs now include the NAS-ID in the redirected HTTP headers sent to external captive web portals so that you can use the information to determine the Aerohive device to which a captive web portal client is associated. You can configure an Aerohive device to use its host name as the NAS-ID, or to use a custom NAS-ID that you configure consisting of 1-64 characters. Using External DNS Servers in DHCP Offers: You can now specify DNS services directly from external DNS proxies or servers through the enabled DHCP connection of the router. See “Using External DNS Servers in DHCP Offers” on page 142. Specifying an Ethernet Port for Switch Netdump File: You can now specify an Ethernet port on an Aerohive switch for saving the netdump file to a TFTP server on the network automatically the next time the switch boots up. See “Specifying an Ethernet Port for Switch Netdump File” on page 143. Enabling or Disabling DHCP Server ARP Validation by Routers: There is now an option to enable or disable DHCP server ARP validation by Aerohive routers. See “Enabling or Disabling DHCP Server ARP Validation by Routers” on page 145. Switch PSE Support for Legacy Devices: This release adds the ability to configure Aerohive switches to provide PoE support for legacy powered devices that do not comply with the current 802.3at standard, which requires specific capacitors and resistors. An Enable Legacy Device Support check box in Configuration > Configure Interfaces & User Access > Device Templates > Switch Template > Additional Port Settings now allows you to enable or disable support for legacy powered devices. By default, this feature is enabled.

Whenever you enable or disable this feature, the switch PSE power module must reboot.

New HiveManager Graphical User Interface Appearance: The graphical user interface has a new look and feel In this release of HiveManager. "New HiveManager GUI Appearance" on page 146. Enhancements to Configuration and Monitoring Pages: Changes were made to the Configuration and Monitoring pages and commands in this release of HiveManager. See "Enhancements to Configuration and Monitoring Pages" on page 146. Simplified Device Updates: The Device Update drop-down menu has been updated to make it easier to push configuration changes to a device (or devices). See "Simplified Device Updates" on page 147. Support for RADIUS Proxy and ID Manager Proxy on the Same Device: You can now configure a RADIUS proxy server for authentication and an ID Manager RADSec proxy server to operate simultaneously on a single Aerohive device. HiveManager Online Configuration and Monitoring Changes: In 6.1r2, changes were made to how you add, remove, and view devices in HiveManager Online. See "HiveManager Online Configuration and Monitor Changes" on page 150. Enhanced ID Manager Features: The following improvements are included in the new ID Manager (September 2013): ID Manager Print Customization: ID Manager administrators can now customize the print template from the ID Manager kiosk to accommodate small-factor printers to print guest credentials on badges. Administrators can choose from two default templates, or can create and save their own templates. The default templates accommodate 8.5 x 11" standard paper and 2.4 x 4" thermal print paper. Templates can be customized for fonts, graphics, and the information that is provided on the badge or printed page. Text Message Customization: ID Manager provides branding and personalization of text messages by enabling you to edit the body of the text message that is sent to customers.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 130 New Features and Feature Enhancements

Customization of the Guest Management Portal: We now provide the ability to have a uniquely branded URL for use with ID Manager. Previously, one URL was used, http://idmanager.aerohive.com. In this release, you can prepend your company name to the previous URL, for example, http://yourcompanyname.idmanager.aerohive.com. Guest Approval Process Enhancements: Employees of the host company can now approve a request from a guest for Internet access before the guest receives access to the network. This feature applies to guests requesting access through the kiosk and is configured in the ID Manager administration GUI. ID Manager Print Customization: ID Manager administrators can now customize the print template from the ID Manager kiosk to accommodate small-factor printers to print guest credentials on badges.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 131 IEEE 802.11ac

IEEE 802.11ac

The following 802.11ac features appear in the 6.1r2 HiveManager GUI in anticipation of the forthcoming release of the first pair of Aerohive access points to support 802.11ac: the AP370 and AP390.

Aerohive supports the first wave of IEEE 802.11ac technologies, features, and data rates. Support of 802.11ac Wave 1 allows for devices that operate on wider 80-MHz channels, take advantage of improved media access protocols, such as dynamic channel access and RTS-CTS bandwidth signaling, and use MCS (modulation and coding scheme) 8 and 9, which modulates the signal using 256-QAM. Because the features of 802.11ac operate automatically in accordance with its own internal mechanism, you cannot configure their specific details; however, you can configure HiveManager to use or not to use 802.11ac features in specific situations. This section first explains the supported 802.11ac features, and then follows with a description of the HiveManager controls that invoke them.

Feature Descriptions This section describes each of the new 802.11ac features and behaviors that AP370 and AP390 access points support.

80 MHz Channel Width Aerohive AP370 and AP390 access points support a number of 802.11ac features that increase the speed and efficiency of network transmission. They support wider channel widths, which increases the channel capacity, thereby increasing the data rate. The 802.11n standard introduced the 40-MHz channel, which alone doubled the channel capacity over the previous 802.11a 20-MHz specification. 802.11ac goes further still, increasing it again to 80 MHz. Because the bandwidths required are so large, 802.11ac features operate exclusively in the 5 GHz band; the 2.4 GHz band is too narrow. An 80-MHz channel is made up of four adjacent, contiguous 20-MHz subchannels. To understand the importance of various fall-back processes such as dynamic channel access, it is important first to understand how the larger channels are formed. For example, in the illustration below, channel 60 is a 20-MHz channel. When bound to channel 64 to create a 40-MHz channel, channel 60 retains a certain amount of identity as the primary 20-MHz subchannel; channel 64 then becomes the secondary 20-MHz subchannel. When the 80-MHz channel is created by combining the 40-MHz channel (created by channels 60 and 64) and an adjacent 40-MHz channel (created by channels 52 and 56), the original 40-MHz channel retains its identity as the primary 40-MHz subchannel of the new 80-MHz channel. Likewise, the other 40-MHz channel is now the secondary 40-MHz subchannel.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 132 IEEE 802.11ac

Channels and Subchannels

60 802.11a first defined the 20 MHz channel.

802.11n defined a 40 MHz channel made by combining two 6460 adjacent 20 MHz channels. Here, channels 60 and 64 are combined with channel 60 acting as the primary 20 MHz subchannel.

802.11ac combines 40 MHz channels into 80 MHz channels, 5652 6460 consisting of a primary and secondary 40 MHz subchannel; the primary 40 MHz channel, in turn, has a primary (Channel 60) and secondary 20 MHz channel.

802.11ac also defines the optional 160 MHz channel, 4036 4844 5652 6460 which can be contiguous or segmented into two non-continuous 80 MHz subchannels. Aerohive devices do not currently support 160 MHz channels.

CCA (Clear Channel Assessment) on Secondary Channels 802.11ac optimizes channel utilization by performing a clear channel assessment not only on the primary 20-MHz subchannel, but all secondary subchannels. For example, when an Aerohive 802.11ac device wants to transmit on an 80-MHz channel, it first examines each of the 20-MHz subchannels for existing traffic. If the entire 80-MHz channel is clear, then the device begins the media contention phase on the full 80-MHz channel. If, however, part of the channel is noisy or busy, then the device continues with media contention only on the clear channel. By checking each of the subchannels of the 80-MHz channel in this order, Aerohive 802.11ac devices provide a means to transmit on one of the clear subchannels in the event that the entire 80-MHz channel is unavailable. For example, in the case of the Aerohive device mentioned above, if the primary 40-MHz subchannel is clear but the secondary 40-MHz subchannel is busy (that is, if another device is transmitting there), then the Aerohive device can still transmit a 40-MHz signal. By doing this, the Aerohive device is still able to transmit data, despite part of the 80-MHz channel being unavailable. This process of falling back to a narrower available channel is called dynamic channel access. By contrast, if a device uses static channel access, it cannot select a narrower band and must wait for the entire 80-MHz channel to clear before continuing to vie for access to the wireless medium.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 133 IEEE 802.11ac

Listen for Continue with media contention Clear Channel Assessment available channel protocols on primary 40 MHz (CCA) Channel (Physical layer) subchannel (MAC sublayer) The AP370 and AP390 assess 64 CCA Media Contention the entire 80 MHz channel, and then continue with The device can now use RTS/CTS Media contention only on and other protocols to access the subchannels that were 60 CCA the wireless medium. free of traffic and noise.

56 CCA Medium Busy 52 CCA Time

If the network is busy on both the secondary 40-MHz subchannel and the secondary 20-MHz channel (within the primary 40-MHz channel), the Aerohive 802.11ac device can still transmit on the primary 20-MHz subchannel. This ability increases channel utilization considerably.

RTS and CTS Bandwidth Signaling Similar to the operation of CCA, when the AP370 and AP390 contend for the medium using the RTS-CTS protocol, they do so by exploiting bandwidth signaling, a new contention resolution mechanism introduced in 802.11ac. An AP sends four 20-MHz RTS frames simultaneously to reserve a full 80-MHz channel. Each of the 20-MHz RTS frames is transmitted in the 802.11a format so that all stations can understand it. If a station is transmitting (or if there is noise) on one of the 40-MHz subchannels, then receiving devices can signal that only 40 MHz is available for data by responding the RTS with a 20-MHz CTS frame (also transmitted in the 802.11a format) on each of the free subchannels. Furthermore, if only one of the 20-MHz subchannels is available, then receiving devices respond with a 20-MHz CTS frame, notifying the AP of the bandwidth limitation.

MCS (Modulation and Coding Scheme) 8 and 9 Support The AP370 and AP390 support MCS (modulation and coding scheme) index values 8 and 9. MCS 8 and 9 use 256-QAM, which increases the link speed by a third over MCS 6 and 7, respectively, each of which use 64-QAM modulation. The reason for the increase is that 256-QAM can encode 256 distinct values in its 256 QAM states, which means it encodes eights bits of data per symbol. 64-QAM by contrast can only encode six bits of data per symbol. The increase from six bits to eight is an increase of 33.3%.

A symbol is the individual unit of transmitted data. it includes not only the data bits, but also error correction bits. The number of bits per symbol is found by the following equation:

Bits per symbol = log2 (Total number of modulation states).

For example, log2 256 = 8, so 256-QAM encodes eight bits of data per symbol, whereas log2 64 = 6, so 64-QAM encodes only six bits per channel.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 134 IEEE 802.11ac

Like 64-QAM--the highest modulation available in 802.11n—256-QAM uses coding rates of 3/4 and 5/6. These values represent the ratio of user data transmitted to total bits transmitted in each symbol; the lower the fraction of user bits, the lower the data rate, but the higher the error tolerance. Comparing 3/4 coding rate with 5/6 coding rate, the 5/6 coding rate results in a data rate that is about 11% higher than the 3/4 coding rate.

The non-user data bits are used for forward error correction, and can be likened conceptually to the parity data in certain RAID storage arrays.

Although the 5/6 coding rate results in a higher data rate (because a higher fraction of transmitted bits contains actual user data), it is more susceptible to noise and other interference problems because a smaller fraction of the transmitted data is dedicated to error correction. 256-QAM is even more susceptible to noise because of its constellation point density.

Aggregate MAC Protocol Data Unit (A-MPDU) Support The AP370 and AP390 also increase channel utilization because of the 802.11ac requirement to use aggregate frames to transmit data. Even when there is only one MPDU (MAC Protocol Data Unit), 802.11ac specifies that the MPDU be encapsulated as an aggregate MPDU, or A-MPDU. Transmitting all data as aggregate frames reduces protocol overhead by allowing much of the administrative header information for each contained MPDU to be transmitted at the VHT (Very High Throughput) instead of at base data rates. VHT is the nomenclature for the very high 802.11ac data rates, modulation, and coding. The A-MPDU consists of a number of subframes, each of which is a complete MAC frame encapsulated with an MPDU delimiter and an optional padding block. The MPDU delimiter is a four-byte field at the start of every aggregated subframe that contains the size of the MAC frame along with a delimiter signature—a unique, eight bit field that always has the value 0x4E so that devices or software can scan quickly for them. Successful transmission of the A-MPDU requires that each of the subframe has length (in octets) that is some multiple of four. If the MAC frame length is not a multiple of four octets, then a padding block is appended to the end of the MAC frame so that the total length of the subframe is a multiple of four octets. See the following illustration for a breakdown of a typical A-MPDU.

Aggregate MAC Protocol Data Unit (A-MPDU)

MPDU Subframes

A-MPDU

MPDU Subframe

MDPU MAC MAC Padding Delimiter Header Body Block

Aggregated MAC Subframe

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 135 IEEE 802.11ac

HiveManager 802.11ac Configuration This section describes where you can configure 802.11ac features and behavior in HiveManager.

QoS Rate Queuing You can configure the QoS settings independently among the primary 802.11 data-rate-related technologies. When you click Configuration > User Profiles > user_profile_name > QoS Settings, you have the option of setting the QoS rate limit per user by choosing a previously defined rate control & queuing policy and for all users combined based on the transmission type of their client devices: 802.11a/b/g, 802.11n, and 802.11ac. The default setting is to limit 802.11a/b/g traffic to 54 Mbps, 802.11n traffic to 1 Gbps, and 802.11ac traffic to 2 Gbps, but you can set these maximum rates by entering new values and clicking Save. If you want to create a new rate queuing policy, you can either click the New ( + ) icon next to Rate Control & Queuing Policy, or click Configuration > Advanced Configuration > QoS Policies > Rate Control and Queuing > New, enter your preferred rate limits, and then click Save.

Planning Tool and Map Objects You can choose to place AP370 and AP390 devices on a map using the Planning Tool. The AP370 and AP390 are 802.11ac devices, and the Planning Tool feature takes into account their features and behaviors. You can choose an 802.11ac device as the default AP type in the planning tool by clicking Tools > Planning Tool, choosing 802.11ac 3x3:3 - AP370 3x3 internal antenna, 3 streams, dual radio) or 802.11ac 3x3:3 - AP390 3x3 external antenna, 3 streams, dual radio) from the Default AP Type drop-down list, and then clicking Update. You can place AP370 and AP390 device icons on a map by clicking Maps > map_name > map_building > map_floor > Planned APs, choosing your desired 802.11ac access point from the AP Type drop-down list, and then clicking Add AP.

Radio Profiles New radio technologies require new radio profiles to take advantage of the new features. You can now find two new radio profiles in HiveManager that are preconfigured to use 802.11ac technology: radio_ac0, which is the default 802.11ac radio profile, and High-Capacity-80MHz-11ac-Profile, which is an 802.11ac radio profile template that you can clone and customize for your own use. Both of these profiles are available to be applied to specific APs by clicking Monitor > Devices > Access Points > Aerohive APs, selecting an 802.11ac-capable AP, clicking Modify, and then choosing the 802.11ac radio profile you want to apply to the 5 GHz radio.

802.11ac only applies to the 5 GHz band, so 802.11ac radio profiles are only applicable to 5 GHz radios.

You can clone and customize the High-Capacity-80MHz-11ac-Profile radio profile by clicking Configuration > Radio Profiles, selecting High-Capacity-80MHz-11ac-Profile, and clicking Clone. After naming and modifying the profile how you want it, click Save. The new radio profile is now available to apply to the 5 GHz radios on AP370 and AP390 devices.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 136 Enhancements to Applications Visibility and Control (AVC)

Enhancements to Applications Visibility and Control (AVC)

The Applications Visibility and Control (AVC) feature has been greatly enhanced with the addition of auto discovery of applications by usage, the ability to create custom applications, support for the Microsoft Lync application, and the ability to disable AVC.

Auto Discovery of Applications In 6.1r2, the Application Auto Discovery feature has been enhanced significantly with the addition of new Dashboard widgets that automatically present the top applications based on usage out of the box as well as supporting drill down capabilities. In addition to the auto discovery of applications, you can define a watchlist of up to seven applications for each VHM. Within a HiveManager network, VHMs might include multiple locations with different functions for each. For example, if your network consists of a sales organization in one building you might want to add Salesforce to your applications watchlist for that VHM. For an engineering department in a second building, you might want to add Bugzilla or Confluence to the watchlist for that VHM. A graphic representation of application usage is displayed in the widgets on the Applications perspective of the Dashboard tab. There are now two sets of widgets. One set is for the most used applications that are found through auto-discovery, including watchlist applications and custom applications that are the default widgets (see "AVC Support for Custom Applications" on page 138). A second set of widgets is dedicated to applications that are only included on the applications watchlist.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 137 Enhancements to Applications Visibility and Control (AVC)

The following widgets report usage information about the top usage applications: • All Applications by Usage • Top 10 Applications by Usage - Summary • Top 20 Applications by Usage • Top 20 Users by Application Usage • Top 20 Application Usage over Time • Top 20 Users by Clients The following widgets display information only about the applications in the user-defined applications watchlist: • Watchlist Applications by Clients • Watchlist Applications by Usage • Watchlist Applications by Usage - Summary • Watchlist Applications Usage over Time These widgets display applications regardless of how much traffic they generate. Consequently, the applications that you add to the above watchlists are likely to be mission critical applications that you want to guarantee are included in reports regardless of their usage. Also, adding an application to an applications watchlist does not prevent it from appearing in one of the top usage watchlists. To display the application watchlist widgets, select the Dashboard tab > Applications. To change which widgets are displayed, click the Customize Dashboard perspective icon ( ) in the upper right corner of the page and the list of all available Application widgets is displayed in the widget selection panel. Select the check boxes next to the watchlist widgets that you want to display and then click Save. The Applications perspective is refreshed with the widgets you selected. In previous releases, you could add up to 30 applications to a system-wide application watchlist. With the auto discovery of applications in this release, fewer applications are supported on the watchlist and fewer are needed because the widgets display the most used applications automatically. As a result of this change, if you have more than seven applications in your watchlist, you will need to revise it to a list of seven applications before you push 6.1r2 onto your devices. When you push your new watchlist to a device, the previous watchlist is removed from the device.

AVC Support for Custom Applications In addition to the over 700 system-defined applications, 6.1r2 permits you to create custom applications that are used for proprietary or hosted applications in order to monitor, control access, and assign bandwidth usage to these applications. For instance, custom applications might pertain to a specific industry, such as medical imaging or student testing applications. You define a custom application by specifying one or more of the following detection rules: • Host name (supporting both HTTP and HTTPS) • IP address • IP address and port number for TCP or UDP • Port number for TCP or UDP For the most part, HiveManager treats custom applications the same way it does system defined applications. Aerohive devices can automatically detect a custom application and report it to HiveManager for display in the dashboard widgets. You can also add a custom application to the applications watchlist and use it in QoS and firewall policies. However, there are two differences in how custom and system defined applications are treated. Unlike with system defined applications, the devices on your network are not aware of the detection rules for a custom application until you push the HiveManager configuration with the custom applications onto your devices. As a result, each time you

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 138 Enhancements to Applications Visibility and Control (AVC)

define a new custom application that you want your devices to monitor, you must push the configuration onto the devices in your network. Also, it is important to understand that custom applications take precedence over system defined applications. For example, if you create a custom application to monitor Aerohive FTP traffic, that application has a higher priority than the system defined FTP application. Within a custom application, all of the detection rules are grouped together. As a result, if traffic matches any of the rules within a custom application, the traffic is classified as belonging to that custom application. The maximum number of rules per custom application is 64 with a limit of 100 custom applications for each VHM. Within a VHM, each custom application must have a unique name and detection rules. You cannot create two custom applications with the same name or two applications with different names, but with the same detection rules. For example, if you define a application called "applicationOne" with TCP and port number 8080 you cannot define another application with TCP and port number 8080. However, within a different VHM you can create a custom application with TCP and port number 8080 and call it "applicationOne".

Creating a Custom Application To create a custom application, navigate to Configuration > Advanced Configuration > Common Objects > Application Services. The Applications Services page is displayed. Select the Custom Applications tab and then select Add. The Custom Application > New dialog box is displayed. Fill out the following fields: Application Name: Indicates the name of the custom application. Enter a name that consists of up to 32 characters, including special characters. Spaces are not permitted. Description: Enter a description of the custom application. This text is displayed when you use your mouse to hover over the application name.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 139 Enhancements to Applications Visibility and Control (AVC)

Application Detection Rules: Select one of the following from the drop-down menu, enter the required fields, and then click Add to add a rule to the application and Save: Hostname: Use the drop-down menu to select HTTP or HTTPS. Enter the host name that you want to associate with this application name. This field accepts a host name, such as www.aerohive.com. You can specify a wild card ( * ) in this field at either end of the host name. For example, both www.aerohive.* and *.aerohive.com are acceptable entries. Server IP Address: Use the drop-down menu to select TCP or UDP. Enter the IP address of the server that you want to associate with the application name and protocol. You can enter a single IP address in the following format: xxx.xxx.xxx.xxx or a range of IP addresses separated by a hyphen. Then you can assign an optional port number. Port Number: Use the drop-down menu to select TCP or UDP. Then assign a port number, from 1 to 65535, to the selected protocol. After you select Save, the Application Services page is displayed with the Custom Applications tab selected. It contains the following fields: Application: Lists the name of the custom application. Usage (Last Day): Indicates the usage of the custom application in the last day which is defined as the preceding 24 hours. Usage (Last 30 Days): Indicates the usage of the custom application in the last 30 days.

After you have created a custom application, push the configuration onto the devices in your network.

Adding a Custom Application to a Watchlist To add a custom application to an application watchlist, navigate to the Application Watchlist section of the Reports > Report Settings page. From the Applications Watchlist section, select the Custom Applications tab and then click the checkbox next to the desired custom application. Click the right arrow ( > ) to move the selected application from the Custom Applications list to the Selected Applications list. Then click Update at the top of the page. You can add a combination of both custom and system defined applications to a watchlist. (The limit of seven applications on a watchlist applies to the total number of custom and system defined applications.) When you add a custom application to the applications watchlist the group name is automatically assigned to "Custom".

AVC Support for Microsoft Lync Microsoft Lync is enterprise unified communications software that is loaded onto mobile clients and then used for collaboration via VoIP (Voice over IP) services, instant messaging, and audio, video, and web conferences. Aerohive devices can automatically detect this application traffic and report it to HiveManager for display in the Dashboard. You can also add Microsoft Lync to the applications watchlist and use it in QoS and firewall policies. The Aerohive AVC feature supports the following versions of Microsoft Lync: • Microsoft Office Communication Suite 2007 • Lync 2010 • Lync Online

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 140 Collecting Client Information from Captive Web Portals

The Microsoft Lync application requires version 3.1.0 of the application signature files. To check which version of the signature files are loaded onto your devices, navigate to Configuration > Devices > All Devices, and then click the Edit Table icon ( ). In the Customize Table Columns dialog box that appears, select App Signature, use the right arrow ( > ) to move it from the Available Columns list to the Selected Columns list, and then click Save. You can then see which version is loaded on all the devices listed on that page. To download the latest version of the signature files, select the check boxes for all devices with application signatures files earlier than 3.1.0, and then click Update > Advanced > Upload and Activate Application Signatures. The Upload and Activate Application Signatures dialog box appears with the version number of the application signature files for each selection in the App Signature column. (On premises HiveManager users must be logged in as a super user to download signature files.) If you selected various types of Aerohive platforms, click Settings, select Update by signature version, and then click the Save icon. (With this option selected, HiveManager can automatically upload the appropriate 3.1.0 file to multiple types of platforms.) Select the 3.1.0 version, make sure the check boxes for all the devices are selected in the section at the bottom of the dialog box, and then click Upload.

HiveManager 6.1r2 includes a preloaded set of version 3.0.9 application signature files. Upgrade to version 3.1.0 for a complete set of files.

To add the Microsoft Lync application to an application watchlist, navigate to the Application Watchlist section of the Reports > Report Settings page. From the Applications Watchlist section, select the System Defined Applications tab and then click the checkbox next to the Microsoft Lync application. Click the right arrow ( > ) to move the selected application from the System Defined Applications list to the Selected Applications list. Then click Update at the top of the page.

Disabling AVC In on-premises HiveManager only, super users can disable the AVC feature on all VHMs with one command from the Home VHM. (By default, the AVC feature is enabled.) To disable this feature, click Home > Administration > HiveManager Services, select the checkbox next to Application Visibility and Control Settings. Then clear the checkbox next to Enable Application Visibility Reporting on all VHMs and click Update. It is important to understand that this command only stops processing applications data on HiveManager and does not affect the configuration on the devices. When a super user disables AVC, VHM system administrators are notified that this feature is currently offline.

Collecting Client Information from Captive Web Portals

When a user authenticates to a captive web portal, you can now collect information submitted by the user as part of the authentication and acceptance of the terms of use. HiveManager reports information collected in this way in the HiveManager event monitor. To configure HiveManager to collect information from the captive web portal, log in to HiveManager as a user with administrator privileges, click Configuration > Advanced Configuration > Management Services > Management Options, choose the management profile you intend to use or to create a new one, select Report client information gathered from captive web portals, and then click Save. You can view the information that HiveManager collects by clicking Monitor > Events. The collected information appears in the Description column on the Events page.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 141 Using External DNS Servers in DHCP Offers

Using External DNS Servers in DHCP Offers

In earlier versions of HiveManager, routers acted as (DNS) servers or proxies in Dynamic Host Configuration Protocol (DHCP) offers and requested clients connect through them to DNS services. The DNS request was forwarded by the router to an internal or external DNS server for domain name resolution. In this release, you do not need routers to act as DNS proxies and can specify that DNS services be supplied from external DNS servers to obtain IP addresses in DHCP offers. If you specify a DNS service, HiveManager configures the router as the DNS proxy for any devices connected to its interfaces. You can specify the DNS proxy to use the same DNS servers for all domain name resolution, or to use separate DNS servers for internal and external domain name resolution. If you choose to use separate DNS servers, you can specify DNS settings for specific domains. Aerohive routers, Aerohive APs configured to function as routers, and Aerohive switches configured to function as routers can all be used as DNS proxies. If you specify an external DNS service, HiveManager does not configure the router as a DNS proxy. You must configure up to three external DNS servers using the static IP addresses of those external DNS severs. To use external DNS servers, routers must be configured and enabled to function as DHCP servers. With the DHCP server enabled, external DNS servers defined in the DNS service object apply to all associated subnetworks. You can customize DHCP to override the global DNS service settings at the subnetwork level, even if a DNS service is not specified. To summarize, you now have two options when defining a DNS service: • Supply external DNS server IP addresses in DHCP offers The router sends name resolution requests to up to three external DNS servers using DHCP that you supply to HiveManager by configuring their static IP addresses. DHCP must be enabled, and you must enter the static IP address of at least one (and up to three) external DNS servers. For subnetworks, you can override the global DNS service settings configured at the network level.

The same external DNS servers and proxies apply to all subnetworks with the DHCP server enabled. You can override the application of the same external DNS servers to a subnetwork level by setting the DHCP customization option.

• Set the router as the DNS server in DHCP offers The router acts as a DNS proxy and sends name resolution requests to the DNS servers you specify. You can choose name resolution using the same DNS servers configured for the router or specify other name resolution servers: • Set the router to use the same DNS servers for all domain name lookups The router sends DNS requests for names that match domains to the DNS servers you specify. • Set the router to use separate DNS servers for internal and external domain name lookups The router sends DNS requests for names that match internal domains to the specified internal DNS servers, and sends other requests through DHCP to specified external DNS servers.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 142 Specifying an Ethernet Port for Switch Netdump File

Configuring External DNS Server IP Addresses in DHCP Offers To configure a new network or modify an existing network to use external DNS servers: 1. Click Configuration > Show Nav > Networks > New, or for an existing network click Configuration > Show Nav > Networks > network_name, enter the following, and then click Save: Name: The name of the network Web Security: Whether web security is enabled for the network—and if so, if it is Barracuda or Websense—or not ("None") DNS Service: Click the New ( + ) icon to create a new DNS server, or click the Modify icon to modify an existing DNS Service. Name: Enter a descriptive name for the DNS service. The name can be up to 32 characters long, and cannot include spaces. Description: Enter a meaningful note for the DNS service for later reference. The description can be up to 64 characters long, including spaces. Supply external DNS server IP addresses in DHCP offers: (select) In this mode, the router sends DNS requests the specified external DNS servers for domain name resolution. In the External DNS Servers panel, specify up to three IP addresses and classification types, if applicable, for the external DNS servers to be used for domain name resolution.

The settings require routers to function as DHCP servers and are ignored by subnetworks if DHCP is disabled.

2. To override the global DNS service settings configured at the network level for an existing subnetwork, click Network > network_name, choose the following, and then click Save: Subnetwork: Select the check boxes to choose the subnetworks for which you want to override the network-level DNS service, and then click Modify. Override the DNS service set at the network level: (select) DNS Service: Select the network-level DNS service for which you want to override from the DNS Service drop-down list, and then click Save. To override the network-level DNS server by replacing it with another DNS server, click the New ( + ) icon and configure the new DNS service.

Specifying an Ethernet Port for Switch Netdump File

This release of HiveManager allows you to specify an Ethernet port on an Aerohive switch to save the netdump file to a TFTP server. If a switch becomes unresponsive, you can enable it to save the netdump file to a TFTP server on the network automatically the next time it boots up. You can then provide this file to Aerohive Support to assist in diagnosing the issue that triggered the lack of response from the switch. During the bootup phase on an Aerohive switch, the switch attempts to upload the netdump file to a TFTP server through all switch ports. This is problematic because such an upload can cause physical loops or traffic storms and uplink port issues. The ability to specify a management port is added to overcome potential physical loops and problematic uplinks, which are likely to hinder the process of saving the netdump file to a TFTP server.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 143 Specifying an Ethernet Port for Switch Netdump File

This new feature allows you to specify a networking port for the bootloader to upload the netdump file. When bootloader boots up and detects a need to upload the netdump file, only the specified netdump port is enabled (while the other switch ports are disabled) to upload the netdump file. The factory setting is eth1/0, which means all ports are available for the netdump transfer if ports are not specified. In HiveOS, only ports eth1/1–eth1/28 in a 24-port switch (or ports eth1/1–eth1/52 in a 48-port switch) are open to be configured as a management port, whereas eth1/0 can be set in the bootloader.

Specifying an Ethernet Port for the Netdump File To specify an Ethernet port for saving the netdump file to a TFTP server: 1. Click Configuration > Show Nav > Devices > Switches > switch_name, to select the switch for which you want to generate a Netdump file. 2. Click Update > Advanced > Update Netdump Settings, enter the following, and then click Upload. Enable Netdump: (select) TFTP server for saving netdump files: IP address of the TFTP server to which you want the switches to send the netdump file. VLAN for reaching the TFTP server: If your TFTP server lies on a specific VLAN, enter that VLAN number in this field. Native-VLAN of local Aerohive device: Enter the native VLAN of the device. Interface for management traffic: Use the two drop-down lists to select the management port. For example: Eth1/5.

Port drop-down list options depend on the switch models selected. If you select only 48-port switches, the range option is set to 1-52; otherwise, the range option is limited to 1-28.

DHCP: Select to have the switch bootloader use DHCP to obtain an address on startup. Static: Select to expand the section and enter the required network settings that the bootloader must use to connect to the network. Address of local Aerohive device: Enter the IP address of the local switch, along with the network prefix defining the network mask. For example, entering "10.1.1.1/24" means that the switch IP address is 10.1.1.1 and the subnet mask is a 24-bit mask, or 255.255.255.0. This is a required field if the Static radio button is selected. Gateway for reaching the TFTP server: Enter the IP address of the gateway switch that the switch will use to access the TFTP server. Even if the TFTP server is on the same subnet (and does not strictly require routing), this field is mandatory if the Static radio button is selected.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 144 Enabling or Disabling DHCP Server ARP Validation by Routers

Enabling or Disabling DHCP Server ARP Validation by Routers

In earlier versions of HiveManager, there was no option to enable or disable Dynamic Host Configuration Protocol (DHCP) server Address Resolution Protocol (ARP) validation by Aerohive routers. When DHCP server ARP validation is enabled, before it offers an IP address, the DHCP server carries out a series of ARP tests to validate that the address is available and no address conflict exists. If the DHCP server detects an address conflict, it offers another available IP address from the address pool. When there are many clients that require IP addresses at the same time, there is a disadvantage to ARP validation testing. For each address, the DHCP server must send a gratuitous ARP request and wait for several seconds to validate that the IP address is usable. However, this validation process consumes time and resources unnecessarily, because the HiveManager network management system itself sends gratuitous ARP tests to validate these IP addresses. In this release, DHCP server ARP validation is enabled by default. Disable branch routers from carrying out ARP validation tests in the Configure Subnetwork section.

Enabling and Disabling DHCP Server ARP Validation To enable or disable DHCP server ARP validation for an existing subnetwork: Click Configuration > Show Nav > Networks > network_name, enter the following, and then click Save: Subnetwork: Select the check boxes to choose the subnetworks for which you want to disable DHCP server ARP validation. Use ARP to check for IP address conflicts: (clear)

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 145 New HiveManager GUI Appearance

New HiveManager GUI Appearance

In this release of HiveManager, the graphical user interface has a new fresh look and feel, a lighter color theme, new icons and buttons that promote more harmonious interaction, and customized elements that are easier to use.

Enhancements to Configuration and Monitoring Pages

In 6.1r2, several changes were made to the Configuration and Monitoring pages and commands. On both the Configuration and Monitoring pages, the names of the headings have been changed. They are now called Unconfigured Devices and Configured Devices (formerly, New Devices and Managed Devices).

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 146 Simplified Device Updates

A device that appears under Unconfigured Devices has a CAPWAP (Control and Provisioning of Wireless Access Points) connection to HiveManager, but no configuration or HiveOS image changes have been pushed to the device. In addition to having a CAPWAP connection to HiveManager, a device in the Configured Devices heading has experienced a device-level change to the configuration or the HiveOS image such as having a network policy pushed to the device or upgrading the configuration or image files. Also, a new command, Guided Configuration, is available from the navigational panel. Selecting this command, takes you to the Network Configuration module as well as collapses the Nav. On the Configuration page, the link to the Monitor page, View Device Monitoring, has been replaced with a new command, Device Monitoring, that is available from the Utilities drop-down menu. Also the link to the Configuration page from the Monitor page, View Device Configuration, has been removed. However, the new Device Monitoring command is also available from the Utilities drop-down menu on the Monitor page.

Simplified Device Updates

A one-click option to push an updated configuration, HiveOS image, and new application signatures onto a device (or devices) has been added so that you can update all three configurations (complete or partial uploads) at the same time and reboot devices automatically. From the Network Configuration module as well as from the Configuration and Monitor pages, there are now two options available from the Update drop-down menu: Update Devices and Advanced. To push the configurations listed above onto a device or devices at the same time, use the Update Devices option. Use the Advanced option to update specific configurations on a device or devices, such as application signatures and bootstrap files, as well as perform configuration and HiveOS image uploads independently. To use the simplified device update feature, you must save HiveOS images, including .hm files, to HiveManager because HiveOS images require metadata that contain version information. Also, you need to obtain the image files from either an image server or the Aerohive License Server. Navigate to Configuration > All Devices > device > Update > Advanced > Upload and Activate HiveOS Software > Add/Remove HiveOS Image, select HiveOS 6.1r2 images from update server, and then click Upload.

For HiveManager Online administrators, image management is handled by the Aerohive Cloud team, so the correct versions are available by default.

There are two ways to access the new Update Devices menu. From the Network Configuration module, select a device (or devices) in the Configure & Update Devices section and then select Update > Update Devices to display the Update Devices menu. (The Update button was previously called the Upload button.) When you perform a complete configuration update, the devices are rebooted automatically.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 147 Simplified Device Updates

Or, you can select a device (or devices) from either the Configuration or Monitor page, and then click Update > Update Devices to display the Update Devices menu.

To do a partial configuration update on your devices, click Update. To do a complete configuration update, select Perform a complete configuration update for all selected devices, and then click Update. When you perform a complete update, the devices are rebooted automatically.

The HiveOS option on the Update Devices menu is only shown if the device is not running the latest version of HiveOS.

To do a partial update of the HiveOS image, click Update. To perform a complete update of the HiveOS image on the selected devices, select Upgrade these devices to the latest version of HiveOS, and then click Update. With this selection, the selected image is uploaded and devices will reboot automatically. To update HiveManager, application signatures, and an HiveOS image independently on a device, select Upload and Activate Configuration from the bottom of the Update Devices page. To upload an older version of the HiveOS software or to upload a version of HiveOS from your local management system or an SCP Server onto a device, select Upload and Activate HiveOS Software.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 148 Simplified Device Updates

To update specific configurations on a device or devices such as application signatures and bootstrap files, select Update > Advanced from the Configuration or Monitor pages to choose any of the following operations: Upload and Activate Configuration, Upload and Activate HiveOS Software, Upload and Activate Application Signatures, Remove Captive Web Page Directory, Update Bootstrap, Update Country Code, Update PoE Max Power, or Update Netdump Settings. (The commands available from the Advanced option were previously available from the Upload button on the Configuration and Monitor pages.) These options are described in the online Help. To perform targeted device uploads, such as a delta configuration uploads, from the Network Configuration module, select a device or devices in the Configure & Update Devices section and then click Update > Advanced Update and choose any of the upload options presented there. These options are described in the online Help.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 149 HiveManager Online Configuration and Monitor Changes

HiveManager Online Configuration and Monitor Changes

In HiveManager Online only, two new tabs have been added to the Configuration and Monitor pages, Managed Devices and Unmanaged Devices, as well as a method to add devices to and remove devices from the Aerohive cloud and a VHM. The Managed Devices tab is available to all HiveManager Online administrators. The devices listed on the Managed Devices tab are currently connected to the Aerohive cloud as well as to a VHM (or they were connected at one time). Devices that were once connected to a VHM and are now powered down are still shown on this tab, but in a disconnected state. The Unmanaged Devices tab is only displayed when you have device inventory access privileges. Devices listed on the Unmanaged Devices tab have never been connected to a VHM, but are connected to the Aerohive cloud. To allow access to the Unmanaged Devices tab, which are granted on the MyHive page (by a super user), select Admin Account Manager > New, and then Allow to manage HiveManager device inventory (supported in 6.1r2).

Managed Devices The devices listed on the Managed Devices tab are currently connected to the Aerohive cloud and are managed actively by a VHM or they were connected at one time. Managed devices include those that have already been configured and those devices that have not yet been configured.

The following fields appear on the Managed Devices tab: Modify: Click to modify the status of a selected device. The All Devices > Edit page appears. For information about the fields on this page, see the online Help. Update: Click to upload the configuration to a selected device or devices. See "Simplified Device Updates" on page 147. Utilities: Select this drop-down menu to access the Utilities options, including Device Monitoring, Client Information, and Diagnostics. For information about the options on this menu, see the online Help. Device Inventory: Select this drop-down menu to add or remove devices. To add a device to the Managed Devices tab, select Add. Then the Add Devices menu appears. You can enter the serial numbers of the devices you want to add manually, by selecting the Enter serial numbers tab, or by importing them from a .csv file by selecting the Import tab and browsing to the desired file. Then click Add and Close at the bottom of the page.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 150 HiveManager Online Configuration and Monitor Changes

To delete a device, select the checkbox next to a device on the Managed Devices tab, and then click Device Inventory > Removal. A warning message is displayed that indicates selecting this option removes the device from HiveManager Online, resets the device to its default or bootstrap settings, and removes the serial number of the device from your MyHive account. After you remove a device, a confirmation message is displayed and it is moved to the Unmanaged Devices tab.

Unmanaged Devices The devices listed on the Unmanaged Devices tab fall into two categories. A green "connected" device ( ) is currently connected to the Aerohive cloud, but the device has not yet made a connection to a VHM. A gray "disconnected" device ( ) is not currently connected to the Aerohive cloud. This includes devices that have never established a connection.

The following fields appear on the Unmanaged Devices tab: Refresh: Select this button to trigger the synchronization between the Aerohive cloud and the VHM. Device Inventory: Select this drop-down menu to add or remove devices. See the previous section for a description.

After a device establishes a connection with a VHM, it is moved to the Managed Devices tab. You may need to select Refresh to update the display.

© 2013 Aerohive Networks, Inc. Aerohive is a U.S. registered trademark of Aerohive Networks, Inc. P/N 330106-01, Rev. A

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 151 Aerohive 6.1 New Features Guide

Aerohive 6.1 New Features Guide

This guide describes the new features and feature enhancements introduced in the HiveOS and HiveManager 6.1 releases, ID Manager June 2013 release, and StudentManager 1.1r3 release.

New Features and Feature Enhancements

Several new features and feature enhancements have been introduced in the 6.1 releases. You can read summaries of these features and enhancements below. Major features are covered in more detail in individual sections later in this guide. For more information about known and addressed issues for the HiveOS and HiveManager 6.1 releases, ID Manager June 2013 release, and StudentManager 1.1r3 release, refer to the corresponding Aerohive Release Notes.

New Hardware Platforms SR2124P: This release introduces the SR2124P switch, the second in the Aerohive SR Series of switches that provide wired network access. Aerohive switches are configured, managed, and monitored through the cloud-enabled HiveManager and run HiveOS. The SR2124P model features PoE support on all 24 ports plus four 10 Gigabit SFP/SFP+ upload ports. The SR2124P switch can also operate as a router with full Aerohive router functionality. This switch will be released shortly after the 6.1r1 software.

New and Enhanced HiveOS and HiveManager 6.1r Features The following are the new features and feature enhancements in the HiveOS and HiveManager 6.1r1 releases. Presence Analytics (Retail Analytics): Aerohive and Euclid have formed a partnership to give physical retailers a free Presence Analytics function that is integrated directly into their HiveManager online or on-premises accounts. Presence Analytics allows you to monitor an unlimited number of retail stores, browse visitor traffic, collect data about shopper engagement and loyalty, compare retail activity across stores, view historical information, and share data with fellow retailers. You can also choose to upgrade to a premium Euclid account for access to more detailed metrics, greater historical data collection, and other capabilities, such as custom analysis. See "Presence Analytics" on page 154. Anonymous Access and Self-Registration with ID Manager: This release adds Anonymous Access and Self-Registration to ID Manager. Anonymous Access allows businesses to offer Internet access to visiting guests using mobile devices as a courtesy so that they do not have to pay for this service through their Internet providers. Self-Registration allows businesses to configure a captive web portal where a guest asks for and receives a username and password, uses these credentials to log in at first use, and then has ongoing access without the need to log in as long as they are in range, or until the ID Manager admin disables their account. See "ID Manager Anonymous Access and Self-Registration" on page 164. Client Management (Trial Version): With this feature, you can automatically provision and manage Apple mobile devices running i OS 5 or later and Apple computers running Mac OS X v10.7 or later as they connect to the wireless network. The Aerohive AP with which the client connects checks if the client is currently enrolled and, if not, a Wi-Fi configuration and an enrollment profile (with client and CA certificates and a mobile device management profile) are installed on the client to apply device security controls such as permitted applications and behavior. These profiles can differ based on whether the device matches a list of MAC addresses of corporate-issued devices or if it is a personally owned device. See "Client Management (Trial Version)" on page 169. Manual Private PSK Activation Timeout: This is a minor performance enhancement. There is no direct customer impact.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 152 New Features and Feature Enhancements

StudentManager Enhancements: StudentManager can now integrate with Aeries SIS (Student Information System) natively. Natively integrating with Aeries allows you to import and manage classes and schedules, along with the access of students to school network and Internet resources using StudentManager. After you configure StudentManager and Aeries SIS to work together and synchronize the school data, you can view and manipulate data through StudentManager. See " StudentManager Enhancements" on page 182. StudentManager and TeacherView Website Redirection: Teachers now have improved website redirection. When the teacher redirects students to a specified website, StudentManager and TeacherView can now redirect students to websites that access external content, including those that use content delivery networks to supply content and that subsequently redirect to another site. Also, students can be redirected to websites whose URL has changed and that are optimized for mobile devices.

New and Enhanced HiveManager 6.1r1 Features MyHive and HiveManager Initial Login Experience. This release introduces a new user experience for system administrators logging into a new version of HiveManager. The experience differs for system administrators of HiveManager Online, on-premises HiveManager, and on-premises HiveManager with the Redirection Server (also called the Redirector). Three new screens have been added to the HiveManager Online and on-premises HiveManager login experience. The Review Inventory page provides a list of Aerohive devices. For on-premises HiveManager, this page displays the total number of Aerohive devices connected to HiveManager at login. For HiveManager Online, this page displays a list of Aerohive devices that have been licensed to your organization, including the device type, as well as the total number of Aerohive devices. The Activate License page displays license and entitlement key information and allows you to activate your license. The Management Settings page requires you to change the default password, choose the Express or Enterprise mode, and select a time zone. (If you delete a HiveManager database, the Review Inventory and Management Settings pages are displayed. However, the Activate License page is not displayed in this case.) After you have completed these changes, a Congratulations! page is displayed. When you exit this page, the HiveManager Configuration panel is displayed. In addition to the changes described above, existing HiveManager Online system administrators will notice a new welcome screen in MyHive and that there is no longer a separate Redirector that is visible from this page. Instead of an external Redirector, you can use the HiveManager Online interface to redirect, or add and remove, devices. See "MyHive and HiveManager Initial Login Changes" on page 183. ID Manager GUI Enhancements: This release introduces a new look for the ID Manager administration interface. The new home page is divided into three clearly defined sections that provide at-a-glance visibility into critical information about your ID Manager account, and clear pointers to ID Manager configuration processes. HiveManager Online customers can now request a free 30-day trial of ID Manager. See "ID Manager GUI Enhancements" on page 190.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 153 Presence Analytics

Presence Analytics

The Aerohive Presence Analytics solution is a software product that runs on top of Aerohive wireless infrastructure. The solution enables physical retailers who deploy Aerohive wireless equipment to collect unique visitor metrics and insights into shopper behaviors in stores. HiveManager collects raw client data, sends it to Euclid for analysis, and then displays the results in specialized HiveManager reports. You simply create sensor radio profiles, apply them to Aerohive wireless devices, and define the business sites in which you want to deploy the Retail Analytics-enabled devices. When probe requests are received, the Aerohive device sends this information to HiveManager through its CAPWAP connection. This information is gathered over preselected time intervals, stored, and aggregated to derive valuable analytics to be displayed in HiveManager reports. Managers can collect important retail metrics to increase sales, such as measuring the percentage of clients passing by their sites that actually enter, or by altering the positioning of products to better steer clients to potentially high-margin items. Partnering with Euclid, Inc., Aerohive introduces a means to gather client data from Aerohive devices and send this raw data to Euclid for analysis. The Aerohive Presence Analytics solution is included free as part of on-premises HiveManager and HiveManager Online. You do not need any special licenses to enable it. The basic version includes various metrics for graphical and tabular visualization. If you want more in-depth analytics, you can upgrade to the Euclid Premium service to take full advantage of the retail analysis capabilities offered by Euclid. Aerohive devices running HiveOS version 6.1r1 or later already have integrated Presence Analytics capabilities designed to measure the behavior patterns of wireless clients by identifying and tracking their smartphones or other Wi-Fi-enabled mobile devices while continuing to provide wireless access. Additionally, you have the option to configure the radios of your Aerohive devices as sensors for scanning traffic only, in case you do not want to serve clients. When the Presence Analytics service is activated, Aerohive wireless devices can collect client data while performing their regular operations. If you want to focus strictly on collecting client data, you can also configure the radios in these devices to operate in sensor-only mode, where they constantly scan radio channels and function solely as sensors to detect wireless mobile devices. Clients do not need to associate with the SSID of an Aerohive device. These devices track clients by monitoring their probe requests. HiveManager uses the relative RSSI (radio signal strength indicator) values of client probe requests reported by different Aerohive devices to determine the approximate locations, either just outside or inside your place of business. For example, in the case of a retail store, Presence Analytics tracks which specific departments a client visits while inside the store, how long a client spends at any given location, and movement patterns of the client within the store at various times during normal store hours. The out-of-the-box solution works with as few as one AP per store. Storefront traffic is measured by algorithms designed to identify the people outside and inside the store. The effectiveness of window displays designed to entice clients to enter the store can also be measured. Users who do not wish to have their wireless mobile devices tracked must deliberately turn off the Wi-Fi feature of their handsets or power down their devices altogether. You can track clients at multiple sites by identifying where those sensors are located within the overall network topology of the business. Presence Analytics tracks the following statistics: Acquisition • Storefront traffic--number of people who walk by your store without coming into your store • Visits--number of people seen inside your store • Capture rate--percentage of people seen outside the your store that come into your store Engagement • Visit duration--amount of time visitors spend inside your store • Stay period distribution and bounce rates--track how many visitors stay in your store for a specified period of time

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 154 Presence Analytics

Loyalty • Visit frequency--average number of times a person visits your store in a 30-day period • Visit recency--number of days since a visitor was last seen in your store • Repeat visitor ratio--percentage of visitors that came into your store before

HiveManager allows customer to manage devices and visualize Euclid metrics.

VHM HiveManager Online sends data to Admin Euclid, whereEuclid metrics are aggregated and then returned to HiveManager for display. HiveManager Presence Online or Site 1 On-Premises HiveManager Presence Site 2 Aerohive AP141 detects probe requests for analytics while serving clients. AP141 in Site 1 BR100 in Aerohive BR100 scans Site 2 channels for client probe Clients with requests. mobile devices Clients with mobile devices

Configuring Basic Presence Analytics Service

For Aerohive devices to collect Presence Analytics data, they must be running HiveOS version 6.1r1 software. If the devices are running earlier versions of HiveOS software, they must be upgraded to version 6.1r1 software.

To activate Presence Analytics for Aerohive devices in HiveManager, you must enable the global Presence Analytics service, configure the Presence radio profiles, and then apply the Presence radio profiles to the Aerohive devices.

Enabling Global Presence Analytics To enable Presence Analytics globally, complete the following steps:

This operation is only required if you have an on-premise HiveManager. If you have a HiveManager Online account, contact Aerohive Technical Support to enable Presence Analytics in your account.

1. Log in to the HiveManager GUI, click Home > Administration > HiveManager Services, select Update Presence Analytics Settings, select Enable Presence Analytics, and then click Update. The global Presence analytics service is now enabled and the Presence Analytics navigation link appears under the Reports tab.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 155 Presence Analytics

2. Click Reports > Presence Analytics > Configure. The first time you click Configure, the end-user license agreement (EULA) appears. Read the EULA and click Accept to consent to its terms or click Decline to decline its terms. If you do not accept the EULA, you cannot proceed further and cannot configure Aerohive devices with Presence analytics capabilities. If you accept the license agreement, the Configure Presence Analytics page appears. Before you can assign Aerohive Presence-enabled devices to your retail stores, you must first configure Presence radio profiles and apply them to the Aerohive devices. See "Configuring Presence Radio Profiles" to set up a Presence radio profile, and then navigate to one of the following sections appropriate for the device to which you want to apply the Presence radio profile: • "Applying Presence Radio Profiles to BR100s" on page 157 • "Applying Presence Radio Profiles to Aerohive APs" on page 158 • "Applying Presence Profiles to BR200-WP" on page 159

Configuring Presence Radio Profiles If you want to configure any of the radios on your Aerohive devices to include Presence capabilities, complete the following steps: 1. Click Configuration > Show Nav > Radio Profiles. 2. To configure a new sensor radio profile, click New or click an existing radio profile name to modify its configuration. Configure the following Presence analytics settings, and then click Save:

The following parameters specify how frequently data is sent from Aerohive devices to the platform. They allow for adjustments made to accommodate situations where devices are connected over slower links, and where the data must be aggregated at different rates. They do not change the values of the Presence analytics. It is not necessary to change the default values if devices are connected over faster links.

Presence Analytics Radio Settings: (select) Enable Presence Analytics: Select this check box to enable and configure Presence analytics. Trap Interval: (Also known as the reporting interval.) Set how often the Presence sensor reports sensor data to HiveManager. By default, the trap interval is set to 30 seconds. You can enter an interval between 15 and 600 seconds (10 minutes) to accommodate slow WAN connections. Decreasing this interval below 30 seconds pushes the data faster but increases network traffic. Increasing this interval above 30 seconds pushes the data at a slower rate but decreases network traffic. Aging Time: After being detected for the first time, the client is reported at every interval until the same client is no longer detected within the duration of the aging time value. If the same client is detected again later, it is reported as detected for the first time. By default, the aging time is set to 30 seconds. You can enter an aging time between 15 and 600 seconds (10 minutes). Adjust the aging time in accordance with the reporting and aggregation interval such that client data is reported without being aged out. The aging time should be in line with or smaller than the reporting and aggregation intervals. Aggregate Interval: Set the interval during which time client data is collected in a single data sample and reported to HiveManager. It is preferable to set the aggregate interval to the same value as the reporting interval. By default, the aggregate interval is 30 seconds. You can enter an aggregate interval between 15 and 600 seconds (10 minutes) to accommodate slow WAN connections. Decreasing this interval below 30 seconds pushes the data faster but increases network traffic. Increasing this interval above 30 seconds pushes data at a slower rate but decreases network traffic.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 156 Presence Analytics

Scan Settings

Scan settings are needed only when Aerohive devices are optionally configured as sensors. For devices serving wireless clients, it is not necessary to configure the following values.

Dwell Time: Dwell time defines how long the radio transmits on a specific channel frequency to scan client probe requests before moving to the next channel. The radio remains for a limited fixed time on each channel before hopping to the next frequency in the channel sequence. By default, the dwell time value is 1200 milliseconds (1.2 seconds). You can set the dwell time between 10 and 30000 milliseconds (30 seconds). For purposes of Presence data collection, increasing the dwell time above the default value raises the data throughput of the data collected on each channel. Decreasing the minimum dwell time, reduces the latency but also reduces the throughput of the data collected on each channel. Scan all channels: Select the check box to scan all radio channel numbers on Aerohive devices in sensor mode on a per-radio basis to collect client probe request data. Clear check box if you want to set specific channel numbers to be scanned. Scan channels: Enter a list of channel numbers in the Scan channels field using commas to separate a series of them.

Applying Presence Radio Profiles to BR100s

The BR100 has one 2.4 GHz radio that can only perform in a single mode at any one time. Setting the radio to sensor mode creates a sensor-only device that no longer provides wireless network access to clients.

1. Click Configuration > Devices > All Devices. 2. Select the device check box of the BR100 to which you want to apply a Presence sensor-only radio profile, click Modify, select the following, and then click Save:

For this release, make sure that the BR100 is set to function as a router. If the BR100 is set to function as an AP, choose Router from the Device Function drop-down list, click Save, and then reselect the BR100 from the list on the All Devices page.

Use radio as a sensor (for Presence): Choose to set the single radio to Presence sensor-only mode. WLAN Interface 2.4 GHz (wifi0) Radio Profile: Choose a preconfigured Presence radio profile (defined earlier in "Configuring Presence Radio Profiles" on page 156) from the radio profile drop-down list to apply it to this interface.

Aerohive BR100s do not provide wireless network access in sensor mode but continue to serve wired clients on router ports when in Presence mode.

3. Click Configuration > All Devices, select the check boxes of the BR100s that HiveManager needs to update, and then click Update > Upload and Activate Configuration.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 157 Presence Analytics

Applying Presence Radio Profiles to Aerohive APs Aerohive APs can be configured to use their integrated Presence capabilities or to dedicate one of their radios for Presence sensor-only operation. The radios in Aerohive APs have integrated Presence capabilities. This means that a radio serves clients as it does normally and, at the same time, collects all client Presence data and delivers this data to HiveManager. With these Presence capabilities, the AP does not scan channels but remains on its current channel and performs additional processing when it receives Presence data from clients within its Wi-Fi radio coverage. To combine the Aerohive AP integrated Presence capabilities with the usual radio configuration: 1. Click Configuration > Devices > All Devices. 2. Select the device check box of the Aerohive AP for which you want to integrate a Presence radio profile, click Modify, select the following, and then click Save: Choose any radio setting (except for the Use a custom configuration setting) for which you want the Aerohive AP to perform normal wireless operations, such as supporting wireless client access and backhaul functions. WLAN Interface: Choose a radio interface on which you want to integrate a new Presence radio profile. 2.4 GHz (wifi0) Radio Profile: Select the New ( + ) icon, and then click More Settings to create a new Presence radio profile to apply to this interface. The New Radio Profiles window appears. Or 5 GHz (wifi1) Radio Profile: Select the New ( + ) icon, and then click More Settings to create a new Presence radio profile to apply to this interface. The New Radio Profiles window appears. Presence Analytics Radio Settings: (select) Enable Presence Analytics: Select to enable Presence analytics on this radio profile, and then configure the Presence interval and channel scanning settings if necessary (see "Configuring Presence Radio Profiles" on page 156 to configure the Presence settings). After you click Save, HiveManager returns to the new or existing Aerohive AP you selected in Step 2. 3. In the WLAN Interface section, choose the new Presence radio profile you just configured from the Radio Profile drop-down list to apply it to the interface, and then click Save. 4. Click Configuration > All Devices, select the check boxes of the APs that HiveManager needs to update, and then click Update > Upload and Activate Configuration. To enable Presence sensor-only capabilities on an Aerohive AP radio:

If you want to dedicate a device to serve only as a sensor for Presence analytics without serving wireless clients, then proceed to configure your Aerohive AP in Presence sensor-only mode.

1. Click Configuration > Devices > All Devices. 2. Select the device check box of the Aerohive AP device for which you want to apply a Presence sensor-only radio profile, click Modify, select the following, and then click Save: Use a custom configuration: Choose this radio setting to enable the AP to collect Presence sensor-only data. WLAN Interface: You can dedicate one radio or both radios to function in Presence sensor-only mode. Be aware that if you choose to set both radios to Presence sensor-only mode, the AP will no longer associate wireless clients and no longer support backhaul operations in this mode.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 158 Presence Analytics

2.4 GHz (wifi0) Radio Profile: Choose a preconfigured Presence radio profile (defined earlier in "Configuring Presence Radio Profiles" on page 156) from the radio profile drop-down list to apply it to this interface. Or 5 GHz (wifi1) Radio Profile: Choose a preconfigured Presence radio profile (defined earlier in "Configuring Presence Radio Profiles" on page 156) from the radio profile drop-down list to apply it to this interface. Radio Setup: wifi0: Choose the radio mode from the drop-down list as Access, Dual, Backhaul, or Sensor (for Presence). If the radio configured in the WLAN Interface wifi0 is a Presence radio profile, choose the Sensor (for Presence) mode. wifi1: Choose the radio mode from the drop-down list as Access, Dual, Backhaul, or Sensor (for Presence). If the radio configured in the WLAN Interface wifi1 is a Presence radio profile, choose the Sensor (for Presence) mode. 3. Click Configuration > All Devices, select the check boxes of the APs that HiveManager needs to update, and then click Update > Upload and Activate Configuration.

Applying Presence Profiles to BR200-WP Aerohive BR200-WP radios can be configured to use their integrated Presence capabilities or to dedicate their radios for Presence sensor-only operation. The radio in the BR200-WP has integrated Presence capabilities when you choose any of the first four radio settings. As with standalone APs, this means that a radio serves clients as it does normally and, at the same time, collects all client Presence data and delivers this data to HiveManager. With these Presence capabilities, the radio in the BR200-WP does not scan multiple channels but remains on its current channel and performs additional processing when it receives Presence data from clients within its radio coverage. To combine the BR200-WP radio integrated Presence capabilities with any one of its other radio modes: 1. Click Configuration > Devices > All Devices. 2. Select the device check box of the Aerohive BR200-WP device for which you want to apply a Presence radio profile, click Modify, select the following, and then click Save: Choose any radio setting except for the Use radio as a sensor (for Presence) setting for which you want the access point to perform normal wireless operations, such as supporting wireless client access and backhaul functions. WLAN Interface: Choose a radio interface on which you want to integrate a new Presence radio profile. 2.4 GHz (wifi0) Radio Profile: Select the New ( + ) icon, and then click More Settings to create a new Presence radio profile to apply to this interface. The New Radio Profiles window appears. Or 5 GHz (wifi0) Radio Profile: Select the New ( + ) icon, and then click More Settings to create a new Presence radio profile to apply to this interface. The New Radio Profiles window appears. Presence Analytics Radio Settings: (select) Enable Presence Analytics: Select to enable Presence analytics on this radio profile, and then configure the Presence interval and channel scanning settings if necessary (see "Configuring Presence Radio Profiles" on page 156 to configure the Presence settings). After you click Save, HiveManager returns to the new or existing Aerohive AP you selected in Step 2.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 159 Presence Analytics

3. In the WLAN Interface section, choose the new Presence radio profile you just configured from the Radio Profile drop-down list to apply it to the interface, and then click Save. 4. Click Configuration > All Devices, select the check boxes of the APs that HiveManager needs to update, and then click Update > Upload and Activate Configuration. To enable Presence sensor-only capabilities on the radio of the BR200-WP: 1. Click Configuration > Devices > All Devices. 2. Select the device check box of the BR200-WP for which you want to apply a Presence sensor-only radio profile, click Modify, select the following, and then click Save: Use radio as a sensor (for Presence): Choose this radio mode to configure the radio as a Presence sensor-only radio.

The BR200-WP with its radio in this mode continues to provide access for wired clients, but the radio no longer supports network access for wireless clients.

WAN Interface: Choose a radio interface on which you want to configure the Presence sensor-only capability. 2.4 GHz (wifi0) Radio Profile: Choose a preconfigured Presence radio profile (defined earlier in "Configuring Presence Radio Profiles" on page 156) from the radio profile drop-down list to apply it to this interface. Or 5 GHz (wifi0) Radio Profile: Choose a preconfigured Presence radio profile (defined earlier in "Configuring Presence Radio Profiles" on page 156) from the radio profile drop-down list to apply it to this interface. 3. Click Configuration > All Devices, select the check boxes of the BR200-WPs that HiveManager needs to update, and then click Update > Upload and Activate Configuration.

Defining Presence Retail Stores Before defining Presence retail stores, make sure you have activated the Presence analytics service. For those devices that use Presence radio profiles, make sure you have configured the radio profiles and applied them to the Aerohive devices in your retail stores. A store represents a physical retail store, a landmark within a store, or in general, a logical location where a customer wants to collect Presence Analytics. To create Presence retail stores and assign Aerohive devices to those stores, complete the following steps: 1. Click Reports > Presence Analytics. The Presence Analytics page appears. 2. Click Configure. You must have already accepted the end-user license agreement (EULA) to reach this point in the Presence Analytics setup procedure. The Configure Presence Analytics page appears. 3. To define a new retail store, click New, enter the following, and then click Save : Store Name: Enter the name of the store. The name can be up to 32 characters without including spaces. Time Zone: Choose the time zone of the store from the drop-down list. Address, City, State: Enter the complete store address.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 160 Presence Analytics

Associated Devices/Sensors: Aerohive devices manged by HiveManager that are not already assigned to a retail store location are displayed in the Available Devices list.

To view all managed Aerohive devices in HiveManager, navigate to Configuration > Devices > All Devices and view the devices listed under Managed Devices.

The total number of available unassigned devices in this list is shown within the parenthesis at the end of the list title. From the list of Available Devices, choose and move each device you want assigned to the new retail store to the Selected Devices list by clicking the device you want to move, and then clicking the right arrow ( > ).

If you attempt to move a managed Aerohive device from the Available Devices to the Selected Devices list that is not configured as a Presence-enabled device, an error message is displayed. The device is moved from one list to the other but is not recognized by the system as a Presence-enabled device.

The Devices at Other Stores list displays Aerohive devices located at other retail store locations. The total number of devices located in other stores is shown within the parenthesis at the end of the list title.

Selecting One or Multiple Devices When one Aerohive device is selected for a retail store, all the data collected by the device is associated with Presence Analytics metrics for that store. When multiple Aerohive devices are selected for a single retail store, all the data collected is aggregated into metrics for that store. To collect metrics for various landmark areas within a physical retail store, you can define those landmark areas as stores and associate Aerohive devices that correspond to those landmark areas.

Viewing Presence Analytics Dashboard Raw data gathered from Aerohive devices that is sent to Euclid is only processed during certain times of the day. To ensure you receive meaningful analytic results, allow at least 24 hours to elapse to make certain that Euclid has had sufficient time to accumulate and process raw data. Click Reports > Presence Analytics > Analytics Dashboard to view the following Visitor Analytics metrics: Visits: Number of client visits to the store or stores today versus client visits during a previous day, week, and month Opportunity: Capture rate as the percentage of clients passing by the store or stores that enter the store or stores today versus during a previous day, week, and month Engagement: Average visit duration in minutes and the percentage engagement rate of clients that stay for at least 20 minutes in the store or stores today versus during a previous day, week, and month. Loyalty: Frequency with which visitors later return to the store or stores today versus a previous day, week, and month. These are the four main metric widgets. However, you can expand the graphical view to see more metrics and create comparisons between them.

More metrics are available by opening the widget.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 161 Presence Analytics

For each of chart displays listed above, you can hover your mouse over portions of the chart to view metrics that cover different data aggregation periods. View Full Report: Click View Full Report for each of the four metrics to view more detailed current information for each metric. Invite users: To send an Email link to view this report to another person or an Email distribution alias, click Invite users. The Email message contains a link to allow viewing of this analytics report. An Email entry field appears.

Navigate to Home > HiveManager Services > Update Email Service Settings to set up Email destinations.

Invite: Enter the email destination address of the person or Email alias. Day, Week, or Month vs. Last Week, or Last Month: Select to display metrics aggregated during the current day, week, or month duration versus last week or last month. Click in the date entry field to select a day. A calendar appears from which you can select a day by first clicking on the arrows to select the month, and then select the day. store filter: Enter the filter to list filtered store-related information. PDF: Select to create a PDF report. Follow the instructions in the dialog box as it prompts you to open or save the PDF file. List of retail stores and metrics: The list displays retail stores and their corresponding metrics. The metrics for a particular retail store can be displayed over the following time durations: calendar days, week-to-date (WTD), last week (LW), month-to-date (MTD), or last month (LM), depending on the time duration you select. The total number of stores and total visitor metrics are shown at the bottom of the list. Show/Hide Inactive Stores: Click to show or hide retail stores that do not display active data collection. To return to the overview page, click Back to overview. View full chart: Click View full chart for the Visits, Opportunity, and Loyalty metrics to view more details. Menu Options: For all or individually chosen retail stores, you can choose from drop-down lists of Visits, Repeat Visit Rates, Capture Rate, Visit Frequency menus that are plotted on a graph as a solid line or choose another menu option for comparison that is plotted on the same graph as a dashed line. The menu options change depending on the Visitor Analytics metric you choose to chart. You can also chart the data for different time periods, such as daily, weekly, monthly, quarterly, or only on selected weekdays, that are displayed in different colored graphs. As with the other charts, you can hover your mouse over portions of the chart to view data that cover different periods. Select Stores and Tags: Click All to open the Select Stores and Tags dialog box. To add stores to the chart, select the store whose metrics you want to view from the list of stores, and then click Save. The stores you selected are listed at the right of the chart and assigned a unique color. Metrics for each store are graphed using the color assigned for each store. To return to the overview page, click Back to overview. Click + Add 2nd Chart to add and configure a second chart.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 162 Presence Analytics

Viewing Presence Analytics Monitor The Analytics Monitor tab is designed for troubleshooting by analyzing the raw data arriving at the Aerohive devices. Click Reports > Presence Analytics > Analytics Monitor to view the total number of detected clients that visit your store and the Presence data throughput of the Aerohive sensor-enabled devices: Time Range: Select Last Minute, Last Hour, or Last 24 Hours time period to view meaningful raw data collected from detected clients and the total amount of Aerohive sensor data throughput during the selected time period. Presence Analytics Connection Status: Displays the CAPWAP connection status of the Aerohive devices at the Presence retail store to HiveManager: green indicates the sensor is up, and gray indicates the sensor is down. Last time data was posted: Displays the day and time that Aerohive devices last reported sensor data to HiveManager. Total Number of Detected Clients: Displays the total number of clients detected by Aerohive devices during the selected time period. Total Throughput of Sensor Data: Displays the total amount of data throughput, in kilobytes, of Aerohive sensor data during the selected time period. List of Presence stores and number of devices at the store: To view real-time client movement detected by the Aerohive sensors at a particular retail store, click the store name to display Aerohive sensors for the chosen store. Click an Aerohive device from which you want to view real-time data. The Aerohive Device Summary window appears for the chosen device. View the following information, and then click Close to close the window: CAPWAP Status: The CAPWAP connection status of the chosen Aerohive device is displayed: green indicates the sensor has a CAPWAP connection to HiveManager, and gray indicates it is disconnected. Last connection time: Displays the date and time Aerohive last connected to HiveManager. Clients are currently being tracked: Displays the number of clients currently being tracked by Aerohive. Search: You can search the Recently Detected Clients list for a client MAC address. Enter the MAC address for the client you want to find in the list. If found, the client MAC address (displayed in yellow) and the amount of time since it was first seen are displayed. To view the complete list again, delete the MAC address from the search box. Pause: The display refreshes automatically every 10 seconds. To freeze the client MAC address list and elapsed time, click the Pause icon. To set the list to automatically refresh, click the Pause icon again. Recently Detected Clients: Displays a list of client MAC addresses. Time Detected: Indicates the amount of time elapsed since the client MAC address was first detected in the current session.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 163 ID Manager Anonymous Access and Self-Registration

ID Manager Anonymous Access and Self-Registration

This release adds two new ID Manager features: Anonymous Access and Self-Registration. Anonymous Access offers Internet access as a courtesy to visiting guests using mobile devices so they do not have to pay to use their own Internet providers. Self-Registration allows businesses to configure a captive web portal where a guest asks for and receives a username and password, uses these credentials to log in at first use, and then has ongoing access without the need to log in as long as they are in range, or until the account expires as configured by the ID Manager admin. Anonymous Access Use Anonymous Access to offer your customers and guests that are using mobile devices complimentary Internet access during their visits to your site. You benefit from increased customer satisfaction, a possible increase in return customer business, and the data logs that are generated for these guests. You can define duration and usage limitations for anonymous guests in ID Manager.

Anonymous Access runs on distributed networks where each site has one AP.

Setting Anonymous Access Restrictions You can enforce three types of access restrictions for anonymous access guests: • No restrictions: access and bandwidth are always available and unlimited • Time restrictions: You enforce time restrictions so that guests can only obtain access during the time periods that you specify. • Data Usage restrictions: You can enforce data usage (bandwidth) restrictions to prevent guest traffic and activity from overloading your network. You can also suspend access temporarily in instances where bandwidth usage or the number of guests exceeds your requirements. Anonymous Access grants access through open SSIDs and a “use policy acceptance” captive web portal that you configure in HiveManager and upload to devices that are running ID Manager. Then you create a guest type in ID Manager for anonymous access, and link that guest type to your anonymous access SSID.

You must configure a separate SSID in HiveManager for each of type of restriction that you want to enforce, and you must also configure a user profile for each SSID. If you only apply one type of restriction, (the most common case), or no restrictions, you only need one SSID with an associated user profile. You must also configure a Guest Type in ID Manager for each SSID, based on the restrictions you want to enforce. If you have only configured one SSID, then you need only one Guest Type.

The steps to configure Anonymous Access are described in the following sections.

Configuring an Anonymous Access SSID in HiveManager 1. In HiveManager, select your network policy (or create a network policy if you have not already done so), and click OK. In the configuration panel that appears, click the Choose button in the SSID section, enter the following information, and then click Save: Profile Name: Enter a name for the SSID. The name can contain up to 32 characters, including spaces. SSID: Use the same name as the SSID profile name or enter a different one. This is the name that wireless clients receive in beacons (unless you choose to hide the SSID). The name can be up to 32 characters long and—unlike the profile name—can include spaces. SSID Broadcast Band: Select 2.4 GHz & 5 GHz Description: Enter a brief description for this SSID. The description can contain up to 64 characters, including spaces. In the SSID Access Security section, select Open. Select the Use Aerohive ID Manager check box.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 164 ID Manager Anonymous Access and Self-Registration

In the dialog box that appears, make sure that only your new SSID is highlighted and then click OK. 2. Your now see your SSID in the Configure Interfaces & User Access window. In the Authentication section for your SSID, click the red link to configure the captive web portal for this SSID. From the dialog box, select New and click OK. 3. In the New Captive Web Portal window, enter the following information and then click Save. Name: Enter a name for the captive web portal of up to 32 characters including spaces. Registration Type: From the drop-down list, select Time/Data Limits (No Authentication Required).

You can use the default captive web portal settings or customize your captive web portal for appearance, language, and other options. For detailed instructions about how to customize captive web portals, see the HiveManager Help.

4. You can now either assign an existing user profile to this SSID, or create a new user profile for anonymous access only. In the User Profile section for this SSID, click Add/Edit. In the dialog box that appears, make sure you are in the Default tab, click New, enter the following information, and the click Save:

If you configure more than one SSID for anonymous access to enforce multiple restriction types, you must also configure a user profile for each SSID.

Name: Enter a name for this user profile of up to 32 characters including spaces. Attribute number: Assign a unique attribute number for each user profile and SSID that you configure. ID Manager uses attribute numbers to determine which restrictions (if any) to apply to guests that use anonymous access. Default VLAN: Leave the default VLAN as 1. Description: Enter a brief description for this user profile of up to 64 characters including spaces. 5. In the Choose SSIDs dialog box, make sure your user profile is the only one highlighted, and click OK.

You must upload SSIDs and User Profiles to the APs on which you will be using ID Manager before you can see them in ID Manager.

Enabling Anonymous Access in ID Manager Perform the following steps to enable Anonymous Access In ID Manager for the associated SSIDs. 1. From the ID Manager home page, in the Manage Guests section, select Guest Account Management. 2. Select the Guest Type tab, click New, enter the following information, and then click Create: Type Name: Enter a name for this guest type. The name can contain up to 12 characters, including spaces. SSID: If you uploaded the SSID and user profiles to your ID Manager devices, this field becomes a drop-down list. Select the SSID from this list. Attribute number: This field is automatically populated with the attribute number for the selected SSID. Auth Type: Select No authentication (Anonymous Access). A cancel switch now appears in this window. This switch allows you to turn off anonymous access for a period of time (for example, if data usage rates become unmanageable.) You can use this switch to temporarily block and then reinstate access without the need to reconfigure time limits or disable the feature completely. Access Restriction: Define access limitations, if any, in this section. You can choose to set no limitations, set a time limitation, or set a data usage limitation. For each type of limitation that you want, you will need to configure a separate SSID and user profile in HiveManager. No restriction: This option allows unrestricted guest access.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 165 ID Manager Anonymous Access and Self-Registration

Time Limit: This option slows you to set a time restriction on guest access. There are two options: Fixed time window: if this is selected, the allowed time period will always start at 12:00am. Rolling time window: If this is selected, the allowed time covers 24 hours prior to the current time.

Self-Registration ID Manager Self-Registration allows you to create an SSID and user profile where guests log in once with a username and password provided by ID Manager, and then have login-free access indefinitely as long as they are within range of the SSID, or until the account expires. Self-Registration in ID Manager operates in much the same way as guest access in many hotels and conference centers. To enable Self-Registration, first configure an SSID in HiveManager to use a one-time login captive web portal (that you configure in ID Manager as explained below.) Then configure two user profiles (a default profile for guest access and a registration profile for password creation and delivery.) Finally, push these configurations to the APs on which you want to apply ID Manager. The steps for these processes are described below. 1. In HiveManager, select your network policy (or create a network policy if you have not already done so), and click OK. In the configuration panel that appears, click the Choose button in the SSID section, enter the following information, and then click Save: Profile Name: Enter a name for the SSID. The name can contain up to 32 characters, including spaces. It will be helpful if you identify this SSID as a self-registration SSID. SSID: Use the same name as the SSID profile name or enter a different one. This is the name that wireless clients receive in beacons (unless you choose to hide the SSID). The name can be up to 32 characters long and—unlike the profile name—can include spaces. SSID Broadcast Band: Select 2.4 GHz & 5 GHz Description: Enter a brief description for this SSID. The description can contain up to 64 characters, including spaces. In the SSID Access Security section, select Open. Select the Use Aerohive ID Manager check box. In the Choose SSID dialog box that appears, make sure that only your new SSID is highlighted and then click OK. 2. Your now see your SSID in the Configure Interfaces & User Access window. In the Authentication section for your SSID, click the red link to configure the captive web portal for this SSID. From the Choose CWP dialog box, select New and click OK. 3. In the New Captive Web Portal window, enter the following information and then click Save. Name: Enter a name for the captive web portal of up to 32 characters including spaces. Registration Type: From the drop-down list, select Self-registration (Password-based).

You can use the default captive web portal settings or customize your captive web portal for appearance, language, and other options. For detailed instructions about how to customize captive web portals, see the HiveManager Help.

4. Create a new default user profile for self-registration. In the User Profile section for this SSID, click Add/Edit. In the Choose User Profiles dialog box, make sure you are in the Default tab, click New, enter the following information, and the click Save:

For Self-Registration, you must configure both a default user profile and a registration profile.

Name: Enter a name for this user profile of up to 32 characters including spaces.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 166 ID Manager Anonymous Access and Self-Registration

Attribute number: Assign a unique attribute number for each user profile and SSID that you configure. ID Manager uses attribute numbers to determine which restrictions (if any) to apply to guests that use anonymous access. Default VLAN: Leave the default VLAN as 1. Description: Enter a brief description for this user profile of up to 64 characters including spaces. 5. In the Choose User Profiles dialog box, make sure you are in the Default tab and that your new user profile is the only one highlighted. Do not exit from this dialog box yet, and do not click Save. 6. In the Choose User Profiles dialog box, click the Registration tab, and then click New. In the New User Profile window, enter the following information, and then click Save. Name: Enter a name for this user profile of up to 32 characters including spaces. Attribute number: Assign a unique attribute number for each user profile and SSID that you configure. ID Manager uses attribute numbers to determine which restrictions (if any) to apply to guests that use anonymous access. Default VLAN: Leave the default VLAN as 1. Description: Enter a brief description for this user profile of up to 64 characters including spaces. When you click Save, the Choose User Profiles dialog box appears. Follow the next two steps carefully to assign both profiles to your self-reg SSID. 7. In the Choose User Profiles dialog box, in the Registration section, select the user profile you just configured for registration. 8. In the same dialog box, switch to the Default section and highlight the default user profile you created for the self registration SSID. Now click Save.

If you do not select both a default and a registration user profile, you will be prompted to do so.

In the Configure Network Policy window, in the SSIDs section, you should now see both user profiles for the Self-Registration SSID that you created.

You must upload SSIDs and User Profiles to the APs on which you will be using ID Manager before you can see them in ID Manager.

Enabling Self-Registration in ID Manager There are two steps you must take in ID Manager to activate the Self-Registration. The first step is to create a guest type for self-registration. The second step is to configure the captive web portal information in ID Manager > Configuration > ID Manager Settings > Registration GUI. Both steps are described below.

Creating a Guest Type for Self-Registration 1. From the ID Manager home page, in the Manage Guests section, select Guest Account Management. 2. Select the Guest Type tab, click New, enter the following information, and then click Create: Type Name: Enter a name for this guest type. The name can contain up to 12 characters, including spaces. SSID: If you uploaded the SSID and user profiles to your ID Manager devices, this field becomes a drop-down list. Select the Self-Registration SSID from this list. Attribute number: This field is automatically populated with the attribute number for the selected SSID. Auth Type: Select User Name/Password. Account Expiration: Select a time period for which you want self-registration accounts to remain active from the options in this section.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 167 ID Manager Anonymous Access and Self-Registration

Configuring the Registration GUI Captive Web Portal for Self-Registration This step configures the captive web portal that is displayed on guest devices for Self-Registration. 1. In ID Manager > Configuration > ID Manager Settings > Registration GUI, scroll down to the Registration section. 2. Select the CWP based Registration tab. Complete the following fields in this section and then click Update: Enable CWP-based Registration: First select this check box to unlock the fields. Guest Type: Select the guest type that you created for self-registration from the drop-down list. Authorized by: Enter the name of the person who configured self-registration (this information is for use in the logs). Language: Select a language from the drop-down list. Time Zone: Select the time zone for your location. Date Format: Select a date format from the drop-down list. Time Format: Select either a 12 hour or 24 hour time format.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 168 Client Management (Trial Version)

Client Management (Trial Version)

As people increasingly make use of personal mobile devices to do work, they expect to be able to use them anywhere—at home, on the road, and in the office. Introducing a variety of wireless devices with different operating systems and applications to the corporate network poses a challenge for network security administrators. Client Management provides a simple method to control network access and mobile wireless device functions without any IT intervention. The employees themselves enroll their devices when first connecting to the wireless network. To determine the ownership type of their devices, their MAC addresses can automatically be compared with a list of all company-issued devices (CIDs) or the users can be allowed to specify their devices as personally owned or company issued. After the type of device ownership is established, users must accept the terms of use and then download an enrollment profile and Wi-Fi configuration to their devices. Depending on the Client Management settings, the enrollment profile can contain client and CA certificates and device behavior and usage restrictions. The infrastructure to support this is diagrammed below. As you can see in Figure 1, Aerohive has introduced an online database system, the Client Management cluster, to manage the enrollment process. This cluster consists of a group of highly available servers that communicate with HiveManager and with Apple clients through APNS (Apple Push Notification Service). This trial version supports the provisioning and management of Apple mobile devices running iOS 5 or later and Apple computers running Mac OS X v10.7 or later.

Figure 1 Client Management Overview

HiveManager Client Management cluster APNS with Client (database & enrollment page) (Apple Push Management enabled 1 CA and server Notification Service) certificates Client profiles 4 (CID MAC address list) Notification of a Wi-Fi configuration, client Configuration (and CA and profiles, (and CA and client server certificates*) certificates*) to the AP 3 AP 1. The systems shown here exchange configuration data 3. ... the AP checks if the client is and certificate files to already enrolled. If not, the AP establish the infrastructure 2 redirects the client browser to the to support client management. Client Management enrollment page.

4. After the client enrolls, the Client Management 2. When a wireless client cluster sends it an APNS notification to install a connects to the AP and Wi-Fi configuration and client profiles. After the authenticates itself, ... installation, the user can access the network. Apple client

* CA, server, and client certificates are only sent to the AP and client when the SSID uses 802.1X authentication and the AP functions as an Aerohive RADIUS server. If you use an external RADIUS server, you must export the CA and server certificates from HiveManager and then import them to the RADIUS server. If the SSID uses private PSKs to authenticate users, no certificates are required.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 169 Client Management (Trial Version)

Configuring Client Management There are several components involved in configuring Client Management, some of which are unique to the type of access security for the SSID—802.1X, private PSK, and PSK. The configuration elements that all three SSID types have in common are explained first, followed by three sections with the configuration steps for each SSID type. 1. To request that the trial version of Client Management be enabled for a HiveManager Online account or an on-premises HiveManager appliance, send an email to [email protected]. You must provide either your VHM ID if you have a HiveManager Online account or the system ID for an on-premises HiveManager appliance. 2. After receiving an email response confirming that you can begin using the feature, log in to the VHM for which you want to enable Client Management, click Home > Administration > HiveManager Services, expand Client Management Settings, enter the following, and then click Update: Enable Aerohive Client Management: (select) Automatic policy assignment based on device ownership: Select if you use a list of client MAC addresses for corporate-issued devices (CIDs) to determine whether clients are corporate issued or personally owned (BYOD for Bring Your Own Device). The Client Management cluster compares the MAC addresses of clients during the enrollment process with those in the list. If they are there, then they are CID; otherwise, they are BYOD. Clear if you do not use such a list but instead allow users to indicate whether their clients are corporate issued or personally owned during the enrollment process. 3. If you are not going to use a list of CID MAC addresses, you can skip this step. However, if you do have a list of MAC addresses for corporate-issued client devices and want to use that to distinguish which client devices are CIDs or BYODs, click Home > Administration > Auxiliary Files > CID Clients > Upload. Browse to the location of a .txt file with a list of CID MAC addresses, select it, and then click Upload. After uploading the file to HiveManager, HiveManager sends it by HTTPS to the Client Management cluster of servers at acm-beta.aerohive.com (207.20.241.108). HiveManager also displays the uploaded list of MAC addresses on the CID Clients page. To modify a MAC address or remove it from the list, you must edit the text file and then upload the revised file to HiveManager to effect the change.

If there is a firewall between your HiveManager and the Client Management cluster, make sure it allows HTTPS traffic from HiveManager to the cluster. The Cloud Management cluster generates certificate files, which HiveManager retrieves from it, and HiveManager pushes CID MAC address lists and client profiles to the cluster.

4. Because 802.1X EAP-TLS authentication and the validity period on private PSKs require accurate time settings on all devices, check the settings in the NTP profile that the network policy references. You can view the NTP profile from the network profile or by clicking Configuration > Advanced Configuration > Management Services > NTP Assignments and then clicking the name of the NTP profile whose settings you want to review. Make sure the correct time zone is set, Enable NTP client service is selected, and from one to four valid NTP servers are defined. 5. You can use an external RADIUS server or a RADIUS server running on an Aerohive device. An Aerohive RADIUS server can have a local user database or it can look up users on an Active Directory, OpenLDAP, or Open Directory server. This example demonstrates a local user database configuration. Create local RADIUS user groups and users. Click Configuration > Advanced Configuration > Authentication > Local User Groups > New, enter the following, leave the other settings as they are, and then click Save: User Group Name: Employees Description: For all employees using 802.1X authentication RADIUS users: (select) User Profile Attribute: 30 (This is the attribute that will be assigned to the default user profile in the next step.)

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 170 Client Management (Trial Version)

Click Configuration > Advanced Configuration > Authentication > Local Users > Import, browse to a CSV-formatted file containing a list of employees formatted as follows, and then click Import: #User Name, User Type, User Group Name, Password, Description, Virtual HiveManager Name User1, 1, Employees, aerohive123, , home User2, 1, Employees, aerohive123, , home 6. Create the following three user profiles to control the type of network access you want to provide employees when they are using different types of wireless client devices: • User profile for Apple CID clients with full access to the Internet and internal network • User profile for Apple BYOD clients with access only to the Internet. (You can enforce other restrictions in the BYOD user profile such as reduced rate limits and scheduled times of network access.) • Default user profile for non-Apple clients with full access to the Internet and internal network The settings below assume that the default VLAN is 1, user profile attributes 10, 20, and 30 are not in use by any other user profiles, and that the rate limits of 3000 Kbps for 802.11a/b/g/n BYOD clients are reasonable for your network. Keep in mind that these settings are just examples. Adapt them as necessary for your configuration and network.

User profile for Apple CID clients On the Configuration > User Profiles page, click New, enter the following, leave the other settings as they are, and then click Save: Name: CID-access Attribute Number: 10 Default VLAN: 1 Description: For employees’ CID Apple clients

User profile for Apple BYOD clients On the Configuration > User Profiles page, click New, enter the following, leave the other settings as they are, and then click Save: Name: BYOD-access Attribute Number: 20 Default VLAN: 1 Description: For employees’ BYOD Apple clients Firewalls: In the IP Firewall Policy section, choose the predefined policy Guest-Internet-Access -Only from the From-Access and To-Access drop-down lists and choose Deny as the Default Action.

Whenever there is a configuration change to a firewall policy referenced by a user profile, Aerohive recommends making a complete configuration upload and device reboot, not just a delta upload.

QoS Settings: Click the New icon ( + ) next to Rate Control & Queuing Policy, enter the following and then click Save: Name: BYOD-QoS Per User Rate Limits: 3000 Kbps (802.11a/b/g and 802.11n)

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 171 Client Management (Trial Version)

Description: For employees' BYOD Apple clients Per User Queue Management: Leave the policing rate limits for classes 6 and 7 as they are, and set classes 0-5 as 3000 Kbps for 802.11a/b/g and 802.11n. Choose BYOD-QoS from the Rate Control & Queuing Policy drop-down list, and set the Policing Rate Limit for a/b/g mode and 11n mode as 14000 Kbps. These are the maximum limits for all users to which the user policy applies and are significantly less than the default maximum rate limits for employees using CID clients.

Default user profile for non-Apple clients On the Configuration > User Profiles page, click New, enter the following, leave the other settings as they are, and then click Save: Name: employee-access Attribute Number: 30 Default VLAN: 1 Description: For employees’ non-Apple clients Client Classification Policy: Select Enable user profile reassignment based on client classification rules. Add the following two policy rules: Choose any - any - any - CID - CID-access, and then click Apply. Click New, choose any - any - any - BYOD - BYOD-access, and then click Apply. 7. Based on device ownership, you can apply different user profiles to enforce network access control through the settings within the user profiles. In addition, you can also bind client profiles to user profiles to enforce client device control. To save your changes to the network policy, click Save in the upper right of the Configure Interfaces & User Access panel. To create a client profile and bind it to the BYOD user profile created earlier, click Configuration > Advanced Configuration > Security Policies > Client Profiles > New, enter the following, and then click Save: Name: Enter a name for the client profile. User Profile Attribute: Enter the user profile attribute to which you want to bind this client profile. For example, in step 6 above, the CID-access user profile was assigned attribute 10 and the BYOD-access user profile was assigned attribute 20. If you enter 10 here, then this client profile will be applied to all CID clients. Likewise, if you enter 20 here, it will be applied to all BYOD clients. Organization: Enter the name of the organization that you want to appear on the client profile. Description: Enter a useful description about the client profile for future reference. Profile Lifetime on Client Devices Do not delete the profile from the client device: Select this option to keep the client profile on the client indefinitely. The user has to remove it manually later. Automatically delete the profile minutes later: Select this option to remove the client profile after the client leaves the wireless network and the specified period of time elapses. When the client disassociates, the AP sends a notification message to the Client Management cluster, which removes the client profile after it concludes its countdown. Note that the enrollment and Wi-Fi configuration profiles remain on the client so that it does not have to go through the complete enrollment process the next time it connects to the network. It only needs to download the client profile again.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 172 Client Management (Trial Version)

Client Settings To enforce client device settings and behavior, expand the various Client Settings sections, and then click Config. HiveManager displays a number of controls that you can set for the client such as restrictions to device functionality and application availability, and email account settings.

If you edit an existing client policy, your changes do not affect clients currently enrolled and connected to the network at the time that you make the changes. If you want to enforce the changes on all clients immediately, select the enrolled clients on the Monitor > Clients > Enrolled Clients page, and then click Operation > Unenroll Clients, If there are multiple client profiles on a device, the most restrictive settings have priority.

8. You can also control how the enrollment, welcome, and device ownership modification pages appear to the user by clicking Configuration > Advanced Configuration > Management Services > Client Mgmt Portal. On this page, you can change the logo, graphics, and text, and preview how your changes will look in either a horizontal or vertical orientation. When you click Save, HiveManager immediately communicates your changes to the Client Management cluster.

Because changes require HiveManager to communicate with the Client Management cluster, it is normal for there to be a delay in executing commands such as previewing and saving settings.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 173 Client Management (Trial Version)

Using 802.1X When you use an 802.1X SSID, the clients access a single SSID for enrollment and network access. Although the SSID is the same, there is a difference in the form of user authentication that occurs before and after enrollment. When the users authenticate before enrollment, they use PEAP, whereas after enrollment, they use EAP-TLS. The enrollment process is shown in Figure 2.

Figure 2 Enrollment process with an 802.1X SSID

SSID: Corp-Emp-802.1X BR200-WP Client 1 AP 2 User Name RADIUS server New -> Management Password cluster New browser page -> Enrollment page APNS

Connect Check Prompt Submit The user accepts the terms of use, chooses The AP checks the The user chooses Corp-Emp-802.1X, ownership type, and user name and submits a user name and password The user opens a new page accepts the Wi-Fi password on the when prompted, (and must also in Safari and is redirected config and enroll- RADIUS server. accept the server certificate.) to the enrollment page. ment profile .

3 Corp-Emp-802.1X To the 802.1X PEAP -> network... 802.1X EAP-TLS

The user can now access the network using the Corp-Emp -802.1X SSID. Although the SSID stays the same, the new Wi-Fi configuration uses EAP-TLS with the certificates from the enrollment profile.

1. Because the SSID uses 802.1X EAP-TLS authentication after enrollment, check that HiveManager has the correct certificates. (The Client Management cluster sends these to HiveManager shortly after you enable the Client Management feature.) To check the certificates, click Configuration > Advanced Configuration > Keys and Certificates > Certificate Mgmt, and then note if the following certificate files are present: ClientMgmt-Radius-Server_key.pem ClientMgmt-Radius-Server_Crt.crt ClientMgmt_CA.crt

If you use an external RADIUS server instead of an Aerohive RADIUS server, export these three files and then import them to the RADIUS server.

2. In the Configuration section of the GUI, create a new network policy that supports wireless access and branch routing or edit an existing one. (The configuration is simpler if you use an Aerohive router as the RADIUS server or private PSK server—note that the BR100 does not support RADIUS server functionality. However, you can also configure an AP as a private PSK server if it has static network settings.)

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 174 Client Management (Trial Version)

3. Click Choose for SSIDs, click New, enter the following, leave the other settings as they are, and then click Save: Profile Name: Corp-Emp-802.1X SSID: Corp-Emp-802.1X (automatically entered) WPA/WPA2 802.1X (Enterprise): (select) Enable Client Management: (select) 4. Highlight Corp-Emp-802.1X, and then click OK. To complete the configuration for the SSID, follow the steps below to apply the type of authentication and user profiles that you want to use: Authentication Click , and then click New. To use the Aerohive branch router as the RADIUS server, enter BR-RADIUS-Server in the RADIUS Name field, select Obtain an Aerohive RADIUS server address through DHCP options, and then click Save. User Profile Click , choose an existing configuration that defines the Aerohive branch router as the RADIUS server, and then click Save. If you do not already have such a configuration object, click New, enter BR-RADIUS-Server in the RADIUS Name field, select Obtain an Aerohive RADIUS server address through DHCP options, and then click Save.

5. Click Edit for Additional Settings, expand Router Settings, click the New icon ( + ) for RADIUS Service, enter the following, leave the other settings as they are, and then click Save: Name: Corp-Emp-RADIUS Database Settings: Select Local Database and move Employees from the Available Local User Groups column to the Selected Local User Groups column. Optional Settings: Choose the following certificate and server key files: CA Cert File: ClientMgmt_CA.crt Server Cert File: ClientMgmt-Radius-Server_Crt.crt Server Key File: ClientMgmt-Radius-Server_key.pem 6. To enable RADIUS server functionality on the router, click Configuration > Devices > Routers > router_name, expand Service Settings, and select Enable the router as a RADIUS server. Because BR series devices do not support Client Management, you must disable the SSIDs with Client Management configured for them on the routers. By disabling these SSIDs, clients cannot associate with them and then fail to enroll. Click Configuration > Devices > Routers > router_name, expand SSID Allocation, clear the check boxes for the Client Management-enabled SSIDs, and then click Save.

Because all APs support Client Management, an alternative approach is to use an AP330 or AP350 in router mode instead of using a BR series device. Then you do not have to disable the SSIDs on them.

7. To upload the network policy and certificates to your devices, click Configuration, highlight your network policy and click OK, and then click Continue to advance to the Configure & Update Devices panel. Select all your devices that you want to update. Click Settings and make sure that all of the check boxes at the bottom of the dialog box are selected so that HiveManager uploads not only the configuration

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 175 Client Management (Trial Version)

but also all the web portal pages, certificates, and users required for Client Management to function, and then click Upload.

Private PSK Self-Registration Private PSK self-registration uses an open SSID with a captive web portal requiring user authentication for enrollment and a private PSK SSID for access. In this approach, a user associates with two different SSIDs. First, the user accesses an open SSID with a captive web portal requiring him to submit a user name and password to register. After a successful registration, the AP contacts the private PSK server and obtains a private PSK for the user, which it sends to the Client Management cluster when it redirects the client to the enrollment page. After the user enrolls, the cluster sends a notification to the client through APNS to download a Wi-Fi configuration and a client profile from the cluster. When the cluster sends the Wi-Fi configuration to the client, it includes an encrypted form of the private PSK for use in the second SSID with which the client now automatically connects.4 The enrollment process is shown in Figure 3.

The private PSK is never seen by the user. The Client Management cluster encrypts and embeds it in the Wi-Fi settings profile, which it then sends to the client to use for its wireless network connection.

Figure 3 Enrollment process with private PSK self-registration

Settings Wi-Fi AP RADIUS server and private 1 2 AP Corp-Emp-PPSK > New -> PSK self-registration server √ Emp-Connect > New browser page -> captive web portal AP121 RADIUS BR200-WP

Private PSK

The user opens a new page in --which the AP looks up on the RADIUS The user chooses Emp-Connect, Safari, is redirected to the server. Then the AP gets a private which is an open SSID used only captive web portal, and submits PSK for the user from the private for user registration. a user name and password-- PSK self-registration server.

Captive Enroll- Client Management To the 3 4 Settings web -> ment cluster Wi-Fi network... portal page √ Corp-Emp-PPSK > Emp-Connect >

AP Router HTTPS to the enrollment page HTTPS private PSK The user can APNS Notification now access the network. HTTPS Wi-Fi config with PPSK and client profile

After the user enrolls, the cluster The AP redirects the client to notifies the client through APNS The client automatically switches the enrollment page on the Client to install the Wi-Fi configuration, from the open registration SSID Management cluster and sends which contains the private PSK, and to the secure access SSID: the cluster the private PSK. client profile. Corp-Emp-PPSK.

4. Although Apple devices running any version of iOS can automatically switch to the access SSID, Apple devices running OS X 10.7 and OS X 10.8 cannot. Users with client devices running these versions must switch to the new SSID manually.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 176 Client Management (Trial Version)

1. To create a private PSK user group, click Configuration > Advanced Configuration > Authentication > Local User Groups > New, enter the following, leave the other settings as they are, and then click Save: User Group Name: Employees-PPSK Description: For all employees using private PSKs Automatically generated private PSK users: (select) User Profile Attribute: 10 User Name Prefix: Corp Private PSK Secret: Click Generate. 2. To create private PSK users and assign them to the group, click Configuration > Advanced Configuration > Authentication > Local Users > Bulk, enter the following, leave the other settings as they are, and then click Create: Create Users Under Group: Employees-PPSK Number of New Users: (enter the number keys that you estimate you need for the size of your company, keeping in mind that many people carry more than one wireless mobile device) Description: For all employees Email Notification: Enter the name of the administrator responsible for distributing private PSKs to the employees. (To set or check the HiveManager email settings, click Home > HiveManager Services, and then expand Update Email Service Settings.) 3. In the Configuration section of the GUI, create a new network policy that supports wireless access and branch routing or edit an existing one. (The configuration is simpler if you use an Aerohive router as the RADIUS server and private PSK server—note that the BR100 does not support RADIUS server functionality. However, you can configure an AP as a RADIUS server and as a private PSK server if it has static network settings.) 4. Click Choose for SSIDs, click New, enter the following, leave the other settings as they are, and then click Save: Profile Name: Corp-Emp-PPSK SSID: Corp-Emp-PPSK (automatically entered) Private PSK: (select) Enable private PSK self-registration: (select) Registration SSID: Emp-Connect (This is an open SSID to which employees initially associate to enroll. After they successfully enroll, they then automatically transition to Corp-Emp-PPSK.) Enable Client Management: (select) 5. Highlight Corp-Emp-PPSK, and then click OK. To complete the configuration for the SSID, follow the steps below to apply the type of authentication and user profiles that you want to use: Authentication Click , highlight Employees-PPSK , and then click OK. Click , highlight BR_as_Private_PSK_Server , and then click OK. Click , click New, enter the following, leave the other settings as they are, and then click Save: Name: Enter a name for the captive web portal. Captive Web Portal Login Page Settings: Authentication

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 177 Client Management (Trial Version)

Click , and then click New. To use the Aerohive branch router as the RADIUS server, enter BR-RADIUS-Server in the RADIUS Name field, select Obtain an Aerohive RADIUS server address through DHCP options, and then click Save. User Profile Click Add/Remove, on the Default tab, highlight employee-access(30), select Enable user profile reassignment based on client classification rules, and then click Save. When finished, the full configuration for Corp-Emp-PPSK looks like this:

6. Click Edit for Additional Settings, expand Router Settings, click the New icon ( + ) for RADIUS Service, enter the following, leave the other settings as they are, and then click Save: Name: Corp-Emp-RADIUS Database Settings: Select Local Database and move Employees from the Available Local User Groups column to the Selected Local User Groups column. Optional Settings: Choose the following certificate and server key files: CA Cert File: ClientMgmt_CA.crt Server Cert File: ClientMgmt-Radius-Server_Crt.crt Server Key File: ClientMgmt-Radius-Server_key.pem 7. To enable RADIUS server functionality on the router for user authentication through the captive web portal, click Configuration > Devices > Routers > router_name, expand Service Settings, and select Enable the router as a RADIUS server. Because BR series devices do not support Client Management, you must disable the SSIDs with Client Management configured for them on the routers. By disabling these SSIDs, clients will not associate with them and then fail to enroll. Click Configuration > Devices > Routers > router_name, expand SSID Allocation, clear the check boxes for the Client Management-enabled SSIDs, and then click Save.

Because all APs support Client Management, an alternative approach is to use an AP330 or AP350 in router mode instead of using a BR series device. Then you do not have to disable the SSIDs on them.

8. To upload the network policy and certificates to your devices, click Configuration, highlight your network policy and click OK, and then click Continue to advance to the Configure & Update Devices panel. Select all your devices that you want to update. Click Settings and make sure that all of the check boxes at the bottom of the dialog box are selected so that HiveManager uploads not only the configuration but also all the web portal pages, certificates, and users required for Client Management to function, and then click Upload.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 178 Client Management (Trial Version)

PSK PSK uses an open SSID with a captive web portal requiring user authentication for enrollment, and a PSK SSID for access. In this approach, as with private PSKs, a user associates with two different SSIDs. First, the user accesses an open SSID with a captive web portal requiring him to submit a user name and password to register. After a successful registration, the AP redirects the client to the enrollment page on the Client Management cluster. When the cluster sends the Wi-Fi configuration through APNS to the client, it includes an encrypted form of the PSK for use in the second SSID with which the client now connects automatically.5 The enrollment process is shown in Figure 4 on page 179.

Figure 4 Enrollment process with a PSK SSID

Settings Wi-Fi AP 1 2 AP Aerohive RADIUS server Corp-Emp-PSK > -> √ Emp-Access > New

New browser page -> captive web portal AP121 BR200-WP RADIUS

The user chooses Emp-Access, The user opens a new page The user submits a user name which is an open SSID used only in Safari and is redirected and password, which the AP for user registration. to the captive web portal. looks up on the RADIUS server.

Captive Enroll- Client Management To the 3 4 Settings web -> ment cluster Wi-Fi network... portal page √ Corp-Emp-PSK > Emp-Access >

AP Router HTTPS to the enrollment page HTTPS PSK The user can Notification APNS now access the network. HTTPS Wi-Fi config with PSK and client profile

After the user enrolls, the cluster The AP redirects the client to notifies the client through APNS The client automatically switches the enrollment page on the Client to install the Wi-Fi configuration, from the open registration SSID Management cluster and sends which contains the PSK, and client to the secure access SSID: the cluster the PSK. profile. Corp-Emp-PSK.

1. In the Configuration section of the GUI, create a new network policy that supports wireless access and branch routing or edit an existing one. (The configuration is simpler if you use an Aerohive router as the RADIUS server. Note that the BR100 does not support RADIUS server functionality. However, you can also configure an AP as a RADIUS server if it has static network settings.) 2. Click Choose for SSIDs, click New, enter the following, leave the other settings as they are, and then click Save: Profile Name: Corp-Emp-PSK SSID: Corp-Emp-PSK (automatically entered)

5. Although Apple devices running any version of iOS can automatically switch to the access SSID, Apple devices running OS X 10.7 and OS X 10.8 cannot. Users with client devices running these versions must switch to the new SSID manually.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 179 Client Management (Trial Version)

WPA/WPA2 PSK (Personal): (select) Key Value and Confirm Key Value: Enter a PSK text string for users to enter. Enable Client Management: (select) Provisioning SSID: Access-PSK (This is an open SSID to which employees initially associate to enroll. After they successfully enroll, they then automatically transition to Corp-Emp-PSK.) 3. Highlight Corp-Emp-PSK, and then click OK. To complete the configuration for the SSID, follow the steps below to apply the type of authentication and user profiles that you want to use: Authentication Click , click New, enter the following, leave the other settings as they are, and then click Save: Name: Enter a name for the captive web portal. Registration Type: User Authentication Captive Web Portal Login Page Settings: Self-registration Click , choose an existing configuration that defines the Aerohive branch router as the RADIUS server, and then click Save. If you do not already have such a configuration object, click New, enter BR-RADIUS-Server in the RADIUS Name field, select Obtain an Aerohive RADIUS server address through DHCP options, and then click Save. User Profile Click Add/Remove, on the Default tab, highlight employee-access(30), select Enable user profile reassignment based on client classification rules, and then click Save. When finished, the full configuration for Corp-Emp-PPSK looks like this:

4. Click Edit for Additional Settings, expand Router Settings, click the New icon ( + ) for RADIUS Service, enter the following, leave the other settings as they are, and then click Save: Name: Corp-Emp-RADIUS Database Settings: Select Local Database and move Employees from the Available Local User Groups column to the Selected Local User Groups column. Optional Settings: Choose the following certificate and server key files: CA Cert File: ClientMgmt_CA.crt Server Cert File: ClientMgmt-Radius-Server_Crt.crt Server Key File: ClientMgmt-Radius-Server_key.pem 5. To enable RADIUS server functionality on the router for user authentication through the captive web portal, click Configuration > Devices > Routers > router_name, expand Service Settings, and select Enable the router as a RADIUS server.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 180 Client Management (Trial Version)

Because BR series devices do not support Client Management, you must disable the SSIDs with Client Management configured for them on the routers. By disabling these SSIDs, clients will not associate with them and then fail to enroll. Click Configuration > Devices > Routers > router_name, expand SSID Allocation, clear the check boxes for the Client Management-enabled SSIDs, and then click Save.

Because all APs support Client Management, an alternative approach is to use an AP330 or AP350 in router mode instead of using a BR series device. Then you do not have to disable the SSIDs on them.

6. To upload the network policy and certificates to your devices, click Configuration, highlight your network policy and click OK, and then click Continue to advance to the Configure & Update Devices panel. Select all your devices that you want to update. Click Settings and make sure that all of the check boxes at the bottom of the dialog box are selected so that HiveManager uploads not only the configuration but also all the web portal pages, certificates, and users required for Client Management to function, and then click Upload. Monitoring Clients After clients are enrolled, you can view them on the Monitor > Clients > Enrolled Clients page. You can see the device name, user name (learned through RADIUS), enrollment status, ownership type (CID or BYOD), MAC address, iOS version, device model, and the time of its most recent wireless connection. To see more device details, click the device name. You can see information such as its battery level, storage usage and capacity, apps installed on the device (up to a maximum of 10), and restrictions imposed through client profiles. To see the most up-to-date client information, select the check box for a client about which you want to view detailed information, and then click Operation > Refresh Clients before clicking the client name to view detailed device information. Besides refreshing client data, here are the other operations that you can perform on enrolled clients: Unenroll Clients: This removes client profiles, Wi-Fi configurations, and certificates installed on the selected client devices and from the Client Management cluster database. If a user manually removes the profiles from his client device, it sends a notification to the APNS server, which notifies HiveManager through the Client Management cluster. The cluster also polls the client periodically through APNS to check the status of the installed profiles. If the user deletes the profiles while his device is offline, the Client Management cluster will discover this when the client does not respond to the APNS poll it sends when the client reconnects to the enrollment page. Basically, the behavior is exactly the same whether the HiveManager admin or the user unenrolls the client.

If a user manually deletes the profile from an Apple device running OS X 10.7, the device does not send a notification and does not respond to polling requests. As a result, the Client Management cluster cannot discover that the profile has been deleted. To resolve this situation manually, use the Operation > Delete Clients option described next. Apple devices running OS X 10.8 also do not send a notification when a profile is deleted. However, they do respond to polls, so the situation will resolve itself automatically.

Delete Clients: This deletes entries for selected clients from the Client Management cluster database. You can use this operation to resolve any client status mismatch that might arise between the database and a client. Lock Clients: This locks selected client devices. If a passcode is enabled on a device when you perform this operation, the user must enter it to regain access to the device. Clear Passcode: This option clears the passcode for a device. It is useful if a user forgets it and cannot access the device.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 181 StudentManager Enhancements

Wipe Clients: This operation removes all data from selected devices. Note that it can only be applied to CID devices. (Exercise great caution before performing this operation.) If you experience any difficulty with the client enrollment process, ensure that there are no firewalls blocking the following services:

Source Destination Service (Protocol and Port)

Apple client devices APNS TCP 5223

Aerohive APs APNS TCP 5223

Client Management cluster APNS TCP 2195, TCP 2196

HiveManager Client Management cluster HTTPS, TCP 443

Apple client devices Client Management cluster HTTPS, TCP 443

Aerohive APs Client Management cluster HTTPS, TCP 443

StudentManager Enhancements

StudentManager includes a number of additional features and enhancements. In addition to interfacing with PowerSchool SIS (Student Information System), StudentManager now also seamlessly interfaces with Aeries SIS. This allows StudentManager to import and synchronize data from the Aeries system, and to manage the schedules, classes, teachers, and schedules. StudentManager in turn leverages the capabilities of HiveManager and TeacherView, providing centralized, fully manageable scheduling and control structures. For student information systems with which StudentManager does not interface natively, StudentManager has the ability to interface with them by means of a RESTful API. Using the RESTful API, StudentManager can access and manipulate the database object of third party student information systems, allowing you to centralize control of otherwise unsupported systems. You can find more information in the StudentManager API Guide.

Configuring StudentManager to Operate with Aeries SIS You must configure StudentManager to work with Aeries by providing StudentManager with the credentials and the name of the Aeries database you want to integrate. Do the following to configure StudentManager: 1. Log in to StudentManager as the administrator with super user privileges. 2. Click TeacherView > SIS Configuration, enter the following information, and then click Save: SIS Type: Aeries: Aeries Server IP Address: Enter the IP address of your Student Database Name: Enter the name of the Aeries database whose data you want to use. User Name: Enter the Aeries database username. Password: Enter the password for your Aeries database. Description: Enter a brief, helpful description of the configuration.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 182 MyHive and HiveManager Initial Login Changes

3. Select Enable Automatic Schedule Sync from SIS to synchronize the schedules between StudentManager and Aeries. When you synchronize schedules, the following actions are taken: • Any schedule that exists in StudentManager but not in Aeries, is created. • Any schedule that exists in Aeries but no in StudentManager, is deleted. • When a schedule exists in StudentManager and Aeries, StudentManager overwrites the contents of the Aeries database with StudentManager contents.

MyHive and HiveManager Initial Login Changes

This release introduces a new user experience for system administrators logging into a new version of HiveManager. The experience differs for system administrators of on-premises HiveManager, HiveManager Online, and on-premises HiveManager with the Redirector. Three new screens have been added to the on-premises HiveManager and HiveManager Online log in experience. The Review Inventory page provides a list of Aerohive devices. For on-premises HiveManager, this page displays the total number of Aerohive devices connected to HiveManager at login. For HiveManager Online, this page displays a list of Aerohive devices that have been licensed to your organization, including the device type, as well as the total number of Aerohive devices. The next screen, Activate License, displays license and entitlement key information and allows you to active your license. The Management Settings page requires you to change the default password, choose the Express or Enterprise mode, and select a time zone. (A system administrator who deletes the HiveManager database will see the Review Inventory and Management Settings pages. However, the Activate License page is not displayed in this case.) After you have completed these changes, a Congratulations! page is displayed. When you exit this page, the HiveManager Configuration panel is displayed. For on-premises HiveManager with the Redirector, there is a new login page. In addition to the new pages described above, existing HiveManager Online system administrators will notice a new welcome screen in MyHive and that there is no longer a separate Redirector that is visible from this page. Instead of an external Redirector, you can use the HiveManager Online interface to redirect, or add and remove, devices. Within HiveManager Online, a new Remove button, available from the Configuration and Monitor pages, permits you to remove a device from your HiveManager network, the serial number of the device from the HiveManager database, and the configuration from the device. Using this command, the device does not automatically reconnect to the HiveManager network. To add a device back into the network, you will need to select the Add button from the Monitor or Configuration page and supply the serial number of the device. As a result, you will want to record the serial number of any devices that you may want to add back onto your HiveManager network. For on-premises HiveManager and on-premises HiveManager with the Redirector, the new Remove button permits you to remove devices from the HiveManager network as well as remove the configuration from the device.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 183 MyHive and HiveManager Initial Login Changes

Also, a new option in the Utilities pull down menu, Reset Device to Default, is available from the Monitor and Configuration pages in HiveManager Online, on-premises HiveManager, and on-premises HiveManager with Redirector. This option allows you to reset APs, branch routers, switches, and VPN gateways. The Reset Device to Default option removes the device configuration from the device and from HiveManager. Then the device reconnects to the HiveManager network automatically.

Logging in to On-Premises HiveManager and HiveManager Online This procedure describes how to log in to on-premises HiveManager and HiveManager Online using the new log in pages. 1. For on-premises HiveManager, log in to HiveManager with the default user ID (admin) and password (aerohive). Then continue with step 4. For HiveManager Online, log in with your username and password using the following screen. Then click Login. If you do not already have an assigned username and password, you can use the default values of username (admin) and password (aerohive).

2. For HiveManager Online, the Dashboard page is displayed.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 184 MyHive and HiveManager Initial Login Changes

3. Select go! under HiveManager Online. 4. For both HiveManager Online and on-premises HiveManager, the License Agreement page is displayed. Read through the agreement and click Agree to continue. The Review Inventory page is displayed. It provides a list of devices that have established a connection to HiveManager as well as Aerohive devices that are not currently connected. Devices find HiveManager through DHCP, DNS, or a local CAPWAP connection. 5. Click Next.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 185 MyHive and HiveManager Initial Login Changes

6. The Activate License page is displayed.

Complete the following fields, and then click Next. Entitlement Key: The license key for your on-premises HiveManager product is populated automatically. This field also lists the number of devices that can be managed by this license as well as the expiration date of the license. For on-premises HiveManager: Add another entitlement key: Select this field to enter additional keys for your HiveManager network. After you select it, the Enter entitlement key field is displayed. Enter the entitlement key and click Activate. For HiveManager Online: Use 30 day trial appears instead of the Add another entitlement key field. You have the option to select this field instead of supplying an entitlement key.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 186 MyHive and HiveManager Initial Login Changes

7. The Management Settings page is displayed.

Change the following fields where indicated and then click Finish. HiveManager Username: This field displays the user name that you used to log on. Password: You must change the default password (aerohive) to complete the log in process. Enter a new password in this field that consists of 8 to 32 characters and then retype the password in the following field to confirm. You can clear the Obscure Password field to display the password in plain text. Administrative Mode Express Mode: Express mode provides a simple set of configuration components designed for managing a single network. This is the default setting. If you choose this mode, you can switch to Enterprise mode later and HiveManager will automatically convert your settings in Express mode to Enterprise mode. However, if you select Enterprise mode first, you cannot switch back to Express mode and preserve your settings. To change from Enterprise to Express mode, you must erase the database, reboot HiveManager, and then choose Express mode after you log back in.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 187 MyHive and HiveManager Initial Login Changes

Enterprise Mode. Enterprise mode provides a complete set of configuration components for managing multiple networks that require more advanced settings. If you select this mode, the Update default preshared key for device virtual access console field is displayed. If you select this field, you can enter the preshared key for a Virtual HiveManager. You can clear the Obscure Password field to display the preshared key in plain text. Administrator’s Time Settings Country: This field only appears in HiveManager Online. Use the scroll bar to select a country. The country the you select filters the list of time zones available in the Time Zone field. For example, if you select “United States” as the country, only four time zones are displayed. Time Zone: In on-premises HiveManager, this field is automatically set to the time zone location of the server that is running HiveManager. Use the scroll bar to change the time zone setting. Current Time: This field displays the current time of the time zone selected. 8. The Congratulations! page is displayed. Press Configure to continue to the HiveManager Configuration panel.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 188 MyHive and HiveManager Initial Login Changes

Logging in to On-Premises HiveManager with Redirector This procedure describes the new log in page when logging in to on-premises HiveManager with Redirector. 1. Log into the redesigned MyHive page by entering your username and password. Then press Login.

2. The Device Redirection Info page is displayed. It is unchanged from previous releases. Continue to use Redirector as in previous releases.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 189 ID Manager GUI Enhancements

ID Manager GUI Enhancements

This release introduces a new look for the ID Manager administration interface, including a procedure that allows HiveManager customers to request a free 30-day trial. In general, the functions and actions available in the new ID Manager administration interface are the same as in previous versions. The major change in this release is the look and feel of the interface, the ability to request a free 30-day trial account, and the addition of two new features: Anonymous Access and Self-Registration. For more information about these features, see "Anonymous Access" on page 164, and "Self-Registration" on page 166.

ID Manager Free Trial Account HiveManager Online customers who want to try ID Manager can now request a free 30-day version directly from their MyHive dashboard. They are directed through a series of steps through which they access the Configuration section in HiveManager, configure a guest SSID and request and activate the free ID Manager account for that SSID. These steps are described below.

Super administrators can also request free trials directly for their customers from HiveManager.

To request and activate a free version of ID Manager, follow these steps: 1. Click the Request a trial button under ID Manager on your MyHive dashboard.

The Request a trial button disappears from the MyHive page after it has been used once.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 190 ID Manager GUI Enhancements

2. In the Update Customer Info dialog box, complete the fields and click OK.

3. In the Sign up for an ID Manager Trial dialog box, select the number of guest accounts you want. If you want to allow your employees to use ID Manager to register guests, select the Enable directory integration check box and enter your domain name. (For more information about employee sponsorship, see the ID Manager online Help). Click Create my free trial.

4. In the Welcome to Aerohive window, enter and confirm a new password, select a language, time zone, and date format, then click Continue.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 191 ID Manager GUI Enhancements

5. You should now see a go! button in the ID Manager section on your MyHive dashboard. Do not go to ID Manager yet. First you must go to HiveManager Online to create a Guest SSID and enable ID Manager in HiveManager. From this window, click the link for your HiveManager Online account.

6. In the HiveManager Welcome window, click the Use 30 day trial link.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 192 ID Manager GUI Enhancements

7. In the Management Settings window that appears, enter the following information and then click Finish. HiveManager: Password: Enter and confirm a password for your HiveManager account. The password can contain between 8 and 32 characters, including upper- and lower-case letters, numbers, and punctuation. To view the characters as you type, clear the Obscure Password check box. Console Mode: Select either Express or Enterprise mode, depending on your network requirements. You can easily upgrade to Enterprise mode at a later date if you need to, but you cannot downgrade from Enterprise Mode to Express Mode. Administrator’s Settings: Select a country and a time zone.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 193 ID Manager GUI Enhancements

8. Click the Configure button in the Congratulations! window. You are taken to the Express or the Enterprise HiveManager Configuration page where you will configure a guest SSID and enable your ID Manager account.

9. In the Configuration panel, click the Choose button in the SSID section, enter the following information, and then click Save: Profile Name: Enter a name for your guest SSID. The name can contain up to 32 characters, including spaces. SSID: Use the same name as the SSID profile name or enter a different one. This is the name that wireless clients receive in beacons (unless you choose to hide the SSID). The name can be up to 32 characters long and—unlike the profile name—can include spaces. SSID Broadcast Band: Select 2.4 GHz & 5 GHz Description: Enter a brief description for this SSID. The description can contain up to 64 characters, including spaces. In the SSID Access Security section, select Open. Use Aerohive ID Manager: if your free trial version was created successfully, you should see a check box to enable ID Manager. Select the check box to enable ID Manager. 10. Complete the guest SSID and user profile configuration and upload the configuration to the Aerohive devices on which you want to try ID Manager. When you return to the ID Manager Home page, you will see a progress bar that tells you when your free trial will expire. Click either of the links in this area for information about how to purchase ID Manager.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 194 ID Manager GUI Enhancements

ID Manager Initial Customer Experience The following section describes the first-time login experience for ID Manager customers. When you purchase ID Manager, you will receive an email with your initial login credentials (including a link to your MyHive account, a user name and a MyHive password). When click the link, you will see the new MyHive login window.

Enter the user name and password that you received in the email message and click Login. The Welcome to Aerohive window appears. This window is where you can change your MyHive and HiveManager passwords. This window is shown below:

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 195 ID Manager GUI Enhancements

The process to change your MyHive settings in this window is identical to previous versions. Once you have completed these steps, the new MyHive dashboard is displayed, as shown here:

Select go! to see the new ID Manager Home page, as illustrated below.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 196 ID Manager GUI Enhancements

The new ID Manager Home page contains three sections that replace the links on the home page of previous versions: • Connect: This section replaces the Configure your network to support ID Manager link in previous versions. Click Show Me How to see the steps you take to link ID Manager to your network, and view a list of your active HiveManager accounts (VHMs). Click the name of a HiveManager account (VHM) to go to the HiveManager Configuration tab in a new window. • Manage Guests: This section replaces the Create and manage guest accounts link in previous versions. In this section you can see the number of connected guests and the total number of guest accounts you have created. Click any number (except 0) for more information. This section also provides a list of all of the guest types you have created. Click any guest type name to see more information. Click the Add New Guest link to see a dialog box where you can quickly add an individual guest account. Click the Guest Account Management link to go to a new window where you can create individual guest accounts, create a bulk guest list (for example, a group of guests who are scheduled to arrive at the same time for the same purpose such as a board meeting), reset a guest password, import a .csv file of guest information, remove guests, and export spreadsheet file of guest data. • Authorize: This section replaces the Create and manage ID Manager administrators and operators link in previous versions. Click Tell Me More to see a description of the default admin types (Admin, Operator, and Monitor). In this section you can see a list of all current ID Manager administrators, identified by type. Click any number to for more information about that group of administrators. Click Add to create a new admin. There are five tabs at the top of the new ID Manager Home page: • Home: The ID Manager Home page. Click this tab from any other page to return to the home page. • Monitor: Click this tab to see ID Manager logs and reports. • Configuration: Click this tab to create new guests or guest types. You can also reach this page by clicking the Guest Account Management link in the Manage Guests section on the Home page. • MyHive: Click this tab to return to your MyHive dashboard. • Registration GUI: Click this tab to open a new window containing the ID Manager registration interface.

The New ID Manager GUI - Additional Changes Although the functionality of most of the ID Manager administration GUI pages remains the same, the appearance has changed significantly in many cases. This section describes the most obvious differences. The Configuration Page: The default view (Guest Accounts) of this page displays information about all active guests and guest types. From this page you can create new guest accounts, either individually or in bulk, import .csv files for large groups of guests, export spreadsheet files, change passwords, and add or remove guests. Under the Guest Type tab you can add, clone, or remove guest types. The panel on the left side of this page provides these additional views: • Supported Networks: This view shows activity for your ID Manager SSIDs, including the number of guest accounts and the number of currently-connected guests for each SSID. • Admin Accounts: This view shows detailed information about all ID Manager administrators and Admin Groups.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 197 ID Manager GUI Enhancements

• ID Manager Settings: This view contains the following pages: • Registration GUI: This page is where you can customize the registration interface by changing the background color and logo, define the format of private keys, and configure what is displayed in the panels of the registration GUI and the Registration kiosk. In addition, you can configure a one-time login captive web portal for the Self-Registration feature on the CWP based Registration tab. • Employee Sponsorship: (Previously released.) This page is where you make changes to your employee sponsorship settings. • Authentication Options: This page is where you apply advanced authentication options, including third-party RADIUS client access, or enable the authentication proxy feature (previously released). • The Monitor page: This page displays detailed information about your ID Manager account activity and contains two subsections: • Logs: From this view you can see five types of logs and customize the time period for which the logs are kept. • Reports: From this view, you can see six different reports, customize the duration covered by these reports, and export the reports in spreadsheet (.xls) format.

P/N 330105-01, Rev. C

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 198 Aerohive 6.0r1 and 6.0r2 New Features Guide

Aerohive 6.0r1 and 6.0r2 New Features Guide

This guide describes the new features and feature enhancements introduced in the HiveOS and HiveManager 6.0r1 and 6.0r2 releases, primarily in the areas of configuration usability, reporting and the dashboard, topology, Bonjour Gateways, StudentManager, and support for the new SR2024 platform.

New Features and Feature Enhancements

Several new features and feature enhancements have been introduced in the HiveManager 6.0r2 release. You can read summaries of these features and enhancements below. Major features are covered in more detail in individual sections later in this guide. For more information about known and addressed issues for this release, refer to the Aerohive 6.0r2 Release Notes.

New Hardware Platforms SR2024: This release introduces the SR2024 switch, the first in the Aerohive SR series of switches that provide Layer 2 wired network access. Aerohive switches are configured, managed, and monitored through the cloud-enabled HiveManager and run HiveOS. The SR2024 switch provides twenty-four non-blocking 10/100/1000 copper RJ-45 Ethernet ports, eight with 802.3af and 802.3at PoE capability. This switch also provides four 1-gigabit SFP ports, an RJ-45 console port, and a 3G/4G USB modem port. You can configure the switch to function as a router, which provides Layer 2 switching with integrated routing capabilities.

When you configure the switch to operate as a router, you must have at least one switch port configured as a WAN interface to provide Internet access.

HiveManager Appliance: This release also introduces the new 1U HiveManager Appliance with a global power supply, six gigabit Ethernet ports, 8 gigabytes of memory, an RJ-45 serial console port, two USB 2.0 ports, a 500-GB hard disk drive. It supports up to 8000 Aerohive devices and provides up to one year of data retention.

New and Enhanced 6.0r2 Features The following are the new features and feature enhancements in the HiveOS and HiveManager 6.0r2 releases. Application Visibility and Control: Aerohive has added application awareness and intelligence to allow administrators to monitor traffic usage patterns on wireless networks as well as create policy rules to prioritize or block specific applications. Aerohive devices support over 700 application signatures, including those for Gmail, Skype, and Facebook, allowing you to monitor the specified applications on APs and branch routers from HiveManager or HiveManager Online. After you monitor application usage, you can prioritize applications for certain users or permit or deny traffic to and from specified endpoints based on application type. For instance, you can block Facebook applications, but allow access to the Facebook wall. In addition, you can create hourly, daily, and monthly reports on the top applications as well as the top users. To display application data in a perspective on the dashboard or schedule reports that contain application data, you must select specific applications.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 199 New Features and Feature Enhancements

WMM-AC (Admission Control): The AP121, AP141, AP330, and AP350 support WMM-AC, which uses QoS controls and bandwidth management techniques to augment existing WMM capabilities. It does this by monitoring the channel conditions and load to determine whether a device can support the traffic requested to be transmitted, and them making decisions regarding whether to allow them to transmit. Voice Enterprise (802.11k/r/v): Aerohive devices now support 802.11k, which allow wireless devices to exchange information regarding the radio link performance and the radio environment. Aerohive devices use Voice Enterprise to exchange neighbor information, channel load information, and so on. Aerohive devices are also capable of fast BSS (basic service set) transition. Using 802.11r fast BSS transition, wireless client authentication keys are forwarded to neighboring Aerohive devices to avoid time consuming reauthentication when the client device transitions from one AP to another. In addition, Aerohive devices can now take advantage of the WNM (wireless network management) protocols defined in 802.11v to exchange information regarding the network topology, channel usage, and SSID list. Using 802.11v in conjunction with 802.11r and 802.11k allows Aerohive devices to optimize the network cooperatively so that sensitive voice-enabled clients can operate more smoothly and consistently. Protected Management Frames (802.11w): Using 802.11w, devices are capable of encrypting 802.11 management frames, protecting them against malicious alteration, retransmission, and spoofing. Aerohive Router NAT and Port Forwarding: To route traffic through VPN tunnels connecting multiple branch sites with duplicate IP addresses at each site, you can apply NAT on the router tunnel interfaces. The routers translate the local addresses to a unique set of NAT addresses (unique within the entire private network, that is). This enables users at various sites to access resources at other sites. You can also configure port forwarding on routers so that users on the public network can reach servers on the private network behind the routers. Policy-based Routing Enhancements: Introduced in this release is a broader selection of source traffic types, providing greater flexibility in creating custom routing policies. With policy-based routing, outgoing traffic is first filtered through a set of rules and then given special processing or dropped, depending on the set of rules you configure and apply. This enhanced policy-based routing feature allows you to route packets arriving at your Aerohive router from different sources to the same or a different destination. In addition to the source user profile, you can define Aerohive routing policy rules based on different types of source traffic: an IP address range, a specified network, an ingress interface, or any traffic source type. You can choose the destination of the traffic to which you want to apply a rule using the destination drop-down list: any, IP range, network, host name, or private. The router enforces the rules in the order of their position in the policy rules list Bonjour Gateway Enhancements: Bonjour Gateways can now filter which services to share with each other based on VLANs and distance by creating policy rules governing how BDDs (Bonjour Designated Devices) in specific source and destination VLANs share services with each other. You can also specify how many subnets/VLANs apart one BDD can be from another for them to be able to advertise services that they share with each other. With these Bonjour Gateway feature enhancements, you have finer control over which services BDDs can share and with whom they can share them. Classification Tags to Distinguish Device Templates: If you require different port configurations for the same type of device and function in the same network policy, you can distinguish them through device classification tags. This legacy feature has been enhanced in this release to provide simplified configuration and monitoring for custom groups of devices and configuration exceptions. For example, you can classify devices and then use that classification to filter the display of information for just those devices in the dashboard. This supports the concept of virtual stacking, or cloud-enabled stacking.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 200 New Features and Feature Enhancements

Reporting Enhancements: This release introduces two predefined report templates to the Reports > Network Summary section. An easy-to-use work flow guides you through the process of creating custom reports using the same reporting widgets that are available on the dashboard. The following new templates have been added: Network Summary: Provides a quick view of your network activity by user, client, bandwidth, and device. System Summary: Provides a quick view of your system statistics, including version, security, active devices, and audit logs. HiveManager Dashboard Enhancements: The 6.0r2 release introduces additional dashboard widgets and a greater level of drill-down capacity for network details. (See also the New HiveManager Dashboard feature summary in the "New and Enhanced 6.0r1 Features" section below.) Mobile Device Management Integration with AirWatch: Aerohive can now integrate with AirWatch to provide mobile device management for iOS, Mac OS, Symbian, Blackberry, and Android. MAC-based Authentication on Router Ethernet Ports: Port access control authentication is now available on Aerohive BR200 series routers, BR100 router, Aerohive AP330 and AP350 access points when configured to function as routers, and Aerohive SR2024 Switches for wired ports using MAC-based authentication. You can choose either MAC-based authentication or IEEE 802.1X (RADIUS) authentication for primary and secondary access authentication. Aerohive devices in router mode can provide a certain level of network security by using MAC-based authentication with older devices that do not support 802.1X authentication. When a device connects to one of the Ethernet ports on a router, it submits the MAC address of the device as both a user name and password to the RADIUS authentication server. If the submitted credentials match a user account on the server, the device is authenticated and the router gives it network access as defined by the parameters of the applicable user profile. If not, the router denies network access to the wired device. Captive Web Portal Localization: Aerohive captive web portals support the display of default web portal pages in multiple languages. TeacherView MAC Authentication Support: When using StudentManager, you can now configure TeacherView to authenticate students by their client MAC addresses. Using MAC authentication allows device-specific access to the TeacherView-mediated network and its resources. StudentManager Database Integration: You can now integrate StudentManager with third-party student information system databases using the REST (Representational State Transfer) protocol and the RESTful API. The REST protocol, implemented on StudentManager, allows you to send queries to the StudentManager database by entering a URL containing the query into a browser, at which time the browser executes the query using HTTP.

New and Enhanced 6.0r1 Features The following are the new features and feature enhancements in the HiveManager 6.0r1 release. Unified Network Policy Configuration: Several significant enhancements have been made to network policies in HiveManager 6.0r1. You can now use the same user profile in different network policies but have different VLANs for each one. Also, network objects are no longer bound to user profiles for use by router interfaces, eliminating the distinction between Layer 2 and Layer 3 user profiles. In HiveManager 6.0r1, you map VLANs to networks at the network policy level. Instead of LAN profiles, which were used for configuring the LAN ports on routers, you now configure ports for both routers and switches through device templates and port type definitions. Finally, you can specify one or more deployment requirements for the network policy in any combination: wireless access, switching, branch routing, and Bonjour Gateway. By choosing your deployment requirements, HiveManager automatically generates the appropriate configuration elements for you, which helps simplify the policy configuration process.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 201 New Features and Feature Enhancements

Topology (Maps) Enhancements: The Topology section has been renamed Maps and contains both the planning tool and the network mapping features. Both planning and mapping functions have been greatly enhanced with the addition of the following features: • Google Maps: HiveManager Maps is now linked to Google Maps to give you a precise view of your building or campus. Use the Google Maps view (called Street Maps in HiveManager) to draw your building perimeters, or create your own perimeters from a floor plan. Google Maps eliminates the need to manually import floor plans. Addresses are geocoded and maps are automatically generated. Google Maps is enabled by default for HiveManager Online accounts, and can also be used with HiveManager accounts on physical or virtual appliances after they are initialized through a URL registration process. HiveManager remembers zoom and pan activities for a map and presents the last view the next time you visit the map using the Home button. • Map Migration between HiveManager Online accounts: This release simplifies the process of moving or sharing maps and floor plans from one HiveManager Online account to another. You can now select a folder in the map hierarchy and export that folder and all its sub-folders, including background images, interior walls, perimeter walls, and the type, power, and channel settings of all planned APs. You can then import that information into another HiveManager Online account for use there.

Actual APs and devices are ignored in the export process.

• Reusable Floor Names: Unique floor names are no longer required for each building in your network hierarchy. Floor names are now automatically linked to their corresponding buildings. In drop-down lists, for example, floor names now always include the name of the building in which they are located. • Improved Internal Wall Creation: You can now clone and move internal walls for reuse on a floor plan. • Configurable Network Folder Sorting: You can now organize your network folders in alphabetical order or by the default method, which is the order in which they were created. Customizable Time Format: You can now configure HiveManager to display the proper time format for your location. The default has also been changed from MM-DD to MM-DD-YYYY. Network Summary Report: The Network Summary Report has been enhanced to build scheduled historical reports with customized report content. You can now customize report headers, footers, and logos. New HiveManager Dashboard: The 6.0r2 release introduces a completely customizable HTML5-enabled dashboard with nearly 100 widgets that HiveManager displays in perspectives, allowing you to group the information based on the information most pertinent to your needs. HiveManager provides four predefined perspectives: Network Summary, System, Troubleshooting, and Applications, which can be retained, modified, or deleted per administrator. You can create up to six perspectives (including the predefined ones if retained) with ten widgets each to provide information by application, user, client, Aerohive device, and a variety of other options. Configuration Object Classification: The classification of configuration object definitions has been revised to make their assignments and viewing easier. By default, HiveManager applies classification types to configuration object definitions in the following order: (1) device tag; (2) device name; (3) map name; (4) global. In 6.0r1, you can reorder which classification type takes precedence over another through an easy drag-and-drop interface. You can view the device tags that have already been created and assigned to devices so that you can simply choose them, saving time and avoiding potential misconfigurations. You can also rename classifier tags from “tag 1”, “tag 2”, and “tag 3” to other more meaningful names. Switch Features: The following features are available on the SR2024 switch: • Layer 2 Forwarding Database: An Aerohive switch can learn MAC addresses dynamically or you can configure them statically. The switch saves dynamically learned addresses in its Layer 2 MAC learning table. By default, a MAC address remains in the table for 300 seconds (five minutes) after the last

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 202 New Features and Feature Enhancements

communication from a device. After that, the switch deletes, or ages out, the MAC address from its table. You can set this idle timeout from 10 to 650 seconds (almost 11 minutes), or to never time out, as best suits the needs of your network. You can also add static MAC addresses to the forwarding database manually. When you add a static MAC address, it does not age out but remains there until you delete it. Finally, you can configure the switch to disable learning MAC addresses on specific VLANs or on all VLANs • Link Aggregation: You can configure up to eight physical ports to act as a single logical port (called a port-channel) on an Aerohive switch, increasing the effective bandwidth of the link and providing link redundancy. When you create a port-channel, the switch balances traffic across all physical ports by default using source and destination MAC addresses, IP addresses, and Port numbers in the frames, but you can also use MAC or IP addresses only. • LLDP Support: Aerohive switches support transmission and reception of 802.1AB LLDP ( Discovery Protocol). This provides a means for Aerohive switches to advertise identity, status, and capability information to neighboring devices and collect and retain similar information from them. • LLDP-MED Support: Aerohive switches support the use of LLDP-MED (LLDP Media Endpoint Discovery). LLDP-MED allows Aerohive switches to advertise location information to VoIP phones. • CDP Support: Aerohive switches support the reception of CDP (Cisco Discovery Protocol). CDP support allows Aerohive switches to receive and parse CDP frames, which allows them to coexist within a mixed-vendor network. • IGMP (Internet Group Management Protocol) Snooping: Aerohive switches are capable of monitoring IGMP transactions between multicast routers and client devices, and maintaining a local table of IGMP groups and group members. Aerohive switches use this information to track the status of multicast clients attached to the switch ports so that it can forward multicast traffic efficiently. Aerohive switches support IGMPv3, which provides the ability for a host to request or filter traffic selectively from individual sources within a multicast group, is backward compatible with both IGMPv2 and the original IGMP specification. • Port Mirroring: You can configure a physical port to produce a copy of all frames that are being sent or received through another physical port, port-channel, or group of ports and port-channels. In addition to monitoring specific ports, you can also configure Aerohive switches to monitor traffic bound to a specific VLAN. You can use port mirroring to monitor traffic out of band for troubleshooting, auditing, or intrusion detection without causing latency delays inherent when using in-band monitoring. • Spanning Tree Protocol: (802.1D, STP; 802.1w, RSTP) Aerohive switches support 802.1D STP (Spanning Tree Protocol) and 802.1w RSTP (Rapid STP). Switches use STP to negotiate links that have the lowest cost (highest bandwidth), to establish backup links where possible, and to prevent Layer 2 network loops, which can result in duplicate unicast frames and broadcast storms. • Traffic Storm Control: Aerohive switches can mitigate traffic storms due to a variety of causes by tracking the source and type of frames to determine whether they are legitimately required. The switches can then discard frames that are determined to be the products of a traffic storm. Within HiveManager, you can configure thresholds for broadcast, multicast, unknown unicast, and TCP-SYN packets as a function of the percentage of interface capacity, number of bits per second, or number packets per second. • Port- and MAC-based 802.1X Authentication: Aerohive switches support robust port-based and MAC-based 802.1X authentication of clients. When using port-based 802.1X authentication, you can configure the switch to allow a single client per port, multiple clients within a single domain and VLAN, or multiple clients across multiple domains. When using MAC-based authentication, the switch compares the client MAC address with the MAC address that is in its database, and then either authenticates the client or denies the client access to the network. You can use both authentication modes simultaneously and specify which authentication mode you want to occur first. • Jumbo Frame Support: For a switch to support jumbo frames, you can set the MTU (Maximum Transmission Unit) for its Ethernet interfaces as high as 9600 bytes. This setting is in the Advanced Settings section on the device settings page.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 203 Application Visibility and Control

Application Visibility and Control

HiveManager version 6.0r2 supports the application visibility and control feature that monitors application usage as well as controls access to applications by assigning them priority levels or by blocking them for different types of users. This feature provides your network with application awareness and intelligence so you can be sure you are using your network bandwidth efficiently as well as direct bandwidth usage to your most important applications. In addition, you make these changes on user profiles, allowing different types of users their own access levels. DPI (Deep Packet Inspection) technology provides the contextual data regarding applications and users accessed on wireless networks. After you monitor the applications and users on your wireless network, you can configure individual user profiles with QoS and IP firewall settings. Then you use HiveManager to push user profiles to the APs. This technology enables you to create a monitoring list, or watchlist, of the applications running on your network. There are a maximum number of 30 applications permitted in the watchlist. Within this list, you can search for application groups, such as social networking, as well as drill down for a granular level of information about specific applications such as LinkedIn. For instance, you can view application usage for the last twenty-four hours as well as the last month. After you have configured your watchlist with applications, you can create a view, or perspective, of application usage and users. Each perspective provides graphs and charts to display data about application usage. There are six perspectives for each administrator and ten widgets are allotted to each perspective. The perspective also allows you to create hourly, daily, weekly, and custom views. Using the information from the watchlist and perspectives, you determine network policies for your company and optimize network performance with QoS (Quality of Service) prioritization of traffic as well as setting IP firewall rules-- both of which are applied to a user profile. The DPI engine extends application awareness to QoS and IP firewall. For QoS, you set marker maps to control the QoS queue assignments that are passed to the rest of the network. To ensure the prioritization of network traffic, you set rate control and queuing to assign different rate limits to each queue for individual user profiles. In addition, you can assign unique IP firewall policies to different user profiles, creating bidirectional policies to deny peer-to-peer applications such as Facebook. A firewall created on the allows you to block unwanted traffic at the edge of your network. In addition, the applications that you add to your IP firewall list are independent from the applications in the watchlist.

All Aerohive APs support complete application visibility and control functionality including reporting, firewall, and QoS. The BR200, BR200-WP, and AP330/AP350 in router mode support only the reporting component.

Before Setting Application Visibility and Control Before using the application visibility and control feature to gather meaningful data about the applications running on your network, you need to do the following steps: 11. Build a topology of your network. 12. Create your SSIDs and user profiles. Using at least two user profiles is recommended to obtain meaningful data. 13. Upload the configuration to all the APs on your network.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 204 Application Visibility and Control

Updating the Layer 7 Signature Files Aerohive periodically makes application signature file updates available. Use the following steps to update the signature files on your devices: 1. Click Configuration > Devices > All Devices, select the checkbox next to the devices that you want to update, and then select Update > Upload and Activate Application Signatures.

The selected devices must all be on the same platform.

2. From the Application Signature File drop-down list, choose a set of signatures that is appropriate for the platform you are updating. For instance, select the "AP120_all_plugins.tar.gz" to update AP120 devices. Click Upload. By default, the signatures are listed by name. To upload signature files by version number, click Settings, select the radio button next to Update by signature version, and then select the Save icon. You can also set the following: Connection Type: Enter the speed of the connection type, or leave it as Local Connection, which is the default setting. You can also select 128 Kbps, 256 Kbps, 1.5 Mbps (T1), or 2.0 Mbps (E1). Timeout: Enter the maximum number of minutes for downloading the application signatures. After this time, the connection is timed out. The default selection is 15 minutes. You can select a value between 15 minutes and 720 minutes. 3. To add Application Signature files to HiveManager you must be logged in as a super user. In this case, an Add/Remove button appears on the Upload and activate application signatures page. After you click this button, the Add/Remove Signatures page appears. Click Choose File and browse to the desired file on your system. The file name must end in ".tar.gz. Then click Upload.

The files listed on the Add/Remove Application Signature page are the HiveManager signature files.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 205 Application Visibility and Control

4. Repeat the previous steps to upload the latest signature files to other devices.

Creating an Application Watchlist You can create an application watchlist for your home VHM or HiveManager appliance when you are logged in with administrator privileges. Each VHM is limited to one application watch list. If you are an administrator with superuser privileges, you can only create a watchlist for your home VHM. The creation of an application watchlist involves the following steps: 1. Click Reports > Report Settings. 2. In the Application Watchlist section, the available applications are listed on the left. Click to the right of an application name to select it. (Selecting the application name itself causes a pop-up window with additional information about the application to appear.) Select up to 30 applications, and then click the right arrow ( > ) to move the selected applications to the Selected Applications list on the right side of the page.

To filter the application list by a specific application, select the radio button next to Application, enter an application name such as "EBAY", and then select the magnifier glass icon. To filter the list by application type, select the radio button next to Group and enter the group type, such as "web services" or "social networking", and then select the magnifier glass icon.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 206 Application Visibility and Control

3. Click Update at the top of the page. 4. Upload the configuration with the application watchlist to the APs.

Creating an Application and Users Perspective The creation of a new perspective of contextual application and usage data involves the following steps: 1. In the Dashboard section, select the New icon ( + ) to the right of the Troubleshooting tab.

2. HiveManager automatically names the new perspective "My Perspective". Select the following widgets from the left side of the page: • All Applications by Usage • Top 10 Watchlist Applications by Usage - Summary • Top 20 Watchlist Applications by Usage • Top 20 Users by Application Usage HiveManager automatically adds the widgets to the perspective in the order in which you select them. For example, it places the first widget that you select in the upper left corner of the page and then places the second widget to its right. It places the third widget in a new row below the first widget, and then the fourth widget to its right, and so on.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 207 Application Visibility and Control

3. Click Save. To change the name of the widget, double-click My Perspective to rename it. 4. You can create hourly, daily, and weekly reports by selecting the Last Hour, Last Day, or Last Week buttons on the top of the page. In addition, you can click Custom at the top of the page to create a custom report.

To confirm that a group of APs are reporting to the graph on the Dashboard, assign a unique tag or map to the group. For information about how to assign tags and maps, see the online help.

Editing an Application and Usage Perspective The editing the application perspective involves the following steps: 1. In the Dashboard section, select the application perspective. Then click the Edit button. The Applications drop box appears beneath the applications perspective.

2. Select or clear the check boxes of the widgets that you want to appear in the applications perspective. Then click the Save icon.

Editing the Report Settings If you are logged in with super user capabilities, you can make changes to reports. For instance, you can set the value of the Last Hour button on the Dashboard to increase the number of minutes between the time that reports are generated from 10 minutes to 30 minutes. These settings apply to the application reports as well as to all data base reports. If your HiveManager exceeds the maximum number of hourly, daily, or weekly records that you set here, the oldest data is dropped from the database. 1. Click Report > Report Settings, and scroll down to Application Report Settings.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 208 Application Visibility and Control

2. In the Generate report data field, use the pull-down menu to select the length of time (in minutes) that you want HiveManager to generate a report when you select the Last Hour button on the Dashboard. The default setting is a report generated every 10 minutes. You can choose a value between 1 and 30 minutes. 3. For Virtual HiveManager, set the maximum number of devices simultaneously allowed in last hour mode in a VHM. You select the number of devices on the Dashboard > Devices page. The default setting is 20 devices. If you increase the number of devices, you may experience a small impact in performance. 4. For a HiveManager appliance, set the maximum number of simultaneously allowed in last hour mode in a HiveManager. You select the number of devices from the Devices panel on the left side of the Dashboard. The default value is 100 devices. If you increase the number of devices, you may experience a small impact in performance.

The values in the Application Usage DB Settings fields apply to application reports as well as to all data base reports.

5. In the Application Usage DB Settings, change the following fields according to the needs of your database. If you exceed any of the limits set here, the oldest data is dropped from the data base: Max number of hourly records: Enter the maximum number of hourly records that you expect your database to retain. Max number of daily records: Enter the maximum number of daily records that you expect your database to retain.

Creating Application-based QoS and IP Firewall Policies You can control the flow of services identified at Layer 3 and 4 (network services) or at Layer 7 (application services) by using QoS to limit traffic flow and prioritize or deprioritize the transmissions and firewall rules to allow or block it. The configuration of QoS (Quality of Service) involves two major components: • A classifier map to map various applications in incoming traffic to Aerohive classes. Through this map, you can prioritize mission-critical applications by assigning them to higher classes and deprioritize others by assigning them to lower classes. After providing the scheduling and data rate limiting defined for that class of service, an Aerohive device can then map outgoing traffic to the appropriate QoS class for an 802.11e, 802.1p, or DiffServ classification system through the application of a marker map. This carries the QoS classification onward with the frame as the Aerohive device forwards it to the next forwarding device in the network. You apply classifier and marker maps to a network policy. • A rate control and queuing profile to define the scheduling and data rate limiting for traffic in all Aerohive QoS classes. You apply a rate control and queuing profile to user profiles. Each component of the QoS configuration is explained in the sections that follow. Aerohive provides two types of IP firewall policies: a network firewall policy that runs on Aerohive routers and applies to all traffic within a network, and an IP firewall policy that runs on Aerohive APs and applies to traffic belonging to specific user profiles. The first type of firewall identifies services at Layers 3 and 4 in the OSI model (the network and transport layers). The second type of firewall can identify services at the Layers 3 and 4 or at Layer 7 (the application layer) and will be the type of firewall described here immediately following the QoS configuration. Using this procedure, you can add QoS Rate Control and Queuing to a user profile.

Application-based QoS and IP firewall policies are only supported on APs. They are not supported on branch routers.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 209 Application Visibility and Control

Adding a Classifier Map to a Network Policy To create a classifier map for an existing network policy: 1. Click Configuration, highlight a network policy for a wireless deployment whose QoS and IP firewall settings you want to modify, and then click OK. 2. On the Configure Interfaces & User Access panel, click Edit next to Additional Settings, expand the QoS Settings section, and then click the New icon ( + ) next to Classifier Map. 3. Enter the following to begin creating a classifier map: Name: Enter a name for the classifier map. This is the name that will appear in the Classifier Map drop-down list in the network policy. Description: Type a useful note about the map for future reference. Services: Select the check box to display the Services table, which at this point just displays its heading. 4. Click the New icon ( + ) to the right of Logging, and then enter the following:

Service: From the drop-down list, choose Application Services. The Select Applications dialog box appears. Move the applications that you want to assign to an Aerohive QoS class from the Available Applications list to the Selected Applications list by clicking to the right of an application name and then clicking the right arrow. (Selecting the application name itself causes a pop-up window with additional information about the application to appear.) To filter the display of applications by application name or group name, enter all or part of a name in the Filter by field and click the magnifying glass icon.

5. When done, click OK. HiveManager returns to the Classifier Maps > New dialog box.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 210 Application Visibility and Control

6. Continue configuring the classifier map for the services you selected, and then click the Save icon at the right of the row: QoS Class: Choose the Aerohive class to which you want to map the selected applications. By default, the higher the class is, the higher its priority is. Action: Choose Permit to pass traffic through the APs. If you choose Deny, the APs will block it. The permit and deny actions in a QoS policy enable devices to enforce a simple stateless firewall policy that inspects packets individually, not within the context of an ongoing session. For example, a stateless firewall configured with a policy that permits outgoing requests does not associate the corresponding incoming responses as being related to the permitted outgoing requests. You must configure a separate policy permitting the return traffic. On the other hand, a stateful firewall maintains a table internally so that it can associate related outgoing and incoming traffic as part of the same session. A stateful firewall with a policy permitting outgoing traffic also permits the corresponding incoming traffic. Because the firewall policy that you will configure next for user profiles is stateful and provides more complete coverage, choose Permit here within the context of the classifier map and set your firewall policy rules in the next section. Logging: Select the check box to enable devices to log traffic that matches the service-to-Aerohive class mapping. (Devices log traffic whether the action is permit or deny.) The main use of logging traffic is to see if the devices are receiving expected-or unexpected-types of traffic when you debug connectivity issues. You can see the log entries in the event log on the devices (show logging buffered). Also, if you configure the device to send event logs to a syslog server, you can see the log entries there.

You can edit individual service-to-Aerohive class mappings by clicking the Edit icon (pencil) and remove them by clicking the Delete icon. 7. To add more application services to the classifier map, repeat the previous steps. When done, click the Save button in the upper right corner of the dialog box. 8. Choose the classifier map that you just created in the Classifier Map drop-down list. 9. You can also create a marker map to map classes from the Aerohive QoS class system to an 802.11e, 802.1p, or DiffServ classification system and apply that marking on all outbound traffic. Then the next forwarding device in the network can apply an appropriate level of service to the traffic it receives from the Aerohive device. (Because the creation and use of marker maps remains unchanged in this release, their configuration is not covered here. See the HiveManager Help for information about configuring marker maps.) 10. To add the classifier and marker maps to the network policy, click Save at the top of the Additional Setting panel. HiveManager returns to the Configure Interface & User Access panel.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 211 Application Visibility and Control

Adding QoS Rate Control and Queuing to a User Profile To create a rate control and queuing profile for an existing user profile: 1. In the Configure Interfaces & User Access panel in the Configuration section, select a previously configured user profile. 2. In the Edit User Profiles panel, expand the QoS Settings section, and then click the New icon ( + ) next to the Rate Control & Queuing Policy field. The Rate Control & Queuing dialog box appears.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 212 Application Visibility and Control

3. Enter the following, and then click Save: Name: Enter a name for the rate control and queuing profile. This is the name that will appear in the drop-down list in the network policy. Per User Rate Limits: Enter the maximum amount of bandwidth in Kbps that an individual member of this profile can use with a wireless client supporting the IEEE 802.11a/b/g and 802.11n standards. Class Number - Name: (read-only) This is a list of the eight Aerohive QoS classes identified by class number and name. Scheduling Type: Choose either Strict or Weighted Round Robin as the scheduling method which sets how the APs forward traffic. When you apply strict scheduling, APs forward traffic immediately; they do not queue it. When you apply weighted round robin, APs forward traffic in turns based on how traffic is weighted. APs forward traffic with a greater weight faster than traffic with a lesser weight. Scheduling Weight: This defines a preference for forwarding traffic using a weighted round robin scheduling discipline. The weight for one class of traffic is relative to the weights of other classes. A larger weight of one traffic class indicates a greater preference in relation to the weights of other classes. For example, if you use weights to give the forwarding of one class of traffic twice as much priority as another, the effect of weights 5 to 10 would be the same as 50 to 100 (where 10 and 100 weigh more than 5 and 50, respectively and, therefore, indicate greater preferences). Weight%: (read-only) This indicates an automatically calculated percentage of the weight of each class of traffic in relation to the weights of other classes. Policing Rate Limits for 802.11a/b/g and 802.11n: For each of the eight classes, you can set a different rate limit-for devices supporting the IEEE 802.11a/b/g standards and for those supporting 802.11n. The default rate limits for each class are as follows: 7 - Network Control: 512 Kbps for 802.11a/b/g and 20,000 for 802.11n 6 - Voice: 512 Kbps for 802.11a/b/g and 20,000 for 802.11n 5 - Video: 10,000 Kbps for 802.11a/b/g and 1,000,000 for 802.11n 4 - Controlled: 54,000 Kbps for 802.11a/b/g and 1,000,000 for 802.11n 3 - Excellent Effort: 54,000 Kbps for 802.11a/b/g and 1,000,000 for 802.11n 2 - Best Effort 1: 54,000 Kbps for 802.11a/b/g and 1,000,000 for 802.11n 1 - Best Effort 2: 54,000 Kbps for 802.11a/b/g and 1,000,000 for 802.11n 0 - Background: 2 - Best Effort 1: 54,000 Kbps for 802.11a/b/g and 1,000,000 for 802.11n You can change the traffic class rate limit to any number from 0 to the value entered in the Per User Rate Limit field. The maximum traffic class rate limit can be equal to, but not great than the maximum user rate limit. 4. Choose the policy that you just created from the Rate Control & Queuing Policy drop-down list. 5. For the policing rate limit, define the maximum traffic forwarding rate per user profile for each wireless mode. This is the maximum amount of bandwidth in Kbps that all users belonging to this profile can use. Aerohive devices control the maximum amount of bandwidth that all members in a user profile can use by enforcing a maximum rate limit. This limit applies to the cumulative, concurrent traffic of all the members belonging to a profile. 6. Continue to the next section to configure IP firewall policies for the same user profile.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 213 Application Visibility and Control

Application-based IP Firewall Policies You can create IP firewall policies that permit and deny traffic based on services identified at Layer 3 and 4 (network services) or at Layer 7 (application services). To configure an IP firewall policy based on application services for a user profile: 1. In the same Edit User Profiles panel where you configured the QoS settings in the previous section, expand the Firewalls section, and then click the New icon ( + ) next to the From-Access field under IP Firewall Policy. The IP Policies > New dialog box appears. 2. Enter the following, and then click Save in the upper right corner of the IP Policies > New dialog box: Policy Name: Enter a name for the IP firewall policy. This is the name that appears in both the From-Access and To-Access drop-down lists. You can use the same policy to control traffic in both directions or you can have separate policies for each direction. Description: Type a descriptive note about the policy for future reference. To add a rule to the policy, click the New icon ( + ) at the far right of the table heading row (next to the Logging column), enter the following: Rule ID: (read-only) HiveManager automatically generates an ID for each rule after you save the policy. Aerohive APs use these IDs internally. Source IP: Choose the IP address from which traffic initiates. If you do not see a previously defined IP object/host name that you want to use, click the Modify icon to modify an existing object or click the New icon ( + ) and define one. Destination IP: Choose the IP address to which traffic is sent. As with the source IP address, you can modify an existing IP object/host name or create a new one if necessary.

The predefined IP object/host name "any" is the equivalent of 0.0.0.0/0 and represents all IP addresses.

Service: From the drop-down list, choose Application Services. The Select Applications dialog box appears. Move the applications to which you want to apply the rule from the Available Applications list to the Selected Applications list by clicking to the right of an application name and then clicking the right arrow. (Selecting the application name itself causes a pop-up window with additional information about the application to appear.) To filter the display of applications by application name or group name, enter all or part of a name in the Filter by field and click the magnifying glass icon.

When done, click OK. HiveManager returns to the IP Policies > New dialog box.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 214 Application Visibility and Control

3. Click the Done icon at the right of the row. The services that you selected in the Select Applications dialog box appear in a list of IP policy rules.

4. Choose the pencil icon to edit the Action and Logging columns if necessary. 5. Use the all directional arrow in the far left of the table to reorder the policies if desired. The order of the rules is important because HiveManager begins its search with the first rule by looking at incoming frames for the source IP address, source port, destination IP address, destination port, action, and service. When HiveManager finds a match in a frame, it applies the rule. Then it searches for the same information in the second rule and so on. For more information about firewalls, see the online help. 6. Then click Save. The Configure Interfaces & User Access panel of the Configuration section appears. 7. Choose the IP firewall policy that you just created from the To-Access drop-down list. You can also choose it from the From-Access list or create another policy depending on your network security requirements. 8. To save the QoS and IP firewall policy settings and exit the Edit User Profile panel, click Save. 9. To upload the configuration to the APs, click Continue, select the APs to which you want to upload the configuration, and click then click Upload. This completes the configuration for traffic control based on application services.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 215 Voice Enterprise

Voice Enterprise

The Aerohive Voice Enterprise feature offers several controls to fine tune the ability of the network to handle voice traffic, allowing you to combine WMM-AC (Wireless Multimedia-Admission Control), radio resource measurement (802.11k), wireless network management (802.11v), and fast BSS transition (802.11r) into a customizable, comprehensive, and responsive network well-suited to voice traffic. On the AP121, AP141, AP330, and AP350, WMM-AC uses QoS controls and bandwidth management techniques to augment existing WMM capabilities. It does this by monitoring the channel conditions and load to determine whether a device can support the traffic requested to be transmitted. If the device determines that the current channel conditions cannot support the extra traffic, then it will deny the traffic, causing the transmitting station to seek another path. If the channel conditions are determined to be healthy enough to support the extra traffic, then the device allows the traffic. In this way, WMM-AC prevents voice degradation due to channel conditions and management. Aerohive uses radio resource management (802.11k) to monitor the performance of the network with respect to the RF environment, such as noise, channel load, and station statistics. Using 802.11k, Aerohive devices can collect information and make intelligent decision about client roaming and channel usage. Aerohive uses a similar technology, wireless network management (802.11v), to allow clients to share information regarding the WLAN environment, including maintaining a list of neighbors. Sharing information in this way allows wireless devices to make real-time adjustments to the WLAN to optimize network performance. Location services are more accurate under 802.11v because stations can use the frame TOA (time of arrival) to determine relative positions of one another. Fast BSS transition (802.11r) is also part of the Aerohive implementation of Voice Enterprise. Fast BSS transition introduces streamlined hand-off protocols by requiring stations to establish the QoS state and to negotiate encryption keys before the transition occurs. This way, when the transition occurs, there are no delays due to renegotiation of the keys and QoS assignment. To configure WMM-AC in an existing SSID on an AP121, AP141, AP330, and AP350, click Configuration > SSIDs > ssid_name, expand the Advanced section, configure the following, and then click Save: Enable WMM: (select) Voice: Select to enable admission control algorithms for voice traffic. Video: Select to enable admission control algorithms for video traffic. Enable Unscheduled Automatic Power Save Delivery: Select to allow stations to request queued traffic at any time, rather than receiving queued traffic scheduled with the beacon. Enable Voice Enterprise: (select) When you select this check box, HiveManager displays a reminder that enabling Voice Enterprise enables other options as well, and then prompts you to confirm the selection. When you click OK, HiveManager automatically selects WMM-AC Voice, and all of the Voice Enterprise options (802.11k/r/v).

Because HiveManager selects the 802.11k/r/v options when you enable Voice Enterprise, the 802.11k/r/v option disappear from the GUI interface. Despite being invisible, the 802.11k/r/v options are enabled. If you do not enable Voice Enterprise explicitly, you can still select 802.11k, 802.11v, and 802.11r separately. This approach has the same effects as selecting Voice Enterprise.

Subsequently clearing this check box causes HiveManager to prompt you to choose whether you want the 802.11k/r/v options to remain selected or to be cleared as a result of clearing the Enable Voice Enterprise check box. Enable 802.11k (Radio Resource Measurement of Wireless LANs): (select) Enable 802.11v (IEEE 802.11 Wireless Network Management): (select) Enable 802.11r (Fast BSS Transition): (select)

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 216 Protected Frame Management

To Enable Voice Enterprise or 802.11r, the SSID must be configured to use WPA2 key management. If the SSID is not configured to use WPA2 key management, these options are disabled (see figure below).

If you configure WMM-AC on devices other than an AP121, AP141, AP330, or AP350, HiveManager generates an error message when you attempt to upload a new configuration to the unsupported devices.

Protected Frame Management

IEEE 802.11w establishes a number of protections that stations can use to protect 802.11 management frames from certain types of exploitation, such as reply attacks and deauthentication attacks, and enhance the ability of receiving stations to verify the data integrity and the origin of the frame. To protect management frames, 802.11w-rather than encrypting the entire frame-uses a MIC (message integrity check), which is appended to the management frame (see illustration below). When the receiving station receives the frame, it checks the MIC to determine whether it is valid or missing. If the MIC is valid, then the frame is accepted; if invalid or missing, then the frame is discarded.

Management Frame MIC

In addition to preventing malicious disconnections by spoofing, 802.11w also protect a number of action frames that act to carry information regarding the state of the network, RF environment, and so on. Such frames include spectrum and radio management frames, QoS, fast BSS transition, and block ACK frames.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 217 Aerohive Router NAT and Port Forwarding

The illustration below shows how 802.11w helps to protect management frames from malicious activity.

Mgmt Frame Mgmt Frame

The rogue AP cannot generate a valid MIC, Valid Network Friendly and the friendly AP Host AP discards the management frame. Valid hosts send a valid Mgmt Frame MIC-protected management The rogue wireless client cannot frame. Mgmt Frame generate a valid MIC, so it cannot successfully spoof the valid management frames.

Valid Network Host Frame MIC Frame MIC

Valid MIC Invalid MIC

Aerohive Router NAT and Port Forwarding

If you have any branch sites in your enterprise topology where each site has the same IP address space, or you have sites with conflicting IP address schemes, and you want to be able to have inbound access through the VPN to each site, then you can use the one-to-one NAT capabilities through VPN tunnels on routers at each site. The branch routers can then map local subnetworks to different addresses that are routable through VPN tunnels across your network. With this approach, you can configure the Aerohive branch routers, which function as NAT gateways, to map their local subnetwork addresses, one-for-one, to NAT subnetwork addresses. HiveManager maps each host address on the local subnetwork side of the router uniquely to a corresponding network host address on the NAT subnetwork side of the router. Port forwarding on the WAN interface of a BR100, BR200, AP330, AP350, or SR2024 in branch router mode allows remote computers on the public network to connect to a specific host, such as an HTTP server, on the private network behind the router.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 218 Aerohive Router NAT and Port Forwarding

One-to-One NAT Subnetwork Translation Aerohive refers to the one-to-one mapping of IP addresses in a local subnetwork to corresponding addresses in a NAT subnetwork. For example, if 192.168.1.0/24 is the local subnetwork for Site 1 and 10.10.10.0/24 is the NAT subnetwork for Site 1, then the router translates the source IP address of outbound traffic from a host at address 192.168.1.10 to 10.10.10.10. Conversely, the router translates the destination IP address of inbound traffic to 10.10.10.10 to 192.168.1.10.

10.10.40.10 192.168.1.0/24 (local subnetwork) 192.168.1.0/24 (local subnetwork) translates to 10.10.10.0/24 (NAT HQ translates to 10.10.20.0/24 (NAT subnetwork) 10.10.40.0/24 subnetwork)

Site 1 BR200 Site 2 BR200 Branch Router HQ VPN Gateway Branch Router

10.10.10.10 10.10.20.10

10.10.10.0/24 10.10.20.0/24

192.168.1.10 192.168.1.10

192.168.1.0/24 192.168.1.0/24

In the same example, Site 2, which is a different branch, has a host with the same IP address of 192.168.1.10. For the device at Site 1 to connect to the host at Site 2, the router at Site 1 translates 192.168.1.10 to 10.10.10.10, and the router at Site 2 translates 192.168.1.10 to 10.10.20.0. The VPN gateway at headquarters is then able to route 10.10.10.10 and 10.10.20.10. Additionally, a device at headquarters can communicate with these two hosts as well.

Configuring NAT Subnetwork Translation You can configure NAT subnetworks for branches using overlapping or conflicting local IP addresses. You can replicate the same local subnetwork at each site. The routers and VPN gateway use the NAT subnetworks to route traffic over VPN tunnels.

Replicating the Same Subnetwork at Each Site You might use this when different branch sites were configured with the same addresses at the time before they were connected by VPN tunnels. Now you want them to communicate with each other, but you do not want to reassign new addresses.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 219 Aerohive Router NAT and Port Forwarding

To replicate the same subnetwork at each site, complete the following steps: 1. Log in to the HiveManager GUI, click Configuration, select an existing network policy for routing that you want to edit, and then click OK.

The following configuration procedure does not include steps for configuring a network policy or a VPN. See the "Unified Network Policy Configuration" section in this document and the HiveManager Help system and Aerohive Deployment Guide for instructions.

2. Click the New button in the Subnetworks section. The Configure Subnetwork page appears. 3. Enter the following, and then click the Save button at the bottom of the Customize Subnetworks section: Replicate the same subnetwork at each site: (select) Local Subnetwork: Enter the IP address and netmask of the local subnetwork at each branch site, and select either the first or last IP address as the default gateway depending on how it is configured.

If your select Create a unique local subnetwork at each site, it is unnecessary to enable NAT through the VPN tunnels because each site will already have unique IP addresses that are routable through the VPN.

Enable DHCP server: Select this option to provide DHCP services on the subnetwork and enter the following: DHCP Address Pool: Click and move the sliders from Excluded at start and Excluded at end to select the number of IP addresses in the DHCP pool. You can use IP addresses that are excluded from the larger DHCP pool for assigning static IP addresses to certain branch devices. Lease Time: DHCP servers provide IP addresses to clients only for a limited time interval called the lease time. A DHCP client must renew its IP address before the lease time interval expires or relinquish the address. The lease time range is 60-86400000 seconds, with the default lease time set at 86400 seconds or 24 hours. NTP Server IP: NTP () is a networking protocol that devices can use to synchronize the current date and time. You can enter the IP address of the NTP server to which you want hosts in this subnetwork to synchronize their system clocks. Domain Name: Enter the domain name for the hosts in this subnetwork (0-32 characters).

See the HiveManager Help system for information about Domain Name configuration.

Network Address Translation (NAT) Settings: Click this option to expand the NAT parameter settings section. Enable NAT through the VPN tunnels: When you select Replicate the same subnetwork at each side at the beginning of the Configure Subnetworks page, NAT is always enabled (and the check box cannot be cleared). Number of branches: Enter the number of branch sites. NAT IP Address Space Pool: Enter the NAT IP address space. The NAT IP address space must be large enough to be mapped to the local subnetwork at every branch site of the local subnetwork IP address space.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 220 Aerohive Router NAT and Port Forwarding

Mask: (Read-only field) HiveManager calculates the netmask required to support the number of NAT subnetwork branches you want replicated and the NAT address pool you entered.

The Export Mapping button allows you to export a one-to-one map of your local subnetwork IP addresses to their corresponding NAT subnetwork IP addresses in a .csv (comma separated value) file. You can open it with a spreadsheet application, such as a Microsoft Excel, after entering the Number of branches and a valid NAT IP Address Space Pool.

See the HiveManager Help system for instructions about selecting subnetworks based on classification rules and allocating NAT subnetworks by specific IP addresses at sites.

Port Forwarding on the Branch Router WAN Interface Aerohive branch routers can use port forwarding on their WAN interfaces to allow remote computers on the public network to connect to a specific host on the private network behind them. A router accomplishes this by mapping incoming traffic to a specific destination port on its WAN interfaces to a host on the private LAN connected to one of its LAN interfaces. To set up port forwarding, configure the IP addresses to which hosts send traffic the destination port number, the local host IP address, internal host port number, and traffic protocol. For example, Site 2 operates an HTTP server on port 8080. By default, the router denies all incoming connections to avoid exposure to potential security risks. In this example, you can configure a port forwarding rule that maps all incoming TCP connections to port 8080 on the WAN/ETH0 interface to port 80 of the host at 192.168.1.2. If a client at 1.1.1.1 initializes an HTTP connection request to 2.2.2.2:8080, which is the IP address of the WAN/ETH0 interface on the router and the destination port number in the port forwarding rule, the router translates the destination to 192.168.1.2:80. For the HTTP response, the router reverses the translation from 192.168.1.2:80 to 2.2.2.2:8080.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 221 Aerohive Router NAT and Port Forwarding

. 1.1.1.1 Router WAN/ETH0 2.2.2.2

Internet

192.168.1.2

2.2.2.2:8080 192.168.1.2:80

A remote host at address 1.1.1.1 sends an HTTP request to port 8080 on the router WAN interface at 2.2.2.2. The router translates the destination IP address:portnumber 2.2.2.2:8080 to 192.168.1.2:80 and forwards it to the HTTP server behind the router. The router translates the source IP address and port number in the reply from 192.168.1.2:80 to 2.2.2.2:8080 before routing it back to the Internet.

For each WAN interface, the current port forwarding feature allows you to map up to 16 ports to the first 50 reserved static IP addresses that you excluded from the larger DHCP address pool for access to certain branch devices. To configure port forwarding: 1. Enable port forwarding through the WAN interfaces: (select) The Aerohive router has a single public IP address on its WAN/ETH0 interface and performs NAT on all outbound traffic to the Internet. If you require access to your LAN behind the router, you can use port forwarding to route inbound traffic to the internal IP address and port number of servers on the private LAN. 2. Click the New button and enter the following parameters to map inbound traffic to an internal host, and then click the Apply button. Destination Port Number: Select and enter the destination port number of the inbound traffic. Map WAN interfaces inbound traffic to an internal host based on the destination port number. Local Host IP Address: Enter the private IP address of the internal host, such as that of an HTTP server. The IP address of the host must be among the excluded addresses at the start of the DHCP pool. If DHCP is not enabled for the subnetwork, all IP addresses are considered excluded. Internal Host Port Number: Enter the port number on which the host receives traffic. This can be the same as the destination port number or a different one. Traffic Protocol: Use the drop-down list to choose the protocol of the inbound traffic: Any, TCP, or UDP.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 222 Policy-based Routing Enhancements

Policy-based Routing Enhancements

HiveManager 6.0r2 and HiveOS 6.0r2 releases enhance policy-based routing features for Aerohive BR series routers, AP330, and AP350 access points configured as routers, and the SR2024 when configured as a router. Introduced in this release is a broader selection of source traffic types, providing greater flexibility in creating routing policies. Without routing policies applied, a router makes routing decisions using the its routing table. With policy-based routing, outgoing traffic is first filtered through a set of rules and then given special processing or dropped, depending on the set of rules you configure and apply. This enhanced policy-based routing feature allows you to route packets arriving at your Aerohive router from different sources to the same or a different destination. In addition to the source user profile, you can define Aerohive routing policy rules based on different types of source traffic: an IP address range, a specified network, an ingress interface, or any traffic source type. The router enforces the rules in the order of their position in the policy rules list. 1. To add a routing policy to an existing network policy, log in to the HiveManager GUI and click Configuration. Choose a network policy for routing, and then click OK. 2. Click Edit for Additional Settings at the bottom of the Configure Interfaces & User Access panel, expand Router Settings, and click the New icon ( + ) next to Routing Policy.

Although you have the ability to create a separate routing rule for each source traffic type, it is not necessary to do so. Each of the configurations has a catch-all rule for traffic that applies to all source traffic types and cannot be deleted. If the traffic does not match any of the rules you configure, then the router forwards the traffic through the appropriate interface according to the final rule.

3. Enter the following, and then click Save: Profile Name: Enter a name for the routing policy. This is the name that appears in the Routing Policy drop-down list in network policies. Description: Enter a brief description for future reference.

The Track IP settings are no longer applied in the routing policy as in previous releases. You now apply them in the Additional Settings > Service Settings section of a network policy.

You have the option to use a standard split tunnel template, tunnel all traffic through the VPN tunnel, or create a custom routing rule set. Regardless of which option you choose, each rule set is preconfigured with its own catch-all rule that applies to all user profiles and cannot be deleted. Split Tunnel: Select this option to forward all non-guest source traffic through the VPN tunnel, and forward any external source traffic through the selected interface. Guest traffic that is destined for internal resources is dropped. You can also select backup forwarding interface for source traffic. You can choose a primary WAN interface under Forwarding Action and a secondary, or backup, WAN interface under Backup Forwarding Action. If the primary WAN interface goes down, it fails over to the secondary interface to ensure that the traffic is not disrupted. When setting up split tunnel, use the Forwarding Action drop-down list to choose the forwarding interface to drop or forward traffic to the Internet. Choose a Backup Forwarding Action secondary interface from the drop-down list to drop or forward traffic to the Internet in the event that the primary interface goes down. Tunnel All: Select this option to route all non-guest traffic through the VPN tunnel and drop all other traffic. All of the fields in this rule are read-only; it does not allow you to change Forwarding Action or Backup Forwarding Action. There is only one routing rule for this option that applies to all non-guest traffic, and the forwarding action is Tunnel All.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 223 Policy-based Routing Enhancements

Custom: Select this option to define a set of custom rules that routes traffic from any source, IP address range, network, interface, or user profile to any destination, IP address range, network, host name, or private. Click the New icon located to the right of the Routing Polices section to create a new custom rule. A new rule configuration row appears. Define a new rule by selecting the source traffic type and destination route type from predefined sets of traffic and route types. Then assign appropriate values or value ranges to those source traffic and destination route types. Source Traffic: Choose the source of the traffic to which you want to apply a rule using the Type drop-down list: any, IP range, network, interface, or user profile. Enter appropriate values for an IP range (start and end of IP addresses to define range), network (IP address and netmask), interface (Ethernet port), or choose a previously defined user profile. Any - Use this when you want a routing policy rule to apply to traffic from any source. For example, you might want the router to send all traffic destined for public IP addresses out the primary WAN interface to the Internet. IP range - Use this when you want a rule to apply to traffic from a range of IP addresses, such as the addresses in a DHCP pool reserved for a specific group of users, such as the executive team at the site.

When selecting an IP address range, be sure to use a tilde (~) instead of a hyphen to indicate a range.

Network - Use this when you want a rule to apply to traffic from an entire subnetwork, such as a network reserved for one or more types of users, such as contractors and guests. Interface - Use this when you want to apply a rule to all traffic arriving at a specific interface. For example, for devices connected to specific switch ports. User profile - Use this when you want to apply rules to specific types of users. Destination Route: Choose the destination of the traffic to which you want to apply a rule using the Type drop-down list: any, IP range, network, hostname, or private. Enter appropriate values for IP range, network IP address and netmask, or host name. You cannot enter values for the any or private route destinations. Any - Use this when you want a routing policy rule to apply to traffic to any destination. For example, you might want the router to send all traffic out the primary WAN interface. IP range - Use this when you want a rule to apply to traffic to a range of IP addresses, such as a group of routers set in a contiguous range of static IP addresses. Network - Use this when you want a rule to apply to traffic to an entire subnetwork. Hostname - Use this when you want a rule to apply to traffic destined for a server with a specific host name. Private - Use this when you want a rule to apply to traffic destined to the corporate VPN. Forwarding Action: From the drop-down list, choose the primary route you want the traffic to take after the router applies a rule: Primary WAN - This option routes traffic through the interface designated as the primary WAN interface on the device settings page. By default, the primary WAN interface on a branch router is WAN/ETH0. On an SR2024, if one Ethernet ports is in WAN mode, and the wireless USB modem is set in WAN mode, then the Ethernet port is the primary WAN interface by default. If there are two Ethernet ports set in WAN mode on an SR2024 device, then the one with the lower port number is the primary WAN interface by default.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 224 Policy-based Routing Enhancements

Backup WAN-1 - This option routes traffic through the interface designated as the backup WAN interface on the device settings page. By default, the backup WAN interface on a branch router is the wireless USB modem. If an Ethernet port and the USB modem on an SR2024 are set in WAN mode, then the modem is again the backup WAN-1 interface. If two Ethernet ports are set in WAN mode on an SR2024, then the one with the higher port number is the backup WAN-1 interface by default. Backup WAN-2 - This option routes traffic through the interface designated as the secondary backup WAN interface when there are three interfaces in WAN mode. On an SR2024, it is possible to have three WAN interfaces if you put two Ethernet ports in WAN mode and also use a wireless USB modem. In this case, the modem would be the secondary WAN interface behind the two Ethernet ports. On a branch router, you can put one of the LAN ports (ETH1, ETH 2, ETH3, or ETH4) in WAN mode, and if there are two other WAN interfaces—ETH0/WAN and a wireless USB modem—then the LAN port would be backup WAN-1 and the USB modem would be backup WAN-2 by default. Corporate Network (VPN) - This option routes traffic through the tunnel interface on a router that connects a branch site to the corporate site through an IPsec VPN tunnel. Drop - This option drops traffic rather than forwarding it. USB - This option routes traffic through a wireless USB modem. Wifi0 or Wifi1 - This option routes traffic through the chosen Wi-Fi interface when the device is in client Wi-Fi mode. Eth0-Eth28 - This option routes traffic through the selected Ethernet interface. Your choice is dependent on the platform to which you apply this routing policy. Backup Forwarding Action: If the router cannot use the primary route because of an IP tracking failure, use the drop-down list to choose the backup route you want the traffic to take after the router applies the rule: Primary WAN, Backup WAN-1, Backup WAN-2, Corporate Network (VPN), Drop, USB, Wifi0, Wifi1, or Eth0-Eth28.

The Forwarding Action route cannot be the same route for the Backup Forwarding Action; they are mutually exclusive.

After you have configured a rule, click the Save icon located at the right side of the rule, or you can click the Cancel icon to clear your selections and start again. If you want to modify a rule you defined previously, click the Modify icon, make the changes, and then click the Save icon. To remove the rule altogether, click the Remove icon. 4. Repeat this procedure to add more rules for the newly created routing policy. You can have a maximum of 128 rules in a single policy. Because the device applies rules in the order in which they are positioned in the routing policy, you might need to reorder them. To do so, drag and drop the rules to rearrange them in the list.

Example Routing Policy The following is an example policy for routing various types of traffic from a retail site to the Internet and through a VPN tunnel to the corporate LAN. You create a policy rule to tunnel traffic from an "Execs" user profile to the private corporate network and back up it across the wireless 3G/4G network. You create another rule to tunnel traffic from an "Employees" user profile to the private corporate network but do not back it up across the 3G/4G network because of the expense. Similarly, you also create rules for the employees and executives to access the Internet through the WAN/ETH0 port but only back up Internet access for the executives.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 225 Policy-based Routing Enhancements

You create a rule for traffic generated by point-of-sale credit card purchases, directing traffic from equipment physically connected to the ETH4 port on the router through the VPN tunnel to a secure corporate server with the host name secure.corp.com. Finally, you create a rule routing guest and customer traffic from subnet 10.1.1.0/24 to the Internet out the WAN/ETH0 port on the router.

secure.corp.com Execs and Employees traffic is defined by creating Application a user profle for each type of corporate user and Server traffic routed through the corporate VPN, but only the Execs traffic is backed up using the USB Corpoate LAN modem. Credit card Purchases sent to the ETH4 router port are routed to the secure.corp.com HQ VPN 3G/4G server over the VPN tunnel and backed up using the Gateway Backup USB modem. Guest traffic on subnet 10.1.1.0/24 is sent out of the branch router WAN/ETH0 port.

WAN/ETH0 Internet Guest Traffic ETH4 Port

Retail Store BR200-WP POS Credit Card Branch Router Purchases 10.1.2.0/24 Guest/Customer Employees & 10.1.1.0/24 Execs 10.1.3.0/24

When in backup mode, all traffic that is set for backup is routed through the USB modem across the 3G/4G private network to the corporate LAN.

Users Source Destination Forwarding Action Backup Forwarding Action

Execs User profile "Execs" Private VPN USB

Employees User profile Private VPN None "Employees"

Execs User profile "Execs" Any WAN/ETH0 USB

Employees User profile Any WAN/ETH0 None "Employees"

POS Credit Card Interface ETH4 Hostname VPN USB Purchases "secure.corp.com"

Guests & customers Network 10.1.1.0/24 Any WAN/ETH0 None

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 226 Policy-based Routing Enhancements

Define Executives by creating an Exec user profile and create a policy rule to send Executive traffic to the private corporate network that is backed up by the branch router USB modem port. Define Employees by creating a separate Employee user profile and create a policy rule to send Employee traffic to the private corporate network that is not backed up. Create rules for by Employees and Execs that allows them to access the Internet through the WAN/ETH0 router port, but only back up the Execs access to the Internet. Define a rule for point-of-sale credit card purchases such that all such traffic is routed to the ETH4 router port and destined to the secure corporate server with the host name secure.corp.com. Define a rule for guest and customer traffic on subnet 10.1.1.0/24 that is routed to the Internet using the WAN/ETH0 port of the router. When in backup mode, all traffic that is set for backup is routed through the USB modem to the 3G/4G system.

secure.corp.com

Application Server

Corpoate LAN

HQ VPN 3G/4G Only Execs and POS credit Gateway Backup card purchases are backed up using the USB modem.

WAN/ETH0 Internet Guest Traffic ETH4 Port

Retail Store BR200-WP POS Credit Card Branch Router Purchases 10.1.2.0/24 Guest/Customer Employees & 10.1.1.0/24 Execs 10.1.3.0/24

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 227 Bonjour Gateway Enhancements

Bonjour Gateway Enhancements

You can configure Bonjour Gateways to filter which shared services to advertise based on VLANs and distance. You can create policy rules governing how BDDs (Bonjour Designated Devices) in specific source and destination VLANs share services with each other. You can also specify how many management subnet hops away a BDD can be from another BDD for them to advertise the services that they share. (A management subnet is the subnet in which the mgt0 interface IP address of an Aerohive device is located.) For example, if the mgt0 interfaces of two BDDs are in different subnets and they are wireless neighbors to one another-that is, they can detect each other's radio signals-they are one hop away. If two BDDs are not within radio range, they learn of one another through a single intermediary hive member, and the mgt0 interfaces of all three devices are in different subnets from one another, then the two BDDs are two hops away. If there are two intermediary hive members in two separate subnets between them, then they are three hops away, and so on. Aerohive APs, routers (except the BR100), HiveOS Virtual Appliances, and SR2024 switches in router mode can act as Bonjour Gateways. Because each management subnet requires a single active Bonjour Gateway, all the hive members in that subnet elect a BDD. The different Aerohive models have different priorities, which determine which device wins the election. The following are the default priority settings per platform:

SR2024: 50 AP320 and AP340: 15

BR200: 40 AP120, AP121, AP141, and AP170: 10

HiveOS Virtual Appliance: 25 AP110: 5

AP330 and AP350: 20

If you want to change the priority for a platform, you can do so in the Bonjour Gateway Configuration section on the Device Settings page for a single Aerohive device or for multiple devices. The range is 0-255, and values closer to 255 have higher priority. If the management subnet has only one type of platform, then the device with the lowest MAC address is elected BDD. When there are different platforms, then the above priority values become important. If chosen to be the BDD (Bonjour Designated Device) for the management subnet to which it belongs, the Aerohive device scans an admin-defined set of VLANs for Bonjour services and then shares them with other BDDs in different management subnets within the same realm. In addition, the SR2024 also advertises services that the other BDDs share with it. You can control which Bonjour services the Bonjour Gateways share with each other by creating filter rules. A filter rule controls the sharing of services by source and destination VLANs, by the number of management subnet hops away the receiving BDD is from the sending BDD, and by realm name. A realm consists of one or more hive members within radio range of one another but in different subnets/VLANs. These devices can detect each other automatically. If the hive members are not within radio range, then you can put them in the same realm by doing one of the following on the Device Settings page: Place all of the devices on the same map.

or Manually set the same Bonjour realm name in the Bonjour Gateway Configuration section.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 228 Bonjour Gateway Enhancements

To create a filter rule, edit a previously defined Bonjour Gateway Settings profile or create a new one, and then click the New ( + ) icon at the top of the Bonjour filter rules section.

Enter the following to define a Bonjour filter rule, and then click the Save icon: Service: Choose the name of a service. Type: (read-only) The service name and protocol for the resource record in the following format: _._. From VLAN Group: Choose the VLAN group from which services are advertised. If you do not see a VLAN group that you want to use, click the New ( + ) icon, and create one. To VLAN Group: Choose the VLAN group to which services are advertised. Action: Choose the action for the Bonjour Gateway filter to take on services between the specified source and destination VLAN groups: Permit the sharing of service advertisements or Deny them. Metric (0-255): Enter the maximum number of hops away from the local BDD to accept service advertisements. (An immediately neighboring BDD is one hop away, a neighbor of that neighbor is two hops away, and so on.) The range of metric values is from 0 to 100. A value of 0, the default, means that there is no maximum distance. Realm: Choose the name of an existing realm to apply this rule only to members of that realm (for information about defining a realm, see the preceding section). To apply it to members of all realms, choose [-any-] from the drop-down list. The filter rules are applied in order from the top until a match is found. Because of this, the order of the rules is important. Put more specific rules near the top so that broader rules do not occlude them. If necessary, you can reposition rules with the list by drag-and-dropping them.

AirPlay and iOS 6.1 or Later Apple devices running iOS 6.1 or later require two services for AirPlay to function: AirPlay and RAOP (Remote Audio Output Protocol). Therefore, enable Bonjour Gateway filter rules to allow both of them: *._airplay._tcp and *._raop._tcp. (Note that Apple devices running iOS 6.0 and earlier do not require RAOP to use AirPlay.)

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 229 Reporting Enhancements

Reporting Enhancements

Release 6.0r2 adds two predefined report templates to the Network Summary section. An easy-to-use workflow helps you create custom reports using the same widgets that are available on the dashboard. Network summary reports are now fully customizable and you can filter by geographical location or network policy, user profile, or SSID. You can also add a custom logo to your generated PDF reports. (For information about the widgets used in create reports, see "Predefined Dashboard Widgets" on page 233.)

Cloning and Customizing a Network Summary Report To clone and customize a network summary report, complete the following steps. 1. Click Reports > Network Summary, select the check box for Network Summary, and then click Clone. 2. Enter the following information, and then click OK: Report Name: Enter a name for your report. Report Description: Enter a brief description for your report. Report Header: Enter a header for your report. Report Footer: Enter a footer for your report. Report Summary: Enter a summary description for your report. 3. By default, the Network Summary template contains five predefined widgets. You can add more widgets, or remove these widgets and add new ones from the list of widgets in the Report Settings panel. Select the check boxes for widgets that you want to add to your summary report. The allowed maximum is 25 widgets per report. When you are done, click Continue. For information about the available widgets, see "New HiveManager Dashboard" on page 231.)

To make changes to your report before it is complete, click the Back button at any time.

4. From the Report Settings panel, select a device group, (either a location on one of the maps or a network policy), then select a data filter, (either an SSID or a user profile), and then click Continue. 5. Configure the following scheduling options for this report and then click OK: Report Frequency: Select how often you want to generate the report: Daily, Weekly, or Monthly. If you select Daily, you can schedule specific days for this report by selecting Customize Days and then selecting or clearing the check boxes for the days (the default setting is Monday through Friday). To specify a time span for the report, select Customize Time. The default is 12:00 AM to 12:00 AM. If you select Weekly, you can then choose the weekday on which you want the report to start. If you select Monthly, the report automatically starts on the first day of each month. Enter a valid email address where you would like the report to be sent.

Customizing the Logo You can customize the report for your organization, by adding a logo to the upper left corner of each page that HiveManager generates. 1. Click Reports > Report Settings. 2. In the Report PDF Logo section, click Select, navigate to the location of the image file that you want to use for your logo, select it, and then click Upload. Your selected logo then appears in the Report PDF Logo section of the GUI. The next time HiveManager generates a report, it will use this logo.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 230 New HiveManager Dashboard

New HiveManager Dashboard

HiveManager 6.0r2 introduces a new dashboard that provides a one-screen network management view into your entire deployment of Aerohive devices. Real-time monitoring helps you identify usage and trends by applications, users, clients, and wired and wireless Aerohive devices on your network. The dashboard combines the existing Network Summary view with new default and configurable perspective views into the activity on your network. Multiple network administrators can now customize up to six dashboard perspectives to meet their network management requirements. HiveManager automatically maintains these perspectives from one login to the next for each admin.

Viewing the Dashboard The following illustration identifies the dashboard components.

Edit, schedule, export, or email network data for the entire perspective using these tools... Four default perspectives

or for each view separately Multiple time coverage options using these icons.

Device groups show your network hierarchy as defined in maps

Left navigation bar. When editing perspectives, this area changes to show the predefined widgets.

This area is the main perspective panel. Data filters for Each perspective can have up to ten the active reports. You can customize the default perspective perspectives or add your own perspective (for a maximum number of six).

The following sections describes the dashboard components that are shown in the illustration. Perspective panel: The main portion of the dashboard contains the perspective views. For each of the default perspectives and for any custom perspectives that you create, data appears in this area when you select a perspective tab from the top of the page. Each perspective can contain up to 10 widgets. You can view perspective data for specific time periods, and you can filter the data that is presented in the perspective widgets.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 231 New HiveManager Dashboard

Default perspectives: The dashboard has four default perspective tabs; Applications, Network Summary, System Summary, and Troubleshooting. By default, when you first open the dashboard, the Network Summary perspective appears. You can modify any of these perspectives, or create custom perspectives by clicking the plus sign ( + ) to the right of the last perspective tab. The tabs for custom perspectives will appear to the right of the default tabs. For instructions on how to create a custom perspective, see "Creating a Dashboard Perspective" on page 234. For a more detailed description of each widget, see "Predefined Dashboard Widgets" on page 233. The default perspectives contain the following widgets: Applications default widgets • All Applications by Usage • Top 10 Watchlist Applications by Usage - Summary • Top 20 Watchlist Applications by Usage • Top 20 Users by Applications by Usage

Data does not appear in Watchlist widgets until you create an application watchlist. For instructions on how to do this, see "Creating an Application Watchlist" on page 206.

Network Summary default widgets • Unique Wi-Fi Clients over Time • Top 10 APs by Wi-Fi Client Usage • Bandwidth Usage over Time • Top 10 Wi-Fi Client OS Types by Usage • Unique Wi-Fi Clients by OS over Time • Active Client Status (Network Wide) • Current Aerohive Device Status (Network Wide) System Summary default widgets • Current HiveOS Versions • Current Network Security (Network Wide) • Aerohive Devices in Up State • Last 10 Audit Logs (Network Wide) Troubleshooting default widgets • Top 10 APs by Channel Utilization • Top 10 Aerohive Devices by Errors • Top 10 APs by Retries • Top 10 APs by Airtime Utilization • Top 10 Clients by Tx Airtime • Top 10 Clients by Rx Airtime • Client Device SLA Compliance over Time • Aerohive Device SLA Compliance over Time

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 232 New HiveManager Dashboard

Time period buttons: The four time period buttons immediately below the perspective tabs allow you to view data for the last hour, last 24 hours, last 7 days, and a custom-defined period of time. For the Application perspective, the options are Last Hour, Last 8 Hours, Last Calendar Day (that is, the last complete, 24-hour calendar day from midnight to midnight), and Custom. To the right of these buttons there is a Refresh icon, and a notification of when the view was last updated. Click Refresh at any time to refresh the data. For information on how to create a custom time period view, see "Creating a Custom Time View" on page 234. Editing and scheduling buttons: On the right side of the dashboard above the top-most widgets, there are buttons for editing the perspective, scheduling a report, exporting report data and emailing report data. For information about how to edit a perspective, see "Editing or Deleting a Dashboard Perspective" on page 234. For information about how to use the other buttons, see "Generating Perspective Reports" on page 235. Left navigation bar: The left navigation bar changes depending on whether you are viewing an existing perspective or creating or modifying a perspective. If you are viewing a perspective, the left navigation bar displays filters that you can apply to the data you are viewing. If you are creating a new perspective, the left navigation bar displays the predefined widgets. You can add or remove these widgets for your custom perspective or for the default perspectives. For more information about widgets, see "Predefined Dashboard Widgets" on page 233. For more information about how to modify an existing perspective or create custom perspectives, see "Creating a Dashboard Perspective" on page 234.

Working with Dashboard Perspectives The dashboard provides four default perspectives and supports up to six perspectives. You can view data for the last hour, last day, last week, or create a custom time frame view. You can edit, schedule, export, or email the entire perspective, or each view on the perspective separately. HiveManager retains your network context across all perspectives and for multiple network administrators. Create your own perspectives using the wide variety of predefined widgets to define a workflow through which you can troubleshoot network issues and quickly view network activity.

Predefined Dashboard Widgets HiveManager 6.0r2 introduces a large selection of predefined widgets that give you multiple ways to view and manage your network. You can filter most widgets to provide data by device groups (location and network policy) and by data (SSIDs and user profiles). You can create up to six custom perspectives using these widgets, with up to ten widgets each. Many dashboard widgets contain informative pop-ups, or links you can click for more information. Hover the cursor over a pie-chart or a section of a graph to view pop-ups, or click on an application name (such as Skype) from an Application widget for a detailed view of the Skype usage information. To leave the detailed view, simply click on the original perspective tab, or click the Dashboard tab. Widget Selection Guidelines You can choose widgets that provide the most relevant information about your network at first glance. The following examples show how you might select various widgets based on your concerns: • Widgets of particular importance for troubleshooting dropped clients are those displaying CRC errors, such as "Errors over Time" and "Top 10 Devices by Errors." • If you are concerned about load balancing clients among your devices, you might choose to add the "Top 10 Wi-Fi Clients by Usage" or "Top10 Clients by Association Failures" widgets to a perspective. • To monitor network security, you can view the "Current Network Security (Network Wide)" widget, which contains information on friendly APs, rogue APs, and rogue clients.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 233 New HiveManager Dashboard

• If you are concerned with airtime usage, you can customize the dashboard to show the "Top 10 APs by Airtime Utilization", "Inbound Usage over Time", "Top 10 APs by Channel Utilization", "Top 10 Clients by Rx Airtime" and "Top 10 Clients by Tx Airtime" widgets. • If you are concerned with the wireless health of clients, you can customize the dashboard to show the "Client Device SLA Compliance over Time", or " Aerohive Device SLA Compliance over Time" widgets. For more information about all of the dashboard widgets, see the online Help.

Creating a Dashboard Perspective To create a new dashboard perspective, perform these steps: 1. Click the plus ( + ) icon next to the Troubleshooting perspective tab. Select the check boxes for up to 10 widgets in the left navigation bar. When you select a widget, HiveManager automatically adds it to your perspective page. 2. When you are satisfied with your selections, click Save. Your complete perspective appears, displaying data for the widgets you selected.

For existing network devices, widgets will generally be populated with data a few moments after you click Save. For new devices, the Last 24 Hours view will show data within one hour, and the Last Hour view will show data within 5 minutes.

Editing or Deleting a Dashboard Perspective To edit an existing perspective, perform the following steps: 1. Click the Edit button in the upper right corner of the dashboard. The perspective view will change, and you will see the list of widgets in the left navigation bar. The widgets that are currently selected for this perspective will have a check in the check box next to their names. 2. To remove a widget from the perspective, clear the check box. 3. To add widgets to the perspective, select their check boxes. 4. When you are finished, click Save.

For this release, you cannot rearrange widgets on a perspective. To change the order in which Y widgets appear, you must first remove all of the widgets, and then add them back in the order in which you want them to appear.

5. To remove a perspective completely from the dashboard, click the x next to the perspective name. A warning pop-up allows you to confirm or cancel the removal. 6. By default, all new perspectives are named "New Perspective". To change the name, double-click on the perspective name in the tab, type a new name, and then type Enter.

Creating a Custom Time View Each perspective offers four time spans for which you can view data, including a custom time span that you can define. To create a custom time period for which to view your perspective, complete the following steps: 1. Click the Custom button at the top of the perspective panel (to the right of the Last 7 Days button). 2. In the dialog box, make the following selections and then click OK. Start time: Select a day on which you want the perspective data to start. You can click the calender icon and select a month and day. Then select a start time from the drop-down list.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 234 New HiveManager Dashboard

End Time: Select a day on which you want the perspective data to end. Then select an end time from the drop-down list.

Perspective data is created and retained for the last 24 hours, for one week (7 days), for one month (30 days) and for one year (12 months). When you are configuring a custom time display, if you enter a start date and a report length that do not fall within one of these time periods, an error message appears directing you to change your start date, end date, or report length (or all) to accommodate the time frame for the retained data.

Generating Perspective Reports You can edit, schedule, export, and email reports from your dashboard perspectives. Use the buttons at the top of the perspective window to perform these tasks for the entire perspective, or the icons in top right of many of the individual widget views.

Some widget views do not give you the option to edit or schedule, but instead offer a zoom option that takes you to a more detailed view of the data.

The Edit, Export, and Email functions are self-explanatory. To configure report scheduling, click Schedule a Report, complete the following information, and then click Save: Name: Name your report. The name can contain up to 32 characters, including spaces. Report Description: Enter a helpful description for this report. The description can contain up to 64 characters, including spaces. Report Header: To add a header to your report, enter up to 128 characters, including spaces. Report Footer: To add a footer to your report, enter up to 128 characters, including spaces. Report Summary: Add a brief summary or this report, containing up to 1024 characters, including spaces. Report Frequency: Select one of the following schedule frequency options: Daily: For this option, you can either generate the report every day (the default), or you can customize the days for which this report should be generated (just on business days, for example). You can also customize the timespan that you want this report to cover. Select the Customize Days check box, and enter a check mark for each day for which you want to generate a report. Select the Customize Time check box, and enter a timespan that the report should cover. The default is 24 hours, from 12:00 AM to the following 12:00 AM. Weekly: When you select this option, you can also select the day of the week on which you want the report to be generated. The default is Sunday, and the report covers seven days. Monthly: Monthly reports are generated on the first day of every month and cover the entire month. Email Delivery Address: Enter a valid email address where you want the reports to be sent. For example, you can send reports to yourself, your supervisor, or other network administrators. When you click Save, a message gives you the option to view your report immediately or at a later time.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 235 Mobile Device Integration with AirWatch

Mobile Device Integration with AirWatch

In 6.0r2, Aerohive can integrate mobile device management with AirWatch. AirWatch provides enrollment services for iOS, Mac OS, Symbian OS, BlackBerry, and Android devices allowing a simple way to manage mobile devices in your network. When a wireless client connects to an Aerohive AP, the AP queries the enrollment status of the client before allowing it to connect to the network. If the client is already enrolled, the AP allows the device on the network. If the client is not yet enrolled, then the AP redirects it to the AirWatch enrollment portal. Upon successful enrollment, AirWatch might configure the client and the Aerohive AP allows it to access the network. To enable AirWatch or the Casper Suite MDM enrollment: 1. Log in to HiveManager, click Configuration, highlight a network policy for routing, and then click OK. 2. In the Configure Interfaces & User Access panel, click the name of an SSID for which you want to enable mobile device management with AirWatch. HiveManager displays the Edit SSID panel. 3. Expand the Advanced section, select Enable MDM Enrollment, and then click the New icon ( + ). The New MDM Configuration dialog box appears. 4. Enter the following, and then click Save: Name: Enter a name (1-32 characters) for the MDM configuration. This is the name that will appear in the drop-down list in the network policy. Description: Enter a description about the configuration for future reference. MDM Type: AirWatch OS Object: Chose the client operating system for the type of clients that you want Aerohive to enforce enrollment with AirWatch: Apple-iOS (iPod/iPhone/iPad) and Mac OS-Symbian, BlackBerry, and Android. Root URL: Enter the root URL path. To obtain the root URL path, log in to the AirWatch system. Click the Menu tab and then click System Settings in the Configuration section. The System/Advanced settings window appears. Click System > Advanced > Site URLs. The site URLs are listed. Copy the URL in the Enrollment URL field on the AirWatch site and paste it into the Root URL field in HiveManager. API URL: Enter the API URL for the AirWatch system. For the API URL, copy the REST API URL from the System > Advanced > Site URLs page on the AirWatch site. Paste it in the API URL field in HiveManager. API KEY: Enter the API KEY (1-32 characters). To obtain the API key, navigate to the System > Advanced > API > REST API page. Copy the displayed API Key and paste it into the API Key field in HiveManager. User Name: Enter the user name that an Aerohive device must submit when logging in to the MDM server to check the enrollment status of a client. Password: Enter the password that an Aerohive device must supply during the MDM server login process and then enter it again in the Confirm Password field.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 236 MAC-based Authentication on Router Ethernet Ports

MAC-based Authentication on Router Ethernet Ports

HiveManager 6.0r2 and HiveOS 6.0r2 releases support wired port authentication based on client MAC addresses for the Aerohive BR200 series routers, BR100 router, Aerohive AP330 and AP350 access points when configured to function as routers, and Aerohive SR2024 Switches for wired ports using MAC-based authentication.

MAC-based Authentication on Wired Ports Port access control authentication is now available on Aerohive routers and switches for wired ports using Layer 2 MAC-based authentication. You can choose either MAC-based authentication or IEEE 802.1X (RADIUS) authentication for primary and secondary access authentication. MAC-based authentication provides a certain level of security for older devices that do not support 802.1X authentication by preventing unauthorized users from accessing the private network. A RADIUS server can use a MAC-based port authentication method to authenticate clients using their MAC addresses for user names and passwords. Before configuring MAC-based authentication, you must set up user accounts in the RADIUS server by providing MAC addresses for user names and passwords. If you choose MAC-based authentication as your primary means of authentication, you apply one of the three MAC-based authentication protocols. If you choose 802.1X for primary access authentication, then authentication uses RADIUS for authentication.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 237 MAC-based Authentication on Router Ethernet Ports

To configure wired ports on Aerohive routers and switches to use MAC-based authentication, complete the following steps: 1. Log in to the HiveManager GUI, click Configuration, highlight an existing network policy, and then click OK. The Configure Interfaces & User Access panel appears for the selected network policy. 2. In the Port Type section, click the name of an access port type, edit the following, and then click Save: The Edit Port Types panel appears with Access selected and the Access Security section displayed. Description: Enter a description (0-62 characters) for the access-port type. Primary authentication using: (select) Choose 802.1X or MAC from the Primary authentication method drop-down list. If you choose Primary authentication using 802.1X, the Secondary authentication using MAC check box and its associated MAC authentication protocol drop-down list appears. If you want secondary authentication using MAC, click Secondary authentication using MAC check box and select the authentication protocol method from the drop-down list. If you choose Primary authentication using MAC, its associated MAC authentication protocol drop-down list and Secondary authentication using 802.1X check box appears. Select the MAC authentication protocol method from the drop-down list. If you want secondary authentication using 802.1X, click the Secondary authentication using 802.1X check box. Choose the authentication protocol method you want to use for MAC-based authentication from the protocol drop-down list: PAP, CHAP, or MS CHAP V2. This authentication protocol sends encrypted information from the client to the Aerohive AP, which in turn verifies the MAC user name and password with the RADIUS server.

If you choose MAC authentication as the primary authentication method, the secondary or backup authentication method is automatically configured as 802.1X. If you choose 802.1X authentication as the primary authentication method, the secondary or backup authentication method is automatically configured as MAC.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 238 Captive Web Portal Localization

Captive Web Portal Localization

In HiveManager, you can change the default language that a captive web portal uses to interact with users wanting Internet access. By changing the default language, you can deploy your Aerohive network in more locations worldwide.

Captive web portals are designed to provide a simple way for users to access the Internet in public areas in a way that provides protection both for the user and for the network owner. In scenarios where the users speak languages other than English, having a number of options from which to choose benefits users and network owners alike. When a user attempts to access the Internet, the browser sends a list of supported languages. The Aerohive device parses the list and checks the list of languages supported by the captive web portal. If there are one or more matching entries, then the captive web portal displays the login page in the shared language of the highest priority. If no matches are found, then the default language is displayed on the captive web portal. You can preview the captive web portal pages in any of the supported languages before you decide whether to use them in production. To preview the captive web portal pages in various languages, do the following: 1. Click Configuration > Advanced Configuration > Authentication > Captive Web Portals, and then open or create a new captive web portal. 2. To preview the login page, expand the Captive Web Portal Login Page Settings section, click Customize Login Page > Preview, and then choose a language from the Preview Language drop-down list.

The preview language changes immediate after you choose the language.

To return to the captive web portal configuration page, click Return > Cancel.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 239 Captive Web Portal Localization

3. To preview the success page, expand the Captive Web Portal Success Page Settings section, click Customize Success Page > Preview, and then choose a language from the Preview Language drop-down list.

The preview language changes immediate after you choose the language.

To return to the captive web portal configuration page, click Return > Cancel. To configure a captive web portal to use a language other than the default English, do the following: 1. Click Configuration > Advanced Configuration > Authentication > Captive Web Portals, and then open or create a new captive web portal. 2. Expand the Captive Web Portal Language Support section, select the languages that you want to be available to the captive web portal, choose a default language from the Default Language drop-down list, and then click Save.

When you select the default language from the drop-down list, the list is populated only by the languages that you selected to be available to the captive web portal. For example, if you select English, German, French, and Simplified Chinese, then only those four languages will appear as options in the Default Language drop-down list.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 240 TeacherView MAC Authentication

TeacherView MAC Authentication

You can now authenticate TeacherView students using MAC authentication, which uses the MAC address of the client device for identification. You can use MAC authentication in combination with 802.1X authentication. When a student signs in to a class, the student name and password are verified, and then the MAC address of the device is verified to ensure that it is an allowed client device. If the authentication fails, then the student is not allowed to join the class or to gain access to the network. To configure MAC authentication, you can create a local user group that contains the students’ information, and then create the students as local users. You can also authenticate students by configuring an external data store, such as a RADIUS or LDAP server, to use MAC authentication. This example assumes that you have an existing StudentManager installation that is configured with the information required to operate in a working school environment, and that you have configured StudentManager and HiveManager to work together. To set up StudentManager teacher, classes, and schedules, see the StudentManager Configuration Guide. This example concentrates on the configuration of HiveManager, and only treats the importation or entry of MAC addresses into StudentManager. The following steps are needed to configure HiveManager to use MAC address authentication in conjunction with StudentManager. 1. Configuring StudentManager to Use MAC Authentication 2. Importing or entering the MAC addresses into Student Manager 3. Creating local users and group in HiveManager 4. Creating the Aerohive RADIUS server 5. Configuring a network policy 6. Configuring user profiles

Configuring StudentManager

In StudentManager, you must prepare the class objects to use MAC authentication, and then import (or enter manually) the MAC addresses.

Configuring StudentManager to Use MAC Authentication For StudentManager and HiveManager to work together to authenticate students by the MAC address of their devices, you must configure both StudentManager and HiveManager to use MAC authentication. To configure StudentManager to use MAC authentication, log in to StudentManager, click TeacherView > Guided TeacherView > Classes, click the name of the class on which you want to enable MAC authentication, select MAC Auth, and then click Save.

Importing or Entering MAC Addresses into StudentManager Although you have the ability to enter MAC addresses manually for existing students, you can also import students and their MAC addresses together using a comma separated value (CSV) file. This example assumes that you are importing students and MAC addresses in this way. The format of the .csv file is such that blank lines or lines that begin with "#", "*", or "//", which are used for commenting the file, are ignored. Lines that contain information to be imported consist of the following six fields separated by commas: student ID, student name, grade level, school ID, description, and MAC address. Below are lines from an example .csv file: # List of student for MAC authentication # Prepared by John Smith, March 1, 2013

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 241 TeacherView MAC Authentication

wmozart, Wolfgang Mozart, 9, ps.2000, ,001122334455 aeinstein, Albert Einstein, 12, ps.2000, ,001122334466 sdali, Salvador Dali, 10, ps.2000, ,001122334477

Some fields are not required. For example, the description field in each of the lines here is empty.

To import a .csv file into StudentManager, click TeacherView > Students > Import, click the Choose File button, navigate to the .csv file that contains the information, and then click Import.

Configuring HiveManager After you have configured StudentManager, you must configure the SSID and user profiles to use MAC authentication. This example uses an SSID configured to authenticate MAC addresses using a local RADIUS service, creating the users and groups first, followed by an IP object to reference the RADIUS server, and then the network policy, SSID, RADIUS service, and user profiles.

Creating Local Users and Groups Local users are in part identified by the groups of which they are a part. Because users cannot exist in isolation, you must configure a local user group into which to you place the local users. For MAC authentication, the local user group is dedicated to containing users that you intend to authenticate using MAC authentication. The group that you create here is referenced by the Aerohive RADIUS server that you create in later steps. To create a local user group, do the following: Click Configuration > Advanced Configuration > Authentication > Local User Groups > New, enter the following information leaving the default values for the remaining fields, and then click Save: User Group Name: grp-mac-auth-students Description: Enter a brief description. User Type: RADIUS users User Profile Attribute: 1

The attribute number that you enter here is the same as the attribute number that you intend to use when you configure the user profile.

VLAN ID: 1 After you create the group, you must populate it with users (that is, with students). To import students using a .csv file, do the following: Click Configuration > Advanced Configuration > Authentication > Local Users > Import, click the Choose File button, navigate to and choose the .csv file that you have created for this purpose, and then click Import.

The format and order of the fields in this .csv file are different. Whereas the fields in the StudentManager .csv file were as follows: student_id, student_name, grade_level, school_id, description, mac_address The fields of the HiveManager .csv file are slightly different: user_name, user_type, user_group, password, description, vhm_name When you create the .csv files, student_name in StudentManager is analogous to user_name in HiveManager.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 242 TeacherView MAC Authentication

Configuring a Network Profile and SSID To create a network profile by clicking Configure > New, entering a name for the profile, selecting at minimum Wireless Access, and then clicking Create.

You can also use an existing network profile if you want to adapt a current policy to include MAC authentication for your StudentManager implementation. Likewise, you can modify existing SSIDs for the same purpose. This example, however, assumes no prior configuration.

To create a new SSID using MAC authentication with StudentManager, click Choose > New, enter the following information, and then click Save: Profile Name: student-access SSID: Student Access

When the focus leaves the Profile Name field, the SSID field automatically populates with the content of the Profile Name field; however, you can change the SSID name to be different. For example, whereas the profile name cannot contain spaces ("student-access"), the SSID name can, and you can change the SSID to reflect that ("Student Access").

SSID Access Security: WPA/WPA2 802.1X (Enterprise) Enable MAC authentication: (select) Authentication Protocol: MS CHAP v2 When you click Save, you are returned to the Choose SSIDs dialog box. By default, the SSID you just created is highlighted. Verify that your newly created SSID is highlighted (you might have to scroll down to verify this), and then click OK. After you create the SSID using WPA/WPA2 802.1X, HiveManager prompts you to create a RADIUS client by clicking the link in the Authentication column. Click > New, enter the following information, and then click Save: RADIUS Name: student-access-radius-client Add a New RADIUS Server IP Address/Domain Name: click New ( + ), enter the following information, and then click Save: IP Address: (select) Object Name: aerohive-radius IP Entry: 10.10.10.50

This is the IP address of the device that is configured to be the RADIUS server. The RADIUS service will be created in a later step.

Server Type: Auth/Acct Shared Secret: s3cr3t Confirm Secret: s3cr3t Server Role: Primary Click Apply to save the configure of the current RADIUS instance.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 243 TeacherView MAC Authentication

Configuring User Profiles The user profile not only contains the various QoS and firewall configurations that you can apply to your users, it also contains the attribute number that binds it to the user group created in a previous step. By making the user group attribute number and the user profile attribute number the same, you are telling the devices to apply this user profile to any members of that user group automatically when they connect. To create a user profile, click Add/Remove in the User Profile column to display the Choose User Profiles dialog box, click New, enter the following information, and then click Save: Name: up-mac-auth-students

Because of possible naming confusion between the user group created previously and the user profile, an identifying prefix is added to distinguish their names. Distinguishing prefix are not necessary, nor do you have to name them similarly. You can use your own naming conventions in the configuration.

Attribute Number: 1 Default VLAN: 1 Click the Default tab, highlight your newly created user profile, and then click Save.

Creating the Aerohive RADIUS Server Creating the actual RADIUS service to run on an Aerohive device involves configuring the RADIUS service on the device itself through the device configuration. You can configure a RADIUS server on any Aerohive AP or router. To configure on an AP330, click Configuration > Devices > Aerohive APs > device_name, enter the following information, and then click Save: Network Policy: Choose your new network policy from the drop-down list. MGT0 Interface Settings Static IP: (select) Static IP Address: 10.10.10.50 Netmask: 255.255.255.0 Default Gateway: 10.10.10.1 Service Settings Device RADIUS Service: Click New ( + ), enter the following information, and then click Save: Name: radius-svr-students Description: Enter a brief description. Database Settings Local Database: (select) Highlight the grp-mac-auth-students group in the Available Local User Group list, and click > to move it into the Selected Local User Groups list. When you return to the device configuration page, the name of the RADIUS service appears in the Device RADIUS Service drop-down list.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 244 StudentManager Database Integration

The illustration below shows how the elements are configured and how they are related and bound.

StudentManager HiveManager

Enable MAC Import student Create Network authentication Policy Create SSID

Create local Attribute Import student Student/User user group. Number MAC addresses. Create user Name Import local profile user MAC Configuring StudentManager addresses and HiveManager to use MAC authentication involves Create RADIUS server several steps. Elements are IP bound by values such as the Create IP object Address student (user) name, attribute for RADIUS server number, and IP address.

StudentManager Database Integration

StudentManager now allows administrators to integrate StudentManager with student information systems (SIS) beyond PowerSchool. This is possible because StudentManager exposes the internal database objects by means of a RESTful API (an application programming interface that uses the REST, or Representational State Transfer, protocol). The REST protocol, in conjunction with a RESTful API allows you to query database objects using HTTP URLs that contain the text of the query. The following table describes how HTTP statements map to possible database query statements.

Database Keyword HTTP Method

SELECT GET

CREATE POST

UPDATE PUT

DELETE DELETE

The illustration below shows how StudentManager, the RESTful API, and the student information system interact to synchronize the database information.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 245 StudentManager Database Integration

Student Information StudentManager System

RESTful Adapter API Database Database

The adapter represents the code The RESTful API provides a standard that the Administrators provides to interface for interacting with the translate the information from the StudentManager database objects. SIS to be used by the RESTful API.

Example: Requesting a list of schools When the SIS queries for a list of all schools in the StudentManager database, it sends its query to the adapter, which translates the request to be compatible with the RESTful API. The output of the adapter is an HTTP URL: https:///rest/v1/school

The RESTful API relays the query to the StudentManager database and receives the response. The RESTful API then formats the response as XML: Get Schools Success Success School-01 Public School 1 School-02 Public School 2 ...

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 246 Unified Network Policy Configuration

The RESTful API forwards the XML formatted response to the adapter, which translates it into a format that the SIS can use, and then forwards it to the SIS.

To download the API files, log in to the Aerohive Support Portal and navigate to the StudentManager section of Downloads area. The files are posted there.

Unified Network Policy Configuration

The traditional approach to deploying wireless access points is to add a wireless network over an existing wired network and then to manage them with two separate network policies. Aerohive allows you to manage routers, switches, and APs together within a single policy. If you prefer, you can still use multiple network policies—one for routers and switches and one for APs—but by using one policy for everything, you can have unified management of all your APs, switches, and routers. The configuration and application of a network policy involves the following steps: 1 - Creating a network policy and choosing your deployment requirements 2 - Defining SSIDs for APs and routers with AP capabilities together with the corresponding authentication, user profile, and VLAN parameters 3 - Defining device templates and port types for switches and routers 4 - Applying authentication mechanisms, user profiles, and VLANs to port types 5 - Mapping VLANs to networks for router interfaces 6 - Configuring additional settings for management, Bonjour Gateways, and various network services 7 - Modifying device-specific settings 8 - Uploading the configuration to your Aerohive routers, switches, and APs The following sections explain these steps, with emphasis on those areas that are new in this release, particularly on configuration elements for the SR2024.

1 - Creating a Network Policy When you create a network policy, you first must define the type of Aerohive deployment for which you intend to use it. You can create a policy for one or more of the following types of functionality in any combination: Wireless access (All Aerohive APs and the BR100 and BR200-WP routers) Switching (SR2024 configured as a switch) Branch routing (All Aerohive routers and the AP330, AP350, or SR2024 configured as a router) Bonjour Gateway (AP121, AP141, AP330, AP350, BR200, BR200-WP, and SR2024 as a router)

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 247 Unified Network Policy Configuration

To create a network policy: 1. Click Configuration > New, enter a name for the policy, a descriptive note for future reference, select your Aerohive device deployment requirements, and then click Create.

2. In the Choose Network Policy panel, highlight the policy that you created, and then click OK.

2 - Defining SSIDs The creation of SSIDs in 6.0 remains the same as in the 5.0 and 5.1 releases; however, the assignment of VLANs to user profiles has been expanded to increase flexibility in two ways: • VLAN-to-user profile assignments are no longer locked together. Instead, you assign each user profile with a default VLAN, which you can override if you choose. • User profiles now only reference VLANs instead of VLANs or networks. You can map VLANs to IP subnetworks for use by Aerohive routers in a separate section in the network policy. (This is covered later in the “Mapping VLANs to Subnetworks” section.) After creating an SSID and configuring any corresponding authentication parameters, you assign one or more user profiles to the SSID as before. In each user profile, you assign a default VLAN. Each time you use this user profile, that VLAN is the one that Aerohive devices automatically assign to traffic for users to which they apply the profile. If you want the network policy to assign a different VLAN to that user profile from the default, you can modify it as follows: 1. Click Assign VLAN in the VLAN column for the VLAN-to-user profile assignment you want to change, and then click the default VLAN ID in the Assign VLAN to User Profiles dialog box that appears. A second dialog box appears within the first one.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 248 Unified Network Policy Configuration

2. Choose an existing VLAN, or create a new VLAN object by clicking Create new VLAN and then entering the VLAN ID, or by clicking the New icon ( + ) and defining a new VLAN object. 3. Click Done to close the secondary dialog box, and then click Save to close the primary dialog box.

Changing the VLAN-to-user profile assignment for one instance in a network policy also changes it for all other instances within that policy. For example, if a network policy references a user profile repeatedly in various places and you reassign the VLAN for it in one place, HiveManager automatically reassigns it in all other places where the same user profile-to-VLAN assignment occurs as well. However, this change does not affect the user profile-to-VLAN assignment in any other network policy.

3 - Defining Device Templates and Port Types The configuration of switches and routers involves two main components: device templates and port types. A device template provides a diagram of the physical ports for a specific Aerohive model and allows you to specify its functionality as a router, switch, or (for the BR100) AP. After you create a device template, you can then assign its ports to various port types. A port type defines how the ports assigned to it will function. Basically, a device template allows you to configure the default port settings for a type of Aerohive device and its function. For example, you can create a default device template for SR2024 devices configured as switches and a different default device template for SR2024 devices configured as routers. (Device functionality is set through the Device Function drop-down list on the device settings page.) If you require two different sets of port configurations for the same device type and function, you can create a different network policy with a different device template or use device classification tags to have different templates for the same device model and function in the same network policy.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 249 Unified Network Policy Configuration

Device Templates There are three main types of device templates for Aerohive platforms: • 24-port templates for the SR2024 as a switch or router • 5-port templates for the BR100 as a router or AP, and the BR200 and BR200-WP as routers • 2-port templates for the AP330 and AP350 as routers

Device 24-port template 5-port 2-port Templates template template

First, choose the appropriate device template for the Aerohive model that you are deploying and then choose its function as a switch, router, or AP.

The BR100 is the only platform that uses a device template when configured as an AP. The port settings for Aerohive AP models functioning as access points are still configured on the device settings page (Configuration > Devices > Aerohive APs > ap_name > Modify).

1. To create a pair of new device templates for the SR2024 switch and the BR200-WP router, click Choose for Device Templates, click New in the dialog box that appears, and then enter the following: For an SR2024 as a switch, click New again, and enter the following: Name: Type a name for this template, such as SR2024-Template. Description: Enter a useful description for later reference. Click Device Models, choose SR2024 from the drop-down list, and then click OK. Choose Switch from the second drop-down list, and then click Save.

To configure a SR2024 as a router, choose Router instead of Switch from the drop-down list.

For a BR200-WP as a router: Name: Type a name for this template, such as BR200-WP-Template. Description: Enter a useful description for later reference. Click Device Models, choose BR200-WP from the drop-down list, and then click OK. Choose Router from the second drop-down list, the only choice for this type of device, and then click Save. 2. When both templates are complete, highlight them, and then click OK to add them to the network policy.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 250 Unified Network Policy Configuration

Multiple Device Templates through Device Classification One of the benefits of Aerohive is that it allows you to standardize your configuration by applying one network policy to all Aerohive devices—APs, switches, and routers. If all your Aerohive devices of the same model and function have the same port settings, you can design a single device template in the same network policy for all of them. If the devices have different port settings, you can use device classification to distinguish one template from another. To do this, create one device template that applies to most of the devices with the same model, function, and port assignments. Then create another device template for the same model and function but with different port assignments. If you assign a device classification tag to it, apply the same classification tag to each physical device to which you want to apply the template. You can also distinguish device templates for specific physical devices by host name and topology node.

HiveManager applies the untagged device template to all untagged devices.

Device 24-port template-1 Template . . . . . Port Phone Access 802.1Q Mirror . Types & Data

HiveManager applies the tagged device template only to devices with a matching tag.

Device 24-port template-2 Template Tag=conf-ctr Tag=conf-ctr

Port Phone Access Mirror Types & Data 802.1Q Tag=conf-ctr

To use device classification tags to reference a second device template for the same device model and function in a network policy (for example, an SR2024 as a switch): 1. Configure two device templates for the SR2024 as a switch, and choose one as the default in a network policy. 2. To the right of "SR2024 as Switch" in the Device Templates section of the network policy, click Add/Remove. 3. In the Add Device Templates via Classification dialog box appears, click New, enter the following, and then click Apply: Template: From the drop-down list, choose the name of the previously defined device template. Type: You have three choices: Device Tags, Device Name, Topology Node. If you choose Device Tags, enter a value for Tag1, such as "conf-ctr" in the Value column and set "conf-ctr" for Tag1 on the devices that you want to configure with this device template. Use this

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 251 Unified Network Policy Configuration

option to apply the device template to all the SR20s4 switches to which you have previously set Tag1 as "conf-ctr". If you choose Device Name, choose the host name of a managed SR2024 switch from the drop-down list or, if the device is not yet under HiveManager management, type in its host name. Use this option to apply the device template to a single managed SR2024 device. If you choose Topology Node, choose a topology node from the drop-down list. Use this option to apply the device template to all the managed SR2024 switches on the chosen topology node. 4. If you have other device templates for an SR2024 switch (that is, for the same device model and function), click New and repeat the previous step. HiveManager assigns a device template definition to a device if it matches the classification method being used. Because it is possible for different classification methods to overlap, HiveManager applies the definitions in the following system-defined order of priority: 1. A definition with three device tags matching the same three tags on a device. 2. A definition with two device tags matching the same two tags on a device. 3. A definition with one device tag matching a tag on a device. 4. A definition with a device name that matches that of a device. 5. A definition with the name of a topology node where a device is located. 6. A global definition (that is, there is no special device classification). If you want to change the order in which HiveManager applies the various classification methods, click-drag a definition to a different position in the list. For example, if you want HiveManager to apply a definition with a topology node classification before it applies one with a device tag, position the topology node definition above all the device tag definitions. (To return to the system-defined order, click Reset Order.) 5. When you are done, click OK.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 252 Unified Network Policy Configuration

Port Types There are five port types, each defining how the ports assigned to it will function. For a 24-port device template, you can use all five port types shown below. For 5- and 2-port templates, you can use the Access, 802.1Q, and WAN port types.

The port types that you define for a 5-port and 2-port device template do not appear when you define a 24-port device template and vice versa.

Port Types

Phone & Data Assign to ports connected to IP phones and, through the phones, to computers

Access Assign to ports connected to individual hosts like printers or servers

802.1Q Assign to ports connected to network forwarding devices like switches and APs that must support multiple VLANs

Mirror Assign to one or more ports to which you want to copy network traffic from one or more other ports for diagnostic purposes

WAN Assign to ports that connect to an external DSL Modem network such as the Internet

Port Types for a 24-Port Device Template New installations of HiveManager 6.0r2 provide four predefined port types for use with 24-port device templates for SR2024 devices functioning as switches and five predefined port types for SR2024 devices functioning as routers (the additional port type for routers is for WAN connections). You can identify the predefined port types by the "QS-PortType-" text string with which their names begin. (The "QS" stands for "QuickStart", the intention of these predefined objects being to help you start using this feature quickly.) You can use these port types with their predefined settings, edit them, or clone them and use their settings as the basis for your own creations. You can also create new port types from scratch. To create a new port type for a 24-port device template and assign ports to it: 1. Expand the section for a 24-port device template, select one or more ports in the template, and then click Configure. 2. In the Choose Port Type dialog box that appears, click New. 3. In the New Port Types panel, enter the following and then click Save: Name: Type a name for the port type. Description: Type a useful description of the port type for future reference.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 253 Unified Network Policy Configuration

Port Type: Select one of the following port types, and configure its specific parameters. Phone & Data: Select this port type for ports connected to IP phones and optionally to computers cabled to the phones. Authentication: This section defines how the IP phones and computers behind them authenticate themselves. There are two check boxes: Primary authentication using 802.1X Secondary authentication using MAC, via { PAP | CHAP | MS CHAP V2 } protocol or Primary authentication using MAC, via { PAP | CHAP | MS CHAP V2 } protocol Secondary authentication using 802.1X If you do not require the devices to authenticate at all, leave both check boxes cleared (default). If you want to use 802.1X authentication only, choose 802.1X for primary authentication and leave the check box for secondary authentication cleared. If the client does not support 802.1X, the initial EAP Identity-Request message from the switch will not elicit a response. The switch will retry several times, progressively lengthening the interval it waits for a response from each Identity-Request: 3 seconds, 6 seconds, 12 seconds, and then 20 seconds. It then enters a 15-second quiet time before repeating process. If you require MAC authentication only, choose MAC for primary authentication and leave the check box for secondary authentication cleared. Note that when you enable MAC authentication, you must also choose the method for authentication protocol for communications between Aerohive RADIUS authenticators and the RADIUS authentication server authenticating clients by their MAC addresses. For an Aerohive RADIUS authentication server, use the default protocol: PAP (Password Authentication Protocol). For an external RADIUS authentication server, choose the protocol that it supports: PAP, CHAP (Challenge Handshake Authentication Protocol), or MS CHAP V2 (Microsoft CHAP version 2). For information about these options, see the HiveManager Help. If the switch does not receive a response from the RADIUS server for the first Access-Request message it sends it, the switch continues to send more messages every 9 seconds. Finally, if you want the IP phones and computers to authenticate themselves with either authentication method, choose the primary method, select its check box, and then choose the secondary method. If you put 802.1X first and the device (phone or computer) supports 802.1X, the switch only attempts to authenticate the device with 802.1X; it does not fail over to try MAC authentication. However, if the device does not support 802.1X, the switch first attempts 802.1X several times before failing over to MAC authentication. If you put MAC authentication first, the switch attempts MAC authentication and, if unsuccessful, it fails over to try 802.1X authentication several times. If it does not receive a response from the RADIUS server, the switch then enters a 15-second quiet time before starting over again and repeating the process. QoS Settings: This section defines the type of QoS (Quality of Service) that the Aerohive device provides to traffic to and from IP phones and computers. QoS Classification Trusted Traffic Sources: Select this option when you trust the source of the QoS classification markings in the Layer 3 packet header or Layer 2 frame header in incoming packets, and then select the type of priority classification system you want the device to check—DSCP or 802.1p. When the Aerohive device receives packets with the specified priority marker, it maps it to the Aerohive class defined on the Configuration > Advanced Configuration > QoS Policies > Classifier Maps > New page and referenced in the

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 254 Unified Network Policy Configuration

network policy in the Additional Settings > QoS Settings section. If a packet arrives without any classification marker, which can happen if a frame does not have a VLAN tag with an 802.1p marker (DSCP is always set), then the device can either map it to a default Aerohive class (2 – Best Effort 1) or you can specify another class to which you want the device to map it. To do the former, clear the Assign the following Aerohive class to all unmarked incoming traffic check box. To do the latter, select the check box, and then choose the Aerohive class to assign to all unmarked incoming traffic. Untrusted Traffic Sources: Select this option when you do not trust the source of the QoS classification markings on incoming traffic and do not want to map them to Aerohive classes. Instead choose an Aerohive class from the drop-down list to apply to all incoming traffic on the ports to which you apply this port type.

For Phone & Data port types, Aerohive recommends using trusted settings so that the phone can use higher queue settings for voice traffic (6 for example) than the computer uses for data traffic (for example, 2).

QoS Marking Map Aerohive classes to the following type of priority markers in all outgoing traffic: Select the check box to map Aerohive classes to a priority marking system in use by other devices in the network, and then select the system to which you want to map the classes: DSCP or 802.1p. If you do not want to mark outgoing traffic, clear the check box. Optional Settings: Select Report clients learned on the interfaces to display clients connecting to the interface in the Monitor > Clients > Active Clients and Monitor > Clients > Wired Clients pages. If wireless clients are connected to APs that are cabled to the ports, those clients might be reported twice: first as wireless clients by the APs and then again as wired clients by the switch after the APs forward traffic from these clients to the switch. To avoid this duplication clear the check box. By default, it is cleared for 802.1Q port types and selected for Access and Phone & Data port types. Mirror: (Aerohive SR series only) Select this port type to assign the ports you selected in the device template as the destination to which you want to mirror data from one or more other ports for diagnostic purposes. After you save a mirror port type and apply it to the device template, another dialog box appears called Additional Mirror Profile Settings for "". In this dialog box, you can choose the source ports from which you want to mirror traffic and the direction (ingress, egress, or both) and VLANs of the traffic to be mirrored. (To modify the port mirroring settings, do not select any ports in the device template, and click Additional Port Settings.) To view the mirrored data, connect an Ethernet cable from your management system to the mirror port and run a packet analyzer tool like Wireshark. (For more information, see "Port Mirroring" on page 278.) Access: Select this port type for ports connected to individual hosts such as printers, servers, and end users' computers. The authentication and QoS settings here are the same as those for the Phone & Data port type with two additional options: When you enable authentication, you can control whether one or multiple hosts can connect through the port concurrently (up to 32); and for devices functioning as routers, you can enable a captive web portal. When you select Allow multiple hosts (same VLAN), you must make sure that the user profile for all the connecting hosts assigns their traffic to the same VLAN. Note that you cannot allow multiple hosts and enable a captive web portal together on the same access port. If this were permitted, then after the first user registered, all subsequent users would be allowed access without being required to register. 802.1Q: Select this port type for ports connected to network forwarding devices such as switches and APs that support multiple VLANs on trunk ports. Because the intention of this type of port is to connect with other forwarding devices rather than individual hosts, there is no section for authentication. However, there is a section for QoS. For a description of the QoS settings, see "Phone & Data".

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 255 Unified Network Policy Configuration

4. After you configure the port type to which you want to assign the selected ports, highlight it in the Choose Port Type dialog box, and then click OK. 5. Repeat the selection of ports in the device template and the assignment of port types to the ports for as many ports as you want to use. (If you like, you can leave some ports initially unassigned for use later.)

You can create aggregate ports as well. For details, see "Link Aggregation" on page 312.

Port Types for a 5-Port Device Template New installations of HiveManager 6.0r2 provide three predefined port types for use with 5-port device templates for BR200-WP, BR200, and BR100 devices functioning as routers. For BR100 devices functioning as APs, there are two predefined port types (it does not support a WAN router port type). The names of all predefined port types begin with "QS-PortType-" ("QS" stands for "QuickStart"). You can use these port types with their predefined settings or clone them and use their settings as the basis for your own creations. You can also create new port types from scratch. To create a new port type for a 5-port device template and assign ports to it: 1. Expand the section for a 5-port device template, select one or more ports in the template, and then click Configure. 2. In the Choose Port Type dialog box that appears, click New. 3. In the New Port Types panel, enter the following and then click Save: Name: Type a name for the port type. Description: Type a useful description of the port type for future reference. Port Type: Select Access for ports connected to individual hosts, 802.1Q for ports providing network access through forwarding devices such as APs that support multiple VLANs, or WAN for a port acting as a backup WAN interface. Then configure parameters as appropriate for the selected port type. If you select Access, configure the following:

HiveManager 6.0r1: Enable 802.1X: Select this option if you want wired clients to use 802.1X authentication before being granted network access. Enable captive web portal: Select this option if you want to direct clients to a captive web portal before being granted network access. Enable MAC authentication: When enable a captive web portal, this option appears. Select it to enable devices to authenticate clients based on their MAC addresses. Authentication Protocol: Choose PAP, CHAP, or MS CHAP V2, depending on which protocol the RADIUS authentication server supports. If you are using an Aerohive RADIUS server, use the default choice: PAP. For an external RADIUS authentication server, choose the protocol that it supports. The Aerohive device functioning as the RADIUS authenticator uses the chosen protocol to authenticate communications between itself and the RADIUS server when submitting client credentials (its MAC address) for authentication.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 256 Unified Network Policy Configuration

HiveManager 6.0r2 (note that enabling MAC authentication is no longer dependent on enabling a captive web portal): Primary authentication using { 802.1X | MAC }: Choose the authentication method to attempt to use first. If you select the check box, you can also enable a secondary authentication method as a backup in case the first method proves unsuccessful. Secondary authentication using { 802.1X | MAC }: The secondary authentication method is automatically whichever method was not chosen as the primary method. Authentication Protocol: Choose PAP, CHAP, or MS CHAP V2, depending on which protocol the RADIUS authentication server supports. If you are using an Aerohive RADIUS server, use the default choice: PAP. For an external RADIUS authentication server, choose the protocol that it supports. The Aerohive device functioning as the RADIUS authenticator uses the chosen protocol to authenticate communications between itself and the RADIUS server when submitting client credentials (its MAC address) for authentication. Enable captive web portal: Select this option if you want to direct clients to a captive web portal before being granted network access.

Enable MDM Enrollment: To enable mobile device management of devices connected to the network through the ports to which you apply this port type configuration, select the check box and then choose a mobile device management configuration from the drop-down list. Aerohive devices integrate with JAMF and AirWatch. For information about each type, see Aerohive and JAMF Software MDM Configuration Guide and "Mobile Device Integration with AirWatch" on page 236. Management Traffic Filter: From the drop-down list, choose a traffic filter to control which management and diagnostic services—SNMP, SSH, , and Ping—to allow to access the mgt0 interface through the LAN ports and to permit or deny traffic between clients connected to each other through these ports. User Profile Application Sequence: In cases where different components associated with a port type reference different user profiles, you can specify which one you want to apply to user traffic by reordering them so that that profile is applied last. (See the HiveManager Help for a full explanation.) If you select 802.1Q, you only have to set the management traffic filter. If you select WAN, there are no further settings to configure.

Port Types for a 2-Port Device Template When using an AP330 or AP350 as a router, you can assign its ETH1 port to either an Access, 802.1Q, or WAN port type. (For information about these port types, see "Port Types for a 5-Port Device Template" on page 256.)

Example Port Type Assignments The following illustration shows examples of how you might configure 24-, 5-, and 2-port device templates with ports assigned to various port types.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 257 Unified Network Policy Configuration

Device 24-port template 5-port 2-port Templates template template

Port Phone & Access 802.1Q Mirror WAN* WAN* Types Data Access Access or 802.1Q When making port type assignments, 802.1Q note that only ports 1-8 on the SR2024 can provide PoE to connected devices. * On 5-port and 2-port templates, (The ETH1/PoE and ETH2/PoE ports on you can only assign the WAN port the BR200-WP can also provide power.) type to the eth0 port.

In the previous illustration, all the ports assigned to the same port type are adjacent to each other. This is not a requirement and was only shown that way to illustrate port type assignments clearly. You can also assign nonadjacent ports to the same port type. Also, you can create different varieties of the same port type and use them in the same device template.

After uploading a configuration containing a network policy for Aerohive routers, switches, and APs; the device templates configured with different port types might be applied to the routers and switches as shown below. (The Ethernet cables and connected devices are included to illustrate the use of the port types more clearly.)

Internet BR200-WP WAN Mirror DSL Modem 802.1Q 802.1Q Server Access

SR2024 Phone & Data APs

Servers IP Phones Access and Computers Printers

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 258 Unified Network Policy Configuration

4 – Applying Authentication Mechanisms, User Profiles, and VLANs After you construct a device template consisting of different port types, you can expand each template to view the port assignments. You can modify the port assignments by selecting the ports that you want to reassign and then clicking Configure. You can then apply them to a different port type, or you can clear their current assignment so that they become unassigned.

To select an entire group of ports, hover the pointer over a port that belongs to a group of port types. Then click the pop-up statement Select all ports using this port type.

In the Port Types section, you can configure authentication mechanisms, user profiles, and VLANs for the ports assigned to the various port types.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 259 Unified Network Policy Configuration

Phone & Data For Phone & Data port types that do not require authentication, the switch applies a single (default) user profile to voice traffic and a single (default) user profile to data traffic. The switch informs the phone through LLDP to tag voice traffic with the VLAN ID for the default voice user profile. The switch assigns any untagged data traffic that the phone forwards from a computer connected through its data port to the VLAN for the default data user profile.

The switch only assigns the VLAN for the data user profile to data traffic. It does not apply any other elements of the user profile such as QoS and firewall policies.

For Phone & Data port types that do require authentication, you can configure a RADIUS server to authenticate IP phones and users. In addition, the RADIUS server returns attributes that the switch uses to assign user profiles to voice traffic from IP phones and separate user profiles to data traffic from computers connected to the switch through data ports on the phones. For a switch to distinguish voice communications from data traffic, you must configure the RADIUS server to return the following AV (attribute value) pair in its Access-Accept messages along with attributes identifying a voice user profile: Cisco-AVPair: "device-traffic-class=voice" When the switch receives an Access-Accept message containing a Cisco-AVPair attribute along with attributes identifying a user profile, it takes the following actions: • It checks if the VLAN for that user profile is in its list of allowed VLANs. • If the VLAN is allowed, the switch sends an LLDP message to the phone informing it to tag voice traffic with that VLAN ID. If the identified VLAN is not in the allowed list, then the phone cannot access the network. • The switch applies voice QoS settings for the user profile to tagged traffic from the authenticated IP phone. If the switch receives an Access-Accept message containing a Cisco-AVPair attribute but no attributes identifying a user profile, the switch informs the phone through LLDP to use the VLAN associated with the default user profile for voice communications. When the switch receives an Access-Accept message from the RADIUS server that does not include the Cisco-AVPair attribute—but does have attributes identifying a user profile—the switch takes the following actions: • It checks if the VLAN for that user profile is in its list of allowed VLANs. • If the VLAN is allowed, the switch assigns the VLAN for that user profile as the native (untagged) VLAN on the port to which the IP phone connects. If the VLAN is not in the list of allowed VLANs, then the switch does not allow data traffic from the computer to access the network.

If multiple data clients connect through a hub or switch to the data port on an IP phone, the SR2024 puts traffic from all clients in the same native VLAN determined for the first authenticated client, regardless of the user profile assigned to the others.

If the RADIUS server does not include a Cisco-AVPair attribute nor any attributes identifying a user profile or a VLAN, the switch assigns traffic from the computer to the VLAN for the default user profile. In short, when a phone sends its own voice traffic, it tags it with the VLAN ID learned through LLDP. When the phone forwards traffic from the computer, it does not tag it, and the switch assigns the untagged traffic to the native VLAN.

You can also replace the VLANs that user profiles reference with different ones for this network policy. (For details, see "2 - Defining SSIDs" on page 291.) Include the native VLAN in the Allowed VLAN list.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 260 Unified Network Policy Configuration

Finally, the ports must be STP (Spanning Tree Protocol) edge ports so that they can come up quickly after you connect IP phones to them. To enable ports as edge ports, expand the STP Settings section on the device settings page for the switch, select Override STP settings in the network policy, select Enable STP, expand Port Level Settings, and select the Enable and Edge Port check boxes for the interfaces that belong to the Phone & Data port type. With a Phone & Data port type that requires authentication, configure a RADIUS authentication server and these user profile types: • A default user profile that the switch assigns to traffic from either an IP phone or computer after successful authentication when the RADIUS server returns an Access-Accept message without attributes indicating a specific VLAN or user profile (which itself references a VLAN), or it returns attributes matching the default user profile attribute • One or more user profiles for voice traffic assigned after successful authentication of an IP phone • One or more user profiles for data traffic that is assigned after successful authentication of a computer connected to the port through the IP phone 802.1Q For 802.1Q port types, you configure the native VLAN and the allowed VLANs on the ports. Be sure to include the native VLAN in the list of allowed VLANs. Access For Access port types, depending on whether you enabled 802.1X, MAC authentication, and a captive web portal, you configure a RADIUS authentication server, a captive web portal, and three types of user profiles: • A default profile to assign users who successfully completed 802.1X or MAC authentication or who registered successfully through a captive web portal requiring authentication, but the RADIUS authentication server returned no attributes in its Access-Accept message indicating which user profile to apply or it returned attributes matching the default profile attribute • One or more user profiles to assign users who have authenticated themselves successfully and the RADIUS server did return attributes indicating these user profiles • A user profile to assign users who do not successfully authenticate or register themselves after three authentication attempts If you did not enable authentication for the Access port type, then the Aerohive device can only apply a single (default) user profile. The above settings for Ethernet ports bear a number of similarities to the settings for SSIDs, allowing you to define a unified network policy for both wired and wireless clients.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 261 Unified Network Policy Configuration

5 – Mapping VLANs to Networks (For Aerohive devices configured as routers) HiveManager provides a simple yet flexible way to link IP networks to VLANs on Aerohive router interfaces. A list of all the VLANs that are referenced in user profiles appears in the VLAN-to-Subnet Assignments for Router Interfaces section.6 (You can also add additional VLANs for those indicated by returned RADIUS attributes but not mentioned specifically in user profiles.) You can then associate network objects defining management, internal, and guest networks with selected VLANs. When HiveManager uploads the network policy to routers that have those VLANs assigned to their Ethernet ports, it also assigns the network object to those ports as well. To map a VLAN to a network: 1. Click Choose for the VLAN that you want to map to a network. 2. In the Choose Network dialog box that appears, choose an existing network, or click New to create a new one. (If you are defining a new network object, see the HiveManager Help for descriptions of the settings in the New Network dialog box.) 3. When ready, highlight the network object in the Choose Network dialog box, and then click OK.

The VLANs in the VLAN-to-Network Mapping section only appear for VLANs referenced by user profiles assigned to SSIDs. If you do not define SSIDs, no VLANs appear in this section. If the VLAN you want to configure does not appear, click Add to add it.

6 – Configuring Additional Network Policy Settings A network policy contains additional settings than those described in the preceding sections. There are settings for management and native VLANs, a router firewall policy, IPsec VPN tunnels, Bonjour Gateways, router- and switch-specific settings, and various network services. Some of these are configurable in their own individual sections in the Configure Interfaces & User Access panel. Other settings are accessible in the Additional Settings section. Before uploading a network policy configuration to your Aerohive devices, configure settings for any other features here.

For instructions on configuring features introduced in releases before 6.0r1, see the HiveManager Help. For information about new switch features, see separate sections in this guide.

When done, click Continue to save the settings in the Configure Interfaces & User Access panel and advance to the Upload Configure & Update Devices panel.

7 – Modifying Device-Specific Settings Before uploading the network policy to your Aerohive devices, you might want to configure some devices differently than the rest. From the Upload Configure & Update Devices panel, click the host name of a device to access its device settings page. There you can configure settings for just the selected device. For example, you define the device function of an SR2024 as either switch (default) or router on the device settings page.

If a feature is configurable on a device settings page and in a network policy, the device-level settings always override the network policy settings.

6. The VLANs in the VLAN-to-Network Mapping section only appear for VLANs referenced by user profiles assigned to SSIDs. If you do not define SSIDs, no VLANs appear in this section. If the VLAN you want to configure does not appear, click Add to add it.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 262 Unified Network Policy Configuration

Switch Features at the Network Policy and Device Levels Most networks have the following fundamental needs: • A generic top-level policy that is broadly applicable to the network – This is the network policy. • Device-level settings for certain devices that deviate from the generic policy – These types of changes can be done at the device level. You can configure most of the switch features within a network policy and override them, if necessary, for individual devices. However some settings are only available at the device level. The following table summarizes which features are configurable at network policy and switch levels.

Switch Features Configure in Configure in Network Policy Device Settings

Forwarding database and MAC learning for Layer 2 switching 

Link aggregation 

IGMP snooping 

Port mirroring 

STP configuration 

STP edge port, priority, and path cost settings 

Traffic storm control 

LLDP/CDP 

Port-based and MAC-based 802.1X 

RADIUS authenticator 

VLAN reservation 

PSE mode and priority 

QoS settings 

Bonjour Gateway configuration 

MTU settings 

8 – Uploading the Configuration to Devices When your network policy and any specific device configurations are complete, you are then ready to upload the configuration to your devices. HiveManager offers to options for uploading configurations: auto provisioning and manual provisioning. Automatically provisioning routers is a good approach because routers are typically deployed at various branch sites at different times, making it difficult to know when they will connect to HiveManager and be ready for you to upload their configuration to them. With auto provisioning, HiveManager will automatically upload a configuration to them (and upgrade the HiveOS image running on them too if you like) whenever they connect to it. For automatically provisioning routers, reference the network policy that you just

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 263 Map Enhancements

configured in an auto-provisioning profile for the router models that you are deploying. In addition to determining which devices to auto provision by device model, you can also use their serial numbers to make an even finer determination. (For more information about auto provisioning, see the HiveManager Help and the Aerohive Deployment Guide. Manually provisioning APs and switches is a good approach because their deployment is typically performed at a single location at a known time, so you can better predict when they will connect to HiveManager and be standing by to push a configuration to them when they do. To upload a configuration consisting of network policy settings and device-specific settings, do the following. From the Upload Configure & Update Devices panel, set the Filter to None or Current and Default Policy, select the check boxes of the devices to which you want to upload the configuration, and then click Upload. The first time you push a configuration to a device, it must be a full configuration, which requires the device to reboot to activate its new configuration. Depending on your upload settings, the reboot operation will either happen automatically or you might need to reboot them manually. To view and modify the upload and reboot parameters, click the Settings button in the Configure & Update Devices panel.

Map Enhancements

In HiveManager 6.0r1, a new Maps section replaces the Topology section from earlier versions. Mapping functionality can now be linked to Google Maps to give you an accurate campus view that you can use to create building perimeters and plan and deploy your network devices:

You can use your own images or floor plans with or without Google Maps, or you can draw building perimeters onto a blank background. To disable Google Maps, click Maps > Global Settings and clear the check box for Use Street Maps.

Using Street Maps to Create and Manage Your Network The new Street Maps feature links your network location to Google Maps to provide precise aerial views of your campus and buildings. The Google Maps link is activated in HiveManager accounts in the following ways: • All HiveManager Online, HiveManager Planner, and HiveManager Demo accounts are automatically linked to Google Maps when they are activated. • HiveManager accounts on physical and virtual HiveManager appliances with static IP addresses can also use Street Maps once their URLs are registered.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 264 Map Enhancements

HiveManager Online and HiveManager Planning Accounts If you have a HiveManager Online or HiveManager Planning account, the first time you access the Maps section of the GUI you will see this dialog box:

Enter an address for your organization and click Get Started. HiveManager provides a satellite map of your location similar to what is shown next.

HiveManager Physical and Virtual Appliance Accounts If you have a physical or virtual HiveManager appliance and you are using a static IP address for the URL, you can enable Street Maps once the URL has been confirmed and registered with Aerohive.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 265 Map Enhancements

Perform the following steps to register your URL: 1. From the Maps > View window, click Operation… > Global Settings. Select the check box for Use Street Maps. The first time you do this, you will see a message similar to the following:

2. Click the form link, complete the fields in the form that appears, and then click Submit.

HiveManager automatically populates the System ID and Domain/IP fields

The registration process can take up to 24 hours. You will receive an email notification from Aerohive saying that your registration to access Google Maps is approved. You can now use the Street Maps feature as described in the following sections.

In some cases, your registration request might be denied; for example, if you are not using a static IP address, if the address you provided is invalid, or if there is a typo in the address. For this reason, it is preferable to use the DNS A record name of the server instead of an IP address.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 266 Map Enhancements

Using Street Maps to Draw Building Perimeters Draw building perimeters by clicking your mouse on one corner of the building, then dragging it in succession to each corner. Double-click the mouse to close the perimeter. Your completed building perimeters will resemble the ones shown below (the building perimeters are indicated by blue lines). After you complete this step, you can begin to add floors and plan device deployments in the same manner as in previous HiveManager releases.

When you are satisfied with your building parameter, click Create Floor Plan to continue with your planning.

Improved Internal Wall Tools This release adds the functionality to clone and move walls. The short-cut menu that appears when you right-click now includes Move and Clone options.

The Move option converts the wall into a movable object. Right-click on a wall that you want to move, select Move from the drop-down list, and drag the wall to the new location. When you release the mouse, HiveManager updates the coverage information for the new location. To clone a wall, right-click the mouse on a wall segment and select Clone. HiveManager creates a copy of the original wall. You can then move the new wall to any desired location.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 267 Map Enhancements

Configurable Network Folder Sorting As in previous versions of HiveManager, your network hierarchy appears in the left panel of the Maps section, starting with the root folder at the top, with region, building, and floor folders underneath. You can now organize your network folders in one of two ways: • When you select the check box for Sort Folders, your network folders appear in alphabetical order under the root folder. Sub folders are listed alphabetically underneath parent folders. • If you clear this check box, your network folders appear in the order in which they are created, which is the default sort order.

Migrating Map Information between HiveManager VHM Accounts This release adds the ability to export folders out of one HiveManager VHM and import them into another HiveManager VHM, eliminating the need to manually recreate the network hierarchy for each VHM. The options for exporting and importing map data include: • Export a single floor from one HiveManager Online account and then import it under an existing building in another account. • Export a hierarchy of folders, for example a building with multiple floors, from one HiveManager Online account and import this hierarchy under an existing region folder in another account. You can export data from all three folder types (region, building, and floor), but only region folders and buildings accept imported information. If you try to import data into a floor, HiveManager displays an error message. If that happens, select the correct folder type for importing (a region or a building), and try again. 1. To export map data from the first account, highlight the folder you want to export. From the View window, click Operations… > Export Folder. If the export is successful, the following message appears:

2. To save or open the file, click Download. In the dialog box that appears, select the Save option and save it in a location of your choice. If your browser does not offer a browse option for saving, when you click Save, the file is automatically saved to your Downloads folder. 3. In the new HiveManager Online account, highlight a region or building folder into which you want to import the data. From the View window, click Operations… > Import Folder. Browse for the data you just exported (or locate the file in the Downloads folder) and click Import.

If you import data that already exists in the destination folder, for example identical background images, you have the option to override the existing information.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 268 Device Classification

Device Classification

You can classify multiple definitions of a single configuration object (a VLAN object for example) as a means of controlling which devices receive which definitions. By using classification techniques, your configuration can reference one object, but HiveManager applies specific definitions for that object to different managed devices. In this release, several enhancements were made to this feature: the application of the various classification types has been refined, you can reorder the priority of the classification types, you can rename device tag labels, and you can use device tags to filter dashboard content. By default, HiveManager applies classification types to configuration object definitions in the following order:

Types of classifications Definition Assignment (in order of priority) Device tag (3 matching device tags) HiveManager assigns a configuration object definition to a device if the device and the definition have three matching device tags. Device tag (2 matching device tags) HiveManager assigns a definition if there are two matching device tags and there is no other definition with three matching tags. (If there are multiple definitions with two matching device tags, HiveManager assigns the first definition with two matches in the list.) Device tag (1 matching device tag) HiveManager assigns a definition if the device and definition share at least one matching device tag. (If other object definitions have a tag matching that for the device, then HiveManager assigns the first match in the list.) Device name HiveManager assigns a definition only to a device with this host name and there are no other definitions with matching device tags. Map name HiveManager assigns a definition to a device if it is on the specified map and none of the previous classification types apply to it. Global HiveManager assigns a definition to a device if there are no other matching classifications. All configuration objects must have at least one global definition, which essentially acts as the default.

The above list shows the system-defined priorities in HiveManager. In 6.0r1, you can reorder which classification type takes precedence over another. After adding multiple definitions to a configuration object, simply drag and drop the definitions into new positions to effect a change in their priority, those near the top of the list taking precedence over those below them. For example, to reorder them from most to least specific, move device name to the top (a host name must be unique and is, therefore, the most specific of all classification types), followed by map name second, then by device tags (which can span multiple maps and are, therefore, less specific than map name), and finally by the global classification at the bottom. By clicking the tools icon ( ), you can check for conflicting definition classifications, see which devices match the classifications, edit the definitions, and remove them from the configuration object.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 269 Link Aggregation

You can also rename device tags from Tag1, Tag2, and Tag3 to other more meaningful names. For example, you might change Tag1 to Branch-Size and then use device tags small, medium, and large for subnetworks that you want to assign to devices at differently sized branch sites. Other ideas for categories might be Access-Types with device tags like staff, equipment, guest; or Functions with device tags like users, locationing, security. To change device tag labels: 1. Click Home > Administration > HiveManager Settings, and then click Settings for the Custom Tag Label Settings section. 2. Click the check box for a device tag, and rename it. 3. Rename the other device tags if you like. 4. Click the Save icon in the upper right corner of the expanded section. Finally, if you add device tags to your devices, they appear in the Device Groups hierarchy in the top left panel on dashboard. You can then select any of the device tags to filter the views on the dashboard.

Link Aggregation

Link aggregation—also called port-channel—logically bundles multiple physical ports so that they act as a single logical port. You can use this feature to provide active link redundancy.

Aggregated Link

Four aggregated 1-gigabit ports provide almost as much bandwidth as a single 4-gigabit link.

To group a set of ports into an aggregate port:

Creating a New Network Policy with Switching Features 1. Click Configuration, create a new policy by clicking New beneath the Choose Network Policy list, configure the following, and then click Create: Name: Enter a descriptive name for the network policy. Description: Enter a brief description of the policy. Switching: (select)

By default, Wireless Access and Bonjour Gateway are selected. You can leave these features selected without interfering with the configuration of the switching features. Although you can create a port-channel on any device with multiple ports, this example uses an SR2024 switch as the model device. If you want you create a port-channel using an Aerohive router, you can select Branch Routing as well.

2. In the Choose Network Policy panel, highlight the policy that you created, and then click OK. HiveManager automatically advances to the Configure Interfaces & User Access panel.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 270 Link Aggregation

Creating a Device Template 1. In the Configure Interfaces & User Access panel, click Choose next to Device Templates, click New, configure the following, and then click Save: Name: Enter a descriptive name for the template. Because you can configure multiple device templates, it is helpful to include brief, descriptive details in the template name. Such details might include the number of ports, device model, and role of the device as a switch, router, or (for the BR100) AP. Description: Enter a description of the template. Port setting for: Click Device Models, choose the device model template that you want to use from the Device Models dialog box, and then click OK. (When you click OK, returning to the network configuration, the name of the model you selected in the previous step appears after the Device Models button.) When functioning as: choose Switch from the drop-down list. 2. In the Choose Device Templates dialog box, highlight only the template you created, and then click OK.

Aggregating the Ports Expand the section named for the template you just created in step 2, select ports 1 through 8 by clicking each port icon individually, select Aggregate selected ports to a logical interface with channel number, and then enter 5 in the channel number field.

Defining the Port Type After you create your port-channel, you must define the role of the port-channel. To configure the port-channel role: 1. Click Configure > New to create a new port type, enter the following information, and then click Save: Name: Enter a descriptive name for the new port type. Description: Enter a brief description. Port Type: 802.1Q

It is common to aggregate ports to create port-channel links between switches that can perform load balancing and provide link redundancy. When this is the case, multiple VLANs are generally involved, so configuring the aggregate ports as an 802.1Q port type is the most likely scenario.

QoS Classification Trusted Traffic Sources: Select to use 802.1p or DSCP (differentiated services code point) to establish the priority of traffic. DSCP code: Select to use the contents of the DSCP field of incoming packets to determine the priority. 802.1p: Select to use the contents of the User Priority field within the 16-bit VLAN tag to determine the priority. Assign the following Aerohive class to all unmarked incoming traffic: Select to specify a priority between 0 – Background and 7 – Network Control from the drop-down list for traffic that is otherwise not explicitly prioritized.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 271 Link Aggregation

Untrusted Traffic Sources: Select to ignore priority fields and specify a default priority. Assign the following Aerohive class to all incoming traffic on ports in this port group: Choose a priority between 0 – Background and 7 – Network Control from the drop-down list. QoS Marking Map Aerohive QoS classes to the following type of priority markers in all outgoing traffic: Select to insert the current priority value into the appropriate field in the traffic header. DSCP: Select to set the DSCP code field of the outgoing packet to current QoS priority. 802.1p: Select to set the User Priority field in the VLAN tag to the current QoS priority.

The values to be encoded into the traffic header come from the respective QoS priority fields of the traffic when it arrives. If no priority information is available on arrival, the traffic header is encoded with the default priority.

2. Highlight the port type you just created in the Choose Port Type dialog box, and then click OK. The following illustrates your current switch port configuration:

The icon indicates an 802.1Q trunk port.

Assigning VLANs to the Channel In the Port Types section, the aggregate channel port type you created appears as an editable profile. Click Add/Remove in the VLAN column, enter the following, and then click OK. Native VLAN: Choose the native VLAN from the drop-down list. If the native VLAN does not appear, you can create a new VLAN object by click New ( + ). Allowed VLAN: Enter the VLANs—including the native VLAN—that you want to support on this trunk.

You can list the VLANs individually (separated by commas) or as a range of VLANs using a hyphen. You must include the native VLAN in the Allowed VLANs field. Alternatively, you can enter the word all into this field to support all VLANs.

When you complete this stage, the native VLAN appears in blue, and all supported VLANs appear below the native VLAN in black.

Click Continue to save the configuration and prepare to upload your configuration to the device.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 272 LLDP and CDP

Uploading the Configuration Before you attempt to upload, verify the upload settings by clicking the Settings button. Ensure that Auto (First time with complete upload; subsequent uploads compare with running AP config) is selected. If so, click Save to return to the upload page. To complete the upload of your current configuration to the switch, select the switch to which you would like to upload the configuration, and then click Upload.

You can upload the configuration directly from the Device Upload Options dialog box, but to do so, you must first have selected the switch to which you want to upload the configuration.

LLDP and CDP

LLDP (Link Layer Discovery Protocol) and CDP (Cisco Discovery Protocol) are Layer 2 protocols that allow network devices to advertise their current status and capabilities. Aerohive switches have the ability to transmit and receive LLDP frames, and to receive CDP frames.

LLDP Aerohive switches use LLDP, as defined in the IEEE 802.1AB standard, to communicate their capabilities to neighboring switches using a special frame, the payload of which is called an LLDPDU (LLDP Data Unit). LLDP frames always contain the following informational fields, each in the form of a triplet of subfields called a TLV (type-length-value): Chassis ID: Identifies the switch, often by using the MAC address or network address as the value. Port ID: Identifies the originating port of the switch. This also is often the MAC address or network address.

Chassis ID and Port ID are concatenated to provide the receiving switch with a unique identifier of the sending switch.

Time to live: This indicates to the receiving switch the number of second it is to regard the information contained in the frame as valid. Optional informational TLVs are inserted after this TLV. End of LLDPDU: This is the final TLV in the LLDPDU, and consists only of 16 bits of zeros Whereas LLDP must transmit the preceding information, it can also transmit other information, depending on the switch. Aerohive switches support the transmission of additional information, including capabilities discovery, LAN speed and duplex discovery, network policy discovery, power, and so on.

LLDP-MED LLDP-MED (LLDP-Media Endpoint Discovery) extends the capabilities of LLDP specifically for media endpoint devices such as VoIP phones. Unlike LLDP, which carries information between switches, LLDP-MED carries information from a switch to a VoIP phone end point. In particular, LLDP-MED is used to carry location information to the VoIP phone so that when the VoIP phone initiates a call—for example, to dial 911, it sends its location information to the 911 control center. Because of the different purposes of using LLDP versus LLDP-MED, they are not used at the same time on the same link. Aerohive switches will first use LLDP; however, if it receives an indication that LLDP-MED is required instead, then the switch makes the change automatically.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 273 LLDP and CDP

CDP CDP is a proprietary discovery protocol developed by Cisco that functions similar to LLDP, while provided additional information specific to Cisco devices. Aerohive switches do not transmit CDP frames, however they can receive and parse them. In this way, Aerohive switches can coexist in a network with Cisco devices running CDP.

Configuring Discovery Protocols in a Network Policy When you configure LLDP and CDP settings in the network policy, the settings apply to all the ports on the switch. To configure LLDP and CDP in the network policy: 1. To create a new network policy that includes switching features, click Configuration, create a new policy by clicking New beneath the Choose Network Policy list, configure the following, and then click Create: Name: Enter a descriptive name for the network policy. Description: Enter a brief description of the policy. Switching: (select)

By default, Wireless Access and Bonjour Gateway are selected. You can leave these features selected without interfering with the configuration of the switching features. The Branch Routing option is not required to configure link aggregation.

2. In the Choose Network Policy panel, highlight the policy that you created, and then click OK. HiveManager automatically advances to the Configure Interfaces & User Access panel. 3. In the Additional Settings section, click Edit, expand Service Settings, configure the following, ignoring all other settings, and then click Save: Link Discovery Protocol: Choose the link discovery protocol you want to use in the network policy. If the desired protocol is not in the drop-down list, click New ( + ), enter the following information, and then click Save: Name: Enter a descriptive name for the LLDP/CDP profile. Description: Enter a brief description. Enable LLDP (for APs and BRs): Select to enable LLDP specifically on Aerohive access points and Aerohive routers. Enable LLDP on host ports (for SR2024): Select to enable LLDP specifically on Aerohive SR2024 switch ports that are configured to be host ports. Enable LLDP on non-host ports (for SR2024): Select to enable LLDP specifically on Aerohive SR2024 switch ports that are not configured to be host ports. LLDP Settings Receive Only: Select to configure the switch to receive LLDP advertisements, but to prevent the switch transmitting them. Maximum cached LLDP Entries: Enter the number of LLDP entries you want the switches using this profile to store locally in cache memory. Aerohive switches can store up to 128 entries. This value is independent of the number of CDP entries stored. Period for neighbors to keep Aerohive advertisements: Enter the amount of time you want non-Aerohive switches to retain LLDP advertisements received from Aerohive switches. If you

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 274 LLDP and CDP

configure this value to be zero seconds, then you are instructing non-Aerohive devices not to retain Aerohive advertisements. LLDP Advertisement Interval: Enter the amount of time between the LLDP advertisements of the Aerohive switches. Maximum power for sending LLDP advertisements: Enter the maximum power (in deciwatts; that is, 1/10th of a watt) at which you want to allow LLDP advertisements to occur. Entering 154 (the default value) is equivalent to 15.4 watts. LLDP Initialization Delay Time: Enter the minimum amount of time LLDP waits to initialize on the interface. Fast Start Repeat Count: Enter the number of times you want the switch to repeat Fast Start advertisements. Fast Start advertisements are only used when the switch changes to the LLDP-MED protocol for VoIP phones. Enable CDP (for APs and BRs): Select to enable CDP specifically on Aerohive access points and Aerohive routers. Enable CDP on host ports (for SR2024): Select to enable CDP specifically on Aerohive SR2024 switch ports that are configured to be host ports. Enable CDP on non-host ports (for SR2024): Select to enable CDP specifically on Aerohive SR2024 switch ports that are configured to be host ports. CDP Settings Maximum Cached CDP Entries: Enter the number of CDP entries you want the switches using this profile to store locally in cache memory. Aerohive switches can store up to 128 CDP entries. This value independent of the number of LLDP entries stored.

Configuring LLDP CDP on a Device You can configure LLDP and CDP settings at the device level because some LLDP and CDP setting are applied on a port by port basis. To configure LLDP and CDP on an Aerohive switch, click Configure > Devices > Switches > device_name, expand Switch Ethernet Port Settings, configure the following, and then click Save: Override LLDP/CDP Settings: Select to override the default LLDP and CDP switch settings. By default, LLDP and CDP are enabled on all ports.

LLDP Transmit: Select to allow Aerohive switches to transmit LLDP advertisements to its neighbor switches. LLDP Receive: Select to allow Aerohive switches to receive and cache LLDP advertisements from its neighbor switches. CDP Receive: Select to allow Aerohive switches to receive and cache CDP advertisements from its non-Aerohive neighbor devices that are capable of transmitting CDP frames.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 275 IGMP Snooping

IGMP Snooping

IGMP (Internet Group Multicast Protocol) snooping involves the switch examining IGMP traffic between an IGMP-enabled router and its multicast destinations to determine the ports to which the multicast group member hosts are attached. In this way, the switch can forward multicast traffic specifically to those ports where the traffic is needed without flooding the multicast VLAN with unnecessary multicast traffic. You can set the IGMP feature on a network policy, a device, and an individual VLAN. Naturally, the IGMP settings on the network policy apply to all the devices within the policy. The IGMP settings on a device apply only to the device specified and override the IGMP settings on a network policy if they conflict. The IGMP settings on an individual VLAN apply to the specified VLAN only and override both the IGMP settings on the network policy and the device.

Configuring IGMP Snooping in a Network Policy 1. To create a new network policy that includes switching features, click Configuration, create a new policy by clicking New beneath the Choose Network Policy list, configure the following, and then click Create: Name: Enter a descriptive name for the network policy. Description: Enter a brief description of the policy. Switching: (select)

By default, Wireless Access and Bonjour Gateway are selected. You can leave these features selected without interfering with the configuration of the switching features. The Branch Routing option is not required to configure link aggregation.

2. In the Choose Network Policy panel, highlight the policy that you created, and then click OK. HiveManager automatically advances to the Configure Interfaces & User Access panel. 3. In the Additional Settings section, click Edit, expand Switch Settings > IGMP Settings, configure the following, and then click Save: Enable IGMP Snooping: (select) Enable Immediate Leave: Select to instruct the switch to remove a multicast host from the multicast forwarding table immediately on receipt of a leave group membership message. By default the switch takes no action, and it is up to the IGMP-enabled router to poll for membership, and then wait for a predetermined period of time before pruning the unresponsive multicast host. Enable Report Suppression: Select to suppress redundant IGMP membership reports from multiple hosts on a subnet. By default, this option is selected. When the switch receives several IGMP membership reports, it suppresses the multitude of reports in favor of sending a single report to the IGMP-enabled router. This option thereby reduces traffic.

Configuring IGMP Snooping on a Device To configure port-specific traffic storm control directly on the device, click Configuration > Devices > Switches > device_name, expand the IGMP Settings section. Select Override the IGMP Settings in the network policy and then click Default Global IGMP settings. Configure the following, and then click Save: Enable Immediate Leave: Select to instruct the switch to remove a multicast host from the multicast forwarding table immediately on receipt of a leave group membership message. By default the switch takes no action, and it is up to the IGMP-enabled router to poll for membership, and then wait for a predetermined period of time before pruning the unresponsive multicast host.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 276 IGMP Snooping

Enable Report Suppression: Select to suppress redundant IGMP membership reports from multiple hosts on a subnet. By default, this option is selected. When the switch receives several IGMP membership reports, it suppresses the multitude of reports in favor of sending a single report to the IGMP-enabled router. This option thereby reduces traffic. Delay Leave Query Interval: Select to set a time, in seconds, the switch requires an IGMP-enabled router to respond to queries sent by the switch to delay a leave request. After this time expires, the IGMP-enabled router is dropped from the Multicast Groups table. The default value is 1 second. The range is from 1 to 25 seconds. In general, the IGMP client responds with a join message less than one second after it receives a query message. There are two reasons you might want to increase the number of seconds in this interval. You might want to increase the value of this field if it takes longer for an IGMP client to respond. In addition, if an IGMP client is not connected directly to the SR2024 you might want to increase the value of this field. Delay Leave Query Count: Select to set the number of times that a query from the switch is sent to the IGMP-enabled router. The default value is 2. The range is from 1 to 7. This value is based on the quality of the network connection between the client and the SR2024. Increase this parameter when you expect a lot of packet loss on the network. Router Port Aging Time: Select to determine the time, in seconds, that the switch waits for a response from the IGMP-enabled router before the switch drops the router from the Multicast Groups Table. The default is 4 minutes and 10 seconds (250 seconds). The range is 30 to 1,000 seconds. Each vendor has a different default query interval. Use the following calculation to determine the setting for this field: (uplink router query interval) x 2 +10. Robustness Count: Select to tune the expected packet loss on a network. Increase this parameter when you expect a lot of packet loss on the network. The default value is 2. The range is 1 to 3.

Configuring IGMP Snooping on an Individual VLAN To configure IGMP Snooping directly on a VLAN, do the following:

Use this set of controls to override the network policy and device settings for the specified VLAN.

1. Click Configuration > Devices > Switches > device_name, expand the IGMP Settings section 2. Expand the IGMP Settings for Individual VLAN section. Click the New icon ( + ) next to the Robustness Count (1-3) field. The table expands. Specify the VLAN that you want to configure with IGMP Snooping settings in the VLAN (1-4094) field. You must select a VLAN that has already been configured. 3. Configure the remaining fields with information from the preceding Configuring IGMP Snooping on a Device procedure and then click the done icon.

Configuring Static Multicast Groups for IGMP Snooping To populate the Static Multicast Groups table for IGMP Snooping, click Configuration > Devices > Switches > device_name, expand Static Multicast Groups Settings, configure the following, and then click Save: VLAN (1-4094): Select to specify the VLAN that you want to configure with IGMP Snooping settings. You must select a VLAN that has already been configured. Multicast IP Address: Select to specify an IPv4 multicast IP address that you want to associate with a VLAN. Interfaces: Select one or more port interfaces on a switch to associate with a VLAN.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 277 Port Mirroring

Port Mirroring

Port mirroring is a feature that allows you to monitor the traffic of one or more ports by configuring the switch to generate a copy of the ingress and egress traffic of a specified port (called the source port) or VLAN, and forward the copy to a second interface (called a destination port) to monitor the traffic. Copying traffic to a second port in this way allows monitoring to occur without the need to place additional monitoring equipment in the signal path to do so. Aerohive switches allow you to mirror multiple ports to a single monitor port. To configure port mirroring: 1. Click Configuration, highlight a network policy that includes switching, and then click OK. 2. Expand an existing device template, and then click the port that you want to use as the destination port for mirrored traffic (a blue border appears around selection), and then click Configure. 3. In the Choose Port Type dialog box, click New. 4. In the New Port Types panel that appears, enter a name for the port type, select Mirror, and then click Save. 5. Highlight the port type that you just created for mirroring, and then click OK. The Additional Mirror Port Settings for "device_template" dialog box appears.

6. To monitor VLAN traffic, select VLAN-Based under Source Port Monitoring Specifications, and then enter the VLAN whose traffic you want to monitor.

When using the VLAN-Based option, you can only have one destination port, and can only monitor ingress traffic.

7. To monitor the ingress or egress traffic from a specific port, select Port-Based under Source Port Monitoring Specifications, enter the following information, and then click OK: Destination Port: (read-only) This is the destination port for mirroring traffic. Ingress: Click Choose, select the interfaces whose ingress (that is, incoming) traffic you want to monitor, and then click OK at the bottom of the list. Egress: Click Choose, select the interfaces whose egress (that is, outgoing) traffic you want to monitor, and then click OK at the bottom of the list. Ingress & Egress: Click Choose, select the interfaces whose bidirectional traffic you want to monitor, and then click OK at the bottom of the list.

You can create up to four destination ports and monitor four separate sets of ports independently.

8. Save and upload your network policy to the switch.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 278 Port Mirroring

Viewing Mirrored Traffic You can view the traffic that you monitor using a laptop and a packet analyzer such as Wireshark. While the laptop is connected to the mirror destination port, all mirrored traffic is forwarded to the laptop where you can capture the traffic with any packet analyzer. In this example Wireshark is the selected analyzer. To view monitored traffic, do the following: 1. Connect your monitoring device-commonly a laptop running a packet analyzer-to the switch port that you have previously configured to be the destination port using an Ethernet cable.

Aerohive switch

Laptop running a To the network packet analyzer or other traffic source Destination Port

2. Start your packet analyzer application and configure it to monitor traffic arriving only on the Ethernet interface that is connected to the Aerohive switch.

3. Begin the capture and allow it to continue until you believe you have collected enough packet information.

As the packets are collected, the display might scroll by rapidly because, by default, packet analyzers display information on all incoming packets. You can apply a filter by entering an expression into the filter field, or by choosing an expression from the drop-down list. For example the following screen shot shows a capture filtered for ARP traffic.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 279 Spanning Tree Protocol

Spanning Tree Protocol

Spanning Tree Protocol (STP) is a bridging protocol defined in 802.1 that prevents broadcast and multicast frames from propagating uncontrollably, and unicast frames from arriving at their destination in duplicate by allowing only one path between any two network switches. STP allows switches to elect a root bridge from among all the switches in the network, establish a loop-free working topology, and monitor the topology to remediate link failures or loops that can arise during operation.

The protocol specification uses the term bridge, but the term also includes switches—which are multiport bridges—as well.

Core Distribution Access LANs/Clients Layer Layer Layer routers switches switches

Internet

Switched networks often have redundant paths built into them to provide fault tolerance, but which can cause frame delivery problems, such as frame duplication. Spanning Tree Protocol helps to prevent these problems.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 280 Spanning Tree Protocol

Electing the Root Bridge To elect the root bridge in a network, the process requires two values: the switch priority and the bridge address. The switch priority is a value that you can modify on Aerohive switches within HiveManager. By default, the value is set to 32768, but you can set this in HiveManager to any value from 0 to 61440 in steps of 4096. The bridge address is the MAC address of the mgt0 interface.

If you have several switches in your network, it is advantageous to configure the priority value on a particular switch to ensure that the most appropriate switch (as determined by its position or role in the network) is elected to be the root bridge. Setting a secondary priority on a second switch can also provide some control over the STP topology in the event that root bridge fails. Because the priority values of all switches are the same by default, and the lowest MAC addresses exist on the oldest switches or specific vendors, using default priority can mean that an unintended switch becomes the root.

To configure the priority on an Aerohive switch in HiveManager, click Configuration > Devices > Switches > device_name, expand the STP section under Optional Settings, configure the following, and then click Save: Override STP Settings: (select) Enable STP: (select) STP Mode: STP Device Settings: (expand) Priority for root calculation: 28672

Lower priority values indicate a higher priority. Whereas you can set the priority values to anything below the default 32768, setting it to the first value below the default is generally enough to ensure its election to the root bridge role, as long as all other switches are configured with the default priority.

Calculating Link Cost After STP elects the root bridge, it then evaluates the cost of each path that exists between the root bridge and all other switches. Link cost is based on the data throughput capacity—or bandwidth—of the link (a higher capacity translates to a lower cost), and the total link cost between the root bridge and another switch is the sum of the costs of all the links in that path. For example, if the link between Switch A and Switch B is 1 Gbps (cost 20000), and the link between Switch B and Switch C is 1 Gbps (cost 20000), then the total link cost between Switch A and Switch C is 40000. In the 802.1D-1998 standard, path cost values were not available for bandwidth values above 10 Gbps, which is inadequate for modern switched networks. The current 802.1D-2004 standard uses a new scheme for assigning path cost. The table below illustrates how the old scheme maps to the new scheme.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 281 Spanning Tree Protocol

Aerohive uses the 802.1D-2004 values, but other vendors might use 802.1D-1998 values by default, even STP Elects a switch if they support the newer values. If you have a mixed Root to become the root network, be sure to check your vendor bridge. documentation. If all your switches do not use the same cost calculation mode, inconsistencies in cost calculation and convergence problems can result. STP Calculates the path cost of each Root link between the root bridge and all Bandwidth 802.1D-1998 Cost 802.1D-2004 Cost other switches. <=100 Kbps N/A 200000000

1 Mbps N/A 20000000 Where STP calculates 10 Mbps 100 2000000 Root multiple paths, it disables the slowest 100 Mbps 19 200000 paths. 1 Gbps 4 20000 10 Gbps 2 2000 If an active link 100 Gbps N/A 200 Root fails, STP quickly 1 Tbps N/A 20 activates one of the redunant paths. 10 Tbps N/A 2

Although the root bridge and link selection process might appear random, STP uses priority settings within the switches and the port MAC addresses to make its decisions.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 282 Spanning Tree Protocol

To simplify calculations, all interfaces are the same speed.

Root Bridge Inactive links on blocking mode ports

Active links on forwarding mode ports

Without STP, all ports are in forwarding Spanning Tree Protocol determines the most mode, meaning that the links are active and efficient paths and disables less efficient forwarding frames. redundant paths, removing loops.

Because of the redundant links, loops occur that cause frame delivery problems.

Configuring STP STP is disabled by default in HiveOS, and the STP controls are disabled by default in HiveManager.

The default settings are generally tuned for efficient operation in most networks and very seldom require change. Make sure that you know what behavior to expect before changing the default values in a production network.

To change the default behavior of STP, click Configuration > Devices > Switches > device_name, expand the STP Setting section in Optional Settings, configure the following, and then click Save: Override the STP Settings in the network policy: (select) Enable STP: (select) Device Settings: (expand) Forwarding delay: Enter the time that you want the switch to remain in the learning and listening states. By default, this is 15 seconds. Hello Time: Enter the BPDU (Bridge Protocol Data Unit) send interval. Each BPDU contains information about the switches, and is sent every 2 seconds by default in part to notify neighboring switches that the link is still active. If you choose RSTP (Rapid Spanning Tree Protocol) for the STP Mode, then this option is not available.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 283 Traffic Storm Control

Max Age: Enter the maximum amount of time that a switch retains Spanning Tree information since the most recent Hello message if it does not get refreshed. By default, if a switch does not receive Hello messages or receives inferior Hello messages on a port, it will discard the Spanning Tree information for that port after 20 seconds, which might cause the switch to change port states.

This only affects STP operation, and not RSTP.

Priority for root calculation: Set the switch priority. This value is used during the process of electing a root bridge. Force Version: Enter the BPDU protocol version number to use on the switch. If you are using legacy STP, then this value must be 0, which is the protocol version for legacy STP. If you are using RSTP, then you can enter 2 (RSTP version number) or 0, if you want to force STP compatibility.

A value of 1 is not supported for any STP setting.

Port Level Settings: (expand) Enable: Select to enable a switch port. By default, all ports are enabled, but you can clear this check box to disable a port. Priority (0-240): Choose the priority value of the port. By default, this value is 128, and is configurable in step of 16 from 0 to 240.

You can use the port priority value as a way to control which ports are preferred when downstream switches elect their root ports. A lower priority value indicates a greater preference.

Path Cost (1-200000000): Enter the path cost that you want to use for the link. By default, the path cost of a port is determined by the link speed; however, you can favor certain STP behavior by explicitly configuring the path cost of a link instead of allowing STP to determine it automatically. The maximum setting (200000000) is equivalent to a link whose speed is less than or equal to100 Kbps.

Traffic Storm Control

Aerohive switches provide a means of protecting the network from traffic storms. Traffic storms can result accidentally from unmitigated network loops, or as a result of purposeful, coordinated attacks by rogue users. You can configure storm control switch-wide within the network policy, or you can override these global settings and configure port-by-port storm control parameters.

Configuring Traffic Storm control in a Network Policy 1. Create a new network policy that includes switching features. Click Configuration, create a new policy by clicking New, configure the following, and then click Create: Name: Enter a descriptive name for the network policy. Description: Enter a brief description of the policy. Switching: (select)

By default, Wireless Access and Bonjour Gateway are selected. You can leave these features selected without interfering with the configuration of the switching features.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 284 Traffic Storm Control

2. Select the network policy that you just created in the Choose Network Policy panel, and then click OK, HiveManager automatically advances to the Configure Interfaces & User Access panel. 3. In the Additional Settings section, click Edit, expand Switch Settings > Storm Control, configure the following, and then click Save: Byte Based: Select if you want to enter your storm control values in terms of the number of bytes. Packet Based: Select if you want to enter your storm control values in terms of the number of packets. All Type: Select to include broadcast, unknown unicast, multicast, and TCP-SYN traffic when choosing what traffic to determine to be storm traffic. When you select this check box, all available traffic types are selected as well. Subsequently clearing any of the traffic type check boxes automatically clears the All Types check box. Broadcast: Select to include broadcast traffic; that is, traffic that is forwarded to all destinations simultaneously. Unknown Unicast: Select to include unicast traffic whose destination address does not appear in the forwarding database. Multicast: Select to include traffic whose destination is a multicast address. TCP-SYN: Select to include TCP-SYN flood traffic. Rate Limit Type: (Available only when Byte Based is selected) Choose whether you want to enter values explicitly using the number of bytes per second (BPS) or as a percentage of total interface capacity. Rate Limit Value: Enter the threshold value beyond which point you want the switch to discard traffic of the types selected above.

You can adjust the setting of access traffic and 802.1Q (VLAN) traffic independently.

Configuring Traffic Storm Control on a Switch To configure port-specific traffic storm control directly on a switch, click Configuration > Devices > Switches > device_name, expand the Storm Control section, configure the following, and then click Save: Override storm control in the network policy: (select) Byte Based: Select if you want to enter your storm control values in terms of the number of bytes. Packet Based: Select if you want to enter your storm control values in terms of the number of packets. All Types: Select to include broadcast, unknown unicast, multicast, and TCP-SYN traffic when choosing what traffic to determine to be storm traffic. When you select this check box, all available traffic types are selected as well. Subsequently clearing any of the traffic type check boxes automatically clears the All Types check box. Broadcast: Select to include broadcast traffic; that is, traffic that is forwarded to all destinations simultaneously. Unknown Unicast: Select to include unicast traffic whose destination address does not appear in the forwarding database. Multicast: Select to include traffic whose destination is a multicast address. TCP-SYN: Select to include TCP-SYN flood traffic. Rate Limit Type: (Available only when Byte Based is selected) Choose whether you want to enter values explicitly using the number of bytes per second (BPS) or as a percentage of total interface capacity. Rate Limit Value: Enter the threshold value beyond which point you want the switch to discard traffic of the types selected above.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 285 Traffic Storm Control

P/N 330096-02, Rev. A

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 286 Aerohive 6.0r1 New Features Guide

Aerohive 6.0r1 New Features Guide

This guide describes the new features and feature enhancements introduced in the HiveOS and HiveManager 6.0r1 releases, including support for the new SR2024 platform.

New Features and Feature Enhancements

Several new features and feature enhancements have been introduced in the HiveManager 6.0r1 beta release. You can read summaries of these features and enhancements below. Major features are covered in more detail in individual sections later in this guide. For more information about known and addressed issues for this release, refer to the Aerohive 6.0r1 Release Notes.

New Features and Enhancements in the 6.0r1 Release The following are the new features and feature enhancements in the HiveManager 6.0r1 release for beta.

New Hardware Platforms SR2024: This release introduces the SR2024 switch, the first in the Aerohive SR series of switches that provide Layer 2 wired network access. Aerohive switches are configured, managed, and monitored through the cloud-enabled HiveManager and run HiveOS. The SR2024 switch provides twenty-four non-blocking 10/100/1000 copper RJ-45 Ethernet ports, eight with 802.3af and 802.3at PoE capability. This switch also provides four 1-gigabit fiber ports, an RJ-45 console port, and a 3G/4G USB modem port. If you designate one or more switch ports as WAN ports, the switch also functions as a router with full Aerohive router functionality. HiveManager Appliance: This release also introduces the new 1U HiveManager Appliance with a global power supply, six gigabit Ethernet ports, 8 gigabytes of memory, an RJ-45 serial console port, two USB 2.0 ports, a 500-GB hard disk drive. It supports up to 10,000 Aerohive devices and provides one year of data retention.

The actual number of APs supported is still being confirmed at the start of beta testing.

New and Enhanced HiveManager Online 6.0r1 Features Unified Network Policy Configuration: Several significant enhancements have been made to network policies in HiveManager 6.0r1. You can now use the same user profile in different network policies but have different VLANs for each one. Also, network objects are no longer bound to user profiles for use by router interfaces, eliminating the distinction between Layer 2 and Layer 3 user profiles. In HiveManager 6.0r1, you map VLANs to networks at the network policy level. Instead of LAN profiles, which were used for configuring the LAN ports on routers, you now configure ports for both routers and switches through device templates and port type definitions. Finally, you can specify one or more deployment requirements for the network policy in any combination: wireless access, switching, branch routing, and Bonjour Gateway. By choosing your deployment requirements, HiveManager automatically generates the appropriate configuration elements for you, which helps simplify the policy configuration process. Topology (Maps) Enhancements: The Topology section has been renamed Maps and contains both the planning tool and the network mapping features. Both planning and mapping functions have been greatly enhanced with the addition of the following features:

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 287 New Features and Feature Enhancements

• Google Maps: HiveManager Maps is now linked to Google Maps to give you a precise view of your building or campus. Use the Google Maps view to draw your building perimeters, or create your own perimeters from a floor plan. Goggle Maps eliminates the need to manually import area maps. Addresses are geocoded and maps are automatically generated. Google Maps is enabled by default for HiveManager Online accounts, and can also be used with HiveManager On-Premise accounts after they are initialized through a URL registration process. The network planning tool has been relocated from the Tools section of the GUI to the Maps section. HiveManager remembers zoom and pan activities for a map and presents the last view the next time you visit the map using the Home button. • Map Migration between HiveManager Online accounts: This release simplifies the process of moving or sharing maps and floor plans from one HiveManager Online account to another. You can now select a folder in the map hierarchy and export that folder and all its sub-folders, including background images, interior walls, perimeter walls, and the type, power, and channel settings of all planned APs. You can then import that information into another HiveManager Online account for use there.

Actual APs and devices are ignored in the export process.

• Reusable Floor Names: Unique floor names are no longer required for each building in your network hierarchy. Floor names are now automatically linked to their corresponding buildings. In drop-down lists, for example, floor names now always include the name of the building in which they are located. • Improved Internal Wall Creation: You can now clone and move internal walls for reuse on a floor plan. • Configurable Network Folder Sorting: You can now organize your network folders in alphabetical order or by the default method, which is the order in which they were created. Customizable Time Format: You can now configure HiveManager to display the proper time format for your location. The default has also been changed from MM-DD to MM-DD-YYYY. Network Summary Report: The Network Summary Report has been enhanced to build scheduled historical reports with customized report content. You can now customize report headers, footers, and logos. New HiveManager Dashboard: This release introduces a unified dashboard for wired and wireless networks that provides detailed network visibility into applications, users, devices, and clients, while retaining your network context. The dashboard can be customized by geographic region, department, campus, building, floor, SSID, or user profile. Using the dashboard perspective feature, you can create multiple, customized network perspectives that provide specific information by application, user, client, Aerohive device, and a variety of other options. Use the perspective views to troubleshoot your network, identify user activity, and confirm that your firewall and user profiles are configured correctly. The Dashboard remembers your contextual filters across logins and across perspectives. Perspective reports are easily created using a wide variety of predefined dashboard widgets (up to ten widgets per perspective), or you can customize your own widgets. You can easily generate real-time and historical reports. Configuration Object Classification: The classification of configuration object definitions has been revised to make their assignments and viewing easier. By default, HiveManager applies classification types to configuration object definitions in the following order: (1) device tag; (2) device name; (3) map name; (4) global. In 6.0r1, you can reorder which classification type takes precedence over another through an easy drag-and-drop interface. You can view the device tags that have already been created and assigned to devices so that you can simply choose them, saving time and avoiding potential misconfigurations. You can also rename classifier tags from “tag 1”, “tag 2”, and “tag 3” to other more meaningful names. Switch Features: The following features are available on the SR2024 switch:

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 288 New Features and Feature Enhancements

• Layer 2 Forwarding Database: An Aerohive switch can learn MAC addresses dynamically or you can configure them statically. The switch saves dynamically learned addresses in its Layer 2 MAC learning table. By default, a MAC address remains in the table for 300 seconds (five minutes) after the last communication from a device. After that, the switch deletes, or ages out, the MAC address from its table. You can set this idle timeout from 10 to 650 seconds (almost 11 minutes), or to never time out, as best suits the needs of your network. You can also add static MAC addresses to the forwarding database manually. When you add a static MAC address, it does not age out but remains there until you delete it. Finally, you can configure the switch to disable learning MAC addresses on specific VLANs or on all VLANs • Link Aggregation: You can configure up to eight physical ports to act as a single logical port (called a port-channel) on an Aerohive switch, increasing the effective bandwidth of the link and providing link redundancy. When you create a port-channel, the switch balances traffic across all physical ports using the source and destination MAC addresses of the frames as a key factor by default; however, you can configure the switch to load balance the traffic by considering the IP addresses and port information as well. • LLDP Support: Aerohive switches support transmission and reception of 802.1AB LLDP (Link Layer Discovery Protocol). These protocols provide a means for network switches to advertise identity, status, and capability information to neighboring switches and collect and retain similar information from them. • LLDP-MED Support: Aerohive switches support the use of LLDP-MED (LLDP Media Endpoint Discovery). LLDP-MED allows Aerohive switches to advertise location information to VoIP phones. • CDP Support: Aerohive switches support the reception of CDP (Cisco Discovery Protocol). CDP support allows Aerohive switches to receive and parse CDP frames, which allows them to coexist within a mixed-vendor network. • IGMP (Internet Group Management Protocol) Snooping: Aerohive switches are capable of monitoring IGMP transactions between multicast routers and client devices, and maintain a local table of IGMP groups and group members. Aerohive switches use this information to track the status of multicast clients attached to the switch ports so that it can forward multicast traffic efficiently. Aerohive switches support IGMPv3, which provides the ability for a host to request or filter traffic selectively from individual sources within a multicast group, is backward compatible with both IGMPv2 and the original IGMP specification. • Port Mirroring: You can configure a physical port to produce a copy of all frames that are being sent or received through another physical port, port-channel, or group of ports and port-channels. You can use port mirroring to monitor traffic out of band for intrusion detection or auditing without causing latency delays inherent when using in-band monitoring. • Spanning Tree Protocol: (802.1D, STP; 802.1w, RSTP) Aerohive switches support 802.1D STP (Spanning Tree Protocol) and 802.1w RSTP (Rapid STP). Switches use STP to establish links that have the lowest cost (highest bandwidth), to establish backup links where possible, and to prevent Layer 2 network loops, which can result in duplicate unicast frames and exacerbate broadcast storms. • Traffic Storm Control: Aerohive switches can mitigate traffic storms due to a variety of causes by tracking the source and type of frames to determine whether they are legitimately required. The switches can then discard frames that are determined to be the products of a traffic storm. Within HiveManager, you can configure thresholds for broadcast, multicast, unknown unicast, and TCP-SYN packets as a function of the percentage of interface capacity, number of bits per second, or number packets per second. • Port- and MAC-based 802.1X Authentication: Aerohive switches support robust port-based and MAC-based 802.1X authentication of clients. When using port-based 802.1X authentication, you can configure the switch to allow a single client per port, multiple clients within a single domain and VLAN, or multiple clients across multiple domains. When using MAC-based authentication, the switch compares the client MAC address with the MAC address that is in its database, and then either authenticates the client or denies the client access to the network. You can use both authentication modes simultaneously and specify which authentication mode you want to occur first.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 289 Unified Network Policy Configuration

• Jumbo Frame Support: For a switch to support jumbo frames, you can set the MTU (Maximum Transmission Unit) for its Ethernet interfaces as high as 9600 bytes. This setting is in the Advanced Settings section on the device settings page Bonjour Gateway Enhancements: Several Bonjour Gateway enhancements have been made in this release. Two major enhancements are described here. First, the SR2024 can be a Bonjour Gateway when it is set to operate as a router. Second, you can now create filter policy rules to control which Bonjour services Bonjour Gateways share with each other. The filter rules use source and destination VLANs, the number of wireless hops away the BDDs (Bonjour Designated Devices) are from each other, and realm names to enforce policy.

Unified Network Policy Configuration

The traditional approach to deploying wireless access points is to add a wireless network over an existing wired network and then to manage them with two separate network policies. Aerohive allows you to manage routers, switches, and APs together within a single policy. If you prefer, you can still use two network policies—one for routers and switches and one for APs—but by using one policy for everything, you can have unified management of all your APs, switches, and routers. The configuration and application of a network policy involves the following steps: 1 - Creating a network policy and choosing your deployment requirements 2 - Defining SSIDs for APs and routers with AP capabilities together with the corresponding authentication, user profile, and VLAN parameters 3 - Defining device templates and port types for switches and routers 4 - Applying authentication mechanisms, user profiles, and VLANs to port types 5 - Mapping VLANs to networks for router interfaces 6 - Configuring additional settings for management, Bonjour Gateways, and various network services 7 - Modifying device-specific settings 8 - Uploading the configuration to your Aerohive routers, switches, and APs The following sections explain these steps, with emphasis on those areas that are new in this release, particularly on configuration elements for the SR2024.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 290 Unified Network Policy Configuration

1 - Creating a Network Policy When you create a network policy, you first must define the type of Aerohive deployment for which you intend to use it. You can create a policy for one or more of the following types of functionality in any combination: • Wireless access (All Aerohive APs and the BR100 and BR200-WP routers) • Switching (SR2024 configured as a switch) • Branch routing (All Aerohive routers and the SR2024 configured as a router) • Bonjour Gateway (AP121, AP141, AP330, AP350, BR200, BR200-WP, and SR2024 as a router) To create a network policy: 1. Click Configuration > New, enter a name for the policy, a descriptive note for future reference, select your Aerohive device deployment requirements, and then click Create.

2. In the Choose Network Policy panel, highlight the policy that you created, and then click OK.

2 - Defining SSIDs The creation of SSIDs in 6.0r1 remains the same as in the 5.0 and 5.1 releases; however, the assignment of VLANs to user profiles has been expanded to increase flexibility in two ways: • VLAN-to-user profile assignments are no longer locked together. Instead, you assign each user profile with a default VLAN, which you can override if you choose. • User profiles now only reference VLANs instead of VLANs or networks. You can map VLANs to IP subnetworks for use by Aerohive routers in a separate section in the network policy. (This is covered later in the “Mapping VLANs to Subnetworks” section.) After creating an SSID and configuring any corresponding authentication parameters, you assign one or more user profiles to the SSID as before. In each user profile, you assign a default VLAN. Each time you use this user profile, that VLAN is the one that Aerohive devices automatically assign to traffic for users to which

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 291 Unified Network Policy Configuration

they apply the profile. If you want the network policy to assign a different VLAN to that user profile from the default, you can modify it as follows: 1. Click Assign VLAN in the VLAN column for the VLAN-to-user profile assignment you want to change, and then click the default VLAN ID in the Assign VLAN to User Profiles dialog box that appears. A second dialog box appears within the first one.

2. Choose an existing VLAN, or create a new VLAN object by clicking Create new VLAN and then entering the VLAN ID, or by clicking the New icon ( + ) and defining a new VLAN object. 3. Click Done to close the secondary dialog box, and then click Save to close the primary dialog box.

Changing the VLAN-to-user profile assignment for one instance in a network policy also changes it for all other instances within that policy. For example, if a network policy references a user profile repeatedly in various places and you reassign the VLAN for it in one place, HiveManager automatically reassigns it in all other places where the same user profile-to-VLAN assignment occurs as well. However, this change does not affect the user profile-to-VLAN assignment in any other network policy.

3 - Defining Device Templates and Port Types The configuration of switches and routers involves two main components: device templates and port types. A device template provides a diagram of the physical ports for a specific Aerohive model and allows you to specify its functionality as a router, switch, or (for the BR100) AP. After you create a device template, you can then assign its ports to various port types. A port type defines how the ports assigned to it will function. Basically, a device template allows you to configure the default port settings for a type of Aerohive device and its function. For example, you can create a default device template for SR2024 devices configured as switches and a different default device template for SR2024 devices configured as routers. (Device functionality is set through the Device Function drop-down list on the device settings page.) If you require two different sets of port configurations for the same device type and function, you can create a different network policy with a different device template. In a later release, you will be able to use device classification tags to have different templates for the same device model and function in the same network policy.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 292 Unified Network Policy Configuration

Device Templates There are three main types of device templates for Aerohive platforms: • 24-port templates for the SR2024 as a switch or router • 5-port templates for the BR100 as a router or AP, and the BR200 and BR200-WP as routers • 2-port templates for the AP330 and AP350 as routers

First, choose the appropriate device template for the Aerohive model that you are deploying and then choose its function as a switch, router, or AP.

The BR100 is the only platform that uses a device template when configured as an AP. The port settings for Aerohive AP models functioning as access points are still configured on the device settings page (Configuration > Devices > Aerohive APs > ap_name > Modify).

1. To create a pair of new device templates for the SR2024 switch and the BR200-WP router, click Choose for Device Templates, click New in the dialog box that appears, and then enter the following: For an SR2024 as a switch, click New again, and enter the following: Name: Type a name for this template, such as SR2024-Template. Description: Enter a useful description for later reference. Click Device Models, choose SR2024 from the drop-down list, and then click OK. Choose Switch from the second drop-down list, and then click Save.

To configure a SR2024 as a router, choose Router instead of Switch from the drop-down list.

For a BR200-WP as a router: Name: Type a name for this template, such as BR200-WP-Template. Description: Enter a useful description for later reference. Click Device Models, choose BR200-WP from the drop-down list, and then click OK. Choose Router from the second drop-down list, the only choice for this type of device, and then click Save. 2. When both templates are complete, highlight them, and then click OK to add them to the network policy.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 293 Unified Network Policy Configuration

Port Types There are five port types, each defining how the ports assigned to it will function. For a 24-port device template, you can use all five port types shown below. For 5- and 2-port templates, you can use just the Access and 802.1Q port types. The 5- and 2-port device templates will offer more choices when they support a 6.X release.

The port types that you define for a 5-port and 2-port device template do not appear when you define a 24-port device template and vice versa.

Port Types for a 24-Port Template To create a new port type for a 24-port template and assign ports to it: 1. Expand the section for a 24-port device template, select one or more ports in the template, and then click Configure. 2. In the Choose Port Type dialog box that appears, click New. 3. In the New Port Types panel, enter the following and then click Save: Name: Type a name for the port type. Description: Type a useful description of the port type for future reference. Port Type: Select one of the following port types, and configure its specific parameters. Phone & Data: Select this port type for ports connected to IP phones and optionally to computers cabled to the phones. Authentication: This section defines how the IP phones and computers behind them authenticate themselves. There are two check boxes:

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 294 Unified Network Policy Configuration

Enable 802.1X as { first | second } authentication choice Enable MAC as { first | second } authentication choice If you do not require the devices to authenticate at all, leave both check boxes cleared (default). If you want to use 802.1X authentication only, select its check box and leave the check box for MAC authentication cleared. If the client does not support 802.1X, the initial EAP Identity-Request message from the switch will not elicit a response. The switch will retry several times, progressively lengthening the interval it waits for a response from each Identity-Request: 3 seconds, 6 seconds, 12 seconds, and then 20 seconds. It then enters a 15-second quiet time before repeating process. If you require MAC authentication only, select just its check box. Note that when you enable MAC authentication, you must also choose the method for authentication protocol for communications between Aerohive devices and the external RADIUS server authenticating clients by their MAC addresses: PAP, CHAP, and MS CHAP V2. For information about these three options, see the HiveManager Help. If the switch does not receive a response from the RADIUS server for the first Access-Request message it sends it, the switch continues to send more messages every 9 seconds. Finally, if you want the IP phones and computers to authenticate themselves with either authentication method, select both and then choose which one you want to use first and second by making appropriate choices from the drop-down lists. If you put 802.1X first and the device (phone or computer) supports 802.1X, the switch only attempts to authenticate the device with 802.1X; it does not fail over to try MAC authentication. However, if the device does not support 802.1X, the switch first attempts 802.1X several times before failing over to MAC authentication. If you put MAC authentication first, the switch attempts MAC authentication and, if unsuccessful, it fails over to try 802.1X authentication several times. If it does not receive a response from the RADIUS server, the switch then enters a 15-second quiet time before starting over again and repeating the process. QoS Settings: This section defines the type of QoS (Quality of Service) that the Aerohive device provides to traffic to and from IP phones and computers. QoS Classification Trusted Traffic Sources: Select this option when you trust the source of the QoS classification markings in the Layer 3 packet header or Layer 2 frame header in incoming packets, and then select the type of priority classification system you want the device to check—DSCP or 802.1p. When the Aerohive device receives packets with the specified priority marker, it maps it to the Aerohive class defined on the Configuration > Advanced Configuration > QoS Policies > Classifier Maps > New page and referenced in the network policy in the Additional Settings > QoS Settings section. If a packet arrives without any classification marker, which can happen if a frame does not have a VLAN tag with an 802.1p marker (DSCP is always set), then the device can either map it to a default Aerohive class (2 – Best Effort 1) or you can specify another class to which you want the device to map it. To do the former, clear the Assign the following Aerohive class to all unmarked incoming traffic check box. To do the latter, select the check box, and then choose the Aerohive class to which you want to assign all unmarked incoming traffic. Untrusted Traffic Sources: Select this option when you do not trust the source of the QoS classification markings on incoming traffic and do not want to map them to Aerohive

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 295 Unified Network Policy Configuration

classes. Instead choose an Aerohive class from the drop-down list to apply to all incoming traffic on the ports to which you apply this port type.

For phone & data port types, Aerohive recommends using trusted settings so that the phone can use higher queue settings for voice traffic (6 for example) than the computer uses for data traffic (for example, 2).

QoS Marking Map Aerohive classes to the following type of priority markers in all outgoing traffic: Select the check box to map Aerohive classes to a priority marking system in use by other devices in the network, and then select the system to which you want to map the classes: DSCP or 802.1p. If you do not want to mark outgoing traffic, clear the check box. Mirror: (Aerohive switch products only) Select this port type to assign the ports you selected in the device template as the destination to which you want to mirror data from one or more other ports for diagnostic purposes. After you save a mirror port type and apply it to the device template, another dialog box appears called Additional Mirror Profile Settings for "". In this dialog box, you can choose the source ports from which you want to mirror traffic and the direction (ingress, egress, or both) and VLANs of the traffic to be mirrored. Finally, when you are ready to start mirroring traffic from one or more ports, you can enable it. (If do not want to choose the source ports or enable mirroring at the time that you reserve the destination ports for mirroring, you can leave those settings initially unconfigured. When you are ready, click Additional Port Settings.) Access: Select this port type for ports connected to individual hosts such as printers, servers, and end users’ computers. The authentication and QoS settings here are the same as those for the Phone & Data port type with one additional option: You can enable a captive web portal for devices configured as routers. 802.1Q: Select this port type for ports connected to network forwarding devices such as switches and APs that support multiple VLANs on trunk ports. Because the intention of this type of port is to connect with other forwarding devices rather than individual hosts, there is no section for authentication. However, there is a section for QoS. For a description of the QoS settings, see "Phone & Data". 4. After you configure the port type to which you want to assign the selected ports, highlight it in the Choose Port Type dialog box, and then click OK. 5. Repeat the selection of ports in the device template and then the assignment of port types to the ports for as many ports as you want to use. (If you like, you can leave some ports initially unassigned for use later.)

You can create aggregate ports as well. For details, see "Link Aggregation" on page 312.

Port Types for a 5-Port Template To create a new port type for a 5-port template and assign ports to it: 1. Expand the section for a 5-port device template, select one or more ports in the template, and then click Configure. 2. In the Choose Port Type dialog box that appears, click New. 3. In the New Port Types panel, enter the following and then click Save: Name: Type a name for the port type. Description: Type a useful description of the port type for future reference.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 296 Unified Network Policy Configuration

Port Type: Select Access for ports connected to individual hosts or 802.1Q for ports connected to network forwarding devices such as APs and configure parameters as appropriate for the selected port type. If you select Access, configure the following: Enable 802.1X: Select this option if you want wired clients to use 802.1X authentication before being granted network access. Enable captive web portal: Select this option if you want to direct clients to a captive web portal before being granted network access. Enable MAC authentication: When enable a captive web portal, this option appears. Select it to enable devices to authenticate clients based on their MAC addresses. Authentication Protocol: Choose PAP (Password Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol), or MS CHAP V2 (for use when authenticating clients on an Active Directory server) to determine how the Aerohive router forwards authentication requests from clients to an external RADIUS server or, when acting as a RADIUS server itself, to an Active Directory server. Management Traffic Filter: From the drop-down list, choose a traffic filter to control which management and diagnostic services—SNMP, SSH, Telnet, and Ping—to allow to access the mgt0 interface through the LAN ports and to permit or deny traffic between clients connected to each other through these ports. User Profile Application Sequence: In cases where different components associated with a port type reference different user profiles, you can specify which one you want to apply to user traffic by reordering them so that that profile is applied last. (See the HiveManager Help for a full explanation.) If you select 802.1Q, you only have to set the management traffic filter.

Port Types for a 2-Port Template When using an AP330 or AP350 as a router, you can assign its ETH1 port to either an Access or 802.1Q port type. (See the previous section about a 5-port template for information about these two port types.)

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 297 Unified Network Policy Configuration

Example Port Type Assignments The following illustration shows examples of how you might configure 24-, 5-, and 2-port templates with ports assigned to various port types.

In the previous illustration, all the ports assigned to the same port type are adjacent to each other. This is not a requirement and was only shown that way to illustrate port type assignments clearly. You can also assign nonadjacent ports to the same port type. Also, you can create different varieties of the same port type and use them in the same device template.

After uploading a configuration containing a network policy for Aerohive routers, switches, and APs; the device templates configured with different port types might be applied to the routers and switches as shown below. (The Ethernet cables and connected devices are included to illustrate the use of the port types more clearly.)

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 298 Unified Network Policy Configuration

4 – Applying Authentication Mechanisms, User Profiles, and VLANs After you construct a device template consisting of different port types, you can expand each template to view the port assignments. You can modify the port assignments by selecting the ports that you want to reassign and then clicking Configure. You can then apply them to a different port type, or you can clear their current assignment so that they become unassigned.

Clicking a port that belongs to a group of port types selects the entire group of ports.

In the Port Types section, you can configure authentication mechanisms, user profiles, and VLANs for the ports assigned to the various port types. Phone & Data For phone & data port types, you configure a RADIUS authentication server and these user profile types: • A default user profile that the switch assigns to traffic from either an IP phone or computer after successful authentication when the RADIUS server returns an Access-Accept message without attributes indicating a specific VLAN or user profile (which itself references a VLAN), or it returns attributes matching the default user profile attribute • One or more user profiles for voice traffic assigned after successful authentication of an IP phone • One or more user profiles for data traffic that is assigned after successful authentication of a computer connected to the port through the IP phone

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 299 Unified Network Policy Configuration

The switch identifies a device as an IP phone if the following attribute is in the Access-Accept message that the RADIUS server returns: Cisco-AVPair = "device-traffic-class=voice". If that attribute is present in the Access-Accept message plus attributes identifying a VLAN or a user profile, then the switch checks if the identified VLAN is in its list of allowed VLANs. If it is, the switch sends an LLDP message to the phone informing it to use that for its voice VLAN. If the identified VLAN is not in the allowed list, then the phone cannot access the network. If the RADIUS server does not include any attributes identifying a VLAN, the switch informs the phone through LLDP to use the default VLAN. The switch identifies a device as a computer if the Cisco-AVPair = "device-traffic-class=voice" attribute is not present in the Access-Accept message. If the message contains attributes identifying a VLAN or user profile, the switch checks if that VLAN is in its allowed VLAN list. If it is, then the switch assigns traffic from that computer to that VLAN and it can access the network. If the identified VLAN is not in the list of allowed VLANs, then the switch does not allow the computer to access the network. If the RADIUS server does not include any attributes identifying a VLAN, the switch assigns traffic from the computer to the default VLAN.

You can also replace the VLANs that user profiles reference with different ones for this network policy. (For details, see "2 - Defining SSIDs" on page 291.)

802.1Q For 802.1Q port types, you configure the native VLAN and the allowed VLANs on the ports. Access For access port types, depending on whether you enabled 802.1X, MAC authentication, and a captive web portal, you configure a RADIUS authentication server, a captive web portal, and three types of user profiles: • A default profile to assign users who successfully completed 802.1X or MAC authentication or who registered successfully through a captive web portal requiring authentication, but the RADIUS authentication server returned no attributes in its Access-Accept message indicating which user profile to apply or it returned attributes matching the default profile attribute • One or more user profiles to assign users who have authenticated themselves successfully and the RADIUS server did return attributes indicating these user profiles • A user profile to assign users who do not successfully authenticate or register themselves after three authentication attempts The above settings for Ethernet ports bear a number of similarities to the settings for SSIDs, allowing you to define a unified network policy for both wired and wireless clients.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 300 Unified Network Policy Configuration

5 – Mapping VLANs to Networks (Aerohive router products only) HiveManager provides a simple yet flexible way to link IP networks to VLANs on Aerohive router interfaces. A list of all the VLANs that are referenced in user profiles appears in the VLAN-to-Subnet Assignments for Router Interfaces section.7 (You can also add additional VLANs for those indicated by returned RADIUS attributes but not mentioned specifically in user profiles.) You can then associate network objects defining management, internal, and guest networks with selected VLANs. When HiveManager uploads the network policy to routers that have those VLANs assigned to their Ethernet ports, it also assigns the network object to those ports as well. To map a VLAN to a network: 1. Click Choose for the VLAN that you want to map to a network. 2. In the Choose Network dialog box that appears, choose an existing network, or click New to create a new one. (If you are defining a new network object, see the HiveManager Help for descriptions of the settings in the New Network dialog box.) 3. When ready, highlight the network object in the Choose Network dialog box, and then click OK.

6 – Configuring Additional Network Policy Settings A network policy contains additional settings than those described in the preceding sections. There are settings for management and native VLANs, a router firewall policy, IPsec VPN tunnels, Bonjour Gateways, router- and switch-specific settings, and various network services. Some of these are configurable in their own individual sections of the network policy. Other settings are accessible in the Additional Settings section. Before uploading a network policy configuration to your Aerohive devices, configure settings for any other features here.

For instructions on configuring features introduced in releases before 6.0r1, see the HiveManager Help. For information about new switch features, see separate sections in this guide.

When done, click Continue to save the settings in the Configure Interfaces & User Access panel and advance to the Upload Configure & Update Devices panel.

7 – Modifying Device-Specific Settings Before uploading the network policy to your Aerohive devices, you might want to configure some devices differently than the rest. From the Upload Configure & Update Devices panel, click the host name of a device to access its device settings page. There you can configure settings for just the selected device. For example, you define the device function of an SR2024 as either switch (default) or router on the device settings page.

If a feature is configurable on a device settings page and in a network policy, the device-level settings always override the network policy settings.

7. The VLANs in the VLAN-to-Network Mapping section only appear for VLANs referenced by user profiles assigned to SSIDs. If you do not define SSIDs, no VLANs appear in this section. If the VLAN you want to configure does not appear, click Add to add it.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 301 Unified Network Policy Configuration

Switch Features at the Network Policy and Device Levels Most networks have the following fundamental needs: • A generic top-level policy that is broadly applicable to the network – This is the network policy. • Device-level settings for certain devices that deviate from the generic policy – These types of changes can be done at the device level. You can configure most of the switch features within a network policy and override them, if necessary, for individual devices. However some settings are only available at the device level. The following table summarizes which features are configurable at network policy and switch levels.

Switch Features Configure in Configure in Network Policy Device Settings

Forwarding database and MAC learning for Layer 2 switching 

Link aggregation 

IGMP snooping 

Port mirroring 

STP configuration 

STP edge port, priority, and path cost settings 

Traffic storm control 

LLDP/CDP 

Port-based and MAC-based 802.1X 

RADIUS authenticator 

VLAN reservation 

PSE mode and priority 

QoS settings 

Bonjour Gateway configuration 

MTU settings 

8 – Uploading the Configuration to Devices When your network policy and any specific device configurations are complete, you are then ready to upload the configuration to your devices. HiveManager offers to options for uploading configurations: auto provisioning and manual provisioning. Automatically provisioning routers is a good approach because routers are typically deployed at various branch sites at different times, making it difficult to know when they will connect to HiveManager and be ready for you to upload their configuration to them. With auto provisioning, HiveManager will automatically upload a configuration to them (and upgrade the HiveOS image running on them too if you like) whenever they connect to it. For automatically provisioning routers, reference the network policy that you just

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 302 Map Enhancements

configured in an auto-provisioning profile for the router models that you are deploying. In addition to determining which devices to auto provision by device model, you can also use their serial numbers to make an even finer determination. (For more information about auto provisioning, see the HiveManager Help and the Aerohive Deployment Guide. Manually provisioning APs and switches is a good approach because their deployment is typically performed at a single location at a known time, so you can better predict when they will connect to HiveManager and be standing by to push a configuration to them when they do. To upload a configuration consisting of network policy settings and device-specific settings, do the following. From the Upload Configure & Update Devices panel, set the Filter to None or Current and Default Policy, select the check boxes of the devices to which you want to upload the configuration, and then click Upload. The first time you push a configuration to a device, it must be a full configuration, which requires the device to reboot to activate its new configuration. Depending on your upload settings, the reboot operation will either happen automatically or you might need to reboot them manually. To view and modify the upload and reboot parameters, click the Settings button in the Configure & Update Devices panel.

Map Enhancements

In HiveManager version 6.0r1, a new Maps tab replaces the Topology tab from earlier versions. Mapping functionality can now be linked to Google Maps to give you an accurate campus view that you can use to create building perimeters, and plan and deploy your network devices:

You can also disable Google Maps and use your own images or floor plans, or you can draw building perimeters onto a blank background. To disable Google Maps, click Maps > Global Settings and clear the check box for Use Street Maps.

Using Street Maps to Create and Manage Your Network The new Street Maps feature links your network location to Google Maps to provide precise aerial views of your campus and buildings. The Google Maps link is activated in HiveManager accounts in the following ways: • All HiveManager Online, HiveManager Planner, and HiveManager Demo accounts are automatically linked to Google Maps when they are activated. • On-Premise HiveManager accounts with static IP addresses can also use Street Maps once their URLs are registered.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 303 Map Enhancements

HiveManager Online and HiveManager Planning Accounts If you have a HiveManager Online or HiveManager Planning account, you will see this screen when you access the Maps section of the GUI for the first time:

Enter an address for your organization and click Get Started. HiveManager provides a satellite map of your location similar to what is shown next.

HiveManager On-Premise and HiveManager Virtual Appliance Accounts If you have an on-premise HiveManager account, (either a physical appliance or a virtual appliance) and you are using a static IP address for the URL, you can enable Street Maps once the URL has been confirmed and registered with Aerohive.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 304 Map Enhancements

Perform the following steps to register your URL: 1. From the Maps > View window, click Operation… > Global Settings. Select the check box for Use Street Maps. The first time you do this, you will see a message similar to the following:

2. Click the form link, complete the fields in the form that is displayed, and then click Submit.

HiveManager automatically populates the System ID and Domain/IP fields

The registration process can take up to 24 hours. You will receive an email notification from Aerohive saying that your registration to access Google Maps is approved. You can now use the Street Maps feature as described in the following sections.

In some cases, your registration request might be denied; for example, if you are not using a static IP address, if the address you provided is invalid, or if there is a typo in the address.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 305 Map Enhancements

Using Street Maps to Draw Building Perimeters Draw building perimeters by clicking your mouse on one corner of the building, then dragging it in succession to each corner. Double-click the mouse to close the perimeter. Your completed building perimeters will resemble the ones shown below (the building perimeters are indicated by blue lines). After you complete this step, you can begin to add floors and plan device deployments in the same manner as in previous HiveManager releases.

When you are satisfied with your building parameter, click Create Floor Plan to continue with your planning.

Improved Internal Wall Tools This release adds the functionality to clone and move walls. The short-cut menu that appears when you right-click now includes Move and Clone options.

The Move option converts the wall into a movable object. Right-click on a wall that you want to move, select Move from the drop-down list, and drag the wall to the new location. When you release the mouse, HiveManager updates the coverage information for the new location. To clone a wall, right-click the mouse on a wall segment and select Clone. HiveManager creates a copy of the original wall. You can then move the new wall to any desired location.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 306 Map Enhancements

Configurable Network Folder Sorting As in previous versions of HiveManager, your network hierarchy is displayed in the left panel of the Maps section, starting with the root folder at the top, with region, building, and floor folders underneath. You can now organize your network folders in one of two ways: • When you select the check box for Sort Folders, your network folders appear in alphabetical order under the root folder. Sub folders are listed alphabetically underneath parent folders. • If you clear this check box, your network folders appear in the order in which they are created, which is the default sort order.

Migrating Map Information between HiveManager VHM Accounts This release adds the ability to export folders out of one HiveManager VHM and import them into another HiveManager VHM, eliminating the need to manually recreate the network hierarchy for each VHM. The options for exporting and importing map data include: • Export a single floor from one HiveManager Online account and then import it under an existing building in another account. • Export a hierarchy of folders, for example a building with multiple floors, from one HiveManager Online account and import this hierarchy under an existing region folder in another account. You can export data from all three folder types (region, building, and floor), but only region folders and buildings accept imported information. If you try to import data into a floor, HiveManager displays an error message. If that happens, select the correct folder type for importing (a region or a building), and try again. 1. To export map data from the first account, highlight the folder you want to export. From the View window, click Operations… > Export Folder. If the export is successful, the following message appears:

2. To save or open the file, click Download. In the dialog box that appears, select the Save option and save it in a location of your choice. If your browser does not offer a browse option for saving, when you click Save, the file is automatically saved to your Downloads folder. 3. In the new HiveManager Online account, highlight a region or building folder into which you want to import the data. From the View window, click Operations… > Import Folder. Browse for the data you just exported (or locate the file in the Downloads folder) and click Import.

If you import data that already exists in the destination folder, for example identical background images, you have the option to override the existing information.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 307 New HiveManager Dashboard

New HiveManager Dashboard

HiveManager 6.0r1 introduces a completely new dashboard experience that combines the existing Network Summary with multiple, configurable perspectives into network activity. Multiple network administrators can customize their own dashboard perspectives to accommodate their particular management requirements. The following illustration identifies some of the new dashboard tools.

Edit, schedule, export, or email network data for the entire perspective using these tools... Four default perspectives

or for each view separately Multiple time coverage options using these icons.

Device groups show your network hierarchy as defined in maps

Left navigation bar. When editing perspectives, this area changes to show the predefined widgets.

This area is the main perspective panel. Data filters for Each perspective can have up to ten the active reports. You can customize the default perspective perspectives or add your own perspective (for a maximum number of six).

Working with Dashboard Perspectives The new HiveManager dashboard provides a one-screen network management view into your entire deployment of Aerohive devices. Real-time monitoring views help you identify usage and trends by applications, users, clients, and wired and wireless Aerohive devices on your network. The dashboard provides three default perspectives and supports up to six perspectives. You can view data for the last hour, last day, last week, or set a custom time frame. You can edit, schedule, export, or email the entire perspective, or each view on the perspective separately. HiveManager retains your network context across all perspectives and for multiple network administrators. Create your own perspectives using the wide variety of predefined widgets available. The following section describes how to create a custom dashboard perspective.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 308 New HiveManager Dashboard

Creating a Custom Dashboard Perspective Create up to six customized perspectives using a wide variety of predefined widgets. The widgets available in this release are shown below:

To create a new dashboard perspective, perform these steps: 1. Click the plus ( + ) icon next to the Troubleshooting perspective tab. Select up to 10 predefined widgets. When you select a widget, HiveManager automatically adds it to your perspective page, as shown in this example containing four widgets.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 309 New HiveManager Dashboard

2. To remove a widget, click the X in the top right corner of the widget, and then click Save. You can edit a perspective at any time to remove and replace widgets. 3. When you are satisfied with your selections, click Save. Your complete perspective appears, displaying data for the widgets you selected. 4. By default, all new perspectives are named "New Perspective". After you save your perspective, click in the perspective tab to change its name.

Generating Perspective Reports You can edit, schedule, export, and email reports from your dashboard perspectives. Use the buttons at the top of the perspective window to perform these tasks for the entire perspective, or the icons in top right of many of the individual widget views.

Some widget views do not give you the option to edit or schedule, but offer a zoom option instead which takes you to a more detailed view of the data. In the example above, the Aerohive Device Status view offers more details. Click the zoom icon to see more information about this report.

To configure report scheduling, click the Schedule a Report button, complete the following information, and then click Save: Report Name: Name your report. The name can contain up to 32 characters, including spaces. Report Description: Enter a helpful description for this report. The description can contain up to 64 characters, including spaces. Report Header: To add a header to your report, enter up to 128 characters, including spaces. Report Footer: To add a footer to your report, enter up to 128 characters, including spaces. Report Summary: Add a brief summary or this report, containing up to 1024 characters, including spaces. Report Frequency: Select one of the following schedule frequency options: Daily: For this option, you can either generate the report every day (the default), or you can customize the days for which this report should be generated (just on business days, for example). You can also customize the timespan that you want this report to cover. Select the Customize Days check box, and enter a check mark for each day for which you want a report to be generated. Select the Customize Time check box, and enter a timespan that the report should cover. The default is 24 hours, from 12:00 AM to the following 12:00 AM. Weekly: When you select this option, you can also select the day of the week on which you want the report to be generated. The default is Sunday, and the report covers seven days. Monthly: Monthly reports are generated on the first day of every month and the cover the entire month. Email Delivery Address: Enter a valid email address where you want the reports to be sent. You can send reports to yourself, your supervisor, or other network administrators, for example. After clicking Save, HiveManager presents an option to view the report immediately. You can also view it later in Reports > Network Summary.

Depending on how you configured your reports, they might not contain data immediately.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 310 Device Classification

Device Classification

You can classify multiple definitions of a single configuration object (a VLAN object for example) as a means of controlling which devices receive which definitions. By using classification techniques, your configuration can reference one object, but HiveManager applies specific definitions for that object to different managed devices. In this release, several enhancements were made to this feature: the application of the various classification types has been refined, you can reorder the priority of the classification types, you can rename device tag labels, and you can use device tags to filter dashboard content. By default, HiveManager applies classification types to configuration object definitions in the following order:

Types of classifications Definition Assignment (in order of priority) Device tag (3 matching device tags) HiveManager assigns a configuration object definition to a device if the device and the definition have three matching device tags. Device tag (2 matching device tags) HiveManager assigns a definition if there are two matching device tags and there is no other definition with three matching tags. (If there are multiple definitions with two matching device tags, HiveManager assigns the first definition with two matches in the list.) Device tag (1 matching device tag) HiveManager assigns a definition if the device and definition share at least one matching device tag. (If other object definitions have a tag matching that for the device, then HiveManager assigns the first match in the list.) Device name HiveManager assigns a definition only to a device with this host name and there are no other definitions with matching device tags. Map name HiveManager assigns a definition to a device if it is on the specified map and none of the previous classification types apply to it. Global HiveManager assigns a definition to a device if there are no other matching classifications. All configuration objects must have at least one global definition, which essentially acts as the default.

The above list shows the system-defined priorities in HiveManager. In 6.0r1, you can reorder which classification type takes precedence over another. After adding multiple definitions to a configuration object, simply drag and drop the definitions into new positions to effect a change in their priority, those near the top of the list taking precedence over those below them. For example, to reorder them from most to least specific, move device name to the top (a host name must be unique and is, therefore, the most specific of all classification types), followed by map name second, then by device tags (which can span multiple maps and are, therefore, less specific than map name), and finally by the global classification at the bottom. By clicking the tools icon ( ), you can check for conflicting definition classifications, see which devices match the classifications, edit the definitions, and remove them from the configuration object.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 311 Link Aggregation

You can also rename device tags from Tag1, Tag2, and Tag3 to other more meaningful names. For example, you might change Tag1 to Branch-Size and then use device tags small, medium, and large for subnetworks that you want to assign to devices at differently sized branch sites. Other ideas for categories might be Access-Types with device tags like staff, equipment, guest; or Functions with device tags like users, locationing, security. To change device tag labels: 1. Click Home > Administration > HiveManager Settings, and then click Settings for the Custom Tag Label Settings section. 2. Click the check box for a device tag, and rename it. 3. Rename the other device tags if you like. 4. Click the Save icon in the upper right corner of the expanded section. Finally, if you add device tags to your devices, they appear in the Device Groups hierarchy in the top left panel on dashboard. You can then select any of the device tags to filter the views on the dashboard.

Link Aggregation

Link aggregation—also called port-channel—logically bundles multiple physical ports so that they act as a single logical port. You can use this feature to provide active link redundancy.

Aggregated Link

Four aggregated 1-gigabit ports provide almost as much bandwidth as a single 4-gigabit link.

To group a set of ports into an aggregate port:

Creating a New Network Policy with Switching Features 1. Click Configuration, create a new policy by clicking New beneath the Choose Network Policy list, configure the following, and then click Create: Name: Enter a descriptive name for the network policy. Description: Enter a brief description of the policy. Switching: (select)

By default, Wireless Access and Bonjour Gateway are selected. You can leave these features selected without interfering with the configuration of the switching features. Although you can create a port-channel on any device with multiple ports, this example uses an SR2024 switch as the model device. If you want you create a port-channel using an Aerohive router, you can select Branch Routing as well.

2. In the Choose Network Policy panel, highlight the policy that you created, and then click OK. HiveManager automatically advances to the Configure Interfaces & User Access panel.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 312 Link Aggregation

Creating a Device Template 1. In the Configure Interfaces & User Access panel, click Choose next to Device Templates, click New, configure the following, and then click Save: Name: Enter a descriptive name for the template. Because you can configure multiple device templates, it is helpful to include brief, descriptive details in the template name. Such details might include the number of ports, device model, and role of the device as a switch, router, or (for the BR100) AP. Description: Enter a description of the template. Port setting for: Click Device Models, choose the device model template that you want to use from the Device Models dialog box, and then click OK. (When you click OK, returning to the network configuration, the name of the model you selected in the previous step appears after the Device Models button.) When functioning as: choose Switch from the drop-down list. 2. In the Choose Device Templates dialog box, highlight only the template you created, and then click OK.

Aggregating the Ports Expand the section named for the template you just created in step 2, select ports 1 through 8 by clicking each port icon individually, select Aggregate selected ports to a logical interface with channel number, and then enter 5 in the channel number field.

Defining the Port Type After you create your port-channel, you must define the role of the port-channel. To configure the port-channel role: 1. Click Configure > New to create a new port type, enter the following information, and then click Save: Name: Enter a descriptive name for the new port type. Description: Enter a brief description. Port Type: 802.1Q

It is common to aggregate ports to create port-channel links between switches that can perform load balancing and provide link redundancy. When this is the case, multiple VLANs are generally involved, so configuring the aggregate ports as an 802.1Q port type is the most likely scenario.

QoS Classification Trusted Traffic Sources: Select to use 802.1p or DSCP (differentiated services code point) to establish the priority of traffic. DSCP code: Select to use the contents of the DSCP field of incoming packets to determine the priority. 802.1p: Select to use the contents of the User Priority field within the 16-bit VLAN tag to determine the priority. Assign the following Aerohive class to all unmarked incoming traffic: Select to specify a priority between 0 – Background and 7 – Network Control from the drop-down list for traffic that is otherwise not explicitly prioritized.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 313 Link Aggregation

Untrusted Traffic Sources: Select to ignore priority fields and specify a default priority. Assign the following Aerohive class to all incoming traffic on ports in this port group: Choose a priority between 0 – Background and 7 – Network Control from the drop-down list. QoS Marking Map Aerohive QoS classes to the following type of priority markers in all outgoing traffic: Select to insert the current priority value into the appropriate field in the traffic header. DSCP: Select to set the DSCP code field of the outgoing packet to current QoS priority. 802.1p: Select to set the User Priority field in the VLAN tag to the current QoS priority.

The values to be encoded into the traffic header come from the respective QoS priority fields of the traffic when it arrives. If no priority information is available on arrival, the traffic header is encoded with the default priority.

2. Highlight the port type you just created in the Choose Port Type dialog box, and then click OK. The following illustrates your current switch port configuration:

The icon indicates an 802.1Q trunk port.

Assigning VLANs to the Channel In the Port Types section, the aggregate channel you created appears as an editable profile. Click Add/Remove in the VLAN column, enter the following, and then click OK. Native VLAN: Choose the native VLAN from the drop-down list. If the native VLAN does not appear, you can create a new VLAN object by click New ( + ). Allowed VLAN: Enter the VLANs—including the native VLAN—that you want to support on this trunk.

You can list the VLANs individually (separated by commas) or as a range of VLANs using a hyphen. You must include the native VLAN in the Allowed VLANs field. Alternatively, you can enter the word all into this field to support all VLANs.

When you complete this stage, the native VLAN appears in blue, and all supported VLANs appear below the native VLAN in black.

Click Continue to save the configuration and prepare to upload your configuration to the device.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 314 LLDP and CDP

Uploading the Configuration Before you attempt to upload, verify the upload settings by clicking the Settings button. Ensure that Auto (First time with complete upload; subsequent uploads compare with running AP config) is selected. If so, click Save to return to the upload page. To complete the upload of your current configuration to the switch, select the switch to which you would like to upload the configuration, and then click Upload.

You can upload the configuration directly from the Device Upload Options dialog box, but to do so, you must first have selected the switch to which you want to upload the configuration.

LLDP and CDP

LLDP (Link Layer Discovery Protocol) and CDP (Cisco Discovery Protocol) are Layer 2 protocols that allow network devices to advertise their current status and capabilities. Aerohive switches have the ability to transmit and receive LLDP frames, and to receive CDP frames.

LLDP Aerohive switches use LLDP, as defined in the IEEE 802.1AB standard, to communicate their capabilities to neighboring switches using a special frame, the payload of which is called an LLDPDU (LLDP Data Unit). LLDP frames always contain the following informational fields, each in the form of a triplet of subfields called a TLV (type-length-value): Chassis ID: Identifies the switch, often by using the MAC address or network address as the value. Port ID: Identifies the originating port of the switch. This also is often the MAC address or network address.

Chassis ID and Port ID are concatenated to provide the receiving switch with a unique identifier of the sending switch.

Time to live: This indicates to the receiving switch the number of second it is to regard the information contained in the frame as valid. Optional informational TLVs are inserted after this TLV. End of LLDPDU: This is the final TLV in the LLDPDU, and consists only of 16 bits of zeros Whereas LLDP must transmit the preceding information, it can also transmit other information, depending on the switch. Aerohive switches support the transmission of additional information, including capabilities discovery, LAN speed and duplex discovery, network policy discovery, power, and so on.

LLDP-MED LLDP-MED (LLDP-Media Endpoint Discovery) extends the capabilities of LLDP specifically for media endpoint devices such as VoIP phones. Unlike LLDP, which carries information between switches, LLDP-MED carries information from a switch to a VoIP phone end point. In particular, LLDP-MED is used to carry location information to the VoIP phone so that when the VoIP phone initiates a call—for example, to dial 911, it sends its location information to the 911 control center. Because of the different purposes of using LLDP versus LLDP-MED, they are not used at the same time on the same link. Aerohive switches will first use LLDP; however, if it receives an indication that LLDP-MED is required instead, then the switch makes the change automatically.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 315 LLDP and CDP

CDP CDP is a proprietary discovery protocol developed by Cisco that functions similar to LLDP, while provided additional information specific to Cisco devices. Aerohive switches do not transmit CDP frames, however they can receive and parse them. In this way, Aerohive switches can coexist in a network with Cisco devices running CDP.

Configuring Discovery Protocols in a Network Policy When you configure LLDP and CDP settings in the network policy, the settings apply to all the ports on the switch. To configure LLDP and CDP in the network policy: 1. To create a new network policy that includes switching features, click Configuration, create a new policy by clicking New beneath the Choose Network Policy list, configure the following, and then click Create: Name: Enter a descriptive name for the network policy. Description: Enter a brief description of the policy. Switching: (select)

By default, Wireless Access and Bonjour Gateway are selected. You can leave these features selected without interfering with the configuration of the switching features. The Branch Routing option is not required to configure link aggregation.

2. In the Choose Network Policy panel, highlight the policy that you created, and then click OK. HiveManager automatically advances to the Configure Interfaces & User Access panel. 3. In the Additional Settings section, click Edit, expand Service Settings, configure the following, ignoring all other settings, and then click Save: Link Discovery Protocol: Choose the link discovery protocol you want to use in the network policy. If the desired protocol is not in the drop-down list, click New ( + ), enter the following information, and then click Save: Name: Enter a descriptive name for the LLDP/CDP profile. Description: Enter a brief description. Enable LLDP (for APs and BRs): Select to enable LLDP specifically on Aerohive access points and Aerohive routers. Enable LLDP on host ports (for SR2024): Select to enable LLDP specifically on Aerohive SR2024 switch ports that are configured to be host ports. Enable LLDP on non-host ports (for SR2024): Select to enable LLDP specifically on Aerohive SR2024 switch ports that are not configured to be host ports. LLDP Settings Receive Only: Select to configure the switch to receive LLDP advertisements, but to prevent the switch transmitting them. Maximum caches LLDP Entries: Enter the number of LLDP entries you want the switches using this profile to store locally in cache memory. Aerohive switches can store up to 128 entries. This value is independent of the number of CDP entries stored. Period for neighbors to keep Aerohive advertisements: Enter the amount of time you want non-Aerohive switches to retain LLDP advertisements received from Aerohive switches. If you

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 316 LLDP and CDP

configure this value to be zero seconds, then you are instructing non-Aerohive devices not to retain Aerohive advertisements. LLDP Advertisement Interval: Enter the amount of time between the LLDP advertisements of the Aerohive switches. Maximum power for sending LLDP advertisements: Enter the maximum power (in deciwatts; that is, 1/10th of a watt) at which you want to allow LLDP advertisements to occur. Entering 154 (the default value) is equivalent to 15.4 watts. LLDP Initialization Delay Time: Enter the minimum amount of time LLDP waits to initialize on the interface. Fast Start Repeat Count: Enter the number of times you want the switch to repeat Fast Start advertisements. Fast Start advertisements are only used when the switch changes to the LLDP-MED protocol for VoIP phones. Enable CDP (for APs and BRs): Select to enable CDP specifically on Aerohive access points and Aerohive routers. Enable CDP on host ports (for SR2024): Select to enable CDP specifically on Aerohive SR2024 switch ports that are configured to be host ports. Enable CDP on non-host ports (for SR2024): Select to enable CDP specifically on Aerohive SR2024 switch ports that are configured to be host ports. CDP Settings Maximum Cached CDP Entries: Enter the number of CDP entries you want the switches using this profile to store locally in cache memory. Aerohive switches can store up to 128 CDP entries. This value independent of the number of LLDP entries stored.

Configuring LLDP CDP on a device: You can configure LLDP and CDP settings at the device level because some LLDP and CDP setting are applied on a port by port basis. To configure LLDP and CDP on an Aerohive switch, click Configure > Devices > Switches > device_name, expand Switch Ethernet Port Settings, configure the following, and then click Save: Override LLDP/CDP Settings: Select to override the default LLDP and CDP switch settings. By default, LLDP and CDP are disabled on all ports.

LLDP Transmit: Select to allow Aerohive switches to transmit LLDP advertisements to its neighbor switches. LLDP Receive: Select to allow Aerohive switches to receive and cache LLDP advertisements from its neighbor switches. CDP Receive: Select to allow Aerohive switches to receive and cache CDP advertisements from its non-Aerohive neighbor devices that are capable of transmitting CDP frames.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 317 IGMP Snooping

IGMP Snooping

IGMP (Internet Group Multicast Protocol) snooping involves the switch examining IGMP traffic between an IGMP router and its multicast destinations to determine the ports to which the multicast group member hosts are attached. In this way, the switch can forward IGMP traffic specifically to those ports where the traffic is needed without flooding the multicast VLAN with unnecessary IGMP traffic.

Configuring IGMP Snooping in a Network Policy 1. To create a new network policy that includes switching features, click Configuration, create a new policy by clicking New beneath the Choose Network Policy list, configure the following, and then click Create: Name: Enter a descriptive name for the network policy. Description: Enter a brief description of the policy. Switching: (select)

By default, Wireless Access and Bonjour Gateway are selected. You can leave these features selected without interfering with the configuration of the switching features. The Branch Routing option is not required to configure link aggregation.

2. In the Choose Network Policy panel, highlight the policy that you created, and then click OK. HiveManager automatically advances to the Configure Interfaces & User Access panel. 3. In the Additional Settings section, click Edit, expand Switch Settings > IGMP Settings, configure the following, and then click Save: Enable IGMP Snooping: (select) Enable Immediate Leave: Select to instruct the switch to remove a multicast host from the multicast forwarding table immediately on receipt of a leave group membership message. By default the switch takes no action, and it is up to the IGMP router to poll for membership, and then wait for a predetermined period of time before pruning the unresponsive multicast host. Enable Report Suppression: Select to suppress redundant IGMP membership reports from multiple hosts on a subnet. By default, this option is selected. When the switch receives several IGMP membership reports, it suppresses the multitude of reports in favor of sending a single report to the IGMP router. This option thereby reduces traffic.

Configuring IGMP Snooping on a Device To configure port-specific traffic storm control directly on the device, click Configuration > Devices > Switches > device_name, expand the IGMP Settings section, configure the following, and then click Save: Override the IGMP settings enabled in the network policy: (select) Default Global IGMP Settings: (expand) Enable Immediate Leave: Select to instruct the switch to remove a multicast host from the multicast forwarding table immediately on receipt of a leave group membership message. By default the switch takes no action, and it is up to the IGMP router to poll for membership, and then wait for a predetermined period of time before pruning the unresponsive multicast host.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 318 IGMP Snooping

Enable Report Suppression: Select to suppress redundant IGMP membership reports from multiple hosts on a subnet. By default, this option is selected. When the switch receives several IGMP membership reports, it suppresses the multitude of reports in favor of sending a single report to the IGMP router. This option thereby reduces traffic. Delay Leave Query Interval: Select to set a time, in seconds, the switch requires an IGMP router to respond to queries sent by the switch to delay a leave request. After this time expires, the IGMP router is dropped from the Multicast Groups table. The default value is 1 second. The range is from 1 to 25 seconds. Delay Leave Query Count: Select to set the number of times that a query from the switch is sent to the IGMP router. The default value is 2. The range is from 1 to 7. Router Port Aging Time: Select to determine the time, in seconds, that the switch waits for a response from the IGMP router before the switch drops the router from the Multicast Groups Table. The default is 4 minutes and 10 seconds (250 seconds). The range is 30 to 1,000 seconds. Robustness Count: Select to tune the expected packet loss on a network. Increase this parameter when you expect a lot of packet loss on the network. The default value is 2. The range is 1 to 3.

Configuring IGMP Snooping on an Individual VLAN To configure IGMP Snooping directly on a VLAN, click Configuration > Devices > Switches > device_name, expand the IGMP Settings for Individual VLAN section, configure the following, and then click Save:

Use this set of controls to override the global settings for specified VLANs.

VLAN (1-4094): Select to specify the VLAN that you want to configure with IGMP Snooping settings. You must select a VLAN that has already been configured. Enable IGMP Snooping: Select to enable IGMP Snooping on a VLAN. By default, IGMP Snooping is disabled on all VLANs on the switch. Enable Immediate Leave: Select to instruct the specified VLAN to remove an interface from the IGMP Snooping group member port list immediately after receiving an IGMP Leave message. If this interface is the last member of the group, the VLAN removes the IGMP Snooping group and sends an IGMP Leave message to the multicast router. This is the recommended setting when the SR2024 is connected directly to a device acting as an IGMP client. By default, Immediate Leave is disabled on all VLANs. In this state, the SR2024 sends an IGMP group specific query to the interface after receiving an IGMP Leave message. If the VLAN receives a report, it keeps the interface in the IGMP Snooping group list. If the switch does not receive a report, the SR2024 removes the interface from the IGMP Snooping group. This is the recommended setting when the SR2024 is not connected directly to a device acting as an IGMP client. In other words, there is another switch between the SR2024 and the IGMP client device. Delay Leave Query Interval: Select to set a time, in seconds, the VLAN requires an IGMP router to respond to queries to delay a leave request. After this time expires, the IGMP router is dropped from the Multicast Groups table. The default value is 1 second. The range is from 1 to 25 seconds. Delay Leave Query Count: Select to set the number of times that a query from a VLAN is sent to the IGMP router. If an IGMP router does not respond to the query message within the number of times specified, the host is removed from the Multicast Groups Table. The default value is 2. The range is from 1 to 7 times. Router Port Aging Time: Select to determine the time, in seconds, that the VLAN waits for a response from the IGMP router before the VLAN drops the router from the Multicast Groups table. The default is 4 minutes and 10 seconds (250 seconds). The range is 30 to 1,000 seconds. Robustness Count: Select to tune the expected packet loss on a network. Increase this parameter when you expect a lot of packet loss on the network. The default value is 2. The range is 1 to 3.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 319 Port Mirroring

Configuring Static Multicast Groups for IGMP Snooping To populate the Static Multicast Groups table for IGMP Snooping, click Configuration > Devices > Switches > device_name, expand Static Multicast Groups Settings, configure the following, and then click Save: VLAN (1-4094): Select to specify the VLAN that you want to configure with IGMP Snooping settings. You must select a VLAN that has already been configured. Multicast IP Address: Select to specify an IPv4 multicast IP address that you want to associate with a VLAN. Interfaces: Select one or more port interfaces on a switch to associate with a VLAN.

Port Mirroring

Port mirroring is a feature that allows you to monitor the traffic of one or more ports by configuring the switch to generate a copy of the ingress and egress traffic of a specified port (called the source port) or VLAN, and forward the copy to a second interface (called a destination port) to monitor the traffic. Copying traffic to a second port in this way allows monitoring to occur without the need to place additional monitoring equipment in the signal path to do so. Aerohive switches allow you to mirror multiple ports to a single monitor port. To configure port mirroring: 1. Click Configuration, highlight a network policy that includes switching, and then click OK. 2. Expand an existing device template, and then click the port that you want to use as the destination port for mirrored traffic (a blue border appears around selection), and then click Configure. 3. In the Choose Port Type dialog box, click New. 4. In the New Port Types panel that appears, enter a name for the port type, select Mirror, and then click Save. 5. Highlight the port type that you just created for mirroring, and then click OK. The Additional Mirror Port Settings for "device_template" dialog box appears.

6. Enter the following under Source Port Monitoring Specifications, and then click OK: Destination Port: (read-only) This is the destination port for mirroring traffic. Ingress: Click Choose, select the interfaces whose ingress (that is, incoming) traffic you want to monitor, and then click OK at the bottom of the list. Egress: Click Choose, select the interfaces whose egress (that is, outgoing) traffic you want to monitor, and then click OK at the bottom of the list.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 320 Port Mirroring

Ingress & Egress: Click Choose, select the interfaces whose bidirectional traffic you want to monitor, and then click OK at the bottom of the list.

You can create up to four destination ports and monitor four separate sets of ports independently.

7. Save and upload your network policy to the switch.

Viewing Mirrored Traffic You can view the traffic that you monitor using a laptop and a packet analyzer such as Wireshark. While the laptop is connected to the mirror destination port, all mirrored traffic is forwarded to the laptop where you can capture the traffic with any packet analyzer. In this example Wireshark is the selected analyzer. To view monitored traffic, do the following: 1. Connect your monitoring device-commonly a laptop running a packet analyzer-to the switch port that you have previously configured to be the destination port using an Ethernet cable.

Aerohive switch

Laptop running a To the network packet analyzer or other traffic source Destination Port

2. Start your packet analyzer application and configure it to monitor traffic arriving only on the Ethernet interface that is connected to the Aerohive switch.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 321 Spanning Tree Protocol

3. Begin the capture and allow it to continue until you believe you have collected enough packet information.

As the packets are collected, the display might scroll by rapidly because, by default, packet analyzers display information on all incoming packets. You can apply a filter by entering an expression into the filter field, or by choosing an expression from the drop-down list. For example the following screen shot shows a capture filtered for ARP traffic.

Spanning Tree Protocol

Spanning Tree Protocol (STP) is a bridging protocol defined in 802.1 that prevents broadcast and multicast frames from propagating uncontrollably, and unicast frames from arriving at their destination in duplicate by allowing only one path between any two network switches. STP allows switches to elect a root bridge from among all the switches in the network, establish a loop-free working topology, and monitor the topology to remediate link failures or loops that can arise during operation.

The protocol specification uses the term bridge, but the term also includes switches—which are multiport bridges—as well.

Core Distribution Access LANs/Clients Layer Layer Layer routers switches switches

Internet

Switched networks often have redundant paths built into them to provide fault tolerance, but which can cause frame delivery problems, such as frame duplication. Spanning Tree Protocol helps to prevent these problems.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 322 Spanning Tree Protocol

Electing the Root Bridge To elect the root bridge in a network, the process requires two values: the switch priority and the bridge address. The switch priority is a value that you can modify on Aerohive switches within HiveManager. By default, the value is set to 32768, but you can set this in HiveManager to any value from 0 to 61440 in steps of 4096. The bridge address is the MAC address of the mgt0 interface.

If you have several switches in your network, it is advantageous to configure the priority value on a particular switch to ensure that the most appropriate switch (as determined by its position or role in the network) is elected to be the root bridge. Setting a secondary priority on a second switch can also provide some control over the STP topology in the event that root bridge fails. Because the priority values of all switches are the same by default, and the lowest MAC addresses exist on the oldest switches or specific vendors, using default priority can mean that an unintended switch becomes the root.

To configure the priority on an Aerohive switch in HiveManager, click Configuration > Devices > Switches > device_name, expand the STP section under Optional Settings, configure the following, and then click Save: Override STP Settings: (select) Enable STP: (select) STP Mode: STP Device Settings: (expand) Priority for root calculation: 28672

Lower priority values indicate a higher priority. Whereas you can set the priority values to anything below the default 32768, setting it to the first value below the default is generally enough to ensure its election to the root bridge role, as long as all other switches are configured with the default priority.

Calculating Link Cost After STP elects the root bridge, it then evaluates the cost of each path that exists between the root bridge and all other switches. Link cost is based on the data throughput capacity—or bandwidth—of the link (a higher capacity translates to a lower cost), and the total link cost between the root bridge and another switch is the sum of the costs of all the links in that path. For example, if the link between Switch A and Switch B is 1 Gbps (cost 20000), and the link between Switch B and Switch C is 1 Gbps (cost 20000), then the total link cost between Switch A and Switch C is 40000.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 323 Spanning Tree Protocol

In the 802.1D-1998 standard, path cost values were not available for bandwidth values above 10 Gbps, which is inadequate for modern switched networks. The current 802.1D-2004 standard uses a new scheme for assigning path cost. The table below illustrates how the old scheme maps to the new scheme.

Aerohive uses the 802.1D-2004 values, but other vendors might use 802.1D-1998 values by default, even STP Elects a switch if they support the newer values. If you have a mixed Root to become the root network, be sure to check your vendor bridge. documentation. If all your switches do not use the same cost calculation mode, inconsistencies in cost calculation and convergence problems can result. STP Calculates the path cost of each Root link between the root bridge and all Bandwidth 802.1D-1998 Cost 802.1D-2004 Cost other switches. <=100 Kbps N/A 200000000

1 Mbps N/A 20000000 Where STP calculates 10 Mbps 100 2000000 Root multiple paths, it disables the slowest 100 Mbps 19 200000 paths. 1 Gbps 4 20000 10 Gbps 2 2000 If an active link 100 Gbps N/A 200 Root fails, STP quickly 1 Tbps N/A 20 activates one of the redunant paths. 10 Tbps N/A 2

Although the root bridge and link selection process might appear random, STP uses priority settings within the switches and the port MAC addresses to make its decisions.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 324 Spanning Tree Protocol

To simplify calculations, all interfaces are the same speed.

Root Bridge Inactive links on blocking mode ports

Active links on forwarding mode ports

Without STP, all ports are in forwarding Spanning Tree Protocol determines the most mode, meaning that the links are active and efficient paths and disables less efficient forwarding frames. redundant paths, removing loops.

Because of the redundant links, loops occur that cause frame delivery problems.

Configuring STP STP is enabled by default in HiveOS, but the STP controls are disabled by default in HiveManager. This means that, although STP is running on your Aerohive devices by defaults, when you create a new network policy, the Enable STP check box is cleared.

The default settings are generally tuned for efficient operation in most networks and very seldom require change. Make sure that you know what behavior to expect before changing the default values in a production network.

To change the default behavior of STP, click Configuration > Devices > Switches > device_name, expand the STP Setting section in Optional Settings, configure the following, and then click Save: Override the STP Settings in the network policy: (select) Enable STP: (select)

STP is enabled by default in HiveOS, so if you leave this check box cleared, then STP will be disabled on the switch when you save the configuration and upload the changes to the device. If you want to keep STP active on the switch, then you must select this check box.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 325 Spanning Tree Protocol

Device Settings: (expand) Forwarding delay: Enter the time that you want the switch to remain in the learning and listening states. By default, this is 15 seconds. Hello Time: Enter the Bridge Protocol Data Unit (BPDU) send interval. Each BPDU contains information about the switches, and is sent every 2 seconds by default in part to notify neighboring switches that the link is still active. If you choose RSTP for the STP Mode, then this option is not available.

Only the root bridge sends Hello messages, which are then relayed by the other switches throughout the network.

Max Age: Enter the maximum amount of time that a switch retains Spanning Tree information since the most recent Hello message if it doesn’t get refreshed. By default, if a switch does not receive Hello messages or receives inferior Hello messages on a port, then after 20 seconds it will discard the Spanning Tree information for that port, which might cause the switch to change port states.

This only affects STP operation, and not RSTP.

Priority for root calculation: Set the switch priority. This value is used during the process of electing a root bridge. Force Version: Enter the BPDU protocol version number to use on the switch. If you are using legacy STP, then this value must be 0, which is the protocol version for legacy STP. If you are using RSTP, then you can enter 2 (RSTP version number) or 0, if you want to force STP compatibility.

A value of 1 is not supported for any STP setting.

Port Level Settings: (expand) Enable: Select to enable a switch port. By default, all ports are enabled, but you can clear this check box to disable a port. Priority (0-240): Choose the priority value of the port. By default, this value is 128, and is configurable in step of 16 from 0 to 240.

You can use the port priority value as a way to control which ports are preferred when downstream switches elect their root ports. A lower priority value indicates a greater preference.

Path Cost (1-200000000): Enter the path cost that you want to use for the link. By default, the path cost of a port is determined by the link speed; however, you can favor certain STP behavior by explicitly configuring the path cost of a link instead of allowing STP to determine it automatically. The maximum setting (200000000) is equivalent to a link whose speed <=100 Kbps.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 326 Traffic Storm Control

Traffic Storm Control

Aerohive switches provide a means of protecting the network from traffic storms. Traffic storms can result accidentally from unmitigated network loops, or as a result of purposeful, coordinated attacks by rogue users. You can configure storm control switch-wide within the network policy, or you can override these global settings and configure port-by-port storm control parameters.

Configuring Traffic Storm control in a Network Policy 1. Create a new network policy that includes switching features. Click Configuration, create a new policy by clicking New, configure the following, and then click Create: Name: Enter a descriptive name for the network policy. Description: Enter a brief description of the policy. Switching: (select)

By default, Wireless Access and Bonjour Gateway are selected. You can leave these features selected without interfering with the configuration of the switching features. The Branch Routing option is not required to configure link aggregation.

2. Select the network policy that you just created in the Choose Network Policy panel, and then click OK, HiveManager automatically advances to the Configure Interfaces & User Access panel. 3. In the Additional Settings section, click Edit, expand Switch Settings > Storm Control, configure the following, and then click Save: Byte Based: Select if you want to enter your storm control values in terms of the number of bytes. Packet Based: Select if you want to enter your storm control values in terms of the number of packets. All Type: Select to include broadcast, unknown unicast, multicast, and TCP-SYN traffic when choosing what traffic to determine to be storm traffic. When you select this check box, all available traffic types are selected as well. Subsequently clearing any of the traffic type check boxes automatically clears the All Types check box. Broadcast: Select to include broadcast traffic; that is, traffic that is forwarded to all destinations simultaneously. Unknown Unicast: Select to include unicast traffic whose destination address does not appear in the forwarding database. Multicast: Select to include traffic whose destination is a multicast address. TCP-SYN: Select to include TCP-SYN flood traffic. Rate Limit Type: (Available only when Byte Based is selected) Choose whether you want to enter values explicitly using the number of bytes per second (BPS) or as a percentage of total interface capacity. Rate Limit Value: Enter the threshold value beyond which point you want the switch to discard traffic of the types selected above.

You can adjust the setting of access traffic and 802.1Q (VLAN) traffic independently.

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 327 Bonjour Gateway Enhancements

Configuring Traffic Storm Control on a Switch To configure port-specific traffic storm control directly on a switch, click Configuration > Devices > Switches > device_name, expand the Storm Control section, configure the following, and then click Save: Override storm control in the network policy: (select) Byte Based: Select if you want to enter your storm control values in terms of the number of bytes. Packet Based: Select if you want to enter your storm control values in terms of the number of packets. All Types: Select to include broadcast, unknown unicast, multicast, and TCP-SYN traffic when choosing what traffic to determine to be storm traffic. When you select this check box, all available traffic types are selected as well. Subsequently clearing any of the traffic type check boxes automatically clears the All Types check box. Broadcast: Select to include broadcast traffic; that is, traffic that is forwarded to all destinations simultaneously. Unknown Unicast: Select to include unicast traffic whose destination address does not appear in the forwarding database. Multicast: Select to include traffic whose destination is a multicast address. TCP-SYN: Select to include TCP-SYN flood traffic. Rate Limit Type: (Available only when Byte Based is selected) Choose whether you want to enter values explicitly using the number of bytes per second (BPS) or as a percentage of total interface capacity. Rate Limit Value: Enter the threshold value beyond which point you want the switch to discard traffic of the types selected above.

Bonjour Gateway Enhancements

The SR2024, when configured as a router, can act as a Bonjour Gateway. If chosen to be the BDD (Bonjour Designated Device) for the VLANs/subnets to which it belongs, it scans those VLANs for Bonjour services and then shares them with other BDDs in different VLANs/subnets within the same realm. In addition, the SR2024 also advertises services that the other BDDs share with it.

The SR2024 only supports Bonjour when it is in router mode. All other Aerohive products running 5.1r1 or later, except the BR100, can act as Bonjour Gateways.

You can control which Bonjour services the Bonjour Gateways share with each other by creating filter rules. A filter rule can control the sharing of services by source and destination VLANs, by the number of wireless hops away the receiving BDD (Bonjour Designated Device) is from the sending BDD, and by realm name. A realm consists of one or more hive members within radio range of one another but in different subnets/VLANs. These devices can detect each other automatically. If the hive members are not within radio range, then you can put them in the same realm by doing one of the following on the Device Settings page: Place all of the devices on the same map.

or

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 328 Bonjour Gateway Enhancements

Manually set the same Bonjour realm name in the Bonjour Gateway Configuration section.

To create a filter rule, edit a previously defined Bonjour Gateway Settings profile or create a new one, and then click the New ( + ) icon at the top of the Bonjour filter rules section.

Enter the following to define a Bonjour filter rule, and then click the Save icon: Service: Choose the name of a service. Type: (read-only) The service name and protocol for the resource record in the following format: _._. From VLAN Group: Choose the VLAN group from which services are advertised. If you do not see a VLAN group that you want to use, click the New ( + ) icon, and create one. To VLAN Group: Choose the VLAN group to which services are advertised. Action: Choose the action for the Bonjour Gateway filter to take on services between the specified source and destination VLAN groups: Permit the sharing of service advertisements or Deny them. Metric (0-255): Enter the maximum number of hops away from the local BDD to accept service advertisements. (An immediately neighboring BDD is one hop away, a neighbor of that neighbor is two hops away, and so on.) The range of metric values is from 0 to 100. A value of 0, the default, means that there is no maximum distance. Realm: Choose the name of an existing realm to apply this rule only to members of that realm (for information about defining a realm, see the preceding section). To apply it to members of all realms, choose [-any-] from the drop-down list. The filter rules are applied in order from the top until a match is found. Because of this, the order of the rules is important. Put more specific rules near the top so that broader rules do not occlude them. If necessary, you can reposition rules with the list by drag-and-dropping them.

P/N 330096-01, Rev. A

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 329 Bonjour Gateway Enhancements

For more information: 6.0r1 Release Notes Online Docs and Videos HiveMind 330