Accton Technology HIVEAP20AG User Manual

Chapter 7 Using HiveManager

Ø·ª»- ·² ¼·ºº»®»²¬ -«¾²»¬-

Û¿½¸ ¸·ª» ½±²¬¿·²-

Ø·ª»- ·² ¼·ºº»®»²¬ -«¾²»¬-

Û¿½¸ ¸·ª» ½±²¬¿·²-

• HiveAP management traffic for CAPWAP, SNMP monitoring and notifications, and SCP configuration, captive

web portal file, and HiveOS firmware uploads to managed HiveAPs

When you enable both interfaces, HiveManager management traffic uses the MGT interface while HiveAP
management traffic uses the LAN interface, as shown in Figure2.

Figure 2 Using Both MGT and LAN Interfaces

пртптктпо

᫬»®

пртптнтрсом

пртптмтрсом

пртптлтрсом

³«´¬·°´» Ø·ª»ßÐ-ò

ÔßÒ

пртптптисом

ÓÙÌ

пртптотисом

Ø·ª»Ó¿²¿¹»®

ß¼³·²

пртптйтнм

Static Routes: HiveManager sends traffic destined for 10.1.6.0/24 to 10.1.2.1.

HiveManager sends traffic destined for 10.1.7.0/24 to 10.1.2.1.

Default Gateway:10.1.1.1 (HiveManager sends traffic here when there are no specific routes to a destination.)

Í©·¬½¸

пртптотп

пртптптп

᫬»®

ÍÝÐ Í»®ª»®

Note: To set static routes after you log in to the GUI, click HM Admin > HiveManager Settings > Routing >

Add, set the destination IP address/netmask and gateway, and then click Apply.

When only the MGT interface is enabled, both types of management traffic use it. A possible drawback to this
approach is that the two types of management traffic cannot be separated into two different networks. For
example, if you have an existing management network, you would not be able to use it for HiveManager
management traffic. Both HiveManager and HiveAP management traffic would need to flow on the operational
network because HiveManager would need to communicate with the HiveAPs from its MGT interface (see

Figure3). However, if the separation of both types of traffic is not an issue, then using just the MGT interface is

a simple approach to consider.

Figure 3 Using Just the MGT Interface

ÔßÒ

ртртртрср

ÓÙÌ

пртптптисом

Ø·ª»Ó¿²¿¹»®

Í©·¬½¸ ᫬»®

пртптптп

пртптнтрсом

пртптмтрсом

пртптлтрсом

ß¼³·²

пртптйтнм

Default Gateway:10.1.1.1 (HiveManager sends all traffic to the default gateway.)

ÍÝÐ Í»®ª»®

пртптктпо

³«´¬·°´» Ø·ª»ßÐ-ò

8.After you finish configuring the network settings, return to the main menu, and reboot the HiveManager
appliance by entering 5 (5 Reboot HM Appliance).

You can now disconnect the serial cable.

80 Aerohive

INSTALLINGAND CONNECTINGTOTHE HIVEMANAGER GUI

Connecting to the GUI through the MGT Interface

1.Connect Ethernet cables from the MGT interface and LAN interface—if you are using it—to the network.

2.Connect an Ethernet cable from your management system to the network so that you can make an HTTPS
connection to the IP address that you set for the MGT interface.

3.Open a web browser and enter the IP address of the MGT interface in the address field. For example, if you
changed the IP address to 10.1.1.8, enter this in the address field: https://10.1.1.8

Note: If you ever forget the IP address of the MGT interface and cannot make an HTTP connection to

HiveManager, make a serial connection to its console port and enter this command: ifconfig . The
output displays data about the MGT interface (internally called "eth0"), including its IP address. The
serial connection settings are explained in "Changing Network Settings" on page79.

A login prompt appears.

4.Type the default user name (admin) and password ( aerohive ) in the login fields, and then click Login.

5.If prompted to enter a license key, click Browse, navigate to and select the text file containing the license key
that Aerohive provided when HiveManager was purchased, and then click OK.

You are now logged in to the HiveManager GUI. After logging in, you can check details about the license you
installed on the HM Admin > License Management page.

Deployment Guide 81

Chapter 7 Using HiveManager

INTRODUCTIONTOTHE HIVEMANAGER GUI

Using the HiveManager GUI, you can set up the configurations needed to deploy, manage, and monitor large
numbers of HiveAPs. The configuration workflow is described in "HiveManager Configuration Workflow" on page85.
The GUI consists of several important sections, which are shown in Figure4.

Figure 4 Important Sections of the HiveManager GUI

Menu Bar: The items in the menu bar open
the major sections of the GUI. You can then
use the navigation tree to navigate to more
specific topics within the selected section.

Navigation Tree: The navigation tree contains
all the topics within the GUI section that you
chose in the menu bar. Items you select in the
navigation tree appear in the main panel.

Notifications: HiveManager displays a
summary of new HiveAPs, rogue APs, rogue
clients, and alarms detected on managed
HiveAPs here. Clicking a displayed number
opens the relevant page with more details.

Main Panel: The main panel contains
the windows in which you set and view
various parameters.

Some convenient aspects that the HiveManager GUI offers are the ability to clone configurations, apply
configurations to multiple HiveAPs at once, and sort displayed information. Brief overviews of these functions are
presented in the following sections.

82 Aerohive

INTRODUCTIONTOTHE HIVEMANAGER GUI

Cloning Configurations

When you need to configure multiple similar objects, you can save time by configuring just the first object, cloning
it, and then making slight modifications to the subsequent objects. With this approach, you can avoid re-entering
repeated data.

Figure 5 Cloning a Hive

To clone an object, select it in an open window, and then click the Clone button.
Retain the settings you want to keep, and modify those you want to change.

îò Ý´·½µ

ïò Í»´»½¬

Multiselecting

You can select multiple objects to make the same modifications or perform the same operation to all of them at
once.

Figure 6 Selecting Multiple New HiveAPs

Select the check boxes to select multiple noncontiguous objects, or shift-click to select check
boxes for multiple contiguous objects.

Then click Accept to accept all the selected HiveAPs for HiveManager management, or click
the Modify button to configure them with the same settings.

Here, you use the shift-click multiselection method to select a set of the topmost eight HiveAPs in
the list; that is, you select the check box for the top HiveAP and hold down the SHIFT key while
selecting the check box for the eighth HiveAP from the top.

Deployment Guide 83

Chapter 7 Using HiveManager

By default, displayed objects are

sorted alphanumerically from the

top by name. If you click the

Sorting Displayed Data

You can control how the GUI displays data in the main panel by clicking a column header. This causes the displayed
content to reorder itself alphanumerically or chronologically in either ascending or descending order. Clicking the
header a second time reverses the order in which the data is displayed.

Figure 7 Sorting Event Log Entries by HiveAP Host Name and then Chronologically

name again, the order is reversed; that is, the objects are ordered alphanumerically from the bottom.

By clicking the heading of a column, you can reorder the display of objects either alphanumerically or
chronologically, depending on the content of the selected column. Here you reorder the data chronologically.

ײ¼·½¿¬»- ¬¸¿¬ ¬¸» ´·-¬ ¿°°»¿®- ·²
¼»-½»²¼·²¹ ±®¼»® º®±³ ¬¸» ¬±°

ײ¼·½¿¬»- ¬¸¿¬ ¬¸» ´·-¬ ¿°°»¿®- ·²
¿-½»²¼·²¹ ±®¼»® º®±³ ¬¸» ¾±¬¬±³

84 Aerohive

HIVEMANAGER CONFIGURATION WORKFLOW

1.If you need to reference network objects in another part of the

configuration, you must define them first. Otherwise, this step

• Management services (DNS, NTP, SNMP, syslog, location)

HIVEMANAGER CONFIGURATION WORKFLOW

Assuming that you have already installed your HiveAPs, uploaded maps (see "Setting Up Topology Maps" on page91),
accepted the HiveAPs for management, and decided on the features and settings you want to use, you are now
ready to start configuring the HiveAPs through HiveManager1. You can configure numerous objects, some of which
might need to reference other objects. An efficient configuration strategy is to first define any objects that you will
later need to use when configuring others. The typical workflow, shown in Figure8, proceeds like this:

1.Define network objects. You can then reference them when defining other parts of the configuration. If you do
not plan to use network objects, you can skip this step.

2.Configure various features.

3.Define radio profiles (or use default settings).

4 and 5.Compile the features from step 2 into a WLAN policy, assign the radio profiles and WLAN policy to one or

more HiveAPs, and then push the configurations to the physical devices on the network.

Figure 8 Configuration Workflow

is unnecessary.

2. Use default settings or configure new settings for various
features that, when combined, constitute a WLAN policy:

• Mobility policies

• Firewall policies

• QoS traffic classification and marking

• MAC Filters

• SSIDs

• User profiles

• AAA settings (for user authentication using IEEE 802.1X)

• Wireless IDS policy

• Hive

3.Use default settings or define one or more radio profiles.

4.Compose a WLAN policy by referencing items set in Step 2.

5.Apply the WLAN policy and radio profiles to one or more
HiveAPs, and then push the configuration to the physical
devices across the network.

1

Network Objects:

VLANs

2

Mobility
Policies

User

Profiles

IP

Addresses

Firewall
Policies

Mgt

Services

Services

QoS Traffic

Classification

and Marking

Settings

HiveManager

MAC
OUIs

MAC Filters

SSIDs

AAA

MAC

Addresses

IDS

Policy

Hive

3

Radio ProfilesWLAN Policy

1.When HiveAPs are in the same subnet as HiveManager, they can use CAPWAP (Control and Provisioning of Wireless Access Points)
to discover HiveManager on the network. CAPWAP works within a layer-2 broadcast domain and is enabled by default on all
HiveAPs. If the HiveAPs and HiveManager are in different subnets, then you can use one of several approaches to enable
HiveAPs to connect to HiveManager. For information about these options, see "How HiveAPs Connect to HiveManager" on

page95.

4 5

Deployment Guide 85

Managed

HiveAP

Chapter 7 Using HiveManager

UPDATING SOFTWAREON HIVEMANAGER

You can update the software running on HiveManager from either a local directory on your management system or
an SCP (Secure Copy) server. If you download an image and save it to a local directory, you can load it from there. If
you save the image to an SCP server, you can direct HiveManager to log in and load it from a directory there.

1.If you do not yet have an account on the Aerohive Support portal, send an email request to

(support@aerohive.com) to set one up.

2.When you have login credentials, visit www.aerohive.com/support/login, and log in.

3.Navigate to the software image that you want to load onto HiveManager (Customer Support > Software

Downloads > HiveManager software images) and download the file.

4.Save the HiveManager image file to a local directory or an SCP server.

5.Log in to HiveManager and navigate to HM Admin > HiveManager Operations > Update Software.

6.To load files from a directory on your local management system, choose either Update and clear alarm and

event logs or Full update (to keep existing log entries after the upgrade), and then enter the following:

• File from local host: (select); type the directory path and a file name; or click Browse, navigate to the

software file, and select it.

or

To load a file from an SCP server:

• File from remote server: (select)

• IP Address: Enter the IP address of the SCP server.

• SCP Port: Enter the port number of the SCP server (the default port number for SCP is 22).

• File Path: Enter the directory path and HiveManager software file name. If the file is in the root directory of

the SCP server, you can simply enter the file name.

• User Name: Type a user name with which HiveManager can access the SCP server.

• Password: Type a password with which HiveManager can use to log in securely to the SCP server.

7.To save the new software and reboot HiveManager, click OK.

86 Aerohive

UPDATING HIVEOS FIRMWARE

UPDATING HIVEOS FIRMWARE

HiveManager makes it easy to update HiveOS firmware running on managed HiveAPs. First, you obtain new HiveAP
firmware from Aerohive Support and upload it onto HiveManager. Then you push the firmware to the HiveAPs and
activate it by rebooting them.

Note: When upgrading both HiveManager software and HiveOS firmware, do so in this order:

• Upgrade HiveManager (HiveManager can manage HiveAPs running the current version of HiveOS and
also previous versions).

• Upload the new HiveOS firmware to the managed HiveAPs, and reboot them to activate it.

• Reload the HiveOS configurations to the managed HiveAPs—even if nothing in the configurations has

changed—and reboot them to activate the configuration that is compatible with the new HiveOS image.

1.Log in to the Aerohive Support portal to obtain a new HiveOS image.

2.Save the HiveOS image file to a directory on your local management system or network.

3.Log in to HiveManager and navigate to Configuration > HiveAP File Management.

4.On the HiveAP Files page, select HiveOS Image for the file type, enter one of the following—depending on how
you intend to upload the HiveOS image file to HiveManager—and then click OK:

To load a HiveOS image file from a directory on your local management system:

• Local File: (select); type the directory path and image file name, or click Browse, navigate to the image

file, and select it.

To load a HiveOS image file from an SCP server:

• SCP Server: (select) IP Address : Enter the IP address of the SCP server.

• SCP Port: Enter the port number of the SCP server (the default port number for SCP is 22).

• File Path: Enter the path to the HiveOS image file and the file name. If the file is in the root directory of the

SCP server, you can simply enter the file name.

• User Name: Type a user name with which HiveManager can access the SCP server.

• Password: Type a password that HiveManager can use to log in securely to the SCP server.

Note: To delete an old image file, select the file in the "Available Images" list, and then click Remove.

5.Click Access Points > ManagedHiveAPs.

6.In the Managed HiveAPs window, select one or more HiveAPs, and then click Update > Upload and Activate SW
Image.

The Upload and Activate SW Image dialog box appears.

7.Enter the following, and then click Upload:

• From the HiveOS Image drop-down list, select the image that you want to load onto managed HiveAPs.

• In the Activation Time section, select one of the following options, depending on when you want to activate

the software—by rebooting the HiveAPs—after HiveManager finishes loading it:

• Activate at: Select and set the time at which you want the HiveAPs to activate the software. To use this

option accurately, make sure that both HiveManager and managed HiveAP clocks are synchronized.

• Activate after: Select to load the firmware on the selected HiveAPs and activate it after a specified
interval. The range is 0 – 3600 seconds; that is, immediately to one hour. The default is 5 seconds.

Deployment Guide 87

Chapter 7 Using HiveManager

• Activate at next reboot: Select to load the software and not activate it. The loaded software gets
activated the next time the HiveAP reboots.

Note: When choosing which option to use, consider how HiveManager connects to the HiveAPs it is updating.

See "Updating HiveAPs in a Mesh Environment".

• Select the check box for each HiveAP whose software you want to update.

Updating HiveAPs in a Mesh Environment

When updating hive members in a mesh environment, be careful of the order in which the HiveAPs reboot. If a
portal completes the upload and reboots before a mesh point beyond it completes its upload—which most likely
would happen because portals receive the uploaded content first and then forward it to mesh points—the reboot
will interrupt the data transfer to the mesh point. This can also happen if a mesh point linking HiveManager to
another mesh point reboots before the more distant mesh point completes its upload. As a result of such an
interruption, the affected mesh point receives an incomplete firmware or configuration file and aborts the update.

Note: A mesh point is a hive member that uses a wireless backhaul connection to communicate with the rest of

the hive. HiveManager manages mesh points through another hive member that acts as a portal, which
links mesh points to the wired LAN.

Figure 9 HiveAPs in a Mesh Environment

ɸ»² «°¼¿¬·²¹ Ø·ª»ßÐ- ·² ¿ ³»-¸ »²ª·®±²³»²¬ô ¬¸» Ø·ª»Ó¿²¿¹»® ½±³³«²·½¿¬»- ©·¬¸ ³»-¸ °±·²¬- ¬¸®±«¹¸
¬¸»·® °±®¬¿´ ¿²¼ô ·º ¬¸»®» ¿®» ¿²§ ·²¬»®ª»²·²¹ ³»-¸ °±·²¬-ô ¬¸®±«¹¸ ¬¸»³ ¿- ©»´´ò ɸ·´» «°¼¿¬·²¹ Ø·ª»ßÐ- ·²

-«½¸ ¿² »²ª·®±²³»²¬ô ·¬ ·- ·³°±®¬¿²¬ ¬± µ»»° ¬¸» °¿¬¸ º®±³ ¬¸» Ø·ª»Ó¿²¿¹»® ¬± ¿´´ Ø·ª»ßÐ- ½´»¿® -± ¬¸¿¬ ¬¸»
¼¿¬¿ ¬®¿²-º»® ¿´±²¹ ¬¸¿¬ °¿¬¸ ·- ²±¬ ¼·-®«°¬»¼ò ̸»®»º±®»ô ©¸»² «°¼¿¬·²¹ ¿ º·®³©¿®» ·³¿¹» ±® ½±²º·¹«®¿¬·±²
±² Ø·ª»ßÐ- ·² ¿ ³»-¸ »²ª·®±²³»²¬ô ³¿µ» -«®» ¬¸¿¬ ¬¸» °±®¬¿´ ±® ¿ ³»-¸ °±·²¬ ½´±-»® ¬± ¬¸» °±®¬¿´ ¼±»- ²±¬
®»¾±±¬ ¾»º±®» ¬¸» «°´±¿¼ ¬± ¿ ³»-¸ °±·²¬ º¿®¬¸»® ¿©¿§ ½±³°´»¬»-ò

Ø·ª»Ó¿²¿¹»®

ã É·®»¼ Ô·²µ

ã É·®»´»-- Ô·²µ

To avoid the reboot of an intervening HiveAP from interfering with an ongoing upload to a mesh point beyond it,
allow enough time for the firmware to reach the farthest mesh points before activating the firmware. After all the
HiveAPs have the firmware, rebooting any HiveAPs between them and HiveManager becomes inconsequential.

Í©·¬½¸ Ø·ª»ßÐ

øᮬ¿´÷

Ø·ª»ßÐ

øÓ»-¸ б·²¬ ï÷

Ø·ª»ßÐ

øÓ»-¸ б·²¬ î÷

88 Aerohive

Chapter 8HiveManager Configuration Examples

The following examples in this chapter show how to install over 70 HiveAPs at three locations in a corporate
network, use HiveManager to create configurations for them, and then push the configurations to them over the
network. The high-level deployment scheme is as follows:

Headquarters - Building 1 (HQ-B1) Headquarters - Building 2 (HQ-B2) Branch Office (Branch1)

32 HiveAPs32 HiveAPs8 HiveAPs

1 Hive (hive1)1 Hive (hive2)1 Hive (hive3)

1 WLAN policy (WLANpolicy-hq1)1 WLAN policy (WLANpolicy-hq2)1 WLAN policy (WLANpolicy-branch1)

The general design of the deployment is shown in Figure1.

Figure 1 Deployment Overview

¨ è

Ú´±±®-

ШПуЮпШПуЮо

Ø·ª»ï

ÉÔßÒ°±´·½§ó¸¯ï

ì Ø·ª»ßÐ-

°»® Ú´±±®

êì

Ø·ª»ßÐ-

̱¬¿´

ݱ®°±®¿¬»

Ø»¿¼¯«¿®¬»®-

Ø·ª»Ó¿²¿¹»®

ш·² •ШПуЮпŒч

¨ è

Ú´±±®-

Ø·ª»î

ÉÔßÒ°±´·½§ó¸¯î

ÊÐÒ Ì«²²»´

î Ø·ª»ßÐ-

°»® Ú´±±®

è

Ø·ª»ßÐ-

̱¬¿´

Þ®¿²½¸

Ѻº·½»

ÉÔßÒ°±´·½§ó¾®¿²½¸ï

¨ ì

Ú´±±®-

Þ®¿²½¸ï

Ø·ª»í

You can look at any of the following examples individually to study how to configure a specific feature or view all of
them sequentially as a set to study the workflow for deploying large numbers of HiveAPs and configuring them
through HiveManager.

Deployment Guide 89

Chapter 8 HiveManager Configuration Examples

This chapter contains a sequential flow of examples that show how to import and organize maps, install HiveAPs on
the network and link them to maps, configure typically needed features, assign these features to HiveAPs, and push
configurations to the HiveAPs across the network. The examples are as follows:

• "Example 1: Mapping Locations and Installing HiveAPs" on page91

Upload image files of topology maps to HiveManager and use one of two ways to associate physical HiveAPs
with their corresponding icons on the maps.

• "Example 2: Defining Network Objects and MAC Filters" on page97

Define a MAC OUI (organizationally unique identifier), VLANs, and IP addresses for use by other
configuration objects. Define a MAC filter so that QoS classifiers and SSID profiles can reference them. Map
the MAC OUI and several services to Aerohive classes.

• "Example 3: Providing Guest Access" on page104

Provide controlled and limited network access for guests. Two approaches are presented.

• "Example 4: Creating User Profiles" on page113

Define several user profiles, their companion QoS forwarding rates and priorities, and their VLANs.

• "Example 5: Setting SSIDs" on page117

Define sets of authentication and encryption services that wireless clients and HiveAPs use when
communicating with each other.

• "Example 6: Setting Management Service Parameters" on page120

Configure DNS, syslog, SNMP, and NTP settings for HiveAPs.

• "Example 7: Defining AAA RADIUS Settings" on page123

Define AAA RADIUS server settings to use when HiveAPs send 802.1X authentication requests.

• "Example 8: Creating Hives" on page125

Create hives so that sets of HiveAPs can exchange information with each other over the network to
coordinate client access, provide best-path forwarding, and enforce QoS policies.

• "Example 9: Creating WLAN Policies" on page126

Define WLAN policies. These are sets of configuration objects (defined in previous examples) that HiveAPs
use to control how wireless clients access the network.

• "Example 10: Assigning Configurations to HiveAPs" on page135

Assign WLAN policies, radio profiles, and maps to detected HiveAPs so that you can begin managing them
through HiveManager. Also change HiveAP login settings and country codes.

90 Aerohive

EXAMPLE 1: MAPPING LOCATIONSAND INSTALLING HIVEAPS

on on the CorpOffices map

Topology Maps section of the navigation tree in the

EXAMPLE 1:MAPPING LOCATIONSAND INSTALLING HIVEAPS

HiveManager allows you to mark the location of HiveAPs on maps so that you can track devices and monitor their
status. First, you must upload the maps to HiveManager, and then name and arrange them in a structured hierarchy
(see "Setting Up Topology Maps"). After that, you can follow one of two ways to install HiveAPs so that you can later
put their corresponding icons on the right maps (see "Preparing the HiveAPs" on page94).

Note: All image files that you upload to HiveManager must be in .png or .jpg format.

Setting Up Topology Maps

In this example, you upload maps to HiveManager showing floor plans for three office buildings and organize them in
a hierarchical structure. You need to make .png of .jpg files of drawings or blueprints showing the layout of each
floor. Also, as an easy means of organizing the maps in the HiveManager GUI, you create a file showing the three
buildings HQ-B1, HQ-B2, and Branch-1. By using this drawing at the top topographical level, you can display icons for
each floor of each building. You can then click an icon to link to its corresponding map. This is shown in Figure2.

Figure 2 Organizational Structure of Level-1 and -2 Maps

Ô»ª»´ ï

̸·- ³¿° -¸±©- í ¾«·´¼·²¹- ¿²¼ îð ·½±²- ¬¸¿¬ ´·²µ ¬± ´»ª»´óî ³¿°-ò

ݱ®°Ñºº·½»- øÔ»ª»´óï Ó¿°÷

Double-clicking a floor ic
(level 1) opens the corresponding level-2 map.

You can also navigate to any map within the

HiveManager GUI.

è ·½±²- ´·²µ·²¹

¬± ´»ª»´óî ³¿°-

Ô»ª»´ î

Ш»¿¼¯«¿®¬»®- Ю«·´¼·²¹ п шШПуЮпч У¿°-Ш»¿¼¯«¿®¬»®- Ю«·´¼·²¹ о шШПуЮоч У¿°-Ю®¿²½¸уп У¿°-

•ШПуЮпуЪиŒ

è Ó¿°-

ø±²» °»® º´±±®÷

•ШПуЮпуЪпŒ

è ·½±²- ´·²µ·²¹

¬± ´»ª»´óî ³¿°-

ì ·½±²- ´·²µ·²¹

¬± ´»ª»´óî ³¿°-

•ШПуЮоуЪиŒ

è Ó¿°-

•ШПуЮоуЪпŒ

•Ю®¿²½¸упуЪмŒ

ì Ó¿°-

•Ю®¿²½¸упуЪпŒ

Uploading Maps

1.Log in to the HiveManager GUI as explained in " Installing and Connecting to the HiveManager GUI" on page79.

2.Click Topology, right-click World, and then choose Add/Delete Image from the pop-up menu that appears.

3.In the Add/Delete Image window, click Browse, navigate to the directory containing the image files that you

want to upload, and select one of them.

4.Click Upload.

Deployment Guide 91

Chapter 8 HiveManager Configuration Examples

The selected image file is transferred from your management system to HiveManager as shown in Figure3.

Figure 3 Uploading a Map of a Building Floor Plan

Map showing one

of the floor plans

Management System HiveManager

Uploading map to HiveManager

5.Repeat this for all the image files that you need to load. In this example, you load 21 files:

• 8 maps for the eight floors in HQ-B1 (Headquarters Building 1)

• 8 maps for the eight floors in HQ-B2 (Headquarters Building 2)

• 4 maps for the four floors in Branch-1

• 1 file (named "corp_offices.png" in this example) that shows a picture of the three buildings

Naming and Arranging Maps within a Structure

1.Click Topology, right-click the top level map "World", and then choose Edit from the pop-up menu that appears.

2.In the Edit Map - World dialog box, enter the following, and then click Update:

• Map Name: CorpOffices (Note that spaces are not allowed in map level names.)

• Map Icon: Building

• Background Image: Choose corp_offices.png from the drop-down list.

• Environment: Because the CorpOffices "map" does not contain any HiveAP icons—it is an illustration of three

buildings that you use to organize the submaps of the floors in each building—the environment setting is
irrelevant. Leave it at its default, Free Space.

• Width (optional): Because the corp_offices.png depicts buildings instead of a floor plan, it is not necessary

to specify the width of the image.

3.Click Topology, right-click the top level map "CorpOffices", and then choose New from the pop-up menu that

appears.

4.In the New Map (Submap for CorpOffices) dialog box, enter the following, and then click Create:

• Map Name: HQ-B1-F

• Map Icon: Floor

• Background Image: Choose HQ-B1-F1.png from the drop-down list.

• Environment: Because the environment is that of a typical office building, choose Enterprise. The

environment assists in the prediction of signal strength and attenuation shown in the heat maps.

• Width: 80 feet (HiveManager automatically calculates the height based on the aspect ratio of the image.)

A white floor icon () labeled "HQ-B1-F1" appears on the CorpOffices image, and a new entry named
"HQ-B1-F1" appears nested under "CorpOffices" in the navigation tree.

5.Click Unlock, select the icon, drag it to the location you want, and then click Save.

6.Click Topology, right-click the top level map "CorpOffices", and then choose New from the pop-up menu that

appears.

92 Aerohive

EXAMPLE 1: MAPPING LOCATIONSAND INSTALLING HIVEAPS

7.In the New Map (Submap for CorpOffices) dialog box, enter the following, and then click Create:

• Map Name: HQ-B1-F2

• Map Icon: Floor

• Background Image: Choose HQ-B1-F2.png from the drop-down list.

• Environment: Enterprise

• Width: 80 feet

A white floor icon labeled "HQ-B1-F2" appears on the CorpOffices image, and a new entry named "HQ-B1-F2"
appears nested under "CorpOffices" in the navigation tree.

8.Click Unlock, select the icon, drag it to the location you want, and then click Save.

After adding the CorpOffices "map" (really an illustration showing three buildings), two floor plans for the first
and second floors of "HQ-B1", and dragging the floor icons into position, the display of the CorpOffices map
looks similar to that in Figure4.

Figure 4 CorpOffice Map (Level 1) with Links to Level-2 Maps HQ-B1-F1 and HQ-B1-F2

The submaps in the
navigation tree and the
icons on this map link
to other maps.

Click a submap or
double-click an icon to
open the map to which
it links.

9.Repeat this process until you have arranged all the maps and icons in place as shown in Figure5.

Figure 5 CorpOffice Map with Links to All Level-2 Maps

Note: You can add as many levels as necessary to the map hierarchy. You can also delete maps as long as they

do not have any submaps or HiveAP icons on them.

Deployment Guide 93

Chapter 8 HiveManager Configuration Examples

Preparing the HiveAPs

There are several approaches that you can take when mapping the location of installed HiveAP devices. Two
possible approaches are presented below. With the first approach ("Using SNMP"), HiveManager automatically assigns
HiveAPs to maps. This approach does require a small amount of configuration of each HiveAP up front, but after the
HiveAPs form a CAPWAP connection with HiveManager, the automatic assignment of HiveAPs to their appropriate
maps on HiveManager occurs without any further effort. The second approach ("Using MAC Addresses" on page95)
allows you to install HiveAPs without needing to do any extra configurations, but you later have to match each
HiveAP with the right map in HiveManager manually.

Note: For a summary of how HiveAPs use CAPWAP to discover and connect to HiveManager, see "How HiveAPs

Connect to HiveManager" on page95.

Using SNMP

This approach makes use of the SNMP (Simple Network Management Protocol) sysLocation MIB (Management
Information Base) object, which you define on HiveAPs. HiveManager can use this information to associate a HiveAP
with a map and provide a description of where on the map each HiveAP belongs.

1.Make copies of the maps you uploaded to HiveManager, label them, and take them with you for reference when
installing the HiveAPs.

2.For each HiveAP that you install, do the following:

1.Make a serial connection to the console port, and log in (see "Log in through the console port" on page150).

2.Enter the following command, in which string1 describes the location of the HiveAP on the map (in open

format) and string2 is the name of the map:

snmp location string1@string2

For example, if you install a HiveAP in the northwest corner on the first floor of building 1, enter
snmplocation northwest_corner@HQ-B1-F1. If you want to use spaces in the description, surround
the entire string with quotation marks: snmp location "northwest corner@HQ-B1-F1".

If the name of a map is not unique, then include the map hierarchy in the string until the path to the map is
unique. For example, if you have two maps named "floor-1", and the one you want to use is nested under a
higher level map named "building-1" while the other is nested under "building-2", then enter the command
as follows: snmplocation northwest_corner@floor-1@building-1 . Similarly, if there are two
maps named "building-1" nested under higher level maps for two different sites ("campus-1" and "campus-2",
for example), then include that next higher level in the string to make it unique:

snmplocation northwest_corner@floor-1@building-1@campus-1

3.Mount and cable the HiveAP to complete its installation. (For mounting details, see "Mounting the HiveAP

20" on page29. For information about the PoE port on the HiveAP, see "Ethernet and Console Ports" on
page26.)

When a HiveAP connects to HiveManager, HiveManager checks its SNMP location. When you accept the HiveAP for
management, then HiveManager automatically associates it with the map specified in its SNMP location description.
You can then click the icon to see its location and drag it to the specified location on the map. Also, on the Access
Points > New HiveAPs > Automatically Discovered window in the HiveManager GUI, you can sort detected HiveAPs by
map name to assign them more easily to WLAN policies and radio profiles.

94 Aerohive

EXAMPLE 1: MAPPING LOCATIONSAND INSTALLING HIVEAPS

Using MAC Addresses

With this approach, you write down the MAC address labelled on the underside of each HiveAP and its location while
installing the HiveAPs throughout the buildings. The MAC address on the label is for the mgt0 interface. Because the
MAC addresses of all HiveAPs begin with the Aerohive MAC OUI 00:19:77, you only need to record the last six
numerals in the address. For example, if the MAC OUI is 0019:7700:0120, you only need to write "000120" to be able
to distinguish it from other HiveAPs later.

1.Make copies of the maps you uploaded to HiveManager, label them, and take them with you when installing the
HiveAPs.

2.When you install a HiveAP, write the last six digits of its MAC address at its location on the map.

When HiveAPs automatically connect with HiveManager, HiveManager displays them in the Access Points > New
HiveAPs > Automatically Discovered window. You can differentiate them in the displayed list by MAC address (node
ID), which allows you to match the HiveAPs in the GUI with those you noted during installation so that you can
properly assign each one to a map, a WLAN policy, and two radio profiles.

How HiveAPs Connect to HiveManager

If HiveAPs are in the same layer-2 broadcast domain (and same VLAN) as HiveManager, they broadcast CAPWAP
(Control and Provisioning of Wireless Access Points) Discovery Request messages to discover and establish a secure
connection with HiveManager automatically. There is no need for any extra configuration on your part.

When HiveAPs and HiveManager are in different subnets, the HiveAPs will not be able to discover HiveManager by
broadcasting CAPWAP Discovery Request messages. In this case, you can use one of the following methods to
configure HiveAPs with the HiveManager IP address or configure them so that they can learn it through DHCP or DNS.
When HiveAPs have the HiveManager IP address, they then send unicast CAPWAP Discovery Request messages to that
address.

• Log in to the CLI on each HiveAP and enter the HiveManager IP address with the following command, in which
the variable ip_addr is the address of the interface through which HiveManager communicates with HiveAPs:

hivemanager ip_addr

• Configure the DHCP server to supply the HiveManager domain name as DHCP option 225 or its IP address as
option 226 in its DHCPOFFER. (If you use a domain name, the authoritative DNS server for that domain must also
be configured with an A record that maps the domain name to an IP address for HiveManager.) HiveAPs request
DHCP option 225 and 226 by default when they broadcast DHCPDISCOVER and DHCPREQUEST messages.

Note: If you need to change the DHCP option number (perhaps because another custom option with that

number is already in use on the DHCP server), enter this command on each HiveAP with a different
option number for the variable number:

interface mgt0 dhcp client option custom hivemanager number { ip | string }

• If HiveManager continues to use its default domain name ("hivemanager"), configure the local authoritative DNS
server with an A record that resolves that name to an IP address. If the HiveAPs do not have a static IP address
configured for HiveManager and do not receive an address or domain name returned in a DHCP option, then they
try to resolve the domain name "hivemanager" to an IP address.

Within the framework of the CAPWAP protocol, HiveAPs are CAPWAP clients and HiveManager is a CAPWAP server.
The client proceeds through a series of CAPWAP states. These states and the basic events that trigger the client to
transition from one state to another are shown in Figure6 on page96.

Note: To illustrate all possible CAPWAP states, Figure6 on page96 begins by showing a HiveAP and HiveManager

already in the Run state. When a HIveAP first attempts to discover a HiveManager—after the HiveAP has an
IP address for its mgt0 interface and has been configured with (or has discovered) the HiveManager IP
address—it begins in the Discovery state.

Deployment Guide 95

Chapter 8 HiveManager Configuration Examples

Figure 6 CAPWAP Process—Beginning from the Run State

ЭЯРЙЯР Э´·»²¬

øØ·ª»ßÐ÷

Ϋ²

ͬ¿¬»

×¼´»

ͬ¿¬»

Ü·-½±ª»®§

ͬ¿¬»

Í«´µ·²¹

ͬ¿¬»

Ü·-½±ª»®§

ͬ¿¬»

ЭЯРЙЯР Н»®ª»®

øØ·ª»Ó¿²¿¹»®÷

М¸» ЭЯРЙЯР ½´·»²¬ шШ·ª»ЯРч °·²¹- ¬¸» ЭЯРЙЯР -»®ª»® шШ·ª»У¿²¿¹»®ч
¾«¬ ®»½»·ª»- ²± ®»-°±²-»- ©·¬¸·² ¬¸» ²»·¹¸¾±®у¼»¿¼у·²¬»®ª¿´т

ò ò ò

ɸ»² ¬¸» ½´·»²¬ ¼»¬»®³·²»- ·¬- ²»·¹¸¾±® ·- ¼»¿¼ô ·¬ ¬®¿²-·¬·±²­º®±³ ¬¸» Ϋ² -¬¿¬» ¬± ¬¸» ×¼´» -¬¿¬»ò

̸» ½´·»²¬ ¬®¿²-·¬·±²- ¬± ¬¸» Ü·-½±ª»®§ -¬¿¬» ¿²¼ ¾»¹·²- -»²¼·²¹
Ü·-½±ª»®§ λ¯«»-¬ ³»--¿¹»- ø¾®±¿¼½¿-¬ ±® «²·½¿-¬÷ò

ò ò ò

׺ ¬¸» ½´·»²¬ ½±²¬·²«»- ¬± -»²¼ Ü·-½±ª»®§ λ¯«»-¬ ³»--¿¹»- «²¬·´ ·¬
®»¿½¸»- ¬¸» ³¿¨ó¼·-½±ª»®§ó·²¬»®ª¿´ ¿²¼ ³¿¨ó¼·-½±ª»®§ó½±«²¬ ¾«¬
®»½»·ª»- ²± Ü·-½±ª»®§ λ-°±²-»-ô ¬¸» ½´·»²¬ ¬¸»² »²¬»®- ¬¸» Í«´µ·²¹

-¬¿¬» ¿²¼ ®»³¿·²- ·² ¬¸·- -¬¿¬» «²¬·´ ¬¸» -·´»²¬ó·²¬»®ª¿´ »´¿°-»-ò

М¸» ЭЯРЙЯР ½´·»²¬ ®»¬«®²- ¬± ¬¸» Ь·-½±ª»®§ -¬¿¬» ¿²¼ -»²¼­Ь·-½±ª»®§ О»¯«»-¬ ³»--¿¹»-т

М¸» ЭЯРЙЯР -»®ª»® ®»½»·ª»- ¬¸» Ь·-½±ª»®§ О»¯«»-¬ ³»--¿¹»
¿²¼ ®»-°±²¼- ©·¬¸ ¿ Ь·-½±ª»®§ О»-°±²-»т

М¸» ЭЯРЙЯР ½´·»²¬ ¿²¼ -»®ª»® °»®º±®³ ¿ ЬМФН шЬ¿¬¿¹®¿³ М®¿²-°±®¬
Ф¿§»® Н»½«®·¬§ч ¸¿²¼-¸¿µ» ¬± »-¬¿¾´·-¸ ¿ -»½«®» ЬМФН ½±²²»½¬·±²т

Ö±·²

ͬ¿¬»

׺ ¬¸» Ö±·² λ-°±²-» ·²¼·½¿¬»- •-«½½»--Œô ¬¸» ½´·»²¬
½´»¿®- ·¬- É¿·¬Ö±·² ¬·³»® ¿²¼ »²¬»®- ¬¸» Ϋ² -¬¿¬»ò

Ò±¬»æ ׺ ¬¸» É¿·¬Ö±·² ¬·³»® »¨°·®»- ¾»º±®» ¬¸» ½´·»²¬
®»½»·ª»- ¿ -«½½»--º«´ Ö±·² λ-°±²-»ô ¬¸» ½´·»²¬
¬»®³·²¿¬»- ¬¸» ÜÌÔÍ ½±²²»½¬·±² ¿²¼ ®»¬«®²- ¬± ¬¸»
Ü·-½±ª»® -¬¿¬»ò

̸» ½´·»²¬ -»²¼- ¿ Ö±·² λ¯«»-¬ò

̸» -»®ª»® -»²¼- ¿ Ö±·² λ-°±²-»ò

Чº ¬¸» Ц±·² О»-°±²-» ·²¼·½¿¬»- •º¿·´«®»Œф
¬¸» ЭЯРЙЯР -»®ª»® »²¬»®- ¿ О»-»¬

-¬¿¬» ¿²¼ ¬»®³·²¿¬»- ¬¸» ÜÌÔÍ -»--·±²ò

96 Aerohive

EXAMPLE 2: DEFINING NETWORK OBJECTSAND MAC FILTERS

EXAMPLE 2:DEFINING NETWORK OBJECTSAND MAC FILTERS

Network objects are the most basic objects that you can configure and only function when other objects such as QoS
classifiers, SSID profiles, and firewall policy rules reference them. IP addresses, network services (HTTP, SMTP,
FTP, … ), MAC addresses, MAC OUIs (organizationally unique identifiers), VLANs, Ethernet profiles, and radio profiles
are network objects that make no reference to any other previously defined object.

You define the following network objects that you reference in other examples later in this chapter:

• MAC OUI for filtering VoIP phone traffic

• VLANs that you can apply to user profiles

• IP addresses that you can assign to management services and RADIUS servers

In addition, you define a MAC filter to control access to the SSID for VoIP traffic.

Defining a MAC OUI

You define a MAC OUI for the type of VoIP (Voice over IP) phones in use in the network and assign traffic from it to
Aerohive class 6. Other critical IP telephony services are DHCP and DNS for address and domain name assignments,
and TFTP and HTTP for configuration downloads and software updates. You map traffic using destination port
numbers 53 (DNS) and 67 (DHCP) to Aerohive class 5. This is a fairly high priority level because these services are
vital for VoIP to work properly; however, they are not as high as that for the voice traffic itself. Finally, you map
traffic using destination port numbers 69 (TFTP) and 80 (HTTP) to Aerohive class 2. This is a much lower priority
level, but it is appropriate for these resilient and less time-sensitive services. HiveAPs check if an incoming packet
matches a classifier map by checking for matches in the following order. They then use the first match found:

1.Service

2.MAC OUI

3.Ingress interface

4.Existing priorities used by various standard QoS classification systems (802.11e, 802.1p, and DSCP)

After VoIP clients associate with an SSID and begin sending traffic, the HiveAP maps all DNS and DHCP traffic to class
5, all TFTP and HTTP traffic to class 2, and all remaining traffic—voice traffic in this case—to class 6 (see Figure7).

Figure 7 MAC OUI and Service Classifier Maps for VoIP Phones

Ø·ª»ßÐ

К±ЧР Р¸±²»- º®±³ ¬¸» -¿³»
ª»²¼±® шУЯЭ СЛЧ рпжоожнмч

Ø·ª»ßÐ

ß»®±¸·ª» Ý´¿--

é

ê
ë

ì
í

î

ï
ð

рпжоожнмжЮЪжкЭжрм

рпжоожнмжлйжрЮжнЪ

рпжоожнмжлЬжрржро

ɸ»² ¬¸» ¼»-¬·²¿¬·±² °±®¬ ²«³¾»® ·² ¬¸» Ôì
¸»¿¼»® ·- ëí шЬТНч ±® êé шЬШЭРчф ¬¸»
Ш·ª»ЯР ³¿°- ¬¸» °¿½µ»¬ ¬± Я»®±¸·ª» ½´¿-- лт

ɸ»² ·¬ ·- êç шМЪМРч ±® èð шШММРчф ¬¸»
Ш·ª»ЯР ³¿°- ·¬ ¬± Я»®±¸·ª» ½´¿-- от

ÓßÝ ÑË×

É·®»´»-- Ôî

Ø»¿¼»®

ɸ»² ¬¸» ÓßÝ ÑË× ·² ¬¸» Ôî ¸»¿¼»® ·­рпжоожнмô ¬¸» Ø·ª»ßÐ ³¿°- ¬¸» °¿½µ»¬ ¬±
ß»®±¸·ª» ½´¿-- êò

Ü»-¬·²¿¬·±² ᮬ Ò«³¾»®

Ôí

Ø»¿¼»®ÔìØ»¿¼»®

Ü¿¬¿

Deployment Guide 97

Chapter 8 HiveManager Configuration Examples

By distinguishing voice traffic by the clients’ OUI and mapping it to class 6, HiveAPs can prioritize it above other
traffic types (see "Example 4: Creating User Profiles" on page113).

1.Log in to the HiveManager GUI.

2.Click Configuration > Network Objects > MAC Addresses/OUIs > New.

3.Enter the following, and then click Save:

• MAC OUI: (select)

• MAC Name: Type a name such as "VoIP_Phones". You cannot include any spaces when defining a MAC name.

Enter the following, and then click Apply:

• MAC Entry: Type the OUI for the VoIP phones used in the network; that is, type the first six numbers

constituting the vendor prefix of the MAC address. For example, if a MAC address is 01:22:34:AB:6C:04,
the OUI is 01:22:34. Type only the hexadecimal numerals without any formatting symbols such as colons
or dashes. If you do type such symbols, the GUI ignores—and does not display—them.

• Type: Choose Global because you do not need to restrict this network object to a particular set of

HiveAPs, which is what the other three options allow you to do.

• Description: Type a meaningful comment for the MAC OUI, such as the vendor that the OUI identifies.

Note: If there are phones from more than one vendor, make a separate MAC OUI entry for each one.

Mapping the MAC OUI and Services to Aerohive Classes

First, map VoIP phone MAC OUIs to Aerohive class 6. Next, map DNS and DHCP services to Aerohive class 5 and TFTP
and HTTP services to class 2. Because voice traffic is the only remaining type of traffic from phones whose MAC OUIs
you have already mapped to class 6, HiveAPs map voice traffic from those phones to class 6. Although all these
services are critical for IP telephony to function properly, voice traffic is the least resistant to delay, and TFTP and
HTTP file downloads are the most resistant. Therefore, you prioritize the different types of traffic accordingly.

1.Click Configuration > QoS Policies > Classifiers and Markers > New.

The New Classifiers and Markers dialog box appears.

2.Enter the following, and then click Save:

• Name: VoIP-QoS (You cannot include any spaces when defining a QoS policy name.)

• Description: Add a descriptive comment, such as "Mapping for VoIP phone traffic".

• Network Services: (select)

• MAC OUIs: (select)

3.Click Configuration > QoS Policies > Classifier Maps > New > General.

The New Classifier Maps dialog box appears.

4.Enter the following on the General page:

• Name: VoIP-Mapping (You cannot include any spaces when defining the name of a classifier map.)

• Description: Add a descriptive comment, such as "Mapping services and OUIs for VoIP phone traffic".

• Network Services: (select)

• MAC OUIs: (select)

98 Aerohive

EXAMPLE 2: DEFINING NETWORK OBJECTSAND MAC FILTERS

5.Click the Network Services tab, enter the following, and then click Apply:

• Service: DNS

• QoS Class: 5 - Video

• Action: Permit

• Logging: Select the check box to enable HiveAPsto log traffic that matches the service-to-Aerohive class

mapping. (HiveAPs log traffic whether the action is permit or deny.) The main use of logging traffic is to see
if the HiveAPs are receiving expected—or unexpected—types of traffic when you debug connectivity issues.
You can see the log entries in the event log on the HiveAPs (show logging buffered). Also, if you
configure the HiveAP to send event logs to a syslog server, you can see the log entries there (see "Example

6: Setting Management Service Parameters" on page120).

6.Enter the following, and then click Apply:

• Service: DHCP-Server

• QoS Class: 5 - Video

• Action: Permit

• Logging: Select the check box to enable traffic logging, or clear the check box to disable it.

7.Enter the following, and then click Apply:

• Service: TFTP

• QoS Class: 2 - Best Effort 1

• Action: Permit

• Logging: Select the check box to enable traffic logging, or clear the check box to disable it.

8.Enter the following, and then click Apply:

• Service: HTTP

• QoS Class: 2 - Best Effort 1

• Action: Permit

• Logging: Select the check box to enable traffic logging, or clear the check box to disable it.

9.Click the MAC OUIs tab, click New, enter the following, and then click Apply:

• MAC OUIs: Choose the name of the MAC OUI that you defined in "Defining a MAC OUI", such as "VoIP_Phones".

• QoS Class: 6 - Voice

• Action: Permit

• Comment: Enter a meaningful comment about the MAC OUI for future reference.

• Logging: Select the check box to enable log traffic that matches the MACOUI-to-Aerohive class mapping, or

clear the check box to disable it.

10.To save the configuration and close the dialog box, click Save.

Deployment Guide 99

Chapter 8 HiveManager Configuration Examples

Defining VLANs

You define three VLANs that you will later assign to various user profiles (see "Example 4: Creating User Profiles" on

page113). By assigning different VLANs to different user roles, their traffic remains isolated from each other; that

is, voice traffic never shares a broadcast domain with data traffic; and data traffic from guests never shares the
same broadcast domain with employee data traffic. The result is that you can provide access for certain types of
traffic to select areas of the network while blocking unauthorized access to other areas.

The VLAN IDs and the user profiles to which you will assign them are as follows:

• VLAN ID 1 for the Emp and IT user profiles (and for users not yet registered through a captive web portal)

• VLAN ID 2 for the VoIP user profile

• VLAN ID 3 for the Guests user profile

Note: When defining the following VLANs, choose Global as the VLAN type because you do not need to restrict

these VLANs to a particular set of HiveAPs, which is what the other three options allow you to do.

1.Click Configuration > Network Objects > VLANs > New, enter the following, and then click Save:

• VLAN Name: VLAN-1-EmployeeData

• Enter the following, and then click Apply:

• VLAN ID: 1

• Type: Global

• Description: VLAN for Emp, IT, and unregistered CWP users

2.Click Configuration > Network Objects > VLANs> (check box) VLAN-1-EmployeeData > Clone, make the
following changes, and then click Save:

• VLAN Name: VLAN-2-EmployeeVoice

• VLAN ID: 2

• Type: Global

• Description: VLAN for VoIP traffic

3.Click Configuration > Network Objects > VLANs> (check box) VLAN-2-VoIP > Clone, make the following
changes, and then click Save:

• VLAN Name: VLAN-3-Guests

• VLAN ID: 2

• Type: Global

• Description: VLAN for guests visiting corporate

1

1.There is a predefined VLAN definition for VLAN ID 1, so it is not really necessary to create a new VLAN object for it. However,

because later examples in this chapter refer to VLAN 1 by the name defined here ("VLAN-1-EmployeeData"), its purpose will
hopefully be clearer than if it were referred to by the simpler name of the predefined VLAN ("1").

100 Aerohive

EXAMPLE 2: DEFINING NETWORK OBJECTSAND MAC FILTERS

Creating IP Addresses

You use the IP addresses that you create here when defining management services for the HiveAPs (see "Example 6:

Setting Management Service Parameters" on page120). The IP addresses are used for DNS, SNMP, syslog, and NTP

servers. To understand the locations of the different servers on the network, see Figure15 on page120.

DNS Servers

1.Click Configuration > Network Objects > IP Addresses > New, and after entering all the following, click Save:

• Address Name: DNS-Primary

Enter the following, and then click Apply:

— IP Address: 10.1.1.25
— Netmask: 255.255.255.255
— Type: Classifier
— Value: Tag 1: hq

By classifying the IP address definition as "hq" and then later classifying all HiveAPs deployed at
headquarters as "hq", only those HiveAPs will use the 10.1.1.25 address for their primary DNS
server.

— Description: Primary DNS server located at HQ

Enter the following, and then click Apply:

— IP Address: 10.2.2.251
— Netmask: 255.255.255.255
— Type: Classifier
— Value: Tag 1: branch1

By classifying the IP address definition as "branch1" and then later classifying all HiveAPs deployed
at the branch site as "branch1", only those HiveAPs will use the 10.2.2.251 address for their primary
DNS server. Classifying the different IP address definitions within the same IP address object allows
you to use this one object in multiple locations that have different addressing schemes.

2.Click Configuration > Network Objects > IP Addresses > New, and after entering all the following, click Save:

• Address Name: DNS-Secondary

Enter the following, and then click Apply:

— IP Address: 10.1.1.26
— Netmask: 255.255.255.255
— Type: Global

Because all the HiveAPs at both the headquarters and branch site use the same secondary DNS
server, you classify it as Global. The server is located at headquarters and HiveAPs at the branch
site reach it through a VPN tunnel.

— Description: Secondary DNS server located at HQ

Deployment Guide 101

Chapter 8 HiveManager Configuration Examples

Syslog Server

Click Configuration > Network Objects > IP Addresses > New, and after entering all the following, click Save:

• Address Name: Syslog-Server

Enter the following, and then click Apply:

— IP Address: 10.1.1.23
— Netmask: 255.255.255.255
— Type: Global

Because all the HiveAPs at both the headquarters and branch site use the same syslog server, you
classify it as Global. The HiveAPs at the branch site reach the syslog server, which is also located at
headquarters, through a VPN tunnel.

— Description: Syslog server at HQ

SNMP Server

Click Configuration > Network Objects > IP Addresses > (check box) Syslog-Server > Clone, change the
following settings, click Save:

• Address Name: SNMP-Server
— IP Address: 10.1.1.24 (This is the IP address of the SNMP management system to which the SNMP

agent running on the HiveAPs sends SNMP traps.)

— Description: SNMP server at HQ

NTP Server

Click Configuration > Network Objects > IP Addresses > (check box) SNMP-Server > Clone, change the
following settings, click Save:

• Address Name: NTP-Server
— IP Address: 207.126.97.57
— Description: NTP admin wjones@time.org

RADIUS Servers

1.Click Configuration > Network Objects > IP Addresses > New, and after entering all the following, click Save:

• Address Name: RADIUS-Server-Primary

Enter the following, and then click Apply:

— IP Address: 10.1.1.15
— Netmask: 255.255.255.255
— Type: Global

Because all the HiveAPs at both the headquarters and branch site use the same RADIUS servers, you
classify them as Global. The HiveAPs at the branch site reach the RADIUS servers, which are also
located at headquarters, through a VPN tunnel.

— Description: Primary RADIUS server at HQ

2.Click Configuration > Network Objects > IP Addresses > (check box) RADIUS-Server-Primary > Clone, and
after making the following changes, click Save:

• Address Name: RADIUS-Server-Secondary
— IP Address: 10.1.2.16
— Description: Secondary RADIUS server at HQ

102 Aerohive

EXAMPLE 2: DEFINING NETWORK OBJECTSAND MAC FILTERS

Creating a MAC Filter

A MAC filter is a type of security policy that you can apply to an SSID to allow or deny access to clients attempting to
form associations based on their source MAC addresses. In this example, you define a MAC filter based on the VoIP
phone OUI and apply it to the SSID to which you want VoIP clients to associate. HiveAPs can then filter association
requests and respond only to clients whose OUI matches that in the filter (see "Example 5: Setting SSIDs" on

page117).

The MAC filter that you create here becomes useful when you define the SSID for voice traffic (see "voip SSID" on

page118). You apply this filter to the SSID so that only VoIP phones with the MAC OUI 01:22:34 can form an

association with the HiveAPs.

1.Click Configuration > Security Policies > MAC Filters > New.

The New MAC Filters dialog box appears.

2.Enter the following name and description for the MAC filter:

• Name: corpVoIPphones (You cannot include any spaces when defining a MAC filter name.)

• Description: Use this filter for "voip" SSID

Choose the name that you gave the OUI, such as "VoIP_Phones" (see "Defining a MAC OUI" on page97) from the
MAC Address/OUI drop-down list, choose Permit as the action, and then click Apply.

3.To save the MAC filter configuration and close the dialog box, click Create.

Deployment Guide 103

Chapter 8 HiveManager Configuration Examples

EXAMPLE 3:PROVIDING GUEST ACCESS

As a convenience for guests visiting the corporate headquarters or branch office, you provide them with wireless
network access. To preserve bandwidth for employees, the rate limit for guests is somewhat minimized. To maintain
security, visitors are restricted to accessing just the public LAN.

Two approaches are presented in this section:

• "Guest Access with Preshared Keys": This approach provides visitors with secured network access by using WPA

or WPA2 with preshared keys and TKIP or CCMP (AES) encryption. It does not include a means for enforcing
visitors to accept a network usage policy before receiving network access.

• "Guest Access with Captive Web Portal" on page105: A captive web portal is a way to control network access by

requiring users to authenticate or register before assigning them network and user profile settings that allow
them network access beyond the HiveAP with which they associated. With this approach, registered visitors’
activity can be tracked and stored in historical logs on a syslog server for security and compliance auditing.

For the first approach, no extra configuration is necessary other than configuring a guest user profile and SSID. For
the second approach, you might want to customize the registration form used on the captive web portal. To do that,
see "Customizing the Registration Page" on page108 and "Loading Customized Captive Web Portal Files" on page111.

Guest Access with Preshared Keys

You can provide visitors with secure but unregistered network access by issuing them a preshared key to use when
associating with the guest SSID. A receptionist can provide visitors with the preshared key along with access
instructions upon their arrival, as shown in Figure8.

Figure 8 Guest Access Using a Preshared Key

λ½»°¬·±²·-¬

The guest SSID provides secure network access for visitors. Also, by linking visitors to the guest SSID, you can
differentiate them from employees—who associate with other SSIDs (voip and corp)—so that you can apply one set
of QoS (Quality of Service) settings for visitors and other settings for employees. In addition, the user profiles for
employees and guests further separate their traffic into two different VLANs. For instructions on setting up guest
access with a preshared key, see "Guests QoS and User Profile" on page115 and "guest SSID" on page119.

Ê·-·¬±®

̸» ª·-·¬±® »²¬»®- ¬¸»
°®»-¸¿®»¼ µ»§

•¹«»-¬ïîíŒ ©¸»²
º±®³·²¹ ¿² ¿--±½·¿¬·±²
©·¬¸ ¬¸» Ø·ª»ßÐ «-·²¹
¬¸» ÍÍ×Ü •¹«»-¬Œò

Ê·-·¬±®Ž- Ô¿°¬±°

Ø·ª»ßÐ

ײ¬»®²»¬

104 Aerohive

EXAMPLE 3: PROVIDING GUEST ACCESS

Guest Access with Captive Web Portal

A captive web portal provides registered users with network access while containing unregistered users. Aerohive
offers two approaches to applying a captive web portal, one using external DHCP and DNS servers on the network
and the other using internal DHCP and DNS servers on the HiveAP itself. In the first approach, both registered and
unregistered users must be in the same VLAN because the DHCP and DNS servers that they use initially before they
register will be the same ones that they continue using after they register. In the second approach, you can separate
the unregistered and registered users into two separate VLANs because the unregistered users access the internal
DHCP and DNS servers on the HiveAPs, whereas the registered users access the external DHCP and DNS servers,
which can be in a different VLAN from the internal servers on the HiveAP.

Captive Web Portal with External DHCP and DNS Servers

With this approach, when the client of a previously unregistered visitor first associates with the guest SSID, the
HiveAP assigns the "Unregistered-Guests" user profile to the visitor. It allows DHCP and DNS traffic to pass through so
that the client can receive its address and TCP/IP assignments and resolve domain names to IP addresses. It also
allows ICMP traffic for diagnostic purposes. However, the HiveAP intercepts all HTTP and HTTPS traffic from that
client—and drops all other types of traffic—thereby limiting its network access to just the HiveAP with which it
associated. No matter what website the visitor tries to reach, the HiveAP directs the visitor’s browser to a
registration page. After the visitor registers, the HiveAP stores the client’s MAC address as a registered user, applies
the "Guests" user profile to the visitor, and stops keeping the client captive; that is, the HiveAP no longer intercepts
HTTP and HTTPS traffic from that MAC address, but allows the client to access external web servers. The entire
process is shown in Figure9.

Figure 9 Captive Web Portal Exchanges Using External DHCP and DNS Servers

ß--±½·¿¬·±² Ë-·²¹ ÍÍ×Ü •¹«»-¬Œ Я¼¼®»-- ¿²¼ МЭРсЧР Я--·¹²³»²¬-

ï î

É·®»´»-- Ý´·»²¬ É·®»´»-- ß½½»-- б·²¬ÜØÝÐ Ý´·»²¬ ÜØÝÐ Í»®ª»®

ÜØÝÐ Ü·-½±ª»®

ß--±½·¿¬·±² λ¯«»-¬

ß--±½·¿¬·±² λ-°±²-»

М¸» ½´·»²¬ º±®³- ¿² ¿--±½·¿¬·±² ©·¬¸ ¬¸» Ш·ª»ЯР
¾«¬ ¬¸» ª·-·¬±® ¸¿- ²±¬ §»¬ ®»¹·-¬»®»¼т М¸»
Ш·ª»ЯР ¿´´±©- ЬШЭРф ЬТНф ¿²¼ ЧЭУР ¬®¿ºº·½
¬¸®±«¹¸т Ч¬ ®»¼·®»½¬- ¿´´ ШММР ¿²¼ ШММРН ¬®¿ºº·½
¬± ·¬- ±©² ©»¾ -»®ª»® ¿²¼ ¼®±°- ¿´´ ±¬¸»® ¬®¿ºº·½т

ÜØÝРλ¯«»-¬

̸» Ø·ª»ßÐ ¿´´±©- ÜØÝÐ ¬®¿ºº·½ ¬± °¿-­¾»¬©»»² ¬¸» ½´·»²¬ ±º ¿² «²®»¹·-¬»®»¼ «-»® ¿²¼
¿ ÜØÝÐ -»®ª»® -± ¬¸¿¬ ¬¸» ½´·»²¬ ½¿² ®»½»·ª»

·¬- ЧР ¿¼¼®»-- ¿²¼ МЭРсЧР ¿--·¹²³»²¬-т

ÜØÝРѺº»®

ÜØÝÐ ßÝÕ

Deployment Guide 105

Chapter 8 HiveManager Configuration Examples

í ì

ÜÒÍ ß¼¼®»-- λ-±´«¬·±² ØÌÌРݱ²²»½¬·±² ¬± ¬¸» Ý¿°¬·ª» É»¾ ᮬ¿´

ÜÒÍ Ï«»®·»²¬ ÜÒÍ Í»®ª»®ØÌÌÐ Ý´·»²¬ ØÌÌÐ Í»®ª»®

ÜÒÍ Ï«»®§

ÜÒÍ Î»°´§

̸» Ø·ª»ßÐ ¿´´±©- ÜÒÍ ¯«»®·»- ¿²¼ ®»°´·»­¾»¬©»»² ¬¸» ½´·»²¬ ±º ¿² «²¹®»¹·-¬»®»¼ «-»®
¿²¼ ¿ ÜÒÍ -»®ª»®

Й¸»² ¬¸» ½´·»²¬ -»²¼- ¿² ШММР ±® ШММРН
ЩЫМ ½±³³¿²¼ф ¬¸» Ш·ª»ЯР ·²¬»®½»°¬- ·¬ ¿²¼

-»²¼- ·¬ ¬± ·¬- ØÌÌÐ -»®ª»®ô ©¸·½¸ ®»°´·»- ©·¬¸

ØÌÌÐ ÙÛÌ

λ°´§

¿ ¹«»-¬ ¿½½»-- ®»¹·-¬®¿¬·±² °¿¹»ò ̸» «-»®
³«-¬ ¿¹®»» ¬± ¿² ¿½½»°¬¿¾´» «-» °±´·½§ô º·´´ ·²

-±³» º·»´¼-ô ¿²¼ ¬¸»² -«¾³·¬ ¬¸» º±®³ò

λ¹·-¬®¿¬·±² ЬШЭРф ЬТНф ¿²¼ ШММР Ъ±®©¿®¼·²¹ë ê

ØÌÌÐ Ý´·»²¬ ØÌÌÐ Í»®ª»®

λ¹·-¬®¿¬·±²

Ï«¿®¿²¬·²»

УЯЭж ррпкж½ºи½жлй¾½

О»¹·-¬»®»¼
УЯЭж ррпкж½ºи½жлй¾½

É·®»´»--

Ý´·»²¬

É·®»´»--

ß½»-- б·²¬

Í»®ª»®-

ÜØÝÐ

ÜÒÍ

ØÌÌÐ

ߺ¬»® ¿ ¹«»-¬ ¿¹®»»- ¬± ¬¸» ¿½½»°¬¿¾´» «-»
°±´·½§ô º·´´- ·² ¬¸» º±®³ô ¿²¼ -«¾³·¬- ¬¸»
®»¹·-¬®¿¬·±²ô ¬¸» Ø·ª»ßÐ ³±ª»- ¬¸» ½´·»²¬Ž­ÓßÝ ¿¼¼®»-- º®±³ ¿ ¯«¿®¿²¬·²»¼ ´·-¬ ¬± ¿

̸» Ø·ª»ßÐ ¬¸»² ¿°°´·»- ¬¸» ®»¹·-¬»®»¼ «-»®
°®±º·´» •Ù«»-¬-Œ ¿²¼ º±®©¿®¼- ¿´´ ¬§°»- ±º ¬®¿ºº·½
¬± ¬¸» ®»-¬ ±º ¬¸» ²»¬©±®µô ¿- °»®³·¬¬»¼ ¾§
º·®»©¿´´ °±´·½·»- ¿--·¹²»¼ ¬± ¬¸¿¬ «-»® °®±º·´»ò

®»¹·-¬»®»¼ ´·-¬ò

To enable the captive web portal to forward DHCP and DNS traffic from unregistered users to external servers on the
network, click Configuration > Authentication > Captive Web Portal > New, and select Use external DHCP and
DNS servers on the network.

Note: With this captive web portal implementation, you must assign unregistered and registered users to the

same VLAN.

106 Aerohive

EXAMPLE 3: PROVIDING GUEST ACCESS

ØÌÌРݱ²²»½¬·±² ¬± ¬¸» Ý¿°¬·ª» É»¾ ᮬ¿´

Captive Web Portal with Internal DHCP and DNS Servers

With this approach, when the client of a previously unregistered visitor first associates with the guest SSID, the
HiveAP acts as a DHCP server, DNS server, and web server, limiting the client’s network access to just the HiveAP
with which it associated. No matter what website the visitor tries to reach, the HiveAP directs the browser to a
registration page. After the visitor registers, the HiveAP stores the client’s MAC address as a registered user and
stops keeping the station captive; that is, the HiveAP no longer acts as a DHCP, DNS, and web server for traffic from
that MAC address, but allows the client to access external servers. The entire process is shown in Figure10.

Figure 10 Captive Web Portal Exchanges Using Internal Servers

ß--±½·¿¬·±² Ë-·²¹ ÍÍ×Ü •¹«»-¬Œ Я¼¼®»-- ¿²¼ МЭРсЧР Я--·¹²³»²¬-

ï î

É·®»´»-- Ý´·»²¬ É·®»´»-- ß½½»-- б·²¬ÜØÝÐ Ý´·»²¬ ÜØÝÐ Í»®ª»®

ÜØÝÐ Ü·-½±ª»®

ß--±½·¿¬·±² λ¯«»-¬

ß--±½·¿¬·±² λ-°±²-»

ÜØÝРѺº»®

ÜØÝРλ¯«»-¬

ÜØÝÐ ßÝÕ

ÍÍ×Ü •¹«»-¬Œ
̸» ½´·»²¬ º±®³- ¿² ¿--±½·¿¬·±² ©·¬¸ ¬¸» Ø·ª»ßÐ

¾«¬ ¬¸» ª·-·¬±® ¸¿- ²±¬ §»¬ ®»¹·-¬»®»¼т М¸»
Ш·ª»ЯР ¼·®»½¬- ¿´´ ЬШЭРф ЬТНф ¿²¼ ШММР
¬®¿ºº·½ º®±³ «²®»¹·-¬»®»¼ ¹«»-¬- ¬± ·¬-»´º ·²-¬»¿¼
±º ¿´´±©·²¹ ·¬ ¬± ¬¸» ®»-¬ ±º ¬¸» ²»¬©±®µт

í ì

ÜÒÍ Ï«»®·»²¬ ÜÒÍ Í»®ª»®ØÌÌÐ Ý´·»²¬ ØÌÌÐ Í»®ª»®

É·´¼½¿®¼ ß ®»½±®¼ ·² ¬¸» ®±±¬ ¦±²» •òŒ ±² ¬¸»
Ø·ª»ßÐ ÜÒÍ -»®ª»®æ ц ·² ¿ пйотпктптп

М¸» ЬТН -»®ª»® ®»-±´ª»- ¿´´ ¼±³¿·²
²¿³»у¬±у¿¼¼®»-- ¯«»®·»- ¬± ¬¸» -¿³» ЧР
¿¼¼®»--ф ©¸·½¸ ·² ¬¸·- ½¿-» ·- пйотпктптпт

ÜÒÍ ß¼¼®»-- λ-±´«¬·±²

ÜÒÍ Ï«»®§

ÜÒÍ Î»°´§

ЧР Я¼¼®»--ж пйотпктпто
Т»¬³¿-µж оллтоллтоллтр
Ь»º¿«´¬ Щ¿¬»©¿§ж пйотпктптпц
ЬШЭР Н»®ª»®ж пйотпктптпц
ЬТНж пйотпктптпц
Ф»¿-»ж пр Н»½±²¼-

ö Þ§ ¼»º¿«´¬ô ¿ Ø·ª»ßÐ ¿--·¹²- ×Ð ¿¼¼®»--»- ¬±

-«¾·²¬»®º¿½»- º±® ½¿°¬·ª» ©»¾ °±®¬¿´ «-» ¿- º±´´±©-æ

©·º·ртп Š ©·º·ртй пйотпктптп Š пйотпктйтп
©·º·птп Š ©·º·птй пйотпктпптп Š пйотпктпйтп

ØÌÌÐ ÙÛÌ

λ°´§

ɸ»² ¬¸» ØÌÌÐ ½´·»²¬ -»²¼- ¿ ÙÛÌ
½±³³¿²¼ô ¬¸» ØÌÌÐ -»®ª»® ®»°´·»- ©·¬¸ ¿
¹«»-¬ ¿½½»-- ®»¹·-¬®¿¬·±² °¿¹»ò ̸» «-»®
³«-¬ ¿¹®»» ¬± ¿² ¿½½»°¬¿¾´» «-» °±´·½§ô º·´´

·² -±³» º·»´¼-ô ¿²¼ ¬¸»² -«¾³·¬ ¬¸» º±®³ò

Deployment Guide 107

Chapter 8 HiveManager Configuration Examples

ë ê

ØÌÌÐ Ý´·»²¬ ØÌÌÐ Í»®ª»® É·®»´»--

ߺ¬»® ¿ ¹«»-¬ ¿¹®»»- ¬± ¬¸» ¿½½»°¬¿¾´» «-»
°±´·½§ô º·´´- ·² ¬¸» º±®³ô ¿²¼ -«¾³·¬- ¬¸»
®»¹·-¬®¿¬·±²ô ¬¸» Ø·ª»ßÐ ³±ª»- ¬¸» ½´·»²¬Ž­ÓßÝ ¿¼¼®»-- º®±³ ¿ ¯«¿®¿²¬·²»¼ ´·-¬ ¬± ¿
®»¹·-¬»®»¼ ´·-¬ò

To enable the captive web portal to forward DHCP and DNS traffic from unregistered users to its internal servers,
click Configuration > Authentication > Captive Web Portal > New, and select Use internal DHCP and DNS servers
on the HiveAP. By default, the internal DHCP server issues leases with a ten-second lifetime, and if a client with a
nonexistent lease requests a lease renewal, the HiveAP responds by broadcasting a DHCP NAK. You can change the
HiveAP response so that it sends a unicast NAK or ignores the request completely (Keep Silent).

Note: With this captive web portal implementation, you can assign unregistered and registered users to the same

VLAN or to different VLANs.

λ¹·-¬®¿¬·±² ЬШЭРф ЬТНф ¿²¼ ШММР Ъ±®©¿®¼·²¹

Í»®ª»®-

λ¹·-¬®¿¬·±²

Ï«¿®¿²¬·²»

УЯЭж ррпкж½ºи½жлй¾½

О»¹·-¬»®»¼
УЯЭж ррпкж½ºи½жлй¾½

Ý´·»²¬

М¸» Ш·ª»ЯР ¿°°´·»- ¬¸» •Щ«»-¬-Œ «-»® °®±º·´»
¿²¼ º±®©¿®¼- º«®¬¸»® ЬШЭРф ЬТНф ¿²¼ ШММР
®»¯«»-¬- ¬± »¨¬»®²¿´ -»®ª»®- ±² ¬¸» ²»¬©±®µт
Ю»½¿«-» ¬¸» ЬШЭР ´»¿-» ·- ±²´§ пр -»½±²¼-ф
¬¸» ¬®¿²-·¬·±² ¬± ¬¸» »¨¬»®²¿´ -»®ª»®- ±½½«®­ª»®§ -±±² ¿º¬»® ¬¸» ®»¹·-¬®¿¬·±² ½±³°´»¬»-т

É·®»´»--

ß½»-- б·²¬

ÜØÝÐ

ÜÒÍ

ØÌÌÐ

Customizing the Registration Page

Although Aerohive provides .html and .jpg files for use on the captive web portal server, you might want to
customize them to better suit your organization. There are six files, four of which are shown in Figure11:

• index.html (the main registration page) • loginscreen_02.jpg (image at the top of web pages)

• success.html (page that appears after registering) • loginscreen_03.jpg (yellow line near top of web pages)

• reg.php (script stored on internal web server) • loginscreen_05.jpg (image at bottom of index.html)

108 Aerohive

EXAMPLE 3: PROVIDING GUEST ACCESS

Figure 11 Captive Web Portal Registration Page

¸¬¬°жсс©©©т½©°у´±¹·²урупт½±³с·²¼»¨т¸¬³´

̱ ³±¼·º§ ¬¸» ®»¹·-¬®¿¬·±² °¿¹»ô

ß«¬¸»²¬·½¿¬»¼ Ò»¬©±®µ ß½½»--

Ë-»® Ò¿³»æ

п--©±®¼æ

Ñ°»² Ù«»-¬ Ò»¬©±®µ ß½½»--

ß½½»°¬¿¾´» Ë-» б´·½§

ïòð Ѫ»®ª·»©
̸·- ½±³°¿²§Ž- ·²¬»²¬·±²- º±® °«¾´·-¸·²¹ ¿²
ß½½»°¬¿¾´» Ë-» б´·½§ ¿®» ²±¬ ¬± ·³°±-»
®»-¬®·½¬·±²- ¬¸¿¬ ¿®» ½±²¬®¿®§ ¬± ¬¸·­½±³°¿²§ò Û-¬¿¾´·-¸»¼ ½«´¬«®» ±º ±°»²²»--ô
¬®«-¬ ¿²¼ ·²¬»¹®·¬§ò ̸·- ½±³°¿²§ ·­½±³³·¬¬»¼ ¬± °®±¬»½¬·²¹ ¬¸·- ½±³°¿²§Ž-

× ¿¹®»»

Ú·®-¬ Ò¿³»æ

ö

Ô¿-¬ Ò¿³»æ

ö

Û³¿·´æ

ö

и±²»æ

Ê·-·¬·²¹æ

ö

ݱ³³»²¬æ

Í«¾³·¬

Ú·»´¼- ³¿®µ»¼ ©·¬¸ ¿² ¿-¬»®·-µ ö ¿®» ®»¯«·®»¼ò

Í«¾³·¬

´±¹·²-½®»»²Áðîò¶°¹ øíðì ¨ ëê °¨÷

´±¹·²-½®»»²Áðíò¶°¹ øìëð ¨ ì °¨÷

д¸¬³´в
д¸»¿¼в
д¬·¬´»в´±¹·²-½®»»²дс¬·¬´»в
д³»¬¿ ¸¬¬°у»¯«·ªгюЭ±²¬»²¬уМ§°»ю
½±²¬»²¬гю¬»¨¬с¸¬³´е ½¸¿®-»¬г·-±уиилзупюв
д-¬§´» ¬§°»гю¬»¨¬с½--юв
дяуу
т-¬§´»п ¥
º±²¬уº¿³·´§ж Я®·¿´ф Ш»´ª»¬·½¿ф

-¿²-ó-»®·ºå
º±²¬ó©»·¹¸¬æ ¾±´¼å
º±²¬ó-·¦»æ ïì°¨å
£
ò ò ò

·²¼»¨ò¸¬³´

´±¹·²-½®»»²Áðëò¶°¹ øìëð ¨ ëð °¨÷

¼± ¬¸» º±´´±©·²¹æ

ïò Í»¬ «° ¿ ½¿°¬·ª» ©»¾ °±®¬¿´ ±²

¿² ННЧЬт

îò ß½¬·²¹ ¿- ¿ ½´·»²¬ô ³¿µ» ¿²

¿--±½·¿¬·±² ©·¬¸ ¬¸¿¬ ННЧЬт

íò ɸ»² §±« -»» ¬¸» ®»¹·-¬®¿¬·±²

°¿¹» ·² §±«® ¾®±©-»®ô -¿ª» ·¬
¿²¼ ·¬- ¿½½±³°¿²§·²¹ ·³¿¹»-ò

ìò Ë-» ¿ ¹®¿°¸·½- °®±¹®¿³ ¬±

½®»¿¬» ²»© ò¶°¹ ·³¿¹»-ò

ëò Ë-» ¿ ¬»¨¬ »¼·¬±® ¬± ³±¼·º§ ¬¸»

¬»¨¬ ·² ¬¸» ·²¼»¨ò¸¬³´ º·´»ò

êò Ë°´±¿¼ ¬¸» º·´»- ¬± ¬¸» Ø·ª»ßÐò

Ò±¬»æ ̸» ®»-±´«¬·±² º±® ¿´´ ·³¿¹»-

·- çê ¼°·ò ̸» ¾·¬ ¼»°¬¸ ·- îìò

Unregistered users’ browsers are redirected to the registration page (index.html) of the captive web portal for the
SSID to which they associate (the guest SSID in the examples here). You can have a different registration page for
each SSID.

To access the default set of .html and .jpg files on a HiveAP, do the following:

1.Configure a guest SSID as explained in "guest SSID" on page119 and complete the rest of the HiveAP steps
explained in this chapter to bring a HiveAP under HiveManager management.

Note: An alternative approach is to log in to the console port of an individual HiveAP that you have

connected to the network—see "Step 1 Log in through the console port" on page150—and enter the
following commands:

ssid guest

ssid guest security additional-auth-method captive-web-portal

interface wifi0 ssid guest

save config

2.Position your management system near the HiveAP and form an association with it using the guest SSID.

3.Open a web browser. When it tries to open its home page, the HiveAP intercepts the HTTP traffic and redirects
it to the captive portal web server.

4.Save the registration page to your local system. In Microsoft Internet Explorer®, for example, click File >
SaveAs, name it index, and in the Save as type field, choose Webpage, complete (*.htm, *.html) .

5.Open the directory where you saved the index.html file.

In addition to the index.html file, there is also an images directory containing the three .jpg files that
index.html references: loginscreen_02.jpg, loginscreen_03.jpg, and loginscreen_05.jpg.

6.Because the directory structure in the HiveAP is different, move the three .jpg files to the same directory as
index.html. Optionally, delete those three images and create your own new images, saving them in the same
directory as the index.html file.

7.Open index.html with a text editor and make the following changes:

Deployment Guide 109