
Aerohive Configuration Guide

RADIUS Authentication
Aerohive Configuration Guide: RADIUS Authentication | 2

Copyright © 2012 Aerohive Networks, Inc. All rights reserved


Aerohive Networks, Inc.
330 Gibraltar Drive
Sunnyvale, CA 94089
P/N 330068-03, Rev. A

To learn more about Aerohive products visit www.aerohive.com/techdocs

Aerohive Networks, Inc.



Contents

IEEE 802.1X Primer (p. 4)
Example 1: Single Site Authentication (p. 6)
    Step 1: Configuring the Network Policy (p. 7)
    Step 2: Configuring the Interface and User Access (p. 7)
    Step 3: Uploading the Configuration and Certificates (p. 9)
Example 2: Remote Site Authentication (p. 10)
    Step 1: Preliminary VPN Tunnel Configuration (p. 11)
    Step 2: Configuring the Network Policy (p. 11)
    Step 3: Configuring the Interface and User Access (p. 11)
    Step 4: Uploading the Configuration and Certificates (p. 15)
Example 3: Remote Site Authentication with Aerohive RADIUS (p. 15)
    Overview of the Complete DHCP Exchange (p. 16)
    Configuration Steps (p. 18)
    Step 1: Cloning a Working Network (p. 18)
    Step 2: Configuring the User Data Store (p. 19)
    Step 3: Configuring a Network Policy and SSID (p. 19)
    Step 4: Configuring User Profile and Network Settings (p. 21)
    Step 5: Uploading the Configuration and Certificates (p. 21)
Integrating Active Directory with an Aerohive RADIUS Server (p. 22)
    Configuration Steps (p. 22)
    Step 1: Cloning a Working Network (p. 23)
    Step 2: Configuring the User Data Store (p. 23)
    Step 3: Configuring a Network Policy and SSID (p. 24)
    Step 4: Configuring User Profile and Network Settings (p. 26)
    Step 5: Uploading the Configuration and Certificates (p. 26)
    Step 6: Installing the Root Certificate on a Windows Client (p. 27)


IEEE 802.1X Primer


The IEEE 802.1X-2010 standard defines an authentication framework that provides for the secure exchange of information that is
independent of the architecture of the network. IEEE 802.1X authentication was first created before the rapid adoption of wireless
networking and can be deployed on both wired and wireless networks. Figure 1 below illustrates the basic 802.1X authentication
process in the context of a wireless network.

Figure 1 Basic 802.1X/EAP authentication exchange


In the vocabulary of 802.1X, the client device (for example, laptop) is called the supplicant. Supplication is the formal request for
services; an 802.1X supplicant is a device that requests access to network services.
The 802.1X authenticator is, in a wireless network, the access point. The authenticator acts as the intermediary between the
supplicant and the authentication server, making certain that only authentication traffic is allowed to pass until the supplicant
device is properly authenticated. To accomplish this, the authenticator must also accept EAPOL (Extensible Authentication Protocol
over LAN) frames (EAP—Extensible Authentication Protocol—is a Layer 2 authentication protocol) from the supplicant and convert
them to RADIUS packets (RADIUS is a Layer 3 protocol) to send to the RADIUS server. The conversion must be reversed for
messages traveling from the RADIUS server to the supplicant.

The authenticator does not take an active role in the identity verification process; rather, it only acts as a gatekeeper device.

The 802.1X authentication server contains the information used to authenticate the supplicant. If the credentials supplied by the
supplicant match information in the data store, then the authentication server notifies the authenticator that the supplicant is
authorized to access the network; the authenticator in turn notifies the supplicant by means of an EAP-Success frame. If the
credentials do not match, then the authentication server notifies the authenticator that the supplicant has no access to the network;
the authenticator in turn notifies the supplicant by means of an EAP-Failure frame.
The EAP type in use changes how the authentication exchange proceeds. For example, with EAP-TLS (Transport Layer Security),
the server and supplicant each hold a certificate that the other uses to verify its identity, so no username or password is
required; the resulting exchange necessarily carries much additional information. Similarly, with EAP-PEAP (Protected EAP), which
uses no client-side certificates, the server and supplicant build a TLS tunnel specifically for exchanging identity information and
performing cryptobinding (a verification step that helps prevent man-in-the-middle attacks). Figure 2 below illustrates the
EAP-PEAP process.

Figure 2 Protected EAP (PEAP) authentication exchange


Example 1: Single Site Authentication


Even a single-site network needs secure network authentication. Unfortunately, in small or single-site networks security too
often becomes secondary to ease of setup, when this need not be the case.
You can achieve secure network authentication in a small, self-contained network using a RADIUS server. RADIUS servers are
available bundled with network operating systems such as Windows Server 2008 (the RADIUS implementation in Windows Server
2008 is called Network Policy Server, or NPS), or as free services that you can install on server hardware running Windows,
MacOS, or Linux.
In this example you configure Aerohive APs to send authentication requests from users to a RADIUS server that is on the local
network (Figure 3). Once authenticated, the client devices can access network resources and the Internet. In this configuration,
there is a RADIUS service running on non-Aerohive hardware and local network resources, but no remote sites or VPN tunnels.

Figure 3 Single site configuration


When a client associates with an AP, it uses standard 802.11 association processes. After the association is complete, the AP, now
aware of the presence of the client and configured to do so, initiates an 802.1X/EAP (Extensible Authentication Protocol)
authentication process by sending the client device an EAP-Request/Identity frame. The client responds with its EAP-
Response/Identity frame.
Because the users must authenticate against the RADIUS server, the AP unpacks the EAP-Response/Identity frame, which includes
user or client identification information such as username and hashed password, and repackages it as a RADIUS Access-Request
packet. In this way, the AP acts as an intermediary device, relaying authentication information between the user and the RADIUS
server.


Step 1: Configuring the Network Policy


A network policy is a collection of configuration settings that can apply to multiple Aerohive devices. For example, when
configuring 802.1X/EAP on your network, you can create a network policy and upload it only to specific devices, such as only
where 802.1X authentication is needed. This arrangement provides a great deal of flexibility in your network design.
In this example you create a wireless-only network policy called "Corp-Net-Policy", the first step of which is creating the container
object that will, on completion, contain an SSID, VLAN, VPN, and other settings. Here you specify only the name of the policy, the
hive in which it operates, and whether routing is configured.

To begin, configure the network policy, either by creating a new policy or by editing or reusing a previously created one.
Aerohive also provides a basic working wireless-only network policy called QuickStart-Wireless-Only that you can clone and use to
build a custom network policy; this is the process that Aerohive recommends and that this example uses. To clone the policy,
highlight QuickStart-Wireless-Only in the Choose Network Policy dialog box, click the More icon (it appears as two fitted gears),
and choose Clone from the drop-down list. This creates a copy of the QuickStart-Wireless-Only policy that you can rename. Enter
the following information in the New Network Policy dialog box, and then click Clone:

The More icon appears only when you highlight a list item. Hereafter the sequence of cloning a list item is “click More > Clone”.

Name: Corp-Wireless

Description: Enter a helpful description of the policy that you can use for simple reference.

Hive: Choose the hive that you want this policy to govern.

Step 2: Configuring the Interface and User Access


When you clone the QuickStart-Wireless-Only network policy, the new policy contains no configuration information at all. On
completing the steps above, HiveManager automatically advances to the Configure Interface & User Access panel, where you configure
the SSID, authentication, user profile, VLAN settings, and so on.

Configuring the SSID


The SSID configuration is where the access security, beacon properties, radio settings, and so on are defined. In this example you
configure an SSID that uses WPA/WPA2 802.1X Enterprise security.

Click the Choose button next to SSIDs, click New, enter the following information, leaving all other settings at their default values,
and then click Save:

Profile Name: Corp-8021X

SSID: Enter the SSID you want broadcast in beacons and probe responses. HiveManager populates this field with the contents
of the Profile Name field by default, but you can change it.

SSID Broadcast Band: 2.4 GHz & 5 GHz (11n/a + 11n/b/g)

Description: Enter a brief, helpful description.

WPA/WPA2 802.1X (Enterprise): (select)

Because this selection requires you to configure a RADIUS instance, when you select WPA/WPA2
802.1X (Enterprise), HiveManager automatically prepares the appropriate prompts for you to use to
create the RADIUS instance required.

Select Corp-8021X from the Choose SSIDs dialog box, and then click OK to return to the Configure Interface & User Access panel.


Because you selected WPA/WPA2 802.1X (Enterprise), a <RADIUS_Settings> link is now available in the Authentication column.
This link allows you to configure an Aerohive AP as a NAS (network access server). In this role, the Aerohive AP takes EAPOL
request packets from the client, re-encapsulates the requests as RADIUS packets, and then forwards them to the RADIUS
server.

Configuring the RADIUS settings


Here you configure the AP to communicate with the RADIUS server. To configure this section successfully, you must have the IP
address and authentication port number of the RADIUS server, and the shared secret.

Click <RADIUS_Settings>, and then click New to create a RADIUS client (that is, a NAS, or network access server) with the
settings necessary to communicate with a RADIUS authentication server, enter the following information, and then click Save.

RADIUS Name: Corp-RADIUS-Profile

Description: Enter a helpful description.

RADIUS Servers

For the Aerohive APs to function as NAS devices, they must be able to find and communicate with the RADIUS server. In
this section you configure the settings necessary for a NAS to find, authenticate, and communicate with the RADIUS
server. To do so, enter the following information in the Add a New RADIUS Server section, leaving all other fields at their
default values, and then click Apply:

Obtain an Aerohive RADIUS server address through DHCP options: (clear)

Clearing this checkbox reveals the additional settings below.

IP Address/Domain Name: 10.0.0.13

The IP address given here is the static IP address of the RADIUS server.

Server Type: Authentication

Shared Secret and Confirm Secret: S3cr37

In normal operating circumstances, the shared secret is typically very long and secure. RADIUS
servers use the shared secret to verify that the incoming RADIUS messages are sent by authorized
NAS devices.

Server Role: Primary

The primary RADIUS server is the server that the authenticator queries first when authenticating a user.
If you have multiple RADIUS servers acting in backup roles in case the primary loses connectivity,
you can configure additional backup RADIUS servers and priority roles on this page as well.
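As an added illustration of the NAS role and the shared-secret check described above (this is not Aerohive code and not part of the guide): the following Python builds the RADIUS Access-Request that carries a supplicant's EAP-Response/Identity and shows how the NAS validates the server's Access-Accept using the shared secret. The secret S3cr37 is the guide's example value; the user name, NAS address and Request Authenticator are constructed for illustration.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types used here (RFC 2865, RFC 3579).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS = 1, 4
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
# EAP code / type for the EAP-Response/Identity frame (RFC 3748).
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def eap_response_identity(eap_id: int, identity: str) -> bytes:
    """The EAP-Response/Identity packet the supplicant sends inside an EAPOL frame:
    Code, Identifier, Length (whole EAP packet), Type, Type-Data."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def _attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1 byte), Length (1 byte, header included), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def _packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """RADIUS header (Code, Identifier, Length, 16-byte Authenticator) plus attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(secret: bytes, ident: int, request_auth: bytes,
                         identity: str, nas_ip: str, eap_id: int = 1) -> bytes:
    """What the NAS does: carry the EAP packet in an EAP-Message attribute and sign
    the whole request with a Message-Authenticator (HMAC-MD5 keyed with the shared
    secret), which RFC 3579 requires whenever EAP-Message is present.
    request_auth is the 16-byte random Request Authenticator chosen by the NAS."""
    attrs = _attr(ATTR_USER_NAME, identity.encode())
    attrs += _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += _attr(ATTR_EAP_MESSAGE, eap_response_identity(eap_id, identity))
    # The HMAC covers the packet with the Message-Authenticator value zeroed.
    zeroed = _packet(ACCESS_REQUEST, ident, request_auth,
                     attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return _packet(ACCESS_REQUEST, ident, request_auth,
                   attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac))


def response_authenticator(secret: bytes, code: int, ident: int,
                           request_auth: bytes, attrs: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    Only a server that knows the shared secret can produce this value, which is how
    the NAS tells a genuine Access-Accept from a forged one."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(secret: bytes, code: int, ident: int,
                   request_auth: bytes, attrs: bytes = b"") -> bytes:
    """Server side: an Access-Accept or Access-Reject answering a given request."""
    auth = response_authenticator(secret, code, ident, request_auth, attrs)
    return _packet(code, ident, auth, attrs)


def verify_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """NAS side: accept a reply only if its Identifier matches the outstanding request
    and its Response Authenticator verifies under the NAS's copy of the secret."""
    if len(request) < 20 or len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = response_authenticator(secret, code, ident, request[4:20], response[20:])
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    # Constructed values: the guide's shared secret, an invented NAS address and user.
    secret = b"S3cr37"
    req_auth = bytes(range(16))          # a real NAS picks this at random per request
    request = build_access_request(secret, 7, req_auth, "alice", "10.0.0.2")
    accept = build_response(secret, ACCESS_ACCEPT, 7, req_auth)
    print("genuine accept verifies:", verify_response(secret, request, accept))
    print("wrong-secret accept verifies:", verify_response(b"wrong", request, accept))
```

Because both checks are MD5-based constructions keyed only by the secret, a short secret such as the guide's example is what makes forged replies feasible, which is why the text calls for a long one in production.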


Configuring the User Profile


The user profile contains, at minimum, the attribute number and VLAN information that the Aerohive authenticator uses to identify
the user and applies to user traffic on successful authentication. An Aerohive AP can assign different user profiles to a user based
on the attributes that the RADIUS server returns: if the RADIUS server authenticates a user and returns a specific attribute value,
the AP selects the user profile containing the matching attribute number and applies it to the user. There are three outcomes of
this process:

• User is not authenticated. If a user fails authentication, then the AP assigns no attribute and denies the user access to the
network.
• User is authenticated, but the RADIUS server returns no attribute. Upon successful user authentication, the RADIUS server
might be configured not to return an attribute for that particular user or group. When this occurs, you configure the AP to
apply a default user profile to the user. All authenticated users that have no RADIUS attributes returned receive this
profile.
• User is authenticated and the RADIUS server returns an attribute. Upon successful user authentication, if the RADIUS server
returns an attribute for that user (or the group to which the user belongs), then the AP applies the user profile with the
matching attribute to traffic from the user.

Click the Add/Remove link in the User Profile column to choose a user profile, click New, enter the following information, leaving
all others as their default values, and then click Save:

Name: Corp-User-Wireless

Attribute Number: 5

This is the RADIUS attribute you want to map to this user profile. You can configure a RADIUS server
to return a set of three attribute-value pairs that, together, Aerohive devices can use to map to specific
user profiles. For example, if you configure your RADIUS server to return “Tunnel-Medium-Type =
IPv4”, “Tunnel-Type = GRE”, and “Tunnel-Private-Group-Id = ‘5’” on successful authentication,
Aerohive devices automatically decode this to mean that the authenticated user receives the user
profile with an attribute of 5.

Network or VLAN-only Assignment: 1

This example assigns authenticated user traffic to VLAN 1, which is the default VLAN for most
networks. If your network uses a different default VLAN, or if you have a specific VLAN already
configured on your network that you want to use for this configuration, enter the VLAN ID here.

Description: Enter a helpful description.

Highlight Corp-User-Wireless(5) in the dialog box, and then click Save.

The settings in the Management VLAN, L2 VPN, and Additional Settings sections do not need to be adjusted and can be left
unconfigured.

Step 3: Uploading the Configuration and Certificates


You must update the configurations of all Aerohive APs that you want to use with the RADIUS server. If you add or make changes
to your RADIUS or VPN implementation, you must also upload the certificates that the devices use to authenticate one another. By
default, HiveManager uploads certificates for RADIUS and VPN services automatically; however, you can opt not to upload
certificates (when you have made no changes to these services) by clearing the Upload and activate certificates for RADIUS and
VPN services check box on the Monitor > All Devices > device_name > Update > Upload and Activate Configuration page.

To update your APs, click the Configure & Update Devices collapsible tab at the bottom of the Configuration module, select the
check boxes next to the APs you want to update, and then click Upload.


Example 2: Remote Site Authentication


If your corporate RADIUS server is authenticating remote users, it must do so through a VPN. You can accomplish this by using a
Layer 2 or Layer 3 VPN. In this example you configure a Layer 3 VPN from an Aerohive router to a CVG. RADIUS messages are
sent through the tunnel to the RADIUS authentication server at the corporate site.
Using the Aerohive router, you can easily construct a Layer 3 VPN tunnel between the router and the CVG (Cloud VPN Gateway).
Figure 4 below shows how authentication occurs when using an Aerohive router both for originating the VPN tunnel and accessing
the wireless network. It is also possible to attach Aerohive access points to the branch router to extend the wireless coverage. In
that case, whichever access point the user associates with acts as the 802.1X authenticator, and forwards the
authentication exchanges through the tunnel to the RADIUS authentication server at the corporate site.

Figure 4 Remote site authentication


Step 1: Preliminary VPN Tunnel Configuration


To configure networking among one or more branch offices, you must first install and configure the CVG (Cloud VPN Gateway).
You install the CVG on a virtualization server, such as ESXi 4 or later, and then use HiveManager to configure the Layer 3 VPN
tunnels between the CVG and the Aerohive routers at the remote sites.

For more information on installing and configuring the CVG, please refer to the Aerohive Deployment Guide.
After you configure the CVG and verify that it has a CAPWAP connection to HiveManager, you can continue with the configuration
of the APs and routers.

Step 2: Configuring the Network Policy


In this example you clone the existing QuickStart-Wireless-Routing network policy as the basis for your new wireless routing policy.
Because the QuickStart-Wireless-Routing policy is a fully operational network policy, when you clone it, the resulting policy is also
fully functional and has a default SSID, and wireless and LAN settings already configured. Customizing your network policy
requires only that you substitute the default settings with your custom settings.

If you followed the steps in the Aerohive Deployment Guide to install and configure the CVG and used the names provided in that
procedure, then you have already created a cloned network policy (QuickStart-Wireless-Routing2) and can use that network
policy here by highlighting the name, clicking OK, and then skipping to step 4 below.

To clone the QuickStart-Wireless-Routing network policy, highlight QuickStart-Wireless-Routing in the dialog box, click
More > Clone, enter the following information in the Clone Network Policy dialog box, and then click Clone:

Name: Corp-Net-Routing

Description: Replace the default description with a helpful description of the policy that you can use for later reference.

Hive: Choose the hive that you want this policy to govern.

When you click Clone, the New Network Policy dialog disappears and your new policy becomes available in the Choose Network
Policy dialog box. Highlight Corp-Net-Policy, and then click OK.

Step 3: Configuring the Interface and User Access


Network policies cloned from the existing QuickStart-Wireless-Routing already contain working configurations, including a default
SSID (QS-SSID) and LAN profile (QS-LAN), and a default user profile and network for both the wireless and routing settings.
Replace each default setting in turn with the settings described in the following sections.


Step 3.1: Configuring the SSID


The SSID configuration is where you define the access security and wireless properties. In this example you configure an SSID
that uses WPA/WPA2 802.1X Enterprise security.

Click the Choose button next to SSIDs, click New, enter the following information, leaving all other settings at their default values,
and then click Save:

Profile Name: Corp-8021X-2

SSID: Corp-8021X-2

HiveManager populates this field with the contents of the Profile Name field by default, but you can
change it.

SSID Broadcast Band: 2.4 GHz & 5 GHz (11n/a + 11n/b/g)

Description: Enter a brief, helpful description.

WPA/WPA2 802.1X (Enterprise): (select)

By default, both QS-SSID and Corp-8021X-Routing SSIDs are highlighted. Highlight Corp-8021X-Routing only in the Choose SSIDs
dialog box, and then click OK to return to the Configure Interface & User Access panel.

Clicking a highlighted item in the dialog box clears the selection.

Configuring the RADIUS settings

Because the Corp-RADIUS-Profile configuration is defined in the previous example, you do not need to configure a new RADIUS
server for this example. To use the existing Corp-RADIUS-Profile settings, click <RADIUS_Settings>, highlight Corp-RADIUS-
Profile in the dialog box, and then click OK.

You can view the details of the existing configuration by referring to the “Configuring the RADIUS settings” section on page 8.

Configuring User Profiles

The user profile contains, at minimum, the attribute number and VLAN information that the Aerohive authenticator uses to identify
the user and applies to user traffic on successful authentication. An Aerohive device can assign different user profiles to a user
based on the attributes that the RADIUS server returns: if the RADIUS server authenticates a user and returns a specific attribute
value, the AP selects the user profile containing the matching attribute number and applies it to the user. As explained in the
“Configuring the User Profile” section on page 9, you can assign a default profile for authenticated users for whom the RADIUS
server returns no attributes, and explicitly specify user profiles for users according to the attributes that the RADIUS server
returns on authentication.

To configure a user profile for the LAN ports, return to the Configure Interfaces & User Access panel (by clicking Configuration to
display the guided configuration module, and expanding the Configure Interfaces & User Access panel), click the Add/Remove link in
the User Profile column to choose a user profile, click New, enter the following information, leaving all others as their default
values, and then click Save:

Name: Corp-User


Attribute Number: 10

This is the RADIUS attribute you want to map to this user profile. You can configure a RADIUS server
to return a set of three attribute-value pairs that, together, Aerohive devices can use to map to specific
user profiles. For example, if you configure your RADIUS server to return “Tunnel-Medium-Type =
IPv4”, “Tunnel-Type = GRE”, and “Tunnel-Private-Group-Id = ‘10’” on successful authentication,
Aerohive devices automatically decode this to mean that the authenticated user receives the user
profile with an attribute of 10.

Network or VLAN-only Assignment: New ( + )

Because you cannot use a wireless-only user profile in a wireless routing network, you must either use
the built-in QS-176.28.0.0/16 network or create a new network here. In this example you create a new
10.0.0.0/16 network. In more complex networks or environments you have the option of creating
additional custom networks.
When you click New ( + ) to create a new network, a new dialog box appears. To create a new 10.0.0.0/16 network, enter
the following information:

Name: 10.0.0.0/16

You can enter any name you choose up to 32 characters long; however, using the actual network name
and prefix of the network you intend to use is generally more intuitive for most implementations.

Description: Replace the default description with a brief, helpful description.

Subnetworks

In this example, you create a single 10.0.0.0/16 network to replace the default network of 176.28.0.0/16.
To configure this network, do the following:

1. Configure the network you want to use. To do this, click New, enter the following information, and then click
Save:

IP Network: 10.0.0.0/16

IP Address Allocation: Position the slider to configure 256 branches with 253 clients per branch.

Each position on the slider represents the netmask of each possible subnet, doubling or halving the
number of branches. Moving the slider to the right increases the number of subnets, whereas moving
the slider to the left decreases the number of subnets you configure. Because the total number of IP
addresses is constant (defined by the IP Network value), increasing the number of branches decreases
the number of clients per branch.
Enable DHCP server: (select)

When Enable DHCP server is selected, the router acts as a DHCP server, providing IP addresses to
DHCP clients on the network. For each subnet, the router reserves the first available IP address in the
subnet for itself.

2. Remove the default network. To do this, select the 172.28.0.0/16 network, and then click Remove.

You can perform the two preceding steps in any order.

Click Save to create the network and return to the user profile configuration.

Description: Enter a helpful description.


After you create the user profile, you are returned to the Choose User Profiles dialog box. Click the Default tab on the left side of the
dialog box, highlight Corp-User(10), and then click Save.

You must select one and only one default user profile. If you create only one user profile for use in your network, then that user
profile must be the default. When you create a user profile, that user profile appears in the selection dialog box with its attribute
number in parentheses for your convenience.

Step 3.2: Configuring the Router LAN Ports


The LAN profile contains the settings for how users attach to the network through the Ethernet ports. The Ethernet ports on the
BR100, BR200, and BR200-WP routers are individually configurable, but you have the option to include multiple—or all—ports in a
single LAN profile. If you use an AP330 or 350 configured as a router, then only one port is available to configure.
In this example you configure only Ethernet ports ETH1 and ETH2 to use 802.1X/EAP authentication.

To configure an Ethernet port, click the Choose button next to LANs, click New, enter the following information, leaving all other
settings at their default values, and then click Save:

Profile Name: Corp-8021X-LAN

Description: Enter a brief, helpful description.

Interfaces: Highlight ETH1 and ETH2. Click ETH3 and ETH4 to clear the selections.

Enable 802.1X: (select)

By default, both QS-LAN and Corp-8021X-LAN profiles are highlighted. Highlight Corp-8021X-Routing only in the Choose LANs
dialog box, and then click OK to return to the Configure Interface & User Access panel.

Configuring the RADIUS settings

Because the Corp-RADIUS-Profile configuration is already defined, you do not need to configure a new RADIUS server in
HiveManager. To use the existing Corp-RADIUS-Profile settings, click <RADIUS_Settings>, highlight Corp-RADIUS-Profile in the
dialog box, and then click OK.

You can view the details of the existing configuration by referring to the “Configuring the RADIUS settings” section on page 8.

Configuring User Profiles

You can use the same user profile on the LAN ports that you use on the SSIDs, or you can create custom user profiles for use
specifically with the LAN ports. In this example you choose the same user profile (Corp-User) that was chosen for use with the
SSID in step 2.

To choose the existing user profile, click Add/Remove in the User Profile column of the Router LAN Ports section, click the Default
tab on the left side of the dialog box, highlight only Corp-User, and then click Save.

Because the network is defined within the user profile, choosing the Corp-User user profile sets the network automatically. In
addition, because you cloned a functioning network policy (QuickStart-Wireless-Routing), the settings in the Management VLAN,
Router Firewall, Layer 3 IPsec VPN, and Additional Settings sections do not require further adjustment and can be left as they
are.


Step 4: Uploading the Configuration and Certificates


You must update the configurations of all Aerohive APs that you want to use with the RADIUS server. If you add or make changes
to your RADIUS or VPN implementation, you must also upload the certificates that the devices use to authenticate one another. By
default, HiveManager uploads certificates for RADIUS and VPN services automatically; however, you can opt not to upload
certificates (when you have made no changes to these services) by clearing the Upload and activate certificates for RADIUS and VPN
services check box on the Monitor > All Devices > device_name > Update > Upload and Activate Configuration page.

To update your APs, click the Configure & Update Devices collapsible tab at the bottom of the Configuration module, select the
check boxes next to the APs you want to update, and then click Upload.

Example 3: Remote Site Authentication with Aerohive RADIUS


You can configure RADIUS servers on Aerohive routers to transmit their network settings by means of DHCP options. Aerohive
does this by changing the RADIUS configuration workflow so that all RADIUS servers running on routers in a specific network
policy are configured and deployed simultaneously by default. Each router is configured to use the same local user store or point to
the same external user store such as Active Directory or other LDAP server. This unifies the network so that any AP that receives
its network settings via DHCP also receives information about the location of the RADIUS server during those DHCP exchanges.

If you do not want to transmit the IP address of the RADIUS server through DHCP options, you also have the option of
configuring your Aerohive devices with the network settings of your RADIUS server manually, as explained in “Example 2:
Remote Site Authentication” on p. 10.

The BR200 and BR200-WP routers, and APs configured as routers, support advertising the RADIUS service through DHCP
options; the BR100 routers do not.

When you enable this functionality on the router, the router responds to the DHCP requests of the APs with a typical offer of an IP
address (for the AP), netmask, default gateway, and so on; however, the router adds additional fields and inserts its own IP
address, which the AP uses to direct all future RADIUS requests to the router. Figure 5 on the next page shows the DHCP options
that the AP is configured to use (left), as well as a sample set of DHCP options returned by the router in its DHCP messages (right).
You can see these settings by logging in to the respective devices and entering the following commands—also represented in the
Figure 5 on the next page in bold text—at the command line:

• On the AP: show interface mgt0 dhcp client
• On the router: show interface mgt0 dhcp-server


On the router:

BR200-WP#show interface mgt0 dhcp-server
DHCP server parameters on interface mgt0 (VLAN 4094).
DHCP server: enabled
Authoritative-flag: enabled
Arp-check: enabled
Lease time: 86400 secs
Netmask: 255.255.255.128
Default gateway: 172.18.0.1
...
Option(229): 172.18.0.1
Option(230): 172.18.0.1
Option(231): 172.18.0.1
IP pools:
172.18.0.2 - 172.18.0.126

On the AP:

AP350#show interface mgt0 dhcp client
HM=HiveManager; SLS=system log server;
DHCP client: Enabled
...
Get options from server:
Netmask (option number 1): 255.255.255
Router (option number 3): 172.18.0.1
DNS server (option number 6): 172.18.0.1
Log server (option number 7):
DNS domain (option number 15):
NTP server (option number 42):
HM string(custom option 225):
HM ip(custom option 226):
SLS string(custom option 227):
SLS ip(custom option 228):
PPSK server ip(custom option 229): 172.18.0.1
RADIUS server ip(custom option 230): 172.18.0.1
RADIUS accounting server ip(custom option 231): 172.18.0.1
Figure 5 Verifying DHCP Option support and configuration

Overview of the Complete DHCP Exchange


After the devices are configured and, when necessary, restarted, the DHCP client on an AP begins the standard DHCP exchange,
which occurs in the following way:

1. DHCP Discover: The AP sends a DHCP Discover message (see Figure 6, step 1), which is a broadcast message that informs
any DHCP servers on the network that the AP is attached to the network and has no network settings. This message does not
request network settings from the server.
2. DHCP Offer: In response, the router reserves an IP address, and then offers to lease the AP network settings for a specific
length of time. In addition, the router also includes the specific options that direct the AP to use the router as its RADIUS
authentication (option 230) and accounting (option 231) server. If there are multiple DHCP servers, the AP might receive
multiple offers.
3. DHCP Request: The AP responds in turn with a formal request to use the network settings the DHCP server offered. This
message is not only a response to the router, but is also a notification to other DHCP servers, if present, that they may now
release any DHCP offers they made to the AP.
4. DHCP ACK: As a final step, the DHCP server acknowledges the request and reiterates the DHCP options sent previously in the
DHCP Offer. When the AP receives this message, it sets its network settings accordingly.
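The exchange above, as an added example that is not Aerohive code: it models how a branch router derives its own address and DHCP pool from a subnet (the router takes the first usable address, as in the IP Address Allocation step), encodes the options it adds to its Offer and ACK, and decodes them the way an AP would. Option numbers 229, 230 and 231 and the addresses come from Figure 5; the function names and the "RADIUS server is the issuing router" check are assumptions.

```python
import ipaddress

# DHCP option numbers. 1, 3 and 6 are standard (RFC 2132); 229, 230 and 231
# are the custom options shown in Figure 5 of this guide.
OPT_PAD = 0
OPT_SUBNET_MASK = 1
OPT_ROUTER = 3
OPT_DNS_SERVER = 6
OPT_PPSK_SERVER = 229
OPT_RADIUS_AUTH = 230
OPT_RADIUS_ACCT = 231
OPT_END = 255


def branch_subnets(network, branches):
    """Model the IP Address Allocation slider: split `network` into `branches`
    equal subnets. In each subnet the router reserves the first usable address
    and leases the rest. Returns a list of
    (subnet, router_ip, pool_first, pool_last, clients_per_branch)."""
    net = ipaddress.ip_network(network)
    if branches < 1 or branches & (branches - 1):
        raise ValueError("slider positions are powers of two")
    new_prefix = net.prefixlen + (branches.bit_length() - 1)
    result = []
    for sub in net.subnets(new_prefix=new_prefix):
        router = sub.network_address + 1        # reserved for the router
        pool_first = sub.network_address + 2
        pool_last = sub.broadcast_address - 1
        clients = sub.num_addresses - 3         # network, router, broadcast
        result.append((sub, router, pool_first, pool_last, clients))
    return result


def encode_options(options):
    """Encode {code: dotted-quad} as DHCP option TLVs terminated by option 255."""
    out = bytearray()
    for code, addr in options.items():
        value = ipaddress.IPv4Address(addr).packed
        out += bytes((code, len(value))) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(blob):
    """Parse DHCP option TLVs into {code: raw bytes}. Truncated data is
    rejected rather than guessed at, which is what a careful client should do."""
    options = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            return options
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header at offset %d" % i)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = value
        i += 2 + length
    raise ValueError("missing end option")


def router_offer_options(subnet, router_ip):
    """Option set a router adds to its DHCP Offer and ACK when the RADIUS
    service is advertised through DHCP: the standard options plus 229/230/231,
    all pointing at the router itself (constructed from the Figure 5 values)."""
    mask = str(ipaddress.ip_network(subnet).netmask)
    return encode_options({
        OPT_SUBNET_MASK: mask,
        OPT_ROUTER: router_ip,
        OPT_DNS_SERVER: router_ip,
        OPT_PPSK_SERVER: router_ip,
        OPT_RADIUS_AUTH: router_ip,
        OPT_RADIUS_ACCT: router_ip,
    })


def ap_radius_servers(offer):
    """AP side: take the RADIUS authentication and accounting servers from
    options 230 and 231. Returns None when option 230 is absent, which is the
    case where the RADIUS server has to be configured manually."""
    options = decode_options(offer)
    if OPT_RADIUS_AUTH not in options:
        return None
    auth = options[OPT_RADIUS_AUTH]
    acct = options.get(OPT_RADIUS_ACCT, auth)   # accounting defaults to auth
    router = options.get(OPT_ROUTER)
    # With this feature the RADIUS server is the router that issued the lease;
    # an offer that points elsewhere is worth logging before it is acted on.
    return {
        "auth": str(ipaddress.IPv4Address(auth)),
        "acct": str(ipaddress.IPv4Address(acct)),
        "radius_is_router": router is not None and auth == router,
    }


if __name__ == "__main__":
    for entry in branch_subnets("10.1.0.0/16", 256)[:2]:
        print(*entry)
    print(ap_radius_servers(router_offer_options("172.18.0.0/25", "172.18.0.1")))
```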


Figure 6 Remote site authentication using an Aerohive RADIUS server


Step 2 combines the DHCP Request, DHCP Offer, and DHCP ACK messages, and assumes that the AP sets its network settings in
accordance with those offered.
At this point in the process, the network is ready and the user can attempt to authenticate against the RADIUS server using
802.1X/EAP. When the user attempts to authenticate (step 3), the credentials are passed to the AP as EAPOL frames. The AP then
reframes and packetizes them as RADIUS packets, and forwards them to the router running the RADIUS service.
Depending on how you configure the RADIUS server, the server either uses a local user database to authenticate the user or it
authenticates the user against an external user database such as an Active Directory or LDAP server. If you configure the router to
use an external user store, then when the router receives the RADIUS request from the AP, it forwards the request to the user
database server (step 4). If user database server authentication is successful, then the user gains access to the network (step 5).


Configuration Steps
When configuring RADIUS authentication, you must do so in the following order:
1. Clone a working network profile for use in the new configuration
2. Create a local user data store on the Aerohive RADIUS server or point the Aerohive RADIUS server to an existing user
database server
3. Create a network policy, SSID, and RADIUS service
4. Configure a user profile and a network
5. Upload the configuration and users (for local RADIUS authentication) or certificates (for use with an external user database
server)
Because the changes in the workflow affect steps one, three, and four the most, those steps are treated here in detail. Steps two and
five are presented as overviews of the process with directions on how to find detailed information in the Help system.

Step 1: Cloning a Working Network


Before creating a new network configuration, Aerohive recommends that you first clone the built-in QS-176.28.0.0/16 network
profile (or other working network profile) so that you can begin with a working network without compromising the existing
network profile. To clone the QS-176.28.0.0/16 network profile, click Configuration > Show Nav > Networks, select QS-
176.28.0.0/16, click Clone, enter the following information, and then click Save:

Name: 10.1.0.0/16

You can enter any name you choose up to 32 characters long; however, using the actual network name
and prefix of the network you intend to use is generally more intuitive for most implementations.

Description: Replace the default description with a brief, helpful description.

Subnetworks

In this example, you create a single 10.1.0.0/16 network to replace the default network of 176.28.0.0/16. To configure this
network, do the following:

1. Configure the network you want to use. To do this, click New, enter the following information, and then click Save:

IP Network: 10.1.0.0/16

IP Address Allocation: Position the slider to configure 256 branches with 253 clients per branch.

Each position on the slider represents the netmask of each possible subnet, doubling or halving the
number of branches. Moving the slider to the right increases the number of subnets, whereas moving
the slider to the left decreases the number of subnets you configure. Because the total number of IP
addresses is constant (defined by the IP Network value), increasing the number of branches decreases
the number of clients per branch.

Enable DHCP server: (select)

When Enable DHCP server is selected, the router acts as a DHCP server, providing IP addresses to
DHCP clients on the network. For each subnet, the router reserves the first available IP address in the
subnet for itself.

2. Remove the default network from the network policy. To do this, select the 172.28.0.0/16 network, and then click
Remove.

You can perform the two preceding steps in any order.


Step 2: Configuring the User Data Store


A user data store can be a centralized server, such as an external RADIUS or Active Directory server, or it can be a user group
that you configure directly on the routers through HiveManager. The most common configuration uses an external authentication
server.
The configuration of an external authentication server user store is beyond the scope of this document. To configure a user store
on an external authentication server, consult the documentation from your authentication server vendor.
For information on how to configure users and user groups in HiveManager, see the detailed information in the Help system at
Configuration > Advanced Configuration > Authentication > Local Users and Configuration > Advanced Configuration > Authentication >
Local User Groups.

Step 3: Configuring a Network Policy and SSID


A network policy is a logical container that incorporates the entire set of control configurations associated with a fully functioning
network, including the network access settings used in the network, VPN settings, and so on. When creating the network policy
initially, however, you are only creating the container—all other configurations follow independently, but are contained within your
new network policy.

1. To create a new network policy, click Configuration > New, enter the following information, and then click Create:

Name: Corp-Network

Description: Enter a note about the network policy for future reference.

Hive: Choose the hive that you want to assign to devices to which you apply this policy.

Wireless + Routing: (select)

When you create your network policy, HiveManager returns you to the Choose Network Policy panel with your new policy
already highlighted in the dialog box. Click OK to continue to the Configure Interfaces & User Access panel.

If you do not see your new network policy in the list, you might need to scroll down the list to find it.

2. To create a new SSID that uses a local RADIUS server, click the Choose button next to SSIDs, click New to create a new SSID,
enter the following information, leaving all other settings at their default values, and then click Save:

Profile Name: Employee

SSID: By default, HiveManager automatically populates this field with the SSID profile name that you enter. You can change the
SSID name if you choose.

SSID Broadcast Band: 2.4 GHz & 5 GHz (11n/a + 11n/b/g)

Description: Enter a brief description of the SSID profile for future reference.

WPA/WPA2 802.1X (Enterprise): (select)

3. When you save your new SSID, HiveManager displays the Choose SSIDs dialog box. Choose the SSID profile that you just
created, and then click OK.


4. To configure RADIUS settings, click <RADIUS_Settings>, click New, enter the following information, and then click Save:

Name: Employee-RADIUS

Description: Enter a brief description for future reference.

Obtain an Aerohive RADIUS server address through DHCP options: (select)

When you select this, the APs receive information regarding the network settings of the RADIUS
server running on the router through the DHCP messages they receive. For example, if the router gets
an IP address of 10.1.10.1/24 for its mgt0 interface, which is the interface to which the APs in the same
management network can connect, then the router passes that information to the APs along with other
options such as default gateway and DNS server information. When the APs have this information, they
have everything they need to act as RADIUS authenticators and process authentication exchanges
between RADIUS supplicants and the RADIUS authentication server (that is, the router). Clearing this
check box disables the automatic process and prompts you to configure the RADIUS server manually.

5. To create a RADIUS server that runs on the router, click the Modify button at the bottom next to Additional Settings, expand the
Router Settings section, enter the following information, and then click Save:

RADIUS Service: Click the New ( + ) icon to create a new RADIUS server instance, enter the following information, and then
click Save:

Name: Aerohive-RADIUS

Description: Enter a brief description for future reference.

Expand the Database Settings section.

External Database: (select)

Local Database: (clear)

A single External Database tab appears containing configuration options. Although this configuration example uses only an
external database, you can configure the router to use multiple databases. When you do this, multiple tabs appear in the
Database Settings section, and there are considerations of priority in terms of which database the router uses in what
order. You can find more information on these priorities in the Help system.

Under the External Database tab, select the appropriate radio button for the type of server (Active Directory, LDAP Server,
or Open Directory) against which you are authenticating users. The configuration controls under the tab change according
to the type of authentication server you select.
Select the user database server that you want to use from the drop-down list. If the server is not listed, you can create it
by clicking the New ( + ) icon. For information about configuring user database servers, see the detailed Help system
information at Configuration > Advanced Configuration > Authentication > Defining HiveAP AAA Server Settings.


Step 4: Configuring User Profile and Network Settings


To complete the configuration of your network, you must configure the user profiles and networks.

To configure a user profile for the LAN ports, return to the Configure Interfaces & User Access panel (by clicking Configuration to
display the guided configuration module, and expanding the Configure Interfaces & User Access panel), click the Add/Remove link in
the User Profile column to choose a user profile, click New, enter the following information, leaving all others as their default
values, and then click Save:

Name: Corp-Employee

Attribute Number: 15

This is the RADIUS attribute that you want to map to this user profile. You can configure an LDAP or Active
Directory server—as you can a RADIUS server—to return attributes that Aerohive devices use to map
users to specific user profiles. For example, if you configure your LDAP server to return
“radiusCallbackNumber: ‘15’” on successful authentication, Aerohive devices automatically decode this
to mean that the authenticated user receives the user profile with an attribute of 15.

Network or VLAN-only Assignment: 10.1.0.0/16

Choose the 10.1.0.0/16 network you created in step 1 from the drop-down list. In more complex
networks or environments you have the option of creating additional custom networks and
subnetworks.

Description: Enter a helpful description.

After you create the user profile, you are returned to the Choose User Profiles dialog box. Click the Default tab on the left side of the
dialog box, highlight Corp-Employee(15), and then click Save.

Step 5: Uploading the Configuration and Certificates


You must update the configurations of all Aerohive APs that you want to use with the RADIUS server. If you add or make changes
to your RADIUS or VPN implementation, you must also upload the certificates that the devices use to authenticate one another. By
default, HiveManager uploads certificates for RADIUS and VPN services automatically; however, you can opt not to upload
certificates (for example, when you have made no changes to these services) by clearing the Upload and activate certificates for
RADIUS and VPN services check box on the Monitor > All Devices > device_name > Update > Upload and Activate Configuration page.
In addition, because the Aerohive RADIUS server uses certificates during the authentication process with external database
servers, you might need to import the CA (certification authority) and server certificates that the external database server requires.
You can find comprehensive information regarding certificate roles, generation, and management in the Help system by navigating
to the pages within the Configuration > Advanced Configuration > Keys and Certificates directory.

To update your APs, click the Configure & Update Devices collapsible tab at the bottom of the Configuration module, select the
check boxes next to the APs you want to update, and then click Upload.


Example 4: Integrating Active Directory with an Aerohive RADIUS Server


Because the majority of directory services deployments are Microsoft Active Directory deployments, this section specifically deals
with integrating an Aerohive RADIUS server with the user database and authentication capabilities of Active Directory. Many of the
steps taken in previous sections are repeated in this section.

To integrate an Aerohive RADIUS and an Active Directory server, you must have your Active Directory server running with at least
the following two user accounts (the account user names can be anything you choose):

• Aerohive administrator: You must create an account whose minimum privileges include the ability to add computers to the
domain. When you join your Aerohive RADIUS to the domain, the Active Directory server uses this account to add it to the
domain, and places it in the Computers OU by default. You can change the OU when you configure the Active Directory setting
on the Aerohive RADIUS server.
• Aerohive user: You must also create a limited user account whose minimum privileges include the ability to perform user
lookups in the Active Directory user database. When a user authenticates to Active Directory through the Aerohive RADIUS
server, Active Directory uses this account to verify the identity of the user attempting to log in.

Figure 7 User authentication using Aerohive RADIUS with Active Directory

Configuration Steps
When configuring RADIUS authentication, you must do so in the following order:
1. Clone a working network profile for use in the new configuration
2. Create a local user data store on the Aerohive RADIUS server or point the Aerohive RADIUS server to an existing user
database server
3. Create a network policy, SSID, and RADIUS service
4. Configure a user profile and a network
5. Upload the configuration and users for local RADIUS authentication and certificates for use with an external user database
server
6. Install the Root Certificate on a Windows Client


Because the changes in the workflow affect steps one, three, and four the most, those steps are treated here in detail. Steps two and
five are presented as overviews of the process with directions on how to find detailed information in the Help system.

Step 1: Cloning a Working Network


Before creating a new network configuration, Aerohive recommends that you first clone the built-in QS-176.28.0.0/16 network
profile (or other working network profile) so that you can begin with a working network without compromising the existing
network profile. To clone the QS-176.28.0.0/16 network profile, click Configuration > Show Nav > Networks, select QS-
176.28.0.0/16, click Clone, enter the following information, and then click Save:

Name: 10.2.0.0/16

You can enter any name you choose up to 32 characters long; however, using the actual network name
and prefix of the network you intend to use is generally more intuitive for most implementations.

Description: Replace the default description with a brief, helpful description.

Subnetworks

In this example, you create a single 10.2.0.0/16 network to replace the default network of 176.28.0.0/16. To configure this
network, do the following:

1. Configure the network you want to use. To do this, click New, enter the following information, and then click Save:

IP Network: 10.2.0.0/16

IP Address Allocation: Position the slider to configure 256 branches with 253 clients per branch.

Each position on the slider represents the netmask of each possible subnet, doubling or halving the
number of branches. Moving the slider to the right increases the number of subnets, whereas moving
the slider to the left decreases the number of subnets you configure. Because the total number of IP
addresses is constant (defined by the IP Network value), increasing the number of branches decreases
the number of clients per branch.

Enable DHCP server: (select)

When Enable DHCP server is selected, the router acts as a DHCP server, providing IP addresses to
DHCP clients on the network. For each subnet, the router reserves the first available IP address in the
subnet for itself.

2. Remove the default network from the network policy. To do this, select the 172.28.0.0/16 network, and then click Remove.

Step 2: Configuring the User Data Store


The user data store used in this configuration example exists on an Active Directory server, which is the most common external
database configuration.
The configuration of Active Directory server user store is beyond the scope of this document. To configure Active Directory,
consult the documentation from Microsoft.


Step 3: Configuring a Network Policy and SSID


A network policy is a logical container that incorporates the entire set of control configurations associated with a fully functioning
network, including the network access settings used in the network, VPN settings, and so on. When creating the network policy
initially, however, you are only creating the container—all other configurations follow independently, but are contained within your
new network policy.

1. To create a new network policy, click Configuration > New, enter the following information, and then click Create:

Name: Corp-Network

Description: Enter a note about the network policy for future reference.

Hive: Choose the hive that you want to assign to devices to which you apply this policy.

Wireless + Routing: (select)

When you create your network policy, HiveManager returns you to the Choose Network Policy panel with your new policy
already highlighted in the dialog box. Click OK to continue to the Configure Interfaces & User Access panel.

If you do not see your new network policy in the list, you might need to scroll down the list to find it.

2. To create a new SSID that uses a local RADIUS server, click the Choose button next to SSIDs, click New to create a new SSID,
enter the following information, leaving all other settings at their default values, and then click Save:

Profile Name: Employee

SSID: By default, HiveManager automatically populates this field with the SSID profile name that you enter. You can change the
SSID name if you choose.

SSID Broadcast Band: 2.4 GHz & 5 GHz (11n/a + 11n/b/g)

Description: Enter a brief description of the SSID profile for future reference.

WPA/WPA2 802.1X (Enterprise): (select)

3. When you save your new SSID, HiveManager displays the Choose SSIDs dialog box. Choose the SSID profile that you just
created, and then click OK.
4. To configure RADIUS settings, click <RADIUS_Settings>, click New, enter the following information, and then click Save:

Name: Employee-RADIUS-2

Description: Enter a brief description for future reference.

Obtain an Aerohive RADIUS server address through DHCP options: (select)

When you select this, the APs receive information regarding the network settings of the RADIUS
server running on the router through the DHCP messages they receive. For example, if the router gets
an IP address of 10.1.10.1/24 for its mgt0 interface, which is the interface to which the APs in the same
management network can connect, then the router passes that information to the APs along with other
options such as default gateway and DNS server information. When the APs have this information, they
have everything they need to act as RADIUS authenticators and process authentication exchanges
between RADIUS supplicants and the RADIUS authentication server (that is, the router). Clearing this
check box disables the automatic process and prompts you to configure the RADIUS server manually.


5. To create a RADIUS server that runs on the router, click the Modify button at the bottom next to Additional Settings, expand the
Router Settings section, enter the following information, and then click Save:

RADIUS Service: Click the New ( + ) icon to create a new RADIUS server instance, enter the following information, and then
click Save:

Name: Aerohive-RADIUS-2

Description: Enter a brief description for future reference.

Expand the Database Settings section.

External Database: (select)

Local Database: (clear)

A single External Database tab appears containing configuration options. Although this configuration example uses
only an external database, you can configure the router to use multiple databases. When you do this, multiple tabs
appear in the Database Settings section, and there are considerations of priority in terms of which database the
router uses in what order. You can find more information on these priorities in the Help system.

Under the External Database tab, select Active Directory.

Click New ( + ) to create a new Active Directory server, enter the following information, and then click
Save:

Name: BR-AD

Description: Enter a helpful description.

Active Directory: (select)


Aerohive device for Active Directory connection setup: Choose your router from the drop-down list.

IP Address: 172.18.0.1

The correct IP address appears in the field by default. Leave the IP address as the default setting.

Netmask: 255.255.0.0

Default Gateway: 172.18.0.1


The default gateway address is the same as the IP address.

DNS Server: 10.2.0.13

The DNS service is provided by the Active Directory server. If you enter the IP address of another DNS
server, then the authentication will fail.

Domain: Enter the domain to which the user authenticates (for example, aerohive.com)

Active Directory Server: 10.2.0.13

Click Retrieve Directory Information to have HiveManager query the Active Directory server for the
BaseDN and organizational unit where the Aerohive router information will be stored.

Domain Admin: Enter the username of an Active Directory user with administrator privileges.

Password: Enter the password of the user entered in the previous step.

Click Join to join the Aerohive router to the Active Directory domain.


Domain User: Enter the username of an Active Directory user. The Aerohive router and Active
Directory use this account to look up and validate users in the Active Directory user database.

Password: Enter the user password.

Click Validate User to ensure that the user is configured properly, and that the user information on the
Aerohive router and the Active Directory user database match.

Click Apply to complete the configuration.

Enable RADIUS Server Credential Caching: (select)

For more information about configuring user database servers, see the detailed Help system information at
Configuration > Advanced Configuration > Authentication > Defining HiveAP AAA Server Settings.

Ensure that Aerohive-RADIUS-2 is selected in the RADIUS Service drop-down list before you click Save to save your
changes.

Step 4: Configuring User Profile and Network Settings


To complete the configuration of your network, you must configure the user profiles and networks.

To configure a user profile for the LAN ports, return to the Configure Interfaces & User Access panel (by clicking Configuration to
display the guided configuration module, and expanding the Configure Interfaces & User Access panel), click the Add/Remove link in
the User Profile column to choose a user profile, click New, enter the following information, leaving all others as their default
values, and then click Save:

Name: Corp-Employee-2

Attribute Number: 25

Network or VLAN-only Assignment: 10.2.0.0/16

Description: Enter a helpful description.

After you create the user profile, you are returned to the Choose User Profiles dialog box. Click the Default tab on the left side of the
dialog box, highlight Corp-Employee(25), and then click Save.

Click Continue.

Step 5: Uploading the Configuration and Certificates

You must update the configurations of all Aerohive APs that you want to use with the RADIUS server. If you add or make changes
to your RADIUS or VPN implementation, you must also upload the certificates that the devices use to authenticate one another. By
default, HiveManager uploads certificates for RADIUS and VPN services automatically; however, you can opt not to upload
certificates (for example, when you have made no changes to these services) by clearing the Upload and activate certificates for
RADIUS and VPN services check box on the Monitor > All Devices > device_name > Update > Upload and Activate Configuration page.
In addition, because the Aerohive RADIUS server uses certificates during the authentication process with external database
servers, you might need to import the CA (certification authority) and server certificates that the external database server requires.
You can find comprehensive information regarding certificate roles, generation, and management in the Help system by navigating
to the pages within the Configuration > Advanced Configuration > Keys and Certificates directory.

To update your APs, click the Configure & Update Devices collapsible tab at the bottom of the Configuration module, select the
check boxes next to the APs you want to update, and then click Upload.


Step 6: Installing the Root Certificate on a Windows Client

For Active Directory authentication to function properly, you must download the root certificate from HiveManager, and then install
the HiveManager root certificate on the Active Directory client devices. To download and install the certificate, do the following:

1. To download the root certificate, click Configuration > Show Nav > Advanced Configuration > Keys and Certificates >
Certificate Management, select Default_CA.pem, and then click Export. When prompted for the save location, save the file on
the desktop or in another location that is easy to find. Because Windows clients do not recognize the .pem extension, rename
the Default_CA.pem file to Default_CA.cer.
2. To install the certificate, simply double click the Default_CA.cer file, and then click Install Certificate when prompted. This
starts the Certificate Import Wizard. Click Next.
3. When you are prompted to choose a certificate store, select Place all certificates in the following store, click Browse, select
Trusted Root Certification Authorities (the default location), click OK, and then click Next.
4. Complete the importation by clicking Finish to close the wizard, clicking Yes to acknowledge the security warning, and then
clicking OK.

You can verify the validity of the certificate by opening the Default_CA.cer file again to view the contents. Under the General
tab, a valid certificate is issued to HiveManager, issued by HiveManager, and has a valid date range within which today’s date
lies; under the Details tab in the Subject field, the certificate contains HiveManager and location information.
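As an added check (example shell script, not part of the Aerohive guide), the properties the guide lists for a valid certificate can be confirmed with OpenSSL before the exported file is distributed to clients: issued to HiveManager, issued by HiveManager (self-signed), marked as a CA, and currently inside its validity window. Only the Default_CA.pem file name and the HiveManager subject text come from the guide; the function name and the OpenSSL invocations are assumptions.

```shell
#!/bin/sh
# Added example, not from the Aerohive guide: verify an exported HiveManager
# root CA before it is installed into a Windows client's Trusted Root store.
# Accepts PEM input whether the file is still called Default_CA.pem or has
# been renamed to Default_CA.cer as the guide instructs.

# Returns 0 if "$1" is a currently valid, self-signed CA certificate whose
# subject names HiveManager; returns 1 (with a reason on stderr) otherwise.
check_hivemanager_root() {
    cert="$1"
    subject=$(openssl x509 -in "$cert" -noout -subject 2>/dev/null) || {
        echo "not a readable X.509 certificate: $cert" >&2; return 1; }
    issuer=$(openssl x509 -in "$cert" -noout -issuer)

    # "Issued to" must equal "Issued by" for a self-signed root; drop the
    # "subject=" / "issuer=" prefixes so the two names can be compared.
    s=${subject#subject=}
    i=${issuer#issuer=}
    [ "$s" = "$i" ] || { echo "not self-signed: subject and issuer differ" >&2; return 1; }
    case "$s" in
        *HiveManager*) ;;
        *) echo "subject does not name HiveManager: $s" >&2; return 1 ;;
    esac

    # Basic Constraints must say CA:TRUE, otherwise Windows imports the file
    # but it cannot act as a trust anchor for the RADIUS server certificate.
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' \
        || { echo "basicConstraints CA:TRUE missing" >&2; return 1; }

    # Validity window and self-signature: openssl verify fails on a cert
    # that has expired, is not yet valid, or whose signature is bad.
    openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1 \
        || { echo "certificate is outside its validity period or signature invalid" >&2; return 1; }
    return 0
}

# Usage: ./check_root.sh Default_CA.pem
if [ -n "$1" ]; then
    check_hivemanager_root "$1" && echo "OK: $1 is a valid HiveManager root CA"
fi
```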
