Router QoS to Support VoIP: In addition to existing Aerohive scheduling, queuing, and rate limiting for wireless interfaces, you can now limit the bandwidth used by non-VoIP traffic when a router detects that a VoIP call is occurring. This ensures that VoIP call traffic through the router receives higher-priority treatment, preserving call quality when in competition with lower-priority network traffic such as email and web traffic. You can enable this feature in network policies in the Configuration section of the GUI or for specific routers in the Monitor section. You can also set maximum download and upload bandwidth rates for non-VoIP traffic.

Static Routes on Routers: You can configure static routes on an Aerohive router so that it can route traffic to hosts in different subnets reached through non-Aerohive routers. You can set static routes in the Static Routes section on the Monitor > Devices > Routers > Modify page. (Note: Routers do not advertise their static routes to the CVG.)

Wireless USB Modem as the Primary WAN Interface with Ethernet Backup: You can now set a wireless USB modem as the primary WAN interface on an Aerohive router with its eth0 interface specified as backup.

802.1X on Ethernet Ports (BR200 and BR100): BR100 and BR200 routers now support 802.1X/EAP authentication on their Ethernet ports. After a supplicant authenticates successfully through an Ethernet port, the router dynamically assigns that port a VLAN based on the user profile determined by returned RADIUS attributes. Currently one 802.1X/EAP device can authenticate per port. Electing to authenticate via 802.1X in a LAN profile allows you to move on directly to creating a RADIUS server to handle the authentication.
RADIUS Operation and NAS Identifier Attributes: Aerohive now provides a means to authenticate users to a home network from a foreign network and track connection sources by injecting operator ID and NAS identifiers into the RADIUS packets, identifying the domain from which the user authenticates to the network. In geographically dispersed systems such as regional or global education and research networks in which users might authenticate separately from many different domains, including the operator ID and NAS identifier in RADIUS authentication messages provides a means to handle regionally or globally dispersed users.

HTTP Proxy Added to the CVG Initial Setup Wizard: When deploying a CVG (Cloud VPN Gateway) on an ESXi hypervisor, the Initial Setup Wizard now provides settings for configuring the CVG to send outbound traffic to an HTTP proxy server if necessary. Once configured to do so, the CVG can then contact the license server through the HTTP proxy so that it can activate its license.

CVG Support of Internal Network Route Advertisements: In addition to setting static routes for a CVG, you can control which destinations it includes in the route updates it advertises to routers.

Using TCP-MSS when Path MTU Discovery is Disrupted: When devices such as firewalls along a data path between two hosts disrupt the Path MTU (Maximum Transmission Unit) Discovery mechanism so that the transmitting host cannot determine the maximum packet size it can send without fragmentation, you can configure Aerohive routers and VPN gateways with TCP-MSS (Maximum Segment Size) thresholds to notify the host when to reduce the size of the TCP packets it transmits.

TeacherView Blocked URL Notification: When a student attempts to access a blocked URL or website, TeacherView now notifies the student that the connection is disallowed rather than silently discarding the request. Reporting the blockage in this way reduces student confusion, which in turn reduces the time the teacher must spend handling the confusion.
ensure all devices can reach the new HiveManager. If any Aerohive devices cannot reach the new server, HiveManager Online will notify you to update firewall or connection settings before upgrading.

HiveOS Version Notification: HiveManager queries devices to collect their HiveOS version, compares it to the available versions, and then displays a notice if the devices are not running the latest versions available. It is not necessary to run identical versions across your network, but many features require updates to both HiveOS and HiveManager for full functionality. For example, HiveManager running 5.0r3 can safely manage AP120 devices running HiveOS 4.1r3 because HiveOS 4.1r3 is the latest version for those models. Note, however, that the new features listed here require 5.0r3 to operate.

Adjusting the Refresh Rate on Monitor Pages: You can now disable the auto-refresh feature on many of the Monitor pages for managed devices and their clients. This stops the screen from automatically refreshing whenever a new device or client connects, or when devices report updated information to HiveManager, which can cause you to lose your place if you are working in a page with numerous entries. By default, Auto Refresh is on. Select off to disable it. To re-enable it, check on.

Cloning Buildings and Floors: When you are adding buildings and floors to topology maps, you now have the option to clone existing buildings or floors. Right-click a building or floor, and then select Clone from the drop-down list of options. Name the clone and click Create. The cloned building or floor now appears in the map navigation tree.

Hiding Device Tags in Maps: This feature is currently supported for the planning map tool only. When you are viewing network topology maps, if there are too many devices in close proximity, it can be difficult to identify individual devices if the device tags are displayed. This feature adds an option to turn off the device display tags in your planning maps. You can do this in the View mode for any map by opening the drop-down list for AP Labels and selecting No Label. Labels are displayed by default. To turn label display back on, simply select one of the other options from the drop-down list.

Wi-Fi Station and Interface Statistics Summary: You can see a summarized report of wireless interfaces and client statistics and states by selecting an Aerohive device with currently connected clients and clicking Tools > Statistics > Wifi Status Summary on the All Devices, HiveAPs, or Routers page in the Monitor section.

Band Steering and Load Balancing Improvements: HiveManager now provides more granular and flexible control over traffic-optimizing features. This is particularly useful for implementations in which there is relatively dense client deployment without dense (that is, overlapping) AP deployment, such as in schools, training facilities, and similar environments. When you create or edit an existing radio profile, you can now find the options that are used specifically to optimize traffic in a new, separate expandable section called Optimizing Management Traffic Settings. In addition, you now have the ability to control to a fine degree how the APs handle band usage and steering.
In initial and all subsequent CAPWAP connection attempts between Aerohive devices and HiveManager, the devices first try to use UDP port 12222 and then switch to TCP port 80 only if connection attempts on the UDP port are unsuccessful. In previous releases, when devices formed CAPWAP connections to HiveManager on TCP port 80, HiveManager would push a configuration to them so that they would bypass the effort to use UDP port 12222 in all subsequent connection attempts to accelerate the connection process. However, CAPWAP connections using TCP consume more system resources than those using UDP, and HiveManager enforces a limit of 2000 TCP connections in contrast to 20,000 for UDP. Therefore, to conserve system resources and reduce the number of CAPWAP TCP connections when possible, Aerohive devices now continue trying to use UDP port 12222 before switching to TCP port 80 in all connection attempts.

The email field in User Manager has been expanded from 32 characters to 64.

The name of the predefined network policy for wireless-only deployments has been changed to QuickStart-Wireless-Only.

In previous releases, the manual classification of APs as either rogue or friendly only affected the way that HiveManager displayed the APs that managed Aerohive APs reported to it. In this release, HiveManager pushes the rogue and friendly classifications to the Aerohive APs under its management so that if you enable semi-automatic or automatic mitigation of rogue APs, the mitigator APs will not mitigate any APs classified as friendly. Conversely, the mitigator APs will mitigate any APs manually classified as rogue. As soon as you put an AP in one of the two categories, HiveManager communicates its classification to managed APs. As a result, if you manually classify an AP as rogue and automatic mitigation is enabled, mitigator APs immediately take action to attack the rogue. On the other hand, classifying an AP as friendly immediately cancels any attack currently underway against it.

When a network policy is active in the HiveManager GUI, clicking Continue or the title of a different network policy section does not cause HiveManager to save the configuration automatically unless there are unsaved changes in the policy.

You can access context-sensitive Help from pop-up dialog boxes in the HiveManager GUI.

The configuration audit icons indicating if the configuration on a managed device matches that for it on HiveManager have changed from to (match) and from to (mismatch). There is also a new icon for staged configuration updates:
Make an HTTP connection to the IP address of your Aerohive Router. (You can learn its address by connecting your management system as a DHCP client to one of its LAN interfaces and checking the default gateway.) Log in using admin and aerohive as the name and password. You can then use the NetConfig UI to set the HiveManager IP address.

Make a wireless Telnet or SSH connection to a HiveAP through a virtual access console or, if the device has a console port, use a serial connection to log in to the CLI and enter the IP address of the CAPWAP server with the following command:

capwap client server name <string>

Configure the DHCP server to supply the domain name of the CAPWAP server as DHCP option 225 or its IP address as option 226 in its DHCPOFFER. (If you use a domain name, the authoritative DNS server for that domain must also be configured with an A record that maps the domain name to an IP address for the CAPWAP server.) Aerohive devices request DHCP option 225 and 226 by default when they broadcast DHCPDISCOVER and DHCPREQUEST messages. The IP address of the CAPWAP server must be accessible from the HiveAP VLAN. If you need to change the DHCP option number (perhaps because another custom option with that number is already in use on the DHCP server), enter this command with a different option number for the variable "<number>":

interface mgt0 dhcp client option custom hivemanager <number> { ip | string }
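The DHCP delivery described above, as an added example that is not part of the original release notes or Aerohive's code: a Python parser that walks the options field of a DHCPOFFER and extracts the CAPWAP server from options 225 and 226, so you can confirm what a DHCP server is actually handing to devices. It assumes the usual DHCP encodings (ASCII text for the name, four raw bytes for the IPv4 address); the sample offer, `hivemanager.example.test` and `192.0.2.10` are constructed.

```python
import ipaddress

PAD, END = 0, 255  # standard DHCP pad and end option codes


def encode_option(code: int, value: bytes) -> bytes:
    """Encode one DHCP option as code, length, value."""
    if not 1 <= code <= 254 or len(value) > 255:
        raise ValueError("option code or length out of range")
    return bytes([code, len(value)]) + value


def parse_options(field: bytes) -> dict:
    """Walk a DHCP options field and return {code: value}."""
    options, i = {}, 0
    while i < len(field):
        code = field[i]
        if code == END:
            break
        if code == PAD:          # pad is a single byte with no length
            i += 1
            continue
        if i + 1 >= len(field):
            raise ValueError(f"option {code}: missing length byte")
        length = field[i + 1]
        value = field[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: truncated value")
        options[code] = value
        i += 2 + length
    return options


def capwap_server(field: bytes, name_code: int = 225, ip_code: int = 226) -> dict:
    """Extract the CAPWAP server name and/or IP from an options field.

    The codes default to 225/226 from the text and can be overridden to
    match a custom option number set on the device.
    """
    options = parse_options(field)
    found = {}
    if name_code in options:
        found["name"] = options[name_code].decode("ascii")
    if ip_code in options:
        if len(options[ip_code]) != 4:
            raise ValueError("IP option must be exactly 4 bytes")
        found["ip"] = str(ipaddress.IPv4Address(options[ip_code]))
    return found


# Constructed sample: options field of a DHCPOFFER (option 53 value 2 = OFFER).
SAMPLE_OFFER = (
    encode_option(53, b"\x02")
    + encode_option(225, b"hivemanager.example.test")
    + encode_option(226, ipaddress.IPv4Address("192.0.2.10").packed)
    + bytes([END])
)

if __name__ == "__main__":
    print(capwap_server(SAMPLE_OFFER))
```
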
If HiveManager continues to use its default domain name ("hivemanager") plus the name of the local domain to which it and the devices belong, configure an authoritative DNS server with an A record that resolves "hivemanager.<local_domain>" to an IP address. If devices do not have an IP address or domain name configured for the CAPWAP server and do not receive an address or domain name returned in a DHCP option, then they try to resolve the domain name to an IP address. When an Aerohive device goes online for the first time without any specific CAPWAP server configuration entered manually or received as a DHCP option, it progresses through the cycle of CAPWAP connection attempts shown below. (Note that the "HiveManager" in the upper semicircle can be either a physical HiveManager appliance or HiveManager Virtual Appliance, and that the HiveAP shown can be an access point, router, or CVG.)
1. The device tries to connect to HiveManager using the default domain name "hivemanager.<local_domain>:12222", where <local_domain> is the domain name that a DHCP server supplied to the device and 12222 is the UDP port number. If a DNS server has been configured to resolve that domain name to an IP address, the device and HiveManager then form a secure CAPWAP connection on port 12222. If the device cannot make a CAPWAP connection to HiveManager on port 12222, it tries to reach it by using TCP port 80: hivemanager.<local_domain>:80.
2. If the DNS server cannot resolve the domain name to an IP address, the device broadcasts CAPWAP Discovery Request messages on its local subnet. If HiveManager is on the local network and responds with a Discovery Response message, they perform a DTLS (Datagram Transport Layer Security) handshake to establish a secure CAPWAP connection with each other.
If the first two searches for a local HiveManager produce no results, the device tries to contact HiveManager Online at redirector.aerohive.com:12222. If the redirection server has a serial number for that device in its ACL (access control list), it responds and they form a secure CAPWAP connection. If the device cannot make
If the device forms a CAPWAP connection with the Aerohive redirection server and its serial number has been entered in an ACL, the redirection server automatically redirects its CAPWAP connection to the corresponding HiveManager Online VHM (virtual HiveManager). The redirection server does this by sending the device the HiveManager domain name or IP address as its new CAPWAP server and the name of the appropriate VHM. If the device is currently using HTTP, the redirection server includes the configuration needed for it to continue using it. Similarly, if the device is configured to access the public network through an HTTP proxy server, the redirection server saves the relevant settings on the device so it will continue using the HTTP proxy server when connecting to HiveManager. If the redirection server does not have the device serial number, then the ACL on the server ignores the CAPWAP connection attempts, and the device repeats the connection cycle shown above.
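One pass of the discovery cycle above, modelled in Python as an added example (not Aerohive code), to show which targets and ports a first-boot device tries and when it ends up on TCP port 80. Assumptions: a default name that resolves but is unreachable falls through to the broadcast step, and only the redirector's port 12222 attempt is modelled because the page's sentence on what follows is cut off; all inputs are constructed.

```python
UDP_PORT, TCP_PORT = 12222, 80            # CAPWAP ports named in the text
REDIRECTOR = "redirector.aerohive.com"    # HiveManager Online redirection server
BROADCAST = ("local-subnet-broadcast", "capwap-discovery", None)


def discover(local_domain, dns_names, reachable, local_hm_answers, serial_in_acl):
    """Walk one pass of the first-boot discovery cycle.

    dns_names:        names the DNS server can resolve (constructed input)
    reachable:        set of (host, proto, port) the network path permits
    local_hm_answers: True if a HiveManager on the subnet answers discovery
    serial_in_acl:    True if the redirector's ACL lists the device serial
    Returns (outcome, attempts); attempts is the ordered list of tries.
    """
    attempts = []

    def connect(host, proto, port):
        attempts.append((host, proto, port))
        return (host, proto, port) in reachable

    # Step 1: default name; UDP 12222 first, TCP 80 only as the fallback.
    name = f"hivemanager.{local_domain}"
    if name in dns_names:
        for proto, port in (("udp", UDP_PORT), ("tcp", TCP_PORT)):
            if connect(name, proto, port):
                return f"local HiveManager via {proto}/{port}", attempts

    # Step 2: broadcast CAPWAP Discovery Request on the local subnet.
    # (Assumption: also reached when the name resolved but was unreachable.)
    attempts.append(BROADCAST)
    if local_hm_answers:
        return "local HiveManager via broadcast discovery", attempts

    # Step 3: redirection server on 12222; it only responds to listed serials.
    if connect(REDIRECTOR, "udp", UDP_PORT) and serial_in_acl:
        return "redirected to HiveManager Online VHM", attempts
    return "no server found, cycle repeats", attempts


if __name__ == "__main__":
    hm = "hivemanager.example.test"       # constructed local domain
    # A firewall that drops UDP 12222 but passes TCP 80 pushes the device
    # onto the transport with the lower HiveManager connection limit.
    outcome, tried = discover("example.test", {hm}, {(hm, "tcp", 80)}, False, False)
    print(outcome)
    for step in tried:
        print("  tried", step)
```
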
3.2 On the Auto Provisioning page, click New, enter the following, and then click Save:

Enable Auto Provisioning: (select)
Device Model: Choose the appropriate HiveAP model from the drop-down list.
Apply to devices with the following identification: (select)
Select the serial number that you just entered in the previous step and click the right arrow ( > ) to move it from the Available Serial Numbers column to the Selected Serial Numbers column.

3.3 Reboot the device to reset its CAPWAP state to Discovery. When it contacts the redirection server this time, HiveManager Online will apply the access control defined in the automatic provisioning configuration and redirect the device to your VHM.
Documentation
Most of the product documentation is still in progress at the time of these releases and is not yet available. However, the Aerohive New Features Guide as well as Help for all HiveOS CLI commands are ready. To use the Help, enter keyword-SPACE-?, for example: qos ? In addition, there are online CLI reference guides that provide the syntax and explanations for every command in the CLI. They also include information on accessing the CLI through console, Telnet, and SSH connections, tips on using the CLI, and some keyboard shortcuts.
Known Issues
The following are known issues at the time of the HiveOS and HiveManager 5.0r3 releases.
16266
15210
When a MAC DoS event occurs and an AP is configured to disconnect the offending station and ban it from forming future associations, the AP disassociates the station but does not ban it from reassociating.

If you enable OSPF route advertisements on both the eth0 and eth1 interfaces of the CVG, traffic from hosts in the corporate site might be routed through the CVG to the public network instead of taking a different path. Workaround: Only advertise routes on one interface, either eth0 or eth1.
14603
16893 16866
Addressed Issues
The following are addressed issues in the HiveOS and HiveManager 5.0 releases. If no entries are listed for a particular release, no known major issues were addressed in it.
16710
16697
16745
16612
16288 16158
16045
15931
15905
In places where cellular coverage is weak, an Aerohive router sometimes did not attempt to re-establish a dialup link due to temporary connectivity losses and network delays on its dialup connection.

When the region code on a HiveAP was world and it was configured for outdoor mode, pushing a delta configuration to it after previously pushing a complete configuration caused some or all of the updated settings to fail.

When the track IP group for WAN connectivity testing only targeted the default gateway, the BR100 sometimes did not fail over to a USB modem and fail back to the eth0 interface.

APs were unable to determine the location of a client when the APs were connected over a wireless backhaul link through a router.

When sending traffic through a VPN tunnel and the size of an HTTP packet returned from a web server exceeded the MTU that the CVG supported, the CVG dropped the packet because it could not send it through the tunnel to the router.
15881
15871
15821
15753
16795
16718
16560 16504
16334 16160
16033 15928
15921
The default APN (access point name) for both the AT&T Shockwave and Momentum modems was ISP.CINGULAR in the GUI although the APN for new AT&T data accounts established after 9/12/2011 was Broadband.

If you made any changes to a LAN profile, you had to push a complete configuration update to all the routers and CVG.

Barracuda and Websense whitelists erroneously appeared in the Tunnel Exception Destination List on the VPN Services page and in the Device Domain Name drop-down list in the Client Classification Policy section on the User Profiles page.

A network policy could support only one private PSK server; therefore, to use Aerohive routers as private PSK servers at different remote sites, you had to assign each router to a separate network policy from the connecting HiveAPs.

HiveManager was unable to upload a delta configuration to a router with changes to network objects or LAN profiles.

You could configure an AP330 or AP350 as both a router and a RADIUS server; however, because you could not know what IP address HiveManager would dynamically assign it, you could not set the RADIUS server IP address on HiveAP RADIUS authenticators (AAA clients).

When accessing the HiveManager GUI with a Chrome browser, it was not possible to choose the action and logging options for a rule in a network firewall policy.
15914 15834
15672
15393 15178
15132