Post on 26-Jan-2021

9 views

Category:

Documents


0 download

TRANSCRIPT

    To learn more about Aerohive products, visit www.aerohive.com/techdocs

    © 2018 Aerohive Networks, Inc. p/n 3301XX-01, Rev. A

    Aerohive Wi-Fi and A3 Integration

    This document demonstrates how to use HiveManager to configure your Aerohive wireless network to onboard various types of devices with A3. It provides configuration examples for delivering RADIUS attributes from A3 to your Aerohive access points, provisioning the endpoint, and allowing administrators to define and enforce identity-based violation policies based on criteria such as device type and authentication method.

    The following instructions are intended to provide a quick way to configure an open Aerohive wireless network with MAC authentication enabled, using HiveManager NG and A3 as the NAC. They are not intended to be a complete guide to configuring Aerohive or A3 products; some familiarity with both platforms is expected.

    The instructions in this document were verified using:

    Aerohive HiveManager NG 12.7.4.1

    Aerohive AP250 running HiveOS 8.2r1

    A3 Version 1.0

    This guide: version 1.03


    TABLE OF CONTENTS

    A3 integration with Aerohive Wi-Fi network in this guide
      Configuration in a snapshot
      Client onboarding process
      Client association after onboarding
    Configuration steps for this integration
      HiveManager NG configuration
        Onboarding SSID configuration
        Secure SSID configuration for corporate-owned and BYOD devices
        Secure SSID configuration for school using G Suite (Google login)
      PKI server setup
        Generate server certificate for A3
      A3 configuration
        Authentication source configuration
        RADIUS configuration
        Provisioners configuration
        Portal configuration
      Postural assessment enforcement
        Scanner configuration
        Violations configuration
        Assign scan definition to connection profiles


    A3 INTEGRATION WITH AEROHIVE WIFI NETWORK IN THIS GUIDE

    Using the HiveManager NG network management system, you can configure Aerohive access points to assign user profiles from other standard or vendor-specific RADIUS attributes instead of relying only on the three tunnel attributes (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID). The attribute values are delivered by the RADIUS server and mapped to user profiles through user profile assignment rules.

    In the following sections you will use HiveManager NG to configure multiple user profiles and matching user profile assignment rules that take the Filter-Id values delivered by A3 in the RADIUS Access-Accept and map them to user profiles on an Aerohive AP.

    CONFIGURATION IN A SNAPSHOT

    You will create an onboarding SSID, A3-Onboarding, on which wireless clients onboard through username/password, sponsorship, social login or guest self-registration. Where applicable, the A3 provisioning service also delivers a client profile for the secure SSID during onboarding.

    You will also create two 802.1X SSIDs to which employees (corporate users) or students (K12 students) connect with a provisioned certificate (EAP-TLS) or a username/password:

    • For Corp Demo: A3-.1x

    • For School Demo: A3-K12

    Here is the snapshot of Network Policy on HiveManager after configuration:


    HiveManager will leverage the A3 registration and isolation networks for onboarding enforcement. Registration is the default role a client gets when it first connects. Here are the registration and isolation network settings on A3 in this demo setup. They are set up during the A3 initialization process; A3 is the gateway for clients in those networks (inline enforcement).


    On A3, you will need to configure the onboarding portal (Connection Profiles) and create rules that assign clients to roles based on the authentication source, then map those roles to the user profiles defined in HiveManager. Provisioners and compliance can also be configured if needed.

    Here is a screenshot of the onboarding portal as shown to a user connecting to the onboarding SSID A3-Onboarding for the first time.

    CLIENT ONBOARDING PROCESS

    Here is the workflow once configuration is complete.

    When a user onboards a device on the onboarding SSID, the following happens:

    1) Authenticated through Student Onboarding (Google login in this setup)

    o All devices are provisioned with a certificate and the enterprise wireless network SSID A3-K12

    2) Authenticated through Employee Onboarding (domain username and password required)

    o Windows and macOS devices are provisioned with a certificate and the enterprise wireless network SSID A3-.1x

    o Android devices are provisioned with the enterprise wireless network SSID A3-.1x using username/password login

    3) Authenticated through GitHub social login: the device is placed in the Guest user profile and can reach the Internet only (enforced by the HiveOS firewall policy on the Guest user profile)

    4) Guest sign-up has several options:


    o Self-registration through SMS-based or email-based registration: the device is placed in the Guest user profile and can reach the Internet only

    o Self-registration through the Null source (acceptable use policy only): the device is placed in the Guest user profile and can reach the Internet only

    o Sponsor-based registration: the device is placed in the Contractors user profile

    CLIENT ASSOCIATION AFTER ONBOARDING

    After successful onboarding, users connect to the access SSID that matches their role:

    • The onboarding SSID also serves as the network access SSID for the Guest and Contractors user profiles in this example.

    • Students connect to SSID A3-K12 and the device is placed in the Student user profile.

    • Employees connect to SSID A3-.1x:

    o If a certificate is used for RADIUS authentication, the device is placed in the Employees user profile.

    o If a username and password are used for RADIUS authentication, the device is placed in the BYOD user profile.

    • The default user profile for both secure SSIDs A3-K12 and A3-.1x is Registration. Only devices that A3 assigns to one of the user profiles configured for the SSID can reach network resources; any other device falls back to the Registration user profile and its traffic goes through the A3 gateway (inline enforcement in this case).


    CONFIGURATION STEP FOR THIS INTEGRATION

    HIVEMANAGER NG CONFIGURATION

    First, create a new network policy called A3-Demo.

    ONBOARDING SSID CONFIGURATION

    Create a new wireless network for client onboarding SSID using the following settings:

    SSID Name: A3-Onboarding

    SSID Broadcast Name: A3-Onboarding

    SSID Authentication: Open

    MAC Authentication: On

    Create a new default RADIUS server group called A3_radius and make sure “Permit Dynamic Change of Authorization Messages (RFC3576)” is checked; A3 relies on CoA/Disconnect messages to move a client to its new user profile after onboarding without waiting for it to reconnect.

    Add a new External RADIUS Server with these settings:

    Name: A3_RADIUS

    IP Address/HostName:

    RADIUS Shared Secret:


    Create a new User Profile:

    Name: Registration

    VLAN: [A3 Registration VLAN]

    Check Apply a different user profile to various clients and user groups

    Check Allow user profiles assignment using RADIUS attributes in addition to three tunnel RADIUS attributes

    Select Standard RADIUS attributes, and choose 11_Filter-ID from the drop-down box

    Add a new user profile with the following settings and then save the user profile:

    Name: Isolation-A3

    In the row containing your new Isolation user profile, add a new user profile assignment rule with the following settings and then save the assignment rule:

    Name: Isolation

    Add RADIUS Attribute: isolation

    Add a new user profile with the following settings and then save the user profile:

    Name: Contractors

    VLAN: 1

    Firewall Rule: On

    IP Firewall: WebOnly


    In the row containing your new Contractors user profile, add a new user profile assignment rule with the following settings and then save the assignment rule:

    Name: Contractors-A3

    Add RADIUS Attribute: Contractors

    Add a second user profile with the following settings and then save the user profile:

    Name: Guest

    VLAN: 1

    Firewall Rule: On

    IP Firewall: Guest-Internet-Access-only


    In the row containing your new Guest user profile, add a new user profile assignment rule with the following settings, then save the assignment rule:

    Name: Guest-A3

    Add RADIUS Attribute: guest

    SECURE SSID CONFIGURATION FOR CORPORATE OWNED AND BYOD DEVICES

    Now create a new wireless network for corporate-owned and BYOD device access after successful onboarding, using the following settings:

    SSID Name: A3-.1x

    SSID Broadcast Name: A3-.1x

    SSID Authentication: Enterprise

    Default RADIUS Server Group: A3_radius

    Default User Profile: Registration


    Check Apply a different user profile to various clients and user groups

    Check Allow user profiles assignment using RADIUS attributes in addition to three tunnel RADIUS attributes

    Select Standard RADIUS attributes, and choose 11_Filter-ID from the drop-down box

    Add a user profile with the following settings and then save the user profile:

    Name: Isolation

    In the row containing your new Isolation user profile, add a new user profile assignment rule with the following settings and then save the assignment rule:

    Name: Isolation

    Add RADIUS Attribute: isolation

    Add a new user profile with the following settings and then save the user profile:

    Name: Employees

    VLAN: 1

    In the row containing your new Employees user profile, add a new user profile assignment rule with the following settings and then save the assignment rule:


    Name: Employees-A3

    Add RADIUS Attribute: Employees

    Add a second user profile with the following settings and then save the user profile:

    Name: BYOD

    VLAN: 1

    In the row containing your new BYOD user profile, add a new user profile assignment rule with the following settings, then save the assignment rule:

    Name: BYOD-A3

    Add RADIUS Attribute: BYOD

    Note: When entering the RADIUS attribute value in each user profile assignment rule above, make sure the value is exactly the string A3 sends as Filter-Id for that role, i.e. the value entered for the role under Role by Switch Role in the A3 switch group configuration (see RADIUS Configuration). A value that matches no rule is not an error on the AP: the client simply lands in the default user profile of the SSID, Registration.
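As an added illustration (not from the Aerohive guide, nor A3 or HiveOS code), here is a Python model of the exchange just configured: A3 returns an Access-Accept carrying Filter-Id, and the AP validates the Response Authenticator with the shared secret before mapping the value to a user profile using the assignment rules above. The shared secret, Request Authenticator and packet contents are constructed for the example; the assignment table copies the rule values from this section, and the fallback to Registration mirrors the SSID default profile.

```python
import hashlib
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 2868)
ACCESS_ACCEPT = 2
FILTER_ID = 11
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

# HiveManager user-profile assignment rules from this guide, keyed by the
# Filter-Id string A3 sends (the "Role by Switch Role" text for each A3 role).
ASSIGNMENT_RULES = {
    "isolation": "Isolation",
    "Contractors": "Contractors",
    "guest": "Guest",
    "Employees": "Employees",
    "BYOD": "BYOD",
}
DEFAULT_PROFILE = "Registration"   # the SSID default user profile in this guide


def encode_attr(attr_type, value):
    """Type(1) Length(1) Value; Length counts the two header bytes."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must be 0..253 bytes")
    return bytes((attr_type, len(value) + 2)) + value


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """What A3 (the RADIUS server) sends back. The Response Authenticator is
    MD5(Code | ID | Length | RequestAuthenticator | Attributes | Secret), so the
    AP can tell the reply came from a peer holding the shared secret."""
    attrs = b"".join(encode_attr(t, v) for t, v in attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attributes(data):
    """Walk the attribute list strictly: a bad Length byte is rejected, not skipped."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > len(data):
            raise ValueError("invalid attribute length")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def verify_and_decode(packet, request_authenticator, secret):
    """What the AP must do before acting on any attribute: check the Response
    Authenticator with the shared secret. A forged or altered Access-Accept, or
    one from a server configured with a different secret, is rejected here."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    if expected != packet[4:20]:
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    return parse_attributes(attrs)


def strip_tag(value):
    """Tunnel-* attributes may start with a Tag byte in 0x00..0x1F (RFC 2868)."""
    return value[1:] if value and value[0] <= 0x1F else value


def select_user_profile(attrs):
    """Apply the assignment rules. An absent or unmatched Filter-Id falls back to
    the SSID default profile (Registration), which is the quarantine path in this
    guide. The tunnel VLAN, if A3 sends one, is returned too for comparison."""
    filter_id = vlan = None
    for attr_type, value in attrs:
        if attr_type == FILTER_ID:
            filter_id = value.decode("ascii", "replace")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            vlan = strip_tag(value).decode("ascii", "replace")
    return ASSIGNMENT_RULES.get(filter_id, DEFAULT_PROFILE), vlan


if __name__ == "__main__":
    secret = b"example-shared-secret"   # constructed for this example only
    req_auth = bytes(range(16))          # stand-in for the Access-Request Authenticator
    reply = build_access_accept(7, req_auth, secret, [(FILTER_ID, b"Employees")])
    print(select_user_profile(verify_and_decode(reply, req_auth, secret)))
    try:
        verify_and_decode(reply[:-1] + b"\x00", req_auth, secret)   # altered in transit
    except ValueError as err:
        print("rejected:", err)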

    SECURE SSID CONFIGURATION FOR SCHOOL USING GSUITE(GOOGLE LOGIN)

    The configuration is very similar to A3-.1x: clone the A3-.1x SSID, rename it A3-K12, and then modify the User Access Settings accordingly (the user profile and assignment rule for the Student role).


    Save the SSID and then push the configuration to your APs.


    PKI SERVER SETUP

    A PKI server must be set up before you can configure A3 to deliver certificates during the onboarding process and enable certificate-based authentication on the secure SSIDs.

    A3 installs its own PKI by default for demo purposes; it is not recommended for production use. It is reachable over HTTPS on port 9393 for access and configuration.

    Refer to the Microsoft PKI (MSPKI) Quick Installation Guide for A3 integration details.

    GENERATE SERVER CERTIFICATE FOR A3

    In this configuration we are using the Microsoft PKI, which means all certificates are issued by the CA of the MSPKI.

    For RADIUS EAP-TLS authentication you also need to generate a server certificate for Aerohive A3.

    To generate the server certificate, the Web Server template will be used.

    Next, create the private key and certificate signing request (CSR) on the A3 server and submit the CSR to the NDES/CertSrv enrollment server. Connect to Aerohive A3 via SSH and run the following to generate a new 2048-bit RSA key and a CSR signed with it:

    openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

    You will be prompted for the subject fields; here is an example of a valid configuration.

    • CN=Aerohive A3

    • C=US

    • ST=CA

    • Locality=Milpitas

    • Organization=Aerohive A3

    • Organization Unit=TME


    No field is mandatory other than the CN.

    Once you have your CSR, submit it to the NDES server.

    To submit the request, paste the contents of the CSR into the MSPKI enrollment website. The URL for the request is http:///CertSrv/.

    When the page loads, click Request a certificate, then select advanced certificate request. Paste the contents of your CSR file, select the Web Server template and click Submit. On the next page select Base 64 encoded and click Download certificate.

    This gives you the signed server certificate (public key) for Aerohive A3.

    Now download the CA certificate from the same site: http:///CertSrv/.

    Click Download a CA certificate, certificate chain or CRL, select your CA certificate in the list, select Base 64 as the encoding method and finally click Download CA certificate.


    Keep the EAP-TLS certificate set separate from the certificates used by the PKI server itself. Before installing the files, confirm with openssl that the server certificate chains to the downloaded CA certificate and that it matches the private key generated with the CSR.

    Copy the files to Aerohive A3 and ensure they are readable by the user pf (and that the private key is readable by nobody else):

    # chown pf:pf /usr/local/pf/conf/ssl/tls_certs/*

    One set consists of three files: the CA certificate, the server certificate and the server private key.

    • Private key of the server (obtained while generating the CSR)

    • Certificate for the server (obtained from the submitted CSR)

    • CA certificate (downloaded from the NDES website)

    All three files are needed for RADIUS EAP-TLS authentication later.

    Only the CA certificate and the server certificate are needed for the PKI provider configuration.


    A3 CONFIGURATION

    AUTHENTICATION SOURCE CONFIGURATION

    DEFINE THE ROLES MAPPING TO USER PROFILE IN HIVEMANAGER

    Before you proceed with the A3 configuration, make sure each HiveManager user profile has a corresponding role defined in A3, under Configuration > POLICIES AND ACCESS CONTROL > Roles.

    These role names are what A3 sends as the Filter-Id value in the RADIUS Access-Accept to the Aerohive APs. To enable this, go to Configuration > ADVANCED ACCESS CONFIGURATION > Filter Engines > Switch filters and add the lines shown in the screen capture.


    A3 can authenticate users who register devices via the captive portal using various methods.

    Each authentication source you define has a set of rules, conditions and actions.

    Multiple authentication sources can be defined. Each source can have multiple rules, which are tested in the order specified; rules can be reordered. Conditions can be defined on a rule so that it matches only certain criteria. When a rule's conditions match, its actions are applied and rule testing stops across all sources: this is a "first match wins" operation.

    A rule with no conditions is a catch-all: its actions are applied to every user who authenticates against that source, so place it after any more specific rules in the same source.

    Once a source is defined, it can be used from Configuration > Policies and Access Control > Connection Profiles. Each connection profile has a list of authentication sources to use.

    WINDOW AD AUTHENTICATION FOR ENTERPRISE ACCESS AND SPONSOR-BASED REGISTRATION

    Configuration > POLICIES AND ACCESS CONTROL > Domains

    To authenticate users against Windows AD, first join the domain under Configuration > POLICIES AND ACCESS CONTROL > Domains > Active Directory Domains. In this configuration guide the IP address of the Windows AD server is 10.16.196.10.

    Also remember to set up the realm-to-domain mappings under Configuration > POLICIES AND ACCESS CONTROL > Domains > REALMS.


    Configuration > POLICIES AND ACCESS CONTROL > Authentication Sources

    Now go to Configuration > POLICIES AND ACCESS CONTROL > Authentication Sources and create a new internal AD type authentication source named WindowsAD. Refer to the screenshots below for the configuration details.


    The configured authentication rules set the role to BYOD for any user authenticated through WindowsAD.


    The configured administration rules only allow Windows AD users who belong to the group Sponsor to approve a sponsor-based registration.

    EAP-TLS AUTHENTICATION

    Now set up the EAP-TLS authentication method for clients provisioned with a certificate.

    Configuration > ADVANCED ACCESS CONFIGURATION > PKI Providers

    This assumes you already have the PKI server set up, have generated and signed the A3 server certificate as described above, and have copied the following files to a folder on A3:

    • Certificate for server (obtained from the submitted CSR)

    • CA Certificate (downloaded from the NDES website)

    Add PKI providers under Configuration > ADVANCED ACCESS CONFIGURATION > PKI Providers and select SCEP.

    Fill out the PKI provider form according to your certificate authority configuration.

    For the URL it will be http:///CertSrv/mscep/.

    You do not need any Username/Password combination for this configuration.

    The "Server cert path" and "CA cert path" both need to be absolute.

    The "Common name attribute" field defines how the certificate is generated and what kind of "ownership" associates the certificate with the connection. If you select MAC address, the certificate is issued with the device's MAC address as the identifier; if you select Username, it is issued with the user's login name on the authentication backend.


    Configuration > POLICIES AND ACCESS CONTROL > Authentication Sources

    Now go to Configuration > POLICIES AND ACCESS CONTROL > Authentication Sources and create a new internal EAPTLS type authentication source named EAPTLS. Refer to the screenshots below for the configuration details, and pay attention to the authentication rules: A3 sets the role to Employee when a user authenticates through this EAPTLS source.

    In the K12 use case students also authenticate through EAP-TLS, so does this mean K12 students will also be given the Employee role? Read on; the answer is in the connection profile configuration, where the K12 profile reuses the role computed on the onboarding portal instead of recomputing it from the 802.1X authentication.


    Note: You also need to install the A3 server certificate for RADIUS EAP-TLS authentication. To use the certificates issued by the MSPKI, edit the RADIUS EAP configuration file.

    Edit /usr/local/pf/conf/radiusd/eap.conf and, in the tls configuration block, point the following lines at your new certificates:

    private_key_file = [% install_dir %]/conf/ssl/tls_certs/server.key

    certificate_file = [% install_dir %]/conf/ssl/tls_certs/server.pem

    ca_file = [% install_dir %]/conf/ssl/tls_certs/MyCA.pem

    Certificate revocation checking is configured in the ocsp sub-block of tls, for example:

    ocsp {
        enable = yes
        override_cert_url = yes
        url = "http:///ocsp"
    }

    With enable = yes, FreeRADIUS treats an unreachable responder as a failed check and rejects the client certificate unless softfail = yes is also set in this block, so confirm that the responder URL is reachable from the A3 host before restarting radiusd.

    Restart radiusd to regenerate the configuration files and enable EAP-TLS with your CA-signed certificates:

    # /usr/local/pf/bin/pfcmd service radiusd restart

    OTHER TYPES OF AUTHENTICATION

    Now set up the other authentication methods, such as social login or a billing gateway.

    Configuration > POLICIES AND ACCESS CONTROL > Authentication Sources

    Now go to Configuration > POLICIES AND ACCESS CONTROL > Authentication Sources and create the authentication sources below.

    o Add an External > GitHub source named GitHub. Set up its authentication rules so that A3 sets the role to Guest when a user is authenticated by this method.

    o Add an External > Google source for Google social login named Google_PF. Set up its authentication rules so that A3 sets the role to Student when a user is authenticated by this method.

    o Modify the external source named Null and configure its authentication rules so that A3 sets the role to guest when a user is authenticated by this method.


    o Modify the external source named email and configure its authentication rules so that A3 sets the role to guest when a user is authenticated by this method.

    o Modify the external source named sms and configure its authentication rules so that A3 sets the role to guest when a user is authenticated by this method.

    o Modify the external source named sponsor and configure its authentication rules so that A3 sets the role to Contractors when a user is authenticated by this method.

    * Refer to this link for details on how to set up OAuth2 authentication:

    https://packetfence.org/doc/PacketFence_Administration_Guide.html#_oauth2_authentication
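To make the ordering semantics concrete, here is an added Python model (not A3 code) of the "first match wins" evaluation described under Authentication Source Configuration, loaded with the sources and rules configured in this section. It assumes a source's rules are only consulted for the source the user actually authenticated against, and it adds a hypothetical "Domain Admins" rule on WindowsAD to show what happens when a catch-all is placed ahead of a more specific rule. The user records are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    rule_class: str     # "authentication" sets the role; "administration" grants portal rights
    conditions: tuple   # ((attribute, operator, value), ...); an empty tuple is a catch-all
    actions: dict


@dataclass
class Source:
    name: str
    rules: tuple        # evaluated in this order


def condition_matches(cond, user):
    attribute, operator, value = cond
    actual = user.get(attribute)
    if operator == "equals":
        return actual == value
    if operator == "is member of":      # AD memberOf style, multi-valued attribute
        return value in (actual or ())
    raise ValueError(f"unsupported operator: {operator}")


def first_match(sources, user, rule_class):
    """First match wins across all sources: the first rule of the requested class
    whose conditions all hold ends the search. Returns (source, rule) or None."""
    for source in sources:
        if source.name != user["source"]:     # assumption: only the authenticating source applies
            continue
        for rule in source.rules:
            if rule.rule_class != rule_class:
                continue
            if all(condition_matches(c, user) for c in rule.conditions):
                return source, rule
    return None


def compute_role(sources, user):
    hit = first_match(sources, user, "authentication")
    return hit[1].actions.get("set_role") if hit else None


def can_sponsor(sources, user):
    """Mirrors the guide's administration rule: only AD users in group Sponsor may approve."""
    hit = first_match(sources, user, "administration")
    return bool(hit) and hit[1].actions.get("set_access_level") == "Sponsor"


def catch_all(role):
    return Rule("catch-all", "authentication", (), {"set_role": role})


# Rule set from this guide. DOMAIN_ADMINS_EMPLOYEE is a hypothetical addition used below.
BYOD_CATCH_ALL = catch_all("BYOD")
DOMAIN_ADMINS_EMPLOYEE = Rule("domain admins", "authentication",
                              (("memberOf", "is member of", "Domain Admins"),),
                              {"set_role": "Employee"})
SPONSOR_ADMIN = Rule("sponsors", "administration",
                     (("memberOf", "is member of", "Sponsor"),),
                     {"set_access_level": "Sponsor"})

SOURCES = (
    Source("WindowsAD", (BYOD_CATCH_ALL, SPONSOR_ADMIN)),
    Source("EAPTLS", (catch_all("Employee"),)),
    Source("GitHub", (catch_all("guest"),)),
    Source("Google_PF", (catch_all("Student"),)),
    Source("Null", (catch_all("guest"),)),
    Source("email", (catch_all("guest"),)),
    Source("sms", (catch_all("guest"),)),
    Source("sponsor", (catch_all("Contractors"),)),
)

# The same WindowsAD source with the specific rule after the catch-all: it can never fire.
SHADOWED = (Source("WindowsAD", (BYOD_CATCH_ALL, DOMAIN_ADMINS_EMPLOYEE, SPONSOR_ADMIN)),)
# Correct ordering: specific rule first, catch-all last.
ORDERED = (Source("WindowsAD", (DOMAIN_ADMINS_EMPLOYEE, BYOD_CATCH_ALL, SPONSOR_ADMIN)),)

if __name__ == "__main__":
    alice = {"source": "WindowsAD", "username": "alice", "memberOf": ["Sponsor", "Domain Admins"]}
    print(compute_role(SOURCES, alice), can_sponsor(SOURCES, alice))
    print(compute_role(SHADOWED, alice), compute_role(ORDERED, alice))
```

The shadowed ordering is the mistake to watch for when you extend the WindowsAD rules later: the catch-all that gives every domain user BYOD is exactly what the guide configures, and anything more specific has to sit above it.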

    RADIUS CONFIGURATION

    Now that all needed authentication sources are configured, set up the network device settings so that A3 and the Aerohive APs can communicate.

    Configuration > POLICIES AND ACCESS CONTROL > Network Devices > Switch Groups

    Go to Configuration > POLICIES AND ACCESS CONTROL > Network Devices > Switch Groups and click Add Switch Group; this is the placeholder for the device settings shared by all APs.

    Configure Aerohive Devices as follows:

    Definition

    Group Name: Aerohive

    Type: Aerohive AP

    Mode: Production

    Deauthentication Method: RADIUS

    User CoA: check to enable

    External Portal Enforcement: uncheck to disable

    Roles

    Role by VLAN ID: uncheck to disable

    Role by Switch Role: check to enable

    Fill in the user role names in the text field (these are the Filter-Id values sent to the APs and must match the HiveManager assignment rules):


    RADIUS

    Secret Passphrase: [RADIUS shared secret]

    Go to Configuration > POLICIES AND ACCESS CONTROL > Network Devices > Switch, click Add Switch to Group and enter the Aerohive APs' network in the field IP Address/MAC Address/Range (CIDR).

    You could also override the values defined in the Switch Group here if needed.


    PROVISIONERS CONFIGURATION

    You can skip this section if device provisioning is not required.

    Go to Configuration > Advanced Access Configuration > Provisioners.

    Select the Android / iOS / Windows provisioner. Enter the SSID information and the roles to which the provisioner applies. Repeat for all desired provisioners.

    You have to create a provisioner for each type of OS on your network.

    If EAP-TLS provisioning is desired, you have to configure a PKI before going any further.

    You will need to add those provisioners to your Connection Profile configuration later.

    The following screenshot shows a sample provisioner configuration for the corporate access SSID A3-.1x.

    PORTAL CONFIGURATION

    Depending on the workflow you want to deploy, there are two ways to customize the A3 onboarding portal:

    • Basic approach

    o Add authentication source under Configuration > POLICIES AND ACCESS CONTROL > Connection Profiles

    o Leave Root Portal Module as default

    o Suitable when no customized workflow is needed for the different roles


    • Advanced approach

    o Leave authentication source empty under Configuration > POLICIES AND ACCESS CONTROL > Connection Profiles

    o Root Portal Module customization is needed for the workflow described in the previous section

    Configuration > POLICIES AND ACCESS CONTROL > Connection Profiles

    If the basic approach is sufficient, all you need to configure is the required authentication sources in your connection profile. The default connection profile includes all the authentication sources defined in the previous steps.

    Filters are used when there are multiple connection profiles: A3 responds with the portal page of the connection profile whose filter conditions match the connection.

    To enable provisioning during onboarding, add the Provisioners defined in the previous step.

    To enable Postural Assessment, add the Scanners here as well if applicable.

    In this guide we need to create three different connection profiles:

    • Onboarding Connection Profile for all type of users : K12, guest, corporate user

    • K12 Connection profile for secure SSID: A3-K12

    • Corporate Connection profile for secure SSID: A3-.1x

    The onboarding connection profile uses the advanced approach, with the customized onboarding portal configured in the Root Portal Module. The other two profiles use the basic approach:

    • K12 connection profile for secure SSID: A3-K12

    • Corporate connection profile for secure SSID: A3-.1x

    CONNECTION PROFILE CONFIGURATION FOR K12 Configure SSID A3-K12 as the filter; this connection profile is used for the K12 secure SSID connection.

    Uncheck Dot1x recompute role from portal, so that A3 reuses the role initially computed on the onboarding portal; in this case Google login set the user to the Student role.

    Add EAPTLS as the only source, so that only certificate authentication (provisioned after Google OAuth) is supported on this connection.

    CONNECTION PROFILE FOR CORPORATE USERS Configure SSID A3-.1x as the filter; this connection profile is used for the corporate secure SSID connection.


    Add both WindowsAD and EAPTLS as sources, so that both username/password and certificate authentication are supported on this connection.

    Check Dot1x recompute role from portal, so that the role is computed from the 802.1X identity instead of being reused from the onboarding portal. The authentication sources define the following rules:

    • Username/password login sets the client's role to BYOD

    • Certificate authentication sets the client's role to Employee

    ONBOARDING CONNECTION PROFILE CONFIGURATION Here is a screenshot of the onboarding profile settings; it is relatively simple, as most of the configuration is done in the Root Portal Module.


    Configuration > ADVANCED ACCESS CONFIGURATION > Portal modules

    The A3 captive portal flow is highly customizable. This section will cover the Portal Modules which are used to define the behavior of the captive portal.

    First, a brief description of the available Portal Modules:

    • Root: This is where it all starts. This module is a simple container that defines all the modules applied, in a chain, to the user. Once the user has completed all modules contained in the Root, he is released onto the network.

    • Choice: Offers the user a choice between multiple modules. The default_registration_policy is a good example of a choice offered to the user.

    • Chained: Defines a list of modules that a user must go through in the order they are defined, e.g. register via Google+ and then pay for access using PayPal.

    • Authentication: The authentication modules can be of many types. You would define one of these modules in order to override the required fields, the source to use, the template or any other module attribute.

    o Billing: Defines a module based on one or more billing sources.

    o Choice: Defines a module based on multiple sources and modules with advanced filtering options. See the section Authentication Choice module below for a detailed explanation.


    o Login: Allows you to define a username/password based module with multiple internal sources (Active Directory, LDAP, …)

    o Other modules: The other modules are all based on the source type they are assigned to; they let you select the source, the AUP acceptance, and mandatory fields if applicable.

    To create the onboarding portal page used in this guide, here is the full configuration in Portal Modules:

    As you can see from the above configuration, because the authentication sources are already specified in the Portal Modules, there is no need to configure them in the Connection Profiles in this case.
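    The Root, Chained and Choice modules described above compose into a tree that decides what the portal presents next and when the user is released. The following is an added example, not A3 code or configuration: it models that composition in Python, with constructed module names (google_plus, local_login, aup, paypal) chosen to mirror the register-then-pay scenario mentioned under Chained.

```python
"""Added example (not A3 code): how Root, Chained and Choice portal modules
compose. A Root behaves as a Chained container; Chained requires every child
in order; Choice is satisfied by any one of its alternatives."""
from dataclasses import dataclass, field


@dataclass
class Module:
    name: str
    kind: str = "leaf"   # "chained", "choice", or "leaf" (an authentication/AUP/billing step)
    children: list = field(default_factory=list)


def is_complete(module, done):
    """True when the module counts as completed, given the set of completed leaf names."""
    if module.kind == "leaf":
        return module.name in done
    if module.kind == "choice":
        return any(is_complete(c, done) for c in module.children)
    return all(is_complete(c, done) for c in module.children)   # chained / root


def next_steps(module, done):
    """Leaf modules the portal may present next, or [] when the module is complete.

    Chained: descend into the first incomplete child only (order is enforced).
    Choice: offer every alternative that is still open.
    """
    if is_complete(module, done):
        return []
    if module.kind == "leaf":
        return [module.name]
    if module.kind == "choice":
        options = []
        for c in module.children:
            options.extend(next_steps(c, done))
        return options
    for c in module.children:          # chained: stop at the first incomplete child
        if not is_complete(c, done):
            return next_steps(c, done)
    return []


def released(root, done):
    """The user is released onto the network once the Root is complete."""
    return is_complete(root, done)


# Constructed tree: register via Google+ OR a local login, then accept the AUP,
# then pay with PayPal. Names are illustrative, not A3 module identifiers.
ROOT = Module("root", "chained", [
    Module("register", "choice", [Module("google_plus"), Module("local_login")]),
    Module("aup"),
    Module("paypal"),
])

if __name__ == "__main__":
    print(next_steps(ROOT, set()))                     # both registration options
    print(next_steps(ROOT, {"local_login"}))           # AUP comes next
    print(released(ROOT, {"google_plus", "aup", "paypal"}))
```

    The point of the model is the asymmetry between the two containers: a Choice is satisfied by any one child, so a user who registered with local_login is never asked for google_plus, while the Chained Root refuses to release the user until aup and paypal are also done, in that order.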

    POSTURE ASSESSMENT ENFORCEMENT

    A3 can ensure a high level of security on your network by enforcing compliance with your acceptable use policy. No configuration is needed on HiveManager to enable this functionality.

    There are 3 compliance modules for this feature:

    Fingerbank Profile: uses the Fingerbank solution to accurately identify an endpoint on your network (device profiling or fingerprinting). No configuration is needed, as it is initialized during the setup process.

    Scans: A3 can use active vulnerability scanners such as Nessus or OpenVAS, or Windows Management Instrumentation (WMI) queries, to proactively scan endpoints for security problems. You define the scanners being used here.

    Violations: where you tie security events (malware detection, unauthorized operating system, etc.) to actions such as quarantining endpoints, sending email alerts and showing remediation instructions on the captive portal.

    SCANNER CONFIGURATION

    First, create a scan definition by going to Configuration > Compliance > Scans > Scan Engines, then add a scan:

    If you have configured a WMI scan engine, you also need to define WMI Rules. WMI exposes a queryable repository of management data on each Windows device; to retrieve information from it you need to know the right query, written in WQL, WMI's SQL-like query language. To help you find the right class and property and build a rule, you can use a third-party tool such as WMI Explorer.

    Go to Configuration > Compliance > Scans > WMI Rules Definition:

    There are already 7 rules defined:

    Let’s take a look at the predefined Software_Installed rule:

    This rule does the following:

    • Retrieves all the software installed on the device and tests whether the Caption attribute contains "Google".

    • If it matches, triggers a violation (with the trigger internal::888888) for the MAC address of the device.

    VIOLATIONS CONFIGURATION

    A3 already ships with many predefined violation rules; create a new violation definition only if needed.

    When you create a new violation, you have to specify its trigger:

    • Using Nessus:

    trigger=Nessus::<violationId>

    • Using OpenVAS:

    trigger=OpenVAS::<violationId>

    Where violationId is either the ID of the Nessus plugin or the OID of the OpenVAS plugin to check for.

    To create the WMI violation for the Software_Installed rule defined in the earlier section, pick Internal as the trigger type, type in 888888 and click Add.

    Then enable the rule in the Definition tab and set the Actions accordingly. Depending on your use case, you may also need to add Whitelisted Roles, i.e. roles whose endpoints are exempt from this violation.

    In the Remediation tab, set the following fields accordingly: Auto Enable, Template, etc. The Template sets the look and feel of the redirect page shown to a host in violation.

    ASSIGN SCAN DEFINITION TO CONNECTION PROFILES

    The last step is to assign one or more of the scanners you configured to one or more connection profiles. Go to Configuration > Policies and Access Control > Connection Profiles > Edit a Profile > Add Scan.

    * Once you have finished the configuration, any Windows client with a Google application installed will be moved to the Isolation role. You may need to reload the violation-related database contents using:

    $ pfcmd reload violations