Friday, December 9, 2016

SNMPv3 with Aerohive APs and Net-SNMP

In this blog post I am going to explain how to configure SNMPv3 on Aerohive APs and test it using Net-SNMP.

SNMPv3 introduces three different security levels (combinations of authentication and privacy):

1) NoauthNoPriv - only the username is used, no authentication and no encryption
2) authNoPriv - username and authentication password are used, but no encryption
3) authPriv - username, authentication password and encryption (privacy) password

Given below are the few things that need to be configured to allow SNMP access to the Aerohive AP,

1) This is how to configure NoauthNoPriv in the Aerohive AP (using HiveManager)





Use this command in Net-SNMP to do an snmpwalk,

snmpwalk -v 3 -u user1 -l NoauthNoPriv 172.16.1.75

2) This is how to configure authNoPriv in the Aerohive AP (using HiveManager)




Use this command in Net-SNMP to do an snmpwalk,

snmpwalk -v 3 -u user1 -l authNoPriv 172.16.1.75 -a MD5 -A aerohive123

3) This is how to configure authPriv in the Aerohive AP (using HiveManager)




Use this command in Net-SNMP to do an snmpwalk,

snmpwalk -v 3 -u user1 -l authPriv 172.16.1.75 -a MD5 -A aerohive123 -x AES -X 123aerohive






Monday, October 17, 2016

Enable https management interface in Aerohive SR2208P, SR2224P, SR2324P and SR2348P

1) SSH in to the switch,

username : admin
password : found under the device management settings

2) (AH-Switch) (Config)#crypto certificate generate


3) (AH-Switch) #ip http secure-server

4) (AH-Switch) #show ip http

HTTP Mode (Unsecure)........................... Disabled
Java Mode.................................................. Enabled
HTTP Port........................................................... 80
Maximum Allowable HTTP Sessions................... 3
HTTP Session Hard Timeout...................... 24 hours
HTTP Session Soft Timeout...................... 5 minutes

HTTP Mode (Secure)............................. Enabled
Secure Port..................................................... 443
Secure Protocol Level(s)................... TLS1 SSL3
Maximum Allowable HTTPS Sessions............. 4
HTTPS session hard timeout................. 24 hours
HTTPS session soft timeout................ 5 minutes
Certificate Present........................................ True
Certificate Generation In Progress............. False



5) Access the web interface using the management IP address



Monday, October 10, 2016

Aerohive SR2224P port routing configuration example

With this configuration one physical port needs to be allocated per subnet.

--- in configure mode ---

ip routing         %enable routing globally


interface 1/0/1
routing
ip address 192.168.1.1 255.255.255.0
exit

interface 1/0/2
routing
ip address 192.168.2.1 255.255.255.0
exit





Sunday, October 9, 2016

Aerohive 2324P, 2348P SFP not working, how to fix?

If you run into the issue that on the SR2348P and SR2324P the SFPs don't link up (the LED does not turn on when the SFP modules and cables are connected from one switch to another), it is probably a speed mismatch issue: the SFP doesn't work in auto mode. Set the speed according to the SFP module you are using,

(AH-Switch)# show port all

1/0/49           Enable    Auto                  Down   Enable  Enable long
1/0/50           Enable    Auto                  Down   Enable  Enable long
1/0/51           Enable    Auto                  Down   Enable  Enable long
1/0/52           Enable    10G Full   10G Full   Up     Enable  Enable long



Check the SFP ports to see whether they are set to auto or to a specific speed. Set the speed on the switch ports at both ends of the link,

(AH-Switch) (Interface 1/0/49)#speed 10G full-duplex
(AH-Switch) (Interface 1/0/50)#speed 10G full-duplex
(AH-Switch) (Interface 1/0/51)#speed 10G full-duplex
(AH-Switch) (Interface 1/0/52)#speed 10G full-duplex

Tuesday, September 6, 2016

Aerohive ID Manager (IDM) private pre shared key (PPSK), how does it work ?

Aerohive IDM is an AAA server; it uses the RadSec protocol. Usually when you authenticate against an AAA server like RADIUS, the users need to enter a username and password.

What's interesting with Aerohive PPSK+IDM is that you can create a PSK (WPA2-Personal) SSID and provide a PSK per user, and these PSKs can be authenticated against a PSK list in IDM. So how does this work?

For this the SSID should be configured in HiveManager as below,

Let's say you pushed this configuration to three or more access points; two of the access points will become IDM proxies. All the access points talk to IDM through the two APs which are elected to be the RadSec proxies,

Let's say the client is connecting to the AP with hostname AH-016e80 (172.16.1.55). How do the authentication packets flow? AH-016e80 (172.16.1.55) communicates with AH-0168c0 (172.16.1.56) using RADIUS, and AH-0168c0 (172.16.1.56) authenticates the user with IDM using RadSec,


client --- AH-016e80 (172.16.1.55) ----- RADIUS ---- AH-0168c0 (172.16.1.56) --- radsec ---- IDM

Pkt capture : https://drive.google.com/open?id=0B3ctVg8ubiwUdmd0T0FKM0Z2S2M

Pkt capture : Client --- AH-016e80 (172.16.1.55)

Pkt capture : AH-016e80 (172.16.1.55) ----- RADIUS ---- AH-0168c0 (172.16.1.56)

Pkt capture : AH-0168c0 (172.16.1.56) --- radsec ---- IDM

How would you see this process in the Aerohive _debug messages?

_debug auth all

Tech data : https://drive.google.com/open?id=0B3ctVg8ubiwUX0YySndaOElWMnM

---- First connection log @ AH-016e80 (172.16.1.55)  -----

[auth_info]: received EAPOL-Key frame (4/4 Pairwise)

[auth_info]: sending 3/4 msg of 4-Way Handshake

[auth_basic]: Obtain PPSK PMK: 451F***
[auth_basic]: Query PPSK success for sta 286a:ba44:1de4, username: ruwanindika+user2@gmail.com, session-timeout: 
notice  ah_auth: authentication OK, username '28-6A-BA-44-1D-E4', service (unknown)

[auth_basic]: Sending PPSK request to external server for sta 286a:ba44:1de4

[auth_info]: ah_wpa_gen_ptk: wpa_verify_key_mic failed

[auth_basic]: try PMK stored in roaming cache, username ruwanindika+user1@gmail.com

[auth_fsm]: WPA: 286a:ba44:1de4 WPA_PTK entering state PTKCALCNEGOTIATING
[auth_info]: received EAPOL-Key frame (2/4 Pairwise)

[auth_info]: WPA: Send EAPOL(version=2 secure=0 mic=0 ack=1 install=0 pairwise=8 kde_len=0 keyidx=0 encr=0)
[auth_info]: sending 1/4 msg of 4-Way Handshake

--------------------------------------------------------


Tech data : https://drive.google.com/open?id=0B3ctVg8ubiwUNm5Qdk5GTmZyTGM

---- After first connection (authenticate from cache) log @ AH-016e80 (172.16.1.55)  -----

[auth_info]: received EAPOL-Key frame (4/4 Pairwise)


[auth_info]: sending 3/4 msg of 4-Way Handshake


[auth_basic]: STA(286a:ba44:1de4) successfully match PPSK user(ruwanindika+user2@gmail.com)
[auth_info]: wpa_verify_key_mic: data_len 121, sizeof(*hdr) + sizeof(*key) 99
[auth_dump]: PTK - hexdump(len=48): 7a bf ** **
[auth_dump]: PMK - hexdump(len=32): 45 1f ** **
[auth_info]: WPA: PTK derivation - A1=9c5d:1201:6ea4 A2=286a:ba44:1de4
[auth_info]: wpa_derive_ptk: pmk pointer 1101200632, sm->wpa_key_mgmt 2, sm->wpa_auth->addr 9c5d:1201:6ea4 sm->addr 286a:ba44:1de4
[auth_basic]: try PMK stored in roaming cache, username ruwanindika+user2@gmail.com


[auth_fsm]: WPA: 286a:ba44:1de4 WPA_PTK entering state PTKCALCNEGOTIATING
[auth_info]: received EAPOL-Key frame (2/4 Pairwise)

[auth_info]: WPA: Send EAPOL(version=2 secure=0 mic=0 ack=1 install=0 pairwise=8 kde_len=0 keyidx=0 encr=0)
[auth_info]: sending 1/4 msg of 4-Way Handshake

--------------------------------------------------------
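As an added example (not part of the original post), the following Python parses the two "_debug auth all" excerpts above, reverses them into chronological order and reports whether the PMK came from the roaming cache or from an external (proxy/IDM) query, which username matched and whether the 4-way handshake completed. The log excerpts are copied from the post; the regexes and the "external"/"roaming-cache" labels are my assumptions about the message formats, not HiveOS documentation.

```python
import re

# Two excerpts of "_debug auth all" output copied from the post. HiveOS prints the
# newest message first, so the 4-way handshake reads bottom-up.
FIRST_CONNECTION_LOG = """\
[auth_info]: received EAPOL-Key frame (4/4 Pairwise)
[auth_info]: sending 3/4 msg of 4-Way Handshake
[auth_basic]: Obtain PPSK PMK: 451F***
[auth_basic]: Query PPSK success for sta 286a:ba44:1de4, username: ruwanindika+user2@gmail.com, session-timeout:
notice  ah_auth: authentication OK, username '28-6A-BA-44-1D-E4', service (unknown)
[auth_basic]: Sending PPSK request to external server for sta 286a:ba44:1de4
[auth_info]: ah_wpa_gen_ptk: wpa_verify_key_mic failed
[auth_basic]: try PMK stored in roaming cache, username ruwanindika+user1@gmail.com
[auth_fsm]: WPA: 286a:ba44:1de4 WPA_PTK entering state PTKCALCNEGOTIATING
[auth_info]: received EAPOL-Key frame (2/4 Pairwise)
[auth_info]: sending 1/4 msg of 4-Way Handshake
"""
CACHED_CONNECTION_LOG = """\
[auth_info]: received EAPOL-Key frame (4/4 Pairwise)
[auth_info]: sending 3/4 msg of 4-Way Handshake
[auth_basic]: STA(286a:ba44:1de4) successfully match PPSK user(ruwanindika+user2@gmail.com)
[auth_basic]: try PMK stored in roaming cache, username ruwanindika+user2@gmail.com
[auth_fsm]: WPA: 286a:ba44:1de4 WPA_PTK entering state PTKCALCNEGOTIATING
[auth_info]: received EAPOL-Key frame (2/4 Pairwise)
[auth_info]: sending 1/4 msg of 4-Way Handshake
"""

# Message patterns (assumed from the excerpts above, not from HiveOS documentation).
HANDSHAKE_RE = re.compile(r"received EAPOL-Key frame \((\d)/4|sending (\d)/4 msg")
CACHE_RE = re.compile(r"try PMK stored in roaming cache, username (\S+)")
QUERY_RE = re.compile(r"Query PPSK success for sta \S+, username: ([^\s,]+)")
MATCH_RE = re.compile(r"successfully match PPSK user\(([^)]+)\)")

def analyse_ppsk_auth(log):
    """Summarise one PPSK authentication from a newest-first HiveOS auth log."""
    events = [line.strip() for line in log.splitlines() if line.strip()]
    events.reverse()                      # oldest first
    handshake, cache_candidates = [], []
    external_query = mic_failed = False
    username = None
    for line in events:
        m = HANDSHAKE_RE.search(line)
        if m:
            handshake.append(int(m.group(1) or m.group(2)))
        m = CACHE_RE.search(line)
        if m:
            cache_candidates.append(m.group(1))
        if "wpa_verify_key_mic failed" in line:
            mic_failed = True             # cached PMK did not fit this client's key
        if "Sending PPSK request to external server" in line:
            external_query = True         # AP asked the proxy/IDM for the PPSK
        m = QUERY_RE.search(line) or MATCH_RE.search(line)
        if m:
            username = m.group(1)
    return {
        "handshake": handshake,
        "complete": handshake == [1, 2, 3, 4],
        "cache_candidates": cache_candidates,
        "mic_failed": mic_failed,
        "source": "external" if external_query else "roaming-cache",
        "username": username,
    }
```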



Friday, September 2, 2016

Aerohive HiveManager not showing the correct wifi client number

I was troubleshooting an issue where the customer was complaining that the client count displayed in HiveManager was not accurate.

There was one client connected, but HiveManager showed that the client number for that AP was "0".

I thought, let's use the "show station" command on the AP to see whether the AP has this client connected, and as you can see the client with MAC 286a:ba44:1de4 is connected to the AP,

-------------------------------------------------------------
AH-0168c0#show station

Chan=channel number; Pow=Power in dBm;
A-Mode=Authentication mode; Cipher=Encryption mode;
A-Time=Associated time; Auth=Authenticated;
UPID=User profile Identifier; Phymode=Physical mode;
Ifname=wifi0.1, Ifindex=17, SSID=GUEST-PPSK:
Mac Addr       IP Addr         Chan Tx Rate Rx Rate Pow(SNR)              
-------------- --------------- ---- ------- ------- -------- 
Mac Addr       IP Addr         Chan Tx Rate Rx Rate Pow(SNR) 
-------------- --------------- ---- ------- ------- -------- 
286a:ba44:1de4 10.100.0.27       36      6M     65M  -48(42)  wpa2-psk aes ccmp 
-------------------------------------------------------------
After looking into the logs I figured out that the cause of this issue was that the customer had disabled traps over CAPWAP.

Aerohive HiveOS running on the APs sends a trap over CAPWAP to HiveManager every time a client connects or disconnects; that's how HiveManager knows when a client connects to or disconnects from the AP. If you enable CAPWAP trap debug, you can see the trap message,

AH-0168c0#_debug capwap trap

or

AH-0168c0#_debug capwap all
debug trap turned on (0x10)

AH-0168c0#show log buffer

----- client just connected ------

debug   capwap: [capwap_trap]: printf capwap send trap buffer:
debug   capwap: [capwap_trap]: Send capwap trap sequence number:6, total len:198
debug   capwap: [capwap_trap]: total trap len:190
debug   capwap: [capwap_trap]: trap management status:0
debug   capwap: [capwap_trap]: option55 :, len:0
debug   capwap: [capwap_trap]: trap os name :, len:0
debug   capwap: [capwap_trap]: trap MBA used:2
debug   capwap: [capwap_trap]: trap sta's SNR:-48
debug   capwap: [capwap_trap]: trap user profile name :USERMGR, len:7
debug   capwap: [capwap_trap]: trap sta's rssi :42
debug   capwap: [capwap_trap]: trap ifname :wifi1.1, len:7
debug   capwap: [capwap_trap]: trap association time :1472799491
debug   capwap: [capwap_trap]: trap bssid:9c5d:1201:68e4
debug   capwap: [capwap_trap]: trap client channel :36
debug   capwap: [capwap_trap]: trap user profile id :1
debug   capwap: [capwap_trap]: trap client vlan id :1
debug   capwap: [capwap_trap]: trap mac protocol :3
debug   capwap: [capwap_trap]: trap encrypt method :0
debug   capwap: [capwap_trap]: trap auth method :5
debug   capwap: [capwap_trap]: trap cwp used :2
debug   capwap: [capwap_trap]: trap client username :GUEST-PPSK, len:10
debug   capwap: [capwap_trap]: trap client username :, len:0
debug   capwap: [capwap_trap]: trap client host name :ruwans-ipad, len:11
debug   capwap: [capwap_trap]: trap client ip:10.100.0.27
debug   capwap: [capwap_trap]: trap object type:1
debug   capwap: [capwap_trap]: trap current state:1
debug   capwap: [capwap_trap]: trap remote id:286a:ba44:1de4
debug   capwap: [capwap_trap]: trap interface index:19
debug   capwap: [capwap_trap]: fill trap header len:97
debug   capwap: [capwap_trap]: trap code:5
debug   capwap: [capwap_trap]: trap description:Station 286a:ba44:1de4 is 
authenticated to 9c5d:1201:68e4 thru SSID GUEST-PPSK vid 1, length:84
debug   capwap: [capwap_trap]: trap object name:AUTH, length:4
debug   capwap: [capwap_trap]: trap type is:4
debug   capwap: [capwap_trap]: CAPWAP receive connection change trap!
debug   capwap: [capwap_trap]: Get trap information, total len:830, 
data len 816, trap type:1 internal alarm ID:0xffffffff clear:0

2016-09-02 16:58:12 info    ah_auth: Station 286a:ba44:1de4 
ip 10.100.0.27 username n/a hostname ruwans-ipad OS Apple iOS, flag = DHCP


----------------------------------


Thursday, September 1, 2016

Useful information in Aerohive Techdata file


The free disk space on your HiveManager is insufficient

If you see the error below in HiveManager when trying to generate a backup, you may still be able to generate a backup using the command line interface of the HiveManager. This could be a simpler solution than trying to clear logs and free up space. Try this at your own risk, as the backup command through the CLI doesn't do a disk space check. Usually the disk space required for a "config only" backup is much lower than what is estimated by HiveManager,

---
Unable to execute backup operation.
The free disk space on your HiveManager is insufficient:
Required free disk space:49590 M
Actual free disk space:48508 M
---





Follow the steps below to bypass the disk space check and generate a backup through the command line interface; select the option to generate a "configuration only" backup,

Follow the menu options, 3 --> 1 --> 7

1) Network Settings and Tools
2) Display System Information
3) Advanced Product Configuration
4) Reboot Appliance
5) Shut down the System
6) Change CLI Shell Password
7) Logout of shell
Please make a choice:

1) Configure HiveManager
2) Configure VM Params
3) Configure DB Params
4) Back to Parent Menu
Please make a choice:

1) Restart HM Software
2) Shut down HM Software
3) Re-initialize HM Database
4) Change HM Database Settings
5) Restore default HM HTTPS certificate
6) Revert to Previous Version of HM
7) Backup operation
8) Restore operation
9) Get Technical Support
10) Clear HM Logs
11) Clear HiveManager Access Control
12) Change HM Admin Password
13) HA Operations
14) Customize the Common Image
15) Replacement DB sync
16) Display HM Update/Restore Progress
17) Display HM version
18) Back to Parent Menu
Please make a choice:
7
The function backs up the HiveManager database and user files
Backup Content: [1] Configuration backup only; [2] Full backup
Choose a backup option:1
Remote File Server Type: [1] SCP server; [2] FTP server
Choose a remote file server type:2
IP Address/Domain Name:101.187.x.x
[If Enter nothing, will use default value 21] Port:
File Path on the remote file server:/
Login User Name:ftpuser
Login password:
23

=======================================================
Database Backup Parameters
  Backup Content: Configuration backup only
  Remote File Server Type: TCP server
  IP Address/Domain name:Port: 101.187.x.x:21
  File Path: /
Do you want to backup the database? [yes | no]
Enter "yes" or "no" :yes
backup progress  |==================================================| 100%

FTP progress     |=========================           



Wednesday, August 24, 2016

Aerohive AP packet trace using CLI

In Aerohive HiveOS you can do a packet trace to see whether the packets sent by wifi clients are forwarded to the ethernet port or dropped by the AP for some reason. This is a very useful tool for troubleshooting. To enter these commands you need to either SSH in to the AP or use a console cable. To forward these logs to a syslog server enter the command below (where "syslog server IP" is the address of your syslog server),

logging server syslog server IP level debug

Let's say that you want to see whether the ICMP (ping) request sent by the wifi client is forwarded to the ethernet interface of the AP and on to the router,

1) Create a filter that matches the packets you would like to trace

_ff id 1 src-ip 172.16.1.49 dst-ip 172.16.1.1 protocol 1 bidirectional

_ff : is the command to create a filter
id 1 : is the filter ID, you can create several filters with different ID numbers
protocol : UDP:17; TCP:6; ICMP:1

2) Enable forwarding engine debug to print the packets that match the filter we created in step 1.

_kdebug fe basic

3) Enter the command "clear log all", ping from the wifi client to 172.16.1.1 and then enter the command "show log buffered" to display the packet trace,


clear log all

ping 172.16.1.1 from the PC

show log buffered

defc3c80::L*: (i) wifi1.1 172.16.1.49->172.16.1.1(60810) ttl(64) icmp-echo-req(35330/2) 84 bytes
--> This line shows that the ICMP request is coming in from the wifi1.1 interface

defc3c80::L*: (o) eth0 172.16.1.49->172.16.1.1(60810) ttl(64) icmp-echo-req(35330/2) 98 bytes
--> This line shows that the ICMP request was forwarded to the ethernet interface

dede0560::L*: (i) eth0 172.16.1.1->172.16.1.49(39153) ttl(64) icmp-echo-reply(35330/2) 84 bytes
--> This line shows that the ICMP reply came in from the ethernet interface

dede0560::L*: (o) wifi1.1 172.16.1.1->172.16.1.49(39153) ttl(64) icmp-echo-reply(35330/2) 98 bytes
--> This line shows that the ICMP reply was sent to the wifi client via the wifi1.1 interface

*** check the time stamps to read the log messages in order

(i) = pkt coming in
(o) = pkt going out
(!) = pkt dropped
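As an added example (not part of the original post), here is a Python parser for the forwarding-engine trace lines above that pairs each packet seen entering the AP with its egress or drop line and gives a per-packet verdict, so a longer "show log buffered" capture can be checked without reading it by hand. The first four trace lines are copied from the post; the last two lines, and the assumption that a dropped packet is printed in the same layout with "(!)", are constructed.

```python
import re
from collections import defaultdict

# "show log buffered" output after "_kdebug fe basic" with filter id 1. The first four
# lines are from the post; the last two are constructed to show a drop and assume a
# dropped packet is printed in the same layout with "(!)".
TRACE = """\
defc3c80::L*: (i) wifi1.1 172.16.1.49->172.16.1.1(60810) ttl(64) icmp-echo-req(35330/2) 84 bytes
defc3c80::L*: (o) eth0 172.16.1.49->172.16.1.1(60810) ttl(64) icmp-echo-req(35330/2) 98 bytes
dede0560::L*: (i) eth0 172.16.1.1->172.16.1.49(39153) ttl(64) icmp-echo-reply(35330/2) 84 bytes
dede0560::L*: (o) wifi1.1 172.16.1.1->172.16.1.49(39153) ttl(64) icmp-echo-reply(35330/2) 98 bytes
defc3c80::L*: (i) wifi1.1 172.16.1.49->172.16.1.1(60811) ttl(64) icmp-echo-req(35330/3) 84 bytes
defc3c80::L*: (!) wifi1.1 172.16.1.49->172.16.1.1(60811) ttl(64) icmp-echo-req(35330/3) 84 bytes
"""

LINE_RE = re.compile(
    r"^(?P<flow>[0-9a-f]+)::L\*: \((?P<dir>[io!])\) (?P<ifname>\S+) "
    r"(?P<src>[\d.]+)->(?P<dst>[\d.]+)\((?P<ipid>\d+)\) ttl\((?P<ttl>\d+)\) "
    r"(?P<kind>[\w-]+)\((?P<seq>[\d/]+)\) (?P<length>\d+) bytes$"
)
DIRECTION = {"i": "in", "o": "out", "!": "dropped"}

def parse_trace(text):
    """Parse trace lines into dicts; lines that are not trace entries are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        p = m.groupdict()
        p["dir"] = DIRECTION[p["dir"]]
        for k in ("ipid", "ttl", "length"):
            p[k] = int(p[k])
        packets.append(p)
    return packets

def forwarding_verdicts(packets):
    """For every packet seen entering the AP, say whether the same packet (same
    src/dst/IP id/type/sequence; byte counts differ per interface) left on another
    interface, was dropped, or has no egress line at all."""
    by_key = defaultdict(list)
    for p in packets:
        by_key[(p["src"], p["dst"], p["ipid"], p["kind"], p["seq"])].append(p)
    verdicts = []
    for key, group in by_key.items():
        ingress = [p for p in group if p["dir"] == "in"]
        egress = [p for p in group if p["dir"] == "out"]
        dropped = [p for p in group if p["dir"] == "dropped"]
        if not ingress:
            continue
        in_if = ingress[0]["ifname"]
        if egress:
            status = f"forwarded {in_if} -> {egress[0]['ifname']}"
        elif dropped:
            status = f"dropped on {in_if}"
        else:
            status = f"received on {in_if}, no egress logged"
        verdicts.append((key[3], key[4], status))
    return verdicts
```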





Friday, August 5, 2016

Juniper SSG20 firewall DNS proxy

I got a used Juniper SSG20 and am trying to use it as my Internet gateway device. I did a factory reset (https://kb.juniper.net/InfoCenter/index?page=content&id=KB4749&actp=search), followed the wizard and set up PPPoE, a DMZ and two subnets. Usually when this is done the DNS proxy works by default in most home router type devices I have worked with, but not in the SSG20 (and the SSG20 is not a home router),

This is how to enable the DNS proxy using the GUI,











Wednesday, July 20, 2016

Find IP range used by Aerohive HMNG hosted in Amazon cloud EC2

In this example I am going to demonstrate how to find the IP ranges used by Aerohive HMNG, which is hosted in the Amazon cloud EC2 service. At the moment all HMNG instances for International customers (all customers outside of the Americas) are hosted on the "eu-west-1" servers.

1) Download "AWS Tools for Windows PowerShell" from https://aws.amazon.com/powershell/

2) Install it on a Windows server, in this example I am using Windows 2008 R2.

3) Open Windows PowerShell and enter the command "Set-ExecutionPolicy RemoteSigned"

4) Import the module AWSPowerShell

5) Now you can search for the IP address range using the command "Get-AWSPublicIpAddressRange"

In this example I want to filter the result by region (eu-west-1) and service (EC2)

Get-AWSPublicIpAddressRange -Region eu-west-1 -Service EC2






PS C:\>  Get-AWSPublicIpAddressRange -Region eu-west-1 -Service EC2

IpPrefix        Region    Service
--------        ------    -------
46.51.128.0/18  eu-west-1 EC2
46.51.192.0/20  eu-west-1 EC2
46.137.0.0/17   eu-west-1 EC2
46.137.128.0/18 eu-west-1 EC2
52.16.0.0/15    eu-west-1 EC2
52.18.0.0/15    eu-west-1 EC2
52.30.0.0/15    eu-west-1 EC2
52.48.0.0/14    eu-west-1 EC2
52.95.244.0/24  eu-west-1 EC2
52.95.255.64/28 eu-west-1 EC2
52.208.0.0/13   eu-west-1 EC2
54.72.0.0/15    eu-west-1 EC2
54.74.0.0/15    eu-west-1 EC2
54.76.0.0/15    eu-west-1 EC2
54.78.0.0/16    eu-west-1 EC2
54.154.0.0/16   eu-west-1 EC2
54.155.0.0/16   eu-west-1 EC2
54.170.0.0/15   eu-west-1 EC2
54.194.0.0/15   eu-west-1 EC2
54.216.0.0/15   eu-west-1 EC2
54.220.0.0/16   eu-west-1 EC2
54.228.0.0/16   eu-west-1 EC2
54.229.0.0/16   eu-west-1 EC2
54.246.0.0/16   eu-west-1 EC2
54.247.0.0/16   eu-west-1 EC2
79.125.0.0/17   eu-west-1 EC2
176.34.64.0/18  eu-west-1 EC2
176.34.128.0/17 eu-west-1 EC2
185.48.120.0/22 eu-west-1 EC2
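As an added example (not from the original post), the same filtering can be done without the AWS PowerShell module by reading the published ip-ranges.json document (https://ip-ranges.amazonaws.com/ip-ranges.json), which is the source the cmdlet queries; the Python below also collapses the result into a minimal firewall allowlist and checks whether a given address falls inside it. The JSON excerpt is constructed in that file's layout: the eu-west-1 EC2 prefixes are taken from the output above, the other entries are made up for contrast.

```python
import json
import ipaddress

# Constructed excerpt in the layout of ip-ranges.json. The eu-west-1/EC2 prefixes are
# from the cmdlet output above; the AMAZON and us-east-1 entries are made up.
IP_RANGES_JSON = """{
  "syncToken": "0000000000",
  "createDate": "2016-07-20-00-00-00",
  "prefixes": [
    {"ip_prefix": "46.51.128.0/18", "region": "eu-west-1", "service": "EC2"},
    {"ip_prefix": "46.51.192.0/20", "region": "eu-west-1", "service": "EC2"},
    {"ip_prefix": "52.16.0.0/15", "region": "eu-west-1", "service": "EC2"},
    {"ip_prefix": "52.18.0.0/15", "region": "eu-west-1", "service": "EC2"},
    {"ip_prefix": "52.16.0.0/15", "region": "eu-west-1", "service": "AMAZON"},
    {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "EC2"}
  ]
}"""

def load_prefixes(text, region=None, service=None):
    """Return the IPv4 networks in the document, optionally filtered by region/service
    (the same filter the -Region and -Service parameters apply)."""
    doc = json.loads(text)
    nets = []
    for entry in doc["prefixes"]:
        if region and entry["region"] != region:
            continue
        if service and entry["service"] != service:
            continue
        nets.append(ipaddress.ip_network(entry["ip_prefix"]))
    return nets

def allowlist(nets):
    """Merge adjacent/overlapping networks so the firewall rule set stays minimal,
    e.g. 52.16.0.0/15 + 52.18.0.0/15 become 52.16.0.0/14."""
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def covering_prefix(ip, nets):
    """Return the most specific network containing ip, or None if it is outside all of them."""
    addr = ipaddress.ip_address(ip)
    matches = [n for n in nets if addr in n]
    return str(max(matches, key=lambda n: n.prefixlen)) if matches else None
```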

Monday, July 11, 2016

Aerohive IPsec VPN - Phase 1 proposal mismatch with peer


2016-07-11 13:22:36:Phase 1 proposal mismatch with peer (172.16.1.5[500]->172.16.1.254[500])

I was setting up a VPN using an Aerohive VPN gateway (CVG) and an Aerohive BR200 branch router. The VPN gateway was up but the BR200 was not forming the VPN,

1) The next step is to check the IKE events on both the VPN gateway and the BR200; SSH in,

2) The BR200 is saying that there is no response from the VPN GW

AH-3f9dc0#show vpn ike event (BR200)

2016-07-11 13:58:36:Phase 1 deleted(10.100.4.237[4500]->172.16.1.5[4500])
2016-07-11 13:58:37:Phase 1 started(10.100.4.237[500]->172.16.1.5[500])
2016-07-11 13:59:26:Peer not responding(10.100.4.237[500]->172.16.1.5[500])
2016-07-11 13:59:26:Phase 1 deleted(10.100.4.237[500]->172.16.1.5[500])
2016-07-11 13:59:32:Phase 1 started(10.100.4.237[4500]->172.16.1.5[4500])
2016-07-11 14:00:21:Peer not responding(10.100.4.237[4500]->172.16.1.5[4500])

3) The VPN gateway is saying that there is a Phase 1 proposal mismatch

CVG#show vpn ike even (VPN GW)

2016-07-11 14:06:55:Phase 1 proposal mismatch with peer(172.16.1.5[4500]->172.16.1.254[4500])
2016-07-11 14:06:55:Phase 1 deleted(172.16.1.5[4500]->172.16.1.254[4500])
2016-07-11 14:07:05:Phase 1 started(172.16.1.5[4500]->172.16.1.254[4500])
2016-07-11 14:07:05:Phase 1 proposal mismatch with peer(172.16.1.5[4500]->172.16.1.254[4500])
2016-07-11 14:07:05:Phase 1 deleted(172.16.1.5[4500]->172.16.1.254[4500])
2016-07-11 14:07:15:Phase 1 started(172.16.1.5[500]->172.16.1.254[500])


4) Compare the phase 1 proposals on the VPN GW and the BR200, and you see that the AES key length does not match

AH-3f9dc0#show vpn ike conf (BR200)
 /* prop_no=1, trns_no=1, rmconf=172.16.1.5[500] */
 phase1 proposal {
  lifetime time 84669 sec;
  lifetime bytes 0;
  dh_group modp1024;
  encryption_algorithm aes;
  encryption_algorithm length 256;
  hash_algorithm sha1;
  authentication_method hybrid_rsa_client;
 }

CVG#show vpn ike configuration (VPN Gateway)
/* prop_no=1, trns_no=1, rmconf=anonymous */
 phase1 proposal {
 lifetime time 86400 sec;
 lifetime bytes 0;
 dh_group modp1024;
 encryption_algorithm aes;
 encryption_algorithm length 128;
 hash_algorithm sha1;
 authentication_method hybrid_rsa_server;
 }

5) Go to the VPN configuration and change the AES key length to 128,
6) Upload the configuration to the CVG (VPN gateway) and the BR200,
7) VPN is UP
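As an added example (not part of the original post), the following Python parses the two phase 1 proposal printouts above and lists the attributes on which the responder would reject the initiator's proposal; on the two printouts it reports the 256-vs-128 AES key length found in step 4. The proposal text is copied from the post; treating the lifetime values as informational rather than a mismatch, and accepting hybrid_rsa_client on one side paired with hybrid_rsa_server on the other, are my assumptions.

```python
import re

# Phase 1 proposals as printed by "show vpn ike conf" on the BR200 (initiator)
# and "show vpn ike configuration" on the CVG (responder), copied from the post.
BR200_CONF = """\
 /* prop_no=1, trns_no=1, rmconf=172.16.1.5[500] */
 phase1 proposal {
  lifetime time 84669 sec;
  lifetime bytes 0;
  dh_group modp1024;
  encryption_algorithm aes;
  encryption_algorithm length 256;
  hash_algorithm sha1;
  authentication_method hybrid_rsa_client;
 }
"""
CVG_CONF = """\
/* prop_no=1, trns_no=1, rmconf=anonymous */
 phase1 proposal {
 lifetime time 86400 sec;
 lifetime bytes 0;
 dh_group modp1024;
 encryption_algorithm aes;
 encryption_algorithm length 128;
 hash_algorithm sha1;
 authentication_method hybrid_rsa_server;
 }
"""

# Transform attributes that must be identical on both peers (lifetime is left out on
# the assumption that it is informational here, since the post traces the failure to these).
TRANSFORM_KEYS = ("dh_group", "encryption_algorithm",
                  "encryption_algorithm length", "hash_algorithm")
# Hybrid RSA authentication is asymmetric: the branch router is the client, the gateway the server.
AUTH_PAIRS = {("hybrid_rsa_client", "hybrid_rsa_server"),
              ("hybrid_rsa_server", "hybrid_rsa_client")}

# "key value;" or "key subkey value;" with an optional trailing unit ("sec").
ATTR_RE = re.compile(r"^\s*([a-z_]+(?: [a-z]+)?)\s+(\S+?)(?: sec)?;$")

def parse_phase1(text):
    """Return {attribute: value} for every attribute line inside the proposal block."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs

def compare_phase1(initiator, responder):
    """List the reasons the responder would report a phase 1 proposal mismatch."""
    a, b = parse_phase1(initiator), parse_phase1(responder)
    problems = []
    for key in TRANSFORM_KEYS:
        if a.get(key) != b.get(key):
            problems.append(f"{key}: {a.get(key)} vs {b.get(key)}")
    pair = (a.get("authentication_method"), b.get("authentication_method"))
    if pair not in AUTH_PAIRS and pair[0] != pair[1]:
        problems.append(f"authentication_method: {pair[0]} vs {pair[1]}")
    return problems
```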

Friday, July 1, 2016

Using Aerohive Certificate Authority

You can use HiveManager to generate certificates. These certificates are used by the APs which are working as RADIUS servers. In this example I will generate a root CA and then generate a public/private key pair for the RADIUS server,

1) Generate a new CA root certificate and self-sign it,

2) Generate a certificate signing request for the RADIUS server's certificate,

3) Get the certificate signed by the root CA we generated in step 1

4) In the certificates section you can see the 4 certificates. The Defaut_CA.pem certificate must be installed on the clients --> check the blog post: How to install certificate in clients

5) Create a new RADIUS server instance and assign the certificates as below,

6) Assign this RADIUS server instance to an AP; the AP will act as the RADIUS server for the clients using the settings above.