Thursday, February 9, 2012

Aerohive at Wireless Field Day 2

DSC04144

Aerohive was first to kick off 
Wireless Field Day 2, and we were first treated to a presentation by Matthew Gast Director of Product Management and author of 802.11: Networks the Definitive Guide and 802.11n: A Survival Guide.



Aerohive at WFD2 Part 1: Devin Akin, Matthew Gast, Founders from Stephen Foskett on Vimeo.

Matthew Gast did an incredible d
eep dive into the trouble with CCMP, Galois Counter Mode, 802.11w (CMAC/signing based on AES), 802.11ac draft 2.0, constellation diagrams and multi user beam forming in 802.11ac.

In order to get the speeds defined in 802.11ac the crypto method has to change in order to make that possible. Make sure the hardware you're buying is capable of supporting GCMP.

New Technology Aerohive is coming out with was presented by Abby Hassel Strong:
New 3x3:3 AP, outdoor AP and the BR-100 and their new Cloud VPN Gateway.

HiveOS 4.0 Networkbased MDM & private key self registration. The 
5.0 GUI complete redesign to accommodate wired and wireless policies.
Pseudomanager logging, integration with Pearson's PowerSchool solution more robust implementation of TeacherView.

As part of HiveOS 4.0 there is WIPS distributed with Automatic Mitigation - where the infrastructure can send deauth packets to rogue clients, and 
Spectrum Analysis on APs and viewable from an iPad.

Paul Levasseur presented the Aerohive solution for 
Secure Guest Access with Private PSK self registration (requires multiple SSIDs).

Mobile device management can be agent based or network based.
The first step is to connect to registration SSID, open the captive web portal, login or validate with Radius. You could also use permanent PSK for corporate SSID.

We all then had a hands on demonstration of the self registration component of the Aerohive BYOD solution.



Aerohive demos at Wireless Field Day 2 from Stephen Foskett on Vimeo.

Staging your access points at Aerohive online if there's no local Hive Manager:
To find a local hive manager you can set a DNS entry for hivemanager.yourdomain.com, or a DHCP option 225 or 226 to find local Hive manager. Now Aerohive has a way to use port 80 to find a Hive Manager online if no local hive manager is found for staging the access points.
When you use the Aerohive redirector (staging@aerohive.com) can use serial numbers that are entered to redirect to your hive manager. Now you can deploy your devices to anywhere in the world and your access points will be primed and programmed to the right location over port 80 and 443. It is also possible to do automatic provision based on serial numbers, subnets or device types.

Color code meaning for Aerohive access points:
Blue light when booting/talking online 
White when it finds the hive manager
Yellow means the access point is meshing.

Out of the box, you can use the USB port to insert a cellular network connection card to initiate the connection to talk to the remote hive manager to redirect to the correct hive manager, and prime the access point for the appropriate location. The access points can use LTE as the main network connection or for backup connectivity.

The 
branch router (BR100) has integrated WiFi, 4 LAN Ethernet ports, 1 WAN Ethernet port, 1 usb port, Firewall/VPN/QoS/16 vlans/DHCP/RADIUS server/3g/4g LTE and it integrates with Websense and Barracuda via n-way proxy. The Aerohive Cloud VPN gateway is essentially virtualized HiveOS supports RIPv2 and OSPF. Routing and network decisions are made at the device itself. The Aerohive access point can operate as it's own standalone branch router, IPv6 support in the works.

They can whitelist based on user profiles or destination (Salesforce) to not send that traffic through a security profile. Guest networks can only get NATted out to the internet, and they can't VPN because it's a route based VPN and the routes won't work across the internet.

The BR100 has static routes (reverse link state routing updates) for connectivity for internet gateways. The Cloud VPN gateway can add routes to BR100s as scheduled. Convergence time is about a couple minutes when new changes are added. Timers can be tweaked, but the default is a minute. The BR100 supports 500 or 1000 tunnels on the Cloud VPN Gateway (virtual appliance on VMware ESX or ESXi).

The Aerohive hybrid xauth auto creates unique access accounts for the BR100s, and you can revoke that credential so that device can't ever re-connect to the hive/network.

I have not yet had a chance to plug in and test the BR100 or the AP350 unit that Aerohive presented to all the delegates. I'm working on setting up a home vm server, but it isn't ready yet. Expect more information to follow once I've started testing.

--------------

Full disclosure: Wireless Field Day 2 Disclaimer

Aerohive was a sponsor of Wireless Field Day 2.  As such, they were responsible for covering a portion of my travel and lodging expenses while attending Wireless Field Day 2. In addition, they presented each delegate with an Aerohive backpack, water bottle, pen and notepad set, an Aerohive BR100 evaluation unit, and an Aerohive AP 350 evaluation unit.  They did not ask for, nor where they promised any kind of consideration in the writing of this review/analysis.  The opinions and analysis provided within are my own and any errors or omissions are mine and mine alone. (disclosure verbiage snatched from 
http://networkingnerd.net/)