Configuring Aerohive access points using the CLI

Aerohive

Initial setup

  1. Reset to factory defaults

     reset config bootstrap
     reset config
    
  2. Configure interfaces

     interface mgt0 vlan [management VLAN]
     interface mgt0 native-vlan [native VLAN]
    
  3. Update firmware (example image name: AP230-10.0r8.img.S)

     save image <location> now
                # tftp://location:path/filename
                # scp://username@location:path/filename
     
     save image <url> now
                # http://domain/path/file
    
  4. Set admin password

     admin root-admin admin password [password]
    
  5. Create a hive for all access points to join.

     hive MyHive
     hive MyHive password [password]
    
  6. A few miscellaneous things

     system led brightness off
     no capwap client enable
    

The switch ports should be trunk ports passing all the VLANs you need. Make sure the native VLAN configuration on the switch matches the AP.

I recommend using a parked VLAN (such as 1) for trunk ports. But it is simpler if the native VLAN is the management VLAN. That means you can plug in the AP without first having to console in and set the management VLAN.

Create Basic Objects

Once everything is configured, run save config so it persists across reboot.

User Profiles

A user profile sets the VLAN, QoS policy, and firewall rules.

user-profile Guest vlan-id 1 attribute 1
user-profile Inside vlan-id 5 attribute 5
user-profile IOT vlan-id 10 attribute 10

User Profile Policies

User profile policies map users to user profiles based on rules. This is only necessary if you're using PPSKs.

Rules are evaluated in sequential order based on the rule number. Leave some space between the rule numbers, such as 10, 20, 30, etc., to allow for inserting rules in between other rules later.

Note: Be sure to create the user groups first. See the users section.

user-profile-policy <name> action-for-upid-change switch
user-profile-policy <name> rule <number>
user-profile-policy <name> rule <number> user-profile-attr-id <new attribute if rule matches>
user-profile-policy <name> rule <number> group-name <group>

Security Objects

Security objects control the authentication mechanism (PSK, PPSK, RADIUS, etc.) and the default user profile attribute for an SSID.

security-object Guest
security-object Guest security protocol-suite wpa2-aes-psk ascii-key [PSK]
security-object Guest security private-psk
security-object Guest default-user-profile-attr 1

security-object Inside
security-object Inside security protocol-suite wpa2-aes-psk ascii-key [PSK]
security-object Inside security private-psk
security-object Inside default-user-profile-attr 5

security-object IOT
security-object IOT security protocol-suite wpa2-aes-psk ascii-key [PSK]
security-object IOT security private-psk
security-object IOT default-user-profile-attr 10

If/when you switch to using PPSK, you'll need to add these lines to each security object:

security-object <name> security private-psk default-psk-disabled    # Only if you don't want to use the default PSK
security-object <name> user-profile-policy <user profile policy name>

SSIDs

Create the SSIDs which you will later add to interfaces. You can have tons of SSIDs but they do not become live until you assign them to interfaces.

Note: Rather than creating several SSIDs, consider using one SSID with PPSKs and user profile policies to put users in the correct VLAN based on their user group.

ssid Guest
ssid Guest security-object Guest
ssid Guest 11g-rate-set 11-basic 12 18 24 36 48 54

ssid Inside
ssid Inside security-object Inside
ssid Inside 11g-rate-set 11-basic 12 18 24 36 48 54

ssid IOT
ssid IOT security-object IOT
ssid IOT 11g-rate-set 11-basic 12 18 24 36 48 54

For PPSKs, add the groups to the SSID:

Note: This is important. If you do not associate a user group with an SSID, devices in that group will not be able to connect.

ssid <name> user-group <group>

Create Radio Profiles

These are the nitty-gritty radio behaviors. You can just use the default profiles (show radio profile lists them). These are mine, which I've tweaked a bit.

radio profile radio_ng_bandsteering1
radio profile radio_ng_bandsteering1 phymode 11ng
radio profile radio_ng_bandsteering1 frameburst
radio profile radio_ng_bandsteering1 band-steering enable
radio profile radio_ng_bandsteering1 band-steering mode prefer-5g
radio profile radio_ng_bandsteering1 band-steering prefer-5g suppression-limit 3
radio profile radio_ng_bandsteering1 weak-snr-suppress enable
radio profile radio_ng_bandsteering1 weak-snr-suppress threshold 25

radio profile radio_ac1
radio profile radio_ac1 phymode 11ac
radio profile radio_ac1 channel-width 80
radio profile radio_ac1 weak-snr-suppress enable
radio profile radio_ac1 weak-snr-suppress threshold 25

Add SSID to interfaces

The 2.4 GHz interface is wifi0, the 5.0 GHz interface is wifi1.

interface wifi0 radio profile radio_ng_bandsteering1
interface wifi0 ssid "Nacho WiFi"

interface wifi1 radio profile radio_ac1
interface wifi1 ssid "Nacho WiFi"

Configure Wireless Mesh

Changing these settings is optional. By default, the AP will use wifi1 (5 GHz radio) for access and backhaul traffic and wifi0 (2.4 GHz radio) only for access. All APs in the same hive will create mesh connections if a wired connection is not present.

One important thing to note is that the "portal" AP (the AP with a wired backhaul connection) and the "mesh" AP must be using the same channel otherwise they will not connect. By default, the channels are set automatically. You can manually set the channel to help the mesh link come up faster.

There are three modes for an interface:

  • access: only allow wireless clients
  • backhaul: do not allow clients and only use for wireless mesh
  • dual: use for both wireless clients and wireless mesh

If the 5 GHz radio isn't providing a reliable mesh connection, using the 2.4 GHz radio will usually provide better results.

Here is an example of configuring the 2.4 GHz interface for mesh connectivity.

On the portal (non-mesh) AP(s):

interface wifi0 mode dual
interface wifi0 radio channel <int>  # Optional. If set, it must be set the same as the mesh AP(s).

interface wifi1 mode access  # Optional. Set this to prevent the 5 GHz radio from being used for mesh connectivity.

On the mesh AP(s):

interface wifi0 mode dual
interface wifi0 radio channel <int>  # Optional. If set, it must be set the same as the portal AP(s).

To verify the interfaces are configured correctly, run show interfaces. Look for the Wifi0.1 and Wifi0.2 interfaces. One should be in backhaul mode, the other in access mode.

To verify mesh connectivity, run show hive <hive> neighbor. On the portal and access APs you should see the MAC of the AP(s) to which they are connected and other useful information.

The last thing to check is that the roaming cache is being updated with the MAC of clients connected to the mesh AP. Run show roaming cache | i <mesh mac> to see that the mesh AP has reported clients to other APs in the hive.

Users

Because Aerohive APs use a Trusted Platform Module for storing user information, it's best to think of user settings and other configuration as two separate files that need to be managed. Saving the running config does not save the user config. Likewise, showing the running config does not show the user config.

Create a new user group

    user-group <string>
    user-group <string> user-attribute <default attribute ID>

Create new PPSK user

user <string> password <string>
user <string> group <string>

Save user config so it persists across reboots

save config users

Note: If show users lists any user accounts as invalid, that is because a user group needs to be created.

Backup and Restore Configs

There are four different config files in HiveOS: current, backup, bootstrap, and default. The current config is what is loaded on boot. It is what is updated by default when running save config. Details on the different config files can be found here.

Backup running config

show running-config password > scp://username@location:path/filename

Backup PPSK passwords

show running-config users password > scp://username@location:path/filename

Restore running config

save config scp://username@location:path/filename current

Restore PPSK passwords

save users updating-config scp://username@location:path/filename
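The user config lives apart from the running config (see the Users section above), and the backup of it produced by show running-config users password is just lines of user-group, user, user ... password and user ... group. As an added example (not part of the original gist), here is a small Python reconciler that parses that output, flags users whose group does not exist (the "invalid" case from show users), and emits the HiveOS commands from this page needed to reach a desired set of PPSK users, creating groups before the users that need them. The sample output is constructed, and the no user <name> removal form is an assumption based on HiveOS's no prefix convention, not a command taken from the page.

```python
# Constructed sample in the shape HiveOS prints for
# 'show running-config users password' (not captured from a real AP).
SAMPLE_RUNNING = """\
user-group ppsk_inside
user-group ppsk_iot
user alice
user alice password s3cret-alice
user alice group ppsk_inside
user camera1
user camera1 password cam-pass
user camera1 group ppsk_guest
"""


def parse_users(text):
    """Return (groups, users); users maps name -> {'password', 'group'}."""
    groups, users = set(), {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "user-group":
            groups.add(parts[1])
        elif len(parts) >= 2 and parts[0] == "user":
            entry = users.setdefault(parts[1], {"password": None, "group": None})
            if len(parts) >= 4 and parts[2] in ("password", "group"):
                entry[parts[2]] = parts[3]
    return groups, users


def invalid_users(groups, users):
    """Users whose group is missing; these show as invalid in 'show users'."""
    return sorted(name for name, u in users.items() if u["group"] not in groups)


def reconcile(running_text, desired):
    """desired: {name: (password, group)}. Returns the CLI lines to apply."""
    groups, users = parse_users(running_text)
    cmds = []
    # Groups must exist before users reference them, so create them first.
    for grp in sorted({g for _, g in desired.values()} - groups):
        cmds.append(f"user-group {grp}")
    for name, (pw, grp) in sorted(desired.items()):
        cur = users.get(name)
        if cur is None or cur["password"] != pw:
            cmds.append(f"user {name} password {pw}")
        if cur is None or cur["group"] != grp:
            cmds.append(f"user {name} group {grp}")
    # Assumed removal form ('no' prefix); verify on your HiveOS version.
    for name in sorted(set(users) - set(desired)):
        cmds.append(f"no user {name}")
    if cmds:
        cmds.append("save config users")  # user config is saved separately
    return cmds
```

Both the export and the generated command list contain the PSKs in clear, so store them with the same care as the running-config password backup.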

Easy Login to APs

Since HiveOS doesn't support SSH keys, I wrote a TCL script that pulls the password from the macOS system keychain to ease logging in.

Open Keychain Access and create a new password object. The "Account" field is what you'll use to look it up.

To run the command: networklogin.tcl [username] [FQDN or IP] [account name].

I went a step further and created Profiles in iTerm2 for each AP to make it even easier to jump into the AP.

#!/usr/bin/expect
# Automatically log in using the password stored in the macOS system keychain
# Usage: networklogin.tcl [username] [FQDN or IP] [keychain account name]

set timeout 20
set prompt {[Pp]assword:}
set account [lindex $argv 0]
set host [lindex $argv 1]
set keychain_account [lindex $argv 2]
set host_string "$account@$host"

# Validate the arguments before touching the keychain; with an empty account
# name the 'security' lookup would fail and abort the script
if { $account == "" || $host == "" || $keychain_account == "" } {
    puts "Please enter a host, account, and keychain account"
    exit 1
}

# Look the password up by the keychain item's Account field; -w prints only the password
set password [exec /usr/bin/security find-generic-password -a $keychain_account -w]

spawn -noecho ssh -A $host_string

expect {
    # Accept the SSH host key on first connection
    "yes/no" {
        send "yes\r"
        exp_continue
    }

    # Wait for the login prompt, then send the password
    -re $prompt {
        send "$password\r"
    }
}

interact

Fine Tuning

It may be necessary to turn down interface power and/or remove slower data rates to encourage clients to roam faster and prevent APs from interfering with each other.

This article has excellent details on troubleshooting RF issues.

To get an overall idea of interface health:

show interface wifi0
show interface wifi1

The Summary should be "Good" or "Fair". Anything other than that indicates a problem.

Disabling Lower Data Rates

Telling the AP not to advertise slower data rates can help clients roam to a different AP rather than hanging on to an AP at a slow data rate. The advertised rates are set per SSID per mode. Here is how to disable rates below 11 Mbps for 802.11g:

ssid <your SSID> 11g-rate-set 11-basic 12 18 24 36 48 54

It's possible to do this for 802.11ac as well, but there are many rate sets that have to be specified using the proper MCS value. The issue is usually with 2.4 GHz data rates, not the 5 GHz rates, so don't worry about adjusting the 5 GHz rates unless you really need to.

Reducing Interface Power

In that output, EIRP (Effective Isotropic Radiated Power) shows the current transmit power.

You can also run show acsp (Aerohive Channel Selection Protocol) to show the current transmit power. The default setting is auto, which selects a value between 1 and 20.

Ideally, APs will see a signal strength of -75 dBm or lower from their neighbors. Anything stronger than that means potential interference (which can also come from other APs).

show acsp neighbor | include <your SSID>

Once you determine which interface (wifi0 is 2.4 GHz, wifi1 is 5 GHz) on which AP to adjust, dial it down 2 dBm from its current value:

interface wifi0 radio power 10

You need to wait a while for the ACSP scan to run again (the default interval is 10 minutes) before the signal strength measurements update. You may wish to reset the interface counters and wait about an hour before rechecking the packet loss rates.

clear interface wifi0 counter

Useful Ops Commands

Show who is connected to an AP:

show auth

Show devices on an AP:

show station
show station | include <regexp>
show station <mac>

Show devices on an AP with MAC, user name, hostname, and IP:

_show rt-sta

Show devices on an AP in JSON:

show _client detail info

Kick a device off an AP to force roam/reauth:

clear auth station mac <mac>
clear auth username <user>

Secret command to enable debug logging:

_debug <options>

Show logs:

show log buffered
show log buffered tail <number>
show log buffered | include <regexp>

Show neighboring SSIDs and their signal strength:

show acsp neighbor

Show details on each channel:

show acsp channel-info detail

Show interface details:

show interface <interface>

Show interface counters:

show interface <interface> _count

Reset interface counters for troubleshooting:

clear forwarding-engine counters interface <interface>

Test the trunk port to an AP to make sure the VLANs are working and there is DHCP on each VLAN:

interface mgt0 dhcp-probe vlan-range <VLANs>

Shut down a wireless interface. A virtual interface, wifi0.x, is created for each SSID:

interface wifi0.1 shutdown

# An alternative command to do the same thing

interface wifi0 ssid <SSID> shutdown
zlinuxboy commented Feb 21, 2022

Thank you for the detailed explanation.
Have you tried to create an authentication server for local PPSK? I found it too trivial to CRUD a user if many APs are deployed on site with the CLI.

zlinuxboy commented Feb 21, 2022

There is another question.
The result of show running-config users password didn't contain the full config of the user-group.
Here is mine:

user-group ppsk_hkxd_wifi
user zlinuxboy
user zlinuxboy password <strip out manually>
user zlinuxboy group ppsk_hkxd_wifi

Actually, the correct config should be:

user-group ppsk_hkxd_wifi
user-group ppsk_hkxd_wifi password-generation-method manual
user-group ppsk_hkxd_wifi cache-mode mandatory
user-group ppsk_hkxd_wifi psk-format character-pattern digits
user-group ppsk_hkxd_wifi psk-format character-pattern letters
user-group ppsk_hkxd_wifi psk-format character-pattern special-characters
user-group ppsk_hkxd_wifi psk-format combo-pattern or
user-group ppsk_hkxd_wifi psk-generation-method password-only
user-group ppsk_hkxd_wifi reauth-interval 1800
no user-group ppsk_hkxd_wifi voice-device

Any idea how to export the full config of a user group?

samdoran (Author) commented Feb 21, 2022

Have you tried to create an authentication server for local PPSK? I found it too trivial to CRUD a user if many APs are deployed on site with the CLI.

Managing many APs is what ExtremeCloud IQ does well. Managing PPSKs from the CLI is tedious, but I'm using these for my home so it's doable. One of these days I will get around to finishing up Ansible modules for HiveOS and that will make managing APs without ExtremeCloud IQ much easier.

The result of show running-config users password didn't contain the full config of the user-group.

I'm not 100% sure, but it seems like default settings are omitted from the output of show running-config users password.

For example, user-groups [GROUP] password-generation-method manual is the default, so it doesn't show in the running config.

If you set the method to auto, it will show in the config since it is different from the default.

zlinuxboy commented Feb 22, 2022

Yes, I saw your Ansible module yesterday. Hmm, I was trying to write my own script with scrapli/netmiko last month, but as a newbie in Python, it's a long job to finish.

I have some problems with Aerohive's RRM; ACSP didn't work properly. I have been crawling the KB/community of Extreme Networks and didn't find a solution, so for the moment I have to adjust the radio power manually. Have you ever encountered RRM problems?

samdoran (Author) commented Mar 11, 2022

I have adjusted radio power in my environment to reduce interference, but overall ACSP works properly in my experience. The information in the Fine Tuning section is what I came up with after reading all the information I could find about ACSP. This is everything I've collected related to Aerohive over the years.

hall757 commented May 2, 2022

This is some good info and a nice presentation of that info.
I didn't accept that the APs would not use SSH keys. It's not the easiest procedure, but it sure is nice knowing you have root on the devices you own.
My detailed notes: https://github.com/hall757/aerohacking
Once the firmware is "fixed", you can drop an authorized_keys file not only in admin's directory, but also in root's.

samdoran (Author) commented May 3, 2022

Wow, that's some really great work! I love HiveOS and am going to be sad when the day comes that the AP230 is no longer viable. No one else offers PPSK and I use the heck out of those with user profiles for putting devices on different VLANs from a single SSID.

NHAS commented May 21, 2022

I've done some work on reverse engineering and writing my own software for the AP230 and other devices. It's super similar to the work that hall757 did, which is kind of neat!

https://research.aurainfosec.io/hacking-the-hive/

samdoran (Author) commented May 23, 2022

Wow, that's really cool!

anubis640 commented Jul 15, 2022

Do you know how to enable a wireless interface again after shutting it down? I don't see an option for that when using '?' on the command. Thanks!

samdoran (Author) commented Jul 15, 2022

@anubis640 Just put no in front of the shutdown command: no int wifi1.1 shut.

scerazy commented Oct 6, 2022

One of these days I will get around to finishing up Ansible modules for HiveOS and that will make managing APs without ExtremeCloud IQ much easier

That would be extremely nice (as the free Connect does not allow PPSK at all)

samdoran (Author) commented Oct 6, 2022

Yeah, that's one of the reasons I just manage the APs manually, and why I'm an avid AeroHive user: I use PPSKs a lot.

Odenorde commented Nov 30, 2022

Thank you, this helped me a lot configuring my AP-130!

I have tried some things out, added SSIDs, etc...

Now I'm wondering how I can cleanup the virtual interfaces?

I can remove the assignment of an SSID to a virtual interface with the following command:
no interface Wifi1.1 SSID siddname

I can remove SSIDs with:
no SSID siddname

When I look at my interfaces I see that the virtual interfaces still exist:
[screenshot of the interface list]

Do you know how to remove the virtual interface? I have tried the following command:
#no interface Wifi1.1
ERROR: Incomplete command

samdoran (Author) commented Nov 30, 2022

Removing the SSID from the interface should also remove the virtual interface. It's odd that the interface in your screenshot doesn't seem to have an SSID but the virtual interface still exists.

I just tested quite a bit and I was always able to remove the interface just by removing the SSID. Seems like you might be hitting a bug of some sort. Maybe a reboot is in order.

It shouldn't make a big difference, but generally you specify the interface, not the virtual interface, when adding/removing an SSID.

no int wifi1 ssid <string>

hall757 commented Nov 30, 2022

Odenorde commented Dec 1, 2022

OK, I did seem to have an older firmware (10.3r4).

I re-enabled the connection to the cloud service for upgrading the device with the capwap command:
capwap client enable

I now have the latest supported firmware for my device (the cloud service suggested 10.5r2).

It seems the cloud service pushed the original settings back to the device; my settings were overridden with my old settings.
My problem with removing the entry interface Wifi1.1 isn't an issue anymore (I've now overridden the interface instead of creating a new interface).

Anyhow, I've managed to use the AP with two SSIDs, one on 2.4 GHz for my IoT devices and one for our home network, thanks to your guide!
