User's Manual

Deployment Guide 179
Step 5 Configure RADIUS server attributes
1. Log in to the RADIUS server and define the three HiveAPs as RADIUS clients.
2. Configure the following attributes for the realm to which the wireless user accounts in network-1, -2, and -3 belong:
   Tunnel Type = GRE (value = 10)
   Tunnel Medium Type = IP (value = 1)
   Tunnel Private Group ID = 2
The RADIUS server returns the above attributes for all wireless users it authenticates from network-1, -2, and -3.
The HiveAP uses the combination of returned RADIUS attributes to assign users to user group 2 ("employee-net").
It does not use them to create a GRE tunnel, as the tunnel type attribute might lead you to think.
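To confirm that the RADIUS server really returns this combination, you can decode the attribute bytes of a captured Access-Accept. The following is an added example, not part of the original manual or of HiveOS: the function names and the sample bytes are constructed for illustration, the encoding follows RFC 2868, and requiring all three attributes before reporting a group is an assumption about what a check should enforce.

```python
# RADIUS attribute type codes from RFC 2868
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
GRE, IP = 10, 1  # values configured in step 2 above

# Constructed sample: attribute bytes of an Access-Accept carrying
# Tunnel-Type=10, Tunnel-Medium-Type=1, Tunnel-Private-Group-ID="2".
SAMPLE = bytes.fromhex("40 06 00 00 00 0a 41 06 00 00 00 01 51 03 32")

def parse_tunnel_attrs(data):
    """Walk the type-length-value attributes and decode the three tunnel ones."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 3 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        body = data[i + 2:i + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if alen != 6:
                raise ValueError("Tunnel-Type/Medium-Type must be 6 bytes")
            # body is a 1-byte tag followed by a 3-byte big-endian value
            attrs[atype] = int.from_bytes(body[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # A first byte of 0x1F or less is a tag, not part of the string.
            if body[0] <= 0x1F:
                body = body[1:]
            attrs[atype] = body.decode("ascii")
        i += alen  # attributes of other types are skipped
    return attrs

def assigned_user_group(attrs):
    """Return the group ID only when all three attributes are as configured."""
    gid = attrs.get(TUNNEL_PRIVATE_GROUP_ID, "")
    if (attrs.get(TUNNEL_TYPE) == GRE and attrs.get(TUNNEL_MEDIUM_TYPE) == IP
            and gid.isdigit()):
        return int(gid)
    return None

if __name__ == "__main__":
    print(assigned_user_group(parse_tunnel_attrs(SAMPLE)))
```

A result of None means the reply is missing one of the three attributes or carries a different value, so the expected user group would not be derived from it.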
When there is more traffic than available bandwidth, the HiveAP applies the "voice" policy. It performs strict
forwarding for voice and uses a WRR (weighted round robin) scheduling discipline for directing streaming media and
data traffic to queues to await forwarding. The QoS configuration is complete.
EXAMPLE 5: LOADING A BOOTSTRAP CONFIGURATION
As explained in "HiveOS Configuration File Types" on page 157, a bootstrap config file is typically a small set of
commands to which a HiveAP can revert when the configuration is reset or if the HiveAP cannot load its current and
backup configs. If you do not define and load a bootstrap config, the HiveAP reverts to the default config in these
situations, which can lead to two potential problems:
• If both the current and backup configs fail to load on a HiveAP acting as a mesh point in a hard-to-reach location—such as a ceiling crawlspace—the HiveAP would revert to the default config. Because a mesh point needs to join a hive before it can access the network and the default config does not contain the hive settings that the mesh point needs to join the hive, an administrator would need to crawl to the device to make a console connection to reconfigure the HiveAP.
• If the location of a HiveAP is publicly accessible, someone could press the reset button on the front panel of the device to return the configuration to its default settings, log in using the default login name and password (admin, aerohive), and thereby gain complete admin access. (Note that you can disable the ability of the reset button to reset the configuration by entering this command: no reset-button reset-config-enable)
A bootstrap configuration can help in both of these situations. For the first case, a bootstrap config with the
necessary hive membership settings can allow the HiveAP to connect to the network and thereby become accessible
over the network for further configuring. For the second case, a bootstrap config with a number of obstacles such as
a hard-to-guess login name and password and a disabled access subinterface can make the firmware inaccessible
and the device unusable.
HiveAP-1 and -2 are in locations that are not completely secure. HiveAP-3 is a mesh point in a fairly inaccessible
location. To counter theft of the first two HiveAPs and to avoid the nuisance of physically accessing the third HiveAP,
you define a bootstrap config file that addresses both concerns and load it on the HiveAPs.