This guide describes how to set up and test your Aerohive environment so you can use it with the Cloud4Wi Passpoint service.
Log in to the ExtremeCloud IQ Dashboard
To start the configuration process, log in to the ExtremeCloud IQ Dashboard as admin. For existing environments with additional users, log in as a user with administrative privileges.
The ExtremeCloud IQ Dashboard appears. Your access points are displayed.
Note: There are a number of options you can set. Only the options that require your input are shown. Default values are used for options that don’t need adjustment.
Configure the wireless LAN
To configure the wireless LAN, you create a network policy (profile), an SSID, and RADIUS servers.
Create a network policy
- Click Configure in the menu bar on the left of the Dashboard.
- Select Network Policies.
The Network Policy page appears.
- Click Add Network Policy.
The Network Policies New Policy page appears. The Policy Details tab is open.
- Under What type of policy are you creating?, leave the box checked next to Wireless. Uncheck the boxes next to Switches and Routing.
- Enter a Policy Name, such as “Cloud4Wi_network_policy”.
- Click Save on the bottom right.
The Wireless Networks page appears.
Create an SSID
- Click Configure in the menu bar on the left of the dashboard.
- Select Network Policies under Configure.
- Select Wireless Networks at the top.
- Click + to create an SSID.
- Select All other Networks (standard).
A page appears where you’ll define the SSID and authentication settings.
- Enter an SSID Name for internal purposes, such as “Cloud4Wi_Secure_WiFi”, and a Broadcast Name that your clients will see. The names can be the same.
- For SSID Usage, select Enterprise. (The default is Private Pre-Shared Key.)
- In the Key Management field, select WPA2-802.1X, and for Encryption Method choose CCMP (AES).
Add RADIUS authentication servers to the network policy
It’s important to set up a secure RADIUS connection between the wireless LAN controller and Cloud4Wi.
To add RADIUS authentication servers to your network policy, you create a server group and then add servers to the group.
- Still on the Wireless Networks page, scroll down to Authentication Settings.
- Under Authenticate via RADIUS Server, click + to add a RADIUS server group.
The Configure RADIUS Servers dialog box appears.
- Enter a RADIUS Server Group Name, such as “Cloud4Wi_radius_group”.
- Click Settings to the right of the server group description.
The Select RADIUS Settings dialog box appears.
- Change the Accounting interim update interval to 300 (seconds).
- Click Save RADIUS Settings on the bottom right.
You return to the Configure RADIUS Servers dialog box.
- Click + under External RADIUS Server to add a RADIUS server to the server group.
The dialog box expands to display a New External RADIUS Server section.
- Enter the Name, such as “Primary_radius”.
- Click + next to IP/Host Name.
- Select IP Address.
The New IP Address or Host Name dialog box appears.
- Enter the object Name, such as “Primary”.
- Enter the Primary RADIUS IP Address (52.48.102.108) in IP Address.
- Click Save IP Object on the bottom right.
You return to the New External RADIUS Server section. You see the name of the object you created in the IP/Host Name field.
- Enter the Shared Secret communicated by the Cloud4Wi team during delivery of your Cloud4Wi account.
- Click Save External RADIUS on the bottom right.
You return to the Configure RADIUS Servers page where you see the server you added (Primary_radius).
- Check the box next to the server you added. This indicates you want to add it to the server group.
- Click Save RADIUS on the bottom right to save your RADIUS configuration.
You return to the Authenticate via RADIUS Server section of the Wireless Networks page. You see the RADIUS server group and server you created.
- Repeat steps 7-17 to add the secondary RADIUS server for high availability. The secondary RADIUS IP address is 34.252.97.217.
- Click Save on the bottom right to save your network policy configuration.
You return to the Wireless Networks page where you see the SSID you created.
Assign the SSID to the network policy
- Still on the Wireless Networks page, select the SSID by clicking the checkbox next to the SSID (Cloud4Wi_Secure_WiFi).
- Click Next on the bottom right. Clicking Next assigns the selected SSID to the network policy.
The network policy configuration is complete.
Configure Hotspot 2.0
Hotspot 2.0 allows mobile devices to join a WiFi network automatically via Passpoint when the devices enter the Hotspot 2.0 area.
You’ll use the supplemental CLI option to configure Hotspot 2.0. When you enable supplemental CLI, you enter the commands into the GUI. For that reason, we recommend composing the commands in a text file beforehand so you have them ready when enabling the supplemental CLI.
Compose your CLI
Create a text file with the commands that link your network policy to Hotspot 2.0.
- Create a hotspot profile with the profile name “Cloud4Wi-profile”, an ANQP domain ID, and a network type.
The anqp-domain-id default is 0, which means that the ANQP information is unique to this access point. A network type of 1 indicates a private network.
hotspot profile Cloud4Wi-profile
hotspot profile Cloud4Wi-profile anqp-domain-id 0
hotspot profile Cloud4Wi-profile network-type 1 access-internet
- Configure the operator name “Cloud4Wi-Operator” and the language (English).
hotspot profile Cloud4Wi-profile operator-name Cloud4Wi-Operator language-code eng
- Configure the hotspot to support IPv4 with a single NAT private IPv4 address by configuring ip-type ipv4 3. The ipv6 0 setting indicates that IPv6 is not available.
hotspot profile Cloud4Wi-profile ip-type ipv4 3 ipv6 0
- Configure the domain name as set in your Cloud4Wi Passpoint configuration page, for example: “<companyname>.securewifi.io” (read more here on how to find this value)
hotspot profile Cloud4Wi-profile domain-name companyname.securewifi.io
- Create the NAI-realm “Cloud4Wi-Realm” by specifying these parameters:
Encoding type: “0” (the default)
EAP method: “21” for EAP-TTLS
Inner authentication: “4” for MS-CHAPv2
hotspot profile Cloud4Wi-profile nai-realm Cloud4Wi-Realm encoding-type 0
hotspot profile Cloud4Wi-profile nai-realm Cloud4Wi-Realm eap-method 21 inner-auth 4
- Configure the Cloud4Wi SSID to use WPA2-AES 802.1X authentication.
security-object Cloud4Wi security protocol-suite wpa2-aes-8021x
- Apply the Cloud4Wi-profile hotspot profile to the Cloud4Wi SSID.
ssid Cloud4Wi_Secure_WiFi hotspot-profile Cloud4Wi-profile
- Save the configuration.
save configuration
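A pre-paste check for the command file composed above, as an added example (not Cloud4Wi or ExtremeCloud IQ code): it confirms that the draft creates the profile before using it, binds it to the SSID name entered in the GUI, keeps the 802.1X suite and the EAP-TTLS/MS-CHAPv2 realm, and no longer carries the example domain. The function name lint_hotspot_cli and the sample draft are constructed for illustration.

```python
import re

PLACEHOLDER_DOMAIN = "companyname.securewifi.io"  # the guide's example value
REQUIRED = ("domain-name", "nai-realm eap-method", "security-object", "ssid binding")

def lint_hotspot_cli(text, ssid_name):
    """Return a list of problems in a supplemental CLI draft (empty list = clean)."""
    lines = [" ".join(ln.split()) for ln in text.splitlines() if ln.strip()]
    problems, profiles, seen = [], set(), set()
    for n, ln in enumerate(lines, 1):
        if m := re.fullmatch(r"hotspot profile (\S+)(?: (.+))?", ln):
            name, rest = m.group(1), m.group(2)
            if rest is None:
                profiles.add(name)  # the bare form creates the profile
            elif name not in profiles:
                problems.append(f"line {n}: profile {name} used before it is created")
            elif rest.startswith("domain-name "):
                seen.add("domain-name")
                if rest.split()[1] == PLACEHOLDER_DOMAIN:
                    problems.append(f"line {n}: domain-name is still the example value")
            elif re.match(r"nai-realm \S+ eap-method ", rest):
                seen.add("nai-realm eap-method")
                if not rest.endswith("eap-method 21 inner-auth 4"):
                    problems.append(f"line {n}: realm is not EAP-TTLS (21) with MS-CHAPv2 (4)")
        elif m := re.fullmatch(r"security-object (\S+) security protocol-suite (\S+)", ln):
            seen.add("security-object")
            if m.group(2) != "wpa2-aes-8021x":
                problems.append(f"line {n}: protocol suite {m.group(2)} is not wpa2-aes-8021x")
        elif m := re.fullmatch(r"ssid (\S+) hotspot-profile (\S+)", ln):
            seen.add("ssid binding")
            if m.group(1) != ssid_name:
                problems.append(f"line {n}: SSID {m.group(1)} does not match {ssid_name}")
            if m.group(2) not in profiles:
                problems.append(f"line {n}: hotspot profile {m.group(2)} is not defined")
    problems += [f"missing: {item}" for item in REQUIRED if item not in seen]
    if not lines or lines[-1] != "save configuration":
        problems.append("last command is not 'save configuration'")
    return problems

# Constructed draft with two deliberate mistakes: truncated SSID name, example domain.
DRAFT = """\
hotspot profile Cloud4Wi-profile
hotspot profile Cloud4Wi-profile domain-name companyname.securewifi.io
hotspot profile Cloud4Wi-profile nai-realm Cloud4Wi-Realm eap-method 21 inner-auth 4
security-object Cloud4Wi security protocol-suite wpa2-aes-8021x
ssid Cloud4Wi_Secure_WiF hotspot-profile Cloud4Wi-profile
save configuration
"""

if __name__ == "__main__":
    for problem in lint_hotspot_cli(DRAFT, "Cloud4Wi_Secure_WiFi"):
        print(problem)
```

A mismatched SSID name or an undefined profile means the hotspot profile never attaches to the secured SSID, so catching it before the complete configuration update saves an access point reboot cycle.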
Enable the supplemental CLI
- Select Global Settings on the top right of the Dashboard under your user icon.
- On the left side of the Dashboard, click VIQ Management under Administration.
The VIQ Management page appears.
- Verify that Supplemental CLI is ON. If not, enable it.
Add the Hotspot 2.0 configuration to the network policy
- Click Configure in the menu bar on the left of the Dashboard.
- Select Network Policies.
The Network Policy page appears.
You see the network policy you created, “Cloud4Wi_network_policy”.
- Click the name of the SSID you created, “Cloud4Wi_Secure_WiFi”.
The Wireless Network page appears.
- Click Additional Settings in the top menu bar.
The DNS Server page appears.
- Under Policy Settings in the menu bar on the left, click Supplemental CLI.
The Supplemental CLI page appears.
- Verify that Supplemental CLI is ON. If not, enable it.
- Enter a Name, such as “Hotspot”.
- Paste the CLI commands in your text file into the CLI Commands box.
- Click Save on the bottom right.
A message appears on the top left indicating that the supplemental CLI was saved.
- Click Next.
The Apply the network policy to selected devices page appears.
- Click Eligible to display your access points.
- Select your access points by checking the box next to them in the Status column.
- Click Upload on the bottom right.
The Device Update dialog box appears.
- Under Update Network Policy and Configuration, select Complete Configuration Update. (Delta Configuration Update is the default; you want a complete update.)
- Click Perform Update on the bottom right of the dialog box to save your configuration.
The access points are rebooted (this can take a few minutes). You see a message on the upper left indicating that the devices are successfully deployed.