Proper DHCP setup for Aerohive APs

  • 1
  • Question
  • Updated 2 years ago
  • Answered
  • (Edited)
For my Guest VLAN, I have my HiveAPs acting as the DHCP server. I'm wondering about traffic: do I need to put the DHCP server on every AP for it to work correctly? I have 35 in this building.

Robert Haviland

Posted 5 years ago


Antonio Medina

You will need to make sure that all of the other APs can see the VLAN you assigned to the DHCP server when you created it. For example, if you assigned the scope the VLAN ID of 250, then you need to allow that VLAN on the switch ports of all of the APs on the network. You can verify this by going to Tools, then selecting the VLAN probe tool and probing the VLAN from each AP.

Robert Haviland

Thanks. I've got all that covered. It's working great and I get DHCP services everywhere in the building. I was more wondering do I need a DHCP server on every AP. I was told once that I would so I did. I'm just hoping to have it on one AP and for it to handle all DHCP traffic in the building.

Antonio Medina

You don't need every AP as a DHCP server just one.

Robert Haviland

Thanks. I'm now removing all but one in a smaller building. Will that also cut down on traffic?

Robert Haviland

I should have said also, that I would move to the other buildings after testing here in the smaller building!

Robert Haviland

I went to a school and tried taking all DHCP servers out except for one AP. Epic fail unless you were near the AP with DHCP. As you moved away, you lost your IP address. I may be missing a setting.

Crowdie, Champ

For each DHCP scope you can have up to two DHCP server APs - one primary and one secondary - with all other APs configured as DHCP relays.

I found that with BYOD devices chopping the DHCP scope into two and placing each half onto one DHCP server AP configured as an authoritative DHCP server worked best. The remaining APs are configured as DHCP relays with the two previously mentioned DHCP server APs configured in the "Primary DHCP Server" and "Secondary DHCP Server" fields.

Robert Haviland

Sounds great. I'll work on that today. Just to be clear, I'll need to uncheck "Set the DHCP Server as Authoritative" on the secondary DHCP server? What about the mgt0 interface? If I was using mgt0.4, do I use that number on both DHCP servers and the Relay?

And do both DHCP servers need static IP addresses under MGT0 Interface Settings?

Crowdie, Champ

The "Set the DHCP server as authoritative" option should be enabled for both the primary and secondary DHCP server definitions.

So let's say you want to use the scope 192.168.100.0/24 across two APs acting as DHCP servers. For the primary DHCP Server definition you would use:

* Interface - mgt0.4 (taken from your question)
* Enable a DHCP server on this interface
* Set the DHCP server as authoritative
* Use ARP to check for IP address conflicts
* Start IP Address - 192.168.100.10 (I always leave a few IP addresses spare)
* End IP Address - 192.168.100.132

For the secondary DHCP Server definition:

* Interface - mgt0.4 (taken from your question)
* Enable a DHCP server on this interface
* Set the DHCP server as authoritative
* Use ARP to check for IP address conflicts
* Start IP Address - 192.168.100.133
* End IP Address - 192.168.100.244 (I always leave a few IP addresses spare)

For the DHCP Relay definition:

* Interface - mgt0.4 (taken from your question)
* Enable a DHCP relay agent on this interface
* Primary DHCP Server - IP address of the AP acting as the primary DHCP server
* Secondary DHCP Server - IP address of the AP acting as the secondary DHCP server

You will notice that the IP ranges allocated to each DHCP Server have no overlap. With authoritative DHCP servers this is a requirement.

Any access point that acts as a server (whether RADIUS or DHCP) must have a static IP address assigned to its MGT0 interface.
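As an added illustration of the split-scope layout in this reply (example code written for this page, not Aerohive or HiveManager code), the Python below models the primary and secondary server definitions and the relay definition, then checks the points the thread turns out to depend on: one common mgt0.x sub-interface across all three definitions, non-overlapping pools inside the scope, authoritative servers with the ARP conflict check on, static MGT0 addresses on the server APs, and relays that point at those addresses. The MGT0 addresses are sample values (10.189.216.95 appears elsewhere in this thread; 10.189.216.96 is made up), and the same checks apply to a single-server setup with relays.

```python
"""Consistency checks for a DHCP scope split across two Aerohive APs.

Added example, not Aerohive/HiveManager code: a model of the primary +
secondary server plus relay design, with the checks the thread relies on.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass
class DhcpServerDef:
    name: str
    interface: str                          # mgt0.N sub-interface the server is bound to
    start: IPv4Address                      # first address of this server's pool
    end: IPv4Address                        # last address of this server's pool
    authoritative: bool                     # "Set the DHCP server as authoritative"
    arp_check: bool                         # "Use ARP to check for IP address conflicts"
    mgt0_static_ip: Optional[IPv4Address]   # None means the AP itself uses DHCP


@dataclass
class DhcpRelayDef:
    name: str
    interface: str
    primary: IPv4Address                    # MGT0 address of the primary server AP
    secondary: Optional[IPv4Address] = None # MGT0 address of the secondary server AP


def pool_size(server: DhcpServerDef) -> int:
    """Number of addresses a server definition can lease out."""
    return int(server.end) - int(server.start) + 1


def validate(scope: IPv4Network, servers: List[DhcpServerDef],
             relays: List[DhcpRelayDef]) -> List[str]:
    """Return a list of problems; an empty list means the design is consistent."""
    problems: List[str] = []
    if not servers:
        return ["no DHCP server definition at all"]
    if len(servers) > 2:
        problems.append("a scope can have at most two server APs (primary and secondary)")

    # Server and relay definitions must all share one MGT sub-interface.
    interfaces = sorted({d.interface for d in servers} | {r.interface for r in relays})
    if len(interfaces) > 1:
        problems.append(f"definitions use different sub-interfaces: {interfaces}")

    server_ips = set()
    for s in servers:
        if s.start > s.end:
            problems.append(f"{s.name}: start address is after end address")
        if s.start not in scope or s.end not in scope:
            problems.append(f"{s.name}: pool is not inside {scope}")
        if not s.authoritative:
            problems.append(f"{s.name}: should be authoritative")
        if not s.arp_check:
            problems.append(f"{s.name}: ARP conflict check is off")
        if s.mgt0_static_ip is None:
            problems.append(f"{s.name}: server AP needs a static MGT0 address")
        else:
            server_ips.add(s.mgt0_static_ip)

    # Authoritative servers must not hand out the same addresses.
    for i, a in enumerate(servers):
        for b in servers[i + 1:]:
            if a.start <= b.end and b.start <= a.end:
                problems.append(f"{a.name} and {b.name}: pools overlap")

    # Relays must point at the static MGT0 address of a defined server AP.
    for r in relays:
        for label, ip in (("primary", r.primary), ("secondary", r.secondary)):
            if ip is not None and ip not in server_ips:
                problems.append(f"{r.name}: {label} server {ip} is not a server AP's static MGT0 address")
    return problems


SCOPE = IPv4Network("192.168.100.0/24")
PRIMARY_AP = IPv4Address("10.189.216.95")    # sample management address (seen in this thread)
SECONDARY_AP = IPv4Address("10.189.216.96")  # constructed for the example


def split_scope_design() -> Tuple[IPv4Network, List[DhcpServerDef], List[DhcpRelayDef]]:
    """The layout from the post: two authoritative halves plus a relay."""
    servers = [
        DhcpServerDef("Primary", "mgt0.4", IPv4Address("192.168.100.10"),
                      IPv4Address("192.168.100.132"), True, True, PRIMARY_AP),
        DhcpServerDef("Secondary", "mgt0.4", IPv4Address("192.168.100.133"),
                      IPv4Address("192.168.100.244"), True, True, SECONDARY_AP),
    ]
    relays = [DhcpRelayDef("Relay", "mgt0.4", PRIMARY_AP, SECONDARY_AP)]
    return SCOPE, servers, relays


def mismatched_interface_design():
    """Three different sub-interfaces (mgt0.4, mgt0.5, mgt0.6): relays never reach the servers."""
    scope, servers, relays = split_scope_design()
    servers[1].interface = "mgt0.5"
    relays[0].interface = "mgt0.6"
    return scope, servers, relays


def overlapping_pool_design():
    """Both servers leasing from the same range, which authoritative servers must not do."""
    scope, servers, relays = split_scope_design()
    servers[1].start = IPv4Address("192.168.100.10")
    return scope, servers, relays


if __name__ == "__main__":
    for builder in (split_scope_design, mismatched_interface_design, overlapping_pool_design):
        scope, servers, relays = builder()
        print(builder.__name__, validate(scope, servers, relays) or "OK",
              [pool_size(s) for s in servers])
```

Running it prints an empty problem list for the layout above (pools of 123 and 112 addresses) and flags the mismatched sub-interface case and the overlapping-pool case; the first of those is the misconfiguration reported further down in this thread.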

Robert Haviland

I thought my only mistake was the Interface. I was using different mgt0.x on the two DHCP servers and the Relay (mgt0.4, mgt0.5, mgt0.6). I changed all three to mgt0.4.

Does the IP address of the AP acting as DHCP server need to be the address of the WLAN (192.168.100.x) or the static IP address assigned to its MGT0 interface, in my case 10.189.216.95?

Crowdie, Champ

The IP address of the AP, as used in the DHCP Relay definition, is the static IP address assigned to the AP's MGT0 interface.

Duane Hensley

What were the steps used to setup DHCP for the guests only?

Robert Haviland

I actually abandoned this method. I got to thinking about BYOD and how many devices I may have on the network. So I'm using my DHCP to handle the VLAN'd DHCP requests.

My main problem in the original question: lack of enough routing switches.

Larry

Would there be an advantage to using the Aerohive AP's as a DHCP server rather than just having a DHCP server handing out IPs?

Robert Haviland

No. The issue is that the AP can only handle 512 (give or take) addresses. Not very future proof. It turned out to be MUCH easier to issue DHCP from my server. Once the VLANs were in place and had the proper Layer 3 switch handling the "ip helper-address" command, it was a snap.

Crowdie, Champ

The Aerohive integrated DHCP server functionality is really useful for guest access. Rather than expose your corporate DHCP server(s), which may be domain controllers, to an unknown wireless device, use the integrated DHCP server with the DNS settings configured for an external service, such as Google DNS. Creating a Guest traffic filter that denies inter-station traffic and using the integrated firewall functionality to drop all DNS traffic other than the configured external DNS service helps secure your guest access.

To service DHCP requests from domain devices and other trusted devices use your corporate DHCP server(s) as they have more functionality than the Aerohive integrated DHCP server.

Larry

Robert - I just set up my second school like that. Honestly, I never even thought that a radio would handle its own DHCP. May be a good idea for our athletic fields guest access though.

Justin Merwin

Can someone provide a tutorial on setting up DHCP as Crowdie explained?

Crowdie, Champ

For our example we need to authenticate guest users into VLAN 100 that is routed out to the Internet. There is no access to the internal LAN from VLAN 100 but we will configure the Aerohive access point’s integrated firewall service to protect the internal LAN anyway.

Once guest users have authenticated to the Guest SSID the Aerohive access point’s integrated DHCP service will service DHCP requests from the guest’s wireless clients. The DNS servers in the DHCP scope will be configured for Google DNS (8.8.4.4 and 8.8.8.8) and the Aerohive access point’s integrated firewall service will drop any DNS traffic not routed to Google DNS.

Finally we will configure a Guest traffic filter to stop guest users communicating with each other. This is extremely important as some guest’s wireless clients may be running a DHCP server, for example, and it could start servicing other guest’s requests.

The following is based on the HiveManager and HiveOS 6.1r1 code.

Step 1 - Create the SSID

1. Configure -> SSIDs
2. Click on the “New” button
3. Configure the SSID as follows:

* Profile Name - “Guest”
* SSID - “Guest”
* SSID Broadcast Band - “2.4 GHz & 5 GHz (11n/a + 11n/b/g)”
* Description - “Guest SSID”
* SSID Access Security - “Private PSK”
* Expand the “DoS Prevention and Filters” option
* Click on the “+” icon to the right of the “Traffic Filter” drop down menu
* The “SSIDs > New > Traffic Filters > New” screen will appear
* Configure the traffic filter as follows:

• Name - “Guest_Traffic_Filter”
• Description - “Guest Traffic Filter”
• Disable the “Enable SSH” option
• Disable the “Enable Telnet” option
• Disable the “Enable Ping” option
• Disable the “Enable SNMP” option
• Disable the “Enable Inter-station Traffic” option (Important)
• Click on the "Save" button

"The traffic filter will stop wireless clients (called stations) communicating with each other when they are associated to the "Guest" SSID. This should always be done for any SSID that un-managed wireless clients associate to."

* Click on the “Save” button
* You will be returned to the “SSIDs > New” screen
* Click on the “Save” button

Step Two - Create the User Profile

1. Configure -> User Profiles
2. Click on the “New” button
3. Configure the user profile as follows:

* Name - “Guest”
* Attribute Number - 100
* Default VLAN - 100 (You will need to click on the “+” icon to the right of the “Default VLAN” drop down menu and create a new VLAN object)
* Description - “Guest User Profile”
* Expand the “Firewalls” option
* In the “IP Firewall Policy” area click on the “+” icon to the right of the “From-Access” drop down menu
* Enter “Guest_From_IP_Policy” into the “Policy Name” field
* Enter “Outbound Firewall IP Policy for Guests” into the “Description” field
* Click on the “+” icon
* Click on the “Select one of the Following” drop down menu in the “Service” column
* Select “Application Services”
* Select “DHCP” from the “Select Applications” window
* The Action for the rule should be “Permit”
* Click on the floppy disk icon to save the firewall rule
* Click on the “+” icon
* Click on the “+” icon in the “Destination IP” column
* In the “IP Policies > New > IP Objects/Host Names > New” screen enter the following:

• Select “IP Address”
• Object Name - Google DNS 8.8.4.4
• IP Entry - 8.8.4.4
• Description - “Google DNS 8.8.4.4”
• Click on the "Save" button

* Click on the “Select one of the Following” drop down menu in the “Service” column
* Select “Application Services”
* Select “DNS” from the “Select Applications” window
* The Action for the rule should be “Permit”
* Click on the floppy disk icon to save the firewall rule
* Click on the “+” icon
* Click on the “+” icon in the “Destination IP” column
* In the “IP Policies > New > IP Objects/Host Names > New” screen enter the following:

• Select “IP Address”
• Object Name - Google DNS 8.8.8.8
• IP Entry - 8.8.8.8
• Description - “Google DNS 8.8.8.8”
• Click on the “Save” button

* Click on the “Select one of the Following” drop down menu in the “Service” column
* Select “Application Services”
* Select “DNS” from the “Select Applications” window
* The Action for the rule should be “Permit”
* Click on the floppy disk icon to save the firewall rule
* Click on the “+” icon
* Click on the “Select one of the Following” drop down menu in the “Service” column
* Select “Application Services”
* Select “DNS” from the “Select Applications” window
* The Action for the rule should be “Deny”
* Click on the floppy disk icon to save the firewall rule

"What you have just configured are three firewall rules affecting DNS traffic:

* Allow DNS traffic to and from 8.8.4.4
* Allow DNS traffic to and from 8.8.8.8
* Drop all other DNS traffic"


* Click on the “+” icon
* Click on the “Destination IP” drop down menu and select “10.0.0.0/255.0.0.0”
* Click on the “Select one of the Following” drop down menu in the “Service” column
* Select “Network Services”
* In the “Select Services” window select “any” and click on the “OK” button.
* The Action for the rule should be “Deny”
* Click on the floppy disk icon to save the firewall rule
* Click on the “+” icon
* Click on the “Destination IP” drop down menu and select “172.16.0.0/255.240.0.0”
* Click on the “Select one of the Following” drop down menu in the “Service” column
* Select “Network Services”
* In the “Select Services” window select “any” and click on the “OK” button.
* The Action for the rule should be “Deny”
* Click on the floppy disk icon to save the firewall rule
* Click on the “+” icon
* Click on the “Destination IP” drop down menu and select “192.168.0.0/255.255.0.0”
* Click on the “Select one of the Following” drop down menu in the “Service” column
* Select “Network Services”
* In the “Select Services” window select “any” and click on the “OK” button.
* The Action for the rule should be “Deny”
* Click on the floppy disk icon to save the firewall rule
* Finally add any “Permit” rules to allow HTTP, HTTPS and any other traffic types you want guests to be able to access.
* Click on the “Save” button to save the firewall IP policy.
* In the "IP Firewall Policy" area click on the "Default Action" and select "Deny".

"As the default firewall action is now "deny" any wireless traffic that does not have a specific "permit" rule will be dropped"

* Expand the “QoS Settings” area
* In the “Policing Rate Limit” area set the “a/b/g mode (0-54000 Kbps)” and “11n mode (0-2000000 Kbps)” fields to 1000.

"The policing rate limit restricts the guest wireless client's throughput to 1 Mbps (1,000 Kbps)."

* Click on the “Save” button to save the user profile.
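To show what the "From-Access" IP policy from Step 2 actually does to guest traffic, here is an added example written for this page (not HiveOS or HiveManager code): the rules are listed in the order the step creates them, with "Deny" as the default action, and a set of constructed guest flows is evaluated against them. Top-to-bottom first-match evaluation and the protocol/port numbers behind the "DHCP", "DNS", "HTTP" and "HTTPS" application services are assumptions of this model; HTTP and HTTPS stand in for whatever permit rules you add at the end of the list.

```python
"""First-match evaluation of the guest "From-Access" IP firewall policy.

Added example, not HiveOS/HiveManager code. Rule order follows Step 2 of the
guide; evaluation order and service port numbers are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

ANY_DST = ip_network("0.0.0.0/0")

# Assumed protocol/port mapping for the named application services.
SERVICES = {
    "dhcp": {("udp", 67)},
    "dns": {("udp", 53), ("tcp", 53)},
    "http": {("tcp", 80)},
    "https": {("tcp", 443)},
}


@dataclass(frozen=True)
class Rule:
    dst: IPv4Network   # destination IP object ("any" = 0.0.0.0/0)
    service: str       # "any" (network service) or a key of SERVICES
    action: str        # "permit" or "deny"


# Rule order exactly as the guide builds it; the policy's default action is "deny".
GUEST_FROM_ACCESS: List[Rule] = [
    Rule(ANY_DST, "dhcp", "permit"),
    Rule(ip_network("8.8.4.4/32"), "dns", "permit"),
    Rule(ip_network("8.8.8.8/32"), "dns", "permit"),
    Rule(ANY_DST, "dns", "deny"),                       # drop all other DNS
    Rule(ip_network("10.0.0.0/8"), "any", "deny"),      # RFC 1918 ranges:
    Rule(ip_network("172.16.0.0/12"), "any", "deny"),   # nothing from guests
    Rule(ip_network("192.168.0.0/16"), "any", "deny"),  # reaches the internal LAN
    Rule(ANY_DST, "http", "permit"),                    # "add any permit rules
    Rule(ANY_DST, "https", "permit"),                   # you want guests to have"
]
DEFAULT_ACTION = "deny"


def rule_matches(rule: Rule, dst, proto: str, port: int) -> bool:
    """A rule matches when the destination is inside its IP object and the service fits."""
    if dst not in rule.dst:
        return False
    return rule.service == "any" or (proto, port) in SERVICES[rule.service]


def evaluate(dst: str, proto: str, port: int,
             policy: List[Rule] = GUEST_FROM_ACCESS,
             default: str = DEFAULT_ACTION) -> Tuple[str, Optional[int]]:
    """Return (action, index of the first matching rule), or (default, None)."""
    target = ip_address(dst)
    for idx, rule in enumerate(policy):
        if rule_matches(rule, target, proto, port):
            return rule.action, idx
    return default, None


# Constructed sample flows from a guest client: (description, dst, proto, port).
SAMPLE_FLOWS = [
    ("DHCP discover (broadcast)", "255.255.255.255", "udp", 67),
    ("DNS to Google 8.8.8.8", "8.8.8.8", "udp", 53),
    ("DNS over TCP to 8.8.4.4", "8.8.4.4", "tcp", 53),
    ("DNS to a third-party resolver", "1.1.1.1", "udp", 53),
    ("DNS to an internal resolver", "10.0.0.53", "udp", 53),
    ("HTTPS to an internal server", "10.1.2.3", "tcp", 443),
    ("HTTP to a 192.168 address", "192.168.1.1", "tcp", 80),
    ("HTTPS to a public site", "203.0.113.10", "tcp", 443),
    ("SSH to a public host", "203.0.113.10", "tcp", 22),
]


def evaluate_samples() -> List[Tuple[str, str]]:
    """Evaluate every sample flow and return (description, action) pairs."""
    return [(desc, evaluate(dst, proto, port)[0]) for desc, dst, proto, port in SAMPLE_FLOWS]


if __name__ == "__main__":
    for desc, action in evaluate_samples():
        print(f"{action:6s}  {desc}")
```

Two things the table makes visible: the DHCP permit has to sit at the top, because with "Deny" as the default action a guest could otherwise never obtain a lease; and the DNS rules only constrain port 53, so a client using DNS over HTTPS to a public resolver is admitted by the HTTPS permit. The policy therefore keeps guests off the internal LAN and off internal resolvers, which is its purpose, but it is not a DNS filter in any stronger sense.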

Step 3 - Create the PPSK Local User Group

1. Configuration -> Advanced Configuration -> Authentication -> Local User Groups
2. Click on the “New” button
3. Create a local user group as follows:

* User Group Name - “Guest_One_Day”
* Description - “Guest Private PSK”
* User Type - “Automatically generated private PSK users”
* User Profile Attribute - 100
* VLAN ID - Leave blank
* Reauthorization Time - 1800
* User Name Prefix - “Guest_One_Day_”
* Private PSK Secret - Click on the “Generate” button
* Location - Your home town’s name
* Password Length - 12
* PSK Generation Method - “Password Only”
* Time Zone - Your home town’s time zone
* PSK Validity Period - “Recurring”
* Select the “Enable the automatic creation and rotation of private PSK users and their keys” option
* Private PSK Start Time - Today’s date 00 hr 00 min
* Private PSK Lifetime - 1 day 00 hr 00 min
* Private PSK Rotation Interval - 1 day 00 hr 00 min
* Private PSK Rotations - 365
* Private PSK Users to Create per Rotation - 20
* Configure the characters type as you want
* Click on the “Save” button

"Each day twenty guest PPSKs will be created that are valid for a day."

Step 4 - Create the Network Policy

1. Configuration -> Network Policies
2. Click on the “New” button
3. Click on the “New” button
4. In the “New Network Policy” window enter the following:

* Name - “Guest”
* Description - “Guest Network Policy”
* Wireless Access - Enabled

* Click on the “Create” button
* Click on the “Choose” button to the right of the “SSIDs” heading
* In the “Choose SSIDs” window click on the “Guest” SSID and then the “OK” button
* In the “Authentication” column click on the “PSK User Groups” link
* In the “Local User Groups” window select the “Guest_One_Day” entry and click on the “OK” button
* In the “User Profile” column click on the “Add/Remove” link and select the “Guest” user profile
* Click on the “Save” button
* Click on the “Save” button to save the network policy

Step 5 - Create the DHCP Server

1. Configuration -> Advanced Configuration -> DHCP Server & Relay
2. Click on the “New” button
3. Create a DHCP server as follows:

• Name - “Guest_DHCP_Server”
• Interface - mgt0.1

"The MGT sub-interface allocated to the DHCP Server must be the same one allocated to the DHCP Relay. For each new DHCP service use a unique MGT sub-interface."

• Description - “Guest DHCP Server”
• Select the “Enable a DHCP server on this interface” option
• Enable the “Set the DHCP server as authoritative” option

"If you do not enable the "authoritative" option some wireless clients may maintain their existing IP address rather than taking the IP address allocated out of the DHCP scope."

• Enable the “Use ARP to check for IP address conflicts” option.

"The "Use ARP" option ensures that the same DHCP scope IP address is not allocated to two or more wireless clients."

• In the “IP Pools” area enter the DHCP scope’s start IP address and end IP address
• Expand the “DHCP Server Options” entry
• Enter the DHCP scope’s default gateway into the “Default Gateway” field
• Netmask - Network's subnet mask
• DNS Server1 IP - 8.8.4.4
• DNS Server2 IP - 8.8.8.8
• Click on the “Save” button

Step 6 - Create the DHCP Relay (Optional)

1. Configuration -> Advanced Configuration -> DHCP Server & Relay
2. Click on the “New” button
3. Create a DHCP Relay as follows:

• Name - “Guest_DHCP_Relay”
• Interface - mgt0.1
• Description - “Guest DHCP Relay”
• Select the “Enable a DHCP relay agent on this interface” option
• Primary DHCP Server - Enter the static IP address of the Aerohive access point that will act as a DHCP server
• Click on the “Save” button

Step 7 - Assign the DHCP Server Role to the Access Point

"The access point that will service DHCP requests from guest wireless clients must be assigned the DHCP Server role."

1. Monitor -> Access Points -> Aerohive APs
2. Place a tick in the checkbox to the left of the access point that will act as a DHCP server
3. Click on the “Modify” button
4. Change the "Network Policy" to "Guest"
5. If the access point does not have a static IP address (a requirement for access points acting as a DHCP server):

• Expand the “MGT0 Interface Settings” entry
• Select the “Static IP” option
• Enter the appropriate values into the “Static IP Address”, “Netmask” and “Default Gateway” fields

* Expand the “Service Settings” entry
* In the “DHCP Server & Relay” area select “Guest_DHCP_Server” and click on the “>” button
* Click on the “Save” button

Step 8 - Assign the DHCP Relay Role to the Access Point (Optional)

"Any access point that supports the Guest SSID but is not the DHCP Server for that SSID must forward the DHCP requests to an access point configured as a DHCP Server for that SSID. These access points are called DHCP Relays."

1. Monitor -> Access Points -> Aerohive APs
2. Place a tick in the checkbox to the left of the access point that will not act as a DHCP server
3. Click on the “Modify” button
4. Change the "Network Policy" to "Guest"
5. Expand the “Service Settings” entry
6. In the “DHCP Server & Relay” area select “Guest_DHCP_Relay” and click on the “>” button
7. Click on the “Save” button
8. Repeat for all the access points with the “Guest” SSID that aren’t acting as the DHCP server

Step 9 - Update the Access Points

1. Monitor -> All Devices -> Aerohive APs
2. Place a tick in the checkbox to the left of all the access points that will act as DHCP servers or relays.
3. Click on the "Update..." button
4. Select "Upload and Activate Configuration" from the drop down menu
5. Click on the "Settings" link (top right hand corner )
6. Select "Complete Upload" from the upload types
7. Select "Activate after 5 seconds"
8. Enable the "Upload and activate configuration" and "Upload and activate employee, guests, and contractor credentials" options
9. Click on the floppy disk icon in the top right hand corner to save the changes
10. Click on the "Upload" button to upload the new configuration

Step 10 - Create a Lobby Administrator Account

1. Home -> Administration -> Administrators
2. Click on the “New” button
3. Create an administrator account using the following:

• Email address - Your E-mail address
• Name - Lobby.Admin
• Password - Pick an appropriate password
• Confirm Password - Repeat the password previously entered
• Full Name - Your name
• Time Zone - Your home town’s time zone
• Group Name - “User Manager Operator”
• Select the “Limit operator access to the selected Private PSK User Groups” option
• Click on the “Guest_One_Day” Private PSK group and then the “>” button
• Select the “Limit operator access to the selected SSID Profiles” option
• Click on the “Guest” SSID and then the “>” button
• Click on the “Save” button

Testing

1. Log into the HiveManager using the Lobby Administrator account and create a one day guest Private PSK account
2. With a wireless client log into the “Guest” SSID using the previously created Private PSK
3. Once authentication has occurred the wireless client should have an IP address from the configured DHCP scope.

Hopefully that will help you Justin.

Tri Ctt

Hi Crowdie,
I want to use the AP as a DHCP server with 3 SSIDs (internal, vip, guest) on 3 VLANs with /23 subnets; the gateways of the 3 VLANs are on a Fortinet firewall. How can I configure the DHCP server for that? Please give me the steps to configure it.

Brian

Hi There,

Thanks Crowdie for this guide, I've found it very useful.

I've followed the guide and implemented it on an AP-350 in my test lab, without DHCP relay. I've logged into the Lobby Assistant account, got my key and that works just fine, however the wireless devices are not getting IP addresses. They only get 169.x.x.x self assigned addresses. I plugged my laptop into Eth1 on the AP-350 and the same happens, no DHCP. Further details of the lab are below, any assistance would be greatly appreciated.

AP-350 - HiveOS 6.6r2a Irvine 2309
Linksys SD208D Hub (I'm uncertain if this allows VLAN tagged traffic)
Linksys ADSL Modem (Offers DNS & DHCP to wired clients)

The Linksys ADSL modem
IP 192.168.99.1
DHCP Scope 192.168.99.50 - 192.168.99.150
Sub 255.255.255.0
G/W 192.168.99.1
DNS 8.8.8.8

The AP-350
IP 192.168.99.10
Sub 255.255.255.0
G/W 192.168.99.1
DNS 208.67.222.222

DHCP Server on AP-350
VLAN 101
Interface Mgt0.1
IP 192.168.99.20 (No conflicts)
Sub 255.255.255.0

Enable DHCP on Interface - Yes
Set as Authoritative - Yes
Use ARP - Yes
DHCP Scope 192.168.99.30 - 192.168.99.200
Sub 255.255.255.0
G/W 192.168.99.1
DNS 8.8.8.8

In Monitor -> All Devices the AP-350 has the DHCP Server (blue circle) showing, but it's not working for me. Have I got something obviously wrong, please?

Thanks in advance.

Brian.


Brian

Further testing reveals the following: 

I connect using the PSK and under monitor -> Clients my wireless device is visible.

I still do not get a DHCP address so I changed my wireless device to the following, as if it had received an address from DHCP. 

IP 192.168.99.31
Sub 255.255.255.0
G/W 192.168.99.1
DNS 8.8.8.8

I was not able to ping the gateway (Okay, the hub probably doesn’t allow VLAN traffic), nor was I able to ping 192.168.99.20 (AP-350 DHCP Server IP) or indeed the AP-350 itself.

One theory is that because the hub doesn't allow VLAN traffic, DHCP and the AP-350 in general don't allow client connections. Could this really be the case?

Thanks again.


Brian.


Justin Merwin

This is exactly what I was looking for, thanks Crowdie.

Crowdie, Champ

Not a problem. I hope it helped.

Justin Merwin

Alright, I spoke too soon. I'm not sure where to create the new user profile from step 2. I don't see any area in HiveManager to do so.

Crowdie, Champ

User profiles are created in the User Profiles area (Configuration -> User Profiles).

The firewall settings are hidden in the "Firewalls" area:


James Cook

Is it possible to have the Aerohives give out DHCP addresses to a particular SSID? We're not using VLANs - we have the second NIC on the primary DHCP Aerohive going into a Sonicwall WAN interface so the guests can use VPN into the main LAN interface. This allows some guests who need corporate LAN access to get it without giving them the corporate LAN SSID shared key.

Crowdie, Champ

> This allows some guests who need corporate LAN access to get it
> without giving them the corporate LAN SSID shared key

So you are using open authentication on a WLAN granting access to the corporate LAN?