Aerohive Updates for HiveOS 4.0
By CWNP On 06/01/2011
In a conversation last week, I was asked about hot topics in Wi-Fi. My list went something like this:
- Mobile, mobile, and more mobile device management and control
- Simple guest access and provisioning
- Spectrum analysis
- Architecture
I find Aerohive speaking to each of the hot topics. In some ways, Aerohive instigated the architecture fight, and as a company, they set up camp on that point. But in yesterday’s press, I find affirmation of Aerohive’s commitment to the enterprise WLAN by focusing on all of the hot topics—and beating several of their larger competitors to the punch.
The first two topics—mobile devices and guest access—are inter-related, though still separate.
Mobile Device Control
When we face the challenges of mobile devices, two primary needs stand out. The first is device-specific policies on the network. The second need is device management and control to eliminate security threats from consumer devices. In my opinion, the first issue can be answered by WLAN vendors, and the second is really a broader security concern that should be addressed by device manufacturers and third-party software vendors. On the WLAN, controlling who, what, when, and where of client access is key to both performance and security; such control is the need that Aerohive addresses.
Aerohive’s management system (HiveManager) is designed to be flexible; IMO, it’s one of the more graceful solutions for managing user and group policies for QoS, firewall, authentication, and more. In version 4.0 of Aerohive’s HiveManager and AP software, they’ve added an Operating System detection feature. OS detection allows network admins to add the OS type into policy definitions, giving administrators greater control over network permissions and usage by wireless devices. Administrators can use the OS object in a policy to define separate access rules for mobiles and laptops, even if the user has a single PSK or EAP credential for their laptop, tablet, and phone. This eases the administrative burden of creating new SSIDs and issuing different credentials for each user/device.
In practical terms, administrators could permit only Internet and email access for iPhones, add remote desktop applications for iPads, and give corporate users full rights on their company-issued laptops, for example. Such a simple example doesn’t do justice to the capabilities. Time of day, rate limiting, SLA guarantees, airtime fairness, QoS, and many other factors can be controlled based on device type, whether company or user owned. OS type thus becomes another variable—an important one—in the policy.
As we look at the problem of mobile device management and guest network access, one key feature for Aerohive is Private PSK. A PPSK is a unique PSK for each user. In both corporate and guest access use cases, PPSKs have several strengths:
- Ease of use
- Can be provisioned and revoked one by one
- Each key can be tied to a different set of user/group policies
- With proper length, they’re plenty secure
One advantage of the PPSK is to secure guest networks. Guests come to your facility, connect to your open network (an access network for provisioning purposes) and are provisioned a temporary PPSK—via their browser. Since everyone knows how to use a PSK, the guests can copy the PSK and use it to connect to your secure guest network. Administrators (and other office personnel) don’t have to be involved, and guests get secure access. You can apply guest policies (time of day, length of session, rate limits, VLANs, QoS, firewalls, etc.) to their connection as appropriate.
Similarly, the same open network could be used by corporate users to self-provision their own PSK for personal devices like phones or tablets. With proper policies in place, a corporate user could use their PSK to access some corporate resources (as defined by your company’s usage policies), but may be prevented from accessing others.
I’m not convinced that self-provisioned PPSKs are the ultimate answer to guest access, but I see it as a secure and easy-to-use step towards an automated solution. I’m still surprised that only two vendors have a per-user PSK feature since it has many use cases and is a “best of both worlds” between 802.1X and PSK.
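To make the PPSK model described above concrete, here is an added example (not Aerohive's code and not from the original post) of a toy per-user PSK registry: each identity gets its own randomly generated key bound to a policy, guest keys carry an expiry, and a single key can be revoked without touching anyone else's. The class and function names are assumptions, and the dictionary lookup by passphrase stands in for the AP's real per-key check during the 4-way handshake.

```python
import math
import secrets
import string
import time

# Constructed alphabet for generated keys; a WPA2 passphrase is 8-63 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits


class PrivatePskStore:
    """Toy per-user PSK (PPSK) registry: one key per identity, each bound to a policy."""

    def __init__(self):
        self._keys = {}  # passphrase -> record (identity, policy, expiry, revoked flag)

    def provision(self, identity, policy, length=20, ttl_seconds=None, now=None):
        """Issue a fresh random key for one identity; guests get a TTL, staff keys do not."""
        now = time.time() if now is None else now
        passphrase = "".join(secrets.choice(ALPHABET) for _ in range(length))
        self._keys[passphrase] = {
            "identity": identity,
            "policy": policy,
            "expires": None if ttl_seconds is None else now + ttl_seconds,
            "revoked": False,
        }
        return passphrase

    def revoke(self, passphrase):
        """Revoke exactly one key; every other user's key keeps working."""
        if passphrase in self._keys:
            self._keys[passphrase]["revoked"] = True

    def authorize(self, passphrase, now=None):
        """Return the policy bound to a presented key, or None if unknown, revoked or expired."""
        now = time.time() if now is None else now
        rec = self._keys.get(passphrase)
        if rec is None or rec["revoked"]:
            return None
        if rec["expires"] is not None and now >= rec["expires"]:
            return None
        return rec["policy"]


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Guessing entropy of a generated key, to back the 'with proper length' point."""
    return length * math.log2(alphabet_size)
```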
Joining the ranks of other WLAN leaders, Aerohive has also announced spectrum analysis support in HiveManager and HiveOS 4.0. As with Aruba, spectrum analysis support is based on the Atheros chipset, which I’ve written about previously. For the 4.0 software release, spectrum support is for the 100 series APs only. Future software updates will add spectrum support to the 300 series APs, which will likely be announced this summer along with a new triple stream 300 series AP (clarification: a 300 series AP is my prediction; I do not know Aerohive's actual product roadmap). Other than a few screenshots, I haven’t seen the quality of the new spectrum features yet, but will report on them after testing firsthand. Spectrum visibility enhances monitoring and troubleshooting, particularly when added to Aerohive’s existing client health and SLA features.
Other features were announced in Aerohive’s press release:
- Along with new OS objects, HiveManager also now uses domain objects, allowing administrators to assign user profiles based on a Windows domain
- RADIUS functionality in the AP supports native Active Directory integration
- User credential caching at the AP provides authentication resiliency if the WAN link (and thus access to the remote user database) fails
- Wi-Fi Planner capability enhancements
- Cloud-based HiveManager improvements that facilitate managed service models for resellers
Final Comments and Suggestions (FCS)
Aerohive’s Cooperative Control architecture is new and exciting…we’ve heard that a million times by now. Feature updates like guest access provisioning, mobile device control, and spectrum analysis are solid enhancements to their platform. They’re still a young company, but are focusing on the right features, making big strides in the enterprise. I don’t see “world domination” on the horizon, but with every new release, their role as an up-and-coming WLAN leader is confirmed.
Blog Disclaimer: The opinions expressed within these blog posts are solely the author’s and do not reflect the opinions and beliefs of the Certitrek, CWNP or its affiliates.