hiveos hivemanager releasenotes


Upload: guillaume-da-nobrega

Post on 26-Oct-2014


Aerohive 5.0r3 Release Notes

Release Versions: HiveOS and HiveManager 5.0r3

Platforms: BR200-WP, BR200, BR100, AP330, AP350, Cloud VPN Gateway, HiveManager, High Capacity HiveManager, HiveManager Online, HiveManager Virtual Appliance

Release Date: April 10, 2012

These are the release notes for HiveOS 5.0r3 firmware and HiveManager 5.0r3 software. These releases support the addition of several new and enhanced features, which are summarized in the following section. The known issues are described in the "Known Issues" section near the end of this document.

Although HiveOS 3.4r4 was the last release for the HiveAP 20 series, HiveManager 5.0r3 can continue to manage all HiveAP platforms running releases from HiveOS 3.4r1 to 3.4r4. However, you must push full configuration updates to them because some commands have been removed which would cause delta configuration updates to fail. HiveManager can support full and delta configuration updates to HiveAPs running HiveOS 4.0, 4.1, and 5.0.

New Features and Feature Enhancements

Several new features and feature enhancements have been introduced in the HiveOS and HiveManager 5.0 releases. You can read summaries of these features and enhancements below. If there are no entries listed for a particular release, no new major features or feature enhancements were added in that release.

New Features and Enhancements in the 5.0r3 Releases

HiveManager 5.0r1 in Enterprise mode and HiveOS 5.0r1 releases introduce new and enhanced routing features for the Aerohive BR200 series routers, BR100 router, and Aerohive AP 330 and AP350 access points when configured to function as routers. With this functionality, you can construct and manage cloud-enabled networks using routers and a CVG (Cloud VPN Gateway) or a pair of CVGs, one in each of two datacenters. You can enable, configure, and monitor all of your Aerohive routing devices through HiveManager 5.0 in Enterprise mode. The following features are supported in the HiveOS and HiveManager 5.0r3 releases.

New and Enhanced HiveOS 5.0r3 Features

BR200-WP and BR200 Routers as RADIUS Servers: This feature removes the need to configure a static IP address on the router at each branch location because the router informs the APs of its IP address and RADIUS settings through DHCP options.

BR200-WP and BR100 as Private PSK Servers: The BR200-WP and BR100 routers can function as private PSK servers to provide self-registration services and the automatic binding of private PSKs to client MAC addresses. A router advertises its private PSK server capabilities in responses to DHCP requests from Aerohive devices on the same management network.

BR200-WP Routers as PSE Devices: Aerohive BR200-WP routers can function as 802.3af or 802.3at PSE (Power Sourcing Equipment) through the Eth1/PoE and Eth2/PoE (Power over Ethernet) ports to devices such as Aerohive APs, other wireless access points, network cameras, and VoIP phones.

PPPoE Support: For many cable and DSL internet connections, ISPs require customers to authenticate using a PPPoE username and password. Aerohive routers running HiveManager and HiveOS 5.0r3 support PPPoE connections on the Eth0 WAN interface to accommodate this requirement.


Router QoS to Support VoIP: In addition to existing Aerohive scheduling, queuing, and rate limiting for wireless interfaces, you can now limit the bandwidth used by non-VoIP traffic when a router detects that a VoIP call is occurring. This ensures that VoIP call traffic through the router receives higher-priority treatment, preserving call quality when in competition with lower-priority network traffic such as email and web traffic. You can enable this feature in network policies in the Configuration section of the GUI or for specific routers in the Monitor section. You can also set maximum download and upload bandwidth rates for non-VoIP traffic.

Static Routes on Routers: You can configure static routes on an Aerohive router so that it can route traffic to hosts in different subnets reached through non-Aerohive routers. You can set static routes in the Static Routes section on the Monitor > Devices > Routers > Modify page. (Note: Routers do not advertise their static routes to the CVG.)

Wireless USB Modem as the Primary WAN Interface with Ethernet Backup: You can now set a wireless USB modem as the primary WAN interface on an Aerohive router with its eth0 interface specified as backup.

802.1X on Ethernet Ports (BR200 and BR100): BR100 and BR200 routers now support 802.1X/EAP authentication on their Ethernet ports. After a supplicant authenticates successfully through an Ethernet port, the router dynamically assigns that port a VLAN based on the user profile determined by returned RADIUS attributes. Currently one 802.1X/EAP device can authenticate per port. Electing to authenticate via 802.1X in a LAN profile allows you to move on directly to creating a RADIUS server to handle the authentication.

RADIUS Operation and NAS Identifier Attributes: Aerohive now provides a means to authenticate users to a home network from a foreign network and track connection sources by injecting operator ID and NAS identifiers into the RADIUS packets, identifying the domain from which the user authenticates to the network. In geographically dispersed systems such as regional or global education and research networks in which users might authenticate separately from many different domains, including the operator ID and NAS identifier in RADIUS authentication messages provides a means to handle regionally or globally dispersed users.

HTTP Proxy Added to the CVG Initial Setup Wizard: When deploying a CVG (Cloud VPN Gateway) on an ESXi hypervisor, the Initial Setup Wizard now provides settings for configuring the CVG to send outbound traffic to an HTTP proxy server if necessary. Once configured to do so, the CVG can then contact the license server through the HTTP proxy so that it can activate its license.

CVG Support of Internal Network Route Advertisements: In addition to setting static routes for a CVG, you can control which destinations it includes in the route updates it advertises to routers.

Using TCP-MSS when Path MTU Discovery is Disrupted: When devices such as firewalls along a data path between two hosts disrupt the Path MTU (Maximum Transmission Unit) Discovery mechanism so that the transmitting host cannot determine the maximum packet size it can send without fragmentation, you can configure Aerohive routers and VPN gateways with TCP-MSS (Maximum Segment Size) thresholds to notify the host when to reduce the size of the TCP packets it transmits.

TeacherView Blocked URL Notification: When a student attempts to access a blocked URL or website, TeacherView now notifies the student that the connection is disallowed rather than silently discarding the request. Reporting the blockage in this way reduces student confusion, which in turn reduces the time the teacher must spend handling the confusion.

New and Enhanced HiveManager 5.0r3 Features

Staged Configuration and Image Updates: Prior to this release, whenever you push firmware or a configuration update to an Aerohive device that is temporarily offline, the update eventually times out and fails. This feature pushes firmware and configuration updates in stages; first to all online devices, and then automatically to any offline devices the next time they connect to HiveManager, ensuring that no devices are missed during an update push. Pending updates can be cancelled or overwritten with newer information at any time.

HiveManager Online Connectivity Test: When you choose to upgrade your HiveManager Online instance to the latest release, this feature allows HiveManager Online to conduct a connectivity test from the managed devices to the upgraded instance to ensure all devices can reach the new HiveManager. If any Aerohive devices cannot reach the new server, HiveManager Online will notify you to update firewall or connection settings before upgrading.

HiveOS Version Notification: HiveManager queries devices to collect their HiveOS version, compares it to the available versions, and then displays a notice if the devices are not running the latest versions available. It is not necessary to run identical versions across your network, but many features require updates to both HiveOS and HiveManager for full functionality. For example, HiveManager running 5.0r3 can safely manage AP120 devices running HiveOS 4.1r3 because HiveOS 4.1r3 is the latest version for those models. Note, however, that the new features listed here require 5.0r3 to operate.

Adjusting the Refresh Rate on Monitor Pages: You can now disable the auto-refresh feature on many of the Monitor pages for managed devices and their clients. This stops the screen from automatically refreshing whenever a new device or client connects, or when devices report updated information to HiveManager, which can cause you to lose your place if you are working in a page with numerous entries. By default, Auto Refresh is on. Select off to disable it. To re-enable it, check on.

Cloning Buildings and Floors: When you are adding buildings and floors to topology maps, you now have the option to clone existing buildings or floors. Right-click a building or floor, and then select Clone from the drop-down list of options. Name the clone and click Create. The cloned building or floor now appears in the map navigation tree.

Hiding Device Tags in Maps: This feature is currently supported for the planning map tool only. When you are viewing network topology maps, if there are too many devices in close proximity, it can be difficult to identify individual devices if the device tags are displayed. This feature adds an option to turn off the device display tags in your planning maps. You can do this in the View mode for any map by opening the drop-down list for AP Labels and selecting No Label. Labels are displayed by default. To turn label display back on, simply select one of the other options from the drop-down list.

Wi-Fi Station and Interface Statistics Summary: You can see a summarized report of wireless interfaces and client statistics and states by selecting an Aerohive device with currently connected clients and clicking Tools > Statistics > Wifi Status Summary on the All Devices, HiveAPs, or Routers page in the Monitor section.

Band Steering and Load Balancing Improvements: HiveManager now provides more granular and flexible control over traffic-optimizing features. This is particularly useful for implementations in which there is relatively dense client deployment without dense (that is, overlapping) AP deployment, such as in schools, training facilities, and similar environments. When you create or edit an existing radio profile, you can now find the options that are used specifically to optimize traffic in a new, separate expandable section called Optimizing Management Traffic Settings. In addition, you now have the ability to control to a fine degree how the APs handle band usage and steering.

Changes to Behavior and Appearance

The following changes to default behavior have been introduced in the 5.0r3 releases:

Network policies no longer apply to CVGs. CVGs do not provide network access to users through SSIDs or LAN interfaces, so most of the settings contained in a network policy do not apply to them. The only element that does is the management network setting. A CVG must be on the same management network as the routers with which it communicates. That setting has now been added to the VPN Gateway configuration page.

You can assign multiple LAN profiles to a wireless + routing network policy.

You can set the native VLAN for each LAN port on a BR100 independently from one another. (This is true for all routers but is a change in behavior only for the BR100.) By default, the native VLAN for all LAN interfaces comes from the mgt0 interface.

You can now select multiple router and VPN gateway devices from the Monitor pages to make bulk changes. For multiple routers, you can modify all the fields that appear in the general information, Port Settings, Credentials, and Advanced Settings sections. For multiple CVGs, you can change the topology map and location settings, and everything inside the Optional Settings section.


In initial and all subsequent CAPWAP connection attempts between Aerohive devices and HiveManager, the devices first try to use UDP port 12222 and then switch to TCP port 80 only if connection attempts on the UDP port are unsuccessful. In previous releases, when devices formed CAPWAP connections to HiveManager on TCP port 80, HiveManager would push a configuration to them so that they would bypass the effort to use UDP port 12222 in all subsequent connection attempts to accelerate the connection process. However, CAPWAP connections using TCP consume more system resources than those using UDP, and HiveManager enforces a limit of 2000 TCP connections in contrast to 20,000 for UDP. Therefore, to conserve system resources and reduce the number of CAPWAP TCP connections when possible, Aerohive devices now continue trying to use UDP port 12222 before switching to TCP port 80 in all connection attempts.

The email field in User Manager has been expanded from 32 characters to 64.

The name of the predefined network policy for wireless-only deployments has been changed to QuickStart-Wireless-Only.

In previous releases, the manual classification of APs as either rogue or friendly only affected the way that HiveManager displayed the APs that managed Aerohive APs reported to it. In this release, HiveManager pushes the rogue and friendly classifications to the Aerohive APs under its management so that if you enable semi-automatic or automatic mitigation of rogue APs, the mitigator APs will not mitigate any APs classified as friendly. Conversely, the mitigator APs will mitigate any APs manually classified as rogue. As soon as you put an AP in one of the two categories, HiveManager communicates its classification to managed APs. As a result, if you manually classify an AP as rogue and automatic mitigation is enabled, mitigator APs immediately take action to attack the rogue. On the other hand, classifying an AP as friendly immediately cancels any attack currently underway against it.

When a network policy is active in the HiveManager GUI, clicking Continue or the title of a different network policy section does not cause HiveManager to save the configuration automatically unless there are unsaved changes in the policy.

You can access context-sensitive Help from pop-up dialog boxes in the HiveManager GUI.

The configuration audit icons indicating if the configuration on a managed device matches that for it on HiveManager have changed from to (match) and from to (mismatch). There is also a new icon for staged configuration updates:

Automatically Discovering the CAPWAP Server

Aerohive devices (HiveAPs, routers, and CVGs) and HiveManager communicate with one another through CAPWAP (Control and Provisioning of Wireless Access Points). The devices act as CAPWAP clients and HiveManager acts as a CAPWAP server. Aerohive devices can form a CAPWAP connection with HiveManager in any of the following ways:

When Aerohive devices are in the same Layer 2 broadcast domain as a HiveManager appliance or HiveManager Virtual Appliance, the devices broadcast CAPWAP Discovery Request messages to discover HiveManager and establish a secure connection with it automatically.

Aerohive routers and CVGs cannot use the CAPWAP broadcast method to discover HiveManager.

If there is no HiveManager in the same broadcast domain but the devices can reach the HiveManager Online redirection server—and serial number entries for the devices have already been added to the HiveManager Online ACL (access control list)—then they can form secure CAPWAP connections with the redirection server. From there, an administrator can assign the connected devices to a VHM (virtual HiveManager) at the MyHive site or to a HiveManager appliance—virtual or otherwise—at another site.

Finally, the Aerohive devices and a local HiveManager might be in different subnets and the HiveAPs either cannot reach HiveManager Online or they can but they are not listed in the ACL (perhaps because they are not included in any HiveManager Online account). In this case, the devices cannot discover HiveManager by broadcasting CAPWAP Discovery Request messages, nor can they reach the redirector. So that the devices can form a CAPWAP connection to HiveManager, you can use one of the following methods to configure them with the HiveManager domain name or IP address or configure them so that they can learn it through DHCP or DNS settings. When devices have the IP address of the CAPWAP server, they then send unicast CAPWAP Discovery Request messages to that address.


Make an HTTP connection to the IP address of your Aerohive Router. (You can learn its address by connecting your management system as a DHCP client to one of its LAN interfaces and checking the default gateway.) Log in using admin and aerohive as the name and password. You can then use the NetConfig UI to set the HiveManager IP address.

Make a wireless Telnet or SSH connection to a HiveAP through a virtual access console or, if the device has a console port, use a serial connection to log in to the CLI and enter the IP address of the CAPWAP server with the following command: capwap client server name <string>

Configure the DHCP server to supply the domain name of the CAPWAP server as DHCP option 225 or its IP address as option 226 in its DHCPOFFER. (If you use a domain name, the authoritative DNS server for that domain must also be configured with an A record that maps the domain name to an IP address for the CAPWAP server.) Aerohive devices request DHCP option 225 and 226 by default when they broadcast DHCPDISCOVER and DHCPREQUEST messages.

The IP address of the CAPWAP server must be accessible from the HiveAP VLAN. If you need to change the DHCP option number (perhaps because another custom option with that number is already in use on the DHCP server), enter this command with a different option number for the variable "<number>": interface mgt0 dhcp client option custom hivemanager <number> { ip | string }

If HiveManager continues to use its default domain name ("hivemanager") plus the name of the local domain to which it and the devices belong, configure an authoritative DNS server with an A record that resolves "hivemanager.<local_domain>" to an IP address. If devices do not have an IP address or domain name configured for the CAPWAP server and do not receive an address or domain name returned in a DHCP option, then they try to resolve the domain name to an IP address.

When an Aerohive device goes online for the first time without any specific CAPWAP server configuration entered manually or received as a DHCP option, it progresses through the cycle of CAPWAP connection attempts shown below. (Note that the "HiveManager" in the upper semicircle can be either a physical HiveManager appliance or HiveManager Virtual Appliance, and that the HiveAP shown can be an access point, router, or CVG.)

[Figure: cycle of CAPWAP connection attempts. Labels: HiveManager, HiveManager Online]

1. The device tries to connect to HiveManager using the default domain name "hivemanager.<local_domain>:12222", where <local_domain> is the domain name that a DHCP server supplied to the device and 12222 is the UDP port number. If a DNS server has been configured to resolve that domain name to an IP address, the device and HiveManager then form a secure CAPWAP connection on port 12222. If the device cannot make a CAPWAP connection to HiveManager on port 12222, it tries to reach it by using TCP port 80: hivemanager.<local_domain>:80.

2. If the DNS server cannot resolve the domain name to an IP address, the device broadcasts CAPWAP Discovery Request messages on its local subnet. If HiveManager is on the local network and responds with a Discovery Response message, they perform a DTLS (Datagram Transport Layer Security) handshake to establish a secure CAPWAP connection with each other.

3. If the first two searches for a local HiveManager produce no results, the device tries to contact HiveManager Online at redirector.aerohive.com:12222. If the redirection server has a serial number for that device in its ACL (access control list), it responds and they form a secure CAPWAP connection. If the device cannot make


If the device forms a CAPWAP connection with the Aerohive redirection server and its serial number has been entered in an ACL, the redirection server automatically redirects its CAPWAP connection to the corresponding HiveManager Online VHM (virtual HiveManager). The redirection server does this by sending the device the HiveManager domain name or IP address as its new CAPWAP server and the name of the appropriate VHM. If the device is currently using HTTP, the redirection server includes the configuration needed for it to continue using it. Similarly, if the device is configured to access the public network through an HTTP proxy server, the redirection server saves the relevant settings on the device so it will continue using the HTTP proxy server when connecting to HiveManager.

If the redirection server does not have the device serial number, then the ACL on the server ignores the CAPWAP connection attempts, and the device repeats the connection cycle shown above.
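The discovery order described in this section can be worked through offline to list the outbound flows a device on a given VLAN will attempt, which is what a firewall or DHCP review needs. The following is an added example, not Aerohive code: it decodes a constructed DHCP options field and builds the attempt list. Assumptions not stated on the page: option 225 is carried as ASCII text, option 226 as a packed 4-byte IPv4 address, a manually configured server is preferred over DHCP-supplied values, and the bare name "hivemanager" is used when no local domain is supplied; "<broadcast>" is a placeholder for the local-subnet broadcast.

```python
import ipaddress

# Values taken from the release notes above.
CAPWAP_UDP = ("udp", 12222)
CAPWAP_TCP = ("tcp", 80)
OPT_DOMAIN = 15                    # RFC 2132 Domain Name, source of <local_domain>
OPT_HM_NAME, OPT_HM_IP = 225, 226  # default Aerohive CAPWAP server options
REDIRECTOR = "redirector.aerohive.com"


def opt(code, value):
    """Encode one DHCP option as code, length, value (used for sample data)."""
    return bytes([code, len(value)]) + value


def parse_dhcp_options(raw):
    """Decode a DHCP options field into {code: value bytes}."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == 0:              # pad option, no length byte
            i += 1
            continue
        if code == 255:            # end option
            break
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        opts[code] = opts.get(code, b"") + value   # repeated codes concatenate
        i += 2 + length
    return opts


def dhcp_capwap_servers(opts, name_opt=OPT_HM_NAME, ip_opt=OPT_HM_IP):
    """Return the CAPWAP server name and/or address supplied through DHCP."""
    servers = []
    if name_opt in opts:
        # Assumption: the name option is plain ASCII text.
        servers.append(opts[name_opt].rstrip(b"\x00").decode("ascii"))
    if ip_opt in opts:
        # Assumption: the address option is a packed 4-byte IPv4 address.
        servers.append(str(ipaddress.IPv4Address(opts[ip_opt])))
    return servers


def udp_then_tcp(host):
    """UDP 12222 is always tried before TCP 80."""
    return [(host, *CAPWAP_UDP), (host, *CAPWAP_TCP)]


def connection_plan(raw_options, manual_server=None, device="ap",
                    name_opt=OPT_HM_NAME, ip_opt=OPT_HM_IP):
    """List (target, transport, port) attempts in the order the page describes."""
    opts = parse_dhcp_options(raw_options)
    # Assumption: a manual setting wins over DHCP; the page gives no precedence.
    known = [manual_server] if manual_server else dhcp_capwap_servers(
        opts, name_opt, ip_opt)
    if known:
        # A known server receives unicast Discovery Requests only.
        return [step for host in known for step in udp_then_tcp(host)]

    domain = opts.get(OPT_DOMAIN, b"").rstrip(b"\x00").decode("ascii")
    # Assumption: with no local domain the bare default name is used.
    default_name = f"hivemanager.{domain}" if domain else "hivemanager"
    plan = udp_then_tcp(default_name)               # step 1: DNS default name
    if device == "ap":                              # routers and CVGs cannot broadcast
        plan.append(("<broadcast>", *CAPWAP_UDP))   # step 2: local subnet
    plan += udp_then_tcp(REDIRECTOR)                # step 3: HiveManager Online
    return plan


# Constructed sample DHCPOFFER option fields (not captured traffic).
OFFER_WITH_225 = (opt(53, b"\x02") + opt(15, b"branch.example.test")
                  + opt(225, b"hm.example.test") + b"\xff")
OFFER_WITH_226 = opt(53, b"\x02") + opt(226, bytes([192, 0, 2, 10])) + b"\xff"
OFFER_PLAIN = opt(53, b"\x02") + opt(15, b"branch.example.test") + b"\xff"

if __name__ == "__main__":
    for label, offer in (("option 225", OFFER_WITH_225),
                         ("option 226", OFFER_WITH_226),
                         ("no CAPWAP option", OFFER_PLAIN)):
        print(label)
        for target, transport, port in connection_plan(offer):
            print(f"  {transport}/{port} -> {target}")
```

If the option number was changed with the interface mgt0 dhcp client option custom hivemanager command, pass the new number as name_opt or ip_opt.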

Troubleshooting the Initial CAPWAP Connection to HiveManager Online

As explained in the previous section, when you connect a HiveAP, Aerohive router, or CVG to the network and power it on, it first tries to connect to a local HiveManager. If it cannot do that, the device automatically tries to connect to the redirection server. This server checks if the serial number of the device is listed in its ACL—which should be the case as Aerohive enters the serial numbers of newly purchased devices in the appropriate ACL as part of the sales process. If the ACL contains the device serial number, the redirection server then redirects it to the correct HiveManager Online VHM, where the device appears on the Monitor > Devices > All Devices page. Log in to your MyHive account, click HiveManager Online and navigate to the All Devices page. If you do not see the device listed there, take the following steps to resolve the situation:

Depending on network conditions and firewall policies, it can sometimes take up to ten minutes for an Aerohive device to connect to the redirection server and be redirected to the HiveManager Online VHM to which it belongs. Be sure to give the device enough time to complete the connection process before proceeding.

1. Click Redirector > Monitor > HiveAP Access Control List, and check if the device serial number is listed there.

2. If the serial number is absent from the ACL, do the following:

2.1 Click Enter, type the serial number, and then click Save.

If an error message appears stating that the serial number already exists in the system, contact Aerohive Technical Support for further assistance.

2.2 Check if the device now appears on the Monitor > Devices > All Devices page in HiveManager Online. Remember that it might take up to ten minutes for it to complete the connection process.

2.3 If the device still does not appear on the All Devices page, power off the device, wait five seconds, power it back on, and then check the All Devices page again.

2.4 If the device still does not appear on the All Devices page, check that the device can access the Internet and that any firewall between it and the redirection server allows outbound traffic using either UDP 12222 or TCP 80.

If the device connects and appears on the All Devices page in your HiveManager Online VHM, you have successfully resolved the issue and can stop troubleshooting. If not, continue to the next step.

3. If the serial number of the device is listed in the ACL on the redirection server but the device does not appear on the All Devices page in HiveManager Online, first follow steps 2.3 and 2.4 (if you have not already done so). If it still does not appear, the device might be redirected to the HiveManager Online home system, which can occur if the CAPWAP server name on the device was accidentally misconfigured. To reassign it to your VHM, do the following:

3.1 In HiveManager Online, click Configuration > Auto Provisioning > SN Management > Scan SN, type the 14-digit serial number for the device, and then click Save. After that, click Cancel to close the Imported Serial Numbers dialog box.


3.2 On the Auto Provisioning page, click New, enter the following, and then click Save:

Enable Auto Provisioning: (select)

Device Model: Choose the appropriate HiveAP model from the drop-down list.

Apply to devices with the following identification: (select)

Select the serial number that you just entered in the previous step and click the right arrow ( > ) to move it from the Available Serial Numbers column to the Selected Serial Numbers column.

3.3 Reboot the device to reset its CAPWAP state to Discovery. When it contacts the redirection server this time, HiveManager Online will apply the access control defined in the automatic provisioning configuration and redirect the device to your VHM.

Upgrading HiveManager Software and HiveOS Firmware

Aerohive supports upgrading to the 5.0r3 HiveManager software and HiveOS firmware from the HiveManager and HiveOS 4.0r1 releases or later. If your systems are running images earlier than 4.0r1, follow the steps in the 4.0r1 Aerohive release notes to upgrade HiveManager software and HiveOS firmware to 4.0r1 first before upgrading them to 5.0r3.

Step 1: Upgrade 4.0r1 or later to 5.0r3

When upgrading HiveManager software and HiveOS firmware to 5.0r3, upgrade HiveManager first and then the Aerohive devices second. The full upgrade procedure is outlined below.

From HiveManager 4.0r1 or later to HiveManager 5.0r3: Upgrade to HiveManager 5.0r3.

From HiveOS 4.0r1 or later to HiveOS 5.0r3: Use HiveManager running HiveManager 5.0r3 to upgrade managed HiveAPs to HiveOS 5.0r3.

1. Save the following files to a directory on your management system or SCP server:

HiveManager 5.0r3 software file

HiveOS 5.0r3 firmware file

2. Log in to HiveManager running 4.0r1 or later, upload the HiveOS 5.0r3 firmware file and the HiveManager 5.0r3 software file, and then reboot HiveManager to activate its new software.

3. Log back in to HiveManager, which is now running 5.0r3, and upload HiveOS 5.0r3 from HiveManager to all managed devices, and then reboot them to activate their new firmware.

Step 2: Reload the HiveOS Configurations

1. Check that the firmware upgrade is complete (see Monitor > Devices > Device Update Results).

2. Upload the full configurations from HiveManager to the devices, and then reboot them to activate the 5.0r3-compatible configurations.

HiveManager running HiveManager 5.0r3 can support hives running HiveOS 4.0r3 through 5.0r3. Based on the HiveOS version that the members of each hive are using, HiveManager generates different configurations. Therefore, it is necessary to activate the HiveOS 5.0r3 firmware on managed devices before updating their configurations so that the updated configurations will use the new 5.0r3 format.


Documentation

Most of the product documentation is still in progress at the time of these releases and is not yet available. However, the Aerohive New Features Guide as well as Help for all HiveOS CLI commands are ready. To use the Help, enter "keyword-SPACE-?", for example: qos ? In addition, there are online CLI reference guides that provide the syntax and explanations for every command in the CLI. They also include information on accessing the CLI through console, Telnet, and SSH connections, tips on using the CLI, and some keyboard shortcuts.

Known Issues

The following are known issues at the time of the HiveOS and HiveManager 5.0r3 releases.

Known Issues in HiveOS 5.0r3

16885 Instead of supporting 9999 private PSK users, BR200 series routers limit the maximum to 4096.

16863 The CVG erroneously shows its Ethernet interface operating at half-duplex and 10 Mbps in the output of the show interface { eth0 | eth1 } command.

16266 The application of an HTTP ALG on an Aerohive device is incompatible with any Websense solution except the web security feature that you can set on Aerohive routers and disrupts HTTP traffic proxied to a Websense server.

WA: Disable the HTTP ALG, but note that doing so removes the ability of TeacherView to identify URLs that students visit and the ability of Aerohive devices to perform client OS detection, which is used for user profile reassignments.

15732 The CVG deployment with both eth0 (WAN) and eth1 (LAN) interfaces in the same subnet is not supported.

WA: Assign eth0 and eth1 on the CVG to separate subnets, or only use eth0.

15523 If you define an SSID with private PSK self-registration and the wireless + routing network policy does not contain a network object using VLAN 1 with a subnetwork that has a DHCP server enabled, the clients of unregistered users will be unable to get network settings through DHCP.

WA: Because private PSK self-registration always assigns unregistered user clients to the default user profile, which puts them in VLAN 1, the network policy must also include a network object that binds a subnetwork with a DHCP server enabled to VLAN 1 so that clients assigned to that VLAN can get their network settings through DHCP.

15474 With its default configuration, an AP mesh point cannot join the hive and then connect to the network using a BR100 as its portal because the BR100 wifi0 interface is in access mode.

WA: Deploy the BR100 first and set its wifi0 interface in dual mode so that it can provide network access to users and a wireless backhaul link for HiveAPs.

15388 The BR100 cannot reassign the VLAN on its LAN ports in trunk mode, so it cannot support Ethernet phones, which typically boot up in one VLAN and then switch to another after receiving their configuration through DHCP or BOOTP.

15210 When a MAC DoS event occurs and an AP is configured to disconnect the offending station and ban it from forming future associations, the AP disassociates the station but does not ban it from reassociating.

14603 If you enable OSPF route advertisements on both the eth0 and eth1 interfaces of the CVG, traffic from hosts in the corporate site might be routed through the CVG to the public network instead of taking a different path.

WA: Only advertise routes on one interface, either eth0 or eth1.

Known Issues in HiveManager 5.0r3

16988 Changing the base URL for the HiveManager Help in the Help > Settings dialog box can affect your ability to download the Cloud VPN Gateway VMware file from Monitor > All Devices > Update > Download VA image for VPN Gateways.

16893 It is not possible to upgrade a HiveOS image if the image file name includes special characters such as these: [ ] { } & | \

16866 If you move a CVG to a new server, the MAC address of its eth0 interface changes. As a result, HiveManager can no longer recognize it as the same one and instead treats it as a new CVG.

WA: Move the CVG in such a way that the original eth0 interface MAC address does not change, or delete the existing CVG entry from HiveManager and then add the new CVG after the move is complete.

15225 For a VHM on a physical HiveManager appliance or HiveManager Virtual Appliance, it is not possible to auto provision devices by specifying their subnetworks.

WA: Use device serial numbers.

15224 HiveManager does not include user profiles that are only used for user profile reassignment but are not referenced by an SSID or LAN object when uploading a configuration to HiveAPs.

WA: Reference the user profile in an SSID or LAN object so that HiveManager will include it when uploading a configuration to its HiveAPs.

15162 Although Wi-Fi statistical reports show data at one-minute intervals accurately, they do not normalize the data for ten-minute intervals, which causes the data to appear exaggerated in the charts.

Addressed Issues

The following are addressed issues in the HiveOS and HiveManager 5.0 releases. If no entries are listed for a particular release, no known major issues were addressed in it.

Addressed Issues in HiveOS 5.0r3

16862 In 5.0r1, it was not possible to configure an AP as a DHCP server and use NAT to translate the source address of client traffic to the IP address of the mgt0 interface 5.0 when operating in wireless-only mode.

16710 When Aerohive devices sent RADIUS messages to a backup RADIUS server because the primary server was unavailable, the NAS-IP-Address attribute was included twice in Access-Request messages, which the server rejected.

16697 When a client had a DHCP lease that was greater than 24 days, the Aerohive device to which it was connected marked the client’s lease as expired and displayed a network health score of 0 although the client still had a valid lease.

16745 When ALG packet processing was enabled on an AP and it received a packet with IP options set, the extra packet length could trigger the AP to reboot.

16612 When executing an Active Directory/LDAP connectivity test, an Aerohive device always stripped the domain name from user@domain before sending the message to the LDAP server, which caused the test to fail for those LDAP servers that required the full user name.

16558 Client throughput on an SSID using 802.1X authentication was considerably lower than on one using PSK.

16494 A user could modify the text in the use policy form in a captive web portal before accepting it.

16464 Clients generating large numbers of IP sessions could cause an Aerohive device to reboot.

16351 Aerohive devices were unable to support wireless clients using supplicants such as Cisco ACU and Dell Broadcom if they specified authentication type 128 for LEAP authentication.

16288 Aligning antennas on an AP170 mesh point with the exec antenna-alignment command disrupted the mesh link.

16158 If user profile reassignment was applied to a client and it then roamed to another device, the new device would apply the SSID-assigned user profile instead of the reassigned profile.

16045 If clients sent a large number of HTTP or HTTPS requests to the mgt0 interface on an AP110 device, it could become overloaded and reboot.

15931 Older versions of ASUS Skype phones could not make wireless connections to APs.

15905 In places where cellular coverage is weak, an Aerohive router sometimes did not attempt to re-establish a dialup link due to temporary connectivity losses and network delays on its dialup connection.

15881 When the region code on a HiveAP was “world” and it was configured for outdoor mode, pushing a delta configuration to it after previously pushing a complete configuration caused some or all of the updated settings to fail.

15871 When the track IP group for WAN connectivity testing only targeted the default gateway, the BR100 sometimes did not fail over to a USB modem and fail back to the eth0 interface.

15821 APs were unable to determine the location of a client when the APs were connected over a wireless backhaul link through a router.

15753 When sending traffic through a VPN tunnel and the size of an HTTP packet returned from a web server exceeded the MTU that the CVG supported, the CVG dropped the packet because it could not send it through the tunnel to the router.

Addressed Issues in HiveManager 5.0r3

16987 When there were more than 15 managed devices, HiveManager did not always display the upload status when pushing a configuration to devices through the Configure & Update Devices panel in the guided network configuration section.

16795 When the lifetime of a private PSK user with rotating keys spanned two calendar years and the user was in a region of the Southern Hemisphere where daylight saving time occurs over the new year, the keys that HiveManager and the APs generated after the new year would become unsynchronized and the clients using them could not be authenticated.

16718 (HiveManager Online) When APs on one floor in a building had mesh links with APs on another floor, clicking the Interference check box above the topology map for one of the floors displayed the “Calculating interference map…” message but never displayed the interference map.

16560 An admin with super user privileges logged in to HiveManager using RADIUS authentication could not run reports.

16504 Because the HTTP ALG was enabled by default in HiveManager Express mode, it disrupted HTTP traffic proxied to any Websense server other than one used by the web security feature set on Aerohive routers.

16334 Aerohive devices did not recognize all Apple OUIs properly.

16160 Modifying any configuration object caused HiveManager to display a configuration audit mismatch for all devices, even those that did not make use of the modified object.

16033 The dashboard did not display accurate data in the Devices with the Most Bandwidth (Last Hour) widget.

15928 If you created a new auto provisioning profile by cloning another one, it was possible to include the same set of serial numbers in multiple profiles, which made the profile assignment by serial number unpredictable.

15921 The default APN (access point name) for both the AT&T Shockwave and Momentum modems was ISP.CINGULAR in the GUI although the APN for new AT&T data accounts established after 9/12/2011 was Broadband.

15914 If you made any changes to a LAN profile, you had to push a complete configuration update to all the routers and CVG.

15834 Barracuda and Websense whitelists erroneously appeared in the Tunnel Exception Destination List on the VPN Services page and in the Device Domain Name drop-down list in the Client Classification Policy section on the User Profiles page.

15672 A network policy could support only one private PSK server; therefore, to use Aerohive routers as private PSK servers at different remote sites, you had to assign each router to a separate network policy from the connecting HiveAPs.

15393 HiveManager was unable to upload a delta configuration to a router with changes to network objects or LAN profiles.

15178 You could configure an AP330 or AP350 as both a router and a RADIUS server; however, because you could not know what IP address HiveManager would dynamically assign it, you could not set the RADIUS server IP address on HiveAP RADIUS authenticators (AAA clients).

15132 When accessing the HiveManager GUI with a Chrome browser, it was not possible to choose the action and logging options for a rule in a network firewall policy.

P/N 330061-03, Rev. A