Aerohive Migrated Content

Expand all | Collapse all

lan port security

  • 1.  lan port security

    Posted 11-28-2018 04:03

    Is there a way to lock the lan trunk ports through an external firewall to just Aerohive traffic. We have students unplugging APs and using private routers or laptops with hotspots



  • 2.  RE: lan port security

    Posted 11-28-2018 20:16

    We don't have a way to set MAC auth for AP ports, however we do have a community user who built a physical security bracket for his AP to help with this kind of problem, you might want to check out what he did- https://thehivecommunity.aerohive.com/s/question/0D50c00006G0OsiCAF/physical-security-for-ap-130-ethernet-reset-and-console



  • 3.  RE: lan port security

    Posted 11-29-2018 10:55

    You can realize 802.1x authentication with Aerohive Accesspoints. But this only works on physical interfaces. If you have an Authentication Server(i use freeradius) you can setup your Switch to handle the Authentication to change the port from Access to trunk. We have Cisco Switches and they work really well(look Cisco NEAT). Only the option for 802.1x in the GUI HM NG still missing. You have to do a supplemental CLI for enabling this feature on Aerohive Accesspoint.

    Best regards



  • 4.  RE: lan port security

    Posted 12-03-2018 01:00

    so you have 802.1x without using aerohive switches? the documentation lists using their SR switches



  • 5.  RE: lan port security

    Posted 12-03-2018 06:53

    Yes I have Aerohive access point and the switch technology is Cisco (Catalyst 3850).

    If you also use Cisco technology, I can recommend Cisco NEAT. In order to realize this one only needs a freeradius which delivers a corresponding attribute with successful authentication, in the case of Cisco the Cisco AVPair would be Cisco-AVPair = "device-traffic-class=switch" (vendor specific attribute). Of course, the switches also need a configuration to exchange with the radius. On the Aerohive side you currently need a supplemental CLI. There you can specify your authentication method with the command "supplicant".