Aerohive GuestManager

Overview:

Aerohive's GuestManager, offered as part of a complete Aerohive guest access solution, provides powerful guest management delegation that combines security with ease-of-use features. In combination with HiveAPs, GuestManager enables any authorized employee (e.g. lobby ambassador) to create an account via an intuitive Web interface, ensuring that guests can get the access they need while the network remains secure.

Aerohive Networks GuestManager is a guest account management and authentication server that completes Aerohive’s robust and secure guest access solution. In combination with HiveAPs, the GuestManager enables guest users to be simply and securely authorized for access to a guest network. Aerohive GuestManager makes it simple for authorized employees to create guest accounts while keeping the guest network secure by authenticating and reporting on all guest users.

GuestManager is a central resource in the network that acts as a RADIUS server for guest access. Authorized employees access an intuitive web interface to register guest accounts. Guests then use the credentials provided to authenticate through the captive web portal on a HiveAP to access the Internet. Additionally, different types of guests such as contractors, consultants, and visitors can be placed on separate networks with different policies.

GuestManager, which is delivered as either a hardened network appliance or as part of HiveManager, acts as a RADIUS server ensuring authentication and reporting on all guest users. Different user types – such as contractors, consultants, or visitors – can be placed on different networks with access policies tailored to suit their requirements.

Role-Based Administration of Guests
GuestManager, in conjunction with the overall Aerohive solution, enables granular management of different types of guest roles, while the HiveAPs can enforce different security, QoS, or segmentation requirements based upon roles communicated to them from GuestManager. This enables, for example, contractors to get extended access to a network and a visitor to get access for only a few hours. This functionality also enables contractors to get access to different network resources, while visitors may be allowed to access only the Internet. These two types of guests both authenticate using the same SSID and web portal interface but have different policies applied based upon their user credentials.

GuestManager and the Aerohive Guest Access Solution
In order to enable guest access to a corporate network securely with the least operational effort, an entire guest solution must be in place. The chart below shows the key requirements and how Aerohive provides a complete solution.

Problem	The Aerohive Solution
Segment guest traffic from secure corporate traffic	Aerohive enables segmentation through a rich identity-based policy engine. Based upon user identity, guests can be put on a separate VLAN or be tunneled to the DMZ to ensure that guest and employee traffic does not mix.
Apply QoS and security policies to guest users as they join the network	Aerohive can apply complete access policy at the HiveAP including time-of-day and day-of-week access, firewall, DoS prevention, and QoS policies based on the identity or role of the guest.
Quickly and easily create unique guest credentials	GuestManager makes it simple for authorized employees to create and distribute guest credentials and instructions for joining the network.
User-friendly authentication and authorization process	As guests log into a guest SSID, they are presented with a login page on a captive web portal hosted on the HiveAP. The users' credentials are passed via RADIUS to GuestManager where they are authenticated and authorized for access to the guest network.

Features and Benefits:

Role-Based Administration of Guests
GuestManager, in conjunction with the overall Aerohive solution, enables granular management of different types of guest roles, while the HiveAPs can enforce different security, QoS, or segmentation requirements based upon roles communicated to them from GuestManager. This enables, for example, contractors to get extended access to a network and a visitor to get access for only a few hours. This functionality also enables contractors to get access to different network resources, while visitors may be allowed to access only the Internet. These two types of guests both authenticate using the same SSID and web portal interface but have different policies applied based upon their user credentials.

A Complete Guest Access Solution
In order to enable guest access to a corporate network securely with the least operational effort, an entire guest solution must be in place. The chart below shows the key requirements and how Aerohive provides a complete solution.

Account Creation & Management
GuestManager also provides flexible guest account management, allowing guest access and accounts to be audited, canceled, or tracked. The creation of guest accounts enables an enterprise to set up a system that matches the security and operational goals of the enterprise.

Here are a few examples of guest account registration available in GuestManager:

• Lobby ambassador registration enables receptionists or security personnel to provide access to the network as guests enter the building
• Employee registration enables any employee to create guest accounts. GuestManager integrates with Active Directory to enable employee access to GuestManager based on group policy.
• Self-registration enables guests touse a kiosk in the lobby or secure area to create their own accounts. This presumes physical access in order to get network access.
• Bulk account registration enables conference or training organizers to create large numbers of user credentials easily.

Distributing Credentials
The simple distribution of unique guest credentials is one of the key operational benefits of GuestManager. Credentials can be randomly generated or specified during registration to provide a unique login identity for the guest. Once the user credentials are created, the credentials can be emailed or printed out on letter-sized paper or a label printer along with instructions on how to access the network.

Centralized Authentication
GuestManager runs on RADIUS so it can be used to authenticate guests on wired portals as well as wireless portals and enables an entire multi-site enterprise to use a single instance or regionalized instance of the platform to cover an entire company or just one part of it.

Delivered as an Appliance
GuestManager is delivered as an appliance to ease deployment and maintenance of guest services. The GuestManager appliance has been "hardened" or secured against malicious attack and vulnerabilities are fixed as the system is upgraded.

Deployment:

Specifications:

GuestManager
Device Specifications
Form factor	1U rack-mountable device
Chassis dimensions	16 13/16" W x 1 3/4" H x 15 13/16" D (42.7 cm W x 4.4 cm H x 40.2 cm D)
Weight	13.75 lb. (6.24 kg)
Serial port	Male DB-9 RS-232 port (bits per second: 9600, data bits: 8, parity: none, stop bits: 1, flow control: none)
USB port	Standard Type A USB 2.0 port
Ethernet ports	MGT and LAN – autosensing 10/100/1000Base-T
Power Specifications
ATX autoswitching power supply with PFC	Input: 100 – 240 VAC Output: 250 watts
Power supply cord	Standard three conductor SVT 18AWG cord with an NEMA5-15P threeprong male plug and three-pin socket
Environmental Specification
Operating Temperature	32 to 140°F (0 to 40°C)
Storage Temperature	-4 to 176°F (-20 to 80°C)
Relative Humidity	10% – 90% (noncondensing)

Screenshots:

Documentation:

Aerohive GuestManager Datasheet (.PDF)