Aerohive (Extreme Networks) APs - No Controller Needed

BlueFox

Well-Known Member
Oct 26, 2015
1,267
671
113
I found essentially no info on Aerohive products here, so I thought a new thread was befitting. Aerohive was acquired by Extreme Networks in late 2019, but their hardware really hasn't changed since. Like Meraki, Aerohive APs are generally meant to be cloud managed, but you can just SSH into them and configure them via the console. No need to flash a different firmware or the likes. I'm not sure if I'm the only one running one of these at home (I have an AP650), but I'm sure that won't be for long.

Observations on my part:

The good:​
  • 802.11ac models are dirt cheap on eBay. As of this post, an AP230 can be had for under $30 shipped
  • 802.11ax models are fraction of the price of the competition (like Ruckus)
  • Performance and range are great. Where I live, both bands are incredibly saturated (scan shows a whopping 89 APs at 2.4GHz and 51 at 5GHz), but I can still get 100MB/s+ on 802.11ac
  • Very comprehensive CLI
  • Basic setup can be done in under 60 seconds through CLI
  • Nice hardware options (redundant PoE, software defined radios permit dual 5GHz, 2.5GbE, etc)
  • Power usage well below specifications (under 10W on my AP650)

The so-so bits:​
  • CLI can be a bit overwhelming for complex configurations if you're not already well versed on setting up similar products
  • Enthusiast user-base is currently tiny, so limited info available
  • There is apparently still a free cloud managed option that I've never used. See: ExtremeCloud IQ

The bad:​
  • Support? I wouldn't count on it without a contract
  • Downloads are pay-walled (but see below)

Basic setup:

Default username: admin
Default password: aerohive

First thing you will want to do is ensure you're running HiveOS 10.0.r4 or later (see below for updating firmware) since it adds more functionality (like DFS, but model dependent). You can either do the initial network configuration through SSH/serial console or the web UI. I'm going to assume you have DHCP on your network and can figure out what IP the AP grabs. If you want to set a static one through the web UI, navigate to the IP, login, and set it there (all self explanatory).

Next, disable the cloud functionality:
no capwap client enable

Set a new admin password:
admin root-admin admin password [password]

After that, wireless configuration goes through the following flow:
  1. Create radio profile(s)
  2. Create security object
  3. Create SSID
  4. Assign security object to SSID
  5. Assign radio profile(s) to interface(s)
  6. Assign SSID to interface(s)
In my personal setup, which is on an AP650 that has 2 radios, it looks like the following:
radio profile [radioprofile1]
radio profile [radioprofile1] phymode 11ax-2g - Sets the profile to 802.11ax in the 2.4GHz band (still retains backwards compatibility)
radio profile [radioprofile1] short-guard-interval - 400ns guard interval helps with performance
radio profile [radioprofile1] band-steering enable - This helps distribute the load between 2.4GHz and 5GHz bands
radio profile [radioprofile1] weak-snr-suppress enable - Ignore clients with bad signal to noise ratios
radio profile [radioprofile1] band-steering mode prefer-5g - Force clients to 5GHz if possible
radio profile [radioprofile2]
radio profile [radioprofile2] phymode 11ax-5g - Sets the profile to 802.11ax in the 5GHz band (still retains backwards compatibility)
radio profile [radioprofile2] dfs - Enables dynamic frequency selection, which helps with crowding
radio profile [radioprofile2] channel-width 160 - Enable 160MHz channel width for maximum throughput
radio profile [radioprofile2] short-guard-interval
security-object [objectname]
security-object [objectname] security protocol-suite wpa2-aes-psk ascii-key [password] - You could set this to WPA3 if you want
ssid [ssidname]
ssid [ssidname] security-object [objectname]
interface wifi0 radio profile [radioprofile1]
interface wifi1 radio profile [radioprofile2]
interface wifi0 ssid [ssidname] - Same SSID broadcasts on both bands. You could set up multiple if you want, but with band steering, I didn't see a point
interface wifi1 ssid [ssidname]

Other things I've done:
no system led power-saving-mode - Bright LEDs are annoying
system led brightness off
dns server-ip [ipaddress]
ntp server [ipaddress]
clock time-zone [GMToffset]
console timeout 0

My complete configuration, which you can copy/paste if you want:
Code:
radio profile [radioprofile1]
radio profile [radioprofile1] phymode 11ax-2g
radio profile [radioprofile1] short-guard-interval
radio profile [radioprofile1] band-steering enable
radio profile [radioprofile1] weak-snr-suppress enable
radio profile [radioprofile1] band-steering mode prefer-5g
radio profile [radioprofile2]
radio profile [radioprofile2] phymode 11ax-5g
radio profile [radioprofile2] dfs
radio profile [radioprofile2] channel-width 160
radio profile [radioprofile2] short-guard-interval
security-object [objectname]
security-object [objectname] security protocol-suite wpa2-aes-psk ascii-key [password]
ssid [ssidname]
ssid [ssidname] security-object [objectname]
interface wifi0 radio profile [radioprofile1]
interface wifi1 radio profile [radioprofile2]
interface wifi0 ssid [ssidname]
interface wifi1 ssid [ssidname]
no system led power-saving-mode
system led brightness off
admin root-admin admin password [password]
dns server-ip [ipaddress]
ntp server [ipaddress]
clock time-zone [GMToffset]
console timeout 0
no capwap client enable
Don't forget to save your configuration after you're done or else it won't be applied upon reboot.


Guest VLANs:

Create another security object and SSID. You will then need to create user profiles for each of the SSIDs to specify which VLAN they need to access:
user-profile [profilename] qos-policy [policyname] vlan-id [vlan #] attribute [attribute #]

Then assign the profiles to the security objects:
security-object [objectname] default-user-profile-attr [attribute #]

Finally don't forget to also assign the SSIDs to the interfaces (each can have multiple).


Roaming with multiple APs:

For this, you create a hive (hence Aerohive), and then tell the APs which radio and interface to use for communication between them. 5GHz radio is preferred since you have more than 3 usable channels.
hive [hivename]
hive [hivename] password [password]
interface [wireless interface] radio channel [channel #]
interface mgt0 hive [hivename]


More complex setups:

You're best off referring to the official CLI guide: https://docs.aerohive.com/330000/do...ation/cli_guide_ap630_ap650_ap650x-10-0r5.htm


Upgrading firmware:

Firmware upgrades are handled through the web UI. It's pretty self explanatory as you just upload the file and hit start. The trouble is of course locating the files if you don't have a contract. I'm not sure if it's appropriate to post copies of the firmware publicly since they're pay-walled, but I'm happy to provide them to anyone that wants a copy. I have the following on hand, and if you're going to purchase an AP, I would recommend sticking to one of these are they are current models:
  • AP122
  • AP130
  • AP150W
  • AP230
  • AP250
  • AP510C
  • AP550
  • AP650
  • AP1130

Wrapping up:

I think that about covers things? I've been using my AP650 for a few months now and have been quite pleased with it. I regrettably have no first hand experience with other models, so hopefully others can share that here. Please let me know if you have any suggestions for improvements or things I may have omitted.
 
Last edited:

wifiholic

New Member
Mar 27, 2018
8
7
3
34
Thanks for putting this guide together! I switched out my UniFi wireless gear at home for a pair of Extreme AP410C APs a couple of weeks ago because I wanted to dogfood equipment that I'm now starting to use professionally, and the experience has been largely positive so far.

AP Comparison

In addition to my AP410Cs, courtesy of my employer I've gotten to bring home and test an Extreme AP305C and a lightly rebranded Aerohive AP650 (it has an E on the front face but still says Aerohive on the back).

The Extreme AP510C and Aerohive AP650 appear to be almost identical, with a band-selectable 2.4 or 5 GHz 4x4:4 radio and a second 4x4:4 5 GHz radio. The Extreme AP410C's band-selectable radio is only 2x2:2, but its 5 GHz-only radio is 4x4:4, and it has a sensor radio that really only works if you have a paid ExtremeCloud IQ subscription, which includes an entitlement for their "AirDefense Essentials" WIPS solution. The AP410C and AP650 showed very similar single-client throughput on 5 GHz in my testing.

While I'll grant that I don't have an ideal isolated test environment, the Extreme AP305C performed well with direct line of sight within 10 feet, but faltered when the client moved into the next room through a wide open door, using a DFS channel with negligible interference. I had higher hopes for the AP305C, but unfortunately that wasn't borne out in test results compared to the AP410C and AP650 / AP510C.

Extreme Model Numbering Scheme

Looking for an Aerohive / Extreme AP can be complicated by the fact that besides their Aerohive-based APs, Extreme also still sells WiNG APs from their Motorola / Zebra acquisition, and has also sold IdentiFi and Avaya APs as well. For any APs that came out since the Aerohive acquisition, if the part number ends in a C or CX, that means Aerohive or Aerohive with external antenna connectors (e.g. AP410C, AP305CX). If the part number ends in i or e (e.g. AP410i, AP310e), that's a WiNG-based AP with internal or external antennas, respectively.

Mounting Brackets

Check the AP's data sheet to confirm, but as far as I'm aware, the WiFi 6 APs use the same style of mounting bracket. The bracket that is included in the box with the AP410C and AP650 is intended to snap onto the T-bar of the kind of drop ceiling where the ceiling tiles are flush with the surface of the T-bar. The included brackets do not work well with drop ceilings where the tiles have beveled edges that leave the T-bars in a recessed position (Extreme sells a separate bracket for this ceiling style, as well as other types of ceilings found in commercial construction).

The included brackets have two holes that can be used with drywall anchors to affix the bracket to a flat surface. If you want to mount your AP to a junction box, as I needed to do with one of mine, you'll probably want to order the ACC-BKT-AX-JB bracket for that purpose.

Cloud Management

The ExtremeCloud management portal has a free tier (Connect) and a paid tier (Pilot). You can sign up for the free tier from the beginning and use it perpetually. If you sign up for a trial of the paid tier, you will not be able to convert your account to the free tier later, so when it expires, you'll need to remove your APs from the expired account and create a different free account to onboard them there.

Several notable limitations of the free (Connect) tier are that it does not include:
  • Private Pre-Shared Keys (multiple PSKs on one SSID with different user profiles)
  • Cloud-hosted RADIUS (you can still use WPA/EAP with local RADIUS for free, but dynamic user profile / VLAN assignment based on RADIUS attributes is restricted to the paid tier)
  • WEP (but nobody should be using this anyway)
  • WIPS ("AirDefense")
  • Data retention longer than 30 days
  • Advanced analytics
While firmware updates are paywalled on Extreme's site, the free tier of ExtremeCloud IQ will let you update firmware on onboarded APs without a support contract, so that is one benefit of using the cloud if you can live with the missing features.

Thanks again for sharing that detailed CLI guide and other info!
 
Last edited:

gabb

New Member
Jan 17, 2021
2
0
1
it's nice to find other AH users here. I too have been using these for the past 3+ years. Started with 3 AP230s then replaced them with 3x AP250
I initially disabled the cloud mgmt but after a while decided it's just easier with the free tier described above by wifiholic

I've had all great experience with these APs with one exception - about a year ago after a fw upgrade the AP would come up, respond to a few ping packets then reboot. With the serial console connected, I discovered that the AP would reboot after turning on the radios and adjusting (turning up) their power. Eventually it turned out to be that my cisco WS-C3750G-24PS would max out the power on the port where the AP was plugged in and reset the port. ALL this after a fw upgrade. I had then since switched to aruba s2500 that doesn't have this problem...
 

ilporcupine

New Member
Oct 12, 2020
9
0
1
@BlueFox
I have a AP230 coming from ebay. Trying to figure this stuff out, meanwhile.
In your initial post, you refer to a "web UI". Do you mean the cloud portal? Or is there a webservice on the device? (Not finding anything in the user guide, or hardware guide, or the CLI "reference".)

I'm a little confused. The documentation seems to say the SSH is disabled on factory device, so it seemed after rereading
many times, that you would have to use console serial port to enable it, in order to reach the SSH. Can you clarify?
Can I SSH into the device from Ethernet port, from factory restore?
Do you have to register a cloud management account, and onboard the devices to update firmware?

Can you explain to my thick mind, just how to get into the device, again, slowly:) I'm not a IT guy, just a tinkerer...
 
Last edited:

BlueFox

Well-Known Member
Oct 26, 2015
1,267
671
113
The APs run a basic web server, from which you can set some networking info and upgrade the firmware, which is what I refer to when I mean the web UI. Hit the device's IP in your web browser and you'll see.

As for SSH, at least on my AP650, it's enabled by default from the factory. You can use the serial port too, but I didn't have to.

In order to update the firmware, you can use the aforementioned web UI, where you just browse to a firmware image on your PC and upload it. No cloud registration required.
 

ilporcupine

New Member
Oct 12, 2020
9
0
1
@BlueFox
Thanks! That clears that up!
Documentation on these is scattered all over the old site and the Extreme site, and is not at all clear.
I guess I just need to wait 'til I have it in hand, and mess about with it....
I am used to consumer level AP's and routers, which all have Web interface. Docs on Extreme/Aero are pushing the cloud management thing, and everything else is only referred in a paragraph or two, until you happen upon the CLI manual.
I appreciate the clarification! I am still seeking docs which explain how all the "moving parts" work, but your post and a couple others have been very helpful.
Does registering the "connect" free management tier get access to the updates? I hate "cloud" stuff, but might be worth it in that case, if only temporary registration (like anything is temporary on the 'net).
Otherwise, you offered the update files on your post. How to get that? PM you an email addy? Or is there a way in the PM system?( I read forum, but have not used the amenities)
 

BlueFox

Well-Known Member
Oct 26, 2015
1,267
671
113
While I've not personally tried it, the free tier does apparently give you the ability to upgrade the firmware through it. If you want a copy from me, PM me and I'll get you what you need.
 

wifiholic

New Member
Mar 27, 2018
8
7
3
34
Does registering the "connect" free management tier get access to the updates? I hate "cloud" stuff, but might be worth it in that case, if only temporary registration (like anything is temporary on the 'net).
The free tier does enable registered APs to be updated. It is still possible to configure APs using their built-in CLI while they're managed by the cloud service; you'll see an error that the configuration between the cloud and the AP is out of sync, but as long as you don't push the configuration to the APs, it shouldn't get overwritten automatically.
 

ilporcupine

New Member
Oct 12, 2020
9
0
1
The free tier does enable registered APs to be updated. It is still possible to configure APs using their built-in CLI while they're managed by the cloud service; you'll see an error that the configuration between the cloud and the AP is out of sync, but as long as you don't push the configuration to the APs, it shouldn't get overwritten automatically.
Hey, Thanks. These are the kind of things that should be on the first page of the manual! Now I just gotta sit on my hands until they get it shipped!
 

mneleventhirty

New Member
Jan 31, 2021
2
0
1
Thanks for this thread. I have an AP550 I was able to source for a good price, but it didn't come with a wall/ceiling bracket or power. I tried to find the bracket on ebay but no luck. I was able to source one from Provantage for $11 shipped in case someone is looking for one, part number is AH-ACC-BKT-AC-WALL. Fits 130/230/250/550 and couple of others as well. I was also able to get a brand new 30 W Aerohive injector from ebay for $20, these regularly sell for $100. Yay depreciation.
Just to report on the performance, my 2 story 2500 sq ft house was covered by a single Linksys Velop AC1200 wifi router placed centrally and was getting great coverage and speeds throughout the house. I had two of these that I planned to use with wired backhaul, but found out that one router was sufficient, besides I did not want to deal with client roaming if I didn't have to, also I want to be a responsible WiFi citizen and not pollute the spectrum.
So I was curious about Aerohive and the possibility of using used enterprise gear and messing with CLI etc. appealed to me. Started out looking for a Ruckus 610 or 710, but the prices are ridiculous on ebay. So I got the AP550 and added it to ExtremeCloud Connect and upgraded to latest HiveOS. I had great expectations from this 4x4 AP, but lets just say I was underwhelmed, even at full power settings on 5Ghz which I suppose is what the consumer router is set at. I had to lower the 2.4Ghz power to almost half, so that devices would not jump off of the 5Ghz band. The 5Ghz band would start out strong but would decline after some time. I wouldn't attribute it to channel interference as I had my Linksys Velop on the same channel before and the wifi analyzer did not show any issues. Maybe a unit with bad 5 Ghz RF, I am not sure or a different use case maybe.
 
Last edited:

BlueFox

Well-Known Member
Oct 26, 2015
1,267
671
113
I noticed the same thing and also reduced the power output on the 2.4GHz radio to 12dBm since clients were reverting to it even with band steering and OS set to prefer 5GHz. Seems at any given distance, 5GHz propagation is worse, so the 2.4GHz signal is always stronger (with equal output power). Commands for reference:

interface [wireless interface] radio power 12
interface [wireless interface] radio tx-power-control 12


Guess this isn't a problem if you're running dual 5GHz, but I still have a few older devices that are 2.4GHz only. Even with this quirk, my AP650 was still a fraction of the price of the competition, so no complaints.
 

mneleventhirty

New Member
Jan 31, 2021
2
0
1
I noticed the same thing and also reduced the power output on the 2.4GHz radio to 12dBm since clients were reverting to it even with band steering and OS set to prefer 5GHz. Seems at any given distance, 5GHz propagation is worse, so the 2.4GHz signal is always stronger (with equal output power). Commands for reference:

interface [wireless interface] radio power 12
interface [wireless interface] radio tx-power-control 12


Guess this isn't a problem if you're running dual 5GHz, but I still have a few older devices that are 2.4GHz only. Even with this quirk, my AP650 was still a fraction of the price of the competition, so no complaints.
I had 2.4 Ghz set at 12 as well and 5 Ghz slightly higher at about 15 first and then against my better judgement tried full power at 20 as well. All my 5 Ghz devices would connect fine but then would move to 2.4 Ghz after some time, even the stationary ones and sure enough the wifi strength would show somewhere in the lower -70s. I would try to check the spectrum for any changes in the channel, but nothing would show up. It's as if the power would diminish over a couple of hours. I have a couple of 2.4 Ghz smart devices and 2 Rokus, so can't forgo 2.4 Ghz and with two of us working from home and 1 virtual learning, I did not want to roll the dice. So for now the 550 has been set aside. I may sound vain, but I was so much into the Stealth bomber look and for the price, I was rooting for it. Will try to mess with it a bit more during spring break.
 

BlueFox

Well-Known Member
Oct 26, 2015
1,267
671
113
I haven't touched my 5GHz radio's power. It seems to be considerably higher by default:

Freq(Chan)=5220Mhz(44); EIRP power=26.01dBm(17dBm + 6.00dBi + 3.01dBi); Diversity=disabled;

Here's the 2.4GHz one after the change:

Freq(Chan)=2462Mhz(11); EIRP power=16.50*dBm(12dBm + 4.50dBi + 0.00dBi); Diversity=disabled;

Here's what my devices look like:

Code:
Ifname=wifi0.1, Ifindex=19, SSID=Aerohive:
Mac Addr       IP Addr         Chan Tx Rate Rx Rate Pow(SNR)         A-Mode   Cipher  A-Time  VLAN Auth UPID Phymode LDPC Tx-STBC Rx-STBC    SM-PS Chan-width   MU-MIMO Release Station-State
-------------- --------------- ---- ------- ------- -------- -------------- -------- -------- ---- ---- ---- ------- ---- ------- ------- -------- ---------- --------- ------- -------------
0000:0000:0000 0.0.0.0           11      0M      0M  -74(20)       wpa2-psk aes ccmp 00:00:31    1  Yes    0    11ng   No    No     Yes     static    20MHz          No      No data collecting...
0000:0000:0000 10.10.11.112      11     65M     52M  -55(39)       wpa2-psk aes ccmp 154:50:40    1  Yes    0    11ng   No    No      No     static    20MHz          No      No High Retries

Ifname=wifi1.2, Ifindex=21, SSID=Aerohive:
Mac Addr       IP Addr         Chan Tx Rate Rx Rate Pow(SNR)         A-Mode   Cipher  A-Time  VLAN Auth UPID Phymode LDPC Tx-STBC Rx-STBC    SM-PS Chan-width   MU-MIMO Release Station-State
-------------- --------------- ---- ------- ------- -------- -------------- -------- -------- ---- ---- ---- ------- ---- ------- ------- -------- ---------- --------- ------- -------------
0000:0000:0000 10.10.11.101      44  866.7M      6M  -45(45)       wpa2-psk aes ccmp 01:01:01    1  Yes    0    11ac  Yes   Yes     Yes     static    80MHz         Yes      No Good
0000:0000:0000 10.10.11.103      44 1733.3M   1560M  -49(41)       wpa2-psk aes ccmp 04:40:42    1  Yes    0    11ac  Yes   Yes     Yes     static   160MHz          No      No Good
0000:0000:0000 10.10.11.144      44    780M      6M  -51(39)       wpa2-psk aes ccmp 28:01:31    1  Yes    0    11ac  Yes   Yes     Yes     static    80MHz         Yes      No Good
 

ilporcupine

New Member
Oct 12, 2020
9
0
1
@BlueFox @wifiholic
Thank you for your help! My AP230 is up and running and seems stable. I did sign up for the free tier cloud thingy, to initially set it up, but then I could SSH into it. Got it updated to latest firmware.
A question--- What do you use to get a readout of signal strength, etc. like in above post? Software or special analyzer equipment?
 

BlueFox

Well-Known Member
Oct 26, 2015
1,267
671
113
They can all be obtained from the CLI:

show interface [wireless interface]
show station
 

Originalus

New Member
Dec 22, 2020
4
0
1
Interested in ap650. Do these have web ui or only cli (ssh)?
Not the fan of cloud.
 
Last edited:

femi

New Member
Apr 13, 2021
3
0
1
Hello,
i have 27 AP-650 from Motorola, can you tell me how to access the CLI?
I found 4 pins on the circuit board, but my usb to serial adapter does not work.
I also tried to connect by SSH, but i don´t know the Password.
Please excuse my bad English, i am from Germany
 

gabb

New Member
Jan 17, 2021
2
0
1
Hello,
i have 27 AP-650 from Motorola, can you tell me how to access the CLI?
I found 4 pins on the circuit board, but my usb to serial adapter does not work.
I also tried to connect by SSH, but i don´t know the Password.
Please excuse my bad English, i am from Germany
you can reset the settings to default, then use ssh with user/password from above (top of this thread)
 

BlueFox

Well-Known Member
Oct 26, 2015
1,267
671
113
Have you tried the factory defaults?

Default username: admin
Default password: aerohive

There is a serial port on the side that uses an 8P8C connector (similar to Cisco) that will provide access to the CLI, but it will also require the password.

If you are fine with doing a factory reset and do not need to keep the current settings, you can press and hold the reset button on the side of the unit with a paperclip.

If you don't want to do a factory reset and the default password doesn't work, I don't think there's a way to get in unfortunately.