Active Directory Problems

  • Question
  • Updated 3 years ago
I wish I had a better handle on what exactly is happening in order to explain this better. Currently, I've set up a network with RADIUS authentication in a sort of hybrid manner. I'm hoping this isn't the cause, but I have three attribute groups set up: two on user groups roughly relating to Students and Staff, and a third on a group containing computer accounts.

All in all, this works, except for one glaring problem: no attributes are ever passed. For some strange reason, everyone can log into the RADIUS-enabled Wi-Fi, but they are all dumped into the same default profile, because the RADIUS server never passes an attribute. The computer accounts all work fine and are given the right profile somehow.

I did a test AD lookup as well, and for some reason it fails on almost every single user (except a few domain admin accounts). It tells me no such user exists.

I'm not sure why the AD lookup claims no user exists while the RADIUS server still allows them to log on, but I imagine that this all links to the fact that the RADIUS server doesn't give any attributes. Any insight would be appreciated.
Brandyn Baryski

Posted 3 years ago
Brandyn Baryski

For anyone who might have the same problem in the future: after spending an hour with technical support, we have tracked down the root cause.

It turns out that the Aerohive RADIUS server does not really support a multiple-domain setup. Our Base DN and the domain associated with most of our users are actually different. This is more of an Office 365 setting than anything, but it means that the RADIUS server cannot read most of the users (anyone with an Office 365 account, which is most everyone). Currently, I am trying to find confirmation of whether this is a permanent issue or something that may be fixed one day.
Gary Babin

Brandyn,

If you move RADIUS off the Aerohive and onto an Active Directory server, it may allow you to fix this (as long as there is a trust between the domains).

Gary
Brandyn Baryski

I could certainly try to move the RADIUS server. Although, I don't really know how to create a trust between the two. It isn't as though we have two domains fully configured, just two names for the same domain.

And, after several minutes of trying to find the wording I needed, I stumbled upon it by accident. Note: there are not two domains; we simply have an alternate UPN set up. Most users use the alternate UPN, as it is a requirement for our Office 365 Active Directory integration. I can't imagine any trust is required in this setup.
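The condition Brandyn describes, a single domain whose users log on with a UPN suffix that differs from the domain's DNS name, can be confirmed from any domain-joined Windows host before blaming the RADIUS server. The PowerShell below is an added diagnostic, not code from the thread or from Aerohive. It assumes the RSAT ActiveDirectory module is installed, and the user name `jdoe@students.example.edu` is a hypothetical placeholder; substitute one of the accounts that fails the AD lookup. The two lookups in step 2 model the two ways a RADIUS server might resolve the supplied logon name; which one Aerohive actually used is not stated on the page and is an assumption.

```powershell
# Added diagnostic for the alternate-UPN-suffix case (not from the original thread).
# Requires the RSAT ActiveDirectory module on a domain-joined Windows host.
Import-Module ActiveDirectory

$forest       = Get-ADForest
$domain       = Get-ADDomain
$alternateUpn = 'jdoe@students.example.edu'   # hypothetical logon name using an alternate suffix

# 1. What the forest knows about UPN suffixes. If the suffix the users type
#    is in this list but differs from DNSRoot, that is the mismatch in the post.
"Domain DNS root    : $($domain.DNSRoot)"
"Default base DN    : $($domain.DistinguishedName)"
"Extra UPN suffixes : $($forest.UPNSuffixes -join ', ')"

# 2. Resolve the same logon name two ways (assumption: a RADIUS server does one
#    of these). sAMAccountName never carries a suffix, so a lookup that treats
#    'jdoe@students.example.edu' as a sAMAccountName finds nothing, while a
#    lookup on userPrincipalName finds the account and its group memberships.
$bySam = Get-ADUser -LDAPFilter "(sAMAccountName=$alternateUpn)" `
                    -SearchBase $domain.DistinguishedName
$byUpn = Get-ADUser -LDAPFilter "(userPrincipalName=$alternateUpn)" `
                    -SearchBase $domain.DistinguishedName -Properties memberOf

"Lookup by sAMAccountName   : $(if ($bySam) { 'found' } else { 'no such user' })"
"Lookup by userPrincipalName: $(if ($byUpn) { 'found, sAMAccountName=' + $byUpn.SamAccountName } else { 'no such user' })"

# 3. Size of the affected population: enabled users whose UPN suffix is not the
#    domain's own DNS name. These are the accounts that would land in the
#    default profile if the RADIUS server cannot resolve them.
$mismatched = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
    Where-Object {
        $_.UserPrincipalName -and
        ($_.UserPrincipalName.Split('@')[1] -ne $domain.DNSRoot)
    }
"Enabled users with a non-default UPN suffix: $(@($mismatched).Count)"

# 4. If the profile mapping keys on group membership, confirm the account
#    resolved by UPN is really in the Students/Staff group you mapped.
if ($byUpn) { $byUpn.memberOf }
```

If step 2 shows "no such user" for the sAMAccountName lookup and "found" for the userPrincipalName lookup, the accounts are fine and the problem is purely how the RADIUS server builds its directory query. A domain-joined Windows RADIUS server, as suggested in the next reply, validates the UPN against the domain itself rather than by a base-DN-scoped LDAP search, which is why it is unaffected by alternate suffixes.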
Gary Babin

Thanks for that clarification, but even so, I suspect your problems will be solved by using Windows RADIUS. Look at it this way: if logging on to a domain-joined Windows workstation works with either name, then authenticating to a domain-joined RADIUS server should work too. It may involve a bit more in the way of certificate configuration.

Although I have not seen your particular situation, I recall evaluating the use of Aerohive for RADIUS. There are limitations to this arrangement, and you have likely discovered one of them.