Active Directory connecting to Local User Database?

  • 2
  • Question
  • Updated 4 years ago
  • Answered
Is it possible for an Active Directory database to communicate with the Aerohive Local User Database (P-PSK users) so that if users from the internal Active Directory are removed, the user will also be automatically removed from the P-PSK database list? I suspect this will not be possible, but would like to see if anybody has configured for a similar scenario. Perhaps an API is available?

The hardware is Active Directory running on Windows Server 2008.
This SSID will be used for untrusted mobiles and tablet devices only with access restricted to the internet only so it will not see the Active Directory nor any file servers/printers etc.
The initial set of PPSKs will be emailed to all users on their AD list.
The customer likes the idea of having a private PSK for each staff member which does not expire (since the user does not need to change passwords on multiple devices), but they wish to avoid having to involve the extra process for IS following a staff member leaving, of removing the user from the Aerohive local user list, after manually having removed the same user from the Active Directory. Ideally they would like the PPSK user automatically removed from this list.

One solution suggested was:
If the AD was able to be accessed by the subnet allocated to this SSID then we could avoid using PPSK, and authenticate untrusted mobiles/tablets by configuring APs as RADIUS clients/servers with a connection to the AD database server. However, they also did not favour this idea because they wish to avoid having the end user enter their AD password on multiple devices, e.g. corporate laptops and then mobiles/tablets.

In addition to the above SSID for untrusted mobile devices, the customer will have two additional SSIDs:
One with full corporate domain access, i.e. to the AD, file servers, etc., with authentication handled by the APs looking for a trusted certificate on corp-issued trusted laptops, i.e. users will not be required to enter any AD password here.
The other SSID is a simple Visitor one using temporary P-PSK keys that is on an isolated subnet with internet only access.

Any idea of how similar scenarios have been solved would be much appreciated!

Thanks and regards,

Jason Hills

  • 78 Posts
  • 3 Reply Likes

Posted 5 years ago

  • 2

Ismaine Ayouaz

  • 1 Post
  • 0 Reply Likes
Please answer that question. I have the same needs.

Andrew Garcia, Official Rep

  • 368 Posts
  • 120 Reply Likes
As you anticipated, there is not a way to delete a PPSK based on deleting a user from Active Directory.  That would be a nice feature request though!

Looking at the deployment scenario you outlined above, there doesn't seem to be any behavioral or access differences between the BYOD network and the guest network.  Only the key duration seems to be different (one day vs forever).  Both could be done on the same network, no need for different SSIDs.

However, that does not solve your one-step user deletion question.

Client Management might be a good option for this particular use case.  Instead of PPSK, you could use 802.1X with Client certificates for your BYOD devices (IOS, OSX, Android, Chromebook) as well.  It sounds like you are already using an AP integrated with AD, so you would have the directory tie-in you are looking for.
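Since the thread concludes that there is no one-step deletion, the manual clean-up step can at least be driven by a report rather than memory. The following is an added example, not code from the thread or from Aerohive: it compares an exported PPSK user list against enabled AD accounts and lists the PPSK entries whose owner no longer exists or is disabled. It assumes the PPSK list has been exported from HiveManager as a CSV with a `UserName` column matching the AD sAMAccountName (the column name and export format are assumptions), and that the ActiveDirectory PowerShell module is installed.

```powershell
# Added example (not from the thread): report PPSK accounts whose owner is no
# longer an enabled AD user, so the manual removal step has a worklist.
# Assumptions: PPSK export is a CSV with a "UserName" column equal to the AD
# sAMAccountName; the ActiveDirectory module (RSAT) is available.
Import-Module ActiveDirectory

function Get-StalePpskUsers {
    param(
        [Parameter(Mandatory)] [string] $PpskCsvPath,
        [string] $SearchBase   # optional OU DN to limit the AD query
    )
    $ppsk = Import-Csv -Path $PpskCsvPath

    # Pull every enabled user once, rather than one LDAP query per PPSK entry.
    $adParams = @{ Filter = 'Enabled -eq $true' }
    if ($SearchBase) { $adParams.SearchBase = $SearchBase }
    $enabled = @{}
    Get-ADUser @adParams | ForEach-Object { $enabled[$_.SamAccountName.ToLower()] = $true }

    foreach ($entry in $ppsk) {
        if (-not $entry.UserName) { continue }          # skip blank rows in the export
        $name = $entry.UserName.Trim().ToLower()
        if (-not $enabled.ContainsKey($name)) {
            [pscustomobject]@{
                PpskUser = $entry.UserName
                Reason   = 'No enabled AD account'     # deleted or disabled in AD
            }
        }
    }
}

# Constructed sample export for a dry run; point this at the real CSV in use.
$sample = Join-Path $env:TEMP 'ppsk-users.csv'
@'
UserName,Group
jhills,BYOD
departed.user,BYOD
'@ | Set-Content -Path $sample

Get-StalePpskUsers -PpskCsvPath $sample | Format-Table -AutoSize
```

Run it on a schedule and hand the output to the person who maintains the Aerohive local user list; it only reports, it does not delete anything.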