Aerohive AP 230 refuses to be set up as a RADIUS server: AAA User Directory Settings fails every time

  • Question
  • Updated 2 years ago
AP 230 will not be set up as a RADIUS server.
Here's the setup:
  • separate subnet
  • firewall rules are open
  • IPv6 is enabled so UDP 389 can work
  • reverse DNS lookup is on the AD server
  • site is on the AD server
  • subnet is on the AD server
  • I can tracert to the AD server from the AD server and to it
  • I can ping the AD server
Will take any suggestions, as I have been having this issue for a while.
Thanks!
Spencer Bischof

Posted 2 years ago

Andrew Garcia, Official Rep

It's not clear from your description where you are having the problem. Please describe what you are trying to do in full:
- AP230 is a RADIUS server. Is it using a local database or an external database such as Active Directory?

Some tips to get you started... give the AP a static IP address. If you are joining the AP to AD for the user database, make sure you use a DNS address that works for your domain, not the default DNS servers.
Andrew Garcia, Official Rep

Make sure the AP is using your AD DNS for its DNS server. "Show dns" on the AP CLI will ensure that for you.

Also, what HiveManager version and HiveOS version are you using? I know there were some issues with mapping the directory structure in HiveOS 6.5r3 (since fixed in 6.5r3a and 6.6r2a), but it sounds like you have a different problem.

I'm a little bit confused about your IPv6 comments above. To be clear, the AP will only speak to your AD using IPv4 at this time.
Spencer Bischof

I am using the newest HiveManager, and the AD is using the proper DNS server. In Windows AD there is an issue where, if you uncheck IPv6, it will disable the ability to use UDP 389, which is one of the primary connectionless ports that Aerohive devices use.
Andrew Garcia, Official Rep

What HiveOS version are you using?
Are you using HiveManager 6.6r3a or HiveManager NG?
Brian Powers, Champ

"I am using the newest hive manager, the ad is using the proper dns server,"

Your AD server is no doubt using proper DNS, but by default your Aerohive Network Policy uses public Aerohive DNS servers (under Additional Settings and Management Server Settings). This is what Andrew is referencing.

Default DNS service profile:
208.67.222.222
208.67.220.220
Spencer Bischof

Brian - I see, thank you for clarifying, Brian, and yes, I have changed this as well to my DNS server.
Andrew - I am using HiveOS 6.6r2a Irvine.2309
Spencer Bischof

So I have not had an update on this in a while. Thoughts, anyone?
Andrew Garcia, Official Rep

Can you share a screen grab of the error message and the screen where you are encountering the issue?
Spencer Bischof

Of course, this is where I am encountering the error.
Spencer Bischof

Thoughts on this, anyone? I have not seen an update in a while.
Spencer Bischof

Thoughts on this since I sent the screen grab. :)
Andrew Garcia, Official Rep

I just tested this with an AP230 running 6.6r2a and HiveManager 6.6r3a, and it worked fine. (AP and AD are in the same subnet, FYI. IPv6 is enabled on AD, 2008R2 domain.)

- I assigned my AP a static IP address and pushed a complete config (with reboot) to ensure the static IP address is applied fully with static gateway information.
- Once the AP came back up, I used the workflow you show above. I selected my AP with static IP, changed the DNS server value listed there to be my AD server, and clicked UPDATE. This pushes the DNS value to the AP.
- Then I typed in my domain (format domain.tld) and clicked Retrieve Directory Information. This populated the Active Directory Server and BaseDN fields.
- I then input my AD credentials and joined the AP to the domain.

From the screenshot, it looks like your setup is failing at my 3rd step. The only way I have been able to generate that error message in my tests was that the AP was actually not connected to HM, as the error message indicates, either because the AP was down or because some firewall was blocking the AP's ability to talk to HM correctly. This doesn't mean there are no other reasons that error message may appear, but I have not found what those conditions are.

So, what exactly are the steps you are following? Are you changing only the DNS server, or are you also changing the IP address, gateway or netmask?
Spencer Bischof

So the only thing that I have in there is the static IP that the device has, the gateway for the device, and the DNS entry that we use on this domain.
The only difference is the AD server is not on the same subnet.

When I configure this with the AD on the same subnet, it logs in fine.
When it is on a different subnet, it fails out.
What's strange is everything can communicate from the Aerohive device to AD and back, but this will not authenticate for whatever reason.
Thoughts?
Andrew Garcia, Official Rep

OK, I tried moving my AP to a different subnet from the AD DC. Keep in mind that this is only routed between subnets. There is no NAT and no firewall between my AP subnet and DC subnet.

Following the steps above, I was still able to complete the same steps as before. Set static IP and reboot AP, select AP from drop-down and modify DNS to point to AD (and press update), lookup domain and Retrieve, join AD, verify admin account.

So, it sounds like the problem is something particular to your environment.
- Make sure port 389 is open between your AP subnet and AD subnet (no firewall blocking the port, and no NAT).
- Make sure your AP is online and operational in the AP subnet before trying the AD test. If you are switching the AP between subnets as you test, you obviously need to change the AP static IP address to work in the AP subnet before it will talk to anything.
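The checks Andrew walks through (the AP's DNS must resolve the domain via the AD DNS server, TCP 389 must be open between the AP and AD subnets, and the DC must actually answer LDAP) as a small diagnostic run from a host in the AP's subnet. This is an added example, not Aerohive code or anything from the thread; it assumes the domain name (format domain.tld) resolves to the DC addresses and goes one step beyond a port check by sending an anonymous LDAPv3 bind, which AD accepts by default, to tell "port open" apart from "LDAP answering".

```python
import socket

def resolve_ipv4(name):
    """IPv4 addresses `name` resolves to via this host's DNS (the AP talks to AD over IPv4 only)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def tcp_reachable(addr, port=389, timeout=2.0):
    """True if a TCP handshake to addr:port completes, i.e. no firewall or NAT is dropping it."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False

def build_anon_bind(msg_id=1):
    """BER-encode an LDAPv3 anonymous simple BindRequest (RFC 4511): version 3, empty DN, empty password."""
    bind_req = b"\x02\x01\x03" + b"\x04\x00" + b"\x80\x00"
    op = b"\x60" + bytes([len(bind_req)]) + bind_req          # [APPLICATION 0] BindRequest
    body = b"\x02\x01" + bytes([msg_id]) + op                 # messageID INTEGER + protocolOp
    return b"\x30" + bytes([len(body)]) + body                # outer LDAPMessage SEQUENCE

def parse_bind_result(resp):
    """resultCode of a BindResponse (0 = success), or None if `resp` is not one (one-byte BER lengths assumed)."""
    if len(resp) < 10 or resp[0] != 0x30 or resp[5] != 0x61 or resp[7] != 0x0A:
        return None
    return resp[9]

def ldap_bind_probe(addr, port=389, timeout=2.0):
    # Returns the DC's resultCode for an anonymous bind, or None on no/garbled reply.
    try:
        with socket.create_connection((addr, port), timeout=timeout) as s:
            s.sendall(build_anon_bind())
            return parse_bind_result(s.recv(64))
    except OSError:
        return None

def diagnose(domain):
    # Walk the checks in the order the thread suggests and report the first failure.
    addrs = resolve_ipv4(domain)
    if not addrs:
        return "DNS: %s does not resolve; point the AP at the AD DNS server, not the default" % domain
    open_addrs = [a for a in addrs if tcp_reachable(a)]
    if not open_addrs:
        return "TCP 389 to %s blocked; check firewall/NAT between the AP and AD subnets" % addrs
    codes = {a: ldap_bind_probe(a) for a in open_addrs}
    if any(code != 0 for code in codes.values()):
        return "port 389 open but bind failed (resultCode per DC): %s" % codes
    return "OK: anonymous LDAP bind succeeded on %s" % open_addrs
```

Run `diagnose("domain.tld")` with your own domain; a resultCode of 49 from a DC means LDAP is reachable but the bind was rejected, which points away from the network and at the directory side.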