Aerohive integration with Packetfence

Updated 2 years ago

Hi,
We are attempting to install PacketFence in our environment that uses Aerohive access points.
Actually we want to use its Captive Portal and RADIUS (802.1x) features. We still can't properly integrate it with Aerohive by following the administrator guide here:
http://www.packetfence.org/downloads/PacketFence/doc/PacketFence_Network_Devices_Configuration_Guide...

Based on the PF documentation, Aerohive APs and controllers are supported:
http://www.packetfence.org/about/supported_switches_and_aps.html

Can anyone from Aerohive read the admin guide above and explain if it is really possible to integrate with Aerohive?

I am new to Aerohive and just learning, so any help would be appreciated.

thanks,
Michael
dee 2

Posted 3 years ago

Stefan van der Wal, Champ

Hi Michael,

First off: yes, it's completely possible to use PacketFence with Aerohive, but their manual is outdated. I really wanted to do this a year ago but never got round to it. Let me see if I can spin something up here and walk you through the configuration. Please be advised it might take me a day or two if anything unexpected pops up.

Edit: What type of 802.1x authentication will you be using?

Cheers,

Stefan

dee 2

Hi Stefan,

Any good news?
Please help me... I need this up ASAP, our customers are waiting.

Thanks,
Michael

dee 2

Hi Stefan,

You've made my day!
Your reply makes me so happy.....
I've been really frustrated for a week trying to integrate this thing, not knowing the guide is completely outdated. Finally got someone to help me...
Btw, I really love Aerohive!

Edit :
Stefan, this is regarding the "type of 802.1x authentication" you were asking about.

EAP | EAP-TLS | EAP-MS-CHAP v2 ?

Any type can be used as long as it is supported by both Aerohive and PacketFence.

:)
Thanks,
Michael

Stefan van der Wal, Champ

Hi Michael,

Sorry, had no time to test yesterday, but I did get everything spun up properly. Today I'll continue working on the system, so I probably should have an answer by the end of the day. Otherwise I'll at least have an update. As an extra I've also got some outstanding questions with people that have done this successfully many times before, but the problem is that it's nearing Christmas and everybody decided to take a week off.

Will get back to you asap

Stefan van der Wal, Champ

Right, I got it working. Could you tell me what your configuration wishes are? Which types of users you have, which SSIDs, etc. I'll write a short tutorial on configuring this from the Aerohive side including screenshots etc.

Thanks,

Stefan 

dee 2

Thanks a lot guys....
You all are really very helpful.

Cheers,
Michael

Stefan van der Wal, Champ

Aerohive configuration with PacketFence

This document describes how to configure Aerohive Networks APs to work with the PacketFence RADIUS and Captive Web Portal. This document will only deal with the Aerohive side of the configuration and works under the following assumptions:

  • APs have been defined in PacketFence.
  • PacketFence is receiving SNMP traps to support roaming.
  • The RADIUS server is configured to return attributes based on roles.

Configuring an open[1] network with PacketFence CWP that authenticates on RADIUS.

First a network policy is needed under which the SSIDs and User Profiles will be defined. In this scenario we will only be using wireless access.

After clicking ‘Create’, click on ‘Choose’ next to SSIDs and click on ‘New’. Here we will define an SSID profile with, among other things, the authentication. In this case we will choose ‘open’ since we will be authenticating to an external Captive Web Portal (CWP).

When the configuration looks like the screen above, press ‘Save’.

Next the Captive Web Portal needs to be defined: press the ‘Captive Web Portal’ link and press ‘New’. After naming it, select ‘External Authentication’ as the registration type, click on ‘Captive Web Portal Login Page Settings’ to define the authentication method (PAP, CHAP, MS-CHAP V2) and the login URL, and set ‘Password Encryption’ to ‘No Encryption’.

After that open ‘Optional Advanced Configuration’. Open ‘Walled Garden’ and create a new rule for the PacketFence Captive Web Portal. It’s possible to override the VLAN ID during registration here, but in this example we will be using the VLAN ID we define in the default user profile.

When the page looks something like this, press ‘Save’.

Now we need to configure the RADIUS server: click ‘RADIUS Settings’ and click ‘New’. Here you define the PacketFence RADIUS server IP address/domain name and the shared secret. After that press ‘Apply’, open ‘Optional Settings’ and make sure to tick the ‘Permit Dynamic Change of Authorization Messages’ box, as it is needed for PacketFence.

When the configuration resembles the above screen, press ‘Save’.

Now it’s time to define the User Profiles; these should reflect the roles defined in PacketFence. In this instance we will define two: a default profile and one authentication profile for ‘Users’. Click on ‘Add/Remove’ and notice how the ‘Default’ tab is selected on the left. Click ‘New’, name the user profile and assign an attribute number and VLAN to it.

As the default user profile is used during registration, make sure it can reach PacketFence. Since the default profile is used for nothing but enrollment, it should be limited in bandwidth. The rest of the configuration is optional.

When complete press ‘Save’ and verify that the profile you just created is selected. Then select the ‘Authentication’ tab. User profiles under the Authentication tab will be assigned when a RADIUS attribute is returned. Click on ‘New’ and name the profile. In this profile the ‘Attribute Number’ needs to correspond with the categories defined in PacketFence. That way, when PacketFence authenticates and returns the RADIUS attribute number, Aerohive will know which user profile to apply, and it will allow for multiple user profiles under one SSID. Define the user profile for the users and press ‘Save’.

Make sure that both the default and authentication profiles are selected and press ‘Save’. Now your configuration should look something like this.

When this is done, press ‘Continue’ and push the configuration to the access points; make sure to use a complete configuration update. When the reboot is complete the configuration is ready to be tested.

[1] Open is an unsafe method since clients will be left open to man-in-the-middle attacks. It might be advisable to define a static WPA2 key as an initial security method.



Stefan van der Wal, Champ

Right, above is a configuration based on using CWP authentication with RADIUS at the backend. I'll tweak the rest of the configuration document based on what I've read in the PacketFence manual and upload the document later this week. Also, since I don't currently have the hardware at my disposal to test this fully (holiday and all) I'm not sure if it fully works. If not, just let me know what part doesn't work and I'll help troubleshoot.

Cheers,

Stefan

dee 2

Hi Stefan,

Great...really appreciate your support.
I will test it out and let you know the results.

Happy Holiday!

Regards,
Michael

Brenton Briggs

Stefan,

Is it possible to get the above walkthrough published as a KB article or other more shareable document? It's a great guide, but a little frustrating to share this link and then say to someone, "Yeah, just ctrl+F for such and such, then you'll see it".

dee 2

Hi Stefan,

I'm still not able to make this succeed.
I'm able to see the CWP, but after providing the correct credentials it will not change the VLAN... I'm still stuck inside the Registration VLAN.

Can you share your PacketFence settings as well? I want to work out what I have done wrong.

Thanks,
Michael

Fabrice

Hi,
the documentation above is based on the external captive portal, not on VLAN change.
It means that by default you are already in the production VLAN, but your status on the Aerohive is to be forwarded to the portal. Once you register, PF will change your role.
By the way, use the "AeroHIVE AP with web auth" switch module in PacketFence.
Regards
Fabrice

dee 2

Hi Fabrice,

This is my PF config.
Need your help to verify which part is wrong:

So, based on my PF settings above, these are my Aerohive settings:

Is it correct?


Thanks,
Michael

Fabrice

Hi Michael,
I never tried the external captive portal (I know it works), so let's try VLAN enforcement.
So use the "AeroHIVE AP" switch module (also set v2c as the SNMP version) and in the Aerohive config, instead of "Enable Captive Web Portal", use "Enable Mac Authentication".
Then when you try to connect, PF will return VLAN ID 2 (reg VLAN); you will hit the portal and register, then PF will send a CoA (UDP port 3799) to ask the Aerohive to disassociate the device so that there is a new RADIUS request, and based on the device role PF will return the production VLAN.
Also take a look at the log files (/usr/local/pf/logs) radius.log and packetfence.log; they are very useful to know what happens.
Regards
Fabrice
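The VLAN-enforcement flow Fabrice describes rests on two RADIUS messages: an Access-Accept carrying the VLAN in tunnel attributes (registration VLAN 2 first, the role's production VLAN after registration) and a CoA/Disconnect-Request on UDP 3799 that makes the client re-authenticate. The Python below is an added example, not code from this thread, from PacketFence or from Aerohive; it encodes both messages per RFC 2868 and RFC 5176 and shows the request-authenticator check an AP must apply before honouring a CoA. The shared secret and client MAC are constructed sample values.

```python
import hashlib
import hmac
import struct

# RADIUS codes (RFC 2865 / RFC 5176) and attribute types (RFC 2865 / RFC 2868)
ACCESS_ACCEPT, DISCONNECT_REQUEST = 2, 40
CALLING_STATION_ID, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 31, 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

def avp(attr_type, value):
    """Encode one attribute: Type (1 byte), Length (1 byte), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def vlan_attributes(vlan_id, tag=0):
    """Tunnel attributes (tag byte + value) telling the AP which VLAN to use."""
    return (avp(TUNNEL_TYPE, bytes([tag]) + struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])
            + avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + struct.pack("!I", TUNNEL_MEDIUM_IEEE802)[1:])
            + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))

def radius_packet(code, ident, attrs, secret, request_auth=None):
    """Code+ID+Length+Authenticator+Attributes. A response signs over the request's
    authenticator; a Disconnect/CoA-Request signs over 16 zero bytes (RFC 5176 2.3)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    seed = request_auth if request_auth is not None else bytes(16)
    return header + hashlib.md5(header + seed + attrs + secret).digest() + attrs

def access_accept_vlan(vlan_id, secret, request_auth, ident=1):
    """NAC reply after MAC auth: VLAN 2 (registration) first, production VLAN later."""
    return radius_packet(ACCESS_ACCEPT, ident, vlan_attributes(vlan_id), secret, request_auth)

def disconnect_request(client_mac, secret, ident=1):
    """Disconnect-Request sent to the AP on UDP 3799 so the client re-authenticates."""
    return radius_packet(DISCONNECT_REQUEST, ident, avp(CALLING_STATION_ID, client_mac), secret)

def verify_request_authenticator(packet, secret):
    """AP-side check: only honour a CoA/Disconnect-Request signed with the shared secret."""
    length = struct.unpack("!BBH", packet[:4])[2]
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:length] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def vlan_from_accept(packet):
    """Return the VLAN id carried in Tunnel-Private-Group-ID, or None if absent."""
    pos, vlan = 20, None
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            vlan = int(packet[pos + 3:pos + length])  # skip the 1-byte tag
        pos += length
    return vlan
```

The same authenticator rule is why the ‘Permit Dynamic Change of Authorization Messages’ box in the tutorial above only works when the shared secret matches on both sides: a CoA signed with the wrong secret fails verification and is silently dropped by the AP.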

Stefan van der Wal, Champ

Great to hear it works; the CWP was my fault. I gathered from your earlier remarks that you were set on using the CWP from PF in your configuration, which would force an external CWP configuration on the Aerohive side. It also means that I'm going to spend some time with that functionality to see if I can get it to work.

Thanks for an interesting question and happy holidays!

dee 2

Hi Stefan,
Thanks a lot for providing the initial idea for me to configure the Aerohive.
It was my fault... At first I thought I must configure the CWP in Aerohive to make the PF CWP appear, but PF works differently. :)

I have one more question regarding AP roaming.
Just want to verify which settings need to be configured in both Aerohive and PF for roaming support?

Thanks!

Stefan van der Wal, Champ

Hi Michael,

From what I understand there are two ways to make roaming happen without a hitch on Aerohive when using PF. One is to tweak the Ageout and Update Interval of the roaming cache. The other is using SNMP traps to tell PF that a client has roamed. I guess this all depends on the size of the installation. How many APs/clients will you have on this platform and how much will it grow in the future?

Cheers,

Stefan

Fabrice

Hi Guys,

Good to hear that it works ;-)
Just some remarks about the previous discussion.

Use SNMP v2c; I think Aerohive sends SNMP v2 traps and not v1.
Deauth method should be blank, but RADIUS is the default one.
User profiles can be used if you select role by switch role (i.e. https://github.com/inverse-inc/packetfence/blob/devel/docs/PacketFence_Network_Devices_Configuration...)

For the roaming support we use the ahConnectionChangeEvent SNMP trap to detect that the device moved from one access point to another. The issue I have sometimes is that you can only configure SNMP traps to an IP address but you can't define what sort of trap. So for 10 APs it doesn't really matter, but for 1000... so if there is another solution it would be cool.

Also you can use the CWP in Aerohive; the workflow is different from VLAN enforcement, but the goal is to never change the VLAN of the device (to prevent the iPhone issue, for example). So if you want you can try to use the 'AeroHIVE AP with web auth' switch module; with this config it will only use the default VLAN of the SSID, but depending on the status of the device it will or will not be redirected to the captive portal.

Last point: can I use the previous config and screenshots for the PF network documentation (I have to remove the user profile and translate the PF screenshots to English)?

Regards
Fabrice

dee 2

Hi Guys,

Sorry for the late reply.
Fabrice, yes you can use the screenshots. :) Hope this will also help other people.

Stefan,
I have no idea how it will grow in the future, but we plan to implement this at multiple sites with HiveAP.
E.g.:
1 site with 5 APs

Regarding the SNMP trap, can you verify if this is correct:

PF IP: 192.168.0.50

Aerohive AP IP: 192.168.0.77

On the PF side, I have configured it to use v2c for both the Read/Write and Trap settings.

This is on the Aerohive side:



Thanks,
Michael

Gary Ossewaarde

I know this was awhile ago, but I'm curious about something you said about roaming. You said:
From what I understand there's two ways to make roaming happen without a hitch on Aerohive when using PF. One is to tweak the Ageout and Update Interval of the roaming cache. The other is using SNMP traps to tell PF that a client has roamed. I guess this is all depending on the size of the installation. How many AP's/Clients will you have on this platform and how much will it grow in the future?

So my question is, what way is roaming tweaked? I currently have both Roaming Cache Update Interval and Roaming Cache Ageout set to 60 seconds. Should it be higher? Lower?

The problem I'm trying to solve is that people connect and register, but never get put on to the registered clients VLAN; they're stuck in the old one. PacketFence sees and acknowledges this is wrong, but the AP leaves them in the old VLAN.

Fabrice Durand

Sorry for the late reply. In fact we changed the way roaming is done between PacketFence and the access point. Before we used SNMP traps, and now we use RADIUS accounting data to know where the device is connected.

Houssem Haddad

Hi, can I find someone who can help me to activate the captive portal and configure PacketFence? Thanks