Aerohive WIN2012 NPS as RADIUS for wifi clients

  • Question
  • Updated 3 years ago
I have been reading a lot of documentation and posts about NPS as RADIUS. I cannot connect any Mac or PC computers; however, I did some tests and it looks like the RADIUS client is talking to the NPS.

RADIUS server is reachable. Get attributes from RADIUS server: User-Attribute-ID:0=10;

I have to admit that I don't use any certificates. 

MST


Posted 3 years ago


Nick Lowe, Official Rep

HiveOS is acting as a RADIUS client when it talks to NPS. It looks like you are configuring in the wrong area. Why are you configuring a RADIUS proxy?

(You probably do not want to configure a RADIUS proxy in your environment unless you are specifically attempting to work around a RADIUS client limit in NPS under the Standard editions of Windows Server <= 2008 R2. You mention in your question title that you are using Server 2012 where this limit does not apply for the Standard edition.)

Can you first check that you are only configuring things so that the APs are RADIUS clients... and, if things don't work out, then describe your environment and your configuration in quite a bit more detail so that we can try to help you.

How have you configured NPS, for example?

J. Goodnough, Champ

Nick, in my experience you DO want to configure a RADIUS proxy because you need to specifically authorize each RADIUS client to talk to the RADIUS server, and with even a small deployment that gets out of hand quickly. Have I missed a significant detail?

Nick Lowe, Official Rep

Eh??? :P

You can configure NPS by range: https://technet.microsoft.com/en-us/library/cc731824%28v=ws.10%29.aspx

You can configure FreeRADIUS by range.

You can configure Radiator by range.

Which RADIUS server are you using!? :P

What I was trying to say is that you should not make the core service of RADIUS for your access layer equipment dependent on other bits of access layer equipment. (Your APs and your switches.)

I am not against RADIUS proxies in principle. There are cases where they are necessary and serve a completely legitimate purpose. I am against adding unnecessary links in the chain.

Scalability is a big one: if the proxy is something like an AP, it can easily drop packets under sporadic load conditions that max out the much smaller CPU in such devices. Such load can be transient, come from many sources in access layer equipment and causes availability/reliability issues if and when this happens.

You also get availability issues if you need to reboot the access layer equipment that is acting as a RADIUS proxy.

APs also tend to be far less physically secure and can easily get unplugged etc.

J. Goodnough, Champ

[facepalming intensifies]

somehow I missed in NPS 2012 that you can configure clients by range

good thing summer is coming up and I can rebuild that configuration, jeez

Nick Lowe, Official Rep

To be fair, the user interface in NPS is not great. You need to know from the docs that it can do IP ranges. It's not discoverable.

MST

Hi Nick, thank you for replying. In regards to the RADIUS proxy, it was already there: when Aerohive did the demo they set it up to use Active Directory credentials and assigned one access point as the RADIUS server. We don't use that configuration since our goal was to use NPS RADIUS. I was trying to remove it but it complains that it is in use:

"The removal failed because "Aerohive_Proxy" is still in use by another configuration item. Please disassociate references to this item from other configuration items before removing it."

Here is our NPS server configuration: 

Like I mentioned before, I did not get to the certificates step, so none of them is used on the NPS server.

NPS RADIUS will be used by the Aerohive infrastructure to use Active Directory credentials for teachers, students, and faculty. I have to add that I will be connecting non-domain devices (laptops, iPads, Chromebooks, etc.). I assume NPS does not have to be installed on the AD server, since NPS is a separate server.

Thank You,

Nick Lowe, Official Rep

I would make your Connection Request Policy look more like:

I would make your Network Policy look more like:

If you want to apply a user profile, use the Filter-Id attribute to achieve this. I can link you to the documentation for this if you want it.

I cannot see what attributes you are returning to the APs, as the list is truncated in the screenshot.

MST

Yes, please provide the documentation. I probably should describe my environment and requirements. All school devices that use wifi consist of: mostly Apple laptops, iPads, iPhones and Chromebooks, and most of them use local accounts. We have AD set up and would like to use it for students, teachers and school staff as security for wifi. We have decided to use NPS as RADIUS since it looks like this is the most secure way. It's probably not the easy way (maybe you can advise something easier), but since we have NPS set up and running we can probably stay with this scenario. In regards to the certificate, can we use the one that is issued by Aerohive HM?

MST

I have sent attachments in the email and am attaching them here.

I used the tool for checking the RADIUS server and now I have:

The RADIUS server rejected the Access Request message. Check the submitted user name and password.

Nick Lowe, Official Rep

Hi,

Remember the tool only checks for RADIUS server availability, it is not acting as your clients will.

That tool will use plain PAP, CHAP or CHAPv2.

Your clients will be using something like PEAP with CHAPv2, which is an entirely different means of authentication. (It's a TLS-based EAP type.)

If you want the tool to succeed, you ought to have a separate Connection Request Policy that allows CHAPv2, and disable it when you are finished testing.

As far as what attributes to return to HiveOS in the Access-Accept that is sent, see the following:

https://community.aerohive.com/aerohive/topics/what_radius_attributes_can_i_configure_in_hivemanager...

and

https://community.aerohive.com/aerohive/topics/radius-nps-server-configurations

Nick

MST

After tweaking the network policy & connection request:

my RADIUS test looks like:

my 802.1X SSID and default VLAN is set to 1:

when I try to use an Apple MacBook Pro I get:

the authentication server is unresponsive .....

Nick Lowe, Official Rep

Do you have a separate Connection Request Policy configured with PEAP too (with MS-CHAP-v2 configured as the inner EAP)? That's the EAP type that your MacBook Pro will be using - not PAP or CHAP or CHAPv2.

MST

The only question is whether my Mac will still connect without any certificates set up on the NPS server if the network policy is set to EAP?

Nick Lowe, Official Rep

There's no way to limit current connections yet, but things should be coming to improve on that in the not too distant future.

Nick Lowe, Official Rep

There's a bug in the forum software and I can't remove the duplicate post it put in when I edited the old one. I meant concurrent, not current.

MST

No worries, I have noticed that. Thank you for all the help you provide. I will start testing Tunnel-Type set to VLAN, Tunnel-Medium-Type set to 802, using the Tunnel-Private-Group-Id as the actual VLAN id, then setting the user profile via the Filter-Id attribute. I think this simple scenario is achieved and complete. Now it's time for more complex settings and tying school users to school-owned devices vs. non-school-owned devices.
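An added example, not from the thread and not Aerohive's or Microsoft's code, showing on the wire what the two previous posts talk about: the PAP Access-Request that an availability-check tool sends (which is why it needs its own Connection Request Policy and is not what a PEAP client does), and the Access-Accept carrying Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-Id and Filter-Id, with the RFC 2865 Response Authenticator check the AP performs. The shared secret, user name, password, NAS address, VLAN id and Filter-Id value are all constructed for the example.

```python
"""Minimal RFC 2865/2868 RADIUS encoder/decoder (constructed example, stdlib only)."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
# Attribute types from RFC 2865 (1, 2, 4, 11) and RFC 2868 (64, 65, 81).
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID = 1, 2, 4, 11
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def avp(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; the length byte counts its own two header bytes."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(attr_type: int, value: int, tag: int = 1) -> bytes:
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte big-endian value."""
    return avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_string(attr_type: int, value: str, tag: int = 1) -> bytes:
    return avp(attr_type, bytes([tag]) + value.encode())


def pap_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: XOR each 16-byte block with MD5(secret + previous block).
    This is keyed only by the shared secret, which is why PAP is acceptable for a
    reachability test but not for real wifi clients (those use PEAP, a TLS-based EAP)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_password_reveal(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of pap_password, as the server (or anyone holding the secret) recovers it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def access_request(secret, ident, user, password, nas_ip, authenticator=None):
    """PAP Access-Request as a RADIUS test tool would send it."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator, fresh per request
    body = (avp(USER_NAME, user.encode())
            + avp(USER_PASSWORD, pap_password(secret, authenticator, password.encode()))
            + avp(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def access_accept(secret, request, vlan_id, filter_id):
    """Access-Accept carrying the VLAN and user-profile attributes discussed in the thread."""
    body = (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id))
            + avp(FILTER_ID, filter_id.encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length + RequestAuthenticator + Attributes + Secret)
    resp_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + resp_auth + body


def verify_response(secret, request, response) -> bool:
    """Client-side check that the reply was produced by a server holding the shared secret."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attrs(pkt: bytes) -> dict:
    attrs, i = {}, 20
    while i < len(pkt):
        if i + 2 > len(pkt):
            raise ValueError("truncated attribute header")
        t, length = pkt[i], pkt[i + 1]
        if length < 2 or i + length > len(pkt):
            raise ValueError("malformed attribute length")
        attrs.setdefault(t, []).append(pkt[i + 2:i + length])
        i += length
    return attrs


def decode_vlan(accept: bytes):
    """Return (vlan_id, filter_id) if the Accept carries a well-formed 802.1Q VLAN assignment."""
    attrs = parse_attrs(accept)
    tunnel_type = int.from_bytes(attrs[TUNNEL_TYPE][0][1:], "big")
    medium = int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE][0][1:], "big")
    group = attrs[TUNNEL_PRIVATE_GROUP_ID][0]
    if group and group[0] <= 0x1F:  # RFC 2868: a leading byte <= 0x1F is a tag, not data
        group = group[1:]
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802:
        raise ValueError("not a VLAN assignment")
    return int(group.decode()), attrs[FILTER_ID][0].decode()


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed value, not a real secret
    req = access_request(secret, 7, "student1", "Passw0rd!", "10.0.0.5")
    acc = access_accept(secret, req, 20, "Students")
    print(verify_response(secret, req, acc), decode_vlan(acc))
```

Two things worth noticing when running it: the password in the Access-Request is recoverable by anyone who knows the shared secret, and the Response Authenticator is the only thing telling the AP the Accept is genuine, so a wrong or weak secret on either side breaks both.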

MST

Like I mentioned previously, we are a school with hundreds of different types of devices. Basically we have teachers, students, administration employees, and guests (for guests it's a separate topic). As far as I read the forums on how to divide equipment into "school owned" and "non school owned": we are using JSS Casper, and at least school devices like iPods and MacBook Pros are enrolled in Casper. School iPods and laptops are enrolled by students and teachers. However, they are both allowed to bring their own devices and connect to our network. I would not give them the same network resources; as best practice, I would place school and non-school devices in different VLANs.

I know I should avoid using MAC-based technology since this is not secure. All school-owned laptops and iPods are already enrolled in Casper and this step is done. Can I use Casper and Aerohive to distinguish both types of iPods and laptops used by teachers and students:
1. school owned
2. non school owned.

Another problem would be that teachers and students can use iPhones with their Active Directory credentials, but I think I can use client classification and assign them to yet another separate VLAN.

Lastly I will be dealing with the Android problem, since these can again be used by both teachers and students on private cell phones, and the school uses Chromebooks as school-owned devices. I am not trying to worry about students bringing their own Chromebooks from home and using school logins to get onto the school wifi based on 802.1X.

So now it's time for user distribution based on "school" vs. "non school" devices: a big topic.

Thank you