AP as Radius server

  • Question
  • Updated 5 years ago
  • Answered
I have set up an AP121 as a RADIUS server connected to an LDAP local server. How do I let the other APs (in the same Hive) know to direct Authentication traffic to the designated AP handling the RADIUS AAA? Is a Proxy required for this?
Currently any clients who are not in range of the designated RADIUS AP are unable to Authenticate as the AP they connect to cannot pass on the Authentication traffic.

Jason Hills


Posted 5 years ago


Glenn De Haes

Hi Jason.

Did you configure the radius client settings?
Configuration > Show Nav > Advanced Configuration > Authentication > AAA Client Settings > New
This indicates for the AP who is the RADIUS server it should send EAP messages to.

A proxy is a RADIUS server itself which you would use in your case if there was an external RADIUS next to your AP121 RADIUS so that you can first have a look in the local (AP) RADIUS server and then forward it to the external one.

Hope this helps.

Best regards

Glenn

Jason Hills

Thanks Glenn.
In AAA Client Settings I configured one AP as the Primary Server and have been able to use the RADIUS Test Tool successfully, but only with this AP as the client.

Nicolas D

Hi,

Here are some complements to Glenn's answer.

In order for an AP to be allowed to ask the RADIUS server, this AP has to be defined in the "NAS settings" section of your "AAA server" object.
You can set the specific IP address of the AP or the whole subnet in which it is.

You can test the configuration directly on the HiveManager from the "Tools" tab > "Server Access Tests" > "RADIUS test".
If the AP is not allowed to communicate with the RADIUS server, you should have the following result: There is no configuration on the HiveAP for the specified RADIUS server

Hope this helps

Regards

Nicolas
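
An added example, not part of the original thread and not Aerohive code: a small Python audit of the NAS list described in the answer above. It assumes the NAS entries and the AP management IPs have been copied out as plain strings; the function name and all addresses are constructed for illustration.

```python
import ipaddress


def audit_nas_list(nas_entries, ap_addresses):
    """Compare a RADIUS server's NAS (client) list with the APs that must use it.

    nas_entries:  strings, each a single IP address or a CIDR subnet.
    ap_addresses: management IPs of the APs in the hive.
    Returns (uncovered, surplus): APs matching no NAS entry, and for each
    entry the number of addresses it admits that are not known APs.
    """
    networks = [ipaddress.ip_network(e, strict=False) for e in nas_entries]
    aps = [ipaddress.ip_address(a) for a in ap_addresses]

    # An AP that matches no entry is not an allowed RADIUS client.
    uncovered = [str(ap) for ap in aps if not any(ap in n for n in networks)]

    surplus = {}
    for entry, net in zip(nas_entries, networks):
        known = sum(1 for ap in aps if ap in net)
        # IPv4 subnets wider than /31 reserve network and broadcast addresses.
        if net.version == 4 and net.prefixlen < 31:
            usable = net.num_addresses - 2
        else:
            usable = net.num_addresses
        surplus[entry] = usable - known
    return uncovered, surplus


if __name__ == "__main__":
    # Constructed sample: three APs, 10.1.1.10 is the one running RADIUS.
    aps = ["10.1.1.10", "10.1.1.11", "10.1.1.12"]
    # NAS list containing only the RADIUS AP itself.
    print(audit_nas_list(["10.1.1.10"], aps))
    # NAS list containing the whole subnet instead.
    print(audit_nas_list(["10.1.1.0/24"], aps))
```

A subnet entry covers every AP at once, but the surplus count shows how many other addresses would also be accepted as RADIUS clients if they present the shared secret; listing individual AP addresses keeps that number at zero.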

Jason Hills

This is the part I was missing. Excellent.

I only had one AP specified in the NAS/RADIUS Clients list (the same AP which functions as the RADIUS/LDAP authentication).

Now that I have added all the remaining APs to this list, the RADIUS Test Tool now confirms the RADIUS server is reachable when an 'ordinary' AP is selected as the client. Previously it said "The RADIUS server rejected the Access Request message."

I will test this as soon as I'm on site, with client devices.

Next task is to select another AP as a Backup RADIUS server.

Thanks again.

Jason Hills

Presume it is better to select the APs which are used the least as RADIUS Servers. Or in the scheme of things, is the Authentication traffic minimal anyway?

Nicolas D

From what I experienced, the authentication traffic is not really impacting.

Amanda

One quick thing to add - this exact scenario is covered in our training class for the AAWC (topic 6).

Aerohive Advanced WLAN Configuration (AAWC)