AP RADIUS configuration for BR200s (Hive OS 6.x)

  • Question
  • Updated 5 years ago
  • Answered
I have an AD server located in a cable modem's subnet (in fact the server is directly connected to the modem). I'm trying to configure a BR200 as the RADIUS server for the Aerohive wireless network below the BR.

The BR obtains an IP address for the WAN interface from the cable modem's built-in DHCP server (the same subnet as the AD server). I checked the interface addresses, but the AP doesn't seem to have an IP address for the WAN interface, even when you configure it statically from HM.

This makes it difficult to configure the AP RADIUS service, as you don't actually have an interface that can communicate bidirectionally between the AP and the AD server.

Obviously, you can connect the AD server directly to the AP. However, if those AD servers need to stay on the modem's subnet for customer reasons, that might not be an option.

Has anybody seen this situation yet?

Erick Muller


Posted 5 years ago


Andrew Garcia, Official Rep

I sketched out what it sounds like your network looks like. Is this about right?

If so, I'm curious why you would want the traffic from the wireless APs to go through the BR200, instead of connecting them directly to the cable modem subnet.

Also, is your AD server also running NPS for RADIUS service (with the BR200 acting as a RADIUS proxy), or are you trying to tie the BR200 RADIUS server directly into Active Directory?

To answer your question in the RADIUS proxy scenario, the BR200 would use its MGT0 IP address as the source for any RADIUS requests to your NPS server. The BR200 NATs the MGT0 subnet behind the ETH0 WAN IP address on the BR200.

You actually can turn off NAT on the BR200 from the device settings page in HM, to make it a regular router between your cable modem subnet and the subnets behind the BR and provide a direct connection. But your cable modem would need to be configured with routes to the subnets behind the BR, if it supports that function.
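The source-address point in the reply above is where the RADIUS proxy scenario usually breaks: NPS only answers requests whose UDP source address matches a registered RADIUS client, so a request that leaves the BR200 NATed behind the ETH0 WAN address (while NPS has the MGT0 address registered) is silently dropped, and the NAS just times out. The following is an added example, not code from this thread or from Aerohive/Hive OS. It builds an RFC 2865 Access-Request, simulates the server's Access-Accept offline, and verifies the Response Authenticator, so you can see what a correct exchange looks like and what a wrong shared secret or no reply looks like. The addresses 192.0.2.10 (standing in for MGT0) and 192.0.2.1 (standing in for the NPS server), the user name, password and shared secret are all assumptions; `send_from()` is the only piece that touches the network and is not exercised by the offline demo.

```python
"""RADIUS Access-Request and reply verification per RFC 2865.

Added illustration; not Aerohive/Hive OS code. The NAS address
192.0.2.10 (standing in for the BR200's MGT0 address), the NPS address
192.0.2.1 and the shared secret are assumptions for illustration.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encrypt_password(password, secret, request_auth):
    """User-Password hiding (RFC 2865 section 5.2): pad to 16-byte blocks and
    XOR each block with MD5(secret + previous ciphertext block), seeded with
    the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def decrypt_password(cipher, secret, request_auth):
    """Inverse of encrypt_password, as the server does it; strips null padding."""
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        block = cipher[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, nas_ip, request_auth=None):
    """Code(1) Identifier(1) Length(2) RequestAuthenticator(16) Attributes.
    NAS-IP-Address is informational only: NPS matches its client entry against
    the UDP source address, so the NAS must send from an address the server has
    registered (the un-NATed MGT0 address in this thread's scenario)."""
    if request_auth is None:
        request_auth = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, encrypt_password(password, secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, request_auth, secret, attrs=b""):
    """What the server sends back; used here to simulate NPS offline."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def verify_response(response, request_auth, secret):
    """Return (code, ident) if the Response Authenticator is valid under `secret`,
    else None. A wrong secret fails here; a server with no client entry for the
    request's source address usually sends nothing at all and the NAS times out."""
    if len(response) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length < 20 or length > len(response):
        return None
    attrs = response[20:length]  # octets beyond Length are padding (RFC 2865)
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code, ident


def send_from(source_ip, server_ip, packet, request_auth, secret, timeout=3.0):
    """Live check (not run in the offline demo): bind to the intended source
    address, e.g. MGT0, so the request reaches NPS from the address it knows."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((source_ip, 0))
        sock.settimeout(timeout)
        sock.sendto(packet, (server_ip, 1812))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None  # typical symptom of an unregistered or NATed source
    return verify_response(data, request_auth, secret)


if __name__ == "__main__":
    secret = b"example-shared-secret"  # assumption
    ra = os.urandom(16)
    req = build_access_request(1, b"alice", b"hunter2", secret, "192.0.2.10", ra)
    reply = build_response(ACCESS_ACCEPT, 1, ra, secret)
    print("offline round trip:", verify_response(reply, ra, secret))
    print("wrong secret:", verify_response(reply, ra, b"other"))
```

To test the real path from the BR200's scenario, call `send_from("192.0.2.10", "192.0.2.1", req, ra, secret)` from a host that actually owns the MGT0-side address; a `None` return (timeout) with NAT enabled and a valid `(2, ident)` with NAT disabled and a route back from the modem is the difference the reply above describes.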


Erick Muller

Hi Andrew,

So sorry that I'm only answering now, but a couple of customers had terribly bad days with their networks (not with Aerohive, I should say).

First things first: yes, that's actually the topology I have in my test lab. I'm testing this because a prospect has that topology in several small offices and branches, and I want to pre-test things before I offer a PoC.

The AP is actually working as the RADIUS server so that I don't have to enable that service on the server. So yes, it is not a proxy/authenticator but the authentication server itself.

I already tested what you suggested in this response. However, I have problems making the AP talk to the server, as it appears it doesn't have an IP address on the MGT0 interface (actually, I cannot reach the AP GUI at the address I see in the DHCP lease assigned to the AP in the cable modem).

I tried disabling NAT, but unfortunately the modem doesn't allow creating static routes back to the AP.

Have you seen anything like this before?