Authenticate only users from Active Directory Group

Hi,

I have RADIUS authenticating against our AD domain to allow users to log in to our WiFi. At the moment every AD user can log in, but I want to narrow this down to only allow a specific AD group of users to log in.

I've changed the settings in Aerohive AAA Server Settings, chosen External Database > Active Directory, and selected the group I want and applied it to the user profile, but still every user in my AD domain can authenticate and login to the SSID.

What am I doing wrong?

ClassThink


Posted 5 years ago


Brian Ambler

What I usually recommend is taking a look at how you have your User Profiles configured for users authenticating against the SSID in question. If you have a group, for example "Staff", assigned to User Profile "Staff_Users", any user in that group will be placed in "Staff_Users" upon authentication. In this example, only users in the "Staff" group will have an attribute returned by the AP RADIUS server; all other users will have no attribute returned and will be placed in the "All_Users" profile.

User Profile Assignment:


Attribute Return Config for Staff Users:


To restrict which users can authenticate, I would recommend assigning all groups you wish to allow to authenticate, then assign a null VLAN for the default User Profile. This will place allowed users in a routable VLAN, but place users who are not returning an attribute in a User Profile that does not exist on the network. It is not possible to block users from authenticating if they have valid domain credentials, so the next best thing is to place them in a VLAN on which they do not receive a DHCP address or have access to any network resources. You can configure such a VLAN on your network, but it is just as easy to configure the default User Profile with a null VLAN.

User Profile Assignment:


VLAN Assignment:


Null VLAN Definition:


Attribute Return Config for Staff and Student Users:


Let me know if you have any further questions, I'd be happy to explain further if needed.

Crowdie, Champ

Just to add a bit of sneakiness to Brian's solution try the following changes:

1. Staff should be assigned to a Staff user profile by returning the Staff user profile's attribute via RADIUS.

2. Create a new user profile called "Deauth_Client" and create a schedule for it that can never be valid:



The user profile should look like:



3. In the network policy the Deauth_Client user profile should be the default user profile:



If a user authenticates but is not assigned to the Staff user profile with a RADIUS attribute then the user is placed into the Deauth_Client user profile. As the schedule assigned to the Deauth_Client user profile is never active the user will be deauthenticated, which is what I believe you wanted.

ClassThink

Thanks for both your replies. Very helpful!

I've set it up as you suggested, but I'm now having a problem where every user seems to be dropped into the NoAccess user profile.

The only thing I can think is that the users aren't being authenticated correctly. I've double checked the Aerohive AAA Server Settings and it appears to be set up correctly.



I've checked the user I'm logging in with is a member of the correct group.



What am I doing wrong?

Crowdie, Champ

A couple of comments:

1. Depending on which version of HiveManager you are using a number of attributes (normally in the 1-10 range) are reserved for HiveManager's internal use. I tend to start my attributes at 100 to avoid any of the internally reserved ones. The attribute numbers can go up to 4,095 so you shouldn't run out of attribute numbers anytime soon.



In your example you have used the attribute number 1 for the TeacherAccess user profile but this is reserved for the "Super User" administrator group.

2. The integrated FreeRADIUS server in each Aerohive access point cannot traverse the AD structure so if your AD structure is similar to:

* Staff Groups
* Staff Groups\Senior Teachers
* Staff Groups\Junior Teachers

and you want members of all three AD groups to be matched into the TeacherAccess user profile then you will need to make three rules to cover all three membership situations.

With your current single rule members of Staff Groups\Senior Teachers and Staff Groups\Junior Teachers would not be mapped to the TeacherAccess user profile.

3. If you want to test what the integrated FreeRADIUS server is responding with, try using the RADIUS Test in HiveManager (Tools -> Server Access Tests -> RADIUS Test). Set the "RADIUS Server" and "Aerohive Device RADIUS Client" to an access point that is configured as a RADIUS server and then enter a user's credentials into the "User Name or Barcode" and "Password or PIN" fields. The "Test Result" area should then display that a RADIUS Access-Accept was received and the attribute(s) returned.

ClassThink

Thanks for your reply Crowdie.

I've changed the attribute number to 100.

On the RADIUS test I get the response: RADIUS server is reachable. Get attributes from RADIUS server: None

I assume this means the required attributes are not being pulled from AD and therefore the match is failing.

What can I do to resolve this? I can't see any relevant settings in the RADIUS options to choose attributes.

Thanks

Brian Ambler

I would check what the Primary Group of these users is set to in Active Directory as memberOf does not happen on the Primary Group. As an illustration, I ran an LDAP lookup and RADIUS test on a teacher and student user in my lab. For the first test I have my Staff/Student group assigned to teacher01/student01 with the primary group set to Domain Users. For the second test I assigned Staff/Students as the Primary Group for teacher01/student01 with Domain Users as the second group. As you can see below, this directly influences how the AP RADIUS server returns attributes.

My Active Directory memberOf mapping on my AP RADIUS Server:



My memberOf mapping in Active Directory for teacher01 with Domain Users as the Primary Group:


Test #1: LDAP Lookup and RADIUS Test for teacher01 from my AP RADIUS Server:
labap#exec aaa ldap-search username teacher01
Exec-Program output:
Search user 'teacher01' under baseDN dc=mydomain,dc=net from forest mydomain successful.
filter: (userPrincipalName=teacher01@mydomain.net)
dn: CN=Teacher01,OU=Staff,OU=EduTest,DC=mydomain,DC=net
memberOf: CN=Staff,OU=Staff,OU=EduTest,DC=mydomain,DC=net

labap#exec aaa radius-test 10.4.4.80 username teacher01 password ************
RADIUS server is reachable. Get attributes from RADIUS server: User-Attribute-ID:0=100; Session-Timeout=1800;

My memberOf mapping in Active Directory for student01 with Domain Users as the Primary Group:


Test #1: LDAP Lookup and RADIUS Test for student01 from my AP RADIUS Server:
labap#exec aaa ldap-search username student01
Exec-Program output:
Search user 'student01' under baseDN dc=mydomain,dc=net from forest mydomain successful.
filter: (userPrincipalName=student01@mydomain.net)
dn: CN=Student01,OU=Students,OU=EduTest,DC=mydomain,DC=net
memberOf: CN=Students,OU=Students,OU=EduTest,DC=mydomain,DC=net

labap#exec aaa radius-test 10.4.4.80 username student01 password ************
RADIUS server is reachable. Get attributes from RADIUS server: User-Attribute-ID:0=101; Session-Timeout=1800;

From these two tests, you can see that with Domain Users as the Primary Group teacher01 and student01 are returning the proper attributes (100 and 101 respectively) which will place them in the proper User Profiles.

However, if I change the Primary Group to Staff/Students, you will notice that the LDAP Lookup is returning that the memberOf return is for Domain Users, which will return no attribute, placing teacher01 and student01 in the default, noaccess User Profile.

My memberOf mapping in Active Directory for teacher01 with Staff as the Primary Group:


Test #2: LDAP Lookup and RADIUS Test for teacher01 from my AP RADIUS Server:
labap#exec aaa ldap-search username teacher01
Exec-Program output:
Search user 'teacher01' under baseDN dc=mydomain,dc=net from forest mydomain successful.
filter: (userPrincipalName=teacher01@mydomain.net)
dn: CN=Teacher01,OU=Staff,OU=EduTest,DC=mydomain,DC=net
memberOf: CN=Domain Users,CN=Users,DC=mydomain,DC=net

labap#exec aaa radius-test 10.4.4.80 username teacher01 password ************
RADIUS server is reachable. Get attributes from RADIUS server: None

My memberOf mapping in Active Directory for student01 with Students as the Primary Group:


Test #2: LDAP Lookup and RADIUS Test for student01 from my AP RADIUS Server:
labap#exec aaa ldap-search username student01
Exec-Program output:
Search user 'student01' under baseDN dc=mydomain,dc=net from forest mydomain successful.
filter: (userPrincipalName=student01@mydomain.net)
dn: CN=Student01,OU=Students,OU=EduTest,DC=mydomain,DC=net
memberOf: CN=Domain Users,CN=Users,DC=mydomain,DC=net

labap#exec aaa radius-test 10.4.4.80 username student01 password ************
RADIUS server is reachable. Get attributes from RADIUS server: None

Hopefully this is the issue you are experiencing, but if not, let me know and we can take another approach.
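Two points from the replies above can be checked offline from the ldap-search text: Crowdie's note that the AP's FreeRADIUS does not traverse nested groups (every group needs its own rule), and Brian's note that memberOf never lists a user's Primary Group. The following is an added example, not Aerohive code and not from any poster: it parses output in the format shown above, applies a rule table of exact group DNs the way the AP's memberOf mapping does, and reports why no attribute came back. The group DNs, attribute numbers and the three sample outputs are constructed for the example.

```python
# Added example (not Aerohive's code): reproduce how the AP's memberOf mapping
# picks a User-Attribute-ID from the text that `exec aaa ldap-search` prints.
# Group DNs and attribute numbers are constructed; adjust to your directory.

# One rule per group DN. Each memberOf value is compared with each rule as a
# whole string, so a group nested under "Staff Groups" needs its own rule.
GROUP_ATTRIBUTES = {
    "CN=Staff,OU=Staff,OU=EduTest,DC=mydomain,DC=net": 100,
    "CN=Students,OU=Students,OU=EduTest,DC=mydomain,DC=net": 101,
    "CN=Staff Groups,OU=Groups,DC=mydomain,DC=net": 102,  # parent group only
}
DOMAIN_USERS_DN = "CN=Domain Users,CN=Users,DC=mydomain,DC=net"


def parse_ldap_search(output):
    """Pull the dn and every memberOf value out of ldap-search output."""
    entry = {"dn": None, "memberOf": []}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # e.g. the "Search user ... successful." status line
        key, value = key.strip(), value.strip()
        if key == "dn":
            entry["dn"] = value
        elif key == "memberOf":
            entry["memberOf"].append(value)
    return entry


def normalize_dn(dn):
    """DNs compare case-insensitively; drop spaces around RDN separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def resolve_attribute(entry, mapping=GROUP_ATTRIBUTES):
    """Return (attribute, reason). A None attribute means nothing is sent back
    in the Access-Accept and the client lands in the WLAN's default profile."""
    rules = {normalize_dn(dn): attr for dn, attr in mapping.items()}
    for group in entry["memberOf"]:
        attr = rules.get(normalize_dn(group))
        if attr is not None:
            return attr, "matched rule for " + group
    groups = {normalize_dn(g) for g in entry["memberOf"]}
    if groups == {normalize_dn(DOMAIN_USERS_DN)}:
        return None, ("no rule matched and memberOf lists only Domain Users: "
                      "the user's Primary Group is probably set to the mapped "
                      "group, and memberOf never includes the Primary Group")
    return None, ("no rule matched: if the user is in a nested group, add a "
                  "rule for that group's own DN")


# Constructed ldap-search output in the format the AP prints.
# Case 1: Primary Group is Domain Users, so Staff appears in memberOf.
# Case 2: Primary Group changed to Staff, so only Domain Users appears.
# Case 3: user is in a group nested under "Staff Groups".
TEACHER_PRIMARY_DOMAIN_USERS = """Exec-Program output:
Search user 'teacher01' under baseDN dc=mydomain,dc=net from forest mydomain successful.
filter: (userPrincipalName=teacher01@mydomain.net)
dn: CN=Teacher01,OU=Staff,OU=EduTest,DC=mydomain,DC=net
memberOf: CN=Staff,OU=Staff,OU=EduTest,DC=mydomain,DC=net
"""
TEACHER_PRIMARY_STAFF = """Exec-Program output:
Search user 'teacher01' under baseDN dc=mydomain,dc=net from forest mydomain successful.
filter: (userPrincipalName=teacher01@mydomain.net)
dn: CN=Teacher01,OU=Staff,OU=EduTest,DC=mydomain,DC=net
memberOf: CN=Domain Users,CN=Users,DC=mydomain,DC=net
"""
TEACHER_NESTED_GROUP = """Exec-Program output:
Search user 'teacher02' under baseDN dc=mydomain,dc=net from forest mydomain successful.
filter: (userPrincipalName=teacher02@mydomain.net)
dn: CN=Teacher02,OU=Staff,OU=EduTest,DC=mydomain,DC=net
memberOf: CN=Senior Teachers,OU=Groups,DC=mydomain,DC=net
"""


def check(output):
    """Run one ldap-search output through the mapping."""
    return resolve_attribute(parse_ldap_search(output))


if __name__ == "__main__":
    for name, sample in [("primary=Domain Users", TEACHER_PRIMARY_DOMAIN_USERS),
                         ("primary=Staff", TEACHER_PRIMARY_STAFF),
                         ("nested group", TEACHER_NESTED_GROUP)]:
        print(name, "->", check(sample))
```

Paste the real ldap-search text into `check()` to see which of the two failure reasons applies; when it is the Primary Group case, either set the Primary Group back to Domain Users or add the rule for whatever group memberOf does show.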

Adrian Juhl

That is a really good write-up. It is working up to a point but failing as our domain has two UPN suffixes. May I take this question one step further please?

Our AD users have an alternate UPN which is used for cloud accounts.
The Aerohive AP seems to be looking up users with their AD UPN and not the assigned 'foreign' UPN.

When I run a lookup for john with the default UPN (domain name) it works; however, when I change John's UPN to the alternate UPN (external cloud) the lookup fails.

Is there anywhere I can tell Aerohive to search without using UPNs?
The AD lookup is based on 'memberof' and all the other defaults.
Global Catalogue is ticked.

Thank you.

ClassThink

Thanks for the reply. I hope I understood all of it!

The user's primary group is Domain Users, and I'm trying to allow only members of the group "Staff Wifi".

I've run the AD/LDAP test and it correctly recognises that the user is a member of the group "Staff Wifi":

Search user '******' under baseDN dc=******,dc=local from forest ****** successful.
filter: (sAMAccountName=******)

dn: CN=******,OU=Teachers,OU=Staff,OU=BUS-Users,DC=******,DC=local

memberOf: CN=Staff Wifi,OU=WiFi Authentication,OU=BUS-Groups,DC=******,DC=local

But when I run the RADIUS test it still comes back with "RADIUS server is reachable. Get attributes from RADIUS server: None"

Adrian Juhl

Hi ClassThink,

Is the RADIUS showing up in all of your DNS as well as your AD?

ClassThink

Yes. The RADIUS is showing in DNS.

Nick Kanaef

I'm still stuck on this issue.

The documentation is different from the forums, and the forums say different from the aerohive walkthroughs and setup guides.

* I have VLANs
* I have RADIUS authentication on an SSID
* RADIUS is hosted by NPS on Server 2008.
* I want users who connect via RADIUS to be put in a certain User Profile
* The User Profile is assigned a VLAN
* This is elementary and should be a 5 minute setup, but here I am week TWO of trying to get this to work. I am very very tired of looking at the MyHive page.

Can someone put up a guide for the successful deployment of this?

I have tried many, many different setups (including trying to get the APs to be a RADIUS server) and still get this nonsense: RADIUS server is reachable. Get attributes from RADIUS server: None

GRRRRRRRRR!!!!!!!!!!!!!


Crowdie, Champ

What are the RADIUS attributes that you are returning to the wireless network? If there aren't any RADIUS attributes being passed back then the wireless client will be assigned to the default user profile for the WLAN.

The following RADIUS attributes assign the wireless client to the user profile with an attribute of 100:



From your earlier post:

But when I run the RADIUS test it still comes back with "RADIUS server is reachable. Get attributes from RADIUS server: None"

Nick Kanaef

Ok great, I'm a step closer! Thanks Crowdie. I hadn't set up any attributes on the RADIUS server.

User accounts now show the correct attribute in the RADIUS test under Tools. FYI I also added the 'Filter-ID' attribute on NPS and made it the same as the User Group attribute on HMOL just to be sure.

Going to upload the configs and test now.

Nick Kanaef

Ok here's how I deployed this from start to finish.

On Server 2008:

1. Set up RADIUS clients - matching IP address and shared secret to the Aerohive APs.

2. Create Network Policies in NPS - one Admin (and added the OU to the conditions):

3. Set RADIUS attributes : Tunnel-Medium-Type: IPv4, Tunnel-Pvt-Group-ID: 500 (which matches the User Profile for Admin) and Tunnel-type: GRE.


On Aerohive HMOL:

1. Set up SSID with WPA2 802.1X.
2. Go to Configuration > Advanced Configuration > AAA Client Settings and add your Server 2008 NPS host and shared secret.

3. Next go to Configuration > User Profiles and set up the user profiles Admin (attribute number 500, matching the NPS policy) and appropriate VLAN.



4. Add user profile to the SSID and upload configuration.



This was it.

As they say, the path to simplicity is a long and complex one....
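The mechanism behind Crowdie's "no attributes back means the default user profile" and Nick's NPS attribute list above, as an added example that is not Aerohive's, NPS's or any poster's code: it builds a small RADIUS Access-Accept carrying the Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, Filter-Id and Session-Timeout attributes, verifies the Response Authenticator against the shared secret (so a reply that did not come from the configured NPS is discarded rather than acted on), decodes the RFC 2868 tagged values, and maps Tunnel-Private-Group-ID 500 onto the Admin profile. The shared secret, request authenticator, packet identifiers, profile table and default profile name are constructed assumptions.

```python
# Added example (not Aerohive, NPS or any poster's code): build and decode a
# RADIUS Access-Accept carrying the attributes from the NPS policy above,
# verify it came from a server holding the shared secret, and map
# Tunnel-Private-Group-ID onto a User Profile. All values are constructed.
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
FILTER_ID, SESSION_TIMEOUT = 11, 27                                    # RFC 2865
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868
TUNNEL_TYPE_NAMES = {10: "GRE", 13: "VLAN"}
TUNNEL_MEDIUM_NAMES = {1: "IPv4", 6: "802"}
USER_PROFILES = {500: "Admin"}  # attribute number -> User Profile (constructed)
DEFAULT_PROFILE = "NoAccess"    # what the WLAN uses when nothing matches


def build_access_accept(ident, request_auth, secret, avps):
    """Assemble an Access-Accept from (type, raw value) pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    # RFC 2865 s3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def response_authenticator_ok(packet, request_auth, secret):
    """True only if the reply was computed with our secret for this request."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_avps(packet):
    """Walk the attribute region, rejecting lengths that do not add up."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet")
    avps, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        t, ln = packet[pos], packet[pos + 1]
        avps.append((t, packet[pos + 2:pos + ln]))
        pos += ln
    return code, ident, avps


def tagged_integer(value):
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet value."""
    return value[0], int.from_bytes(value[1:4], "big")


def tagged_string(value):
    """RFC 2868 tagged string: a leading octet <= 0x1F is a tag, otherwise data."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode("utf-8")
    return 0, value.decode("utf-8")


def decode_access_accept(packet, request_auth, secret):
    """Return the attributes the AP would act on; raise if the reply is untrustworthy."""
    if not response_authenticator_ok(packet, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    code, _ident, avps = parse_avps(packet)
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    attrs = {}
    for t, v in avps:
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            names = TUNNEL_TYPE_NAMES if t == TUNNEL_TYPE else TUNNEL_MEDIUM_NAMES
            n = tagged_integer(v)[1]
            attrs["Tunnel-Type" if t == TUNNEL_TYPE else "Tunnel-Medium-Type"] = names.get(n, n)
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            attrs["Tunnel-Private-Group-ID"] = tagged_string(v)[1]
        elif t == SESSION_TIMEOUT:
            attrs["Session-Timeout"] = struct.unpack("!I", v)[0]
        elif t == FILTER_ID:
            attrs["Filter-Id"] = v.decode("utf-8")
    return attrs


def user_profile_for(attrs, profiles=USER_PROFILES, default=DEFAULT_PROFILE):
    """No numeric group attribute means the default profile (the 'None' case in the thread)."""
    group = attrs.get("Tunnel-Private-Group-ID", "")
    return profiles.get(int(group), default) if group.isdigit() else default


# Constructed request state and two replies: one with the NPS attributes, one empty.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
SAMPLE_AVPS = [
    (TUNNEL_TYPE, b"\x00" + (10).to_bytes(3, "big")),        # tag 0, GRE
    (TUNNEL_MEDIUM_TYPE, b"\x00" + (1).to_bytes(3, "big")),  # tag 0, IPv4
    (TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"500"),             # tag 0, "500"
    (FILTER_ID, b"500"),
    (SESSION_TIMEOUT, struct.pack("!I", 1800)),
]
SAMPLE_ACCEPT = build_access_accept(7, REQUEST_AUTH, SECRET, SAMPLE_AVPS)
EMPTY_ACCEPT = build_access_accept(8, REQUEST_AUTH, SECRET, [])
```

Calling `user_profile_for(decode_access_accept(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET))` gives "Admin", while the empty reply gives "NoAccess", which is the behaviour the RADIUS Test's "Get attributes from RADIUS server: None" line corresponds to. One caveat for anyone copying the NPS settings above: standards-based dynamic VLAN assignment (RFC 3580) uses Tunnel-Type=VLAN (13) and Tunnel-Medium-Type=802 (6); the GRE/IPv4 pair shown in the post works here only because the AP is matching on Tunnel-Private-Group-ID alone.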

Victor Rodriguez

Hello!
How can we do this in HiveManager NG? I am able to create an AD join and authentication but not different profiles.

Victor Rodriguez

It works, new capability added.


Value for user Group with more than 32 characters on Groups Selected available: