Authentication and authorization profiles/policies

  • Question
  • Updated 1 year ago

How do I create different authentication/authorization policies in the Aerohive NG Platform?

I am just relating it to Cisco ISE, where we create different authentication and authorization policies as per the requirement.


Anil Singh

  • 12 Posts
  • 0 Reply Likes

Posted 1 year ago


Gary Smith, Official Rep

  • 299 Posts
  • 61 Reply Likes
Hi Anil,

Your question is wide open, so it's hard to give a specific response. Please start here:

Let us know if there is something more specific that you need.

Kind Regards,
Gary Smith

Dianne Dunlap

  • 75 Posts
  • 15 Reply Likes
It sounds like you want to do VLAN assignment through RADIUS:

Crowdie, Champ

  • 972 Posts
  • 272 Reply Likes
In HiveManager/HiveManager NG, create a user profile for each user type (domain device, BYOD, guest, etc.). When you create each user profile you will need to assign it a unique attribute number. Record each user profile's attribute number, as you will need these when you configure the authorization policies in Identity Services Engine.

For people not too familiar with Aerohive wireless, a user profile is just a container in which the settings (firewall rules, QoS settings, etc.) to be applied to users in that user profile are defined. This concept is not unique: Aruba calls these "roles", but if you come from a Cisco background, who were extremely late to the party, it may be new to you.

Create your Authentication Profile in Identity Services Engine as you normally would. In the Authorization Policy, configure the conditions as normal, with the result including the following RADIUS attributes:

  • IETF 64 (Tunnel-Type) = GRE
  • IETF 65 (Tunnel-Medium-Type) = IP
  • IETF 81 (Tunnel-Private-Group-ID) = The attribute number of the user profile (domain device, BYOD, guest, etc.) the authenticating device should be assigned to.
When the Aerohive access point receives the RADIUS Access-Accept response with the above RADIUS attributes, it will place the wireless client into the user profile whose attribute number matches the Tunnel-Private-Group-ID returned. If there is no matching user profile, an alarm will be recorded against the access point.

Remember that with Aerohive each access point can forward RADIUS requests, so either configure some access points as RADIUS proxies (like a Cisco WLC) or add each of the Aerohive access points as a network device in Identity Services Engine.
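The flow described in the answer above, as an added example that is not part of the original post or of any Aerohive or Cisco software: a constructed authorization rule table stands in for the ISE policy, the three RFC 2868 tunnel attributes are encoded exactly as they would sit in an Access-Accept (each carries a leading tag octet, which is why a Tunnel-Private-Group-ID of "2" is a 4-octet attribute), and the access-point side decodes them and maps the Tunnel-Private-Group-ID to a HiveManager user profile or raises an alarm. The profile names, attribute numbers (1, 2, 3) and identity-group names are assumptions for the example; only the "no matching user profile, alarm on the AP" outcome comes from the post, the other checks are the example's own.

```python
import struct

# RFC 2868 tunnel attribute types and the values named in the post.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_GRE = 10        # Tunnel-Type value for GRE
TUNNEL_MEDIUM_TYPE_IP = 1   # Tunnel-Medium-Type value for IP (IPv4)

# Constructed stand-in for the user profiles defined in HiveManager; the
# attribute numbers and names are assumptions for this example.
USER_PROFILES = {1: "domain-device", 2: "byod", 3: "guest"}

# Constructed stand-in for the ISE authorization policy: (condition, result).
# First matching rule wins; the result is the HiveManager user profile
# attribute number to return. No matching rule means Access-Reject.
AUTHZ_RULES = [
    ("Domain Computers", 1),
    ("BYOD Registered", 2),
    ("Guest", 3),
]

def authorize(identity_group):
    """Return the attribute number the authorization policy selects, or None (reject)."""
    for condition, profile_attribute in AUTHZ_RULES:
        if identity_group == condition:
            return profile_attribute
    return None

def tagged_integer(attr_type, tag, value):
    """Encode an RFC 2868 tagged integer: type, length, 1-octet tag, 3-octet value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")

def tagged_string(attr_type, tag, text):
    """Encode an RFC 2868 tagged string: type, length, 1-octet tag, string bytes."""
    data = text.encode("ascii")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data

def build_accept_attributes(profile_attribute, tag=0):
    """Attribute payload the authorization profile adds to the Access-Accept."""
    return (tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_GRE)
            + tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_TYPE_IP)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(profile_attribute)))

def parse_attributes(payload):
    """Walk the RADIUS attribute TLVs, rejecting lengths that run past the buffer."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("bad attribute length %d at offset %d" % (length, i))
        attrs.append((attr_type, payload[i + 2:i + length]))
        i += length
    return attrs

def strip_tag(raw):
    """RFC 2868: a leading octet of 0x00..0x1F is a tag, anything else is data.
    A server that sends Tunnel-Private-Group-ID untagged therefore still parses."""
    if raw and raw[0] <= 0x1F:
        return raw[0], raw[1:]
    return 0, raw

def select_user_profile(payload, profiles=USER_PROFILES):
    """AP-side decision: returns (profile_name, alarm); alarm is None on a match."""
    found = {}
    for attr_type, raw in parse_attributes(payload):
        _tag, value = strip_tag(raw)
        found[attr_type] = value
    if TUNNEL_PRIVATE_GROUP_ID not in found:
        return None, "Access-Accept carried no Tunnel-Private-Group-ID"
    if int.from_bytes(found.get(TUNNEL_TYPE, b""), "big") != TUNNEL_TYPE_GRE:
        return None, "Tunnel-Type missing or not GRE"
    if int.from_bytes(found.get(TUNNEL_MEDIUM_TYPE, b""), "big") != TUNNEL_MEDIUM_TYPE_IP:
        return None, "Tunnel-Medium-Type missing or not IP"
    group_id = found[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
    if not group_id.isdigit() or int(group_id) not in profiles:
        # The outcome the post describes: no matching user profile, alarm on the AP.
        return None, "no user profile with attribute number %r; alarm on AP" % group_id
    return profiles[int(group_id)], None

def end_to_end(identity_group):
    """Run a client through the policy and the AP mapping; None means Access-Reject."""
    profile_attribute = authorize(identity_group)
    if profile_attribute is None:
        return None
    return select_user_profile(build_accept_attributes(profile_attribute))

if __name__ == "__main__":
    for group in ("Domain Computers", "BYOD Registered", "Guest", "Printers"):
        print(group, "->", end_to_end(group))
    # A policy result whose attribute number was never defined in HiveManager.
    print(select_user_profile(build_accept_attributes(9)))
```

The mismatch case at the end is the one to watch for in a real deployment: an ISE authorization profile that returns an attribute number nobody recorded in HiveManager authenticates cleanly on the ISE side and only shows up as the alarm on the access point, so check the AP alarms, not just the ISE live log, when a client lands in the wrong place.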