Configuring EAP TLS Questions

  • Question
  • Updated 2 years ago
Hi, we currently have a customer running HiveManager on premise 6.6 with their APs running 6.4 who is looking to start using EAP TLS with their existing Microsoft NPS server. Do we know if there are any configuration guides available that detail the required changes on both the HiveManager and MS NPS side?

They are currently using 802.1X (I don't have access to the HiveManager at the moment to confirm their current EAP type) and I would need to find a way to direct the user to the correct NPS profile whilst we are testing the EAP TLS connection. Do you know if this is possible?

Is it possible that if client XXXX connects to a particular SSID, we can send an attribute of some sort to the RADIUS server to use the EAP TLS NPS policy?

You'll have to excuse my lack of understanding with Microsoft NPS... :/

Thanks

Craig


Posted 2 years ago


Nick Lowe, Official Rep

Hi Craig,

So, this is not an Aerohive specific concern as it is NPS that is terminating the EAP. If HiveManager is already configured to supply configuration to the APs to point to NPS, you need to do no more there.

It is, at that point, just an NPS concern, so you can therefore follow general NPS documentation and advice that is available on the Web for EAP-TLS/EAP-PEAP with TLS.

You know the SSID based on the Called-Station-Id attribute value in the Access-Request packets that HiveOS sends.

You can check for this using a regular expression in NPS if you wish to discriminate in a connection request or network policy on a per-SSID basis:

For example:

^(?:[0-9A-F]{2}[-:]?){5}[0-9A-F]{2}:testSSID$

^(?:[0-9A-F]{2}[-:]?){5}[0-9A-F]{2}:productionSSID$

The format of the Called-Station-Id attribute value is BSSID:SSID.

Cheers,

Nick
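To show how the Called-Station-Id conditions above select a policy, here is an added example (not part of the original thread or of NPS itself) that splits a HiveOS-style "BSSID:SSID" value and evaluates the two regexes in order, first match wins, the way an ordered list of NPS policies is processed. The policy names and sample values are constructed, and case-insensitive matching is an assumption of this example.

```python
import re

# Called-Station-Id conditions from the answer above, evaluated in order
# (first match wins). Policy names are constructed for this example.
POLICIES = [
    ("EAP-TLS test policy", r"^(?:[0-9A-F]{2}[-:]?){5}[0-9A-F]{2}:testSSID$"),
    ("PEAP production policy", r"^(?:[0-9A-F]{2}[-:]?){5}[0-9A-F]{2}:productionSSID$"),
]

# Six hex octets with optional '-' or ':' separators, then ':' and the SSID.
# Anchoring on the BSSID prefix matters because an SSID may itself contain ':'.
_BSSID_RE = re.compile(r"^((?:[0-9A-F]{2}[-:]?){5}[0-9A-F]{2}):(.*)$", re.IGNORECASE)


def split_called_station_id(value):
    """Split a "BSSID:SSID" Called-Station-Id value into (bssid, ssid).

    Returns None when the value does not start with a well-formed BSSID, so a
    caller can treat a malformed attribute as "no SSID known" instead of
    accidentally matching part of the SSID as the BSSID.
    """
    m = _BSSID_RE.match(value)
    if not m:
        return None
    return m.group(1), m.group(2)


def select_policy(called_station_id, policies=POLICIES):
    """Return the name of the first policy whose condition matches, or None.

    Matching is case-insensitive here (assumption of this example), so BSSIDs
    sent in lowercase still hit the intended policy; note that this also means
    two SSIDs differing only in case would land on the same policy.
    """
    for name, pattern in policies:
        if re.match(pattern, called_station_id, re.IGNORECASE):
            return name
    return None
```

The trailing `$` in each condition is what stops "testSSID2" from matching the "testSSID" policy, so keep it when adapting the patterns.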

Craig

Hey Nick, many thanks for the response! I did think that was the case, that the AP merely passes on the authentication requests to the auth server. I wasn't aware of that attribute! I think it will certainly help us in this instance. Thanks again.