I have followed the Aerohive configuration guide "RADIUS Authentication". I was trying Example 1 "Single Site Authentication". But my Windows clients can't connect to the SSID. These Windows clients are not in a domain but are BYOD clients.
If I use the RADIUS test in HiveManager I receive "RADIUS server is reachable. Get attributes from RADIUS server: User-Attribute-ID:0=5; " So it can reach the RADIUS server and get back the User-Attribute-ID 5. For my SSID I have created a user profile with attribute number 5.
Can someone help me? Can I debug something else?
You should be returning a Service-Type attribute of Framed along with a Framed-Protocol attribute of PPP.
Are you using VLANs? If so, you should add and set:
1) Tunnel-Type attribute to VLAN
2) Tunnel-Medium-Type attribute to IEEE-802.
3) Tunnel-Private-Group-Id attribute to the desired VLAN ID in string (ASCII / UTF-8 encoded) format.
I would suggest using the Filter-Id attribute to set the user profile attribute as this is the RADIUS standards based way of doing this.
What EAP type are you using and how have you configured it?
Thanks for the reply.
At the moment I'm configuring it without VLANs (the AP is not connected to a trunk port). In the future it must also work with different VLANs.
I have added the Filter-Id on the RADIUS server and created a user group with the value of the Filter-Id. But it is still not working. In the attachment you can find some screenshots of the configuration. http://www.hhvm.be/externalradius.docx
If you monitor the authentication process using the Client Monitor Tool, you may get some useful insights as to which step in the authentication process is failing.
The simplest way to set up Client Monitor is to create a new open SSID called Test, attach a device to it, pick up that device in Monitor/Wireless Clients, select the check box next to the client, then go to Operation/Client Monitor and add the device. (This captures the MAC address of the device in the system; otherwise you could manually add it to the Client Monitor tool.)
Filter out the Probe requests, start Client Monitor, disconnect from Test and try to connect to the RADIUS SSID. You will see every step of the process that the AP sees.
Then, look in the Windows event log on the server to see if the error messages there give any clues as to why the authentication failed.
The combination of these two together can usually get you out of trouble.
I suggest you use something like Wireshark at the RADIUS server to get a capture of the RADIUS traffic while an authentication attempt is made.
The other place to look is the Windows Event Log for the NPS role.
We should be able to piece what is going wrong from those three bits of information.
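As an added example (not part of the thread), the attribute list recommended earlier in the thread and the Wireshark capture suggested above come together in this Python snippet: it builds an Access-Accept carrying Service-Type=Framed, Framed-Protocol=PPP, Filter-Id and the three RFC 2868 tunnel attributes, and it parses a raw RADIUS packet (as exported from a capture) to report whether those attributes are present and whether Tunnel-Private-Group-Id is the ASCII string the AP expects. The filter-id and VLAN values are constructed sample data.

```python
import struct
# Attribute numbers (RFC 2865 / RFC 2868) and the enumerated values named in the thread.
SERVICE_TYPE, FRAMED_PROTOCOL, FILTER_ID, ACCESS_ACCEPT = 6, 7, 11, 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
SERVICE_TYPE_FRAMED, FRAMED_PROTOCOL_PPP, TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 2, 1, 13, 6

def attr(atype, value):
    """One attribute as Type, Length, Value; Length counts the 2-byte header."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def build_access_accept(ident, authenticator, filter_id, vlan=None):
    """Access-Accept carrying the attributes recommended in the thread (tag octet 0 = untagged)."""
    attrs = attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED))
    attrs += attr(FRAMED_PROTOCOL, struct.pack("!I", FRAMED_PROTOCOL_PPP))
    attrs += attr(FILTER_ID, filter_id.encode("ascii"))
    if vlan is not None:
        attrs += attr(TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        attrs += attr(TUNNEL_MEDIUM_TYPE, b"\x00" + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
        # The VLAN ID travels as ASCII text ("10"), not as a 3-byte binary integer.
        attrs += attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan).encode("ascii"))
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet):
    """Return [(type, value)] from a raw RADIUS packet, e.g. one exported from Wireshark."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("RADIUS Length field does not match the packet size")
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        out.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out

def check_access_accept(packet):
    """Report whether the attributes the thread recommends are present and well-formed."""
    present = dict(parse_attributes(packet))
    report = {
        "service_type_framed": present.get(SERVICE_TYPE) == struct.pack("!I", SERVICE_TYPE_FRAMED),
        "framed_protocol_ppp": present.get(FRAMED_PROTOCOL) == struct.pack("!I", FRAMED_PROTOCOL_PPP),
        "filter_id": present[FILTER_ID].decode("ascii", "replace") if FILTER_ID in present else None,
    }
    if TUNNEL_PRIVATE_GROUP_ID in present:
        group = present[TUNNEL_PRIVATE_GROUP_ID]
        if group and group[0] <= 0x1F:  # a leading octet in 0x00-0x1F is the RFC 2868 tag
            group = group[1:]
        report["vlan_id"] = group.decode("ascii", "replace")
        report["vlan_id_is_ascii_digits"] = group.isdigit()  # False for a binary-encoded VLAN ID
    return report
```

Feed `check_access_accept` the bytes of the Access-Accept from a capture (Wireshark: right-click the RADIUS layer, Copy as a hex stream, then `bytes.fromhex(...)`) to see at a glance which recommended attribute the server is leaving out or mis-encoding.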
I think you are right that there is something wrong with the certificate. In the Event Viewer I found the following error: "The certificate chain was issued by an authority that is not trusted."
Since these computers are not on your domain, you will need to do a few things to the wireless configuration on the client to get them to authenticate. You will need to make 3 changes from the default setup when you create the wireless network configuration on the client. I'm assuming you are using WPA2-Enterprise. So go through the steps of manually creating the wireless network profile on your Windows device. Before you close out of the "Manually connect to a wireless network" wizard, click on the "Change connection settings" button instead of the "Close" button. From here you will be able to make the 3 changes to allow your non-domain computers to connect.
First, change the 802.1X authentication mode to "User authentication". By default, this is set to "User or computer authentication". Since these computers are not on the domain, anytime they try to authenticate with the computer account instead of the user account they will get denied. Second, disable the certificate check. In the Protected EAP properties, uncheck the "Verify the server's identity by validating the certificate" check box. And while you are here, the third thing you need to do is change the EAP MSCHAPv2 properties to not use the Windows logon name and password. You do this by clicking the "Configure" button next to the "Secured password (EAP-MSCHAP v2)" drop-down box under "Select Authentication Method:".
What will happen now is when the user tries to connect to this network, they will be prompted for their user credentials. After they enter their user credentials, they will be authenticated and connected. The default Windows settings for 802.1X settings are for domain joined computers. So you have to make these changes to allow non-domain computers to connect. If you used a certificate issued by a trusted root certificate authority that is already in Windows, then the second change would not be needed. Or you could have the user import your certificate into their trusted root certificate authorities. But this is a pain for the user. If you have a domain with PKI setup, this is all taken care of for you on domain joined computers.
I can provide step-by-step instructions if needed. I have some for XPSP3, Vista/7, and 8/8.1.
Also, with your Android phone, make sure you have your Phase 2 Authentication set to "MSCHAPV2". I believe that by default this is set to "None".