Could anyone help me set up an AP as a RADIUS server to access an external AD?

  • Question
  • Updated 4 years ago
  • Answered
1. Set up a AAA User Directory:
Selected AD, filled in the domain name and AD server address,
then retrieved the BaseDN.
Input an existing Computer OU.
Filled in admin user and password to join AD, successfully.
Filled in admin user as domain user, validated successfully.
Save.

2. Aerohive AAA Server Setting:
For database, selected External DB and selected my AD as primary.
Enabled RADIUS server credential caching.
At RADIUS settings, set key file password as shared secret. Left others as default.
Save.

3. Set up AAA client.

4. Default user profile points to my VLAN. Committed, but it doesn't work.

Can anybody give some hints?

Thanks

bin yu

Posted 5 years ago

Kell Van Daal

Hi,

There are two steps you didn't explicitly mention, so I want to make sure you have done them.

First, you said you configured the Aerohive AAA Server Setting, which is good. Did you also actually configure one or more APs to use this service? With this you tell the AP to become a RADIUS server. To do this, go to Configuration -> Devices and edit the AP you want to be a RADIUS Server. Under Service Settings -> Device RADIUS Service make sure your configured RADIUS Service is selected.



And second, make sure the AAA Client Settings you configured is selected in the Network Policy.



Let me know if this helped, and if not, we can do some more troubleshooting :)

Kell

bin yu

Thanks for your quick reply

I did this. Then I tried to use the AD/LDAP Test tool to debug.

I selected my RADIUS Service and selected Test Aerohive device credentials for Active Directory Integration

Then I input my user name, password and domain in my External AD.

I got
NT_STATUS_ACCESS_DENIED: access denied(###0zxc0000022###)

Regards

Kell Van Daal

When you try the RADIUS test (right above the AD/LDAP test), what is the message the test comes back with?

bin yu

NT_STATUS_ACCESS_DENIED: access denied(###0zxc0000022###)

Kell Van Daal

That is a weird message to get from the RADIUS test. Usually the RADIUS test comes back with either an Access-Accept (with possible attributes), an Access-Reject or a simple time-out.

The NT_STATUS_ACCESS_DENIED is something that is generated on the server side. Can you check if the time on the AP and the server is the same? Ideally using the same NTP server.
Also, are you using multiple Domain Controllers? If so, can you make sure they are all synced? Especially if you have multiple sites, depending on how they are configured, they might not be synced.

Lastly, if that fails, can you try joining the AP again to AD? Delete it first from AD Computers and Users and then add it again through HiveManager.

If that all doesn't help, can you check the Event Viewer on the Domain Controller that the AP is using? There should be an event (or multiple) that correlates with the NT_STATUS_ACCESS_DENIED. If you find that one, can you post the details of it? It could give us some more insight into what is going wrong.

bin yu

It has been solved.

Thanks

Kell Van Daal

That's great to hear!

Would you mind sharing how you solved it? That way if someone else has the same problem, they can find the answer here :)

bin yu

Hi

I just adjusted the time. Then it worked.
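
Added example, not part of the thread and not Aerohive code: the clock check suggested above, run from an admin host that queries the domain controller and the NTP server the AP uses over SNTP and compares the two offsets. It assumes both hosts answer NTP on UDP 123 and that the limit in force is 5 minutes, AD's default Kerberos clock tolerance.

```python
import socket, struct, sys, time

NTP_DELTA = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix)
MAX_SKEW = 300           # AD's default Kerberos tolerance, 5 minutes (assumed unchanged)

def to_ntp(ts):
    """Unix float -> (seconds, fraction) as two unsigned 32-bit NTP fields."""
    return int(ts) + NTP_DELTA, int((ts % 1) * 2**32)

def from_ntp(sec, frac):
    return sec - NTP_DELTA + frac / 2**32

def build_request(t1):
    """48-byte SNTP client packet: LI=0, VN=3, Mode=3, transmit timestamp = t1."""
    return struct.pack("!B39xII", 0x1B, *to_ntp(t1))

def clock_offset(reply, t1, t4):
    """Server clock minus local clock, ((T2-T1)+(T3-T4))/2, from a raw reply."""
    if len(reply) < 48:
        raise ValueError("short NTP reply")
    leap, mode, stratum = reply[0] >> 6, reply[0] & 0x07, reply[1]
    if mode != 4:
        raise ValueError("not a server-mode reply")
    if leap == 3 or stratum == 0:
        raise ValueError("server reports an unsynchronised clock")
    t2s, t2f, t3s, t3f = struct.unpack("!4I", reply[32:48])
    return ((from_ntp(t2s, t2f) - t1) + (from_ntp(t3s, t3f) - t4)) / 2

def query(server, timeout=3.0):
    """Offset of `server` relative to this host, in seconds (UDP/123)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_request(t1), (server, 123))
        reply, _ = s.recvfrom(512)
        t4 = time.time()
    return clock_offset(reply, t1, t4)

def verdict(skew):
    return "OK" if abs(skew) <= MAX_SKEW else "SKEW_TOO_LARGE"

if __name__ == "__main__":
    # argv[1] = domain controller, argv[2] = NTP server the AP is configured to use
    dc, ap_ntp = query(sys.argv[1]), query(sys.argv[2])
    skew = dc - ap_ntp   # this host's own clock error cancels out of the difference
    print(f"DC vs AP time source: {skew:+.3f}s -> {verdict(skew)}")
```

A result of SKEW_TOO_LARGE points at the same fix reported in the thread: bring the AP and the domain controller onto the same time source.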

Edwin Amoo

Hi all, can anyone point me in the right direction? I just need to know, step by step, how to configure my AP as a RADIUS server and have Active Directory authenticate against users when you log into an SSID. I have been searching all over and can't seem to get any help, not even from support... Please help.