CWP AD User Auth via AP RADIUS vlan redirect IP issue

  • Updated 3 years ago
I am setting up a new SSID for Employee BYOD.

We are initially using MAC auth so if the employee registers the devices with us, they are added to the MAC auth group. This is working just fine. We are also allowing employees to use unregistered devices if they go to the CWP and successfully authenticate to AD via an AP running RADIUS. I have manually mapped the AD User Groups to the employee User profile. I have verified the Attribute matches the VLAN. Once authenticated, they change VLANs. On a client, I can connect to the SSID, successfully authenticate, but never see my IP change to the employee VLAN. Through client monitor, I see the client go from the default VLAN and show moving to the employee VLAN, I see the Attribute correctly change, but never see the IP change. I have tried forcing an ipconfig /renew on the client, but still do not change IPs. I do not see anything in the config missing to force this, but please help?

Bill H


Posted 3 years ago


Eastman Rivai, Official Rep


Most devices won't change their IP address when the VLAN changes. In order to address this requirement you may need to use the Internal DHCP and DNS option.

Open the captive web portal settings and, in the optional Advanced Configuration, select “Use Internal DHCP and DNS servers on the Aerohive devices”.

This will allow a client to use the virtual network on the AP with a temporary IP address during authentication. By default the lease is 10 seconds and a DHCP client typically renews its lease at the midpoint of its lease lifetime. In this case it renews its lease every 5 seconds. After the user has been authenticated and been assigned to a VLAN, the AP will allow the next DHCP lease request to pass to an external DHCP server which will then issue an IP address to the user.

Please also do a VLAN probe to check if the VLAN is connected to the AP and can issue an IP address.

I hope this answers your question.