CWP with Meru IDM

Maybe someone has done this before or has an idea?

We have a setup where we need to implement Aerohive Access Points (6.1r1) with Meru's Identity Manager (IDM 13.6.0). I had it already working a long time ago, with different versions of both, but now it doesn't work anymore.

On Aerohive I have configured a Radius client and CWP with external authentication. On Meru IDM I have configured the whole possible subnet for clients as one device entry with native Aerohive type. The redirection to the IDM server works, so I receive the captive web portal page. I can log in, which works, but then the redirection back to the Aerohive AP fails:

The browser cannot open URL "https://1.1.1.1/reg.php"

Now, I know that these IPs are different for each interface (eth0, eth1, wifi0, wifi1) and SSID, and I know I can set those manually. Which I tried, but no luck.

Does anyone have any idea how I make those two systems work together?

Thanks,
carsten

Carsten Buchenau, Champ


Posted 5 years ago


Sarah Banks

Hi Carsten, I see that no one here has posted a response to this, and indeed, I haven't seen this done before. A support engineer might be able to best help you here, but when I read what you wrote above, "The browser cannot open URL https://1.1.1.1/reg.php" I immediately wonder if the client is even able to reach the 1.1.1.1 subnet; what's the client's current IP, is the 1.1.1.1 reachable, etc. Oftentimes, https versus http can be the issue. These are a few troubleshooting tips that might help.

Carsten Buchenau, Champ

Hi Sarah,

Thanks for your reply!

I do have a ticket open as well, and I still need to update it. I actually solved it with an interesting and reproducible fix:

- Change CWP mode to internal authentication, delta upload
- Change CWP mode back to external authentication, delta upload

Now the AP answers on https://1.1.1.1/reg.php.

Weird, no?

carsten

Sarah Banks

I agree, that seems a bit wonky; when I make changes like that, I tend to not do a delta upload but rather, a complete upload. I'm happy to see that it's responding now, though. Good luck! :)

Carsten Buchenau, Champ

Hi Sarah,

Sorry, I didn't post the full summary of 2 hours of troubleshooting :-)

Of course, I tried a lot of ways, including default resets and re-adding to HiveManager, and a complete upload is always on top of my list. At the end of the day, and I can reproduce this, the procedure MUST include configuring the Access Points once with a CWP in internal authentication mode, and then I can go back to external authentication mode. And if I do this, it doesn't matter whether I do a complete or delta upload, that's why I wrote it that way.

I will add the same information to my support ticket, and hopefully in a few days I will have time to add a "How to" to this ticket :-)

carsten

Carsten Buchenau, Champ

Little add-on: It appears that the problem is somewhere around using the right certificate. Before the "workaround", when uploading the configuration (even with a complete upload), I do get:

CLI command failed:
security-object CITEU-Premium web-server ssl server-key 0

Gianlu Bol

Hi Carsten,
I have the same problem still with 6.1r3a: "security-object GUEST web-server ssl server-key 1"
Do you have some news?

Changing CWP mode to internal authentication every time that we add a new AP isn't funny...
Thanks
Gianluca



Carsten Buchenau, Champ

Sorry Gianluca, I should have posted an update here.

Aerohive support has identified this behaviour as a bug, and they told me that this will be fixed with 6.1r4. But I have no release date for this.

Believe me, I am desperately waiting for this, too...

carsten

Mike Kouri, Official Rep

Carsten,
If you know the bug-id, I can look that up for you and confirm/deny where the fix will appear. 

Carsten Buchenau, Champ

Hi Mike,
I was not given a bug-id, but the case number is 00056957. Thanks for checking!


12/27/2013 2:33 AM | Chris Bourroughs
Hi Carsten

We have confirmed this behavior is a bug and engineering are now working on a resolution, the target software release this will be fixed in is 6.1r4.   I don't have any timeframe for this release, but are you happy for me to close the support case?

Thanks

Chris



Carsten Buchenau, Champ

Hi Mike,
Did you have a chance to find out more about this bug, and to confirm/deny where and when the fix will appear?

Gianlu Bol

Hi Carsten,
thank you for the update!
Good news.

Gianluca

Mike Kouri, Official Rep

Thanks to Carsten for reminding me I owed an answer on this thread.

I can confirm the bug was fixed after the release of 6.1r3. The HiveOS software version that first received this fix was 6.1r4 but that is unlikely to be interesting to most readers of this thread since we only offered HiveOS images for the new switches in that release.

HiveOS 6.1r6, currently in beta testing, will be the version that brings this fix to the AP product line. Barring any unforeseen events, it should be released around the middle of June.

For those of you who actually read the release notes, you can look for bug-id 30665.

Carsten Buchenau, Champ

That's great news - thanks a lot for the research, Mike!

Carsten Buchenau, Champ

Sorry for not updating this thread earlier...

I can confirm that this bug is fixed now with HiveOS 6.1r6. I can configure an external CWP with a custom CWP certificate package, which gets uploaded successfully, and thus the security warning when accessing the CWP disappears.

carsten