Dynamic VLAN assignment based on the AD user group.

  • Question
  • Updated 5 years ago
  • Answered
Can dynamic VLAN assignment be done based on the AD user group?

I have 1 SSID and am using 802.1X authentication with the HiveAP RADIUS server. In Active Directory the users have been grouped by department, and each department is in a different VLAN. In the user properties, the user is assigned to the VLAN under the "Member of" tab. How can I achieve this configuration? Can someone assist me?

Mohanantass

Posted 5 years ago


Crowdie, Champ

There are two easy ways to achieve this:

Option 1 - IETF RADIUS Attributes

You can use IETF RADIUS attributes to return the desired VLAN to the Aerohive wireless system.

When you create your RADIUS rules to look up membership of each department group in Active Directory, return the following RADIUS attributes:

* IETF 64 (Tunnel-Type) = VLAN (13)
* IETF 65 (Tunnel-Medium-Type) = 802 (6)
* IETF 81 (Tunnel-Private-Group-ID) = [VLAN ID]

So, for example, if you wanted to return VLAN 100 with the RADIUS Access-Accept response you would configure the following IETF RADIUS attributes in the RADIUS rule:

* IETF 64 (Tunnel-Type) = VLAN (13)
* IETF 65 (Tunnel-Medium-Type) = 802 (6)
* IETF 81 (Tunnel-Private-Group-ID) = 100

Option 2 - Aerohive User Profiles

You can use IETF RADIUS attributes to return the desired Aerohive User Profile, which maps to a unique VLAN or client classifier.

When you create your RADIUS rules to look up membership of each department group in Active Directory, return the following RADIUS attributes:

* IETF 64 (Tunnel-Type) = GRE (10)
* IETF 65 (Tunnel-Medium-Type) = IP (1)
* IETF 81 (Tunnel-Private-Group-ID) = [User Profile Attribute]

So, for example, if you wanted to return User Profile Attribute 50 with the RADIUS Access-Accept response you would configure the following IETF RADIUS attributes in the RADIUS rule:

* IETF 64 (Tunnel-Type) = VLAN (13)
* IETF 65 (Tunnel-Medium-Type) = 802 (6)
* IETF 81 (Tunnel-Private-Group-ID) = 50

The user would then be placed into the User Profile whose attribute is defined as 50. That User Profile may have a static VLAN assignment, say VLAN 60, or a client classifier.

A client classifier allows you to create a list of different values in a single object. For example, a client classifier of VLANs could be created as such:

* Tag1: London - 100
* Tag1: Matamata - 110
* Tag1: New York - 120
* Tag1: Paris - 130
* Tag1: Global - 140

The "Global" value is used in case none of the other values are set.

Each of the access points would have the name of the city it is located in (one of the four previously mentioned cities) defined as its TAG value (Monitor -> [AP Name] -> Modify -> Device Classification -> Tag1). Therefore, a user who is assigned to the User Profile whose attribute is 50 would be assigned to a VLAN dependent on which city the user is in.

This is a really powerful feature and, if you are running the 6.1r1 firmware, you can rename the TAG names, so Tag1 could be renamed to "City" or "Office", for example.
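As an added example (not code from this thread or from Aerohive), the following Python encodes the RFC 2868 attribute triples from Option 1 and Option 2, decodes them the way a NAS would, and then applies the client classifier table above. The attribute numbers, values and the city/VLAN table come from the post; the byte layout is the RFC's; the tag byte is assumed to be zero.

```python
import struct

# RFC 2868 tunnel attributes named in the post (IETF 64/65/81) and the Tunnel-Type / Tunnel-Medium-Type values used by Option 1 and Option 2.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TT_VLAN, TT_GRE = 13, 10
TM_802, TM_IP = 6, 1

def tunnel_avp(attr_type, value, tag=0):
    """Encode one tunnel AVP: type, length, tag byte, then a 3-byte integer (64/65) or string (81)."""
    if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
        body = bytes([tag]) + struct.pack(">I", value)[1:]
    else:
        body = bytes([tag]) + str(value).encode()
    return bytes([attr_type, 2 + len(body)]) + body

def vlan_attributes(vlan_id):
    """Option 1: VLAN(13) / 802(6) / VLAN ID puts the client straight into that VLAN."""
    return (tunnel_avp(TUNNEL_TYPE, TT_VLAN) + tunnel_avp(TUNNEL_MEDIUM_TYPE, TM_802)
            + tunnel_avp(TUNNEL_PRIVATE_GROUP_ID, vlan_id))

def user_profile_attributes(profile_attr):
    """Option 2: GRE(10) / IP(1) / attribute selects the Aerohive User Profile."""
    return (tunnel_avp(TUNNEL_TYPE, TT_GRE) + tunnel_avp(TUNNEL_MEDIUM_TYPE, TM_IP)
            + tunnel_avp(TUNNEL_PRIVATE_GROUP_ID, profile_attr))

def parse_avps(data):
    """Decode a run of AVPs into {type: (tag, value)}; reject malformed lengths."""
    out, i = {}, 0
    while i < len(data):
        if len(data) - i < 3 or data[i + 1] < 3 or i + data[i + 1] > len(data):
            raise ValueError("malformed AVP at offset %d" % i)
        t, ln = data[i], data[i + 1]
        body = data[i + 2:i + ln]
        # RFC 2868: a leading byte above 0x1F is value data, not a tag.
        tag, val = (body[0], body[1:]) if body[0] <= 0x1F else (0, body)
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            val = int.from_bytes(val, "big")
        else:
            val = val.decode("ascii", "replace")
        out[t] = (tag, val)
        i += ln
    return out

def interpret(avps):
    """Read the triple as the AP would: VLAN, User Profile, or the catch-all default."""
    tt, tm = avps.get(TUNNEL_TYPE, (0, None))[1], avps.get(TUNNEL_MEDIUM_TYPE, (0, None))[1]
    grp = avps.get(TUNNEL_PRIVATE_GROUP_ID, (0, ""))[1]
    if (tt, tm) == (TT_VLAN, TM_802) and grp.isdigit():
        return ("vlan", int(grp))
    if (tt, tm) == (TT_GRE, TM_IP) and grp.isdigit():
        return ("user-profile", int(grp))
    return ("default-profile", None)  # mismatched or missing triple

# Client classifier from the post: User Profile 50 picks the VLAN by the AP's Tag1; "Global" applies when the tag matches no listed city.
CLASSIFIER_50 = {"London": 100, "Matamata": 110, "New York": 120, "Paris": 130, "Global": 140}

def resolve_vlan(decision, ap_tag1, classifier=CLASSIFIER_50):
    """Final VLAN for the client: direct (Option 1) or via the classifier (Option 2)."""
    kind, val = decision
    if kind == "vlan":
        return val
    if kind == "user-profile" and val == 50:
        return classifier.get(ap_tag1, classifier["Global"])
    return None
```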

Mohanantass

Hi Crowdie,

Thank you for your prompt reply on this matter. Do you have any guide on this? And this can be achieved using our HiveAP RADIUS server, right? In this case I will create multiple user profiles based on the user groups in the AD?

regards,
Mohan

Crowdie, Champ

If you are using the FreeRADIUS server integrated into each Aerohive access point it is a simple matter of configuring the FreeRADIUS server for PEAP MSCHAPv2 (or TLS if you want to use client side certificates) [both at Configuration -> Advanced Configuration -> Authentication -> Aerohive AAA Server Settings -> Database Settings -> Optional Settings -> RADIUS Settings and Configuration -> Advanced Configuration -> Authentication -> AAA User Directory Settings] and then assigning the Active Directory groups to User Profiles [Configuration -> Advanced Configuration -> Authentication -> Aerohive AAA Server Settings -> External Database -> Active Directory -> Manually map LDAP user groups to user profiles].

The official Aerohive documentation on this is available at http://www.aerohive.com/330000/docs/h...

To debug any issues with the integrated FreeRADIUS server in each access point you will need the following CLI commands:

1. If the AP cannot join the domain, use the command:

exec aaa net-join primary username password

2. If the AP has joined the domain but users are not authenticating:

exec aaa ntlm-auth username password

3. If the AP has joined the domain and some users work, the following debug commands may help:

* _debug radiusd comm
* _debug radiusd excessive
* _debug radiusd verbose

If the above commands do not work try:

* _debug auth all

To see the traffic to and from an access point use the remote sniffer functionality in the access point:

1. SSH to the HiveAP (via an SSH client or via the HM/HMOL integrated SSH client) and log in.

2. Enter the command exec capture remote-sniffer to enable remote sniffing.

3. Additionally, you may enter the following optional commands:

* exec capture remote-sniffer user username password (if you require un/pw authentication)

* exec capture remote-sniffer host-allowed X.X.X.X (if you require that only a specific IP host perform sniffing)

* exec capture remote-sniffer local-port port-number (if you require a different port number for sniffing)

* exec capture remote-sniffer promiscuous (if you require that the HiveAP capture all traffic that it can hear instead of only the traffic destined to/through the HiveAP itself).

4. When you have completed your sniffing, you should enter the command no exec capture remote-sniffer to disable remote sniffing.

Mohanantass

When you say FreeRADIUS server, does it mean using an Aerohive AP as a RADIUS server?

Mohanantass

Hi Crowdie, I have done the AD integration with the Aerohive HiveAP RADIUS and all is working fine.

Now all the users in the AD are grouped based on department, and each user is a member of a different VLAN based on the AD groups.

I need to authenticate each user and assign the user to the respective VLAN based on their VLAN member group. How can I achieve this set of config? Please assist. Thank you.
Mohan

Crowdie, Champ

Are you able to traverse the Active Directory structure in the Aerohive AAA Server Settings area of the HiveManager? (Configuration -> Advanced Configuration -> Authentication -> Aerohive AAA Server Settings -> Database Settings -> External Database -> Manually map LDAP user groups to user profiles)

Mohanantass

Yes, I can see that. Will try the mapping now. Thank you.

Crowdie, Champ

Traverse the Active Directory structure in the "Select an OU or type a User Group Name to map to a User Profile" area and highlight the Active Directory group you want to map to a user profile. Click on the "User Profile" drop down menu, select the user profile you want to map the Active Directory group to and click on the "Apply" button.

Repeat this process until you have mapped all the required Active Directory groups to the appropriate user profiles.

Mohanantass

I have done the mapping. Should I tick the option at the user profile for the RADIUS attributes? What should I choose?


Crowdie, Champ

The default user profile is matched if the user authenticates correctly but the Aerohive wireless system cannot determine which user profile to match the wireless client to. It is really a "catch all" user profile.

Some installations create a guest user profile with only Internet access and that user profile is defined as the default user profile. Hence, if a user authenticates but is not matched to a user profile by the Active Directory group -> User Profile mappings you have created they just get Internet access. Another option is to create a user profile that has a schedule availability that cannot be matched (say 00:00 to 00:01 on the 1st of January 2012) so that if a wireless client is authenticated but not matched into a User Profile they will be de-authenticated.

The user profile(s) you are matching the AD groups to should be selected in the "Authentication" tab (as shown on the screenshot above).

If you are wondering where the RADIUS attributes go, they are not required when using the integrated FreeRADIUS server in each Aerohive access point. They are required, however, if you are using an external RADIUS server, such as an IAS or NPS server.

Mohanantass

It all looks OK, but in the client monitor it says "(3019)station sent out DHCP DISCOVER message" and I am not getting DHCP. On the same AP I have tested without this RADIUS mapping and I am getting an IP address. How do I check whether my authentication was correct for the VLAN assigned or mapped?

Mohan

Mohanantass

Should it be something like the attached?

Crowdie, Champ

All access points that broadcast any SSID requiring RADIUS authentication must be configured as a RADIUS server or a RADIUS proxy. Have you configured any non-RADIUS server access points as RADIUS proxies? (Configuration -> Advanced Configuration -> Authentication -> RADIUS Proxy).

If you haven't done this, then a wireless client authenticating to an access point acting as a RADIUS server should be placed into the correct user profile, while wireless clients authenticating to other access points should fail to authenticate.

If you look at the Wireless Clients section in the Monitor area which user profile is the wireless client assigned to? If the wireless client is being assigned to the "default-profile" user profile then there is an issue with your RADIUS configuration.

Mohanantass

No, I didn't configure any RADIUS proxy; all my access points are assigned as a "Radius Client/NAS client" as attached. I will check all my configuration again. Is the user profile configuration right?


Crowdie, Champ

Did you assign the access points you want to act as RADIUS servers the RADIUS server role? (Monitor -> All Devices -> Aerohive APs -> [Select the access point] -> Modify -> Service Settings -> Device RADIUS Service).

To test if RADIUS is working (and I suspect it is not), go to the RADIUS Test tool (Tools -> Server Access Tests -> RADIUS Test) and select one of your RADIUS access points as the "RADIUS Server" and "Aerohive Device RADIUS Client". Enter valid Active Directory credentials into the "User Name or Barcode" and "Password or PIN" fields and then click on the "Test" button.

Mohanantass

Hi,

With one VLAN assigned to the SSID and using 802.1X, HiveOS RADIUS and AD at the backend, I can get the user connected. Now I just need to assign the VLAN to the users based on the user credentials when they log in to the wireless. I have tested the above and passed it. Now I am using just 1 access point and 1 RADIUS in the network to try this set of configuration.

Mohan

Crowdie, Champ

When using the integrated FreeRADIUS server in Aerohive access points you have to configure five things:

1. The supplicant. This is the RADIUS term for a wireless client that is attempting to authenticate.

2. The RADIUS client. This is the service that receives the RADIUS request from the supplicant and forwards the request to the RADIUS server. The RADIUS client is configured to point to the access points configured as a RADIUS server. A shared secret (some text) is defined here and that is used when a RADIUS request is passed to an access point acting as a RADIUS server.

3. The RADIUS server. This is the service that receives the RADIUS request from the RADIUS client and checks with the authentication server whether authentication should occur (are the Active Directory credentials valid?). In these areas you define which RADIUS clients the RADIUS server service will accept RADIUS requests from and you include the shared secret here. Sometimes it is easier to define the NAS Clients (which access points the RADIUS server will accept RADIUS requests from) as an entire subnet rather than individual access points as there is a limit to the number of individual access points that can be defined as NAS clients.

4. The RADIUS proxy. This configuration allows non-RADIUS server access points to forward RADIUS requests from wireless clients authenticating to them to access points acting as RADIUS servers.

5. The authentication server. The server housing the user database - in this case Active Directory.

The RADIUS client service is configured in the AAA Client Settings area (Configuration -> Advanced Configuration -> Authentication -> AAA Client Settings).

The RADIUS server service is configured in the AAA User Directory Settings and the Aerohive AAA Server Settings areas (Configuration -> Advanced Configuration -> Authentication -> AAA User Directory Settings/Aerohive AAA Server Settings).

The RADIUS proxy settings are defined in the RADIUS Proxy area (Configuration -> Advanced Configuration -> Authentication -> RADIUS Proxy).

As long as your Active Directory user and computer accounts are in the right Active Directory groups you don't really need to configure anything in the Active Directory authentication server.

Mohanantass

HI Crowdie,

Thank you so much for your support. I managed to bring it all up based on the customer's requirement. It was actually that the user never allowed the VLAN information on the AP trunk ports. I really appreciate your time on this matter. Thanks and cheers.

Regards,
Mohan

Crowdie, Champ

Not trunking the switch ports (or not trunking them correctly) is definitely a show stopper :-)

Mohanantass

Hi friend, all of a sudden nothing is working now. Even normal 802.1X is not working; it is saying "Sta(at if=wifi1.1) is de-authenticated because of notification of driver".
Any suggestion?
Mohan

Mohanantass

Wow, sorry. Refer to the below:

08/20/2013 06:00:28 PM 183DA2121FE4 4018B1407815 POC-AP02 INFO (2971)IEEE802.1X auth is starting (at if=wifi0.2)
08/20/2013 06:00:28 PM 183DA2121FE4 4018B1407815 POC-AP02 INFO (2972)Rx deauth (reason 1 , rssi 53dB)
08/20/2013 06:00:28 PM 183DA2121FE4 4018B1407815 POC-AP02 BASIC (2973)Sta(at if=wifi0.2) is de-authenticated because of notification of driver

Mohanantass

Hi,

Is there any way the client can click on the SSID and the wireless profile is created automatically? Because now I have to create the profile first before I can join the wireless network.

Mohan

Crowdie, Champ

Is the wireless client you are testing with Windows based? If so the wireless profile cannot be created by a user attempting to associate to the SSID. That said, if the wireless client is a domain device you can use Group Policy to push the wireless profile to the domain device.

Mohanantass

Hi Crowdie, hope you are good and sound. Thank you for your update. Yes, all Windows clients. Will do the necessary. Thank you.