El Capitan and AD RADIUS authentication not working well

  • Question
  • Updated 2 years ago
I have multiple users who, after switching to the El Capitan operating system, can no longer properly authenticate through the RADIUS server. I have the RADIUS assigning an attribute to users to only allow those users to access the network and dump the rest into a dead VLAN. The users work fine on other systems but not on their El Capitan OS. Has anyone else had this issue?

Aaron Valente


Posted 2 years ago


Dianne Dunlap

Yes, had a customer with earlier OS X versions working but not El Capitan with 802.1X. Had them call Cisco since the TAC usually keeps up with Apple stuff (and it's easier to open a case with Cisco than Apple). Not sure what happened there.

Aaron Valente

I am debating changing my entire BYOD model because of this and pulling away from an AD-verified RADIUS authentication in exchange for a PSK authentication... Any thoughts?

Luke Harris

Depends on the scale of your deployment. I would tend to favour the use of 802.1X authentication where applicable/possible. However, given your situation I would probably lean towards the use of PPSKs. This allows you to issue each user with their own passphrase, which can be used to identify them through the HM monitor and reporting functions.

Aaron Valente

That's a lot of setup and maintenance work with turnover though, no? It would certainly be more reliable than what I have going on now but I worry about causing myself a ton of extra work. Does Aerohive have an authentication method through Google login that operates differently than the AD RADIUS server? Or is it similar in that it would experience the same outage with Mac OS?

Dianne Dunlap

I did inquire about this August 19 - some wireless vendors support Google/SAML but not Aerohive as yet:
Yes Dianne, we are aware and have been tracking this. I hope that we will have a solution in the future.
Could you not do captive portal with RADIUS/LDAP?

Aaron Valente

I am currently using Captive Web Portal with RADIUS/LDAP but it is failing on some Android devices/Mac OS X El Capitan...

Luke Harris

Potentially - again it really does depend on your specific requirements. How would you be issuing PSKs/PPSKs? Would you take advantage of self-registration? How long will the keys be valid? - I'm simply playing devil's advocate at this point but thinking of use case scenarios will definitely help towards finding your answer.

Aaron Valente

Hmm... I've never done self-registration... how would that work/how would I go about setting that up? I see potential in this solution, thank you. I would love to learn more!

Luke Harris

If you care to provide me with some more information I'm sure we can sort something. What version of HiveManager are you currently running? Are you using the cloud-based solution (HMOL) or on-premise virtual appliance? Are you aware of a product called ID Manager?

Aaron Valente

I'm using HMOL 6.8r3. I have seen ID Manager in the main screen of the hive after login but I have never requested a trial or seen it operate. Is this how I could do self-registration?