HiveAP121 Authentication via AD is not working

  • Question
  • Updated 5 years ago
  • Answered
Hi
My Authentication via AD is not working.
When I go to Tools->Servers Access Test ->AD/LDAP
there is nothing in the drop-down for RADIUS server. Where do I look to see what is wrong?
Just a newbie at this
thanks

(Using HiveManager Enterprise 6.0r2a)

Abby Thomas

Posted 5 years ago

Abby S, Employee
hi Abby - are you using an Aerohive device as your RADIUS server or are you using an external RADIUS server like IAS/NPS or FreeRADIUS?

Abby Thomas
I'm using the Aerohive as RADIUS and having it connect to AD as external.

Abby S, Employee
OK. So there are a couple of steps in setting this up. If you aren't using the workflow within the network policy, then in order to use the AD/LDAP lookup you have to configure the device as a RADIUS server before it shows up.

1. Set up the directory integration via Configuration - Authentication - AAA User Directory Settings.
2. Set up the RADIUS server instance - this is two parts.
A) Configuration - Authentication - AAA Server Settings. Make sure External database is selected. Make sure the directory integration you configured in step 1 is selected.
B) Configuration - Devices - Modify - Service Settings: Select the RADIUS server instance above to assign to the AP you are using as your RADIUS server. This will require a static IP if you don't already have one configured for that AP.

Now once you have the server instance assigned to a specific Aerohive device, that device should show in the AD test tool.

Don't forget in the Network Policy, there is a third step where you point your SSID to authenticate against that RADIUS server instance. This is a workflow in Express or Enterprise mode initially, but it sounds like that step of assigning the server instance to the AP was somehow missed.

Let me know if this works for you!

Abby Thomas
OK - Step B was missing.
I added the RADIUS server to the AP.

Now the AP shows in the drop-down of the test. The test hangs, but at least I can test.

Abby S, Employee
did you happen to configure NAS settings (or shared secret) on either your RADIUS client object or in your RADIUS server object? We purposely tried to hide this because we will automatically generate the shared secret and NAS settings for devices in the same Hive, but sometimes if you go outside the workflow it is easy to accidentally type in a shared secret, especially on the AAA Client settings.
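As an added example (not code from this thread or from Aerohive), the following Python shows why a shared secret typed by hand on the AAA client object can turn a RADIUS test into a silent hang. It builds a PAP Access-Request the way a NAS does, lets a toy server answer it, and then runs the check the NAS performs on the reply: with matching secrets the password is recovered and the Access-Accept verifies; with mismatched secrets the server recovers garbage and rejects, and the NAS discards the reply because the Response Authenticator no longer verifies, so it keeps retrying until it times out. The account, secrets and NAS address are constructed for the demo.

```python
import hashlib
import os
import struct

# RADIUS codes and attribute types used below (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(attr_type, value):
    """One attribute TLV: type, length (header included), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_password(password, secret, authenticator):
    """PAP User-Password hiding (RFC 2865 section 5.2): pad to 16-byte blocks and XOR
    each block with MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password.ljust((len(password) + 15) // 16 * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_password(ciphertext, secret, authenticator):
    """Inverse of encode_password; with the wrong secret this yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        key = hashlib.md5(secret + prev).digest()
        block = ciphertext[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, nas_ip, secret):
    """Access-Request as the AP (NAS) would send it; the authenticator is 16 random bytes."""
    authenticator = os.urandom(16)
    attrs = (
        _attr(ATTR_USER_NAME, username)
        + _attr(ATTR_USER_PASSWORD, encode_password(password, secret, authenticator))
        + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    )
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet):
    attrs, pos = {}, 20  # attributes start after the 20-byte header
    while pos < len(packet):
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def server_handle(request, secret, users):
    """Toy RADIUS server: recover the PAP password with *its* secret, check it, and sign
    the reply with Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    _, identifier, _ = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attributes(request)
    password = decode_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    code = ACCESS_ACCEPT if users.get(attrs[ATTR_USER_NAME]) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, identifier, 20)  # no reply attributes in this toy
    return header + hashlib.md5(header + req_auth + secret).digest()


def client_verify(response, request, secret):
    """NAS side: recompute the Response Authenticator with *its* secret. RFC 2865 says a
    reply that fails this check is silently discarded, so the NAS keeps waiting and retrying."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return expected == response[4:20]


def demo(client_secret, server_secret):
    """Returns (reply code, whether the NAS accepted the reply) for the given secret pair."""
    users = {b"abby": b"Winter2019!"}  # constructed test account, not a real directory
    request = build_access_request(7, b"abby", b"Winter2019!", "10.0.0.5", client_secret)
    response = server_handle(request, server_secret, users)
    return response[0], client_verify(response, request, client_secret)


if __name__ == "__main__":
    print("matching secrets:  ", demo(b"s3cret", b"s3cret"))     # (2, True): Access-Accept, reply trusted
    print("mismatched secrets:", demo(b"s3cret", b"typo-here"))  # (3, False): Access-Reject, reply dropped
```

With EAP (PEAP on the 802.1X SSID) the request also carries a Message-Authenticator attribute keyed with the same secret (RFC 2869), so a mismatch is caught on the server side too and the request is dropped without any reply at all; either way the symptom on the NAS is retries and a timeout rather than a clear error, which is why checking both the AAA client and the server instance for a hand-typed secret is the first thing to do.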

Abby Thomas
I talked with tech support - he said the Tools->Server Access Test->AD/LDAP test does not work and that the problem is with Windows XP and certificates.

I was sent a link to HansenOnline.net about configuring the WLAN client for use with RADIUS and told to read it.

Got the sense that it is dumb luck getting Windows AD to authenticate with wireless.

I will check the shared secret.
thanks

Abby S, Employee
hi Abby,
I'm really sorry you're struggling with this setup. Do you have an SE or local partner who can assist you? The AD lookup works great. Here is a screenshot of my demo test, which I just did right now. What version of software are you running?

Maybe can you show us some screenshots of the issues you're seeing so we can attempt to assist from here?

Abby Thomas

[screenshot]
Is what is happening.
The AAA user directory setting menu does retrieve the OU information.
But the test just hangs.
Thanks for any advice

Abby Thomas
Also the RADIUS test for RADIUS authentication server does work.
I am running Enterprise 6.0r2a

Abby Thomas
What started me looking at the test was when I try to connect to the Aerohive I get the following message:
"Windows was unable to find a certificate to log you on to the network"

This is on a Windows XP SP3 laptop.

The laptop does connect on the WPA/WPA2 PSK (Personal) SSID on the Aerohive just not the WPA/WPA2 802.1X (Enterprise) SSID

Sorry for babbling - I was told these devices were setup and ready to go... Now it is my problem with little time to solve.

Abby Thomas

[screenshot: XP wireless connection screen]

Abby S, Employee
Ah, I see what's happening. So Windows XP by default will try to use EAP-TLS instead of EAP-PEAP to login to 802.1X SSIDs. So let's get that working first, and then we can troubleshoot the RADIUS server side. Let's see if I can still do this ;-):

1. From the wireless network connections window - go to Change Advanced Settings
2. In the Wireless Network Connection Properties - Preferred Networks - Add (if your network is already here, I think you can just click advanced)
3. Enter the name of the SSID, Choose WPA2-Enterprise, and AES encryption
4. Now you may need to either click Advanced or get back into the properties of the SSID - you want the screen with the tabs that say "Connection" and "Security". In the Security tab, make sure "Protected EAP (PEAP)" is in the dropdown. Then click Configure Settings.
5. Now on the next page, there is a check box to "Validate Server Certificate". If you are using our AP as the RADIUS server with HiveManager-generated certificates, the easiest (although slightly less secure) option is to uncheck this box. I recommend for testing purposes to uncheck it. If it works, we can continue to how to install the Certificate Authority certificate on XP so you can have a trust.
6. Final option - is the XP machine in the domain? If so, you're done: click Done and Apply as many times as it takes to exit, and try connecting to the SSID. If the machine is NOT in the domain, you need to hit "Configure" next to the EAP-MSCHAPv2 dropdown so you can uncheck the box that says to automatically use domain credentials to login.

Let me know how this goes and if it works - if you get a different error, then we can start looking at the RADIUS server :-)

Abby Thomas

[screenshot] Here is the XP setup

Abby Thomas

[screenshot] Here is the result

Abby Thomas
This time I got prompted for a username password and domain

I entered them... but still attempting to authenticate
(yes I'm on a domain)

Got the prompt again...


Abby Thomas
Hang on a bit... I've been authenticated..
I'm going to reboot.. and test it out...
This is way better than what I got from support--- thanks a bunch

Abby Thomas
OK, XP is authenticating without "Validate Server Certificate" turned on.
What would be the steps to get the certificate working?

Really appreciate this..

Tim Ruda, Official Rep
Abby,

The reason the option needs to be unchecked is that the default Aerohive certificates used on a RADIUS AP are signed by the HiveManager. When the Microsoft device attempts to validate the server certificate against its list of certificate authorities, the HiveManager is not a default Microsoft-listed CA.

There are two ways to address this problem-

1.) Use HiveManager to generate a CSR (Certificate Signing Request) which can be sent to a certificate authority to sign. The subsequent certificate, key file, and any intermediate certificates they send back can be uploaded to the RADIUS AP to use. You'll typically want to select a certificate authority that is recognized by Windows operating systems by default (Verisign / Digicert / GoDaddy etc.).

You'll find this option under Configuration > Advanced Configuration > Keys and Certificates > Server CSR.


2.) With an existing domain environment, you can push a group policy to domain members so that the HiveManager is in fact used as a trusted CA. When they try to validate our default certs, it will have this entry for HiveManager and successfully validate it to the CA.
This solution typically only works for an environment where all users are already part of the domain, and does not serve well using a BYOD network... since you would need to push the GPO to the device before it will validate the CA.

Let us know if this helps or if you have other questions.
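To make the certificate side of this answer concrete, here is an added Python example (not Aerohive's or HiveManager's code; it needs the pyca/cryptography package). It mints a constructed "HiveManager CA", issues an EAP server certificate for the RADIUS AP from a CSR the way option 1 describes, and runs the one-hop chain check a supplicant performs when "Validate server certificate" is on. The same AP certificate fails while only a stand-in public root is trusted and passes once the HiveManager CA has been added to the trust store, which is what the GPO in option 2 does; a certificate issued by the stand-in public root passes with the default store, which is what option 1 buys you. Every name, key and certificate is constructed in memory for the demo.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

ONE_DAY = datetime.timedelta(days=1)


def _now():
    # Naive UTC, matching the naive datetimes cryptography returns for not_valid_before/after.
    return datetime.datetime.utcnow()


def make_ca(common_name):
    """Self-signed CA certificate, standing in for a HiveManager-generated or public root CA."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - ONE_DAY)
        .not_valid_after(_now() + 3650 * ONE_DAY)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_server_cert(ca_key, ca_cert, server_name):
    """The CSR flow of option 1: the AP's key signs a CSR, the CA checks the CSR signature
    and issues an EAP server certificate with the serverAuth EKU Windows looks for."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, server_name)]))
        .sign(key, hashes.SHA256())
    )
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not verify")
    cert = (
        x509.CertificateBuilder()
        .subject_name(csr.subject)
        .issuer_name(ca_cert.subject)
        .public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - ONE_DAY)
        .not_valid_after(_now() + 365 * ONE_DAY)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    return key, cert


def supplicant_validates(server_cert, trusted_cas, now=None):
    """The check behind "Validate server certificate", reduced to one hop: validity window,
    serverAuth EKU, and a signature by a CA in the trust store. Returns "ok" or the reason
    the supplicant would refuse to send the user's credentials to this server."""
    now = now or _now()
    if not (server_cert.not_valid_before <= now <= server_cert.not_valid_after):
        return "certificate outside its validity period"
    try:
        eku = server_cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return "no Extended Key Usage extension"
    if ExtendedKeyUsageOID.SERVER_AUTH not in eku:
        return "certificate is not valid for server authentication"
    for ca in trusted_cas:
        if ca.subject != server_cert.issuer:
            continue
        try:
            ca.public_key().verify(server_cert.signature, server_cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), server_cert.signature_hash_algorithm)
            return "ok"
        except InvalidSignature:
            continue  # same issuer name but a different key: keep looking
    return "issuer not trusted: " + server_cert.issuer.rfc4514_string()


def demo():
    """Verdicts for: default AP cert vs. stock trust store, default AP cert after the GPO push
    (option 2), and a publicly signed AP cert vs. stock trust store (option 1)."""
    hm_key, hm_ca = make_ca("HiveManager CA (constructed)")
    pub_key, pub_ca = make_ca("Public Root CA (constructed stand-in)")
    _, ap_default = issue_server_cert(hm_key, hm_ca, "radius-ap.example.internal")
    _, ap_public = issue_server_cert(pub_key, pub_ca, "radius-ap.example.internal")
    stock_store = [pub_ca]        # what a stock Windows box trusts (stand-in)
    gpo_store = [pub_ca, hm_ca]   # after option 2 pushes the HiveManager CA by GPO
    return (supplicant_validates(ap_default, stock_store),
            supplicant_validates(ap_default, gpo_store),
            supplicant_validates(ap_public, stock_store))


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Real supplicants do more than this one hop (intermediates, revocation, and optionally the "Connect to these servers" name match), but the failing check here is the one the XP error message reflects: the issuer of the AP's certificate is simply absent from the machine's trust store, and no amount of RADIUS-side configuration changes that.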