How to Setup a Radius Proxy With 2 Different Radius Servers

  • Question
  • Updated 10 months ago
We are a school district with roughly 250 schools that up until recently were all on their own separate networks.  We now have most of them on a single WAN, but most sites are still running their own separate Windows Domains.  We have Windows Radius Server (NPS) setup on each school server to authenticate staff/student personal devices against their user account on the school server.
Now that we want to move to a single Windows Domain, we need to setup a Radius (NPS) server in this new domain and are adding a new SSID to allow District Transient staff to travel to any site and get authenticated against this new Radius Server while still allowing the old Radius server in each site to work for local authentication for local staff/students on their current SSID.
We would like to leverage the Radius Proxy feature of Aerohive on this new domain so that we don't have to enter the IP of every AP at a particular site as a Radius Client on the new NPS server, but rather would simply need to add the IP of the Radius proxy for that site.  Can we achieve this in our current setup, have two different Radius Servers, one for each of the two SSIDs, the old one not using Radius Proxy (authenticating against the local school server) and the new one using Radius Proxy (authenticating against the new district domain) and if so, how can we achieve this?
Finding the topic of Radius Proxy and its configuration a little on the confusing side, any help would be great, thanks!
Peter Walach
Posted 1 year ago
Carsten Buchenau, Champ
Absolutely!


First you choose one AP to act as Radius Proxy and configure it with a static IP. Ideally you should always have 2 per site, for redundancy reasons, but for simplicity of this text I am assuming 1 for now. This AP is your Proxy AP.


You then configure 3 "AAA Client Settings" Objects:


1) One referencing your old Radius Servers. This object will be linked directly with your old SSID as Radius object.


2) One referencing your Proxy AP as Radius Server. This object will be linked directly with your new SSID as Radius object.


3) One referencing the central new Radius Servers. See next point...


Next step is to create a RADIUS Proxy object. Here you are referencing the 3rd AAA Client Object you had previously created - the one with your central new Radius Servers.


And finally, you configure your Proxy AP again and select under Service Settings / Device Radius Proxy your Proxy object.


The trick to understand is this:

- For your Access Points the Proxy is a full Radius server. They don't know it's a Proxy - hence they need normal AAA Client Settings.

- For your central Radius Server the Proxy is an Access Point, it does not know it's a Proxy - hence you configure the Proxy with AAA Client Settings as well.

- The Proxy object itself is just a way to link those AAA Client settings to the AP acting as Proxy.


Hope that helps...
(Edited)
Peter Walach
Thanks for the quick reply and great description, makes sense.  Having never setup a Radius Proxy before, I am a little confused as to what to enter for the preferences under Realms and then what to enter under the RADIUS Clients/NAS Settings sections based on what you have described above.  Thanks again for your help with this.
Peter Walach
Oh, and do I need to specify anything under Realm Settings, i.e. change it from the default of NAI (Network Access Identifier) to Windows NT Domain?
(Edited)
Carsten Buchenau, Champ
It depends a bit if you want users to log in as username, username@domain or domain\username.

In the screenshot below we strip all realm names (= all domain parts), no matter if provided or not. NAI means we expect username@domain (if domain part is provided).
The 3rd entry matches the local domain we use in this network.

See more precise explanations to realm name, default, null etc. here:
http://docs.aerohive.com/330000/docs/...



RADIUS Clients/NAS Settings: Ah, yes :-) The IP Object must match all Access Points that use this AP as Radius Server. The Shared Secret (important!) must be configured as well inside the AAA Clients Object for all those Access Points.
Peter Walach
Hi Carsten,

Thanks again for your assistance.  I managed to get this working fine in my test site using the instructions you have provided.

The issue I have now is that when I try and set this up in a second school/site, when I add the new SSID to this Network Profile, it keeps all of the settings from when I configured it on the Network Profile for my test site.  Thus, I can't change the Authentication for this SSID to the Radius Proxy for this second site as it's locked on using the Radius Proxy for the first site.  We have about 120 sites, each with their own Network Policy and each site requiring a Radius Proxy, but the new SSID can only have one Radius Proxy specified for it.  How do I get around this issue?  Thanks again in advance.

Carsten Buchenau, Champ
So you'd like to avoid having to create 120 SSID profiles, right? ;-)

When you configure your AAA Client profile that is linking to your Radius Proxy APs, you configure the IP addresses of your Radius Proxy APs inside an IP/host-name object. And here you actually have the possibility to define the chosen IP address dynamically, based on several mechanisms. The one I am using most is the device tag. Have a look at this example:



If no device tag is set, the Proxy AP with IP 10.0.0.99 is used. But if Tag1 is set to "Site1", then the Proxy AP with IP 10.0.1.99 is used.

To make this work you must then configure all APs at Site1 with device tag "Site1" etc.

By the way, this mechanism works for other objects as well, e.g. VLAN objects. Very handy... And I would not be surprised if you find out that you could actually handle all your sites with only one Network Policy.

Cheers,
carsten
Eric Kloss
Is there any way to use Tags for redundancy as well? 

I want to deploy only a handful (maybe 6) Radius Proxies and have APs in multiple branches pointed to each. I'm looking for a way to redirect the RADIUS traffic if that original proxy target is down or inaccessible that would be dynamic, i.e. the branches in this county have priority A,B,C while branches in County 2 have priority (or tags) C,A,B.

Any advice would be awesome. Thanks.
(Edited)
Carsten Buchenau, Champ
Eric,

Exactly as I wrote in my last comment above, by using device-tags in IP-Objects that define your Radius Proxy servers.

For example, you configure your AAA-Client-Settings Object with Radius servers like this:

Primary: Radius-Proxy-1
    if device-tag1 = A then 10.0.0.1
    if device-tag1 = B then 10.0.0.2
    global (no tag or not matching) = 10.0.0.3
Backup1: Radius-Proxy-2
    if device-tag1 = A then 10.0.0.2
    if device-tag1 = B then 10.0.0.3
    global (no tag or not matching) = 10.0.0.1
Backup2: Radius-Proxy-3
    if device-tag1 = A then 10.0.0.3
    if device-tag1 = B then 10.0.0.1
    global (no tag or not matching) = 10.0.0.2

You need to play around with this a bit, and then you see how it works :-)
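As an added illustration (not code from the thread or an Aerohive feature), this Python model shows how the device-tag resolution from the Site1/10.0.1.99 example and the Primary/Backup1/Backup2 layout above combine: each IP object resolves to exactly one address per AP tag and never fails over by itself, so redundancy comes only from the ordered list. Tag values, addresses and the "reachable" set are constructed from the post.

```python
"""Model of device-tag-based RADIUS proxy selection as described in the thread.

Each IP/host-name object maps a device tag to an address and has a global
fallback used when the AP has no tag or no matching tag. The AAA Client object
lists three such objects in order (Primary, Backup1, Backup2).
"""
from typing import Dict, List, Optional, Set

# One IP object: per-tag address plus the "global" fallback.
IpObject = Dict[str, str]

# Constructed from the example in the post (device-tag1 -> address).
RADIUS_PROXY_OBJECTS: List[IpObject] = [
    {"A": "10.0.0.1", "B": "10.0.0.2", "global": "10.0.0.3"},  # Primary
    {"A": "10.0.0.2", "B": "10.0.0.3", "global": "10.0.0.1"},  # Backup1
    {"A": "10.0.0.3", "B": "10.0.0.1", "global": "10.0.0.2"},  # Backup2
]


def resolve_ip_object(obj: IpObject, device_tag1: Optional[str]) -> str:
    """Resolve one IP object for an AP: a matching tag wins, otherwise global.

    Note that reachability plays no role here; the object is static per tag.
    """
    if device_tag1 is not None and device_tag1 in obj:
        return obj[device_tag1]
    return obj["global"]


def proxy_order(device_tag1: Optional[str]) -> List[str]:
    """Ordered Primary/Backup1/Backup2 proxy addresses for an AP with this tag."""
    return [resolve_ip_object(obj, device_tag1) for obj in RADIUS_PROXY_OBJECTS]


def select_proxy(device_tag1: Optional[str], reachable: Set[str]) -> Optional[str]:
    """First reachable proxy in the AP's order, or None when all are down.

    This is the failover the ordered list provides; a single IP object cannot.
    """
    for address in proxy_order(device_tag1):
        if address in reachable:
            return address
    return None


if __name__ == "__main__":
    for tag in ("A", "B", None):
        print(tag, proxy_order(tag))
    # Constructed outage: 10.0.0.1 is down. Site A fails over to 10.0.0.2,
    # site B still uses its own primary 10.0.0.2, untagged APs keep 10.0.0.3.
    up = {"10.0.0.2", "10.0.0.3"}
    print(select_proxy("A", up), select_proxy("B", up), select_proxy(None, up))
```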
Eric Kloss
I've got the dynamic aspect of the proxies where tag1 on the AP = tag1 Proxy. What I'm struggling to figure out is if there's a way to create redundancy with tags so I wouldn't have to configure every location with Primary, Backup1, Backup2, etc.

For example: 

Location A is using Tag 1 to find its proxy, no problem, it's using Proxy 1 to authenticate. Proxy 1 goes down for whatever reason, I would like it to dynamically reach out to next in line, Proxy 2.

Again, I know this can be done in the Radius configuration but there is a ton of overhead to order all of the Proxies on each network policy (branch).

Thanks.
Carsten Buchenau, Champ
There is no redundancy / round-robin in IP-address Objects, if this is what you are looking for. If the Proxy address is resolved via Tag-1 to 10.0.0.1, for example, and 10.0.0.1 goes down, there is no way this same IP address object suddenly gives back 10.0.0.2.

But I really don't see the problem with Primary and Backup1 - this gives you all the flexibility you need! And you still have only one Network Policy, one AAA Client Radius Profile for Access Points (and one for the Proxies) and one Proxy Profile. Couldn't be any better ;-)