Initial Setup of AP230 with Active Directory

I purchased 5 Aerohive AP230's back in December and was unable to get them to authenticate with Active Directory. I was told by Aerohive Support that this was because my domain name has a "." in it.

Has anyone been able to set up Active Directory authentication with AP230's that happens to have a "." in their domain name?

Or does anyone have technical documentation for setting up AP230's using one of them as a RADIUS Server?

Michael Yurick

  • frustrated that I was sold a product that appears not to work in my environment.

Posted 3 years ago


Hans Matthé

Hello Michael

I don't think the '.' should be an issue, the . is very common in domain names. Do you configure the AP as RADIUS server or are you using an external RADIUS?
We configured AP230's as RADIUS and as authenticators for external RADIUS servers, this should work perfectly. Can you describe what goes wrong?

Michael Yurick

Hi Hans,

It would just hang when I tried to authenticate wirelessly. We were using our Windows Server 2012 as the RADIUS server.

I would be happy to set up our AP230's as a RADIUS Server. Do you have documentation or know where I could find some on how to set up the AP230's as a RADIUS Server?

Thank you!

Nick Lowe, Official Rep

That's not correct for Active Directory integration.

From the documentation for AAA User Directory Settings:

Domain: Enter the Windows domain name to which the RADIUS authentication server and Active Directory server both belong, including parent domains, such as .com, .net, .org, and so on; for example, aerohive.com. The domain name can be up to 64 characters long. 

Hans Matthé

Michael

Nick is right, you only configure the IP of the NPS and the shared secret.

Nick Lowe, Official Rep

That was well timed, I removed my reply to edit the one above to make it clear that you don't need to touch AAA User Directory Settings... and Hans replied so I now can't. :D

Anyway, posting again what I had, sorry it's out of order...

-----

If you're running Network Policy Server (NPS) under Server 2012 you definitely don't want to go anywhere near AAA User Directory Settings, and no Active Directory integration is required.

I suspect this is where the confusion has arisen.

The APs are just acting as RADIUS clients when you use NPS so you just need to configure under AAA Client Settings and link to it appropriately.

Hans Matthé

Michael

You create an SSID with authentication WPA/WPA2 802.1(Enterprise), next you configure the RADIUS by entering the IP and the shared secret. Afterwards, upload the config and that's it (of course you also have to configure the user group/profiles).

Hans Matthé

You also have to configure the NPS correctly (receiving authentication requests of the AP and the shared secret should be well configured, ...)

Hans Matthé

A thing that you can do to see what's going on during the authentication process is using the client monitor (tools -> client monitor). You enter the MAC address of a client and start the association/authentication. You see more information about what goes wrong.
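
An added example, not part of the thread and not Aerohive or Microsoft code: it shows why the shared secret mentioned in the replies above has to match exactly on the AP and on the RADIUS server. For 802.1X, RFC 3579 has the server silently discard an Access-Request whose Message-Authenticator (HMAC-MD5 keyed with the shared secret) does not validate, so a mismatch appears to the client as a timeout rather than a reject. The secret, user name and NAS address are constructed sample values, and the function names are this example's own.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 4, 80

def attr(attr_type, value):
    # RADIUS attribute: type (1 byte), length (1 byte, header included), value
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret, username, nas_ip, ident=1):
    """What the AP (RADIUS client) sends: a signed Access-Request."""
    attrs = (attr(USER_NAME, username.encode())
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))  # zeroed placeholder, kept last
    packet = (struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
              + os.urandom(16) + attrs)                 # 16-byte Request Authenticator
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac                           # fill in the real HMAC

def server_accepts(secret, packet):
    """What the server checks first: recompute the HMAC with its own secret.
    False means the packet is dropped and no reply is sent."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return False                                # malformed attribute
        if attr_type == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += length
    return False  # this sketch requires the attribute, as RFC 3579 does for EAP

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread
    request = build_access_request(b"Example-Secret-1", "user@example.com", "192.0.2.10")
    print("matching secret:", server_accepts(b"Example-Secret-1", request))
    print("trailing space: ", server_accepts(b"Example-Secret-1 ", request))
```
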