LDAP / RADIUS Setup for CWP Use

  • Question
  • Updated 4 years ago
  • Answered
We tried to set up a CWP using RADIUS/LDAP (HiveOS 6.1r3):

1. LDAP Server specified
2. RADIUS Server specified (Primary DB LDAP/Secondary Local), the RADIUS Server was set up on a SR2024P with static IP (we checked NAS client setting as shared secret and IP)
3. RADIUS Client/CWP with correct RADIUS Server IP specified

* LDAP User Lookup Server Test > stated that user lookup for correct user was successful and for a tested wrong user not successful
* RADIUS Server Test > local user tested ok stating RADIUS server available
* RADIUS Server Test > LDAP User (Access Request rejected, check Username/Password) -> username/password of that LDAP server (user lookup was correct) was successfully tested on another LDAP client service

Where could be the problem?

* Is anything to be set up on the LDAP side (any usergroup/attribute/etc?)
sbx

Posted 4 years ago

Andrew MacTaggart, Champ

Hard to say

but I would guess it is the protocol being used.

I have seen some supplicants only use PAP to the NAS and fail because the protocol was not supported or disabled.

I just tested with external RADIUS server and had to enable Authentication Method: MSCHAP for a successful result.

While using an Aerohive device as a client try different protocols, I think you have the choice of PAP, CHAP or MSCHAP.

I have tested this with ClearPass and Cisco ACS and I have to enable PAP, CHAP or MSCHAP for the test to work.


sbx

Thanks for the reply:

* I've checked all three (PAP/MSCHAPv2/CHAP) -> configured this on the CWP, correct?
* None of them had any impact.

I've also checked:
* CA certificate on LDAPS side, but didn't have any impact as well

Not sure what else could be checked:
* Is there any way to enable more detailed logging on the AP to see what exactly is happening here?

Nick Lowe, Official Rep

My suggestion would be to use port mirroring on an intermediary managed switch or an intermediary hub to get a packet capture with something like Wireshark to see what is going on.

I have to admit to never having tested in depth what HiveOS's RADIUS client behaviour is for CWP or MAC address authentication as I personally have had no direct use case for the features. I will try and do so over the next few days however.

I do, incidentally, want to test it for conformance with the RADIUS RFCs, especially to see if the Message-Authenticator is present to sign and protect the packets from tampering/forgery as many other RADIUS clients that I have tested 'forget to' for non-EAP based authentication. (Where it is missing, it is a security vulnerability, explained in RFC 5080.)

Aerohive ought to improve their implementation to protect user credentials via a TLS-based EAP type such as EAP-TTLS or EAP-PEAP... Today, as you have seen from the choices available, they do not which is a security vulnerability in the implementation. This is because user credentials can be acquired and reversed by an attacker if they are able to observe the RADIUS traffic by some means.
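
The Message-Authenticator check mentioned in the post above can be run against an Access-Request taken from a packet capture. This is an added example, not part of the original post and not HiveOS code. The shared secret, user name and sample packets are constructed placeholders; attribute type 80 and the HMAC-MD5 over the packet with the attribute value zeroed follow RFC 2869.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME = 1
MESSAGE_AUTHENTICATOR = 80  # RFC 2869 attribute type, 16-byte HMAC-MD5 value

def attributes(packet):
    """Yield (type, value_offset, value) for each attribute in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        yield packet[pos], pos + 2, packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]

def check_message_authenticator(packet, secret):
    """Classify an Access-Request as 'missing', 'invalid' or 'valid'."""
    found = [(off, val) for t, off, val in attributes(packet) if t == MESSAGE_AUTHENTICATOR]
    if not found:
        return "missing"
    if len(found) != 1 or len(found[0][1]) != 16:
        return "invalid"
    off, received = found[0]
    length = struct.unpack("!H", packet[2:4])[0]
    # The HMAC covers the whole packet with the attribute value zeroed.
    zeroed = packet[:off] + bytes(16) + packet[off + 16:length]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return "valid" if hmac.compare_digest(received, expected) else "invalid"

def build_request(secret, username, sign):
    """Constructed sample Access-Request carrying only User-Name."""
    attrs = bytes([USER_NAME, 2 + len(username)]) + username
    if sign:
        attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    packet = struct.pack("!BBH", ACCESS_REQUEST, 7, 20 + len(attrs)) + os.urandom(16) + attrs
    if sign:
        packet = packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()
    return packet

if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # placeholder, not from the thread
    for sign in (False, True):
        print(sign, check_message_authenticator(build_request(secret, b"alice", sign), secret))
```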

Eastman Rivai, Official Rep

Hi there,

Can you post the running configuration? How is the user password configured on the LDAP? Is it encrypted or clear text? An encrypted password can only work with PAP. MS-CHAP will need clear text in order to hash the password.