Machine Authentication with AP Radius Server (no external NPS)?

  • 1
  • Question
  • Updated 5 years ago
  • Answered
I am trying to set up an SSID for our internal network that will only allow domain joined computers to access the network. For this SSID I am not concerned with the user account that a user is logged in with.

The simplest option seemed to be to use the inbuilt RADIUS server in the Access Points rather than setting up another external NPS server (either FreeRadius or Windows Radius). I have worked through example 4 of the following guide - http://www.aerohive.com/330000/docs/h...

I have everything set up in HiveManager and have distributed Wireless Settings and the Trusted Root Cert via GPO. Domain joined computers connect to the SSID and have network connectivity at the log in prompt.

However, a user can take a personal non-domain-joined computer, click on the SSID, enter their AD username/password, accept the certificate warning and get onto the internal SSID. From reading around this forum it seems that I need to only be using Machine rather than User Authentication, and in all of the discussions people are using an external NPS rather than the built-in AeroHive AP RADIUS - http://community.aerohive.com/aerohiv... and http://community.aerohive.com/aerohiv...

My question is, can this be achieved using the inbuilt Aerohive AP Radius (and if so how) or do I need to set up an external NPS?

Jack Davidson

  • 2 Posts
  • 0 Reply Likes

Posted 5 years ago

  • 1

thewifigeek, Champ

  • 86 Posts
  • 12 Reply Likes
Aerohive APs essentially map users (based on AD/LDAP attributes) to user profiles. If you want to progress with AP RADIUS then you could map domain users into a "dead" user profile - VLAN assigned to nothing.

If you deploy NPS on another domain-member server then you set up RADIUS > Network Policy > conditions to key on NAS-Port-Type=Wireless and Windows-Group=Domain Computers.

For your stated purpose I would go the NPS approach.

My 2 cents.

Jack Davidson

  • 2 Posts
  • 0 Reply Likes
Thanks, so just to clarify: if I go to 'AAA Server Settings' and 'LDAP Server Attribute Mapping', I select for instance Domain Users and link that group to an AeroHive User Profile that doesn't have a VLAN assigned.

Will that stop people connecting using their domain username/password from a non-domain-joined laptop, but still allow domain-joined computers to connect to the SSID at the login prompt before anyone has logged in?

This seems the only thing to try before we look at implementing an NPS... which isn't a massive problem but I wanted to keep things as simple as possible.

Thanks

thewifigeek, Champ

  • 86 Posts
  • 12 Reply Likes
You will require a VLAN assigned under the User Profile; however, the VLAN will not be available on the switch. The user will connect, map to this User Profile and not get a correct DHCP address (169.x.x.x).

The preference is NPS so the authentication will be denied.

thewifigeek, Champ

  • 86 Posts
  • 12 Reply Likes
If you would like to progress with the Aerohive RADIUS approach then I would recommend creating an Internet_only (VLAN + FW policy) user profile then you can assign your Domain Users to this VLAN so at minimum they have Internet access rather than 169.x.x.x address.

Hope this helps.

Roberto Casula, Champ

  • 231 Posts
  • 111 Reply Likes
Just to note that if you are using the "memberOf" attribute in Active Directory to match on group membership (which is the default attribute in the AAA Directory Settings screen), the one group you will not be able to match on is the user account's Primary Group (which by default will be "Domain Users" for user accounts and "Domain Computers" for computer accounts). This is because the Primary Group is not added to the memberOf attribute for reasons best known to someone at Microsoft with a pathological hatred of IT professionals.

Also, if you map groups that you don't want to authenticate to a specific "dummy" user profile with a "dummy" VLAN as described earlier, you can actually have such users be automatically disconnected by the AP - to achieve this, you need to ensure that user profile is NOT in the list of allowed user profiles for that SSID and then check the checkbox "Only the selected user profiles can be assigned via RADIUS for use with this SSID" with action "Disconnect".
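Added example, not written by any poster in this thread and not Aerohive's or Microsoft's code: a small Python model of the two decisions discussed above, thewifigeek's NPS policy (NAS-Port-Type = Wireless, Windows-Group = Domain Computers) and Roberto's attribute-mapping approach with its memberOf caveat. The directory entries, RADIUS requests, profile names and the domain example.test are constructed; the RID values 513 (Domain Users) and 515 (Domain Computers) and the NAS-Port-Type values 19 (Wireless-IEEE 802.11) and 15 (Ethernet) are the standard ones. The `primaryGroupID` resolution is what a matcher needs in addition to `memberOf` to see the primary group; how the AP behaves when no group maps at all is outside the model and reported as `unmapped`.

```python
"""Model of the NPS policy and the Aerohive attribute-mapping decision
(added example with constructed data, not the thread's own code)."""
from dataclasses import dataclass

DOMAIN_USERS_RID = 513                # well-known RID of "Domain Users"
DOMAIN_COMPUTERS_RID = 515            # well-known RID of "Domain Computers"
NAS_PORT_TYPE_WIRELESS_80211 = 19     # RFC 2865 "Wireless - IEEE 802.11"
NAS_PORT_TYPE_ETHERNET = 15           # RFC 2865 "Ethernet"

# Constructed: what a lookup of the default groups in the hypothetical
# domain example.test would return, keyed by RID.
GROUP_DN_BY_RID = {
    DOMAIN_USERS_RID: "CN=Domain Users,CN=Users,DC=example,DC=test",
    DOMAIN_COMPUTERS_RID: "CN=Domain Computers,CN=Users,DC=example,DC=test",
}


@dataclass
class DirectoryEntry:
    """The AD attributes that matter for group matching."""
    dn: str
    member_of: list        # memberOf: never lists the primary group
    primary_group_id: int  # primaryGroupID: RID of the primary group


def cn_of(dn):
    """Value of the first RDN of a DN, e.g. 'Domain Users'."""
    return dn.split(",")[0].split("=", 1)[1]


def groups_from_member_of(entry):
    """What a matcher keyed only on memberOf sees (Roberto's caveat)."""
    return [cn_of(dn) for dn in entry.member_of]


def effective_groups(entry):
    """memberOf plus the primary group resolved via primaryGroupID."""
    groups = groups_from_member_of(entry)
    primary_dn = GROUP_DN_BY_RID.get(entry.primary_group_id)
    if primary_dn is not None:
        groups.append(cn_of(primary_dn))
    return groups


def nps_style_decision(request, entry):
    """NPS-like policy: NAS-Port-Type = Wireless AND Windows-Group =
    Domain Computers. The group check includes the primary group, so a
    computer account whose only group is Domain Computers is accepted."""
    if request.get("NAS-Port-Type") != NAS_PORT_TYPE_WIRELESS_80211:
        return "no-match"        # policy does not apply to this request
    if "Domain Computers" in effective_groups(entry):
        return "access-accept"
    return "access-reject"       # a user on a personal laptop lands here


# Aerohive-side model: AD group -> user profile via attribute mapping;
# the SSID allows only listed profiles and disconnects the rest.
ATTRIBUTE_MAP = {                     # constructed profile names
    "Domain Computers": "Corp-Machines",
    "Domain Users": "Dummy-NoAccess",
}
SSID_ALLOWED_PROFILES = {"Corp-Machines"}


def aerohive_decision(entry, resolve_primary_group):
    """'connect:<profile>', 'disconnect' (profile not allowed on the SSID),
    or 'unmapped' (no group matched any mapping; AP default behaviour is
    outside this model)."""
    groups = (effective_groups(entry) if resolve_primary_group
              else groups_from_member_of(entry))
    for group in groups:
        profile = ATTRIBUTE_MAP.get(group)
        if profile is None:
            continue
        if profile in SSID_ALLOWED_PROFILES:
            return "connect:" + profile
        return "disconnect"
    return "unmapped"


# Constructed sample accounts and RADIUS requests.
LAPTOP01 = DirectoryEntry("CN=LAPTOP01,CN=Computers,DC=example,DC=test",
                          [], DOMAIN_COMPUTERS_RID)
USER01 = DirectoryEntry("CN=user01,CN=Users,DC=example,DC=test",
                        ["CN=Staff,CN=Users,DC=example,DC=test"], DOMAIN_USERS_RID)
WIRELESS_REQUEST = {"User-Name": "host/LAPTOP01.example.test",
                    "NAS-Port-Type": NAS_PORT_TYPE_WIRELESS_80211}
WIRED_REQUEST = {"User-Name": "host/LAPTOP01.example.test",
                 "NAS-Port-Type": NAS_PORT_TYPE_ETHERNET}

if __name__ == "__main__":
    print("memberOf only:", groups_from_member_of(LAPTOP01),
          "with primary group:", effective_groups(LAPTOP01))
    print("NPS:", nps_style_decision(WIRELESS_REQUEST, LAPTOP01),
          nps_style_decision(WIRELESS_REQUEST, USER01))
    print("AP mapping:", aerohive_decision(LAPTOP01, resolve_primary_group=False),
          aerohive_decision(LAPTOP01, resolve_primary_group=True),
          aerohive_decision(USER01, resolve_primary_group=True))
```

Running the script shows the failure mode Roberto describes: with `memberOf` alone the computer account has no groups at all, so a mapping on "Domain Computers" never fires; once `primaryGroupID` is resolved the same account maps to the allowed profile, while a user account maps to the dummy profile and is disconnected.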

thewifigeek, Champ

  • 86 Posts
  • 12 Reply Likes
Ahh, nice trick Roberto. The other alternative is to assign an Identity Based Tunnel Policy to the dummy user profile, and this will also simulate a disconnect user experience. This method doesn't rely on RADIUS.

Jack you have two viable options.

Hopefully this answers your original question.

Mike Kouri, Official Rep

  • 1030 Posts
  • 271 Reply Likes
Wow, TWO champs chiming in, both with excellent answers! Way to go, guys, I'm really glad to see community members helping other community members!