Need help with setting up AD integration

  • Question
  • Updated 3 years ago
  • Answered
Hi there,

I have been trying to get AD integration working with an Aerohive 330 AP and I am having absolutely no luck. Essentially what I want to happen is the user jumps onto the wireless network, the AP authenticates to my RADIUS server running on my Windows 2003 server, they enter their network credentials and they are allowed access onto the network.

I have configured the aaa user directory settings and the aaa server settings to use an external ad server. The config page successfully drew from the AD environment.

When I go to test the system tells me Error: local RADIUS server does not enabled.

If someone could please just point me to a configuration document or a step by step guide to achieve this I would be very grateful. I don't want to have to roll out certificates on the client side either please.

Al Pacino

Posted 5 years ago


Gary Smith, Official Rep

Hi Al Pacino,

Have you taken a look at the guide here?

By the way, there is lots of great information in the Help guide on HiveManager and here;

Kind Regards,
Gary Smith

Abby S, Employee

Hi Al,

One quick thing to note here: do you want to use the RADIUS server on your Windows 2003 server or do you want to use the RADIUS integrated into HiveOS? If you want to use your external Win2k3 server, the only option you need to configure is the AAA Client Settings. In fact, you are only prompted for this option when configuring an SSID in the Network Policy workflow. The AAA User Directory and AAA Server are for when you want to use a HiveOS device as a RADIUS server.

Lenya

I know this post is quite old, but I'll ask away nonetheless.
I want our employees to connect to internal resources via WiFi, using Active Directory; but I don't want the Access Points to act as RADIUS servers. How do I set up my WiFi and the AD to accomplish this? I was looking for a guide to do that, but wasn't successful. Any hint is appreciated.

Mohanantass

I am trying to retrieve the directory information and I get the following error: "Directory information could not be retrieved because the Aerohive RADIUS server does not have DNS server settings in its configuration." But my AP is online in HiveManager. I am using HMOL; do I need to open any ports for AD integration and authentication?

Please advise.

Abby S, Employee

You do not need to open ports to HiveManager because keep in mind that HiveManager is just displaying what is happening on the AP. We are not a controller solution, so even complex features like AD integration happen directly on the AP :-). Now there are some prerequisites that have to be met in order to make an AP into a RADIUS server and connect to your AD. Mainly, the AP needs to have a static IP address and needs DNS configured statically as well (preferably the DNS that will resolve your domain name. Often this is the same IP as your AD server). The static IP and DNS server can be configured directly from the AAA Server configuration settings for the AP you want to turn into a RADIUS server.

Andy Gascoigne

I've been trying to do this under 6.41 but could not get anything to work. I've since discovered that I can add MAC authentication but only using PAP (unencrypted) which isn't ideal. Trying either CHAP or MS-CHAPV2 doesn't work. I find the documentation on this very vague or out of date. I have added some basic MAC-based users for my wifi devices into my AD using this guide (but blocked them from being able to log in using group policy) and this works, however it's not secure. Ideally I want to have an encrypted method in use,

Nick Lowe, Official Rep

CHAP and CHAPv2 do work. I would therefore review the configuration that you have at the RADIUS server and any logs there. Remember that it is plain CHAP or CHAPv2, and not encapsulated in an EAP type, such as PEAP with an inner of CHAPv2.

As the client MAC address is also, by design/spec, intentionally unencrypted in the Calling-Station-Id attribute, I wouldn't worry too much here! A client MAC address isn't in any way security sensitive information.

HiveOS currently sends the client MAC in the User-Name attribute too.

(You should technically make sure that you auth off of the Calling-Station-Id attribute value once you have accepted the username/password presented via PAP/CHAP/CHAPv2 as the Service-Type attribute has a value of Call-Check.)

(It would be nice for HiveOS to be able to use a fixed username and password for MAC address authentication. At that point, it would make sense to use stronger encryption for the credentials.)
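
Added example, not part of any post in this thread and not HiveOS or RADIUS server code: a sketch of the server-side decision described in the last reply, where a plain CHAP response is checked first and the accept/reject decision is then keyed off Calling-Station-Id for Call-Check requests. It assumes the request attributes are already decoded into a dict and that the MAC-auth password is the same string as User-Name; all function names and the sample MAC addresses are hypothetical.

```python
import hashlib
import hmac
import re

SERVICE_TYPE_CALL_CHECK = 10  # RFC 2865 section 5.6, Service-Type value "Call Check"

def normalize_mac(value: str) -> str:
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", value)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {value!r}")
    return digits.lower()

def chap_ok(chap_password: bytes, challenge: bytes, password: bytes) -> bool:
    """RFC 2865 5.3: attribute = ident (1 byte) + MD5(ident + password + challenge)."""
    if len(chap_password) != 17:
        return False
    ident, response = chap_password[:1], chap_password[1:]
    expected = hashlib.md5(ident + password + challenge).digest()
    return hmac.compare_digest(response, expected)

def authorize(attrs: dict, allowed_macs: set) -> tuple:
    """Return (accept, reason) for one decoded Access-Request."""
    if attrs.get("Service-Type") != SERVICE_TYPE_CALL_CHECK:
        return False, "not a Call-Check request"
    try:
        station = normalize_mac(attrs.get("Calling-Station-Id", ""))
    except ValueError:
        return False, "missing or malformed Calling-Station-Id"
    # Assumption: the MAC-auth password is the same string as User-Name.
    password = attrs.get("User-Name", "").encode()
    if not chap_ok(attrs.get("CHAP-Password", b""),
                   attrs.get("CHAP-Challenge", b""), password):
        return False, "CHAP response mismatch"
    # The allowlist lookup uses Calling-Station-Id, never User-Name.
    if station not in allowed_macs:
        return False, "Calling-Station-Id not allowed"
    return True, "accepted on Calling-Station-Id"

def build_request(user_name: str, station_id: str, service_type: int = 10) -> dict:
    """Constructed sample request with a valid plain-CHAP response."""
    ident, challenge = b"\x07", bytes(range(16))
    digest = hashlib.md5(ident + user_name.encode() + challenge).digest()
    return {"User-Name": user_name, "Calling-Station-Id": station_id,
            "Service-Type": service_type, "CHAP-Password": ident + digest,
            "CHAP-Challenge": challenge}

ALLOWED = {normalize_mac("00-11-22-AA-BB-CC")}  # constructed allowlist
```

A request whose User-Name carries an allowed MAC but whose Calling-Station-Id does not is rejected, because the credential only proves knowledge of a MAC string.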