New AP 245x stuck on default (guest) VLAN

  • 1
  • Question
  • Updated 2 years ago
We recently deployed two AP245x access points using the same policy as our other older APs (330, 350). We have a couple of SSIDs and a few different VLANs configured so that a supplicant gets put on a given VLAN based on how the end-user registers his/her device. We use a NAC device, so the behavior is that a user connects device to an SSID, then the NAC redirects the user to a captive portal page asking the user to login. Base on the login credentials, the user is identified as staff, student, guest, etc... and the NAC sends back a response to Aerohive telling it which VLAN to put that supplicant. This behavior is working fine with all our other APs, except for the newly deployed AP245x devices. They're getting the same exact policy as the other older APs and the configurations are identical to the ones that the older APs are using. The only difference is that the AP330 and AP350 APs are running HiveOS 6.4r1d.2111 while the new AP245x APs came with HiveOS 7.0r2 (the OS is actually displayed in HiveManager as HiveOS 7.0r2 Bay.-131568 - not sure what the "Bay..." part means).

The problem is that when a supplicant gets near the new AP245x APs, the supplicant gets automatically dumped onto the default vlan that is configured for the AP, which happens to be the guest vlan. This is the same default vlan that is in the policy used by all other APs, but that behavior is only observed on the AP245x. It's as if the AP245x APs aren't able to receive the response back from our NAC telling them which VLAN to put the supplicant on. We can observe in logs for our NAC device that the AP245x successfully send supplicants to the NAC, and the NAC responds with a VLAN id that the supplicant should be put on, based on the user credentials of the supplicant... however, the AP245x APs don't seem to be honoring that response from the NAC device and just keeps puts clients onto the default vlan that is configured in the Aerohive Network Policy.

We've contacted support and so far have not been able to find a solution to this problem. Our best guess at this point is that it's an issue with the new HiveOS that the AP245x APs are running, but we are unable to downgrade, as that is the only OS available to that model.

Any ideas or suggestions very much welcome!
Photo of Joe Adu

Joe Adu

  • 3 Posts
  • 0 Reply Likes

Posted 2 years ago

  • 1
Photo of Joe Adu

Joe Adu

  • 3 Posts
  • 0 Reply Likes
Additional information... 
Aerohive support team thought the issue was the model of our NAC, which was apparently not compatible with the new AP245x, so we were asked to upgrade our NAC to v8. We did that, but the issue still persists. Appreciate any ideas or suggestions, as this is becoming a real issues because we bought a few these APs and they aren't working as expected. We are on the verge of returning them and switching to another brand.
Photo of Joe Adu

Joe Adu

  • 3 Posts
  • 0 Reply Likes
Resolved this issue by setting the User Profile Application Sequence in the SSID settings to SSID - Mac Authentication - Captive Web Portal. We also updated our version of Bradford Networks Network Sentry NAC from v7.x to 8. Hope this is helpful to someone in the future. 
Photo of Mike Kouri

Mike Kouri, Official Rep

  • 1030 Posts
  • 271 Reply Likes
Thank you for sharing the resolution to your problem! Glad to hear you were able to get it working.