PPSK clients at remote location cannot authenticate, HMNG VM

  • 1
  • Question
  • Updated 10 months ago
Our guest clients at a remote site cannot log into the guest SSID which is using PPSK auth.
We have the following setup:
Hive Manager NG VM at main site.
IPsec tunnel to remote site.
2 APs at remote site. They are connected to the HMNG.
Different IP ranges at main site and remote site; however, both networks can reach each other, there are no limitations. RADIUS auth against a Windows RADIUS server situated at the main site works.

2 APs at the main site are listed as having the role of a RadSec proxy. The APs at the remote site, however, state every once in a while that the RadSec proxy could not be reached.

When a client tries to connect via PPSK at the remote site, I get an error entry in the log: Issue type "authentication", "Guest Access Unreachable".
When I look at the details I see: Could not reach the "hostname-of-hive-manager" ID Manager server at "ip-address-of-access-point".

Any idea what goes wrong here? Option 225 was set, but the APs apparently had some problems identifying the Hive Manager, so I gave them the CAPWAP address via SSH and they promptly showed up in the Hive Manager; I continued configuring them from there.
Tobias Protz

Posted 10 months ago

  • 1
Hans
Hello Tobias
Maybe because the RadSec proxy port is blocked outbound on the firewall? I believe it is TCP 2083.
Tobias Protz
I thought so too, but there is no active firewall between the two networks: all ports are open for all protocols, and everything is sent through the same tunnel.
Is port 2083 also used for the APs to communicate with the 2 APs currently elected as RadSec proxies? Or just between those two and the HMNG?

I also tried adding the other network to the "internal network only" firewall policy, but that one is apparently not used for the settings of the HMNG itself, but only in network settings inside SSIDs that are rolled out.
Tobias Protz
Addition: I can connect to port 2083 on my HiveManager NG VM from a different machine that is in the same subnet as the APs are.
Now I am really running out of ideas.
Hans
Tobias
You can configure the password DB to be placed locally instead of in the cloud; does this do anything? You can configure it under the user group settings (Password DB location).
Tobias Protz
I already have 30 APs up and running at my main location, and I need to use the same user DB. I don't think that I can change the location of the active DB for all user groups, can I? (I have several, with dozens of already registered users that need to stay active with their current passwords; user groups are separated by password validity duration.)
Putting the passwords on the devices also negates the option of using a CWP or renewing the passwords; both are needed functions.

Still, I am able to configure the APs from the HMNG VM, and I can reach the HMNG VM and TCP port 2083 from a machine in the same subnet as the APs.
Tobias Protz
For anyone having the same problem, the solution was provided by a very nice Aerohive employee:
Create a second Hive for the remote location, even though both locations can "see" each other without restrictions through the IPsec tunnel. Assign it to the configuration for the branch office (create a separate one if necessary; you can recycle your SSIDs with all their settings in it).
Do a full update, not a delta update.

Then, after creating it, select all APs from the branch office and choose "Actions -> Reset IDM Client Certificate".
Then they should elect a local RadSec proxy after a few minutes; it took almost 15 minutes here.