RADIUS authentication always authenticates to default group

  • Question
  • Updated 2 years ago
I have begun setting up RADIUS based authentication for our organisation, with the intent of using Aerohive's RADIUS authenticating using our Active Directory. When a user is a member of a group, they get access and when a user is not a member of a group, they get no access.

Up to now I have the following working, using the RADIUS test tool:

When testing my account (which is a member of a group) it returns:

RADIUS server is reachable. Get attributes from RADIUS server: User-Attribute-ID:0=25; Session-Timeout=1800;

When testing my account (when its removed from the group) it returns:

RADIUS server is reachable. Get attributes from RADIUS server: None

I basically know in essence it's detecting authentication properly, and integrating with Active Directory. I also generated Windows CA certificates and the main server cert on the HiveManager was changed to a Windows domain based one. When I have a single 'Wireless_EAP' profile, Active Directory authentication works and I can get on the WIFI fine, assigning the right VLAN IP.

However, when it comes to the denial of access, I know because the user is still in AD, Aerohive will assign the user to the default user profile anyway, which in the end grants access with a single user profile set up. So I created a 'blackhole' user group to initially test, by assigning that profile a VLAN of 18, and my main WIFI profile EAP_Users 175. I set the default profile to 'DeniedUsersBlackhole' and the authentication profile to 'Wireless_EAP'.

However, the problem with this is that no matter whether I am a member of the group or not, it adds me into the Blackhole user profile by default.

I wasn't concerned by making the Blackhole profile unroutable yet, because I want to see it get a different IP to verify if users are dropping into the wrong Aerohive user profile. Basically, because when I connect I get a routable IP with the VLAN from the Blackhole profile, I know I'm not being assigned to Wireless_EAP properly. But when I revert Wireless_EAP to the default profile, I get an IP from its VLAN.

Can anyone assist as to why when I set the default profile to my blackhole profile, no matter if users authenticate as per AAA rules, they still go in that group and not the authentication one?

ourkidpauluk

  • 1 Post
  • 0 Reply Likes

Posted 2 years ago

Dawn Douglass

  • 67 Posts
  • 3 Reply Likes
It's a little difficult to figure out what the problem is with the information provided. However, my suspicion is that the RADIUS Tunnel-Pvt-Group-ID value set in the NPS policy does not match the attribute # in the Hive user profile. Does it sound like I could be on the right track?
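To make the suspicion above concrete, here is an added example (not Aerohive, HiveManager or NPS code) that decodes the attribute section of a RADIUS Access-Accept and models how a controller picks a user profile from it. The attribute type numbers (Session-Timeout = 27, Tunnel-Type = 64, Tunnel-Medium-Type = 65, Tunnel-Pvt-Group-ID = 81) and the tag-byte handling come from RFC 2865 and RFC 2868; the `select_profile` decision rule, the `profiles` mapping and the sample reply bytes are assumptions constructed for this example. The point it illustrates is the thread's symptom: the reply can carry `Tunnel-Pvt-Group-ID = 25` and `Session-Timeout = 1800` exactly as the RADIUS test tool shows, yet if no user profile is configured with attribute 25 (or the value is not numeric), the client silently lands in the default profile, which is why the default must be the deny/blackhole profile and the attribute numbers must match.

```python
"""Decode RADIUS Access-Accept attributes and model user-profile selection.

Added example for this thread; not code from Aerohive, HiveManager or NPS.
Attribute type codes follow RFC 2865 / RFC 2868. The selection rule,
the profile mapping and the sample reply are constructed assumptions.
"""
import struct
from typing import Dict, List, Optional

# Real RADIUS attribute type codes (RFC 2865 / RFC 2868).
SESSION_TIMEOUT = 27
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PVT_GROUP_ID = 81


def build_attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS AVP as type(1) length(1) value, length includes the header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(blob: bytes) -> Dict[int, List[bytes]]:
    """Walk a list of AVPs and return {type: [raw values]}; rejects malformed lengths."""
    attrs: Dict[int, List[bytes]] = {}
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        attrs.setdefault(attr_type, []).append(blob[i + 2 : i + length])
        i += length
    return attrs


def tunnel_pvt_group_id(attrs: Dict[int, List[bytes]]) -> Optional[str]:
    """Return the group id string; a leading byte in 0x00..0x1F is a tag (RFC 2868) and is stripped."""
    values = attrs.get(TUNNEL_PVT_GROUP_ID)
    if not values:
        return None
    raw = values[0]
    if raw and raw[0] <= 0x1F:
        raw = raw[1:]
    return raw.decode("ascii", errors="replace")


def session_timeout(attrs: Dict[int, List[bytes]]) -> Optional[int]:
    """Session-Timeout is a 4-byte big-endian integer of seconds."""
    values = attrs.get(SESSION_TIMEOUT)
    if not values or len(values[0]) != 4:
        return None
    return struct.unpack("!I", values[0])[0]


def select_profile(attrs: Dict[int, List[bytes]], profiles: Dict[int, str], default_profile: str) -> str:
    """Hypothetical controller rule: `profiles` maps the attribute number configured on
    each user profile to its name. A numeric group id that matches a configured
    attribute wins; a missing, non-numeric or unmapped value falls back to the default."""
    group_id = tunnel_pvt_group_id(attrs)
    try:
        number = int(group_id) if group_id is not None else None
    except ValueError:
        number = None
    return profiles.get(number, default_profile) if number is not None else default_profile


# Constructed Access-Accept attribute section: tagged VLAN tunnel attributes (tag 1),
# group id "25" and a 1800 s session timeout, matching what the test tool reported.
ACCEPT_WITH_GROUP_25 = (
    build_attribute(TUNNEL_TYPE, bytes([1, 0, 0, 13]))        # tag 1, Tunnel-Type VLAN (13)
    + build_attribute(TUNNEL_MEDIUM_TYPE, bytes([1, 0, 0, 6]))  # tag 1, Tunnel-Medium-Type IEEE-802 (6)
    + build_attribute(TUNNEL_PVT_GROUP_ID, b"\x01" + b"25")     # tag 1, Tunnel-Pvt-Group-ID "25"
    + build_attribute(SESSION_TIMEOUT, struct.pack("!I", 1800))
)
# Constructed reply for a user outside the AD group: Access-Accept with no attributes.
ACCEPT_NO_ATTRIBUTES = b""

if __name__ == "__main__":
    default = "DeniedUsersBlackhole"
    for label, mapping in (("matching attribute", {25: "Wireless_EAP"}),
                           ("mismatched attribute", {175: "Wireless_EAP"})):
        attrs = parse_attributes(ACCEPT_WITH_GROUP_25)
        print(f"{label}: group id {tunnel_pvt_group_id(attrs)}, "
              f"timeout {session_timeout(attrs)}s -> {select_profile(attrs, mapping, default)}")
    print("no attributes ->", select_profile(parse_attributes(ACCEPT_NO_ATTRIBUTES), {25: "Wireless_EAP"}, default))
```

Running it shows the two outcomes side by side: with a profile configured for attribute 25 the client gets `Wireless_EAP`; with the profile configured for 175 instead, the same Access-Accept lands in `DeniedUsersBlackhole`, which is the behaviour described in the question. A reply carrying no attributes also falls through to the default, so the default profile is the safety net and should be the one that grants nothing.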