RADIUS authentication for HiveManager Classic doesn't work after upgrade to 8.1r1

  • Question
  • Updated 6 months ago
Hello, 

We've upgraded our on-prem HiveManager to version 8.1r1, and we were suddenly not able to log on with our AD credentials any more. Nothing changed in the RADIUS configuration, while we see on the NPS (RADIUS) that we get full access ('Network Policy Server granted access to the user'). But the web interface says: "The login information you entered does not match an account on record. Please try again."
Is this a known issue on 8.1r1?

Thanks in advance 
joy


Posted 8 months ago

Nick Lowe, Official Rep

Hi Joy,

What RADIUS attributes are you returning in the Access-Accept?

Are you returning the AH-HM-Admin-Group-Id VSA?

If you are not returning one of the predefined values below, are you returning a user group attribute number that maps to a defined admin group?

VALUE   AH-HM-Admin-Group-Id            Read-Only-Admin         0

VALUE   AH-HM-Admin-Group-Id            Super-Admin             1

VALUE   AH-HM-Admin-Group-Id            Read-Write-Admin        2

I suspect that NPS may be misconfigured.

Please can you first ensure that you have the applicable Aerohive dictionary imported and that you are only returning the AH-HM-Admin-Group-Id VSA in the Access-Accept.

HM 8.0r1 and later are stricter about having the correct RADIUS attributes returned.

Thanks,

Nick
joy

Hi Nick, 

The NPS doesn't return one of the above attributes. It always worked for the previous versions without these attributes. Will configure this in the NPS and let you know.

Thanks much for your reply, appreciated.

Joy
joy

Hi Nick, 

I'm trying to configure a VSA. What's the attribute number for AH-HM-Admin-Group-Id? How should the VSA be configured in the MS NPS? See the image below.

Kind regards, 
joy

OK, have fixed this.

Vendor code 26928, attribute number = 1, value = 0, 1 or 2 (0=RO, 1=SA, 2=RWA).
This config worked for me:

VENDOR Aerohive 26928
BEGIN-VENDOR Aerohive
# The following ATTRIBUTE and VALUE definitions are required.
ATTRIBUTE   AH-HM-Admin-Group-Id 1 integer

VALUE AH-HM-Admin-Group-Id Read-Only-Admin 0
VALUE AH-HM-Admin-Group-Id Super-Admin 1
VALUE AH-HM-Admin-Group-Id Read-Write-Admin 2

# The following is an example of an admin group that you can define.
#VALUE AH-HM-Admin-Group-Id Admin-Group100 100
END-VENDOR Aerohive

Thanks, 

Joy 
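
Added example, not part of the original thread and not Aerohive's or Microsoft's code: a Python sketch of how the values in the post above (vendor code 26928, attribute number 1, integer value) are laid out as an RFC 2865 Vendor-Specific attribute, with a check that reports whether a captured Access-Accept carries it. The function names and sample packets are assumptions constructed for illustration, and the authenticator field is zeroed rather than computed.

```python
import struct

AEROHIVE_VENDOR_ID = 26928      # vendor code from the post above
AH_HM_ADMIN_GROUP_ID = 1        # vendor attribute number from the post above
ADMIN_GROUPS = {0: "Read-Only-Admin", 1: "Super-Admin", 2: "Read-Write-Admin"}
VENDOR_SPECIFIC = 26            # RFC 2865 attribute type that wraps VSAs
ACCESS_ACCEPT = 2               # RFC 2865 packet code

def encode_admin_group_vsa(group_id):
    """Build the Vendor-Specific attribute carrying AH-HM-Admin-Group-Id."""
    sub = struct.pack("!BBI", AH_HM_ADMIN_GROUP_ID, 6, group_id)
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), AEROHIVE_VENDOR_ID) + sub

def build_access_accept(attributes):
    """Hypothetical helper: sample packet with a zeroed authenticator."""
    body = b"".join(attributes)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

def admin_groups_in_packet(packet):
    """Return every AH-HM-Admin-Group-Id value found in an Access-Accept."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    found, pos = [], 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != AEROHIVE_VENDOR_ID:
            continue
        sub = value[4:]
        # Walk the vendor sub-attributes: vendor type, vendor length, data.
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            if sub[0] == AH_HM_ADMIN_GROUP_ID and sub[1] == 6:
                found.append(struct.unpack("!I", sub[2:6])[0])
            sub = sub[sub[1]:]
    return found

# Constructed samples: an accept without the VSA, and one returning only the VSA.
SERVICE_TYPE = struct.pack("!BBI", 6, 6, 2)   # Service-Type = Framed
WITHOUT_VSA = build_access_accept([SERVICE_TYPE])
WITH_VSA = build_access_accept([encode_admin_group_vsa(1)])
```

An empty list from `admin_groups_in_packet` on a capture of the NPS reply means the Access-Accept does not carry the attribute, even though NPS logs the access as granted.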
Nick Lowe, Official Rep

Hi Joy,

Looks good!

Thanks,

Nick
Scott Anderson


How does the dictionary file get imported? Do you import it into the Hive Manager or the NPS server?