Set up APs to authenticate to AD server

  • Question
  • Updated 3 months ago
I have 75 AP230s running 8.3r2. I'm tired of the students getting the password from laptops in the lab and putting them on their phones. Is there a way to force all devices to authenticate either through our CipaFilter firewall or AD? Or is there a better way to do what I'm needing?

Donnie Mayes


Posted 3 months ago


Sam Lynn, Moderator

You could also implement MAC authentication, so that the MAC address acts as the username and password. The user never enters anything, and the MAC address is submitted automatically. That way only the machine that you want to connect will be able to connect to that SSID.

Or you could also implement PPSK and MAC binding, which binds the PPSK credentials to the machine that you use it on first. That way even if the students get the password, they won't be able to log on, as their MAC address will not match.

Donnie Mayes

Sam, thanks! Is there any documentation out there to help me with that? I'm still working my way through this setup.

Sam Lynn, Moderator

I do have some guides; I could email them to the email you registered for HiveNation with if you'd like. Can you confirm if you are using HiveManager NG (cloud.aerohive.com) or HiveManager Classic (myhive.aerohive.com)? Instructions will differ depending on the platform you are using.

Donnie Mayes

Sam, we are on cloud.aerohive.com, thank you!

Crowdie, Champ

A couple of ideas:
  • Implement computer authentication using 802.1X. This way only domain devices would be able to authenticate.
  • If you want to use PSK or PPSK authentication, use client classification to place Android and iOS into another user profile. That user profile could have a schedule applied that cannot be matched (say the 1st of Jan 1970 to the 2nd of Jan 1970) and clients placed into the user profile would be deauthenticated.

Sam Lynn, Moderator

Thanks Donnie. I've emailed two guides to you including the page numbers you will need, one covering MAC Binding and one covering MAC Authentication. Please let me know if you don't get them and I can resend.