UPN Alias

Question, updated 2 years ago

Hello, we have an Aerohive infrastructure using 802.1X to authenticate users against our Active Directory without any issues.

We are migrating our mail to Exchange Online and we need to change our domain name due to requirements of the provider.
We created an alias in our domain and we must change all UPNs (User Principal Names). It's a mandatory requirement.

When we change the UPN of the users, Aerohive automatically drops the connection and can't validate the user...

Any Idea?

thanks
Joan (16 Posts, 1 Reply Like), posted 3 years ago

Crowdie, Champ (972 Posts, 272 Reply Likes):
Do you mean the RADIUS server is rejecting the authentication request after the change?  If so:
  • Is the RADIUS service utilising the internal Aerohive RADIUS server or an external RADIUS server such as Microsoft's NPS?
  • If you use the Client Monitor to monitor a wireless client authenticating what is the host and/or username being passed to the RADIUS service?

Raúl (13 Posts, 0 Reply Likes):
Hi, we are in a similar situation.

A user logs on in Windows with abc\user (UPN=user@abc.company.com), and these credentials are used to authenticate the user on Wi-Fi. Everything works fine.

But when a user logs on in Windows with abc\user (UPN=user@company.com), he gets into Windows, but Aerohive puts the user into the null VLAN.

The domain is abc.company.com, and the alias created is company.com.

Any clue about the Aerohive AAA user authentication configuration?

BJ, Champ (374 Posts, 45 Reply Likes):
I think Crowdie was attempting to ascertain whether you have the APs configured to act as the authenticator or the authentication server for your supplicants. Once that is established, we should be able to assist.

Best,
BJ

Raúl (13 Posts, 0 Reply Likes):
An AP is the gateway between the rest of the APs/users and the Active Directory server.

Crowdie, Champ (972 Posts, 272 Reply Likes):
If you use Client Monitor to watch a client login which user profile attribute is the RADIUS service returning?  Do you have a user profile assigned to the SSID in the network policy that matches the RADIUS returned attribute?

Raúl (13 Posts, 0 Reply Likes):
Hi, when I use Client Monitor, I obtain this log:
-----------------------------------
BASIC   (749)Rx assoc req (rssi -54dB)
BASIC   (750)Tx assoc resp <accept> (status 0, pwr 13dBm)
INFO    (751)IEEE802.1X auth is starting (at if=wifi0.2)
DETAIL  (9)RADIUS: EAP start with type peap
DETAIL  (10)RADIUS: SSL negotiation, receive client hello message
DETAIL  (11)RADIUS: SSL negotiation, send server certificate and other message
DETAIL  (12)RADIUS: SSL connection established
DETAIL  (13)RADIUS: SSL negotiation is finished successfully
DETAIL  (14)RADIUS: PEAP inner tunneled conversion
DETAIL  (15)RADIUS: PEAP inner tunneled conversion
DETAIL  (16)RADIUS: PEAP tunneled authentication was successful

DETAIL  (17)RADIUS: accepted user 'SJD-OFI\prueba' through the NAS at 172.30.16.62.
DETAIL  (752)Send message to RADIUS Server(172.30.16.52): code=1 (Access-Request) identifier=247 length=163,  User-Name=SJD-OFI\prueba NAS-IP-Address=172.30.16.62 Called-Station-Id=9C-5D-12-5C-10-15:RJ_Corporate Calling-Station-Id=9C-4E-36-93-C6-1C

DETAIL  (753)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=247 length=64
DETAIL  (754)Send message to RADIUS Server(172.30.16.52): code=1 (Access-Request) identifier=248 length=290,  User-Name=SJD-OFI\prueba NAS-IP-Address=172.30.16.62 Called-Station-Id=9C-5D-12-5C-10-15:RJ_Corporate Calling-Station-Id=9C-4E-36-93-C6-1C

DETAIL  (755)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=248 length=1090
DETAIL  (756)Send message to RADIUS Server(172.30.16.52): code=1 (Access-Request) identifier=249 length=168,  User-Name=SJD-OFI\prueba NAS-IP-Address=172.30.16.62 Called-Station-Id=9C-5D-12-5C-10-15:RJ_Corporate Calling-Station-Id=9C-4E-36-93-C6-1C

DETAIL  (757)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=249 length=320
DETAIL  (758)Send message to RADIUS Server(172.30.16.52): code=1 (Access-Request) identifier=250 length=500,  User-Name=SJD-OFI\prueba NAS-IP-Address=172.30.16.62 Called-Station-Id=9C-5D-12-5C-10-15:RJ_Corporate Calling-Station-Id=9C-4E-36-93-C6-1C
      
DETAIL  (759)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=250 length=123
DETAIL  (760)Send message to RADIUS Server(172.30.16.52): code=1 (Access-Request) identifier=251 length=168,  User-Name=SJD-OFI\prueba NAS-IP-Address=172.30.16.62 Called-Station-Id=9C-5D-12-5C-10-15:RJ_Corporate Calling-Station-Id=9C-4E-36-93-C6-1C
    
DETAIL  (761)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=251 length=101
DETAIL  (762)Send message to RADIUS Server(172.30.16.52): code=1 (Access-Request) identifier=252 length=221,  User-Name=SJD-OFI\prueba NAS-IP-Address=172.30.16.62 Called-Station-Id=9C-5D-12-5C-10-15:RJ_Corporate Calling-Station-Id=9C-4E-36-93-C6-1C

DETAIL  (763)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=252 length=133
DETAIL  (764)Send message to RADIUS Server(172.30.16.52): code=1 (Access-Request) identifier=253 length=269,  User-Name=SJD-OFI\prueba NAS-IP-Address=172.30.16.62 Called-Station-Id=9C-5D-12-5C-10-15:RJ_Corporate Calling-Station-Id=9C-4E-36-93-C6-1C
    
DETAIL  (765)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=253 length=149
DETAIL  (766)Send message to RADIUS Server(172.30.16.52): code=1 (Access-Request) identifier=255 length=205,  User-Name=SJD-OFI\prueba NAS-IP-Address=172.30.16.62 Called-Station-Id=9C-5D-12-5C-10-15:RJ_Corporate Calling-Station-Id=9C-4E-36-93-C6-1C
    
DETAIL  (767)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=255 length=101
DETAIL  (768)Send message to RADIUS Server(172.30.16.52): code=1 (Access-Request) identifier=0 length=205,  User-Name=SJD-OFI\prueba NAS-IP-Address=172.30.16.62 Called-Station-Id=9C-5D-12-5C-10-15:RJ_Corporate Calling-Station-Id=9C-4E-36-93-C6-1C
     
DETAIL  (769)Receive message from RADIUS Server: code=2 (Access-Accept) identifier=0 length=176

INFO    (770)Sending 1/4 msg of 4-Way Handshake (at if=wifi0.2)
INFO    (771)Received 2/4 msg of 4-Way Handshake (at if=wifi0.2)
INFO    (772)Sending 3/4 msg of 4-Way Handshake (at if=wifi0.2)
INFO    (772)Sending 3/4 msg of 4-Way Handshake (at if=wifi0.2)
INFO    (773)Received 4/4 msg of 4-Way Handshake (at if=wifi0.2)
INFO    (773)Received 4/4 msg of 4-Way Handshake (at if=wifi0.2)
INFO    (774)PTK is set (at if=wifi0.2)
INFO    (774)PTK is set (at if=wifi0.2)
BASIC   (775)Authentication is successfully finished (at if=wifi0.2)
BASIC   (775)Authentication is successfully finished (at if=wifi0.2)
-----------------------------------------------

But I can see this, too:
--------------
INFO    (666)Rx deauth (reason 1 <unspecified>, rssi -59dB)
BASIC   (667)Sta(at if=wifi0.2) is de-authenticated because of notification of driver
--------------

The prueba UPN is prueba@company.com, from domain sjd-ofi.company.com.

So there are auth messages, but the client goes to the NULL VLAN.

The AP has a user to join the domain, a user required for the user lookup.
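Crowdie asked earlier what host or username is being passed to the RADIUS service, and that is the first thing to pull out of a Client Monitor trace like the one above. The following Python script is an added example (not Aerohive's tooling and not code from the post): it parses the trace format shown above, reports the identity format in User-Name (NetBIOS `DOMAIN\user` versus `user@suffix`), which RADIUS server handled the exchange, how the exchange ended, whether the 4-way handshake finished, and whether a deauthentication followed. SAMPLE_TRACE is excerpted from the post and trimmed to the lines the parser needs; whether HiveOS prints returned attributes after the Access-Accept length field is an assumption, so an empty `accept_attributes` only means the trace showed none.

```python
"""Summarise an Aerohive Client Monitor trace: the identity the supplicant
sent, the RADIUS server that handled it, how the exchange ended and whether
a deauthentication followed.  Added example; SAMPLE_TRACE is excerpted from
the post above and trimmed to the lines the parser needs."""

import re
from typing import Dict, List

# Excerpt of the trace quoted in the post (one line appears twice there too).
SAMPLE_TRACE = """\
INFO    (751)IEEE802.1X auth is starting (at if=wifi0.2)
DETAIL  (9)RADIUS: EAP start with type peap
DETAIL  (16)RADIUS: PEAP tunneled authentication was successful
DETAIL  (17)RADIUS: accepted user 'SJD-OFI\\prueba' through the NAS at 172.30.16.62.
DETAIL  (752)Send message to RADIUS Server(172.30.16.52): code=1 (Access-Request) identifier=247 length=163,  User-Name=SJD-OFI\\prueba NAS-IP-Address=172.30.16.62 Called-Station-Id=9C-5D-12-5C-10-15:RJ_Corporate Calling-Station-Id=9C-4E-36-93-C6-1C
DETAIL  (753)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=247 length=64
DETAIL  (768)Send message to RADIUS Server(172.30.16.52): code=1 (Access-Request) identifier=0 length=205,  User-Name=SJD-OFI\\prueba NAS-IP-Address=172.30.16.62 Called-Station-Id=9C-5D-12-5C-10-15:RJ_Corporate Calling-Station-Id=9C-4E-36-93-C6-1C
DETAIL  (769)Receive message from RADIUS Server: code=2 (Access-Accept) identifier=0 length=176
INFO    (773)Received 4/4 msg of 4-Way Handshake (at if=wifi0.2)
INFO    (773)Received 4/4 msg of 4-Way Handshake (at if=wifi0.2)
BASIC   (775)Authentication is successfully finished (at if=wifi0.2)
INFO    (666)Rx deauth (reason 1 <unspecified>, rssi -59dB)
"""

LINE_RE = re.compile(r"^(?P<level>[A-Z]+)\s+\((?P<seq>\d+)\)(?P<msg>.*)$")
RADIUS_RE = re.compile(
    r"(?P<dir>Send message to|Receive message from) RADIUS Server"
    r"(?:\((?P<server>[\d.]+)\))?: code=(?P<code>\d+) \((?P<name>[\w-]+)\)"
    r" identifier=\d+ length=\d+,?\s*(?P<attrs>.*)")
EAP_RE = re.compile(r"EAP start with type (?P<eap>\w+)")
DEAUTH_RE = re.compile(r"Rx deauth \(reason (?P<reason>\d+)")


def parse_attributes(text: str) -> Dict[str, str]:
    """Turn 'User-Name=x NAS-IP-Address=y' into a dict (values carry no spaces)."""
    return dict(tok.split("=", 1) for tok in text.split() if "=" in tok)


def classify_identity(user_name: str) -> str:
    """How the supplicant presented itself in User-Name."""
    if "\\" in user_name:
        return "netbios"   # DOMAIN\user: the server must map it via sAMAccountName
    if "@" in user_name:
        return "upn"       # user@suffix: the suffix may be an alias, not the DNS domain
    return "bare"


def parse_trace(text: str) -> List[dict]:
    """Split the trace into events, dropping exact repeats of a sequence number."""
    events, seen = [], set()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or (m["seq"], m["msg"]) in seen:
            continue
        seen.add((m["seq"], m["msg"]))
        events.append({"level": m["level"], "seq": int(m["seq"]), "msg": m["msg"].strip()})
    return events


def summarize(text: str) -> dict:
    """One-shot view of an 802.1X attempt: who, via which server, with what outcome."""
    s = {"eap_type": None, "radius_server": None, "user_name": None,
         "identity_format": None, "final_code": None, "final_name": None,
         "accept_attributes": None, "authentication_finished": False,
         "deauth_reasons": []}
    for ev in parse_trace(text):
        msg = ev["msg"]
        if m := EAP_RE.search(msg):
            s["eap_type"] = m["eap"]
        elif m := RADIUS_RE.search(msg):
            attrs = parse_attributes(m["attrs"])
            if m["server"]:
                s["radius_server"] = m["server"]
            if s["user_name"] is None and "User-Name" in attrs:
                s["user_name"] = attrs["User-Name"]
                s["identity_format"] = classify_identity(attrs["User-Name"])
            if m["dir"].startswith("Receive"):
                s["final_code"], s["final_name"] = int(m["code"]), m["name"]
                if m["name"] == "Access-Accept":
                    # Whatever the trace prints after the length field; an empty
                    # dict means no attribute (such as a user profile) was shown.
                    s["accept_attributes"] = attrs
        elif "Authentication is successfully finished" in msg:
            s["authentication_finished"] = True
        elif m := DEAUTH_RE.search(msg):
            s["deauth_reasons"].append(int(m["reason"]))
    return s


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_TRACE).items():
        print(f"{key:24} {value}")
```

Run against the excerpt, the summary reports a PEAP exchange with `172.30.16.52`, a NetBIOS-style `SJD-OFI\prueba` identity, an Access-Accept with no attributes shown, a completed handshake and a subsequent deauth with reason 1; that is the same reading Crowdie gives of this trace later in the thread.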

Crowdie, Champ (972 Posts, 272 Reply Likes):
The Client Monitor logs show a standard PEAP authentication process with the RADIUS service returning an Access-Accept response (line 769) with no RADIUS attributes.  What this tells us is that this user successfully completed 802.1x authentication.

Do you have a screenshot of your network policy?

If you are mapping user profiles in the AAA Server Settings area (Configuration -> Advanced Configuration -> Authentication -> Aerohive AAA Server Settings) a screenshot of that area would be useful as well.

Raúl (13 Posts, 0 Reply Likes):


Thank you so much.

Crowdie, Champ (972 Posts, 272 Reply Likes):
If you renumber your user profile attributes so they start at 100 does this resolve your issue?  A number of the user profile attribute numbers below 15 are reserved for internal use (the default administrator groups).

Joan (16 Posts, 1 Reply Like):
I renumbered the user profile (from 11 to 111) and the problem remains.

Crowdie, Champ (972 Posts, 272 Reply Likes):
If you use the RADIUS test tool (Tools -> Server Access Tests -> RADIUS Test) what test result do you get?

My gut feeling is that the HiveOS RADIUS service is not handling the change you made and utilising an external RADIUS server, such as Microsoft's NPS, may resolve your issue.  A few people have reported strange issues with the HiveOS RADIUS service.

Raúl (13 Posts, 0 Reply Likes):


We've started to try the authentication with an external NPS...

Roberto Casula, Champ (231 Posts, 111 Reply Likes):
There is quite a complex series of interactions that the AP running RADIUS will go through when authenticating, which are only really visible when you enable radiusd debug logging on the AP running RADIUS. I suspect the RADIUS AP is performing an LDAP query for group membership lookup with a filter that is using the wrong UPN.

In the RADIUS Server settings object, do you have the "Query databases to check if the user exists" enabled for PEAP authentication? Try toggling this option, as it is likely to change the exact sequence of LDAP queries that the RADIUS AP goes through.

Or you can just use NPS :)
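To make Roberto's hypothesis concrete, here is an added Python model of the lookup step (it is not HiveOS code; how the Aerohive RADIUS service actually builds its LDAP filter is not known from this thread). It contrasts two ways a RADIUS back end can turn the EAP identity into a directory filter: one that rebuilds the UPN as `sAMAccountName@<DNS domain>`, which silently returns nothing once the UPN suffix is an alias such as `company.com`, and one that matches on `sAMAccountName` or on the UPN as presented. The directory, group name and mode names are constructed for the example; the account and domain names come from Raúl's post. The filter strings it prints are the kind of thing to compare against radiusd debug output.

```python
"""Model how a RADIUS back end resolves an EAP identity to a directory entry,
and why a lookup that rebuilds the UPN from the DNS domain finds nothing once
users carry an alias UPN suffix.  Added example with a constructed directory;
mode names and the group DN are invented for illustration."""

import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DNS_DOMAIN = "sjd-ofi.company.com"   # forest DNS name (from the thread)
NETBIOS_DOMAIN = "SJD-OFI"           # NetBIOS name seen in User-Name


@dataclass
class DirectoryEntry:
    sam_account_name: str
    user_principal_name: str
    member_of: List[str] = field(default_factory=list)

    def attribute(self, name: str) -> Optional[str]:
        """LDAP attribute names are case-insensitive."""
        return {"samaccountname": self.sam_account_name,
                "userprincipalname": self.user_principal_name}.get(name.lower())


# Constructed directory: 'prueba' lives in sjd-ofi.company.com but its UPN
# uses the alias suffix company.com, the situation described in the thread.
DIRECTORY = [
    DirectoryEntry("prueba", "prueba@company.com",
                   ["CN=WiFi-Users,OU=Groups,DC=sjd-ofi,DC=company,DC=com"]),
    DirectoryEntry("otheruser", "otheruser@sjd-ofi.company.com", []),
]


def split_identity(radius_user: str) -> Tuple[str, Optional[str]]:
    """(short name, UPN suffix or None) for DOMAIN\\user, user@suffix or bare user."""
    if "\\" in radius_user:
        return radius_user.split("\\", 1)[1], None
    if "@" in radius_user:
        local, suffix = radius_user.rsplit("@", 1)
        return local, suffix
    return radius_user, None


def escape_ldap_value(value: str) -> str:
    """RFC 4515 escaping so a supplicant-supplied identity cannot reshape the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def unescape_ldap_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_lookup_filter(radius_user: str, mode: str) -> str:
    """Two lookup strategies (mode names are this example's own)."""
    short, suffix = split_identity(radius_user)
    short_e = escape_ldap_value(short)
    if mode == "rebuild-upn":
        # Fragile: assumes every UPN is sAMAccountName@<DNS domain>.
        return f"(userPrincipalName={short_e}@{DNS_DOMAIN})"
    if mode == "sam-or-upn":
        # Robust: NetBIOS identities resolve via sAMAccountName; UPN identities
        # are matched exactly as presented, alias suffix included.
        upn = f"{short_e}@{escape_ldap_value(suffix) if suffix else DNS_DOMAIN}"
        return f"(|(sAMAccountName={short_e})(userPrincipalName={upn}))"
    raise ValueError(f"unknown mode {mode!r}")


def _split_children(body: str) -> List[str]:
    """Split '(a=b)(c=d)' into its top-level parenthesised terms."""
    children, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                children.append(body[start:i + 1])
    return children


def matches(flt: str, entry: DirectoryEntry) -> bool:
    """Evaluate the filter subset this example emits: (attr=value) and (|(...)(...))."""
    inner = flt[1:-1]
    if inner.startswith("|"):
        return any(matches(c, entry) for c in _split_children(inner[1:]))
    attr, value = inner.split("=", 1)
    stored = entry.attribute(attr)
    return stored is not None and stored.lower() == unescape_ldap_value(value).lower()


def lookup_groups(radius_user: str, mode: str) -> List[str]:
    """Groups the RADIUS server would have available for user-profile mapping.
    An empty list means no directory hit: the user still passes PEAP, but with no
    group to map there is nothing to return, and the client lands in the default
    (null) user profile."""
    flt = build_lookup_filter(radius_user, mode)
    return sorted(g for e in DIRECTORY if matches(flt, e) for g in e.member_of)


if __name__ == "__main__":
    for user in (f"{NETBIOS_DOMAIN}\\prueba", "prueba@company.com"):
        for mode in ("rebuild-upn", "sam-or-upn"):
            print(f"{user:20} {mode:12} {build_lookup_filter(user, mode)}")
            print(f"{'':33} groups={lookup_groups(user, mode)}")
```

With the constructed directory, `rebuild-upn` finds no entry for either identity form because `prueba@sjd-ofi.company.com` does not exist, while `sam-or-upn` returns the group for both; the failure is invisible at the RADIUS layer, which is why an Access-Accept with a client in the null VLAN is the symptom rather than an Access-Reject.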

Crowdie, Champ (972 Posts, 272 Reply Likes):
I have found over the years that the HiveOS RADIUS service is useful for site survivability but is, in comparison to external RADIUS servers, a little limited.  As the complexity of the RADIUS rules increases the limitations of the HiveOS RADIUS service become obvious.  

Roberto Casula, Champ (231 Posts, 111 Reply Likes):
I tend to agree Crowdie. While it is nice to have everything configurable in HiveManager, there are quite a few little gotchas and quirks, especially when it comes to multiple domains. We tend to use it on smaller deployments with fairly simple authentication requirements or, as you say, for site survivability purposes.

Joan (16 Posts, 1 Reply Like):
Hello,
I mounted a Windows 2008 R2 NPS and I configured the authentication with it.
When I log in with a user with the new UPN (an alias), the NPS authenticates the user (see the picture). But I have the same issue. I can not connect to any resource through Wi-Fi (I can not ping any resource).

When I change the UPN and reconnect the Wi-Fi, the user has no problems...


Roberto Casula, Champ (231 Posts, 111 Reply Likes):
How are you assigning users to an Aerohive user profile?

You can have the RADIUS server pass back the user profile in an attribute (and pass back different attributes for different groups of users), or if you only have one user profile, you can dispense with the "null" user profile in your Aerohive configuration and make the default user profile be "RjGroup" and use group filters in NPS to only successfully authenticate users that are a member of the AD groups you are interested in...

David (11 Posts, 0 Reply Likes):
Hi,

is this problem ever resolved? We have the same problem here.
Really need some help.

Same setup.

Joan (16 Posts, 1 Reply Like):
We installed an NPS server, but I would also like to know if the problem is resolved.
Thanks

David (11 Posts, 0 Reply Likes):
Don't think so.

I find this strange; more and more customers will have this problem.

Was installing an NPS server a big change?

Joan (16 Posts, 1 Reply Like):
No, it's very easy (if you have MS Active Directory)... but in my point of view, we lose a great Aerohive functionality (redundant APs acting as a RADIUS server...).

If you need the steps for installing it, I can send you some manuals I did (in Spanish... I'm sorry).

David (11 Posts, 0 Reply Likes):
I found the redundancy great too. The problem is we have 4 sites, so I will have to do it 4 times if I want it to be a little redundant.

If you want, you can send the manuals to darksync@Hotmail.com.

Thanks in advance!