User profile assignment not working in NG (clients get default profile)

Several customers mentioned that clients sometimes receive the default user profile instead of the linked User profile. We had this problem with 802.1x and with ppsk.

Even a simple User Profile Assignment based on the user group (PPSK) sometimes goes wrong.

Jonas Dekkers

Posted 1 year ago


Gary Smith, Official Rep

Hi Jonas,

Can you elaborate on the configuration? How exactly is the SSID configured?

Kind Regards,
Gary Smith

Jonas Dekkers

Hi Gary,

It's just an easy ssid with 4 user groups (ppsk in the cloud).

4 user profiles with 4 user profile assignments that are linked to the user groups.

Sometimes the users from one of the 4 user groups get the default user profile instead of the right user profile.

Gary Smith, Official Rep

Are there any CWPs involved? Can you share screenshots of the config?

Jonas Dekkers

No, they don't use a CWP. They also have a user profile assignment based on OS type, but this doesn't work either.

Tobias Protz

I am sorry, but has anything come out of this? I am experiencing the exact same thing, apart from the fact that the clients will always receive the default profile.

Current HiveManager NG with one AP250, connected to a Windows RADIUS server.
RADIUS auth itself is working fine, but no profiles are assigned (the clients should be moved to different VLANs based on their OS).

J Kremer

I have the same issue too. It looks like there is no OS checking done during connection setup, so applying a different user profile based on OS is not working. When they connect with the default profile, they usually show the correct OS.

Tobias Protz

Thanks, this matches with my findings: https://community.aerohive.com/aerohive/topics/identify-and-block-ios-android-from-radius-network-hi...
Same apparently here:
https://community.aerohive.com/aerohive/topics/user-profile-assignment-not-working-in-ng-clients-get...

If anybody has any information about this or a newer software release, please come forward.

J Kremer

I tried these settings; it simply doesn't work. It seemed to work on the default profile when I played with it there, but not in the production SSID. It's annoying.

Gary Smith, Official Rep

Hi Guys,

Just so I am clear: the issue being reported here is that the Client OS detection is not working and therefore the client is not being assigned the correct UPID?

Kind Regards,
Gary Smith

J Kremer

When I look at connected devices, I see a device being labeled as Android or Apple iOS, but the policy assigned is the default one for that SSID. The option below where you assign the default option, with the checkbox ticked at "Apply a different user profile to various clients and user groups", and a different user policy selected (labeled devices here) and assignment selection for Android, iOS Device, iPad, iPhone, does not get used. All qualifying devices get recognized in the connected devices list, but all get the default user policy to work with.

Gary Smith, Official Rep

Guys,

In your tests, can you add these lines to the AP running config?

os-object "iOS Device" os-version "Apple iPod, iPhone or iPad"


os-object Android os-version "HTC Android"
os-object Android os-version "Sony Ericsson Android"
os-object Android os-version "Generic Android"
os-object Android os-version "Samsung Android"
os-object Android os-version "Android Tablet"
os-object Android os-version "Unknown Android"
os-object Android os-version "Motorola Android"
os-object Android os-version "ZTE N9120 Android"
os-object Android os-version "Android LG Nexus 5 & 7"
os-object Android os-version "Kyocera Android"

Can you then retry your tests and let me know if this resolves the issue please?

Kind Regards,
Gary Smith

Tobias Protz

Will do this afternoon, the issue here is though that the client os is correctly recognized and categorized (i.e. "debian based Linux" for my Ubuntu machine, although I have no Linux OS profile anywhere, respectively "iOS" for the iPad or "generic Android" for my Cyanogenmod-based phone), but the user profile is not assigned to the device. (and therefore the VLAN assignment doesn't work)

The default profile is always chosen, and also its vlan setting. All "client-os" rules are being ignored. This happens with Android, iOS, Linux and MacOS as well as Windows (all tested, none of them are affected by the rules)

What I want to achieve is the following:
when connecting to a radius protected SSID (external radius server)
- Based on the OS the device shall be assigned a certain VLAN. 
- Only notebooks (Windows, MacOS and Linux) shall be allowed into the VLAN where the Radius server resides
- all mobile phones and tablets shall be routed to a different VLAN where they are basically isolated and cannot authenticate / won't get any IP

AP is an AP250 running the latest software version.

Tobias Protz

Same here, did nothing.
As I said before, the OS based user profile assignment (and therefore vlan assignment) doesn't work for any device, regardless of its operating system - not even laptops.

It seems that there was a change in how this was handled in the old HiveManager (pre-NG)?

J Kremer

It's just an idea; it worked, at least more or less, for Android, and two of those devices I tested with still show up on the required policy. It stopped adding new ones until the moment I activated AD authentication on another SSID hosted on all the APs also.

Gary Smith, Official Rep

Could you send me an email with AP techdata attached? If possible, please run the debug "_debug auth info" and then connect the client, and then collect the techdata. I'm hoping that I might be able to get some clues.

gsmith@aerohive.com

Kind Regards,
Gary Smith

Tobias Protz

Mail sent :) I hope it will help, maybe there's just a misconfiguration somewhere.

J Kremer

Reply sent; log shows unknown device, yet the NG environment shows Apple IOS

Jonas Dekkers

For the OS fingerprinting: Aerohive told us that they will fix this issue in a future release. As a temporary solution, a customer of ours used the configuration below.

J Kremer

(question removed)
edited; never mind, found it; Configure, common objects, basic, OS objects.

Tobias Protz

In Hive Manager NG under Configure -> Common Objects -> Basic -> OS Objects, you can add additional objects there and this looks just like the customer added some kind of "mobile device" object with the DHCP options for Android and iOS.
The device OS is identified by its DHCP request, there are more fingerprints here: 
https://github.com/inverse-inc/fingerbank/blob/master/dhcp_fingerprints.conf
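
Added example (not from the thread and not Aerohive's implementation): a sketch of DHCP-based OS identification in general. It reads option 55 (the parameter request list) from a client's DHCP request, matches it against an OS object, and falls back to the default profile when nothing matches, which is the "unknown device" outcome reported above. The object name, profile names and fingerprint values are constructed assumptions.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # start of the DHCP options field (RFC 2131)

def dhcp_options(packet: bytes) -> dict:
    """Parse the options of a raw BOOTP/DHCP payload into {code: value}."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 255:            # End option
            break
        if code == 0:              # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts

def fingerprint(packet: bytes) -> str:
    """Option 55 (parameter request list) as a comma-separated string."""
    return ",".join(str(b) for b in dhcp_options(packet).get(55, b""))

def classify(packet: bytes, os_objects: dict, default: str = "default-profile"):
    """Return (os_object, profile); unmatched fingerprints get the default."""
    fp = fingerprint(packet)
    for name, (prints, profile) in os_objects.items():
        if fp in prints:
            return name, profile
    return "unknown", default

def build_request(params: list) -> bytes:
    """Constructed sample: minimal DHCPDISCOVER with options 53 and 55."""
    fixed = bytes([1, 1, 6, 0]) + bytes(232)   # 236-byte BOOTP header
    return fixed + MAGIC_COOKIE + bytes([53, 1, 1, 55, len(params), *params, 255])

# Hypothetical OS object; fingerprint values are constructed, not from a database.
OS_OBJECTS = {"mobile-device": ({"1,3,6,15,26,28", "1,3,6,12,15,42"}, "isolated-vlan")}

if __name__ == "__main__":
    for params in ([1, 3, 6, 15, 26, 28], [1, 3, 6, 15]):
        print(fingerprint(build_request(params)), classify(build_request(params), OS_OBJECTS))
```

Option 55 is supplied by the client, so a fingerprint rule sorts devices into profiles but does not authenticate them. The default profile that unmatched devices land in should therefore be the most restrictive one.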

J Kremer

It seems to be working, for at least most devices. I've one Samsung phone that stays unknown. Maybe it will resolve after reconnect. Thx!!