User profile based on RADIUS

  • 1
  • Question
  • Updated 2 years ago
Hi

We are running OS X 10.11 server with radius. This works fine. Now we want our users (iPads, students and teachers) in different vlans, based on their primary group in Open Directory.

I created three User Profiles: 100, 200 and 300. In Radius I defined this:

# FreeRADIUS unlang: choose the reply attributes from the user's Open Directory group.
# (RFC 3580 defines Tunnel-Type = VLAN and Tunnel-Medium-Type = IEEE-802 for VLAN assignment;
# the values below are the ones used here.)
if (Group == "ToestellenSchool") {
    update reply {
        Tunnel-Private-Group-ID = 100
        Tunnel-Type = GRE
        Tunnel-Medium-Type = IP
    }
}
elsif (Group == "Leraren") {
    update reply {
        Tunnel-Private-Group-ID = 200
        Tunnel-Type = GRE
        Tunnel-Medium-Type = IP
    }
}
else {
    update reply {
        Tunnel-Private-Group-ID = 300
        Tunnel-Type = GRE
        Tunnel-Medium-Type = IP
    }
}

This seems to work and when I test Radius using Radius Test, I see this:
RADIUS server is reachable. Get attributes from RADIUS server: User-Attribute-ID:0=200;


Now I added those three user profiles to our SSID. Students User Profile (300) as default, 100 and 200 as Authentication.

I also check "Assign user profiles based on values returned in the following RADIUS attribute" and assign attribute 81_Tunnel-Private-Group-ID.

But when I check this option, a new option <RADIUS User Groups> appears. When I try to push this new policy, HiveManager asks me to fill in Radius Users Groups.

What do I have to use there? It seems that Radius Users Groups is about local Radius groups, not about my external Radius server.

Thanks in advance for your help!

Geert Huylebroeck

  • 6 Posts
  • 0 Reply Likes

Posted 2 years ago

  • 1
Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Hi Geert,

Do not check "Assign user profiles based on values returned in the following RADIUS attribute" because you do not want that.

You are using the traditional method of user profile assignment.

The following documentation that originates from Aerohive explains the newer and alternative, standards compliant method that uses that check box:

https://mega.nz/#!mtd0UaTD!s25Kk1bZkEtMvOIqlnsTeAZx5fY67FjmQcVPQ1QljiQ

The following discussion further explains the two methods that Aerohive supports for assigning the user profile:

https://community.aerohive.com/aerohive/topics/radius-nps-server-configurations

Nick
(Edited)
Geert Huylebroeck

  • 6 Posts
  • 0 Reply Likes
Thank you for your reply. It works now!

But now we have another issue: we also have a separate SSID for special use. It is also bound to the RADIUS server. It also has its specific user profile (default) with its own VLAN.

When a teacher uses this SSID, he is also redirected to the user profiles mentioned before. The user is not using the default user profile with that vlan.

Is there a way to force users not to use the user profile coming from radius for this SSID but instead using the default profile set for this SSID?
Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Geert,

Let's take a step back first.

Why do you think that you need this additional SSID?

In most cases, you would want to use user profiles rather than offering additional SSIDs.

If you want a different user profile applied, return different RADIUS attributes in the Access-Accept. You know how to do that based on the configuration/policy that you have at the RADIUS server.

Cheers,

Nick
(Edited)
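The following is an added example, not code from this thread, Aerohive or FreeRADIUS. It decodes the tunnel attributes that Geert's unlang above puts in the Access-Accept (RFC 2865 attribute TLVs, RFC 2868 tagged Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID) and applies the assignment Nick describes: the VLAN in attribute 81 selects the user profile, and a reply without a usable attribute 81 falls back to the SSID's default profile. Assumptions, also marked in the code: the AP keys the decision on attribute 81 alone (as the HiveManager setting in the thread does) and only warns when Tunnel-Type or Tunnel-Medium-Type differ from the RFC 3580 values VLAN (13) and IEEE-802 (6); when several tags are present the lowest tag wins; the sample replies are constructed attribute payloads without a RADIUS header.

```python
"""Decode tunnel attributes from a RADIUS Access-Accept and derive the user profile.

Added example, not Aerohive/FreeRADIUS code. Assumes the AP keys on attribute 81
alone (per the thread) and falls back to the SSID default when it is absent.
"""

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6          # RFC 3580 values


def encode_tagged_int(attr_type, tag, value):
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet value."""
    body = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(body)]) + body


def encode_tagged_string(attr_type, tag, text):
    """RFC 2868 tagged string: one tag octet followed by the string."""
    body = bytes([tag]) + text.encode()
    return bytes([attr_type, 2 + len(body)]) + body


def parse_attributes(payload):
    """Split an attribute payload into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header at offset %d" % i)
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length %d at offset %d" % (alen, i))
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def decode_tagged_int(value):
    if len(value) != 4:
        raise ValueError("tagged integer must be 4 octets")
    return value[0], int.from_bytes(value[1:], "big")


def decode_tagged_string(value):
    # First octet 0x00..0x1F is a tag; anything larger belongs to the string (RFC 2868 s3.6).
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode(errors="replace")
    return 0, value.decode(errors="replace")


def vlan_from_access_accept(payload):
    """Return (vlan_id, warnings); vlan_id is None when no usable attribute 81 exists."""
    warnings, types, media, groups = [], {}, {}, {}
    for atype, value in parse_attributes(payload):
        if atype == TUNNEL_TYPE:
            tag, v = decode_tagged_int(value)
            types[tag] = v
        elif atype == TUNNEL_MEDIUM_TYPE:
            tag, v = decode_tagged_int(value)
            media[tag] = v
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tag, text = decode_tagged_string(value)
            groups[tag] = text
    if not groups:
        return None, warnings
    tag = min(groups)          # assumption: the lowest tag is the preferred tunnel
    text = groups[tag]
    if types.get(tag) != TUNNEL_TYPE_VLAN:
        warnings.append("Tunnel-Type for tag %d is %r, RFC 3580 expects VLAN (13)" % (tag, types.get(tag)))
    if media.get(tag) != TUNNEL_MEDIUM_IEEE_802:
        warnings.append("Tunnel-Medium-Type for tag %d is %r, RFC 3580 expects IEEE-802 (6)" % (tag, media.get(tag)))
    if not text.isdigit() or not 1 <= int(text) <= 4094:
        warnings.append("Tunnel-Private-Group-ID %r is not a VLAN number" % text)
        return None, warnings
    return int(text), warnings


def assign_profile(payload, profiles, default_profile):
    """Map the VLAN in the reply to a user profile; absent or unknown VLAN -> SSID default."""
    vlan, warnings = vlan_from_access_accept(payload)
    if vlan is None or vlan not in profiles:
        return default_profile, warnings
    return profiles[vlan], warnings


# Constructed sample replies: attribute payload only, no RADIUS header or authenticator.
PROFILES = {100: "100", 200: "200", 300: "300"}              # the three profiles from the thread
TEACHER_REPLY = (encode_tagged_int(TUNNEL_TYPE, 0, 10)        # GRE, as in the unlang above
                 + encode_tagged_int(TUNNEL_MEDIUM_TYPE, 0, 1)  # IP
                 + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, 0, "200"))
RFC3580_REPLY = (encode_tagged_int(TUNNEL_TYPE, 1, TUNNEL_TYPE_VLAN)
                 + encode_tagged_int(TUNNEL_MEDIUM_TYPE, 1, TUNNEL_MEDIUM_IEEE_802)
                 + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, 1, "100"))
NO_VLAN_REPLY = bytes([27, 6]) + (3600).to_bytes(4, "big")   # only Session-Timeout, no VLAN

if __name__ == "__main__":
    for name, reply in [("teacher", TEACHER_REPLY), ("rfc3580", RFC3580_REPLY), ("no-vlan", NO_VLAN_REPLY)]:
        print(name, assign_profile(reply, PROFILES, "300"))
```

Running it shows the teacher reply landing on profile 200 with two RFC 3580 warnings, the RFC-conformant reply landing on profile 100 cleanly, and the reply without attribute 81 falling back to the default profile 300, which is the behaviour the separate-SSID question is about: whatever the RADIUS server returns for attribute 81 wins, so the profile has to be steered by the reply policy on the server side.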
Geert Huylebroeck

  • 6 Posts
  • 0 Reply Likes
Actually, we don't need an additional SSID for technical reasons. But for our colleagues it is clearer to have a different SSID.

And indeed, it works when I add an extra option in our RADIUS for these colleagues. Thank you very much!