User identification via Ethernet

  • Question
  • Updated 5 years ago
  • Answered

Since my employer is using some Aerohive devices (BR100 and AP121, maybe later an AP120 as well) for his home (-office), he came up with some questions that neither I nor Google could answer, which is why I ended up here ;D

He is running 6.1.r1 on both the BR100 and the AP121. Both are in AP mode.
Now he wants to use different user profiles with different firewall settings. He wants to use the Ethernet ports for this purpose (on the BR100 afaik).

His original question was whether it is possible to distinguish users just by logging into Windows with a certain username. I don't know how this should work at all. Maybe with a RADIUS server?

Now my idea was to use CWP with user authentication. But then I saw that a RADIUS server and a local user database are needed (maybe the AP121 could take that role?). I don't know if this would even work, since I can't simply test it, because the devices aren't physically where I am.

My question is: Is there an elegant, simple to use (for ppl without technical background) solution to assign different user profiles to the same client device over Ethernet?

Kind regards
Wolfgang



Posted 5 years ago


Andrew Garcia, Official Rep

For the BR100 in AP mode, you can configure different user profiles (which contain the firewall policy) on each Ethernet port, if you want. For instance, you can assign user profile A to ETH1 and user profile B to ETH4. You can do this with or without authentication.

For ports 1-4 on the BR100 in AP mode, you can also authenticate via MAC authentication or Captive Web Portal (with RADIUS), provided the port is in access mode (not in trunk mode).

As you mentioned, Captive Web Portal with authentication could be a good option for you. The AP121 or the AP120 could act as the RADIUS server for the authentication, but RADIUS server is not supported on the BR100.

For the RADIUS server, you could create multiple local user groups, each with a different user attribute. Those user attribute numbers map to a user profile, which can have different firewall policies.

Sample configs below: