What is supported in 802.1x / AAA with Aerohive equipment

Which of the following is supported on Aerohive AP devices (and with what limitations)? I could not find anything useful in the Aerohive documentation on this topic. All links to relevant documentation/papers will be highly appreciated.

  • Support EAP-SIM, EAP-FAST, EAP-TLS, EAP-TTLS, and PEAP in IEEE 802.1x?
  • Support EAP-MD5 and MS-CHAPv2 in AAA?

Thank you!
lowk3y

Posted 8 months ago

Nick Lowe, Official Rep

Hi lowk3y,

HiveOS does not support EAP-MD5 for MAC auth or CWP auth; it does not serve a legitimate purpose these days and is a legacy, insecure EAP method.

EAP-MD5 cannot be used for WPA2-Enterprise/802.1X as it does not return keying material via MPPE attributes in the RADIUS Access-Accept.

Plain MS-CHAP-v2 is supported for MAC auth and CWP auth.

If you are using a third-party RADIUS server with WPA2-Enterprise/802.1X, you can use whichever EAP type you like as long as keying material is returned. In practical, real-world terms, this nearly always means a TLS-based EAP type must be used. The supplicant and the EAP-terminating RADIUS server have to support the EAP type and it is not a concern of the authenticator (the AP).

The TLS-based EAP types supported by the built-in RADIUS server for WPA2-Enterprise/802.1X are documented and should be apparent from the existing UI.

Thanks,

Nick
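
The keying-material condition described in the answer above can be checked on a captured RADIUS Access-Accept. The following is an added example, not part of the original thread and not Aerohive code: it looks for the Microsoft vendor-specific MS-MPPE-Send-Key and MS-MPPE-Recv-Key attributes (RFC 2548). The helper names and both sample packets are constructed for illustration, the key fields are zero-filled placeholders, and the packet authenticators are not verified.

```python
import struct

ACCESS_ACCEPT = 2        # RADIUS packet code (RFC 2865)
VENDOR_SPECIFIC = 26     # RADIUS attribute type (RFC 2865)
MICROSOFT = 311          # vendor id used by the RFC 2548 attributes
MPPE_KEYS = {16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key"}

def _walk(buf):
    """Yield (type, value) for each TLV in buf; the length byte covers the header."""
    pos = 0
    while pos + 2 <= len(buf):
        alen = buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):
            raise ValueError("malformed attribute")
        yield buf[pos], buf[pos + 2:pos + alen]
        pos += alen

def mppe_keys_present(packet):
    """Return the names of the MS-MPPE key attributes in an Access-Accept."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    found = set()
    for atype, value in _walk(packet[20:length]):
        if atype == VENDOR_SPECIFIC and len(value) >= 4:
            if struct.unpack("!I", value[:4])[0] == MICROSOFT:
                found.update(MPPE_KEYS[t] for t, _ in _walk(value[4:]) if t in MPPE_KEYS)
    return found

def usable_for_8021x(packet):
    """True only if both keys the AP needs are present."""
    return mppe_keys_present(packet) == set(MPPE_KEYS.values())

# --- constructed sample packets (zero-filled placeholders, not real keys) ---
def _attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def _accept(*attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

def _mppe(vtype):
    return _attr(VENDOR_SPECIFIC, struct.pack("!I", MICROSOFT) + _attr(vtype, bytes(50)))

EAP_SUCCESS = _attr(79, b"\x03\x01\x00\x04")   # EAP-Message carrying EAP-Success
TLS_STYLE_ACCEPT = _accept(EAP_SUCCESS, _mppe(16), _mppe(17))
MD5_STYLE_ACCEPT = _accept(EAP_SUCCESS)        # accepted, but no keying material

if __name__ == "__main__":
    for name in ("TLS_STYLE_ACCEPT", "MD5_STYLE_ACCEPT"):
        print(name, usable_for_8021x(globals()[name]))
```
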