What RADIUS attributes can I configure in HiveManager and are required for NPS configuration?

  • 3
  • Question
  • Updated 5 years ago
  • Answered
OK. If you have been following my progress I have finally started configuring an NPS server for RADIUS.

We started testing and the clients in the first group we configured worked for a short period of time.

When we configured a second group we were no longer able to authenticate from NPS. Not even the original group we configured.

We looked at the RADIUS test in HiveManager and found we were not receiving the attributes from our NPS.

We have tested from a RADIUS client test program (NTRadPing Test utility) and we get all the attributes as set in NPS. We had to reduce the authentication options to only use CHAP for this test. But as we get all the NPS attributes we configured I believe the NPS is working correctly. Please let me know if there is something I need to check on my NPS.

What attributes can HiveManager accept from NPS?

We are trying to use computer authentication for college owned devices and user authentication for BYOD devices.

When we look at the User Profiles configured for each SSID and click on the Add/Remove at the bottom of the User Profile column, I can see that we have ticked the box next to "Assign user profiles based on values returned in the following RADIUS attribute. and the Standard Attribute that is set is "11_Filter_id"

The hive RADIUS test shows the attribute we were using with the HIVE RADIUS AP as "User-Attribute-ID", which is not available in NPS, and also is not the filter_id that I have configured in NPS.
Photo of Michael Drummond

Michael Drummond

  • 36 Posts
  • 0 Reply Likes

Posted 5 years ago

  • 3
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Have you followed the instructions for setting up mapping via the Filter-Id fully?

Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
You should only be using PEAP as the outer with TLS (user or device certificate) or MS-CHAP-v2 (user name/password) as the inners for testing.

Please do not waste your time trying to use non-TLS based authentication types like plain CHAP.

Use the Tunnel-Private-Group-Id as the VLAN id, set the Tunnel-Type to VLAN (13) not to GRE (10) and match the user profile desired via the Filter-Id attribute.
Photo of Ernest Davis

Ernest Davis

  • 1 Post
  • 0 Reply Likes
Thank YOU! I've been asking AH for the specific attributes for the longest, but the above pic solved the issues with an external radius server providing the correct attributes for the user profiles.

Thanks again!