
AD Integration

Aerohive Networks Configuring Active Directory Integration


1. Overview of Active Directory Integration

Aerohive HiveAP RADIUS functionality offers the ability to authenticate 802.1X methods such as PEAP, TTLS, TLS, and LEAP with a local user database on the HiveAP, or against an authoritative store like Active Directory, OpenLDAP, or eDirectory. This gives an administrator the ability to implement a centrally managed secure WLAN solution using 802.1X without having to configure or modify corporate RADIUS servers, and also provides the ability to survive the failure of a WAN link by caching previously authorized users. (LEAP has well-known weaknesses: its MS-CHAP exchange is exposed to offline dictionary attack. Prefer PEAP or EAP-TLS and leave LEAP disabled unless a legacy client requires it.)

In an Aerohive deployment, an administrator can designate an AP or two to become RADIUS servers, and those APs will provide AAA functionality for the other APs in the hive. Only those two APs will require a connection to the authoritative store using NTLM/Kerberos or LDAP/LDAPS. Since Active Directory is the most commonly configured directory store, this document describes how to configure AD integration on an Aerohive HiveAP.

2. How it Works

Understanding the steps that occur for the Active Directory integration makes it easier to determine what elements need to be configured and to troubleshoot when something isn't working. Here is a list of the necessary phases for Aerohive AD integration:

a. The AP attempts to join the Active Directory domain using Samba (NTLM and Kerberos)
   i. Requires domain admin credentials (strictly, an account allowed to create a computer object in the target OU; the credential is used once for the join and need not be stored in HiveManager, see step 3.k)
   ii. The AP now resembles any laptop joined to the AD domain. Any valid domain user can log in using domain user credentials
b. The laptop associates to the Access Point (AP)
   i. The supplicant sends an EAPoL request
c. The AP encapsulates the EAP request into RADIUS
   i. The AP sends the request to the FreeRADIUS module embedded in the designated HiveAP RADIUS server (the shared secret configured in steps 3.g and 3.n authenticates this RADIUS exchange)
d. The AP uses LDAP to query the AD user database
   i. Requires any valid domain user credentials (the Bind DN account)
e. Once the user is found in the database, RADIUS validates the password against AD. For password-based methods (PEAP or TTLS with MS-CHAPv2) this means handing the supplicant's MS-CHAPv2 challenge/response, which is computed from the user's NT password hash, to the domain controller over the NTLM channel established by the domain join. The password itself never leaves the supplicant.
   i. AD responds with an accept or deny
f. The AP gets the seed key (the PMK, returned by the FreeRADIUS server in the Access-Accept) to initiate encryption
g. The supplicant derives the same seed key from its side of the EAP exchange and uses it to generate the encryption keys
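The RADIUS leg of steps c and e (the NAS wrapping the EAP payload in an Access-Request, the server answering with an Access-Accept), as an added, self-contained Python example. This is not Aerohive or FreeRADIUS code; it implements the RFC 2865 packet layout and the RFC 3579 Message-Authenticator so the role of the shared secret from steps 3.g and 3.n is visible. The NAS address 10.5.50.71 is the document's own example; the secret, the user name jdoe and the EAP-Response/Identity payload are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import socket
import struct

# RFC 2865 codes and attribute types used in this exchange.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows


def attr(kind, value):
    """Encode one Type-Length-Value attribute (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attrs(blob):
    """Yield (type, value) pairs, rejecting truncated or zero-length TLVs."""
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        kind, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("bad attribute length")
        yield kind, blob[pos + 2:pos + length]
        pos += length


def build_access_request(secret, ident, req_auth, username, nas_ip, eap):
    """NAS (AP) side: wrap the supplicant's EAP payload in an Access-Request.

    RFC 3579 requires a Message-Authenticator whenever EAP-Message is present:
    HMAC-MD5 keyed with the shared secret over the whole packet, computed with
    the attribute's own 16 bytes zeroed.
    """
    attrs = (attr(USER_NAME, username.encode())
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(EAP_MESSAGE, eap))
    placeholder = attrs + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = HEADER.pack(ACCESS_REQUEST, ident, 20 + len(placeholder)) + req_auth
    mac = hmac.new(secret, header + placeholder, hashlib.md5).digest()
    return header + attrs + attr(MESSAGE_AUTHENTICATOR, mac)


def verify_access_request(secret, pkt):
    """RADIUS server side: check the Message-Authenticator before touching EAP."""
    if len(pkt) < 20:
        return False
    code, ident, length = HEADER.unpack_from(pkt)
    if code != ACCESS_REQUEST or length != len(pkt):
        return False
    try:
        attrs = list(parse_attrs(pkt[20:]))
    except ValueError:
        return False
    macs = [v for k, v in attrs if k == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    zeroed = pkt[:20] + b"".join(
        attr(k, b"\x00" * 16 if k == MESSAGE_AUTHENTICATOR else v) for k, v in attrs)
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, macs[0])


def build_response(secret, code, ident, req_auth, attrs=b""):
    """RADIUS server side. Response Authenticator =
    MD5(Code | ID | Length | RequestAuthenticator | Attributes | Secret)."""
    header = HEADER.pack(code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def verify_response(secret, request, response):
    """NAS side: trust an Accept only if its ID matches the outstanding request
    and its Response Authenticator was computed with our shared secret."""
    _, req_id, _ = HEADER.unpack_from(request)
    _, ident, length = HEADER.unpack_from(response)
    if ident != req_id or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo(secret=b"constructed-demo-secret", nas_ip="10.5.50.71", tampered=False):
    """Run steps c and e for a constructed user 'jdoe'. Returns
    (server accepted the request, NAS accepted the reply). With tampered=True the
    server holds a different secret, so both checks must fail."""
    req_auth = os.urandom(16)
    # Constructed EAP-Response/Identity: Code 2, ID 1, Length 9, Type 1, "jdoe".
    eap_identity = struct.pack("!BBH", 2, 1, 5 + len(b"jdoe")) + b"\x01jdoe"
    request = build_access_request(secret, 7, req_auth, "jdoe", nas_ip, eap_identity)
    server_secret = b"wrong-secret" if tampered else secret
    request_ok = verify_access_request(server_secret, request)
    accept = build_response(server_secret, ACCESS_ACCEPT, 7, req_auth)
    return request_ok, verify_response(secret, request, accept)


if __name__ == "__main__":
    print("matching secrets:", demo())              # (True, True)
    print("mismatched secret:", demo(tampered=True))  # (False, False)
```

With matching secrets both checks pass; with tampered=True the server holds a different secret and both fail, which is what a NAS/server secret mismatch looks like on the wire (requests silently dropped, no Access-Accept trusted). Note that the protection is HMAC-MD5 and plain MD5: it authenticates the exchange but provides no confidentiality, and an observer with a captured request/response pair can attempt offline guessing of the secret, so use a long random secret and keep the mgt0 RADIUS traffic on the management network.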

2007-2010 Aerohive Networks Inc. All Rights Reserved For Aerohive internal use only.


3. HiveManager and AP Configuration

a. Log in to the HiveManager, and accept the EULA. Select Enterprise Mode when prompted
b. Navigate to Monitor > HiveAPs, and select the AP that will be the RADIUS server. Click Modify
c. In the Optional Settings section, select the checkbox next to Ethernet and Network Settings. Uncheck the box to Enable DHCP, and type in a static IP address


d. Navigate to Configuration > WLAN Policies, and create a new WLAN policy
e. In the WLAN policy:
   1. Enter a WLAN Policy name, for example: CorpWLAN
   2. Select a Hive; if you do not have one, click + to create a new Hive
   3. Click the button to Add/Remove SSID Profile
   4. Click + to add a new SSID that will use 802.1X and a HiveAP RADIUS server
   SSID Configuration
   1. Enter an SSID Profile Name, for example: ADTest
   2. Enter an SSID: ADTest
   3. For SSID Access Security select: WPA/WPA2 802.1X (Enterprise)
   4. Next to RADIUS Server click +


f. In the HiveAP RADIUS Server Configuration section
   1. Select HiveAP RADIUS Server and then select More Settings
g. In the detailed AAA Client Settings for specifying the location of the RADIUS server
   1. Enter a name for the RADIUS object, for example: HiveAPRADIUS
   2. Enter the IP of the MGT0 interface of the HiveAP RADIUS server, for example: 10.5.50.71
   3. Enter a shared secret used to secure communication between the HiveAP RADIUS clients (NAS) and the HiveAP RADIUS server. Use a long, random value: RADIUS protects the exchange only with MD5-based authenticators keyed by this secret, so a short or guessable secret can be recovered from captured traffic
   4. Click Apply


   5. Click Save to create the RADIUS server object
h. In the SSID configuration
   1. Next to RADIUS server, make sure your HiveAP RADIUS server object is selected, then save the SSID


i. In the WLAN policy configuration
   1. Move the 802.1X SSID to the Select SSID Profiles list and click Apply
   2. Then save your WLAN policy


j. Now navigate to Configuration > Advanced Configuration > Authentication > AD/LDAP Settings and click New


k. In the AD/LDAP Settings fill out the fields
   1. Enter a name for the Active Directory object
   2. Select the Active Directory radio button
   3. Enter the Active Directory Server IP or resolvable hostname
   4. Enter an admin username and password for a domain administrator that has privileges to join a computer to the domain, so that the AP can add itself to the domain. Any account with the right to create computer objects in the target OU is sufficient; it does not have to be a member of Domain Admins.
      NOTE: The admin username and password are not required to be entered in HiveManager. If you prefer, you can leave this section blank, finish the rest of this document, and then go to the CLI and type exec aaa net-join primary username <domain admin username> password <domain admin password> to join the AP to the domain. Leaving the field blank also keeps the join credential out of HiveManager and out of the configuration pushed to the AP.
   5. Computer OU: Only required if you want the AP to join an OU other than Computers
      NOTE: The string can be up to 256 characters and must be in the following format: ou\subou\subou (listed top-down, parent OU first). If there are any spaces, enclose the entire string in quotation marks. You can use either forward slashes or backslashes between directory names in the Computer OU.
   6. Domain: Enter the NetBIOS (short) name of the Domain (ex: AEROHIVE)
   7. Full Name: FQDN of the Domain (ex: aerohive.com)


   8. RADIUS User Base DN: If the wireless users are in the Users container on your AD server, leave it blank; otherwise type the LDAP path to the users folder. For example, to begin searching for user accounts in "employees", enter "CN=employees,CN=users,DC=aerohive,DC=com". The Base DN can be up to 256 characters long
   9. Bind DN Name: a regular DOMAIN USER account. No special permissions are required. For example, a UPN of the form <username>@aerohive.com. Use a dedicated account for this purpose: its password is stored on the AP, so it should have no rights beyond reading the directory
   10. Default: check this box if you have multiple domains; this is the one that is searched if a domain is not specified
   11. Bind DN Password: password for the Domain User specified
   12. When complete, click Apply
   13. When complete, click Save located at the top of the screen
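The Computer OU and RADIUS User Base DN fields from steps k.5 and k.8, as an added Python example that is not HiveManager or Samba code: it converts the HiveManager path notation into the LDAP distinguished name the AP's computer object will be created under, applies the 256-character limits the fields impose, and RFC 4514-escapes OU names so a comma or leading space in an OU name cannot change the DN's meaning. The domain aerohive.com and the "employees" Base DN are the document's examples; the OU names "Network Devices" and "Access Points" are constructed. The top-down ordering of the path (parent OU first) follows Samba's createcomputer convention, which is an assumption about how HiveOS passes the field to its Samba join.

```python
import re

MAX_FIELD_LEN = 256  # HiveManager limit for both the Computer OU and the Base DN fields


def escape_rdn_value(value):
    """Escape an attribute value for use in a DN (RFC 4514 section 2.4), so an
    OU name such as 'Sales, EMEA' cannot be misread as two separate RDNs."""
    out = re.sub(r'([,+"\\<>;=])', r'\\\1', value)
    if out[:1] in ('#', ' '):
        out = '\\' + out
    if out.endswith(' '):
        out = out[:-1] + '\\ '
    return out


def domain_dn(fqdn):
    """aerohive.com -> DC=aerohive,DC=com (the 'Full Name' field in step k.7)."""
    labels = [p for p in fqdn.strip().lower().split('.') if p]
    if len(labels) < 2 or not all(re.fullmatch(r'[a-z0-9-]+', p) for p in labels):
        raise ValueError(f"not a usable domain FQDN: {fqdn!r}")
    return ','.join(f'DC={p}' for p in labels)


def computer_ou_to_dn(ou_path, fqdn):
    """Map the Computer OU field to the DN the AP's computer object will be
    created under. The field is top-down ('parent\\child'), accepts either
    slash (assumed Samba createcomputer convention), and is quoted when it
    contains spaces; an empty field means the default Computers container."""
    if len(ou_path) > MAX_FIELD_LEN:
        raise ValueError("Computer OU exceeds 256 characters")
    path = ou_path.strip()
    if len(path) >= 2 and path[0] == path[-1] == '"':
        path = path[1:-1]
    parts = [p.strip() for p in re.split(r'[\\/]+', path) if p.strip()]
    if not parts:
        return f'CN=Computers,{domain_dn(fqdn)}'
    rdns = [f'OU={escape_rdn_value(p)}' for p in reversed(parts)]
    return ','.join(rdns + [domain_dn(fqdn)])


def user_base_dn(base_dn, fqdn):
    """Resolve the RADIUS User Base DN field: blank means the built-in Users
    container; otherwise enforce the length limit and require that the DN
    sits inside the configured domain, so a search base from another domain
    is caught before it is pushed to the AP."""
    dn = base_dn.strip()
    if not dn:
        return f'CN=Users,{domain_dn(fqdn)}'
    if len(dn) > MAX_FIELD_LEN:
        raise ValueError("Base DN exceeds 256 characters")
    if not dn.lower().endswith(domain_dn(fqdn).lower()):
        raise ValueError(f"Base DN {dn!r} is not under {domain_dn(fqdn)}")
    return dn
```

A check worth making before clicking Save: the Users and Computers containers built into AD are CN=, while anything an administrator created is OU=, so writing "OU=users,DC=aerohive,DC=com" is a common Base DN mistake that makes every user lookup fail even though the domain join succeeded.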


l. Next go to Configuration > Advanced Configuration > Authentication > HiveAP AAA Server Settings and click New to create a new HiveAP RADIUS server instance
m. In the HiveAP AAA Server Settings
   1. Enter a name for the AAA Server object, for example: HiveAPRADIUS
   2. Uncheck the box for Local Database
   3. In the Database Access Settings section, select the AD/LDAP instance you just created above and click Apply


n. Scroll down and expand the HiveAP NAS Optional Settings
   1. Select an IP object for the network the mgt0 interface of the HiveAPs are using. If you do not have an IP object for the networks your HiveAPs are on, you can click + to create a new IP network object
   2. Enter the shared secret you defined in the AAA RADIUS client configuration in section g
   3. Click Apply
   4. Click Save at the top of the page


o. Go back to Monitor > HiveAPs and Modify the HiveAP that will be the RADIUS server
   1. In the Optional Settings > Service Settings section, choose the RADIUS instance you created above from the drop-down box
   2. Click Save
p. Select all the HiveAPs that will be using the 802.1X SSID with Active Directory and click Modify
   1. Assign the multiple selected HiveAPs to the WLAN policy with the 802.1X SSID that uses Active Directory
   2. Click Save
q. Select the checkbox next to the HiveAPs and click Update, and Upload and Activate Configuration (Wizard)
   1. Click Next when prompted to upload the certificates


   2. Even if you have uploaded configs to this AP before, perform a Complete upload. The certificate changes and the AD join work better after a reboot.

r. Windows Server Information
   1. In your Active Directory Server, navigate to the Computers OU (or the folder you specified for the AP to join as a computer account)


   2. Confirm the AP has joined the domain
      NOTE: You may have to right-click on the Computers window pane and click Refresh
s. Test the 802.1X SSID

4. Troubleshooting

a. If the AP cannot join the domain, check to make sure the WORKGROUP (Domain) and DOMAIN (Full Name or FQDN) are correct. The join also depends on the AP resolving the domain FQDN through its configured DNS server and on its clock being within the Kerberos skew tolerance (5 minutes by default), so check DNS and NTP on the AP as well.
   i. From the console, test to see if you can manually join the AP to the domain:
      1. exec aaa net-join primary username <domain admin> password <admin password>
   ii. The resulting error messages often explain the issue
b. If the AP has joined the domain, but users are not authenticating, it is possible to test user authentication from the AP to take the client out of the equation
   i. exec aaa ntlm-auth username <domain user> password <user password>
   ii. The resulting error message explains the issue
   NOTE: Both commands take the password in clear text on the command line, so it appears in any console or terminal-session log; use a test account where possible.
c. If the AP has joined the domain and some users work, there are debug commands to see what else is going on
   i. _debug radius comm
   ii. _debug radius excessive
   iii. _debug radius verbose
   iv. debug console
d. If the above commands do not work, try debugging authentication
   i. _debug auth all
   Turn debugging off again when finished; verbose RADIUS and authentication debugging writes per-user authentication details to the console.
