How to configure radius on an AP in XIQ


Goals

  • How to make an internal Radius server (hosted on an AP)
  • How to make an external Radius server (hosted on your backend network)
  • How to set up Radius with MAC Authentication.

Background

  • Radius authentication requires a unique username and password for each user, with the added security of a NAS list, time checks, and an Active Directory.
Environment
  • HiveManager
  • Radius
Resolution
  • Configure> Network Policies> Open an existing policy or create a new one

  • Go to Wireless Networks> Create a new SSID

  • Name the SSID and select the SSID Authentication Enterprise WPA/WPA 802.1x


  • Click on the plus icon next to Default RADIUS Server Group

  • Name the Radius server object

  • Choose the kind of Radius server to build:

    • External Radius Server (a Radius server built outside of the Aerohive equipment that we link to)

    • Extreme Networks Radius Server (a Radius server built on the APs, linking to an externally hosted database, or a local database)


Creating an External Radius Server
  • Choose External Radius Server

  • Enter an object name

  • Create an IP object that matches the IP address of the Radius server by clicking on the plus icon next to IP/Host Name

  • (Optional) Enter a shared secret (if this has been set in the Radius server, be sure to match the shared secret here).


  • Click Save External Radius in the lower right hand corner of the page.

  • The new server should now appear in the list on the Configure Radius Server Group page.

  • Check the box next to the External Radius server we just built

  • Click save again

  • Set the user profile and save the network policy

  • Push this out to the APs as a complete configuration update



Creating an Internal Radius Server on an Aerohive AP linked to an External user database

  • Select Aerohive Radius Server

  • Click the plus icon to make a new internal Radius server.

  • This will bring up the three step process for creating an Internal Radius server linked to an external database.

  • The first step is to select the device to use as the Radius server.

    • Keep in mind, the Radius server AP needs a static IP address to function properly.
      • Set a static IP on the AP by going to Monitor> Select the check box next to the AP> Modify> Device Configuration> Static Address> enter the IP address, Netmask, and Default Gateway, then save.
    • Also try to select APs that aren’t heavily used and are the latest AP model possible.


  • The second step covers choosing the kind of user database to use, deciding which APs are allowed to ask for authentication approvals, and setting up a certificate if needed.

    • Active Directory- Linking to an Active Directory database that is already set up

    • Approved RADIUS Clients- Setting the NAS list (the list of AP IP addresses allowed to access the Active Directory (AD) for authentication requests)

      • Note: If the NAS list is left at default settings, all APs within the network will be allowed to contact the AD for authentication requests.

    • Security Options- The certificate to be used by the Radius server (this is not required, but adds a layer of security to the Radius setup)


  • Step 3: Add the active directory (or LDAP) information for the Radius server to link up to.


  • Enter the information for the Active Directory server the AP will be querying for user connection requests.


Creating an Internal Radius Server on an Aerohive AP Linked to an Internal user database
  • Go to Configure> Users> User Group> ADD

  • Create a Radius User Group

  • Save the User Group

  • Go to Configuration> Network Policy> Open the Network Policy> Create or open the Radius SSID> Click on the plus icon next to Default RADIUS Server Group

  • Select Extreme Networks Radius Server and then click the plus icon to make a new internal Radius server.


  • Select the device to use as the Radius server.

    • Keep in mind, the Radius server AP needs a static IP address to function properly.
      • Set a static IP on the AP by going to Monitor> Select the check box next to the AP> Modify> Device Configuration> Static Address> enter the IP address, Netmask, and Default Gateway, then save.
    • Also try to select APs that aren’t heavily used and are the latest AP model possible.


  • The second step covers choosing the kind of user database to use, deciding which APs are allowed to ask for authentication approvals, and setting up a certificate if needed.

    • User Database- Select Local Database to use clients created and hosted on the HiveManager/APs.

    • Approved RADIUS Clients- Setting the NAS list (the list of AP IP addresses allowed to access the Active Directory (AD) for authentication requests)

      • Note: If the NAS list is left at default settings, all APs within the network will be allowed to contact the AD for authentication requests.

    • Security Options- The certificate to be used by the Radius server (this is not required, but adds a layer of security to the Radius setup)



  • To choose a user group that was made earlier, click on the icon next to the trashcan under Local Database.

  • Save and push this out as a complete configuration update to the APs.

Radius using MAC Authentication

  • Configuration> Users> User Groups> New

  • Use Local as the Password DB location.

  • Make sure the password type is Radius

  • Make sure the password can include both letters and numbers so that we can use the device MAC address as the user name and password.



  • Go to the left hand side menu and select Users, and then create a new user.

  • Select the user group that was just made from the drop down menu at the top

  • Enter the user name and password as the MAC address of the device that will connect to this SSID, and save.

  • Note: The MAC address should be entered into both the username and password fields in all lower case, with no delimiters.

  • Repeat this process with all users that need to connect to this SSID.

  • Create a new SSID and set it to Open. Then switch over to the MAC Authentication sub-tab.


  • Toggle MAC Authentication to On.

  • Make a new Radius Server Group. This is very similar to making a normal internal Radius server.

  • Select Extreme Networks Radius Server and then click the plus icon to make a new internal Radius server.


  • Select the device to use as the Radius server.

    • Keep in mind, the Radius server AP needs a static IP address to function properly.

      • Set a static IP on the AP by going to Monitor> Select the check box next to the AP> Modify> Device Configuration> Static Address> enter the IP address, Netmask, and Default Gateway, then save.

    • Also try to select APs that aren’t heavily used and are the latest AP model possible.


    • User Database- Choose Local Database

    • Approved RADIUS Clients- Setting the NAS list (the list of AP IP addresses allowed to access the Active Directory (AD) for authentication requests)

      • Note: If the NAS list is left at default settings, all APs within the network will be allowed to contact the AD for authentication requests.

    • Security Options- The certificate to be used by the Radius server (this is not required, but adds a layer of security to the Radius setup)


  • Click on the icon next to the trashcan under Local Database and select the proper group name.

  • Keep saving the Radius settings until you are returned to the main SSID page.

  • Configure the SSID with any other settings needed, then save.

  • Finally, push this configuration out to the APs.
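
The username/password format required in the MAC Authentication steps above, applied to a batch of devices (an added example, not part of the original article): it normalizes mixed-format MAC addresses to lower case with no delimiters. Rejecting duplicate, multicast and locally administered addresses is an added check the article does not describe, and the sample inventory is constructed.

```python
import re

# Assumption: inventory entries use ':', '-' or '.' separators, or none
# (aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff, aabbccddeeff).
_SEPARATORS = re.compile(r"[:\-.]")
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Return the MAC as 12 lowercase hex digits, or raise ValueError."""
    candidate = _SEPARATORS.sub("", raw.strip()).lower()
    if not _HEX12.match(candidate):
        raise ValueError(f"not a MAC address: {raw!r}")
    return candidate


def build_credentials(inventory):
    """Return (accepted user entries, rejected (raw, reason) tuples)."""
    accepted, rejected, seen = [], [], set()
    for raw in inventory:
        try:
            mac = normalize_mac(raw)
        except ValueError as exc:
            rejected.append((raw, str(exc)))
            continue
        first_octet = int(mac[:2], 16)
        if first_octet & 0x01:
            rejected.append((raw, "multicast/broadcast address"))
        elif first_octet & 0x02:
            # Locally administered: typical of OS MAC randomization, so the
            # value may change and the stored account would stop matching.
            rejected.append((raw, "locally administered (possibly randomized)"))
        elif mac in seen:
            rejected.append((raw, "duplicate of an earlier entry"))
        else:
            seen.add(mac)
            # Username and password are the same string, as the article requires.
            accepted.append({"username": mac, "password": mac})
    return accepted, rejected


# Constructed sample inventory, not taken from the article.
SAMPLE = ["00:1A:2B:3C:4D:5E", "001a.2b3c.4d5e", "3C-22-FB-00-11-22",
          "DA:A1:19:00:00:01", "01:00:5E:00:00:FB", "00:1A:2B:3C:4D"]

if __name__ == "__main__":
    ok, bad = build_credentials(SAMPLE)
    print([entry["username"] for entry in ok])
    for raw, reason in bad:
        print(f"REJECTED {raw}: {reason}")
```

The accepted entries are the values to type into the user name and password fields; rejected entries need an operator's review before an account is created for them.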
