Reset Search
 

 

Article

Radius Server hosted on an AP

« Go Back

Information

 
TitleRadius Server hosted on an AP
Symptoms
A Radius SSID has a unique username and password for each client, as well as added levels of security that are not offered by other types of SSIDs.
This article covers how to set up an Aerohive AP to act as a Radius Server.
Environment
HiveManager
Cause
Resolution
Step one:

To create a Radius server on the AP we will want to create the Active Directory binding in Hive manager. To do this, login to Hive manager and go to Configuration>On the left hand side select 'show nav' if the left hand side menu is not already displayed and go to Advanced Configuration>Authentication>AAA Server Settings> New. In here Expand Database Settings first.

User-added image

Here we can tell the server it if it going to use a local database (local user group made on the hive manager) or an external database (AD sever). If you are using a local database, go to step two, if you are using an external data base, go to step Three.
 
Step Two:

If we are using a local user group, we need to set that up first. Once we’ve set that up, you should see the local user group you’ve created in that Available Local User Group list. We would just need to move that over to the Selected Local User Group list and the Radius will know to consult that list to check the username and password to make sure it’s correct. Next, skip to Step Four.

Step Three:

If we are using an external data base we would uncheck the local database box and check the External Database box.

User-added image

Here we would specify if we are using an AD or an LDAP. Then we would click on the plus button to create a new Active Directory.

User-added image

In this screen we need to provide the information that will allow us to tie the radius server to the active directory. First we need to select the Aerohive device for the Active Director set up. Then we will need to enter the IP address, Netmask, Default Gateway and DNS server for that Ap. Next, we need to enter the domain information and click ‘Retrieve Directory Information’. If it is successful, you will see a second box labled Domain Admin Credentials to Join Domain. Enter the Domain information here and click ‘Join’. If this is successful you will see a third and final box labeled Domain User Credentials Reuired for User Lookups. Enter this information and click ‘Validate User’. If this is successful, click Save at the top. Once you have created this object you should see it in the drop down menu under active directory. Click Apply.

Step Four:

The next section we want to expand is Radius Settings. This section is in regard to certifications. We have three options; we can use the default certifications that are already in there, we can create self signed certifications on the hive manager, or we can get third party certifications (for example from GoDaddy) and upload them to the hive manager. For reference, most customers go with the default certifications that are in the hive manager to begin with.

User-added image


Step Five:

The next section we want to expand is the Radius Clients/NAS settings. This is where we make the NAS list, or the list of APs that are allowed to ask for Radius authentication. If the IP address of the AP that is requesting authentication is not on this list, they will not be able to connect.


User-added image

To create a new NAS object, click on the plus button next to the Ip Object/HostName area.

User-added image

Here we have some options on how to define our NAS list. We can either enter one IP address, so only one AP can ask for Radius authentication. We can specify an IP range, we can enter a Host Name of one AP, we can specify our network so that any APs in that network are allowed to access the Radius server, or we can do it by web page. It is not necessary to hit new unless you are adding two objects. The first object can be specified in the boxes below IP entry. Save this once you are finished. Next we need to enter the Shared Secret. This is not going to need to be given to customers; however, we do need to match this password with another section in the hive manager for the Radius server to work, so make sure it’s something you can remember.

Step Six:

Next we need to define which AP is going to be the Radius Server. Go to Monitor> Select the check box next to the AP you want to make as a Radius server> Modify. The AP we want to act as a radius sever needs to have a static IP address. To do this we need to expand the Mgt0 interface settings and select the radio button next to Static IP. Here we will define the Static IP address, the Netmask, and the Default Gateway.

Next, we want to expand Service Settings and in the drop down menu next to Device Radius Service, select the object we just made in AAA Server Settings.

Step Seven:

Next we need to go to Configuration> Expand the left hand side menu> Advanced Configuration> Authentication> AAA client settings. Here we specify which AP will be acting as the Radius server, or the IP address of the external radius server you already have set up if you are using an external radius server. We need to click on the Plus button next to IP address and Domain Name.

User-added image


In the next page we will chose how we will define our radius server (IP address, IP Range, Host Name, etc.). Unless you are making several objects here it is again unnecessary to click new. Once you have specified the IP address of your Radius server, click Save.

User-added image

Lastly, we need to enter the Shared Secret. This is the same shared secret as the one we made in the AAA server settings area. If you don’t remember what it was, you need to go back to check it; if these don’t match, the Radius will fail. Once you’re done, click Apply, then Save.

Step Eight:

Now we need to tie this Radius server to our SSID. To do this we need to go to Configuration> Open the Network policy> If the SSID isn’t already set to use Radius open the SSID and chose the 802.1 security and save> Now under Authentication you should see an area for a Radius server. Click here and select the Object you just made under AAA Client Settings. Save this Network Configuration.

Step Nine:

Finally, we have to push it out to the AP. So to recap, we made the AAA server setting object which tied in to the Active Directory, dealt with certificates, and created a NAS list. Then we selected the AP we wanted to use as the Radius server, gave it a static IP address and tied it in to our AAA server setting object that we made. Then we created a AAA client settings object which specified which AP was our Radius server. Finally we created an SSID that tied in to our AAA client setting object. Now we push out the configuration to the AP and you will have a Radius Server tied in to your network.
Additional notes

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255