
PAGE 1 OF 14

AD Integration

Aerohive Networks Configuring Active Directory Integration


1. Overview of Active Directory Integration

Aerohive HiveAP RADIUS functionality offers the ability to authenticate 802.1X methods such as PEAP, TTLS, TLS, and LEAP with a local user database on the HiveAP, or against an authoritative store like Active Directory, OpenLDAP, or eDirectory. This gives an administrator the ability to implement a centrally managed secure WLAN solution using 802.1X without having to configure or modify corporate RADIUS servers, and also provides the ability to survive the failure of a WAN link by caching previously authorized users.

In an Aerohive deployment, an administrator can designate an AP or two to become RADIUS servers, and those APs will provide AAA functionality for the other APs in the hive. Only those two APs will require a connection to the authoritative store using NTLM/Kerberos or LDAP/LDAPS. Since Active Directory is the most commonly configured directory store, this document will describe how to configure AD integration on an Aerohive HiveAP.

2. How it Works

Understanding the steps that occur for the Active Directory integration makes it easier to determine what elements need to be configured and to troubleshoot when something isn't working. Here is a list of the necessary phases for Aerohive AD integration:

a. AP attempts to join the Active Directory domain using SAMBA (NTLM and Kerberos)
   i. Requires domain admin credentials
   ii. Now the AP resembles any laptop joined to the AD domain. Any valid domain user can log in using domain user credentials
b. The laptop associates to the Access Point (AP)
   i. Supplicant sends an EAPoL request
c. AP encapsulates the EAP request into RADIUS
   i. AP sends a request to the FreeRADIUS module embedded in the AP
d. AP uses LDAP to query the AD user database
   i. Requires any valid domain user credentials
e. Once the user is discovered in the database, RADIUS passes the NT hash password from the supplicant to the AD
   i. AD responds with an accept or deny
f. AP gets the seed key from the FreeRADIUS server to initiate encryption
g. Supplicant uses the same seed key to generate encryption information

2007-2010 Aerohive Networks Inc. All Rights Reserved For Aerohive internal use only.



3. HiveManager and AP Configuration

a. Log in to the HiveManager, and accept the EULA. Select Enterprise Mode when prompted
b. Navigate to Monitor > HiveAPs, and select the AP that will be the RADIUS server. Click Modify
c. In the Optional Settings section, select the checkbox next to Ethernet and Network Settings. Uncheck the box to Enable DHCP, and type in a static IP address



d. Navigate to Configuration > WLAN Policies, and create a new WLAN policy
   1. Enter a WLAN Policy name, for example: CorpWLAN
   2. Select a Hive; if you do not have one, click + to create a new Hive
   3. Click the button to Add/Remove SSID Profile
   4. Click + to add a new SSID that will use 802.1X and a HiveAP RADIUS server
e. SSID Configuration
   1. Enter an SSID Profile Name, for example: ADTest
   2. Enter an SSID: ADTest
   3. For SSID Access Security select: WPA/WPA2 802.1X (Enterprise)
   4. Next to RADIUS Server click +



f. In the HiveAP RADIUS Server Configuration section
   1. Select HiveAP RADIUS Server and then select More Settings
g. In the detailed AAA Client Settings for specifying the location of the RADIUS server
   1. Enter a name for the RADIUS object, for example: HiveAPRADIUS
   2. Enter the IP of the MGT0 interface of the HiveAP RADIUS server, for example: 10.5.50.71
   3. Enter a shared secret used to secure communication between the HiveAP RADIUS clients (NAS) and the HiveAP RADIUS server
   4. Click Apply



   5. Click Save to create the RADIUS server object
h. In the SSID configuration
   1. Next to RADIUS server, make sure your HiveAP RADIUS server object is selected, then save the SSID



i. In the WLAN policy configuration
   1. Move the 802.1X SSID to the Select SSID Profiles list and click Apply
   2. Then save your WLAN policy



j. Now navigate to Configuration > Advanced Configuration > Authentication > AD/LDAP Settings and click New



k. In the AD/LDAP Settings, fill out the fields
   1. Enter a name for the Active Directory Object
   2. Select the Active Directory radio button
   3. Enter the Active Directory Server IP or resolvable hostname
   4. Enter an admin username and password for a domain administrator that has privileges to join a computer to the domain so that the AP can add itself to the domain.
      NOTE: The admin username and password are not required to be entered in HiveManager. If you prefer, you can leave this section blank, finish the rest of this doc, and go to the CLI and type exec aaa net-join primary username <domain admin username> password <domain admin password> to join the AP to the domain
   5. Computer OU: Only required if you want the AP to join an OU other than Computers
      NOTE: The string can be up to 256 characters and must be in the following format: ou\subou\subou. If there are any spaces, enclose the entire string in quotation marks. You can use either forward slashes or backslashes between directory names in the computer OU.
   6. Domain: Enter the name of the Domain (ex: AEROHIVE)
   7. Full Name: FQDN of the Domain (ex: aerohive.com)



   8. RADIUS User Base DN: If the wireless users are in the Users container on your AD server, leave it blank; otherwise type the LDAP path to the users folder. For example, to begin searching for user accounts in "employees", enter "CN=employees,CN=users,DC=aerohive,DC=com". The Base DN can be up to 256 characters long
   9. Bind DN Name: a regular DOMAIN USER account. No special permissions required. For example: user@aerohive.com
   10. Default: check this box. If you have multiple domains, this is the one that is searched if a domain is not specified.
   11. Bind DN Password: password for the Domain User specified
   12. When complete, click Apply
   13. When complete, click Save located at the top of the screen
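As an added example (not Aerohive's code), a small Python checker for the AD/LDAP Settings fields in step k, applying the rules the guide states: the 256-character limits, the ou\subou\subou Computer OU format with quotation marks when it contains spaces, a blank Base DN meaning the Users container, and the Bind DN Name written as user@fqdn. The field names, the dict layout and the top-down reading of the OU path are assumptions.

```python
import re

MAX_LEN = 256  # length limit the guide gives for Computer OU and Base DN
DN_RE = re.compile(r"(?:CN|OU|DC)=[^,]+(?:,(?:CN|OU|DC)=[^,]+)*", re.I)
UPN_RE = re.compile(r"[^@\s]+@([^@\s]+)")  # Bind DN Name form: user@fqdn
def fqdn_to_dc(fqdn):
    """'aerohive.com' -> 'DC=aerohive,DC=com'."""
    labels = [p for p in fqdn.strip().lower().split(".") if p]
    if not labels:
        raise ValueError("Full Name (FQDN) must not be empty")
    return ",".join("DC=" + p for p in labels)

def computer_ou_to_dn(computer_ou, fqdn):
    """Map the 'ou\\subou\\subou' path (step 5) to the DN of the AP's computer
    container; blank means CN=Computers. Assumed top-down, so built leaf-first."""
    ou = computer_ou.strip()
    if len(ou) > MAX_LEN:
        raise ValueError("Computer OU is longer than 256 characters")
    if not ou:
        return "CN=Computers," + fqdn_to_dc(fqdn)
    if " " in ou and not (ou.startswith('"') and ou.endswith('"')):
        raise ValueError("Computer OU with spaces must be enclosed in quotation marks")
    parts = [p for p in re.split(r"[\\/]", ou.strip('"')) if p]  # either slash
    return ",".join(["OU=" + p for p in reversed(parts)] + [fqdn_to_dc(fqdn)])

def user_base_dn(base_dn, fqdn):
    """Blank Base DN (step 8) means the Users container; else a CN=/OU=/DC= path."""
    dn = base_dn.strip()
    if len(dn) > MAX_LEN:
        raise ValueError("RADIUS User Base DN is longer than 256 characters")
    if not dn:
        return "CN=Users," + fqdn_to_dc(fqdn)
    if not DN_RE.fullmatch(dn):
        raise ValueError("Base DN must look like CN=...,DC=...,DC=...")
    return dn

def validate_ad_settings(s):
    """Check a dict of the step 5-9 fields (assumed keys); returns problems found."""
    errors, fqdn = [], s.get("full_name", "")
    if not re.fullmatch(r"[A-Za-z0-9-]+", s.get("domain", "")):
        errors.append("Domain should be the short name only, e.g. AEROHIVE")
    for field, fn in (("computer_ou", computer_ou_to_dn), ("base_dn", user_base_dn)):
        try:
            fn(s.get(field, ""), fqdn)
        except ValueError as e:
            errors.append(str(e))
    m = UPN_RE.fullmatch(s.get("bind_dn", "").strip())
    if not (m and m.group(1).lower() == fqdn.strip().lower()):
        errors.append("Bind DN Name should be a regular user written as user@" + fqdn)
    return errors
```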



l. Next go to Configuration > Advanced Configuration > Authentication > HiveAP AAA Server Settings and click New to create a new HiveAP RADIUS server instance
m. In the HiveAP AAA Server Settings
   1. Enter a name for the AAA Server object, for example: HiveAPRADIUS
   2. Uncheck the box for Local Database
   3. In the Database Access Settings section, select the AD/LDAP instance you just created above and click Apply



n. Scroll down and expand the HiveAP NAS Optional settings
   1. Select an IP object for the network the mgt0 interface of the HiveAPs are using. If you do not have an IP object for the networks your HiveAPs are on, you can click + to create a new IP network object
   2. Enter the shared secret you defined in the AAA RADIUS client configuration in section g.
   3. Click Apply
   4. Click Save at the top of the page



o. Go back to Monitor > HiveAPs and Modify the HiveAP that will be the RADIUS server
   1. In the Optional Settings > Service Settings section, choose the RADIUS instance you created above from the dropdown box
   2. Click Save
p. Select all the HiveAPs that will be using the 802.1X SSID with Active Directory and click Modify
   1. Assign the multiple selected HiveAPs to the WLAN policy with the 802.1X SSID that uses Active Directory
   2. Click Save
q. Select the checkbox next to the HiveAPs and click Update, and Upload and Activate Configuration (Wizard)
   1. Click Next when prompted to upload the certificates


   2. Even if you have uploaded configs to this AP before, perform a Complete upload. The certificate changes and the AD join work better after a reboot.
r. Windows Server Information
   1. In your Active Directory Server, navigate to the Computers OU (or the folder you specified for the AP to join as a computer account)


   2. Confirm the AP has joined the domain
      NOTE: You may have to right-click on the computers window pane and click Refresh
s. Test the 802.1X SSID

4. Troubleshooting

a. If the AP cannot join the domain, check to make sure the WORKGROUP (Domain) and DOMAIN (Full Name or FQDN) are correct.
   i. From the console, test to see whether you can manually join the AP to the domain
      1. exec aaa net-join primary username <domain admin> password <admin password>
   ii. Resulting error messages often explain the issue
b. If the AP has joined the domain, but users are not authenticating, it is possible to test user authentication from the AP to take the client out of the equation
   i. exec aaa ntlm-auth username <domain user> password <user password>
   ii. Resulting error message explains the issue
c. If the AP has joined the domain and some users work, there are debug commands to see what else is going on
   i. _debug radius comm
   ii. _debug radius excessive
   iii. _debug radius verbose
   iv. debug console
d. If the above commands do not work, try debugging authentication
   i. _debug auth all

