This is a new configuration and the first time using HiveManager (NG upgraded to Select). These are brand new Access Points and a new config, only about 4 weeks old. The company it comes under is "EBIQUITY".
I have one network policy with 2 SSID's, they are EbiquityPLC and EbiquityGuest.
Under the EbiquityPLC I have setup the SSID as Private Pre-Shared Key and I have 4 User Groups aasigned with 4 User profiles mapping through to 4 different VLANS.
US-Trusted-Staff maps to VLAN 202
US-Trusted-Mobile maps to VLAN 204
US-Untrusted-BYOD maps to VLAN 205
US-Untrusted-Conf2 maps to VLAN 203
Each User group has one user setup.
Users can connect to EbiquityPLC using the PPSK for US-Trusted-Staff no problem.
But when a user tries to connect to the EbiquityPLC with the PPSK for US-Untrusted-BYOD they get an error Authenication Failed. When I look at "Tools - Client Monitor" I can see the error "PPSK Rejected by Guest Access" - "ID Manager did not accept the PPSK authentication request for the EbiquityPLC SSID". I have checked all the seeting and they look correct. I have checked the PPSK's and again they all look corredct.
Can any one help?
Do your attributes attached to each respective User Profile match the PPSK Group attribute? Thats where I see the most common issues with multi-PPSK Group attachments to SSIDs. The VLANs need to match as well (more obvious though).
Are you able to share any of the configuration from an AP? It'll be easier to see things there vs. screen shots of the GUI.
Sorry for the late reply. I have attached a copy of the config.
Kind of sorted this, delete all the users account and all the config settings for the user profiles. Then added them back on again but used local for password DB instead of Cloud. Had a user test and everything worked as it should.
There's a lot going on in that config file. :)
But the one thing that sticks out is - security-object EbiquityPLC default-user-profile-attr 3. That EbiquityPLC security-object ties to your EbiquityPLC (ssid EbiquityPLC security-object EbiquityPLC).
That default user profile attribute of 3 is also the US-Untrusted-BYOD user profile.
user-profile US-Untrusted-BYOD qos-policy def-user-qos
user-profile US-Untrusted-BYOD vlan-id 205
user-profile US-Untrusted-BYOD attribute 3
user-profile US-Untrusted-BYOD deny-action-for-schedule ban
I cant help but think that those should not be the same as the default user attributes for the before mentioned user profile. That in unless your default user profile on that SSID is the US-Untrusted-BYOD, which would make it make some logical sense.
The PPSK User Groups don't seem to be included in the config (or I'm missing them). So I'd need to see a bit of that info, but everything else looks like it lines up.
One of my engineers was testing the conference setup I have on the EbiquityPLC SSID and he could not connect to the Wifi. Conference and Guest are the only to user groups that are using Cloud password location.
Could this problem be with RADSEC connecting back to the cloud instance
When I run "sh idm" I get the following results.
IDM client: Enabled Per SSID
IDM Proxy IP: 10.22.200.22
IDM proxy: Enabled
IDM server: cloud-va2-idmauth.aerohive.com
IDM server IP: 220.127.116.11
RUN state: Connected securely to the IDM server
IDM transport mode: TCP
Server destination Port: 2083
RadSec Certificate state: Valid
RadSec Certificate Issued: 2018-09-27 09:20:35 GMT
RadSec Certificate Expires: 2019-09-27 09:20:35 GMT
I have just updated the AP's to 8.4R5 as they were running on 8.4R4. After the update all three AP's are showing as RADSEC proxy servers.
Contact Us:Sam PirokCommunity@extremenetworks.com