Solved

Can please someone provide the commands needed to configure Secure Port Settings via Supplemental CLI in Hivemanager NG?


  • Anonymous
  • 0 replies
icon

Best answer by s.heise 23 October 2019, 07:31

Probably our support got a feedback from Aerohive with the commands that where already mentioned in this feed.

I got the information that you will be unable to enter a password for the supplicant, but with the right firmware it is possible.

For AP141 it doesn't work as the commands doesn't exist there and also the configuration isn't supported as it is done by CLI only.

 

@Sam Pirok​  is it possible that you start a feature request for this, as it was already possible to configure it on the Hivemanager Classic Cloud GUI, so this configuration will be supported again?

View original

26 replies

That would be quite a few commands, and CLI configuration isn't supported. Can I ask why you aren't using the GUI to implement these settings?

Hi Sam,

 

as the option is no longer available in Hivemanager NG as far as I know.

In Hivemanager Classic this option was at:

Network Policy --> Additional Settings

 

At Hivemanager NG I haven't found it.

 

Best regards,

 

Sebastian Heise

If you go to Configure> Open the Network Policy> Go to the Device Templates tab within the Network Policy> Go to the Switch Templates sub-tab> Port configuration (left hand side menu)> Select a port> Assign> Create New> Scroll down and go to the Wired Connectivity sub-tab> Toggle User Authentication to ON, these should be equivalent settings for a secure port in HiveManager NG. Is that what you're looking for?

I don't think this is the right feature, as I have to assign a Radius server, which is normally not needed. Also this feature is only available when the port is used as an access port, but for me it has to stay as uplink port.

Attached you can find a screenshot of the settings I had to set in the Hivemanager classic, I hope this helps.SecurePort

Userlevel 1

Probably the commands are:

 

supplicant name_of_supplicant

supplicant name_of_supplicant username username password ***

interface eth0 supplicant name_of_supplicant

interface eth1 supplicant name_of_supplicant

 

I looked into an APs config created with HM classic. With HM (NG) I didn't find the settings, too.

Hello Gunter,

 

thank you for the feedback, unfortunately I don't have the command supplicant.

Which firmware are you using?

We have 6.5r12 on the AP141.

 

Best regards,

Sebastian

Userlevel 1

Hello Sebastian,

 

we have HiveOS V8.2r6. Are you sure that this worked with HM classic and AP141 with 6.5r12? (I had a look into the latest CLI-guide for AP141 and didn't find anything usefull. However, it's for V6.5r11.)

 

Hello Gunter,

 

I am sure it worked, as I had proper authentication of the APs on the Cisco ISE with the username configured over the HM Classic.

That's why I am curious, that there are no CLI commands for this settings and that I wasn't able to see it in the configuration.

 

Best regards,

Sebastian

Userlevel 1

That's indeed curious. Are all of your APs of type AP141? Maybe you have seen the auth of another AP on your Cisco ISE?

Most of the devices are AP141, we have only 4 other types. These have the firmware 10. and there I can find the CLI command.

Regarding the authentication I could see that the AP141 is authenticating, as they can be identified by IP and MAC.

Userlevel 1

In the CLI-guide of for example AP130 and version 6.6r1 I found the "supplicant" command. So it looks like this command was introduced with that version. I'm sorry, but I have no idea how to configure 802.1x port security with the older versions. I wonder why no one from Aerohive gives a statement to this.

That's true, Aerohive doesn't provide a statement on this post, on my case with our distributor and also not in direct contact.

At least they should know it better...

Unfortunately we don't support CLI configuration, only GUI configurations. I'm sorry we couldn't be more helpful here.

Userlevel 1

@Sebastian:

In case you still have an AP141 that was configured with HM-classic you could try "show config current". That should show the complete config including default settings. Maybe you then can identify the according cmds... What were the answers of your distributor and your direct contact?

 

@Sam:

Would you please submit a feature request making it possible to configure secure port with the GUI of NG?

 

 

I have checked a configured device in Hivemanager Classic and nowhere in the config I could found anything regarding this feature. The configured username for example appeared nowhere in the running config, also the term supplicant was missing.

The last questions from them where:

Which switchtype is used and how is the port configured?

Distributor (which also opened a case at Aerohive) and the direct Aerohive contact stopped responding...

While I respect that statement @Sam Pirok​ , I am now curious as to why Supplemental CLI was ever implemented as an option if using it is not supported by Aerohive. That was how it was pitched to us years back. A way to configure things the hardware was capable of but the GUI lacked at present. That and a way to alter settings on a subset of APs without impacting the whole by editing a more global object.

So on HiveOS8.4r2, the above commands @Gunter Reinhard​ provided are correct.

As these were added to a config audit of an AP - albeit an AP230.

 

supplicant BP-Office

supplicant BP-Office username bob

supplicant BP-Office password ******

supplicant BP-Office eap-type md5

 

But as soon as I swap the HiveOS over to 6.5r12, those commands are not part of the config audit.

 

I simply do not know how you were doing this on the 6.5 train of code @Sebastian Heise​. And with the AP141 not having a HiveOS 8.x code base I'm even more perplexed. I'm doing this testing on the legacy HM platform, so I'm struggling to see how those settings under Network Policy --> Additional Settings worked for you on the 6.5 code base for the older .11n based APs.

Yes, I'm struggling with it too, but I'm 100% sure that I was able to see working authentications.

Did you use HMOL or did you have an on-prem HM Classic platform? Or I guess I'm curious if you still have access to that platform. To move a single device back to it and gather a bit more information so we can see what's going on...

We use HMOL, but all devices are moved to the NG already and we let them authenticate by MAC-Address at the moment.

At the moment we are unable to move a device back to the old one, but as already written I haven't found any indicator for the supplicant configuration in the config file at an AP141.

Also there was never an error when pushing the config with "Secure Port Settings" to an AP141.

I gotcha. I don't expect you'd see any errors in pushing updates out. The commands simply wouldn't be applicable to the hardware.

 

I'd be curious if you come across a resolution, but I'm afraid I can't be of much more help. :(

If I should find a solution, I will post it here....but I don't believe that there will be one.

Probably our support got a feedback from Aerohive with the commands that where already mentioned in this feed.

I got the information that you will be unable to enter a password for the supplicant, but with the right firmware it is possible.

For AP141 it doesn't work as the commands doesn't exist there and also the configuration isn't supported as it is done by CLI only.

 

@Sam Pirok​  is it possible that you start a feature request for this, as it was already possible to configure it on the Hivemanager Classic Cloud GUI, so this configuration will be supported again?

Absolutely, I've submitted that feature request for you now. Please feel free to check in with me later on and I will check on the status of the feature request for you.

Userlevel 1

I’m also interested on being able to configure port security with the GUI. What is the status of the feature request?

Reply