This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

External CWP with mac-auth and CWP bypass. Users still have to open CWP even though user profile is allowall.

External CWP with mac-auth and CWP bypass. Users still have to open CWP even though user profile is allowall.

Go to solution
mickwombat9
New Contributor

‎11-05-2018 12:22 PM

I am trying to setup an external captive portal but with mac-auth. I have a user profile for users that have already registered (allowall) and set this in 'apply different user profile for different groups based on Filter-ID'.

When the user does the mac-auth, I see it with the allowall profile, but I still get redirected to the captive portal.

User profile application sequence is set to mac-auth > CWP > SSID.

Has anyone else setup something like this before.

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
nlowe
New Contributor III

‎12-11-2018 12:59 PM

Hi all,

 

I think you just need to configure the fallback-to-ecwp command via supplemental CLI.

 

I double checked HiveOS 6.5r10 and this is supported there.

 

You will need to find the name of the security-object by reviewing the show run output.

 

show cmds | include fallback-to-ecwp

 

security-object <string> security additional-auth-method mac-based-auth fallback-to-ecwp

 

show version

 

Aerohive Networks, Inc.

Copyright (c) 2006-2018

 

Version: HiveOS 6.5r10 build-205308

Build time: Wed Aug 8 10:22:25 UTC 2018

Build cookie: 1808080322-205308

Platform: HiveAP330

Bootloader ver: v1.0.3.4d

TPM ver: v1.2.35.8

Uptime: 13 weeks, 3 days, 13 hours, 44 minutes, 32 seconds

 

Thanks,

 

Nick

View solution in original post

0 Kudos
20 REPLIES 20

Go to solution
samantha_lynn
Esteemed Contributor III

‎12-10-2018 08:14 PM

Thanks for your patience while I looked in to this further. If you are using an AP250 on 8.2r4 or AP330 on 6.5r10, the HiveOS does not recognize the command that enables the CWP bypass. If you are using an AP250, I would recommend moving to 8.4r7. Unfortunately that option is not available for the AP330 so those will have to wait for the next HiveOS release to fix this issue.

0 Kudos

Go to solution
sstowell
New Contributor

‎12-07-2018 10:53 PM

I have the same issue on my deployment.

0 Kudos

Go to solution
AnonymousM
Valued Contributor II

‎11-25-2018 09:06 PM

Nevermind it's doing it on my deployment as well.

0 Kudos

Go to solution
AnonymousM
Valued Contributor II

‎11-25-2018 03:44 AM

Perform full config update on AP. The deltas said they were successful for me and I had the same problem.

0 Kudos

Go to solution
mickwombat9
New Contributor

‎11-05-2018 07:57 PM

Hi Sam,

Thanks for responding to this. I don't have a support contract for this as I am just using a single AP for testing at this stage.

I was supporting aerohive a lot for customers in my previous job and this is something I tested at the time. There were many other limitations at the time also.
Whilst things seem to have improved, which is good, this particular thing still eludes me.

As far as I can tell also the setup is good. When I remove the CWP config and just have purely Filter-ID based assignment with mac-auth it works well.

The problem from what I can tell is that the CWP is assigned to the ssid rather than the user profile. 😞

I just can't seem to get around the portal being presented despite my user being in the allowall profile.

Also, I don't see anywhere in the radius server profile where to enable RFC3576. Is this enabled by default? I assume it is cause disconnect-message works. Also, what RFC3576 sort of messages are supported? Primarily wondering if we can change a users user-profile dynamically.

Regards

Michael Clarke
+44 7949383792
0 Kudos
li.common.scroll-to.top
GTM-P2G8KFN