This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ
- Extreme Networks
- Community List
- Legacy
- Aerohive Migrated Content
- Re: External CWP with mac-auth and CWP bypass. Us...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
External CWP with mac-auth and CWP bypass. Users still have to open CWP even though user profile is allowall.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
ā11-05-2018 12:22 PM
I am trying to setup an external captive portal but with mac-auth. I have a user profile for users that have already registered (allowall) and set this in 'apply different user profile for different groups based on Filter-ID'.
When the user does the mac-auth, I see it with the allowall profile, but I still get redirected to the captive portal.
User profile application sequence is set to mac-auth > CWP > SSID.
Has anyone else setup something like this before.
Solved! Go to Solution.
1 ACCEPTED SOLUTION
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
ā12-11-2018 12:59 PM
Hi all,
I think you just need to configure the fallback-to-ecwp command via supplemental CLI.
I double checked HiveOS 6.5r10 and this is supported there.
You will need to find the name of the security-object by reviewing the show run output.
show cmds | include fallback-to-ecwp
security-object <string> security additional-auth-method mac-based-auth fallback-to-ecwp
show version
Aerohive Networks, Inc.
Copyright (c) 2006-2018
Version: HiveOS 6.5r10 build-205308
Build time: Wed Aug 8 10:22:25 UTC 2018
Build cookie: 1808080322-205308
Platform: HiveAP330
Bootloader ver: v1.0.3.4d
TPM ver: v1.2.35.8
Uptime: 13 weeks, 3 days, 13 hours, 44 minutes, 32 seconds
Thanks,
Nick
20 REPLIES 20
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
ā12-10-2018 08:14 PM
Thanks for your patience while I looked in to this further. If you are using an AP250 on 8.2r4 or AP330 on 6.5r10, the HiveOS does not recognize the command that enables the CWP bypass. If you are using an AP250, I would recommend moving to 8.4r7. Unfortunately that option is not available for the AP330 so those will have to wait for the next HiveOS release to fix this issue.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
ā12-07-2018 10:53 PM
I have the same issue on my deployment.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
ā11-25-2018 09:06 PM
Nevermind it's doing it on my deployment as well.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
ā11-25-2018 03:44 AM
Perform full config update on AP. The deltas said they were successful for me and I had the same problem.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
ā11-05-2018 07:57 PM
Hi Sam,
Thanks for responding to this. I don't have a support contract for this as I am just using a single AP for testing at this stage.
I was supporting aerohive a lot for customers in my previous job and this is something I tested at the time. There were many other limitations at the time also.
Whilst things seem to have improved, which is good, this particular thing still eludes me.
As far as I can tell also the setup is good. When I remove the CWP config and just have purely Filter-ID based assignment with mac-auth it works well.
The problem from what I can tell is that the CWP is assigned to the ssid rather than the user profile. š
I just can't seem to get around the portal being presented despite my user being in the allowall profile.
Also, I don't see anywhere in the radius server profile where to enable RFC3576. Is this enabled by default? I assume it is cause disconnect-message works. Also, what RFC3576 sort of messages are supported? Primarily wondering if we can change a users user-profile dynamically.
Regards
Michael Clarke
+44 7949383792
Thanks for responding to this. I don't have a support contract for this as I am just using a single AP for testing at this stage.
I was supporting aerohive a lot for customers in my previous job and this is something I tested at the time. There were many other limitations at the time also.
Whilst things seem to have improved, which is good, this particular thing still eludes me.
As far as I can tell also the setup is good. When I remove the CWP config and just have purely Filter-ID based assignment with mac-auth it works well.
The problem from what I can tell is that the CWP is assigned to the ssid rather than the user profile. š
I just can't seem to get around the portal being presented despite my user being in the allowall profile.
Also, I don't see anywhere in the radius server profile where to enable RFC3576. Is this enabled by default? I assume it is cause disconnect-message works. Also, what RFC3576 sort of messages are supported? Primarily wondering if we can change a users user-profile dynamically.
Regards
Michael Clarke
+44 7949383792
