External CWP with mac-auth and CWP bypass. Users still have to open CWP even though user profile is allowall.

mickwombat9
New Contributor

I am trying to set up an external captive portal but with mac-auth. I have a user profile for users that have already registered (allowall) and set this in 'apply different user profile for different groups based on Filter-ID'.

When the user does the mac-auth, I see it with the allowall profile, but I still get redirected to the captive portal.

User profile application sequence is set to mac-auth > CWP > SSID.

Has anyone else set up something like this before?

1 ACCEPTED SOLUTION

nlowe
New Contributor III

Hi all,

I think you just need to configure the fallback-to-ecwp command via supplemental CLI.

I double-checked HiveOS 6.5r10 and this is supported there.

You will need to find the name of the security-object by reviewing the show run output.

show cmds | include fallback-to-ecwp
security-object <string> security additional-auth-method mac-based-auth fallback-to-ecwp

show version
Aerohive Networks, Inc.
Copyright (c) 2006-2018
Version: HiveOS 6.5r10 build-205308
Build time: Wed Aug 8 10:22:25 UTC 2018
Build cookie: 1808080322-205308
Platform: HiveAP330
Bootloader ver: v1.0.3.4d
TPM ver: v1.2.35.8
Uptime: 13 weeks, 3 days, 13 hours, 44 minutes, 32 seconds

Thanks,
Nick

20 REPLIES

sstowell
New Contributor

I had an issue with CWP bypass via user profile as well. All of my APs were on 6.X HiveOS. I have a mix of AP121s, 130s, and 230s. Well, I updated all of my APs that I could to 8.X HiveOS (golden) and the bypass now works via user profile on my AP130s and AP230s.

Well, guess what? AP121s are not getting HiveOS 8.X and are stuck on 6.X, so now I have about half my APs as 121s and cannot use that feature until I upgrade them to new APs, 130s or 122s. That's about 40 APs. I understand they are a little dated, but it's ridiculous to think they cannot get the newest code to do this bypass; it's not like it needs new hardware to do it.

irteza_rana
New Contributor

Aerohive has one of the worst tech supports; the idiots at tech support were recommending that I turn off CWP.

I have a similar issue where users would keep on getting CWP. I have also tried adding fallback-to-ecwp via supplementary CLI but it didn't work. I did confirm that Aerohive NG is getting the correct RADIUS attributes required by the user profile to bypass CWP.

I have had a case open with them for a month and they still don't have any clue regarding this issue.

samantha_lynn
Esteemed Contributor III

I think at this point we need to open a support case to dig into this further with you. I have emailed you directly with details on how to open a case from here so the technician can begin where we have left off.

mickwombat9
New Contributor

OK, so I tried that and now nothing seems to work. I see the mac-auth going through and it sending back the correct user-profile attribute, but the device gets disassociated due to a VLAN change. This is strange because every possible user-profile for this SSID is set to the same VLAN.

2018-12-20 11:10:47 info   ah_auth: sta 6cc7:ec0c:d893 is disassociated from 4018:b1ae:b8e8(wifi1.1) in driver
2018-12-20 11:10:47 info   ah_auth: [Auth]: receive driver notification[0x8c04, IWEVEXPIRED] for Sta[6cc7:ec0c:d893] at Hapd[4018:b1ae:b8e8, wifi1.1]
2018-12-20 11:10:47 info   ah_auth: Notify driver to disassoc 6cc7:ec0c:d893 from wifi1.1
2018-12-20 11:10:47 info   ah_auth: Disconnect 6cc7:ec0c:d893 because VLAN change after UPID reassignment
2018-12-20 11:10:46 info   ah_auth: detect station(6cc7:ec0c:d893) os(Android) via DHCP fingerprint
2018-12-20 11:10:45 info   ah_auth: detect station(6cc7:ec0c:d893) os(Android) via DHCP fingerprint
2018-12-20 11:10:45 info   kernel: [qos]: add qos user 6cc7:ec0c:d893 idx 3 uppid 1
2018-12-20 11:10:45 info   kernel: [mesh]: set proxy : 6cc7:ec0c:d893 4018:b1ae:b8c0 wifi1.1 flag 0x1c03
2018-12-20 11:10:45 info   amrp2: set proxy route: 6cc7:ec0c:d893 -> 4018:b1ae:b8c0 ifp wifi1.1 upid 3 flag 0x1c03 monitor(0/0) pkt/sec ok
2018-12-20 11:10:45 info   amrp2: receive event <STA join>: 6cc7:ec0c:d893 (ip 0.0.0.0) associate wifi1.1 upid 3 vlan 13 flag 0x00000001
2018-12-20 11:10:45 info   ah_auth: [Auth]STA(6cc7:ec0c:d893) login to SSID(wifi1.1) by user_name=6cc7ec0cd893

I am using an AP121 on HiveOS 6.5r10 build-205308
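
A log-correlation helper for the disconnect shown in the post above, added here as an example; it is not part of the original post and not Aerohive tooling. It pairs each "VLAN change after UPID reassignment" disconnect with the `upid`/`vlan` on the preceding STA join line and the `uppid` on the kernel qos line. The regexes are written against the lines in this thread only, and reading those fields as user-profile identifiers is an assumption.

```python
import re
from collections import defaultdict

# Four of the log lines from the post above, newest entry first as posted.
SAMPLE_LOG = """\
2018-12-20 11:10:47 info   ah_auth: Disconnect 6cc7:ec0c:d893 because VLAN change after UPID reassignment
2018-12-20 11:10:45 info   kernel: [qos]: add qos user 6cc7:ec0c:d893 idx 3 uppid 1
2018-12-20 11:10:45 info   amrp2: receive event <STA join>: 6cc7:ec0c:d893 (ip 0.0.0.0) associate wifi1.1 upid 3 vlan 13 flag 0x00000001
2018-12-20 11:10:45 info   ah_auth: [Auth]STA(6cc7:ec0c:d893) login to SSID(wifi1.1) by user_name=6cc7ec0cd893
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+\w+\s+(.*)$")
MAC = r"([0-9a-f]{4}:[0-9a-f]{4}:[0-9a-f]{4})"
PATTERNS = [  # (event kind, regex); group 1 is always the station MAC
    ("join", re.compile(r"<STA join>: " + MAC + r" .*?\bupid (\d+) vlan (\d+)")),
    ("qos", re.compile(r"add qos user " + MAC + r" idx \d+ uppid (\d+)")),
    ("disconnect", re.compile(r"Disconnect " + MAC + r" because (.+)$")),
]

def station_timeline(log_text):
    """Return {mac: [(timestamp, kind, fields), ...]} in chronological order."""
    events = defaultdict(list)
    # Output is newest first; reverse it so the stable sort below keeps the
    # original order of entries that share a one-second timestamp.
    for raw in reversed(log_text.splitlines()):
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.groups()
        for kind, pat in PATTERNS:
            hit = pat.search(msg)
            if hit:
                events[hit.group(1)].append((ts, kind, hit.groups()[1:]))
                break
    return {mac: sorted(evs, key=lambda e: e[0]) for mac, evs in events.items()}

def vlan_change_disconnects(log_text):
    """For each station dropped for a VLAN change, report the IDs logged before it."""
    findings = []
    for mac, evs in station_timeline(log_text).items():
        seen = {}
        for ts, kind, fields in evs:
            if kind == "join":
                seen["join_upid"], seen["join_vlan"] = fields
            elif kind == "qos":
                seen["qos_uppid"] = fields[0]
            elif kind == "disconnect" and "VLAN change" in fields[0]:
                findings.append({"mac": mac, "time": ts, "reason": fields[0], **seen})
    return findings
```

Run over a longer capture, the output lists every affected station with the values logged at join time, which can be compared against the user profiles and VLANs configured for the SSID.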
