11-02-2013 02:25 AM - edited 03-10-2019 09:03 PM
Hi.
I have a setup with Aerohive APs and ISE as the RADIUS server.
To use User Profiles in Aerohive, I need ISE to send some information back to the Access point via an Authorization Profile, namely this:
Tunnel-Private-Group-ID=(4095)
Tunnel-Type=GRE
Tunnel-Medium-Type=IP
It's pretty straightforward to set up, but as soon as I click save and then go back into the profile, the Tunnel-Type has changed to VLAN.
A quick look into the logs confirms that too:
Tunnel-Type | (tag=1) VLAN |
Tunnel-Medium-Type | (tag=1) 802 |
Tunnel-Private-Group-ID | (tag=1) 4095 |
With the result that the User Profile assignment is not working.
I have used this in ACS v5 for years, and it works like a charm.
But now I'm looking to move from ACS to ISE, but I need this to be in working order first.
Any ideas?
Thank you.
11-04-2013 07:09 AM
How did you go about setting the Authorization Profile?
If you go to Policy > Policy Elements > Results then choose Results > Authorization > Authorization Profiles from the menu on the left.
Click the +Add button
I created a tunnel with the name AEROHIVE_TUNNEL and the Access Type set to ACCESS_ACCEPT
Choose the DACL to which the policy should be applied and set the Advanced Attributes.
As you can see in the screenshot the Radius:Tunnel-Private-Group-ID = IdentityGroup:Name can be changed manually by deleting the word Name and replacing it with 4095:
You can also change the Tag ID:
Once you submit, you'll receive confirmation of the save. Leave that screen and go back in to confirm the Authorization Profile:
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton
11-04-2013 01:28 PM
Hi, and thanks for answering.
I did exactly as you show in your attached pictures.
But the settings changed as soon as I submitted.
But I got it working in the end. What I did was to go back and EDIT the Auth Profile.
Then the settings stuck.
Strange. Maybe a case of unsupported browsers or something.
I have another question for you: Why do you have the DACL in there? Does Aerohive support that? Isn't that cisco-av-pair?
Aerohive didn't support that before. Things may have changed now, though.
Thanks again.
- Dal
11-04-2013 01:36 PM
No, you're right. The DACL shouldn't be in there.
What browser were you using?
11-04-2013 01:57 PM
Firefox v24
11-04-2013 02:04 PM
Hmmm Firefox up to v24 is supported. v25 broke a few things, but 24 should work OK. Might want to check some logs.
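
Added example, not part of the thread and not Cisco or Aerohive tooling: a Python check that decodes the tunnel attributes from a captured RADIUS Access-Accept and reports which ones differ from the values listed in the first post, so a profile that silently reverted is caught on the wire rather than in the GUI. The function names and sample packets are constructed for illustration; the attribute and value numbers are from RFC 2868 and RFC 3580.

```python
import struct

# Attribute numbers and value names from RFC 2868 / RFC 3580.
NAMES = {64: "Tunnel-Type", 65: "Tunnel-Medium-Type", 81: "Tunnel-Private-Group-ID"}
VALUES = {64: {10: "GRE", 13: "VLAN"}, 65: {1: "IP", 6: "802"}}
# What the Aerohive AP needs, as stated in the first post.
EXPECTED = {"Tunnel-Type": "GRE", "Tunnel-Medium-Type": "IP",
            "Tunnel-Private-Group-ID": "4095"}

def parse_tunnel_attrs(packet: bytes) -> dict:
    """Return {attribute name: (tag, value)} for the tunnel attributes."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    found, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        val = packet[pos + 2:pos + alen]
        if atype in VALUES and len(val) == 4:
            # One tag octet, then a 3-octet enumerated value.
            num = int.from_bytes(val[1:], "big")
            found[NAMES[atype]] = (val[0], VALUES[atype].get(num, str(num)))
        elif atype == 81 and val:
            # The first octet is a tag only when it is <= 0x1F.
            tagged = val[0] <= 0x1F
            text = val[1:] if tagged else val
            found[NAMES[81]] = (val[0] if tagged else 0, text.decode("ascii", "replace"))
        pos += alen
    return found

def mismatches(packet: bytes) -> dict:
    """Return {attribute name: value actually sent} where it differs from EXPECTED."""
    got = {k: v[1] for k, v in parse_tunnel_attrs(packet).items()}
    return {k: got.get(k) for k in EXPECTED if got.get(k) != EXPECTED[k]}

def build_accept(ttype: int, medium: int, group: bytes, tag: int = 1) -> bytes:
    """Constructed sample Access-Accept (code 2) with a zeroed authenticator."""
    attrs = bytes([64, 6, tag]) + ttype.to_bytes(3, "big")
    attrs += bytes([65, 6, tag]) + medium.to_bytes(3, "big")
    attrs += bytes([81, 3 + len(group), tag]) + group
    return struct.pack("!BBH", 2, 1, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    print(mismatches(build_accept(13, 6, b"4095")))  # values the ISE log showed
    print(mismatches(build_accept(10, 1, b"4095")))  # values the AP needs
```

To use it on real traffic, pass the raw UDP payload of the Access-Accept from a packet capture to `mismatches`; an empty result means the three attributes match the first post.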