This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
I have a setup with Aerohive AP's and ISE as radius-server.
To use User Profiles in Aerohive, I need ISE to send some information back to the Access point via an Authorization Profile, namely this:
It's pretty straight forward to set it up, but as soon as I click save, and then goes back in to the profile, the Tunnel-type has changed to VLAN.
A quick look into the logs confirm that too:
With the result that the User Profile assignment is not working.
I have used this in ACS v5 for years, and it works like a charm.
But now I looking to move from ACS to ISE, but I need this to be in working order first.
How did you go about setting the Authorization Profile?
If you go to Policy > Policy Elements > Results then choose Results > Authorization > Authorization Profiles from the menu on the left.
Click the +Add button
I created a tunnel with the name AEROHIVE_TUNNEL and the Access Type set to ACCESS_ACCEPT
Choose the DACL to which the policy should be applied and set the Advanced Attributes.
As you can see in the screenshot the Radius:Tunnel-Private-Group-ID = IdentityGroup:Name can be changed manually by deleting the word Name and replacing it with 4095:
You can also change the Tag ID:
Once you submit, you'll receive confirmation of the save. Leave that screen and go back in to confirm the Authorization Profile:
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Hi, and thanks for answering.
I did exaclty as you show in your attached pictures.
But the settings changes as soon as I submitted.
But I got it working in the end. What I did was to go back and EDIT the Auth Profile.
Then the settings stuck.
Strange. Maybe a case of usupported browsers or something.
I have another question for you: Why do you have the DACL in there? Does Aerohive support that? Isn't that cisco-av-pair?
Aerohive didn't support that before. Things can have changed now, though.