11-02-2013 02:25 AM - edited 03-10-2019 09:03 PM
Hi.
I have a setup with Aerohive APs and ISE as the RADIUS server.
To use User Profiles in Aerohive, I need ISE to send some information back to the Access point via an Authorization Profile, namely this:
Tunnel-Private-Group-ID=(4095)
Tunnel-Type=GRE
Tunnel-Medium-Type=IP
It's pretty straightforward to set up, but as soon as I click save and then go back into the profile, the Tunnel-Type has changed to VLAN.
A quick look into the logs confirms that too:
Tunnel-Type | (tag=1) VLAN |
Tunnel-Medium-Type | (tag=1) 802 |
Tunnel-Private-Group-ID | (tag=1) 4095 |
With the result that the User Profile assignment is not working.
I have used this in ACS v5 for years, and it works like a charm.
But now I am looking to move from ACS to ISE, but I need this to be in working order first.
Any ideas?
Thank you.
11-04-2013 07:09 AM
How did you go about setting the Authorization Profile?
Go to Policy > Policy Elements > Results, then choose Results > Authorization > Authorization Profiles from the menu on the left.
Click the +Add button.
I created a tunnel with the name AEROHIVE_TUNNEL and the Access Type set to ACCESS_ACCEPT
Choose the DACL to which the policy should be applied and set the Advanced Attributes.
As you can see in the screenshot the Radius:Tunnel-Private-Group-ID = IdentityGroup:Name can be changed manually by deleting the word Name and replacing it with 4095:
You can also change the Tag ID:
Once you submit, you'll receive confirmation of the save. Leave that screen and go back in to confirm the Authorization Profile:
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton
11-04-2013 01:28 PM
Hi, and thanks for answering.
I did exactly as you show in your attached pictures.
But the settings changed as soon as I submitted.
But I got it working in the end. What I did was to go back and EDIT the Auth Profile.
Then the settings stuck.
Strange. Maybe a case of unsupported browsers or something.
I have another question for you: Why do you have the DACL in there? Does Aerohive support that? Isn't that cisco-av-pair?
Aerohive didn't support that before. Things may have changed now, though.
Thanks again.
- Dal
11-04-2013 01:36 PM
No, you're right. The DACL shouldn't be in there.
What browser were you using?
11-04-2013 01:57 PM
Firefox v24
11-04-2013 02:04 PM
Hmmm Firefox up to v24 is supported. v25 broke a few things, but 24 should work OK. Might want to check some logs.
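Added example, not part of any post in this thread and not Cisco or Aerohive code: since the GUI silently rewrote the saved values, one way to confirm what ISE really sends is to decode the tunnel attributes (RFC 2868 layout) from a captured Access-Accept and compare them with what the first post says the AP needs. It assumes you have the raw RADIUS payload from a packet capture; the function names and the two sample packets are constructed for illustration.

```python
import struct

# Attribute numbers and value codes from RFC 2868 (VLAN and 802 per RFC 3580).
ATTRS = {64: "Tunnel-Type", 65: "Tunnel-Medium-Type", 81: "Tunnel-Private-Group-ID"}
VALUES = {64: {10: "GRE", 13: "VLAN"}, 65: {1: "IP", 6: "802"}}  # 1 is IPv4
# What the Aerohive AP needs, as listed in the first post.
EXPECTED = {"Tunnel-Type": "GRE", "Tunnel-Medium-Type": "IP",
            "Tunnel-Private-Group-ID": "4095"}

def decode_tunnel_attrs(packet: bytes) -> dict:
    """Return {attribute name: (tag, value)} for the tunnel attributes."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    out, pos = {}, 20                       # attributes follow the 20-byte header
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype in VALUES and len(value) == 4:
            # Fixed layout: 1-byte tag, then a 3-byte integer.
            num = int.from_bytes(value[1:], "big")
            out[ATTRS[atype]] = (value[0], VALUES[atype].get(num, str(num)))
        elif atype == 81 and value:
            # The first byte is a tag only if it is <= 0x1F; otherwise it is data.
            tag, text = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            out[ATTRS[81]] = (tag, text.decode("ascii", "replace"))
        pos += alen
    return out

def mismatches(packet: bytes, expected: dict = EXPECTED) -> dict:
    """Map each attribute that differs from `expected` to the value seen (None if absent)."""
    seen = {k: v for k, (_, v) in decode_tunnel_attrs(packet).items()}
    return {k: seen.get(k) for k in expected if seen.get(k) != expected[k]}

def build_accept(ttype: int, medium: int, group: bytes, tag: int = 1) -> bytes:
    """Constructed Access-Accept (code 2) with a zeroed authenticator, for testing."""
    attrs = bytes([64, 6, tag]) + ttype.to_bytes(3, "big")
    attrs += bytes([65, 6, tag]) + medium.to_bytes(3, "big")
    attrs += bytes([81, 3 + len(group), tag]) + group
    return struct.pack("!BBH", 2, 1, 20 + len(attrs)) + bytes(16) + attrs

SAVED_WRONG = build_accept(13, 6, b"4095")   # values the ISE log in the thread showed
INTENDED = build_accept(10, 1, b"4095")      # values the profile was meant to send

if __name__ == "__main__":
    print(mismatches(SAVED_WRONG))
    print(mismatches(INTENDED))
```

An empty result from `mismatches` means the reply carries the GRE/IP/4095 combination; anything else names the attribute that was rewritten.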