Posts: 1,285
Registered: ‎08-29-2007

[Tutorial] Aerohive Integration with Clearpass - corp and guest #mhc

[ Edited ]

Integration of Clearpass with Aerohive Introduction


Much as we’d like all our customers to choose, or already have Aruba wireless, that is not always the case.   A key vendor in the marketplace is that of Aerohive, which consists of essentially fat Aps managed by a platform called HiveManager.  This tutorial outlines how to integrate Clearpass into an Aerohive wireless deployment for the purposes of corporate dot1x and guest users.




The following was used for this testing and demonstration.


Aerohive – AP330 firmware 6.1r3

HiveManager – Hive Manager Online 6.1r3

Clearpass –


Assumptions – Clearpass is joined to domain and Active Directory is being used for authentication.




Add the Aerohive device to Clearpass as a radius client.  You will need to add each individual AP as a client or add them by subnet.


1 - clearpass - add device.jpg


1.1       Corporate dot1x ssid


Setup your ssid with the appropriate parameters on HiveManager.


 2 - ssid-aerohive.jpg



Add this ssid to your network profile, and create the Clearpass radius configuration.  Create and assign an appropriate User Profile.  In the case of this demo, we are using the same vlan as the AP for simplicity.


 3 - aerohive-dot1x policy.jpg



The radius settings for Clearpass should be setup as below.


 3 - radius-clearpass.jpg


Using the ‘802.1X Wireless’ template in Clearpass, create the service by entering the ssid and choosing the Aerohive device that was added during the setup.


 clearpass-corp service.jpg


Add the attribute ‘Connection: SSID EQUALS <ssid>’ as above.  Optionally, you can set a ‘NAS-Identifier’ on the Aerohive AP and filter on that.


1.1.1     Using Radius attributes to assign User Profiles.


Similar to the Aruba concept of user-roles, Aerohive uses user-profiles to define different types of user rights.  Within the user-profile an attribute number is given and the radius response can be configured to return particular attributes so the user is placed into this user-profile.


These attributes can be returned by adding an Enforcement Policy to your Profile as below.


 4 - clearpass user profile attributes.jpg


Note:  The Tunnel-Private-Group-Id value must match the attribute-no of the user-profile on Aerohive.


1.2       Guest ssid


Aerohive can also be configured to use Clearpass for guest ssids.  There are two ways of doing this and both will be considered here.


1.2.1     Using Aerohive portal and Clearpass as radius and Guest management.


The Aerohive guest ssid can be set so that the internal portal on the Aerohive is served and the radius request is sent to Clearpass.  Clearpass has already been setup for guest account creation etc.


Create the Aerohive ssid with the following parameters.


 5 - Aerohive - guest ssid.jpg


Within the Network profile, add this ssid and create the captive portal profile and assign the Clearpass as the radius server.


 6 - aerohive network policy with guest.jpg


The captive portal profile on Aerohive will need to be configured as such with the following


  • Registration Type – User
  • Captive Web Portal Auth Method – MSCHAPv2
  • Show success page after successful authentication.
  • Show failure page after unsuccessful login.


 7 - aerohive-cp using interal AP.jpg


Using the Clearpass service template ‘Guest MAC Authentication’, create the guest service using the appropriate ssid and Aerohive as the NAS device.


Note:  Guest MAC caching does not work with Aerohive, or at least I was unable to make it work.  The user will always be presented with the portal page, even if they have passed mac authentication.  If anyone knows how to make this work, please advise.  We will still use the MAC caching template though so that the mac is registered on Clearpass.



 8 - clearpass-guest service.jpg




When the user connects, they are presented with the captive portal from the Aerohive AP.


 9 - aerohive portal internal.jpg


The radius request is sent to Clearpass for authentication as shown in access tracker below.


 10 - clearpass access tracker with aerohive CP.jpg


And the user is presented the success page.


11 - aerohive-cp success page using internal AP.jpg


1.2.2     Using Clearpass portal and Clearpass as radius and guest management


The following outlines how to use Clearpass for the guest registration page and subsequent authentication.


Configure the guest registration page in Clearpass Guest as below, with the following NAS-login settings.


  • Secure login – use https
  • IP address –
  • Password Encryption – No encryption (Note, we are still using https for the registration, so this is not a security concern)

 12 - clearpass-guest page using CP portal.jpg


Configure the Aerohive captive portal settings as shown below.


  • Registration type – External authentication
  • Authentication method – CHAP
  • Login URL – address of your defined guest registration page.
  • Password Encryption – No Encryption. 
  • Enable https

13 - aerohive-cp using CP portal.jpg 


After registering using the Clearpass portal, the user is presented with the success page served from the Aerohive AP.



 11 - aerohive-cp success page using internal AP.jpg



If my post is helpful please give kudos, or mark as solved if it answers your post.

New Contributor
Posts: 2
Registered: ‎12-22-2011

Re: [Tutorial] Aerohive Integration with Clearpass - corp and guest #mhc

Spot on tutorial - Kudos yet again for an excellent summary! Rockon!

Chief Airhead
Posts: 1,111
Registered: ‎07-13-2010

Re: [Tutorial] Aerohive Integration with Clearpass - corp and guest #mhc

Clearpass is used in many multi vendor environments. Great Tutorial!

Sean Rynearson | Chief Airhead
Aruba, a Hewlett Packard Enterprise Company
Aruba Employee
Posts: 20
Registered: ‎11-17-2011

Re: [Tutorial] Aerohive Integration with Clearpass - corp and guest #mhc

Do you know if you can tie captive portals to user profiles with the Hive?  i'm trying to get fancy and do redirects to onboard non-TLS devices.  This is so much easier with just Aruba gear....

Posts: 1,285
Registered: ‎08-29-2007

Re: [Tutorial] Aerohive Integration with Clearpass - corp and guest #mhc

Unfortunately I don't think so.


The captive portal is tied to the ssid, which makes things like that difficult.  It's the same with the mac caching on CPPM....I couldn't get that to work either.

If my post is helpful please give kudos, or mark as solved if it answers your post.

Aruba Employee
Posts: 20
Registered: ‎11-17-2011

Re: [Tutorial] Aerohive Integration with Clearpass - corp and guest #mhc

Thanks for the reply... I've reach out to a few hive guys.  If they come up with anything I'll post back here.  

Search Airheads
Showing results for 
Search instead for 
Did you mean: