Technical Tip: VLAN assignment issues with AerohiveNG
Description
This article describes the behavior where AerohiveNG clients are not moved to the appropriate VLAN. Instead, they are moved to the SSID's default VLAN.
By default, FortiNAC includes the Tunnel-Private-Group-Id RADIUS attribute within the RADIUS response to assign the appropriate network access. The Tunnel-PrivateGroup-Id value is a specific User Profile ID created within Aerohive.
AerohiveNG changed its operation such that it expects to receive a Filter-Id as opposed to a Tunnel-Private-Group-Id. This change prevents Aerohive from assigning the VLAN specified by FortiNAC and sets the SSID's Default VLAN instead.
Solution
Option 1: FortiNAC versions F7.2 and above: Configure FortiNAC to return Attribute Group "RFC_Role" (which contains Filter-Id). See Model Configuration in the Administration Guide.
Option 2: Configure AeroHiveNG to use the Tunnel-Private-Group-Id information. Refer to the VLANs/Profiles section of the reference manual Aerohive Wireless Access Points Integration Guide in the Document Library.