This procedure assumes that an EAC appliance has already been configured and is up and running on the network. It also assumes that switches have already been configured for use with the EAC. If this isn't the case, see the following articles: "How to Add Switches to NAC Appliance Group" and "How to add EAC appliance into EMC".
- Create LDAP authentication to point to active directory set to "NTLM" authentication
- In EMC click on the "Control" tab then drill into Configuration > AAA
- Right click "Default" and click "Make Advanced", or create a new advanced AAA configuration if desired
- Double click the only line item that exists in the "Authentication rules" table
- Change the "Authentication Method" option to "LDAP Authentication"
- Under the "LDAP Configuration" option select "New"
- Name the configuration accordingly
- Under the "LDAP Connection URLs" hit the "Add" button and add in the IP address of the Domain Controller in one of the following formats:
For LDAP use the format: ldap://xx.xx.xx.xx:389
For secure LDAP use: ldaps://xx.xx.xx.xx:636
Change ports as required.
- For "Administrator Username" put in the domain\username of the user that will be used to bind the NAC to the AD (see the article "Active Directory Permissions For NAC NTLM Authentication")
- For "Administrator password" type in the password for the user
- For Search Settings put in the Search roots for the domain. To search from the top of the AD forest you can use the following search root scheme:
If your domain is "Extremenetworks.bestnetworkever.k12.edu" your Search Root would be:
You can narrow the search root to a specific OU, or specific section of the tree, but be aware that if you limit the search root to a section of the forest that doesn't contain the necessary data to be used then LDAP lookups may fail.
- Click on the "Populate Default Values" button in the lower right corner and select "Active Directory User defaults"
- Click the "Test" button to verify configuration, modify accordingly
- Click the "Save" button
- Click the "OK" button
- Enforce the appliance
- Test to see if the domain join worked:
- SSH to NAC appliance and run the command:
- If the message comes back that checking the trust secret was successful, the NAC has bound to the domain and will be able to complete NTLM authentication
- If the message indicates a problem, issue the command:
nacctl restart && tail -f /var/log/tag.log
- Services will cycle and EAC will attempt to join the AD. If you encounter an error message, investigate the error message through KCS
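The "LDAP Connection URLs" step above only accepts URLs in the ldap://host:port or ldaps://host:port form, and a stray "." in place of the ":" before the port is an easy mistake to make. The following shell script is an added example, not part of the original article or of the Extreme Networks product, that checks a candidate URL the same way before it is pasted into the EMC dialog: it confirms the scheme, the host (dotted-quad IPv4 or DNS name), and the port, falls back to 389/636 when the port is omitted, flags plain ldap:// because a simple bind over it sends the administrator password in the clear, and optionally probes the port with nc from the appliance. All host names and addresses in it are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original article): pre-validate an LDAP
# connection URL for the EMC "LDAP Connection URLs" field.
# Addresses and names used below are constructed samples.

# Return 0 if $1 is a dotted-quad IPv4 address or a plausible DNS name.
# (IPv6 literals are not handled.)
valid_host() {
    h="$1"
    [ -n "$h" ] || return 1
    case "$h" in .*|*.|*..*) return 1 ;; esac
    case "$h" in
        *[!0-9.]*)
            # Contains letters or hyphens: treat as a DNS name.
            case "$h" in *[!A-Za-z0-9.-]*) return 1 ;; esac
            return 0 ;;
    esac
    # Digits and dots only: must be exactly four octets, each 0-255.
    r="$h"; n=0
    while [ -n "$r" ]; do
        oct="${r%%.*}"
        [ "$oct" -ge 0 ] && [ "$oct" -le 255 ] || return 1
        n=$((n + 1))
        if [ "$r" = "$oct" ]; then break; fi
        r="${r#*.}"
    done
    [ "$n" -eq 4 ]
}

# Print the effective port of an LDAP URL (explicit port, else 389 for
# ldap:// and 636 for ldaps://). Return 1 for anything malformed.
ldap_url_port() {
    url="$1"
    case "$url" in
        ldap://*)  default=389; rest="${url#ldap://}" ;;
        ldaps://*) default=636; rest="${url#ldaps://}" ;;
        *) echo "bad scheme (want ldap:// or ldaps://): $url" >&2; return 1 ;;
    esac
    case "$rest" in
        *:*) host="${rest%%:*}"; port="${rest#*:}" ;;
        *)   host="$rest";        port="$default" ;;
    esac
    valid_host "$host" || {
        echo "bad host in $url (expected e.g. ldaps://10.0.0.5:636)" >&2; return 1; }
    case "$port" in ''|*[!0-9]*) echo "bad port in $url" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
        echo "port out of range in $url" >&2; return 1; }
    printf '%s\n' "$port"
}

# Return 0 when the URL uses ldaps:// (TLS-protected bind).
ldap_url_is_secure() {
    case "$1" in ldaps://*) return 0 ;; *) return 1 ;; esac
}

# Optional TCP reachability check from the appliance to the DC (needs nc).
probe_ldap_url() {
    port=$(ldap_url_port "$1") || return 1
    rest="${1#*://}"; host="${rest%%:*}"
    command -v nc >/dev/null 2>&1 || { echo "nc not installed; probe skipped" >&2; return 0; }
    nc -z -w 3 "$host" "$port"
}

# Constructed sample entries, including the '.' instead of ':' typo.
for u in ldap://10.0.0.5:389 ldaps://10.0.0.5:636 ldaps://10.0.0.5.636 ldap://dc01.corp.example; do
    if p=$(ldap_url_port "$u" 2>/dev/null); then
        if ldap_url_is_secure "$u"; then s="ldaps, bind protected by TLS"
        else s="plain ldap, bind password sent in the clear"; fi
        echo "OK      $u -> port $p ($s)"
    else
        echo "REJECT  $u"
    fi
done
```

Run it on the appliance (or any host with sh) before saving the configuration; a REJECT line points at a URL the "Test" button would fail on, and the plain-ldap note is the reason to prefer the ldaps://...:636 form from the article whenever the Domain Controller has a certificate the appliance trusts.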