How to configure a WiNG controller for 802.1x authentication with internal RADIUS, using LDAP to connect to a Windows Active Directory server.

Objective
Starting with a controller that is already configured for 802.1x authentication with internal RADIUS, bind to an LDAP server (such as a Windows Active Directory server) for the user database.
Environment
  • Summit WM3000 Series
  • WiNG 5.x
  • Windows Active Directory
  • LDAP
Procedure
Note that this article assumes an 802.1x WLAN has been set up as described in the following article:
How to configure 802.1x authentication with internal RADIUS on a WiNG controller

First, add the WM LDAP bind user (or bind distinguished name). In this case, the bind user will be named "wm3400".
  1. On the LDAP server, open the "Server Manager". In Server Manager, under Active Directory Domain Services select the Users folder. Right click on the folder and select New > User.
  2. Name the user "wm3400", and set the username to "wm3400". Click "Next".
  3. Set the user password and click "Next".
  4. Review the summary and click "Finish".
  5. Right click on the newly created user and select Properties.
  6. Select the Member Of tab and click "Add" to add another group membership.
  7. Enter "Domain Admins" in the object names field, and click "OK".
  8. Select the Account tab and check "Store password using reversible encryption". Click "OK".
  9. Again, right click the "wm3400" user and select Reset Password...
  10. Enter the desired password and uncheck "User must change password at next logon". Click "OK".
Next, create the wireless user group. Only users in this group will be able to access the wireless network.
  1. In Server Manager, under Active Directory Domain Services, select the Users group for the domain (for example, "extreme.wireless.com"). Right click on the Users group and select New > Group.
  2. Name the group (e.g. "StandardUsers") and click "OK".
  3. Add membership for this group to all users who should have wireless access.
Next, modify the RADIUS server policy in the wireless controller:
  1. In the Configuration tab, select Service > RADIUS > Server Policy. Select the "LocalRADIUS" policy and click "Edit".
  2. In the Server Policy tab, deselect any "RADIUS User Pools". Add the "StandardUsers" group to the "LDAP Groups". Ensure that "LDAP Group Verification" is checked, and scroll down.
  3. Set the "Authentication Data Source" to LDAP, and the "LDAP Authentication Type" to PEAP-GTC. Click "OK" and "Exit".
  4. Select the LDAP tab and click "Add" to add a new LDAP server.
  5. In the "Redundancy" field, select "Primary" and fill out ALL fields with the values listed in the table below. Once this is done, commit the changes to the running configuration.
Field (Definition): Value
  • IP Address (IP Address of the LDAP Server): dependent on server configuration
  • Login (LDAP Login Filter):
    WiNG 5.7.1.x - 5.9.1.x: (sAMAccountName=%{Stripped-User-Name})
    WiNG sub-5.7.1 or 5.9.2+: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})
  • Port (LDAP Port): 389
  • Timeout (Server Timeout): 10
  • Bind DN (LDAP bind user distinguished name): cn=wm3400,cn=Users,dc=extreme,dc=wireless,dc=com
  • Base DN (Base distinguished name of the user database): cn=Users,dc=extreme,dc=wireless,dc=com
  • Bind Password (Bind user's password): <user_password>
  • Password Attribute (Database attribute used as password): UserPassword
  • Group Attribute (Database attribute that should be used for the group information): cn
  • Group Filter (LDAP search filter for group information): (|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-userDn})))
  • Group Membership Attribute (Database attribute for group membership): radiusGroupName
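
The following added example (not part of the original article or of vendor code) renders the Login and Group Filter templates from the table for a sample request, so the resulting LDAP filters can be checked before committing. It assumes the %{Name} and %{Name:-fallback} placeholders expand FreeRADIUS-style, that attribute names match case-insensitively, and that values are escaped per RFC 4515; the user "jdoe" is constructed.

```python
# Assumption (not from the article): %{Name} / %{Name:-fallback} expand
# FreeRADIUS-style and attribute names are matched case-insensitively.
LOGIN_PLAIN = "(sAMAccountName=%{Stripped-User-Name})"
LOGIN_FALLBACK = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
GROUP_FILTER = ("(|(&(objectClass=group)(member=%{Ldap-UserDn}))"
                "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-userDn})))")

# RFC 4515: characters that must be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _closing_brace(text, start):
    """Index of the '}' that closes the '%{' whose body begins at start."""
    depth = 1
    for pos in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[pos], 0)
        if depth == 0:
            return pos
    raise ValueError("unbalanced %{...} in template")


def expand(template, attrs):
    """Expand a template; unset or empty attributes use the ':-' fallback."""
    lookup = {name.lower(): value for name, value in attrs.items()}
    out, pos = [], 0
    while pos < len(template):
        if template.startswith("%{", pos):
            end = _closing_brace(template, pos + 2)
            name, _, fallback = template[pos + 2:end].partition(":-")
            value = lookup.get(name.lower(), "")
            out.append(escape_filter_value(value) if value else expand(fallback, attrs))
            pos = end + 1
        else:
            out.append(template[pos])
            pos += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed request: realm not stripped, so only User-Name is present.
    request = {"User-Name": "jdoe",
               "Ldap-UserDn": "cn=jdoe,cn=Users,dc=extreme,dc=wireless,dc=com"}
    for template in (LOGIN_PLAIN, LOGIN_FALLBACK, GROUP_FILTER):
        print(expand(template, request))
```

Pasting a rendered filter into an LDAP search tool scoped to the Base DN is a quick way to confirm it returns exactly the expected user or group.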