How to set internal RADIUS server on WiNG with LDAP based authentication?
Objective
Configure the internal RADIUS server on a WiNG-based device so that it authenticates against an LDAP-based database.
Environment
  • All Summit WM3000 Series Controllers
  • ExtremeWiNG Controllers
  • WirelessWiNG Controllers
  • ExtremeWiNG Access Points
  • WirelessWiNG Access Points
  • WiNG 5.5+ Software
Procedure
First, create a RADIUS policy.

In the WebUI, go to Configuration - Services - RADIUS - Server Policy and click Add (bottom-right corner).
 
Under Server Policy, find the Authentication section and set Default Source = LDAP and Authentication Type = PEAP-MS-CHAPv2.
 
TIP: Optionally, you can set LDAP as the authentication source for just a particular SSID.
 
Make sure an LDAP agent account is configured for the ldap-bind process. This must be an account that is known to the LDAP database and has sufficient access privileges. Click Add Row, then set the Domain Name that the LDAP server is located in and the username / password of the ldap-agent account.
 
Click OK and Commit changes.
 
TIP: Verify that the domain name is correct by running the command below on a PC:
C:\Users\> nbtstat -a <IP>
Node IpAddress: [w.x.y.z] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    <omitted>
    EXTRBRNO       <1B>  UNIQUE      Registered

Navigate to the LDAP tab (at the top of the web page) and click Add (bottom-right corner).
 
Configure the Primary LDAP server (a secondary is optional) as noted below.
TIP: The Bind-DN may be the LDAP agent account.
 
  • IP address - IP of LDAP server
  • Login - (sAMAccountName=%{Stripped-User-Name})
  • Port - 389
  • Bind DN - CN=<Bind-DN>,OU=<Organization Unit Name>,DC=<Domain>,DC=<Domain>
  • Base DN - OU=<Folder with user accounts>,DC=<Domain>,DC=<Domain>
  • Bind Password - Bind-DN's account password
  • Password Attribute - UserPassword
Click OK, then Commit and Save.

Navigate to Configuration - Devices - Service and map the RADIUS server you just created.
 

Confirm that the LDAP agent (BIND DN) has joined the domain controller correctly under Statistics - System - select the device acting as RADIUS server - LDAP Agent Status.
 

If the LDAP agent is not shown as joined, check the following article:
Why supplicant fails to authenticate using EAP-MSCHAPv2 on WiNG?
 



 
Additional notes
You can configure the RADIUS server with the same setup via the CLI using the following set of commands:
 
radius-server-policy LDAP
 authentication data-source ldap ssid <SSID> precedence 1
 authentication data-source ldap
 authentication eap-auth-type peap-mschapv2
 ldap-server primary host <IP> port 389 login "(sAMAccountName=%{Stripped-User-Name})" bind-dn "CN=<BIND-DN-account>,OU=<LDAP-folder>,DC=<DOMAIN>,DC=<DOMAIN>" base-dn "DC=<DOMAIN>,DC=<DOMAIN>" passwd 0 <BIND-DN-account-password> passwd-attr UserPassword group-attr cn group-filter "(|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-userDn})))" group-membership radiusGroupName net-timeout 10
 ldap-agent primary domain-name <DOMAIN> domain-admin-user <LDAP-agent-account> domain-admin-password 0 <password>
 no ldap-group-verification
 ldap-agent join

TIP: Follow LDAP standard notation to select the correct BASE-DN, BIND-DN, LDAP-agent and DOMAIN.
For example, the domain extreme.local is written as base-dn "DC=extreme,DC=local".
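
A sanity check for these values before committing them, as an added example (not part of the original article or of WiNG): it derives the DC suffix from the domain, verifies that bind-dn and base-dn end in it, and checks the login filter. The function names and every sample value except the domain extreme.local are constructed for illustration.

```python
import re

def domain_to_dn(domain):
    """Turn a DNS domain such as extreme.local into DC=extreme,DC=local."""
    labels = domain.strip(".").split(".")
    if not all(re.fullmatch(r"[A-Za-z0-9-]+", label) for label in labels):
        raise ValueError(f"not a DNS domain name: {domain!r}")
    return ",".join(f"DC={label}" for label in labels)

def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    rdns, current, escaped = [], "", False
    for ch in dn:
        if ch == "," and not escaped:
            rdns.append(current.strip())
            current = ""
            continue
        escaped = (ch == "\\" and not escaped)
        current += ch
    rdns.append(current.strip())
    return rdns

def check_ldap_settings(domain, bind_dn, base_dn, login_filter):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    suffix = domain_to_dn(domain).lower().split(",")
    for name, dn in (("bind-dn", bind_dn), ("base-dn", base_dn)):
        rdns = [re.sub(r"\s*=\s*", "=", r, count=1).lower() for r in split_dn(dn)]
        if not all(re.fullmatch(r"[a-z][a-z0-9-]*=.+", r) for r in rdns):
            problems.append(f"{name}: malformed RDN in {dn!r}")
        elif rdns[-len(suffix):] != suffix:
            problems.append(f"{name}: does not end in {domain_to_dn(domain)}")
    depth = low = 0
    for ch in login_filter:
        depth += (ch == "(") - (ch == ")")
        low = min(low, depth)  # goes negative if ")" appears before its "("
    if depth or low < 0 or not login_filter.startswith("("):
        problems.append("login: unbalanced or unparenthesised filter")
    if "%{Stripped-User-Name}" not in login_filter:
        problems.append("login: filter never references the user name")
    return problems

# Constructed sample values; only the domain extreme.local comes from the article.
SAMPLE = ("extreme.local", "CN=wing-ldap,OU=Service Accounts,DC=extreme,DC=local",
          "OU=Staff,DC=extreme,DC=local", "(sAMAccountName=%{Stripped-User-Name})")
print(check_ldap_settings(*SAMPLE) or "values are consistent")
```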