Add/Edit LDAP Configuration Window


Use the Add/Edit LDAP Configuration window to configure the LDAP servers on your network. You can access this window from the Users/Groups tab in the Authorization/Device Access tool, or in NAC Manager from the AAA Configuration window, by selecting New from the drop-down menu in the LDAP Configuration field. You can also access this window from the Manage LDAP Configurations window. Any changes made in this window are written immediately to the Extreme Management Center database.

  NOTE: If you are using LDAPS, your Management Center/Extreme Access Control environment must be configured to accept the new LDAPS server certificate. For information, see Server Certificate Trust Mode in the Secure Communications Help topic.



Configuration Name
Enter a name for the LDAP configuration.
Test Button
Click Test to check the connection to the LDAP server; a report of the connection test results is displayed. The test also provides a user/host search that lets you search on a user entry or host entry value and display the attributes associated
LDAP Connection URLs
Use this table to add, edit, or delete connection URLs for the LDAP server and any backup servers you have configured. (The backup servers are redundant servers containing the same directory information.)

The format for the connection URL is ldap://host:port, where host is a hostname or IP address and the default port is 389, for example ldap://10.20.30.40:389. For a secure connection the format is ldaps://host:port and the default port is 636, for example ldaps://10.20.30.40:636. On a plain ldap:// connection the bind credentials entered under Authentication Settings and every query result cross the network unencrypted, so use ldaps:// wherever the server supports it. If you are using LDAPS, your Management Center/Access Control environment must be configured to trust the new LDAPS server certificate; see Server Certificate Trust Mode in the Secure Communications Help topic.

If you are creating an LDAP configuration for Novell eDirectory, be aware that the eDirectory may require that the universal password lookup be done using LDAPS. If you configure the URL for LDAP only, the lookup may fail.
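The following is an added example, not code from Extreme Management Center, that validates the URLs entered in the LDAP Connection URLs table the way a practitioner would before clicking Test: it applies the default ports (389 for ldap://, 636 for ldaps://), rejects anything that is not one of those two schemes, and flags plaintext entries and mixed ldap://ldaps server lists, because failover to a plaintext backup silently loses the protection the primary URL was given. The server addresses are constructed sample values.

```python
"""Validate and normalize LDAP connection URLs (ldap://host:port,
default 389; ldaps://host:port, default 636).

Added example, not Extreme Management Center code. The hostnames and
addresses in the demo are constructed samples.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_url(url):
    """Return (scheme, host, port, tls) for an ldap:// or ldaps:// URL.

    The port defaults to 389 for ldap and 636 for ldaps when omitted.
    Any other scheme, a missing host, or trailing path/query text is
    rejected so a typo (https://, a bare "host:389") is caught here
    instead of producing a confusing connection-test failure.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"{url!r}: scheme must be ldap or ldaps")
    if not parts.hostname:
        raise ValueError(f"{url!r}: missing host")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError(f"{url!r}: only host and port are expected")
    # parts.port raises ValueError itself for a non-numeric or out-of-range port
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return scheme, parts.hostname, port, scheme == "ldaps"


def check_server_list(urls):
    """Parse every URL in the table and return (parsed, warnings).

    A warning is recorded for each ldap:// entry, since the bind
    credentials and all query results cross the network unencrypted on
    that connection, and one more if the list mixes ldap:// and
    ldaps://, since failover to a plaintext backup downgrades the
    protection the primary URL had.
    """
    parsed = [parse_ldap_url(u) for u in urls]
    warnings = []
    for scheme, host, port, tls in parsed:
        if not tls:
            warnings.append(f"{host}:{port} uses plaintext ldap://")
    if len({tls for _, _, _, tls in parsed}) > 1:
        warnings.append("mixed ldap:// and ldaps:// entries: failover can downgrade to plaintext")
    return parsed, warnings


if __name__ == "__main__":
    # Constructed sample table: a primary over LDAPS, a backup that was typed as plain ldap://
    sample_urls = ["ldaps://dc1.example.com", "ldap://10.20.30.40:389"]
    servers, problems = check_server_list(sample_urls)
    for s in servers:
        print("server:", s)
    for p in problems:
        print("warning:", p)
```

Run the module directly to see the parsed entries and the two warnings for the sample table; call `parse_ldap_url` on a single URL to get the scheme, host, effective port and whether TLS is in use.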
Authentication Settings
Enter the username and password of the account used to bind to the LDAP server and run queries, and a timeout value in seconds for the LDAP server connection. The account only needs read access to the directory, so use a dedicated low-privilege bind account rather than a domain or directory administrator: these credentials are written to the Extreme Management Center database and presented to every server listed under LDAP Connection URLs.
Search Settings
In each of the three search root fields, enter the root node of the LDAP server, or a subtree below it to confine the search to one section of the directory and improve search performance. The search root must be a DN (Distinguished Name), for example dc=example,dc=com for the whole directory or ou=Users,dc=example,dc=com for a subtree.
Schema Definition
Provide information that describes how entries are organized in the LDAP server. You can enter your own definitions or use the defaults available from the menu button to the right of the OU Object Classes field:
Active Directory: User Defaults - Settings that allow user authentication when Access Control is set to proxy to LDAP and the server is an Active Directory machine.

Active Directory: Machine Defaults - Settings that allow machine authentication when Access Control is set to proxy to LDAP and the server is an Active Directory machine.

OpenLDAP Defaults - Settings that allow Access Control to verify the user's password via an OpenLDAP server. See the NAC Manager How to Configure PEAP Authentication via OpenLDAP Help topic for information.

Novell eDirectory Defaults - Settings that allow Access Control to read the universal password from Novell eDirectory. You must configure eDirectory to allow that password to be read. See the NAC Manager How to Configure PEAP Authentication via eDirectory Help topic for information.

Schema Definition fields:
  • User Object Class - enter the name of the class used for users.
  • User Search Attribute - enter the name of the attribute in the user object class that contains the user's login ID.
  • Keep Domain Name for User Lookup - If selected, the full username as presented, including the domain, is used to look up the user in LDAP. Select this option when the User Search Attribute holds a domain-qualified name, such as userPrincipalName.

    If the option is not selected, the domain name is stripped from the username before the lookup. Deselect it when the User Search Attribute holds the bare account name, such as sAMAccountName. Two examples of the domain name being stripped:
        user@domain.com -> user
        DOMAIN\user -> user
  • User Authentication Type - Specify how the user's password is verified. There are four options:
    • LDAP Bind - The easiest option to configure: Access Control binds to the LDAP server as the user with the password the client supplied. It requires the plain text password, so it is useful for authentication from the captive portal but does not work with most 802.1X authentication types, which send a challenge response instead of the password itself.

    • NTLM Auth - Only useful when the backend LDAP server is really a Microsoft Active Directory server. It is an extension to LDAP bind that uses ntlm_auth to verify the NT hash challenge responses from a client in MsCHAP, MsCHAPV2 and PEAP requests, so the password never has to be readable from the directory.

    • NT Hash Password Lookup - If the LDAP server stores the user's password as an NT hash that is readable by another system, Access Control can read the hash from the LDAP server and use it to verify the challenge responses in an MsCHAP, MsCHAPV2 or PEAP request. An NT hash is password-equivalent: any account that can read the attribute can authenticate as that user, so limit read access to the hash attribute to the bind account.

    • Plain Text Password Lookup - If the LDAP server stores the user's password unencrypted in an attribute that can be read via an LDAP request, this option reads the password from the server at the time of authentication. It can be used with any authentication type that requires a password, but it depends on the directory exposing cleartext passwords, so use it only where the directory already stores them that way (such as the eDirectory universal password) and only over LDAPS.

  • User Password Attribute - the name of the attribute that holds the user's password, used with the NT Hash Password Lookup and Plain Text Password Lookup options above.
  • Host Object Class - enter the name of the class used for host entries.
  • Host Search Attribute - enter the name of the attribute in the host object class that contains the hostname.
  • Use Fully Qualified Domain Name checkbox - select to match the host on its Fully Qualified Domain Name (FQDN), or clear it to match on the hostname without its domain.
  • OU Object Classes - the names of the classes used for organizational units.
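The following is an added example, not code from Extreme Management Center, showing what the Schema Definition fields turn into at lookup time: the username is normalized according to Keep Domain Name for User Lookup (user@domain.com and DOMAIN\user both become user when the option is off), the hostname according to Use Fully Qualified Domain Name, and the result is placed in an LDAP search filter built from the object class and search attribute. The value is escaped per RFC 4515 before it goes into the filter, which is the check a practitioner wants when the username comes from a captive portal form. The Active Directory defaults for users (user, sAMAccountName, userPrincipalName) are the ones the page names; the host defaults (computer, dNSHostName) are an assumption, and the logins and hostnames are constructed samples.

```python
"""Normalize a login or hostname as the Schema Definition options
describe and build the LDAP search filter for the lookup.

Added example, not Extreme Management Center code. Host defaults
(computer / dNSHostName) are assumed Active Directory names; the page
only names the user attributes. All sample inputs are constructed.
"""


def strip_domain(login):
    """Remove the domain as the lookup does with Keep Domain Name off:
    user@domain.com -> user and DOMAIN\\user -> user."""
    if "\\" in login:
        return login.rsplit("\\", 1)[1]
    return login.split("@", 1)[0]


def normalize_username(login, keep_domain):
    """Keep Domain Name for User Lookup: pass the login through unchanged
    when selected (userPrincipalName), strip it otherwise (sAMAccountName)."""
    return login if keep_domain else strip_domain(login)


def normalize_hostname(host, use_fqdn):
    """Use Fully Qualified Domain Name: keep the FQDN when selected,
    otherwise keep only the leftmost label."""
    return host if use_fqdn else host.split(".", 1)[0]


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in a search filter.

    Without this, a login such as "*)(objectClass=*" typed at the
    captive portal changes the meaning of the filter instead of matching
    one user (LDAP filter injection). Backslash, *, (, ) and NUL become
    \\XX hex escapes.
    """
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def build_user_filter(login, object_class="user", search_attr="sAMAccountName",
                      keep_domain=False):
    """Filter for the user lookup: (&(objectClass=<User Object Class>)
    (<User Search Attribute>=<normalized login>))."""
    name = normalize_username(login, keep_domain)
    return (f"(&(objectClass={escape_filter_value(object_class)})"
            f"({search_attr}={escape_filter_value(name)}))")


def build_host_filter(host, object_class="computer", search_attr="dNSHostName",
                      use_fqdn=True):
    """Filter for the host lookup, honouring the FQDN checkbox.
    The class and attribute defaults are assumed AD names."""
    name = normalize_hostname(host, use_fqdn)
    return (f"(&(objectClass={escape_filter_value(object_class)})"
            f"({search_attr}={escape_filter_value(name)}))")


if __name__ == "__main__":
    # Constructed sample inputs
    print(build_user_filter("jdoe@corp.example.com"))            # sAMAccountName, domain stripped
    print(build_user_filter("CORP\\jdoe"))                       # same result for DOMAIN\user form
    print(build_user_filter("jdoe@corp.example.com",
                            search_attr="userPrincipalName", keep_domain=True))
    print(build_user_filter("*)(objectClass=*"))                 # injection attempt, escaped
    print(build_host_filter("pc01.corp.example.com"))
    print(build_host_filter("pc01.corp.example.com", use_fqdn=False))
```

Running the module prints the filter for each sample; compare the escaped injection attempt with the unescaped string to see why the escaping matters. The search attribute name itself is not escaped because it comes from the administrator's configuration, not from the client.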
