How to Configure PEAP Authentication via eDirectory
This Help topic provides instructions for configuring NAC to authenticate PEAP, MsCHAP, and MsCHAPv2 requests using Novell eDirectory.
To do this, you must create a RADIUS account and a Universal Password Policy on eDirectory. After eDirectory is configured, select the Populate Novell eDirectory Defaults option for your NAC Manager LDAP configuration and set the User Authentication Type to Plain Text Password Lookup. Then, in your advanced AAA configuration, create an entry that uses this LDAP configuration. This allows NAC to verify the user's password from the PEAP/MsCHAP/MsCHAPv2 request via eDirectory.
Use the following steps to create this configuration.
- In Novell iManager, create an account that is permitted to authenticate to eDirectory and retrieve the user password information.
  - Create an admin user that the LDAP configuration in NAC Manager will use to connect and authenticate end-systems to the Novell eDirectory. In our example below, the username is radiusAdmin.
  - Assign the admin user trustee status and privileges to access the database.
    - On the Modify Trustees page, locate the admin user using the Search function.
    - Add the admin user as a Trustee using the Add Trustee button on the right side of the Modify Trustees page.
    - Select the Assigned Rights link for the Trustee user and enable the Supervisor option defined for the All Attributes Rights Property.
- Establish a universal password policy to be assigned to the organization or specific unit within the organization.
  - Create a new Password Policy for the organization that will be used to enable universal passwords.
  - Select the option to enable Universal Passwords and deselect the option Enable the Advanced Password Rules.
  - Select the appropriate object in the Novell tree that the Universal Password Policy will be applied to.
The following screen shot shows a completed Universal Password Policy.
The following screen shot shows the Universal Policy Summary. Note that the Enable Universal Password option is set to true and the Enable the Advanced Password Rules option is set to false.
  - The final step in defining the Universal Password Policy is to enable the option that allows the radiusAdmin user to retrieve users' passwords from the database.
- In NAC Manager, create an LDAP configuration that defines access to Novell's eDirectory. The screen shot below shows an LDAP configuration used to authenticate 802.1X PEAP to eDirectory.
  - In the Advanced Configuration window, right-click on the LDAP Configurations folder and select Add LDAP Configuration. The Add LDAP Configuration window opens.
  - In the OU Object Classes field, use the configuration menu to select the Populate Novell eDirectory Defaults option.
  - Set the User Authentication Type to Plain Text Password Lookup.
  - Verify the User Password Attribute is nspmPassword.
- In your Advanced AAA Configuration, add an entry that uses this LDAP configuration. The configuration will allow NAC to verify the user's password from the PEAP/MsCHAP/MsCHAPv2 request.