Using OpenLDAP database with WS5100 on-board RADIUS server

An LDAP server can be used as the user database for the WS5100 on-board RADIUS server. This document gives the configuration needed on the WS5100 and on the LDAP server (a Linux OpenLDAP server).

Below are two screenshots of the Linux OpenLDAP server that will be used as the database for RADIUS hotspot authentication on the WS5100.

In the first screenshot, adam is the user; with that user highlighted, its details are shown in the right-hand pane. The LDIF file for this user looks as shown below:
dn:cn=adam,o=symbol,c=INDIA
objectclass:person
objectclass:uidObject
cn:adam
sn:adam
uid:adam
userPassword:mypassword
The second screenshot shows the group sales, which has user adam as its member. The LDIF file for this group looks as shown below:
dn: cn=sales,o=symbol,c=INDIA
objectclass:GroupOfNames
member:cn=adam,o=symbol,c=INDIA
cn:sales
o:symbol
Details of OpenLDAP in Linux:

Edit the LDAP configuration file (/etc/openldap/slapd.conf) with the base DN and the manager (rootdn) username and password:

suffix "o=symbol,c=INDIA"
rootdn "cn=manager,o=symbol,c=INDIA"
rootpw secret

rootpw may also be given as a hash generated with slappasswd instead of the cleartext value shown here.

Start the LDAP server (/usr/sbin/slapd).
Users can be added, deleted and searched either through the CLI or through LdapBrowser (lbe.sh).

OpenLDAP CLI commands for adding/searching users:

ldapadd -x -D "cn=manager,o=symbol,c=INDIA" -W -f base1.ldif
ldapadd -x -D "cn=manager,o=symbol,c=INDIA" -W -f sales.ldif
ldapadd -x -D "cn=manager,o=symbol,c=INDIA" -W -f member6.ldif
ldapsearch -x -b 'o=symbol,c=INDIA' '(&(cn=sales)(objectclass=groupOfNames))'
LDIF files (base1.ldif, sales.ldif, member6.ldif)
(Cut and paste the text below to create each *.ldif file.)

base1.ldif
dn: o=symbol,c=INDIA
objectclass: organization
o: SYMBOL
sales.ldif
dn: cn=sales,o=symbol,c=INDIA
objectclass:GroupOfNames
member:cn=adam,o=symbol,c=INDIA
cn:sales
o:symbol
member6.ldif
dn:cn=adam,o=symbol,c=INDIA
objectclass:person
objectclass:uidObject
cn:adam
sn:adam
uid:adam
userPassword:mypassword
User/Group Configuration with LdapBrowser:

LdapBrowser (free download) can be used for configuring users instead of the CLI.

1. Install LDAP browser and run the binary for the configuration GUI (lbe.sh).
2. Connect to the running LDAP server.
3. Import the LDIF files mentioned above using the LDIF->Import menu option (import base1.ldif, sales.ldif and member6.ldif).
4. Choose the Update/Add option when importing the configuration.
5. Verify that the loaded users/groups show in the left panel.
LDAP configuration in WS5100 for accessing OpenLDAP:

LDAP Server Config Details
__________________________
Primary LDAP Server configuration
IP Address              : 192.168.0.245
Port                    : 389
Login                   : (uid=%{Stripped-User-Name:-%{User-Name}})
Bind DN                 : cn=manager,o=symbol,c=INDIA
Base DN                 : o=symbol,C=INDIA
Password                : 0 secret
Password Attribute      : UserPassword
Group Name              : cn
Group Membership Filter : (|(&(objectClass=groupofNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
Group Member Attr       : radiusGroupName
Net timeout             : 1 second(s)
Description of the fields for LDAP configuration:

LDAP Server IP and Port:
The IP address of the server running the OpenLDAP service and the port number on which the LDAP service is listening. The default port number is 389.

LDAP "Base DN" field:
The top level of the LDAP directory tree is the base, referred to as the "base DN". In the above example we are working in the domain DN "o=symbol,c=INDIA", so the Base DN for this example is
Base DN = "o=symbol,C=INDIA".

LDAP "Bind DN" and "Password" fields:
These allow the RADIUS server to bind to the OpenLDAP directory using the administrator user name and password. In the above example "manager" is the user with administrative privileges in the domain, and that user's password, "secret", is configured in the Bind Password field. For the example in the Figure 1 screenshot:
Bind DN = "cn=manager,o=symbol,c=INDIA"
Bind Password = "secret"

These fields (Base DN, Bind DN and Password) are used by the RADIUS server to log on to the directory and search for the requested users within this base. The lookups only read the directory, so a dedicated bind account with search rights on the base DN is sufficient; binding as the rootdn, as in this example, gives the switch full write access to the tree.
Group Membership Filter:
Specify the search criteria:
(|(&(objectClass=groupofNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))

Here objectClass=groupofNames has been given since, in the screenshot, we can see that the object class of the group sales is groupOfNames. %{Ldap-UserDn} stands for the DN of the user entry matched by the Login filter, so the search returns the groups that list that DN as a member.

The basic search is done based on the group, and that is the reason one has to create the same group on the switch also and configure a WLAN policy allowing that WLAN for the group.

Rest of all other fields:
The rest of the fields are to be used as shown in the above table. These attributes are used when searching for users within the base in OpenLDAP given by the Base DN field.
Comparison between the configuration for Linux OpenLDAP and Windows Active Directory

For OpenLDAP:
User Login Filter: (uid=%{Stripped-User-Name:-%{User-Name}})
Whereas for Active Directory it will be:
User Login Filter: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})

For OpenLDAP:
Group Filter: (|(&(objectClass=groupofNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
Whereas for Active Directory it will be:
Group Filter: (|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
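To show what the Login filter and the Group Membership filter above actually do at authentication time, here is an added Python example (not code from this page, nor from the WS5100 firmware) that replays the lookup offline: it parses the page's sales.ldif and member6.ldif entries, expands the %{...} references the way the filter templates are written (innermost first, with :- giving the default), evaluates the resulting RFC 4515 filters against the entries, and compares the userPassword value. The CONFIG dict, the function names, the constructed sample LDIF and the evaluation rule (plain case-insensitive equality instead of LDAP matching rules) are this example's own assumptions; it also shows why the Active Directory login filter from the comparison above finds nothing in this OpenLDAP tree.

```python
import hmac
import re

# Constructed sample directory: the page's sales.ldif and member6.ldif, joined together.
SAMPLE_LDIF = """dn: cn=sales,o=symbol,c=INDIA
objectclass: GroupOfNames
member: cn=adam,o=symbol,c=INDIA
cn: sales
o: symbol

dn: cn=adam,o=symbol,c=INDIA
objectclass: person
objectclass: uidObject
cn: adam
sn: adam
uid: adam
userPassword: mypassword
"""

# The switch's LDAP settings from the table above; the dict keys are this example's own names.
CONFIG = {
    "base_dn": "o=symbol,C=INDIA",
    "login_filter": "(uid=%{Stripped-User-Name:-%{User-Name}})",
    "password_attr": "UserPassword",
    "group_name_attr": "cn",
    "group_filter": "(|(&(objectClass=groupofNames)(member=%{Ldap-UserDn}))"
                    "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))",
}

def parse_ldif(text):
    """Parse plain LDIF (no base64 or continuation lines) into a list of {attr: [values]} dicts."""
    entries, current = [], {}
    for line in map(str.strip, text.splitlines() + [""]):   # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line:
            attr, _, value = line.partition(":")    # "attr:value" and "attr: value" are both valid LDIF
            current.setdefault(attr.strip().lower(), []).append(value.strip())
        elif current:                               # a blank line ends the current entry
            entries.append(current)
            current = {}
    return entries

_REF = re.compile(r"%\{([^{}]*)\}")                 # an innermost %{...} reference
def expand(template, attrs):
    """Expand %{Attr} and %{Attr:-default} references innermost first, as the filter templates use them."""
    def repl(m):
        name, _, default = m.group(1).partition(":-")
        return attrs.get(name) or default           # missing attribute and no default -> ""
    while _REF.search(template):                    # assumes attribute values contain no %{
        template = _REF.sub(repl, template)
    return template

def parse_filter(text):
    """Parse an RFC 4515 filter built from &, |, ! and equality items into a nested tuple."""
    pos = 0
    def node():
        nonlocal pos
        pos += 1                                    # skip the opening '('
        if text[pos] in "&|!":
            op, children, pos = text[pos], [], pos + 1
            while text[pos] == "(":
                children.append(node())
            pos += 1                                # skip the closing ')'
            return (op, children)
        end = text.index(")", pos)                  # a ')' inside a value would need RFC 4515 escaping (not handled)
        attr, sep, value = text[pos:end].partition("=")
        if not sep or attr[-1] in "<>~:" or "*" in value:
            raise ValueError(f"only equality items are supported: ({text[pos:end]})")
        pos = end + 1
        return ("=", attr.strip().lower(), value)
    tree = node()
    if pos != len(text):
        raise ValueError("malformed filter")
    return tree

def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive equality, fine for objectClass and DN values)."""
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    return any(v.lower() == node[2].lower() for v in entry.get(node[1], []))

def authenticate(entries, cfg, radius_attrs, password):
    """Replay the server's lookup: user entry via the Login filter, password attribute check, then groups."""
    scope = [e for e in entries if e["dn"][0].lower().endswith(cfg["base_dn"].lower())]
    login = parse_filter(expand(cfg["login_filter"], radius_attrs))
    users = [e for e in scope if matches(login, e)]
    if len(users) != 1:                             # unknown user, or an ambiguous (duplicate uid) match
        return False, []
    stored = users[0].get(cfg["password_attr"].lower(), [""])[0]
    # userPassword is stored in clear on this page, so it is compared directly (hence PAP); compare_digest is constant-time.
    if not stored or not hmac.compare_digest(stored.encode(), password.encode()):
        return False, []
    attrs = dict(radius_attrs, **{"Ldap-UserDn": users[0]["dn"][0]})   # DN of the entry just found
    group = parse_filter(expand(cfg["group_filter"], attrs))
    return True, [g[cfg["group_name_attr"].lower()][0] for g in scope if matches(group, g)]
ENTRIES = parse_ldif(SAMPLE_LDIF)
```

Calling authenticate(ENTRIES, CONFIG, {"User-Name": "adam"}, "mypassword") returns (True, ["sales"]), which is the group name the switch then matches against its own "sales" group; a wrong password, an unknown user, or a duplicate uid under the base DN yields (False, []). A realm-stripped request ({"User-Name": "adam@symbol", "Stripped-User-Name": "adam"}) resolves to the same (uid=adam) filter because the :- default is only used when Stripped-User-Name is absent. On the real switch these steps run over LDAP against slapd; this model only makes the filter semantics visible.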
Things to be taken care of in the switch configuration:

1. Configure the authentication data source as LDAP with the following commands:
WS5100(config)#radius-server local
WS5100(config-radsrv)#authentication data-source ldap

2. Set the authentication type on the switch to "all" with the command:
WS5100(config)#radius-server local
WS5100(config-radsrv)#authentication eap-auth-type all

3. The user in OpenLDAP is a member of the group "sales"; configure a group on the switch with the same name, sales, and in the WLAN policy allow that group access to the WLAN we have connected to:
WS5100(config)#radius-server local
WS5100(config-radsrv)#group sales
WS5100(config-radsrv-group)#policy wlan 1

4. Set the authentication protocol:
WS5100(config)#wireless
WS5100(config-wireless)#wlan 1 radius authentication-protocol pap

Note: The parameters are set for the Linux OpenLDAP service. Parameters may be different for other LDAP servers.