View and modify an LDAP (lightweight directory access protocol) server object.
About LDAP Servers
An Extreme Networks device can act as a RADIUS authentication server and respond to 802.1X authentication requests from other devices acting as RADIUS authenticators. The Extreme Networks RADIUS server can store user accounts locally or check user login credentials against user accounts stored externally on Active Directory (AD) or LDAP user database servers. See "AAA Server Settings" for more information on configuring Active Directory servers. For more information about LDAP, see "LDAP Servers".
- An Extreme Networks RADIUS server must have a static IP address. Upload the certificate and key files to the device that will act as the RADIUS server before uploading this configuration.
To configure an LDAP user database server for RADIUS authentication, you must first create a network policy, an SSID with WPA/WPA2 802.1X Enterprise access security, and add a RADIUS server group that includes an Extreme Networks RADIUS Server.
In the AAA Server Profile window, on the User Database tab, select LDAP Server, then either add a new LDAP server or choose an existing server from the drop-down list.
Configure an LDAP Server
Enter the following information to define a new LDAP Server.
Name: Enter a name for the LDAP server. The name can contain up to 32 alphanumeric characters without spaces.
LDAP Server: From the drop-down list, select the IP address or resolvable domain name of the LDAP server that holds the user accounts you want the Extreme Networks RADIUS authentication server to check, or add a new LDAP server. You can use an IPv4 or IPv6 address.
Description: Enter an optional description containing up to 64 characters, including spaces.
RADIUS User BaseDN: Enter the entry in the LDAP directory structure at which you want the LDAP server to begin its search for user accounts. The search covers this entry and the entries beneath it. This is the BaseDN (base distinguished name) and can contain up to 256 characters.
For example, to begin searching for user accounts in "sales", enter "cn=sales,cn=users,dc=aerohive,dc=com". Although each LDAP directory structure will be different to meet the needs of the organization it supports, the following are some commonly used entry types in the LDAP structure:
dn (distinguished name): identifies a unique entry in the directory
cn (common name): for example, "cn=Joe Frier"
o (organization): for example, "o=aerohive"
ou (organizational unit): for example, "ou=engineering"
c (country): for example, "c=japan"
dc (domain component): one label of a DNS domain name, for example, "dc=aerohive" and "dc=com"
Bind DN: Enter the name that the Extreme Networks RADIUS server provides to authenticate itself to the LDAP server when initiating a connection. The form of the name must match the form that appears as an entry on the LDAP server. For example, the entry name might be "ap1" and be located in the LDAP directory structure at "cn=ap1,cn=admins,cn=users,dc=yourcompany,dc=com". The bind DN name can contain up to 256 characters. Use a dedicated account that has only read access to the user entries under the BaseDN; the RADIUS server never needs write access, and this password is stored on the device.
Bind DN Password: Enter the password that the Extreme Networks RADIUS server supplies when requesting access to the LDAP server. The password must exactly match the password entered for the user account defined on the LDAP server for the Extreme Networks RADIUS server. It can contain up to 64 characters. To see the text string that you type, clear the Obscure Password check box.
Confirm Password: Enter the password again.
Communication with LDAP or LDAPS: Choose the protocol that the RADIUS server uses when communicating with the LDAP server: LDAP or LDAPS (LDAP over TLS). With plain LDAP, the Bind DN password and the user account lookups travel over the network in clear text, so use LDAPS wherever the LDAP server supports it. For example, when a RADIUS server does lookups on a Novell eDirectory LDAP server, it must send traffic to the Novell server on TCP port 636 for LDAPS.
- When you choose communication with LDAPS, TLS Authentication/Encryption is enabled by default.
You can configure the following optional settings for the LDAP server:
Filter Attribute: Set the LDAP attribute that the search filter matches against the user names that clients supply during RADIUS authentication. By default, the filter attribute is "cn" (common name). If the LDAP server uses a different attribute to identify user entries, change this to match the one in use on the server; for example, Active Directory users normally log in with the name held in sAMAccountName or userPrincipalName rather than cn. The filter attribute can contain between 0 and 32 characters.
Destination Port: Enter the destination port number for TCP communications with the LDAP server. The default port number is 389, the conventional port for plain LDAP; the conventional port for LDAPS is 636. You can set it to any number between 1 and 65,535, but it must match the port on which the LDAP server listens.
TLS Authentication/Encryption: TLS (Transport Layer Security) provides mutual authentication and encryption between the Extreme Networks RADIUS server/LDAP client and the LDAP server. The RADIUS authentication server, in its role as an LDAP client, first authenticates the LDAP server. Then the LDAP server authenticates the Extreme Networks server. After that, they encrypt the ensuing user account lookup exchanges.
- Before configuring TLS authentication between the RADIUS server/LDAP client and the LDAP server, you must import the following files: (1) the CA certificate that the LDAP server is using, (2) an LDAP client certificate issued by that CA for the Extreme Networks device to use, and (3) the private key that corresponds to the LDAP client certificate.
CA Certificate File: Select the CA certificate to use when validating the server certificate that the LDAP server sends. The CA certificate must be issued by the same CA that issued and signed the server certificate for the LDAP server. The default CA certificate is "Default_CA.pem".
LDAP Client Certificate: Select the certificate that the Extreme Networks RADIUS authentication server sends when authenticating itself to the LDAP server. The LDAP server must have the CA certificate that issued the LDAP client certificate, so that the LDAP server can validate it. The default certificate is "Default-Server_cert.pem".
Client Key File: Select the name of the file containing the private key that pairs with the public key in the LDAP client certificate. The default client key file is "Default-Server_key.pem".
Key File Password: Enter the passphrase that protects the LDAP client private key file; the Extreme Networks RADIUS authentication server needs it to decrypt the key when it establishes the TLS session. Then enter it again to confirm accuracy. To see the text string that you type, clear the Obscure Password check box.
Verify Server: Choose one of the following options for the Extreme Networks RADIUS authentication server to use when verifying the LDAP server during the TLS session. During the TLS session, the Extreme Networks device is in the role of an LDAP client.
Try: The Extreme Networks device tries to verify the identity of the LDAP server by requesting its server certificate. If the LDAP server sends a valid certificate, the session continues. If the LDAP server returns an invalid certificate, the Extreme Networks device terminates the session. If the LDAP server returns no certificate at all, the session still continues, so this option does not guarantee that the device is talking to the intended server. This option is enabled by default.
Never: The Extreme Networks device never tries to verify the identity of the LDAP server. The Extreme Networks device neither requests nor checks the server certificate from the LDAP server, so the TLS session protects the traffic from passive eavesdropping only, not from an attacker who can intercept the connection and present any certificate.
Demand: The Extreme Networks device must verify the identity of the LDAP server to continue the session. The session continues only if the LDAP server sends a valid certificate. If the LDAP server sends an invalid certificate or if it does not return any certificate at all, the Extreme Networks device terminates the session. Choose Demand for production deployments; it is the only option under which the Bind DN password and the user account lookups are sent only to a server whose certificate chains to the configured CA certificate.
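The following is an added example, not code from the product or from this page. It models the settings described above (LDAP Server, Destination Port, LDAP or LDAPS, Bind DN, RADIUS User BaseDN, Filter Attribute, CA Certificate File and the optional client certificate and key) and builds the equivalent OpenLDAP ldapsearch command line, so that the Bind DN, password, BaseDN, filter attribute and TLS trust can be checked from an administrator's host before the configuration is uploaded. It also shows how the search filter is formed from the filter attribute and the user name a client supplies, with RFC 4515 escaping so that characters such as `*`, `(` and `)` in a supplied name are matched literally. All host names, DNs and user names in it are constructed sample values; the LDAPTLS_* variables are the OpenLDAP client's environment settings, and LDAPTLS_REQCERT=demand corresponds to the Verify Server option Demand.

```python
"""Model the LDAP lookup the RADIUS server performs and emit a test command.

Added example (not code from the product or page). Host names, DNs and user
names are constructed sample values.
"""
import shlex

# RFC 4515 section 3: characters that must be escaped in a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value so it is matched literally inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(filter_attribute, username):
    """Build the equality filter used to locate a user entry.

    filter_attribute is the page's Filter Attribute (default "cn"); username is
    whatever identity the 802.1X client supplied and may contain metacharacters.
    """
    if not 1 <= len(filter_attribute) <= 32:
        raise ValueError("Filter Attribute must be 1-32 characters")
    return "(%s=%s)" % (filter_attribute, escape_filter_value(username))


def split_dn(dn):
    """Split a DN into (type, value) pairs, honouring RFC 4514 backslash escapes.

    Escapes are preserved in the returned values (the DN is not decoded), which
    is the form a client sends to the server. Multi-valued RDNs ('+') are not split.
    """
    if not 1 <= len(dn) <= 256:
        raise ValueError("DN must be 1-256 characters")
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                      # character after '\' is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":                  # unescaped comma ends the RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError("RDN without '=': %r" % rdn)
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def ldapsearch_command(server, port, use_ldaps, bind_dn, base_dn,
                       filter_attribute, username, ca_cert="Default_CA.pem",
                       client_cert=None, client_key=None):
    """Return an ldapsearch invocation equivalent to the configured lookup.

    The Bind DN password is deliberately not included: -W prompts for it, so it
    never lands in shell history or process listings. LDAPTLS_* are OpenLDAP
    client environment variables; REQCERT=demand matches Verify Server: Demand.
    """
    split_dn(bind_dn)                    # fail early on a malformed Bind DN
    split_dn(base_dn)                    # ... or a malformed BaseDN
    if not 1 <= port <= 65535:
        raise ValueError("port must be 1-65535")
    host = "[%s]" % server if ":" in server else server   # IPv6 literal in a URL
    url = "%s://%s:%d" % ("ldaps" if use_ldaps else "ldap", host, port)
    env = []
    if use_ldaps:
        env += ["LDAPTLS_REQCERT=demand", "LDAPTLS_CACERT=" + shlex.quote(ca_cert)]
        if client_cert and client_key:   # mutual TLS, as the page's TLS option does
            env += ["LDAPTLS_CERT=" + shlex.quote(client_cert),
                    "LDAPTLS_KEY=" + shlex.quote(client_key)]
    argv = ["ldapsearch", "-H", url, "-D", bind_dn, "-W", "-b", base_dn,
            "-s", "sub", build_user_filter(filter_attribute, username), "dn"]
    return " ".join(env + [shlex.quote(a) for a in argv])


if __name__ == "__main__":
    print(ldapsearch_command(
        "ldap.aerohive.com", 636, True,
        "cn=ap1,cn=admins,cn=users,dc=yourcompany,dc=com",
        "cn=sales,cn=users,dc=aerohive,dc=com",
        "cn", "j*smith)(cn=*",           # hostile user name is escaped, not injected
    ))
```

Run the printed command from a host with the OpenLDAP client tools and the CA certificate file present: a successful result returns exactly one dn for a known user, while a bind failure points at the Bind DN or its password, an empty result at the BaseDN or filter attribute, and a TLS error at the CA certificate or the server's certificate. Because the command uses REQCERT=demand, a lookup that only works after lowering it to "try" or "never" indicates a certificate problem that the device's Verify Server setting would also hit.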