Identifi: What is the easiest way to authenticate users in Active Directory using NAC?


Userlevel 4
Hello, everybody,

At the moment I have 120 APs and about 12000 users. The employees' SSID has a beautiful authorization webform on the Fortigate firewall, users use their Active Directory credentials and everything works fine, except I can't see the AD accounts of wifi users in Netsight. This makes me very sad(

But I have an installation of mighty NAC!

Is there any step-by-step guide on how to configure NAC to authorize AD users using a webform?

Could you please share it!

Many thanks in advance,

Ilya

12 replies

Userlevel 1
Why not use RADIUS auth?
Userlevel 4
Diederik Kuijper wrote:

Why not use RADIUS auth?

Hi,
what do you mean?

For sure, I could authorize users over Microsoft NPS. But these are enterprise customers; they need a beautiful web page, not just two input strings for login/password.
Userlevel 1
Diederik Kuijper wrote:

Why not use RADIUS auth?

Why's that even a requirement? By utilizing RADIUS auth you can skip the auth webpage; users simply put in their AD credentials for connecting to the SSID. You then have the users available in Identifi/NetSight, and if you enable FSSO polling on the Fortigate you automatically authenticate users for the firewall as well.

I did this to alleviate double sign-ins.

http://cookbook.fortinet.com/fsso-polling-mode/
Userlevel 7
You'd use the AD and ExtremeControl could query the user accounts via LDAP.

Could you post a screenshot of the current web login page that is used - I'd like to see how beautiful it is 🙂
Userlevel 4
Ron wrote:

You'd use the AD and ExtremeControl could query the user accounts via LDAP.

Could you post a screenshot of the current web login page that is used - I'd like to see how beautiful it is 🙂

It's in Russian, Ron, are you sure?) I'll ask the customer for permission on Monday.

It would be great if someone posted a link to a guide which will help me to configure the web login page in NAC)
Userlevel 7
Could you explain a bit more about the deployment?
What is the security on the WLAN service - is it open/none or WPA PSK or ECP?
Userlevel 4
Ron wrote:

Could you explain a bit more about the deployment?
What is the security on the WLAN service - is it open/none or WPA PSK or ECP?

Hi, Ronald,

sure!

This is an open SSID without authorization. When a user connects to the SSID and tries to reach any Internet resource, he gets to the Fortigate FG-600, where he is asked for his AD credentials (on the beautiful HTTPS login web page).

That is it!

You'd want to set up an Authenticated Registration portal in NAC. I couldn't find a step-by-step guide but the manual has everything you need. Is the current SSID using PSK?
Userlevel 4
James A wrote:

You'd want to set up an Authenticated Registration portal in NAC. I couldn't find a step-by-step guide but the manual has everything you need. Is the current SSID using PSK?

Hi, James,

It is an open SSID. I'll try to play with NAC without a guide(

Thanks!
Userlevel 6
In the NAC portal choose Authenticated registration. You need to configure AAA to your AD (RADIUS or LDAP). It should be quite straightforward.

Good luck.

Z.
Userlevel 4
Pala, Zdenek wrote:

In the NAC portal choose Authenticated registration. You need to configure AAA to your AD (RADIUS or LDAP). It should be quite straightforward.

Good luck.

Z.

Hello, Pala,

Unfortunately, I can't find the "Authenticated registrations" menu. I have Netsight 7.

Where could it be located?

Userlevel 1
Pala, Zdenek wrote:

In the NAC portal choose Authenticated registration. You need to configure AAA to your AD (RADIUS or LDAP). It should be quite straightforward.

Good luck.

Z.

Authenticated Registration would be in the portal configurations, in choosing what kind of portal features you are looking for.