Aerohive Migrated Content


how to designate the password field used by LDAP AAA/RADIUS

  • 1.  how to designate the password field used by LDAP AAA/RADIUS

    Posted 12-17-2018 13:51

    Is there any way to define which attribute the RADIUS server checks in an external LDAP server? It seems to be hitting the first one that it hits (NT passwd) rather than the userPassword attribute which has caused some odd problems.



  • 2.  RE: how to designate the password field used by LDAP AAA/RADIUS

    Posted 12-17-2018 14:33

    That depends a bit on what we're getting back from the LDAP server. Would you be able to provide the output from this command:

    exec aaa ldap-search

    Also, if you can send tech data from the AP you run that command on, that would be helpful. If you'd rather send that to me directly, my email is communityhelp@aerohive.com.

    To get tech data in HiveManager (formerly NG, cloud.aerohive.com):

    Tools> Utilities> Get tech data> Check the box next to the device> Get tech data (blue button at the top of the page this time).

    This guide reviews how to get tech data from the CLI of the AP in case that is more convenient:

    https://thehivecommunity.aerohive.com/s/article/Collecting-Tech-Data-via-CLI

     



  • 3.  RE: how to designate the password field used by LDAP AAA/RADIUS

    Posted 12-17-2018 15:16
    Hi,
    ah00#exec aaa ldap-search username tom
    ah00#
    Exec-Program output:
    Search user 'tom' under baseDN ou=users,dc=pcc,dc=com successful.
    filter: (uid=tom)
    dn: uid=tom,ou=users,dc=pcc,dc=com
    uid: tom
    mail: tom@pcc.com
    password exists
    password exists
    I take it we shouldn’t see password exists twice?


  • 4.  RE: how to designate the password field used by LDAP AAA/RADIUS

    Posted 12-17-2018 15:29

    Thank you for that output. Could you tell me what application you are using to manage your user directory?



  • 5.  RE: how to designate the password field used by LDAP AAA/RADIUS

    Posted 12-17-2018 15:40
    OpenLDAP


  • 6.  RE: how to designate the password field used by LDAP AAA/RADIUS

    Posted 12-17-2018 16:00

    Thank you. Were you able to get that tech data file?

    To get tech data in HiveManager (formerly NG, cloud.aerohive.com):

    Tools> Utilities> Get tech data> Check the box next to the device> Get tech data (blue button at the top of the page this time).

    This guide reviews how to get tech data from the CLI of the AP in case that is more convenient:

    https://thehivecommunity.aerohive.com/s/article/Collecting-Tech-Data-via-CLI

     



  • 7.  RE: how to designate the password field used by LDAP AAA/RADIUS

    Posted 12-17-2018 16:47


  • 8.  RE: how to designate the password field used by LDAP AAA/RADIUS

    Posted 12-17-2018 17:37

    I haven't received the tech data yet, would you be able to send that again to communityhelp@aerohive.com?



  • 9.  RE: how to designate the password field used by LDAP AAA/RADIUS

    Posted 12-17-2018 21:15

    Thank you for sending that over to me. By default when we set up an LDAP server in HiveManager, the predefined user group attribute is "radiusGroupName". If we change this to "person", that should include userPassword.

    Here is the mapping from openLDAP for reference- http://www.zytrax.com/books/ldap/ape/#person

    To find this in the HiveManager we will want to go to Configure> Open the Network Policy> Open the SSID> Open/Create the Default Radius Server Group> Select Aerohive Radius Server> Switch to LDAP Server.



  • 10.  RE: how to designate the password field used by LDAP AAA/RADIUS

    Posted 12-18-2018 14:52

    That didn't work. It's still returning two passwords



  • 11.  RE: how to designate the password field used by LDAP AAA/RADIUS

    Posted 12-18-2018 14:58

    I'm sorry, I'm not sure what you mean when you say it's returning two passwords. Could you clarify and/or send a screen shot of what you are seeing?



  • 12.  RE: how to designate the password field used by LDAP AAA/RADIUS

    Posted 12-18-2018 15:01
    That search group doesn’t hide the “sambaNTpassword” field, which is what I think you may have been expecting based on the webpage you cited.

    Exec-Program output:
    Search user 'tom' under baseDN ou=users,dc=pcc,dc=com successful.
    filter: (uid=tom)
    dn: uid=tom,ou=users,dc=pcc,dc=com
    uid: tom
    mail: tom@pcc.com
    password exists
    password exists


  • 13.  RE: how to designate the password field used by LDAP AAA/RADIUS

    Posted 12-26-2018 20:26

    Thank you for your patience, I'm sorry for the long wait here. I wanted to confirm before I got back to you, but it looks like the only way we would be able to not report that password field would be to have it not reported in plain text from the server.



  • 14.  RE: how to designate the password field used by LDAP AAA/RADIUS

    Posted 12-30-2018 16:34
    Thanks for getting back to me. I also figured this out in the meantime and it's sort of like your answer...

    The radius server on Aerohive has a typical limitation in that it needs a clear text password returned from the userpasswd attribute. It can also use a ntpassword or lmpassword field if it finds those, which we have.

    This has finally motivated us to figure out how to keep the two fields in sync.

    Thanks!
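The last post says the RADIUS server will use a cleartext userPassword or, if present, the NT/LM password attributes, and that the two now have to be kept in sync. The script below is an added example, not code from the thread, from Aerohive or from OpenLDAP: it parses a constructed LDIF entry shaped like the thread's uid=tom (the attribute values, including the password "password", are made up), lists which password attributes exist (one "password exists" per attribute, like the AP output), flags a userPassword that is stored hashed ({SSHA}, {CRYPT}, ...) rather than cleartext, checks that sambaNTPassword equals the NT hash (MD4 over the UTF-16LE password, uppercase hex, the standard Samba encoding) of the cleartext userPassword, and emits an ldapmodify change record to repair drift. MD4 is implemented in pure Python because many OpenSSL 3 builds of hashlib no longer expose it.

```python
"""Check that an OpenLDAP user's userPassword and sambaNTPassword hold the same secret.

Added example, not code from the thread or from Aerohive.  The RADIUS server
discussed above reports "password exists" once per password attribute it reads
and needs either a cleartext userPassword or a sambaNTPassword/sambaLMPassword
value, so the two attributes must stay in sync.  The LDIF below is constructed
to resemble the thread's uid=tom entry; the password "password" is made up.
"""
import base64
import hashlib
import struct

PASSWORD_ATTRS = ("userPassword", "sambaNTPassword", "sambaLMPassword")

# Constructed sample entry (the thread never shows attribute values).
SAMPLE_LDIF = """\
dn: uid=tom,ou=users,dc=pcc,dc=com
uid: tom
mail: tom@pcc.com
userPassword:: cGFzc3dvcmQ=
sambaNTPassword: 8846F7EAEE8FB117AD06BDD830B7586C
"""


def _md4_pure(data: bytes) -> bytes:
    """RFC 1320 MD4, used because OpenSSL 3 builds of hashlib often lack md4."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):   # round 1: F, message words in order
            a, b, c, d = d, rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):   # round 2: G, words 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + g(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):   # round 3: H, words 0,8,4,12,2,10,...
            a, b, c, d = d, rotl((a + h(b, c, d) + x[r3_order[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def md4(data: bytes) -> bytes:
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:          # md4 not compiled into this OpenSSL
        return _md4_pure(data)


def nt_hash(password: str) -> str:
    """sambaNTPassword value: uppercase hex MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le")).hex().upper()


def parse_ldif_entry(text: str) -> dict:
    """Minimal LDIF reader: 'attr: value' and base64 'attr:: value' lines."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            raw = base64.b64decode(value[1:].strip())
        else:
            raw = value.strip().encode()
        entry.setdefault(name, []).append(raw)
    return entry


def check_entry(entry: dict) -> dict:
    """Report which password attributes exist and whether they agree."""
    report = {"present": [a for a in PASSWORD_ATTRS if a in entry],
              "cleartext": None, "nt_in_sync": None}
    if "userPassword" not in entry:
        return report
    pw = entry["userPassword"][0]
    if pw.startswith(b"{"):        # {SSHA}, {CRYPT}, ...: hashed, not usable for MS-CHAP
        report["cleartext"] = False
        return report
    report["cleartext"] = True
    if "sambaNTPassword" in entry:
        stored = entry["sambaNTPassword"][0].decode().upper()
        report["nt_in_sync"] = stored == nt_hash(pw.decode())
    return report


def sync_ldif(entry: dict) -> str:
    """LDIF change record (for ldapmodify) that resets sambaNTPassword from userPassword."""
    dn = entry["dn"][0].decode()
    new_hash = nt_hash(entry["userPassword"][0].decode())
    return f"dn: {dn}\nchangetype: modify\nreplace: sambaNTPassword\nsambaNTPassword: {new_hash}\n-\n"


if __name__ == "__main__":
    e = parse_ldif_entry(SAMPLE_LDIF)
    print(check_entry(e))
    e["sambaNTPassword"] = [b"00000000000000000000000000000000"]  # simulate drift
    print(check_entry(e))
    print(sync_ldif(e))
```

Feed it the output of `ldapsearch -LLL -b ou=users,dc=pcc,dc=com '(uid=tom)' userPassword sambaNTPassword` instead of the constructed entry to audit a real directory. Note that an entry in this state hands a cleartext password to anyone who can read userPassword with the RADIUS bind account, and the NT hash is itself a pass-the-hash credential, so restrict read access to both attributes in the OpenLDAP ACLs to the bind DN that actually needs them.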