rfs6000 configuration with samba4 AD ntlm auth for radius

Hi folks,

We have an rfs6000 controller on which we are trying to set up RADIUS access with samba4 AD. The "controller" has joined the AD and at the beginning is ok. What we are having problems with is the certificates part. How do we generate the CSR and sign it internally so that client authentication works with your AD credentials? How to proceed?
Elias Morais Pereira

Posted 7 months ago


Timo

Do you use the internal AAA from the RFS? The AD connection already runs and you just need a valid cert?

For that case, you can check this link:
https://extremeportal.force.com/ExtrArticleDetail?n=000014936
Hey Timo, thanks for the answer!!
Do you use the internal AAA from the RFS?
Yes.
The AD connection already runs and you just need a valid cert?
Yes.

In the link you posted, the first option for configuring certificates looks like this:

-----BEGIN CERTIFICATE-----
(Signed server certificate)
-----END CERTIFICATE-----

 
-----BEGIN CERTIFICATE-----
(Intermediate CA certificate 1)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate CA certificate 2)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root CA certificate)
-----END CERTIFICATE-----
Do I need to have these two line breaks between the signed server certificate and the intermediate ca...?

Would the Signed server certificate be the certificate that, for example, GlobalSign provided?

Timo

Hi,
you don't need the break.

Signed server certificate -> certificate for your server
Intermediate CA -> certificate from the intermediate
Root CA -> certificate from the Root

Are you familiar with PKI? Inside a company you mostly have an offline root CA and an active intermediate CA. The intermediate is signed by the root and your server certificate by the intermediate. Based on this, you include the complete key chain.

This community for example uses this key chain:
DigiCert High Assurance EV Root CA-> DigiCert SHA2 High Assurance Server CA
--> community.extremenetworks.com
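
The procedure discussed in this thread (generate a CSR, sign it internally, put the complete chain in one file), as an added example that is not part of the original posts or the linked article: a generic OpenSSL run that builds a root CA, an intermediate CA and a server certificate, then checks the chain. All CNs, file names and the function name `make_chain` are placeholders chosen for the demo; importing the result into the controller follows the linked article.

```shell
#!/bin/sh
# Constructed demo: root CA -> intermediate CA -> server certificate.
# All names (CNs, file names, radius.example.test) are placeholders.
# Usage: make_chain ./pki-demo
make_chain() (
  set -e
  umask 077                      # private keys readable by owner only
  mkdir -p "$1"; cd "$1"

  # X.509 extensions: CA certificates may sign, the server certificate may not.
  cat > ext.cnf <<'EOF'
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

  # new_csr NAME CN: private key plus certificate signing request.
  # -nodes leaves the key unencrypted (demo only; protect real CA keys).
  new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
      -out "$1.csr" -subj "/CN=$2"
  }

  # 1. Offline root CA: self-signed.
  new_csr root "Example Offline Root CA"
  openssl x509 -req -in root.csr -signkey root.key -sha256 -days 3650 \
    -extfile ext.cnf -extensions v3_ca -out root.crt

  # 2. Intermediate CA: signed by the root.
  new_csr int "Example Intermediate CA"
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -sha256 -days 1825 -extfile ext.cnf -extensions v3_ca -out int.crt

  # 3. Server certificate: its CSR is signed by the intermediate.
  new_csr server "radius.example.test"
  openssl x509 -req -in server.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -sha256 -days 365 -extfile ext.cnf -extensions v3_server -out server.crt

  # 4. Bundle in the order from the thread: server, intermediate, root.
  cat server.crt int.crt root.crt > bundle.pem

  # 5. Check the chain before importing it anywhere.
  openssl verify -CAfile root.crt -untrusted int.crt server.crt
)
```

The server's private key (`server.key`) is not part of `bundle.pem` and has to be kept separately.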