
7522 AP (as a controller) to be integrated with Windows Active Directory authentication.

Hi. Is this setup possible? I need help setting this up if this is a possible setup. TIA.


Hi,
what do you mean by "integrated with AD"? I think you'll do 802.1X with EAP-MSCHAPv2, or will you use the AD to get CLI/GUI access?

I prefer to use a Windows NPS instead of the internal AAA. But you can also use the internal AAA and refer to an AD group to get access. Is this what you are looking for?

BR,
Timo
Timo wrote:

Hi,
what do you mean by "integrated with AD"? I think you'll do 802.1X with EAP-MSCHAPv2, or will you use the AD to get CLI/GUI access?

I prefer to use a Windows NPS instead of the internal AAA. But you can also use the internal AAA and refer to an AD group to get access. Is this what you are looking for?

BR,
Timo

The setup goes like this: when the user logs in with his/her AD account, he/she will automatically be connected to the wireless network. The AP will use the user's AD login credentials for authentication. Will this be okay?
Hi,
that will work. Search for "WiNG 5.X How-To - Active Directory Authentication". This PDF includes all descriptions for the scenario.

Do you have a PKI? I prefer to provide a private certificate for every AP to secure the authentication. The biggest problem with MSCHAPv2 is that most people disable the certificate validation. Use a trusted certificate or publish the AP certificate to every computer via GPO. Do not disable certificate validation!
Ronaldo,

this is quite a specific design question, but in general - yes, it is possible.

The AP is capable of both roles - authenticator and authentication server. You may either use LDAP to query users, or forward EAP-TLS requests to NPS.
All depends on the required design.

Let us know if you need more details.

Regards,
Ondrej
