Solved

Local radius with LDAP and local users

  • 23 August 2019
  • 9 replies
  • 580 views

  • New Member
  • 4 replies
Hello Community,

I'm using WING VX controller version 5.9.3.0-018R.

I'm trying to configure a Wi-Fi network, SSID Testcorp, that uses the local RADIUS server with the local user database Testcorp-User-Pool. LDAP authentication with the local RADIUS server is configured and working for SSIDs Wifi01 and Wifi02.
A guest network with captive portal is also configured and working as expected.

I added the radius user pool policy and the authentication parameter "local" in the radius server policy for SSID Testcorp.

When I connect to the Testcorp wifi, I get a certificate warning (self-signed certificate of controller) but LDAP authentication is used (found out by trial and error) and not the local user database.


I read these posts/how-tos on using both LDAP and the local RADIUS server, How to configure 802.1x authentication with internal RADIUS on a WiNG controller and How to configure a WiNG controller for 802.1x authentication with internal RADIUS, using LDAP, but I can't figure out why LDAP and not the local user database is used on SSID Testcorp.

Excerpt of running config
code:
aaa-policy Testcorp_local_radius
authentication server 1 onboard controller

aaa-policy CaptivePortal
authentication server 1 onboard self
wlan Testcorp
description Testcorp
ssid Testcorp
vlan 201
bridging-mode local
encryption-type ccmp
authentication-type eap
no answer-broadcast-probes
use wlan-qos-policy Testcorp
use aaa-policy Testcorp_local_radius

wlan Guest
ssid Guest-Wifi
vlan 200
bridging-mode local
encryption-type none
authentication-type none
no answer-broadcast-probes
no client-client-communication
use wlan-qos-policy Guest
use captive-portal Guest
captive-portal-enforcement
use ip-access-list out BROADCAST-MULTICAST-CONTROL
use mac-access-list out PERMIT-ARP-AND-IPv4
radius-group Testcorp-Users
policy vlan 201
policy ssid Testcorp

radius-group Guest
guest
policy vlan 200
policy ssid Guest-Wifi
radius-user-pool-policy Testcorp-User-Pool
user john-test password 0 testpassword group Testcorp-Users

radius-user-pool-policy Guest
$GUEST_USERS
radius-server-policy RADIUS-Policy
use radius-user-pool-policy Guest
use radius-user-pool-policy Testcorp-User-Pool
authentication data-source ldap ssid Wifi01 precedence 1
authentication data-source ldap ssid Wifi02 precedence 2
authentication data-source local ssid Guest-Wifi precedence 3
authentication data-source local ssid Testcorp precedence 4
authentication data-source ldap fallback
authentication eap-auth-type peap-mschapv2
ldap-server primary host $IP port 389 login $LDAP_PARAMETERS net-timeout 3
ldap-agent primary domain-name $DOMAIN domain-admin-user $DOMAIN_USER domain-admin-password 0 $PASSWORD
use radius-group GROUP1
use radius-group GROUP2

Does anybody have a similar setup working, or an idea why it is not working as expected?

Thanks in advance
Ned

Best answer by Daren Ellis 28 August 2019, 17:22

Hi Ned,

It's not supported to have the same radius service mapped to both AP and controller (you might have issues).
But we do support local radius with LDAP on either AP or controller.
Something may be wrong with the config somewhere.

I would suggest opening a case with GTAC so we can review the tech-support from the AP and the controller.

9 replies

Userlevel 4
Hi Ned,

Some important info is missing from the post.
Please advise where the radius server policy is mapped.
The captive portal AAA policy is not the same as Corp's.
Hello Daren,

The radius server policy is mapped on the AP profiles. Here is one example of a profile. The Employee Wi-Fi uses an external RADIUS server to authenticate users.

code:
profile anyap Corpsite-any-internal
no mint mlcp vlan
no mint mlcp ipv6
no autoinstall configuration
no autoinstall firmware
use radius-server-policy RADIUS-Policy
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto load-management
crypto remote-vpn-client
interface radio1
wlan Wifi01 bss 1 primary
wlan Wifi02 bss 2 primary
wlan Guest bss 3 primary
wlan Employee bss 4 primary
wlan Testcorp bss 5 primary
interface radio2
wlan Wifi01 bss 1 primary
wlan Wifi02 bss 2 primary
wlan Mitarbeiter bss 3 primary
wlan Employee bss 4 primary
wlan Testcorp bss 5 primary
interface radio3
interface bluetooth1
shutdown
mode bt-sensor
interface up1
interface ge1
switchport mode trunk
switchport trunk allowed vlan 200-204
switchport trunk native vlan 100
interface ge2
interface fe1
interface fe2
interface fe3
interface fe4
interface vlan100
ip address dhcp
ip dhcp client request options all
interface vlan200
ip address dhcp
interface wwan1
interface pppoe1
use firewall-policy default
use captive-portal server Guest
configuration-persistence
service pm sys-restart
router ospf
adoption-mode controller


My goal is to authenticate users on the Testcorp Wifi to local radius server and local username and password database. The only thing that is not working as expected is that the Testcorp Wifi uses LDAP, instead of local authentication. Once authenticated I can ping the default gateway and have internet access.
Userlevel 4
Hi Ned,

Going off info provided, can you test by changing policy to following:
code:
aaa-policy Testcorp_local_radius
authentication server 1 onboard self

The previous configuration is telling the AP that auth requests should be sent to the controller.
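The two settings Daren is contrasting can be checked mechanically. The following is an added example, not WiNG code or anything from the thread: it parses a constructed, indented WiNG-style config excerpt, reads each WLAN's aaa-policy target ("onboard self" = the AP, "onboard controller"), checks whether a radius-server-policy is mapped on that side (assuming headers starting with "profile anyap"/"profile ap" are AP profiles and other profiles are controller-side), and resolves which data-source the policy selects for the SSID. In the thread's setup the policy is only mapped on AP profiles, so a WLAN whose aaa-policy sends requests to the controller has no local data-source entry applied there.

```python
import re
# Constructed WiNG-style excerpt (indented for parsing, not a real dump): the AP
# profile maps the RADIUS server policy, while the Testcorp aaa-policy forwards
# authentication to the controller, the combination discussed in the thread.
CONFIG = """\
aaa-policy Testcorp_local_radius
 authentication server 1 onboard controller
wlan Testcorp
 ssid Testcorp
 use aaa-policy Testcorp_local_radius
radius-server-policy RADIUS-Policy
 authentication data-source local ssid Testcorp precedence 4
 authentication data-source ldap fallback
profile anyap Corpsite-any-internal
 use radius-server-policy RADIUS-Policy
"""
# Assumption: these header prefixes denote AP profiles; other profiles are controller-side.
AP_PROFILE_PREFIXES = ("profile anyap", "profile ap")

def parse_blocks(text):
    """Group a WiNG-style config into {block header: [indented child lines]}."""
    blocks, cur = {}, None
    for line in filter(str.strip, text.splitlines()):
        if line.startswith(" "):
            cur.append(line.strip())
        else:
            cur = blocks[line.strip()] = []
    return blocks

def check_wlan_auth_path(text):
    """Per WLAN: aaa-policy target ('self' = AP, 'controller'), whether a RADIUS
    server policy is mapped on that side, and the data source chosen for the SSID."""
    blocks, mapped_on, source = parse_blocks(text), set(), {}   # source["*"] = fallback
    for hdr, body in blocks.items():
        if hdr.startswith("profile ") and any(l.startswith("use radius-server-policy") for l in body):
            mapped_on.add("self" if hdr.startswith(AP_PROFILE_PREFIXES) else "controller")
        if hdr.startswith("radius-server-policy "):
            for l in body:
                m = re.match(r"authentication data-source (\S+)(?: ssid (\S+)| fallback)", l)
                if m:
                    source[m.group(2) or "*"] = m.group(1)
    findings = {}
    for hdr, body in blocks.items():
        if hdr.startswith("wlan "):
            ssid = next(l.split()[1] for l in body if l.startswith("ssid "))
            aaa = next(l.split()[2] for l in body if l.startswith("use aaa-policy "))
            target = next((l.split()[-1] for l in blocks.get(f"aaa-policy {aaa}", [])
                           if l.startswith("authentication server ")), None)
            findings[ssid] = dict(aaa_target=target, radius_policy_on_target=target in mapped_on,
                                  data_source=source.get(ssid, source.get("*")))
    return findings
```

Changing the excerpt's aaa-policy to "onboard self" (as suggested above) makes the mapped-policy check pass, which is the same change that fixed the behaviour in the thread.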
Hello Daren,

Thank you very much. After changing the AAA policy auth. to "onboard self", the local database is used for authentication. It looks like you cannot have local auth. on the AP (onboard self) and the controller (onboard controller) at the same time, at least when LDAP is also configured.


When clients connect to SSID Testcorp, a certificate warning for each AP is shown. On Windows 10 I can disable the RADIUS server certificate validation on the client. As far as I know this is not possible on Apple iOS devices. We have more than 50 APs, so users won't accept that solution.


Is there a way to configure the same self-signed certificate for radius/802.1x auth. on all APs so users only have to accept the certificate once? Or alternatively can I import a public trusted certificate on all APs?

I searched through the WiNG CLI Reference Guide. It looks like I can import keypairs with this command:
code:
crypto key import rsa RSA-KEYPAIR-NAME IMPORT-FROM-URL background|passphrase KEYPASSPHRASE
background on DEVICE-NAME
But I could not find any information where I can configure the radius server on AP/controller to use this certificate for radius/802.1x auth.

Or does the WiNG AP/controller automatically use the latest certificate? If this is the case, do I break something when all APs and the controller have the same certificate?

Thank you in advance for your help
Ned
Userlevel 4
Hi Ned,

It may be a better option to have the RADIUS service run from the controller instead of each AP, if the trusted cert is already imported into the controller.

If you need certs to be pushed to all the APs, see article below:

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-synchronize-custom-trustpoint-across-WiNG-deployment
Hello Daren,

I agree with you that the RADIUS server on the controller is a better solution. But when I change the AAA policy settings from AP based

code:
aaa-policy Testcorp_local_radius
authentication server 1 onboard self

back to controller based
code:
aaa-policy Testcorp_local_radius
authentication server 1 onboard controller

I'm back to the point where I started. RADIUS runs on the controller but does LDAP auth instead of local authentication.

If you could confirm this problem is related to having LDAP auth with the local RADIUS server (Wifi01 and Wifi02) and local authentication on the controller (Testcorp), I could authenticate Wifi01 and Wifi02 on an external RADIUS server (like the SSID Employee) and use the local RADIUS server on the controller exclusively for SSID Testcorp.

Is it a supported setup to have local authentication on AP (onboard self) and local auth on controller (onboard controller) at the same time for different SSIDs?
Userlevel 4
Hi Ned,

It's not supported to have the same radius service mapped to both AP and controller (you might have issues).
But we do support local radius with LDAP on either AP or controller.
Something may be wrong with the config somewhere.

I would suggest opening a case with GTAC so we can review the tech-support from the AP and the controller.
Hello Daren,

I think I have this issue:
"It's not supported to have the same radius service mapped to both AP and controller."

I'll leave the Guest Wi-Fi auth. on the APs and authenticate the Testcorp Wi-Fi with LDAP on the controller.

Thank you very much for your help.
Hi Ned,

I'm using WiNG VX9000 version 5.9.4.0-020R, and have a similar setup working as yours.

The client wants front-end authentication using both LDAP and an external RADIUS server,
with eap-auth-type peap-mschapv2,
and later on in the project to add a Guest captive portal.
Before on-site testing, I created in a test environment a local RADIUS server with the local user database:

code:
aaa-policy MedTech_local_radius
authentication server 1 onboard controller
authentication protocol mschapv2

radius-server-policy RADIUS-Policy
use radius-user-pool-policy Med-User-Pool
authentication eap-auth-type peap-mschapv2
authentication data-source ldap ssid Wifi87 precedence 1

Is the correct default authentication data source local or LDAP?
Do I need an LDAP agent?

Would you be able to share the config you have created and have working?

Thank you for your advice,
Chen
