https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/extreme-control-aaa-ldap-without-ad-domain-join/m-p/87210#M9357 Hello Martin,<BR /> <BR /> The process would be exactly the same but you are not required to have elevated privileges for the administrator username for the LDAP account specified. The account would only be used for LDAP lookups in an EAP-TLS environment. <BR /> <BR /> The LDAP configuration section of the Extreme Control does double duty in that it not only provides information for the LDAP lookup but in the case that NTLM is enabled the LDAP configuration is used to fill out the smb.conf files for Samba to join the active directory.<BR /> <BR /> Since NTLM isn't enabled no SMB.conf files will be generated and no domain join will be attempted. With no join being attempted we don't need a username that requires the necessary permissions to join the domain.<BR /> <BR /> As long as the account can perform LDAP lookups that is all that you would need.<BR /> <BR /> Thanks<BR /> -Ryan Wed, 09 Oct 2019 21:01:45 GMT Ryan_Yacobucci 2019-10-09T21:01:45Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/extreme-control-aaa-ldap-without-ad-domain-join/m-p/87209#M9356 <P>Hi,<BR /><BR />When creating AAA LDAP configuration in control the requirements for the account needed are detailed here:<BR /><BR /><A href="https://extremeportal.force.com/ExtrArticleDetail?an=000090980" target="_blank" rel="nofollow noreferrer noopener">https://extremeportal.force.com/ExtrArticleDetail?an=000090980</A><BR /><BR />I have a couple of circumstances where EAP-TLS is being deployed and the use of NTLM authentication isn't required, just simple certificate authentication and then LDAP lookup for authorisation once in the NAC rule engine.<BR /><BR />In that scenario when creating the LDAP configuration any account is capable of doing an AD lookup, so a domain privilege account isn't required, nor is it required for Control to join the domain.<BR /><BR />My question is; is there an option to just create the LDAP connector with simple privileges that will do the task?<BR /><BR />Maybe there is a specific set way to configured this in XMC, perhaps the process is exactly the same just using the a normal service account as opposed to using a domain privilege account?<BR /><BR />Just wanted to validate what is the right way to do it, and that I am not missing anything?<BR /><BR />Thanks in advance</P> Wed, 09 Oct 2019 16:15:21 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/extreme-control-aaa-ldap-without-ad-domain-join/m-p/87209#M9356 Anonymous 2019-10-09T16:15:21Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/extreme-control-aaa-ldap-without-ad-domain-join/m-p/87210#M9357 Hello Martin,<BR /> <BR /> The process would be exactly the same but you are not required to have elevated privileges for the administrator username for the LDAP account specified. The account would only be used for LDAP lookups in an EAP-TLS environment. <BR /> <BR /> The LDAP configuration section of the Extreme Control does double duty in that it not only provides information for the LDAP lookup but in the case that NTLM is enabled the LDAP configuration is used to fill out the smb.conf files for Samba to join the active directory.<BR /> <BR /> Since NTLM isn't enabled no SMB.conf files will be generated and no domain join will be attempted. With no join being attempted we don't need a username that requires the necessary permissions to join the domain.<BR /> <BR /> As long as the account can perform LDAP lookups that is all that you would need.<BR /> <BR /> Thanks<BR /> -Ryan Wed, 09 Oct 2019 21:01:45 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/extreme-control-aaa-ldap-without-ad-domain-join/m-p/87210#M9357 Ryan_Yacobucci 2019-10-09T21:01:45Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/extreme-control-aaa-ldap-without-ad-domain-join/m-p/87211#M9358 Brilliant, thanks Ryan. Been wanting to clear up that question for ages <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /> <BR /> Much appreciated for the quick response. Wed, 09 Oct 2019 21:26:42 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/extreme-control-aaa-ldap-without-ad-domain-join/m-p/87211#M9358 Anonymous 2019-10-09T21:26:42Z