topic RE: rfs6000 configuration with samba4 AD ntlm auth for radius in ExtremeWireless (WiNG)

rfs6000 configuration with samba4 AD ntlm auth for radius

Elias_Morais_Pe — Fri, 23 Mar 2018 02:11:00 GMT

Hi folks,

We have a rfs6000 controller that we are trying to set up radius access with samba4 AD. The "controller" has joined the AD and at the beginning is ok. What we are having problems with and part of the certificates. How to generate the CSR and sign it internally for client authentication to work with your AD credentials? How to proceed?

RE: rfs6000 configuration with samba4 AD ntlm auth for radius

Timo1 — Fri, 23 Mar 2018 14:27:00 GMT

Do you use the internal AAA from the RFS? The AD connection already run and you just need a valid cert?

For that case, you can check this link:
https://extremeportal.force.com/ExtrArticleDetail?n=000014936

RE: rfs6000 configuration with samba4 AD ntlm auth for radius

Elias_Morais_Pe — Fri, 23 Mar 2018 19:05:00 GMT

Hey Timo, thanks for the answer!!

Do you use the internal AAA from the RFS?

Yes.

The AD connection already run and you just need a valid cert?

Yes.

In the link you posted, the first option for configuring certificates looks like this:

-----BEGIN CERTIFICATE ----- (Signed server certificate) -----END CERTIFICATE ------- -----BEGIN CERTIFICATE ----- (Intermediate CA certificate 1) -----END CERTIFICATE ------- -----BEGIN CERTIFICATE ----- (Intermediate CA certificate 2) -----END CERTIFICATE ------- -----BEGIN CERTIFICATE ----- (Root CA certificate) -----END CERTIFICATE -------Do I need to have these two line breaks between the signed server certificate and the intermediate ca...?

Would the Signed server certificate be the certificate that, for example, GlobalSign provided?

RE: rfs6000 configuration with samba4 AD ntlm auth for radius

Timo1 — Mon, 26 Mar 2018 11:50:00 GMT

Hi,
you don't need the break.

Signed server certificate -> certificate for your server
Intermediate CA -> certificate from the intermediate
Root CA -> certificate from the Root

Are you familiar with PKI? Inside a company you mostly have a offline root CA and a active intermediate CA. The intermediate is signed by the root and your server certificate by the intermediate. Based on this, you include the complete key chain.

This community for example use this key chain:
DigiCert High Assurance EV Root CA-> DigiCert SHA2 High Assurance Server CA
--> community.extremenetworks.com