Extreme Control AAA LDAP without AD Domain Join

Anonymous
Not applicable

Hi,

When creating AAA LDAP configuration in control the requirements for the account needed are detailed here:

https://extremeportal.force.com/ExtrArticleDetail?an=000090980

I have a couple of circumstances where EAP-TLS is being deployed and the use of NTLM authentication isn't required, just simple certificate authentication and then LDAP lookup for authorisation once in the NAC rule engine.

In that scenario when creating the LDAP configuration any account is capable of doing an AD lookup, so a domain privilege account isn't required, nor is it required for Control to join the domain.

My question is: is there an option to just create the LDAP connector with simple privileges that will do the task?

Maybe there is a specific set way to configure this in XMC; perhaps the process is exactly the same, just using a normal service account as opposed to using a domain privilege account?

Just wanted to validate what the right way to do it is, and that I am not missing anything.

Thanks in advance

2 REPLIES

Anonymous
Not applicable
Brilliant, thanks Ryan. Been wanting to clear up that question for ages 🙂

Much appreciated for the quick response.

Ryan_Yacobucci
Extreme Employee
Hello Martin,

The process would be exactly the same but you are not required to have elevated privileges for the administrator username for the LDAP account specified. The account would only be used for LDAP lookups in an EAP-TLS environment.

The LDAP configuration section of Extreme Control does double duty in that it not only provides information for the LDAP lookup, but in the case that NTLM is enabled the LDAP configuration is used to fill out the smb.conf files for Samba to join the Active Directory.

Since NTLM isn't enabled, no smb.conf files will be generated and no domain join will be attempted. With no join being attempted, we don't need a username that has the permissions required to join the domain.

As long as the account can perform LDAP lookups that is all that you would need.

Thanks
-Ryan
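A quick way to confirm the point Ryan makes, as an added example that is not part of this thread or of any Extreme tooling: bind to AD as the plain (non-privileged) service account you intend to put in the LDAP configuration and run the same kind of user lookup the NAC rule engine will do. All server, account and user names are placeholders you substitute, and it assumes `ldapsearch` (openldap-clients) is installed.

```shell
#!/bin/sh
# Added example, not from this thread or from Extreme: check that a plain
# (non-privileged) AD service account can perform the LDAP lookups Control
# needs when NTLM is off and only EAP-TLS authorisation is in play.
# Requires ldapsearch (openldap-clients); the server, bind account, domain
# and user passed on the command line are placeholders.

# Turn the AD DNS domain into the search root the LDAP config asks for,
# e.g. corp.example.com -> DC=corp,DC=example,DC=com
domain_to_base_dn() {
    printf 'DC=%s' "$1" | sed 's/\./,DC=/g'
}

# Escape a value before embedding it in an LDAP filter (RFC 4515), so a
# certificate UPN or username cannot alter the structure of the query.
ldap_filter_escape() {
    printf '%s' "$1" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g'
}

# Simple bind over LDAPS as the service account (the AD CA must be trusted,
# e.g. via TLS_CACERT in ldap.conf), then fetch the attributes the rule
# engine would use for the user that presented the certificate.
lookup_user() {
    server="$1"; bind_dn="$2"; bind_pw="$3"; domain="$4"; upn="$5"
    base=$(domain_to_base_dn "$domain")
    filter="(userPrincipalName=$(ldap_filter_escape "$upn"))"
    ldapsearch -LLL -x -H "ldaps://$server" -D "$bind_dn" -w "$bind_pw" \
        -b "$base" "$filter" sAMAccountName userPrincipalName memberOf
}

# Usage: sh check_ldap_lookup.sh dc01.corp.example.com \
#   'CN=svc-nac,OU=Service Accounts,DC=corp,DC=example,DC=com' 'secret' \
#   corp.example.com alice@corp.example.com
if [ "$#" -eq 5 ]; then
    command -v ldapsearch >/dev/null 2>&1 || { echo 'ldapsearch not found' >&2; exit 2; }
    # Exit status 49 from ldapsearch means the bind itself was refused
    # (wrong DN/password or account disabled); an empty result with status 0
    # means the account binds but cannot see the user, so check its read
    # permissions on the OU and the search root you gave.
    lookup_user "$@"
fi
```

If the user and its memberOf values come back, that account is sufficient for the lookup-only role; domain-join rights are never exercised, exactly as described above.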