This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Wireless
- ExtremeWireless (WiNG)
- Re: Local radius with LDAP and local users
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Local radius with LDAP and local users
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
08-23-2019 04:05 AM
Hello Community,
I'm using WING VX controller version 5.9.3.0-018R.
I try to configure a wifi network SSID Testcorp that uses the local radius server with the local user database Testcorp-User-Pool. LDAP authentication with local radius is configured and working for SSIDs Wifi01 and Wifi02.
A guest network with captive portal is also configured and working as expected.
I added the radius user pool policy and the authentication parameter local in the radius server policy for SSID Testcorp.
When I connect to the Testcorp wifi, I get a certificate warning (self-signed certificate of controller) but LDAP authentication is used (found out by trial and error) and not the local user database.
I read this post/how-to's using both LDAP and local radius server, How to configure 802.1x authentication with internal RADIUS on a WiNG controller and How to configure a WiNG controller for 802.1x authentication with internal RADIUS, using LDAP but I can't figure out why LDAP and not the local user database is used on SSID Testcorp.
Excerpt of running config
Anybody has a similar setup working or an idea why it is not working as expected?
Thanks in advance
Ned
I'm using WING VX controller version 5.9.3.0-018R.
I try to configure a wifi network SSID Testcorp that uses the local radius server with the local user database Testcorp-User-Pool. LDAP authentication with local radius is configured and working for SSIDs Wifi01 and Wifi02.
A guest network with captive portal is also configured and working as expected.
I added the radius user pool policy and the authentication parameter local in the radius server policy for SSID Testcorp.
When I connect to the Testcorp wifi, I get a certificate warning (self-signed certificate of controller) but LDAP authentication is used (found out by trial and error) and not the local user database.
I read this post/how-to's using both LDAP and local radius server, How to configure 802.1x authentication with internal RADIUS on a WiNG controller and How to configure a WiNG controller for 802.1x authentication with internal RADIUS, using LDAP but I can't figure out why LDAP and not the local user database is used on SSID Testcorp.
Excerpt of running config
code:
aaa-policy Testcorp_local_radius
authentication server 1 onboard controller
aaa-policy CaptivePortal
authentication server 1 onboard self
wlan Testcorp
description Testcorp
ssid Testcorp
vlan 201
bridging-mode local
encryption-type ccmp
authentication-type eap
no answer-broadcast-probes
use wlan-qos-policy Testcorp
use aaa-policy Testcorp_local_radius
wlan Guest
ssid Guest-Wifi
vlan 200
bridging-mode local
encryption-type none
authentication-type none
no answer-broadcast-probes
no client-client-communication
use wlan-qos-policy Guest
use captive-portal Guest
captive-portal-enforcement
use ip-access-list out BROADCAST-MULTICAST-CONTROL
use mac-access-list out PERMIT-ARP-AND-IPv4
radius-group Testcorp-Users
policy vlan 201
policy ssid Testcorp
radius-group Guest
guest
policy vlan 200
policy ssid Guest-Wifi
radius-user-pool-policy Testcorp-User-Pool
user john-test password 0 testpassword group Testcorp-Users
radius-user-pool-policy Guest
$GUEST_USERS
radius-server-policy RADIUS-Policy
use radius-user-pool-policy Guest
use radius-user-pool-policy Testcorp-User-Pool
authentication data-source ldap ssid Wifi01 precedence 1
authentication data-source ldap ssid Wifi02 precedence 2
authentication data-source local ssid Guest-Wifi precedence 3
authentication data-source local ssid Testcorp precedence 4
authentication data-source ldap fallback
authentication eap-auth-type peap-mschapv2
ldap-server primary host $IP port 389 login $LDAP_PARAMETERS net-timeout 3
ldap-agent primary domain-name $DOMAIN domain-admin-user $DOMAIN_USER domain-admin-password 0 $PASSWORD
use radius-group GROUP1
use radius-group GROUP2
Anybody has a similar setup working or an idea why it is not working as expected?
Thanks in advance
Ned
Solved! Go to Solution.
1 ACCEPTED SOLUTION
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
08-28-2019 03:22 PM
Hi Ned,
Its not supported to have same radius service mapped to both AP and controller (you might have issue).
But we do support local radius with LDAP on either AP or controller.
Something my be wrong with the config somewhere.
I would suggest opening a case with GTAC so we can review the tech-support from the AP and the controller.
Its not supported to have same radius service mapped to both AP and controller (you might have issue).
But we do support local radius with LDAP on either AP or controller.
Something my be wrong with the config somewhere.
I would suggest opening a case with GTAC so we can review the tech-support from the AP and the controller.
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
10-03-2019 03:02 PM
Hi Ned ,
I'm using WING VX9000 version 5.9.4.0-020R , And have similar setup working as yours,
The client wants to receive front-end authentication using-both , ldap-and-external-radius-server.
Authentication with eap-auth-type peap-mschapv2
And later on in the project to add captive-portal Geast
I before on-site testing and created In a test environment a local radius server with the local user database
code:
Is the correct authentication of DEFAULT SOURCE local / LDAP ?
Do i Need Ldap Agent?
Will you be able to share the Config you have created and working.
Thank you for your advice,
Chen
I'm using WING VX9000 version 5.9.4.0-020R , And have similar setup working as yours,
The client wants to receive front-end authentication using-both , ldap-and-external-radius-server.
Authentication with eap-auth-type peap-mschapv2
And later on in the project to add captive-portal Geast
I before on-site testing and created In a test environment a local radius server with the local user database
code:
code:
aaa-policy MedTech_local_radius
authentication server 1 onboard controller
authentication protocol mschapv2
radius-server-policy RADIUS-Policy
use radius-user-pool-policy Med-User-Pool
authentication eap-auth-type peap-mschapv2
authentication data-source ldap ssid Wifi87 precedence 1
Is the correct authentication of DEFAULT SOURCE local / LDAP ?
Do i Need Ldap Agent?
Will you be able to share the Config you have created and working.
Thank you for your advice,
Chen
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
09-04-2019 03:51 PM
Hello Daren,
I think I have this issue:
I leave the Guest Wifi auth. on APs and authenticate the Testcorp Wifi with LDAP on the controller.
Thank you very much for your help.
I think I have this issue:
Its not supported to have same radius service mapped to both AP and controller.
I leave the Guest Wifi auth. on APs and authenticate the Testcorp Wifi with LDAP on the controller.
Thank you very much for your help.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
08-28-2019 03:22 PM
Hi Ned,
Its not supported to have same radius service mapped to both AP and controller (you might have issue).
But we do support local radius with LDAP on either AP or controller.
Something my be wrong with the config somewhere.
I would suggest opening a case with GTAC so we can review the tech-support from the AP and the controller.
Its not supported to have same radius service mapped to both AP and controller (you might have issue).
But we do support local radius with LDAP on either AP or controller.
Something my be wrong with the config somewhere.
I would suggest opening a case with GTAC so we can review the tech-support from the AP and the controller.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
08-28-2019 01:56 PM
Hello Daren,
I agree with you that the radius server on the controller is a better solution. But when I change the aaa policy settings from AP based
back to controller based
I'm back to the point where I started. The radius runs on controller but does LDAP auth instead of local authentication.
If you could confirm this problem is related to have LDAP auth with local radius (Wifi01 and Wifi02) and local authentication on controller (Testcorp), I could authenticate Wifi01 and Wifi02 on an external radius server (like the SSID Employee) and use the local radius on the controller exclusively for SSID Testcorp.
Is it a supported setup to have local authentication on AP (onboard self) and local auth on controller (onboard controller) at the same time for different SSIDs?
I agree with you that the radius server on the controller is a better solution. But when I change the aaa policy settings from AP based
code:
aaa-policy Testcorp_local_radius
authentication server 1 onboard self
back to controller based
code:
aaa-policy Testcorp_local_radius
authentication server 1 onboard controller
I'm back to the point where I started. The radius runs on controller but does LDAP auth instead of local authentication.
If you could confirm this problem is related to have LDAP auth with local radius (Wifi01 and Wifi02) and local authentication on controller (Testcorp), I could authenticate Wifi01 and Wifi02 on an external radius server (like the SSID Employee) and use the local radius on the controller exclusively for SSID Testcorp.
Is it a supported setup to have local authentication on AP (onboard self) and local auth on controller (onboard controller) at the same time for different SSIDs?
