Hi,
Trying to set up RADIUS access to the CLI on VOSS devices. The LDAP/Bind authentication process on an AD works fine when using an attribute without the domain name extension, e.g. firstname.lastname (here "uid" as the user search attribute, with an entry like "john.doe"):
![7065206b6e5c4db0850a43586219e5ea.png 7065206b6e5c4db0850a43586219e5ea.png](/t5/image/serverpage/image-id/4394i2988F4ABAB1D750F/image-size/large?v=v2&px=999)
The connection fails when changing the bind attribute to another one (here "userPrincipalName") where the login uses the domain name extension, e.g. john.doe@domain.lan, which is the normal login format in my entity:
![21e3d3d6e93b40ba93971f77619558bc.png 21e3d3d6e93b40ba93971f77619558bc.png](/t5/image/serverpage/image-id/2950i368400911A1463CD/image-size/large?v=v2&px=999)
Capturing RADIUS traffic on the AD controller, I can see that:
* the first request, searching for the user's group membership, is correctly done with the domain extension, and the AD response is OK:
![a93623b871854a26bfd7265ae12c851f.png a93623b871854a26bfd7265ae12c851f.png](/t5/image/serverpage/image-id/5550iE1C03E32CF0C84F4/image-size/large?v=v2&px=999)
* the second request, for bind authentication, fails because the NAC gateway now tries to do it without the domain extension:
![1f06f9d8e8e242fc84f5bb8ed5a88c3e.png 1f06f9d8e8e242fc84f5bb8ed5a88c3e.png](/t5/image/serverpage/image-id/5249i9973E73D3417FB04/image-size/large?v=v2&px=999)
Any idea?
Rodjeur