
Active Directory Authentication

sriramdas89
Member
Posts: 4
Joined: 07 Sep 2015 13:04

Active Directory Authentication

Post by sriramdas89 » 07 Sep 2015 13:21

Hi All,

I am new to the Alcatel Lucent world and we just took delivery of our 6860.

I want to provision VLANs on the access switches which are 6450 based on my Active Directory users / security groups.

I can get a RADIUS server to talk with my Active Directory and authenticate, but how do I configure the switch to check whether a user belongs to a particular group and authenticate, or how do I map a particular user to a VLAN profile in the RADIUS server? (I plan to use FreeRADIUS on top of CentOS or Fedora.)

If you have any guides to do please share it.

Any help / guidance / notes will be greatly appreciated.

Thanks,
Sriram A DAs

jmcastellanos
Member
Posts: 14
Joined: 10 Apr 2012 11:15

Re: Active Directory Authentication

Post by jmcastellanos » 15 Oct 2015 13:16

hi

Here are some files you can use to configure your switches.
This feature of Access Guardian in the 6860 is different from the 6450; you have to configure where your users are.

Follow these examples and you can configure what you want.

best regards

Mauricio Castellanos
ACFE.
El Salvador

devnull
Alcatel Unleashed Certified Guru
Posts: 813
Joined: 07 Sep 2010 10:16
Location: Germany

Re: Active Directory Authentication

Post by devnull » 16 Oct 2015 02:05

sriramdas89 wrote: I can get a RADIUS server to talk with my Active Directory and authenticate, but how do I configure the switch to check whether a user belongs to a particular group and authenticate, or how do I map a particular user to a VLAN profile in the RADIUS server? (I plan to use FreeRADIUS on top of CentOS or Fedora.)

You can't do such things in the switch.
This has to be done in the RADIUS server.
I know how to do that in NPS, but I have not yet tried to query group membership in FreeRADIUS, so here I can't help you.

The radius server needs some logic to
a) check username/password (valid?)
b) return a group-dependent vlan number or vlan name to the switch.

In that case you have to return a Filter-Id, e.g.
/etc/free/radius/users

# reply attributes go on indented lines below the user's check line
"client" Cleartext-Password := "client"
        Filter-Id = "client"

or a Xylan-Auth-Group:

"alu40" Cleartext-Password := "alu40"
        Xylan-Auth-Group = 40

Xylan-Auth-Group will make the switch put that user into VLAN 40 (the switch of course needs to have VLAN 40 configured and usable, e.g. tagged uplinks).

While Filter-Id will need additional config on the switches (here 6850):

Code:

aaa user-network-profile name "client" vlan 132 
aaa user-network-profile name "ipphones" vlan 30
 
vlan port mobile 1/7
vlan port 1/7 802.1x enable
vlan port mobile 1/8
vlan port 1/8 802.1x enable

On 6860 you need other config, e.g.

Code:

unp edge-profile client
unp edge-profile ipphones
unp edge-profile guest
unp vlan-mapping edge-profile client vlan 132
unp vlan-mapping edge-profile ipphones vlan 30
unp vlan-mapping edge-profile guest vlan 666
unp edge-template auth-template
unp edge-template auth-template 802.1x-authentication enable
unp edge-template auth-template mac-authentication enable
unp edge-template auth-template classification enable
unp edge-template auth-template aaa-profile aaa-profile
unp port 1/1/7 port-type edge
unp port 1/1/7 edge-template auth-template
unp port 1/1/8 port-type edge
unp port 1/1/8 edge-template auth-template
unp classification authentication-type 802.1x fail edge-profile guest

Why name (Filter-Id) not number?
-> You can set a client "client" and, depending on your location, have a different VLAN, e.g.
campus 1 vlan = 101
campus 2 vlan = 201
campus 3 vlan = 301
-> You have the same roles but the underlying VLAN is different, way easier than having a different user at each location.
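
The Filter-Id scheme in the post above depends on every name the RADIUS server returns having a matching profile on each switch. The following is an added example (not code from the thread or from any poster) that cross-checks a FreeRADIUS users file against 6850-style and 6860-style VLAN mappings; the switch names, the phone1 user and its misspelled Filter-Id are constructed for illustration.

```python
import re

# Constructed sample data modelled on the snippets in the post above.
USERS_FILE = '''
"client" Cleartext-Password := "client"
        Filter-Id = "client"
"alu40" Cleartext-Password := "alu40"
        Xylan-Auth-Group = 40
"phone1" Cleartext-Password := "phone1"
        Filter-Id = "ipphone"
'''
SWITCHES = {  # hypothetical switch names, one per campus
    "campus1-6850": '''
aaa user-network-profile name "client" vlan 101
aaa user-network-profile name "ipphones" vlan 30
''',
    "campus2-6860": '''
unp vlan-mapping edge-profile client vlan 201
unp vlan-mapping edge-profile ipphones vlan 30
''',
}
REPLY = re.compile(r'\s+(Filter-Id|Xylan-Auth-Group)\s*=\s*"?([^",\s]+)')
PROFILE = re.compile(r'(?:aaa user-network-profile name|unp vlan-mapping edge-profile)'
                     r'\s+"?([\w-]+)"?\s+vlan\s+(\d+)')

def parse_users(text):
    """Return {user: (reply attribute, value)} read from the indented reply lines."""
    replies, user = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():              # unindented line starts a new user entry
            user = line.split()[0].strip('"')
        elif user and (m := REPLY.match(line)):
            replies[user] = (m.group(1), m.group(2))
    return replies

def resolve(users_text, switches):
    """Return {(user, switch): vlan}, with None where the switch lacks the profile."""
    result = {}
    for user, (attr, value) in parse_users(users_text).items():
        for switch, config in switches.items():
            profiles = {n: int(v) for n, v in PROFILE.findall(config)}
            # Xylan-Auth-Group carries the VLAN number itself; Filter-Id is a profile name
            result[user, switch] = int(value) if attr == "Xylan-Auth-Group" else profiles.get(value)
    return result

def unmapped(result):
    """List the (user, switch) pairs whose Filter-Id has no profile on that switch."""
    return sorted(k for k, v in result.items() if v is None)
```

Running `unmapped(resolve(USERS_FILE, SWITCHES))` lists phone1 on both switches, because the returned name "ipphone" does not match the configured profile "ipphones".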

Whipster
Member
Posts: 24
Joined: 03 Apr 2013 15:57

Re: Active Directory Authentication

Post by Whipster » 24 Dec 2015 10:14

These helped me! Just follow the instructions and you are GTG!

jmcastellanos wrote: hi

Here are some files you can use to configure your switches.
This feature of Access Guardian in the 6860 is different from the 6450; you have to configure where your users are.

Follow these examples and you can configure what you want.

best regards

Mauricio Castellanos
ACFE.
El Salvador

banalas
Member
Posts: 1
Joined: 15 Jan 2016 16:34

Re: Active Directory Authentication

Post by banalas » 13 Mar 2016 21:13

I am trying to configure this at one of my clients.

Can you please share the files?


Thanks
Sri

devnull
Alcatel Unleashed Certified Guru
Posts: 813
Joined: 07 Sep 2010 10:16
Location: Germany

Re: Active Directory Authentication

Post by devnull » 15 Mar 2016 14:10

They are attached to the post?

Anirudhh-123
Member
Posts: 16
Joined: 26 Jul 2016 06:04

Re: Active Directory Authentication

Post by Anirudhh-123 » 27 Jul 2016 04:27

Hi,

Please suggest a command to check the AD integration of the switch with the RADIUS server.

Thanks

silvio
Alcatel Unleashed Certified Guru
Posts: 933
Joined: 01 Jul 2008 10:51
Location: Germany

Re: Active Directory Authentication

Post by silvio » 04 Aug 2016 14:04

From the switch to the RADIUS server you can use:

Code:

aaa test-radius-server RAD-1 type authentication user aaaaa password bbbbb

If the RADIUS server finds the entry in the AD then you will see a successful message.

Regards
Silvio

Anirudhh-123
Member
Posts: 16
Joined: 26 Jul 2016 06:04

Re: Active Directory Authentication

Post by Anirudhh-123 » 13 Aug 2016 01:08

Thank you, Silvio.

But this command is showing the following error.
My release is 6.4.3.520.R01

thanks

silvio
Alcatel Unleashed Certified Guru
Posts: 933
Joined: 01 Jul 2008 10:51
Location: Germany

Re: Active Directory Authentication

Post by silvio » 15 Aug 2016 13:08

works since 6.4.4 :shock:

regards
Silvio
