Active Directory Authentication

sriramdas89
Member
Posts: 4
Joined: 07 Sep 2015 13:04

Active Directory Authentication

Post by sriramdas89 »

Hi All,

I am new to the Alcatel-Lucent world and have just taken delivery of our 6860.

I want to provision VLANs on the access switches which are 6450 based on my Active Directory users / security groups.

I can get a RADIUS server to talk with my Active Directory and authenticate, but how do I configure the switch to check if a user belongs to a particular group and authenticate, or how do I map a particular user to a VLAN profile in the RADIUS server? (I plan to use FreeRADIUS on top of CentOS or Fedora.)

If you have any guides on how to do this, please share them.

Any help / guidance / notes will be greatly appreciated.

Thanks,
Sriram A Das
jmcastellanos
Member
Posts: 15
Joined: 10 Apr 2012 11:15

Re: Active Directory Authentication

Post by jmcastellanos »

Hi,

Here are some files you can use to configure your switches.
This feature of Access Guardian on the 6860 is different from the 6450; you have to configure where your users are.

Follow these examples and you can configure what you want.

Best regards,

Mauricio Castellanos
ACFE.
El Salvador
devnull
Alcatel Unleashed Certified Guru
Posts: 976
Joined: 07 Sep 2010 10:16
Location: Germany

Re: Active Directory Authentication

Post by devnull »

sriramdas89 wrote: I can get a RADIUS server to talk with my Active Directory and authenticate, but how do I configure the switch to check if a user belongs to a particular group and authenticate, or how do I map a particular user to a VLAN profile in the RADIUS server? (I plan to use FreeRADIUS on top of CentOS or Fedora.)

You can't do such things in the switch.
This has to be done in the RADIUS server.
I know how to do that in NPS, but I have not yet tried to query group membership in FreeRADIUS, so here I can't help you.

The RADIUS server needs some logic to
a) check username/password (valid?)
b) return a group-dependent VLAN number or VLAN name to the switch.

In that case you have to return a Filter-Id, e.g. in
/etc/freeradius/users

"client" Cleartext-Password := "client"
        Filter-Id = "client"

or a Xylan auth group:

"alu40" Cleartext-Password := "alu40"
        Xylan-Auth-Group = 40

Xylan-Auth-Group will make the switch put that user into VLAN 40 (the switch needs to have VLAN 40 configured and usable, of course, e.g. tagged uplinks).

Filter-Id, on the other hand, needs additional config on the switches (here a 6850):

Code:

aaa user-network-profile name "client" vlan 132
aaa user-network-profile name "ipphones" vlan 30

vlan port mobile 1/7
vlan port 1/7 802.1x enable
vlan port mobile 1/8
vlan port 1/8 802.1x enable

On the 6860 you need a different config, e.g.:

Code:

unp edge-profile client
unp edge-profile ipphones
unp edge-profile guest
unp vlan-mapping edge-profile client vlan 132
unp vlan-mapping edge-profile ipphones vlan 30
unp vlan-mapping edge-profile guest vlan 666
unp edge-template auth-template
unp edge-template auth-template 802.1x-authentication enable
unp edge-template auth-template mac-authentication enable
unp edge-template auth-template classification enable
unp edge-template auth-template aaa-profile aaa-profile
unp port 1/1/7 port-type edge
unp port 1/1/7 edge-template auth-template
unp port 1/1/8 port-type edge
unp port 1/1/8 edge-template auth-template
unp classification authentication-type 802.1x fail edge-profile guest

Why a name (Filter-Id) and not a number?
-> You can set a client "client" and, depending on your location, have a different VLAN, e.g.:
campus 1 VLAN = 101
campus 2 VLAN = 201
campus 3 VLAN = 301
-> You have the same roles but the underlying VLAN is different, which is way easier than having a different user at each location.
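The FreeRADIUS side of what devnull describes (check the AD group, hand back the Filter-Id that the switch config above maps to a profile), as an added example that is not part of this thread. It assumes FreeRADIUS 3.x with the ldap module enabled and already used for the password check; the server name, bind account and group DNs are placeholders, and the paths are the Debian layout (/etc/raddb on CentOS).

```unlang
# Added example (not from this thread): FreeRADIUS 3.x, Debian layout.
# Group membership is read from the AD user's memberOf attribute and
# turned into the Filter-Id reply that the 6850/6860 config above maps
# to a user-network-profile / edge-profile. Server, bind account and
# group DNs are assumptions; replace them with your own.

# /etc/freeradius/3.0/mods-available/ldap (relevant parts only)
ldap {
    server = "ldaps://dc1.example.com"
    identity = "CN=svc-radius,OU=Service Accounts,DC=example,DC=com"
    password = "changeme"
    base_dn = "DC=example,DC=com"
    user {
        base_dn = "${..base_dn}"
        # AD logon name; Stripped-User-Name covers DOMAIN\user and user@realm
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    group {
        base_dn = "${..base_dn}"
        filter = "(objectClass=group)"
        name_attribute = cn
        # AD stores the user's groups on the user object
        membership_attribute = "memberOf"
    }
}

# /etc/freeradius/3.0/sites-enabled/default, post-auth section.
# Authentication has already succeeded when this runs; the only
# decision left is which Filter-Id (role) the switch gets back.
post-auth {
    if (&LDAP-Group == "CN=NET-Staff,OU=Groups,DC=example,DC=com") {
        update reply {
            &Filter-Id := "client"
        }
    }
    elsif (&LDAP-Group == "CN=NET-Phones,OU=Groups,DC=example,DC=com") {
        update reply {
            &Filter-Id := "ipphones"
        }
    }
    else {
        # Valid AD account but in no mapped group: refuse the request.
        # With the 6860 config above, an 802.1x failure lands in "guest".
        reject
    }
}
```

Run the server with "freeradius -X" while testing so the group lookup and the reply attributes are visible in the debug output.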
Whipster
Member
Posts: 24
Joined: 03 Apr 2013 15:57

Re: Active Directory Authentication

Post by Whipster »

These helped me! Just follow the instructions and you are GTG!

jmcastellanos wrote: Hi,

Here are some files you can use to configure your switches.
This feature of Access Guardian on the 6860 is different from the 6450; you have to configure where your users are.

Follow these examples and you can configure what you want.

Best regards,

Mauricio Castellanos
ACFE.
El Salvador
banalas
Member
Posts: 1
Joined: 15 Jan 2016 16:34

Re: Active Directory Authentication

Post by banalas »

I am trying to configure this at one of my clients.

Can you please share the files?

Thanks,
Sri
devnull
Alcatel Unleashed Certified Guru
Posts: 976
Joined: 07 Sep 2010 10:16
Location: Germany

Re: Active Directory Authentication

Post by devnull »

They are attached to the post?
Anirudhh-123
Member
Posts: 19
Joined: 26 Jul 2016 06:04

Re: Active Directory Authentication

Post by Anirudhh-123 »

Hi,

Please suggest a command to check the AD integration of the switch with the RADIUS server.

Thanks
silvio
Alcatel Unleashed Certified Guru
Posts: 1886
Joined: 01 Jul 2008 10:51
Location: Germany

Re: Active Directory Authentication

Post by silvio »

From the switch to the RADIUS server you can use:

Code:

aaa test-radius-server RAD-1 type authentication user aaaaa password bbbbb

If the RADIUS server finds the entry in the AD, then you will see a success message.

Regards,
Silvio
Anirudhh-123
Member
Posts: 19
Joined: 26 Jul 2016 06:04

Re: Active Directory Authentication

Post by Anirudhh-123 »

Thank you, Silvio.

But this command is showing the following error.
My release is 6.4.3.520.R01.

Thanks
silvio
Alcatel Unleashed Certified Guru
Posts: 1886
Joined: 01 Jul 2008 10:51
Location: Germany

Re: Active Directory Authentication

Post by silvio »

Works since 6.4.4 :shock:

Regards,
Silvio