Active Directory Authentication
- Member
- Posts: 4
- Joined: 07 Sep 2015 13:04
Active Directory Authentication
Hi All,
I am new to the Alcatel-Lucent world and have just taken delivery of our 6860.
I want to provision VLANs on the access switches, which are 6450s, based on my Active Directory users / security groups.
I can get a RADIUS server to talk with my Active Directory and authenticate, but how do I configure the switch to check whether a user belongs to a particular group and authenticate, or how do I map a particular user to a VLAN profile in the RADIUS server (I plan to use FreeRADIUS on top of CentOS or Fedora)?
If you have any guides on how to do this, please share them.
Any help / guidance / notes will be greatly appreciated.
Thanks,
Sriram A DAs
- Member
- Posts: 15
- Joined: 10 Apr 2012 11:15
Re: Active Directory Authentication
Hi,
here are some files you can use to configure your switches.
This feature of Access Guardian in the 6860 is different from the 6450; you have to configure where your users are.
Follow these examples and you can configure what you want.
best regards
Mauricio Castellanos
ACFE.
El Salvador
Re: Active Directory Authentication
Sriram A DAs wrote: I can get a RADIUS server to talk with my Active Directory and authenticate, but how do I configure the switch to check whether a user belongs to a particular group and authenticate, or how do I map a particular user to a VLAN profile in the RADIUS server (I plan to use FreeRADIUS on top of CentOS or Fedora)?
You can't do such things in the switch.
This has to be done in the RADIUS server.
I know how to do that in NPS, but I have not yet tried to query group membership in FreeRADIUS, so here I can't help you.
The RADIUS server needs some logic to
a) check username/password (valid?)
b) return a group-dependent VLAN number or VLAN name to the switch.
In that case you have to return a Filter-Id,
e.g. in /etc/freeradius/users:
Code:
"client" Cleartext-Password := "client"
         Filter-Id = "client"
or a Xylan auth group:
Code:
"alu40" Cleartext-Password := "alu40"
        Xylan-Auth-Group = 40
Xylan-Auth-Group will make the switch put that user into VLAN 40 (the switch needs to have VLAN 40 configured and usable, of course, e.g. tagged uplinks).
Filter-Id, on the other hand, will need additional config on the switches (here 6850):
Code:
aaa user-network-profile name "client" vlan 132
aaa user-network-profile name "ipphones" vlan 30
vlan port mobile 1/7
vlan port 1/7 802.1x enable
vlan port mobile 1/8
vlan port 1/8 802.1x enable
Code:
unp edge-profile client
unp edge-profile ipphones
unp edge-profile guest
unp vlan-mapping edge-profile client vlan 132
unp vlan-mapping edge-profile ipphones vlan 30
unp vlan-mapping edge-profile guest vlan 666
unp edge-template auth-template
unp edge-template auth-template 802.1x-authentication enable
unp edge-template auth-template mac-authentication enable
unp edge-template auth-template classification enable
unp edge-template auth-template aaa-profile aaa-profile
unp port 1/1/7 port-type edge
unp port 1/1/7 edge-template auth-template
unp port 1/1/8 port-type edge
unp port 1/1/8 edge-template auth-template
unp classification authentication-type 802.1x fail edge-profile guest
-> You can set a client "client" and, depending on your location, have a different VLAN, e.g.
campus 1 vlan = 101
campus 2 vlan = 201
campus 3 vlan = 301
-> You have the same roles but the underlying VLAN is different, which is way easier than having a different user at each location.
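As an added illustration (not from any post in this thread), this is how the group-dependent logic described above could be written in a FreeRADIUS 3 users file, checking Active Directory group membership through the ldap module and returning either Filter-Id (matching the user-network-profile names in the switch config quoted above) or the Xylan-Auth-Group VSA. The file path, the group DNs and the "ldap" module instance name are assumptions.

```text
# Added example, not from the thread. Assumed path: /etc/freeradius/3.0/users
# Assumes the "ldap" module is configured against AD with
# group { membership_attribute = "memberOf" } and is listed in the
# authorize section before "files", so LDAP-Group is usable as a check item.
# Group DNs are constructed placeholders.

# Staff: map AD group -> switch user-network-profile "client" via Filter-Id
DEFAULT  LDAP-Group == "CN=NetStaff,OU=Groups,DC=corp,DC=example"
         Filter-Id = "client",
         Fall-Through = No

# Phones: same idea, but push the VLAN number directly with the Alcatel VSA
DEFAULT  LDAP-Group == "CN=IPPhones,OU=Groups,DC=corp,DC=example"
         Xylan-Auth-Group = 30,
         Fall-Through = No

# Valid credentials but no mapped group: reject explicitly instead of
# letting the switch fall into a default or guest VLAN silently
DEFAULT  Auth-Type := Reject
         Reply-Message = "No VLAN mapping for this account"
```

Because Fall-Through is No on the matching entries, the final DEFAULT reject is reached only by accounts that are in none of the mapped groups, which is the failure mode you want to see in the RADIUS log rather than on the switch.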
Re: Active Directory Authentication
These helped me! Just follow the instructions and you are GTG!
jmcastellanos wrote: hi
here are some files you can use to configure your switches.
This feature of Access Guardian in 6860 is different from 6450, you have to configure where your users are.
follow this examples and you can configure what you want.
best regards
Mauricio Castellanos
ACFE.
El Salvador
Re: Active Directory Authentication
I am trying to configure this at one of my clients.
Can you please share the files?
Thanks
Sri
Re: Active Directory Authentication
They are attached to the post?
- Member
- Posts: 19
- Joined: 26 Jul 2016 06:04
Re: Active Directory Authentication
Hi,
Please suggest a command to check the AD integration of the switch with the RADIUS server.
Thanks
Re: Active Directory Authentication
From the switch to the RADIUS server you can use:
Code:
aaa test-radius-server RAD-1 type authentication user aaaaa password bbbbb
If the RADIUS server finds the entry in the AD, then you will see a success message.
regards
Silvio
- Member
- Posts: 19
- Joined: 26 Jul 2016 06:04
Re: Active Directory Authentication
Thank you Silvio.
But this command is showing the following error.
My release is 6.4.3.520.R01.
Thanks
Re: Active Directory Authentication
Works since 6.4.4.
regards
Silvio