Authenticating guest users via an Active Directory server using LDAP, with the portal mode set to Internal AP
Introduction
This document describes how to configure a cnPilot Hotspot or E series device for web (guest portal) authentication against an Active Directory (AD) server over LDAP.
Note: This feature is available from 3.0-b24 beta release build.
Devices used to explain the feature
Client device: Mobile phone
Access point: Cambium Networks E600
Active Directory: Windows Server 2008 R2
Configure LDAP Server
The first step is to configure the LDAP server, which acts as the backend database holding the credentials of the wireless clients. In this example a Microsoft Windows Server 2008 R2 domain controller is the LDAP server.
Create Users on the Domain Controller
Step 1: Create an Organizational Unit (OU). An OU can contain multiple groups, each carrying multiple users.
Step 2: Create a group inside the organizational unit.
Step 3: Create a user and add the user to the group.
In this example a new OU “Test_Ldap” is created, and the group “Test_Group_Ldap” is created inside this OU. A user named “anand” is created and added to “Test_Group_Ldap”.
Note: The domain used in this example is corp.solutionlab.com
The screenshots for these steps follow; each screenshot is explained in the caption beneath it.
Right-click the corp.solutionlab.com domain to create an OU
Enter the organizational unit name and click OK
The Test_Ldap OU is now created
Right-click the Test_Ldap OU to create a new group
Enter the group name “Test_Group_Ldap” and click OK. The “Test_Group_Ldap” group is now created
Right-click the “Test_Ldap” OU to create a user
Enter the user name and click Next
Enter the password and click Next, checking or unchecking the highlighted options as applicable
Click Finish to create the user
Add the user to a group
Search for the group to which the user needs to be added and click OK
The user is now a member of the group
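The same three steps can be scripted with the ActiveDirectory PowerShell module (RSAT, or run on the domain controller itself). This is an added example, not part of the original document or of Cambium's material; it uses the page's domain, OU, group and user names, prompts for the user password rather than embedding one, and the UPN suffix is an assumption.

```powershell
# Added example: creates the OU, group and user described above with the
# ActiveDirectory module. Not from the original document.
# Domain, OU, group and user names are the page's example values; the UPN
# suffix and the password prompt are assumptions.
Import-Module ActiveDirectory

$domainDn  = "DC=corp,DC=solutionlab,DC=com"
$ouName    = "Test_Ldap"
$ouDn      = "OU=$ouName,$domainDn"
$groupName = "Test_Group_Ldap"
$userName  = "anand"
$userPassword = Read-Host -AsSecureString "Password for $userName"

# Step 1: the OU. A lab OU is left unprotected so it can be removed again.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $false
}

# Step 2: a global security group inside the OU.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'" -SearchBase $ouDn)) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDn
}

# Step 3: the user, created enabled inside the same OU, then added to the group.
# "User must change password at next logon" is cleared on purpose: an account
# with that flag set cannot complete the LDAP simple bind the AP performs.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$userName'")) {
    New-ADUser -Name $userName -SamAccountName $userName `
               -UserPrincipalName "$userName@corp.solutionlab.com" `
               -Path $ouDn -AccountPassword $userPassword `
               -Enabled $true -ChangePasswordAtLogon $false
}
Add-ADGroupMember -Identity $groupName -Members $userName

# Print the distinguished name the AP's search will return for this user.
(Get-ADUser -Identity $userName).DistinguishedName
```

For the layout used on this page the last line prints CN=anand,OU=Test_Ldap,DC=corp,DC=solutionlab,DC=com, which is the DN the AP binds with once the guest has been found.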
Configure the LDAP server credentials on cnMaestro or the AP
In cnMaestro, the LDAP guest settings are under Shared Settings > WLAN > (WLAN name) > Guest Access.
The configuration below uses the built-in Administrator account, which lives in the default Users container, as the bind user. Because the AP stores this password and sends it in an LDAP simple bind, a dedicated read-only bind account is preferable to the domain Administrator in production.
In cnMaestro, the LDAP server IP address is configured under AP Group > (group name) > Services > LDAP.
On the access point, the LDAP guest configuration is under Configure > WLAN > Guest Access.
On the access point, the LDAP server IP address is configured under Configure > Services > Network > LDAP.
Order of DC, OU and CN
Make sure the DC, OU and CN components are given in the correct order, otherwise the AP cannot bind to the AD. A distinguished name (DN) is written from the leaf object outwards: the CN of the object first, then the OUs from innermost to outermost, then the DC components of the domain. In this example the order is:
CN=James,OU=ldap_OU_Test,OU=Test_Ldap,DC=corp,DC=solutionlab,DC=com
Let’s take users created at different levels of the LDAP hierarchy, bind to the AD from the AP and authenticate each of them.
An LDAP DN is built from these components: cn = common name, ou = organizational unit, dc = domain component.
“sadmin” is an administrative user created at the root level of the domain, not inside any OU.
“admin” is the user used to authenticate the client; it lives in the default Users container.
For the example below, the cnMaestro/AP configuration is:
Note: no OU component is needed in the bind DN here, since “sadmin” is not inside any OU.
Windows AD configuration: screenshot of the bind user from the Active Directory
Screenshot of the authentication user “admin” from the Active Directory
Packet capture taken on the LDAP server when the bind succeeds for user admin
Logs from the AP for a successful user authentication
“anand” is the user used to authenticate the client; it lives in the Test_Ldap OU.
Windows AD configuration: bind to the LDAP server as user “sadmin”; screenshot of sadmin from the Active Directory
Authenticate the guest user “anand”; screenshot from the Active Directory
Packet capture taken on the LDAP server when the bind succeeds for user anand
Logs from the AP when user authentication succeeds
Let’s use another administrative user to bind the AP to the Active Directory.
“Administrator” is the built-in administrative user in the default Users container.
“admin” is the user used to authenticate the client; it lives in the default Users container.
The cnMaestro/AP configuration is shown below. Note that Users is a container, not an OU, so it is written as CN=Users rather than OU=Users in the bind DN.
Windows AD configuration: bind to the LDAP server as “Administrator” and authenticate the guest user “admin”; screenshots of both users from the Active Directory
Packet capture taken on the LDAP server when both the bind and the authentication succeed
Logs from the AP when user authentication succeeds
“anand” is the user used to authenticate the client; it lives in the Test_Ldap OU.
Windows AD configuration: screenshot of the authentication user “anand” from the Active Directory
Packet capture taken on the LDAP server when both the bind and the authentication succeed
Logs from the AP when user authentication succeeds
“James” is the user used to authenticate the client; it lives in the ldap_OU_Test OU, which is inside the Test_Ldap OU.
Packet capture taken on the LDAP server when both the bind and the authentication succeed
Logs from the AP when user authentication succeeds
Let’s use another administrative user to bind the AP to the Active Directory.
“viswanathan” is an administrative user that already exists in the Test_Ldap OU.
“admin” is the user used to authenticate the client; it lives in the default Users container. The cnMaestro/AP configuration is:
Windows AD configuration: screenshot of the bind user “viswanathan” from the Active Directory
Screenshot of the authentication user “admin” from the Active Directory
Packet capture taken on the LDAP server when both the bind and the authentication succeed
Logs from the AP when user authentication succeeds
“anand” is the user used to authenticate the client; it lives in the Test_Ldap OU.
Windows AD configuration: screenshot of the authentication user from the Active Directory
Packet capture taken on the LDAP server when both the bind and the authentication succeed
Logs from the AP when user authentication succeeds
“James” is the user used to authenticate the client; it lives in the ldap_OU_Test OU, which is inside the Test_Ldap OU.
Packet capture taken on the LDAP server when both the bind and the authentication succeed
Logs from the AP when user authentication succeeds
How to analyse a failed user authentication
Scenario 1: bind succeeds, search succeeds, guest user authentication fails (invalid credentials)
Packet capture taken on the LDAP server when the bind succeeds and the authentication fails
Logs from the AP when the bind and search succeed but user authentication fails
Scenario 2: bind succeeds, search fails, user authentication fails
Packet capture taken on the LDAP server when the bind succeeds and the authentication fails (the search fails with OperationsError; the user is not found)
Logs from the AP when the bind succeeds and the search fails, so the user authentication fails
Scenario 3: bind fails while the LDAP server is reachable
In the capture below the bind DN uses OU=Users, which is wrong: Users is a container, not an OU, and that is the reason for the failure. The correct form is “CN=Administrator,CN=Users,…”.
Logs from the AP when the bind fails
Scenario 4: bind fails, LDAP server reachable, Administrator password wrong
In the capture below, the response to the bind request is invalidCredentials.
Logs from the AP when the bind fails
Scenario 5: bind fails, LDAP server not reachable
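The DN-ordering rule above and the five failure scenarios can be checked from a Windows host before the values are typed into cnMaestro or the AP. The function below is an added example, not part of the original document or of Cambium's code: it performs the same sequence the AP does (simple bind as the admin DN, subtree search for the guest account, simple bind as the guest's own DN) with System.DirectoryServices.Protocols and reports which step failed and the LDAP result code. The server name and port, and the (sAMAccountName=...) search filter, are assumptions; the DNs follow the page's example hierarchy.

```powershell
# Added example, not from the original document: reproduces the AP's
# bind -> search -> bind sequence against a real domain controller so the
# bind DN, base DN and guest credentials can be verified in isolation.
# Assumptions: host name/port, and that the AP searches on sAMAccountName.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-ApLdapAuth {
    param(
        [string]$Server,         # assumed, e.g. "dc01.corp.solutionlab.com:389"
        [string]$BindDn,         # admin DN the AP binds with
        [string]$BindPassword,
        [string]$BaseDn,         # where the AP searches for the guest account
        [string]$GuestUser,      # what the guest typed into the portal
        [string]$GuestPassword
    )
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection $Server
    $conn.SessionOptions.ProtocolVersion = 3
    # Simple bind, as the AP does it; the password crosses the wire in clear
    # unless the connection is LDAPS, so test from a trusted network segment.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Timeout  = [TimeSpan]::FromSeconds(5)

    # Step 1: bind as the admin DN. Scenarios 3, 4 and 5 fail here.
    try {
        $conn.Credential = New-Object System.Net.NetworkCredential($BindDn, $BindPassword)
        $conn.Bind()
    } catch [System.DirectoryServices.Protocols.LdapException] {
        return [pscustomobject]@{ Step = "bind"; Result = "fail"; Code = $_.Exception.ErrorCode; Detail = $_.Exception.Message }
    }

    # Step 2: subtree search for the guest account under the base DN. Scenario 2 fails here.
    $filter = "(sAMAccountName=$GuestUser)"   # assumed attribute; use (cn=...) if the AP matches on CN
    $scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, $filter, $scope, "distinguishedName")
    try {
        $resp = $conn.SendRequest($req)
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        return [pscustomobject]@{ Step = "search"; Result = "fail"; Code = [int]$_.Exception.Response.ResultCode; Detail = $_.Exception.Message }
    }
    if ($resp.Entries.Count -ne 1) {
        return [pscustomobject]@{ Step = "search"; Result = "fail"; Code = 0; Detail = "$($resp.Entries.Count) entries matched $filter under $BaseDn" }
    }
    $userDn = $resp.Entries[0].DistinguishedName

    # Step 3: bind again as the guest's own DN with the portal password. Scenario 1 fails here.
    $userConn = New-Object System.DirectoryServices.Protocols.LdapConnection $Server
    $userConn.SessionOptions.ProtocolVersion = 3
    $userConn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $userConn.Timeout  = [TimeSpan]::FromSeconds(5)
    try {
        $userConn.Credential = New-Object System.Net.NetworkCredential($userDn, $GuestPassword)
        $userConn.Bind()
    } catch [System.DirectoryServices.Protocols.LdapException] {
        return [pscustomobject]@{ Step = "user-bind"; Result = "fail"; Code = $_.Exception.ErrorCode; Detail = "$userDn : $($_.Exception.Message)" }
    }
    return [pscustomobject]@{ Step = "user-bind"; Result = "success"; Code = 0; Detail = $userDn }
}

# Usage with the page's example objects (Administrator as bind user, "anand" as guest).
Test-ApLdapAuth -Server "dc01.corp.solutionlab.com:389" `
    -BindDn "CN=Administrator,CN=Users,DC=corp,DC=solutionlab,DC=com" `
    -BindPassword (Read-Host "Bind password") `
    -BaseDn "DC=corp,DC=solutionlab,DC=com" `
    -GuestUser "anand" -GuestPassword (Read-Host "Guest password")
```

Read the result against the scenarios above: Step = user-bind with code 49 is scenario 1; Step = search with zero entries (or an error code) is scenario 2; Step = bind with code 49 covers scenarios 3 and 4, and the AD diagnostic text in Detail separates them (data 525 means the bind DN itself was not found, as with OU=Users instead of CN=Users; data 52e means the password is wrong); an unreachable server (scenario 5) also surfaces at Step = bind, typically as error code 81 (server down). Deliberately passing a DN with the OU and CN components in the wrong order is a quick way to see the scenario 3 response before configuring the AP.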