Authenticating guest user via AD server using LDAP protocol where portal mode is Internal AP

Document on authenticating guest user via Active Directory server using LDAP protocol where portal mode is internal AP 

Introduction

This document describes how to configure cnPilot Hotspot or E series device for web authentication using Active Directory (AD) server via LDAP. 

Note: This feature is available from 3.0-b24 beta release build.

Devices used to explain the feature 

            Client device               : Mobile phone

            Access Point               : Cambium Networks E600 Access point

            Active Directory           : Windows 2008 server

Configure LDAP Server

The first step is to configure the LDAP server, which serves as a backend database to store user credentials of the wireless clients. In this example, the Microsoft Windows 2008R2 server is used as the LDAP server.

Create Users on the Domain Controller

Step1   : Create an Organizational Unit (OU) which can contain multiple groups that carry multiple users  

Step2   : Create a group inside the organizational unit

Step3   : Create a user and add the user to the group

In this example, a new OU “Test_Ldap” is created, and group “Test_Group_LdapTest” is created inside this OU. A user named “anand” is created, and added to the “Test_Group_Ldap”.

Note:  The domain used in this example is corp.solutionlab.com

Attaching the screenshot for the steps described

 Screenshot details are explained at the bottom of the screenshot

Right click on corp.solutions.com domain name to create an OU

Enter the organizational name and click on OK

 

Test_Ldap OU is now created

 

Right click on Test_Ldap OU to create a new group

Enter group name “Test_Group_Ldap” and click OK  “Test_Group_Ldap” group is now created

 

Right click on “Test_Ldap” OU to create a user

 

Add the user name and click NEXT

 

Add the password and click NEXT, check/uncheck the options in green which is applicable

 

Click FINISH to create the user

 

Add the user to a group

 

Search the group to which the user needs to be added and click on OK

 

User successfully added to the group

 Configure LDAP server credential on the cnMaestro/AP 

In cnMaestro, Ldap guest is available at shared settings > wlan > wlan name > guest access

Below configuration is for default Administrator user which is part of Users

In cnMaestro, LDAP IP address is configured at > AP_Group > Group name > Services >LDAP

In Access Point, LDAP guest configuration is available Configure> Wlan > Guest Access

In Access Point, LDAP IP address is configured at > Configure> Services > Network > LDAP

 Order of DC, OU and CN

            Make sure that the order of configuring the DC and OU and CN are correct so that we do not have any issues in binding the AD. Here in this example, order is like this,

CN=James,OU=ldap_OU_Test,OU=Test_Ldap,DC=corp,DC=solutionlab,DC=com

Let’s take different users created in different hierarchy of LDAP and bind with AP and authenticate 

LDAP typically has following format.   cn=common name , ou=organizational unit , dc=domain

“sadmin” –is an administrative user created at the root level.

“admin” is the user used to authenticate the client available at default users group.  

For the below example, cnMaestro/ AP configuration is,   

Note: We do not need to add OU here since “sadmin” user is not added to any group

Windows AD configuration, Bind user screen capture from the Active Directory  

Authentication user "admin" screen shot from the Active Directory

Packet capture taken from the LDAP server when bind is success for user admin

Logs from the AP for successful user authentication

“anand” is the user used to authenticate the client available at Test_Ldap OU. 

Windows AD configuration, Bind the LDAP server with user (sadmin), sadmin screen shot from the Active Directory 

Authenticate guest user with username "anand" screenshot from the Active Directory 

Packet capture taken from the LDAP server when bind is success for user anand

 Logs from the AP when user authentication is success 

Let’s use another Administrative user to bind the AP with the Active directory.

“Administrator” –is an administrative user already available in the users group

“admin” is the user used to authenticate the client available at default users group. 

cnMaestro/ AP configuration is,  Note that here Users is mapped to CN not OU

Windows AD configuration, Bind the LDAP server with user (Administrator) , and authenticate with guest user (admin) , screen shot of both users from the Active Directory 

Packet capture taken from LDAP server when bind is success and authentication is also success

Logs from the AP when user authentication is success

“anand” user used to authenticate the client available at Test_Ldap OU.

Windows AD configuration, authentication user (anand) screen shot from the Active Directory 

Packet capture taken from LDAP when bind is success and authentication is also success 

Logs from the AP  when user authentication is success

“James”  user used to authenticate the client available at ldap_OU_Test OU which is inside the Test_Ldap OU

   

Packet capture taken from LDAP when bind is success and authentication is also success 

 

Logs from the AP when user authentication is success

Let’s use another Administrative user to bind the AP with the Active directory.  

“viswanathan” –is an administrative user already available in the Test_LDAP OU

“admin” is the user used to authenticate the client available at default users group.cnMaestro/AP configuration is,   

Windows AD configuration, "Viswanathan" bind user screen shot from the Active Directory 

Authentication user "admin" screen shot from the Active Directory 

Packet capture taken from LDAP when bind is success and authentication is also success 

Logs from the AP when user authentication is success

“anand” is the user used to authenticate the client available at Test_Ldap OU.   

Windows AD configuration, authentication user screen shot from the Active Directory

 

Packet capture taken from LDAP when bind is success and authentication is also success

Logs from the AP when user authentication is success

"James” is the user used to authenticate the client available at ldap_OU_Test OU which is inside the Test_Ldap OU 

Packet capture taken from LDAP when bind is success and authentication is also success 

Logs from the AP when user authentication is success 

How to analyse User authentication is fail  

Scenario -1 - Bind is success, search is success and guest user authentication is failing (invalid credentials)

Packet capture taken from LDAP when bind is success and authentication is failure 

Logs from the AP when user authentication is failure and bind and search is success  

 Scenario -2 – Bind is success, search fails and user authentication is failing   

Packet capture taken from LDAP when bind is success and authentication is failure (search fails with reason OperationsError- reason user not available)

Logs from the AP when bind is success and search is failure resulting in user fail  

 Scenario -3 – Bind is failing, LDAP is reachable  

 In the below capture, we can see that the OU=Users is not correct and that is the reason for the failure. Correct usage is “CN=Administrator,CN=users,…”

Logs from the AP when bind is failing

Scenario -4 – Bind is failing, LDAP is reachable, Administrator Password is wrong     

In the below capture, we can see that the response for bind request is invalid credentials.

Logs from the AP when bind is failing 

Scenario -5 – Bind is failing, LDAP is not reachable, 

2 Likes