
Authenticating guest user via AD server using LDAP protocol where portal mode is Internal AP


A document on authenticating guest users via an Active Directory server using the LDAP protocol, where the portal mode is internal AP.

Introduction

 

This document describes how to configure a cnPilot Hotspot or E series device for web authentication against an Active Directory (AD) server via LDAP.

Note: This feature is available from the 3.0-b24 beta release build.

Devices used to explain the feature

Client device    : Mobile phone
Access Point     : Cambium Networks E600 Access Point
Active Directory : Windows 2008 server

 

Configure LDAP Server

 

The first step is to configure the LDAP server, which serves as the backend database holding the user credentials of the wireless clients. In this example, a Microsoft Windows 2008 R2 server is used as the LDAP server.

 

Create Users on the Domain Controller

 

Step 1: Create an Organizational Unit (OU), which can contain multiple groups that in turn carry multiple users.

Step 2: Create a group inside the organizational unit.

Step 3: Create a user and add the user to the group.

In this example, a new OU “Test_Ldap” is created, and the group “Test_Group_Ldap” is created inside this OU. A user named “anand” is created and added to “Test_Group_Ldap”.

 

Note: The domain used in this example is corp.solutionlab.com.

 

Screenshots for the steps described above; the details of each screenshot are explained below it.

[Screenshot: create_ou_2.PNG] Right-click the corp.solutionlab.com domain name to create an OU.

[Screenshot: create_ou_3.PNG] Enter the organizational unit name and click OK.

[Screenshot: create_ou_4.PNG] The Test_Ldap OU is now created.

[Screenshot: create_group_1.PNG] Right-click the Test_Ldap OU to create a new group.

[Screenshot: create_group_2.PNG] Enter the group name “Test_Group_Ldap” and click OK.

[Screenshot: create_group_3.PNG] The “Test_Group_Ldap” group is now created.

[Screenshot: create_user_1.PNG] Right-click the “Test_Ldap” OU to create a user.

[Screenshot: create_user_2.PNG] Enter the user name and click NEXT.

[Screenshot: create_user_3.PNG] Enter the password and click NEXT; check or uncheck the options highlighted in green as applicable.

[Screenshot: create_user_4.PNG] Click FINISH to create the user.

[Screenshot: add_user_to_group_1.PNG] Add the user to a group.

[Screenshot: add_user_to_group_2.PNG] Search for the group to which the user needs to be added and click OK.

[Screenshot: add_user_to_group_3.PNG] The user is successfully added to the group.

Configure LDAP server credentials on cnMaestro / the AP

In cnMaestro, LDAP guest authentication is configured under Shared Settings > WLAN > <WLAN name> > Guest Access.

The configuration below is for the default Administrator user, which is part of the default Users container.

[Screenshot: LDAP_guest_configuration.PNG]

In cnMaestro, the LDAP server IP address is configured under AP Group > <group name> > Services > LDAP.

[Screenshot: LDAP_Configuration.PNG]

On the Access Point, the LDAP guest configuration is available under Configure > WLAN > Guest Access.

[Screenshot: LDAP_guest_configuration_AP.PNG]

On the Access Point, the LDAP server IP address is configured under Configure > Services > Network > LDAP.

[Screenshot: LDAP_Configuration_AP.PNG]

 

Order of DC, OU and CN

Make sure the DC, OU and CN components are configured in the correct order, otherwise the AP will have issues binding to the AD. In this example the order is:

CN=James,OU=ldap_OU_Test,OU=Test_Ldap,DC=corp,DC=solutionlab,DC=com

[Screenshot: James_user.PNG]
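As an added example (not part of the original post or of Cambium's software), the following Python checks the component order of a bind DN before it is entered into cnMaestro or the AP, and flags the OU=Users mistake that the scenario 3 capture at the end of this document shows. The set of RDN attributes it accepts and the list of default containers are assumptions.

```python
"""Check that a bind DN lists its components leaf-first (CN, then OU/CN containers,
then DC) and that well-known AD containers are written as CN=, not OU=."""
import re

# One RDN: attribute=value.  Only CN, OU and DC are expected in a bind DN here
# (assumption); escaped commas inside values are not handled.
RDN = re.compile(r"^\s*(CN|OU|DC)\s*=\s*([^,]+?)\s*$", re.IGNORECASE)
# Default AD containers that are CN objects, not organizational units (assumption:
# limited to the two most common ones).
CN_CONTAINERS = {"users", "computers"}

def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, leaf first; raise on a malformed RDN."""
    pairs = []
    for rdn in dn.split(","):
        match = RDN.match(rdn)
        if not match:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((match.group(1).upper(), match.group(2)))
    return pairs

def check_bind_dn(dn):
    """Return a list of problems; an empty list means the order is sound."""
    problems = []
    pairs = parse_dn(dn)
    attrs = [attr for attr, _ in pairs]
    if attrs[0] != "CN":
        problems.append("first RDN must be the object's own CN")
    first_dc = attrs.index("DC") if "DC" in attrs else len(attrs)
    if first_dc == len(attrs):
        problems.append("no DC components: the domain part is missing")
    if any(attr != "DC" for attr in attrs[first_dc:]):
        problems.append("OU/CN after a DC component: order must be CN, OU..., DC...")
    for attr, value in pairs[1:first_dc]:
        if attr == "OU" and value.lower() in CN_CONTAINERS:
            problems.append(f"{value} is a default container: use CN={value}, not OU={value}")
    return problems

if __name__ == "__main__":
    for dn in ("CN=James,OU=ldap_OU_Test,OU=Test_Ldap,DC=corp,DC=solutionlab,DC=com",
               "CN=Administrator,OU=Users,DC=corp,DC=solutionlab,DC=com"):
        print(dn, "->", check_bind_dn(dn) or "OK")
```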

 

Let's take users created at different levels of the LDAP hierarchy, bind to the AD from the AP, and authenticate each of them.

An LDAP DN typically has the following format: cn=common name, ou=organizational unit, dc=domain component.

“sadmin” is an administrative user created at the root level.

“admin” is the user used to authenticate the client; it is in the default Users group.

 

For the example below, the cnMaestro/AP configuration is:

[Screenshot: sadmin_cn-AP_config.PNG]

Note: No OU needs to be added here, since the “sadmin” user is not added to any group.

Windows AD configuration: bind user screenshot from the Active Directory.

[Screenshot: sadmin_Windows_Conf.PNG]

Authentication user "admin" screenshot from the Active Directory.

[Screenshot: Administrator_Windows_Conf.PNG]

Packet capture taken from the LDAP server when the bind succeeds for user admin.

[Screenshot: sadmin_top.PNG]

Logs from the AP for a successful user authentication.

[Screenshot: user-admin-bind-sadmin.PNG]

 

“anand” is the user used to authenticate the client; it is in the Test_Ldap OU.

Windows AD configuration: the LDAP server is bound with user sadmin; sadmin screenshot from the Active Directory.

[Screenshot: sadmin_Windows_Conf.PNG]

Authenticate the guest user with username "anand"; screenshot from the Active Directory.

[Screenshot: anand_user.PNG]

Packet capture taken from the LDAP server when the bind succeeds for user anand.

[Screenshot: sadmin_user-anand.PNG]

Logs from the AP when user authentication succeeds.

[Screenshot: user-anand-bind-sadmin.PNG]

 

Let's use another administrative user to bind the AP with the Active Directory.

“Administrator” is an administrative user already available in the Users group.

“admin” is the user used to authenticate the client; it is in the default Users group.

The cnMaestro/AP configuration is shown below. Note that here Users is mapped to CN, not OU.

[Screenshot: Administrator-cn-ap_config.png]

Windows AD configuration: bind the LDAP server with user Administrator and authenticate with guest user admin; screenshot of both users from the Active Directory.

[Screenshot: Administrator_Windows_Conf.PNG]

Packet capture taken from the LDAP server when both the bind and the authentication succeed.

[Screenshot: bind-Administrator-user-admin.PNG]

Logs from the AP when user authentication succeeds.

[Screenshot: user-admin-bind-Administrator.PNG]

“anand” is the user used to authenticate the client; it is in the Test_Ldap OU.

Windows AD configuration: authentication user anand, screenshot from the Active Directory.

[Screenshot: anand_user.PNG]

Packet capture taken from the LDAP server when both the bind and the authentication succeed.

[Screenshot: bind-Administrator-user-anand.PNG]

Logs from the AP when user authentication succeeds.

[Screenshot: user-anand-bind-Administrator.PNG]

“James” is the user used to authenticate the client; it is in the ldap_OU_Test OU, which is inside the Test_Ldap OU.

[Screenshot: James_user.PNG]

Packet capture taken from the LDAP server when both the bind and the authentication succeed.

[Screenshot: bind-Administrator-user-james.PNG]

Logs from the AP when user authentication succeeds.

[Screenshot: user-James-bind-Administrator.PNG]

 

Let's use another administrative user to bind the AP with the Active Directory.

“viswanathan” is an administrative user already available in the Test_Ldap OU.

“admin” is the user used to authenticate the client; it is in the default Users group.

The cnMaestro/AP configuration is:

[Screenshot: viswanathan-cn-ap_config.PNG]

Windows AD configuration: "Viswanathan" bind user screenshot from the Active Directory.

[Screenshot: Viswanathan_Windows_Conf.PNG]

Authentication user "admin" screenshot from the Active Directory.

[Screenshot: admin_user.PNG]

Packet capture taken from the LDAP server when both the bind and the authentication succeed.

[Screenshot: bind-viswanathan-user-admin.PNG]

Logs from the AP when user authentication succeeds.

[Screenshot: user-admin-bind-Viswanathan.PNG]

“anand” is the user used to authenticate the client; it is in the Test_Ldap OU.

Windows AD configuration: authentication user screenshot from the Active Directory.

[Screenshot: anand_user.PNG]

Packet capture taken from the LDAP server when both the bind and the authentication succeed.

[Screenshot: bind-viswanathan-user-anand.PNG]

Logs from the AP when user authentication succeeds.

[Screenshot: user-anand-bind-Viswanathan.PNG]

“James” is the user used to authenticate the client; it is in the ldap_OU_Test OU, which is inside the Test_Ldap OU.

[Screenshot: James_user.PNG]

Packet capture taken from the LDAP server when both the bind and the authentication succeed.

[Screenshot: bind-viswanathan-user-james.PNG]

Logs from the AP when user authentication succeeds.

[Screenshot: user-james-bind-Viswanathan.PNG]

 

How to analyse a failed user authentication

Scenario 1: Bind succeeds, search succeeds, and guest user authentication fails (invalid credentials)

Packet capture taken from the LDAP server when the bind succeeds and the authentication fails.

[Screenshot: user-authfail-bindsuccess_pkt.PNG]

Logs from the AP when user authentication fails while bind and search succeed.

[Screenshot: user-authfail-bindsuccess.PNG]

Scenario 2: Bind succeeds, search fails, and user authentication fails

Packet capture taken from the LDAP server when the bind succeeds and the authentication fails (the search fails with OperationsError, because the user is not available).

[Screenshot: user-searchfail-bindsuccess_pkt.PNG]

Logs from the AP when the bind succeeds and the search fails, resulting in a user authentication failure.

[Screenshot: user-searchfail-bindsuccess.png]

Scenario 3: Bind fails, LDAP is reachable

In the capture below, OU=Users is not correct and is the reason for the failure. The correct usage is “CN=Administrator,CN=users,…”.

[Screenshot: bind_fail.PNG]

Logs from the AP when the bind fails.

[Screenshot: bindfail.PNG]

Scenario 4: Bind fails, LDAP is reachable, Administrator password is wrong

In the capture below, the response to the bind request is "invalid credentials".

[Screenshot: LDAP_Admin_passwrong.PNG]

Logs from the AP when the bind fails.

[Screenshot: LDAP_Admin_passwrong_aplog.PNG]

Scenario 5: Bind fails, LDAP is not reachable

[Screenshot: LDAP_Server_not_reachable.PNG]
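The five scenarios above are the five places the AP's bind, search and guest-bind sequence can stop. As an added example (not part of the original post or of Cambium's software), the following Python walks that sequence against a constructed in-memory directory and labels the outcome with the matching scenario; the directory contents, passwords and the assumption that a missing user yields operationsError on the search are constructed to mirror the captures, not taken from a real server.

```python
"""Walk the AP's guest-login sequence (bind as the configured LDAP user, search for the
guest, bind as the guest) against a constructed in-memory directory and report which
of the page's failure scenarios a given outcome matches.  Result codes are the
standard LDAP ones: 0 success, 1 operationsError, 49 invalidCredentials."""
SUCCESS, OPERATIONS_ERROR, INVALID_CREDENTIALS = 0, 1, 49

# Constructed sample directory, DN -> (sAMAccountName, password); not real credentials.
DIRECTORY = {
    "CN=Administrator,CN=Users,DC=corp,DC=solutionlab,DC=com": ("Administrator", "Adm1n-pw"),
    "CN=admin,CN=Users,DC=corp,DC=solutionlab,DC=com": ("admin", "guest-pw"),
    "CN=anand,OU=Test_Ldap,DC=corp,DC=solutionlab,DC=com": ("anand", "anand-pw"),
}

def simple_bind(directory, dn, password):
    """LDAP simple bind: an unknown DN and a wrong password both answer
    invalidCredentials (49), which is why scenarios 3 and 4 look alike on the wire."""
    entry = directory.get(dn)
    return SUCCESS if entry and entry[1] == password else INVALID_CREDENTIALS

def search_user(directory, base_dn, username):
    """Look the guest up under base_dn.  Constructed to fail with operationsError
    when the user is not there, mirroring the capture in scenario 2."""
    for dn, (sam, _) in directory.items():
        if sam == username and dn.lower().endswith(base_dn.lower()):
            return SUCCESS, dn
    return OPERATIONS_ERROR, None

def guest_auth(directory, bind_dn, bind_pw, base_dn, username, password):
    """Run the three steps in order; return (scenario label, code of the failing step)."""
    if directory is None:  # no LDAP server answered at all
        return "scenario 5: LDAP server not reachable", None
    code = simple_bind(directory, bind_dn, bind_pw)
    if code != SUCCESS:
        # The AP only sees code 49; an analyst separates the two cases by checking
        # the configured bind DN, which is what the directory lookup stands in for.
        which = "3: bind DN wrong" if bind_dn not in directory else "4: bind password wrong"
        return "scenario " + which, code
    code, user_dn = search_user(directory, base_dn, username)
    if code != SUCCESS:
        return "scenario 2: search failed, user not found", code
    code = simple_bind(directory, user_dn, password)
    if code != SUCCESS:
        return "scenario 1: guest credentials invalid", code
    return "success", code
```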