Wireless Access

last person joined: an hour ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Version 8 inter grated with LDAP

  • 1.  Version 8 inter grated with LDAP

    Posted May 07, 2019 09:41 AM

    i can not make an authenticated between aruba ctr and LDAP with below config 

    version 8

     

    aaa authentication-server ldap "LDAP server"
    host 192.168.100.1
    admin-dn "hqadmin@beshaysteel.com"
    admin-passwd <removed>
    allow-cleartext
    base-dn "dc=beshaysteel,dc=com"
    preferred-conn-type clear-text
    !
    aaa authentication-server ldap "LDAP server 2"
    host 192.168.100.2
    admin-dn "cn=HQAuth,ou=DomainAdmins,ou=HQ,ou=BeshaySteel,dc=beshaysteel,dc=com"
    admin-passwd <removed>
    allow-cleartext
    base-dn "ou=HQ,ou=Beshay-Steel,dc=beshayst



  • 2.  RE: Version 8 inter grated with LDAP

    Posted May 07, 2019 09:45 AM

    Did you use something like LDAP browser to double-check your ldap settings?



  • 3.  RE: Version 8 inter grated with LDAP

    Posted May 07, 2019 09:52 AM

    no. i have not but i have many systmes that integrated with ldpa like fortigate .

     

    this the new configure

     


    aaa authentication-server ldap "LDAP server"
    host 192.168.100.1
    admin-dn "CN=HQAuth,CN=Users,DC=beshaysteel,DC=com"
    admin-passwd <removed>
    allow-cleartext
    base-dn "dc=beshaysteel,dc=com"
    preferred-conn-type clear-text
    !
    aaa authentication-server ldap "LDAP server 2"
    host 192.168.100.2
    admin-dn "CN=HQAuth,CN=Users,DC=beshaysteel,DC=com"
    admin-passwd <removed>
    allow-cleartext
    base-dn "dc=beshaysteel,dc=com"
    preferred-conn-type clear-text
    !



  • 4.  RE: Version 8 inter grated with LDAP

    Posted May 07, 2019 11:11 AM

    If this is active directory you are connecting to, you need to add a single parameter:

     

    key-attribute sAMAccountName



  • 5.  RE: Version 8 inter grated with LDAP

    Posted May 07, 2019 04:31 PM

    yes this is AD, this  parameters was appera in GUI normaly in the server paramters 



  • 6.  RE: Version 8 inter grated with LDAP

    Posted May 07, 2019 04:46 PM

    is this logs appera the issue ?

     

     

    May 7 16:22:26 authmgr[5546]: <199802> <5546> <ERRS> |authmgr| ldapclient.c, ldap_client_bind_admin_cb:922: LDAP Server LDAP server: Error in Binding Admin to server: Timeout or Network error
    May 7 16:22:28 dot1x-proc:1[5993]: <199802> <5993> <ERRS> |dot1x-proc:1| ldapclient.c, ldap_client_bind_admin_cb:922: LDAP Server LDAP server: Error in Binding Admin to server: Timeout or Network error
    May 7 16:22:28 dot1x-proc:2[5996]: <199802> <5996> <ERRS> |dot1x-proc:2| ldapclient.c, ldap_client_bind_admin_cb:922: LDAP Server LDAP server: Error in Binding Admin to server: Timeout or Network error



  • 7.  RE: Version 8 inter grated with LDAP

    Posted May 07, 2019 05:33 PM

    See if you can ping the LDAP server from the controller.  It doesn't seem to be answering.  Does your LDAP server answer on port 636 or 389?



  • 8.  RE: Version 8 inter grated with LDAP

    Posted May 07, 2019 05:35 PM

    i can ping the ldap "all in same subnet" , i try using 2 ports and as result, authenicated failed



  • 9.  RE: Version 8 inter grated with LDAP

    Posted May 07, 2019 05:49 PM

    I would use an LDAP diagnostic tool like ldapsearch or Softerra LDAP browser to ensure that your parameters and port are correct.



  • 10.  RE: Version 8 inter grated with LDAP

    Posted May 07, 2019 06:06 PM

    did you think that the issue in server not cntr.

     

    the aruba configuration is same as fortigate configuration regarding ldap . fortigate work but cnt no



  • 11.  RE: Version 8 inter grated with LDAP

    Posted May 08, 2019 03:27 AM

    Make a packet capture to see what's happening. 



  • 12.  RE: Version 8 inter grated with LDAP

    Posted May 08, 2019 04:42 AM

    While you did not reveal your objectives, Please be advised that you cannot do 802.1X EAP-PEAP-MSCHAPv2 user authentication through LDAP to an AD server. You should be able to do admin authentication, captive portal (PAP) or EAP-GTC/EAP-(T)TLS with LDAP.

     

    For most WLAN authentication scenario's, an external RADIUS server is the better choice. Also, try to avoid EAP-PEAP-MSCHAPv2 whenever possible, at least for unmanaged client devices.



  • 13.  RE: Version 8 inter grated with LDAP

    Posted May 08, 2019 05:54 AM

    Did you mean that there is a limitation with ldap AD.

    i make test usion PAP not MSCHAPv2 nut not help/

    all user datavase in ldapAD not in the reduis .

    could controller make a paket capture?



  • 14.  RE: Version 8 inter grated with LDAP

    Posted May 08, 2019 06:07 AM

    Yes, you should use RADIUS in favor of LDAP in most cases. The short summary is that LDAP (especially with AD) does not provide access to the user password which is required for MSCHAPv2 authentication. It is a design decision that Microsoft made, and I think they made the right decision not to allow access to user passwords.

     

    You can use ClearPass to bind into your Active Directory, or if you are experienced enough configure Microsoft NPS on Active Directory to enable RADIUS in an AD environment. 

     

    In general, avoid LDAP from the controller but use RADIUS, avoid EAP-PEAP-MSCHAPv2 and use EAP-TLS for wireless clients. There are lots of moving parts with significant consequences of choices in such a design, and I would advise you to work with an Aruba partner to get a secure design.

     

    I would capture the LDAP traffic on the LDAP server rather than on the controller.



  • 15.  RE: Version 8 inter grated with LDAP

    Posted May 08, 2019 08:02 AM

    but unfortunatlly i dont have clear pass or radius server in the site, so there is no soultion ?

     

    and what is the siisue berween aruba cntr and ldap , 

     



  • 16.  RE: Version 8 inter grated with LDAP

    Posted May 08, 2019 09:47 AM

    You can use a RADIUS server off-site, or install a RADIUS server.

     

    It's best to work with your Aruba partner to find a good solution.



  • 17.  RE: Version 8 inter grated with LDAP

    Posted May 08, 2019 04:45 PM

    thanks for yoe replay . but note that i have another controller version 8 that intergrated with this ldap with no issue, after i take copy from aaa authentication-server from the working cntr and paste it in the new controller can not authenticate also.

     

    we using same ldapAD
    2 cntr is vmc version 8



  • 18.  RE: Version 8 inter grated with LDAP

    Posted May 09, 2019 04:21 AM

    I think it is best that an engineer has a look at your problem. It is hard to solve it without actually looking at the environment.

     

    Please contact your Aruba partner, or Aruba Support if you have access to that.