Occasional Contributor II

Mobility Manager admin login with AD accounts using LDAP

I have found guides on how to connect MM to AD using LDAPS, so I have created 2 LDAP connections and put them in a server group. However, I cannot find any documentation on how to enable actually using it, or how/where to select AD users or groups and assign them roles in MM.


It's kind of unbelievable there is no readily available information about this, not in the documentation, not here and not on Google/Youtube. Any input, links, docs appreciated, I can't be the only one trying to control management access using AD.


This is not for 1x, Clearpass or anything else, just plain login to the MM with AD accounts.

Guru Elite

Re: Mobility Manager admin login with AD accounts using LDAP

I don't mean to be dismissive, but you don't see any guides, because everyone has moved on from LDAP to Radius. LDAP is not as flexible, or easy to troubleshoot as radius and 99% of people who use LDAP to AD can simply use add/remove to install the free Microsoft Radius.  You are not the only one doing management authentication to AD, you are just one of the few still trying with LDAP.  LDAP is inflexible and difficult to troubleshoot.  It also requires a service account that will break everything if the password is changed or disabled.


I would just install Microsoft NPS and start with that:  https://community.arubanetworks.com/t5/Community-Tribal-Knowledge-Base/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/ta-p/80672


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Video Knowledge Base
Remote Access Point Solution Guide
ArubaOS Consolidated Release Notes
ArubaOS 8 ViA VPN Solution Guide
Occasional Contributor II

Re: Mobility Manager admin login with AD accounts using LDAP

Thanks for your input csjoseph! I believe we can do both RADIUS & TACACS to this domain, so choosing another mechanism is of course doable.


Personally I understand LDAP much better than RADIUS and we use it a lot for other systems. If there is more thorough documentation for using RADIUS->AD auth then that may be the way we have to go instead.

Occasional Contributor II

Re: Mobility Manager admin login with AD accounts using LDAP

Just to summarize if anyone else looks for the same. MM does not seem to have the ability to integrate with AD through LDAP(S) in any meaningful way. Any auth done this way will give the authenticated user or group one pre-defined role only, since LDAP accounts cannot be linked to multiple roles. The only way to differentiate users/roles from an AD is through a mechanism that allows a role to be communicated to the client (MM) as part of the auth process, such as RADIUS or TACACS.


Also worth noting is that MM does not do search or recursion from the configured search base; you need to specify the full directory path to the OU containing the user or group that will be used for auth.
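To illustrate the point above about the auth server having to carry the role back to the MM, here is an added example (my own code, not from the thread or from Aruba) that encodes and decodes the RADIUS Vendor-Specific attribute an NPS or other RADIUS server would return. It assumes Aruba's IANA vendor ID 14823 and vendor attribute number 4 for Aruba-Admin-Role, as listed in the public FreeRADIUS dictionary; the role names and the User-Name attribute in the demo are constructed sample values.

```python
import struct

VENDOR_SPECIFIC = 26        # RFC 2865 attribute type 26: Vendor-Specific
ARUBA_VENDOR_ID = 14823     # Aruba Networks IANA enterprise number (assumed from public dictionaries)
ARUBA_ADMIN_ROLE = 4        # Aruba-Admin-Role vendor attribute, string type (assumed likewise)


def encode_admin_role_vsa(role: str) -> bytes:
    """Build one Vendor-Specific AVP carrying Aruba-Admin-Role=<role>.

    Layout: type(26) len | vendor-id(4 bytes) | vendor-type vendor-len value
    """
    value = role.encode("ascii")
    sub_attr = struct.pack("!BB", ARUBA_ADMIN_ROLE, 2 + len(value)) + value
    body = struct.pack("!I", ARUBA_VENDOR_ID) + sub_attr
    if 2 + len(body) > 255:
        raise ValueError("role name too long for a single RADIUS attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_admin_role(avps: bytes):
    """Walk a RADIUS attribute list; return the Aruba-Admin-Role string or None.

    Non-Aruba VSAs and other attributes are skipped; truncated data raises.
    """
    i = 0
    while i + 2 <= len(avps):
        atype, alen = avps[i], avps[i + 1]
        if alen < 2 or i + alen > len(avps):
            raise ValueError("malformed attribute list")
        if atype == VENDOR_SPECIFIC and alen >= 8:
            vendor_id = struct.unpack("!I", avps[i + 2:i + 6])[0]
            if vendor_id == ARUBA_VENDOR_ID:
                j, end = i + 6, i + alen
                while j + 2 <= end:
                    vtype, vlen = avps[j], avps[j + 1]
                    if vlen < 2 or j + vlen > end:
                        raise ValueError("malformed vendor sub-attribute")
                    if vtype == ARUBA_ADMIN_ROLE:
                        return avps[j + 2:j + vlen].decode("ascii")
                    j += vlen
        i += alen
    return None


if __name__ == "__main__":
    # Constructed Access-Accept attribute list: User-Name "alice" followed by the role VSA.
    reply = b"\x01\x07alice" + encode_admin_role_vsa("read-only")
    print(decode_admin_role(reply))   # read-only
```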

Guru Elite

Re: Mobility Manager admin login with AD accounts using LDAP

I honestly have not tried LDAP in ArubaOS 8.x, but in 6.x you certainly could decide what management role a user obtained by using the memberOf attribute to map AP groups to admin roles.  Again, LDAP is not a very efficient way of doing management authentication in ArubaOS.


Closing this thread.
