Add LDAP Configuration

Use the Add LDAP Configuration window to configure the LDAP servers on your network. You can access this window from the Control > Access Control tab. Expand the Configuration > Configurations > AAA > LDAP Configurations folder in the right panel and select Add. You can also access this window from the Manage LDAP Configurations tab. Any changes made in this window are written immediately to the ExtremeCloud IQ Site Engine database.

NOTE:	If you are using LDAPS, your ExtremeCloud IQ Site Engine / ExtremeControl environment must be configured to accept the new LDAPS server certificate. For information, see Server Certificate Trust Mode in the Secure Communications Help topic.

Add or Edit LDAP Configuration Window

Configuration Name Enter a name for the LDAP configuration. LDAP Connection URLs Use this table to add, edit, or delete connection URLs for the LDAP server and any backup servers you have configured. (The backup servers are redundant servers containing the same directory information.) Use the Up and Down arrows to arrange the order that the URLs are listed.

The format for the connection URL is ldap://host:port where host equals hostname or IP address, and the default port is 389. For example, ldap://10.20.30.40:389 . If you are using a secure connection, the format is ldaps://host:port and the default port is 636. For example, ldaps://10.20.30.40:636 . If you are using LDAPS, your ExtremeCloud IQ Site Engine / ExtremeControl environment must be configured to accept the new LDAPS server certificate. For information, see Server Certificate Trust Mode in the Secure Communications Help topic. If the LDAPS server URL uses FQDN then the LDAPS client (of both Access Control Engine and ExtremeCloud IQ Site Engine ) presents the Internal Communication Certificate to the LDAPS server. The best practice is to use a trusted certificate if the LDAPS URL is defined with FQDN, otherwise the LDAPS server may not accept the LDAPs connection. If the LDAPS server URL uses IP address then the LDAPS client (of both Access Control Engine and ExtremeCloud IQ Site Engine ) does not present the Internal Communication Certificate to the LDAPs server.

User Object Class- enter the name of the class used for users.
User Search Attribute- enter the name of the attribute in the user object class that contains the user's login ID.
Keep Domain Name for User Lookup- If selected, this option will allow the full username to be used when looking up the user in LDAP. For example, you should select this option when using the User Search Attribute: userPrincipalName.

LDAP Bind– This is the easiest option to configure, but only works with a plain text password. It is useful for authentication from the captive portal but does not work with most 802.1x authentication types.
NTLM Authentication– This option is only useful when the backend LDAP server is really a Microsoft Active Directory server. This is an extension to LDAP bind that uses ntlm_auth to verify the NT hash challenge responses from a client in MsCHAP, MsCHAPV2, and PEAP requests. If you want to run a NTLM Health Check, see NTLM Health Check and Advanced for the additional configuration steps.
NT Hash Password Lookup– If the LDAP server has the user’s password stored as an NT hash that is readable by another system, you can have ExtremeControl read the hash from the LDAP server to verify the hashes within an MsCHAP, MsCHAPV2, and PEAP request.
Plain Text Password Lookup– If the LDAP server has the user’s password stored unencrypted and that attribute is accessible to be read via an LDAP request, then this option reads the user’s password from the server at the time of authentication. This option can be used with any authentication type that requires a password.

Configure the interval and timeout for the test. See NTLM Health Check.
Select NTLM Health Check.
Enter the Username, Password, and theDomain to use for the health check tests.
Select OK.

The Access Control Engine expects a positive response from the domain controller for the health check authentication. If timeout happens or a negative response is received, the failover occurs and the Access Control Lost Partial Contact with LDAP Service alarm is generated.

You should only use the health check in an environment where you have multiple domain controllers deployed.
The health check should only be enabled if you have experienced this issue.
The Domain password policy requirement for periodic password check should be disabled for the health check account. The credentials used by the health check should always be working.

Active Directory: User Defaults- Settings that allow user authentication when ExtremeControl is set to proxy to LDAP and the server is an Active Directory machine.
Active Directory: Machine Defaults- Settings that allow machine authentication when ExtremeControl is set to proxy to LDAP and the server is an Active Directory machine.
Open LDAP Defaults -Settings that allow ExtremeControl to verify the user's password via an OpenLDAP server. See the NAC Manager How to Configure PEAP Authentication via OpenLDAP Help topic for information.
Novell eDirectory Defaults- Settings that allow ExtremeControl to read the universal password from Novell eDirectory. You must configure eDirectory to allow that password to be read. See the NAC Manager How to Configure PEAP Authentication via eDirectory help topic for information.

For information on related help topics: