
Domains and Realms

Menu path: Configuration > Policies and Access Control > Domains and Realms.

Two topics are covered on this page: Active Directory Domains and Realms.

The general format and usage of this page is discussed in General GUI Usage.

Active Directory Domains

Active Directory (AD) domain controllers (DCs) must be defined before AD-based authentication sources can be created. See Configuration for a discussion of domain usage during configuration. Realms are discussed below.

In addition to the standard delete and clone buttons, there is a button to rejoin a domain. A rejoin can be required if a previous domain join failed or some network element has changed.

New domains are added with the new-domain button. Two tabs are used:

Settings

The fields in the Settings tab are:

Identifier
    Usage: The name of the AD entry. It need not correspond to the DNS name of the AD server.
    Example: CorpAD

Workgroup
    Usage: The name of the Windows workgroup of which the AD server is a member.
    Example: example

DNS Name of the Domain
    Usage: The DNS name of the domain.
    Example: example.com

Sticky Domain Controller
    Usage: If set to other than "*", restricts access to a single DC by IP address. Otherwise any available DC will be used.
    Example: *

Active Directory Server
    Usage: The IP address or DNS name of the AD server used to perform the JOIN operation, monitoring, and NTLM operations.
    Example: 10.150.1.5

DNS Server(s)
    Usage: The IP address(es) of the DNS server(s) for the domain. Multiple entries are separated by commas.
    Example: 10.150.1.1,10.150.1.5

Organizational Unit
    Usage: The organizational unit (OU) in which the A3 server will be added to the domain. The OU string is read from top to bottom without any relative distinguished name.
    Example: Computers

Allow on Registration
    Usage: If enabled, the AD server will be reachable from the registration VLAN. This requires that passthroughs be enabled and configured to allow both the domain DNS name and each domain controller's DNS name.
    Example: slider off

When all of the fields are filled in, select Create and Join to save the settings and join the domain, or Reset to abandon the settings. Error messages are displayed if the join fails.

Note

It is frequently the case that the addition of the A3 server to the DNS fails due to security requirements on the DNS server. In this case, the A3 server should be added to the DNS server manually. The name of the A3 server is as entered during initial A3 installation, but can be changed later. The current DNS name can be found in the Configuration > System Configuration > Cluster page for the cluster master.

Note

After the first Active Directory Domain has been successfully added, a number of services must be restarted through the Status > Services page. For each of the following, find the row and press the RESTART button: radiusd, radsniff, netdata, and pfstats. These should be performed in the order indicated.

Note

When advised to restart any A3 service, the administrative interface for each cluster member must be used individually to perform the operation. Perform the operation on each member one at a time, waiting for the service(s) to completely restart.

Note

When operating in a cluster, a JOIN operation must be performed individually on each cluster member.

NTLM Cache

The settings on this tab refer to caching of NTLM lookups in the AD servers. The fields are:

NTLM Cache
    Usage: If enabled, NTLM caching is performed for this domain.
    Example: slider off

Source
    Usage: The AD server used for NTLM caching. Choose from a list of defined Active Directory servers.
    Example: 10.150.1.5

LDAP Filter
    Usage: An LDAP filter used to select the users that should be cached.
    Example: (&(samAccountName=*)(!(|(lockoutTime=>0)(userAccountControl:1.2.840.113556.1.4.803:=2))))

Expiration
    Usage: The length of time that entries should be cached, expressed in seconds.
    Example: 3600

NTLM Cache Background Job
    Usage: If enabled, all users matching the LDAP filter will be inserted in the cache via a background job.
    Example: slider off

NTLM Cache Background Job Individual Fetch
    Usage: If enabled, AD users will be fetched one by one instead of in a single batch fetch. This is useful when an AD is loaded or experiencing issues during a sync operation. Note that this makes the batch job approximately 4 times slower.
    Example: slider off

NTLM Cache on Connection
    Usage: If enabled, an asynchronous job will cache the NTLM credentials of users when they connect.
    Example: slider off
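The example LDAP filter above decides whose NTLM credentials end up in the cache, so it is worth being able to check what it excludes. The following Python is an added illustration, not A3 or PacketFence code: it models the three clauses of the filter (account name present, not locked out, not disabled via the ACCOUNTDISABLE bit that the 1.2.840.113556.1.4.803 bit-AND matching rule tests) and runs them over constructed user records. The lockoutTime clause is modelled as "locked out if lockoutTime is greater than zero"; note that RFC 4515 spells the ordering operator as ">=", so the string "lockoutTime=>0" as written is an equality match against the literal ">0", and the filter that your directory actually accepts should be verified against a known locked-out account.

```python
"""Evaluate the NTLM-cache LDAP filter clauses against constructed AD user
entries, so the effect of each clause can be checked offline.
Added illustration; not A3/PacketFence code. All user records are constructed."""

from __future__ import annotations

# userAccountControl flag for a disabled account (documented Microsoft value).
ACCOUNTDISABLE = 0x0002

# Constructed sample of what an AD search might return. lockoutTime is the
# Windows FILETIME of the lockout; 0 or absent means the account is not locked.
SAMPLE_USERS = [
    {"samAccountName": "alice", "lockoutTime": 0, "userAccountControl": 0x200},
    {"samAccountName": "bob", "lockoutTime": 132900000000000000, "userAccountControl": 0x200},
    {"samAccountName": "carol", "lockoutTime": 0, "userAccountControl": 0x200 | ACCOUNTDISABLE},
    {"samAccountName": "svc-backup", "userAccountControl": 0x10200},  # no lockoutTime attribute
    {"lockoutTime": 0, "userAccountControl": 0x200},                  # no samAccountName at all
]


def is_locked_out(user: dict) -> bool:
    """lockoutTime clause: a non-zero lockout timestamp means the account is locked."""
    return int(user.get("lockoutTime", 0)) > 0


def is_disabled(user: dict) -> bool:
    """(userAccountControl:1.2.840.113556.1.4.803:=2): LDAP_MATCHING_RULE_BIT_AND,
    i.e. true when the ACCOUNTDISABLE bit is set in userAccountControl."""
    return bool(int(user.get("userAccountControl", 0)) & ACCOUNTDISABLE)


def matches_cache_filter(user: dict) -> bool:
    """(&(samAccountName=*)(!(|(locked)(disabled)))): name present, and neither
    locked out nor disabled."""
    if "samAccountName" not in user:
        return False
    return not (is_locked_out(user) or is_disabled(user))


def users_to_cache(users: list[dict]) -> list[str]:
    """Sorted account names the background job would insert into the NTLM cache."""
    return sorted(u["samAccountName"] for u in users if matches_cache_filter(u))


if __name__ == "__main__":
    for u in SAMPLE_USERS:
        name = u.get("samAccountName", "<no samAccountName>")
        print(f"{name:22} cached={matches_cache_filter(u)}")
    print("would cache:", users_to_cache(SAMPLE_USERS))
```

Of the constructed records only alice and svc-backup are cached: bob is locked out, carol is disabled, and the last entry has no samAccountName. Tightening the filter (for example by OU or group membership) narrows the set of credentials held in the cache.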

Realms

Realms specify which users are authenticated against which domain. The relationship of realms to other configuration settings is further described in Configuration.

Three realms are predefined (DEFAULT, NULL, and LOCAL), but must be edited before they are useful.

In a simple case in which a single domain will be used, Extreme Networks suggests that the DEFAULT and NULL realms be edited to point to the single Active Directory domain.

New realms are added with the new-realm button. The fields are:

Realm
    Usage: The name of the realm, which should specify the domain of usage.
    Example: example-int.com

NTLM Auth Configuration

Domain
    Usage: Optionally select one of the defined domains for use in authentication in the realm. Domains can be omitted in the local realm as well as in other realms that don't require AD authentication.
    Example: CorpAD

FreeRADIUS Proxy Configuration

Realm Options
    Usage: A3 uses FreeRADIUS as its embedded RADIUS server. FreeRADIUS options can be used to qualify the realm's operation. For example, add "nostrip" to avoid having the username stripped of the @... domain when proxying the RADIUS request.
    Example: nostrip

RADIUS AUTH
    Usage: The RADIUS server(s) used to proxy authentication. The list is composed of entries from Configuration > Policies and Access Control > Authentication Sources > Internal Authentication Sources > RADIUS.
    Example: (none)

Type
    Usage: The home authentication server pool type. One of: Keyed Balance, Failover, Load Balance, Client Balance, or Client Port Balance.
    Example: Keyed Balance

Authorize from A3
    Usage: If enabled, the request will be forwarded to A3 for a dynamic answer. If disabled, the remote proxy server will answer.
    Example: slider on

RADIUS Accounting Proxy Servers
    Usage: The RADIUS server(s) used to proxy accounting. The list is composed of entries from Configuration > Policies and Access Control > Authentication Sources > Internal Authentication Sources > RADIUS.
    Example: (none)

Type
    Usage: The home accounting server pool type. One of: Keyed Balance, Failover, Load Balance, Client Balance, or Client Port Balance.
    Example: Load Balance

FreeRADIUS Eduroam Proxy Configuration

Eduroam Realm Options
    Usage: Options for FreeRADIUS proxying to a local server.
    Example: nostrip

Eduroam RADIUS AUTH
    Usage: The RADIUS server(s) used to proxy Eduroam authentication. The list is composed of entries from Configuration > Policies and Access Control > Authentication Sources > Internal Authentication Sources > RADIUS.
    Example: (none)

Type
    Usage: The home authentication server pool type. One of: Keyed Balance, Failover, Load Balance, Client Balance, or Client Port Balance.
    Example: Keyed Balance

Authorize from A3
    Usage: If enabled, the request will be forwarded to A3 for a dynamic answer. If disabled, the remote proxy server will answer.
    Example: slider on

Eduroam RADIUS Accounting Proxy Servers
    Usage: The RADIUS server(s) used to proxy accounting. The list is composed of entries from Configuration > Policies and Access Control > Authentication Sources > Internal Authentication Sources > RADIUS.
    Example: (none)

Type
    Usage: The home accounting server pool type. One of: Keyed Balance, Failover, Load Balance, Client Balance, or Client Port Balance.
    Example: Load Balance

Stripping Configuration

Strip in the Captive Portal
    Usage: If enabled, the username matching this realm will be stripped when it is supplied to a captive portal web page.
    Example: slider on

Strip in the Administrative Interface
    Usage: If enabled, the username matching this realm will be stripped when it is supplied for login to A3's administrative interface.
    Example: slider on

Strip in RADIUS Authorization
    Usage: If enabled, the username matching this realm will be stripped when used in the authorization phase of 802.1X. This does not control the stripping in FreeRADIUS; the Realm Options should be used for that.
    Example: slider on

Custom Attributes
    Usage: If enabled, allows the use of custom attributes to authenticate 802.1X users.
    Example: slider off

LDAP Source
    Usage: The LDAP server to use to query the custom attributes.
    Example: (none)
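To make the realm selection and the three stripping switches concrete, here is an added Python illustration (not A3 or PacketFence code) of how a login name is mapped to a realm and how the username is presented to each consumer. The realm table, the use of "null" for names without a realm part and "default" for unrecognised realm parts, and the sample settings are constructed assumptions for the example; the real product's matching order and option handling are defined by its configuration, not by this code.

```python
"""Map a login name to a realm and apply that realm's stripping settings.
Added illustration of the Realms table on this page; not A3/PacketFence code.
All realm names and settings below are constructed sample configuration."""

from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Realm:
    name: str
    domain: str | None = None              # AD domain used for NTLM authentication, if any
    strip_portal: bool = True              # "Strip in the Captive Portal"
    strip_admin: bool = True               # "Strip in the Administrative Interface"
    strip_radius_authz: bool = True        # "Strip in RADIUS Authorization"
    options: set = field(default_factory=set)  # FreeRADIUS realm options, e.g. {"nostrip"}


# Constructed sample realm table. "null" serves names with no realm part and
# "default" serves realm parts that match no configured realm (assumption).
REALMS = {
    "example-int.com": Realm("example-int.com", domain="CorpAD"),
    "partner.example": Realm("partner.example", strip_radius_authz=False, options={"nostrip"}),
    "null": Realm("null", domain="CorpAD"),
    "default": Realm("default"),
}


def split_login(login: str) -> tuple[str, str | None]:
    """Return (user, realm_part). Accepts user@realm and REALM\\user forms;
    a bare user name has no realm part."""
    if "\\" in login:
        realm, user = login.split("\\", 1)
        return user, realm.lower()
    if "@" in login:
        user, realm = login.rsplit("@", 1)
        return user, realm.lower()
    return login, None


def resolve_realm(login: str) -> Realm:
    """Pick the realm for a login: null realm if no realm part, default if unknown."""
    _, realm_part = split_login(login)
    if realm_part is None:
        return REALMS["null"]
    return REALMS.get(realm_part, REALMS["default"])


def username_for(login: str, context: str) -> str:
    """Username as handed to one consumer: 'portal', 'admin' or 'radius_authz'.
    Stripping removes the realm part; otherwise the full login is passed through."""
    user, _ = split_login(login)
    realm = resolve_realm(login)
    strip = {
        "portal": realm.strip_portal,
        "admin": realm.strip_admin,
        "radius_authz": realm.strip_radius_authz,
    }[context]
    return user if strip else login


if __name__ == "__main__":
    for login in ("alice@example-int.com", "bob@partner.example", "carol", "dave@unknown.test", "CORP\\eve"):
        realm = resolve_realm(login)
        print(f"{login:24} realm={realm.name:16} domain={realm.domain} "
              f"authz_user={username_for(login, 'radius_authz')}")
```

In the sample table, partner.example keeps the full login for RADIUS authorization and carries "nostrip" for the FreeRADIUS proxy, so the two stripping layers the page distinguishes (A3's own switches versus the FreeRADIUS realm option) stay consistent for that realm; a realm where one strips and the other does not is a common source of usernames that authorize under one identity and are proxied under another.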

Copyright © 2021 Extreme Networks. All rights reserved. Published April 2021.