Active Directory Server Settings

Configure AD (Active Directory) servers.

Navigation

Navigate using the tab icons. Hover over an icon to see the name of the tab.

Configure > Network Policies > policy_name > Wireless Networks > SSID_name > Authenticate via RADIUS Server > Extreme RADIUS Server > Extreme_RADIUS_server-name > AAA Server Profile > Active Directory

Note

MAC Authentication must be enabled to configure Active Directory servers.

Configure an Active Directory Database

An Extreme Networks AP can act as a RADIUS authentication server and respond to 802.1X authentication requests from other devices acting as RADIUS authenticators. The Extreme Networks RADIUS server can store user accounts locally or check user login credentials against user accounts stored externally on Active Directory or LDAP user database servers.

Note

The user database can be stored locally on the Extreme Networks RADIUS authentication server or externally on an Active Directory server, or you can store some user accounts externally and others locally.

When you select an Extreme Networks AP device as a RADIUS server, you can then configure where you want to store user accounts. In the AAA profile step, you can select Active Directory to store user accounts. See Configure AAA Server Settings in AAA Server Settings. After you enter the name and description for the AAA server profile, select Active Directory as the repository for user accounts. After you enter the required information and upload the configuration, a RADIUS authentication server can communicate with an Active Directory server. Similarly, you can select an LDAP server as the repository for user accounts. For more information, see LDAP Servers.

Add an Active Directory Object

If an Active Directory server has not been created, you can add one. To add and configure a new Active Directory server for RADIUS authentication, you must first create a network policy and an SSID with WPA/WPA2 802.1X Enterprise access security. In the Authenticate via RADIUS Server section, select , and select Extreme Networks RADIUS server. From the drop-down list highlight a device to configure as a RADIUS server, and then choose Select. In the window that appears, select AAA Server Settings. In the AAA Server Profile dialog box, enter the name and a description in their respective fields. Then, from the User Database tab, select Active Directory. You can add and configure a new Active Directory server if you do not see one in the drop-down list.

Configure an Active Directory Object

In the dialog box, select Add to configure an Active Directory object.

Enter the following information in sequence in the dialog box, and then select a series of Next steps to update and configure devices, retrieve the Base DN, configure join credentials, and then test and validate the domain user credentials. These steps require you to enter your domain credentials, and your local DNS server IP address.

Name: Enter a name, which can contain up to 32 characters. This is the name of the AD object and does not need to match the host name of the server.

Domain: Enter the Windows domain name to which the RADIUS authentication server and Active Directory server both belong, including parent domains, such as .com, .net, .org, and so on; for example, Extreme Networks.com. The domain name can contain up to 64 characters.

The Auto and Manual mode options let you either configure the Domain and Realm fields manually or let Active Directory and ExtremeCloud IQ handle them automatically.

Auto is the default setting. In this mode, the Active Directory Server and the BaseDN fields are locked, so you cannot enter values because this information is automatically configured by Active Directory. If you have a specific configuration, and want to enter values, select Manual, complete the fields, and then select Next.

Manual: In the manual mode, you must enter a short domain name and a realm name.

Active Directory Server: From the drop-down list, choose a previously defined IP object or host name for the Active Directory server that contains the user accounts you want the RADIUS authentication server to authenticate. If you do not see the one that you need listed, select New and add an IP object or host name. Enter an IPv4 or IPv6 address, or host name in the Active Directory Server field. ExtremeCloud IQ automatically creates a corresponding IP object or host name. You can also select an existing server and select to change its settings.

BaseDN: This is the Base Distinguished Name, or the starting point for directory server searches, and the point in the directory tree structure under which the server stores user accounts in its database.

Short Domain Name: Enter the domain name, which can contain up to 64 characters. This is equivalent to the domain name.

Realm: The realm name corresponds to the user account location, which is often the same as the domain name. Although the realm name can be the same as the domain name, this is not always true. For example, authentication for a domain might be divided into multiple realms. One user might authenticate to the engineering.extreme.com realm and another to marketing.extreme.com, both within the extreme.com domain.

Computer OU: Set the OU (organizational unit) where the Extreme Networks RADIUS server has privileges to add itself as a computer in the domain, or leave it blank. The default is the Computers OU, but you can configure this field to point to any container, based on your facility security policy. The host names of Extreme Networks RADIUS servers stored in the computer OU on the Active Directory server cannot contain more than 256 characters and cannot contain underscores.

Note

By default, the RADIUS server attempts to add itself into "Computers" unless you specify a computer-ou here. Because you might not want to give a device access to the Computers container, you can create your own OU and give the device user permissions to create computers (that is, to add itself) to the specified OU. For example, the computer OU might be "wireless/APs".

Enable TLS Encryption: Select the check box to enable TLS (Transport Layer Security) to encrypt the user look-up requests that the Extreme Networks RADIUS server sends to the Active Directory server. Clear the check box to disable TLS encryption and send the look-up requests in plain text.
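The following is an added example, not ExtremeCloud IQ code: a pre-flight checker that validates the Active Directory object fields described above (name and domain length limits, realm within domain, a Manual-mode BaseDN consistent with the domain, computer-OU host name rules, and the TLS setting) before the configuration is uploaded. The field names, the DC-component derivation of the BaseDN, and the sample values are assumptions made for the example.

```python
"""Pre-flight checks for an Active Directory object (added example, not vendor code)."""
from dataclasses import dataclass, field


@dataclass
class ADObject:
    name: str                 # AD object name, up to 32 characters
    domain: str               # Windows domain, e.g. "extreme.com", up to 64 characters
    realm: str                # often equal to the domain, or a realm beneath it
    ad_server: str            # IP address or host name of the AD server
    base_dn: str = ""         # empty in Auto mode; set explicitly in Manual mode
    computer_ou: str = ""     # empty means the default "Computers" container
    tls_enabled: bool = True  # "Enable TLS Encryption" check box
    radius_hostnames: list = field(default_factory=list)  # RADIUS servers joining the OU


def derive_base_dn(domain):
    """Assumed Manual-mode helper: 'extreme.com' -> 'DC=extreme,DC=com'."""
    return ",".join(f"DC={label}" for label in domain.strip(".").split("."))


def check_ad_object(obj):
    """Return a list of findings; an empty list means the object passes every check."""
    findings = []
    if not obj.name or len(obj.name) > 32:
        findings.append("name must be 1-32 characters")
    if not obj.domain or len(obj.domain) > 64:
        findings.append("domain must be 1-64 characters")
    # The realm is either the domain itself or a realm beneath it (engineering.extreme.com).
    if not (obj.realm == obj.domain or obj.realm.endswith("." + obj.domain)):
        findings.append(f"realm {obj.realm} is not within domain {obj.domain}")
    # A Manual-mode BaseDN may point below the domain root, but must end in its DC components.
    expected = derive_base_dn(obj.domain)
    if obj.base_dn and not obj.base_dn.upper().endswith(expected.upper()):
        findings.append(f"BaseDN {obj.base_dn} does not belong to domain {obj.domain} ({expected})")
    for host in obj.radius_hostnames:
        if len(host) > 256 or "_" in host:
            findings.append(f"RADIUS host name {host!r} exceeds 256 characters or contains an underscore")
    if not obj.computer_ou:
        findings.append("computer OU is empty: the device will add itself to the default Computers container")
    if not obj.tls_enabled:
        findings.append("TLS disabled: user look-ups to the AD server are sent in plain text")
    return findings


if __name__ == "__main__":
    # Constructed sample values for demonstration only.
    sample = ADObject(name="corp-ad", domain="extreme.com", realm="engineering.extreme.com",
                      ad_server="10.0.0.5", base_dn="OU=Staff,DC=extreme,DC=com",
                      computer_ou="wireless/APs", tls_enabled=False, radius_hostnames=["ap_lobby"])
    for finding in check_ad_object(sample):
        print("FINDING:", finding)
```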

Copyright © 2020 Extreme Networks. All rights reserved. Published March 2020.