Configure an LDAP Server

About this task

Administrators have the option of using RADIUS server resources to authenticate users against an external LDAP server resource. Using an external LDAP user database allows the centralization of user information and reduces administrative overhead, making the RADIUS authorization process more secure and efficient.

RADIUS is a protocol for querying a user database such as LDAP. LDAP itself is only a store of user credentials; it can optionally back the RADIUS server so that user credentials are managed from a secure remote location and local resources are freed. The local controller or service platform RADIUS resources provide the tools to authenticate users and to authorize them based on complex checks and logic.

To configure an LDAP server for use with the RADIUS server:

Procedure

  1. Go to Policies > RADIUS Server.
  2. Select a policy from the RADIUS Server list and navigate to the LDAP dashboard.
  3. Select Add to configure LDAP Server settings:
    Redundancy
    • Define whether this LDAP server is a primary or secondary server resource. Primary servers are always queried first. The Primary option is selected by default.
      Tip: Designating at least one secondary server is good practice, so that RADIUS user information remains available if a primary server is unavailable.
    Network
    • IP Address - Set the IP address or FQDN (128 characters maximum) of the external LDAP server that acts as the data source for the RADIUS server.
    • Login - Define a unique login name used to access the remote LDAP server. Using a distinct login name for each LDAP server increases the security of the connection to that server.
    • Port Number - Use the spinner control to set the port number the RADIUS server uses to connect to the remote LDAP server. The default is 389.
    • Timeout - Set the interval, from 1 to 10 seconds, that the local RADIUS server waits for a response from the primary or secondary LDAP server. The default is 10 seconds.
    Access
    • Secure Mode - Specify the security mode used when connecting to the external LDAP server: start-tls or tls-mode. The start-tls mode upgrades a plaintext connection to an encrypted connection using TLS. The default port for start-tls is 389; the default port for tls-mode is 636.
    • Bind DN - Specify the distinguished name (DN) used to bind to the LDAP server. A DN uniquely identifies an entry in the LDAP directory and is made up of attribute=value pairs separated by commas.
    • Base DN - Specify the DN that establishes the base object for the search, that is, the point in the LDAP tree at which searching starts. LDAP DNs begin with the most specific attribute (usually some kind of name) and continue with progressively broader attributes, often ending with a country attribute. The first component of the DN is the Relative Distinguished Name (RDN); it distinguishes an entry from all other entries with the same parent.
    • Bind Password - Type a valid password for the LDAP server. The password cannot exceed 32 characters.
    • Password Attribute - Type the LDAP server password attribute. The attribute name cannot exceed 64 characters.
    Attribute
    • Group Attribute - Specify the group attribute used by the LDAP server, for example a group name, group ID, password, or group membership name. LDAP servers can evaluate dynamic groups: an administrator defines search criteria, and every user matching those criteria is treated as a member of the dynamic group.
    • Group Filter - The group filter used by the LDAP server. This filter is typically used for security role-to-group assignments and specifies the property used to look up groups in the directory service.
    • Group Membership Attribute - The group member attribute sent to the LDAP server when authenticating users.
  4. Select Add to update the LDAP server settings.
  5. Select Save to commit the LDAP settings.
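The following is an added example, not part of this documentation or of the product, that models offline the group lookup the Base DN, Group Filter and Group Membership Attribute settings above drive: it parses DNs into RDN pairs, restricts the search to entries under the Base DN, evaluates a minimal LDAP filter and reports which matching groups list the user in the membership attribute. The directory entries, user names and group names are constructed sample data.

```python
import re  # offline model of the RADIUS -> LDAP group lookup configured above

def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, first pair being the RDN; case is folded."""
    return [(a.strip().lower(), v.replace('\\,', ',').strip().lower())
            for a, _, v in (p.partition('=') for p in re.split(r'(?<!\\),', dn))]

def under_base(dn, base_dn):
    """True if dn sits at or below base_dn, i.e. base_dn is a suffix of its RDN chain."""
    d, b = parse_dn(dn), parse_dn(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def split_top(s):
    """Return the top-level parenthesised components of a filter body."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        depth += 1 if ch == '(' else -1 if ch == ')' else 0
        if ch == '(' and depth == 1: start = i
        if ch == ')' and depth == 0: parts.append(s[start:i + 1])
    return parts

def matches(entry, filt):
    """Evaluate a minimal RFC 4515 filter: (attr=value), (attr=*), (&..), (|..), (!..)."""
    body = filt.strip()[1:-1]
    if body[0] == '&':
        return all(matches(entry, f) for f in split_top(body[1:]))
    if body[0] == '|':
        return any(matches(entry, f) for f in split_top(body[1:]))
    if body[0] == '!':
        return not matches(entry, split_top(body[1:])[0])
    attr, _, value = body.partition('=')
    values = [v.lower() for v in entry.get(attr.strip().lower(), [])]
    return bool(values) if value == '*' else value.lower() in values

def authorize(directory, base_dn, group_filter, membership_attr, user_dn):
    """Names (RDN values) of groups under base_dn that match group_filter and list
    user_dn in the membership attribute: the check driven by the settings above."""
    user = parse_dn(user_dn)
    return sorted(parse_dn(dn)[0][1] for dn, entry in directory.items()
                  if under_base(dn, base_dn) and matches(entry, group_filter)
                  and any(parse_dn(m) == user for m in entry.get(membership_attr.lower(), [])))

def group(name, *members):  # builds a constructed groupOfNames entry
    return {'objectclass': ['groupOfNames'], 'cn': [name], 'member': list(members)}

ALICE, BOB = 'uid=alice,ou=people,dc=example,dc=com', 'uid=bob,ou=people,dc=example,dc=com'
DIRECTORY = {  # constructed sample data, not taken from any real server
    'cn=wifi-admins,ou=groups,dc=example,dc=com': group('wifi-admins', ALICE),
    'cn=contractors,ou=groups,dc=example,dc=com': group('contractors', ALICE, BOB),
    'cn=legacy,ou=archive,dc=example,dc=com': group('legacy', ALICE),  # outside the Base DN
}
```

Calling `authorize(DIRECTORY, 'ou=groups,dc=example,dc=com', '(objectClass=groupOfNames)', 'member', ALICE)` returns the two groups under the Base DN and ignores the `ou=archive` entry, which shows why a Base DN that is too broad or too narrow changes which role assignments a RADIUS user receives.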