ldap-agent

Configures the LDAP agent‘s settings in the RADIUS server policy context

When a user's credentials are stored on an external LDAP server, the local RADIUS server cannot successfully conduct PEAP-MSCHAPv2 authentication, since it is not aware of the user's credentials maintained on the external LDAP server resource. Therefore, up to two LDAP agents can be provided locally so remote LDAP authentication can be successfully accomplished on the remote LDAP resource (using credentials maintained locally).

This feature is available to all controller, service platforms and access point models.

Supported on the following devices:

Syntax

ldap-agent [join|join-retry-timeout|primary|secondary]
ldap-agent [join {on <DEVICE-NAME>}|join-retry-timeout <60-300>]
ldap-agent [primary|secondary] domain-name <LDAP-DOMAIN-NAME> domain-admin-user 
<ADMIN-USER-NAME> domain-admin-password [0 <WORD>|2 <WORD>]

Parameters

ldap-agent [join {on <DEVICE-NAME>}|join-retry-timeout <60-300>]

ldap-agent

 Configures the LDAP agent‘s settings

join {on <DEVICE-NAME>}

 Initiates the join process, which binds the RADIUS server with the LDAP server‘s (Windows) domain. When successful, the hostname (name of the AP, wireless controller, or service platform) is added to the LDAP server‘s Active Directory.
  • on <DEVICE-NAME> – Optional. Specifies the device name
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
Note: To confirm the join status of a controller, use the show > ldap-agent > join-statuscommand.
join-retry-timeout <60-300> If the join process fails (i.e. the RADIUS server fails to join the LADP server‘s domain), the process is retried after a specified interval. This command configures the interval (in seconds) between two successive join attempts.
  • <60-300> – Set the timeout value from 60 - 300 seconds. The default is 60 seconds.
Note: A retry timer is initiated as soon as the join process starts, which tracks the time lapse in case of a failure.
 
ldap-agent [primary|secondary] domain-name <LDAP-DOMAIN-NAME> domain-admin-user 
<ADMIN-USER-NAME> domain-admin-password [0 <WORD>|2 <WORD>]

ldap-agent

 Configures the LDAP agent‘s settings

primary

 Configures the primary LDAP server details, such as domain name, user name, and password. The RADIUS server uses these credentials to bind with the primary LDAP server.

secondary

 Configures the secondary LDAP server details, such as domain name, user name, and password. The RADIUS server uses these credentials to bind with the secondary LDAP server.

domain-name <LDAP-DOMAIN-NAME>

 This keyword is common to both the ‘primary‘ and ‘secondary‘ parameters.
  • domain-name – Configures the primary or secondary LDAP server‘s domain name
    • <LDAP-DOMAIN-NAME> – Specify the domain name.

domain-admin-user <ADMIN-USER-NAME>

 This keyword is common to both the ‘primary‘ and ‘secondary‘ parameters.
  • domain-admin-user – Configures the primary or secondary LDAP server‘s admin user name
    • <ADMIN-USER-NAME> – Specify the admin user‘s name.
domain-admin-password [0 <WORD>| 2 <WORD>] This keyword is common to both the ‘primary‘ and ‘secondary‘ parameters.
  • domain-admin-password – Configures the primary or secondary LDAP server‘s admin user password
    • 0 <WORD> – Specifies the password in the unencrypted format
    • 2 <WORD> – Specifies the password in the encrypted format

Examples

nx9500-6C8809(config-radius-server-policy-test)#ldap-agent primary domain-name
test domain-admin-user Administrator domain-admin-password 0 test@123
nx9500-6C8809(config-radius-server-policy-test)#show context
radius-server-policy test
 ldap-agent primary domain-name test domain-admin-user Administrator domain-admin-password 0 test@123
nx9500-6C8809(config-radius-server-policy-test)#

Related Commands

no Removes LDAP agent settings from this RADIUS server policy
9037762-01 Rev AA