WC7520 & WC7600: External authentication using LDAP with Active Directory
This article describes how to configure the WC7520 and WC7600 wireless controllers to direct authentication of wireless clients to Active Directory using LDAP.
This procedure should be used for basic installations where you want clients to authenticate using credentials from the LDAP server and are not concerned with restricting which accounts or OUs from Active Directory can log on. If you require a more advanced set-up, use external authentication via RADIUS, which is described in the following articles:
For this configuration, you need the following information from the Active Directory server:
- IP address of the server
- User Base DN (see note 1 at the bottom of this article for more information)
- Workgroup Name (this corresponds to the NETBIOS name of the domain)
- Admin Domain (this corresponds to the FQDN of the domain)
- Domain Admin User
- Domain Admin Password
Configure the WC7520 and WC7600 Wireless Controllers
To configure the WC7520 and WC7600 wireless controllers:
1. From the admin interface of the controller, go to Configuration > System > IP/VLAN.
Ensure that the DNS settings are configured correctly for your domain. In most cases, but not all, the primary DNS server should point to the IP address of the Active Directory server.
2. Go to Configuration > Security > Authentication Server and select External LDAP server.
3. In the Server IP field, enter the IP address of the Active Directory server.
4. In the User Base DN field, enter a valid lookup string for your Active Directory server.
For more information, see note 1 at the bottom of this article.
5. In the Workgroup Name field, enter the NETBIOS name of the domain.
6. In the Admin Domain field, enter the FQDN of the domain.
7. Enter domain admin username and password in the corresponding fields.
8. To configure an SSID, go to Configuration > Profile > Basic > Radio.
9. Set Network Authentication to WPA with Radius / WPA2 with Radius / WPA & WPA2 with Radius.
10. Set Authentication Server to External - basic LDAP.
Configure the Wireless Client
Next, configure the client. Here we demonstrate the configuration on a Windows 7 client.
To configure the wireless client:
1. Go to Control Panel > Network and Sharing Center > Manage wireless networks > Add.
2. Select Manually create a network profile.
3. In Network name, enter the SSID that was configured previously in the controller.
4. For Security type, choose either WPA-Enterprise or WPA2-Enterprise depending on which option was configured in the controller previously.
5. Click the Next button and then click the Change connection settings button.
6. Go to the Security tab and click the Settings button.
7. Unselect Validate server certificate and then click the Configure button.
8. Unselect Automatically use my Windows logon name and password.
9. Click the OK button twice and then click the Advanced settings button.
10. Under the 802.1X settings tab, select Specify authentication mode and select User authentication. Click the OK button.
The client connects to the wireless network and prompts you to enter the network authentication information.
11. Enter the username and password from Active Directory.
The client connects.
Notes
Note 1. The User Base DN tells the controller where in Active Directory to search for user accounts. It does not, however, restrict which OUs' accounts can log in: any account that the LDAP bind can find and authenticate is accepted. When this kind of restriction is required, use RADIUS instead. To find the string to use as the User Base DN, run the dsquery command in a command prompt on the AD server.
For example, running dsquery user -name andy returns CN=andy,OU=L3,DC=netgearsupport,DC=local. The string to enter as the User Base DN is the part after the CN component, in this case OU=L3,DC=netgearsupport,DC=local.
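The following Python snippet is an added example, not part of the NETGEAR article or the controller firmware. It derives the User Base DN from a dsquery-style user DN the way note 1 describes, while honouring LDAP backslash escapes (RFC 4514) so that a comma inside a name does not split the DN in the wrong place. The is_under_base() helper is an assumption for illustration only: it shows the kind of OU-scoping check that, per the note, the controller's basic LDAP mode does not perform and that you would need RADIUS for. The DNs used are constructed sample values.

```python
"""Derive the User Base DN from a user DN returned by dsquery (added example)."""
from typing import List


def split_dn(dn: str) -> List[str]:
    """Split an LDAP DN into its RDN components.

    A backslash escapes the following character (RFC 4514), so a DN such as
    CN=Smith\\, Andy,OU=L3,DC=example,DC=local keeps the comma inside the CN.
    """
    parts: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).strip())
    return parts


def user_base_dn(user_dn: str) -> str:
    """Drop the leading CN= RDN of a user DN and return its parent container.

    This is the value the article says to enter as User Base DN on the controller.
    """
    rdns = split_dn(user_dn)
    if len(rdns) < 2 or not rdns[0].upper().startswith("CN="):
        raise ValueError(f"not a user DN: {user_dn!r}")
    return ",".join(rdns[1:])


def is_under_base(user_dn: str, base_dn: str) -> bool:
    """Case-insensitive check that user_dn is located beneath base_dn.

    Hypothetical helper (assumption, not controller behaviour): it illustrates
    the per-OU restriction that basic LDAP mode does not enforce.
    """
    user = [r.upper() for r in split_dn(user_dn)]
    base = [r.upper() for r in split_dn(base_dn)]
    return len(base) < len(user) and user[-len(base):] == base


if __name__ == "__main__":
    # Constructed sample DN matching the article's dsquery example.
    sample = "CN=andy,OU=L3,DC=netgearsupport,DC=local"
    base = user_base_dn(sample)
    print("User Base DN:", base)
    # An account in a different OU is still "found" by the controller's search
    # base only if it lives below it; this check is what RADIUS would give you.
    print(is_under_base("CN=bob,OU=Sales,DC=netgearsupport,DC=local", base))
```

Run the script on the DN that dsquery prints for any user account; the printed User Base DN is the string to paste into the controller. If split_dn() returns more components than you expect, the name probably contains an escaped comma, which is exactly the case a naive split on "," would get wrong.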
Note 2. To allow the accounts from Active Directory to log in, the Allow access option under Network Access Permission must be enabled under the Dial-in tab in the account properties in Active Directory.
Published 11/28/2014 02:59 AM | Updated 02/02/2016 07:17 AM