TECHNICAL REPORT

This document has been archived and will no longer be maintained or updated. For more information go to the Storage Solutions Technical Documents page on Dell TechCenter or contact support.

Using Windows Active Directory for Account Authentication to PS Series Groups

ABSTRACT
This document details how administrators can control login authentication to a Dell EqualLogic™ PS Series Group using Windows domain user accounts and RADIUS clients.

TR1035 V2.
Copyright © 2010 Dell Inc. All Rights Reserved. Dell EqualLogic is a trademark of Dell Inc. All trademarks and registered trademarks mentioned herein are the property of their respective owners. Possession, use, or copying of the documentation or the software described in this publication is authorized only under the license agreement specified herein. Dell, Inc. will not be held liable for technical or editorial errors or omissions contained herein. The information in this document is subject to change.
PREFACE
Thank you for your interest in Dell EqualLogic™ PS Series storage products. We hope you will find the PS Series products intuitive and simple to configure and manage. PS Series arrays optimize resources by automating volume and network load balancing. Additionally, PS Series arrays offer all-inclusive array management software, host software, and free firmware updates.
TABLE OF CONTENTS
Revision Information ..... iii
Introduction ..... 1
  Prerequisites ..... 1
  Steps Covered in This Document .....
REVISION INFORMATION
The following table describes the release history of this Technical Report.

Revision   Report Date    Document Revision
1.0        January 2008   Initial Release
2.0        May 2010       Added steps for Windows 2008 NPS and PS Series array firmware enhancements in version 5.0.0
2.1        October 2010   Added steps for CHAP authentication through RADIUS

The following table shows the software and firmware used for the preparation of this Technical Report.
INTRODUCTION
Enterprises of all sizes consolidate user management and authentication into services such as Active Directory. It is common in these environments to want to control administrator accounts in the PS Series SAN from Active Directory.
PREPARE THE SERVER AND PS GROUP FOR RADIUS AUTHENTICATION
This section covers installing Network Policy Services, configuring the PS Series group as a RADIUS client on the NPS server, and configuring the PS Series group to recognize and accept login attempts from the RADIUS server.

Installing and Configuring Network Policy Services
This procedure assumes you will install and configure these services on the same server hosting Active Directory.
Figure 1: New RADIUS Client

Enter the following information:
o In the Friendly name field, enter a name for the client. We suggest using the PS Series group name.
o In the Client address field, enter the PS Series group IP address. (Verifying the address is optional.)
o In the Vendor name drop-down list, select RADIUS Standard, if not already selected.
o Check the Manual option if not already checked, and enter and confirm a Shared secret (password).
Using the Group Manager GUI
To configure the group using the Group Manager GUI:
o Log in to the Group Manager GUI.
o Click Group Configuration > Administration tab (Figure 2).

Figure 2: PS Series Group Manager – Administration

o In the RADIUS Authentication panel, select the checkboxes Enable RADIUS authentication for login and Require vendor-specific RADIUS attribute.
o Optionally (not recommended), deselect the checkbox Enable RADIUS accounting for authenticated users.
Figure 3: RADIUS Settings

o Enter the IP address for the RADIUS authentication server, and enter and confirm a secret. Click OK.
o Adjust the Request timeout and Number of retries values in the RADIUS settings dialog window as desired. Click OK.
o Finally, confirm and save all settings by clicking the floppy disk icon in the upper right of the Group Manager interface.
Open the Active Directory Users and Computers console and create a new group to manage SAN Administrators (Figure 4).

Figure 4: New Group

Now you can add users to the new group that will manage the PS Series SAN. Make sure the Remote Dial-in properties for each user are set to Control access through NPS Network Policy (Figure 5).

Figure 5: Remote Dial-in Properties

Note: If you are currently running in mixed mode you will have to allow each user Remote Access Permission (Figure 6).
Figure 6: Adding Remote Access Permissions (Mixed mode domain)

Creating Network Policies on the NPS Server
A network policy applies to a user profile (in Active Directory) and tells the RADIUS server what type of privilege to grant a user who attempts to log in to a PS Series group. You must create a network policy for each type of account configured on the PS Series group. All PS Series firmware versions support group administrator full access and read-only accounts.
Table 1: Common PS Series Supported Vendor Specific Attributes and Firmware Versions

EQL-Admin (PS Series Supported Firmware: All Versions for value 0)
  Attribute Number: 6
  Attribute Format (Syntax): Decimal
  Attribute Value: 0 = Global Admin, 1 = Pool Admin only, 2 = Pool Admin with group read access, 3 = Volume Admin

EQL-PoolAccess / EQL-ReplicationSite-Access / EQL-AdminAccount-Type
  Attribute Number: 7
  Attribute Format (Syntax): String (Max. length: 247)
Expand the Policies section, right-click Network Policies, and click New. The New Network Policy Wizard starts (Figure 7). Give the policy a name, leave the Type of network access server button checked with Unspecified in the box, and click Next.

Figure 7: NPS – Create New Network Policy

The Specify Conditions screen starts. Click Add to add the conditions that need to be met in order to access the PS Series Group.
Figure 8: Policy Conditions

In the Client Friendly Name window, add the name of the RADIUS Client created for the PS Series group admins in the previous section (Figure 9).

Figure 9: Client Friendly Name

Verify the information is correct in the Specify Conditions list and click Add to add the next condition. The next condition needed is the user group account with logon permissions. In the Select Condition view, choose Windows Groups and click Add (Figure 10).
Figure 10: Adding Windows Groups Specify the Windows Groups by adding the “SAN Admins” group created in the previous section (Figure 11).
Click OK to confirm the selection and complete the conditions entry. Verify the new network policy conditions are correct and choose Next to continue. Grant network access by checking the Access granted button in the Specify Access Permission window and click Next. In the Configure Authentication Methods window only check the Unencrypted authentication (PAP, SPAP) box and uncheck all others (Figure 12).
Figure 13: Service Type Attribute

Adding the PS Series Vendor-Specific Attributes
Vendor-specific attributes tailor the remote access policy to the vendor. For PS Series arrays, there are two required attributes, and several optional ones. The required attributes control what objects on the PS Series group users can manage once they log in. Group administrators can manage all objects on the group, including adding and removing members, and creating storage pools.
Figure 14: Vendor Specific Attribute

In the Attribute Information window click Add. In the next window check Enter Vendor Code and enter 12740 in the field. This is the vendor code for PS Series arrays. Select the Yes, It conforms button and click Configure Attribute (Figure 15).
Figure 15: Vendor-Specific Attribute Information

The Configure VSA dialog box is displayed (Figure 16).

Figure 16: Configure VSA

Enter the following information for the PS Series group administrator attribute:
o In the Vendor-assigned attribute number field, enter 6.
o In the Attribute format drop-down list, select Decimal.
o In the Attribute value field, enter 0 (for a group administrator).
Creating Additional Network Policies using Optional VSAs
This section discusses optional vendor-specific attributes that can be used to grant more granular access to a PS Series group. An example of an administration account with more granular access is a pool administrator. Pool administrators have management privileges only for specific pools on a PS Series group.
o Vendor-assigned attribute number: enter 7
o Attribute format drop-down: select String
o Attribute value field: enter the pool name for the account. Repeat this process if more than one pool will be accessed by the account.
Click OK twice to get back to the Attribute Information window. Add another Attribute Value to specify the PS Series pool and quota attributes. Use the same Vendor Code for network access server (12740) and choose Yes, It conforms. Configure the attribute values as follows:
o Vendor-assigned attribute number: enter 7
o Attribute format drop-down: select String
o Attribute value field: enter the pool name and quota value for the account.
To add any additional or other optional vendor-specific attributes, such as making this pool admin account read only, refer to Table 2 for their values.

Table 2: PS Series Optional Vendor Specific Attribute Values

EQL-AdminFull-Name (PS Series Supported Firmware: All Versions)
  Attribute Number: 1
  Attribute Format (Syntax): String (Max. length: 247)
  Attribute Value: Name of person assigned to the account

(attribute name not captured in the extracted table)
  Attribute Number: 2
  Attribute Format (Syntax): String (Max.
  Attribute Value: (not captured)

EQL-Admin (PS Series Supported Firmware: [version truncated] and higher)
  Attribute Value: 0 = Global Admin, 1 = Pool Admin only, 2 = Pool Admin with group read access, 3 = Volume Admin

EQL-PoolAccess / EQL-ReplicationSite-Access / EQL-AdminAccount-Type (PS Series Supported Firmware: Version 3.2 and higher)
  Attribute Number: 7
  Attribute Format (Syntax): String (Max. length: 247)
  Attribute Value: The pool name. The quota for volume administration accounts is expressed as "PoolName Quota", with G or M appended to the quota to represent GB or MB, respectively.
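As an added example (not from the report or from Dell), the following Python encodes the EQL-Admin and EQL-PoolAccess attributes from Tables 1 and 2 as RFC 2865 Vendor-Specific attributes under vendor code 12740, the form in which NPS or IAS places them in an Access-Accept, and then evaluates such an attribute list the way a group configured with Require vendor-specific RADIUS attribute is expected to: no EQL-Admin, no login. The pool names and quota are constructed; that the Decimal format is carried as a 4-byte integer and that a missing EQL-Admin is refused are assumptions made here, not statements from the report.

```python
import struct
EQL_VENDOR_ID = 12740    # vendor code typed into the NPS/IAS "Enter Vendor Code" field
EQL_ADMIN = 6            # EQL-Admin, Decimal format: access level
EQL_POOL_ACCESS = 7      # EQL-PoolAccess, String format: "PoolName" or "PoolName Quota"
ADMIN_LEVELS = {0: "Global Admin", 1: "Pool Admin only",
                2: "Pool Admin with group read access", 3: "Volume Admin"}

def vsa(vendor_type, data):
    """Encode one RFC 2865 Vendor-Specific attribute (type 26) holding one EQL sub-attribute."""
    sub = struct.pack("!BB", vendor_type, len(data) + 2) + data
    body = struct.pack("!I", EQL_VENDOR_ID) + sub
    return struct.pack("!BB", 26, len(body) + 2) + body

def eql_admin(level):
    return vsa(EQL_ADMIN, struct.pack("!I", level))        # assumption: Decimal = 4-byte big-endian integer

def eql_pool_access(pool, quota=None):
    text = pool if quota is None else f"{pool} {quota}"    # e.g. "Pool1 500G" (Table 2 syntax)
    return vsa(EQL_POOL_ACCESS, text.encode())

def parse_vsas(blob):
    """Walk a RADIUS attribute list and return (vendor_id, vendor_type, data) for each VSA."""
    out, i = [], 0
    while i < len(blob):
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute")
        if t == 26:                                    # other attributes (e.g. Service-Type) are skipped
            vid, vt, vl = struct.unpack("!IBB", blob[i + 2:i + 8])
            out.append((vid, vt, blob[i + 8:i + 6 + vl]))
        i += length
    return out

def quota_bytes(quota):
    return int(quota[:-1]) * {"G": 1024 ** 3, "M": 1024 ** 2}[quota[-1]]   # only G and M, per Table 2

def authorize(blob):
    """Derive the login role the way a group with 'Require vendor-specific RADIUS attribute' would."""
    role, pools = None, []
    for vid, vt, data in parse_vsas(blob):
        if vid != EQL_VENDOR_ID:
            continue                                   # another vendor's VSA: ignored
        if vt == EQL_ADMIN:
            role = ADMIN_LEVELS[struct.unpack("!I", data)[0]]
        elif vt == EQL_POOL_ACCESS:
            name, _, quota = data.decode().partition(" ")
            pools.append((name, quota_bytes(quota) if quota else None))
    if role is None:
        return None                                    # Access-Accept without EQL-Admin: login refused
    return {"role": role, "pools": pools}
```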
Note: It is recommended to add RADIUS Clients for each of the enabled PS array IP ports. This includes the PS Series group IP and all the enabled controller port IPs on the arrays in the group. This allows CHAP connections through multiple ports for redundancy and performance benefits.
Figure 18: Configure the Policy with CHAP Authentication

Click OK when finished to close the window. Create new users to use the policy. These user names are the CHAP user names given in the PS Series volume access control. Set the users up the same way described in the section Creating Users and Groups for SAN Administration. Make sure you check the box Store password using reversible encryption in the Account tab.
Now navigate to the Authentication tab and uncheck everything except the Encrypted authentication (CHAP) option. If this box is not checked, check it now. Navigate to the Encryption tab and uncheck everything except No encryption. If this box is not checked, check it now. Finally navigate to the Advanced tab and remove the Framed-Protocol attribute. Edit the Service-Type attribute and change it to Administrative. Finish the policy by clicking OK and OK to save and close the policy wizard.
Figure 19: Volume Log-On Using CHAP – Windows 2008

From a server or host running Windows Server 2003 or Windows XP:
o Open the iSCSI Initiator Properties.
o Select the Discovery tab and verify the PS group IP is in the Target portals window.
o Select the Targets tab and refresh to view volumes. Any configured volumes should show up.
o Log onto a configured volume by selecting Log on…
o Choose the Advanced… button to open the Advanced Settings window.
Figure 20: Volume Log-On Using CHAP – Windows 2003
APPENDIX A – CONFIGURATION STEPS ON WINDOWS SERVER 2003
This procedure assumes you will install and configure IAS on the same server hosting Active Directory. Perform the following steps to install and configure the IAS Server:
o Click Start > Control Panel > Add or Remove Programs.
o Click Add/Remove Windows Components.
o In the Windows Components dialog box, select Networking Services, then click Details.
o In the Friendly name field, enter a name for the client. We suggest using the PS Series group name.
o In the Client address field, enter the PS Series group IP address. (Verifying the address is optional.)
Click Next. The Additional Information dialog box is displayed.

Figure 2: New RADIUS Client – Additional Information

In the Additional Information dialog box, do the following:
o In the Client-Vendor drop-down list, select RADIUS Standard, if not already selected.
Figure 3: IAS – Create New Remote Access Policy The New Remote Access Policy Wizard starts (Figure 4). Figure 4: New Remote Access Policy Wizard Click Next. The Policy Configuration Method screen appears (Figure 5).
Figure 5: Policy Configuration Method Select Set up a custom policy, and enter a name for the policy; for example, EQL Group Administrators. Then, click Next. The Policy Conditions screen appears (Figure 6). Figure 6: Policy Conditions Under the Policy Conditions field, click Add. The Select Attribute screen appears (Figure 7).
Figure 7: Select Attribute

Select Client-Friendly-Name and click Add. The Client-Friendly Name screen appears (Figure 8).

Figure 8: Client-Friendly Name

Enter the PS Series group name you specified in Overview of Steps. Optionally, repeat this process and enter the Windows Group that the policy will be created for. Verify the information is correct in the Policy conditions list (Figure 9), then click Next.
Figure 9: Policy Conditions (Completed) The Permissions screen appears (Figure 10). Figure 10: Permissions Select Grant remote access permission, and click Next. The Profile screen appears (Figure 11).
Figure 11: Profile

Click Edit Profile, and do the following: On the Authentication tab (Figure 12), select Unencrypted authentication and deselect everything else.

Note: By default all passwords are encrypted by the RADIUS protocol. Choosing unencrypted authentication here is simply for tunneling into the IAS server.

Figure 12: Edit Profile: Authentication

On the Encryption tab (Figure 13), select No encryption and deselect everything else.
Figure 13: Edit Profile: Encryption On the Advanced tab (Figure 14), select Framed-Protocol and click Remove. Then select Service-Type and click Edit (Figure 14). Figure 14: Edit Profile: Advanced The Enumerable Attribute Information screen appears (Figure 15).
Figure 15: Enumerable Attribute Information In the Attribute value list, select Administrative and click OK. The Administrative attribute grants full read-write access to the PS Series group. You return to the Edit Profile: Advanced screen, which should now look like Figure 16. Figure 16: Edit Profile: Advanced (Modified) Leaving this screen visible, continue with Adding the PS Series Vendor-Specific Attributes.
In the Add Attribute dialog box (Figure 17), select Vendor-Specific and click Add. Figure 17: Add Attribute In the Multivalued Attribute Information dialog box (Figure 18), click Add.
Select Enter Vendor Code, and enter 12740 in the field. This is the vendor code for EqualLogic, Inc. Select Yes, It conforms, then click Configure Attribute.

Figure 19: Vendor-Specific Attribute Information

The Configure VSA dialog box is displayed (Figure 20).

Figure 20: Configure VSA

Enter the following information for the EQL-Admin attribute:
o In the Vendor-assigned attribute number field, enter 6.
o In the Attribute format drop-down list, select Decimal.
Figure 21: Edit Dial-In Profile: Advanced (with new VSA) The Dial-in Settings confirmation box is displayed (Figure 22), asking if you want to view online help about protocol configuration. Click No. Figure 22: Dial-In Settings On the Profile screen (Figure 23), click Next.
Figure 23: Profile On the Completing the New Remote Access Policy Wizard screen (Figure 24), click Finish.
APPENDIX B: CONFIGURING RADIUS ON THE PS SERIES GROUP USING CLI
To configure the PS Series group using the command-line interface, log in to the Command Line Interface for the group using the group IP address and a group administrator account, such as grpadmin. Enter the following command to enable RADIUS logins:

    grpparams login-radius-auth enable

Enter the following command to add the IP address of the RADIUS server (or servers), separated by commas and no spaces.
TECHNICAL SUPPORT AND CUSTOMER SERVICE
Dell's support service is available to answer your questions about PS Series SAN arrays. If you have an Express Service Code, have it ready when you call. The code helps Dell's automated-support telephone system direct your call more efficiently.

Contacting Dell
Dell provides several online and telephone-based support and service options. Availability varies by country and product, and some services might not be available in your area.