Amigopod External Authentication Servers Software Walkthrough
Copyright © 2011 Aruba Networks, Inc. Aruba Networks trademarks include Airwave, Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System®, Mobile Edge Architecture®, People Move. Networks Must Follow®, RFProtect®, Green Island®. All rights reserved. All other trademarks are the property of their respective owners.
Table of Contents
External Authentication Servers .......... 4
About RADIUS Authentication Servers .......... 4
Types of authentication server .......... 4
Authorization for external authentication servers ..
1 External Authentication Servers

About RADIUS Authentication Servers

Authentication is the verification of a user’s credentials, typically a username and password. Many networks have more than one place where user credentials are stored. Networks that have different types of user, geographically separate systems, or networks created by integrating different types of systems are all situations where user account information can be spread across several places.
• Use role assigned to local user is the only authorization method available for the local user database. If the user’s authentication attempt is successful, the RADIUS server will respond with an Access-Accept message that includes the RADIUS attributes defined for the user’s role.

• Use attributes from Proxy RADIUS server is an authorization method available only for Proxy RADIUS servers. The RADIUS attributes returned by the external RADIUS server are returned unmodified.
Selecting the Join Domain command starts a two-step process to join the domain. The process has built-in troubleshooting assistance, which can help with much of the necessary configuration. When the server’s DNS and network settings are correctly configured, all the necessary domain-related information is automatically detected.
Joining the server to the Active Directory domain then requires entering the username and password for a domain administrator account. Once the domain has been joined, the status is available on the Active Directory Services page.
Authenticating Active Directory users As indicated in the domain summary, the RADIUS server cannot authenticate user accounts in Active Directory until a domain username and password is provided.
Most of the settings for the authentication server are automatically detected; however, a Bind Identity (username) and Bind Password are required in order to authenticate users against the directory.

NOTE The credentials provided do not need to be those of a domain administrator; a restricted user account may be provided here. Only user lookup operations are performed with this user account.

Click the Save Changes button to store the credentials for the authentication server.
As with joining the domain, the credentials for a domain administrator are required to perform this operation.

Managing Authentication Servers

The RADIUS Authentication Servers page lists all available sources for use with authentication. The Test Authentication command may be used to check the connection to an authentication server, or verify the authorization rules that have been configured.

NOTE Changing the properties of an authentication server requires restarting the RADIUS server.
Authorization for External Authentication Servers

When a RADIUS Access-Request for a particular user is handled using an external authentication server, the user’s authorization is determined by the Authorization settings for that server. The RADIUS Authentication diagnostic can be used to demonstrate the difference between the various authorization methods. To use the diagnostic, navigate to RADIUS > Server Control and click the Test RADIUS Authentication command link.
• With authorization method Use PHP code to assign a user role (Advanced) – more complex authorization rules can be implemented to specify which role to assign to an authenticated user. Authorization can use any of the available properties of the user account, as well as taking into account other factors such as the time of day, previous usage, and more.
• Select the authorization method Use PHP code to assign a user role (Advanced) and use the following code:

    // Members of Domain Admins get role 4; the check runs first so it takes precedence.
    if (in_array('CN=Domain Admins,CN=Users,DC=amigopod,DC=local', $user['memberof']))
        return 4;
    // Members of the built-in Users group get role 5.
    if (in_array('CN=Users,CN=Builtin,DC=amigopod,DC=local', $user['memberof']))
        return 5;
    // No matching group: returning false rejects the authentication.
    return false;

Explanation: During user authorization, the ‘memberOf’ attribute of the user (which will contain a list of the groups to which the user belongs) is checked against the defined rules, and an appropriate role I
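The rule above works for the happy path, but a practitioner deploying it would want it to survive a user with no memberOf attribute, a memberOf returned as a single string rather than a list, and DN case differences, and would want to see how the "time of day" factor mentioned for the advanced method fits in. The following is an added example written for this walkthrough, not code from the Amigopod technical note or from Aruba. It keeps the note's role IDs (4 and 5) and group DNs, assumes the rule receives the user record as $user with a 'memberof' key exactly as the note shows, and adds a constructed hour-of-day restriction purely as an illustration. The function wrapper and the sample record at the bottom exist so the logic can be run stand-alone with the PHP CLI; inside the Amigopod rule box, which already supplies $user and expects a bare return, you would paste only the function body and replace $hour with (int) date('G').

```php
<?php
// Added example (not from the Amigopod technical note): a defensive version
// of the memberOf-based authorization rule.
// Role IDs 4 and 5 and the group DNs are the values used in the note; the
// hour-of-day policy is a constructed illustration of the "time of day"
// factor the note mentions as available to the advanced PHP method.

// Group DN => role ID, in order of precedence (first match wins), so a user
// who is in both groups is assigned the administrative role.
const GROUP_ROLE_MAP = [
    'CN=Domain Admins,CN=Users,DC=amigopod,DC=local' => 4,
    'CN=Users,CN=Builtin,DC=amigopod,DC=local'       => 5,
];

// Returns the role ID to assign, or false to reject the user.
// $user is the account record the rule receives (assumed to carry
// 'memberof' as the note shows); $hour is the current hour (0-23), passed
// in so the function can be exercised without a live RADIUS request.
function assign_role_from_groups(array $user, int $hour)
{
    // memberOf is absent when the user belongs to no groups, and a
    // single-valued attribute may arrive as a string rather than a list.
    $groups = $user['memberof'] ?? [];
    if (!is_array($groups)) {
        $groups = [$groups];
    }

    foreach (GROUP_ROLE_MAP as $groupDn => $roleId) {
        foreach ($groups as $memberDn) {
            // LDAP DNs compare case-insensitively; in_array() does not.
            if (strcasecmp($groupDn, (string) $memberDn) !== 0) {
                continue;
            }
            // Constructed policy: role 5 (ordinary users) is only granted
            // between 07:00 and 18:59; role 4 (administrators) at any hour.
            if ($roleId === 5 && ($hour < 7 || $hour >= 19)) {
                return false;
            }
            return $roleId;
        }
    }

    // No matching group: deny access.
    return false;
}

// Stand-alone demonstration with a constructed user record.
$sampleUser = [
    'samaccountname' => 'jdoe',
    'memberof' => [
        'CN=Users,CN=Builtin,DC=amigopod,DC=local',
        'CN=Some Other Group,OU=Groups,DC=amigopod,DC=local',
    ],
];
var_dump(assign_role_from_groups($sampleUser, 10));
var_dump(assign_role_from_groups($sampleUser, 22));
var_dump(assign_role_from_groups(['samaccountname' => 'nogroups'], 10));
```

Two points worth keeping in mind when writing rules of this kind: Active Directory's memberOf lists only direct memberships and omits the user's primary group (normally Domain Users), so a rule keyed on that group will not match; and because the rule returns false for anything it does not recognise, the Test RADIUS Authentication diagnostic described earlier is the place to confirm each expected group actually maps to the intended role before the RADIUS server is restarted with the new configuration.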