WESM zl Management and Configuration Guide WT.01.28 and greater

RADIUS Server
RADIUS Authentication
8. In the Password Attribute field, specify the attribute that stores a user's
password.
When looking up a user's account, the internal RADIUS server also requests a
check on the user's password (or, depending on the EAP type, a hash of that
password). The string that you enter in the Password Attribute field determines
the attribute name that the server requests.
Match the attribute name used by your LDAP server—commonly “userPassword”
or “User-Password.”
9. In the Group Filter field, enter a filter string that searches for the groups to which
the user belongs.
The purpose of the group filter is to verify that the user is a member of the group
on the local RADIUS server that currently allows access.
An example of a group filter is:
(&(objectClass=Group)(member=%{Ldap-UserDn}))
The first part of this filter tells the internal RADIUS server to search only for
group type objects. “Group” is one example of the name for this object class.
Other examples include:
GroupOfUniqueNames
GroupOfNames
The second part of the filter configures the internal RADIUS server to search
only for groups in which this user is a member. First enter the name of the
attribute that your LDAP server uses to list the members of a group. In this
example, that attribute is “member.” Another example is “uniquemember.” Next,
set this attribute equal to this variable:
%{Ldap-UserDn}
This variable configures the module to submit the username as an LDAP
distinguished name. To create this name, the module adds the username to the
base distinguished name. For example:
cn=user,cn=Users,dn=mydomain,dn=com
Make sure that the name produced is the user's correct distinguished name.
The internal RADIUS server automatically adds this string to the filter:
(<group attribute>=<local group name>)
The RADIUS server replaces <group attribute> with the string that you enter
in the Group Attribute field. (See step 11.) The server replaces <local group
name> with the name of the group configured in the local RADIUS database.
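
As an added illustration (not code from this guide or from the product), the Python sketch below expands a group filter as step 9 describes, escapes the substituted values per RFC 4515, and rejects a filter whose parentheses do not balance. It assumes the server combines its automatically added clause with your filter using AND, which the guide does not spell out; the group attribute "cn" and the group name "Staff" are constructed sample values.

```python
# Added example: how the group filter in step 9 expands. Sample values are constructed.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)

def is_well_formed(flt):
    """True if the filter is one parenthesized expression with balanced parentheses."""
    if not flt.startswith("("):
        return False
    depth = 0
    for i, ch in enumerate(flt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            # Closing the outer pair before the last character means two
            # sibling expressions with no enclosing operator.
            if depth < 0 or (depth == 0 and i != len(flt) - 1):
                return False
    return depth == 0

def expand_group_filter(template, user_dn, group_attr, group_name):
    """Substitute %{Ldap-UserDn} and add the (<group attribute>=<local group name>) clause."""
    if not is_well_formed(template):
        raise ValueError("unbalanced group filter: " + template)
    user_part = template.replace("%{Ldap-UserDn}", escape_filter_value(user_dn))
    group_part = "(%s=%s)" % (group_attr, escape_filter_value(group_name))
    # Assumption: the two parts are combined with AND; the guide only says "adds".
    return "(&" + group_part + user_part + ")"

if __name__ == "__main__":
    template = "(&(objectClass=Group)(member=%{Ldap-UserDn}))"
    user_dn = "cn=user,cn=Users,dn=mydomain,dn=com"  # DN form shown in the guide
    print(expand_group_filter(template, user_dn, "cn", "Staff"))
    # A group name containing filter metacharacters stays a literal value.
    print(expand_group_filter(template, user_dn, "cn", "Staff)(cn=*"))
    try:
        expand_group_filter("&(objectClass=Group)(member=%{Ldap-UserDn}))", user_dn, "cn", "x")
    except ValueError as err:
        print("rejected:", err)
```

Comparing the expanded string with the search filter recorded in your LDAP server's log is a quick way to confirm that the distinguished name and group attribute match what the directory actually stores.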