Configure PEAP Authentication via eDirectory in ExtremeCloud IQ Site Engine
This Help topic provides instructions for configuring ExtremeControl to authenticate PEAP, MsCHAP, and MsCHAPv2 requests using Novell eDirectory.

To do this, you must create a RADIUS account and a Universal Password Policy on eDirectory. After eDirectory is configured, create an ExtremeControl LDAP configuration, select the Populate Novell eDirectory Defaults option, and set the User Authentication Type to Plain Text Password Lookup. Then, in your advanced AAA configuration, create an entry that uses this LDAP configuration. This allows ExtremeControl to verify the user's password from the PEAP/MsCHAP/MsCHAPv2 request via eDirectory.

Use the following steps to create this configuration.

  1. In Novell iManager, create an account that is permitted to authenticate to eDirectory and retrieve the user password information.
    1. Create an admin user that the LDAP configuration in NAC Manager will use to connect and authenticate end-systems to the Novell eDirectory. In the example below, the username is radiusAdmin.
  2. Assign the admin user trustee status and privileges to access the database.
    1. On the Modify Trustees page, locate the admin user using the Search function.
    2. Add the admin user as a Trustee using the Add Trustee button on the right side of the Modify Trustees page.
    3. Select the Assigned Rights link for the Trustee user and enable the Supervisor option defined for the All Attributes Rights Property.
  3. Establish a universal password policy to be assigned to the organization or specific unit within the organization.
    1. Create a new Password Policy for the organization that will be used to enable universal passwords.
    2. Select the option to enable Universal Passwords and deselect the option Enable the Advanced Password Rules.
    3. Select the appropriate object in the Novell tree that the Universal Password Policy will be applied to.

      The following screen shot shows a completed Universal Password Policy.

      The following screen shot shows the Universal Policy Summary. Note that the Enable Universal Password option is set to true and the Enable the Advanced Password Rules option is set to false.

    4. The final step in defining the Universal Password Policy is to enable the option that allows the radiusAdmin user to retrieve users' passwords from the database.
  4. On the Access Control tab, create an LDAP configuration that defines access to Novell's eDirectory.
    1. In ExtremeCloud IQ Site Engine, access the Control > Access Control tab.
    2. Expand Configurations > AAA in the right panel and select LDAP Configurations.
    3. Select Add in the right panel.

      The Add LDAP Configuration window opens.
    4. In the OU Object Classes field, select the Populate Novell eDirectory Defaults option.
    5. In the User Authentication Type drop-down list, select Plain Text Password Lookup.
    6. Verify the User Password Attribute is nspmPassword.
  5. In your Advanced AAA Configuration, add an entry that uses this LDAP configuration. The configuration allows ExtremeControl to verify the user's password from the PEAP/MsCHAP/MsCHAPv2 request.