How to Configure Local RADIUS Termination at the ExtremeControl Engine


This Help topic provides information on how to configure authentication using the ExtremeControl engine RADIUS server to locally terminate 802.1X EAP authentication requests. There are three methods that can be used to do this, depending on the protocol that is used:

  • LDAP Authentication - Uses a backend Active Directory server or LDAP server, and RADIUS server and client certificates (if required) to authenticate users.
  • Local Authentication - Uses a local password repository, and RADIUS server and client certificates (if required) to authenticate users.
  • RADIUS Certificates only - Uses only RADIUS server and client certificates to authenticate users (no password is required).

The following chart lists the protocols that are supported for local RADIUS termination, and shows whether the protocol uses RADIUS certificates and/or passwords to authenticate users. If passwords are required, you can then decide whether to use LDAP or local authentication for password verification. The chart also lists the hash types supported by each protocol for user password encryption. Note that PEAP (TLS) is not supported for local RADIUS termination and is only supported in a proxy RADIUS configuration.

Protocol              RADIUS Certificates Required   Password Required   Supported Password Hash Types
PAP                   No                             Yes                 PKCS5 Reversible, SHA1, NT Hash
CHAP                  No                             Yes                 PKCS5 Reversible
MsCHAP                Yes                            Yes                 PKCS5 Reversible, NT Hash
PEAP (EAP-MsCHAPv2)   Yes                            Yes                 PKCS5 Reversible, NT Hash
EAP-TTLS              Yes                            Yes                 PKCS5 Reversible, SHA1, NT Hash
EAP-TLS               Yes                            No                  N/A
EAP-MD5               No                             Yes                 PKCS5 Reversible

LDAP Authentication

LDAP authentication uses a backend Active Directory server or LDAP server defined in your AAA Configuration to authenticate users. Additionally, some protocols also require RADIUS server and client certificates to be used in conjunction with LDAP authentication (see Certificate Configuration).

Before configuring LDAP authentication, read through the User Authentication considerations described below.

User Authentication Considerations

If you are using LDAP authentication, the type of LDAP server you select depends on the protocol you are using. With Active Directory, NAC Manager provides a more feature-rich integration and supports a large number of protocols, while with other LDAP servers such as OpenLDAP, NAC Manager provides a more basic integration with limited protocol support.

Active Directory

Supported Protocols: PAP, MsCHAP, PEAP, EAP-MsCHAPv2, and EAP-TTLS with tunneled PAP.

PAP or EAP-TTLS with tunneled PAP protocols

During the authentication process, the ExtremeControl engine sends an LDAP bind request to the Active Directory domain controller using the password retrieved from the end user's authentication request. Therefore, the LDAP protocol must be permitted between the ExtremeControl engine and the Active Directory domain controller for the authentication process to take place.

MsCHAP, PEAP, and EAP-MsCHAPv2 protocols

These three protocols work with Active Directory (and not other LDAP servers) because they use NT Hash for password encryption, which is the same password hash type used by the Microsoft Active Directory domain controller.

Authentication requests are made by the ExtremeControl engine sending an ntlm_auth request to the Active Directory domain controller. The ExtremeControl engine attempts to join the Active Directory domain using the LDAP configuration and the administrator username and password. In your LDAP configuration, the administrator username used to connect to the LDAP server must be a member of the built-in Domain Administrator group or Account Operators group. (See the Active Directory Permissions section below.)

Additionally, the DNS configuration must be set up so that the ExtremeControl engine can resolve the domain by name. To do this, you should configure the DNS server to be one of the domain controllers for that domain, and verify that the domain name is configured correctly on the ExtremeControl engine. If users authenticate to multiple domains, you must also configure the domains to fully trust each other. Refer to the following Microsoft documentation for information on how to set up domain trusts:
https://technet.microsoft.com/en-us/library/cc740018%28WS.10%29.aspx.

  Note: For these protocols to work when the Active Directory domain controller is set to permit only NTLMv2 authentication, your version of Samba must pass a flag during authentication that allows NTLMv1 to be used for 802.1X MSCHAPv2 while AD is at its highest security setting (NTLMv2 only). On earlier versions, these protocols do not work if Active Directory is set to permit only NTLMv2, because these protocols do not use NTLMv2 and the hash passed to NAC Manager is rejected by the Active Directory server. Permitting only NTLMv2 authentication works only if NAC Manager proxies the 802.1X request to Microsoft IAS/NPS. Microsoft IAS/NPS permits this lower level of authentication because it takes place inside a TLS session, which Microsoft considers as secure as NTLMv2. For more information, see https://technet.microsoft.com/en-us/library/cc772468.aspx

Active Directory Permissions

Active Directory is supported on Windows 2008, Windows 2012, and Windows 2016 systems. ExtremeControl can fail to join Active Directory when it accesses the domain as a Standard Domain User that is a member of the Descendant Computer Objects group.

To enable this functionality, add the following permissions:

  • Reset Password
  • Validated write to DNS host name
  • Validated write to service principal
  • Read and write account restrictions
  • Read and write DNS host name attributes
  • Write servicePrincipalName

Active Directory with User Log On Restrictions

In Active Directory, it is possible to configure an option that restricts a user domain log on to specific computers. This configuration is enforced during the domain log on process.

In an ExtremeControl environment where users authenticate using 802.1X and NAC Manager is configured to proxy RADIUS requests, no additional configuration is required. The 802.1X authentication process completes normally and the determination of whether the user is permitted to log on to the domain from the specific computer is enforced at that time.

In an ExtremeControl environment where NAC Manager is terminating 802.1X authentications locally, NAC Manager performs an NTLM authentication to authenticate the 802.1X session. This process simulates the domain log on process. Therefore, NAC Manager indicates the incoming authentication request for the user is coming from a computer (the ExtremeControl engine) that the user is not permitted to log on to, and the authentication attempt is rejected.

The solution in this scenario is to add the ExtremeControl engines to the list of computers the user is permitted to log on to. This enables the 802.1X authentication process to complete and successfully authenticate the user. The enforcement of whether the user is permitted to log on to the specific computer takes place during the domain log on process.

Other LDAP Servers

Supported Protocols: PEAP, PAP, and EAP-TTLS with tunneled PAP.

During the authentication process, the ExtremeControl engine attempts an LDAP(S) bind with the LDAP server to authenticate the end user’s credentials. Ensure that LDAP(S) between the ExtremeControl engine and LDAP server is not blocked by an ACL or firewall.

Local Authentication

Local authentication uses a local password repository defined in your AAA Configuration to authenticate users. Additionally, some protocols also require RADIUS server and client certificates to be used in conjunction with local authentication (see Certificate Configuration). Before configuring local authentication, read through the user password considerations described below.

User Password Considerations

When you add or edit a user in your local password repository, you can specify the password hash type used to encrypt the user's password in the ExtremeCloud IQ Site Engine and NAC Manager databases. Select from two supported hashing algorithms, depending on the protocol you are using:

  • SHA1 – a non-reversible hashing algorithm
    Supported Protocols: PAP and EAP-TTLS with tunneled PAP
  • PKCS5 – a reversible hashing algorithm
    Supported Protocols: PAP, CHAP, MsCHAP, PEAP, EAP-MsCHAPv2, EAP-TTLS with tunneled PAP, and EAP-MD5

Certificate Configuration

If the protocol you are using requires RADIUS certificates for authentication (see the table above), review the certificate configuration information in this section.

During installation, ExtremeControl generates a unique private key and server certificate for the NAC Manager RADIUS server. This certificate provides basic functionality while you are configuring and testing your NAC Manager deployment. To integrate with the certificate structure you already have on your network, update to a certificate generated by a Certificate Authority that your connecting end-systems are already configured to trust.

In addition, configure the AAA Trusted Certificate Authorities to designate which client certificates can be trusted.

  Note: EAP-TLS certificates signed with SHA1 are considered weak and are no longer accepted; the RADIUS server fails to start when a SHA1 certificate is installed. Use a certificate with a stronger signature algorithm, such as SHA256.

EAP-TLS Certificate Requirements

Server Certificate:
  Enhanced Key Usage: Server Authentication (1.3.6.1.5.5.7.3.1)
  Key Usage: Digital Signature, Key Encipherment

Client Certificate:
  Enhanced Key Usage: Client Authentication (1.3.6.1.5.5.7.3.2)
  Key Usage: Digital Signature, Key Encipherment
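As an added example (not part of this Help topic or of the ExtremeControl product), the following POSIX shell script generates constructed self-signed certificates carrying the Key Usage and Enhanced Key Usage values listed above, then checks a PEM file against those requirements and against the SHA1 restriction from the Certificate Configuration note. It assumes the openssl command line tool (1.1.1 or later) is installed; openssl displays the two EKU OIDs as "TLS Web Server Authentication" and "TLS Web Client Authentication", which is what the check looks for.

```shell
# Added example (not Extreme's code): build throwaway self-signed certificates
# carrying the EAP-TLS extensions this page requires, then check a PEM file
# against those requirements with the openssl CLI (openssl >= 1.1.1).
set -eu
WORK=$(mktemp -d)

# make_cert <name> <serverAuth|clientAuth>: constructed test certificate with
# Key Usage = Digital Signature + Key Encipherment, the given EKU and a
# SHA-256 signature. Prints the path of the PEM file it wrote.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
    -subj "/CN=constructed-$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
    -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
    -addext "extendedKeyUsage=$2" >/dev/null 2>&1
  echo "$WORK/$1.pem"
}

# check_cert <pem> <server|client>: prints "ok" when the certificate meets the
# EAP-TLS requirements for that role, else "FAIL:" plus each unmet requirement.
check_cert() {
  pem=$1; role=$2
  # Server Authentication = 1.3.6.1.5.5.7.3.1, Client Authentication = 1.3.6.1.5.5.7.3.2
  case $role in
    server) want_eku="TLS Web Server Authentication" ;;
    client) want_eku="TLS Web Client Authentication" ;;
    *) echo "FAIL: unknown role $role"; return 1 ;;
  esac
  text=$(openssl x509 -in "$pem" -noout -text)
  fail=""
  # Enhanced (Extended) Key Usage must list the purpose for this role.
  printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' \
    | grep -q "$want_eku" || fail="$fail eku"
  # Key Usage must carry both Digital Signature and Key Encipherment.
  ku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | tail -n1)
  printf '%s\n' "$ku" | grep -q 'Digital Signature' || fail="$fail digitalSignature"
  printf '%s\n' "$ku" | grep -q 'Key Encipherment' || fail="$fail keyEncipherment"
  # A SHA1-signed certificate is refused: the RADIUS server will not start.
  if printf '%s\n' "$text" | grep 'Signature Algorithm' | grep -qi 'sha1'; then
    fail="$fail sha1-signature"
  fi
  if [ -z "$fail" ]; then echo ok; else echo "FAIL:$fail"; fi
}

# Demonstration: the server cert passes the server check; the client cert fails it (EKU mismatch).
SERVER_PEM=$(make_cert server serverAuth)
CLIENT_PEM=$(make_cert client clientAuth)
echo "server cert as server: $(check_cert "$SERVER_PEM" server)"
echo "client cert as client: $(check_cert "$CLIENT_PEM" client)"
echo "client cert as server: $(check_cert "$CLIENT_PEM" server)"
```

To check a certificate issued by your own CA, run check_cert against that PEM file with the role it is meant for.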
