Configure Active Directory Authentication

From WiDirect

This page describes how to configure a WiDirect to authenticate against an Active Directory server.

Edit WiDirect Configuration File

Using PuTTY or another SSH client, SSH to the WiDirect and run this command:

sudo emacs /root/AWICP/etc/config.php

Look for this section:

/* External Radius Support */
$RADIUS_ATTEMPT_AUTHENTICATION=0;
/* Do LDAP Authentication instead of RADIUS. */
$LDAP_AUTHENTICATION=0;
/* Domain to append if none present: */
$LDAP_DOMAIN="";
/* LDAP_DN is optional for further restricting LDAP logins */
$LDAP_DN = array();
/* Add RADIUS users if they are not in database? */
$RADIUS_ADD_USERS_NOT_IN_DB=1;
/* Radius users should replace existing users in database? */
$RADIUS_REPLACE_USERS_IN_DB=0;
/* Only authenticate via radius server (no local authentication) */
$RADIUS_AUTHENTICATION_PRIMARY=0;
/* Save password from external server? */
$RADIUS_SAVE_PASSWORD=1;
$RADIUS_DEFAULT_USER_PLAN=1;
$RADIUS_SECRET="testing123";
$RADIUS_SERVER="127.0.0.1";
$RADIUS_AUTH_PORT="1812";
$RADIUS_ACCT_PORT="1813";

Each variable needs to be set correctly; each one is described below. After making the changes, exit emacs by pressing Control-X followed by Control-C, and press y when asked to save.

Radius attempt authentication: This option should be set to 1 if using either LDAP or Radius authentication.

LDAP authentication: Set to 1 to use LDAP authentication instead of Radius authentication.

LDAP domain: This domain will be appended to usernames if no domain is entered by the user.

LDAP DN: This option can be used to specify a number of OUs that are allowed access to the system. This variable is an array, so be sure to use proper formatting when including multiple OUs:

$LDAP_DN = array("OU=SALES,DC=ad,DC=allcitywireless,DC=allcitywireless.com", "OU=SUPPORT,DC=ad,DC=allcitywireless,DC=allcitywireless.com");

Radius add users not in DB: If a user is not in the database then this setting controls whether or not they are added. It is recommended that this option be set to 1.

Radius authentication primary: If this option is set to 1, only the Radius or Active Directory server will be queried to determine whether or not the user is granted access to the system. If it is set to 0, the local database will be queried before the remote server.

Radius save password: This setting determines whether or not the password entered by the user is saved with the user's account on the WiDirect.

Radius default user plan: The plan ID number of the plan the user will be placed on when authenticating against an external database.

Radius secret: Shared secret for Radius server. Not needed when using LDAP authentication.

Radius server: The Radius or LDAP server to query. If using LDAP over SSL, specify the server in this format:

$RADIUS_SERVER = "ldaps://ldap.allcitywireless.com";

Radius authentication port: Port for Radius authentication. Not used for an LDAP server.

Radius accounting port: Port for Radius accounting messages. Not used for an LDAP server.
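Because several of these settings depend on each other (LDAP requires attempt authentication to be on, LDAP_DN must be a PHP array, an LDAPS URL keeps the bind password off the wire), it is worth checking the edited section before testing. The following linter is an added example, not part of WiDirect; the config text it parses is constructed, and the host names in it are placeholders.

```python
import re

# Constructed sample of the "External Radius Support" section after editing
# for Active Directory over LDAP. Host names are placeholders.
SAMPLE_CONFIG = r'''
/* External Radius Support */
$RADIUS_ATTEMPT_AUTHENTICATION=1;
$LDAP_AUTHENTICATION=1;
$LDAP_DOMAIN="ad.example.com";
$LDAP_DN = array("OU=SALES,DC=ad,DC=example,DC=com");
$RADIUS_ADD_USERS_NOT_IN_DB=1;
$RADIUS_REPLACE_USERS_IN_DB=0;
$RADIUS_AUTHENTICATION_PRIMARY=1;
$RADIUS_SAVE_PASSWORD=1;
$RADIUS_DEFAULT_USER_PLAN=1;
$RADIUS_SECRET="testing123";
$RADIUS_SERVER="ldap.example.com";
'''

# One PHP assignment per line: $NAME = value;  (comments do not match)
ASSIGN = re.compile(r'^\$(\w+)\s*=\s*(.*?);\s*$', re.M)

def parse_config(text):
    """Map each $VAR=value; line to its raw value (quotes are kept)."""
    return {name: value.strip() for name, value in ASSIGN.findall(text)}

def lint_config(cfg):
    """Return a list of findings about inconsistent or risky settings."""
    findings = []
    ldap = cfg.get('LDAP_AUTHENTICATION') == '1'
    if ldap and cfg.get('RADIUS_ATTEMPT_AUTHENTICATION') != '1':
        findings.append('LDAP_AUTHENTICATION=1 requires RADIUS_ATTEMPT_AUTHENTICATION=1')
    server = cfg.get('RADIUS_SERVER', '').strip('"')
    if ldap and not server.startswith('ldaps://'):
        findings.append('RADIUS_SERVER is not ldaps://; a plain LDAP bind sends the password unencrypted')
    if not ldap and cfg.get('RADIUS_SECRET') == '"testing123"':
        findings.append('RADIUS_SECRET is still the shipped default testing123')
    if cfg.get('RADIUS_SAVE_PASSWORD') == '1':
        findings.append('RADIUS_SAVE_PASSWORD=1 stores directory passwords on the WiDirect')
    dn = cfg.get('LDAP_DN', '')
    if dn and not dn.startswith('array('):
        findings.append('LDAP_DN must be a PHP array(), e.g. array("OU=...,DC=...")')
    return findings

if __name__ == '__main__':
    for finding in lint_config(parse_config(SAMPLE_CONFIG)):
        print('WARNING:', finding)
```

To check a real box, replace SAMPLE_CONFIG with the contents of /root/AWICP/etc/config.php.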

Test

After making all the above changes, connect from a computer behind the WiDirect. You will be brought to the login page and asked to authenticate. The Active Directory server will be checked and the user will be authenticated based on the response from the remote server. The settings above determine whether local users are checked first, and whether the password is saved on the WiDirect.