Using the Universal Port in a Lightweight Directory Access Protocol (LDAP) Environment
Configuration Requirements
The following components are required to install the access control solution:
- Linux server running Red Hat Linux 4.0
- FreeRADIUS 1.1.x
- OpenLDAP 2.3.x
- Extreme Networks Summit X450e switches
- Windows XP clients

Authentication is typically accomplished using the Remote Authentication Dial-In User Service (RADIUS) protocol, with the RADIUS server holding the authentication database. Providing secure edge provisioning requires adding an authenticating element to the network configuration that can work with directory services. In other words, to integrate the Universal Port in an LDAP environment, a RADIUS server must be added that uses the LDAP database. The following configuration example enables an IP phone or PC to use the Universal Port technology to authenticate against an LDAP environment.
Overview
Customers with a directory services authentication solution such as Lightweight Directory Access Protocol (LDAP) require cost-effective, secure edge access devices. For added security, customers need a dynamic policy enforcement edge solution that does not depend on open, unsecured edge ports. Customers also want to use existing directory services infrastructures to reduce administrative overhead as well as the time and effort needed to configure edge switches. The Extreme Networks Universal Port framework can establish and enforce policies based on an authenticated user or device. Each port is secured because it is not part of any subnet until access is granted by an authentication authority.
Configuration Instructions
Basic Configuration Steps
1. Install and configure the RADIUS server on the existing Linux server
2. Install and configure OpenLDAP
3. Add vendor-specific attributes to the RADIUS server and the LDAP server
4. Configure the edge switches
5. Configure the supplicant
[Figure: network topology diagram. Labels: Internet; Avaya HQ callserver; Avaya G250; FreeRadius; EAPS Master; Transit 1; Transit 2; EAPS PrimaryPort 23 (two occurrences); EAPS SecondaryPort 22; EAPS SecondaryPort 24; 802.1x PC; two 802.1x phones.]
Using the Universal Port in a Lightweight Directory Access Protocol (LDAP) Environment, Page 1
If radtest receives a response, the FreeRADIUS server is up and running. Note: Another free tool, NTRadPing, can be used to test authentication and authorization requests from Windows clients. NTRadPing displays detailed responses such as attribute values sent back from the RADIUS server.
3. In radiusd.conf, uncomment ldap in the authorize section so that it reads as follows.
    authorize {
        preprocess
        chap
        mschap
        suffix
        ldap
        eap
        files
    }
4. In radiusd.conf, uncomment ldap in the authenticate section so that it reads as follows.
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        unix
        ldap
        eap
    }
Install OpenLDAP
OpenLDAP software is an open source implementation of LDAP and can be obtained at http://www.openldap.org. Use the following procedure to install the OpenLDAP packages.
1. Verify the installed Red Hat Linux release. The release number is stored in the /etc/redhat-release file.
2. Verify the version of OpenLDAP currently installed by entering the rpm -qa | grep openldap command at the Linux prompt.
    # rpm -qa | grep openldap
    openldap-2.3.xx-x
    openldap-clients-2.3.xx-x
    openldap-servers-2.3.xx-x
3. If a default Red Hat Linux installation was used, at least one OpenLDAP Red Hat Package Manager (RPM) is already installed. The LDAP RPMs can be found on the Red Hat CD or downloaded from one of the following RPM download sources:
    www.rpmfind.net: search on openldap and select the RPM that matches the distribution.
    www.redhat.com: select Download, and then search on openldap.
4. After downloading the RPMs to the Linux server, change to the download directory and start the installation using the rpm command.
# rpm -ivh openldap*
5. Verify that the OpenLDAP RPMs have been installed with the rpm -qa | grep openldap command at the Linux prompt.
    # rpm -qa | grep openldap
    openldap-2.3.xx-x
    openldap-clients-2.3.xx-x
    openldap-servers-2.3.xx-x
Configure OpenLDAP
Once the build is complete, the slapd and slurpd daemons are located in /usr/local/libexec. The configuration files are in /etc/openldap, and the main server daemon, slapd, is ready to be started.
The samba-related attributes may already be populated in the LDAP server if an LDAP-enabled samba infrastructure is in place. Note: If the samba-related entries are not present, the values for sambaNTPassword and sambaLMPassword can be generated by running the mkntpwd command.
    cd /usr/share/doc/samba-3.0.10/LDAP/smbldap-tools/mkntpwd
    make
    ./mkntpwd -L <password>    (provides the value for the sambaLMPassword attribute)
    ./mkntpwd -N <password>    (provides the value for the sambaNTPassword attribute)
For phone authentication (which uses EAP-MD5), the password is stored in cleartext in the userPassword attribute of the phone entries in LDAP.
To allow the port to run the scripts when instructed to do so by RADIUS/LDAP, enter:
configure upm event user-authenticate profile a-avaya ports 1-23
LDAP UID entries: In the LDAP entry for each phone UID, set the following attribute to name the profile (script) to execute:
Extreme-Security-Profile
NOTE: The attributes required for authentication depend on the end-station. XP uses EAP-PEAP and requires the hashed password fields (the samba attributes) for the UID password. Avaya phones authenticate with EAP-MD5 and require a cleartext password field (userPassword) in LDAP. Scripts: The a-avaya script tells the phone to configure itself in the voice VLAN and to send tagged frames. The script also informs the phone of the file server and call server.
NOTE: This script refers specifically to Avaya but it should be applicable to any LLDP-enabled phone.
2007 Extreme Networks, Inc. All rights reserved. Extreme Networks, the Extreme Networks Logo and Summit are either registered trademarks or trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names and marks are the property of their respective owners. Specifications are subject to change without notice. 1370_01 10/07 Using the Universal Port in a Lightweight Directory Access Protocol (LDAP) Environment Technical Brief