Active Directory Authentication for WiFi Client

  • Updated 3 months ago
Hi All, 

I have a controller-managed AP zone where I need an SSID for Active Directory based authentication. Active Directory is located at the branch site and the controller is at HQ.

I am planning to follow the steps below, based on my current understanding. I need your help to verify my steps.
1.) Create an AAA profile with Active Directory mode, port 369 and the customer AD IP.
2.) Create an SSID with the Web Authentication option.
3.) AD will be locally reachable to the AP, with no routes through the controller.

Will these steps suffice?
Additionally, I have the queries below.
A.) Can anyone share a guide on how to set up Windows Server for the above requirement?
B.) Can I customize this web auth portal, and will that be hosted in the AP itself?
C.) Any additional advice would be appreciated as well.

Thanks
GPMPA

gpmpa

Posted 3 months ago

Jakob Peterhänsel

Hi,

I have not tried AAA auth with a web-portal, only 802.1x + WPA2.
On all the sites we've done that, the AAA server is only reachable via a route in the controller; the APs do not ask directly, but I think that is possible.

In all our setups, we don't use AD directly, but the RADIUS server in AD. It seems much more reliable, and you don't need to authenticate an AD admin on the box, just have a shared secret set up.

There is a guide/article here on the forum somewhere; try searching for it.

gpmpa

Thanks for the insights, Jakob.
Here the customer requires the on-site AD to be used with a web portal.

Thanks

Robert Lowe

Pretty sure the ZD only works in RADIUS-Proxy mode, where the controller proxies all AAA messaging. I'll try and find the statement.

gpmpa

Hi Robert,
This is a vSZ-H deployment. Usually this supports both proxy and non-proxy mode for AAA. But I am not sure about AD, and I don't know how to configure AD in this scenario.

Thanks
Pamuditha

Robert Lowe

Sorry, my bad. Anyways, here's an extract from the vSZ-H Admin Guide:

gpmpa

Hi Robert, 

Thanks. Will update here with the results of testing. 

Thanks again.