AD or Radius login for Admins on Zone Director 1100

Hi,
Is it possible to have a group of admins and use AD or RADIUS authentication for management?
I can't find anything about this on the forums or in the knowledge base.
I've only found information about regular users but nothing for management.
Basically just a group of admins will be using their AD logins.
Could you point me in the right direction?

I am using ZD 1100 with 9.6 firmware.

Thanks!

Christian Moscoso

Miko

Yes that is possible. Check https://support.ruckuswireless.com/documents/357-zonedirector-release-9-6-user-guide/download on page 278 under the topic heading of "Using An External Server For Administrator Authentication".

I set this up a while back using AD and it works great. I still use Radius for 802.1x auth but LDAP for management auth. Also I can't remember 100% but I do not think you can do a group of a group. All your users will have to be added directly to your management group.

David Yuan

Same problem.
It always fails on step 4.
But even if step 4 passes, how do I assign a user or AD group to an Administrator role in ZoneDirector?

4. Test your authentication settings (Configure > AAA Servers > Test Authentication Settings).

Miko

Are you doing LDAP or Radius? Failing the test for Radius is normal if you don't use PAP. I think it is in some random manual but I know I saw it in an old forum post here http://forums-archive.ruckuswireless.com/forums/6/topics/839

Once past step 4 you can go to "Roles" and create a new role and fill in the "Group Attributes" field with the group you want to tie to that role.

David Yuan

Hi Miko,
could you provide a sample for me? I need a screenshot.
Thank you very much!

Miko

Hopefully this helps. Below is the LDAP stuff which I use for management of the ZD.




David Yuan

"ZD admins" can be found in AD, right? Then this group's members are administrators.

I saw you use AD, so why did you say LDAP?
I find it very strange: why doesn't the AD type need a credential? Is there anything that should be trusted in AD?

Miko

Yes, "ZD Admins" is a group in AD that contains users who should have full admin access to the ZD. Sorry about using the term LDAP. We used to be a Novell shop and I am used to using the term LDAP interchangeably with AD, but we are using AD in this case. There was no trust necessary; I just filled in the necessary info and it works.

David Yuan

Miko,
thank you very much!
I tested it and the AD setting passes. I can log on with an AD account.
But LDAP still doesn't work. Does ZD support LDAP users logging on? If yes, I think you have an example too; could you share it?
(What's the UID in AD? sAMAccountName? CN?)

Miko

Your settings look good except maybe for the "Key Attribute". If you are using Active Directory it should be sAMAccountName which is what Windows would use to log people in to computers. You can use cn, that is the value that is shown in Users and Computers which may not be the same as their login.

I should mention that if you require SSL authentication via LDAP this may not work. Our AD servers do not require SSL for authentication but our OpenLDAP server does, and I could not get it working with OpenLDAP even by changing the port to 636.
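
An added example, not part of the thread and not Ruckus code: an offline pre-check for the two pitfalls raised above, a login name that matches `cn` but not `sAMAccountName`, and a user who reaches the "ZD Admins" group only through another group. It assumes, as Miko suspects, that only direct members count; the entries, DNs and function names are hypothetical.

```python
from collections import deque

# Constructed sample entries (hypothetical names and DNs, not from the thread).
BASE = "DC=example,DC=test"
ADMIN_GROUP = f"CN=ZD Admins,OU=Groups,{BASE}"
ENTRIES = [
    {"dn": f"CN=Alice Example,OU=Staff,{BASE}", "cn": "Alice Example",
     "sAMAccountName": "aexample", "memberOf": [ADMIN_GROUP]},
    {"dn": f"CN=Bob Sample,OU=Staff,{BASE}", "cn": "Bob Sample",
     "sAMAccountName": "bsample",
     "memberOf": [f"CN=Network Team,OU=Groups,{BASE}"]},
    {"dn": f"CN=Network Team,OU=Groups,{BASE}", "cn": "Network Team",
     "sAMAccountName": "netteam", "memberOf": [ADMIN_GROUP]},
]


def find_entry(entries, login, key_attr):
    """Return the entry whose key attribute equals the typed login name."""
    for e in entries:
        if e.get(key_attr, "").lower() == login.lower():
            return e
    return None


def membership(entries, entry, group_dn):
    """Classify membership in group_dn as 'direct', 'nested' or 'none'."""
    target = group_dn.lower()
    direct = [g.lower() for g in entry["memberOf"]]
    if target in direct:
        return "direct"
    by_dn = {e["dn"].lower(): e for e in entries}
    seen, queue = set(direct), deque(direct)
    while queue:  # walk parent groups breadth-first, guarding against cycles
        parent = by_dn.get(queue.popleft())
        for g in (parent["memberOf"] if parent else []):
            g = g.lower()
            if g == target:
                return "nested"
            if g not in seen:
                seen.add(g)
                queue.append(g)
    return "none"


def audit(login, key_attr, entries=ENTRIES, group_dn=ADMIN_GROUP):
    """Report how a login name resolves under the chosen Key Attribute."""
    entry = find_entry(entries, login, key_attr)
    return "no-match" if entry is None else membership(entries, entry, group_dn)
```

A result of "nested" marks an account that would have to be added directly to the management group under that assumption; "no-match" with `sAMAccountName` but a hit with `cn` marks a Key Attribute mismatch.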