Administrator access via Active Directory?

Is it possible to log in to the web UI authenticated using AD?  I can't seem to get it to work.  I created a role, made sure it had the super admin box checked.  In the AD config, I used the test button to give a user and password.  Unleashed correctly printed out the various groups, including Administrators, and said the user would be assigned to that group.  The role I created was called Administrators, and had 'Administrators' in the Group Attributes, so I *assumed* it would work, but instead I get a login error.  I assume I'm missing a piece of the puzzle here, but no idea what.  Any tips appreciated.

Dan Swartzendruber

Posted 1 month ago

Tony Heung, Official Rep

Dan Swartzendruber

This is weird.  I'm trying to post syslog snippets and the site keeps giving me captcha challenges and won't let me by.  Hmmm.  I'm not sure what the heck is going on, I had to elide almost all of the information from my syslog post, or I'd get stuck in a captcha loop :(

Dan Swartzendruber

Okay, that was helpful.  All set now, thanks!

Dan Swartzendruber

Hmmm, interesting.  I either found a bug, or something confusing.  So, I have user 'Administrator' (set up during install).  Local password is (example) 'foo'.  'Administrator' account under AD has password 'bar'.  If I login as 'Administrator' and give 'bar', the log prints a message that auth is not local.  Good.  But if I use the password 'foo', it still says auth not local (although it does log me in).

Dan Swartzendruber

So if there are any 'funny' characters in the post, I had to use the </> mode.  Well then...

Dan Swartzendruber

Hmmm, interesting. I either found a bug, or something confusing. So, I have user 'Administrator' (set up during install). Local password is (example) 'foo'. 'Administrator' account under AD has password 'bar'. If I login as 'Administrator' and give 'bar', the log shows this:

2020-09-07T10:05:57-04:00 family-room-ap.druber.com syslog: pid=1577, AuthAdmin():admin login succeed, is_local_auth is 0
2020-09-07T10:05:57-04:00 family-room-ap.druber.com syslog: pid=1577, AuthAdmin():the user is not local auth,no need to promote password recovery feature!!

(I am using remote syslog feature). The above is as expected. Now, the wrong/weird thing. I login as 'Administrator' using 'foo', and log shows:

2020-09-07T10:07:15-04:00 family-room-ap.druber.com syslog: pid=1577, AuthAdmin():admin login succeed, is_local_auth is 0
2020-09-07T10:07:15-04:00 family-room-ap.druber.com syslog: pid=1577, AuthAdmin():the user is not local auth,no need to promote password recovery feature!!

e.g. even though I gave the local password (I have fallback box checked), it is still claiming not local authentication?
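
Added example, not part of the original post and not Ruckus code: a small Python parser for the AuthAdmin() success records quoted above, as received over remote syslog, that tallies admin logins per host and reported is_local_auth value so they can be compared against the authentication source you expected. The record format is assumed only from the lines in this thread, and the code takes no position on what the flag means.

```python
import re
from collections import Counter
from datetime import datetime

# Record format assumed from the log lines quoted in this thread only.
LOGIN_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+syslog:\s+pid=(?P<pid>\d+),\s*"
    r"AuthAdmin\(\):admin login succeed, is_local_auth is (?P<flag>\d+)"
)

def parse_admin_logins(text):
    """Return one dict per AuthAdmin() login-success record found in text.

    finditer() is used instead of splitting on newlines so records still
    parse when several were pasted onto a single line. Other AuthAdmin()
    messages (such as the password-recovery one) are skipped.
    """
    events = []
    for m in LOGIN_RE.finditer(text):
        events.append({
            "time": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "pid": int(m["pid"]),
            "is_local_auth": int(m["flag"]),
        })
    return events

def summarize(events):
    """Count successful admin logins per (host, is_local_auth) pair."""
    return Counter((e["host"], e["is_local_auth"]) for e in events)

# Sample input: the four records from the post, run together on one line.
SAMPLE = (
    "2020-09-07T10:05:57-04:00 family-room-ap.druber.com syslog: pid=1577, "
    "AuthAdmin():admin login succeed, is_local_auth is 0 "
    "2020-09-07T10:05:57-04:00 family-room-ap.druber.com syslog: pid=1577, "
    "AuthAdmin():the user is not local auth,no need to promote password "
    "recovery feature!! "
    "2020-09-07T10:07:15-04:00 family-room-ap.druber.com syslog: pid=1577, "
    "AuthAdmin():admin login succeed, is_local_auth is 0 "
    "2020-09-07T10:07:15-04:00 family-room-ap.druber.com syslog: pid=1577, "
    "AuthAdmin():the user is not local auth,no need to promote password "
    "recovery feature!!"
)

if __name__ == "__main__":
    for (host, flag), count in summarize(parse_admin_logins(SAMPLE)).items():
        print(f"{host}: {count} admin login(s) with is_local_auth={flag}")
```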

Tony Heung, Official Rep

The syslog message "no need to promote password recovery feature" takes a number of factors to be generated, not necessarily all based on whether it is local auth or not.  I wouldn't conclude, based on this message alone, that the system has determined this is not local auth even when using the local password.  What if you set up a different admin username for AD while keeping the Administrator username as local?  Would you get the same result?

Dan Swartzendruber

One point of confusion: administrator happens to also be an AD user.  So, I changed the local user to 'admin'.  I then logged in via ssh:

Please login: admin
Password:
Welcome to Ruckus Unleashed Network Command Line Interface
ruckus>

admin login succeed, is_local_auth is 0

Something is not right?



Tony Heung, Official Rep

Understood.  Basically the AD auth is working fine but you found it odd that the system returned the message saying it is local auth instead?  Maybe it's time to log a ticket with support so they can examine the log in more detail.

Syamantak Omer, Official Rep

Hi Dan,

Whatever user name and password are configured under Admin & Service >> Administrator >> Preference >> Administrator Name/Password, that is the only user which can access the CLI of the Unleashed. This is as per design.



Let us know if you are observing different behavior.

Regards,
Syamantak Omer

Dan Swartzendruber

Yes, I am.  'dswartz' is my personal account in AD.  See:

[[email protected] ~]# ssh 10.0.0.18

Please login: dswartz
Password:
Welcome to Ruckus Unleashed Network Command Line Interface



Dan Swartzendruber

Tony, precisely.  It seems weird it's telling me non-local when that clearly isn't the case.  NB: I am not complaining about an issue here, just thought you might want to know something is off.  I don't have a paid contract, so is it even possible for me to open a ticket?

Tony Heung, Official Rep

Thanks Dan for the info.  I will talk to the engineering team in the next meeting.

Dan Swartzendruber

Syamantak, you seem to be using a version of Unleashed without the AAA support?