How to limit admin login based on User Group using Microsoft LDAP on Sz/vSZ(e.g. Guestpass Access)

vijaykuniyal — Wed, 15 Nov 2023 01:29:12 GMT

This article explains how to limit admin login based on User Group using Microsoft LDAP on Sz/vSZ, in this example we will cover Guestpass Access.

SUMMARY:
Customer wants to use Microsoft LDAP to allow admin login only for Guestpass generation based on User Group using Microsoft LDAP on Sz/vSZ.

Validation has been done 6.1.1.X firmware version.

We will cover below setting from Microsoft AD Perspective.

User Group Mapping
How to find DN pattern

from SZ/vSZ perspective

Administrator
Group
AAA
Search filter

Microsoft AD User Group setting.

From Microsoft AD open Administrative Tools>>>Active Directory Users and Computer.
User Group Mapping

In Active Directory Users and Computer select the group which needs to allowed for Guestpass generation and Map Members to it with the Add button.

e.g.
GPASS is the Group as below.
vijayguest is the member mapped to it.

How to find right DN pattern (Group and User)

Open command Prompt and run below command one by one.


("dsquery group -name <groupname>")
("dsquery group -name <username>")

<groupname> is variable "GPASS" as in below example

<username> is variable "Administrator" as in below example

This DN pattern will be used in the AAA server setting for Search filter and Administrator Domain.

Administrator

Create an administrator user on SZ/vSZ GUI>>>Administration>>>Admin and Roles>>>Administrator

(guestpassuser for example, this is a dummy user).

Groups

Create an Group on SZ/vSZ GUI>>>Administration>>>Admin and Roles>>>Groups

With below settingas example.

Permission

Resources

Administrator

Move user to the right with the arrow to map to the group.

Review

Review the setting and click OK.

AAA

Create an AAA LDAP server on SZ/vSZ GUI>>>Administration>>>Admin and Roles>>>AAA

Turn on Default Role Mapping
Select User Groupcreated as above(GPASS)
Select Administrator created as above(guestpassuser)
Select LDAP from the checkbox
Fill Realm as AD domain (wireless.com for example)

IP address of Server and Port number (389 for LDAP)
Base Doamin(exact domain) and Admin Domain based on ds query for Administrator.
Type LDAP Administrator password and Confirm password.
Fill Key Attribute: "cn"

Search filter

Search Filter in the below format and Click OK to Save.(based on the dsquesy results, max character limit in the box is 64)


(objectClass=*)(memberof=CN=GPASS,CN=Users,DC=wireless,DC=com)

Test AAA Server

AD User part of GPASS group will pass authentication.

AD User not a member of GPASS group will fail to authenticate.

Once tested verify login from the admin page as well.

LDAP User group authentication will succeed (GPASS in this example).

Authentication will fail for non LDAP Group User (GPASS in this example).

topic How to limit admin login based on User Group using Microsoft LDAP on Sz/vSZ(e.g. Guestpass Access) in RUCKUS Self-Help

How to limit admin login based on User Group using Microsoft LDAP on Sz/vSZ(e.g. Guestpass Access)