10-18-2022 09:22 AM
Objective:
The AD for Dot1x (802.1X) authentication feature was introduced in Zone Director firmware version 10.2 onwards. Once the necessary configuration is in place, the ZD interacts with the AD server during client access: the ZD receives a RADIUS request originating from the client device that carries EAP-MSCHAP together with a username/password belonging to the Active Directory domain. The ZD uses its local certificate for the first level of authentication and fetches the password from the remote AD server for the second-level MSCHAP authentication.
Prerequisites:
Step-1: Zone Director configuration. In our example the configuration was done on a ZD1200 running firmware 10.5.x.
a. Navigate to the “Services & Profiles” menu and locate “AAA Servers”.
b. Click the Create tab and choose the profile type “AD for 802.1x”.
c. Input all necessary values as shown below. Make sure the ZD can resolve the “Server Device Name”.
Step-2: Set up a Windows Domain Controller with the Active Directory service running. In the example below, Windows Server 2016 was used.
a. Make sure the Full computer name is configured. Right-click the Windows icon >> System >> “Computer name, domain, and workgroup settings”, and validate the value shown in the Full computer name section. This value must match the Zone Director configuration in Step-1 > c.
b. Click Change settings if the Full computer name needs to be updated.
c. In the example below, Win2K16 is the computer name and cslab86.local is the domain name, so the Full computer name is “Win2K16.cslab86.local”.
d. In Active Directory Users and Computers, create the user group and the user credentials that will be given to the wireless users.
Step-3: Validating the configuration from Zone Director
a. Navigate to the “Services & Profiles” menu and locate “AAA Servers”. Under the “Test Auth/Acc Servers Settings” section, choose the AD for Dot1x profile to be tested and click the “Test” button. If the profile configuration is correct, a Success! message is displayed.
b. The configured AD for Dot1x profile can now be mapped to a WLAN. Navigate to the “Wireless LAN” tab >> Create New WLAN. Under Authentication Method choose 802.1x EAP along with the configured authentication server. Users connecting to this WLAN will authenticate against the AD server.
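As an added pre-flight check (not part of the original post), the following PowerShell script, run on the domain controller, verifies the three things Step-2 and Step-3 depend on before the ZD “Test” button is used: the Full computer name matches the “Server Device Name” entered in Step-1 c, that name resolves in DNS, and the wireless user group actually contains enabled accounts. The expected name “Win2K16.cslab86.local” is taken from the example above; the group name “WirelessUsers” is an assumption, as the post does not name the group.

```powershell
# Added pre-flight check for the AD for Dot1x setup; not from the original post.
# Run on the domain controller. Group name "WirelessUsers" is assumed.
param(
    [string]$ExpectedServerDeviceName = 'Win2K16.cslab86.local',  # value entered in ZD, Step-1 c
    [string]$WirelessGroup            = 'WirelessUsers'           # group created in Step-2 d (assumed name)
)

$ok = $true

# 1. Build the Full computer name the same way System > Computer name displays it.
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$fqdn = '{0}.{1}' -f $cs.DNSHostName, $cs.Domain
if ($fqdn -ieq $ExpectedServerDeviceName) {
    Write-Host "OK   Full computer name matches ZD profile: $fqdn"
} else {
    Write-Warning "MISMATCH  Windows reports '$fqdn' but the ZD profile has '$ExpectedServerDeviceName'"
    $ok = $false
}

# 2. The ZD must be able to resolve that name. This checks the DNS server the DC
#    itself uses; the ZD should point at the same DNS for the result to carry over.
try {
    $a = Resolve-DnsName -Name $ExpectedServerDeviceName -Type A -ErrorAction Stop
    Write-Host ("OK   DNS resolves to " + ($a.IPAddress -join ', '))
} catch {
    Write-Warning "DNS   '$ExpectedServerDeviceName' did not resolve: $($_.Exception.Message)"
    $ok = $false
}

# 3. The group handed to wireless users must exist and hold at least one enabled account,
#    otherwise the ZD test succeeds but no client can actually log in.
Import-Module ActiveDirectory -ErrorAction Stop
$members = Get-ADGroupMember -Identity $WirelessGroup -Recursive |
           Where-Object objectClass -eq 'user' |
           Get-ADUser -Properties Enabled |
           Where-Object Enabled
if ($members) {
    Write-Host "OK   $(@($members).Count) enabled user(s) in '$WirelessGroup'"
} else {
    Write-Warning "GROUP '$WirelessGroup' has no enabled user accounts"
    $ok = $false
}

if (-not $ok) { exit 1 }
```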