This article explains how to limit admin login based on User Group using Microsoft LDAP on SZ/vSZ; in this example we cover Guestpass access.
SUMMARY: Customer wants to use Microsoft LDAP to allow admin login only for Guestpass generation, based on User Group, on SZ/vSZ.
Validation has been done on the 6.1.1.X firmware version.
We will cover the settings below.
From the Microsoft AD perspective:
User Group Mapping
How to find the DN pattern
From the SZ/vSZ perspective:
Administrator
Group
AAA Search filter
Microsoft AD User Group setting
From Microsoft AD open Administrative Tools>>>Active Directory Users and Computers.
User Group Mapping
In Active Directory Users and Computers select the group which needs to be allowed for Guestpass generation and map members to it with the Add button.
e.g. GPASS is the group as below; vijayguest is the member mapped to it.
How to find the right DN pattern (Group and User)
Open a command prompt and run the commands below one by one (the group lookup uses "dsquery group", the user lookup "dsquery user").
dsquery group -name <groupname>
dsquery user -name <username>
<groupname> is the variable, "GPASS" in the example below.
<username> is the variable, "Administrator" in the example below.
The DN pattern returned will be used in the AAA server setting for the Search filter and the Administrator Domain.
Create an administrator user on the SZ/vSZ GUI>>>Administration>>>Admin and Roles>>>Administrator (guestpassuser for example; this is a dummy user).
Create a Group on the SZ/vSZ GUI>>>Administration>>>Admin and Roles>>>Groups with the settings below as an example.
Move the user to the right with the arrow to map it to the group.
Review the settings and click OK.
Create an AAA LDAP server on the SZ/vSZ GUI>>>Administration>>>Admin and Roles>>>AAA with the following settings:
Turn on Default Role Mapping.
Select the User Group created above (GPASS).
Select the Administrator created above (guestpassuser).
Select LDAP from the checkbox.
Fill Realm as the AD domain (wireless.com for example).
IP address of the server and port number (389 for LDAP).
Base Domain (exact domain) and Admin Domain based on the dsquery result for Administrator.
Type the LDAP Administrator password and confirm the password.
Fill Key Attribute: "cn".
Search Filter in the format below (based on the dsquery results; the maximum character limit in the box is 64), then click OK to save.
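The following Python helper is an added example and is not part of this article or of Ruckus software. It ties the two command-line steps together: it takes the DN strings that dsquery prints for the group and for the Administrator account (constructed sample output below, not captured from a real domain), derives the Base Domain and Admin Domain values, builds a group-restricted search filter, and checks that filter against the 64-character limit of the Search Filter box stated above. The filter format used here, a memberOf match on the group DN, is an assumption for illustration; paste the format the article prescribes if it differs. The RFC 4515 escaping keeps a group name containing characters such as "*" or "(" from changing the meaning of the filter.

```python
import re

SEARCH_FILTER_MAX = 64  # maximum length of the SZ/vSZ Search Filter box, as stated in the article

# RFC 4515 escaping for values embedded in an LDAP search filter
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string so it can be placed inside an LDAP filter without altering its structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_dsquery_dn(output: str) -> str:
    """Extract the DN from dsquery output, which prints it wrapped in double quotes,
    e.g. "CN=GPASS,CN=Users,DC=wireless,DC=com" (constructed sample)."""
    match = re.search(r'"([^"]+)"', output)
    if not match:
        raise ValueError("no quoted DN found in dsquery output")
    return match.group(1)


def split_dn(dn: str) -> list:
    """Split a DN into (ATTRIBUTE, value) pairs; commas escaped as '\\,' stay inside the value."""
    pairs = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().upper(), value))
    return pairs


def base_domain_from_dn(dn: str) -> str:
    """Join the DC components into the Base Domain value: DC=wireless,DC=com -> wireless.com."""
    return ".".join(value for attr, value in split_dn(dn) if attr == "DC")


def group_search_filter(group_dn: str) -> str:
    """Filter that matches only AD users who are members of the group.
    ASSUMPTION: uses AD's memberOf attribute; the article's own filter format is not reproduced here."""
    return f"(memberOf={escape_filter_value(group_dn)})"


def filter_fits(search_filter: str) -> bool:
    """True if the filter fits the 64-character Search Filter box."""
    return len(search_filter) <= SEARCH_FILTER_MAX


def build_aaa_settings(group_query_output: str, admin_query_output: str) -> dict:
    """Assemble the values to paste into the SZ/vSZ AAA LDAP profile from the two dsquery outputs."""
    group_dn = parse_dsquery_dn(group_query_output)
    admin_dn = parse_dsquery_dn(admin_query_output)
    search_filter = group_search_filter(group_dn)
    return {
        "base_domain": base_domain_from_dn(group_dn),
        "admin_domain": admin_dn,
        "search_filter": search_filter,
        "search_filter_length": len(search_filter),
        "search_filter_fits": filter_fits(search_filter),
    }


# Constructed sample dsquery output (not captured from a real domain)
GROUP_QUERY_OUTPUT = '"CN=GPASS,CN=Users,DC=wireless,DC=com"\n'
ADMIN_QUERY_OUTPUT = '"CN=Administrator,CN=Users,DC=wireless,DC=com"\n'
# The same group placed under nested OUs: the resulting filter no longer fits the 64-character box
DEEP_GROUP_QUERY_OUTPUT = '"CN=GPASS,OU=Wireless Guest Operators,OU=Corporate Groups,DC=wireless,DC=com"\n'

if __name__ == "__main__":
    for label, out in (("Users container", GROUP_QUERY_OUTPUT), ("nested OU", DEEP_GROUP_QUERY_OUTPUT)):
        settings = build_aaa_settings(out, ADMIN_QUERY_OUTPUT)
        status = "OK" if settings["search_filter_fits"] else "TOO LONG for the Search Filter box"
        print(f"{label}: {settings['search_filter']} ({settings['search_filter_length']} chars) -> {status}")
```

The nested-OU sample shows the practical consequence of the 64-character limit: a group that lives deep in the OU tree produces a DN too long for the box, so either the group must sit in a shorter container (as with CN=Users in the article's example) or the filter format must be shortened.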