How to limit admin login based on User Group using Microsoft LDAP on SZ/vSZ (e.g. Guestpass Access)

vijaykuniyal
RUCKUS Team Member

This article explains how to limit admin login on SZ/vSZ to members of a specific Microsoft LDAP (Active Directory) user group. In this example the allowed login is restricted to Guestpass access.

SUMMARY:
The customer wants to use Microsoft LDAP on SZ/vSZ so that admin login is allowed only for Guestpass generation, based on the user's LDAP group membership.

Validation was done on firmware version 6.1.1.X.

We will cover the following settings from the Microsoft AD perspective:

User Group Mapping
How to find DN pattern

and from the SZ/vSZ perspective:

Administrator
Group
AAA
Search filter

Microsoft AD User Group setting

On the Microsoft AD server open Administrative Tools>>>Active Directory Users and Computers.
User Group Mapping


In Active Directory Users and Computers, select the group that should be allowed to generate Guestpasses and map members to it with the Add button.

e.g.
GPASS is the group.
vijayguest is the member mapped to it.


How to find the right DN pattern (Group and User)

Open a command prompt on the AD server and run the commands below one at a time.


dsquery group -name <groupname>
dsquery user -name <username>

<groupname> is the group name, "GPASS" in this example.

<username> is the user name, "Administrator" in this example.


Each command prints the object's DN. These DNs are used in the AAA server settings: the group DN in the Search filter and the user DN as the Administrator Domain.

Administrator

Create an administrator user on the SZ/vSZ GUI>>>Administration>>>Admin and Roles>>>Administrator

(guestpassuser in this example; this is a dummy user).


Groups

Create a Group on the SZ/vSZ GUI>>>Administration>>>Admin and Roles>>>Groups

with the settings below as an example.

Permission


Resources


Administrator

Move the user to the right with the arrow to map it to the group.


Review

Review the settings and click OK.


AAA

Create an AAA LDAP server on the SZ/vSZ GUI>>>Administration>>>Admin and Roles>>>AAA


Turn on Default Role Mapping.
Select the User Group created above (GPASS).
Select the Administrator created above (guestpassuser).
Select LDAP with the checkbox.
Fill in Realm with the AD domain (wireless.com for example).


IP address of the server and port number (389 for LDAP).
Base Domain (the exact domain) and Admin Domain, based on the dsquery result for Administrator.
Type the LDAP Administrator password and confirm it.
Fill in Key Attribute: "cn"


Search filter

Enter the Search filter in the format below (based on the dsquery results; the box accepts at most 64 characters) and click OK to save.


(objectClass=*)(memberof=CN=GPASS,CN=Users,DC=wireless,DC=com)

Test AAA Server

An AD user who is a member of the GPASS group passes authentication.


An AD user who is not a member of the GPASS group fails to authenticate.

Once tested, verify login from the admin page as well.

Login succeeds for a user in the LDAP group (GPASS in this example).


Login fails for a user who is not a member of the LDAP group (GPASS in this example).
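The dsquery-to-Search-filter steps above and the member/non-member outcome of the AAA test, combined in one added example (written for this page, not code from the article or from the SmartZone product): it extracts the DN from dsquery output, escapes it per RFC 4515 so a group name containing parentheses or an asterisk cannot alter the filter, builds the filter in the article's format, checks the 64-character box limit, and models the membership decision offline. The dsquery output line and the users' memberOf lists are constructed sample data, and the membership check is a simplified exact-DN comparison.

```python
import re

# Limit of the SmartZone Search filter box, as stated in the article.
SZ_FILTER_MAX_LEN = 64

# RFC 4515 escapes for characters that would otherwise change an LDAP filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed sample of what `dsquery group -name GPASS` prints on the DC.
SAMPLE_DSQUERY_OUTPUT = '"CN=GPASS,CN=Users,DC=wireless,DC=com"\n'

# Constructed sample memberOf values for two AD users (not real accounts).
SAMPLE_USERS = {
    "vijayguest": ["CN=GPASS,CN=Users,DC=wireless,DC=com"],
    "otheruser": ["CN=Domain Users,CN=Users,DC=wireless,DC=com"],
}


def escape_filter_value(value: str) -> str:
    """Escape a value before embedding it in an LDAP filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_dsquery_dn(output: str) -> str:
    """Return the first DN in dsquery output; dsquery prints DNs in double quotes."""
    match = re.search(r'"([^"]+)"', output)
    if match is None:
        raise ValueError("no DN found in dsquery output")
    return match.group(1)


def build_group_filter(group_dn: str) -> str:
    """Build the Search filter in the format the article uses."""
    return f"(objectClass=*)(memberof={escape_filter_value(group_dn)})"


def fits_filter_box(search_filter: str) -> bool:
    """True if the filter fits the 64-character SmartZone box."""
    return len(search_filter) <= SZ_FILTER_MAX_LEN


def is_group_member(member_of: list, group_dn: str) -> bool:
    """Simplified offline model of the AAA test: case-insensitive exact DN match."""
    return any(dn.casefold() == group_dn.casefold() for dn in member_of)


if __name__ == "__main__":
    dn = parse_dsquery_dn(SAMPLE_DSQUERY_OUTPUT)
    ldap_filter = build_group_filter(dn)
    print(ldap_filter, "fits box:", fits_filter_box(ldap_filter))
    for user, groups in SAMPLE_USERS.items():
        print(user, "pass" if is_group_member(groups, dn) else "fail")
```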


Vijay Kuniyal

Staff Technical Support Engineer

CCNA RnS | CCNA Wireless | CWNA | RASZA | Meraki CMNO | RACPA