11-02-2023 07:56 PM - edited 11-14-2023 05:29 PM
This article explains how to limit admin login to members of a specific user group using Microsoft LDAP on SZ/vSZ. In this example we cover Guestpass access.
SUMMARY:
The customer wants to use Microsoft LDAP to allow admin login for Guestpass generation only, based on User Group membership, on SZ/vSZ.
Validation was done on the 6.1.1.X firmware version.
We will cover the following settings, first from the Microsoft AD perspective:
User Group Mapping
How to find DN pattern
and then from the SZ/vSZ perspective:
Administrator
Group
AAA
Search filter
Microsoft AD User Group setting.
From Microsoft AD open Administrative Tools>>>Active Directory Users and Computers.
User Group Mapping
In Active Directory Users and Computers, select the group that needs to be allowed for Guestpass generation and map members to it with the Add button.
e.g. GPASS is the group shown below, and vijayguest is the member mapped to it.
How to find right DN pattern (Group and User)
Open a command prompt and run the commands below one at a time.
dsquery group -name <groupname>
dsquery user -name <username>
<groupname> is the variable, "GPASS" in the example below.
<username> is the variable, "Administrator" in the example below.
This DN pattern will be used in the AAA server setting for Search filter and Administrator Domain.
Administrator
Create an administrator user on SZ/vSZ GUI>>>Administration>>>Admin and Roles>>>Administrator
(guestpassuser for example, this is a dummy user).
Groups
Create a group on SZ/vSZ GUI>>>Administration>>>Admin and Roles>>>Groups
with the settings below as an example.
Permission
Resources
Administrator
Move the user to the right with the arrow to map it to the group.
Review
Review the settings and click OK.
AAA
Create an AAA LDAP server on SZ/vSZ GUI>>>Administration>>>Admin and Roles>>>AAA
Turn on Default Role Mapping.
Select the User Group created above (GPASS).
Select the Administrator created above (guestpassuser).
Select LDAP from the checkbox.
Fill in Realm as the AD domain (wireless.com for example).
Fill in the IP address of the server and the port number (389 for LDAP).
Fill in Base Domain (exact domain) and Admin Domain based on the dsquery result for Administrator.
Type the LDAP Administrator password and confirm it.
Fill in Key Attribute: "cn"
Search filter
Enter the Search Filter in the format below (based on the dsquery results; the maximum length of the field is 64 characters) and click OK to save.
(objectClass=*)(memberof=CN=GPASS,CN=Users,DC=wireless,DC=com)
Test AAA Server
An AD user who is a member of the GPASS group will pass authentication.
An AD user who is not a member of the GPASS group will fail to authenticate.
Once tested, verify login from the admin page as well.
Authentication succeeds for LDAP users in the mapped group (GPASS in this example).
Authentication fails for users who are not members of that LDAP group (GPASS in this example).
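The following is an added example, not Ruckus code, that sanity-checks the Search Filter from the AAA step offline: it assumes the SZ/vSZ ANDs the Key Attribute (cn) match with the configured Search Filter, uses constructed AD entries (vijayguest, alice, bob) rather than real directory data, and shows that only a direct member of GPASS passes, including the case of a user whose membership is only through a nested group.

```python
# Offline sanity check of the Search Filter from the AAA step above (added example, not Ruckus
# code). Assumed: the SZ ANDs the Key Attribute match with the Search Filter; the box holds 64 chars.
SEARCH_FILTER = "(objectClass=*)(memberof=CN=GPASS,CN=Users,DC=wireless,DC=com)"
KEY_ATTRIBUTE = "cn"
FILTER_BOX_LIMIT = 64
# Constructed AD entries, not real directory data. In AD, memberOf lists only the
# groups a user is a DIRECT member of, so membership via a nested group does not match.
DIRECTORY = [
    {"cn": ["vijayguest"], "objectClass": ["user"],
     "memberOf": ["CN=GPASS,CN=Users,DC=wireless,DC=com"]},
    {"cn": ["alice"], "objectClass": ["user"],
     "memberOf": ["CN=Domain Users,CN=Users,DC=wireless,DC=com"]},
    {"cn": ["bob"], "objectClass": ["user"],  # Helpdesk is assumed to be nested inside GPASS
     "memberOf": ["CN=Helpdesk,CN=Users,DC=wireless,DC=com"]},
]

def check_filter_fits(search_filter: str) -> bool:
    """True when the filter fits the GUI box and its parentheses balance."""
    return (len(search_filter) <= FILTER_BOX_LIMIT
            and search_filter.count("(") == search_filter.count(")"))

def compose_filter(user: str) -> str:
    """Filter effectively evaluated at login: key attribute match AND the configured filter."""
    return f"(&({KEY_ATTRIBUTE}={user}){SEARCH_FILTER})"

def _split_siblings(s: str) -> list:
    """Split '(a)(b)(c)' into ['(a)', '(b)', '(c)'] at parenthesis depth zero."""
    items, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        depth += 1 if ch == "(" else -1 if ch == ")" else 0
        if depth == 0:
            items.append(s[start:i + 1])
            start = i + 1
    return items

def matches(entry: dict, ldap_filter: str) -> bool:
    """Evaluate the filter subset used here ('&', attr=value, attr=*) against one entry."""
    inner = ldap_filter[1:-1]
    if inner[0] == "&":
        return all(matches(entry, f) for f in _split_siblings(inner[1:]))
    attr, _, value = inner.partition("=")
    key = next((k for k in entry if k.lower() == attr.lower()), None)  # attribute names are case-insensitive
    values = entry.get(key, [])
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)  # AD compares cn and DN values case-insensitively

def admin_login_allowed(user: str) -> bool:
    """Mirror the SZ check: exactly one directory entry satisfies the composed filter."""
    return sum(matches(e, compose_filter(user)) for e in DIRECTORY) == 1
```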