
Configuring Unified Wireless Network Authentication with Novell's eDirectory Database

August 28, 2015 (machine translation of the English version dated April 22, 2015)




Introduction

In the K-12 education space there is a growing need to authenticate wireless users against accounts created in Novell's eDirectory. Because of the distributed nature of K-12 environments, individual schools may not have the resources to place a RADIUS server at each site, nor do they want the additional overhead of configuring those RADIUS servers. The only way to accomplish this is to use LDAP communication between the Wireless LAN Controller (WLC) and the LDAP server. The Cisco Wireless LAN Controller supports local EAP authentication against an external LDAP database such as Microsoft Active Directory. This white paper describes a Cisco WLC configured for local EAP authentication with Novell's eDirectory enabled as a fully featured LDAP server. One caveat to note: the test client used the Cisco Aironet Desktop software to perform 802.1x authentication. Novell does not currently support 802.1x with its own client. As a result, depending on the client, a two-stage login process can occur. Note these references:

Novell 802.1x statement

"Currently, they must log in twice. When the Novell client is installed, the user must log in using the Workstation Only checkbox on the initial login dialog to allow 802.1x user authentication; once the desktop has initialized, they must then log in to the Novell network using the 'red N' login tool. This is referred to as a two-stage login."

An alternative to the "Workstation Only" login is to configure the Novell client with "Initial Novell Login=Off" in the Advanced Login settings (the default is "Initial Novell Login=On"). For more information, refer to 802.1x Authentication and the Novell Client for Windows.

Third-party clients such as the Meetinghouse Aegis client (Cisco Secure Services Client), a Novell technology partner, might not require a dual login. For more information, refer to SecureConnect support.

Another possible workaround for the Novell client is to have machine (or user) 802.1x authentication to the WLAN performed before the Novell GINA runs.

Testing single sign-on solutions with the Novell client and 802.1x is beyond the scope of this white paper.

Test Setup

Solution tested

  • Cisco Wireless LAN Controller with 6.0.188.0 software

  • Cisco Aironet LWAPP AP 1242AG

  • Windows XP with Cisco Aironet Desktop software 4.4

  • Windows Server 2003 with Novell eDirectory 8.8.5

  • Novell ConsoleOne 1.3.6h (eDirectory management tool)

Network Topology

Figure 1

http://www.cisco.com/c/dam/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/112137-novell-edirectory-01.gif

Device                      IP address                         Subnet mask      Default gateway
Novell eDirectory           192.168.3.3                        255.255.255.0    192.168.3.254
Layer 3 switch              192.168.3.254                      255.255.255.0    --
AP                          Assigned via DHCP from L3 switch   255.255.255.0    192.168.3.254
WLC management interface    192.168.3.253                      255.255.255.0    192.168.3.254
WLC AP-manager interface    192.168.3.252                      255.255.255.0    192.168.3.254

Configuration

Novell eDirectory Configuration

A full Novell eDirectory installation and configuration is beyond the scope of this white paper. Novell eDirectory must be installed together with its LDAP components.

The key configuration parameters required are that Simple Password must be enabled for the user accounts and that authenticated LDAP must be configured. LDAP over TLS was supported with earlier WLC code (4.2); however, Cisco WLAN Controller software no longer supports secure LDAP.

  1. When you configure the LDAP server portion of eDirectory, make sure the unencrypted LDAP port (389) is enabled. See Figure 2, taken from the Novell iManager application.

    Figure 2

    http://www.cisco.com/c/dam/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/112137-novell-edirectory-02.gif

  2. When eDirectory is installed, it prompts you for the tree structure, domain name, and so on. If eDirectory is already installed, Novell's ConsoleOne (Figure 3) is an easy tool for viewing the eDirectory structure. Knowing the proper schema is critical when you try to establish communication with the WLC. You must also arrange for an account that allows the WLC to perform an authenticated bind to the LDAP server. For simplicity, the Novell eDirectory admin account was used for the authenticated bind in this case.

    Figure 3

    http://www.cisco.com/c/dam/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/112137-novell-edirectory-03.gif

  3. Use ConsoleOne to verify that the LDAP group allows clear-text passwords.

    Figure 4

    http://www.cisco.com/c/dam/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/112137-novell-edirectory-04.gif

  4. Verify that, under the OU, the security settings have Simple Password enabled.

    Figure 5

    http://www.cisco.com/c/dam/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/112137-novell-edirectory-05.gif

Another useful tool for viewing the Novell eDirectory structure is the browser included with the default installation.

Figure 6

http://www.cisco.com/c/dam/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/112137-novell-edirectory-06.gif

WLC Configuration

Refer to Figure 1 for the physical topology of the test network. The WLC used for this test was configured according to standard practice, with the AP-manager and management interfaces on the same subnet and untagged from a VLAN perspective.

Figure 7

http://www.cisco.com/c/dam/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/112137-novell-edirectory-07.gif

  1. Configure local EAP authentication: Security > Local EAP > General.

    The standard defaults were left unchanged.

    Figure 8

    http://www.cisco.com/c/dam/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/112137-novell-edirectory-08.gif

  2. Create a new local EAP profile: Security > Local EAP > Profiles.

    For this test case, the local EAP profile name chosen was eDirectory. The authentication methods selected were LEAP, EAP-FAST and PEAP; however, only PEAP was tested in this document.

    Figure 9

    http://www.cisco.com/c/dam/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/112137-novell-edirectory-09.gif

    When you configure local EAP authentication for PEAP, you must have a certificate installed on the WLC. In this case, for ease of testing, the manufacturer-installed Cisco certificate was used; however, a customer-installed certificate can also be used. Client certificates are not required for PEAP-GTC, but they can be enabled for the inner PEAP method if necessary.

    Figure 10

    http://www.cisco.com/c/dam/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/112137-novell-edirectory-10.gif

  3. Set the authentication priority for LDAP: Security > Local EAP > Authentication Priority.

    Figure 11

    http://www.cisco.com/c/dam/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/112137-novell-edirectory-11.gif

  4. Add the LDAP server to the WLC: Security > AAA > LDAP.

    Figure 12

    http://www.cisco.com/c/dam/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/112137-novell-edirectory-12.gif

  5. Configure the WLC to use Novell eDirectory (see Figure 13):

    1. Select Authenticated as the simple bind method.

    2. Enter the bind username. This is the account created within eDirectory that the WLC uses to bind to eDirectory.

      Note: Make sure you enter the correct directory attribute for the username. For this test case, cn=Admin,o=ZION was used.

    3. Enter the bind password. This is the password of the bind user account.

    4. Enter the User Base DN. This is the domain name under which user account lookups for wireless users are performed. In the test case, user lookups are at the root of the DN (o=Zion). If users are nested within other groups/organizations, concatenate them with commas (for example, "o=ZION, o=WLCUser").

    5. Enter the User Attribute. This is the Common Name (CN) (see Figure 6).

    6. User Object Type: this is set to user.

    Figure 13

    http://www.cisco.com/c/dam/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/112137-novell-edirectory-13.gif
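As an added example (not Cisco's or Novell's code), the following Python script reproduces the lookup the WLC performs with the settings from this step, so they can be checked before clients try PEAP-GTC: an authenticated simple bind as the bind user, a subtree search under the User Base DN with the filter (&(objectclass=user)(cn=<username>)), and a simple bind as the returned DN with the user's password. It escapes the username inside the filter per RFC 4515 and normalizes a User Base DN typed with spaces after the commas. The server 192.168.3.3, the bind DN cn=Admin,o=ZION and the base o=ZION come from this document; the passwords, the use of the ldap3 package and all helper names are the example's own assumptions.

```python
"""Added example, not Cisco's or Novell's code: reproduce the LDAP lookup the
WLC performs against eDirectory (authenticated bind, subtree search under the
User Base DN, then a simple bind as the returned DN). Host, bind DN and base
DN are the document's test values; passwords and the ldap3 package are assumed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LdapLookupConfig:
    host: str
    port: int = 389                   # unencrypted LDAP, as this document requires
    bind_dn: str = "cn=Admin,o=ZION"  # bind username used in the test case
    user_base_dn: str = "o=ZION"      # User Base DN
    user_attribute: str = "cn"        # User Attribute
    user_object_type: str = "user"    # User Object Type


def normalize_dn(dn: str) -> str:
    """Remove whitespace after the commas of a DN typed as "o=ZION, o=WLCUser".
    Simplification: escaped commas inside RDN values are not handled."""
    return ",".join(part.strip() for part in dn.split(","))


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a username containing '*', '(', ')', '\\' or NUL
    cannot change the meaning of the search filter (hex form, e.g. '*' -> '\\2a')."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_user_filter(cfg: LdapLookupConfig, username: str) -> str:
    """Same filter shape the WLC debug output shows: (&(objectclass=user)(cn=sorr))."""
    return "(&(objectclass=%s)(%s=%s))" % (
        cfg.user_object_type, cfg.user_attribute, escape_filter_value(username))


def verify_user_login(cfg: LdapLookupConfig, bind_password: str,
                      username: str, user_password: str) -> Optional[str]:
    """Live check against eDirectory. Assumes the ldap3 package; it is imported
    here so the pure helpers above run without it. Returns the user's DN when
    the search finds exactly one entry and both binds succeed, otherwise None."""
    from ldap3 import Server, Connection, SUBTREE  # assumption: ldap3 installed
    server = Server(cfg.host, port=cfg.port, use_ssl=False)
    # 1. authenticated simple bind as the WLC bind account (raises on failure)
    admin = Connection(server, user=cfg.bind_dn, password=bind_password, auto_bind=True)
    try:
        # 2. subtree search under the User Base DN; exactly one entry is expected
        admin.search(normalize_dn(cfg.user_base_dn), build_user_filter(cfg, username),
                     search_scope=SUBTREE, attributes=[cfg.user_attribute])
        if len(admin.entries) != 1:
            return None
        user_dn = admin.entries[0].entry_dn
    finally:
        admin.unbind()
    # 3. simple bind as the returned DN with the user's password, the step the
    #    WLC logs as "Attempting user bind with username cn=sorr,o=ZION"
    user = Connection(server, user=user_dn, password=user_password)
    try:
        return user_dn if user.bind() else None
    finally:
        user.unbind()


if __name__ == "__main__":
    cfg = LdapLookupConfig(host="192.168.3.3")
    print(build_user_filter(cfg, "sorr"))
    # Example call (bind and user passwords are placeholders, not document values):
    # print(verify_user_login(cfg, "<bind-password>", "sorr", "<user-password>"))
```

Run the live check with exactly the values entered on the WLC: a result of None points at the bind account, base DN, user attribute or the Simple Password setting on the user's OU, which narrows the search before any WLAN debugging.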

  6. Create the WLAN that you want Novell eDirectory clients to use. For this test case, the WLAN profile name is eDirectory and the SSID is Novell (see Figure 14).

    Figure 14

    http://www.cisco.com/c/dam/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/112137-novell-edirectory-14.gif

  7. Enable the WLAN and apply the appropriate radio policy and interface. For this test case, the Novell SSID was enabled for the 802.11a network only and attached to the management interface.

    Figure 15

    http://www.cisco.com/c/dam/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/112137-novell-edirectory-15.gif

  8. Configure the appropriate Layer 2 security settings. For this test case, WPA+WPA2 security, WPA2 policy, AES encryption and 802.1x key management were selected.

    Figure 16

    http://www.cisco.com/c/dam/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/112137-novell-edirectory-16.gif

  9. To complete the local EAP authentication configuration with the LDAP server, configure the WLAN for local EAP authentication:

    1. Select Local EAP Authentication Enabled and apply the EAP profile created earlier (eDirectory).

    2. Under LDAP Servers, select the IP address of the configured eDirectory server (192.168.3.3).

    Figure 17

    http://www.cisco.com/c/dam/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/112137-novell-edirectory-17.gif

Client Configuration

PEAP-GTC is the current authentication requirement of the majority of K-12 schools. The WLC does not support MSCHAPv2 for local EAP authentication. As a result, you must select GTC as the EAP authentication type on the client.

The figures that follow show the Cisco Aironet Desktop software configuration for PEAP-GTC in order to connect to the WLAN SSID Novell. A similar configuration is done with the native Microsoft client that has PEAP-GTC support.

  1. Configure the client profile name and the SSID (Novell).

    Figure 18

    http://www.cisco.com/c/dam/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/112137-novell-edirectory-18.gif

  2. Select WPA/WPA2/CCKM for security and PEAP (EAP-GTC) for the EAP type.

    Figure 19

    http://www.cisco.com/c/dam/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/112137-novell-edirectory-19.gif

  3. Configure PEAP-GTC:

    1. Select Validate Server Identity and Static Password.

    2. Enter the account username and password, or the supplicant will prompt for credentials at login.

    3. Leave the Novell directory schema at <ANY>; it is not required.

    Figure 20

    http://www.cisco.com/c/dam/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/112137-novell-edirectory-20.gif

  4. Once the profile is complete, activate it; the authentication process should begin.

    Figure 21

    http://www.cisco.com/c/dam/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/112137-novell-edirectory-21.gif

Figure 22 shows a successful association and authentication via PEAP-GTC.

Figure 22

http://www.cisco.com/c/dam/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/112137-novell-edirectory-22.gif

Debugging

To verify that you can perform an authenticated BIND as well as user authentication, enable these trace options on eDirectory:

  • Authentication

  • LDAP

  • NMA

Figure 23

http://www.cisco.com/c/dam/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/112137-novell-edirectory-23.gif

As the debug shows, a successful LDAP authentication response is sent to the wireless LAN controller at 192.168.3.253:

LDAP   : (192.168.3.253:36802)(0x0020:0x63) DoSearch on connection 
    0x34367d0
LDAP   : (192.168.3.253:36802)(0x0020:0x63) Search request:
      base: "o=ZION"
      scope:2  dereference:0  sizelimit:0  timelimit:5  attrsonly:0
      filter: "(&(objectclass=user)(cn=sorr))"
      attribute: "dn"
      attribute: "userPassword"
Auth   : Starting SEV calculation for conn 23, entry .sorr.ZION.ZION..
Auth   : 1 GlobalGetSEV.
Auth   : 4 GlobalGetSEV succeeded.
Auth   : SEV calculation complete for conn 23, (0:0 s:ms).
LDAP   : (192.168.3.253:36802)(0x0020:0x63) Sending search result entry 
    "cn=sorr,o=ZION" to connection 0x34367d0
LDAP   : (192.168.3.253:36802)(0x0020:0x63) Sending operation result 0:"":"" to 
    connection 0x34367d0
LDAP   : (192.168.3.253:36802)(0x0021:0x63) DoSearch on connection 0x34367d0
LDAP   : (192.168.3.253:36802)(0x0021:0x63) Search request:
      base: "o=ZION"
      scope:2  dereference:0  sizelimit:0  timelimit:5  attrsonly:0
      filter: "(&(objectclass=user)(cn=sorr))"
      attribute: "dn"
      attribute: "userPassword"
LDAP   : (192.168.3.253:36802)(0x0021:0x63) Sending search result entry 
    "cn=sorr,o=ZION" to connection 0x34367d0
LDAP   : (192.168.3.253:36802)(0x0021:0x63) Sending operation result 0:"":"" to 
    connection 0x34367d0
LDAP   : (192.168.3.253:36802)(0x0022:0x60) DoBind on connection 0x34367d0
LDAP   : (192.168.3.253:36802)(0x0022:0x60) Bind name:cn=sorr,o=ZION, version:3,
    authentication:simple
Auth   : [0000804d] <.sorr.ZION.ZION.> LocalLoginRequest. Error success, conn: 
    22.
LDAP   : (192.168.3.253:36802)(0x0022:0x60) Sending operation result 0:"":"" to 
    connection 0x34367d0
Auth   : UpdateLoginAttributesThread page 1 processed 1 login in 0 milliseconds

Note: Some lines in the debug output are wrapped because of space constraints.

To verify that the WLC makes a successful authentication request to the eDirectory server, issue these debug commands on the WLC:

debug aaa ldap enable
debug aaa local-auth eap method events enable
debug aaa local-auth db enable

Sample output from a successful authentication:

*Dec 23 16:57:04.267: LOCAL_AUTH: (EAP) Sending password verify request profile
    'sorr' to LDAP
*Dec 23 16:57:04.267: AuthenticationRequest: 0xcdb6d54
*Dec 23 16:57:04.267:   Callback.....................................0x84cab60
*Dec 23 16:57:04.267:   protocolType.................................0x00100002
*Dec 23 16:57:04.267:   proxyState...................................
    00:40:96:A6:D6:CB-00:00
*Dec 23 16:57:04.267:   Packet contains 3 AVPs (not shown)
*Dec 23 16:57:04.267: EAP-AUTH-EVENT: Waiting for asynchronous reply from LL
*Dec 23 16:57:04.267: EAP-AUTH-EVENT: Waiting for asynchronous reply from LL
*Dec 23 16:57:04.267: EAP-AUTH-EVENT: Waiting for asynchronous reply from method
*Dec 23 16:57:04.267: ldapTask [1] received msg 'REQUEST' (2) in state 
    'CONNECTED' (3)
*Dec 23 16:57:04.267: disabled LDAP_OPT_REFERRALS
*Dec 23 16:57:04.267: LDAP_CLIENT: UID Search (base=o=ZION, 
    pattern=(&(objectclass=user)(cn=sorr)))
*Dec 23 16:57:04.269: LDAP_CLIENT: ldap_search_ext_s returns 0 85
*Dec 23 16:57:04.269: LDAP_CLIENT: Returned 2 msgs including 0 references
*Dec 23 16:57:04.269: LDAP_CLIENT: Returned msg 1 type 0x64
*Dec 23 16:57:04.269: LDAP_CLIENT: Received 1 attributes in search entry msg
*Dec 23 16:57:04.269: LDAP_CLIENT: Returned msg 2 type 0x65
*Dec 23 16:57:04.269: LDAP_CLIENT : No matched DN
*Dec 23 16:57:04.269: LDAP_CLIENT : Check result error 0 rc 1013
*Dec 23 16:57:04.269: LDAP_CLIENT: Received no referrals in search result msg
*Dec 23 16:57:04.269: ldapAuthRequest [1] called lcapi_query base="o=ZION" 
    type="user" attr="cn" user="sorr" (rc = 0 - Success)
*Dec 23 16:57:04.269: Attempting user bind with username cn=sorr,o=ZION
*Dec 23 16:57:04.273: LDAP ATTR> dn = cn=sorr,o=ZION (size 14)
*Dec 23 16:57:04.273: Handling LDAP response Success
*Dec 23 16:57:04.274: LOCAL_AUTH: Found context matching MAC address - 448
*Dec 23 16:57:04.274: LOCAL_AUTH: (EAP:448) Password verify credential callback
    invoked
*Dec 23 16:57:04.274: eap_gtc.c-TX-AUTH-PAK: 
*Dec 23 16:57:04.274: eap_core.c:1484: Code:SUCCESS  ID:0x 8  Length:0x0004  
    Type:GTC
*Dec 23 16:57:04.274: EAP-EVENT: Received event 'EAP_METHOD_REPLY' on handle 
    0xBB000075
*Dec 23 16:57:04.274: EAP-AUTH-EVENT: Handling asynchronous method response for 
    context 0xBB000075
*Dec 23 16:57:04.274: EAP-AUTH-EVENT: EAP method state: Done
*Dec 23 16:57:04.274: EAP-AUTH-EVENT: EAP method decision: Unconditional Success
*Dec 23 16:57:04.274: EAP-EVENT: Sending method directive 'Free Context' on 
    handle 0xBB000075
*Dec 23 16:57:04.274: eap_gtc.c-EVENT: Free context
*Dec 23 16:57:04.274: id_manager.c-AUTH-SM: Entry deleted fine id 68000002 - 
    id_delete
*Dec 23 16:57:04.274: EAP-EVENT: Sending lower layer event 'EAP_SUCCESS' on 
    handle 0xBB000075
*Dec 23 16:57:04.274: peap_inner_method.c-AUTH-EVENT: EAP_SUCCESS from inner 
    method GTC
*Dec 23 16:57:04.278: LOCAL_AUTH: EAP: Received an auth request
*Dec 23 16:57:04.278: LOCAL_AUTH: Found context matching MAC address - 448
*Dec 23 16:57:04.278: LOCAL_AUTH: (EAP:448) Sending the Rxd EAP packet (id 9) to
    EAP subsys
*Dec 23 16:57:04.280: LOCAL_AUTH: Found matching context for id - 448
*Dec 23 16:57:04.280: LOCAL_AUTH: (EAP:448) ---> [KEY AVAIL] send_len 64, 
    recv_len 64
*Dec 23 16:57:04.280: LOCAL_AUTH: (EAP:448) received keys waiting for success
*Dec 23 16:57:04.280: EAP-EVENT: Sending lower layer event 'EAP_SUCCESS' on 
    handle 0xEE000074
*Dec 23 16:57:04.281: LOCAL_AUTH: Found matching context for id - 448
*Dec 23 16:57:04.281: LOCAL_AUTH: (EAP:448) Received success event
*Dec 23 16:57:04.281: LOCAL_AUTH: (EAP:448) Processing keys success
*Dec 23 16:57:04.281: 00:40:96:a6:d6:cb [BE-resp] AAA response 'Success'
*Dec 23 16:57:04.281: 00:40:96:a6:d6:cb [BE-resp] Returning AAA response
*Dec 23 16:57:04.281: 00:40:96:a6:d6:cb AAA Message 'Success' received for 
    mobile 00:40:96:a6:d6:cb

Note: Some lines in the output are wrapped because of space constraints.

As more K-12 schools adopt the Cisco WLAN architecture, there will be a growing need to support wireless user authentication against Novell's eDirectory. This document verifies that a Cisco WLC can use Novell's eDirectory LDAP database to authenticate users when configured for local EAP authentication. A similar configuration could also be performed with Cisco Secure ACS authenticating users against Novell's eDirectory. Further investigation is needed for single sign-on with other WLAN clients such as the Cisco Secure Services Client and Microsoft Windows Zero Configuration.
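As an added example that is not part of the original document, the following Python checker reads a WLC debug capture and an eDirectory trace like the ones above and confirms that the milestones of a successful login appear in order, re-joining the continuation lines that the notes say are wrapped. The embedded samples are excerpts of the output shown above; the milestone names and the regular expressions are the example's own. The lines "No matched DN" and "Check result error 0 rc 1013" occur in the successful output above, so the checker deliberately does not treat them as failures.

```python
"""Added example, not code from Cisco or Novell: confirm that a WLC
'debug aaa ldap / local-auth' capture and an eDirectory trace contain, in
order, the milestones of a successful PEAP-GTC login against eDirectory.
The samples are excerpts of the output shown in this document; continuation
lines (wrapped as printed there) are re-joined before matching."""
import re

# Excerpt of the WLC debug output from this document, wrapped as printed.
WLC_SAMPLE = """\
*Dec 23 16:57:04.267: LOCAL_AUTH: (EAP) Sending password verify request profile
    'sorr' to LDAP
*Dec 23 16:57:04.267: LDAP_CLIENT: UID Search (base=o=ZION,
    pattern=(&(objectclass=user)(cn=sorr)))
*Dec 23 16:57:04.269: LDAP_CLIENT : No matched DN
*Dec 23 16:57:04.269: LDAP_CLIENT : Check result error 0 rc 1013
*Dec 23 16:57:04.269: Attempting user bind with username cn=sorr,o=ZION
*Dec 23 16:57:04.273: Handling LDAP response Success
*Dec 23 16:57:04.274: EAP-AUTH-EVENT: EAP method decision: Unconditional Success
*Dec 23 16:57:04.281: 00:40:96:a6:d6:cb [BE-resp] AAA response 'Success'
"""

# Excerpt of the eDirectory trace from this document, wrapped as printed.
EDIR_SAMPLE = """\
LDAP   : (192.168.3.253:36802)(0x0020:0x63) Search request:
      base: "o=ZION"
      scope:2  dereference:0  sizelimit:0  timelimit:5  attrsonly:0
      filter: "(&(objectclass=user)(cn=sorr))"
      attribute: "dn"
      attribute: "userPassword"
LDAP   : (192.168.3.253:36802)(0x0020:0x63) Sending search result entry
    "cn=sorr,o=ZION" to connection 0x34367d0
LDAP   : (192.168.3.253:36802)(0x0022:0x60) Bind name:cn=sorr,o=ZION, version:3,
    authentication:simple
Auth   : [0000804d] <.sorr.ZION.ZION.> LocalLoginRequest. Error success, conn:
    22.
"""

# Milestones in the order a successful authentication passes through them.
# "No matched DN" / "rc 1013" also appear in the successful output above,
# so they are deliberately not treated as errors.
WLC_MILESTONES = [
    ("password_verify", re.compile(
        r"LOCAL_AUTH: \(EAP\) Sending password verify request profile '(?P<user>[^']+)' to LDAP")),
    ("uid_search", re.compile(r"UID Search \(base=(?P<base>[^,]+),\s*pattern=(?P<filter>.+)\)")),
    ("user_bind", re.compile(r"Attempting user bind with username (?P<dn>\S+)")),
    ("ldap_success", re.compile(r"Handling LDAP response Success")),
    ("eap_success", re.compile(r"EAP method decision: Unconditional Success")),
    ("aaa_success", re.compile(r"AAA response 'Success'")),
]

EDIR_MILESTONES = [
    ("search", re.compile(r'Search request: base: "(?P<base>[^"]+)".*filter: "(?P<filter>[^"]+)"')),
    ("entry", re.compile(r'Sending search result entry "(?P<user_dn>[^"]+)"')),
    ("bind", re.compile(
        r"Bind name:(?P<bind_dn>\S+?), version:(?P<version>\d+), authentication:(?P<mech>\w+)")),
    ("login", re.compile(r"LocalLoginRequest\. Error success")),
]


def unwrap(text, is_record_start):
    """Join wrapped continuation lines back onto the record they belong to."""
    records = []
    for line in text.splitlines():
        if is_record_start(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records


def check_milestones(records, milestones):
    """Match the milestones in order in one pass over the records. Returns the
    captured fields plus 'missing': the milestones that were never reached."""
    fields, idx = {}, 0
    for rec in records:
        if idx == len(milestones):
            break
        match = milestones[idx][1].search(rec)
        if match:
            fields.update(match.groupdict())
            idx += 1
    fields["missing"] = [name for name, _ in milestones[idx:]]
    return fields


def check_wlc_debug(text):
    """WLC records start with '*' (the timestamp); anything else is a wrap."""
    return check_milestones(unwrap(text, lambda line: line.startswith("*")), WLC_MILESTONES)


def check_edir_trace(text):
    """eDirectory records start with a 'LDAP :' or 'Auth :' tag."""
    starts = re.compile(r"(LDAP|Auth)\s*:")
    return check_milestones(unwrap(text, lambda line: starts.match(line) is not None),
                            EDIR_MILESTONES)


if __name__ == "__main__":
    for name, result in (("WLC", check_wlc_debug(WLC_SAMPLE)),
                         ("eDirectory", check_edir_trace(EDIR_SAMPLE))):
        status = "OK" if not result["missing"] else "missing " + ", ".join(result["missing"])
        print(name, status, {k: v for k, v in result.items() if k != "missing"})
```

The first missing milestone tells you which side to look at: a capture that stops before "Attempting user bind" means the search under the User Base DN found nothing (base DN, user attribute or object type), while a capture that reaches the user bind but never "Handling LDAP response Success" points at the user's password or the Simple Password setting on eDirectory. The eDirectory result also reports the bind mechanism, which is "simple" over port 389 in this setup.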

Document ID: 112137