Novell Open Enterprise Server LDAP integration

Here's our setup:

- AH Device as RADIUS
- External DB, Novell eDirectory ver 8.8 SP6 (OES ver 2.0.3)

Is there a document/resource somewhere to integrate AH RADIUS with Novell eDirectory?

Thanks in advance.
McArenas

Posted 4 years ago

Andrew MacTaggart, Champ
Hey Marlon

Here is the major issue with RADIUS servers that use Novell eDirectory as an identity store.
Most RADIUS servers allow you to define the outer method for EAP authentication but not the inner one. What you will find is that during the EAP negotiation most clients will choose, for example, PEAP with the inner method MSCHAPv2. Novell eDirectory does not natively support this but does support EAP-GTC, so you would have to disable the inner method EAP-MSCHAPv2.

Cisco ACS allows you to do this, but then Windows clients won't be able to connect because they don't support EAP-GTC as an inner method. At this point I can't find a solution to this issue.

ClearPass and FreeRADIUS allow you to connect to LDAP over SSL. eDirectory needs the Universal Password:
- had to allow the bind user to retrieve the password in the Universal Password policy in eDirectory
- the bind user needs to have admin rights
- checked "Allow bind using user password"
- Password Attribute: nspmPassword
- Password Type: cleartext

You can read about it here:
https://www.netiq.com/documentation/e...

Then clients can use the inner method MSCHAPv2, and the bind user can extract the password from the Novell password hash.

So the Aerohive RADIUS would have to provide you with this capability. Maybe I will set up a test on Monday or next week and see how it goes. There is some sort of story behind FreeRADIUS and Aerohive and Aruba, but I can't recall the details.

If using EAP-TLS it should work, but it would require valid client certs on all devices and a valid server cert. The question becomes how to get the cert onto the client.

The Aerohive Client Manager solution is supposed to make this process easier, but I believe there are some restrictions, like you have to be using the Aerohive RADIUS server.

Feel free to ring me or come over if you want to test it out.
Cheers
A
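As an added example (not from this thread, and not Aerohive's or NetIQ's own configuration), here is what the settings Andrew lists look like in a FreeRADIUS 3.0 configuration: rlm_ldap bound to eDirectory over LDAPS with a privileged bind DN, the Universal Password fetched so rlm_mschap can verify the inner MSCHAPv2 exchange, and PEAP set to MSCHAPv2 as its default inner method. The hostname, DNs, file paths and bind password are placeholders. The `edir` option is FreeRADIUS's built-in Universal Password retrieval (it uses the NMAS extension rather than reading an attribute); the commented `update` block shows the attribute-based mapping of `nspmPassword` that the ClearPass notes above describe. That the Aerohive "Account Policy Check" box corresponds to `edir_autz` is my assumption, not something the thread confirms.

```conf
# /etc/raddb/mods-available/ldap  (FreeRADIUS 3.0.x; placeholders throughout)
ldap {
	# LDAPS, not plain LDAP: the Universal Password comes back in the clear.
	server = 'ldaps://edir.example.com'
	port = 636

	# Privileged bind DN. Its eDirectory password policy must allow
	# password retrieval by the admin (the "Universal Password policy"
	# change Andrew describes), otherwise retrieval is refused.
	identity = 'cn=radius-bind,ou=services,o=example'
	password = 'CHANGE-ME'

	base_dn = 'o=example'

	user {
		base_dn = "${..base_dn}"
		# eDirectory users are usually keyed by cn rather than uid.
		filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	# eDirectory Universal Password retrieval. The module sets
	# control:Cleartext-Password, from which rlm_mschap derives the
	# NT hash it needs to check the PEAP/MSCHAPv2 inner response.
	edir = yes
	# Bind as the user after retrieval so eDirectory's own account
	# policy (expired password, intruder lockout) is enforced.
	edir_autz = yes

	# Alternative if your policy exposes the Universal Password as an
	# LDAP attribute instead (the nspmPassword mapping described for
	# ClearPass above): drop edir and map the attribute directly.
	#   update {
	#     control:Cleartext-Password := 'nspmPassword'
	#   }

	tls {
		# Validate the eDirectory server certificate; do not accept any cert.
		ca_file = /etc/raddb/certs/edir-ca.pem
		require_cert = 'demand'
	}
}

# /etc/raddb/mods-available/eap  (relevant parts only)
eap {
	default_eap_type = peap

	tls-config tls-common {
		private_key_file = ${certdir}/server.pem
		certificate_file = ${certdir}/server.pem
		ca_file = ${cadir}/ca.pem
	}

	peap {
		tls = tls-common
		# The inner method Windows and macOS clients will pick.
		default_eap_type = mschapv2
		virtual_server = "inner-tunnel"
	}

	mschapv2 {
	}
}
```

For this to work, the `authorize` section of `sites-available/inner-tunnel` must call `ldap` (the `-ldap` entry in the stock file) before `mschap` runs, so Cleartext-Password is already in the request when the MSCHAPv2 response is checked. Before touching RADIUS at all, confirm the bind DN can actually read the password: `ldapsearch -H ldaps://edir.example.com -D 'cn=radius-bind,ou=services,o=example' -W -b 'o=example' '(cn=jdoe)' nspmPassword` should return the attribute for a test user; if it comes back empty the password policy, not the RADIUS server, is the problem. Then drive a full PEAP/MSCHAPv2 exchange with `eapol_test` from wpa_supplicant (a network block with `eap=PEAP` and `phase2="auth=MSCHAPV2"`) rather than `radtest`, which only exercises PAP. The caveat is the one the thread's "Password Type: cleartext" line implies: the bind DN and the RADIUS host can now read every user's plaintext password, so treat that bind credential and the RADIUS server's configuration files as tier-0 secrets.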
Andrew MacTaggart, Champ
Hey Marlon

Just had a look: there is an eDirectory checkbox and there is a TLS Authentication/Encryption option; the only thing I can't see is a place to define the password attribute for nspmPassword like CP uses. There is an Account Policy Check checkbox, but I am not sure what that does.

McArenas
Thanks Andrew! As always, you're a champ! Will look up the NetIQ article you sent. Love to see your testing. I
McArenas
For pushing a cert to already imaged MacBooks, you may try the certtool command:

https://developer.apple.com/library/m...

Found it here:
https://discussions.apple.com/thread/...