Configuring or reconfiguring Extreme XMC/NAC to use LDAPS instead of LDAP
As you can read in the Microsoft advisory below, LDAPS is the way we are going to set up LDAP connections in the future.
ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023
This document will focus on (re)configuring the Extreme Management Center (XMC) and Extreme Control (NAC) to use LDAPS instead of LDAP.
Extreme Control appliances are managed via Extreme Management Center.
Screenshots in this document are based on an existing install.
When handling an existing XMC, it is best to first test LDAPS independently of the currently used LDAP connections, so that a communication error between AD/LDAP and XMC has no impact on the existing setup.
Check the current LDAP configuration
Go to Control > Access Control > Configuration > AAA > LDAP Configuration
Check whether the existing connections are in fact not yet using LDAPS. If the URL of each connection already starts with “LDAPS”, no corrective action is needed.
1. Check if the XMC trusts all certificates
Go to Administration > Certificates
The “Server Trust Mode” should be one of the following:
- “TRUSTALL” All server certificates are accepted
- “IMPORT” All server certificates are accepted and recorded
Either of these settings accepts the certificate of the Active Directory Domain Controller. Later, this may be changed from “IMPORT” to “LOCKED” (only server certificates matching the recorded certificate are accepted) via the Update button.
A word of caution: when the “Server Trust Mode” is “LOCKED”, communication between the XMC and the NAC engines or AD Domain Controllers may stop when certificates change.
2. Modify current LDAP configuration
Go back to Control > Access Control > Configuration > AAA > LDAP Configuration and edit each entry.
To edit, double-click on the entry or select the entry and use the Edit button.
Add the same hostname as a new LDAP Connection URL, but begin the URL with “LDAPS://” and end it with the default LDAPS port 636. Change the order so that the new entry is placed first. Use the Add and Up/Down buttons to do this.
Use the Test button; the output must mention a successful connection via LDAPS.
3. Cleaning up
If the test is successful, delete all original LDAP Connection URLs that start with “LDAP://” before saving the LDAP Configuration.
You can verify the test with a tcpdump or netstat -nt command on the XMC. You need elevated rights (root access) in the bash shell to run the tcpdump command.
netstat -nt | grep 636
tcp6 0 0 <IP of XMC>:42616 <IP of Domain Controller>:636 ESTABLISHED
Should the connection give an error, then there is either an issue with the certificate or with the communication between AD and ClearPass.
The certificate should not be an issue if you verified that the “Server Trust Mode” is anything but “LOCKED”. Consult the server.log via the GUI (Administration > Diagnostics > Server > Server Log) or from bash. You can use a tail command to see the last entries in the log.
tail -f /usr/local/Extreme_Networks/NetSight/appdata/logs/server.log
Check for INFO or ERROR messages that contain:
“SSL certificate from server <IP address> has been rejected (The certificate provided by the server did not match the expected certificate)”
“the server provided an unexpected certificate”
If possible, sniff the communication between XMC and the AD Domain Controller. You should see a full TCP and TLS handshake.
A firewall log is usually an excellent source of information and very handy when troubleshooting.
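As an added example (not code from the original document or from Extreme Networks), a small POSIX shell helper that applies the two checks above, the netstat -nt session list and the server.log certificate messages, to constructed sample data; the addresses, ports and log lines are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the original document or from Extreme Networks.
# Both inputs are constructed samples; 192.0.2.x are documentation addresses.

# netstat -nt sample: one LDAPS session, one leftover plain LDAP session, one closing LDAPS session
NETSTAT_SAMPLE='tcp6       0      0 192.0.2.10:42616        192.0.2.20:636          ESTABLISHED
tcp6       0      0 192.0.2.10:42617        192.0.2.21:389          ESTABLISHED
tcp6       0      0 192.0.2.10:42618        192.0.2.22:636          TIME_WAIT'

# server.log sample containing the two certificate messages the text says to look for
LOG_SAMPLE='2020-02-10 09:15:01 INFO  [LdapAuthentication] Connecting to ldaps://dc1.example.test:636
2020-02-10 09:15:02 ERROR [LdapAuthentication] SSL certificate from server 192.0.2.20 has been rejected (The certificate provided by the server did not match the expected certificate)
2020-02-10 09:15:03 INFO  [LdapAuthentication] the server provided an unexpected certificate'

# Print the number of ESTABLISHED sessions whose foreign address ends in :PORT.
# Reads netstat -nt output from stdin; column 5 is the foreign address, column 6 the state.
established_to_port() {
  awk -v port="$1" '$6 == "ESTABLISHED" && $5 ~ (":" port "$") { n++ } END { print n + 0 }'
}

# Print the number of server.log lines (from stdin) reporting a rejected or unexpected DC certificate.
cert_rejections() {
  awk '/SSL certificate from server [^ ]+ has been rejected/ || /the server provided an unexpected certificate/ { n++ } END { print n + 0 }'
}

# Return 0 when the migration looks complete: at least one LDAPS (636) session,
# no remaining plain LDAP (389) session, and no certificate errors in the log.
# $1 = netstat -nt text, $2 = server.log text
ldaps_migration_ok() {
  ldaps=$(printf '%s\n' "$1" | established_to_port 636)
  plain=$(printf '%s\n' "$1" | established_to_port 389)
  errs=$(printf '%s\n' "$2" | cert_rejections)
  [ "$ldaps" -ge 1 ] && [ "$plain" -eq 0 ] && [ "$errs" -eq 0 ]
}

# Stand-alone run on the constructed samples; on a real XMC feed it "$(netstat -nt)"
# and the tail of the server.log path given above instead.
if ldaps_migration_ok "$NETSTAT_SAMPLE" "$LOG_SAMPLE"; then
  echo "LDAPS migration looks complete"
else
  echo "LDAPS migration incomplete: plain LDAP sessions or certificate errors remain"
fi
```

On the constructed samples the verdict is "incomplete", because a port 389 session is still established and the log contains both rejection messages.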
4. Directory Domain Controller
Make sure that the AD allows LDAPS
Server Trust Mode
The “Server Trust Mode” is set to “TRUSTALL” by default, so the LDAPS connection will not fail on a certificate. See Figure 2: Server Trust Mode for a screenshot that helps to verify the “Server Trust Mode”.
Create the appropriate LDAP Configuration
Go to Control > Access Control > Configuration > AAA > LDAP Configuration and use the Add button. See also Figure 1: LDAP Configurations for an informative screenshot.
The LDAP Connection URL should start with “LDAPS://” and the port should be 636.
After successfully testing the LDAPS connection, save the LDAP Configuration.
Create the appropriate Authentication Rules
Go to Control > Access Control > Configuration > AAA > Active Directory (or Default) to create the Authentication Rules.
Use the Add button to add an Authentication Rule.
Select the appropriate Authentication Type and Method. Fill in the User/MAC/Host pattern that this rule should match. Select one of the previously created LDAP Configuration entries to complete the rule and click OK.