1. Blog
  2. Cybersecurity
  3. Configuring or reconfiguring Extreme XMC/NAC to use LDAPS instead of LDAP

Configuring or reconfiguring Extreme XMC/NAC to use LDAPS instead of LDAP

Introduction

As you can read LDAPS is the way we are going to set up LDAP connections in the future.
ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023
This document will focus on (re)configuring the Extreme Management Center (XMC) and Extreme Control (NAC) to use LDAPS instead of LDAP.
Extreme Control appliances are managed via Extreme Management Center.
Screenshots in this document are based on an existing install.

Existing XMC

When handling an existing XMC, it is best to first test the LDAPS independently of the currently used LDAP connections. In this way, no impact is created should there be a communication error between AD/LDAP and XMC.

Check the current LDAP configuration

Go to Control > Access Control > Configuration > AAA > LDAP Configuration


Check if the existing connections are in fact not yet using LDAPS. If the URL of each connection starts with “LDAPS”, then you do not need to take any corrective actions.

Corrective actions

1. Check if the XMC trusts all certificates

Go to Administration > Certificates


The “Server Trust Mode” should be one of the following:

  • “TRUSTALL” All server certificates are accepted
  • “IMPORT” All server certificates are accepted and recorded

Either of these settings accepts the certificate of Active Directory Domain Controller. Later, this may be changed from “IMPORT” to “LOCKED” (Only server certificates matching the recorded certificate are accepted) via the update button.

A word of caution: when the “Server Trust Mode ” is “LOCKED”, communication between the XMC and the NAC engines or AD Domain Controllers may stop when certificates change.

2. Modify current LDAP configuration

Go back to Control > Access Control > Configuration > AAA > LDAP configuration. Edit each
configuration.

To edit, double-click on the entry or select the entry and use the edit button.

Add the same hostname as a new LDAP Connection URL but begin the URL with “LDAPS://” and end with the default LDAPS port 636. Change the order, so that the new entry is placed
first. Use the Add and order Up/Down buttons to do this.

Use the Test button, the output must mention a successful connection via LDAPs

3. Cleaning up

If the test is successful, delete all original LDAP Connection URLs that start with “LDAP://” before saving the LDAP Configuration.

Troubleshooting

You can verify the test with a tcpdump or netstat -nt command on the XMC. You will need elevated rights (root access) in the bash to run the tcpdump command.

netstat -nt | grep 636

tcp6   0    0 <IP of XMC>:42616   <IP of Domain Controller>:636        ESTABLISHED

Should the connection give an error, then either there is an issue with the certificate or with the communication between AD and ClearPass.

1. Certificate

The certificate should not be an issue if you verified that the “Server Trust Mode” is anything but “LOCKED”. Consult the server.log via the GUI (Administration > Diagnostics > Server > Server Log) or bash. You can use a tail command to see the last entries in the log.

tail -f /usr/local/Extreme_Networks/NetSight/appdata/logs/server.log

Check for INFO or ERROR messages that contain

“SSL certificate from server <IP address> has been rejected (The certificate provided by the server did not match the expected certificate)”

“the server provided an unexpected certificate”

2. Tcpdump

If possible, sniff the communication between XMC and AD Domain Controller. You should see
a full TCP and TLS handshake:

3. Firewall

A firewall log is usually an excellent source of information and very handy when troubleshooting.

4. Directory Domain Controller

Make sure that the AD allows LDAPS

New XMC

Server Trust Mode

The “Server Trust Mode” is default set to “TRUSTALL”, so the LDAPS connection will not fail on a certificate. See Figure 2: Server Trust Mode for a screenshot that will help to verify the “Server Trust Mode”.

Create the appropriate LDAP Configuration

Go to Control > Access Control > Configuration > AAA > LDAP Configuration and use the Add button. See also Figure 1: LDAP Configurations for an informative screenshot.
The LDAP Connection URL should start with “LDAPS://” and the port should be 636.
After successfully testing the LDAPS connection, save the LDAP Configuration.

Create the appropriate Authentication Rules

Go to Control > Access Control > Configuration > AAA > Active Directory (or Default) to create the Authentication Rules

Use the Add button to add an Authentication rule.

Select the appropriate Authentication Type and Method. Fill in the User/MAC/Host pattern that this rule should match. Use one of the previously created LDAP Configuration entries to complete and click OK.

Share the post