
Integrating Active Directory with Sign-On Splash Page

Cisco Meraki devices (MR access points and MX security appliances) support the use of a sign-on Splash Page, requiring network users to authenticate in a web browser before being allowed access to the network. This splash page can be integrated with an Active Directory server, allowing users to provide their domain credentials to gain access.

This article outlines how to configure a sign-on Splash Page with Active Directory.

Overview

When Active Directory authentication is used, the access point performs its LDAP binds over a connection that it first secures with TLS, negotiated through the LDAP StartTLS extended operation (RFC 4511) on the Global Catalog port (TCP 3268) rather than over a dedicated LDAPS port. The sequence that authenticates a user logging into the splash page is:

  1. The AP opens a TCP connection to the domain controller and issues StartTLS. Once the TLS handshake completes, every subsequent LDAP message travels inside the encrypted channel, so the credentials exchanged in the following steps are not exposed to anyone sniffing the LAN.
  2. The AP binds to the domain controller using the Active Directory admin credentials specified in Dashboard.
  3. If that bind succeeds, the AP searches the directory for the user logging in, matching on the sAMAccountName attribute. If a match is found, the user's distinguished name (DN) is returned to the AP.
  4. The AP then attempts a second bind using that DN and the password the user entered on the splash page. If this bind succeeds, the user is authenticated and granted network access.
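The four steps above, reproduced from a workstation as an added example (this is not Meraki firmware code and does not claim to match it byte for byte). It secures the connection with StartTLS on TCP 3268, binds as the Dashboard "AD admin" account, searches for the user's DN by sAMAccountName and re-binds as that DN with the splash-page password. The host name, base DN and account names are placeholders, the domain-stripping in `bare_username` is the example's own choice, and the live path needs the third-party ldap3 package; the filter-building helpers run on their own.

```python
"""Reproduce the splash-page bind sequence against a domain controller."""
import ssl

GC_PORT = 3268  # Global Catalog port used by the MR

# RFC 4515 escaping for values interpolated into a search filter. Without it a
# name such as "*" or "x)(objectClass=*" would rewrite the filter (LDAP injection).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def bare_username(typed: str) -> str:
    """Reduce DOMAIN\\user or user@domain to the bare sAMAccountName.

    Assumption of this example: the splash page expects the name without a
    domain, as the Dashboard test does; this is not documented AP behaviour.
    """
    name = typed.strip()
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name


def user_search_filter(username: str) -> str:
    """Step 3: locate the account object whose sAMAccountName matches."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(bare_username(username))}))"


def domain_to_base_dn(domain: str) -> str:
    """corp.example.local -> DC=corp,DC=example,DC=local (searched forest-wide via the GC)."""
    return ",".join(f"DC={label}" for label in domain.split("."))


def authenticate(dc_host, base_dn, admin_user, admin_password, username, password, ca_file=None):
    """Run steps 1-4 against a live domain controller; returns (ok, reason)."""
    # Caveat: an LDAP simple bind with a DN and an EMPTY password is an
    # unauthenticated (anonymous) bind, which AD accepts by default. A splash
    # page that forwarded it would let anyone in, so refuse it up front.
    if not password:
        return False, "empty password refused (would be an unauthenticated bind)"

    from ldap3 import NONE, SUBTREE, Connection, Server, Tls  # third-party

    if ca_file:
        tls = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_file)
    else:
        tls = Tls(validate=ssl.CERT_NONE)  # lab use only: no certificate validation
    server = Server(dc_host, port=GC_PORT, tls=tls, get_info=NONE)
    conn = Connection(server, user=admin_user, password=admin_password)
    conn.open()
    if not conn.start_tls():                                   # step 1
        return False, f"StartTLS failed: {conn.result}"
    if not conn.bind():                                        # step 2
        return False, f"admin bind failed: {conn.result}"
    conn.search(base_dn, user_search_filter(username),         # step 3
                search_scope=SUBTREE, attributes=["distinguishedName"])
    if len(conn.entries) != 1:
        conn.unbind()
        return False, f"expected one match for {username!r}, got {len(conn.entries)}"
    user_dn = conn.entries[0].entry_dn
    ok = conn.rebind(user=user_dn, password=password)          # step 4
    reason = "authenticated" if ok else f"user bind failed: {conn.result}"
    conn.unbind()
    return ok, reason


if __name__ == "__main__":
    # Placeholder values; replace with a real DC, bind account and test user.
    print(authenticate("dc1.corp.example.local", domain_to_base_dn("corp.example.local"),
                       "svc-meraki@corp.example.local", "bind-password", "jdoe", "user-password"))
```

The bind account needs only read access to the attributes the search touches (objectClass, sAMAccountName, distinguishedName); nothing in this exchange requires Domain Admin rights, which is why the Dashboard note advises a minimal account.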


Configuration and Requirements

In order to configure a splash page with Active Directory authentication, configuration steps must be completed on both Dashboard and Active Directory, outlined below:

Active Directory Configuration

The following requirements must be met on each AD server (domain controller) used for authentication:

  • Every AD server specified in Dashboard must hold the Global Catalog role. The MR queries the Global Catalog over TCP port 3268, a port on which a domain controller that is not a Global Catalog does not listen. Refer to Microsoft documentation for the steps to enable the role.
  • Because communication between the MR and the AD server is encrypted with TLS (negotiated via StartTLS), the domain controller must have a valid certificate suitable for server authentication, issued to the controller's fully qualified domain name, so that the LDAP service can complete the TLS handshake. If StartTLS fails, the cause is almost always a missing, expired or mismatched certificate.
  • The MR communicates from its LAN IP address with each AD server on TCP port 3268, so no firewall or ACL on the network or on the server may block that traffic.
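The three requirements above can be verified from any host on the LAN before touching Dashboard. The following is an added example, not a Meraki tool: using only the Python standard library it connects to TCP 3268 (which a non-Global-Catalog controller refuses), sends the LDAP StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037), completes the TLS handshake and reports on the certificate presented. The host names, the sample response bytes and the sample certificate fields are constructed for the example.

```python
"""Check reachability, StartTLS and the certificate of a domain controller on 3268."""
import hashlib
import socket
import ssl
import time

GC_PORT = 3268                                   # only Global Catalog servers listen here
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def _ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }."""
    request_name = b"\x80" + _ber_len(len(STARTTLS_OID)) + STARTTLS_OID  # [0] requestName
    ext_req = b"\x77" + _ber_len(len(request_name)) + request_name        # [APPLICATION 23]
    msg_id = b"\x02\x01" + bytes([message_id])                            # INTEGER, 1..127
    body = msg_id + ext_req
    return b"\x30" + _ber_len(len(body)) + body                           # SEQUENCE


def _tlv(buf: bytes, pos: int):
    """Read one BER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(data: bytes):
    """Return (resultCode, diagnosticMessage) from an LDAP ExtendedResponse."""
    tag, message, _ = _tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _tlv(message, 0)                      # messageID
    tag, resp, _ = _tlv(message, pos)
    if tag != 0x78:                                   # [APPLICATION 24] ExtendedResponse
        raise ValueError(f"unexpected protocolOp tag 0x{tag:02x}")
    _, code, pos = _tlv(resp, 0)                      # resultCode ENUMERATED
    _, _matched_dn, pos = _tlv(resp, pos)
    _, diag, _ = _tlv(resp, pos)                      # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def _host_matches(name: str, host: str) -> bool:
    name, host = name.lower(), host.lower()
    if name.startswith("*."):                          # single left-most wildcard label
        return "." in host and host.split(".", 1)[1] == name[2:]
    return name == host


def certificate_report(cert: dict, host: str) -> dict:
    """Summarise a cert dict as returned by SSLSocket.getpeercert() with validation on."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {"dns_names": names,
            "matches_host": any(_host_matches(n, host) for n in names),
            "expired": not_after < time.time(),
            "days_left": int((not_after - time.time()) // 86400)}


def check_dc(host: str, ca_file: str = None, timeout: float = 5.0) -> dict:
    """Live check of one controller; a refused connect means no GC on this host."""
    report = {"host": host, "port": GC_PORT}
    with socket.create_connection((host, GC_PORT), timeout=timeout) as sock:
        sock.sendall(starttls_request())
        code, diag = parse_extended_response(sock.recv(4096))  # small reply, one read
        report["starttls_result"] = code
        if code != 0:                        # e.g. operationsError: no usable certificate
            report["starttls_error"] = diag
            return report
        ctx = ssl.create_default_context(cafile=ca_file)
        if ca_file is None:                  # no CA supplied: record the cert, trust nothing
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                report["tls_version"] = tls.version()
                report["sha256"] = hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()
                if ca_file is not None:      # parsed fields exist only when validated
                    report.update(certificate_report(tls.getpeercert(), host))
        except ssl.SSLCertVerificationError as exc:
            report["tls_error"] = exc.verify_message
    return report


if __name__ == "__main__":
    print(check_dc("dc1.corp.example.local", ca_file="corp-root-ca.pem"))  # placeholders
```

Run it once per server listed in Dashboard with the CA file that issued the controller certificates; a `starttls_error`, a `tls_error`, `matches_host` of False or `expired` of True is the condition to fix on the domain controller before the Dashboard test can succeed.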

Dashboard Configuration

Once all AD servers meet the requirements outlined above, the following steps set up AD authentication with a sign-on splash page:

  1. Log into Dashboard
  2. Navigate to Wireless > Configure > Access control.
  3. Select the desired SSID from the SSID drop-down menu.
  4. Navigate to the Splash page section.
  5. Using the Authentication Method drop-down menu, select my Active Directory server.
  6. Navigate to Active Directory servers and Active Directory admin.
  7. Click on Add a server and input the IP address of the domain controller.
    Note: Multiple servers may be added. The AP will test against these servers in sequential order, i.e. from top to bottom.
  8. In the Active Directory admin section, enter the credentials of the account the AP will use for the initial bind. Either the UPN format (admin@domain.local) or the pre-Windows 2000 format (DOMAIN\admin) is accepted.
    Note: This account is used only for the bind to Active Directory and the user lookup that follows it. Use a dedicated account with the minimum read access to the directory that the lookup needs rather than a Domain Admin account: its password is configured in Dashboard and presented to every server listed above.
  9. Click the Save Changes button to save changes.

Testing Communication with Active Directory

Once the configuration has been saved, connectivity and functionality can be tested within Dashboard. Under the Active Directory servers section within Wireless > Configure > Access Control, click the Test button and input a valid domain user's credentials (the domain should be left out of the username).

Every AP configured for the SSID then runs the test: each AP queries the AD server(s) with the supplied credentials and reports whether they were accepted.

If the test fails, first verify that all of the Active Directory requirements outlined above are met and that each AP reported as "Failed" has network connectivity to the server on TCP port 3268.
For more detailed troubleshooting steps, please refer to our documentation regarding Troubleshooting Active Directory Authentication with a Sign-on Splash Page.

Microsoft LDAP Test

Once the configuration above is complete, the Meraki device should be able to communicate with the Active Directory server over TLS. If it cannot, Microsoft's Ldp.exe tool (installed with the AD DS management tools / RSAT) can be used from a Windows machine to connect to the domain controller on port 3268, start TLS and bind, which confirms that the LDAP service is running and that TLS negotiation succeeds with the installed certificate.

Please reference Microsoft documentation for error code details and troubleshooting assistance.

Last modified
09:54, 12 May 2016


Article ID

ID: 1944
