In User-Based management mode, all LAN clients need to log in with a user account before they can access the Internet. Besides local user accounts, users can also be authenticated by an external authentication server, such as an Active Directory server. This document introduces how to bind the router to an AD/LDAP server and use that server to authenticate the LAN clients.
1. Go to Application >> Active Directory/ LDAP >> General Setup, enable AD/LDAP and enter the information of AD/LDAP server as follows:
2. Click OK to save the configuration, and click OK again when being asked to reboot the router.
3. Create an AD/LDAP profile: Go to Application >> Active Directory/ LDAP >> AD/LDAP Profiles page, click on an available index number.
4. Edit the profile as follows:
5. Go to User Management >> General Setup to make sure the User Management mode is "User-Based."
6. Create a new user profile: Go to User Management >> User Profile, click on an available index.
7. Edit the profile as follows:
8. Now, when LAN clients access the Internet for the first time, the router will redirect them to a login page. They should log in with a user account from the AD/LDAP database.
9. On the User Management >> User Online Status page, the network administrator can see the users who have been authenticated by the AD/LDAP server.
Vigor3900/Vigor2960 supports three bind types for LDAP/AD authentication:
Below we provide examples of using Simple mode and Regular mode.
1. Navigate to User Management >> LDAP / Active Directory, and click Add to add a new profile.
2. Configure the LDAP profile
(1) Simple mode
Use this mode when the LDAP/AD server has a simple structure. For example, the LDAP/AD server has only one default user group "Users" under the domain "ms.draytek.com," and all the user accounts are under this group. Then we can configure the profile like the following:
(2) Regular Mode
Use this mode when the LDAP/AD server has multiple levels and a search is required to find the path to the user account. For example, there are OUs "People" and "Group" under the domain, OUs "RD1", "RD2" and "RD3" are under the OU "People", OUs "MIS", "PQC" and "FAE" are under the OU "RD1", and we want all the user accounts under the OU "People" to be authenticated. Then we can configure the profile like the following:
In Regular mode, when there is a user authentication request, the router first uses the Regular DN and Password to authenticate itself to the LDAP/AD server (a simple bind request). Once that bind succeeds, the router sends a search request to check whether the user account exists under the Base DN. If the LDAP server replies with Entry 0, the user account does not exist under the Base DN. If the user account exists, the LDAP server responds with the entry's path (its DN). With that path, the router sends a second bind request to the LDAP server to authenticate the user account with the password the user supplied.
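The following Python script is an added example, not DrayTek code, that walks through both the Simple mode and Regular mode flows against a constructed in-memory directory modelled on the tree described above (a "Users" container for Simple mode and OU People > RD1 > MIS for Regular mode). All DNs, account names and passwords are constructed sample data; the bind and search functions stand in for the LDAP operations the router performs.

```python
# Constructed in-memory directory modelled on the page's example tree.
# Every DN and password here is sample data, not a real server.
DIRECTORY = {
    "cn=vigor,cn=Users,dc=ms,dc=draytek,dc=com":                {"password": "regular-pw"},
    "cn=dave,cn=Users,dc=ms,dc=draytek,dc=com":                 {"sAMAccountName": "dave", "password": "dave-pw"},
    "cn=alice,ou=MIS,ou=RD1,ou=People,dc=ms,dc=draytek,dc=com": {"sAMAccountName": "alice", "password": "alice-pw"},
    "cn=bob,ou=RD2,ou=People,dc=ms,dc=draytek,dc=com":          {"sAMAccountName": "bob", "password": "bob-pw"},
    "cn=carol,ou=Group,dc=ms,dc=draytek,dc=com":                {"sAMAccountName": "carol", "password": "carol-pw"},
}

def simple_bind(dn, password):
    """LDAP simple bind: succeeds only if the DN exists and the password matches."""
    for entry_dn, entry in DIRECTORY.items():
        if entry_dn.lower() == dn.lower():
            return entry["password"] == password
    return False

def search_subtree(base_dn, attr, value):
    """Subtree search below base_dn for entries with attr == value; returns matching DNs.
    An empty list corresponds to the 'Entry 0' reply described above."""
    suffix = "," + base_dn.lower()
    return [dn for dn, e in DIRECTORY.items()
            if dn.lower().endswith(suffix) and e.get(attr) == value]

def simple_mode_auth(dn_template, username, password):
    """Simple mode: build the user DN from a fixed template and bind with it directly.
    Users outside that one container cannot be found, which is why multi-level trees need Regular mode."""
    user_dn = dn_template.format(user=username)
    return (True, user_dn) if simple_bind(user_dn, password) else (False, "user bind failed")

def regular_mode_auth(regular_dn, regular_pw, base_dn, username, password):
    """Regular mode: bind as the Regular DN, search under Base DN, then bind as the user.
    The Regular DN account only needs read access to the tree; grant it nothing more."""
    if not simple_bind(regular_dn, regular_pw):
        return False, "regular DN bind failed"
    matches = search_subtree(base_dn, "sAMAccountName", username)
    if not matches:
        return False, "user not found under base DN"
    user_dn = matches[0]
    if not simple_bind(user_dn, password):
        return False, "user bind failed"
    return True, user_dn
```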
After the configuration, we can verify LDAP by "Preview."
1. Go to User Management >> Web Portal >> General Setup
2. Now, when LAN clients open a browser and access the Internet for the first time, a login page will appear. LAN clients can log in with their user account on the LDAP/AD server and access the Internet after logging in successfully.
Published On: 2017-11-07