Behavior to Authenticate Users with Microsoft AD Server

Last updated 3 years ago

Each AP must join the Windows Active Directory domain before it is permitted to validate user credentials against the Active Directory server, which it does over the SMBv1 protocol.

Process of AP Joining AD Domain

  • The EnGenius AP automatically looks up the closest Windows Domain Controller and stores that information in its Samba configuration.

  • The AP requests a Ticket-Granting Ticket (TGT) from the Kerberos server in order to join the AD domain.

  • Once the AP has joined the domain, the Samba Winbind daemon in the AP firmware is ready to authenticate wireless users.

Process of Authenticating Wireless Users

When a user requests access to the wireless network, the internal RADIUS server of the EnGenius Cloud AP calls the ntlm_auth tool, which asks the Winbind daemon to verify the user's credentials and access permission against the AD server. The Winbind daemon immediately communicates with the AD server over SMBv1 to authenticate the wireless user.
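The flow above depends on two things a domain administrator can check from the Windows side: that each AP has actually joined the domain, and that the domain controller still accepts SMBv1 from the APs (and ideally from nothing else). The following PowerShell script is an added example for this page, not EnGenius code; it assumes it runs on a domain controller with the RSAT ActiveDirectory module, Windows Server 2016 or later for SMB1 auditing, and that the AP computer-account name pattern (a placeholder here) matches your naming.

```powershell
# Added example, not EnGenius code. Run on the Windows domain controller the APs use.
# Assumes: RSAT ActiveDirectory module; Windows Server 2016+ for SMB1 audit events.
param(
    # Placeholder: change to the naming pattern of your AP computer accounts.
    [string]$ApNamePattern = 'ENGENIUS-AP-*'
)

# 1. The AP's Winbind validates credentials over SMBv1, so the DC must still accept
#    SMB1. Turning it off here breaks wireless authentication silently.
$smb = Get-SmbServerConfiguration
[pscustomobject]@{
    Check = 'SMB1 enabled on this DC'
    Value = $smb.EnableSMB1Protocol
}

# 2. Confirm each AP completed the domain join: its computer object exists, is
#    enabled, and has authenticated recently (a stale LastLogonDate means the AP
#    is not reaching this domain).
Get-ADComputer -Filter "Name -like '$ApNamePattern'" -Properties LastLogonDate |
    Select-Object Name, Enabled, LastLogonDate

# 3. Audit which hosts actually speak SMB1 to this DC, so SMB1 exposure can be
#    limited to the APs instead of being left open for every client.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# After some authentication traffic, event 3000 in the SMBServer/Audit log records
# each SMB1 session together with the client address. Anything that is not an AP
# in this list is a candidate for migration before SMB1 is tightened further.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-SMBServer/Audit'
    Id      = 3000
} -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $m = [regex]::Match($_.Message, 'Client Address:\s*(\S+)')
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Client = if ($m.Success) { $m.Groups[1].Value } else { $_.Message }
        }
    } |
    Sort-Object Client -Unique
```

Run it once before enabling the SSID to confirm the join, and again after users have authenticated to see the SMB1 audit entries populated.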

Setup Active Directory Profile on Client Devices

Some types of client devices (e.g., Android phones) may require the CA certificate (ca.pem) to be installed before they can authenticate against the Active Directory server.

Note: The CA certificate for Active Directory clients can be exported from the EnGenius Cloud GUI.

To get started:

  • The Active Directory client device scans for the EnGenius Wi-Fi SSID and connects to it.

  • The 802.1X page pops up and asks for the sAMAccountName, e.g., account.

  • If a certificate page pops up, click the Trust button.

  • On Android phones, the EAP method and Phase 2 authentication must be specified. Use the following settings:

    • EAP method: select EAP-PEAP.

    • EAP Phase 2 authentication: select MSCHAPV2. (Note: if MSCHAPV2 is not supported on the client device, None or GTC can be chosen instead, but these may have compatibility issues on specific devices, e.g., Chromebook.)

    • Domain (optional): enter the corresponding domain shown in the EnGenius Cloud GUI, e.g., engenius.ai (the default).

    • Choose Do not validate for the CA certificate. (Google Nexus does not offer this option; there the certificate (ca.pem) must be installed.)

Example configuration for Android: see Figure 08.

[Figure 07: Export CA Certificate]
[Figure 06: Process of Authenticating Wireless Users]
[Figure 08: Configuration for Android]