Behavior to Authenticate Users with Microsoft AD Server
Last updated
Each AP must join the Windows Active Directory domain before it is permitted to validate user credentials against the Active Directory Server over the SMBv1 protocol.
The EnGenius AP automatically looks up the closest Windows Domain Controller and stores that information in its Samba configuration.
The AP requests a Ticket-Granting Ticket (TGT) from the Kerberos server in order to join the AD domain.
After the AP has joined the domain, the Samba Winbind daemon in the AP firmware is ready to authenticate wireless users.
When a user requests access to the wireless network, the internal RADIUS server of the EnGenius Cloud AP uses the ntlm_auth tool to verify the user's access permission with the Winbind daemon. The Winbind daemon immediately communicates with the AD server over SMBv1 to authenticate the wireless user.
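The following script is an added example, not EnGenius firmware or Samba project code. It exercises the same chain the text describes (domain join, Winbind, ntlm_auth, AD) from the shell of a Linux host running Samba Winbind, and interprets the ntlm_auth verdict the way a RADIUS server would. It assumes that samba, winbind and ntlm_auth are installed and that the host has already joined the domain with `net ads join`; none of that is stated on this page.

```shell
#!/bin/sh
# Added example (not EnGenius or Samba code): check the AP-side authentication
# chain by hand. Assumes samba/winbind/ntlm_auth are installed and the host
# has already joined the AD domain with `net ads join`.

# ntlm_auth prints its verdict as "NT_STATUS_<name>: <text> (0x<code>)".
# Only NT_STATUS_OK is an accept; every other status, and an empty string
# (ntlm_auth could not reach winbind at all), is a deny.
ntlm_result_ok() {
    case "$1" in
        "NT_STATUS_OK:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reduce the verdict line to a short reason code for the authentication log.
# The mapping covers the statuses most often seen; anything else is "denied".
ntlm_reason() {
    case "$1" in
        "NT_STATUS_OK:"*)                 echo accept ;;
        "NT_STATUS_WRONG_PASSWORD:"*)     echo bad-password ;;
        "NT_STATUS_NO_SUCH_USER:"*)       echo no-such-user ;;
        "NT_STATUS_ACCOUNT_LOCKED_OUT:"*) echo locked-out ;;
        "")                               echo winbind-unreachable ;;
        *)                                echo denied ;;
    esac
}

# Is the host's machine account still trusted by the domain?
# `net ads testjoin` verifies the join, `wbinfo -t` verifies the trust secret
# that winbind uses to talk to the DC. Exit 0 only when both are healthy.
ad_join_healthy() {
    net ads testjoin >/dev/null 2>&1 && wbinfo -t >/dev/null 2>&1
}

# check_ad_user DOMAIN sAMAccountName
# Reads the password from stdin so it is not an argument of this script.
# ntlm_auth itself still receives it via --password, so use this form for
# diagnostics only: a RADIUS server uses the --challenge/--nt-response form
# for MSCHAPv2 and never handles the cleartext password.
check_ad_user() {
    domain=$1
    user=$2
    IFS= read -r password
    verdict=$(ntlm_auth --request-nt-key \
        --domain="$domain" --username="$user" --password="$password" 2>/dev/null)
    echo "$user@$domain: $(ntlm_reason "$verdict")"
    ntlm_result_ok "$verdict"
}

# Stand-alone use:  printf '%s\n' "$PASSWORD" | sh check_ad_user.sh DOMAIN user
if [ "$#" -eq 2 ]; then
    if ! ad_join_healthy; then
        echo "domain join or winbind trust is broken; re-run 'net ads join'" >&2
        exit 2
    fi
    check_ad_user "$1" "$2"
fi
```

Running `ad_join_healthy` first separates the two failure modes a support engineer usually has to tell apart: a broken machine account (every user is denied, the fix is re-joining the domain) versus a bad credential for one user (the reason code names it).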
Some types of client devices (e.g., Android phones) may require the CA certificate (ca.pem) to be installed before they can authenticate with the Active Directory Server.
Note: The CA certificate for Active Directory clients can be exported from the EnGenius Cloud GUI.
To get started:
The Active Directory client device scans for the EnGenius Wi-Fi SSID and connects to it.
The 802.1X login page pops up and asks for the sAMAccountName (e.g., account).
If the Certificate page pops up, click the Trust button.
For Android phones, the EAP method and Phase 2 authentication must be specified. Use the following settings:
EAP method: Select EAP-PEAP
EAP Phase 2 authentication: Select MSCHAPV2 (Note: if MSCHAPV2 is not supported on the client device, None or GTC can be chosen instead, but these may have compatibility issues on specific devices, e.g., Chromebook)
Domain (Optional): Enter the corresponding domain shown in the EnGenius Cloud GUI, e.g., engenius.ai (by default)
CA certificate: Choose Do not validate. (Google Nexus devices do not offer this option; on them the certificate (ca.pem) must be installed.)
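The script below is an added example, not EnGenius or Android code. It writes the PEAP/MSCHAPv2 settings listed above as a wpa_supplicant network block, so the same profile can be tested from a Linux client, and it checks whether the generated profile validates the RADIUS server's certificate. A profile generated without a CA file corresponds to the "Do not validate" choice: the client then accepts whichever server certificate it is offered, so installing ca.pem (exported from the Cloud GUI, as the note above says) and matching the domain is the setting to prefer wherever the device supports it. Mapping Android's "Domain" field to wpa_supplicant's `domain_suffix_match` is an assumption of this example, and the SSID, account and file path used in the test are constructed.

```shell
#!/bin/sh
# Added example (not EnGenius or Android code): emit a wpa_supplicant
# network block for the Android settings listed above, with and without
# server-certificate validation, and test which one was produced.

# peap_profile SSID IDENTITY PASSWORD DOMAIN CA_PEM
# DOMAIN and CA_PEM may be empty; an empty CA_PEM yields the "do not
# validate" profile, in which the supplicant checks no server certificate.
peap_profile() {
    ssid=$1; identity=$2; password=$3; domain=$4; ca_pem=$5
    printf 'network={\n'
    printf '    ssid="%s"\n' "$ssid"
    printf '    key_mgmt=WPA-EAP\n'
    printf '    eap=PEAP\n'                 # EAP method: EAP-PEAP
    printf '    identity="%s"\n' "$identity" # sAMAccountName
    printf '    anonymous_identity="anonymous"\n'
    printf '    password="%s"\n' "$password"
    printf '    phase2="auth=MSCHAPV2"\n'   # Phase 2: MSCHAPV2
    if [ -n "$ca_pem" ]; then
        # Validated variant: pin the exported ca.pem and require the server
        # certificate name to end in the domain shown in the Cloud GUI
        # (assumed mapping of Android's "Domain" field).
        printf '    ca_cert="%s"\n' "$ca_pem"
        if [ -n "$domain" ]; then
            printf '    domain_suffix_match="%s"\n' "$domain"
        fi
    else
        printf '    # no ca_cert: server certificate is NOT validated\n'
    fi
    printf '}\n'
}

# profile_validates_server PROFILE_TEXT
# Exit 0 only when the profile both pins a CA and constrains the server name,
# i.e. the "Do not validate" setting is not in effect.
profile_validates_server() {
    printf '%s\n' "$1" | grep -q '^ *ca_cert=' &&
        printf '%s\n' "$1" | grep -q '^ *domain_suffix_match='
}

# Stand-alone use: print both variants for a constructed SSID and account.
if [ "$#" -eq 0 ]; then
    echo "# validated profile"
    peap_profile EnGenius-Corp account 'example-password' engenius.ai /etc/wpa/ca.pem
    echo "# unvalidated profile (Android 'Do not validate')"
    peap_profile EnGenius-Corp account 'example-password' engenius.ai ""
fi
```

On a Linux client the validated block can be appended to wpa_supplicant.conf as-is once ca.pem has been copied to the path given; the unvalidated block is the equivalent of the Android settings on the page and is useful only for confirming that the credentials themselves are accepted.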
Example Configuration for Android: