Each AP must join the Windows Active Directory domain before it is permitted to validate user credentials against the Active Directory server, which it does over the SMBv1 protocol.
The EnGenius AP automatically locates the closest Windows Domain Controller and stores that information in its Samba configuration.
The AP requests a Ticket-Granting Ticket (TGT) from the Kerberos service on the domain controller in order to join the AD domain.
Once the AP has joined the domain, the Samba Winbind daemon in the AP firmware is ready to authenticate wireless users.
When a user requests access to the wireless network, the internal RADIUS server of the EnGenius Cloud AP calls the ntlm_auth tool, which hands the user's MSCHAPv2 challenge/response to the Winbind daemon. Winbind immediately contacts the AD server over SMBv1 to verify the user's credentials.
Some client devices (e.g., Android phones) may require the CA certificate (ca.pem) to be installed before they can authenticate against the Active Directory server.
Note: The CA certificate for Active Directory clients can be exported from the EnGenius Cloud GUI.
To get started:
The Active Directory client device scans for the EnGenius Wi-Fi SSID and connects to it.
An 802.1X prompt appears and asks for the user's sAMAccountName (e.g., account) and password.
If a certificate prompt appears, tap the Trust button.
On Android phones, the EAP method and the Phase 2 authentication must be specified explicitly. Use the following settings:
EAP method: Select EAP-PEAP
EAP Phase 2 authentication: Select MSCHAPV2 (Note: if MSCHAPV2 is not supported on the client device, None or GTC can be chosen, but they may cause compatibility issues on specific devices, e.g., Chromebook)
Domain (Optional): Enter the domain shown in the EnGenius Cloud GUI, e.g., engenius.ai (the default)
CA certificate: Choose Do not validate. (Google Nexus does not offer this option; the certificate (ca.pem) must be installed.) Be aware that a client which does not validate the CA certificate cannot distinguish the real RADIUS server from an impostor presenting an arbitrary certificate, so install ca.pem and validate it wherever the device allows.
Example Configuration for Android:
EnGenius Cloud APs can use a Microsoft Active Directory (AD) server to provide strong authentication for WPA2/WPA3-Enterprise or Captive Portal SSIDs. The benefit is that WPA2/WPA3-Enterprise or Captive Portal can be integrated with an existing Windows AD server, so the domain, the user credentials and the account e-mail addresses already maintained there are reused for authentication management.
Before setting up Microsoft AD authentication for an EnGenius Cloud AP, you need a Microsoft Windows 2000 Server or later edition with the SMBv1 protocol enabled. (Note: To enable SMBv1, please refer to https://docs.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3 .) SMBv1 is deprecated by Microsoft and disabled by default on current Windows Server releases; enabling it enlarges the attack surface of the domain controller, so restrict TCP port 445 to the AP management subnet and enable SMBv1 on no other server.
Chromebook Bug:
Note: Some browsers show a Not-Trusted warning for self-signed certificates. To avoid the warning, obtain the certificate from an official (publicly trusted) Certificate Authority (CA) instead of using a self-signed one.
Samsung devices must fill in the Domain field.
Google Pixel requires installing the certificate: https://support.google.com/pixelphone/answer/2844832?hl=zh-Hant
Learn more about EnGenius Cloud: https://www.engenius.ai/cloud
There are two ways to enable Microsoft AD Authentication to authenticate wireless users with EnGenius Cloud.
Enable the Security Type WPA2/WPA3-Enterprise with AD authentication.
Enable Captive Portal with Active Directory server authentication.
The steps below show only the important settings. Please refer to Microsoft documentation and support for assistance.
In the Server Roles step, select the Active Directory Domain Services role and promote the server to a domain controller.
Configure access permissions for verifying user credentials:
Specify which organizational units and groups the EnGenius AP is allowed to query when verifying user credentials.
Create the firewall rules needed for the AP to join the domain and to authenticate users (ref: https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts):
88/TCP/UDP Kerberos
389/TCP/UDP LDAP
445/TCP SMB
Note: The Microsoft Active Directory server must be located in the same subnet as the AP's management VLAN interface. Even when the SSID is assigned to another VLAN, the AP still sends the SMBv1 packets to the Active Directory server from its management VLAN interface.
Log in to EnGenius Cloud ( https://cloud.engenius.ai ) and click the menu (hamburger) icon to select the Network to configure.
Go to Configure > SSID and select the SSID to configure from the list.
From the Wireless tab, select WPA2 Enterprise as the Security Type.
Select Active Directory for user authentication.
Click Add a server and enter the configuration (Host, Port, Admin, and Password) for the Active Directory server.
Click the Apply button to save the SSID configuration.
Note: Authentication with Active Directory is a feature in Pro Plan, and it requires a PRO license to enable it.
Log in to EnGenius Cloud ( https://cloud.engenius.ai ) and click the menu (hamburger) icon to select the Network to configure.
To get started: Go to Configure > SSID and select the SSID to configure from the list.
From the Wireless tab, set the Security Type to Open.
Enable Captive Portal from the Captive Portal tab.
Select Active Directory as the Authentication Type.
Click Add a server and enter the configuration (Host, Port, Admin, and Password) for the Active Directory server.
Click the Apply button to save the SSID configuration.
Note: Authentication with Active Directory is a feature in Pro Plan, and it requires a PRO license to enable it.
There are several tools for creating self-signed certificates. This tutorial creates a self-signed certificate for Active Directory authentication with OpenSSL, using the bootstrap script shipped with FreeRADIUS.
To generate the certificate files:
Download the FreeRADIUS certificate scripts from https://github.com/FreeRADIUS/freeradius-server/tree/master/raddb/certs
cd raddb/certs/
Adjust the customized information in the .cnf files (ca.cnf and server.cnf), e.g., domain name, validity period, location, etc.
./bootstrap
zip cert.zip server.pem dh ca.pem
Click Import and upload cert.zip to EnGenius Cloud.
Export ca.pem and install it on client devices that require it.
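The following POSIX shell script is an added example, not EnGenius or FreeRADIUS code: it does with plain openssl what raddb/certs/bootstrap does for ca.pem and server.pem, so the extensions that EAP clients check are visible, and then verifies the result before it is zipped. The organisation name ExampleOrg, the server name radius.example.test, the output directory and the 3650-day lifetime are assumptions; replace them with your own values.

```sh
#!/bin/sh
# Added example, not EnGenius or FreeRADIUS code: do with plain openssl what
# raddb/certs/bootstrap does for ca.pem and server.pem, then check the result.
# ORG, the server CN and the lifetime are illustrative assumptions.
set -eu

# make_eap_certs DIR SERVER_CN ORG [DAYS]
# Writes ca.pem (the file exported to clients) and server.pem (private key
# followed by certificate, the layout FreeRADIUS expects) into DIR.
make_eap_certs() (
  dir=$1; cn=$2; org=$3; days=${4:-3650}
  mkdir -p "$dir"; cd "$dir"

  # 1. Self-signed CA. "openssl req -x509" marks it CA:TRUE by default; this
  #    is the ca.pem a client installs so it can validate the RADIUS server.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -subj "/O=$org/CN=$org EAP CA" -keyout ca.key -out ca.pem 2>/dev/null

  # 2. Server key and CSR. The CN is the name PEAP clients see while the TLS
  #    tunnel is set up, so use the name you will tell users to expect.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=$org/CN=$cn" -keyout server.key -out server.csr 2>/dev/null

  # 3. Issue the server certificate with the extensions bootstrap's
  #    xpextensions file adds: a serverAuth EKU (Windows supplicants reject
  #    PEAP servers without it) plus a SAN matching the CN.
  cat > server.ext <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$cn
EOF
  openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days "$days" -sha256 -extfile server.ext -out server.crt 2>/dev/null

  cat server.key server.crt > server.pem
  chmod 600 ca.key server.key server.pem
)

# make_dh DIR: the third file in cert.zip. Slow (minutes), so kept separate.
make_dh() {
  openssl dhparam -out "$1/dh" 2048 2>/dev/null
}

# check_eap_cert DIR: fail unless server.crt chains to ca.pem and carries the
# serverAuth EKU; on success print the fields a client will compare against.
check_eap_cert() {
  dir=$1
  openssl verify -CAfile "$dir/ca.pem" "$dir/server.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/server.crt" -noout -text > "$dir/server.txt"
  grep -q 'TLS Web Server Authentication' "$dir/server.txt" || return 1
  grep -E 'Subject:|Not After|DNS:' "$dir/server.txt"
}

# package_certs DIR: cert.zip with exactly the three files EnGenius Cloud
# imports. ca.key stays out of the archive and off the controller.
package_certs() {
  (cd "$1" && zip -q cert.zip server.pem dh ca.pem)
}

# Usage: sh make_eap_certs.sh OUTDIR
# (with no argument only the functions are defined, so the file can be sourced)
if [ -n "${1:-}" ]; then
  make_eap_certs "$1" radius.example.test ExampleOrg
  make_dh "$1"
  check_eap_cert "$1"
  package_certs "$1"
fi
```

Only server.pem, dh and ca.pem go into cert.zip; ca.key signs nothing after this and should stay offline, because whoever holds it can issue a server certificate that every client with ca.pem installed will trust. On Android the optional Domain field is matched against the server certificate's name, so choose a CN/SAN under the domain you tell users to enter.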
EAP-PEAP/MSCHAPV2 and TLS 1.2+ are required on client devices for Active Directory authentication. The following operating systems have native support and have been verified to work with EnGenius Cloud APs (updated on 4/20/2022):
iOS version 13 and higher.
Google Chrome OS
Android version 6 and higher
Microsoft Windows 8 and higher
macOS 11 and higher
Verified client devices:
Manufacturer | Model | Operating System |
---|---|---|
Apple | iPhone 7 Plus | iOS 13.1.3 |
Apple | iPhone 11 | iOS 15.4 |
Apple | iPhone 12 | iOS 14.1 |
Apple | iPhone XS | iOS 14.6 |
Apple | MacBook Air (M1, 2020) | macOS 12.3 |
Apple | iPad Air A1474 (2013) | iOS 12.5.5 |
Lenovo | IdeaPad Duet CT-X636F | Chrome OS 72 |
Google | Pixel 3a | Android 11 |
HP | ProBook 450 G8 | Windows 10 |
Samsung | S21 | Android 11 |
Samsung | Note 4 | Android 6.0.1 |