724-746-5500 | blackbox.com
Page 174
Chapter 11: Deployment Examples CLI
Default Domain
Domain: Type the DNS domain name to which the SmartPath AP RADIUS server and Active Directory server belong; for example,
blackbox.com.
Active Directory Server: Choose a previously defined IP object/host name for the Active Directory server from the drop-down list.
If you do not see the one that you need, click the New icon ( + ) and define it, or select the blank space at the top of the
drop-down list and type the IP address or host name of the server. When you do so, SmartPath EMS VMA automatically creates a
corresponding IP object/host name.
BaseDN: (read-only) After you configure this section and click “Retrieve Directory Information,” SmartPath EMS VMA displays the
BaseDN, which is the point in the LDAP tree structure under which the server stores user accounts in its database.
Computer OU: Set the OU (organizational unit) where the SmartPath AP RADIUS server has privileges to add itself as a computer
in the domain or leave it blank. The default is the Computers OU, but you can configure this field to point to any container, based
on your facility security policy. Enter this in the form ou/sub-ou/sub-ou, using only forward slashes. If any containers in the path
contain spaces, enclose the entire string in quotation marks.
NOTE: The host name of a SmartPath AP RADIUS server stored in the computer OU on the Active Directory server has the
following limitations: Its name cannot be longer than 256 characters and cannot contain underscores.
TLS Encryption: Select the checkbox to enable TLS (Transport Layer Security) to encrypt the user lookup requests that the
SmartPath AP RADIUS server sends to the Active Directory server. Clear the checkbox to disable TLS encryption and send the
lookup requests in plain text.
NOTE: The link that the SmartPath AP RADIUS server makes when it joins the Active Directory domain and logs in to the Active
Directory server with its domain admin name and password is encrypted using Kerberos v5.
Click “Retrieve Directory Information.” SmartPath EMS VMA attempts to retrieve the Active Directory server BaseDN. If the
SmartPath AP succeeds in retrieving this information, it displays it along with the following message: "The Active Directory server
IP address and the BaseDN were successfully retrieved." It also displays the following options and shows the Domain Admin
Credentials to Join Domain section:
Domain Admin Credentials to Join Domain
Domain Admin: Enter the name that the SmartPath AP RADIUS server uses to log in to the Active Directory server and add itself
as a computer in the domain, or as a computer in an organizational unit in the domain. The name must be for a domain user and
have rights to create a computer in the domain, or create a computer in an organizational unit in the domain. It can be up to 64
characters long.
Password: Enter the password that the SmartPath AP RADIUS authentication server submits when joining an Active Directory
domain. The password must exactly match the password entered for the user account defined on the Active Directory server for
the SmartPath AP RADIUS authentication server. It can be up to 64 characters long. To ensure accuracy, enter the password again
in the Confirm Password field. To see the text string that you type, clear the Obscure Password checkbox.
After you enter the appropriate domain administrator credentials, click “Join and Save” or “Join and Discard.” The first option
saves the domain admin credentials on SmartPath EMS VMA after successfully joining the domain; the second clears them.
Choose the option that best satisfies your security policy. When you click one of the two Join options, the SmartPath AP RADIUS
server attempts to add itself to the domain. If it is successful, the following message appears: "The SmartPath AP RADIUS server
successfully joined the Active Directory domain." In addition, the Domain Users Credentials for User Auth section appears.
Domain Users Credentials for User Auth
Domain User: Enter the name that the SmartPath AP RADIUS server provides to authenticate itself to the Active Directory server
when initiating a connection to request a user account lookup. The domain user name can be in either user principal format
([email protected]) or DN format (cn=administrator,cn=users,dc=domain,dc=com).
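The field rules stated in this section (the Computer OU path and host name limits, the 64-character limits on the domain admin name and password, and the UPN-or-DN requirement for the Domain User) lend themselves to a pre-flight check before you click "Join and Save." The following Python is an added example written for this page; it is not part of SmartPath EMS VMA or the SmartPath AP. The function names, the simplified UPN and DN acceptance rules, and every sample value are assumptions made for illustration, and the check only inspects the strings you intend to type, it does not talk to Active Directory.

```python
"""Pre-flight validation of the SmartPath AP RADIUS / Active Directory join settings.

Added example, not product code. The rules encoded are the ones the page states:
  - computer host name: at most 256 characters, no underscores
  - Computer OU: ou/sub-ou/sub-ou with forward slashes; quote the whole string if
    any container name contains a space; blank means the default Computers OU
  - domain admin name and password: at most 64 characters each
  - Domain User: user principal format (user@domain) or DN format (cn=...,dc=...)
The UPN/DN checks are deliberately simple syntax checks (an assumption), not full
RFC 4514 parsing. All sample values below are constructed.
"""
from __future__ import annotations
import re

MAX_HOSTNAME = 256   # limit stated for the computer account name
MAX_CRED_LEN = 64    # limit stated for domain admin name and password

_UPN = re.compile(r"^[^@\s]+@[^@\s]+$")              # something@domain
_RDN = re.compile(r"^\s*[A-Za-z][A-Za-z0-9-]*=.+$")  # attr=value


def check_computer_hostname(name: str) -> list:
    """Problems with the RADIUS server's host name as it would be stored in the Computer OU."""
    problems = []
    if not name:
        problems.append("host name is empty")
    if len(name) > MAX_HOSTNAME:
        problems.append("host name longer than %d characters" % MAX_HOSTNAME)
    if "_" in name:
        problems.append("host name contains an underscore")
    return problems


def check_computer_ou(path: str) -> list:
    """Problems with the ou/sub-ou/sub-ou path; an empty path selects the default Computers OU."""
    if path == "":
        return []
    problems = []
    quoted = len(path) >= 2 and path[0] == '"' and path[-1] == '"'
    inner = path[1:-1] if quoted else path
    if "\\" in inner:
        problems.append("path uses a backslash; use forward slashes only")
    parts = inner.split("/")
    if any(part == "" for part in parts):
        problems.append("empty container name in path")
    if any(" " in part for part in parts) and not quoted:
        problems.append("a container name contains a space; enclose the entire string in quotation marks")
    return problems


def check_credential(value: str, field: str) -> list:
    """Length check shared by the domain admin name and the password."""
    problems = []
    if not value:
        problems.append("%s is empty" % field)
    if len(value) > MAX_CRED_LEN:
        problems.append("%s longer than %d characters" % (field, MAX_CRED_LEN))
    return problems


def split_dn(dn: str) -> list:
    """Split a DN on commas that are not escaped with a backslash."""
    return re.split(r"(?<!\\),", dn)


def classify_domain_user(name: str):
    """Return 'upn', 'dn', or None when the Domain User name is in neither accepted format."""
    if _UPN.match(name):
        return "upn"
    rdns = split_dn(name)
    if rdns and all(_RDN.match(rdn) for rdn in rdns):
        return "dn"
    return None


def validate_join_settings(settings: dict) -> dict:
    """Run every check; returns {field: [problems]} listing only the fields with problems."""
    report = {
        "hostname": check_computer_hostname(settings.get("hostname", "")),
        "computer_ou": check_computer_ou(settings.get("computer_ou", "")),
        "domain_admin": check_credential(settings.get("domain_admin", ""), "domain admin"),
        "password": check_credential(settings.get("password", ""), "password"),
    }
    if settings.get("password") != settings.get("confirm_password"):
        report["password"].append("password and confirm password differ")
    if classify_domain_user(settings.get("domain_user", "")) is None:
        report["domain_user"] = ["domain user is neither user@domain nor a DN such as cn=...,dc=..."]
    if not settings.get("tls", False):
        # Not an error, but worth surfacing: the page states that with TLS cleared,
        # user lookup requests to the Active Directory server are sent in plain text.
        report["tls"] = ["TLS disabled: user lookup requests will be sent in plain text"]
    return {field: probs for field, probs in report.items() if probs}


if __name__ == "__main__":
    # Constructed sample settings for a dry run.
    sample = {
        "hostname": "radius_ap01",
        "computer_ou": "Network Devices/Wireless",
        "domain_admin": "joiner",
        "password": "example-only",
        "confirm_password": "example-only",
        "domain_user": "cn=radius-lookup,cn=users,dc=domain,dc=com",
        "tls": False,
    }
    for field, probs in validate_join_settings(sample).items():
        print(field, "->", "; ".join(probs))
```

Running the sample flags the underscore in the host name, the unquoted space in the OU path, and the cleared TLS checkbox, while accepting the DN-format lookup account. Quoting the OU as "Network Devices/Wireless" and renaming the host clears the first two.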