How to configure LDAP authentication on EMC Connectrix DCX?

It is good practice to use LDAP for user login authentication to the fabric, rather than relying only on the switch's local user database.

First, log in to the switch as admin on the command line and add the LDAP server:

switch:admin> aaaConfig --add server -conf ldap [-p port] [-t timeout] [-d domain_name]

Example:

SANDUEL:admin> aaaconfig --add 192.166.22.22 -conf ldap -p 389 -d sanduel.com -t 3

Server: Enter either a server name or an IPv4 address. Microsoft Active Directory does not support IPv6 addresses. Avoid duplicate server listings (that is, listing the same server once by name and again by IP address). Up to five servers can be added to the configuration.

-p port Optional: Enter a server port. The default is port 389.

-t timeout Optional: Enter the length of time (in seconds) that the server has to respond before the next server is contacted. The default is three seconds. Timeout values can range from 1 to 30 seconds.

-d domain_name Enter the name of the Windows domain.

-----------------------------------------------------------------

SANDUEL:admin> aaaconfig --show
RADIUS CONFIGURATIONS
=====================
RADIUS configuration does not exist.

LDAP CONFIGURATIONS
===================

Position                 : 1
Server                   : 192.166.22.22
Port                     : 389
Domain                   : sanduel.com
Timeout(s)               : 3

Primary AAA Service: Switch database
Secondary AAA Service: None


The next step is to enable the RADIUS or LDAP server.

Enter this command to enable RADIUS or LDAP with the local database as the fallback:

switch:admin> aaaconfig --authspec "<radius | ldap>;local"

where you specify the type of server as either RADIUS or LDAP, but not both. Local is used for local authentication if the user authentication fails on the RADIUS or LDAP server.


Example:

sanduel:admin> aaaconfig --authspec
Usage: aaaConfig --authspec <aaa1 [;aaa2]> [-backup]
sanduel:admin> aaaconfig --authspec "ldap;local"
sanduel:admin> aaaconfig --show
RADIUS CONFIGURATIONS
=====================
RADIUS configuration does not exist.

LDAP CONFIGURATIONS
===================

Position                 : 1
Server                   : 192.166.22.22
Port                     : 389
Domain                   : sanduel.com
Timeout(s)               : 3

Primary AAA Service: LDAP
Secondary AAA Service: Switch database
SANDUEL:admin>


One good thing about this configuration is that you can map an NT (Active Directory) group to a switch role, so multiple AD users get access through a single mapping.

Below are the steps:

SANDUEL:admin> ldapcfg
Usage: ldapcfg
--help:         display this screen
--show:         display all the mapped entries
--maprole <LDAP rolename> <switch rolename>:
                creates a new mapping of ldap role with switch role
--unmaprole <LDAP rolename>:
                delete an existing mapping of ldap role

SANDUEL:admin> ldapcfg --maprole sanduelgroup admin
LDAP role "sanduelgroup" has been successfully mapped.
SANDUEL:admin>


SANDUEL:admin> ldapcfg --show
        LDAP Role       |       Switch Role
------------------------------------------------
        sanduelgroup    |       admin
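As an added example (not part of the original post and not a switch command), the Python script below reads the text that the three steps above produce, the two aaaconfig --show listings (before and after --authspec) and the ldapcfg --show table, and reports whether the result matches the procedure: an LDAP server is present, there are no more than five, the timeout is within the documented 1 to 30 second range, LDAP is the primary AAA service with the switch database as fallback, and which LDAP groups are mapped to the admin role. The sample listings are constructed copies of the session in this post; the audit function, its finding texts and the thresholds are the example's own assumptions.

```python
import re

# Constructed sample: the first `aaaconfig --show` in the post, captured
# before `aaaconfig --authspec "ldap;local"` was run.
AAACONFIG_BEFORE = """\
RADIUS CONFIGURATIONS
=====================
RADIUS configuration does not exist.

LDAP CONFIGURATIONS
===================

Position                 : 1
Server                   : 192.166.22.22
Port                     : 389
Domain                   : sanduel.com
Timeout(s)               : 3

Primary AAA Service: Switch database
Secondary AAA Service: None
"""

# Constructed sample: the second listing, after `--authspec "ldap;local"`.
AAACONFIG_AFTER = AAACONFIG_BEFORE.replace(
    "Primary AAA Service: Switch database\nSecondary AAA Service: None",
    "Primary AAA Service: LDAP\nSecondary AAA Service: Switch database")

# Constructed sample of `ldapcfg --show` after the role mapping in the post.
LDAPCFG_SHOW = """\
        LDAP Role       |       Switch Role
------------------------------------------------
        sanduelgroup      |       admin
"""

MAX_SERVERS = 5          # "up to five servers" per the post
TIMEOUT_RANGE = (1, 30)  # documented range for -t, in seconds


def parse_aaaconfig(text):
    """Return (servers, primary, secondary); each server is a dict with its section."""
    servers, section = [], None
    primary = secondary = None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"^(RADIUS|LDAP) CONFIGURATIONS$", line)
        if header:
            section = header.group(1)
            continue
        if ":" not in line:
            continue                      # rule lines and "does not exist" text
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Position":             # starts a new server entry
            servers.append({"section": section, "position": int(value)})
        elif key in ("Server", "Domain"):
            servers[-1][key.lower()] = value
        elif key == "Port":
            servers[-1]["port"] = int(value)
        elif key == "Timeout(s)":
            servers[-1]["timeout"] = int(value)
        elif key == "Primary AAA Service":
            primary = value
        elif key == "Secondary AAA Service":
            secondary = value
    return servers, primary, secondary


def parse_ldapcfg(text):
    """Return {ldap_role: switch_role} from the `ldapcfg --show` table."""
    mappings = {}
    for line in text.splitlines():
        if "|" not in line:
            continue                      # rule line or blank
        ldap_role, switch_role = (p.strip() for p in line.split("|", 1))
        if ldap_role != "LDAP Role":      # skip the table header
            mappings[ldap_role] = switch_role
    return mappings


def audit(aaaconfig_text, ldapcfg_text):
    """Return findings; after the post's procedure only the admin review item remains."""
    servers, primary, secondary = parse_aaaconfig(aaaconfig_text)
    ldap_servers = [s for s in servers if s["section"] == "LDAP"]
    lo, hi = TIMEOUT_RANGE
    findings = []
    if not ldap_servers:
        findings.append("no LDAP server configured (aaaconfig --add <server> -conf ldap ...)")
    if len(ldap_servers) > MAX_SERVERS:
        findings.append(f"{len(ldap_servers)} LDAP servers listed; the maximum is {MAX_SERVERS}")
    for s in ldap_servers:
        timeout = s.get("timeout")
        if timeout is not None and not lo <= timeout <= hi:
            findings.append(f"server {s['server']}: timeout {timeout}s is outside {lo}-{hi}s")
    if primary != "LDAP":
        findings.append(f"primary AAA service is '{primary}', not LDAP; "
                        'run aaaconfig --authspec "ldap;local"')
    if secondary != "Switch database":
        findings.append("no local fallback: secondary AAA service should be the switch database")
    for ldap_role, switch_role in parse_ldapcfg(ldapcfg_text).items():
        if switch_role == "admin":        # least privilege: admin mappings deserve a look
            findings.append(f"LDAP group '{ldap_role}' maps to admin; keep its AD membership tight")
    return findings


if __name__ == "__main__":
    for label, text in (("before", AAACONFIG_BEFORE), ("after", AAACONFIG_AFTER)):
        print(f"--- {label} --authspec ---")
        for finding in audit(text, LDAPCFG_SHOW) or ["OK"]:
            print(" ", finding)
```

Paste real --show output into the two strings (or read it from files) and run the script as a quick check after the change; it does not replace testing an actual LDAP login, and it says nothing about transport security, since port 389 is the plain LDAP port and whether the bind to the directory is protected is a separate question from what this listing shows.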