diff --git a/configuration/bypass-mfa/index.html b/configuration/bypass-mfa/index.html index c820fee..f07bc6d 100644 --- a/configuration/bypass-mfa/index.html +++ b/configuration/bypass-mfa/index.html @@ -13,7 +13,7 @@ Bypass MFA | AzureAD-LDAP-wrapper @@ -41,7 +41,7 @@ /> @@ -49,14 +49,14 @@ @@ -68,8 +68,8 @@ "name": "Bypass MFA", "url" : "https://ahaenggli.github.io/AzureAD-LDAP-wrapper/configuration/bypass-mfa/", "headline": "Bypass MFA", - "description": "Officially MFA is not supported by this LDAP-wrapper. The login for users with activated MFA simply fails, as mentioned here and here. There is no interactive window to enter another factor, and LDAP does not support this either. If you need to use this LDAP-wrapper despite of activated MFA, there are two options:\nDisable MFA for this application in AzureAD (preferred).\nThere are several ways to define MFA, but only some of them allows you to disable MFA.", - "wordCount" : "359", + "description": "Officially MFA is not supported by this LDAP-wrapper. The login for users with activated MFA simply fails, as mentioned here and here. There is no interactive window to enter another factor, and LDAP does not support this either. If you need to use this LDAP-wrapper despite of activated MFA, there are two options:\nDisable MFA for this application in your tenant (preferred).\nThere are several ways to define MFA, but only some of them allows you to disable MFA.", + "wordCount" : "364", "inLanguage": "en", "isFamilyFriendly": "true", "mainEntityOfPage": { @@ -80,7 +80,7 @@ "copyrightYear" : "0001", "dateCreated": "0001-01-01T00:00:00.00Z", "datePublished": "0001-01-01T00:00:00.00Z", - "dateModified": "2023-07-21T12:16:16.00Z", + "dateModified": "2024-01-11T15:18:30.00Z", "publisher":{ "@type":"Organization", "name": "AzureAD-LDAP-wrapper", @@ -878,6 +878,196 @@

Navigation

+ + + + +
  • + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
  • + @@ -1104,7 +1294,7 @@

    More

    -
  • AzureAD-LDAP-wrapper
  • /
  • Configuration
  • /
  • Bypass MFA
  • +
  • LDAP-wrapper for Microsoft Entra ID
  • /
  • Configuration
  • /
  • Bypass MFA
  • @@ -1125,7 +1315,7 @@

    More

    Bypass MFA

    Officially MFA is not supported by this LDAP-wrapper. The login for users with activated MFA simply fails, as mentioned here and Bypass MFA If you need to use this LDAP-wrapper despite of activated MFA, there are two options:

    1. -

      Disable MFA for this application in AzureAD (preferred).
      +

      Disable MFA for this application in your tenant (preferred).
      There are several ways to define MFA, but only some of them allows you to disable MFA.

    @@ -1484,6 +1677,109 @@

    Bypass MFA

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/configuration/customize-attributes/index.html b/configuration/customize-attributes/index.html index 038205e..6bcd2a5 100644 --- a/configuration/customize-attributes/index.html +++ b/configuration/customize-attributes/index.html @@ -872,6 +872,196 @@

    Navigation

    + + + + +
  • + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
  • + @@ -1098,7 +1288,7 @@

    More

    -
  • AzureAD-LDAP-wrapper
  • /
  • Configuration
  • /
  • Customize attributes
  • +
  • LDAP-wrapper for Microsoft Entra ID
  • /
  • Configuration
  • /
  • Customize attributes
  • @@ -1423,6 +1613,109 @@

    Customize attributes

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/configuration/index.html b/configuration/index.html index d360de1..9f09b38 100644 --- a/configuration/index.html +++ b/configuration/index.html @@ -872,6 +872,196 @@

    Navigation

    + + + + +
  • + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
  • + @@ -1092,7 +1282,7 @@

    More

    -
  • AzureAD-LDAP-wrapper
  • /
  • Configuration
  • +
  • LDAP-wrapper for Microsoft Entra ID
  • /
  • Configuration
  • @@ -1420,6 +1610,109 @@

    Configuration

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/configuration/index.xml b/configuration/index.xml index 2893663..749c130 100644 --- a/configuration/index.xml +++ b/configuration/index.xml @@ -13,7 +13,7 @@ https://ahaenggli.github.io/AzureAD-LDAP-wrapper/configuration/bypass-mfa/ Officially MFA is not supported by this LDAP-wrapper. The login for users with activated MFA simply fails, as mentioned here and here. There is no interactive window to enter another factor, and LDAP does not support this either. If you need to use this LDAP-wrapper despite of activated MFA, there are two options: -Disable MFA for this application in AzureAD (preferred). +Disable MFA for this application in your tenant (preferred). There are several ways to define MFA, but only some of them allows you to disable MFA. diff --git a/configuration/settings/index.html b/configuration/settings/index.html index 7a6059b..ecdec29 100644 --- a/configuration/settings/index.html +++ b/configuration/settings/index.html @@ -875,6 +875,196 @@

    Navigation

    + + + + +
  • + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
  • + @@ -1101,7 +1291,7 @@

    More

    -
  • AzureAD-LDAP-wrapper
  • /
  • Configuration
  • /
  • Settings
  • +
  • LDAP-wrapper for Microsoft Entra ID
  • /
  • Configuration
  • /
  • Settings
  • @@ -1832,6 +2022,109 @@

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/index.html b/index.html index 2befcf1..bfcea8b 100644 --- a/index.html +++ b/index.html @@ -40,7 +40,7 @@ - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + +
    +
    + + + +
    + + + + AzureAD-LDAP-wrapper + + +
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + \<img src="https://cdn.buymeacoffee.com/buttons/default-orange.png" style="height: 20px; width: 20px;" alt="Buy Me A Coffee"> + + + + + + + + + + + + + + + + + + + + + + GitHub + + + + + + + + + + + + + + + + + + + Toggle Dark/Light/Auto mode + + + + Toggle Dark/Light/Auto mode + + + + Toggle Dark/Light/Auto mode + + + + + + + + Back to homepage + + + + + + + + + + + + + + +
    +
    +
    + + + +
    + + + + + +
    + + + + + + + + + + + +
    + +
    + + +
    + + +
    + + + +
    +

    6.2 Authelia with LDAP-wrapper

    +

    Authelia supports LDAP authentication, enabling users to log in by authenticating against your LDAP directory. This guide outlines the steps to set up LDAP authentication with Authelia using LDAP-wrapper.

    + +
    +

    + Prerequisites + + + +

    +
    +

    Before configuring LDAP authentication for Authelia with LDAP-wrapper, ensure the following prerequisites are met:

    +
      +
    • LDAP-wrapper: Ensure you have a functioning LDAP-wrapper.
    • +
    • Authelia: Set up and configure Authelia for your environment.
    • +
    +
    +

    + Settings for Authelia LDAP Authentication with LDAP-wrapper + + + +

    +
    +

    To configure LDAP authentication with Authelia using LDAP-wrapper, follow these steps:

    +
      +
    1. Open your configuration.yml file in the Authelia configuration directory.
    2. +
    3. Locate the authentication_backend section and configure it with the following example, adjusting the url,base_dn, user, and password based on your LDAP-wrapper setup:
    4. +
    +
        ## Authentication Backend Provider Configuration
    +    authentication_backend:
    +
    +    ## Password Reset Options
    +    password_reset:
    +        ## Disable both the HTML element and the API for reset password functionality.
    +        disable: true
    +        ## External reset password url for Microsoft
    +        custom_url: "https://account.activedirectory.windowsazure.com/ChangePassword.aspx"
    +
    +    ## The amount of time to wait before we refresh data from the authentication backend. Uses duration notation
    +    ## See the below documentation for more information
    +    ## Duration Notation docs:  <https://www.authelia.com/c/common#duration-notation-format>
    +    ## Refresh Interval docs: <https://www.authelia.com/c/1fa#refresh-interval>
    +    refresh_interval: 5m
    +
    +    ##
    +    ## LDAP (Authentication Provider)
    +    ##
    +    ldap:
    +        ## The LDAP implementation, this affects elements like the attribute utilised for resetting a password.
    +        implementation: custom
    +        ## The url to the ldap server. Format: <scheme>://<address>[:<port>].
    +        url: ldap://my-nas-name.local:389
    +        ## The dial timeout for LDAP.
    +        timeout: 5s
    +        ## Use StartTLS with the LDAP connection.
    +        start_tls: false
    +        tls:
    +        ## Server Name for certificate validation (in case it's not set correctly in the URL).
    +        # server_name: ldap.domain.tld
    +        ## Skip verifying the server certificate (to allow a self-signed certificate).
    +        skip_verify: false
    +        ## Minimum TLS version for either Secure LDAP or LDAP StartTLS.
    +        minimum_version: TLS1.2
    +        ## The distinguished name of the container searched for objects in the directory information tree.
    +        base_dn: dc=domain,dc=tld
    +        ## The attribute holding the username of the user. This attribute is used to populate the username in the session
    +        username_attribute: uid
    +        ## The additional_users_dn is prefixed to base_dn and delimited by a comma when searching for users.
    +        additional_users_dn: cn=users
    +        ## The users filter used in search queries to find the user profile based on input filled in login form.
    +        users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
    +        ## The additional_groups_dn is prefixed to base_dn and delimited by a comma when searching for groups.
    +        additional_groups_dn: cn=groups
    +        ## The groups filter used in search queries to find the groups based on relevant authenticated user.
    +        groups_filter: (&(member={dn})(objectClass=posixGroup))
    +        ## The attribute holding the name of the group.
    +        group_name_attribute: cn
    +        ## The attribute holding the mail address of the user. If multiple email addresses are defined for a user, only the
    +        mail_attribute: mail
    +        ## The attribute holding the display name of the user. This will be used to greet an authenticated user.
    +        display_name_attribute: displayName
    +        ## Follow referrals returned by the server.
    +        ## This is especially useful for environments where read-only servers exist. Only implemented for write operations.
    +        permit_referrals: false
    +        ## The username and password of the admin user, matching an entry of your LDAP-wrapper environment variable `LDAP_BINDUSER`.
    +        user: uid=root
    +        ## Password can also be set using a secret: <https://www.authelia.com/c/secrets>
    +        password: 1234
    +
      +
    1. Save the changes to your configuration.yml file.
    2. +
    3. Restart Authelia to apply the new configuration.
    4. +
    +

    Now, Authelia is configured to authenticate users against your LDAP directory through LDAP-wrapper.

    + +
    + + + + +
    +
    + + + +
    + + + + + + diff --git a/usage/index.html b/usage/index.html new file mode 100644 index 0000000..c0b8c66 --- /dev/null +++ b/usage/index.html @@ -0,0 +1,1791 @@ + + + + + + + + + + + + + Usage examples | AzureAD-LDAP-wrapper + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
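Review bot: The Authelia example connects with `url: ldap://my-nas-name.local:389` and `start_tls: false`, so the `uid=root` bind password and each user's login password travel unencrypted, and the `tls:` keys listed under it do nothing for that connection; the Portainer page's "LDAP Security" step (StartTLS and Use TLS off) has the same exposure. Where the wrapper is served with a certificate the example should show an `ldaps://` URL, and otherwise carry a comment above `url:` such as `## Plain LDAP sends credentials in cleartext; keep Authelia and LDAP-wrapper on one host or a trusted segment.` `password: 1234` is better written as a labelled placeholder, e.g. `password: "<password of the LDAP_BINDUSER entry>"`, so a weak literal is not copied into a live config. As rendered here, `password_reset:`, `refresh_interval:` and `ldap:` sit at the same indent as `authentication_backend:` and the `tls:` children are not nested under `tls:`; that may be an artefact of the rendering, but the Markdown source is worth checking. The file header for this page is not visible in the text, so the unit is identified by its heading "6.2 Authelia with LDAP-wrapper".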
    + + + +
    +
    + + + +
    + + + + AzureAD-LDAP-wrapper + + +
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + \<img src="https://cdn.buymeacoffee.com/buttons/default-orange.png" style="height: 20px; width: 20px;" alt="Buy Me A Coffee"> + + + + + + + + + + + + + + + + + + + + + + GitHub + + + + + + + + + + + + + + + + + + + Toggle Dark/Light/Auto mode + + + + Toggle Dark/Light/Auto mode + + + + Toggle Dark/Light/Auto mode + + + + + + + + Back to homepage + + + + + + + + + + + + + + +
    +
    +
    + + + +
    + + + + + +
    + + + + + + + + + + + +
    + +
    + + +
    + + +
    + + + +
    +

    Usage examples

    + + + + + +
    +
    +
    Some examples how to use the LDAP-wrapper. This may also help configure similar services/apps.
    +
    + + +
    + + + + +
    +
    + + + +
    + + + + + + diff --git a/usage/index.xml b/usage/index.xml new file mode 100644 index 0000000..4eaa787 --- /dev/null +++ b/usage/index.xml 
@@ -0,0 +1,46 @@ + + + + Usage examples on AzureAD-LDAP-wrapper + https://ahaenggli.github.io/AzureAD-LDAP-wrapper/usage/ + Recent content in Usage examples on AzureAD-LDAP-wrapper + Hugo -- gohugo.io + en-us + + 6.1 Portainer + https://ahaenggli.github.io/AzureAD-LDAP-wrapper/usage/portainer/ + Mon, 01 Jan 0001 00:00:00 +0000 + + https://ahaenggli.github.io/AzureAD-LDAP-wrapper/usage/portainer/ + Portainer supports LDAP authentication, allowing users to log in by authenticating against your LDAP directory. This guide outlines the steps to set up LDAP authentication over LDAP-wrapper with Portainer. +Prerequisites Settings for Portainer LDAP Authentication with LDAP-wrapper LDAP Configuration LDAP Security User Search Configurations Prerequisites Before configuring LDAP authentication for Portainer, ensure the following prerequisites are met: +LDAP-wrapper: Make sure you have a working LDAP-wrapper. Portainer: Install and set up a working instance of Portainer. + + + + 6.2 Authelia with LDAP-wrapper + https://ahaenggli.github.io/AzureAD-LDAP-wrapper/usage/authelia/ + Mon, 01 Jan 0001 00:00:00 +0000 + + https://ahaenggli.github.io/AzureAD-LDAP-wrapper/usage/authelia/ + Authelia supports LDAP authentication, enabling users to log in by authenticating against your LDAP directory. This guide outlines the steps to set up LDAP authentication with Authelia using LDAP-wrapper. +Prerequisites Settings for Authelia LDAP Authentication with LDAP-wrapper Prerequisites Before configuring LDAP authentication for Authelia with LDAP-wrapper, ensure the following prerequisites are met: +LDAP-wrapper: Ensure you have a functioning LDAP-wrapper. Authelia: Set up and configure Authelia for your environment. 
Settings for Authelia LDAP Authentication with LDAP-wrapper To configure LDAP authentication with Authelia using LDAP-wrapper, follow these steps: + + + + 6.3 Synology Radius with UniFi + https://ahaenggli.github.io/AzureAD-LDAP-wrapper/usage/synology-radius-unifi/ + Mon, 01 Jan 0001 00:00:00 +0000 + + https://ahaenggli.github.io/AzureAD-LDAP-wrapper/usage/synology-radius-unifi/ + UniFi allows you to use a custom Radius server like the default package from Synology. Combined with the LDAP-wrapper, this creates a powerful setup for your users. +DSM 7.2.1-69057 Update 3 +LDAP-wrapper v2.0.2 +RADIUS Server Package 3.0.25-0515 +UniFi Network Application 8.0.24 Prerequisites Settings in Synology RADIUS Server Settings in UniFi Controller Prerequisites Before configuring Synology Radius and UniFi, ensure the following prerequisites are met: +Synology NAS: Ensure you are up to date with your DSM, and install the current RADIUS Server package. + + + + diff --git a/usage/portainer/index.html b/usage/portainer/index.html new file mode 100644 index 0000000..81e01d6 --- /dev/null +++ b/usage/portainer/index.html @@ -0,0 +1,1880 @@ + + + + + + + + + + + + + 6.1 Portainer | AzureAD-LDAP-wrapper + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + +
    +
    + + + +
    + + + + AzureAD-LDAP-wrapper + + +
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + \<img src="https://cdn.buymeacoffee.com/buttons/default-orange.png" style="height: 20px; width: 20px;" alt="Buy Me A Coffee"> + + + + + + + + + + + + + + + + + + + + + + GitHub + + + + + + + + + + + + + + + + + + + Toggle Dark/Light/Auto mode + + + + Toggle Dark/Light/Auto mode + + + + Toggle Dark/Light/Auto mode + + + + + + + + Back to homepage + + + + + + + + + + + + + + +
    +
    +
    + + + +
    + + + + + +
    + + + + + + + + + + + +
    + +
    + + +
    + + +
    + + + +
    +

    6.1 Portainer

    +

    Portainer supports LDAP authentication, allowing users to log in by authenticating against your LDAP directory. This guide outlines the steps to set up LDAP authentication over LDAP-wrapper with Portainer.

    + +
    +

    + Prerequisites + + + +

    +
    +

    Before configuring LDAP authentication for Portainer, ensure the following prerequisites are met:

    +
      +
    • LDAP-wrapper: Make sure you have a working LDAP-wrapper.
    • +
    • Portainer: Install and set up a working instance of Portainer.
    • +
    +
    +

    + Settings for Portainer LDAP Authentication with LDAP-wrapper + + + +

    +
    +
    +

    + LDAP Configuration + + + +

    +
    +
      +
    • LDAP Server: Specify the IP or name of your NAS with Port 389.
      +Example: 192.168.1.2:389 or my-nas-name.local:389
    • +
    • Reader DN: Set it to uid=root, matching an entry of your LDAP-wrapper environment variable LDAP_BINDUSER.
    • +
    • Password: Set it to the password corresponding to the entry in your LDAP-wrapper environment variable LDAP_BINDUSER.
    • +
    +
    +

    + LDAP Security + + + +

    +
    +
      +
    • Ensure that StartTLS, Use TLS, and Skip verification are set to off.
    • +
    +
    +

    + User Search Configurations + + + +

    +
    +
      +
    • +

      Base DN: Define the base DN as cn=users,dc=domain,dc=tld.

      +
    • +
    • +

      Username Attribute: Specify mail.

      +
    • +
    • +

      Filter: Use the following filter to restrict access:

      +
      (|(&(uid=*)(memberOf=cn=users,cn=groups,dc=domain,dc=tld))(&(cn=administrators)))
      +

      This filter ensures that only users within the administrators group can log into Portainer.

      +
    • +
    +

    Don’t forget to save your LDAP-wrapper configuration. Now, users attempting to log into Portainer will be authenticated against your LDAP directory. Only users within the administrators group, as specified in the LDAP filter, will be allowed access to Portainer.

    + +
    + + + + +
    +
    + + + +
    + + + + + + diff --git a/usage/radius_settings_certs.png b/usage/radius_settings_certs.png new file mode 100644 index 0000000..c31975e Binary files /dev/null and b/usage/radius_settings_certs.png differ diff --git a/usage/radius_settings_clients.png b/usage/radius_settings_clients.png new file mode 100644 index 0000000..a57b489 Binary files /dev/null and b/usage/radius_settings_clients.png differ diff --git a/usage/radius_settings_common.png b/usage/radius_settings_common.png new file mode 100644 index 0000000..7a3caa3 Binary files /dev/null and b/usage/radius_settings_common.png differ diff --git a/usage/radius_unifi_profiles_detail.png b/usage/radius_unifi_profiles_detail.png new file mode 100644 index 0000000..0007e0f Binary files /dev/null and b/usage/radius_unifi_profiles_detail.png differ diff --git a/usage/radius_unifi_profiles_find.png b/usage/radius_unifi_profiles_find.png new file mode 100644 index 0000000..89f3d43 Binary files /dev/null and b/usage/radius_unifi_profiles_find.png differ diff --git a/usage/radius_unifi_wlan_detail.png b/usage/radius_unifi_wlan_detail.png new file mode 100644 index 0000000..57ca227 Binary files /dev/null and b/usage/radius_unifi_wlan_detail.png differ diff --git a/usage/radius_unifi_wlan_new.png b/usage/radius_unifi_wlan_new.png new file mode 100644 index 0000000..2a6c6a2 Binary files /dev/null and b/usage/radius_unifi_wlan_new.png differ diff --git a/usage/synology-radius-unifi/index.html b/usage/synology-radius-unifi/index.html new file mode 100644 index 0000000..43e0e9c --- /dev/null +++ b/usage/synology-radius-unifi/index.html @@ -0,0 +1,1954 @@ + + + + + + + + + + + + + 6.3 Synology Radius with UniFi | AzureAD-LDAP-wrapper + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
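Review bot: The filter under "User Search Configurations" does not do what the sentence after it claims: `(|(&(uid=*)(memberOf=cn=users,cn=groups,dc=domain,dc=tld))(&(cn=administrators)))` is an OR whose first branch matches every entry with a `uid` that is a member of the `users` group, so it admits all of those users rather than only administrators. If the intent is to limit Portainer logins to administrators, the filter should test membership of that group, e.g. `(&(uid=*)(memberOf=cn=administrators,cn=groups,dc=domain,dc=tld))` (group DN assumed from the pattern on the page; confirm against the directory). Otherwise the two sentences saying that only the administrators group can log in should be reworded to describe the `users` group. The closing line "save your LDAP-wrapper configuration" presumably means the Portainer settings.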
    + + + +
    +
    + + + +
    + + + + AzureAD-LDAP-wrapper + + +
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + \<img src="https://cdn.buymeacoffee.com/buttons/default-orange.png" style="height: 20px; width: 20px;" alt="Buy Me A Coffee"> + + + + + + + + + + + + + + + + + + + + + + GitHub + + + + + + + + + + + + + + + + + + + Toggle Dark/Light/Auto mode + + + + Toggle Dark/Light/Auto mode + + + + Toggle Dark/Light/Auto mode + + + + + + + + Back to homepage + + + + + + + + + + + + + + +
    +
    +
    + + + +
    + + + + + +
    + + + + + + + + + + + +
    + +
    + + +
    + + +
    + + + +
    +

    6.3 Synology Radius with UniFi

    +

    UniFi allows you to use a custom Radius server like the default package from Synology. Combined with the LDAP-wrapper, this creates a powerful setup for your users.

    + + + + + +
    +
    +
    DSM 7.2.1-69057 Update 3
    +LDAP-wrapper v2.0.2
    +RADIUS Server Package 3.0.25-0515
    +UniFi Network Application 8.0.24
    +
    + + +
    +

    + Prerequisites + + + +

    +
    +

    Before configuring Synology Radius and UniFi, ensure the following prerequisites are met:

    +
      +
    • Synology NAS: Ensure you are up to date with your DSM, and install the current RADIUS Server package.
    • +
    • LDAP-wrapper: Ensure you have a functioning LDAP-wrapper.
    • +
    • UniFi AP: Ensure you are up to date and have access to your controller settings.
    • +
    +
    +

    + Settings in Synology RADIUS Server + + + +

    +
    +
      +
    1. +

      Open the RADIUS Server package on your Synology NAS.

      +
    2. +
    3. +

      Configure the RADIUS Common Settings with the following parameters:

      +
        +
      • Authentication port: Set the RADIUS Server’s port number for interface protocols. The default value is 1812 for authentication.
      • +
      • Select network interface: Choose the network interfaces connected to RADIUS client devices (e.g., a router). RADIUS Server provides authentication services only for access requests coming from the specified interface.
      • +
      • TLS/SSL profile level: Choose “Intermediate compatibility,” which is the default setting. This option is recommended because it is compatible with general-purpose browsers but is not compatible with insecure cipher suites.
      • +
      • Source for user authentication: Enable LDAP users.
      • +
      +

      RADIUS common settings

      +
    4. +
    5. +

      Check your certificates.

      +
        +
      • RADIUS Server requires a valid certificate.
      • +
      +

      RADIUS certs

      +
    6. +
    7. +

      Configure the RADIUS Clients by adding clients based on the IP address range.

      + + + + + +
      +
      +
      Each UniFi AP will directly contact your Synology RADIUS Server. Ensure that your firewall allows all those APs to connect to your NAS with the previously defined port (e.g., 1812).
      +
      + +

      To set up clients by IP address range:

      +
        +
      • +

        Click Add and choose Subnet, then enter the following information:

        +
          +
        • Name: Enter a display name for the collection of clients, making it easier to identify.
        • +
        • IP address: Enter the base IP addresses of the RADIUS clients (e.g., 192.168.10.1).
        • +
        • Subnet mask: Enter a subnet mask, for example, 255.255.255.0.
        • +
        • Shared secret: Enter a text string used as a password between the clients and RADIUS Server. This secret will also be needed in your UniFi configuration.
        • +
        +
      • +
      +

      RADIUS clients

      +
    8. +
    +
    +

    + Settings in UniFi Controller + + + +

    +
    +
      +
    1. +

      Log in to your UniFi controller.

      +
    2. +
    3. +

      Navigate to Settings > Profiles > RADIUS and create a new entry.

      +

      UniFi: Find RADIUS profiles

      +
        +
      • Enable Wired Networks.
      • +
      • Enable Wireless Networks.
      • +
      • Enter the IP address of your Synology NAS in the IP Address field.
      • +
      • Specify the RADIUS authentication port (typically 1812) in the Port field.
      • +
      • Enter the same shared secret configured in the Synology RADIUS Server in the Shared Secret field.
      • +
      • Disable Accounting.
      • +
      +

      UniFi: RADIUS Details

      +
    4. +
    5. +

      Navigate to the Wireless Networks section (Settings > WiFi) and edit your network.

      +

      UniFi: Find WLAN details

      +
    6. +
    7. +

      Edit the Wireless Network where you want to enable RADIUS authentication.

      +
        +
      • Enable WPA Enterprise.
      • +
      • Select the previously added RADIUS Profile.
      • +
      +

      UniFi: WLAN Details

      +
    8. +
    9. +

      Save the settings and apply the changes to your UniFi network.

      +
    10. +
    +

    Now, UniFi is configured to use the Synology RADIUS Server for authentication. Users authenticated through UniFi will be verified against your LDAP directory using LDAP-wrapper, creating a robust and secure setup.

    + +
    + + + + +
    +
    + + + +
    + + + + + +