User's Manual 254 Document #: LTRT-10632
Mediant 800B Gateway & E-SBC
15.3.7 RADIUS-based CDR Accounting
Once you have configured a RADIUS server(s) for accounting in 'Configuring RADIUS
Servers' on page 246, you need to enable and configure RADIUS-based CDR accounting
(see 'Configuring RADIUS Accounting' on page 998).
15.4 LDAP-based Management and SIP Services
The device supports the Lightweight Directory Access Protocol (LDAP) application protocol
and can operate with third-party, LDAP-compliant servers such as Microsoft Active
Directory (AD).
You can use LDAP for the following LDAP services:
SIP-related (Control) LDAP Queries: LDAP can be used for routing and
manipulation (e.g., calling name and destination address).
The device connects and binds to the remote LDAP server (IP address or
DNS/FQDN) during the service’s initialization (at device start-up) or whenever you
change the LDAP server's IP address and port. Binding to the LDAP server is based
on username and password (Bind DN and Password). Service makes 10 attempts to
connect and bind to the remote LDAP server, with a timeout of 20 seconds between
attempts. If connection fails, the service remains in disconnected state until the LDAP
server's IP address or port is changed. If connection to the LDAP server later fails, the
service attempts to reconnect.
For the device to run a search, the path to the directory’s subtree, known as the
distinguished name (DN), where the search is to be done must be configured (see
'Configuring LDAP DNs (Base Paths) per LDAP Server' on page 262). The search key
(filter), which defines the exact DN to search and one or more attributes whose values
must be returned to the device must also be configured. For more information on
configuring these attributes and search filters, see 'AD-based Routing for Microsoft
Skype for Business' on page 276.
The device can store recent LDAP queries and responses in its local cache. The
cache is used for subsequent queries and/or in case of LDAP server failure. For more
information, see 'Configuring the Device's LDAP Cache' on page 266.
If connection with the LDAP server disconnects (broken), the device sends the SNMP
alarm, acLDAPLostConnection. Upon successful reconnection, the alarm clears. If
connection with the LDAP server is disrupted during the search, all search requests
are dropped and an alarm indicating a failed status is sent to client applications.
Management-related LDAP Queries: LDAP can be used for authenticating and
authorizing management users (Web and CLI) and is based on the user's login
username and password (credentials) when attempting login to one of the device's
management platforms. When configuring the login username (LDAP Bind DN) and
password (LDAP Password) to send to the LDAP server, you can use templates
based on the dollar ($) sign, which the device replaces with the actual username and
password entered by the user during the login attempt. You can also configure the
device to send the username and password in clear-text format or encrypted using
TLS (SSL).
The device connects to the LDAP server (i.e., an LDAP session is created) only when
a login attempt occurs. The LDAP Bind operation establishes the authentication of the
user based on the username-password combination. The server typically checks the
password against the userPassword attribute in the named entry. A successful Bind
operation indicates that the username-password combination is correct; a failed Bind
operation indicates that the username-password combination is incorrect.
Once the user is successfully authenticated, the established LDAP session may be
used for further LDAP queries to determine the user's management access level and
privileges (Operator, Admin, or Security Admin). This is known as the user
To Next Page
Loading...
