<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Cisco 5508 and Active Directory Integration using EAP (MS-CH in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/cisco-5508-and-active-directory-integration-using-eap/m-p/1688094#M292710</link>
    <description>&lt;P&gt;Hello all and thanks for the replies. After further research I have found that MS-CHAP PEAP v2 with WPA2-AES is what I should do. I have been told this is used by 90% of deployments where Active Directory Authentication is required.&lt;/P&gt;&lt;P&gt;I am in the process of purchasing a Cisco ACS with 5.2 software to add to the configuration.&lt;/P&gt;&lt;P&gt;From what I understand, I will need to configure a CA Authority on a Windows Server and then download that certificate to the ACS. Then I would configure the LDAP connection from the ACS to my Windows AD Server.&lt;/P&gt;&lt;P&gt;Is anyone around that uses this same scenario in production? In this scenario, do I have to manually install the certificate from the CA on each wireless client?&lt;/P&gt;&lt;P&gt;Thanks in advance for your replies&lt;/P&gt;&lt;P&gt;Kevin&lt;/P&gt;</description>
    <pubDate>Thu, 26 May 2011 16:35:31 GMT</pubDate>
    <dc:creator>kmcdonald1973</dc:creator>
    <dc:date>2011-05-26T16:35:31Z</dc:date>
    <item>
      <title>Cisco 5508 and Active Directory Integration using EAP</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-5508-and-active-directory-integration-using-eap/m-p/1688091#M292702</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;I have just recently purchased a 5505 Controller and 30 3502i APs. On my main corporate WLAN, I would like to allow users to be able to authenticate via Active Directory username and password. I am also looking for as little client-side setup as possible. From what I have researched, I will need to use some type of EAP method.&lt;/P&gt;&lt;P&gt;I have come across two methods that appear to be the top contenders.&lt;/P&gt;&lt;P&gt;EAP-FAST - The method seems to be a possibility but I see that it uses certificates. If I use this method, does it mean that I would have to import the certificates to each machine manually? Also, can I configure this to work with just the 5508 Controller and an AD Database server or do I need an intermediary like IAS or ACS?&lt;/P&gt;&lt;P&gt;PEAP/GTC - This method is also a possibility and I think that it does not require certificates. Is this true? Does this also require an intermediary like ACS or IAS?&lt;/P&gt;&lt;P&gt;Thanks in advance,&lt;/P&gt;&lt;P&gt;Kevin&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 01:06:48 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-5508-and-active-directory-integration-using-eap/m-p/1688091#M292702</guid>
      <dc:creator>kmcdonald1973</dc:creator>
      <dc:date>2019-03-11T01:06:48Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco 5508 and Active Directory Integration using EAP</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-5508-and-active-directory-integration-using-eap/m-p/1688092#M292704</link>
      <description>&lt;P&gt;The WLC does have a feature called Local EAP which I believe is possible to back-end to AD via LDAP.&lt;/P&gt;&lt;P&gt;&lt;A href="http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080851b42.shtml"&gt;http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080851b42.shtml&lt;/A&gt;&lt;/P&gt;&lt;P&gt;I don't know off the top of my head, but I think only certain EAP types work with the LDAP part...&lt;/P&gt;&lt;P&gt;Generally speaking though, if you want to use EAP, you get a lot more bang out of a real AAA server (ACS/IAS).&lt;/P&gt;</description>
      <pubDate>Wed, 25 May 2011 21:30:17 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-5508-and-active-directory-integration-using-eap/m-p/1688092#M292704</guid>
      <dc:creator>weterry</dc:creator>
      <dc:date>2011-05-25T21:30:17Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco 5508 and Active Directory Integration using EAP</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-5508-and-active-directory-integration-using-eap/m-p/1688093#M292707</link>
      <description>&lt;P&gt;For web-auth there is no need for any intermediary; you can connect directly to LDAP.&lt;/P&gt;&lt;P&gt;For EAP-FAST, certificates are needed on both sides.&lt;/P&gt;&lt;P&gt;For PEAP-GTC, I found that there is no support for Microsoft AD.&lt;/P&gt;</description>
      <pubDate>Thu, 26 May 2011 05:13:11 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-5508-and-active-directory-integration-using-eap/m-p/1688093#M292707</guid>
      <dc:creator>deshtikypshaq</dc:creator>
      <dc:date>2011-05-26T05:13:11Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco 5508 and Active Directory Integration using EAP (MS-CH</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-5508-and-active-directory-integration-using-eap/m-p/1688094#M292710</link>
      <description>&lt;P&gt;Hello all and thanks for the replies. After further research I have found that MS-CHAP PEAP v2 with WPA2-AES is what I should do. I have been told this is used by 90% of deployments where Active Directory Authentication is required.&lt;/P&gt;&lt;P&gt;I am in the process of purchasing a Cisco ACS with 5.2 software to add to the configuration.&lt;/P&gt;&lt;P&gt;From what I understand, I will need to configure a CA Authority on a Windows Server and then download that certificate to the ACS. Then I would configure the LDAP connection from the ACS to my Windows AD Server.&lt;/P&gt;&lt;P&gt;Is anyone around that uses this same scenario in production? In this scenario, do I have to manually install the certificate from the CA on each wireless client?&lt;/P&gt;&lt;P&gt;Thanks in advance for your replies&lt;/P&gt;&lt;P&gt;Kevin&lt;/P&gt;</description>
      <pubDate>Thu, 26 May 2011 16:35:31 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-5508-and-active-directory-integration-using-eap/m-p/1688094#M292710</guid>
      <dc:creator>kmcdonald1973</dc:creator>
      <dc:date>2011-05-26T16:35:31Z</dc:date>
    </item>
  </channel>
</rss>

