https://community.cisco.com/t5/wireless/authenticating-users-via-ldap-active-directory/m-p/1148834#M18627 <HTML><HEAD></HEAD><BODY><P>Yes you can use LDAP with no RADIUS. However you should be aware of restrictions when using LDAP backend atabase authentication against LDAP. For instance, you will have to reconfigure your AD to return clear-text password.</P></BODY></HTML> Tue, 03 Feb 2009 05:59:31 GMT r.roudi 2009-02-03T05:59:31Z https://community.cisco.com/t5/wireless/authenticating-users-via-ldap-active-directory/m-p/1148831#M18624 <P>I am attempting to secure our 'enterprise' WLAN with EAP security and would like it to check user's credentials via LDAP against our Active Directory database. </P><P></P><P>If using LDAP to authenticate, is there any reason to have a RADIUS server at all? If so, please elaborate.</P><P></P><P>Thanks for your guidance,</P><P></P><P>Lucas</P> Sat, 03 Jul 2021 23:57:12 GMT https://community.cisco.com/t5/wireless/authenticating-users-via-ldap-active-directory/m-p/1148831#M18624 Lucas Phelps 2021-07-03T23:57:12Z https://community.cisco.com/t5/wireless/authenticating-users-via-ldap-active-directory/m-p/1148832#M18625 <HTML><HEAD></HEAD><BODY><P>If any RADIUS servers are configured on the controller, the controller tries to authenticate the wireless clients using the RADIUS servers first. Local EAP is attempted only if no RADIUS servers are found, either because the RADIUS servers timed out or no RADIUS servers were configured. If four RADIUS servers are configured, the controller attempts to authenticate the client with the first RADIUS server, then the second RADIUS server, and then local EAP. If the client attempts to then reauthenticate manually, the controller tries the third RADIUS server, then the fourth RADIUS server, and then local EAP.</P><P></P><P></P><P>For the furter assistance following URL may help you</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml" target="_blank">http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml</A></P><P></P><P></P></BODY></HTML> Mon, 19 Jan 2009 03:24:05 GMT https://community.cisco.com/t5/wireless/authenticating-users-via-ldap-active-directory/m-p/1148832#M18625 amritpatek 2009-01-19T03:24:05Z https://community.cisco.com/t5/wireless/authenticating-users-via-ldap-active-directory/m-p/1148833#M18626 <HTML><HEAD></HEAD><BODY><P>I guess I'm still left wondering whether I can just go into the LDAP configuration on the WLC and type the server info of my Active Directory server or whether I am required to have a RADIUS server.</P><P></P><P>RADIUS is an older, less secure method, and I'd rather have secure authentication directly to our LDAP AD server.</P></BODY></HTML> Mon, 02 Feb 2009 15:00:26 GMT https://community.cisco.com/t5/wireless/authenticating-users-via-ldap-active-directory/m-p/1148833#M18626 Lucas Phelps 2009-02-02T15:00:26Z https://community.cisco.com/t5/wireless/authenticating-users-via-ldap-active-directory/m-p/1148834#M18627 <HTML><HEAD></HEAD><BODY><P>Yes you can use LDAP with no RADIUS. However you should be aware of restrictions when using LDAP backend atabase authentication against LDAP. For instance, you will have to reconfigure your AD to return clear-text password.</P></BODY></HTML> Tue, 03 Feb 2009 05:59:31 GMT https://community.cisco.com/t5/wireless/authenticating-users-via-ldap-active-directory/m-p/1148834#M18627 r.roudi 2009-02-03T05:59:31Z https://community.cisco.com/t5/wireless/authenticating-users-via-ldap-active-directory/m-p/1148835#M18628 <HTML><HEAD></HEAD><BODY><P>But even with a RADIUS server, doesn't the password have to be clear-text? </P><P></P><P>I'm trying to figure out what the benefit is of having the required RADIUS server if I can hook the WLC directly up to LDAP on our Domain controllers.</P></BODY></HTML> Tue, 03 Feb 2009 14:39:04 GMT https://community.cisco.com/t5/wireless/authenticating-users-via-ldap-active-directory/m-p/1148835#M18628 Lucas Phelps 2009-02-03T14:39:04Z https://community.cisco.com/t5/wireless/authenticating-users-via-ldap-active-directory/m-p/1148836#M18629 <HTML><HEAD></HEAD><BODY><P>You need radius server, because you looking for protocol support such as PEAP, LEAP, EAP-TLS </P></BODY></HTML> Fri, 06 Mar 2009 22:31:05 GMT https://community.cisco.com/t5/wireless/authenticating-users-via-ldap-active-directory/m-p/1148836#M18629 aneelaka 2009-03-06T22:31:05Z https://community.cisco.com/t5/wireless/authenticating-users-via-ldap-active-directory/m-p/1148837#M18630 <HTML><HEAD></HEAD><BODY><P>Enable IAS (microsfot's RADIUS) on one of your windows servers and set it to authenticate against AD. </P></BODY></HTML> Tue, 10 Mar 2009 15:43:38 GMT https://community.cisco.com/t5/wireless/authenticating-users-via-ldap-active-directory/m-p/1148837#M18630 venom43212 2009-03-10T15:43:38Z https://community.cisco.com/t5/wireless/authenticating-users-via-ldap-active-directory/m-p/1148838#M18631 <HTML><HEAD></HEAD><BODY><P>RADIUS communications are hashed with the Shared Secret, which is a poor excuse for encryption, but it keeps user credentials from rolling around in clear text format. Seems like you ought to be able to use IPSec to tighten up the comm between the controller and the RADIUS box.</P></BODY></HTML> Thu, 02 Apr 2009 20:30:41 GMT https://community.cisco.com/t5/wireless/authenticating-users-via-ldap-active-directory/m-p/1148838#M18631 Robert.N.Barrett_2 2009-04-02T20:30:41Z