topic Re: PEAP authentication to LDAP in Wireless

PEAP authentication to LDAP

tjenkin2 — Sat, 03 Jul 2021 23:18:29 GMT

Hi,

I have a working WLAN solution that uses PEAP (1252 AP's, WCS, 4400 controllers etc.). At the moment we authenticate against Active Directory via a Cisco ACS appliance (v4.1) - this works fine.

We are trying to also get authentication working to our LDAP Server - however, ACS keeps reporting "Authentication type not supported by external DB". It also doesn't seem to even try to contact the LDAP server looking at our LAN sniffer logs.

Any ideas ? Thanks, Tim.

Re: PEAP authentication to LDAP

m.glosson — Thu, 14 Aug 2008 16:16:14 GMT

You can't authenticate PEAP against LDAP (at least a non-Active Directory LDAP; I've never tried pointing to an Active Directory LDAP). PEAP is a Microsoft-funded "standard". If you still want to use EAP but don't want to deal with client certs (as in EAP-TLS), you can do EAP-GTC or EAP-FAST. The problem for lots of people with that is that Windows XP and Vista do not support it natively via ZeroConfig. You have to use a client such as Intel ProSet, Juniper Oddysey, or Cisco Secure Services Client.

See http://en.wikipedia.org/wiki/EAP-TLS#PEAPv1.2FEAP-GTC for more info about EAP.

Re: PEAP authentication to LDAP

daniel.keith — Wed, 28 Jan 2009 14:07:13 GMT

I am using Novell LDAP with EAP-GTC and I believe that error message is due to certificates not being installed on the Novell side and on the Cisco ACS. I also seem to remember the ACS needing an admin account on the LDAP database to access it fully, unless you use specialized groups which you can map. There was also a cert.db7 file that you have to extract and add to the Cisco ACS as well.

Re: PEAP authentication to LDAP

Stephen Rodriguez — Wed, 28 Jan 2009 15:10:18 GMT

If you are trying to make an LDAP call to the Microsoft AD, it won't work. The WLC only supports unencrypted LDAP calls, and AD only supports an ecrypted call. in other words, the WLC only can do clear text passwords, and AD will not send them as clear text.

HTH,

Steve

Re: PEAP authentication to LDAP

srosenthal — Fri, 20 Feb 2009 20:40:45 GMT

I am setting up a WLAN using WLAN 4404, ACS and 1130 AP's. My customer is using a Novell network.

I was going to setup the ACS and client to do PEAP and have the ACS authenticate via LDAP to the Novell server.

This will work won't it? The customer does have a cert from Verisign that I will install on the ACS.

Seth

Re: PEAP authentication to LDAP

Stephen Rodriguez — Fri, 20 Feb 2009 20:42:21 GMT

that should work.

although why you would buy a certificate to do PEAP, instead of using your own CA, or have the ACS generate it's own PEAP ceritificate.....

Re: PEAP authentication to LDAP

srosenthal — Fri, 20 Feb 2009 20:45:04 GMT

Thank you for the quick answer.

The customer already has several Verisign certs for their servers so I was just going to install one on the ACS also.

I tried in the lab to have the ACS server self generate a cert and then connect via the wireless. I added a user account on the ACS. I can fully connect it I tell the laptop to not validate the server.

I am missing something? I thought I had to leave the box checked to validate the server.

Seth

Re: PEAP authentication to LDAP

Stephen Rodriguez — Fri, 20 Feb 2009 20:46:03 GMT

nope, PEAP does not require the client to validate the server side certificate. Only TLS requires mutual certificate validations.

Re: PEAP authentication to LDAP

aneelaka — Fri, 06 Mar 2009 21:37:18 GMT

PEAP with ACS-LDAP is supported with PEAP (EAP-GTC) and not with PEAP (EAP-MSCHAPV2)

Change you peap type from PEAP-mschapV2 to PEAP -EAP-GTC

Table 1-3 EAP Authentication Protocol and User Database Compatibility

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/o.html

Re: PEAP authentication to LDAP

srosenthal — Sun, 08 Mar 2009 23:42:10 GMT

Doen't EAP-GTC require some sort of generic token card?

Seth