
ACS 5.2 PEAP-GTC and LDAP

eugene.tsuno
Level 1

We want to use EAP-TTLS and LDAP (not AD).  That isn't supported.

So we want to go PEAP, but the only methods are PEAP-MSCHAP or PEAP-GTC.  Now the docs say PEAP-GTC supports LDAP on the identity store.

So is GTC simply GTC without a token card (simple login and password), and will it work with LDAP?  Do some of the GTC look like an LDAP auth?

So because a GTC is just login/password, using that method for LDAP is okay even though it isn't a GTC, even though the password isn't a one-time one?  Just funny to use GTC without a GTC involved.

3 Replies

eugene.tsuno
Level 1

Well, I convinced myself it is going to work.

Hello Eugene,

I have configured the ACS 5.1 with LDAP authentication against a Windows domain. I have also installed the Cisco Secure Services Client (CSSC supplicant) with PEAP-GTC enabled for the tunneled method. I only have a static password defined in the Windows domain.

I have tested authentication with the client configured for PEAP-GTC > ACS 5.1 with LDAP database > Windows AD acting as backend LDAP, and everything is working fine.

So, it seems that PEAP-GTC, even though it is meant for an OTP database, would work when authenticating against an LDAP database as well.

ACS configuration:

NOTE: The above was configured in a lab environment and I cannot assure how it will behave on a production network.

That being said, it seems that the suggested scenario might work.

If this was helpful, please rate.

Best Regards.

Thank you very much Carlos.  I just have to get my wireless guy to configure PEAP-GTC on a VLAN so I can test.

I wish EAP-TTLS was also supported, but I will take what I can get.