05-25-2011 12:02 PM - edited 03-10-2019 06:06 PM
Hello,
I have just recently purchased a 5505 Controller and 30 3502i AP's. On my main corporate WLAN, I would like to allow users to be able to authenticate via Active Directory username and password. I am also looking for as little client side set up as possible. From what I have researched, I will need to use some type of EAP method.
I have come across two methods that appear to be the top contenders.
EAP-FAST - This method seems to be a possibility but I see that it uses certificates. If I use this method, does it mean that I would have to import the certificates to each machine manually? Also, can I configure this to work with just the 5508 Controller and an AD Database server or do I need an intermediary like IAS or ACS?
PEAP/GTC - This method is also a possibility and I think that it does not require certificates. Is this true? Does this also require an intermediary like ACS or IAS?
Thanks in advance,
Kevin
05-25-2011 02:30 PM
The WLC does have a feature called Local EAP which I believe is possible to back-end to AD via LDAP.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080851b42.shtml
I don't know off the top of my head, but I think only certain EAP types work with the LDAP part.....
Generally speaking though, if you want to use EAP, you get a lot more bang out of a real AAA server (ACS/IAS).
05-25-2011 10:13 PM
For web-auth there is no need for any intermediary; you can connect directly to LDAP.
For EAP-FAST, certificates are needed on both sides.
For PEAP-GTC, I found that there is no support for Microsoft AD.
05-26-2011 09:35 AM
Hello all and thanks for the replies. After further research I have found that PEAP MS-CHAPv2 with WPA2-AES is what I should do. I have been told this is used by 90% of deployments where Active Directory Authentication is required.
I am in the process of purchasing a Cisco ACS with 5.2 software to add to the configuration.
From what I understand, I will need to configure a CA on a Windows Server and then download that certificate to the ACS. Then I would configure the LDAP connection from the ACS to my Windows AD Server.
Is anyone around that uses this same scenario in production? In this scenario, do I have to manually install the certificate from the CA on each wireless client?
Thanks in advance for your replies
Kevin
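The question in the post above (whether each wireless client needs the CA certificate) is really a question about server-certificate validation in PEAP. The client never presents a certificate with PEAP/MS-CHAPv2; what it needs is to trust the CA that issued the RADIUS (ACS) server's certificate, otherwise a rogue access point with any certificate can harvest the MS-CHAPv2 exchange. The following wpa_supplicant network blocks are an added example, not part of this thread and not Cisco's or Microsoft's configuration; the file paths, SSID and the server-name suffix are assumptions.

```conf
# Added example: two PEAP/MS-CHAPv2 supplicant profiles, weak and hardened.
# File paths, SSID and server name are placeholders, not values from the thread.

# WEAK: no CA configured, so the supplicant accepts any server certificate.
# A rogue AP with a self-signed cert can complete PEAP and capture the
# MS-CHAPv2 challenge/response. Shown only so the difference is visible.
network={
    ssid="CORP-WLAN"
    key_mgmt=WPA-EAP
    pairwise=CCMP
    eap=PEAP
    identity="CORPDOMAIN\\kevin"
    password="user-password-placeholder"
    phase2="auth=MSCHAPV2"
}

# HARDENED: pin the enterprise root CA and the RADIUS server's name so the
# supplicant only completes phase 1 with the real ACS. This is the part that
# has to reach every client (by file, MDM, or, for AD-joined Windows hosts,
# the trusted-root store that Group Policy populates).
network={
    ssid="CORP-WLAN"
    key_mgmt=WPA-EAP
    pairwise=CCMP
    eap=PEAP
    identity="CORPDOMAIN\\kevin"
    password="user-password-placeholder"
    # Root CA exported from the Windows CA in the post above (placeholder path)
    ca_cert="/etc/wpa_supplicant/corp-root-ca.pem"
    # Only accept a server cert whose SAN/CN ends with this suffix
    domain_suffix_match="acs.corp.example"
    # Send an anonymous outer identity so the username is not visible in phase 1
    anonymous_identity="anonymous@corp.example"
    phase2="auth=MSCHAPV2"
}
```

On Windows the equivalent is the "Validate server certificate" checkbox in the PEAP properties, with the root CA selected and the server name(s) restricted; on domain-joined machines the root certificate of an enterprise CA is distributed through Active Directory rather than installed by hand, which is what makes the per-client effort small.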