Cisco 5508 and Active Directory Integration using EAP

kmcdonald1973
Level 1

Hello,

I have just recently purchased a 5505 Controller and 30 3502i APs. On my main corporate WLAN, I would like to allow users to be able to authenticate via Active Directory username and password. I am also looking for as little client-side set up as possible. From what I have researched, I will need to use some type of EAP method.

I have come across two methods that appear to be the top contenders.

EAP-FAST - The method seems to be a possibility, but I see that it uses certificates. If I use this method, does it mean that I would have to import the certificates to each machine manually? Also, can I configure this to work with just the 5508 Controller and an AD Database server, or do I need an intermediary like IAS or ACS?

PEAP/GTC - This method is also a possibility, and I think that it does not require certificates. Is this true? Does this also require an intermediary like ACS or IAS?

Thanks in advance,

Kevin

3 Replies

weterry
Level 4

The WLC does have a feature called Local EAP which I believe is possible to back-end to AD via LDAP.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080851b42.shtml

I don't know off the top of my head, but I think only certain EAP types work with the LDAP part.

Generally speaking though, if you want to use EAP, you get a lot more bang out of a real AAA server (ACS/IAS).

deshtikypshaq
Level 1

For web-auth you don't need any intermediary; you can connect directly to LDAP.

For EAP-FAST, certificates are needed on both sides.

For PEAP-GTC, I found that there is no support for Microsoft AD.

Hello all, and thanks for the replies. After further research I have found that MS-CHAP PEAP v2 with WPA2-AES is what I should do. I have been told this is used by 90% of deployments where Active Directory authentication is required.

I am in the process of purchasing a Cisco ACS with 5.2 software to add to the configuration.

From what I understand, I will need to configure a CA Authority on a Windows Server and then download that certificate to the ACS. Then I would configure the LDAP connection from the ACS to my Windows AD Server.

Is anyone around that uses this same scenario in production? In this scenario, do I have to manually install the certificate from the CA on each wireless client?

Thanks in advance for your replies.

Kevin
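As an added example (not from the thread, and not Cisco's or Microsoft's own configuration), here is what the client side of the PEAP/MSCHAPv2 + WPA2-AES design above looks like as a wpa_supplicant network block, with the weak setting beside the corrected one. It answers the question about what has to reach each client: the internal CA certificate that issued the ACS server certificate, not a per-client certificate. The SSID, file path, identities and server name are assumed placeholders.

```conf
# Added example, not from the original thread. Placeholders: CORP-WLAN,
# corp.example, the CA file path and the ACS host name are all assumed.

# WEAK: no trust anchor configured. The supplicant will build a PEAP tunnel
# to any RADIUS server behind any AP advertising this SSID and hand over the
# MSCHAPv2 exchange, so a rogue AP can harvest AD credential material.
network={
    ssid="CORP-WLAN"
    key_mgmt=WPA-EAP
    pairwise=CCMP          # WPA2-AES
    group=CCMP
    eap=PEAP
    identity="kmcdonald@corp.example"
    password="REPLACE_ME"
    phase2="auth=MSCHAPV2"
    # ca_cert is absent: any server certificate is accepted
}

# HARDENED: pin the trust anchor to the internal CA that issued the ACS
# certificate and require the expected server name, so only the real ACS
# can complete the outer TLS tunnel before any credentials are sent.
network={
    ssid="CORP-WLAN"
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
    eap=PEAP
    # Outer (cleartext) identity: keep the real username out of it
    anonymous_identity="anonymous@corp.example"
    identity="kmcdonald@corp.example"
    password="REPLACE_ME"
    phase2="auth=MSCHAPV2"
    phase1="peapver=0 peaplabel=0"
    # Internal CA certificate distributed to every client (via GPO on AD-joined
    # Windows machines); the ACS server certificate must chain to it.
    ca_cert="/etc/ssl/certs/corp-internal-ca.pem"
    # Reject any server whose certificate does not carry this name.
    domain_match="acs.corp.example"
}
```

The same two controls (trusted root CA and expected server name) are what the Windows PEAP profile exposes under "Validate server certificate", so a GPO-pushed profile with the internal CA is the usual way to avoid touching each client by hand.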