Hi Fellows,
We have deployed a WLC 3504 and the customer wants to give SSID access via AD credentials for employees. We have configured the WLC to authenticate users via LDAP integration, but domain end users are getting certificate errors.
The customer is not interested in installing Cisco PEAP across the organization.
Is it possible to get users authenticated via WLC and LDAP integration without Cisco PEAP?
Or is MS NPS or some external RADIUS a must for this? Does the WLC have some limitations in this integration?
Thanks in anticipation.
A certificate error means you are using "LDAPS". Is that correct?
Meanwhile, you can do it with NPS as well.
Hi, Deepak
Thanks for your response.
The goal is: end users connect to the SSID using email@example.com and their AD password (both domain-connected systems and BYOD).
At the start we don't want to add another network element like an external AAA server, and wanted to use the WLC's LDAP integration option to achieve the goal.
By certificate error I mean the connection gives a digital certificate error. I think this can be overcome by using PEAP? Is there any limitation on the WLC for using only Cisco PEAP? Can't we use the default MS-PEAP?
I think PEAP is used to avoid client-side installation of certificates.
Is there any way to work with MS PEAP, which is available with the normal installation of a wireless adapter (Cisco PEAP has to be additionally installed organization-wide), with authentication from the WLC using AD as the back-end DB without any external RADIUS,
or does using MS PEAP at the wireless client to get authenticated from AD require (mandatorily) NPS or another external RADIUS?
Thanks in anticipation.
Dear Deepak and patoberli:
Thanks for your continued support. We have come to the following understanding.
If we select Cisco PEAP on the client we don't need to push any certificate to the end user, and that's what we need. For MS-PEAP we would require certificates on the client side.
As found on this link
I think we got the answer to why MS PEAP won't work.
Now we have to test using Cisco PEAP only on the client side and using the WLC as the authentication server with AD as the back-end DB.
Thanks for making it clearer. I think your certificate is not published in the AD group policies, so it didn't get pushed to the client. Try making some changes in the client's network interface as shown in the picture below:
Uncheck the option: Verify the server's identity by validating the certificate.
I agree with you, but he is testing the network and trying to find out the root cause. If he unchecks it, we will get the root cause; after that we can suggest he push the certificate to the clients using a GPO.
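As an added example (not code from this thread or from Cisco), the Python script below audits exported Windows wireless profiles for the "uncheck server identity validation" workaround discussed above, so that profiles left in that state after troubleshooting can be found before the GPO-pushed certificate replaces them. It assumes the MS-PEAP profile XML layout written by `netsh wlan export profile` (the `PerformServerValidation`, `TrustedRootCA` and `ServerNames` elements) and uses a constructed fragment with a placeholder CA thumbprint.

```python
import xml.etree.ElementTree as ET
# Namespaces of a Windows MS-PEAP (EAP type 25) profile as exported by
# "netsh wlan export profile"; the V2 namespace holds the "Verify the
# server's identity by validating the certificate" checkbox (assumed layout).
NS = {
    "peap": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1",
    "peap2": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2",
}

def audit_peap_profile(xml_text: str) -> list[str]:
    """Return findings for one profile; an empty list means the client will
    validate the EAP server certificate instead of trusting any AP."""
    root = ET.fromstring(xml_text)
    findings = []
    psv = root.find(".//peap2:PerformServerValidation", NS)
    if psv is None:
        findings.append("PerformServerValidation missing: cannot confirm validation")
    elif (psv.text or "").strip().lower() != "true":
        findings.append("server certificate validation unchecked")
    if root.find(".//peap:ServerValidation/peap:TrustedRootCA", NS) is None:
        findings.append("no trusted root CA pinned; any trusted CA accepted")
    names = root.find(".//peap:ServerValidation/peap:ServerNames", NS)
    if names is None or not (names.text or "").strip():
        findings.append("no expected server name; any certificate subject accepted")
    return findings

def _profile(validate: str, root_ca: str, server_names: str) -> str:
    # Constructed <EapType> fragment of an MS-PEAP profile; the CA
    # thumbprint is a placeholder, not a real certificate hash.
    ca = f"<TrustedRootCA>{root_ca}</TrustedRootCA>" if root_ca else ""
    return f"""<EapType xmlns="{NS['peap']}">
  <ServerValidation>
    <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
    <ServerNames>{server_names}</ServerNames>
    {ca}
  </ServerValidation>
  <PeapExtensions>
    <PerformServerValidation xmlns="{NS['peap2']}">{validate}</PerformServerValidation>
  </PeapExtensions>
</EapType>"""

# Profile after the "uncheck Verify the server's identity" workaround.
WEAK_PROFILE = _profile("false", "", "")
# Profile as a GPO would push it: validation on, internal CA pinned, name fixed.
HARDENED_PROFILE = _profile("true", "PLACEHOLDER-CA-THUMBPRINT", "radius.example.com")

if __name__ == "__main__":
    for name, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_peap_profile(prof) or ["OK"])
```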