Authenticate thru ACS to Novell LDAP

millerlw
Level 1

Hi,

I have been trying for days to get this to work. Using EAP-TLS, created server cert for ACS and user cert, imported both certs to ACS server and laptop.

Is it possible to get a novell client, WindersXP laptop to authenticate to a novell server thru my ACS? The laptop says Attempting To Authenticate, but then fails. Log on access point reads: Station (mac-address) Authentication failed.

All of the AP's and the WDS are seeing each other and registered. I can connect in guest mode, but cannot authenticate to my novell server.

Thanks in advance

Leonard

11 Replies

dixho
Level 6

Please look at Table 1 at the following URL:

http://www.cisco.com/en/US/customer/products/hw/wireless/ps430/prod_configuration_guide09186a0080262422.html

EAP-TLS should support LDAP. Please post the infrastructure AP configuration and WDS AP configuration.

dixho,

Thanks for the reply. After posting that I found out that my Novell certs do not have the EKU field that EAP-TLS requires. So until I can get that EKU field in my certs, I have abandoned EAP-TLS in favor of PEAP. But lo and behold, I'm having a problem with that also. Novell says they have scripts to get the extra field in the certs, but that's all the info I get from them.

With PEAP I get a message on the ACS that "EAP-TLS or PEAP authentication failed during SSL handshake". I think I just need to leave it alone for a day. It has really dominated my days for the past week or so.

Anything you can give would be greatly appreciated. If you want to write me directly, Leonard.Miller@udlp.com

Thanks

Leonard

Have you thought of using PEAP-GTC instead of EAP-TLS? I have an ACS that authenticates the users through my Novell NDS. It was a pain to set up, but it works great. Just an idea.

Chris,

I have thought about that and it appears I may have to go that way. But the only thing is, I am under the impression that WindersXP does not support GTC, only MS-CHAP. And I would like to keep from forcing users to purchase extra cards if they already have wireless built into their laptops. But if I have to force them, then I have to. I originally wanted to but upper mgmt decided against it.

Do you have any info you can send me? My e-mail is in a previous post.

Thanks a lot

Leonard

Chris,

I am having trouble finding any good documents on getting my ACS to authenticate my Novell NDS users. Can you tell me how you got yours working? I am having particular trouble with the certificates.

Any information you can provide is greatly appreciated!

Check your certificates. If you are missing the EKU field, which you probably are, it isn't going to work. I ended up having to force the use of Cisco cards, using EAP-GTC and having user accounts on the ACS. I even opened an incident with Novell. They said there is a script that will add the EKU field to the certificate, but they couldn't tell me where it is.

Currently my users log in to the local machine, then authenticate to the ACS, then log in to Novell. It's really annoying, but it works for now.

Write me directly if you want.

Leonard.Miller@udlp.com

Hope this helps

Leonard
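Leonard's two replies above trace the EAP-TLS failure to certificates that lack the Extended Key Usage (EKU) field. The script below is added here as an illustration; it is not from this thread and not a Cisco or Novell tool. It walks a DER-encoded X.509 certificate using only the Python standard library and reports whether the EKU extension (OID 2.5.29.37) carries the serverAuth purpose (for the ACS server certificate) or the clientAuth purpose (for the user certificate). The `build_sample` function is a hypothetical helper that fabricates a skeletal DER tree so the check can run offline; pass a real PEM or DER file path on the command line to inspect one of your own certificates.

```python
"""Report whether a DER/PEM X.509 certificate carries the EKU purposes EAP-TLS looks for.
Standard library only; no `cryptography` or OpenSSL dependency."""
import base64
import sys

OID_EKU = "2.5.29.37"             # id-ce-extKeyUsage
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth
TAG_OID, TAG_OCTET_STRING, TAG_SEQUENCE = 0x06, 0x04, 0x30


def _read_tlv(data, pos):
    """Parse one DER tag-length-value at `pos`; return (tag, value, next_pos)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _iter_children(data):
    pos = 0
    while pos < len(data):
        tag, value, pos = _read_tlv(data, pos)
        yield tag, value


def decode_oid(value):
    """DER OID content bytes -> dotted string (first arc < 2.40, which covers these OIDs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def encode_oid(dotted):
    """Dotted OID string -> DER content bytes (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def der(tag, content):
    """Wrap content in a DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def find_eku(cert_der):
    """Return the list of EKU OIDs in the certificate, or None if the extension is absent."""
    def walk(data):
        for tag, value in _iter_children(data):
            if not tag & 0x20:             # primitive: nothing to descend into
                continue
            kids = list(_iter_children(value))
            # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
            if tag == TAG_SEQUENCE and kids and kids[0][0] == TAG_OID \
                    and decode_oid(kids[0][1]) == OID_EKU:
                _, inner, _ = _read_tlv(kids[-1][1], 0)   # extnValue holds SEQUENCE OF OID
                return [decode_oid(v) for t, v in _iter_children(inner) if t == TAG_OID]
            found = walk(value)
            if found is not None:
                return found
        return None
    return walk(cert_der)


def check_for_eap_tls(cert_der, role):
    """role: 'server' (ACS certificate) or 'client' (user certificate). Returns (ok, reason)."""
    needed = OID_SERVER_AUTH if role == "server" else OID_CLIENT_AUTH
    ekus = find_eku(cert_der)
    if ekus is None:
        return False, "no extendedKeyUsage extension at all"
    if needed not in ekus:
        return False, f"extendedKeyUsage present but lacks {needed}: {ekus}"
    return True, f"extendedKeyUsage includes {needed}"


def build_sample(eku_oids):
    """Hypothetical helper: a constructed, skeletal DER tree shaped like
    Certificate { tbsCertificate { serial, [3] Extensions { Extension } } }.
    Not a valid certificate, only enough structure for find_eku() to walk."""
    tbs = der(0x02, b"\x01")               # INTEGER serial number
    if eku_oids is not None:
        eku_seq = der(TAG_SEQUENCE, b"".join(der(TAG_OID, encode_oid(o)) for o in eku_oids))
        ext = der(TAG_SEQUENCE, der(TAG_OID, encode_oid(OID_EKU)) + der(TAG_OCTET_STRING, eku_seq))
        tbs += der(0xA3, der(TAG_SEQUENCE, ext))   # [3] EXPLICIT Extensions
    return der(TAG_SEQUENCE, der(TAG_SEQUENCE, tbs))


def load_der(path):
    raw = open(path, "rb").read()
    if b"-----BEGIN" in raw:                # PEM: strip armor and base64-decode
        raw = base64.b64decode(b"".join(l for l in raw.splitlines() if not l.startswith(b"-----")))
    return raw


if __name__ == "__main__":
    if len(sys.argv) == 3:                 # usage: script.py cert.pem server|client
        print(check_for_eap_tls(load_der(sys.argv[1]), sys.argv[2]))
    else:
        print("user cert with clientAuth:", check_for_eap_tls(build_sample([OID_CLIENT_AUTH]), "client"))
        print("cert with no EKU:        ", check_for_eap_tls(build_sample(None), "client"))
```

The walker looks for the Extension SEQUENCE by its extnID rather than by a fixed offset, so it tolerates certificates with or without the optional `critical` flag and with any number of other extensions. A certificate that fails the "no extendedKeyUsage extension at all" case is the situation described in the thread and has to be re-issued; no client-side setting makes EAP-TLS accept it.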

The configuration we are using is similar to Leonard's, except that we authenticate the users against the Novell NDS, not a user list on the ACS. The ACS has an external database mapping that does this. This way, I don't have to keep up with user accounts on the ACS. It is a pain to set up, but it does work. As for the client logging into the workstation, then authenticating through the ACS before network access is allowed: it is annoying, but for now it's the only way it will work. I am working with Novell to see if there is a way to eliminate this step. I will post if I find a solution.

Here is a link on how to set up PEAP:

http://www.cisco.com/en/US/customer/products/hw/wireless/ps430/products_technical_reference_chapter09186a008025d6ee.html

This link shows how to set up the ACS with the certificate. It says MS-CHAPv2, but it is almost the same with PEAP-GTC. The certificate part can be confusing; you may not need to do all of the steps, like configuring the CA.

http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml

Hope this helps.

Chris

You can use PEAP-GTC with more than Cisco cards if you are using XP. From Cisco, you can get a PEAP supplicant that integrates into your XP wireless config. I have HP laptops with built-in cards using it with this very same setup: ACS with server-side cert with backend connection to NDS. Downside is the limitation of having to use XP OS only w/ 802.1x card, or going 100% Cisco cards. I ended up turning to Funk with the Odyssey client as my supplicant; it has been great. Works on all my workstations and with all 802.1x cards.

I, too, would like to use the built-in adapters on my laptops running XP using EAP-GTC instead of buying all Cisco adapters. Do you have a link to this PEAP supplicant, as I am having trouble locating it?

Many thanks for your assistance.

Brian

An update on this issue...

I tried the various authentication clients and stuck with AEGIS from Meetinghouse. My workstations no longer require multiple logins (workstation, then eDirectory/NDS) and it comes with a client deployment tool that will load all your customizations, even copy the CA certificate to the proper stores. It also works with various wireless cards (Cisco, LinkSys, Netgear, etc.).

I have Novell authentication working with PEAP-GTC. I now would like to take it to the next level and get it working with secure LDAP. Has anyone been successful with this? I am not sure where to get the certificates and certificate database from Novell side.

I am also having inconsistencies with the secondary LDAP not authenticating. Sometimes it works, sometimes not.
