cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
994
Views
0
Helpful
7
Replies

Authenticating Users via LDAP (Active Directory)

Lucas Phelps
Level 5
Level 5

I am attempting to secure our 'enterprise' WLAN with EAP security and would like it to check user's credentials via LDAP against our Active Directory database.

If using LDAP to authenticate, is there any reason to have a RADIUS server at all? If so, please elaborate.

Thanks for your guidance,

Lucas

7 Replies 7

amritpatek
Level 6
Level 6

If any RADIUS servers are configured on the controller, the controller tries to authenticate the wireless clients using the RADIUS servers first. Local EAP is attempted only if no RADIUS servers are found, either because the RADIUS servers timed out or no RADIUS servers were configured. If four RADIUS servers are configured, the controller attempts to authenticate the client with the first RADIUS server, then the second RADIUS server, and then local EAP. If the client attempts to then reauthenticate manually, the controller tries the third RADIUS server, then the fourth RADIUS server, and then local EAP.

For the furter assistance following URL may help you

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml

I guess I'm still left wondering whether I can just go into the LDAP configuration on the WLC and type the server info of my Active Directory server or whether I am required to have a RADIUS server.

RADIUS is an older, less secure method, and I'd rather have secure authentication directly to our LDAP AD server.

Yes you can use LDAP with no RADIUS. However you should be aware of restrictions when using LDAP backend atabase authentication against LDAP. For instance, you will have to reconfigure your AD to return clear-text password.

But even with a RADIUS server, doesn't the password have to be clear-text?

I'm trying to figure out what the benefit is of having the required RADIUS server if I can hook the WLC directly up to LDAP on our Domain controllers.

You need radius server, because you looking for protocol support such as PEAP, LEAP, EAP-TLS

Enable IAS (microsfot's RADIUS) on one of your windows servers and set it to authenticate against AD.

RADIUS communications are hashed with the Shared Secret, which is a poor excuse for encryption, but it keeps user credentials from rolling around in clear text format. Seems like you ought to be able to use IPSec to tighten up the comm between the controller and the RADIUS box.

Review Cisco Networking for a $25 gift card