1126 Views, 0 Helpful, 10 Replies
Cisco's WLCs and Microsoft Active Directory via LDAP

bbiandov
Level 1

After looking at a few problematic trends with 802.1x and the requisite evasive answers, I must ask a very simple yet specific question:

Are we out of luck with Cisco's WLCs authenticating against Microsoft Active Directory via LDAP?

I am referring to the issue with clear-text passwords being required by the WLC's LDAP implementation, which makes that LDAP useless against Microsoft Active Directory.

Thank you

~B

10 Replies

Scott Fella
Hall of Fame

802.1x requires a RADIUS server, and the RADIUS server also has to join the domain. LDAP only supports clear text for EAP-TLS and EAP-FAST or PAP using WebAuth.


-Scott
*** Please rate helpful posts ***

With some EAP methods you don't need a clear-text password; with others, however, you do.

For example, you DON'T need a clear-text password for:

  • EAP-FAST/GTC
  • EAP-TLS
  • PEAPv1/GTC.

You need a clear-text password for:

  • LEAP
  • EAP-FAST/MSCHAPv2
  • PEAPv0/MSCHAPv2

The LDAP backend database supports these local EAP methods:

  • EAP-FAST/GTC
  • EAP-TLS
  • PEAPv1/GTC.

LEAP, EAP-FAST/MSCHAPv2, and PEAPv0/MSCHAPv2 are also supported, but only if the LDAP server is set up to return a clear-text password. For example, Microsoft Active Directory is not supported because it does not return a clear-text password. If the LDAP server cannot be configured to return a clear-text password, LEAP, EAP-FAST/MSCHAPv2, and PEAPv0/MSCHAPv2 are not supported.

Reference: http://tiny.cc/cougvw

So you can, for example, use local EAP on the WLC with EAP-TLS or PEAP-GTC and you don't need the clear-text password. But if you want to use PEAP-MSCHAPv2, that is not supported unless you get the LDAP DB to send a clear-text password.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"
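Amjad's table comes down to one property of the inner method. With GTC the supplicant sends the password itself through the TLS tunnel, so the WLC can check it by doing an LDAP bind as that user, which Active Directory answers. With MS-CHAPv2 (and LEAP) the supplicant only sends a response computed from the NT hash of the password and a challenge; to check it the WLC must recompute that response, and for that it asks the directory for the clear-text password, which AD never returns over LDAP. The following is an added example, not code from this thread or from Cisco: it implements the real NT-hash derivation (MD4 over the UTF-16LE password) and two constructed directory models, one AD-like that only answers binds and one that hands back the clear-text password. The MS-CHAPv2 response function is an HMAC-SHA256 stand-in for the DES-based NT-Response of RFC 2759, and the account, password and challenge are constructed.

```python
"""Why the WLC's local EAP needs a clear-text password from LDAP for
MS-CHAPv2-based inner methods but not for GTC (added example)."""
import hmac
import struct
from hashlib import sha256

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); Windows derives the NT hash from it."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1: F = (b & c) | (~b & d)
            f = (b & c) | (~b & d)
            a, b, c, d = d, _rotl((a + f + x[i]) & MASK32, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: majority function, column-major word order
            g = (b & c) | (b & d) | (c & d)
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rotl((a + g + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3: xor, bit-reversed word order
            h = b ^ c ^ d
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, _rotl((a + h + x[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4]), b, c
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). AD stores this; LDAP never returns it."""
    return md4(password.encode("utf-16-le"))


class ActiveDirectoryLike:
    """Constructed model of AD over LDAP: it verifies a bind but hands out
    neither the password nor the NT hash it keeps."""

    def __init__(self, users: dict):
        self._nt = {u: nt_hash(p) for u, p in users.items()}

    def bind(self, user: str, password: str) -> bool:
        stored = self._nt.get(user)
        return stored is not None and hmac.compare_digest(stored, nt_hash(password))


class ClearTextLdap(ActiveDirectoryLike):
    """Constructed model of an LDAP server configured to return the clear-text
    password, which is what the WLC asks for with LEAP/MS-CHAPv2 inner methods."""

    def __init__(self, users: dict):
        super().__init__(users)
        self._clear = dict(users)

    def user_password(self, user: str) -> str:
        return self._clear[user]


def mschapv2_response(nt: bytes, challenge: bytes) -> bytes:
    """Stand-in for the RFC 2759 NT-Response (really SHA-1 challenge hash, then
    DES keyed from the NT hash). HMAC-SHA256 keeps the property that matters:
    only a holder of the NT hash can compute or check it."""
    return hmac.new(nt, challenge, sha256).digest()


def verify_gtc(directory, user: str, password: str) -> bool:
    """PEAPv1/GTC, EAP-FAST/GTC: the password arrives inside the TLS tunnel,
    so the authenticator simply binds as the user."""
    return directory.bind(user, password)


def verify_mschapv2(directory, user: str, challenge: bytes, response: bytes) -> bool:
    """PEAPv0/MS-CHAPv2, EAP-FAST/MS-CHAPv2, LEAP: only a response arrives, so
    the authenticator must recompute it from the user's credential."""
    fetch = getattr(directory, "user_password", None)
    if fetch is None:
        raise LookupError("directory does not return a clear-text password; "
                          "MS-CHAPv2 response cannot be verified")
    try:
        password = fetch(user)
    except KeyError:
        return False
    expected = mschapv2_response(nt_hash(password), challenge)
    return hmac.compare_digest(expected, response)


# Constructed sample account and challenge.
USERS = {"alice": "Correct-Horse-42"}
AD_DIRECTORY = ActiveDirectoryLike(USERS)
CLEAR_DIRECTORY = ClearTextLdap(USERS)
CHALLENGE = bytes.fromhex("0123456789abcdef")


def demo() -> dict:
    """Run the three combinations the thread is about and collect the outcomes."""
    resp = mschapv2_response(nt_hash("Correct-Horse-42"), CHALLENGE)
    out = {"gtc_vs_ad": verify_gtc(AD_DIRECTORY, "alice", "Correct-Horse-42"),
           "mschapv2_vs_clear": verify_mschapv2(CLEAR_DIRECTORY, "alice", CHALLENGE, resp)}
    try:
        out["mschapv2_vs_ad"] = verify_mschapv2(AD_DIRECTORY, "alice", CHALLENGE, resp)
    except LookupError as err:
        out["mschapv2_vs_ad"] = str(err)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it and the AD-like directory verifies the GTC case but raises on the MS-CHAPv2 case; that is exactly the unsupported combination in the Cisco note quoted above. Cryptographically the NT hash alone would be enough to check an MS-CHAPv2 response, but the WLC's local EAP only knows how to fetch a password attribute from LDAP, so the documented requirement is the clear text.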

Thanks Amjad, very detailed reply. Appreciate the source link.

I was suspecting that the most desirable methods won't work with non-clear-text LDAP passwords. Sounds like what will work is a road of client-certificate mess that I am sure is technically possible. All those 3 supported methods do require a client certificate:

  • EAP-FAST/GTC
  • EAP-TLS
  • PEAPv1/GTC.

So, just in case I am not missing something: is there a workable L2 authentication method using Microsoft AD as the backend via LDAP where a simple username and password pops up at the client end, AND

  • no client certificates/smart cards
  • no pre-shared keys, such as the case with WPAxx
  • no clear-text-password LDAP backend is available

Clients being the mainstream range of possibilities such as iOS, Mac OS, Windows, etc. (no specialized NICs and drivers allowed in this solution).

With PEAPv1/GTC the client certificate is optional, not mandatory.

Look into this:

http://www.cisco.com/en/US/products/ps7034/products_configuration_example09186a0080734afc.shtml

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

bbiandov
Level 1

Not good; software required to make Win7 work:

https://supportforums.cisco.com/thread/2206685?referring_site=kapi

Back to searching for native support: no software, no certificates, no pre-shared keys.

So, why not promote a server to do NPS? You can use the IIS 6.0 toolkit and generate a self-signed certificate for that server if you don't have PKI.

Then you can use that to do PEAP against AD.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered


Thanks Steve

Have you actually done that in the real atomic world? I mean, done it without deploying PKI?

It's not the certificate generation; it's that NPS would not even pick a certificate unless the certificate scheme is modified so that this type of certificate becomes permissible, and that's what the deployment of PKI does, which is what I don't want to do (deploy PKI, that is).

I do have NPS; that's the easy part. The certificate business is the ugly part. And yes, if this worked it would be the most ideal solution.

B

Yes, I worked with a customer to get this running back during my TAC tenure. So long as the server has a cert saying it's authorized to authorize, it'll work.

On the client you do need to go and uncheck the 'validate server certificate' box, and all is gravy.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

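The 'validate server certificate' box Steve mentions is the only thing that tells a PEAP supplicant which RADIUS server it is allowed to hand its MS-CHAPv2 response to. With the box cleared, the client builds the outer TLS tunnel with whichever server answers, including a rogue access point advertising the same SSID, and the challenge/response pair it sends inside can then be attacked offline. The self-signed NPS certificate does not force that trade-off: the client can keep validation on, have the self-signed certificate imported as a trusted root, and pin the server name. The following is an added example, not code from the thread or from Microsoft: it models both supplicant settings against a real and a rogue server. Server names, fingerprints, the password and the wordlist are constructed, and the MS-CHAPv2 response is an HMAC-SHA256 stand-in for the real DES-based one.

```python
"""PEAP supplicant server validation: the weak setting beside the hardened one
(added example, not from the thread)."""
import hmac
from dataclasses import dataclass
from hashlib import sha256
from typing import Optional


@dataclass(frozen=True)
class ServerCert:
    """What the RADIUS server presents in the PEAP outer TLS handshake."""
    subject: str      # CN the server claims
    issuer: str       # signer; self-signed means issuer == subject
    fingerprint: str  # constructed hex id standing in for the certificate thumbprint


@dataclass(frozen=True)
class SupplicantPolicy:
    """The client-side PEAP settings that matter here."""
    validate_server_cert: bool                      # the 'Validate server certificate' box
    trusted_fingerprints: frozenset = frozenset()   # certificates imported as trusted roots
    expected_server_names: frozenset = frozenset()  # 'Connect to these servers'


def server_acceptable(policy: SupplicantPolicy, cert: ServerCert) -> bool:
    """Decide whether the supplicant builds the TLS tunnel with this server."""
    if not policy.validate_server_cert:
        return True  # box unchecked: any certificate from anyone is accepted
    return (cert.fingerprint in policy.trusted_fingerprints
            and cert.subject in policy.expected_server_names)


def inner_response(password: str, challenge: bytes) -> bytes:
    """Stand-in for the MS-CHAPv2 response sent inside the tunnel: a keyed
    function of the challenge that anyone holding the password can recompute
    (the real one is DES keyed from the NT hash, RFC 2759)."""
    return hmac.new(password.encode("utf-16-le"), challenge, sha256).digest()


def peap_attempt(policy: SupplicantPolicy, offered: ServerCert,
                 password: str, challenge: bytes) -> Optional[bytes]:
    """Return the inner response the supplicant releases to the server that
    offered `offered`, or None if it refused to build the tunnel."""
    if not server_acceptable(policy, offered):
        return None
    return inner_response(password, challenge)


def crack_offline(challenge: bytes, captured: bytes, wordlist) -> Optional[str]:
    """What a rogue server does with a captured challenge/response pair."""
    for guess in wordlist:
        if hmac.compare_digest(inner_response(guess, challenge), captured):
            return guess
    return None


# Constructed sample data: the real NPS with its self-signed cert, and an evil
# twin that copies the server name and is also self-signed.
NPS_CERT = ServerCert("nps.corp.example", "nps.corp.example", "1f3a5c7e9b2d4f60")
ROGUE_CERT = ServerCert("nps.corp.example", "nps.corp.example", "9e77a1c3e5b7d9f1")
PASSWORD = "Winter2012!"
CHALLENGE = bytes.fromhex("0123456789abcdef0123456789abcdef")
WORDLIST = ["Password1", "Summer2012!", "Winter2012!"]

WEAK_POLICY = SupplicantPolicy(validate_server_cert=False)
HARDENED_POLICY = SupplicantPolicy(
    validate_server_cert=True,
    trusted_fingerprints=frozenset({NPS_CERT.fingerprint}),
    expected_server_names=frozenset({"nps.corp.example"}),
)


def demo() -> dict:
    """Try both policies against the real NPS and the rogue, and record what leaks."""
    out = {}
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        to_real = peap_attempt(policy, NPS_CERT, PASSWORD, CHALLENGE)
        to_rogue = peap_attempt(policy, ROGUE_CERT, PASSWORD, CHALLENGE)
        out[name] = {
            "authenticates_to_nps": to_real is not None,
            "leaks_to_rogue": to_rogue is not None,
            "rogue_recovers": crack_offline(CHALLENGE, to_rogue, WORDLIST) if to_rogue else None,
        }
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Both policies authenticate to the real NPS, so the hardened one costs nothing in the normal case; only the weak one also releases the response to the rogue, where a dictionary guess recovers the password.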

Abhishek Abhishek
Cisco Employee

Hello,

As per your query, I can suggest the following solution.

Complete these steps in order to successfully implement this setup:

  • Configure the LDAP server.
  • Configure the WLC for the LDAP server.
  • Configure the WLAN for web authentication.

For more information refer to this link:

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a03e09.shtml

Hope this will help you.

Looking for an L2 authentication solution, Abhishek; thank you nonetheless.
