04-12-2013 02:29 PM - edited 07-03-2021 11:54 PM
After looking at a few problematic trends with 802.1x and the requisite evasive answers I must ask a very simple yet specific question:
Are we out of luck with Cisco's WLCs authenticating against Microsoft Active Directory via LDAP?
I am referring to the issue with clear text passwords being required by WLC's LDAP implementation which makes that LDAP useless against Microsoft Active Directory?
Thank you
~B
04-12-2013 02:36 PM
802.1x requires a radius server and also the radius has to join the domain. LDAP only supports clear text for EAP-TLS and EAP-FAST or PAP using WebAuth.
Sent from Cisco Technical Support iPhone App
04-12-2013 11:30 PM
With some EAP methods you don't need a clear-text password. With others, however, you do.
For example, you DON'T need a clear-text password for:
You need clear-text password for:
The LDAP backend database supports these Local EAP methods:
LEAP, EAP-FAST/MSCHAPv2, and PEAPv0/MSCHAPv2 are also supported, but only if the LDAP server is set up to return a clear-text password. For example, Microsoft Active Directory is not supported because it does not return a clear-text password. If the LDAP server cannot be configured to return a clear-text password, LEAP, EAP-FAST/MSCHAPv2, and PEAPv0/MSCHAPv2 are not supported.
Reference: http://tiny.cc/cougvw
So, you can for example use local EAP on the WLC with EAP-TLS or PEAP-GTC and you don't need the clear-text password. But if you want to use PEAP-MSCHAPv2 then that is not supported unless you get the LDAP DB to send a clear-text password.
HTH
Amjad
Rating useful replies is more useful than saying "Thank you"
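Added illustration (not from this thread or any Cisco code) of why the LDAP backend matters: with EAP-GTC or PAP the controller receives the password and can simply bind to the directory, whereas with MS-CHAPv2 it must recompute the client's challenge response itself and so needs the password back from LDAP, which Active Directory never returns. The directory, user, and the HMAC stand-in for the real MS-CHAPv2 response function are constructed simplifications.

```python
import hashlib
import hmac
import os


def _hash_pw(salt, password):
    # One-way storage hash for the toy directory (constructed, not AD's real format)
    return hashlib.sha256(salt + password.encode()).hexdigest()


class LdapBackend:
    """Toy LDAP directory. returns_cleartext=True models a server that can hand the
    WLC the user's clear-text password; AD cannot, it only verifies binds."""

    def __init__(self, users, returns_cleartext):
        self.entries = {}
        for user, pw in users.items():
            salt = os.urandom(8)
            # Keep a clear-text copy only if this server is able to return one
            self.entries[user] = (salt, _hash_pw(salt, pw), pw if returns_cleartext else None)

    def simple_bind(self, user, password):
        # LDAP simple bind: the directory checks the password itself
        entry = self.entries.get(user)
        if entry is None:
            return False
        salt, digest, _ = entry
        return hmac.compare_digest(digest, _hash_pw(salt, password))

    def fetch_cleartext_password(self, user):
        # Returns None for AD-like servers that never expose the password
        entry = self.entries.get(user)
        return entry[2] if entry else None


def auth_gtc(ldap, user, password):
    """EAP-GTC / PAP: the client sends the password, the WLC binds as that user."""
    return ldap.simple_bind(user, password)


def mschapv2_response(challenge, password):
    """Simplified stand-in for the MS-CHAPv2 response (the real one uses the NT hash
    and DES); the point is that computing it requires the password."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).hexdigest()


def auth_mschapv2(ldap, user, challenge, client_response):
    """PEAPv0 / EAP-FAST MS-CHAPv2: the WLC must recompute the expected response, so it
    needs the clear-text password from LDAP; with AD it gets nothing and must fail."""
    pw = ldap.fetch_cleartext_password(user)
    if pw is None:
        return False
    return hmac.compare_digest(mschapv2_response(challenge, pw), client_response)
```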
04-14-2013 09:03 AM
Thanks Amjad, very detailed reply. Appreciate the source link.
I was suspecting that the most desirable methods won't work with non-clear-text LDAP passwords. Sounds like what will work is a road of client certificate mess that I am sure is technically possible. All those 3 supported methods do require a client certificate:
So just in case I am not missing something; is there a workable L2 authentication method using Microsoft AD as the backend via LDAP where a simple username and password pops up at the client end; AND
Client being main stream range of possibilities such as iOS; Mac OS; Windows etc (no specialized NICs and drivers allowed in this solution).
04-14-2013 11:58 PM
With PEAPv1-GTC the client certificate is optional; not mandatory.
Look into this:
http://www.cisco.com/en/US/products/ps7034/products_configuration_example09186a0080734afc.shtml
HTH
Amjad
useful replies is more useful than saying "Thank you"
05-22-2013 03:05 PM
Not good; software required to make win7 work
https://supportforums.cisco.com/thread/2206685?referring_site=kapi
Back to searching for native support; no software; no certificates; no pre shared keys
05-22-2013 03:09 PM
so, why not promote a server to do NPS? you can use the IIS 6.0 toolkit and generate a self signed certificate for that server if you don't have PKI.
then you can use that to do PEAP against AD
HTH,
Steve
------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
05-22-2013 03:14 PM
Thanks Steve
Have you actually done that in the real atomic world? I mean done it without deploying PKI?
It's not the certificate generation, but it's that the NPS would not even pick a certificate unless the certificate scheme is modified so that this type of certificate becomes permissible, and that's what the deployment of PKI does, which is what I don't want to do -- deploy PKI, that is.
I do have NPS; that's the easy part. The certificate biz is the ugly part. And yes if this worked it will be the most ideal solution.
B
05-22-2013 03:17 PM
Yes, worked with a customer to get this running back during my TAC tenure. So long as the server has a cert saying it's authorized to authorize it'll work.
On the client you do need to go and uncheck the 'validate server certificate' box, and all is gravy.
HTH,
Steve
------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
05-28-2013 03:06 PM
Hello,
As per your query I can suggest the following solution:
Complete these steps in order to successfully implement this setup:
• Configure LDAP Server.
• Configure WLC for LDAP Server.
• Configure the WLAN for Web Authentication.
For more information refer to the link:
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a03e09.shtml
Hope this will help you.
05-28-2013 03:10 PM
Looking for L2 authentication solution Abhishek; thank you nonetheless.