How to tie into LDAP for webauth authentication

I currently have a customer that wants to authenticate his webauth page against his LDAP server.

Probably, the preference would be for him to utilize the internal webauth built into the WiSM.

In any case, since RADIUS/AAA seems to be Cisco's authentication method of choice, how can I get the WiSM to connect back to the customer's Novell system LDAP server for webauth authentication?

There has been some discussion internally here as to a couple of ideas:

1) Can the NDS LDAP server have some RADIUS support that might be turned on (if available)?

2) Possibly utilizing a product such as freeradius ( www.freeradius.org ) to provide a RADIUS front end to talk to the WiSM and then query the underlying NDS LDAP server in the background - in essence, provide AAA/RADIUS to NDS/LDAP translation.

The customer is a Novell shop and, therefore, is reluctant to bring up a Microsoft server to run IAS.

As a second part to the question, the customer is asking if there might be a way where the lobby ambassador function could facilitate transient guest access while also looking to the LDAP database for machines that are utilized by more regular guest users (i.e.: User-owned home laptops brought in, but granted only filtered internet access) but where the users type in their system LDAP password to get out. I really can't imagine how this could be accomplished, but I am trying my best to get this answered. Of course, an answer of "No you can't authenticate two ways simultaneously" (if true) is acceptable.

My thought as to how to solve the above dilemma is that there would be an LDAP entry for one user that transient guest users could utilize for temporary access. The password for this credential would be rotated periodically. Multiple simultaneous logins would be permitted against that GUEST user in the LDAP directory. Lobby Ambassador would not be utilized at all. All other "persistent" users would then be able to utilize their LDAP login to reach the Internet with their personal machines.

Of course, all of this is predicated on the assumption that there is some way to get the wireless controller (which appears to only be able to speak RADIUS to an AAA server) to talk to the NDS which may only speak LDAP (not sure if this is true or not).

Any suggestions as to how to solve this would be greatly appreciated.

Thanks,

- John


For what it's worth, after asking around at Cisco as well as our own internal resources there appear to be two choices:

1) Cisco recommends their ACS AAA server to sit between the wireless controller and the LDAP Server.

2) Alternatively, the freeradius product can talk to the Novell eDirectory (assuming that it is the correct revision of eDirectory - there are documents at freeradius.org which discuss this).

In terms of having multiple authentication methods against different backend credential repositories to get to the same destination (i.e.: Filtered Internet) but for the same WLAN/SSID/VLAN, it would appear that you can only choose one type of authentication for a particular WLAN - no big surprise there.

Therefore, to accommodate two different types of login credentials (lobby ambassador for guests and LDAP for staff members with personal equipment - with both users only able to access filtered internet, nothing else) it would appear that the best way to accomplish this might be to create two separate SSIDs: One for guests "GUEST" that uses WebAuth against users created by the lobby ambassador and a different SSID "STAFF" for trusted staff members with user accounts in LDAP who bring in their home computers and want to establish internet connectivity using their regular user names/passwords that could still use webauth, but authenticating against LDAP via ACS or freeradius.

In terms of the whole LDAP support in general, there are some considerations that must be made in terms of the choice of EAP used. Cisco has documents that show tables of the kinds of EAP that are most compatible with LDAP/NDS/etc.

Hopefully, this will be helpful to anyone else who might encounter this.

- John
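The "RADIUS front end in front of an LDAP directory" idea raised in the original question and confirmed in the answer above (FreeRADIUS or ACS sitting between the controller and eDirectory) boils down to one exchange: the controller sends a RADIUS Access-Request carrying the webauth username and an obfuscated User-Password, the front end recovers the password, performs an LDAP search-then-bind as that user, and answers with Access-Accept or Access-Reject carrying a valid Response Authenticator. The following is an added illustration written for this page, not code from the thread, Cisco, Novell or the FreeRADIUS project. It implements the RFC 2865 packet handling with the standard library and replaces the real directory with a constructed in-memory table (`FAKE_DIRECTORY`), a constructed shared secret, and stand-in `ldap_search_dn` / `ldap_simple_bind` functions where a deployment would use an LDAP client library.

```python
import hashlib
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18

# Constructed sample data: the secret shared by controller and RADIUS server, and an
# in-memory stand-in for the eDirectory tree (DN -> password). Not real credentials.
SHARED_SECRET = b"wism-to-radius-secret"
FAKE_DIRECTORY = {
    "cn=jdoe,ou=staff,o=example": "CorrectHorseBatteryStaple",
    "cn=guest,ou=guests,o=example": "rotated-weekly-passphrase",
}


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with an MD5 chain."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], _md5(secret, prev))
        out, prev = out + block, block
    return out


def decode_user_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_user_password: the front end needs cleartext to bind to LDAP."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        out, prev = out + _xor(block, _md5(secret, prev)), block
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(payload: bytes) -> dict:
    attrs, pos = {}, 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", payload[pos:pos + 2])
        if length < 2 or pos + length > len(payload):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = payload[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes, authenticator: bytes = b"") -> bytes:
    """What the controller (NAS) sends after the user submits the webauth form."""
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(USER_NAME, username.encode()) + _attr(
        USER_PASSWORD, encode_user_password(password.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def build_response(code: int, identifier: int, request_auth: bytes,
                   secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + _md5(header, request_auth, attrs, secret) + attrs


def ldap_search_dn(username: str):
    """Stand-in for an LDAP search (cn=<username>) under the base DN; returns the DN or None."""
    return next((dn for dn in FAKE_DIRECTORY if dn.split(",")[0] == f"cn={username}"), None)


def ldap_simple_bind(dn: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind. An empty password is refused explicitly because
    many directories treat it as an anonymous bind that 'succeeds' without proving identity."""
    return password != "" and FAKE_DIRECTORY.get(dn) == password


def radius_front_end(packet: bytes, secret: bytes) -> bytes:
    """The translation step: RADIUS Access-Request in, LDAP search + bind, RADIUS response out."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    username = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = decode_user_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    dn = ldap_search_dn(username)
    if dn and ldap_simple_bind(dn, password.decode(errors="replace")):
        return build_response(ACCESS_ACCEPT, identifier, request_auth, secret)
    return build_response(ACCESS_REJECT, identifier, request_auth, secret,
                          _attr(REPLY_MESSAGE, b"Login incorrect"))


def handle_login(username: str, password: str, secret: bytes = SHARED_SECRET) -> str:
    """Run one full exchange and report the verdict as the controller would see it."""
    request = radius_front_end_input = build_access_request(7, username, password, secret)
    response = radius_front_end(radius_front_end_input, secret)
    code = response[0]
    # The NAS recomputes the Response Authenticator before trusting the verdict.
    if build_response(code, 7, request[4:20], secret, response[20:]) != response:
        return "Invalid-Response-Authenticator"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}[code]


if __name__ == "__main__":
    print(handle_login("jdoe", "CorrectHorseBatteryStaple"), handle_login("jdoe", "nope"))
```

Two points carry over to a real deployment: the password arrives at the front end only obfuscated with the shared secret and MD5, so the controller-to-RADIUS hop should be on a protected management network, and the front end must speak to eDirectory over LDAPS or StartTLS since the bind sends the password in clear; and the explicit empty-password check mirrors the anonymous-bind caveat that FreeRADIUS documentation also warns about when binding as the user.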

rileymartin Sat, 02/23/2008 - 20:05

Hi,

It's been a while since your last post and I was wondering if the client ever went through with this or if you implemented a similar solution for eDirectory? I would like to implement an inexpensive solution such as an AP1220B or a AP1131 and have users gain access to the wireless network by authenticating against eDirectory. I was hoping you might have some good information on this. Thanks.

Riley
