I currently have a customer that wants to authenticate his webauth page against his LDAP server.
Probably, the preference would be for him to utilize the internal webauth built into the WiSM.
In any case, since RADIUS/AAA seems to be Cisco's authentication method of choice, how can I get the WiSM to connect back to the customer's Novell system LDAP server for webauth authentication?
There has been some discussion internally here as to a couple of ideas:
1) Can the NDS LDAP server have some RADIUS support that might be turned on (if available)?
2) Possibly utilizing a product such as freeradius (www.freeradius.org) to provide a RADIUS front end to talk to the WiSM and then query the underlying NDS LDAP server in the background - in essence, provide AAA/RADIUS to NDS/LDAP translation.
The customer is a Novell shop and, therefore, is reluctant to bring up a Microsoft server to run IAS.
As a second part to the question, the customer is asking if there might be a way where the lobby ambassador function could facilitate transient guest access while also looking to the LDAP database for machines that are utilized by more regular guest users (i.e., user-owned home laptops brought in, but granted only filtered internet access) but where the users type in their system LDAP password to get out. I really can't imagine how this could be accomplished, but I am trying my best to get this answered. Of course, an answer of "No, you can't authenticate two ways simultaneously" (if true) is acceptable.
My thought as to how to solve the above dilemma is that there would be an LDAP entry for one user that transient guest users could utilize for temporary access. The password for this credential would be rotated periodically. Multiple simultaneous logins would be permitted against that GUEST user in the LDAP directory. Lobby Ambassador would not be utilized at all. All other "persistent" users would then be able to utilize their LDAP login to reach the Internet with their personal machines.
Of course, all of this is predicated on the assumption that there is some way to get the wireless controller (which appears to only be able to speak RADIUS to an AAA server) to talk to the NDS which may only speak LDAP (not sure if this is true or not).
Any suggestions as to how to solve this would be greatly appreciated.
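As an added example (not part of the original post, and not Cisco or Novell documentation), this is roughly what option 2 looks like as FreeRADIUS 3.x configuration: the WiSM registered as a RADIUS client, the ldap module pointed at the eDirectory server, and the module wired into the authorize/authenticate flow so the user's password is verified by an LDAP bind. Hostnames, DNs, secrets and the group DN are constructed placeholders; it assumes the controller sends web-auth credentials as PAP (an LDAP bind needs the cleartext password, so CHAP will not work) and that eDirectory users are named by cn and list groups in groupMembership, which should be checked against the customer's schema.

```conf
# --- clients.conf: the WiSM is the RADIUS client (NAS) ---
client wism {
    ipaddr   = 192.0.2.10                 # constructed: controller management address
    secret   = CHANGE-ME-SHARED-SECRET    # placeholder; must match the WLC RADIUS server entry
    nas_type = other
}

# --- mods-available/ldap (enable it via mods-enabled/ldap) ---
ldap {
    server   = 'ldaps://nds.example.net'          # constructed; TLS, because the bind carries the password
    identity = 'cn=radiusproxy,ou=svc,o=example'  # constructed: read-only service account for searches
    password = 'CHANGE-ME-BIND-PASSWORD'          # placeholder
    base_dn  = 'o=example'
    user {
        base_dn = "${..base_dn}"
        # eDirectory users are normally named by cn, not uid
        filter  = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    group {
        base_dn              = "${..base_dn}"
        filter               = '(objectClass=groupOfNames)'
        membership_attribute = 'groupMembership'   # eDirectory's user-side group list
    }
}

# --- sites-available/default: wire the module into the request flow ---
authorize {
    ldap
    # user not in the directory: fail early instead of falling through
    if (notfound) {
        reject
    }
    # only members of the wireless group may get onto the WLAN at all
    if (!(LDAP-Group == "cn=wireless-users,ou=groups,o=example")) {
        reject
    }
    # the WLC sent a PAP password: check it by binding to eDirectory as the user
    if ((ok || updated) && User-Password) {
        update control {
            Auth-Type := ldap
        }
    }
}

authenticate {
    Auth-Type ldap {
        ldap
    }
}
```

Running `radiusd -X` and pointing `radtest` at the server with a directory user's credentials shows the LDAP search, the group check and the bind result in the debug output before the WiSM is involved.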