PEAP authentication to LDAP

Unanswered Question
Aug 11th, 2008


I have a working WLAN solution that uses PEAP (1252 AP's, WCS, 4400 controllers etc.). At the moment we authenticate against Active Directory via a Cisco ACS appliance (v4.1) - this works fine.

We are trying to also get authentication working to our LDAP Server - however, ACS keeps reporting "Authentication type not supported by external DB". It also doesn't seem to even try to contact the LDAP server looking at our LAN sniffer logs.

Any ideas? Thanks, Tim.

m.glosson Thu, 08/14/2008 - 09:16

You can't authenticate PEAP against LDAP (at least a non-Active Directory LDAP; I've never tried pointing to an Active Directory LDAP). PEAP is a Microsoft-funded "standard". If you still want to use EAP but don't want to deal with client certs (as in EAP-TLS), you can do EAP-GTC or EAP-FAST. The problem for lots of people with that is that Windows XP and Vista do not support it natively via ZeroConfig. You have to use a client such as Intel ProSet, Juniper Odyssey, or Cisco Secure Services Client.

See for more info about EAP.

daniel.keith Wed, 01/28/2009 - 06:07

I am using Novell LDAP with EAP-GTC and I believe that error message is due to certificates not being installed on the Novell side and on the Cisco ACS. I also seem to remember the ACS needing an admin account on the LDAP database to access it fully, unless you use specialized groups which you can map. There was also a cert.db7 file that you have to extract and add to the Cisco ACS as well.

Stephen Rodriguez Wed, 01/28/2009 - 07:10

If you are trying to make an LDAP call to the Microsoft AD, it won't work. The WLC only supports unencrypted LDAP calls, and AD only supports an encrypted call. In other words, the WLC can only do clear text passwords, and AD will not send them as clear text.



srosenthal Fri, 02/20/2009 - 12:40

I am setting up a WLAN using WLAN 4404, ACS and 1130 AP's. My customer is using a Novell network.

I was going to setup the ACS and client to do PEAP and have the ACS authenticate via LDAP to the Novell server.

This will work won't it? The customer does have a cert from Verisign that I will install on the ACS.


Stephen Rodriguez Fri, 02/20/2009 - 12:42

that should work.

although why you would buy a certificate to do PEAP, instead of using your own CA, or have the ACS generate its own PEAP certificate...

srosenthal Fri, 02/20/2009 - 12:45

Thank you for the quick answer.

The customer already has several Verisign certs for their servers so I was just going to install one on the ACS also.

I tried in the lab to have the ACS server self-generate a cert and then connect via the wireless. I added a user account on the ACS. I can fully connect if I tell the laptop to not validate the server.

Am I missing something? I thought I had to leave the box checked to validate the server.


Stephen Rodriguez Fri, 02/20/2009 - 12:46

Nope, PEAP does not require the client to validate the server-side certificate. Only TLS requires mutual certificate validation.

