08-11-2008 05:13 AM - edited 07-03-2021 04:18 PM
Hi,
I have a working WLAN solution that uses PEAP (1252 AP's, WCS, 4400 controllers etc.). At the moment we authenticate against Active Directory via a Cisco ACS appliance (v4.1) - this works fine.
We are trying to also get authentication working to our LDAP Server - however, ACS keeps reporting "Authentication type not supported by external DB". It also doesn't seem to even try to contact the LDAP server looking at our LAN sniffer logs.
Any ideas ? Thanks, Tim.
08-14-2008 09:16 AM
You can't authenticate PEAP against LDAP (at least a non-Active Directory LDAP; I've never tried pointing to an Active Directory LDAP). PEAP is a Microsoft-funded "standard". If you still want to use EAP but don't want to deal with client certs (as in EAP-TLS), you can do EAP-GTC or EAP-FAST. The problem for lots of people with that is that Windows XP and Vista do not support it natively via ZeroConfig. You have to use a client such as Intel ProSet, Juniper Odyssey, or Cisco Secure Services Client.
See http://en.wikipedia.org/wiki/EAP-TLS#PEAPv1.2FEAP-GTC for more info about EAP.
01-28-2009 06:07 AM
I am using Novell LDAP with EAP-GTC and I believe that error message is due to certificates not being installed on the Novell side and on the Cisco ACS. I also seem to remember the ACS needing an admin account on the LDAP database to access it fully, unless you use specialized groups which you can map. There was also a cert.db7 file that you have to extract and add to the Cisco ACS as well.
01-28-2009 07:10 AM
If you are trying to make an LDAP call to the Microsoft AD, it won't work. The WLC only supports unencrypted LDAP calls, and AD only supports an encrypted call. In other words, the WLC can only do clear text passwords, and AD will not send them as clear text.
HTH,
Steve
02-20-2009 12:40 PM
I am setting up a WLAN using WLAN 4404, ACS and 1130 AP's. My customer is using a Novell network.
I was going to setup the ACS and client to do PEAP and have the ACS authenticate via LDAP to the Novell server.
This will work won't it? The customer does have a cert from Verisign that I will install on the ACS.
Seth
02-20-2009 12:42 PM
that should work.
Although why you would buy a certificate to do PEAP, instead of using your own CA, or having the ACS generate its own PEAP certificate.....
02-20-2009 12:45 PM
Thank you for the quick answer.
The customer already has several Verisign certs for their servers so I was just going to install one on the ACS also.
I tried in the lab to have the ACS server self-generate a cert and then connect via the wireless. I added a user account on the ACS. I can fully connect if I tell the laptop to not validate the server.
Am I missing something? I thought I had to leave the box checked to validate the server.
Seth
02-20-2009 12:46 PM
Nope, PEAP does not require the client to validate the server side certificate. Only TLS requires mutual certificate validation.
03-06-2009 01:37 PM
PEAP with ACS-LDAP is supported with PEAP (EAP-GTC) and not with PEAP (EAP-MSCHAPv2).
Change your PEAP type from PEAP-MSCHAPv2 to PEAP-EAP-GTC.
Table 1-3 EAP Authentication Protocol and User Database Compatibility
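Why the inner method matters: EAP-MSCHAPv2 never sends the password to the server, it sends a response computed from the NT hash, so the user database must be able to verify that response itself (which AD can do through the ACS agent). A generic LDAP directory can only answer "does this password bind?", which is exactly what EAP-GTC delivers inside the TLS tunnel. The script below is an added model of that difference, written for this thread, not ACS code; the directory contents, the store classes and the use of SHA-256 in place of MD4/NT hash are all constructed simplifications.

```python
"""Model: which external user store can verify which PEAP inner method.
Added illustration for this thread, not Cisco ACS code."""
import hashlib
import hmac

# Constructed sample directory: username -> cleartext password.
DIRECTORY = {"tim": "Wlan-Demo-2008"}

def nt_hash(password: str) -> bytes:
    # The real NT hash is MD4 over UTF-16LE; SHA-256 stands in so this runs
    # where OpenSSL ships without MD4. The property that matters is unchanged:
    # whoever verifies an MS-CHAPv2 response needs this hash (or the password).
    return hashlib.sha256(password.encode("utf-16-le")).digest()

class LdapBindStore:
    """Generic LDAP (e.g. Novell eDirectory): only a simple bind is possible."""
    can_verify_mschapv2 = False

    def __init__(self):
        self.contacts = 0  # counts requests sent to the directory

    def bind(self, user: str, password: str) -> bool:
        self.contacts += 1
        stored = DIRECTORY.get(user, "").encode()
        return hmac.compare_digest(stored, password.encode())

class ActiveDirectoryStore(LdapBindStore):
    """AD reached via the ACS Windows agent: can check MS-CHAPv2 itself."""
    can_verify_mschapv2 = True

    def get_nt_hash(self, user: str):
        self.contacts += 1
        return nt_hash(DIRECTORY[user]) if user in DIRECTORY else None

def mschapv2_response(challenge: bytes, password: str) -> bytes:
    # Client side: proves knowledge of the NT hash; the password itself never
    # leaves the supplicant, so a bind-only store cannot check this value.
    return hmac.new(nt_hash(password), challenge, hashlib.sha256).digest()

def authenticate(inner_method: str, store: LdapBindStore, user: str,
                 challenge: bytes = b"", proof=None) -> str:
    """Return what the RADIUS server would decide for one inner-method exchange."""
    if inner_method == "EAP-GTC":
        # GTC carries the cleartext credential inside the TLS tunnel, so the
        # server simply binds with it: any LDAP directory can do this.
        return "ACCEPT" if store.bind(user, proof) else "REJECT"
    if inner_method == "EAP-MSCHAPv2":
        if not store.can_verify_mschapv2:
            # Rejected before any directory traffic, which matches seeing no
            # LDAP packets on the wire while ACS logs the error below.
            return "Authentication type not supported by external DB"
        expected_key = store.get_nt_hash(user)
        if expected_key is None:
            return "REJECT"
        expected = hmac.new(expected_key, challenge, hashlib.sha256).digest()
        return "ACCEPT" if hmac.compare_digest(expected, proof) else "REJECT"
    return "Unknown inner method"

if __name__ == "__main__":
    ch = b"\x01" * 16  # constructed server challenge
    print(authenticate("EAP-GTC", LdapBindStore(), "tim", proof="Wlan-Demo-2008"))
    print(authenticate("EAP-MSCHAPv2", LdapBindStore(), "tim", ch,
                       mschapv2_response(ch, "Wlan-Demo-2008")))
    print(authenticate("EAP-MSCHAPv2", ActiveDirectoryStore(), "tim", ch,
                       mschapv2_response(ch, "Wlan-Demo-2008")))
```

The trade-off the thread is circling: GTC works against any directory precisely because the credential is sent in the clear inside the tunnel, so server certificate validation on the client (the box Seth asked about) is what keeps that credential from being handed to a rogue AP.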
03-08-2009 04:42 PM
Doesn't EAP-GTC require some sort of generic token card?
Seth