PEAP authentication to LDAP

tjenkin2 · ‎08-11-2008

Hi,

I have a working WLAN solution that uses PEAP (1252 AP's, WCS, 4400 controllers etc.). At the moment we authenticate against Active Directory via a Cisco ACS appliance (v4.1) - this works fine.

We are trying to also get authentication working to our LDAP Server - however, ACS keeps reporting "Authentication type not supported by external DB". It also doesn't seem to even try to contact the LDAP server looking at our LAN sniffer logs.

Any ideas ? Thanks, Tim.

m.glosson · ‎08-14-2008

You can't authenticate PEAP against LDAP (at least a non-Active Directory LDAP; I've never tried pointing to an Active Directory LDAP). PEAP is a Microsoft-funded "standard". If you still want to use EAP but don't want to deal with client certs (as in EAP-TLS), you can do EAP-GTC or EAP-FAST. The problem for lots of people with that is that Windows XP and Vista do not support it natively via ZeroConfig. You have to use a client such as Intel ProSet, Juniper Oddysey, or Cisco Secure Services Client.

See http://en.wikipedia.org/wiki/EAP-TLS#PEAPv1.2FEAP-GTC for more info about EAP.

daniel.keith · ‎01-28-2009

I am using Novell LDAP with EAP-GTC and I believe that error message is due to certificates not being installed on the Novell side and on the Cisco ACS. I also seem to remember the ACS needing an admin account on the LDAP database to access it fully, unless you use specialized groups which you can map. There was also a cert.db7 file that you have to extract and add to the Cisco ACS as well.

Stephen Rodriguez · ‎01-28-2009

If you are trying to make an LDAP call to the Microsoft AD, it won't work. The WLC only supports unencrypted LDAP calls, and AD only supports an ecrypted call. in other words, the WLC only can do clear text passwords, and AD will not send them as clear text.

HTH,

Steve

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

srosenthal · ‎02-20-2009

I am setting up a WLAN using WLAN 4404, ACS and 1130 AP's. My customer is using a Novell network.

I was going to setup the ACS and client to do PEAP and have the ACS authenticate via LDAP to the Novell server.

This will work won't it? The customer does have a cert from Verisign that I will install on the ACS.

Seth

Stephen Rodriguez · ‎02-20-2009

that should work.

although why you would buy a certificate to do PEAP, instead of using your own CA, or have the ACS generate it's own PEAP ceritificate.....

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

srosenthal · ‎02-20-2009

Thank you for the quick answer.

The customer already has several Verisign certs for their servers so I was just going to install one on the ACS also.

I tried in the lab to have the ACS server self generate a cert and then connect via the wireless. I added a user account on the ACS. I can fully connect it I tell the laptop to not validate the server.

I am missing something? I thought I had to leave the box checked to validate the server.

Seth

Stephen Rodriguez · ‎02-20-2009

nope, PEAP does not require the client to validate the server side certificate. Only TLS requires mutual certificate validations.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

aneelaka · ‎03-06-2009

PEAP with ACS-LDAP is supported with PEAP (EAP-GTC) and not with PEAP (EAP-MSCHAPV2)

Change you peap type from PEAP-mschapV2 to PEAP -EAP-GTC

Table 1-3 EAP Authentication Protocol and User Database Compatibility

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/o.html

srosenthal · ‎03-08-2009

Doen't EAP-GTC require some sort of generic token card?

Seth