Authenticating Users via LDAP (Active Directory)

Jan 7th, 2009

I am attempting to secure our 'enterprise' WLAN with EAP security and would like it to check users' credentials via LDAP against our Active Directory database.

If using LDAP to authenticate, is there any reason to have a RADIUS server at all? If so, please elaborate.

Thanks for your guidance,


amritpatek Sun, 01/18/2009 - 19:24

If any RADIUS servers are configured on the controller, the controller tries to authenticate the wireless clients using the RADIUS servers first. Local EAP is attempted only if no RADIUS servers are found, either because the RADIUS servers timed out or no RADIUS servers were configured. If four RADIUS servers are configured, the controller attempts to authenticate the client with the first RADIUS server, then the second RADIUS server, and then local EAP. If the client attempts to then reauthenticate manually, the controller tries the third RADIUS server, then the fourth RADIUS server, and then local EAP.

For further assistance, the following URL may help you

Lucas Phelps Mon, 02/02/2009 - 07:00

I guess I'm still left wondering whether I can just go into the LDAP configuration on the WLC and type the server info of my Active Directory server or whether I am required to have a RADIUS server.

RADIUS is an older, less secure method, and I'd rather have secure authentication directly to our LDAP AD server.

r.roudi Mon, 02/02/2009 - 21:59

Yes, you can use LDAP with no RADIUS. However, you should be aware of restrictions when using LDAP backend database authentication against LDAP. For instance, you will have to reconfigure your AD to return clear-text password.

Lucas Phelps Tue, 02/03/2009 - 06:39

But even with a RADIUS server, doesn't the password have to be clear-text?

I'm trying to figure out what the benefit is of having the required RADIUS server if I can hook the WLC directly up to LDAP on our Domain controllers.

aneelaka Fri, 03/06/2009 - 14:31

You need a RADIUS server, because you are looking for protocol support such as PEAP, LEAP, EAP-TLS.

venom43212 Tue, 03/10/2009 - 08:43

Enable IAS (Microsoft's RADIUS) on one of your Windows servers and set it to authenticate against AD.

Robert.N.Barrett_2 Thu, 04/02/2009 - 13:30

RADIUS communications are hashed with the Shared Secret, which is a poor excuse for encryption, but it keeps user credentials from rolling around in clear text format. Seems like you ought to be able to use IPSec to tighten up the comm between the controller and the RADIUS box.

