Authenticating Users via LDAP (Active Directory)

Lucas Phelps
Level 5

I am attempting to secure our 'enterprise' WLAN with EAP security and would like it to check user's credentials via LDAP against our Active Directory database.

If using LDAP to authenticate, is there any reason to have a RADIUS server at all? If so, please elaborate.

Thanks for your guidance,

Lucas

7 Replies

amritpatek
Level 6

If any RADIUS servers are configured on the controller, the controller tries to authenticate the wireless clients using the RADIUS servers first. Local EAP is attempted only if no RADIUS servers are found, either because the RADIUS servers timed out or no RADIUS servers were configured. If four RADIUS servers are configured, the controller attempts to authenticate the client with the first RADIUS server, then the second RADIUS server, and then local EAP. If the client attempts to then reauthenticate manually, the controller tries the third RADIUS server, then the fourth RADIUS server, and then local EAP.

For further assistance, the following URL may help you:

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml

I guess I'm still left wondering whether I can just go into the LDAP configuration on the WLC and type the server info of my Active Directory server or whether I am required to have a RADIUS server.

RADIUS is an older, less secure method, and I'd rather have secure authentication directly to our LDAP AD server.

Yes, you can use LDAP with no RADIUS. However, you should be aware of the restrictions when using an LDAP backend database for authentication. For instance, you will have to reconfigure your AD to return clear-text passwords.

But even with a RADIUS server, doesn't the password have to be clear-text?

I'm trying to figure out what the benefit is of having the required RADIUS server if I can hook the WLC directly up to LDAP on our Domain controllers.

You need a RADIUS server, because you are looking for protocol support such as PEAP, LEAP, and EAP-TLS.

Enable IAS (Microsoft's RADIUS) on one of your Windows servers and set it to authenticate against AD.

RADIUS communications are hashed with the Shared Secret, which is a poor excuse for encryption, but it keeps user credentials from rolling around in clear text format. Seems like you ought to be able to use IPSec to tighten up the comm between the controller and the RADIUS box.
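The "hashed with the Shared Secret" remark above refers to the User-Password hiding scheme of RFC 2865 section 5.2. The following is an added example, not code from the thread or from Cisco; it implements that scheme with constructed sample values to show why it is reversible for anyone holding the shared secret and a captured packet, which is exactly the gap an IPsec tunnel between controller and RADIUS server closes.

```python
import hashlib


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Obfuscate a User-Password value as RFC 2865 section 5.2 specifies.

    The password is NUL-padded to a multiple of 16 bytes; each block is XORed
    with MD5(secret + previous ciphertext block), where the "previous block"
    for the first block is the 16-byte Request Authenticator. This is not
    encryption in the modern sense: MD5 of the secret is a keystream, and the
    Request Authenticator travels in the clear in the same packet.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = _xor(padded[i:i + 16], keystream)
        out += block
        prev = block  # chaining: next keystream depends on this ciphertext block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Invert hide_password. The RADIUS server does this legitimately; so can
    anyone who learns the shared secret and observes the Access-Request.
    Trailing NULs are stripped, which the RFC accepts as a known ambiguity."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return bytes(out).rstrip(b"\x00")


if __name__ == "__main__":
    # Constructed sample values; a real controller would use a random authenticator.
    secret, auth = b"constructed-shared-secret", bytes(range(16))
    hidden = hide_password(b"S3cret!pass", secret, auth)
    print(hidden.hex(), reveal_password(hidden, secret, auth))
```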
