WLC/LDAP/WPA authentication solution

Unanswered Question
Sep 10th, 2009

Hi Experts,

I have a Cisco WLC 4404 with 100 LWAP access points. Currently I am using shared WEP authentication. I would like to migrate it to WPA. I want the clients to be authenticated using an individual username / password to get into the network. I am using LDAP as the username / password repository. I also have a Cisco ACS (AAA) server that is currently unused.

I think it can be achieved using

1. Web authentication configured in the WLC itself. But I do not want this, as the WLC may be loaded unnecessarily. Is this correct?

2. Another option I read about is 802.1x authentication with WPA. Since I am integrating with LDAP, I also learned that only EAP-FAST can be used.

The question is whether Windows XP supports an EAP-FAST client by default (I didn't see the option in Win XP). Or should I otherwise load a third-party client on all the client laptops? Is the Cisco Aironet client free to download and use?

Kindly help me.

THANKS IN ADVANCE

sairam

orochi_yagami Tue, 09/15/2009 - 03:00

Hi,

I'm assuming your user accounts are from the Windows NT domain / Active Directory, so Windows PEAP will be your choice as well. By using Windows PEAP, you don't need to install a 3rd-party wireless supplicant on the user machine. You can refer to the link below:

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml

Basically it shows you the setup and requirements.

regards

snarayanaraju Wed, 09/16/2009 - 22:07

Hi Orochi,

Thanks for sharing your ideas. I am using LDAP and not using WINDOWS AD.

I believe PEAP will not support LDAP. Also, I cannot use a digital certificate and want the user to enter a username / password.

Does a supplicant have to be installed on all the clients?

sairam

Vinay Saini Sat, 09/19/2009 - 22:40

The best option to use here is Cisco ACS.

You can have accounting also, in addition to 802.1x auth. You can also use different types of auth mechanism and enable multiple, so the client can use whatever it supports (PEAP, LEAP, FAST, etc.).

JASON BOYERS Mon, 09/21/2009 - 20:02

Let me list your requirements, to better define them:

1) Clients must log in (each time?) with their username and password

2) You don't have, and don't want to implement, a certificate server

3) You are using a non-Windows AD LDAP directory for user authentication

4) You have a Cisco ACS (version ?) that you can use for RADIUS, to interact between the client and the LDAP server

5) You want to avoid web authentication if you can, because of concerns about overloading the WLC.

One thing - what is your supplicant? Are these standard Windows XP, SP2 machines? Also, what are your encryption requirements? Web authentication provides no encryption for the data after authentication.

And, without a certificate on at least the ACS server (plus appropriate Certificate Authority server), you're out of luck for EAP.

EAP-FAST generally requires a certificate on the server side (if you want it to be at least somewhat secure). And it requires a Cisco supplicant, such as the Aironet Desktop Utility with the Cisco CB21AG PCMCIA card (or it can potentially use the EAPHost supplicant in Windows Vista).

If you don't need encryption, go with web authentication. The WLC should not have a problem handling the requests (how many simultaneous logins are you looking at?). If you do need encryption, you are going to need some additional components, whether supplicants or a certificate server.
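The design that Vinay and Jason converge on (WPA2 with 802.1X on the WLC, EAP proxied over RADIUS to the ACS, and the ACS doing the LDAP lookup) can be expressed as a short WLC CLI sequence. The block below is an added example and is not configuration posted in this thread; it assumes WLAN ID 1, an SSID named Corp-WPA2, the ACS at the documentation address 192.0.2.10, and a placeholder shared secret. The commands are written from memory of the 4400-series WLC CLI, so check each one against the command reference for your software release before pasting.

```cisco
! Added example, not from the thread. Assumptions: WLAN ID 1, SSID "Corp-WPA2",
! ACS (RADIUS) at 192.0.2.10, <RADIUS-SHARED-SECRET> is a placeholder.
! Verify syntax against the WLC command reference for your release.

! 1) Register the ACS as the RADIUS authentication and accounting server
config radius auth add 1 192.0.2.10 1812 ascii <RADIUS-SHARED-SECRET>
config radius acct add 1 192.0.2.10 1813 ascii <RADIUS-SHARED-SECRET>

! 2) Create the WLAN and move it off static WEP onto WPA2/AES with 802.1X key management
config wlan create 1 Corp-WPA2 Corp-WPA2
config wlan security static-wep-key disable 1
config wlan security wpa enable 1
config wlan security wpa wpa1 disable 1
config wlan security wpa wpa2 enable 1
config wlan security wpa wpa2 ciphers aes enable 1
config wlan security wpa akm 802.1x enable 1

! 3) Bind the WLAN to RADIUS server index 1, so EAP traffic is relayed to the ACS
!    (the WLC itself never talks to LDAP in this design; the ACS binds to LDAP)
config wlan radius_server auth add 1 1
config wlan radius_server acct add 1 1

! 4) Enable the WLAN and confirm the result
config wlan enable 1
show wlan 1
show radius summary
```

Two points worth checking on the ACS side once this is in place. First, an inner method that works against a generic LDAP directory: PEAP with MSCHAPv2 needs the NT password hash, which a plain LDAP bind cannot supply, so with non-AD LDAP the inner method is normally EAP-GTC (inside PEAP or EAP-FAST), which is why the original poster was told only EAP-FAST would work. Second, the server certificate Jason mentions: the clients should be configured to validate the ACS certificate and its issuing CA, since without that check the TLS tunnel protecting the password can be presented by any radio that advertises the same SSID.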
