Cisco Support Community

802.1x/LEAP authentication against RADIUS+LDAP

Hi,

To secure access via WLAN infra, LEAP is another option that can be used together with 802.1x.

Can LEAP be used with RADIUS (Cisco Access Registrar@CAR), where RADIUS, in turn, will forward AAA requests to another external server via LDAP? I've come across info saying that LEAP cannot work with "LDAP/NDS Backend DB Support".

Can anybody verify this?

Thank you.

AK

6 REPLIES
Silver

Re: 802.1x/LEAP authentication against RADIUS+LDAP

For LEAP to work with an external database the database needs to support MS-CHAP. This is the reason it does not work with NDS or LDAP. The following table shows the databases supported by LEAP.

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt30/user/o.htm#551

Re: 802.1x/LEAP authentication against RADIUS+LDAP

Of course this is true only for Cisco ACS; there are other RADIUS products on the market (Steel-Belted by Funk for one) that claim the ability to do authentication, including LEAP, off an LDAP database. I know there are some limitations to that also, esp. if you want to do it against Active Directory, which isn't true LDAP...

Community Member

Re: 802.1x/LEAP authentication against RADIUS+LDAP

Yes, LEAP can be used in conjunction with Cisco CNS Access Registrar and a back-end LDAP directory.

Note that the user passwords must be stored in cleartext format in the directory.

Community Member

Re: 802.1x/LEAP authentication against RADIUS+LDAP

A question related to this topic: Do you know if I can use ISA service (RADIUS) from a Windows 2000 server in order to use RADIUS authentication with an AP 1200? Is this possible, or only with Cisco Secure ACS?

Thanks.

Community Member

Re: 802.1x/LEAP authentication against RADIUS+LDAP

Can you give me a link on how to do this? Also, can this be done using ACS instead of Registrar?

Community Member

Re: 802.1x/LEAP authentication against RADIUS+LDAP

In AR 3.0, you create an eap-leap 'service':

    cd /radius/services/
    add leapservice
    cd leapservice
    set type eap-leap
    set user-service local-users

In this example 'local-users' is an AR internal userlist service, but it could equally be an LDAP or Oracle database one. The passwords in these external stores must be available to AR in cleartext.

AFAIK, ACS does not support LEAP with an LDAP directory.
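
Added example (not part of any reply in this thread): a Python sketch of why a challenge-response method such as LEAP needs the password available in cleartext at the RADIUS server, while a salted LDAP hash only supports checks where the password itself is presented. HMAC-SHA256 stands in for the real MS-CHAP computation, and all function names and the sample password are constructed for illustration.

```python
import base64, hashlib, hmac, os

def ssha(password: str, salt: bytes) -> str:
    """LDAP-style {SSHA} userPassword value: base64(SHA1(pw + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_presented_password(stored: str, presented: str) -> bool:
    """PAP or LDAP-bind style check: the password itself reaches the server."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[6:])
        digest, salt = raw[:20], raw[20:]
        candidate = hashlib.sha1(presented.encode() + salt).digest()
        return hmac.compare_digest(candidate, digest)
    return hmac.compare_digest(stored.encode(), presented.encode())

def response_for(password: str, challenge: bytes) -> bytes:
    """Stand-in for the MS-CHAP response (assumption: HMAC-SHA256, not DES/MD4).
    Like the real scheme, the key is an unsalted digest of the password."""
    key = hashlib.sha256(password.encode()).digest()
    return hmac.new(key, challenge, hashlib.sha256).digest()

def check_challenge_response(stored: str, challenge: bytes, response: bytes):
    """True/False when the server can recompute the response, None when the
    stored form (a '{SCHEME}' hash) gives it nothing to compute with."""
    if stored.startswith("{"):
        return None  # salted one-way hash: the response key cannot be derived
    return hmac.compare_digest(response_for(stored, challenge), response)

def demo() -> dict:
    password = "Constructed-Passw0rd"           # constructed sample value
    cleartext_entry = password                  # directory stores cleartext
    hashed_entry = ssha(password, os.urandom(8))  # directory stores {SSHA}
    challenge = os.urandom(8)                   # server-issued challenge
    client_response = response_for(password, challenge)
    return {
        "bind_hashed": check_presented_password(hashed_entry, password),
        "leap_cleartext": check_challenge_response(
            cleartext_entry, challenge, client_response),
        "leap_hashed": check_challenge_response(
            hashed_entry, challenge, client_response),
    }

if __name__ == "__main__":
    print(demo())
```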
