Cisco Support Community

New Member

WLC/LDAP/WPA authentication solution

Hi Experts,

I have a Cisco WLC 4404 with 100 LWAP access points. Currently I am using shared WEP authentication. I would like to migrate it to WPA. I want the clients to be authenticated using an individual username / password to get into the network. I am using LDAP as the username / password repository. I also have a Cisco ACS (AAA) server that is currently unused.

I think it can be achieved using

1. Web authentication configured in the WLC itself. But I do not want this, as the WLC may be loaded unnecessarily. Is this correct?

2. Another option I read is 802.1x authentication with WPA. Since I am integrating with LDAP, I also learned that only EAP-FAST can be used.

The question is whether Windows XP supports an EAP-FAST client by default (I didn't find the option in Win XP), or otherwise whether I should load a third-party client on all the client laptops. Is the Cisco Aironet client free to download and use?

Kindly help me



New Member

Re: WLC/LDAP/WPA authentication solution


I'm assuming your user accounts are from the Windows NT domain/Active Directory, so Windows PEAP will be your choice as well. By using Windows PEAP, you don't need to install a 3rd-party wireless supplicant on user machines. You can refer to the link below:

Basically it shows you the setup and requirements.


New Member

Re: WLC/LDAP/WPA authentication solution

Hi Orochi,

Thanks for sharing your ideas. I am using LDAP and not using WINDOWS AD.

I believe PEAP will not support LDAP. Also, I cannot use a digital certificate and want the user to enter a username / password.

Does a supplicant have to be installed on all the clients?


Cisco Employee

Re: WLC/LDAP/WPA authentication solution

The best option to use here is Cisco ACS.

You can also have accounting in addition to 802.1x auth. You can also use different types of auth mechanisms and enable multiple ones, so the client can use whatever it supports (PEAP, LEAP, FAST, etc.).

Cisco Employee

Re: WLC/LDAP/WPA authentication solution

New Member

Re: WLC/LDAP/WPA authentication solution

Let me list your requirements, to better define them:

1) Clients must log in (each time?) with their username and password

2) You don't have, and don't want to implement, a certificate server

3) You are using a non-Windows AD LDAP directory for user authentication

4) You have a Cisco ACS (version ?) that you can use for RADIUS, to interact between the client and the LDAP server

5) You want to avoid web authentication if you can, because of concerns about overloading the WLC.

One thing - what is your supplicant? Are these standard Windows XP SP2 machines? Also, what are your encryption requirements? Web authentication provides no encryption for the data after authentication.

And, without a certificate on at least the ACS server (plus appropriate Certificate Authority server), you're out of luck for EAP.

EAP-FAST generally requires a certificate on the server side (if you want it to be at least somewhat secure). And, it requires a Cisco supplicant, such as the Aironet Desktop Utility with the Cisco CB21AG PCMCIA card (or can potentially use the EAPHost supplicant in Windows Vista.)

If you don't need encryption, go with web authentication. The WLC should not have a problem handling the requests (how many simultaneous logins are you looking at?). If you do need encryption, you are going to need some additional components, whether supplicants or a certificate server.