New Member

EAP-FAST with LDAP

Hi again folks,

I have yet another hurdle to overcome using the 5508 controller. I had it set up using WPA2+PSK for L2 and Web Authentication with RADIUS for L3, but my organization doesn't want to use a PSK. Instead they've asked me to configure the WLAN using WPA2 with 802.1X.

We're not permitted to run a local CA so I was asked to configure using EAP-FAST and have that do an external LDAP lookup.

I worked on this all day today and the WiFi client continually replies that it cannot find a certificate to authenticate. I configured the EAP profile to use LEAP and EAP-FAST and left the defaults for the rest of the parameters. In the EAP-FAST Method Parameters I put in a server key and left anonymous provisioning (though I wasn't exactly sure if I needed it enabled or not). Still can't get it to associate with an AP.

I was hoping you folks would help me troubleshoot this issue. I've tried many different configurations but haven't resolved it.


Re: EAP-FAST with LDAP

Can you post a screenshot of your Local EAP-FAST config?

Sent from Cisco Technical Support iPad App

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered
Hall of Fame Super Silver

Re: EAP-FAST with LDAP

Just to add... What type of RADIUS server are you using, is it connecting to AD, and what client devices?

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

EAP-FAST with LDAP

We were using 2008 R2 NPS for RADIUS, which was working great for the layer 3 we had set up previously, but for the 802.1X configuration I disabled the RADIUS server so that it wouldn't be considered during the authentication process. We wanted it to simply query LDAP, so I added the LDAP server and removed the RADIUS from the AAA tab on the WLAN page and then went into the security tab and disabled RADIUS completely.

I can certainly post a screenshot but that will have to wait till Monday.

Unfortunately, it will drive me nuts till then.

:-)

Re: EAP-FAST with LDAP

Are you going to use AD for the LDAP? If so, you need to configure AD to send a clear text password back to the WLC, as it can't decrypt the hash that gets sent back.

Sent from Cisco Technical Support iPhone App

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered
New Member

EAP-FAST with LDAP

While a clear text password from AD is something I'm sure I will have to address, I'm not there yet. I first have to resolve associating with the AP.

But thanks for the heads up Steve. You wouldn't happen to have a link that outlines that procedure, would you?

New Member

EAP-FAST with LDAP

Okay... here are the screenshots of how I have the EAP-FAST configured on my controller.

Please feel free to throw anything out there that you think will help.

EAP-FAST with LDAP

The config looks ok, I might try removing the Local CA checkbox in the EAP-Fast config.

I do have another question though. What type of clients are you using? Win7 and Mac OS X support EAP-FAST natively, but XP does not.

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered
New Member

EAP-FAST with LDAP

Hi Steve,

As per the documentation:

"If you chose EAP-FAST and want the device certificate on the controller to be used for authentication, select the Local Certificate Required check box. If you want to use EAP-FAST with PACs instead of certificates, leave this check box unselected, which is the default setting."

I left it checked because I wanted to use the 5508 as my CA which I think is what this setting implies, correct?

I am using an XP client to connect, and many of the clients will be XP as well as a bunch of iPads.

Does the client require any special configurations being an XP device?

Because the client repeatedly says it cannot find the certificate, I was thinking to use manual provisioning for the PAC.

Unless I am way off base, the problem is that the controller isn't providing a cert to the client when asking to associate, correct?

I went into the commands tab and generated a PAC file that I pulled off the controller via tftp. I now have that pac file and want to try using it on the client but I cannot find information on how to import it to the client.

Anyone have information on that?

EAP-FAST with LDAP

XP doesn't support EAP-FAST natively, so it would be trying to do either EAP-TLS or PEAP. For XP to use EAP-FAST, you would need some supplicant that is capable of it.

Instead of doing EAP-FAST you can configure the WLC to do PEAP, then on the client, uncheck the validate server certificate box.

Give that a try, and let us know if it works.

HTH,

Steve

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered
New Member

EAP-FAST with LDAP

Hi guys,

Okay, configured with PEAP and no validation and I can now associate with the AP but I can't authenticate via LDAP. Likely because as Steve stated, AD is probably not configured for clear text replies.

The 5508 is reporting "AAA Authentication Failure for UserName:domain\user User Type: WLAN USER"

I feel like we are really close to wrapping this up. Any tips on how to get AD to send back a clear text response to the LDAP query?

Thanks so much for the help.

Mike

EAP-FAST with LDAP

While I can't find a document/walkthrough on how to get AD to return a clear text password (though I've heard it's a registry hack or expanding the schema on Commerce Server), I did find an article on how to generate a self-signed certificate that you could import into your NPS server.

http://blog.samkendall.net/2011/10/13/creating-a-self-signed-certificate-on-windows-server-20082008-r2-without-iis/

HTH,

Steve

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered
New Member

EAP-FAST with LDAP

Well, I got pretty far... but now somewhat lost. I've created the self-signed cert and gotten it configured on my NPS network policy. I expected that the next step was to export it and get it imported into the Trusted Root Authorities on the client but I cannot. I get an access denied. Maybe because the export of the cert made the file a .pfx filetype and not a .cer?

Dunno.

Also, do I need to make config changes within the controller? Do I need to load the cert onto the controller as well?

I'm sorry... I'm just out of my element here.

Thanks

Re: EAP-FAST with LDAP

You don't need to export the cert, the WLC doesn't need it and you can still just uncheck the box for validate server certificate. On the WLC, you'll want to reconfigure the WLC to talk to the NPS, and tell the WLAN to use the NPS instead of the local EAP profile.

Sent from Cisco Technical Support iPhone App

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered
Hall of Fame Super Silver

Re: EAP-FAST with LDAP

Okay... Well just to add to this....

Your NPS is joined to the domain, correct? So why use LDAP? You're better off creating policies to do a lookup on an AD group.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

EAP-FAST with LDAP

Oh.. I should have been clearer.. Yes, since it's been determined that AD won't pass a clear-text password, I went back and re-enabled my RADIUS, so I am actually using a network policy in NPS to do an AD group lookup.

Trying to use PEAP with EAP-MSCHAPv2 on the client and the NPS. It denies access with an error "22" and goes on to explain, "The authentication request failed because the EAP method selected cannot be processed by the server."

I dunno what else to try tonight. I'll start working on it again in the morning.

Thanks again for the suggestions. Every bit helps!

Hall of Fame Super Silver

Re: EAP-FAST with LDAP

That error is either a bad certificate on the NPS or an internal error on the NPS.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
New Member

EAP-FAST with LDAP

I was hoping that a different NPS would give me better results, but after putting the NPS role on a different server and reconfiguring all the RADIUS settings, I got the exact same error from the new RADIUS.

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:

Security ID: (removed for security reasons)

Account Name: (removed for security reasons)

Account Domain: (removed for security reasons)

Fully Qualified Account Name: (removed for security reasons)

Client Machine:

Security ID: NULL SID

Account Name: -

Fully Qualified Account Name: -

OS-Version: -

Called Station Identifier: 68-bc-0c-64-00-50:WLAN3000

Calling Station Identifier: 00-13-ce-dc-67-fa

NAS:

NAS IPv4 Address: 10.10.30.5

NAS IPv6 Address: -

NAS Identifier: Cisco_0c:55:e4

NAS Port-Type: Wireless - IEEE 802.11

NAS Port: 1

RADIUS Client:

Client Friendly Name: WLAN

Client IP Address: 10.10.30.5

Authentication Details:

Connection Request Policy Name: Secure Wireless Connections

Network Policy Name: Secure Wireless Connections

Authentication Provider: Windows

Authentication Server: (removed for security reasons)

Authentication Type: EAP

EAP Type: -

Account Session Identifier: -

Logging Results: Accounting information was written to the local log file.

Reason Code: 22

Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
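An added example, not part of the thread and not a Cisco or Microsoft tool: a small Python parser that pulls the section/field pairs out of an NPS denial event like the one pasted above and maps the reason code to the first thing to check. The sample event is constructed from the thread's own output, and the reason-code hints are assumed triage notes, not text from the page.

```python
# Constructed sample: a trimmed copy of the NPS denial event pasted in the thread.
SAMPLE_EVENT = """Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Account Name: (removed for security reasons)
Client Machine:
Security ID: NULL SID
Called Station Identifier: 68-bc-0c-64-00-50:WLAN3000
Calling Station Identifier: 00-13-ce-dc-67-fa
NAS:
NAS IPv4 Address: 10.10.30.5
NAS Port-Type: Wireless - IEEE 802.11
Authentication Details:
Network Policy Name: Secure Wireless Connections
Authentication Type: EAP
EAP Type: -
Reason Code: 22
Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
"""

# Assumed triage notes for a few NPS reason codes (22 is the one in the thread).
REASON_HINTS = {
    16: "Credential mismatch: check the user name/password and the account's domain.",
    22: "EAP type cannot be processed: the network policy needs PEAP with a server "
        "certificate selected and EAP-MSCHAPv2 as the inner method.",
    66: "Auth method not enabled on the matching network policy: compare client EAP "
        "settings with the policy's constraints.",
}

def parse_nps_event(text):
    """Split the event into {section: {field: value}}; free text goes under 'message'."""
    event = {"message": []}
    section = "General"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ": " in line:                      # "Field: value" (value may itself contain ':')
            key, value = line.split(": ", 1)
            event.setdefault(section, {})[key.strip()] = value.strip()
        elif line.endswith(":"):              # "Section:" header with no value
            section = line[:-1]
        else:
            event["message"].append(line)
    return event

def triage(event):
    """Reduce a parsed event to the fields worth looking at first, plus a hint."""
    details = event.get("Authentication Details", {})
    code = int(details.get("Reason Code", "0"))
    hint = REASON_HINTS.get(code, "Unrecognised reason code; read the full Reason text.")
    if code == 22 and details.get("EAP Type", "-") == "-":
        hint += " Blank EAP Type means negotiation failed before an inner method was chosen."
    return {"reason_code": code, "eap_type": details.get("EAP Type", "-"),
            "nas_ip": event.get("NAS", {}).get("NAS IPv4 Address", "-"),
            "policy": details.get("Network Policy Name", "-"), "hint": hint}
```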

New Member

EAP-FAST with LDAP

Hey guys,

Okay, looks like I was able to get this working by doing the following:

I created the self-signed cert on the NPS server and, from the NPS server's network policy, I chose PEAP as the EAP type, then added the cert and selected EAP-MSCHAPv2 as the EAP type within the config settings for PEAP.

What I did differently last time was that I chose EAP-MSCHAPv2 in the EAP type. By doing so I was not able to click "edit" and select the cert.

I think I have it configured correctly this time as clients are now authenticating.. there's just a few more tweaks to address but overall.. a good day. :-)

Thank you Scott and Steve. Couldn't have done it without you!

Kind regards,

Mike
