Cisco Support Community

New Member

LEAP Authentication via LDAP

I would like to use LEAP authentication for my WLAN users via an existing LDAP database, but have been told that this will not work because LDAP does not support any CHAP authentication protocols, and this is what the Aironet APs use. I don't really understand this response, since it will be the ACS server talking to the LDAP server, not the AP. I thought the LDAP server is used only as a group/password database and the ACS server handles the interface to the access point.

Has anyone set up a similar architecture? Or, can anyone give me a more definitive explanation of why this would not work?



New Member

Re: LEAP Authentication via LDAP

You are correct, you can NOT use an LDAP database to authenticate. The problem is with the hashing algorithm. Other standards exist, but LEAP is Cisco proprietary, and that is one of the issues. If you don't have a ton of users, maybe just create a local database file on your RADIUS server; that works great. Or authenticate against an NT domain.

New Member

Re: LEAP Authentication via LDAP

I wish to authenticate wireless users with LEAP and ACS 3.0 against an LDAP server.

The ACS User Guide specifies (page 1-9, table 1-2) that the password authentication protocol LEAP is not compatible with an LDAP database, the same as stated in the previous post of this thread.

However, in a recent TechTalk (Securing and Managing Your 802.11 Wireless Network) there were some questions related to this issue:

- Question 163: Can you proxy through a Cisco ACS server to a backend LDAP server for username and password authorization?

Answer 163: Absolutely. Please see the following URL:

- Question 238: Can you support LEAP with a backend LDAP server?

Answer 238: Yes!

- Question 301: When using LEAP, is the password stored in a Cisco ACS stored as a hash or something that can be stored in an LDAP server?

Answer 301: A hashed password is used, and LDAP does not have support for the hashing algorithm.

Is there any way to use this kind of authentication? Has anyone tried it? Can anyone clarify this point?

Thanks in advance
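The structural reason behind the "LDAP does not support CHAP" answers above, as an added illustration that is not part of the thread and not Cisco ACS code: a challenge/response method can only be verified by a server that holds the reusable password (or its hash) and recomputes the response, while an LDAP directory is normally consulted through a simple bind that just answers "is this plaintext password correct?". LEAP's real computation is MS-CHAP based (NT hash plus DES); this constructed model uses RFC 1994 CHAP (MD5) so it runs with the standard library, but the point about what the verifier must possess is the same.

```python
"""Constructed model: a hash-aware store vs. a bind-only directory as the
backend for a CHAP-family method (stand-in for LEAP). Not Cisco ACS code."""
import hashlib
import hmac


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Supplicant side, RFC 1994: Response = MD5(Identifier || Secret || Challenge).
    LEAP uses an MS-CHAP-style NT hash + DES computation instead, but the
    verifier still needs the stored secret to recompute the same value."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class HashAwareStore:
    """Backend that holds the reusable secret, e.g. the ACS local user
    database or an NT domain. It can recompute and compare the response."""

    def __init__(self, users: dict[str, bytes]):
        self._users = users

    def verify_chap(self, user: str, identifier: int,
                    challenge: bytes, response: bytes) -> bool:
        secret = self._users.get(user)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare


class BindOnlyDirectory:
    """Backend that only exposes an LDAP-style simple bind. It never hands
    the stored secret to the RADIUS server, so it can answer a plaintext
    (PAP-style) check but cannot evaluate a challenge/response."""

    def __init__(self, users: dict[str, bytes]):
        self._users = users

    def bind(self, user: str, plaintext: bytes) -> bool:
        return hmac.compare_digest(self._users.get(user, b""), plaintext)

    def verify_chap(self, user: str, identifier: int,
                    challenge: bytes, response: bytes) -> bool:
        # There is no directory operation that returns the secret, and the
        # response is not a plaintext password that could be used in a bind.
        raise NotImplementedError("bind-only directory cannot verify CHAP")


# Constructed sample credentials and a fixed 16-byte challenge for the demo.
USERS = {"alice": b"s3cret-pass"}
CHALLENGE = bytes(range(16))
```

Running `HashAwareStore(USERS).verify_chap("alice", 1, CHALLENGE, chap_response(1, USERS["alice"], CHALLENGE))` returns True, while the same call on `BindOnlyDirectory(USERS)` raises, which is the situation ACS is in with an LDAP backend.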

