Cisco Support Community
New Member

WPA2 802.1x with MS RADIUS, LDAP, Clean Access

We are in a multivendor environment using NAC and WCS. We would like to implement WPA2 Enterprise. We currently authenticate with LDAP to place users in proper roles.

Not 100% sure on this. As far as I know, it is not possible to implement 802.1x with LDAP... so how could we use LDAP and a RADIUS server together in order to implement WPA2 Enterprise? Is this possible? Any documentation out there that I have yet to find explaining this?

Any help would be appreciated.

Thanks in advance,

Ben

Cisco Employee

Re: WPA2 802.1x with MS RADIUS, LDAP, Clean Access

Hi,

Let's clarify all possibilities and you can choose one from there :-)

1) The Wireless Controller (WLC) can act as RADIUS server. The feature is called "Local EAP". So the WLC authenticates the client (WPA2 if you like).

The WLC can use an LDAP database as user database. The only restriction is that you cannot use "MSCHAPv2" methods. So only PEAP-GTC, EAP-FAST-GTC and EAP-TLS. Of those 3, only EAP-TLS is present in the default Windows client supplicant.

2) You can have a complete RADIUS server like Cisco ACS. However, the limitation coming with LDAP remains, unless your database is Active Directory, in which case ACS can integrate with it and allow for all EAP methods.

3) If you go for WPA Enterprise, that means you will authenticate users 2 times: once with dot1x to join the wireless and once with NAC afterwards to get network connectivity. Again, if you have Active Directory, you can go with "single sign on" so that users never have to enter their credentials. Otherwise they will have to enter them twice.

Apart from that fact, NAC pretty much doesn't care if your wireless is open or dot1x-secured, it comes after the dot1x authentication anyway.

I hope this clarifies?

Nicolas

===

please rate answers that you find useful
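The reason behind the MSCHAPv2 restriction in point 1 and the Active Directory exception in point 2, as an added example that is not from this thread, the WLC or ACS: a RADIUS server that can only perform an LDAP simple bind can verify a cleartext password (PAP, EAP-GTC inside the TLS tunnel) but cannot recompute an MSCHAPv2 response, which requires the password hash itself. The class names, the sample user, and the sha256/HMAC stand-ins for the real MD4 NT hash and DES-based ChallengeResponse are assumptions made for the model.

```python
import hashlib
import hmac

# Constructed sample directory: {username: cleartext password}.
USERS = {"ben": "correct horse battery"}

def password_hash(password: str) -> bytes:
    # The real NT hash is MD4 over UTF-16LE; sha256 stands in (assumption)
    # because hashlib's md4 is often unavailable on OpenSSL 3 builds.
    return hashlib.sha256(password.encode("utf-16-le")).digest()

class LdapBindBackend:
    """A directory the RADIUS server can only query via simple bind: it answers
    'is this cleartext password right?' but never hands back a hash."""
    def __init__(self, users):
        self._users = users
    def bind(self, user, password):
        return self._users.get(user) == password
    def nt_hash(self, user):
        raise NotImplementedError("bind-only directory cannot return a hash")

class DomainBackend(LdapBindBackend):
    """An AD-integrated server (the ACS-with-AD case in the reply) that can obtain the hash."""
    def nt_hash(self, user):
        return password_hash(self._users[user])   # KeyError if the user is unknown

def peer_mschapv2_response(password, challenge):
    # The client proves knowledge of the hash; the cleartext never crosses the wire.
    # HMAC stands in for the DES-based ChallengeResponse of RFC 2759 (assumption).
    return hmac.new(password_hash(password), challenge, "sha256").digest()

def authenticate(backend, method, user, credential, challenge=b""):
    """Return 'accept', 'reject' or 'unsupported' for one access request."""
    if method in ("PAP", "EAP-GTC"):
        # The cleartext arrives inside the TLS tunnel; the server just binds with it.
        return "accept" if backend.bind(user, credential) else "reject"
    if method == "MSCHAPv2":
        try:
            expected = hmac.new(backend.nt_hash(user), challenge, "sha256").digest()
        except NotImplementedError:
            return "unsupported"   # the server cannot recompute the response at all
        except KeyError:
            return "reject"
        return "accept" if hmac.compare_digest(expected, credential) else "reject"
    raise ValueError(f"unknown method {method}")
```

With the bind-only backend every MSCHAPv2 request comes back "unsupported" regardless of the password, which is exactly the restriction the reply describes; only the domain-integrated backend can accept or reject it.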
