Controller-less WLANs

How do I configure LDAP authentication on Instant so that clients authenticate against an LDAP server?

Use of an LDAP server for authentication on an IAP as the external authentication server

LDAP (Lightweight Directory Access Protocol)

To use an LDAP server for user authentication, configure the LDAP server on the Virtual Controller and configure the user IDs and passwords.

PEAP-GTC termination allows authorization against either a Lightweight Directory Access Protocol (LDAP) server or an external RADIUS server, while PEAP-MSCHAPv2 allows authorization against an external RADIUS server only.

This allows users to authenticate with PEAP-GTC termination, using their username and password, against a local Microsoft Active Directory server over LDAP.

1. EAP-Generic Token Card (GTC) — This EAP method permits the transfer of unencrypted usernames and passwords from the client to the server. The main uses for EAP-GTC are one-time token cards such as SecurID and the use of LDAP or RADIUS as the user authentication server. You can also enable caching of user credentials on the IAP as a backup to the external authentication server.

2. EAP-Microsoft Challenge Authentication Protocol version 2 (MS-CHAPv2) — This EAP method is widely supported by Microsoft clients. A RADIUS server must be used as the back-end authentication server.

Environment: This article applies to all Instant Access Points and Instant OS versions.

LDAP Server — To configure an LDAP server, specify the attributes shown in the following example profile:

wlan ldap-server AD
ip 1.2.3.4
port 389
admin-dn cn=Administrator,cn=Users,dc=arubatac2008,dc=com
admin-password admin
base-dn cn=Users,dc=arubatac2008,dc=com
filter (objectclass=*)
key-attribute sAMAccountName

To configure an LDAP server using the command line:

(Instant Access Point)(config)# wlan ldap-server <profile-name>
(Instant Access Point)(LDAP Server <profile-name>)# ip <IP-address>
(Instant Access Point)(LDAP Server <profile-name>)# port <port>
(Instant Access Point)(LDAP Server <profile-name>)# admin-dn <name>
(Instant Access Point)(LDAP Server <profile-name>)# admin-password <password>
(Instant Access Point)(LDAP Server <profile-name>)# base-dn <name>
(Instant Access Point)(LDAP Server <profile-name>)# filter <filter>
(Instant Access Point)(LDAP Server <profile-name>)# key-attribute <key>
(Instant Access Point)(LDAP Server <profile-name>)# timeout <seconds>
(Instant Access Point)(LDAP Server <profile-name>)# retry-count <number>
(Instant Access Point)(LDAP Server <profile-name>)# end
(Instant Access Point)# commit apply
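
As an added example (not Aruba's code or part of the original article), this Python script parses the sample profile above, builds the LDAP search it implies for a given user, escapes the username per RFC 4515, and flags the clear-text port that the comments below discuss. It assumes the IAP binds as admin-dn and then searches base-dn with the profile filter AND'ed with key-attribute=<user>; that behaviour is an assumption, not something the article states.

```python
"""Added example: what the IAP LDAP profile on this page implies on the wire.
Assumed (not from the Aruba docs): the IAP binds as admin-dn, then searches
base-dn with the profile filter AND'ed with key-attribute=<user>."""
import re

# Sample profile text taken from the article above.
PROFILE = """\
wlan ldap-server AD
ip 1.2.3.4
port 389
admin-dn cn=Administrator,cn=Users,dc=arubatac2008,dc=com
admin-password admin
base-dn cn=Users,dc=arubatac2008,dc=com
filter (objectclass=*)
key-attribute sAMAccountName
"""


def parse_profile(text):
    """Turn 'key value' lines into a dict; the first line names the profile."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    prof = {"name": lines[0].split()[-1]}
    for line in lines[1:]:
        key, _, value = line.partition(" ")
        prof[key] = value.strip()
    return prof


def escape_filter_value(value):
    """RFC 4515 escaping: a typed username must not be able to alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_search_filter(prof, username):
    """The search the IAP would issue under base-dn for this user (assumed)."""
    return "(&%s(%s=%s))" % (
        prof["filter"], prof["key-attribute"], escape_filter_value(username))


def review_profile(prof):
    """Findings a defender wants before trusting this profile."""
    findings = []
    if prof.get("port") == "389":
        # Per the comments on this page, Instant has no LDAPS, so the
        # admin-password bind and every user lookup cross the network in clear text.
        findings.append("port 389: bind and lookups are clear text")
    if not re.match(r"^(cn|ou|uid|dc)=", prof.get("admin-dn", ""), re.I):
        findings.append("admin-dn is not a distinguished name")
    return findings
```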

Version History
Revision 2 of 2, last updated 10-08-2014 10:22 AM

Comments
jrfarrar

I have followed this and am having issues getting it to work. The auth fails. What commands could I use to test connectivity to the LDAP server from the CLI?

Rylo

I was having troubles with this as well when a customer had an older Aruba Controller and 2 Access Points. We went with a couple of IAP-205s and needed LDAP integration. Using the above configuration, there were some additional items needed.

I found that I needed the DISPLAY NAME of the admin for the Admin-DN. I had created a user with the first name Aruba and the last name LDAP. This made the DISPLAY NAME "Aruba LDAP". This is what needs to be in the CN= for the Admin-DN.

I also found there is a difference in using the CN= and OU=

Currently our admin account is in the Users group, which is a “Container”. Our actual user accounts are stored in an Organizational Unit with sub-OUs as well. So the Admin-DN needed the CN=Users and the Base-DN needed the OU=MyUserOU.

For the Windows machines I had to download and install the Aruba GTC Shim, because the customer was previously using GTC and they were not going to a RADIUS server at the moment. My Android phone and iPhone did not need any additional add-ins for the authentication.

On the Windows laptop I am using, I needed to manually create a wireless profile with…

Security Tab >

“Choose a network authentication method:”

Microsoft: Protected EAP (PEAP)

Settings >

Select “Trusted Root Certification Authorities”

GeoTrust Global CA

Select Authentication Method:

EAP-Token (This is the Aruba GTC Shim)

This allowed me to use my domain login credentials:

Username

Password

Domain (This is blank because the Base-DN already has this, if anything is put in here the authentication fails)

TempNetworks

I am struggling to get this to work on my 205s. Everything points to the connection being refused by the LDAP server (Active Directory) because it is not SSL. On controllers there is a way to select LDAPS (port 636) rather than clear text (port 389). This does not seem to be possible on Instant. I can change the port number to 636, but the connection still appears to be clear text, which the LDAP server refuses.

Is there a CLI way to enable LDAPS?

mikeviles

Well, after many hours of trying a bunch of things and spending time on the phone with an array of Aruba support engineers, a more senior guy tells me LDAPS is not supported in the Aruba Virtual Controller (Instant). You can put in a port, but it doesn't use SSL, so any LDAP server rejects it if SSL is required.

Pretty frustrating. The only way for this to work with Instant is to place a RADIUS server in the mix, which is not an option for us.

sigh

marlon@uscomputer.com

Aruba IAPs can authenticate with Apple devices, but not Windows devices when using LDAP. I can connect from my iPhone but not from my Windows laptop. I spent a lot of time with Aruba support, and they blame Windows for their Aruba Termination not working with LDAP...

Aruba should get their act together and address the issue.

mikeviles

You can theoretically get Windows to work by installing Aruba's PEAP-GTC plug-in. Find it here:

http://support.arubanetworks.com/TOOLSRESOURCES/tabid/76/DMXModule/514/Command/Core_ViewDetails/Default.aspx?EntryId=5116

It works as long as you are not using Secure LDAP (LDAPS).

marlon@uscomputer.com

1) Cisco equipment doesn't need a plugin, nor would we want to have the plugin installed on the PCs. Shortcoming of Aruba.

2) Not using LDAPS? From a security standpoint, that is not an option. Having credentials travel in clear text is not a good idea.

Aruba really needs to look at this. It is a huge shortcoming, and all our customers are asking for the ability to use LDAP authentication (LDAPS) so they can log in with their AD credentials.

Thanks.
