Controllerless Networks

Occasional Contributor I
Posts: 6
Registered: ‎01-08-2013

IAP WPA2 Enterprise internal server with LDAP

I was told that IAP WPA2 Enterprise can be configured with an internal RADIUS server and that the RADIUS server can authenticate against an LDAP server. Does anyone know how to configure this?

Thanks.

Guru Elite
Posts: 8,632
Registered: ‎09-08-2010

Re: IAP WPA2 Enterprise internal server with LDAP

Check out Chapter 11 in the attached guide. It explains how to configure EAP termination on the VC.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 130
Registered: ‎06-11-2013

Re: IAP WPA2 Enterprise internal server with LDAP

Are you connecting to OpenLDAP or Active Directory or similar?

Do you want to use EAP-PEAP-MSCHAPv2 or EAP-TTLS PAP/MSCHAPv2?

Please note, for Active Directory with MSCHAPv2 you will need a domain join for this. For MSCHAPv2 you will need to have NTLM_Auth in place on your RADIUS server. The Aruba Instant internal RADIUS server does not support a domain join and NTLM_Auth.

If you are using OpenLDAP and want to use MSCHAPv2, then you need to store either plain-text passwords or NT passwords (like AD does). If you are using PAP, you can store passwords with any hashing algorithm.

I would advise you to use an external RADIUS server if possible.


ACMX#255 | ACMP | ACCP | AWMP
www.securelink.nl
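The distinction in the previous reply (MSCHAPv2 needs plain-text or NT passwords in the directory, PAP works with any hash) can be shown concretely. The following is an added illustration written for this thread, not code from the post, from Aruba Instant or from any RADIUS server. It assumes three constructed OpenLDAP-style entries (`userPassword` with an `{SSHA}` hash, a Samba-style `sambaNTPassword`, or a cleartext `userPassword`), a constructed salt and the sample password `password`. `md4` is a pure-Python MD4 (RFC 1320) because hashlib's MD4 is unavailable on many OpenSSL builds; the MSCHAPv2 challenge/response itself is not implemented, only the question of what the directory must supply for the RADIUS server to be able to compute it.

```python
import base64
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _md4_round(state, f, X, order, shifts, const):
    # One 16-step MD4 round; rotating the register tuple keeps the step uniform.
    a, b, c, d = state
    for i, k in enumerate(order):
        a = _lrot((a + f(b, c, d) + X[k] + const) & MASK, shifts[i % 4])
        a, b, c, d = d, a, b, c
    return [a, b, c, d]


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), used here only to derive NT hashes."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        s = _md4_round(state, F, X, range(16), (3, 7, 11, 19), 0)
        s = _md4_round(s, G, X, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15),
                       (3, 5, 9, 13), 0x5A827999)
        s = _md4_round(s, H, X, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15),
                       (3, 9, 11, 15), 0x6ED9EBA1)
        state = [(x + y) & MASK for x, y in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash as stored by AD/Samba: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le")).hex()


def make_ssha(password: str, salt: bytes) -> str:
    """OpenLDAP {SSHA} value: base64(sha1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(stored: str, candidate: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)


def pap_verify(entry: dict, candidate: str) -> bool:
    """PAP: the RADIUS server receives the cleartext password inside the TLS
    tunnel, so it can re-hash it with whatever scheme the directory uses."""
    stored = entry.get("userPassword", "")
    if stored.startswith("{SSHA}"):
        return verify_ssha(stored, candidate)
    return hmac.compare_digest(stored.encode(), candidate.encode())  # cleartext


def mschapv2_nt_hash(entry: dict):
    """MSCHAPv2: the server never sees the password, only a challenge/response
    derived from the NT hash, so the directory must hold the NT hash or
    cleartext. Returns the hex NT hash, or None if MSCHAPv2 cannot work."""
    if "sambaNTPassword" in entry:
        return entry["sambaNTPassword"].lower()
    stored = entry.get("userPassword", "")
    if stored and not stored.startswith("{"):
        return nt_hash(stored)              # derive it from cleartext
    return None                             # salted SHA-1 cannot be converted


# Constructed sample directory entries (not real accounts).
SALT = bytes.fromhex("0102030405060708")
ENTRIES = {
    "ssha-only": {"userPassword": make_ssha("password", SALT)},
    "ssha+nt": {"userPassword": make_ssha("password", SALT),
                "sambaNTPassword": nt_hash("password").upper()},
    "cleartext": {"userPassword": "password"},
}

if __name__ == "__main__":
    for name, entry in ENTRIES.items():
        print(name, "PAP ok:", pap_verify(entry, "password"),
              "MSCHAPv2 usable:", mschapv2_nt_hash(entry) is not None)
```

Running it shows that the `{SSHA}`-only entry authenticates fine with PAP but offers nothing usable for MSCHAPv2, while the entries with an NT hash or a cleartext password do. On a real Active Directory the NT hash (`unicodePwd`) is not readable over LDAP at all, which is why the reply above says MSCHAPv2 against AD needs a domain-joined RADIUS server with NTLM_Auth rather than a plain LDAP bind.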
Occasional Contributor I
Posts: 6
Registered: ‎01-08-2013

Re: IAP WPA2 Enterprise internal server with LDAP

Hello,

I want to implement this in an Active Directory domain network. The LDAP server is the DC.

Do you think it is possible to implement without RADIUS?

Thanks,

MVP
Posts: 130
Registered: ‎06-11-2013

Re: IAP WPA2 Enterprise internal server with LDAP

At least for PEAP EAP-MSCHAPv2 (which is most common) you will need a RADIUS server.

Possible RADIUS servers: Microsoft NPS (which is included in Windows Server), FreeRADIUS (if you have a Linux platform) or possibly ClearPass Policy Manager if you have some budget available :)

When using EAP-TTLS with PAP you would not need an external RADIUS server, but note the default Windows 802.1X supplicant does not have support for this.


ACMX#255 | ACMP | ACCP | AWMP
www.securelink.nl
Super Contributor I
Posts: 300
Registered: ‎12-01-2010

Re: IAP WPA2 Enterprise internal server with LDAP

The NPS from MSFT is free, just activate it, but the good thing is you do not need the certificate server as you can use Aruba to terminate the EAP traffic.

Normal Guy
New Contributor
Posts: 2
Registered: ‎03-21-2017

Re: IAP WPA2 Enterprise internal server with LDAP

Hello,

If a customer has 2 different LDAPs (say Student and Faculty), can you reference both with Termination Enabled, and they will fail through? I.e. if the user is not contained in the first, it tries the second. Or, is it better to have an external RADIUS server that points to both LDAPs, set Termination to Disabled, and point the IAPs to the RADIUS server?

Thanks in advance.
