Occasional Contributor II

802.1x Auth with MS LDAP and MSCHAP

We currently have a semi-production 802.1x WPA2/AES with EAP-GTC working with a non-MS LDAP server in the back end....

I want to move the inner auth to MSCHAP and auth against a MS Server which is (so I'm told) synchronized with our non-MS LDAP server(s)....

I assumed I could just change the Aruba side config (and user side) to use MSCHAP and be good to go... problem is, it still only works with EAP-GTC....

From the controller cli:
"aaa test server pap" - works
"aaa test server mschap" - fails

Syslog notes the following when a client using MSCHAP tries to auth:
ldapclient.c, ldap_auth_api:119: Invalid authentication protocol 4 for LDAP


So, my question really is, does Microsoft's LDAP use MSCHAP by default?
I'm thinking since user accounts are "pushed down/sync'd" that the passwords are not stored with NT-Hash....

Anyone currently doing 802.1x auth with a MS LDAP server?
Guru Elite

Microsoft Radius

If you want to migrate to MSCHAP, have you considered Microsoft's free IAS (Radius) server that is built into every version of Microsoft's Server platform? It supports MSCHAP straight out the box without any of the LDAP gymnastics.

MS LDAP does NOT support MSCHAP by default.

The easier path would be using IAS.

The ArubaOS 3.4.1 User Guide has detailed instructions on how to configure Microsoft IAS as a radius server starting on page 629.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II

Re: 802.1x Auth with MS LDAP and MSCHAP

lol....

Did some more Google'in and found (as you mentioned):
- MS-CHAP is not used by any Microsoft products other than IAS for RADIUS

I guess RADIUS it is....