
IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication

Hi all, I was wondering if anyone had any idea of the exact IAP settings for authenticating users via LDAP to a Windows Server 2008 Active Directory server.

 

I have numerous examples but none seem to work. I have configured an OpenLDAP server and authentication works immediately with LDAP, but NOT with a Windows domain controller. I have a successful bind established but no authentication is happening.

 

I have the following formats for the filter string:

 

filter: (&(objectclass=user)(objectcategory=person))

key attribute: sAMAccountName

 

I have also tried the following filter string:

 

(&(objectcategory=user)(memberof=CN=Group,OU=Users,DC=Domain,DC=com)) to no avail.

 

Does anyone have a working example of the settings for this to function against an AD server?

 

Thanks

Re: IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication

Are you doing PEAP EAP-MSCHAPv2 or EAP-TTLS PAP on the clients?

 

EAP-TTLS PAP can work in this setup, PEAP EAP-MSCHAPv2 however cannot. Using LDAP you cannot read password attributes from AD. You *can* do an LDAP bind, but for MSCHAPv2 you will need to terminate on AD directly (for this the IAP would need to be domain-joined, but this is not supported). The LDAP bind can only work with PAP.

 

If you want to do PEAP-EAP MSCHAPv2 against AD you will need an external RADIUS server. You could look at FreeRADIUS, Microsoft NPS or perhaps ClearPass.


ACMX#255 | ACMP | ACCP | AWMP
www.securelink.nl
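To make the two points above concrete (the filter plus key attribute from the question, and why an LDAP bind only ever verifies a plaintext PAP password), here is an added example of the "search, then bind" flow an authenticator runs against AD. It is not code from this thread or from Aruba. The in-memory directory and the minimal filter evaluator are constructed stand-ins for a domain controller (against a real DC the same steps are an ldapsearch/ldap3 search and two simple binds), and the way the IAP joins its "filter" and "key attribute" settings into one query (AND-wrapping) is an assumption.

```python
"""LDAP 'search then bind' authentication for a PAP (plaintext) password.
Added example; the directory below is a constructed stand-in for AD and the
(&<filter>(<key>=<user>)) composition is an assumption about the IAP."""
import re

# RFC 4515 escaping for a value spliced into a search filter; without it a
# username such as  *  or  a)(objectClass=*  rewrites the query.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value: str) -> str:
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(base_filter: str, key_attribute: str, username: str) -> str:
    """Assumed composition: configured filter AND (key_attribute=username)."""
    return f'(&{base_filter}({key_attribute}={escape_filter_value(username)}))'


def _unescape(value: str) -> str:
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)


def _parse(flt: str, i: int = 0):
    """Parse a filter limited to (&...) and (attr=value); an unescaped '*' in a
    value is a wildcard, an escaped \\2a is a literal asterisk."""
    if flt[i] != '(':
        raise ValueError(f'expected "(" at {i} in {flt!r}')
    if flt[i + 1] == '&':
        i += 2
        children = []
        while flt[i] == '(':
            node, i = _parse(flt, i)
            children.append(node)
        return ('and', children), i + 1
    j = flt.index(')', i)                      # a literal ')' in a value is escaped
    attr, _, value = flt[i + 1:j].partition('=')
    pattern = '.*'.join(re.escape(_unescape(part)) for part in value.split('*'))
    return ('eq', attr.lower(), re.compile(pattern, re.IGNORECASE)), j + 1


def _match(node, entry) -> bool:
    if node[0] == 'and':
        return all(_match(child, entry) for child in node[1])
    _, attr, regex = node
    values = entry.get(attr, [])
    values = [values] if isinstance(values, str) else values
    return any(regex.fullmatch(v) for v in values)   # AD matching is case-insensitive


class FakeDirectory:
    """Constructed DC stand-in: answers searches and simple binds, but like AD
    never returns password material over LDAP ('_password' only lets the fake
    answer bind requests; nothing reads it back)."""

    def __init__(self, entries):
        self.entries = {dn: {k.lower(): v for k, v in a.items()} for dn, a in entries.items()}

    def simple_bind(self, dn: str, password: str) -> bool:
        entry = self.entries.get(dn)
        return bool(password) and entry is not None and entry.get('_password') == password

    def search(self, flt: str):
        node, end = _parse(flt)
        if end != len(flt):
            raise ValueError('trailing data in filter')
        return [dn for dn, entry in self.entries.items() if _match(node, entry)]


def authenticate_pap(directory, service_dn, service_password, base_filter,
                     key_attribute, username, password) -> bool:
    """1. bind as the service account  2. find exactly one user  3. bind as that user.
    Step 3 is the only password check available, which is why this works for PAP
    but not for a MSCHAPv2 challenge/response, where no password is ever held."""
    if not directory.simple_bind(service_dn, service_password):
        return False
    hits = directory.search(build_user_filter(base_filter, key_attribute, username))
    if len(hits) != 1:                         # zero or ambiguous results fail closed
        return False
    return directory.simple_bind(hits[0], password)


# Constructed sample directory.  In AD objectCategory holds a schema DN and the
# short form 'person' matches it; computer accounts also carry objectClass=user,
# which is why the thread's filter tests objectCategory as well.
DIRECTORY = FakeDirectory({
    'CN=svc-iap,OU=Service,DC=example,DC=com': {
        'objectClass': ['top', 'person', 'user'], 'objectCategory': 'person',
        'sAMAccountName': 'svc-iap', '_password': 'S3rvice-Bind'},
    'CN=Alice,OU=Users,DC=example,DC=com': {
        'objectClass': ['top', 'person', 'user'], 'objectCategory': 'person',
        'sAMAccountName': 'alice', '_password': 'Correct-Horse'},
    'CN=SRV01,CN=Computers,DC=example,DC=com': {
        'objectClass': ['top', 'person', 'user', 'computer'], 'objectCategory': 'computer',
        'sAMAccountName': 'SRV01$', '_password': 'machine-secret'},
})
AD_FILTER = '(&(objectclass=user)(objectcategory=person))'
KEY_ATTRIBUTE = 'sAMAccountName'


def check(username: str, password: str) -> bool:
    return authenticate_pap(DIRECTORY, 'CN=svc-iap,OU=Service,DC=example,DC=com',
                            'S3rvice-Bind', AD_FILTER, KEY_ATTRIBUTE, username, password)


if __name__ == '__main__':
    for user, pw in [('alice', 'Correct-Horse'), ('ALICE', 'wrong'),
                     ('SRV01$', 'machine-secret'), ('*', 'Correct-Horse')]:
        print(f'{user!r:12} -> {check(user, pw)}')
```

Two things worth checking in your own setup fall out of this: the service bind succeeding says nothing about user authentication (step 3 is what fails when the filter or key attribute is wrong), and a username containing `*` or parentheses must be escaped before it is spliced into the filter, otherwise `*` becomes a wildcard that matches every account.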

Re: IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication

Hi arjan_k,

 

I am using PEAP EAP-MSCHAPv2 and have the same issue. Which InstantOS version does this apply to? According to the Instant 6.5.2.0 User Guide, an external LDAP server is supported:

[attached screenshot: instant6520.PNG]

 

Regards,

Julián


Re: IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication

I would save time and get an external radius server.  To use an LDAP server with mschap, you need to (1) setup your LDAP server on the IAP (2) Enable Termination on your SSID (3) Install an EAP-GTC client on all of your clients.

 

You can avoid that by simply using an external radius server; you would avoid having to install software on your clients, and an external radius server would support machine authentication (EAP-GTC does not).



Colin Joseph
Aruba Customer Engineering


Re: IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication

Hi arjan_k and Colin,

 

Yeah, I was able to authenticate with PEAP-EAP MSCHAPv2 against AD using an external RADIUS server. However, the EAP offload feature must be enabled on the IAP for it to work:

[attached screenshot: eapoffload.png]

 

What is it referring to with outer and inner layers of the EAP protocol?

 

Regards,

Julián


Re: IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication

You should not need to use EAP offload if you have an external RADIUS server.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication

Strange, because if I disable EAP offload it doesn't work, but if I enable EAP offload it does work. Also, the EAP offload feature description says:

 

NOTE: AP termination is required when using LDAP for authentication, because LDAP doesn't support EAP.

 

I am using a Windows Server 2012 with AD and NPS configured.

 

Regards,

Julián


Re: IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication

Hi Tim and Colin,

 

I have set up this type of authentication at a customer site. The authentication is against an external RADIUS server with AD on it (Windows Server 2016), since the RADIUS server pulls the credentials from AD. I have tried with termination enabled and disabled. With termination disabled it doesn't work; however, with termination enabled it works. Is this the expected behaviour?

 

Regards,

Julián


Re: IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication

Can you please elaborate on what "doesn't work" means?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication

Yes, with "doesn't work" I mean I can't connect to the network, authentication fails.

Regards,
Julián