New Contributor
Posts: 1
Registered: 01-28-2014

IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication

Hi all, I was wondering if anyone had any idea of the exact IAP settings for authenticating users via LDAP to a Windows Server 2008 Active Directory server.

I have numerous examples but none seem to work. I have configured an OpenLDAP server and authentication works immediately with LDAP, but NOT with the Windows domain controller. I have a successful bind established but no authentication is happening.

I have the following format for the filter string:

filter: (&(objectclass=user)(objectcategory=person))

key attribute: sAMAccountName

I have also tried the following filter:

(&(objectcategory=user)(memberof=CN=Group,OU=Users,DC=Domain,DC=com)) to no avail.

Does anyone have a working example of the settings for this to function against an AD server?

Thanks

MVP
Posts: 130
Registered: 06-11-2013

Re: IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication

Are you doing PEAP EAP-MSCHAPv2 or EAP-TTLS PAP on the clients?

EAP-TTLS PAP can work in this setup; PEAP EAP-MSCHAPv2, however, cannot. Using LDAP you cannot read password attributes from AD. You *can* do an LDAP bind, but for MSCHAPv2 you will need to terminate on AD directly (for this the IAP would need to be domain-joined, but this is not supported). The LDAP bind can only work with PAP.

If you want to do PEAP-EAP MSCHAPv2 against AD you will need an external RADIUS server. You could look at FreeRADIUS, Microsoft NPS or perhaps ClearPass.


ACMX#255 | ACMP | ACCP | AWMP
www.securelink.nl
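To make the two points above concrete, here is an added Python model of the search-then-bind flow an LDAP AAA server runs for a user: the filter and key attribute from the opening question decide which entry is found, and the second bind as that entry (arjan_k's point) is only possible when the inner method delivers a cleartext password. This is example code written for this page, not code from the thread or from Aruba. It assumes the IAP ANDs its Filter setting with key-attribute=username (generic search-then-bind behaviour; the exact IAP internals are not on the page), and the directory entries, DNs, account names and passwords are all constructed.

```python
"""Search-then-bind user authentication as an LDAP AAA server performs it.
Added example, not code from the thread or from Aruba; the directory, DNs,
account names and passwords below are constructed."""


def _entry(classes, category, sam, groups):
    # Minimal AD-like entry: attribute name -> list of values.
    return {"objectClass": classes, "objectCategory": [category],
            "sAMAccountName": [sam], "memberOf": groups}


# AD stores objectCategory as a schema DN and resolves the short name "person"
# on comparison; the short form is stored here to keep the matcher simple.
USER = ["top", "person", "organizationalPerson", "user"]
DIRECTORY = {
    "CN=Alice Example,OU=Users,DC=Domain,DC=com":
        _entry(USER, "person", "alice", ["CN=Group,OU=Users,DC=Domain,DC=com"]),
    "CN=Bob Example,OU=Users,DC=Domain,DC=com": _entry(USER, "person", "bob", []),
    # Computer accounts are objectClass=user too; (objectcategory=person) in
    # the posted filter is what keeps them out of the result.
    "CN=WKS01,CN=Computers,DC=Domain,DC=com":
        _entry(USER + ["computer"], "computer", "WKS01$", []),
}
# Stand-in for the DC's own check of a simple bind; never readable over LDAP.
BIND_SECRETS = {"CN=Alice Example,OU=Users,DC=Domain,DC=com": "correct-horse-battery",
                "CN=Bob Example,OU=Users,DC=Domain,DC=com": "hunter2"}


def parse_filter(text):
    """Parse an RFC 4515 filter (&, |, !, attr=value) into nested tuples.
    Values containing ')' would need RFC 4515 escaping; not handled here."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")" or (op == "!" and len(children) != 1):
                raise ValueError(f"malformed '{op}' filter at offset {pos}")
            pos += 1
            return (op, children)
        end = text.index(")", pos)
        attr, sep, value = text[pos:end].partition("=")
        if not (sep and attr):
            raise ValueError(f"bad filter item {text[pos:end]!r}")
        pos = end + 1
        return ("=", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry. LDAP attribute names are
    case-insensitive, so lookups are lower-cased."""
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = {k.lower(): v for k, v in entry.items()}.get(attr.lower(), [])
    if value == "*":  # presence test
        return bool(values)
    # Case-insensitive equality; AD also DN-normalises memberOf before comparing.
    return any(v.lower() == value.lower() for v in values)


def search(directory, filter_text, key_attr, username):
    """DNs matching the configured filter ANDed with key_attr=username (assumed
    to be how the IAP combines its Filter and Key Attribute settings)."""
    tree = ("&", [parse_filter(filter_text), ("=", key_attr, username)])
    return [dn for dn, entry in directory.items() if matches(tree, entry)]


def authenticate_pap(directory, filter_text, key_attr, username, password):
    """Step 1 searches under the service-account bind; step 2 binds as the
    found DN with the user's cleartext password. Step 2 needs cleartext (PAP):
    an MSCHAPv2 challenge response cannot be checked by a bind."""
    dns = search(directory, filter_text, key_attr, username)
    if len(dns) != 1:
        return False, f"search returned {len(dns)} entries for {username!r}"
    if BIND_SECRETS.get(dns[0]) != password:
        return False, "user bind rejected by the DC"
    return True, dns[0]


FILTER_POSTED = "(&(objectclass=user)(objectcategory=person))"
# Constructed variant: the posted filter restricted to members of one group.
FILTER_GROUP = "(&(objectclass=user)(objectcategory=person)(memberof=CN=Group,OU=Users,DC=Domain,DC=com))"

if __name__ == "__main__":
    for user in ("alice", "bob", "WKS01$"):
        print(user, search(DIRECTORY, FILTER_POSTED, "sAMAccountName", user),
              search(DIRECTORY, FILTER_GROUP, "sAMAccountName", user))
    print(authenticate_pap(DIRECTORY, FILTER_POSTED, "sAMAccountName", "alice", "correct-horse-battery"))
```

Run it directly to see the lookups for alice, bob and the WKS01$ computer account. Two things it makes visible: a filter of just (objectclass=user) also returns computer accounts, so the (objectcategory=person) clause in the posted filter does real work; and the second bind requires the user's cleartext password, which only a PAP inner method such as EAP-TTLS/PAP delivers, so with PEAP-MSCHAPv2 the IAP never holds anything it can bind with. Since that password crosses the wire to the DC, the IAP-to-DC session should be LDAPS or StartTLS rather than plain LDAP.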
Regular Contributor I
Posts: 359
Registered: 03-02-2017

Re: IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication


Hi arjan_k,

I am using PEAP EAP-MSCHAPv2 and have the same issue. What InstantOS does this apply to? According to the Instant 6.5.2.0 User Guide, an external LDAP server is supported:

[image: instant6520.PNG]

Regards,

Julián

Guru Elite
Posts: 21,488
Registered: 03-29-2007

Re: IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication


I would save time and get an external RADIUS server. To use an LDAP server with MSCHAP, you need to (1) set up your LDAP server on the IAP, (2) enable termination on your SSID, and (3) install an EAP-GTC client on all of your clients.

You can avoid that by simply using an external RADIUS server; you would avoid having to install software on your clients, and an external RADIUS server would support machine authentication (EAP-GTC does not).



Colin Joseph
Aruba Customer Engineering


Regular Contributor I
Posts: 359
Registered: 03-02-2017

Re: IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication

Hi arjan_k and Colin,

Yeah, I was able to authenticate with PEAP-EAP MSCHAPv2 against AD using an external RADIUS server. However, the EAP offload feature must be enabled on the IAP in order for it to work:

[image: eapoffload.png]

What is it referring to with the outer and inner layers of the EAP protocol?

Regards,

Julián

Guru Elite
Posts: 8,759
Registered: 09-08-2010

Re: IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication


You should not need to use EAP offload if you have an external RADIUS server.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I
Posts: 359
Registered: 03-02-2017

Re: IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication

Strange, because if I disable EAP offload it doesn't work, but if I enable EAP offload it does work. Also, the EAP offload feature description says:

NOTE: AP termination is required when using LDAP for authentication, because LDAP doesn't support EAP.

I am using Windows Server 2012 with AD and NPS configured.

Regards,

Julián
