02-05-2014 05:36 AM
Hi All, was wondering if anyone had any idea of the exact IAP settings for authenticating users via LDAP to a Windows Server 2008 Active Directory server.
I have numerous examples but none seem to work. I have configured an OpenLDAP server and authentication works immediately with LDAP, but NOT with the Windows domain controller. I have a successful bind established but no authentication is happening.
I have the following formats for the filter string:
key attribute: sAMAccountName
I have also tried the following filter attributes.
Does anyone have a working example of the settings for this to function against an AD server?
02-05-2014 07:33 AM
Are you doing PEAP EAP-MSCHAPv2 or EAP-TTLS PAP on the clients?
EAP-TTLS PAP can work in this setup; PEAP EAP-MSCHAPv2, however, cannot. Using LDAP you cannot read password attributes from AD. You *can* do an LDAP bind, but for MSCHAPv2 you would need to terminate on AD directly (for this the IAP would need to be domain-joined, but this is not supported). The LDAP bind can only work with PAP.
If you want to do PEAP EAP-MSCHAPv2 against AD you will need an external RADIUS server. You could look at FreeRADIUS, Microsoft NPS or perhaps ClearPass.
ACMX#255 | ACMP | ACCP | AWMP
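The distinction drawn in the reply above, as an added example that is not part of the original thread and is not Aruba's or Microsoft's code: a Python model of an authenticator that has nothing behind it but an LDAP bind to the domain controller. The `FakeDomainController` class is a constructed stand-in for a DC's LDAP interface (the base DN, user name and password are made up); the MD4/NT-hash, MS-CHAPv2 ChallengeHash and RFC 4515 filter-escaping routines are real. PAP succeeds because the cleartext password can be used in a simple bind; for MS-CHAPv2 the server would need the user's NT hash, which the directory never returns, so there is nothing to verify against.

```python
import hashlib
import struct
from typing import Dict, List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def _rol(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Written out because OpenSSL 3 keeps MD4 in its
    legacy provider, so hashlib.new('md4') is often unavailable."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        r = list(state)
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                ai = (-i) % 4  # register updated in this step: a, d, c, b, a, ...
                x, y, z = r[(ai + 1) % 4], r[(ai + 2) % 4], r[(ai + 3) % 4]
                r[ai] = _rol((r[ai] + func(x, y, z) + X[k] + const) & MASK32, shifts[i % 4])
        state = [(s + t) & MASK32 for s, t in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)): the password-equivalent an MS-CHAPv2
    verifier must hold (RFC 2759 NtPasswordHash)."""
    return md4(password.encode("utf-16-le"))


def mschapv2_challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash: fed, together with the NT hash, into the DES step
    that reproduces the client's NT-Response."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode("ascii")).digest()[:8]


def escape_filter(value: str) -> str:
    """RFC 4515 escaping so a supplicant-chosen user name cannot rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


class FakeDomainController:
    """Constructed stand-in for a DC's LDAP interface (not a real AD). Like a real DC
    it never returns a password attribute on search (unicodePwd is write-only and the
    NT hash is not exposed over LDAP); it checks a *cleartext* password only by
    accepting or refusing a simple bind."""

    def __init__(self, base_dn: str, users: Dict[str, str]):
        self._pw = dict(users)  # sAMAccountName -> cleartext, never handed out
        self._dn = {u: f"CN={u},CN=Users,{base_dn}" for u in users}

    def search(self, filt: str, attrs: List[str]) -> List[dict]:
        hits = []
        for user, dn in self._dn.items():
            if filt == f"(sAMAccountName={escape_filter(user)})":
                entry = {"dn": dn}
                if "sAMAccountName" in attrs:
                    entry["sAMAccountName"] = user
                hits.append(entry)  # unicodePwd / NT hash are never returned
        return hits

    def simple_bind(self, dn: str, password: str) -> bool:
        user = next((u for u, d in self._dn.items() if d == dn), None)
        return user is not None and self._pw[user] == password


class LdapBindAuthenticator:
    """What a RADIUS server (or the IAP's internal server) can do with LDAP alone."""

    def __init__(self, dc: FakeDomainController):
        self.dc = dc

    def _lookup(self, username: str, attrs: List[str]) -> Optional[dict]:
        hits = self.dc.search(f"(sAMAccountName={escape_filter(username)})", attrs)
        return hits[0] if len(hits) == 1 else None

    def authenticate_pap(self, username: str, password: str) -> bool:
        """PAP / EAP-TTLS-PAP: the cleartext arrives, so bind to the DC as the user."""
        entry = self._lookup(username, ["sAMAccountName"])
        return entry is not None and self.dc.simple_bind(entry["dn"], password)

    def mschapv2_inputs(self, username: str, auth_challenge: bytes,
                        peer_challenge: bytes) -> Tuple[bytes, Optional[bytes]]:
        """PEAP/EAP-MSCHAPv2 delivers a challenge/response, not a password. Checking it
        means recomputing NT-Response from ChallengeHash and the user's NT hash. The
        first we can compute; the second would have to come from the directory, which
        never returns it, so the second item is None and no bind is possible either."""
        entry = self._lookup(username, ["sAMAccountName", "unicodePwd"])
        challenge = mschapv2_challenge_hash(peer_challenge, auth_challenge, username)
        return challenge, (entry.get("unicodePwd") if entry else None)
```

With a domain-joined NPS or FreeRADIUS using `ntlm_auth` the second item is effectively available (the DC computes the response check itself from the NT hash it holds), which is why the reply points to an external RADIUS server. The filter escaping is there because the user name in the filter comes straight from the supplicant; a name such as `*)(objectClass=*` must not turn the lookup into a wildcard match.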