New Contributor
Posts: 1
Registered: ‎01-28-2014

IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication

Hi All, was wondering if anyone had any idea of the exact IAP settings for authenticating users via LDAP to a windows Server 2008 Active Directy Server.


I have numerous examples but none seem to work. I have configured an openldap server and authentication works immedietly with LDAP, but NOT with windows domain controller. I have asuccessful bind established but no authentication is happening.


I have the following formats for the filter string:


filter: (&(objectclass=user)(objectcategory=person))

key atrribute: sAMAccountName


I also have tried the following filter attributes also.


(&(objectcategory=user)(memberof=CN=Group,OU=Users,DC=Domain,DC=com)) to no avail.


Does anyone have a working example of the settings for this to function against an AD server?






Posts: 130
Registered: ‎06-11-2013

Re: IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication

Are you doing PEAP EAP-MSCHAPv2 or EAP-TTLS PAP on the clients?


EAP-TTLS PAP can work in this setup, PEAP EAP-MSCHAPv2 however cannot. Using LDAP you cannot read password attributes from AD. You *can* do a LDAP bind, but for MSCHAPv2 you will need to terminate on AD directly (for this the IAP would need to be domain-joined, but this is not supported). The LDAP bind can only work PAP.


If you want to do PEAP-EAP MSCHAPv2 against AD you will need an external RADIUS server. You could look at FreeRADIUS, Microsoft NPS or perhaps ClearPass.

Search Airheads
Showing results for 
Search instead for 
Did you mean: