04-24-2012 12:27 PM
I will admit that the whole wlan has been a challenge to wrap my head around, so please excuse my ignorance, but please educate me.
I do not have AD but I do have an LDAP server. I have worked with Aruba support and have set up and tested LDAP authentication using my 650 controller (OS 22.214.171.124). eap-peap and eap-gtc are configured. This is under the AAA profiles-802.1x Authentication profile.
I have also installed the peap-gtc supplicant on the Windows client.
My question is: how do I actually authenticate? I attempted to connect to the WLAN, but wasn't successful. But then I have to admit that I don't know what to expect. Should I be prompted for a user name and password? Or should the credentials be the same for the Windows workstation and the LDAP server? What process should I see?
Any help I would greatly appreciate.
04-26-2012 01:58 PM
Let me take a shot at it.
The first thing that can be very helpful to do is get into the CLI of the controller and configure:
logging level debug security
This will produce a huge amount of log output for security-related events, like authentication. Often you can tell what's going on by looking at "show log security 50" (shows the last 50 lines of the security log).
Second, yes, you should be prompted for a username/password the first time you connect. Assuming you've checked the box that says "Remember my credentials" then you shouldn't get prompted again. Make sure in the client configuration you have selected WPA2/Enterprise as the security scheme. For the network authentication, choose Microsoft: Protected EAP (PEAP). Inside the PEAP settings, choose EAP-Token for the Authentication Method. That should be all you need to get started. Assuming this is Windows 7, you may need to also click on the Advanced Settings button, select "Specify Authentication Mode", and choose "User authentication" - I have had mixed results with setting/not setting this.
Once it is all configured, you really should just have to tell Windows to connect to the wireless network. It should automatically attempt authentication, and should prompt you for credentials.
I'll warn you that 802.1X against an LDAP back end is not very common, so it's going to be a little tough to find people who know how this works. I would say 95% of our customers are using RADIUS.
Jon Green, ACMX, CISSP