Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Documentation on IAP 802.1x LDAP authentication to Windows AD?

  • 1.  Documentation on IAP 802.1x LDAP authentication to Windows AD?

    Posted Dec 08, 2015 06:15 PM

    I've created an LDAP authentication server successfully within the IAP, associated it with my WPA-2 Enterprise SSID, but when the SSID is selected, clients prompt for username/password, and I get "RADIUS reject for station first.last XX:XX:XX:XX:XX:XX from server ldap-servername" in the logs.

     

    This is configured as an LDAP server (not RADIUS), and all the documentation I'm finding points to setting up RADIUS on Windows... but why is this necessary if I can make an LDAP query to AD?

     

    I'm on 6.4, and reading through the 802.1x auth portion, as well as Googling - but not getting a clear path here.

     

    Thanks for any direction.

     

     



  • 2.  RE: Documentation on IAP 802.1x LDAP authentication to Windows AD?

    EMPLOYEE
    Posted Dec 08, 2015 06:28 PM
    What authentication method are you using?

    Does your client support EAP-GTC?

    How are your passwords stored in LDAP?

    Using a RADIUS server is the recommended way.

    Sent from Nine


  • 3.  RE: Documentation on IAP 802.1x LDAP authentication to Windows AD?

    Posted Dec 09, 2015 10:21 AM

    Just found this - which addresses a pretty similar query:

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/RADIUS-vs-LDAP/td-p/23344

     

    But for continuity:

     

    What authentication method are you using?

    The intent is to use 802.1x authentication:

    (http://www.arubanetworks.com/techdocs/InstantHTML/Content/Chapter11%20Authentication/AuthenticationMethods.htm)


    Does your client support EAP-GTC?

    Attempted Win7, 8.1, and iOS.  From my reading this morning, apparently not.

    How are your passwords stored in LDAP?
    No confident idea.  This is a Windows AD server, and a direct LDAP query to it; a quick google isn't producing a response for this context.

     

    Using a RADIUS server is the recommended way.

    That's what I'm gathering - but stumped on why it appears I can configure it that way, and documentation is so slim.

     

    I do appreciate the input.

     



  • 4.  RE: Documentation on IAP 802.1x LDAP authentication to Windows AD?
    Best Answer

    Posted Dec 09, 2015 01:02 PM

    LDAP is a protocol that is used for looking up and potentially authenticating users against an established directory database. This is generally fine for captive portal authentication but not typically used for 1X unless you have an intermediary like ClearPass. Also, do not use the standard unencrypted port (389), which is clear text. Instead use LDAPS (636) for encrypted (SSL) communication between the controller and server.

     

    Using IAS/NPS on your Windows server as the RADIUS server is the preferred method for authentication. IAS/NPS will use AD for authentication lookups on computers and users. This is a much more secure and efficient method than doing termination on and lookups from the virtual controller. 

     

    Here are some good resources:

    http://www.arubanetworks.com/techdocs/ArubaOS_60/UserGuide/802.1x.php

    http://community.arubanetworks.com/aruba/attachments/aruba/115/6113/1/Using+Microsoft+Windows+2008+Server+With+Aruba.pdf

     

    Hope this helps you out. 
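
As an added example (not code from the thread or from Aruba), the two points in the answer above, LDAPS on 636 instead of 389 and RADIUS rather than LDAP behind an 802.1X SSID, can be checked with a small config audit. The stanza keywords, profile names and addresses are constructed assumptions in a simplified Instant-style layout.

```python
SAMPLE_CONFIG = """\
wlan ldap-server ad-ldap
 ip 192.0.2.10
 port 389
wlan auth-server nps-radius
 ip 192.0.2.20
wlan ssid-profile corp-1x
 opmode wpa2-aes
 auth-server ad-ldap
wlan ssid-profile guest-portal
 opmode opensystem
 auth-server ad-ldap
"""  # constructed sample; stanza keywords are assumed, simplified Instant-style syntax
ENTERPRISE_OPMODES = {"wpa2-aes"}  # assumed name of the WPA2-Enterprise (802.1X) mode

def parse_stanzas(text):
    """Return {(kind, name): {key: [values]}} for every 'wlan <kind> <name>' stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():  # unindented line starts a new stanza
            parts = raw.split()
            is_wlan = len(parts) == 3 and parts[0] == "wlan"
            current = stanzas.setdefault((parts[1], parts[2]), {}) if is_wlan else None
        elif current is not None:  # indented line belongs to the open stanza
            key, _, value = raw.strip().partition(" ")
            current.setdefault(key, []).append(value.strip())
    return stanzas

def audit(text):
    """Flag cleartext LDAP servers and 802.1X SSIDs that authenticate against LDAP."""
    stanzas = parse_stanzas(text)
    ldap = {name: body for (kind, name), body in stanzas.items() if kind == "ldap-server"}
    findings = []
    for name, body in ldap.items():
        port = body.get("port", ["389"])[0]  # treat a missing port as the LDAP default, 389
        if port != "636":
            findings.append(("cleartext-ldap", name, f"port {port}, use LDAPS on 636"))
    for (kind, name), body in stanzas.items():
        if kind == "ssid-profile" and set(body.get("opmode", [])) & ENTERPRISE_OPMODES:
            for server in body.get("auth-server", []):
                if server in ldap:
                    findings.append(("dot1x-on-ldap", name, f"{server} is LDAP, use RADIUS"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(": ".join(finding))
```

The open `guest-portal` SSID is not reported by the 802.1X check, matching the answer's point that LDAP is generally fine for captive portal authentication.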



  • 5.  RE: Documentation on IAP 802.1x LDAP authentication to Windows AD?

    Posted Dec 09, 2015 02:43 PM

    Sure does.  Thank you.