12-08-2015 03:14 PM - edited 12-08-2015 03:16 PM
I've created an LDAP authentication server successfully within the IAP, associated it with my WPA-2 Enterprise SSID, but when the SSID is selected, clients prompt for username/password, and I get "RADIUS reject for station first.last XX:XX:XX:XX:XX:XX from server ldap-servername" in the logs.
This is configured as an LDAP server (not radius), and all the documentation I'm finding points to setting up Radius on Windows... but why is this necessary if I can make a LDAP query to AD?
I'm on 6.4, and reading through the 802.1X auth portion, as well as Googling - but not getting a clear path here.
Thanks for any direction.
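A small parser for the reject message quoted in the post above, added here as an example and not part of the original thread. The regular expression follows the one log line the post shows; the timestamps, AP hostname, usernames, MAC addresses and the second server name in `SAMPLE_LOG` are constructed. Grouping rejects by authentication server and counting distinct users separates a server-wide mismatch (every user rejected, which is the symptom in this thread) from a single user typing a bad password.

```python
import re
from collections import defaultdict

# Message format copied from the thread's log excerpt:
#   RADIUS reject for station first.last XX:XX:XX:XX:XX:XX from server ldap-servername
REJECT_RE = re.compile(
    r"RADIUS reject for station (?P<user>\S+) "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) "
    r"from server (?P<server>\S+)"
)

# Constructed sample log: timestamps, AP name, users, MACs and the
# "nps-servername" server are invented for this demonstration.
SAMPLE_LOG = [
    "Dec  8 15:14:01 IAP-1 RADIUS reject for station jane.doe 00:11:22:33:44:01 from server ldap-servername",
    "Dec  8 15:14:09 IAP-1 RADIUS reject for station john.roe 00:11:22:33:44:02 from server ldap-servername",
    "Dec  8 15:14:20 IAP-1 RADIUS reject for station amy.poe 00:11:22:33:44:03 from server ldap-servername",
    "Dec  8 15:15:02 IAP-1 RADIUS reject for station amy.poe 00:11:22:33:44:03 from server ldap-servername",
    "Dec  8 15:16:40 IAP-1 RADIUS reject for station bob.loe 00:11:22:33:44:04 from server nps-servername",
    "Dec  8 15:16:55 IAP-1 RADIUS reject for station bob.loe 00:11:22:33:44:04 from server nps-servername",
    "Dec  8 15:17:00 IAP-1 some unrelated log line",
]


def parse_rejects(lines):
    """Yield (user, mac, server) for every line carrying the IAP reject message."""
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            yield m.group("user"), m.group("mac").lower(), m.group("server")


def summarize(lines):
    """Count rejects per auth server, plus how many distinct users and stations hit each."""
    per_server = defaultdict(lambda: {"rejects": 0, "users": set(), "stations": set()})
    for user, mac, server in parse_rejects(lines):
        entry = per_server[server]
        entry["rejects"] += 1
        entry["users"].add(user)
        entry["stations"].add(mac)
    return {
        srv: {
            "rejects": v["rejects"],
            "distinct_users": len(v["users"]),
            "distinct_stations": len(v["stations"]),
        }
        for srv, v in per_server.items()
    }


def classify(summary, min_users=3):
    """Label a server 'server-side' when several different users are all rejected
    (an EAP-method or backend mismatch), otherwise 'credential' (one user's password)."""
    return {
        srv: ("server-side" if v["distinct_users"] >= min_users else "credential")
        for srv, v in summary.items()
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    labels = classify(result)
    for srv, stats in result.items():
        print(f"{srv}: {stats} -> {labels[srv]}")
```

Run it against a real IAP log export instead of `SAMPLE_LOG`; a server showing many distinct users rejected within minutes is the pattern that points at the EAP/LDAP mismatch discussed below rather than at the users.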
12-08-2015 03:27 PM
12-09-2015 07:21 AM
Just found this, which addresses a pretty similar query:
But for continuity:
What authentication method are you using?
The intent is to use 802.1X authentication.
Does your client support EAP-GTC?
Attempted Win7, 8.1, and iOS. From my reading this morning, apparently not.
How are your passwords stored in LDAP?
No confident idea. This is a Windows AD server, and a direct LDAP query to it; a quick google isn't producing a response for this context.
Using a RADIUS server is the recommended way.
That's what I'm gathering, but I'm stumped on why it appears I can configure it that way, and documentation is so slim.
I do appreciate the input.
12-09-2015 10:01 AM
LDAP is a protocol that is used for looking up and potentially authenticating users against an established directory database. This is generally fine for captive portal authentication but not typically used for 1X unless you have an intermediary like ClearPass. Also, do not use the standard unencrypted port (389), which is clear text. Instead, use LDAPS (636) for encrypted (SSL) communication between the controller and server.
Using IAS/NPS on your Windows server as the RADIUS server is the preferred method for authentication. IAS/NPS will use AD for authentication lookups on computers and users. This is a much more secure and efficient method than doing termination on and lookups from the virtual controller.
Here are some good resources:
Hope this helps you out.
Sr. Network Engineer - SecurEdge Networks
ACMP / ACDX / AWMP
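The answer above warns against LDAP on port 389 because a simple bind sends the password in clear text. The following is an added example, not code from the thread or from Aruba, that encodes and decodes an LDAPv3 simple BindRequest (RFC 4511 section 4.2) in BER to make that concrete: the DN and password are plain OCTET STRING fields that any decoder walking the TCP stream can read back, so confidentiality has to come from wrapping the connection in TLS (LDAPS on 636, as recommended). The message ID, DN and password used are constructed values.

```python
# Minimal BER encoder/decoder for an LDAPv3 simple BindRequest.
# Tags used (RFC 4511 / X.690):
#   0x30 SEQUENCE (LDAPMessage), 0x02 INTEGER, 0x04 OCTET STRING,
#   0x60 [APPLICATION 0] constructed = BindRequest,
#   0x80 [0] primitive = AuthenticationChoice.simple (the password).


def ber_len(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(v):
    """Non-negative INTEGER; the +8 keeps a leading 0x00 when the high bit is set."""
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def encode_simple_bind(message_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind_request = tlv(
        0x60,
        ber_int(3)                      # version INTEGER 3
        + tlv(0x04, dn.encode())        # name LDAPDN
        + tlv(0x80, password.encode()), # authentication: simple [0] OCTET STRING
    )
    return tlv(0x30, ber_int(message_id) + bind_request)


def read_tlv(buf, pos):
    """Parse the element at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                   # long form: next (length & 0x7F) bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_simple_bind(packet):
    """Walk the BER and return (messageID, dn, password), or None for a non-simple (SASL) bind.

    Every field is plain BER; nothing here is secret unless the bytes travel inside TLS.
    """
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(msg, 0)
    tag, bind, _ = read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, _version, pos = read_tlv(bind, 0)
    _, dn, pos = read_tlv(bind, pos)
    tag, auth, _ = read_tlv(bind, pos)
    if tag != 0x80:
        return None
    return int.from_bytes(mid, "big"), dn.decode(), auth.decode()


if __name__ == "__main__":
    # Constructed credentials for the demonstration.
    pkt = encode_simple_bind(1, "CN=first.last,OU=Users,DC=example,DC=com", "Password1")
    print(pkt.hex())
    print(decode_simple_bind(pkt))
```

With `ldaps://server:636` the identical BER bytes are carried inside a TLS session, so the decoder above only works for someone holding the server's private key; that, plus validating the server certificate on the IAP side, is the whole point of the recommendation to avoid 389.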