Wireless Access

Occasional Contributor II

LDAP authentication with eDirectory

We're finally moving away from a PSK environment and want our users to authenticate via LDAP in the most secure way. We do not have a RADIUS server in place and we are a Novell shop (eDirectory OES).


I have the LDAP server set up with the preferred connection type set to start-tls. The L2 dot1x profile has termination enabled; termination EAP types eap-tls and eap-peap are enabled.


Termination inner EAP type: eap-gtc.


I guess what I'd like to know is: is this the most secure way our users can connect without adding a RADIUS server? 


Thanks. 

Guru Elite

Re: LDAP authentication with eDirectory

Yes, but you will require a third-party supplicant for most clients to support EAP-GTC.


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: LDAP authentication with eDirectory

Thanks. What about checking off eap-mschapv2 under the dot1x profile as well?


Ideally we'd like a RADIUS server in place, but we really need to move away from our current pre-shared key environment.

Guru Elite

Re: LDAP authentication with eDirectory

PEAP-MSCHAPv2 is not possible with your configuration. Your only options with LDAP are:

- EAP-GTC
- EAP-TTLS (requires a RADIUS server)
- EAP-TLS

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: LDAP authentication with eDirectory

Thank you. I'm currently testing this out and it's working fine with a BlackBerry 10 device, Windows 7 and Windows 10 laptops. According to AirWave, most of our users (at the moment, anyway) are connecting with their Androids and iPads. I'm just curious as to how many of our clients will have issues connecting if they're running fairly new software?


Also, would you suggest using captive portal to authenticate against LDAP?

Guru Elite

Re: LDAP authentication with eDirectory

Do you have third party supplicants installed on the Windows 7 machines? Win 7 does not support EAP-GTC natively.


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: LDAP authentication with eDirectory

No, we don't... What's the encryption supposed to be set to in the SSID profile? Right now it's "opensystem"; then it brings up a captive portal and we enter our LDAP creds.

Guru Elite

Re: LDAP authentication with eDirectory

Oh, then you're not doing 802.1X. You would set it to WPA2 AES.


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
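The pieces settled in this thread (LDAP server over start-tls, a dot1x profile that terminates EAP on the controller with EAP-GTC as the inner method, and an SSID running WPA2-AES) fit together as below. This is an added illustration written for this page, not the original poster's configuration or an Aruba-supplied sample; the profile names, the host 10.0.0.10, the DNs and the key attribute are assumed values and must be replaced with your own.

```text
! Added example: ArubaOS controller configuration for 802.1X termination
! against eDirectory over LDAP/StartTLS. Names, IP, DNs and the key
! attribute are assumptions, not values from the thread.

aaa authentication-server ldap "eDirectory-LDAP"
   host 10.0.0.10
   admin-dn "cn=wlanproxy,ou=services,o=example"
   admin-passwd "<proxy-account-password>"
   base-dn "o=example"
   key-attribute "cn"
   preferred-conn-type start-tls
   enable
!
aaa server-group "eDirectory-SG"
   auth-server "eDirectory-LDAP"
!
aaa authentication dot1x "eDirectory-dot1x"
   termination enable
   termination eap-type eap-peap
   termination inner-eap-type eap-gtc
!
wlan ssid-profile "Corp-SSID"
   essid "Corp"
   opmode wpa2-aes
!
aaa profile "Corp-AAA"
   authentication-dot1x "eDirectory-dot1x"
   dot1x-default-role "authenticated"
   dot1x-server-group "eDirectory-SG"
!
wlan virtual-ap "Corp-VAP"
   ssid-profile "Corp-SSID"
   aaa-profile "Corp-AAA"
```

Two points worth checking when applying something like this. First, the reason EAP-MSCHAPv2 is excluded with an LDAP backend is structural: the controller can only verify a password by performing an LDAP bind with the cleartext credential, and EAP-GTC delivers that credential inside the TLS tunnel, whereas MSCHAPv2 never reveals the password and requires the authenticator to hold the user's NT hash. Second, with termination enabled the controller itself presents the server certificate to the supplicant; the warning quoted later in this thread about "securelogin.arubanetworks.com" is the factory default certificate, so for production you would install a certificate your clients already trust and have the supplicant validate the server name, rather than training users to click through the prompt.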
Occasional Contributor II

Re: LDAP authentication with eDirectory

Ah... OK. Makes sense now. Just an FYI, here's the error message I get:


Radius Server: securelogin.arubanetworks.com
Root CA: GeoTrust Global CA

The server "securelogin.arubanetworks.com" presented a valid certificate issued by "GeoTrust Global CA", but "GeoTrust Global CA" is not configured as a valid trust anchor for this profile. Further, the server "securelogin.arubanetworks.com" is not configured as a valid NPS server to connect to for this profile.

Guru Elite

Re: LDAP authentication with eDirectory

This is normal. You'll need to click the connect button.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480