Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

SSL LDAP authentication from controller (i.e. not clearpass)

  • 1.  SSL LDAP authentication from controller (i.e. not clearpass)

    Posted Mar 24, 2014 01:40 PM

    I am trying to bring up a new WLAN in my test/QA environment.  On this WLAN, I want to use LDAP authentication from the controller to the domain controller in the test domain.  I have my configuration complete, and LDAP authentication works to the domain controller, but only in clear text mode.  I assume SSL LDAP is failing because there is no certificate installed.


    So my questions are:


    1:  Can the certificate come from our private CA, or does it need to be issued by a CA that is trusted by the wireless controller.

    2:  What should the common name of the certificate be?

    3:  Should the certificate be installed on the domain controller (I believe yes), or should it be installed on the wireless controller (which is what my windows domain admin thinks)?


    Any help will be greatly appreciated.


    Thanks,

    Robert




  • 2.  RE: SSL LDAP authentication from controller (i.e. not clearpass)

    Posted Mar 24, 2014 02:00 PM

    What is your ultimate goal here?   To authenticate 802.1X users to LDAP (over SSL)?    Is there a reason why you don't install NPS (Network Policy Server) in the domain and leverage native RADIUS capabilities rather than relying on LDAP?   Using LDAP for 802.1X authentications requires additional considerations/configuration on the controller; including enabling dot1x termination and using EAP-GTC.



  • 3.  RE: SSL LDAP authentication from controller (i.e. not clearpass)

    Posted Mar 24, 2014 02:10 PM

    My ultimate goal is to get users authenticated against my windows domain controller, and currently my plan is to use LDAP to do that.  Once again, I have it working already but only with clear text.


    I can check with the windows domain administrators to see if they have NPS installed already, but it seems to me that since I am so close using LDAP, why not stick with that?



  • 4.  RE: SSL LDAP authentication from controller (i.e. not clearpass)

    Posted Mar 24, 2014 02:46 PM

    When you say you have it working, do you mean you have 802.1X working and you can authenticate to a WPA2-Enterprise SSID, or just test authentications through the test tool on the controller?


    Side note; RADIUS provides more flexibility/granularity with policies and provides the ability to return attributes to the controller if you choose (Roles, VLANs, etc.).



  • 5.  RE: SSL LDAP authentication from controller (i.e. not clearpass)

    Posted Mar 24, 2014 02:51 PM

    Yes,  from my wireless client I can authenticate to a WPA2-Enterprise SSID.


    I realize that I would have more flexibility with Radius, but at this time there are no plans to have multiple roles, vlans, etc.  This is a very small WLAN.  


    I have asked the Windows group about NPS, but have not heard back from them at this time.



  • 6.  RE: SSL LDAP authentication from controller (i.e. not clearpass)

    Posted Mar 24, 2014 03:21 PM

    Well, assuming you have things working on your end and you want/have to use LDAP, back to your original questions:


    1:  Can the certificate come from our private CA, or does it need to be issued by a CA that is trusted by the wireless controller.

    Yes, the certificate can be from any CA, however it will need to be trusted by the controller.

    2:  What should the common name of the certificate be?

    Doesn't really matter in this use case; usually it is the hostname, but can be something else.

    3:  Should the certificate be installed on the domain controller (I believe yes), or should it be installed on the wireless controller (which is what my windows domain admin thinks)?

    Yes, if you want to secure LDAP on the domain controller, then the certificate is installed on the domain controller.   The controller just needs to trust it; so you are going to import the trusted CA or the certificate itself (if self-signed) into the controller.  


    Also, because you are using LDAP, you'll need dot1x termination on the controller and use EAP-GTC; which I assume you have already setup since you say you have it working already.
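    The three answers above (a private CA is fine, the CN is normally the DC hostname, the certificate lives on the domain controller while the wireless controller only needs the issuing CA) can be rehearsed offline before anything is touched in production. The script below is an added example, not from this thread or from HPE Aruba Networking: it builds a throwaway private CA with OpenSSL, issues an LDAPS certificate for a hypothetical test-domain DC named dc01.qa.example.test, and then performs the same checks the wireless controller will perform once that CA is imported as trusted: chain validation, a negative check against the wrong root, and a hostname/SAN match. The hostname, CA name and file paths are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): build a private CA, issue an LDAPS
# certificate for the domain controller, and verify it the way the wireless
# controller will once the CA cert is imported as a trusted CA.
# Assumed names: dc01.qa.example.test is a hypothetical test-domain DC.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DC_FQDN="dc01.qa.example.test"   # hypothetical; use the real DC FQDN

# Question 1: a private CA is fine. Its certificate (ca.pem) is what gets
# imported into the wireless controller as a trusted CA.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=QA Test Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Question 2: CN (and SAN) = the DC hostname the controller is configured
# to talk to. Windows LDAPS also requires the serverAuth EKU on the cert.
make_dc_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$DC_FQDN" \
    -keyout "$WORK/dc.key" -out "$WORK/dc.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$DC_FQDN" \
    > "$WORK/dc.ext"
  openssl x509 -req -sha256 -days 825 -in "$WORK/dc.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/dc.ext" -out "$WORK/dc.pem" 2>/dev/null
}

# Question 3: dc.pem/dc.key are installed on the domain controller; the
# wireless controller only needs ca.pem. This is the trust check it will do.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/dc.pem" >/dev/null 2>&1
}

# Negative check: a DC cert must NOT validate against an unrelated root,
# which is what you would see if the wrong CA were imported on the controller.
verify_wrong_ca_fails() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Some Other CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
  if openssl verify -CAfile "$WORK/other.pem" "$WORK/dc.pem" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Hostname check: the name in the cert must match the LDAP server name
# configured on the controller, otherwise the TLS handshake is rejected.
verify_hostname() {
  openssl x509 -in "$WORK/dc.pem" -noout -text 2>/dev/null | grep -q "DNS:$DC_FQDN"
}

make_ca
make_dc_cert
verify_chain && verify_hostname && verify_wrong_ca_fails && echo "chain and hostname OK"

# Once the Windows team has installed dc.pem/dc.key on the DC, the same
# check against the live LDAPS port (636) looks like this (not run here):
#   openssl s_client -connect "$DC_FQDN:636" -CAfile "$WORK/ca.pem" \
#     -verify_return_error </dev/null
```

In a real deployment the CSR is signed by the organisation's own CA rather than the throwaway root created here; the point is that the wireless controller must end up trusting whichever CA actually issued the DC's certificate, and that the name in the certificate must be the name the controller uses to reach the LDAP server.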




  • 7.  RE: SSL LDAP authentication from controller (i.e. not clearpass)

    Posted Mar 24, 2014 03:24 PM

    Ok.  Thanks for the information.  I'll get the certificate generated, install the root on the controller so it will trust it, and have the windows group install the certificate on the domain controller.


    Thanks for the help.


    Robert




  • 8.  RE: SSL LDAP authentication from controller (i.e. not clearpass)
    Best Answer

    EMPLOYEE
    Posted Mar 25, 2014 05:02 AM

    rluechtefeld,


    Authenticating using LDAP instead of Radius introduces too many drawbacks:


    - Machine Authentication not supported (no login scripts, no managing or visibility into machines at the ctrl-alt-delete screen over wireless, new users cannot log into wireless computers that they never logged into before)

    - Custom supplicants required for Windows Computers (you will have to configure or install software on every Windows computer to get it on the network, instead of using group policy to configure them.  The only reason why your smartphone will work is that it supports EAP-GTC natively, but Windows Clients do not.)


    Long story short, using the controller with 802.1x connecting to LDAP is only meant for customers who are forced to use a Non-Domain LDAP like Novell's eDirectory, and it contains significant drawbacks.  NPS is meant to be used with Windows and provides the best experience and manageability for free (the cost of the server) without all of the drawbacks.  If you can, please take a look at the Windows 2008 NPS setup guide here http://community.arubanetworks.com/aruba/attachments/aruba/115/6113/1/Using+Microsoft+Windows+2008+Server+With+Aruba.pdf or forward it to your Server Group.


    We are very passionate about getting users off on the right foot,  vs. "letting them learn the hard way."




  • 9.  RE: SSL LDAP authentication from controller (i.e. not clearpass)

    Posted Mar 25, 2014 12:51 PM

    Thanks to both of you for your input and guidance on this.  I have looked at the document on configuring NPS and have forwarded it on to my contact in the Windows group.  We are going to go ahead and try to implement NPS.  


    Currently, PCs should not be connecting to this SSID, only wireless devices i.e. phones, tablets, etc.  However I'm sure it's just a matter of time until the first exception to that policy and then I'll be wishing I did NPS.