Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

LDAP Queries

  • 1.  LDAP Queries

    Posted Apr 16, 2020 05:56 AM



    Can we use LDAP for EAP-PEAP with termination disabled, or should termination be enabled? Please update soon, as there is an ongoing issue and we need to bring up the setup.


    Thank you in advance!

  • 2.  RE: LDAP Queries

    Posted Apr 16, 2020 06:06 AM

    You cannot use LDAP for EAP-PEAP without termination. If you do use LDAP for EAP-PEAP, your clients would have to support EAP-GTC (Windows devices do not support this natively).

  • 3.  RE: LDAP Queries

    Posted Apr 16, 2020 06:14 AM



    Thank you for your response. Please let me know if I can enable termination with EAP-PEAP mschapv2 as inner eap instead of GTC for LDAP.


  • 4.  RE: LDAP Queries
    Best Answer

    Posted Apr 16, 2020 06:19 AM

    You would only be able to do that if you are using termination AND pointing to a radius server (instead of an LDAP server).  With mschapv2 and termination and an LDAP server, your only inner option is eap-gtc.


    Long story short, if you have a Windows domain, install the free NPS radius server and avoid all of the hoops you will have to jump through with termination.

  • 5.  RE: LDAP Queries

    Posted Apr 16, 2020 06:25 AM



    Thank you for your quick response. So if I understood you, if we need to use LDAP, then we need to do the following:


    1. Enable termination on the controller

    2. EAP should be EAP-PEAP and inner-eap-type should be eap-gtc and not mschapv2

    3. Install GTC plugins on devices.


    Can you let me know if GTC plugins are available even for mobile devices and also do you have any link on how to install GTC plugins?


    Thank you!
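
The three settings listed in post 5, as they would look in an ArubaOS controller configuration. This is an added example, not posted by anyone in the thread; the profile and server names, the address 192.0.2.10, the DNs and the key attribute are constructed placeholders, and the LDAP server stanza assumes an Active Directory style directory reached over LDAPS.

```text
! Constructed example: every name, address and DN below is a placeholder.
!
! LDAP server used for the lookup and bind. With EAP-GTC the controller
! receives the user's password and presents it to the directory, so the
! connection type is set to LDAP over TLS rather than clear text.
aaa authentication-server ldap "example-ldap"
   host 192.0.2.10
   admin-dn "cn=wlan-bind,ou=Service Accounts,dc=example,dc=com"
   admin-passwd <bind-password>
   base-dn "ou=Users,dc=example,dc=com"
   key-attribute "sAMAccountName"
   preferred-conn-type ldap-s
!
aaa server-group "example-ldap-group"
   auth-server example-ldap
!
! Step 1: termination enabled on the controller.
! Step 2: outer method EAP-PEAP, inner method EAP-GTC (not MSCHAPv2).
aaa authentication dot1x "example-dot1x-ldap"
   termination enable
   termination eap-type eap-peap
   termination inner-eap-type eap-gtc
!
! Tie the 802.1X profile and the LDAP server group to the AAA profile
! that the SSID's virtual AP uses.
aaa profile "example-aaa"
   authentication-dot1x "example-dot1x-ldap"
   dot1x-server-group "example-ldap-group"
```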




  • 6.  RE: LDAP Queries

    Posted Apr 16, 2020 08:46 AM



    EAP-GTC is selectable on Android devices as an option when you configure the SSID. On iOS you don't need to select anything.


    However, I had similar cases deployed and the EAP-GTC rollout is a big headache on Windows. Some of the WiFi adapters were not capable of supporting this plug-in and they couldn't connect to the SSID at all.


    It's something I had a very bad experience with from the customer-side perspective.


    Instead, I installed the Windows Server NPS feature and used it for RADIUS authentication, without EAP-GTC. It is less of a headache and a better user experience, especially for Windows devices.

  • 7.  RE: LDAP Queries

    Posted Apr 16, 2020 09:19 AM

    Hi Cjoseph,


    Thank you for your guidance.


    I will look into it.