Controllerless Networks

last person joined: 10 hours ago 

Aruba Instant Wi-Fi: Meet the controllerless Wi-Fi solution that's easy to set-up, is loaded with security and smarts, and won't break your budget.
Expand all | Collapse all

IAP WPA2 Enterprise internal server with LDAP

  • 1.  IAP WPA2 Enterprise internal server with LDAP

    Posted Feb 04, 2014 10:54 AM

    I was told that iap wpa2 interprise can be configured as radius internal server and the radius server can authenticate against a LDAP server. Does anyone know how to configure this?

     

    thanks.



  • 2.  RE: IAP WPA2 Enterprise internal server with LDAP

    Posted Feb 04, 2014 10:58 AM
      |   view attached

    Check out Chapter 11 in the attached guide. It explains how to configure EAP termination on the VC.

     

     

    Attachment(s)



  • 3.  RE: IAP WPA2 Enterprise internal server with LDAP

    Posted Feb 04, 2014 02:44 PM

    Are you connecting to OpenLDAP or ActiveDirectory or similar?

     

    Do you want to use EAP-PEAP-MSCHAPv2 or EAP-TTLS PAP/MSCHAPv2?

     

    Please note for ActiveDirectory with MSCHAPv2: you will need a domain join for this. For MSCHAPv2 you will need to have NTLM_Auth in place on your RADIUS server. The Aruba Instant internal RADIUS-server does not support a domain join and NTLM_Auth.

     

    If you are using OpenLDAP and want to use MSCHAPv2 then you need to store either plain-text passwords or NT-Passwords (like AD does). If you are using PAP you can store passwords with any hashing algorithm.

     

     

    I would advise you to use an external RADIUS server if possible.



  • 4.  RE: IAP WPA2 Enterprise internal server with LDAP

    Posted Feb 05, 2014 04:42 AM

    hello,

     

    i want to implement in a active directory domain network. The LDAP server is the DC.

     

    Do you think is possible to implement without radius?

     

    thanks,



  • 5.  RE: IAP WPA2 Enterprise internal server with LDAP

    Posted Feb 05, 2014 05:04 AM

    At least for PEAP EAP-MSCHAPv2 (which is most common) you will need a RADIUS server.

     

    Possible RADIUS servers: Microsoft NPS (which is included in Windows Server), FreeRADIUS (if you have a Linux platform) or possibly ClearPass Policy Manager if you have some budget available :)

     

    When using EAP-TTLS with PAP you would not need an external RADIUS server, but note the default Windows 802.1X supplicant does not have support for this.



  • 6.  RE: IAP WPA2 Enterprise internal server with LDAP

    Posted Feb 05, 2014 09:56 PM

    The NPS for MSFT is free just activate it but the good thing you do not need the cerificate server as you can use Aruba to ternminate the EAP traffic.



  • 7.  RE: IAP WPA2 Enterprise internal server with LDAP

    Posted Apr 12, 2017 12:14 PM

    Hello,

    If a customer has 2 different LDAPs (say Student and Faculty), can you reference both with Termination Enabled, and they will fail-thru?  ie. if the user is not contained in the first, it tries the second.  Or, is it better to have an External RADIUS server that points to both LDAPs, set Termination to Disabled, and point the IAPs to the RADius server?

    Thanks in advance.