Controllerless Networks

Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

IAP ldap and WPA-2 Enterprise

  • 1.  IAP ldap and WPA-2 Enterprise

    Posted Mar 27, 2018 09:00 AM

    I am trying to configure WPA-2 Enterprise against an ldap service, but it declines access. Where can I see the logs for that in the IAP controller?


    My config looks perfect to my knowledge, but Wi-Fi access is not working; I'm not sure what is wrong:


    wlan ssid-profile test
     enable
     index 2
     termination
     type employee
     essid test
     opmode wpa2-aes
     max-authentication-failures 0
     auth-server ldapmaster
     rf-band all
     captive-portal disable
     dtim-period 1
     broadcast-filter arp
     dmo-channel-utilization-threshold 90
     local-probe-req-thresh 0
     max-clients-threshold 64
    
    wlan ldap-server ldapmaster
     ip XXXX
     port 389
     admin-dn cn=readuser,dc=XXXX
     admin-password XXXXX
     base-dn cn=users,dc=XXXX,dc=XXXX
     filter (objectclass=*)
     key-attribute userPassword




  • 2.  RE: IAP ldap and WPA-2 Enterprise

    Posted Apr 03, 2018 10:15 AM

    Since I couldn't find a way to see any ldap logs on the IAP, I started tcpdump on the LDAP server to see what happened, and then I managed to find out that the key attribute is actually cn, unlike what I was thinking, that this is the attribute for the password.


    Here are my findings:

    - there are attribute descriptions which are hardcoded or something, which the ldap search command looks for:

    [screenshot: ldap0.png]

    - in my case the ldap search works correctly for the given username; however, since in the cn for that particular user we have the userPassword attribute, and also ntPassword and lmPassword, it matches 3 entries, not only one:

    [screenshot: ldap.png]

    However it does not work. I tried to provide as the password what is in the attribute lmPassword, which is in clear text, but it's not allowing me access. I think that it might be because it matches 3 fields, not only one, but I could not find where I can select which attributes to count as the password. Also I am not sure if the password can be in unix crypt format... Any idea?
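Added Python simulation of the lookup sequence the findings above describe (admin bind, a search of base-dn for the username through the key attribute, then a bind as the single matched user) against a constructed in-memory directory; this is not code from the thread or from Aruba's IAP, and the DNs, passwords and the `authenticate` helper are assumptions for illustration. It shows why `key-attribute userPassword` yields no match while `key-attribute cn` does, and why more than one match must also be rejected.

```python
import re
# Constructed sample directory (assumption, not real data); attrs lower-cased, values as lists.
DIRECTORY = {
    "cn=alice,cn=users,dc=example,dc=com": {
        "objectclass": ["person"], "cn": ["alice"], "userpassword": ["s3cret"],
        "ntpassword": ["<hash>"], "lmpassword": ["<hash>"]},
    "cn=bob,cn=users,dc=example,dc=com": {
        "objectclass": ["person"], "cn": ["bob"], "userpassword": ["hunter2"]},
}

def escape_filter_value(value):
    """RFC 4515 escaping so a supplied username cannot change the filter's shape."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(s, i=0):
    """Parse the RFC 4515 subset needed here: (&...), (attr=value) and (attr=*)."""
    if s[i + 1] == "&":
        i, subs = i + 2, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            subs.append(node)
        return ("&", subs), i + 1
    end = s.index(")", i)
    attr, value = s[i + 1:end].split("=", 1)
    return ("=", attr.lower(), None if value == "*" else unescape(value)), end + 1

def matches(node, entry):
    if node[0] == "&":
        return all(matches(n, entry) for n in node[1])
    _, attr, value = node  # presence test for (attr=*), equality otherwise
    return bool(entry.get(attr)) if value is None else value in entry.get(attr, [])

def search(base_dn, filter_str, directory=DIRECTORY):
    node, _ = parse_filter(filter_str)
    return [dn for dn, e in directory.items()
            if dn.lower().endswith(base_dn.lower()) and matches(node, e)]

def authenticate(username, password, key_attribute, base_filter="(objectclass=*)",
                 base_dn="cn=users,dc=example,dc=com"):
    """Admin bind assumed done. Step 2: search for the user; step 3: bind as that DN."""
    flt = "(&%s(%s=%s))" % (base_filter, key_attribute, escape_filter_value(username))
    hits = search(base_dn, flt)
    if len(hits) != 1:  # 0 hits: key-attribute is not the login name; >1: ambiguous
        return False, "%d entries matched %s" % (len(hits), flt)
    # Stand-in for the user bind: a real server verifies the password itself.
    return password in DIRECTORY[hits[0]].get("userpassword", []), hits[0]
```

The returned detail string is what a practitioner would want in the IAP's missing log: it separates "no or several entries matched the filter" from "the user bind failed".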




  • 3.  RE: IAP ldap and WPA-2 Enterprise
    Best Answer

    Posted Jul 18, 2018 09:30 AM

    So, some progress here: actually my configuration for ldap is correct. If I use it in the captive portal it works. The problem apparently is that there is no EAP-TLS supported in this case. So it's not possible out of the box to use the ldap server only. We need a radius server with EAP-TLS enabled, otherwise it won't work.