Controllerless Networks

Occasional Contributor II

IAP LDAP and WPA-2 Enterprise

I am trying to configure WPA-2 Enterprise against an LDAP service, but it declines access. Where can I see logs for that on the IAP controller?


My config looks perfect to my knowledge, but wifi access is not working. I am not sure what is wrong:


wlan ssid-profile test
 index 2
 type employee
 essid test
 opmode wpa2-aes
 max-authentication-failures 0
 auth-server ldapmaster
 rf-band all
 captive-portal disable
 dtim-period 1
 broadcast-filter arp
 dmo-channel-utilization-threshold 90
 local-probe-req-thresh 0
 max-clients-threshold 64

wlan ldap-server ldapmaster
 ip XXXX
 port 389
 admin-dn cn=readuser,dc=XXXX
 admin-password XXXXX
 base-dn cn=users,dc=XXXX,dc=XXXX
 filter (objectclass=*)
 key-attribute userPassword


Occasional Contributor II

Re: IAP LDAP and WPA-2 Enterprise

Since I couldn't find a way to see any LDAP logs on the IAP, I started tcpdump on the LDAP server to see what happened, and then I managed to find out that the key attribute is actually cn; it is not, as I was thinking, the attribute for the password.


Here are my findings:

- there are attribute descriptions which are hardcoded or something, which the ldap search command looks for:

[image: ldap0.png]

- in my case the ldap search works correctly for the given username; however, since in the cn for that particular user we have the userPassword attribute, and also ntPassword and lmPassword, it matches 3 entries, not only one:

[image: ldap.png]

However it does not work. I tried to provide as password what is in the attribute lmPassword, which is in clear text, but it's not allowing me access. I think that it might be because it matches 3 fields, not only one, but I could not find where I can select which attributes to count as password. Also I am not sure if the password can be in unix crypt format... Any idea?
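The post above works out, from the packet capture, that the IAP composes its search from the configured filter plus an equality match on the key attribute (cn), and then wonders how the stored userPassword value is compared. The following is an added example, not code from the thread or from Aruba: it models that lookup offline against a constructed in-memory directory. The placeholder domain (dc=example,dc=com), the entries, the list of supported password schemes (cleartext, {SHA}, {SSHA}) and the status strings are all assumptions made for illustration, not a statement of how the IAP itself verifies passwords. Two points a practitioner would want to check are shown: the username must be RFC 4515-escaped before it goes into the filter, and a userPassword stored in a scheme the authenticator cannot recompute (such as {CRYPT}) fails closed rather than matching.

```python
import base64
import hashlib
import hmac

# Hypothetical stand-in for the IAP settings quoted in the thread (placeholder domain).
LDAP_CONFIG = {
    "base_dn": "cn=users,dc=example,dc=com",
    "filter": "(objectclass=*)",
    "key_attribute": "cn",  # the tcpdump showed the search keys on cn, not userPassword
    "password_attribute": "userPassword",
}

# RFC 4515 escaping for a value embedded in a search filter, so a username such as
# "*)(cn=*" cannot widen the search to other entries.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(username: str, cfg: dict = LDAP_CONFIG) -> str:
    """AND the configured filter with a key-attribute match on the supplied username."""
    return "(&{}({}={}))".format(
        cfg["filter"], cfg["key_attribute"], escape_filter_value(username)
    )


def verify_userpassword(stored: bytes, candidate: str) -> bool:
    """Compare a candidate password with one RFC 2307-style userPassword value.

    Handles cleartext, {SHA} and {SSHA}. Any other scheme (for example {CRYPT})
    raises ValueError, because this checker has no way to recompute it.
    """
    cand = candidate.encode()
    if not stored.startswith(b"{"):
        return hmac.compare_digest(stored, cand)
    scheme, _, payload = stored[1:].partition(b"}")
    scheme = scheme.upper()
    if scheme == b"SHA":
        return hmac.compare_digest(base64.b64decode(payload), hashlib.sha1(cand).digest())
    if scheme == b"SSHA":
        raw = base64.b64decode(payload)
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows it
        return hmac.compare_digest(digest, hashlib.sha1(cand + salt).digest())
    raise ValueError("unsupported userPassword scheme: " + scheme.decode(errors="replace"))


def make_ssha(password: str, salt: bytes) -> bytes:
    """Produce a {SSHA} value the way an OpenLDAP-style directory stores it."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


# Constructed in-memory directory standing in for the LDAP server; not real data.
# The {CRYPT} value is a placeholder string, not a real crypt hash.
DIRECTORY = [
    {"dn": "cn=jsmith,cn=users,dc=example,dc=com",
     "cn": ["jsmith"],
     "userPassword": [make_ssha("correct horse", b"8bytesalt")]},
    {"dn": "cn=legacy,cn=users,dc=example,dc=com",
     "cn": ["legacy"],
     "userPassword": [b"{CRYPT}$6$placeholder$notarealhash"]},
]


def search(username: str, cfg: dict = LDAP_CONFIG) -> list:
    """Toy equivalent of the IAP's search: (objectclass=*) matches every entry, so the
    key-attribute equality is what actually selects the user."""
    return [e for e in DIRECTORY if username in e.get(cfg["key_attribute"], [])]


def authenticate(username: str, password: str, cfg: dict = LDAP_CONFIG) -> str:
    """Return 'ok', 'bad-password', 'no-user', 'ambiguous' or 'unsupported-scheme'."""
    entries = search(username, cfg)
    if not entries:
        return "no-user"
    if len(entries) > 1:
        return "ambiguous"
    for stored in entries[0].get(cfg["password_attribute"], []):
        try:
            if verify_userpassword(stored, password):
                return "ok"
        except ValueError:
            return "unsupported-scheme"  # fail closed instead of guessing
    return "bad-password"


if __name__ == "__main__":
    print(build_search_filter("jsmith"))            # (&(objectclass=*)(cn=jsmith))
    print(authenticate("jsmith", "correct horse"))  # ok
    print(authenticate("legacy", "anything"))       # unsupported-scheme
```

Run it directly to see the composed filter and the three outcomes; the {CRYPT} entry illustrates the question raised in the post: a password stored in a scheme the authenticator does not implement can never match, however correct the cleartext is.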


Occasional Contributor II

Re: IAP LDAP and WPA-2 Enterprise

So some progress here: actually my configuration for LDAP is correct. If I use it in the captive portal it works. The problem apparently is that there is no EAP-TLS supported in this case, so it's not possible out of the box to use an LDAP server only. We need a RADIUS server with EAP-TLS enabled, otherwise it won't work.
