03-27-2018 05:59 AM
I am trying to configure WPA-2 Enterprise against ldap service but it declines access. Where I can see logs in the IAP controller for that?
My config looks perfect to my knowledge but wifi access is not working, not sure what is wrong:
wlan ssid-profile test
 enable
 index 2
 termination
 type employee
 essid test
 opmode wpa2-aes
 max-authentication-failures 0
 auth-server ldapmaster
 rf-band all
 captive-portal disable
 dtim-period 1
 broadcast-filter arp
 dmo-channel-utilization-threshold 90
 local-probe-req-thresh 0
 max-clients-threshold 64

wlan ldap-server ldapmaster
 ip XXXX
 port 389
 admin-dn cn=readuser,dc=XXXX
 admin-password XXXXX
 base-dn cn=users,dc=XXXX,dc=XXXX
 filter (objectclass=*)
 key-attribute userPassword
Re: IAP ldap and WPA-2 Enterprise
04-03-2018 07:15 AM - edited 04-03-2018 07:16 AM
Since I couldn't find a way to see any ldap logs on the IAP, I started tcpdump on the ldap server to see what happened, and then I managed to find out that the key attribute is actually cn, not, as I was thinking, the attribute for the password.
Here are my findings:
- there are attribute descriptions which are hardcoded or something, which the ldap search command looks for:
- in my case the ldap search works correctly for the given username; however, since in the cn for that particular user we have the userPassword attribute, and also ntPassword and lmPassword, it matches 3 entries, not only one:
However it does not work. I tried to provide as password what is in the attribute lmPassword, which is in clear text, but it's not allowing me access. I think that it might be because it matches 3 fields, not only one, but I could not find where I can select which attributes to count as password. Also I am not sure if the password can be in unix crypt format... Any idea?
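To make the key-attribute finding above concrete, here is an added, constructed model of an LDAP-backed authenticator's user lookup (example code, not the IAP's own implementation). It assumes the common search-then-bind pattern: the configured filter is AND-ed with (key-attribute=username), searched under base-dn, and the password is only checked afterwards against the single DN found. The directory entries, DNs and attribute values are constructed sample data.

```python
"""Constructed model: how the key-attribute selects the user entry.

Assumed behaviour (not taken from the thread or from IAP docs): the
authenticator searches base-dn with (&(<filter>)(<key-attribute>=<username>))
and proceeds to the password check only if exactly one DN matches.
"""
import re

# Constructed sample directory: DN -> attributes (values are illustrative).
DIRECTORY = {
    "cn=alice,cn=users,dc=example,dc=com": {
        "objectclass": ["person"], "cn": ["alice"],
        "userPassword": ["{SSHA}constructed"], "lmPassword": ["constructed"],
    },
    "cn=bob,cn=users,dc=example,dc=com": {
        "objectclass": ["person"], "cn": ["bob"],
        "userPassword": ["{SSHA}constructed2"],
    },
}


def _attr_values(entry, attr):
    """LDAP attribute names are case-insensitive; return all values."""
    return [v for k, vals in entry.items() if k.lower() == attr.lower() for v in vals]


def _eval(filt, entry):
    """Evaluate a small LDAP filter subset: (a=v), (a=*), and (&(...)(...))."""
    if filt.startswith("(&"):
        parts = re.findall(r"\([^()]*\)", filt[2:-1])
        return all(_eval(p, entry) for p in parts)
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
    if not m:
        raise ValueError(f"unsupported filter: {filt}")
    attr, value = m.groups()
    vals = _attr_values(entry, attr)
    if value == "*":
        return bool(vals)  # presence filter, e.g. (objectclass=*)
    return value.lower() in (v.lower() for v in vals)


def lookup_user(base_dn, user_filter, key_attribute, username):
    """Return the DNs the authenticator would find for `username`."""
    combined = f"(&{user_filter}({key_attribute}={username}))"
    return [dn for dn, entry in DIRECTORY.items()
            if dn.lower().endswith(base_dn.lower()) and _eval(combined, entry)]


def lookup_verdict(base_dn, user_filter, key_attribute, username):
    """'ok' only when exactly one entry matches; otherwise explain the failure."""
    n = len(lookup_user(base_dn, user_filter, key_attribute, username))
    return "ok" if n == 1 else f"reject: {n} candidate entries for {username!r}"
```

With key-attribute userPassword the username is compared against the password attribute, so no entry matches and access is refused before any password check; with key-attribute cn the single user DN is found.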
07-18-2018 06:30 AM
So some progress here: actually my configuration for ldap is correct. If I use it in the captive portal it works. The problem apparently is that there is no EAP-TLS supported in this case. So it's not possible out of the box to use an ldap server only. We need a radius server with EAP-TLS enabled, otherwise it won't work.