Occasional Contributor II

802.1x Auth with MS LDAP and MSCHAP

We currently have a semi-production 802.1x WPA2/AES with EAP-GTC working with a non-MS LDAP server in the back end....

I want to move the inner auth to MSCHAP and auth against a MS Server which is (so I'm told) synchronized with our non-MS LDAP server(s)....

I assumed I could just change the Aruba side config (and user side) to use MSCHAP and be good to go. Problem is, it still only works with EAP-GTC....

From the controller cli:
"aaa test server pap" - works
"aaa test server mschap" - fails

Syslog notes the following when a client using MSCHAP tries to auth:
ldapclient.c, ldap_auth_api:119: Invalid authentication protocol 4 for LDAP

So, my question really is, does Microsoft's LDAP use MSCHAP by default?
I'm thinking since user accounts are "pushed down/sync'd" that the passwords are not stored with NT-Hash....

Anyone currently doing 802.1x auth with a MS LDAP server?
Guru Elite

Microsoft Radius

If you want to migrate to MSCHAP, have you considered Microsoft's free IAS (Radius) server that is built into every version of Microsoft's Server platform? It supports MSCHAP straight out the box without any of the LDAP gymnastics.

MS LDAP does NOT support MSCHAP by default.

The easier path would be using IAS.

The ArubaOS 3.4.1 User Guide has detailed instructions on how to configure Microsoft IAS as a radius server starting on page 629.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Occasional Contributor II

Re: 802.1x Auth with MS LDAP and MSCHAP


Did some more Googling and found (as you mentioned):
- MS-CHAP is not used by any Microsoft products other than IAS for RADIUS

I guess RADIUS it is....