If you're using ACS with an external LDAP database then you're limited to EAP-FAST, PEAP-GTC, or EAP-TLS according to the ACS documentation. We did run into a similar problem but decided to access the user database via RADIUS instead (we have a proprietary, home-grown system which is accessible via RADIUS or LDAP), and ACS does allow the use of PEAP-MSCHAPv2 in that setup. If you're set on using ACS then your options are configuring the external user database as a LEAP Proxy RADIUS Server or having all the accounts locally on the ACS box.
Reference information here: http://tinyurl.com/5umk8l

--
Brandon Case, CCNA
Network Engineer, ITaP
Purdue University
[EMAIL PROTECTED]
Office: (765)49-67096
Mobile: (765)479-7597
Fax: (765)49-46620

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED]] On Behalf Of John York
Sent: Tuesday, July 22, 2008 5:01 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] PEAP/MS-CHAPv2 and LDAP problems

We have a Cisco WLC-4402 and ACS v4.1. Until recently we've been running our wireless wide open and using VPN for encryption, but want to move to WPA/WPA2 for all our clients. We will use the idEngines AutoConnect product to configure the clients (student machines) but I've run into problems just getting the wireless configured.

Since we want to use WPA, that means some flavor of EAP. The student data is on an LDAP server, so that means WPA/2-enterprise, no WPA-PSK. The Windows clients support EAP-TLS and EAP-PEAP(MSCHAPv2), but we don't want to bother with certificates on the client so EAP-TLS is out. It looks like EAP-PEAP(MSCHAPv2) is the way to go, but the Cisco WLC and ACS only support EAP-TLS, EAP-FAST or EAP-GTC. Cisco TAC's answer was, more or less, "Just install clients that have the Cisco Compatible Extensions (CCX)."

The SecureW2 client does support EAP-GTC. It also supports EAP-TTLS--the ACS supports PEAP/TLS, PEAP with TLS as an inner method. Don't know if those two are the same or not.

I'm sure someone has gotten this to work before. Does authenticating to an LDAP server mean we are forced to use EAP-TLS with client certs, install some client on the student machines, or is there another way?

John York
Network Engineer
Blue Ridge Community College

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.