Here's the backdrop for my questions:

For 802.1x authentication on the WLAN, we use PEAP w/ MS-CHAPv2, against our AD 
environment. This works wonderfully and always has.

The rub- we have a set of users not in AD- they are in our ED (LDAP). I'll 
thank you not to ask why.

These LDAP credential folk cannot use the 802.1x setup as it is, as they are 
not in AD. LDAP lookups aren't possible because PEAP w /MS-CHAPv2 doesn't work 
with LDAP.

Potential options:

-         add support for TTLS/PAP against LDAP on a new SSID (yuck)
-         add support for TTLS/PAP on current SSID to make it support two EAP 
types (never done it here)
-         insist that everyone be AD (politics)
-         insist that everyone be in LDAP and go to TTLS/PAP globally

This is not a terribly important issue right now, but looking down the road it 
will come up and so I'd like to get my thoughts lined up.

Does anyone else use a single SSID with two EAP types? Or have AD and LDAP both 
at play in any other way? Anyone using TTLS/PAP that can comment on it's 
suitability and reliability versus PEAP w/ MS-CHAPv2?


Thanks-

Lee Badman


**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Reply via email to