If there aren't too many "ldap users", can you not just create an account on AD? Make them "special case"...
Ken Connell
Intermediate Network Engineer
Computer & Communication Services
Ryerson University
350 Victoria St RM AB50
Toronto, Ont M5B 2K3
416-979-5000 x6709

-----Original Message-----
From: Lee H Badman <lhbad...@syr.edu>
Sender: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tue, 12 Oct 2010 15:08:51
To: <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Reply-to: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Active Directory and LDAP at the same time. Or... just LDAP with 802.1x.

Here's the backdrop for my questions:

For 802.1x authentication on the WLAN, we use PEAP w/ MS-CHAPv2, against our AD environment. This works wonderfully and always has. The rub- we have a set of users not in AD- they are in our ED (LDAP). I'll thank you not to ask why. These LDAP credential folk cannot use the 802.1x setup as it is, as they are not in AD. LDAP lookups aren't possible because PEAP w/ MS-CHAPv2 doesn't work with LDAP.

Potential options:

- add support for TTLS/PAP against LDAP on a new SSID (yuck)
- add support for TTLS/PAP on current SSID to make it support two EAP types (never done it here)
- insist that everyone be AD (politics)
- insist that everyone be in LDAP and go to TTLS/PAP globally

This is not a terribly important issue right now, but looking down the road it will come up and so I'd like to get my thoughts lined up.

Does anyone else use a single SSID with two EAP types? Or have AD and LDAP both at play in any other way? Anyone using TTLS/PAP that can comment on its suitability and reliability versus PEAP w/ MS-CHAPv2?

Thanks-

Lee Badman

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
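The second of Lee's options, one SSID offering both PEAP/MS-CHAPv2 (verified against AD) and TTLS/PAP (verified by an LDAP bind against the ED directory), is a common RADIUS-side pattern. The reason MS-CHAPv2 cannot be checked against a plain LDAP directory is that the RADIUS server must hold or obtain the user's NT hash to verify the challenge-response; PAP delivers the password inside the TLS tunnel, so the server can simply bind to LDAP with it. The following is an added example written for this thread, not configuration from either poster or from their sites. It is shown in FreeRADIUS 3.x syntax and assumes the standard file layout (mods-available/eap, mods-available/mschap, mods-available/ldap, sites-available/inner-tunnel), a Samba winbind join to the AD domain for ntlm_auth, and placeholder hostnames, DNs and credentials that must be replaced.

```conf
# --- mods-available/eap -------------------------------------------------
# Both tunnelled methods are enabled on the same RADIUS server, so one SSID
# (one RADIUS client) can serve PEAP and TTLS supplicants side by side.
eap {
    default_eap_type = peap          # Windows/AD clients land here by default

    tls-config tls-common {
        private_key_file = ${certdir}/server.pem   # placeholder cert paths
        certificate_file = ${certdir}/server.pem
        ca_file          = ${cadir}/ca.pem
    }

    peap {
        tls              = tls-common
        default_eap_type = mschapv2          # inner method for AD users
        virtual_server   = "inner-tunnel"
    }
    mschapv2 { }

    ttls {
        tls              = tls-common
        default_eap_type = pap               # inner method for ED/LDAP users
        virtual_server   = "inner-tunnel"
    }
}

# --- mods-available/mschap ----------------------------------------------
# MS-CHAPv2 needs the NT hash; the domain controller computes the response
# check for us via winbind's ntlm_auth, so no hashes are stored locally.
mschap {
    use_mppe           = yes
    require_encryption = yes
    require_strong     = yes
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# --- mods-available/ldap ------------------------------------------------
# PAP inside TTLS gives us the cleartext password, so the ED directory can
# be checked with an LDAP bind as that user (no hash format dependency).
ldap {
    server   = "ldaps://ed.example.edu"                      # placeholder
    identity = "cn=radius,ou=service,dc=example,dc=edu"      # placeholder
    password = "REPLACE-ME"                                  # placeholder
    base_dn  = "dc=example,dc=edu"
    user {
        base_dn = "${..base_dn}"
        filter  = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
}

# --- sites-available/inner-tunnel ----------------------------------------
# Routing happens on what the tunnel actually carries: MS-CHAP attributes
# select the AD path, a User-Password attribute selects the LDAP-bind path.
server inner-tunnel {
    authorize {
        mschap                 # sets Auth-Type := MS-CHAP when MS-CHAP attrs are present
        -ldap                  # look the user up in ED; "-" keeps a missing module non-fatal
        if ((ok || updated) && User-Password) {
            update {
                control:Auth-Type := ldap    # PAP credential: verify by LDAP bind
            }
        }
        pap
    }

    authenticate {
        Auth-Type MS-CHAP {
            mschap             # AD users, via ntlm_auth
        }
        Auth-Type LDAP {
            ldap               # ED users, via bind-as-user
        }
        Auth-Type PAP {
            pap                # fallback only if a known-good password was found
        }
    }
}
```

The important operational check is that the two user populations actually end up on different branches: with `radiusd -X`, an AD user's request should show `Auth-Type = MS-CHAP` and a call to ntlm_auth, while an ED user's TTLS/PAP request should show the LDAP lookup followed by `Auth-Type = ldap` and a bind. The main cost of the single-SSID approach is on the client side, since supplicants must be provisioned for the right outer method (and should be configured to validate the server certificate), which is a reliability factor for TTLS/PAP on platforms that do not ship it natively.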