How do you get client supplicants correctly configured when doing different 
EAP types on same network? Manually or via the likes of Cloudpath, referencing 
different types of users?

-Lee


 

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Reynolds, Walter
Sent: Tuesday, October 12, 2010 3:56 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Active Directory and LDAP at the same time. Or... 
just LDAP with 802.1x.

We have been using FreeRadius with TTLS/PAP which has been working fine 
(against Kerberos and not LDAP). We recently added support for PEAP/MSChapv2 on 
the same SSID without a problem.

---
Walter Reynolds
Principal Systems Security Development Engineer
ITS Communications Systems and Data Centers 
University of Michigan
(734) 615-9438


> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H
> Badman
> Sent: Tuesday, October 12, 2010 3:09 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Active Directory and LDAP at the same time. Or... just
> LDAP with 802.1x.
> 
> Here's the backdrop for my questions:
> 
> For 802.1x authentication on the WLAN, we use PEAP w/ MS-CHAPv2, against our
> AD environment. This works wonderfully and always has.
> 
> The rub- we have a set of users not in AD- they are in our ED (LDAP). I'll
> thank you not to ask why.
> 
> These LDAP credential folk cannot use the 802.1x setup as it is, as they are
> not in AD. LDAP lookups aren't possible because PEAP w/ MS-CHAPv2 doesn't work
> with LDAP.
> 
> Potential options:
> 
> - add support for TTLS/PAP against LDAP on a new SSID (yuck)
> - add support for TTLS/PAP on current SSID to make it support two EAP types
>   (never done it here)
> - insist that everyone be AD (politics)
> - insist that everyone be in LDAP and go to TTLS/PAP globally
> 
> This is not a terribly important issue right now, but looking down the road
> it will come up and so I'd like to get my thoughts lined up.
> 
> Does anyone else use a single SSID with two EAP types? Or have AD and LDAP
> both at play in any other way? Anyone using TTLS/PAP that can comment on its
> suitability and reliability versus PEAP w/ MS-CHAPv2?
> 
> 
> Thanks-
> 
> Lee Badman
> 
> ********** Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at
> http://www.educause.edu/groups/.
