Lee, Perhaps you could setup the LDAP server as an external database for ACS and let ACS provide the RADIUS needed for 802.1x.
Bruce Osborne Liberty University From: Lee H Badman [mailto:lhbad...@syr.edu] Sent: Tuesday, October 12, 2010 4:01 PM Subject: Re: Active Directory and LDAP at the same time. Or... just LDAP with 802.1x. ACS on this end. ________________________________ From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Danner, Mearl Sent: Tuesday, October 12, 2010 3:23 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Active Directory and LDAP at the same time. Or... just LDAP with 802.1x. What kind of AAA server are you using? If IAS a possibility would be to set up a freeradius server to proxy the AD requests to IAS and handle the LDAP requests locally. I'm not sure if the configuration options in freeradius allow that configuration, but perhaps some of the Wireless Lan members that use freeradius can chime in. Disclaimer - We've been wholly IAS since we moved all of our users from eDirectory to AD and haven't used freeradius since. Mearl From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman Sent: Tuesday, October 12, 2010 2:09 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Active Directory and LDAP at the same time. Or... just LDAP with 802.1x. Here's the backdrop for my questions: For 802.1x authentication on the WLAN, we use PEAP w/ MS-CHAPv2, against our AD environment. This works wonderfully and always has. The rub- we have a set of users not in AD- they are in our ED (LDAP). I'll thank you not to ask why. These LDAP credential folk cannot use the 802.1x setup as it is, as they are not in AD. LDAP lookups aren't possible because PEAP w /MS-CHAPv2 doesn't work with LDAP. Potential options: - add support for TTLS/PAP against LDAP on a new SSID (yuck) - add support for TTLS/PAP on current SSID to make it support two EAP types (never done it here) - insist that everyone be AD (politics) - insist that everyone be in LDAP and go to TTLS/PAP globally This is not a terribly important issue right now, but looking down the road it will come up and so I'd like to get my thoughts lined up. Does anyone else use a single SSID with two EAP types? Or have AD and LDAP both at play in any other way? Anyone using TTLS/PAP that can comment on it's suitability and reliability versus PEAP w/ MS-CHAPv2? Thanks- Lee Badman ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
