I think we can run multiple EAP types on our ACS (v4.2), but TTLS/PAP is not 
one of them.  In fact, I don't think TTLS is supported at all.  It looks like 
EAP-GTC is on the list now, and might be kludged somehow.  I've found Cisco 
support for ACS to be awful--usually it takes me about 2 days to get anywhere, 
and the answer is almost always that it isn't supported.
Thanks
John

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman
Sent: Wednesday, October 13, 2010 8:59 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Active Directory and LDAP at the same time. Or... 
just LDAP with 802.1x.

Thanks, Jeroen.

I'll start looking into whether Cisco ACS can do multiple EAP types on a single 
network, and if they even support TTLS/PAP. I've not put a lot of time into 
this, but the feedback on the list has been very helpful (as always).

Regards-

Lee Badman

 
 

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Ingen Schenau, Jeroen 
van (ICTS)
Sent: Wednesday, October 13, 2010 8:41 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Active Directory and LDAP at the same time. Or... 
just LDAP with 802.1x.

> Does anyone else use a single SSID with two EAP types? Or have AD and
> LDAP both at play in any other way? Anyone using TTLS/PAP that can
> comment on its suitability and reliability versus PEAP w/ MS-CHAPv2?

We support both TTLS/PAP and PEAP with MS-CHAPv2 on our main SSID;
clients can use either method, but we (network admins) actually prefer
TTLS/PAP because it's a bit easier to troubleshoot and is slightly
faster. 

We're using the Radiator radius server, currently with several
authentication backends: internal LDAP, unix "shadow" files, external
radius hierarchy for eduroam, external LDAP to allow clients from a
neighboring institution, flat files for special user accounts...

What you want would be possible with Radiator and probably with other
Radius servers too (eg FreeRadius). Having a flexible, highly
configurable Radius server is the key here.

You can contact me (on or off list) for more details, if you want.


Regards,

Jeroen van Ingen
ICT Service Centre
University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
