Hi,
As I've just read, Anonymous inband provisioning (phase0) requires
MSCHAPv2. Hence the phone and notebook will never be able to receive a
PAC if they are 1st configured to authenticate with a MS LDAP since we
will already disable MSCHAP from the supplicant setup. So in order for
this lab to work for the EAP-FAST portion, we either need to do what I
did or manually provision a PAC for the notebook. For the phone, no
choice, we need to authenticate with the local db of the WLC 1st
before we change to LDAP. Very tricky question.
Alvin
Quoting [email protected]:
Hi Jason,
This lab asked for local EAP to be authenticated with MS LDAP using
EAP-FAST-GTC and PEAP-GTC since MS LDAP doesn't support MSCHAPv2. For
PEAPv1, this is pretty straightforward, both phone and laptop connect
as long as the CA root cert is installed. However, for EAP-FAST I
noticed that I need to set up the phone and notebook to receive an
auto-generated PAC from the WLC using local net users before I can
swing over to authenticate via LDAP. If I do it the other way round,
authenticating via LDAP 1st without authenticating through local net
user, both the phone and notebook will fail authentication. Can anyone
verify this, as this affects the sequence of configuration and testing
of the connectivity during an actual lab?
Alvin
_______________________________________________
For more information regarding industry leading CCIE Lab training,
please visit www.ipexpert.com