You could try a different Radius server... we use Radiator
(http://www.open.com.au/radiator/) but e.g. FreeRADIUS
(http://freeradius.org/) is also a good choice. Both support a wide
variety of EAP methods, including PEAP and EAP-TTLS. Actually, we
support both on our wireless network (but prefer EAP-TTLS). Our Radius
servers authenticate clients using PEAP against an LDAP server and
clients using EAP-TTLS against a UNIX password file, but EAP-TTLS is
also possible against LDAP.

Also worth browsing: www.eduroam.org. Even if your institution does not
join the eduroam federation, the cookbook on the site contains useful
information about Radius setups.


Best regards,

Jeroen van Ingen
ICT Service Centre
University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands


----Original Message----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of John York
Sent: Wednesday 23 July 2008 15:56
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] PEAP/MS-CHAPv2 and LDAP problems

> That's pretty much what I've run into.  Do you know of something else
> I could use in place of ACS to query ldap?  We're part of the
> Virginia Community College System, and they own the student database
> and only provide ldap, so I'm stuck there.  If we don't install stuff
> on the student machines (SecureW2) and don't build a PKI for the
> students we're stuck with PEAP-MSCHAPv2--there's a collision in the
> middle at the ACS.      
> 
> I'm going to try SecureW2 with TTLS.  It says it supports PAP, and
> the ACS PEAP-GTC says it supports PAP, maybe I'll get lucky.  That
> still means installing SecureW2, tho.  
> 
> Thanks
> John
> 
> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:[EMAIL PROTECTED] On Behalf Of Case, Brandon J
> Sent: Wednesday, July 23, 2008 8:42 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] PEAP/MS-CHAPv2 and LDAP problems
> 
> If you're using ACS with an external LDAP database then you're
> limited to EAP-FAST, PEAP-GTC, or EAP-TLS according to the ACS
> documentation. We did run into a similar problem but decided to
> access the user database via RADIUS instead (we have a proprietary,
> home-grown system which is accessible via RADIUS or LDAP), and ACS
> does allow the use of PEAP-MSCHAPv2 in that setup. If you're set on
> using ACS then your
> options are configuring the external user database as a LEAP Proxy
> RADIUS Server or having all the accounts locally on the ACS box.  
> 
> Reference information here: http://tinyurl.com/5umk8l

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
