That’s pretty much what we did at USF too; it works well.

Toivo Voll
Network Administrator
Information Technology Communications
University of South Florida



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Mike Wiseman
Sent: Tuesday, October 12, 2010 16:17
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Active Directory and LDAP at the same time. Or... just LDAP with 802.1x.

LDAP *can* be used as the directory for PEAPv0/MS-CHAPv2 - there's some 
documentation for this at:

http://rnd.feide.no/2007/08/21/feide_and_eduroam/#id862569

My institution does not run a central AD and when we went to implement Eduroam, 
we implemented an LDAP environment to store the NTLMv2 hash for 802.1X. The 
goal was to eliminate the need for 3rd party supplicants. We did need to 
populate the LDAP with the hash ourselves, since our existing authentication 
infrastructure was a Kerberos backend and the NTLMv2 hash was not available 
from it.

Mike



Mike Wiseman
Manager, Information Security
Information + Technology Services
University of Toronto
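What "populating the LDAP with the hash" looks like in practice, as an added example (not code from the University of Toronto deployment or from the Feide write-up linked above): MS-CHAPv2's challenge response is derived from the NT password hash, which is MD4 over the UTF-16LE encoding of the password, so the RADIUS server needs either that hash or the cleartext password, and a plain LDAP bind against a Kerberos-backed directory gives it neither. The script below computes the NT hash and emits an LDIF change that writes it into the `sambaNTPassword` attribute; that attribute name and the sample DN are assumptions (the Samba schema convention that FreeRADIUS's ldap module maps to `NT-Password` by default), not something taken from the thread. MD4 is implemented inline because OpenSSL 3 ships it only in the legacy provider, so `hashlib.new("md4")` is not reliably available.

```python
import struct

# --- MD4 (RFC 1320), written out here because OpenSSL 3 keeps MD4 in its
# --- legacy provider and hashlib.new("md4") frequently raises ValueError.

def _rotl32(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 digest of data, returned as 16 raw bytes."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]

    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as 64-bit little-endian.
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    # (round function, additive constant, message-word order, per-step shift amounts)
    rounds = (
        (f, 0x00000000, range(16), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )

    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        s = list(state)
        for fn, k, order, shifts in rounds:
            for i, w in enumerate(order):
                j = (-i) % 4                      # register updated this step: a, d, c, b, a, ...
                x, y, z = s[(j + 1) % 4], s[(j + 2) % 4], s[(j + 3) % 4]
                s[j] = _rotl32((s[j] + fn(x, y, z) + words[w] + k) & 0xFFFFFFFF, shifts[i % 4])
        state = [(a + b) & 0xFFFFFFFF for a, b in zip(state, s)]

    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT password hash as used by MS-CHAPv2: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16le"))


def ldif_set_nt_hash(dn: str, password: str) -> str:
    """LDIF modify record storing the NT hash as 32 uppercase hex digits in sambaNTPassword.

    The attribute name follows the Samba schema convention; adjust it to whatever
    your RADIUS server's LDAP module maps onto NT-Password.
    """
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: sambaNTPassword\n"
        f"sambaNTPassword: {nt_hash(password).hex().upper()}\n"
    )


if __name__ == "__main__":
    # Constructed sample account: the DN is an assumption, not a real directory entry.
    print(ldif_set_nt_hash("uid=jdoe,ou=people,dc=example,dc=edu", "password"))
```

Two caveats before feeding the output to `ldapmodify`: the NT hash is password-equivalent (anyone who reads it can answer an MS-CHAPv2 challenge without knowing the password), so the attribute needs an ACL that lets only the RADIUS server's bind DN read it; and the hash has to be regenerated on every password change, which is why the Kerberos-backed sites in this thread hook their password-change path rather than doing a one-off bulk load.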



Here’s the backdrop for my questions:

For 802.1x authentication on the WLAN, we use PEAP w/ MS-CHAPv2, against our AD 
environment. This works wonderfully and always has.

The rub- we have a set of users not in AD- they are in our ED (LDAP). I’ll 
thank you not to ask why.

These LDAP credential folk cannot use the 802.1x setup as it is, as they are 
not in AD. LDAP lookups aren’t possible because PEAP w/ MS-CHAPv2 doesn’t work 
with LDAP.

Potential options:

- add support for TTLS/PAP against LDAP on a new SSID (yuck)
- add support for TTLS/PAP on current SSID to make it support two EAP types 
(never done it here)
- insist that everyone be AD (politics)
- insist that everyone be in LDAP and go to TTLS/PAP globally

This is not a terribly important issue right now, but looking down the road it 
will come up and so I’d like to get my thoughts lined up.

Does anyone else use a single SSID with two EAP types? Or have AD and LDAP both 
at play in any other way? Anyone using TTLS/PAP that can comment on its 
suitability and reliability versus PEAP w/ MS-CHAPv2?


Thanks-

Lee Badman

********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/. 