Onboard RADISU with peap/MSCHAPv2 and LDAP

// Expert user has replied.
Y Yoshihiro Sato 3 years 5 months ago
0 2 0

Hi

 

Has anyone tried PEPA and MSCHAPv2 with Integrated RADIUS through LDAP?

(Onboard RADIUS is configured with PEAP and MSCHAPv2 and Auth data source is configured as LDAP)

Our partner is checking this with RFS v4.3.

Although they fixed "invalid credential" issue, the wireless client could not associate successfully...

 

If changing to 802.1x(external RADIUS: Microsoft IAS ) with same ID & password, this client could associate successfully.

So the username and password does not seem to be the issue.

 

This might be RFS configuration issue or Windows 2003 AD configuration issue.

 

Please let me know if we have HOW-TO documents (or something) or check points for troubleshooting?

 

What we saw through wireshark was "result(0)" from AD...

 

Your input would be greatly appreciated.

 

Thanks in advance
Please Register or Login to post a reply

2 Replies

C Chris Frazee 5 years 4 months ago

Hello Sato-san,       I have successfully configured the RFS6K v4.3 using the internal radius with PEAP/MSCHAPv2 and LDAP to 2003 and 2008 server.
To get PEAP MSCHAPv2 to work you need to have the Wireless Controller join the domain...

 

Basically configure LDAP then select the LDAP auth. Set the protocol to PEAP MSCHAPv2 and additional fields will become active below the LDAP config. Enter your NetBIOS domain name + administrator username and password.

 

 

You must have Groups defined within AD and users must be assigned to these Groups. These same Groups need to be added on the RFS Internal Radius Groups. LDAP Group Verification needs to be enabled, from the Radius Server/Authentication screen as well.

 

If everything is correct the Wireless Controller will join the domain and will show up on the DC as a computer. Once this is done the Wireless Controller will use NTLM to authenticate users (using MSCHAPv2) and LDAP for group association. I will send you my lab configuration via e-mail. If you have any questions, please feel free to e-mail Sato-san. Chris Frazee

M Marcus Kurath 5 years 4 months ago

have not useed LDAP with MS-ChapV2 since this functionality is new tothe radius  Wing 4.x code in 4.3 but I have done it to authenticate a hotspot using the internal moto radius and the AD LDAP directory I have attached some notes which may help--keep in mind the syntax is very case sensitive. Remember you need to create a bind user and that user needs to be configured for password reversible encryption

CONTACT
Can’t find what you’re looking for?
Get in touch