Wireless Access

  • 1.  LDAP Authentication with AP only AOS10

    Posted Apr 14, 2025 02:45 AM

    Hi, what is the pre-requisite for authentication with an LDAP server using AP-only AOS10? We are trying to authenticate using Windows with PEAP; is a captive portal necessary? I have read that PEAP is not supported and we need to use EAP-GTC, but I'm still not sure how and why.

    Thank you!



    ------------------------------
    AA
    ------------------------------


  • 2.  RE: LDAP Authentication with AP only AOS10

    Posted Apr 16, 2025 08:05 AM

    PEAP is strongly deprecated as the underlying technology is obsolete/cracked. EAP-GTC is probably even worse as the password goes plain in the tunnel and if you can trick a client to authenticate, you have access to the AD password.

    The reason that LDAP doesn't work directly is that for LDAP authentication you would need the user's password to authenticate to the LDAP server; in MSCHAPv2 (used in PEAP) a password hash is used, but that cannot be verified with an LDAP server. So the protocols are incompatible; and with passwords being phased out more and more, I would try to move to the more secure EAP-TLS with client certificates instead of passwords.

    I'm not even sure if AOS10 can do EAP-GTC with an LDAP backend, but I never tried, as I would not even consider it.



    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
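The incompatibility described in this reply, as an added illustration (example code written for this page, not from the poster or from HPE Aruba Networking): a simplified model in which SHA-256/HMAC stand in for the MD4/DES arithmetic of real MSCHAPv2, and where the backends, the user "alice" and her password are constructed. It shows why a bind-only LDAP backend can verify an EAP-GTC/PAP inner method but not MSCHAPv2, and what the tunnel endpoint learns in each case.

```python
import hashlib
import hmac

def pw_hash(password):
    """Stand-in for the NT hash the Windows supplicant derives from the password."""
    return hashlib.sha256(password.encode()).digest()

class LdapBindBackend:
    """Plain LDAP: the RADIUS side can only ask 'is this plaintext right?' via a simple bind."""
    def __init__(self, users):
        self._hashes = {u: pw_hash(p) for u, p in users.items()}
    def bind(self, user, password):
        stored = self._hashes.get(user)
        return stored is not None and hmac.compare_digest(stored, pw_hash(password))

class AdNpsBackend(LdapBindBackend):
    """AD behind NPS (hypothetical model): same directory, but the RADIUS side can obtain the stored hash."""
    def get_hash(self, user):
        return self._hashes.get(user)

def client_mschap_response(password, challenge):
    """Supplicant side of MSCHAPv2: proves knowledge of the hash; the plaintext never leaves the client."""
    return hmac.new(pw_hash(password), challenge, "sha256").digest()

class RadiusServer:
    def __init__(self, backend):
        self.backend = backend
        self.seen_plaintext = []  # what the tunnel endpoint learns (the EAP-GTC concern above)
    def auth_gtc(self, user, password):
        """EAP-GTC/PAP inner method: the plaintext arrives, so a bind-only backend suffices."""
        self.seen_plaintext.append(password)
        return self.backend.bind(user, password)
    def auth_mschapv2(self, user, challenge, response):
        """MSCHAPv2 inner method: only a hash-based proof arrives; without the hash there is nothing to check."""
        if not hasattr(self.backend, "get_hash"):
            return None  # nothing to bind with and nothing to recompute from
        stored = self.backend.get_hash(user)
        expected = hmac.new(stored, challenge, "sha256").digest() if stored else b""
        return hmac.compare_digest(expected, response)

def run_demo(users=None):
    # Constructed scenario: one user, both backends, both inner methods.
    users = users or {"alice": "Correct-Horse"}
    chal = bytes(range(16))  # constructed server challenge (real servers use random bytes)
    resp = client_mschap_response("Correct-Horse", chal)
    ldap, nps = RadiusServer(LdapBindBackend(users)), RadiusServer(AdNpsBackend(users))
    return {"gtc_over_ldap": ldap.auth_gtc("alice", "Correct-Horse"),
            "gtc_exposes_plaintext": ldap.seen_plaintext,
            "mschapv2_over_ldap": ldap.auth_mschapv2("alice", chal, resp),
            "mschapv2_over_nps": nps.auth_mschapv2("alice", chal, resp)}
```

`run_demo()` returns True for GTC over LDAP (with the plaintext now sitting on the RADIUS side), None for MSCHAPv2 over LDAP, and True for MSCHAPv2 once a hash-capable backend is available.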



  • 3.  RE: LDAP Authentication with AP only AOS10

    Posted Apr 17, 2025 02:47 AM

    Thanks for your answer! My customer does not have a RADIUS server and only has an LDAP server; is there any way to authenticate Windows devices directly to it? I think I once tried to do the same thing with controller-based AOS8, but I'm not sure how to do it in AOS10.



    ------------------------------
    AA
    ------------------------------



  • 4.  RE: LDAP Authentication with AP only AOS10

    Posted Apr 17, 2025 11:51 AM

    Practically, you would need a RADIUS server. I would not go the LDAP/EAP-GTC direction, nor do PEAP. If the LDAP server is Active Directory, you may install NPS (AD Network Policy Server), which offers RADIUS; but implementing ClearPass or using Central Cloud Authentication and Policy may be easier if you don't have the knowledge of NPS.



    ------------------------------
    Herman Robers
    ------------------------------