Configure PEAP Authentication via OpenLDAP in ExtremeCloud IQ Site Engine


This Help topic provides instructions for configuring NAC Manager to authenticate PEAP, MsCHAP, and MsCHAPv2 requests by checking the username and password using an OpenLDAP server.

In ExtremeCloud IQ Site Engine, create an LDAP configuration that defines access to OpenLDAP.

  1. Access the Control > Access Control tab.
  2. Expand Configurations > AAA in the left panel and select LDAP Configurations.
  3. Select Add in the right panel.

    The Add LDAP Configuration window opens.
  4. In the OU Object Classes field, enter the Populate OpenLDAP Defaults option.
  5. Configure the LDAP configuration to do a password lookup. There are three ways to do this:
    • Have the password encryption on the OpenLDAP server set to use clear text passwords. Then, in your LDAP configuration, set the User Authentication Type field to Plain Text Password Lookup and the User Password Attribute to userPassword (which is the default).
    • Use an NT Hashed password. OpenLDAP does not support NT Hash or LM Hash as encryption types for user passwords, so you must modify your user password update script or web page to set the password for the user, create the desired hash of the password, and store that hash in a newly defined attribute. With this method, set the User Authentication Type in the LDAP configuration to NTHash Password Lookup, and set the User Password Attribute to the attribute you selected for storing the NT Hash or LM Hash of the password.
    • If your ExtremeControl deployment only requires authentication via captive portal Registration, then the User Authentication Type should be set to LDAP Bind for ease of deployment.
  6. In your Advanced AAA Configuration, add an entry that uses this LDAP configuration. The configuration allows ExtremeControl to verify the user's password from the PEAP/MsCHAP/MsCHAPv2 request.