Cisco 2100 Series Configuration Manual page 227

Chapter 5 Configuring Security Solutions
The LDAP backend database supports these local EAP methods: EAP-TLS, EAP-FAST/GTC, and
Note
PEAPv1/GTC. LEAP, EAP-FAST/MSCHAPv2, and PEAPv0/MSCHAPv2 are also supported but only
if the LDAP server is set up to return a clear-text password. For example, Microsoft Active Directory is
not supported because it does not return a clear-text password. If the LDAP server cannot be configured
to return a clear-text password, LEAP, EAP-FAST/MSCHAPv2, and PEAPv0/MSCHAPv2 are not
supported.
If any RADIUS servers are configured on the controller, the controller tries to authenticate the wireless
Note
clients using the RADIUS servers first. Local EAP is attempted only if no RADIUS servers are found,
either because the RADIUS servers timed out or no RADIUS servers were configured. If four RADIUS
servers are configured, the controller attempts to authenticate the client with the first RADIUS server,
then the second RADIUS server, and then local EAP. If the client attempts to then reauthenticate
manually, the controller tries the third RADIUS server, then the fourth RADIUS server, and then local
EAP. If you never want the controller to try to authenticate clients using an external RADIUS server,
enter these CLI commands in this order:
config wlan disable wlan_id
config wlan radius_server auth disable wlan_id
config wlan enable wlan_id
Figure 5-21
Figure 5-21
LDAP server
(optional)
OL-17037-01
provides an example of a remote office using local EAP.
Local EAP Example
WAN
Wireless LAN
Regional office
RADIUS server
Cisco Aironet
controller
Lightweight Access Point
Cisco Wireless LAN Controller Configuration Guide
Configuring Local EAP
IP
5-39