Cisco Wireless - Aironet WAP and 2112 WLC. Questions regarding authentication and encryption

I am installing a Cisco WLC 2112 controller with 5 1142 Aironet WAPs. I have set up the network side of things but am having many questions regarding authentication. I wanted to understand how secure LDAP (Windows AD auth) is compared to IAS/NPS with Radius? Also how do the certificates work with both of these methods. Do I still need to install a root CA service if I want to use LDAP? Or is there a way to secure LDAP authentication without installing a CA server?

If anyone can help with this, I have a few more general questions, such as the recommended range of these 1142 WAPs, DHCP configuration, etc.

Thank you !

I can only comment on what I have read in regards to the LDAP configuration as I have never configured it myself, but I have configured RADIUS on these devices multiple times and I have even done graduate level research on RADIUS authentication on Cisco devices. In general, both methods use a form of EAP. The LDAP configuration will likely use EAP-FAST and RADIUS (with IAS or NPS) will use PEAP. Both of these protocols are very secure. The certificates appear to work fairly similarly as well. In both cases you will need an Enterprise Root CA. RADIUS has two options for how the certificate can be used: the clients can authenticate with username/password and verify a certificate that is on the RADIUS server itself, or clients can authenticate with a certificate installed on each client machine.

If you are going to use certificates then every machine needs to have a cert installed. LDAP is very nice and powerful, but keep in mind it can also be queried like a database, allowing a lot of information to be floating around. If you are that worried you should look into a WIPS setup or SNORT.
muniseeAuthor Commented:
Unfortunately we are trying to stay away from deploying a Radius server. Currently I am trying to get this deployed using a wildcard cert I have imported into the WLC and the client. Still, the instructions are vague when it comes to troubleshooting. I had tons of issues trying to import the PEM cert from our Root CA. I kept getting issues reading or importing the private key. I narrowed it down to the way OpenSSL converts the cert. And that doesn't make sense as Cisco TELLS you to use OpenSSL to do this. Either way, I am out of time and need to call Cisco. I will update this ticket with my progress. Thank you!
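A structural check of a PEM bundle before handing it to a controller, added here as an example and not code from the thread or from Cisco: it lists the blocks the file contains and flags a missing certificate or key, a body that is not valid base64, and a passphrase-protected key (a PKCS#8 ENCRYPTED PRIVATE KEY block or a traditional key carrying a Proc-Type: 4,ENCRYPTED header), which are common reasons an import complains that it cannot read the private key. The sample bundles are constructed; their bodies are not real certificates or keys.

```python
import base64
import binascii
import re

# One PEM block: BEGIN line, optional RFC 1421 headers, base64 body, then the matching END line.
_PEM_BLOCK = re.compile(r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def inspect_pem_bundle(text):
    """Return the block labels found in a PEM bundle and a list of problems that commonly break an import."""
    blocks = []
    for m in _PEM_BLOCK.finditer(text):
        label = m.group("label")
        lines = m.group("body").splitlines()
        # Traditional (PKCS#1) keys encrypted by openssl carry "Proc-Type: 4,ENCRYPTED" and "DEK-Info" headers.
        headers = [ln for ln in lines if ":" in ln]
        b64 = "".join(ln.strip() for ln in lines if ":" not in ln)
        try:
            decodes = len(base64.b64decode(b64, validate=True)) > 0
        except (binascii.Error, ValueError):
            decodes = False
        encrypted = label == "ENCRYPTED PRIVATE KEY" or any(
            h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)
        blocks.append((label, decodes, encrypted))

    labels = [b[0] for b in blocks]
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if not any(lbl in KEY_LABELS for lbl in labels):
        problems.append("no private key block")
    for label, decodes, encrypted in blocks:
        if not decodes:
            problems.append(f"{label} body is not valid base64")
        if encrypted:
            problems.append(f"{label} is passphrase-protected")
    return {"labels": labels, "problems": problems}


# Constructed sample bundles (not real certificates or keys): each body is the base64 of a tiny DER SEQUENCE.
_FAKE_DER = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
GOOD_BUNDLE = (f"-----BEGIN CERTIFICATE-----\n{_FAKE_DER}\n-----END CERTIFICATE-----\n"
               f"-----BEGIN PRIVATE KEY-----\n{_FAKE_DER}\n-----END PRIVATE KEY-----\n")
ENCRYPTED_BUNDLE = (f"-----BEGIN CERTIFICATE-----\n{_FAKE_DER}\n-----END CERTIFICATE-----\n"
                    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    f"DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n{_FAKE_DER}\n-----END RSA PRIVATE KEY-----\n")
```

Run `inspect_pem_bundle(open("bundle.pem").read())` on the file you intend to import; an empty `problems` list means the bundle at least has the right shape.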
muniseeAuthor Commented:
Thanks all of you. I went with Radius after all. This was because LDAP doesn't support MSCHAPv2 and I didn't want to set my LDAP to clear text. So the Radius was our solution. Once I made that decision it was very easy to get configured and running. This has been a great intro to Wireless in the enterprise. I learned quite a bit.