LDAP authentication uses a backend Active Directory server or LDAP server
defined in your AAA Configuration to authenticate users. Additionally, some
protocols also require RADIUS server and client certificates to be used in
conjunction with LDAP authentication.
Supported Protocols: PAP, MsCHAP, PEAP, EAP-MsCHAPv2, and EAP-TTLS
with tunneled PAP.
PAP or EAP-TTLS with tunneled PAP protocols
During the authentication process, the Access Control engine sends an LDAP
bind request to the Active Directory domain controller using the password
retrieved from the end user’s authentication request. Therefore, the LDAP
protocol must be allowed between the Access Control engine and the Active
Directory domain controller for the authentication process to take place.
MsCHAP, PEAP, and EAP-MsCHAPv2 protocols
These three protocols work with Active Directory (and not other LDAP servers)
because they rely on the NT hash of the password, which is the same
password hash type used by the Microsoft Active Directory domain controller.
Local authentication uses a local password repository defined in your AAA
Configuration to authenticate users. Additionally, some protocols also require
RADIUS server and client certificates to be used in conjunction with local
When you add or edit a user in your local password repository, you can specify
the password hash type used to encrypt the user’s password in the Extreme
Management Center and NAC Manager databases.