BYOD, LDAP and PEAP make a nice combination, but getting the three to work together was a little tricky. Here are some hints:
1. If your identity store is a generic LDAP directory such as OpenLDAP or Lotus Notes LDAP, you must use PEAP-GTC as the inner (phase 2) authentication protocol. MSChap won't work against such a directory!
2. On Apple iOS you cannot choose which phase 2 authentication method the device uses. If you enable both MSChap and GTC on your ACS, an iOS device will pick MSChap, and the authentication is rejected. Disable the MSChap authentication protocol on the Cisco ACS; the iOS device then falls back to GTC and these devices start working.
3. Windows 7 has no native GTC support. If you want to authenticate against an OpenLDAP account database, you must install a third-party supplicant. If your laptop has an Intel wireless card, you can use the wireless utilities downloadable from the Intel website; after installing them, GTC is available as an authentication method.
4. If you see a lot of "EAP timeout" errors in your ACS log file, try raising the EAP timeout value in the wireless settings (i.e. on the WLAN controller) from 2 seconds (the default) to 10 seconds.
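Hints 1 to 3 all come down to which inner method the client picks and whether the identity store can verify it. The Python model below, an added illustration that is not code from this post or from Cisco ACS, shows why: GTC hands the password to the server inside the TLS tunnel so a plain LDAP bind suffices, whereas MSChap only yields a challenge/response that the server can recompute if it has a password-derived secret, which a generic LDAP directory never hands out. The HMAC-SHA256 challenge/response is a stand-in for the real MS-CHAP NT-hash computation, the client preference tables follow the observations in the post (the Intel-utility ordering is an assumption), and the account is constructed.

```python
import hashlib
import hmac
import os


class OpenLdap:
    """Generic LDAP store: it can only answer a bind, i.e. 'is this password right?'."""

    def __init__(self, users):
        self._users = users  # constructed sample accounts: user -> password

    def bind(self, user, password):
        return self._users.get(user) == password

    def password_secret(self, user):
        # A generic directory does not expose any password hash to the RADIUS server.
        raise PermissionError("LDAP exposes no password-derived secret")


class ActiveDirectory(OpenLdap):
    """AD-style store: a joined RADIUS server can obtain a password-derived secret
    (stand-in for the NT hash that MS-CHAP needs)."""

    def password_secret(self, user):
        return hashlib.sha256(self._users[user].encode()).digest()


def inner_auth(store, method, user, password):
    """Run the PEAP phase 2 method against the identity store; True on success."""
    if method == "GTC":  # password travels inside the TLS tunnel -> plain LDAP bind
        return store.bind(user, password)
    if method == "MSCHAP":  # server sees only a response and must recompute it
        challenge = os.urandom(16)
        client_key = hashlib.sha256(password.encode()).digest()
        response = hmac.new(client_key, challenge, "sha256").digest()
        try:
            expected = hmac.new(store.password_secret(user), challenge, "sha256").digest()
        except PermissionError:
            return False  # hint 1: ACS cannot verify MSChap against OpenLDAP
        return hmac.compare_digest(response, expected)
    raise ValueError(f"unknown inner method {method}")


# Hint 2: iOS cannot pin phase 2 and takes MSChap whenever the ACS offers it.
# Hint 3: native Windows 7 speaks only MSChap; the Intel utilities add GTC (order assumed).
CLIENT_PREFERENCE = {
    "ios": ["MSCHAP", "GTC"],
    "win7_native": ["MSCHAP"],
    "win7_intel": ["GTC", "MSCHAP"],
}


def peap_login(store, acs_methods, client, user, password):
    """Return (chosen inner method, accepted) for the inner methods enabled on the ACS."""
    for method in CLIENT_PREFERENCE[client]:
        if method in acs_methods:
            return method, inner_auth(store, method, user, password)
    return None, False  # no inner method in common


USERS = {"alice": "s3cret"}  # constructed sample account
```

With `OpenLdap(USERS)` and both methods enabled, `peap_login(..., "ios", ...)` returns `("MSCHAP", False)`; with only `{"GTC"}` enabled it returns `("GTC", True)`, while the native Windows 7 client then has no method in common.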