WLC integration with LDAP (Active Directory)

jain.nitin
Level 3

Hi All, I would like to integrate Active Directory with a wireless controller. Can anyone help me with this? How can I do this? What will be the settings for users' laptops? PEAP or LEAP?

11 Replies

huangedmc
Level 3

According to our SE, integration w/ Active Directory via LDAP is currently not supported.

It had something to do w/ how the password is wrapped...can't remember the details now.

We use ACS for AAA via RADIUS so it's not a problem for us.

If you have MS IAS that can support RADIUS then maybe that'll work.

I should've clarified... WLC supports Microsoft AD via LDAP, but only for EAP-FAST and EAP-TLS.

If you plan on using it for PEAP, it won't work.

I'm told a new maintenance release will be out in June.

Maybe the limitation will be removed then.

Open a TAC case or check w/ your SE to make sure my info is up to date.

Thanks for your help. Could you please let me know, if I integrate WLC with AD directly, what the configuration would be for Windows PCs? I mean like we configure PEAP for Windows wireless clients.

Thanks

PEAP + AD + Local EAP on controllers = not work.

PEAP + AD + controllers + RADIUS server = work just fine.

I don't understand then what the configuration would be on Windows client PCs/laptops if I integrate WLC with AD... any idea?

What settings, specifically, are you unsure about?

What I mean is, if I integrate WLC with AD directly without ACS, then what should the settings be on Windows clients' laptops? Like for PEAP there is an option to select PEAP and then MSCHAPv2 settings on client laptops.

I hope you got my point.

Here's what Cisco says about supported EAP methods for a Local EAP solution:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Local EAP can use an LDAP server as its backend database to retrieve user credentials.

An LDAP backend database allows the controller to query an LDAP server for the credentials (username and password) of a particular user. These credentials are then used to authenticate the user.

The LDAP backend database supports these Local EAP methods:

EAP-FAST/GTC

EAP-TLS

PEAPv1/GTC

LEAP, EAP-FAST/MSCHAPv2, and PEAPv0/MSCHAPv2 are also supported, but only if the LDAP server is set up to return a clear-text password. For example, Microsoft Active Directory is not supported because it does not return a clear-text password. If the LDAP server cannot be configured to return a clear-text password, LEAP, EAP-FAST/MSCHAPv2, and PEAPv0/MSCHAPv2 are not supported.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

GTC is not supported by default on Windows systems, so you would have to install a third-party wireless client such as Cisco CSSC.
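Why the Cisco text above draws the line where it does comes down to what each inner method needs from the backend: a GTC exchange hands the authenticator the cleartext password inside the TLS tunnel, so an LDAP bind against AD is enough to check it; an MS-CHAPv2 exchange hands the authenticator only a challenge response, so the authenticator must hold the password (or its NT hash) to recompute the expected response, and AD never returns that over LDAP. The simulation below is an added example written for this edit, not code from the thread, from Cisco, or from any controller. The `BindOnlyDirectory`, `ClearTextDirectory`, `authenticate_gtc`, `authenticate_mschapv2` and `run_matrix` names, the `jdoe` account and the fixed challenges are all constructed for illustration. The response function keeps the RFC 2759 challenge-hash step (SHA-1 over peer challenge, server challenge and username, truncated to 8 bytes) but substitutes HMAC-SHA256 keyed with the UTF-16LE password for the real DES-over-NT-hash computation so it runs on the Python standard library; the property being demonstrated, that only a party holding password material can produce or verify the response, is unchanged.

```python
import hashlib
import hmac

# Constructed sample directory content; not a real account.
USERS = {"jdoe": "Winter2024!"}

SERVER_CHALLENGE = bytes(range(16))      # fixed values so the walk-through is reproducible
PEER_CHALLENGE = bytes(range(16, 32))


class BindOnlyDirectory:
    """Models Active Directory reached over LDAP: the controller can only
    test a candidate password with a simple bind; the stored secret is
    never returned in a search result."""

    def __init__(self, users):
        self._users = users

    def bind(self, user, password):
        return hmac.compare_digest(self._users.get(user, ""), password)

    def get_cleartext(self, user):
        raise PermissionError("AD does not return the password over LDAP")


class ClearTextDirectory(BindOnlyDirectory):
    """Models an LDAP server configured to return userPassword in clear."""

    def get_cleartext(self, user):
        return self._users[user]


def challenge_response(password, user):
    """Stand-in for MS-CHAPv2 GenerateNTResponse (RFC 2759).  The real
    function hashes the two challenges plus the username with SHA-1 (done
    here) and then runs DES keyed with the MD4 NT hash of the password;
    HMAC-SHA256 keyed with the UTF-16LE password is substituted so this
    runs without a DES implementation.  Either way, computing or checking
    the response requires the password material."""
    chal = hashlib.sha1(PEER_CHALLENGE + SERVER_CHALLENGE + user.encode()).digest()[:8]
    return hmac.new(password.encode("utf-16-le"), chal, hashlib.sha256).digest()


def authenticate_gtc(directory, user, password):
    """PEAPv1/GTC or EAP-FAST/GTC: the supplicant sends the password inside
    the TLS tunnel, so the authenticator just binds with it."""
    return directory.bind(user, password)


def authenticate_mschapv2(directory, user, response):
    """PEAPv0/MSCHAPv2 or EAP-FAST/MSCHAPv2: the authenticator must
    recompute the expected response, which needs the password (or NT hash)
    from the backend.  Returns None when the backend cannot supply it."""
    try:
        stored = directory.get_cleartext(user)
    except PermissionError:
        return None
    expected = challenge_response(stored, user)
    return hmac.compare_digest(expected, response)


def run_matrix():
    """Exercise each inner method against each backend for a correct login."""
    results = {}
    for backend_name, directory in (("AD (bind only)", BindOnlyDirectory(USERS)),
                                    ("LDAP (cleartext)", ClearTextDirectory(USERS))):
        results[("GTC", backend_name)] = authenticate_gtc(directory, "jdoe", "Winter2024!")
        client_resp = challenge_response("Winter2024!", "jdoe")  # computed on the supplicant
        results[("MSCHAPv2", backend_name)] = authenticate_mschapv2(directory, "jdoe", client_resp)
    return results


if __name__ == "__main__":
    for (method, backend), outcome in run_matrix().items():
        shown = "cannot verify" if outcome is None else outcome
        print(f"{method:9s} via {backend:17s}: {shown}")
```

Running it shows GTC succeeding against both backends and MS-CHAPv2 succeeding only against the cleartext-returning LDAP server; against the bind-only model the authenticator has nothing to recompute the response from, which is exactly the "PEAP + AD + Local EAP = not work" outcome stated earlier in the thread. An external RADIUS server such as ACS or IAS sidesteps this because it verifies MS-CHAPv2 through its own domain integration rather than through an LDAP lookup, which is why "PEAP + AD + RADIUS server = work" holds.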

What's the purpose of Local EAP? I'm interested in whether I can configure WLC without Local EAP.

Ok, I understood. LDAP doesn't include EAP.