WLC authentication based on AD/LDAP

May 18th, 2012

Hello,


What are the possibilities for configuring a WLC to authenticate WLAN users based on their Active Directory user account?


Is this possible by setting up local EAP on the WLC?


I am looking for a solution where there are no changes to the Domain Controller involved and also no setting up of IAS/RADIUS.


WLC:2504


Thanks in advance,

maldehne Sun, 05/20/2012 - 13:57
User Badges:
  • Cisco Employee

with AD

LEAP, EAP-FAST/MSCHAPv2, and PEAPv0/MSCHAPv2 are not supported because AD is not set to return a clear-text password.


---------------------------------------------------------------------------------------

Please make sure to rate correct answers

maldehne Sun, 05/20/2012 - 19:22
User Badges:
  • Cisco Employee

The difference here is that we are talking about EAP-FAST with EAP-TLS, not MSCHAPv2, which is not supported, as I have already mentioned.


-----------------------------------------------------------------------------------------

Please Don't forget to rate correct answers

GuidoBarendse88 Sat, 05/26/2012 - 07:14

We are also thinking about implementing an open guest network. This network is open to connect to, but when you connect to the internet you need to accept an agreement and log in via a web page. Can this be done with the 2504 WLC?


Also web-filtering on the guest network has to be done. Which device would you recommend for this task?

Amjad Abdullah Sun, 05/27/2012 - 03:04
User Badges:
  • Red, 2250 points or more

You can implement an open guest network and choose passthrough under the Layer 3 security tab in the WLAN config (see image below), so the connected users see a page and press the "OK" button before they are able to go to the internet.

In that page you can write your agreement so the users accept it by pressing the OK button.

You can modify the page by using a custom web bundle: modify the pages in it, then upload it back to the WLC.




Here you'll find all you need about how to do that:

http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70users.html#wp1049273



You also have the option to use an external page (rather than downloading a customized bundle) for your agreement. Here is a config example of how to use an external server for web-auth:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076f974.shtml



HTH


Amjad

Amjad Abdullah Sun, 05/27/2012 - 22:06
User Badges:
  • Red, 2250 points or more

Actually this is outside my experience, and my answer below is based on what I usually "hear" from my security colleagues.

You may consider BlueCoat for web filtering. (I am not even sure if it is permitted to mention vendor names here.)


You can check and contact the vendor for their products. Choose what is best for you.

You can also search and ask on security forums if there are any other products.


Regards,


Amjad
