LDAP Configuration with WLAN Controller 5508

Unanswered Question
Apr 29th, 2013

Dear Friends;

We have 5508 controller (redundant) & would like to configure Staff vlan to get authenticate with active directory.i am new to the controller device & want to configure controller with active directory (windows 2012).

Please share the documents, steps or your ideas for the below scenario.

5508 controller (Active & Standby) with 48 Access Point.(configuration Done)

Guest Vlan (only for internet Access) controller based web authentication configured.

Staff Vlan   ( inside & outside ). Need to configure with LDAP authentication??

Thanks

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
David Watkins Mon, 04/29/2013 - 13:35

You will likely want to avoid LDAP authentication for backend lookup with Local EAP due to EAP method limitations.

The LDAP backend database supports these Local EAP methods:

  • EAP-FAST/GTC

  • EAP-TLS

  • PEAPv1/GTC.

- http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml

Unless you're using EAP-TLS, windows clients will be out of luck if using the native supplicant.

You should consider configuring NPS on your MS 2012 server so you can choose PEAP/MSchapv2 or EAP-TLS and authenticating to it as a RADIUS server rather than LDAP.

LDAP gets messy for use with Local EAP as it is very basic in functionality.  You will not be able to offer lookups to various OUs etc; everything will be bound to a "single" container.

johncaston_2 Mon, 04/29/2013 - 21:55

Hi,

The normal approach to authenticate users against AD is to configure a RADIUS server, I normally use the IAS (Win2k3) or NPS (Win2K8) service on the Windows Server to do this, then you can select the conditions that you want to authenticate against, e.g. Windows security groups, SSID, etc

On the WLC you just need to specify the RADIUS server under the Security tab and under the WLAN, select 802.1X as the authentication type and pick the RADIUS server under the AAA tab

If you have a good Certificate Authority structure within your environment then you're best to use EAP-TLS, failing that PEAP is a legitimate option and is much simpler to deploy.

You can use this to authenticate both computer and user

Hope that helps,

Cheers,

John

jawedparkar Tue, 04/30/2013 - 00:13

Thank you for suggestion,

correct me if im wrong, as per above comments i understood that Radius will be better than configuring LDAP.

Please explain more about radius that how the LDAP user will authentic through Radius.

Do i need to create separate user account for radius or user will get authenticate with existing AD accounts. this is confusing me little bit.

Thanks

johncaston_2 Tue, 04/30/2013 - 01:03

Here's an extract from the Cisco doc...

LEAP, EAP-FAST/MSCHAPv2, and PEAPv0/MSCHAPv2 are also supported,

but only if the LDAP server is set up to return a clear-text password. For example, Microsoft Active Directory is not supported because it does not return a clear-text password. If the LDAP server cannot be configured to return a clear-text password, LEAP, EAP-FAST/MSCHAPv2, and PEAPv0/MSCHAPv2 are not supported.

So Microsoft AD is not supported for a lot of these authentication types. (it's OK for Web Authentication)

RADIUS provides a standard interface and acts as the middle-man to AD and other user databases. RADIUS also allows you to pass attributes back to the WLC, so you can control levels of access.

Configuring the RADIUS on the WLC is really simple, navigate to Security > RADIUS Authentications and add a server - just enter the IP address and a shared password - that's it. You may also want to add the same server as a RADIUS Accounting Server

On the domain controller, install the IAS or NPS service. Once installed, add the WLC as  RADIUS client (enter the management IP address of the WLC and the same shared password)

Create a Policy on the IAS/NPS, usually you will specify the security group (e.g. Domain Users), plus any other conditions you may wish to add (just leave it with Domain Users for testing)

You'll also need to specify the authentication you want to use - I'd suggest PEAP/MSChapv2 (you'll need a cert on your server) - just follow the online help

On the WLC, configure the WLAN and specify WPA2 with AES (typically) and select 802.1X for the Authentication Key Management.

Go to the AAA Servers tab and select the RADIUS server from the drop down list

Those are the basic steps and it should pretty much work, depending on your AD setup - if it doesn't work, check the event logs on the IAS / NPS server - it should tell you why it's failing

Follow this link for the Cisco doc

http://www.cisco.com/en/US/partner/products/ps6366/products_configuration_example09186a0080921f67.shtml

Good luck,

Cheers,

John

jawedparkar Tue, 04/30/2013 - 06:54

thanks lot john,

i configured as per the above link but windows 7 client not able to connect. below are logs if you could help me out.

*radiusTransportThread: Apr 30 16:46:24.001: c8:d7:19:16  Access-Reject received from RADIUS server  11.11.11.11for mobile c8:d7:19:16 receiveId = 9

*radiusTransportThread: Apr 30 16:46:24.001: c8:d7:19:16: [Error] Client requested no retries for mobile C8:D7:19:16

*radiusTransportThread: Apr 30 16:46:24.001: c8:d7:19:16: Returning AAA Error 'Authentication Failed' (-4) for mobile c8:d7:19:16:62:59

*Dot1x_NW_MsgTask_1: Apr 30 16:46:24.001: c8:d7:19:16  Processing Access-Reject for mobile c8:d7:19:16

*Dot1x_NW_MsgTask_1: Apr 30 16:46:24.001: c8:d7:19:16 Removing PMK cache due to EAP-Failure for mobile c8:d7:19:16:62:59 (EAP Id -1)

*Dot1x_NW_MsgTask_1: Apr 30 16:46:24.001: c8:d7:19:16: Sending EAP-Failure to mobile c8:d7:19:16

(EAP Id -1)

*Dot1x_NW_MsgTask_1: Apr 30 16:46:24.002: c8:d7:19:16: Entering Backend Auth Failure state (id=-1) for mobile c8:d7:19:16:62:59

*Dot1x_NW_MsgTask_1: Apr 30 16:46:24.003: c8:d7:19:16: Max AAA failure for mobile c8:d7:19:16:

*Dot1x_NW_MsgTask_1: Apr 30 16:46:24.003: c8:d7:19:16: Setting quiet timer for 5 seconds for mobile c8:d7:19:16:62:59

*Dot1x_NW_MsgTask_1: Apr 30 16:46:24.003: c8:d7:19:16:  dot1x - moving mobile c8:d7:19:16: into Unknown state

*osapiBsnTimer: Apr 30 16:46:28.963: c8:d7:19:16: 802.1x 'quiteWhile' Timer expired for station c8:d7:19:16:and for message = M0

*apfReceiveTask: Apr 30 16:46:33.963: c8:d7:19:16: Sending Accounting request (2) for station c8:d7:19:16:

*apfReceiveTask: Apr 30 16:47:33.963: c8:d7:19:16:apfMsAssoStateDec.

Stephen Rodriguez Tue, 04/30/2013 - 07:12

Access-Reject received from RADIUS server  11.11.11.11for mobile c8:d7:19:16 receiveId = 9

you need to go to the IAS/NPS and take a look at eventvwr in the Security logs and see why the server rejected the client.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

jawedparkar Thu, 05/02/2013 - 06:27

Thank you all for the support, finally the authentication is successfull after configuration & troubleshooting with MS NPS as a radius.

i am requesting again if you guide me on LWAPP & CAPWAP as i assigned ip address as follows to AP 3501i.

lwapp ap ip address  

or i need to assign ip address with capwap.

johncaston_2 Thu, 05/02/2013 - 10:05

Hi Jawed,

Are you sure that you want to manually configure the AP IP address? That doesn't scale very well and makes management a lot more difficult, I've always used DHCP to assign the IP address and inform the AP of the WLC's IP - then you just have to plug in and go, this is a much easier approach

You can either use DHCP on your core Cisco switch or use Microsoft DHCP. You need to configure the appropriate Vendor Class Identifiers (VCI) for the AP model, which can be a bit confusing the first time out but I've created my own guide that I can share if you like

In many cases I just leave the AP's on the default data vlan, so you can just plug into any switch port, again making life a bit easier

Cheers,

John

Abhishek Abhishek Fri, 05/03/2013 - 06:17

Hello Jawed,

As per your query i can suggest you the following solution-

Configure WLC for LDAP Server

Now that the LDAP server is configured, the next step is to configure the WLC with details of the LDAP server. Complete these steps on the WLC GUI:

Note: This document assumes that the WLC is configured for basic operation and that the LAPs are registered to the WLC. If you are a new user who wants to setup the WLC for basic operation with LAPs, refer to Lightweight AP (LAP) Registration to a Wireless LAN Controller (WLC).

1.In the Security page of the WLC, choose AAA > LDAP from the left-side task pane in order to move to the LDAP server configuration page.

In order to add an LDAP server, click New. The LDAP Servers > New page appears.

2.In the LDAP Servers Edit page, specify the details of the LDAP server, such as the IP address of LDAP server, Port Number, Enable Server status, and so on.

For more information refer to the link-

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a03e09.shtml#C2

Hope this will help.

Actions

This Discussion

Related Content

 
 

Trending Topics: Other Wireless Mobility

client could not be authenticated
Network Analysis Module (NAM) Products
Cisco 6500 nam
reason 440 driver failure
Cisco password cracker
Cisco Wireless mode