How to configure Wireless Lan Controller (WLC) for Lightweight Directory Access Protocol (LDAP) authentication


Feb 25, 2015 8:51 PM
Jun 22nd, 2012


What is LDAP?

Lightweight Directory Access Protocol is ued to access directory servers. A directory server is a hierarchical, object oriented database (DB) (try to stay awake!). A simple example is the telephone directory, which consists of a list of names (of either persons or organizations) organized alphabetically, with each name having an address and phone number associated with it. Objects contain data comprised of attributes which are a set of key/value pairs. Refer to a DB as a tree. Distinguished Name (DN) is a unique name used to refer to a particular object in the DB tree. A DN is not an object!

A base DN is the base of the DB and is most commonly a DNS domain.

cn - Common Name

ou - Organizational Unit

dc - Domain Component

Containers – containers, OU’s, or domains and can “contain” other objects like user objects, group objects, and computer objects.

So for a user named John Smith…

cn=John Smith,ou=East,dc=company,dc=com - Distinguished Name for the user .

cn=John Smith - Relative Distinguished Name

dc=company,dc=com - DNS domain name (

ou=East - Organizational Unit where user "John Smith" resides

Default MS Containers

The default CN=Users and CN=Computers containers that are created when Active Directory is installed are not organizational units (OUs). Objects in the default containers are more difficult to manage because Group Policy cannot be applied directly to them. New user accounts, computer accounts, and security groups that are created by using earlier versions of user interface and command-line management tools, such as the net user and net computer commands, the net group command, the netdom add command where the /ou command is either not specified or supported, or Windows NT 4.0 tools such as User Manager for Domains, do not allow administrators to specify a target organizational unit and therefore create these objects in either the CN=Computers container or the CN=User container by default.

So if all of the users are in the “Users” Container, be aware that it would be CN=Users (the common name for the container Users) and not OU=Users.

How do I know what to query for?

The hardest part of this is configuring the LDAP server parameters correctly on the WLC. Our documents make a lot of assumptions that someone not familiar with LDAP will not understand right away. Use an LDAP browsing tool to get this information

LDAP Tools

It is important to have some sort of LDAP browsing tool. You can download lots of free LDAP browsers from the Internet. Examples include LDP which is included on the MS Server CD in the support\tools dir (or just Google it) as well as LDAP Admin by SourceForce (AAA uses this one a lot).


You can also do an anonymous bind, but almost no one does that.

Using LDP

Most want authenticated bind so that is what we are going to do! Once LDP is installed, you can just go to START>Run and type ‘ldp’.

You then want to select Connection>Bind

Have the customer bind using domain admin account credentials.


Once they have done that, you should see a screen similar to the following


Then select View>Tree and enter the correct Base DN and click OK.

In this example, the Base DN is DC=leesdeck, DC=com.

So if the customer’s AD setup is ‘’ then the Base DN would be DC=company, DC=com.


Once you have done that, you should see the Base DN in the upper left-hand side of LDP and be able to expand it out to find where the account you are going to use to bind to the LDAP server on the WLC.

In this example, we are using an account called ‘ldap’.


From this, we can see that the account resides under Users.  Again, notice that Users is a CN and not an OU.  

We know the base DN for the users is CN=Users,DC=leesdesk,DC=com.

A common user attribute is the sAMAccountName.   Case Sensitive!!!!

Object type is Person (notice in the ldp output is says objectClass.

You could use other attributes and object types, but these work.


What if I want to bind with an account that is not in the same container as my users?

You need to modify the bind username to reflect the location of the binding account


What if I have users in different containers?  Do I have to have all of my wireless LDAP users in the same container?

No, you can search the base DN


Overall Rating: 5 (1 ratings)
diego.porez Thu, 06/28/2012 - 06:40


I am implementing WEB AUTH with LDAP in a Cisco 2500 WLC version 7.0, I could help with the syntax (user base DN) in order to reach every user in the next tree active directory

bbiandov Wed, 10/01/2014 - 11:28

How do you allow multiple user attributes; in other words a user might choose to enter sAMAccountName or mail so how to you make it match the first one; then if it fails the second one and only then produce auth failure? Listing multiple LDAP servers with different user attributes does NOT work!

elonesampaio Fri, 08/29/2014 - 04:26

LDAP not connecting followed all the steps of the tutorial. help me friend

Antonio Rodriguez Wed, 02/25/2015 - 20:51

there are missing steps about how to associate ldap server to wian also what we have to do in the wireless client in order to get connected to this wlan.... please complete your tutorial!!


Login or Register to take actions

This Document

Posted June 22, 2012 at 11:16 PM
Updated June 23, 2012 at 8:14 AM
Comments:4 Overall Rating:5
Views:11758 Contributors:4

Related Content


Documents Leaderboard

Rank Username Points
Stephen Rodriguez
Nitin Mamgain
David Watkins

Trending Topics - Security & Network