New Member

WLC authentication based on AD/LDAP

Hello,

What are the possibilities for configuring a WLC to authenticate WLAN users based on their Active Directory user account?

Is this possible by setting up local EAP on the WLC?

I am looking for a solution that involves no changes to the Domain Controller and also no setting up of IAS/RADIUS.

WLC:2504

Thanks in advance,

8 REPLIES
Cisco Employee

WLC authentication based on AD/LDAP

Here you go:

Local EAP Authentication on the Wireless LAN Controller with EAP-FAST and LDAP Server Configuration Example

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml

Regards,

Jatin

~BR Jatin Katyal **Do rate helpful posts**
Cisco Employee

WLC authentication based on AD/LDAP

with AD

LEAP, EAP-FAST/MSCHAPv2, and PEAPv0/MSCHAPv2 are not supported because AD is not set to return the clear-text password.

---------------------------------------------------------------------------------------

Please make sure to rate correct answers

New Member

Re: WLC authentication based on AD/LDAP

So what are the other options if AD is not supported?

And what is the difference with this manual? Because AD is used.

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml

Cisco Employee

Re: WLC authentication based on AD/LDAP

The difference here is that we are talking about EAP-FAST with EAP-TLS, not MSCHAPv2, which is not supported as I have already mentioned.

-----------------------------------------------------------------------------------------

Please Don't forget to rate correct answers

New Member

Re: WLC authentication based on AD/LDAP

We are also thinking about implementing an open guest network. This network is open to connect to but when you connect to the internet you need to accept an agreement and login via a web page. Can this be done with the 2504 WLC?

Also web-filtering on the guest network has to be done. Which device would you recommend for this task?

Re: WLC authentication based on AD/LDAP

You can implement an open guest network and choose Passthrough under the Layer 3 security tab in the WLAN config (see image below) so the connected users see a page and press the "OK" button before they are able to go to the internet.

In that page you can write your Agreement so the users accept it by pressing the OK button.

You can modify the page by using a custom web-bundle: modify the pages in it, then upload it back to the WLC.

Here you'll find everything you need about how to do that:

http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70users.html#wp1049273

You also have the option to use an external page (rather than downloading a customized bundle) for your agreement. Here is a config example of how to use an external server for web-auth:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076f974.shtml

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"
New Member

Re: WLC authentication based on AD/LDAP

Thank you Amjad. Which device do you recommend for web filtering?

Re: WLC authentication based on AD/LDAP

Actually, this is outside my experience, and my answer below is what I usually "hear" from my security colleagues.

You may consider BlueCoat for web filtering. (I am not even sure if it is permitted to mention vendor names here.)

You can check and contact the vendor for their products. Choose what is best for you.

You can also search and ask on security forums if there are any other products.

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"