ldap authentication on wlc 2504 for wireless clients
I'm trying to configure LDAP authentication for wireless clients. I found various documents describing LDAP setup, but they only seem to offer a portion of the config.
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-2/configuration/guide/cg/cg_security_sol.html Under the LDAP section, I have done all this.
Server Index 1
Server Address x.x.x.x
Port Number 389
Simple Bind Authenticated
Bind Username CN=xxxxxxc,OU=Denver,OU=CorpUsers,DC=xxxxx,DC=com
Bind Password xxxxx
Confirm Bind Password xxxxx
User Base DN DC=xxxxx,DC=com
User Attribute sAMAccountName
User Object Type Person
Secure Mode(via TLS) Enabled
Server Timeout 2 seconds
Enable Server Status Enabled
Local EAP profiles I have EAP-FAST & EAP-TLS
I am NOT using certs, so all those are unchecked.
Authentication Priority is LDAP
This part I am guessing on:
Layer 2 Security is set to 802.1x
Layer 3 is none
AAA servers, I have my LDAP server selected, local EAP auth enabled with my ldap profile selected, ldap as top item for authentication
I just get a message that says Windows was unable to connect to the wireless network.
It works fine if I change layer 2 security to WPA2 with a PSK.
I'm not certain that the LDAP request is even hitting the server. I am using authenticated bind, so I have NOT enabled anonymous authentication on the LDAP server and I'm not using certs.
Any ideas on what I'm missing to make LDAP auth work?
I have webauth to external server, redirect is fine, client enters credentials and gets passed back. We thought the LDAP auth was working but things fell apart; we were never seeing any LDAP requests. The client username is registered on the controller; this looks to be a dynamic addition.
I'm thinking anonymous bind and passing the cn attribute as the client "username".
I abandoned this altogether and determined it was easier to just configure radius and use NPS on the windows server to pass domain authentication. So I installed NPS and configured it to allow a specific windows group and it seems to be working fine. If not using certs I had to tell the wireless client profile to NOT check the cert as there is none. If you are a member of the domain and in that group you get authenticated automatically.