Cisco Support Community
Community Member

Cisco WLC 2504 and ways to authenticate users

Hi All,

What are the ways to make users authenticate to the WLC 2504, what is the best and simplest way, and what are the differences between each method (I mean, for example, does it need a RADIUS server or something else to exist)?

And can anyone give me a case study for this issue?

The system consists of a Cisco 2504 and Cisco LAP 1140.

Thanks

1 ACCEPTED SOLUTION
Hall of Fame Super Silver

Re: Cisco WLC 2504 and ways to authenticate users

There is too much info that you require to write up in a forum. What you need to look at is the various ways to authenticate using 802.1X. These require a RADIUS server and usually tie back to AD.

In short... EAP-TLS requires a certificate on the RADIUS server and the clients. EAP-PEAP requires a certificate on the RADIUS server and uses machine or user AD credentials. These are the only two I would suggest you look at.

What you have to find out is what devices you have and what encryption and authentication methods those devices support.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
9 REPLIES
Community Member

Re: Cisco WLC 2504 and ways to authenticate users

Hi Scott,

Thanks for your support and help. I know I ask about a lot of things, but I also expect a lot of info. Greedy :)

What about this case:

Web Authentication Using LDAP on Wireless LAN Controllers (WLCs) Configuration Example

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a03e09.shtml

Is this the best way to do it (to just authenticate the users) with minimal configuration? Here I just need an LDAP server? Am I right?

What is the type of this method? Does it require a certificate?

Sorry for these many questions.

Thanks again for your help, really appreciated.

Hall of Fame Super Silver

Re: Cisco WLC 2504 and ways to authenticate users

I don't like using LDAP at all. If that's what you want and you want the easy way of doing things, then look at this doc.

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Hall of Fame Super Silver

Re: Cisco WLC 2504 and ways to authenticate users

You have more flexibility if you have Active Directory and a RADIUS server. Or else just do local EAP-PEAP on the WLC and put the usernames and passwords of the users in the WLC.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Hall of Fame Super Silver

Re: Cisco WLC 2504 and ways to authenticate users

Here is a good link for local EAP using PEAP.

http://mrncciew.com/2013/04/21/configuring-local-eap-on-wlc/

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Community Member

Re: Cisco WLC 2504 and ways to authenticate users

@Scott

Thanks for your advice, I will try it.

Community Member

Re: Cisco WLC 2504 and ways to authenticate users

We have various kinds of devices onboard, like iPads, laptops, etc., but we need to allow users to access some internal resources and access the company site (it is an intranet site). What LDAP method do you suggest? And how do I test it before deploying it?

On WLC OS version 7.5 I don't see a way to set it up. Is there a walkthrough kind of document?

Hall of Fame Super Silver

Re: Cisco WLC 2504 and ways to authenticate users

I don't use LDAP but rather use PEAP with a RADIUS server. EAP-TLS is a good authentication but requires certificates on both the RADIUS server and the clients. You can look at doing local EAP on the WLC. As far as restricting traffic, you will be better off creating ACLs on your layer 3 interface.

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Community Member

Re: Cisco WLC 2504 and ways to authenticate users

Implementing RADIUS-based authentication is the best practice for small and enterprise environments.

Information About RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol that provides centralized security for users attempting to gain management access to a network. It serves as a backend database similar to local and TACACS+ and provides authentication and accounting services:

• Authentication—The process of verifying users when they attempt to log into the controller.

Users must enter a valid username and password in order for the controller to authenticate users to the RADIUS server. If multiple databases are configured, you can specify the sequence in which the backend database must be tried.

• Accounting—The process of recording user actions and changes.

Whenever a user successfully executes an action, the RADIUS accounting server logs the changed attributes, the user ID of the person who made the change, the remote host where the user is logged in, the date and time when the command was executed, the authorization level of the user, and a description of the action performed and the values provided. If the RADIUS accounting server becomes unreachable, users are able to continue their sessions uninterrupted.

RADIUS uses User Datagram Protocol (UDP) for its transport. It maintains a database and listens on UDP port 1812 for incoming authentication requests and UDP port 1813 for incoming accounting requests. The controller, which requires access control, acts as the client and requests AAA services from the server. The traffic between the controller and the server is encrypted by an algorithm defined in the protocol and a shared secret key configured on both devices.

You can configure multiple RADIUS accounting and authentication servers. For example, you may want to have one central RADIUS authentication server but several RADIUS accounting servers in different regions. If you configure multiple servers of the same type and the first one fails or becomes unreachable, the controller automatically tries the second one, then the third one if necessary, and so on.

For more Information : http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_security_sol.html#wp2149947
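The post above describes RADIUS as a client/server protocol where the controller is the client and the shared secret protects the traffic. The following is an added example, not code from the thread or from Cisco: one Access-Request/Access-Accept exchange as defined in RFC 2865, showing how the User-Password attribute is hidden with the shared secret and how the client must verify the Response Authenticator on the reply. The secret, username and password are constructed sample values.

```python
# Added example, not from the thread: a RADIUS Access-Request/Access-Accept exchange
# per RFC 2865, showing User-Password hiding keyed by the shared secret and the
# Response Authenticator check the NAS (here the WLC) must make on the reply.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2              # packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2          # attribute types
RADIUS_AUTH_PORT, RADIUS_ACCT_PORT = 1812, 1813    # UDP ports named in the post

def _md5_xor_chain(data, secret, authenticator, hiding):
    # RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous
    # ciphertext block); the first block is keyed by the Request Authenticator.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        block = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        out += block
        prev = block if hiding else chunk      # chain on the ciphertext either way
    return out

def hide_password(password, secret, authenticator):
    padded = password + b"\x00" * (-len(password) % 16)   # pad to 16-byte multiple
    return _md5_xor_chain(padded, secret, authenticator, hiding=True)

def reveal_password(hidden, secret, authenticator):
    return _md5_xor_chain(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")

def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value   # Type, Length, Value

def build_access_request(ident, user, password, secret, authenticator=None):
    # Header: Code(1) Identifier(1) Length(2) Authenticator(16), then attributes.
    authenticator = authenticator or os.urandom(16)            # fresh random per request
    attrs = _attr(ATTR_USER_NAME, user) + _attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_access_accept(ident, request_auth, secret, attrs=b""):
    # Server side: ResponseAuth = MD5(Code+ID+Length + RequestAuth + Attributes + Secret).
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def response_is_authentic(response, request_auth, secret):
    # NAS side: a reply whose authenticator does not verify must be silently discarded.
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

Note that the "encryption" the post mentions only hides the password (MD5 keystream, no integrity on the request itself), which is why the strength of the shared secret and the Response Authenticator check on the reply matter.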
