Cisco Support Community

New Member

Cisco WLC 4404/5508 Web Authentication by AD Security Groups

Hey

I'm searching for a solution to web authenticate users within a specific Active Directory Security Group. I tried to authenticate over RADIUS with Cisco Secure ACS and Network Access Restrictions, but NAR only works with Layer 2 authentication. And Web Authentication over LDAP can only be used with User Objects.

Any ideas?

best regards,

Marc      

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Cisco WLC 4404/5508 Web Authentication by AD Security Groups

Scott:

You and maldehne are saying the correct thing. However, this is some kind of limitation that Cisco should improve in the future. Classifying users based on groups in AD is more flexible than classifying based on OUs when using LDAP. If there is anything that can be implemented to classify users based on AD groups at the Layer 3 auth level, that will be very useful functionality for Cisco products.

Rating useful replies is more useful than saying "Thank you"
5 REPLIES
Hall of Fame Super Silver

Cisco WLC 4404/5508 Web Authentication by AD Security Groups

Are you trying to authenticate administrators of the WLCs to AD, or are you trying to use web authentication allowing access to the Security Group? If you are trying to use ACS to allow administrators to have access to the WLCs, then you would use ACS TACACS, not RADIUS. You would need role1=ALL as a shell profile for that policy and point to your Security Group in AD.

Do a search for role1=ALL on this forum and you will get many hits.

-Scott
*** Please rate helpful posts ***
New Member

Cisco WLC 4404/5508 Web Authentication by AD Security Groups

No, I want to control access over web authentication with AD Security Groups. With web authentication over LDAP, I cannot define security groups, only OUs.

Hall of Fame Super Silver

Re: Cisco WLC 4404/5508 Web Authentication by AD Security Groups

That is the same with IAS/NPS also; you have to point to an OU. I was thinking you specified a Security Group OU. The only workaround is to put the Security Group users in a new OU that RADIUS can be pointed to.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

Cisco Employee

Re: Cisco WLC 4404/5508 Web Authentication by AD Security Groups

Have those users only under a certain container on your LDAP server and use its DN as the user Base DN to be defined on the controller, thus restricting the search to that branch of the LDAP tree.
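Added example (not part of any reply in this thread, and not Cisco code): with the container workaround, the Base DN decides who is admitted, so the container has to be kept in step with the AD security group it stands in for. The sketch below audits that drift over constructed directory entries; the domain, OU, group and account names are hypothetical, and it assumes the controller's search covers the whole subtree under the Base DN.

```python
import re

def dn_parts(dn):
    """Split a DN into lower-cased RDNs, honouring backslash-escaped commas (simplified)."""
    return [p.strip().lower() for p in re.split(r'(?<!\\),', dn)]

def under_base(dn, base_dn):
    """True if dn lies strictly below base_dn (assumed subtree search scope)."""
    d, b = dn_parts(dn), dn_parts(base_dn)
    return len(d) > len(b) and d[-len(b):] == b

def audit(entries, base_dn, group_dn):
    """Compare who the Base DN admits with who the security group names."""
    group = dn_parts(group_dn)
    admitted, members = set(), set()
    for e in entries:
        if under_base(e["dn"], base_dn):
            admitted.add(e["sAMAccountName"])
        if any(dn_parts(g) == group for g in e.get("memberOf", [])):
            members.add(e["sAMAccountName"])
    return {
        # Can pass web auth without being in the group: unintended access.
        "admitted_not_in_group": sorted(admitted - members),
        # In the group but outside the container: web auth will fail for them.
        "in_group_not_admitted": sorted(members - admitted),
    }

# Constructed sample data; example.local is a placeholder domain.
BASE = "OU=WebAuthUsers,DC=example,DC=local"
GROUP = "CN=Wifi-WebAuth,OU=Groups,DC=example,DC=local"
ENTRIES = [
    {"dn": "CN=Alice,OU=WebAuthUsers,DC=example,DC=local",
     "sAMAccountName": "alice", "memberOf": [GROUP]},
    {"dn": "CN=Bob,OU=Staff,DC=example,DC=local",
     "sAMAccountName": "bob", "memberOf": [GROUP]},
    {"dn": "CN=Carol,OU=Temp,OU=WebAuthUsers,dc=example,dc=local",
     "sAMAccountName": "carol", "memberOf": []},
    {"dn": "CN=Dave\\, Jr,OU=WebAuthUsers,DC=example,DC=local",
     "sAMAccountName": "dave", "memberOf": [GROUP]},
]

if __name__ == "__main__":
    for finding, users in audit(ENTRIES, BASE, GROUP).items():
        print(f"{finding}: {users}")
```

In practice the entries would come from an export of the user objects with their `distinguishedName`, `sAMAccountName` and `memberOf` attributes; nested group membership is not resolved here.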
