
WLC integration with LDAP

Hi all and thank you in advance for any help/advice you might be able to offer....

I'm having problems getting a WLC (7.0.220.0) working using LDAP (Windows 2008). This evening, in an effort to troubleshoot the problem further, I have configured the customer's ASA to use LDAP too and run a test....as you can see below, the test works flawlessly (on the ASA).

aaa-server LDAP_TEST protocol ldap
aaa-server LDAP_TEST host x.x.x.x
 server-port 389
 ldap-base-dn OU=Users,OU=IT Dept (South),DC=yyy,DC=co,DC=zzz
 ldap-scope subtree
 ldap-login-password *
 ldap-login-dn CN=ldap,OU=Users,OU=IT Dept (South),DC=yyy,DC=co,DC=zzz
 server-type microsoft

ASA/act# test aaa-server authentication LDAP_TEST host x.x.x.x username ldap password password
INFO: Attempting Authentication test to IP address <x.x.x.x> (timeout: 12 seconds)
INFO: Authentication Successful
ASA/act#

Now, my understanding is that the ASA only supports PAP (clear text) as Authentication method when communicating to an LDAP server....while on the Controller, I am using EAP-FAST....so my understanding would be that only EAP-FAST/GTC or EAP-FAST/MSCHAPv2 (IF the LDAP server is setup to return a clear text password) are supported.

On the Controller, I am using the very same settings as I have used on the ASA (for the LDAP server configuration). However, users are still unable to Authenticate....they Associate, but do not Authenticate. The clients are all Windows 7 and are setup to use the in-built Cisco EAP-FAST as Authentication method. We are not using certificates.

The thing is that I'm pretty sure that both the Windows 7 clients and the Controller are setup correctly but, as I said, the clients are still unable to authenticate.

I guess that my questions are these:

- on the client side, you can setup the laptops to use "Any method" as authentication method...but how does this exactly work? do they try both EAP-GTC and EAP-MSCHAPv2 (i.e. if it can't authenticate through EAP-GTC will then try EAP-MSCHAPv2?)

- is it better to hardcode the clients to use EAP-GTC or EAP-MSCHAPv2 (instead of default "Any method")....when working on an LDAP environment

- how can I check that the MS 2008 server is indeed setup to "return a clear text password" if using EAP-FAST/MSCHAPv2 (and I do realize that this is probably a question for a Microsoft forum)

- how can I check that the LDAP server is configured to support EAP-GTC and/or EAP-MSCHAPv2?

Thanks again.
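One way to answer the question above about whether AD is actually set up to hand back a clear-text password is to audit the per-account userAccountControl attribute: the "Store password using reversible encryption" option sets bit 0x80 (ENCRYPTED_TEXT_PWD_ALLOWED), and only accounts with that bit set can supply the clear text that the WLC's EAP-FAST/MSCHAPv2 path needs. The script below is an added example, not from the original post or from Cisco; it reads a constructed LDIF export (as ldifde or ldapsearch would produce it, with only the base DN taken from the post) and lists the accounts that store their password reversibly.

```python
# Subset of the userAccountControl bit values documented by Microsoft; 0x80 is the
# bit that "Store password using reversible encryption" sets on an account.
UAC_FLAGS = {
    0x00002: "ACCOUNTDISABLE",
    0x00020: "PASSWD_NOTREQD",
    0x00080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
ENCRYPTED_TEXT_PWD_ALLOWED = 0x80

# Constructed sample export (not a real domain); the base DN is the one from the post.
SAMPLE_LDIF = """\
dn: CN=ldap,OU=Users,OU=IT Dept (South),DC=yyy,DC=co,DC=zzz
sAMAccountName: ldap
userAccountControl: 66048

dn: CN=wifi-user,OU=Users,OU=IT Dept (South),DC=yyy,DC=co,DC=zzz
sAMAccountName: wifi-user
userAccountControl: 640
"""

def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry; folded lines joined, base64 (::) not decoded."""
    entries, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():                      # blank line terminates an entry
            if current:
                entries.append(current)
            current, last_key = {}, None
        elif line.startswith(" ") and last_key:   # continuation of the previous attribute
            current[last_key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last_key = key.strip()
            current[last_key] = value.strip()
    if current:
        entries.append(current)
    return entries

def decode_uac(value):
    """Names of the known flags set in a userAccountControl integer, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def audit_reversible(ldif_text):
    """sAMAccountNames whose password is stored reversibly (ENCRYPTED_TEXT_PWD_ALLOWED set)."""
    return [e.get("sAMAccountName", e.get("dn", "?")) for e in parse_ldif(ldif_text)
            if int(e.get("userAccountControl", "0")) & ENCRYPTED_TEXT_PWD_ALLOWED]
```

Reversible storage can also be switched on domain-wide through the password policy, which does not set this per-account bit, so check that policy as well; either way, accounts flagged here hold a recoverable password and deserve the same scrutiny as any other weakened credential store.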

11 REPLIES

WLC integration with LDAP

For the ASA, it can do more than PAP, if it's a VPN user.

PAP—For all connection types.

CHAP—For L2TP-over-IPsec.

MS-CHAPv1—For L2TP-over-IPsec.

MS-CHAPv2—For L2TP-over-IPsec, and for regular IPsec remote access connections when the password-management feature is enabled. You can also use MS-CHAPv2 with clientless connections.

www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_aaa.html#wp1094668

But the WLC can't do any of the chap.  The below goes over one of the methods to get AD to return a clear text password.

http://technet.microsoft.com/en-us/library/ee799239%28CS.10%29.aspx

As for the client, I would force them to use EAP-Fast, and not let them choose which method they want to use.

HTH,

Steve

----------------------------------------------------------------------------------------------------------

Please remember to rate helpful posts or to mark the question as answered so that it can be found later.


WLC integration with LDAP

Hi Steve,

You mention that the WLC can't do any of the chap....however, Cisco's documentation seems to say otherwise..? or am I not understanding the documentation correctly?

From Cisco:

Local EAP can use an LDAP server as its backend database to retrieve user credentials.

An LDAP backend database allows the controller to query an LDAP server for the credentials (username and password) of a particular user. These credentials are then used to authenticate the user.

The LDAP backend database supports these Local EAP methods:

  • EAP-FAST/GTC
  • EAP-TLS
  • PEAPv1/GTC.

LEAP, EAP-FAST/MSCHAPv2, and PEAPv0/MSCHAPv2 are also supported, but only if the LDAP server is set up to return a clear-text password. For example, Microsoft Active Directory is not supported because it does not return a clear-text password. If the LDAP server cannot be configured to return a clear-text password, LEAP, EAP-FAST/MSCHAPv2, and PEAPv0/MSCHAPv2 are not supported.

Thanks,

Santi

WLC integration with LDAP

That is the negotiation between the clients, not the WLC handshake to the AD for the credentials.

Basically, the WLC does not understand the format that AD stores the credentials.  *correct it's not chap, should be LM-Hash or NT-Hash*

So unless you go and tell AD to not store the password in the LM-Hash format, you can't make an LDAP call to the WLC at this time.

http://support.microsoft.com/kb/299656

The above talks about disabling the LM-Hash.

HTH,

Steve


Re: WLC integration with LDAP

Hi,

I'm really sorry, but I still don't fully understand....

- in my case, it is clear that ASA to LDAP works (i.e. the ASA can query the DB successfully) but WLC to LDAP doesn't. Could someone explain to me why this is, i.e. what does the ASA do differently (from the WLC) when talking to the LDAP server?

- also, my understanding is that the (wireless) clients use (in this case) EAP-FAST for Authentication between the client and the WLC....and then, the WLC queries the LDAP server to validate the username/password provided by the client. Is this correct?

- finally, if I also understand correctly, the problem that I am having is that the WLC is having problems retrieving/verifying the password provided by the client. I.e. the WLC does not understand the format in which LDAP/AD stores the password. Is this correct? And, if yes, again, why is the ASA test successful when querying the same LDAP server?

Thanks once more.

Santi

Sorry, one more thing.....we have also tried doing "Anonymous bind" from the WLC....and users still can't Authenticate.....again, this is because really we are having the same underlying problem....i.e. the WLC can talk to the LDAP server successfully but the WLC is still unable to understand the password as stored by LDAP/AD and therefore users can't authenticate.....is this correct?

Thanks.


WLC integration with LDAP

Did you get this to work, I am running into the same issue with ldap.

Re: WLC integration with LDAP

Basically, if you are using AD, you can't do an LDAP call from the WLC. The WLC doesn't understand the format in which AD stores the passwords.

If you can, you can turn a Microsoft server into an NPS and run your RADIUS authentication there.

Steve


Re: WLC integration with LDAP

So basically I need to run IAS on my server and also make it a CA, or can I get away without the certificates as you were trying to do?

Re: WLC integration with LDAP

You don't have to make it a CA, unless you want to do EAP-TLS. If you are just wanting to do PEAP, you can use the IIS 6.0 toolkit to create an SSC.

http://blog.samkendall.net/2011/10/13/creating-a-self-signed-certificate-on-windows-server-20082008-r2-without-iis/

Steve


WLC integration with LDAP

This is not an acceptable answer.  Steve, do you work for Cisco, or are you commenting on personal experience & knowledge?

I have had a working RADIUS configuration for 2 years+ of an ASA 5510 for authentication of AnyConnect SSL & IPSEC VPN clients with AD, and a WLC 2106 for authentication of WPA2-Enterprise w/802.1x certificates with AD.  Both were configured to communicate with the same RADIUS server, which is a Windows Server 2003 DC with IAS/RADIUS and a CA installed.  During the planning for installing a new Windows Server 2008 R2 DC, I decided to attempt to remove my reliance on RADIUS since authenticating directly with LDAP is becoming more common.  I was successfully able to configure our ASA to do direct LDAP queries to AD, but similar to "superduperlopez" and "rschwenderman", I have been unable to configure the WLC the same way.

I feel like the following line in Cisco's documentation is unsatisfactory:  "For example, Microsoft Active Directory is not supported because it does not return a clear-text password."

I would take this to mean that the ASA is working correctly due to either:

A) The ASA is accepting clear-text passwords from AD, and AD is configured to pass clear-text passwords, or
B) The ASA is not accepting clear-text passwords from AD, and AD is not configured to pass clear-text passwords

Now this would lead me to the following:

A) Cisco has not properly updated the WLC documentation to instruct users how to correctly configure the WLC to do backend LDAP queries, or
B) Cisco has not implemented the technology changes that were made in the ASA to the WLC

This frustrates the average network admin, as it is seen by us as "If the ASA can do it, why can't the WLC".  Also, don't get this confused with any "client" issues, as all that is being asked for is for the WLC to use a different backend "authentication" server while not modifying the client side at all.  The concept of "Local EAP" seems to fit, but doesn't work.

I would really appreciate someone giving some insight on this topic, as there are three customers on this forum post that have had the same problem within the last 2 months.

The previous posters, and myself, are not looking for someone to retype the documentation, but rather explain how it is working on one of Cisco's security products, but not the other.


Re: WLC integration with LDAP

WLC integration with LDAP needs.

Are there any updated posts that I have missed on this?

I do not want to have to run a RADIUS server if I can use my 2008 AD and LDAP setup.

I am going to be installing a Campus Manager and the setup for the WLC is causing me some concern.

Can anyone point me in the correct direction as to whether Windows 2008 LDAP will work with the WLC, and if so, are there any TIDs anywhere on this?

Thank you


Brian, did you ever figure

Brian, did you ever figure out how to get that thing going WITHOUT having to implement PKI throughout AD?

I believe the sticking point is that RADIUS always sends the passwords clear text -- you can see them with Wireshark -- but the answer why the ASA works and the WLC doesn't has to do with the WLC's need of a certificate on the RADIUS box. ASA authentication doesn't need any certificate business so the VPN authentication works just fine.

Now how does one order and import a well known CA's certificate onto the NPS box? I hear there is some toolkit to do that under the carpet? Fine, but where do you order the certificate? This isn't your run-of-the-mill Go Daddy SSL cert? It has to be a special type of certificate, with the EKU extension marked as Client Authentication purpose 1.3.6.1.5.5.7.3.2.
