topic Re: WLC and AD integration without using external AAA server. in Wireless

WLC and AD integration without using external AAA server.

Adnan_Siddiqi — Mon, 05 Jul 2021 17:08:35 GMT

Hi Fellows ,

We have deployed WLC 3504 and Customer wants to give SSID access via AD credentials for employees . We have configured WLC for getting users authenticated via LDAP integration. But domain end user getting certificate errors.

Customer is not interested in installing Cisco PEAP across the organization.

Is it possible to get user authenticated via WLC and LDAP integration without Cisco PEAP ?

Or MS NPS or some external RADIUS is must for this ? Has WLC some limitations in this integration ?

Thanks in anticipation .

Adnan

Re: WLC and AD integration without using external AAA server.

Deepak Kumar — Wed, 27 Mar 2019 09:34:44 GMT

Hi,

Certificate error means you are using "LDAPS". Is it correct?

Follow this documents: https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_010101100.pdf

Meanwhile, you can do it with NPS as well.

Regards,

Deepak Kumar

Re: WLC and AD integration without using external AAA server.

Adnan_Siddiqi — Mon, 01 Apr 2019 08:12:56 GMT

Hi , Deepak

Thanks for your response.

The goal is : end user to connect the SSID using user@domain.com and AD Password ( Both Domain connected Systems and BYOD ) .

At start we don't want to add another Network Element like external AAA server and wanted to use WLC 's LDAP integration option to achieve the goal .

By Certificate error the connection gives digital certificate error I think this can be over by using PEAP ? Is there any limitation on WLC for using Only Cisco PEAP ? Can't we use default MS -PEAP

Re: WLC and AD integration without using external AAA server.

Adnan_Siddiqi — Mon, 01 Apr 2019 11:29:59 GMT

PFA error image

Re: WLC and AD integration without using external AAA server.

patoberli — Mon, 01 Apr 2019 15:54:45 GMT

This is a completely normal message and is always shown if you aren't already trusting this certificate on the client. You'd need an MDM solution for the client, where you first install the certificate in the trust store and assign it to the client-wireless profile and then connect.

Re: WLC and AD integration without using external AAA server.

Adnan_Siddiqi — Tue, 02 Apr 2019 07:20:12 GMT

I think PEAP is used to avoid Client side installation of Certificates.

Is there any way to work with MS PEAP which is available with normal installation of Wireless adapter ( Cisco PEAP is to be additionally installed again organization wide) , Authentication from WLC using AD as back end DB without any external RADIUS

or using MS PEAP at wireless client to get authenticated from AD requires ( mandatory ) NPS or Other External RADIUS ?

Thanks in anticipation

Re: WLC and AD integration without using external AAA server.

Deepak Kumar — Tue, 02 Apr 2019 07:58:45 GMT

Hi,

Thanks for making more clear. I think your certificate is not published on the AD group policies so it didn't push to the client. Try with making some changes in the client 's network interface as showing in below pic:

Uncheck the option: Verify the server identity by validating the certificate.

Regards,

Deepak Kumar

Re: WLC and AD integration without using external AAA server.

patoberli — Tue, 02 Apr 2019 08:12:45 GMT

I suggest to NOT uncheck this option, otherwise somebody else can create a copy of the SSID and phish the cleartext username+password of your domain users.
If the clients are managed, you can push a group policy containing the correct certificate to the Windows clients. If they are not managed, you can either program an installer that creates the profile and installs the certificate, or have the users click on Connect (after having verified that the certificate checksum matches the correct checksum, which you have documented somewhere.

Re: WLC and AD integration without using external AAA server.

Deepak Kumar — Tue, 02 Apr 2019 08:33:08 GMT

Hi,

I agree with you but he is testing the network and try to find out the root cause. If it will uncheck then we will get the root cause after that we can suggest him to push certificate on client's using the GPO.

Regards,

Deepak Kumar

Re: WLC and AD integration without using external AAA server.

Adnan_Siddiqi — Tue, 02 Apr 2019 10:07:40 GMT

Dear Deepak and patoberli :

Thanks for your continued support . We have to come to following understanding.

If we select Cisco PEAP on Client we don't need to push any certificate to end user and that's what we need . For MS-PEAP we would require certificates on the client side .

As Found on this link

https://community.cisco.com/t5/wireless-security-and-network/cisco-peap-vs-ms-peap/td-p/342607?attachment-id=105929

Combining with

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/211277-WLC-with-LDAP-Authentication-Configurati.html

I think we got the answer why MS PEAP won't work .

Now we have to test using Cisco PEAP only client side and using WLC as authentication server with AD as back end DB .