topic Re: Cannot connect to LDAPs using WLC in Wireless

Cannot connect to LDAPs using WLC

wolff — Thu, 05 Jan 2023 13:00:21 GMT

We have a WLC, that we'd like to authenticate users against LDAP. However the WLC fails to establish a connection with the following error: Failed to start LDAP over TLS

The LDAP server itself is set up correctly. I have tried accessing it using an LDAP browser and that works just fine. Pinging the LDAP from the WLC also works, but somehow the LDAP connection itself fails. Sadly the above error is the only information I could get from the debug logs. It seems the WLC fails to establish a TLS connection at all and thus doesn't even get to the point of speaking LDAP. I have checked the manual, but cannot find anything that sounds like it could be the issue. Maybe the WLC is not trusting the LDAP's TLS certificate? If so, where would I add the cert to trust?

Device: Cisco 3504 Wireless LAN Controller
Software: 8.10.183.0

Re: Cannot connect to LDAPs using WLC

balaji.bandi — Fri, 09 Dec 2022 22:37:09 GMT

what WLC device and what code running:

look at the example video : (since we don't know what WLC and code running)

https://www.youtube.com/watch?v=ofdx1s180g4

https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/108008-ldap-web-auth-wlc.html#C2

Re: Cannot connect to LDAPs using WLC

wolff — Sat, 10 Dec 2022 13:14:30 GMT

Sorry. I have added the missing information to the question.

Re: Cannot connect to LDAPs using WLC

Rich R — Sat, 10 Dec 2022 15:10:37 GMT

For a start - update your code version to latest recommended by TAC just to eliminate know bugs - see links below.

Then get a packet capture to see which end is presenting what certificates and where it's failing.

See https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/managing_certificates.html#ID1794 for adding your server's root CA cert.

Re: Cannot connect to LDAPs using WLC

wolff — Tue, 13 Dec 2022 22:16:20 GMT

I had come across this article when looking for solutions, however it sounds like this is for CA-certs used for EAP. Is this really the right place to add a certificate to trust for TLS connections?

Re: Cannot connect to LDAPs using WLC

Rich R — Wed, 14 Dec 2022 02:02:10 GMT

Unless someone else knows better I can't see where else you could add them?

Re: Cannot connect to LDAPs using WLC

wolff — Mon, 19 Dec 2022 13:50:51 GMT

I guess… I'll add it there, and make a packet capture.

Re: Cannot connect to LDAPs using WLC

wolff — Thu, 05 Jan 2023 14:11:00 GMT

I have now made a packet capture and the WLC establishes a TCP socket and then immediately begins speaking LDAP (without creating a TLS-tunnel). I have set the option “secure mode (via TLS)”, as per the instructions in the manual, however that does not seem to cause the controller use LDAPs, instead it tries to perform a StartTLS extended operation (which fails, since the server speaks LDAPs and is still waiting for a TLS tunnel to be established). How do I configure the WLC for LDAPs?

Re: Cannot connect to LDAPs using WLC

Rich R — Fri, 06 Jan 2023 09:15:14 GMT

That is the only option - as defined in the LDAP standard - no other option on the WLC so you'll need to look at your server LDAP config.