topic Re: GUI/CLI Access Authentication with 9800 WLC using LDAP in Wireless

GUI/CLI Access Authentication with 9800 WLC using LDAP

toy.thompson — Wed, 06 Mar 2024 08:34:06 GMT

Can I use LDAP to access the 9800 GUI / CLI?

Re: GUI/CLI Access Authentication with 9800 WLC using LDAP

Max Jobs — Wed, 06 Mar 2024 08:47:56 GMT

Hi Toy,

Yes, you can configure LDAP authentication for accessing both the GUI and CLI on a Cisco Catalyst 9800 Series Wireless Controller.

Configure LDAP Server:

aaa group server ldap LDAP_SERVER server X.X.X.X ldap attribute-map MY_LDAP_MAP

Define LDAP Attribute Map:

ldap attribute-map MY_LDAP_MAP map-name memberOf IETF-Radius-Service-Type map-value memberOf "CN=Admins,CN=Groups,DC=example,DC=com" Admin

In this example, the attribute map MY_LDAP_MAP maps the LDAP attribute memberOf to the local role Admin for users who are members of the LDAP group CN=Admins,CN=Groups,DC=example,DC=com.

Enable AAA Authentication:

aaa new-model aaa authentication login LDAP_AUTH group LDAP_SERVER local

Apply AAA Authentication to GUI/CLI:

*** Example for GUI ip http authentication aaa *** Example for CLI line vty 0 4 login authentication LDAP_AUTH

Hope it fits your request.

Re: GUI/CLI Access Authentication with 9800 WLC using LDAP

toy.thompson — Wed, 06 Mar 2024 09:06:16 GMT

Thanks for the feedback I will try it and provide feedback....I see you don't have any authorization method only authentication, I assume it will retrieve the relevant authorization level from the local admin role and the attribute map will be similar for local LobbyAdmin role

Re: GUI/CLI Access Authentication with 9800 WLC using LDAP

Max Jobs — Wed, 06 Mar 2024 09:38:47 GMT

Thank you, this is a trick to figure out the service is working or not, without engaging to security stuffs.

Re: GUI/CLI Access Authentication with 9800 WLC using LDAP

Rich R — Wed, 06 Mar 2024 17:43:09 GMT

Are you sure it works for CLI @Max Jobs ?
Is this wrong?
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/config-guide/b_wl_17_12_cg/m_secure_ldap.html

Restrictions for Configuring SLDAP

- LDAP authentication is not supported for interactive (terminal) sessions.

Re: GUI/CLI Access Authentication with 9800 WLC using LDAP

toy.thompson — Mon, 06 May 2024 10:53:27 GMT

Do you perhaps have a more detailed explanation for the use of these commands:

Device(config-ldap-server)# bind authenticate root-dn CN=ldapipv6user,CN=Users,DC=ca,DC=ssh2,DC=com password Cisco12345
Device(config-ldap-server)# base-dn CN=Users,DC=ca,DC=ssh2,DC=com

specifically around the user and user groups that will be authenticated