topic LDAP client auth in Wireless

LDAP client auth

Joe Clark — Sun, 04 Jul 2021 06:45:39 GMT

I've searched the internet but the examples I've found use certificates or web auth. I'm trying to get users to authenticate using their LDAP credentials on a new SSID.

I have the LDAP server set up on the controller but I'm still having troubles getting authentication to work.

I'd like to bypass using ACS and have the controller talk directly to the LDAP server.

In our environment we have the following:

Two WiSM controllers in separate data centers

4402 guest controller (in production now)

5508 guest controller (being installed now)

All controllers running 7.0.235.3

ACS 4.2

NCS 1.1.1.24

LDAP client auth

Stephen Rodriguez — Tue, 19 Mar 2013 17:48:46 GMT

So you are looking at the guides for Local EAP? or is this for guest users?

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

LDAP client auth

Joe Clark — Tue, 19 Mar 2013 17:49:49 GMT

These will be contractors that are BYOD but do have AD login credentials.

LDAP client auth

Stephen Rodriguez — Tue, 19 Mar 2013 17:58:02 GMT

So you have the WLC configured for Local EAP/PEAP?

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

LDAP client auth

Joe Clark — Tue, 19 Mar 2013 18:57:34 GMT

I have the LEAP profile set up and chosen on the WLAN tab.

LDAP client auth

Stephen Rodriguez — Tue, 19 Mar 2013 19:02:52 GMT

I would set it for PEAP vs LEAP. Not all supplicants support LEAP and it's vulnerable.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

LDAP client auth

Joe Clark — Tue, 19 Mar 2013 19:09:46 GMT

Do you have a link or anything about setting that up? Does it require certs?

LDAP client auth

Stephen Rodriguez — Tue, 19 Mar 2013 19:16:42 GMT

you should just need to check the PEAP box and not the LEAP box.

as for certs, just on the WLC and it will be there already.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

LDAP client auth

Joe Clark — Tue, 19 Mar 2013 19:18:28 GMT

So then I have to choose "Local Certificate Required" or "Client Certificate Required"?

LDAP client auth

Stephen Rodriguez — Tue, 19 Mar 2013 19:26:51 GMT

not required...those are for TLS. so you shoudl be able to uncheck those boxes

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

LDAP client auth

Joe Clark — Tue, 19 Mar 2013 19:31:36 GMT

They were unchecked...

Here is what I have:

L2 security

WPA+WPA2 selected.

Checkbox for WPA2 policy WPA2 encryption AES

Auth Key MGmT 802.1x

AAA Sever tab

LDAP server selected

Local EAP Authentication checked

EAP Profile Name - Test

Local EAP Profile - Test

PEAP checked, nothing else

Authentication Priority - LDAP

Is there anything else I'm missing?

LDAP client auth

Stephen Rodriguez — Tue, 19 Mar 2013 19:35:23 GMT

that should do. on the client make sure you uncheck the box to 'validate server certificate' as well.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

LDAP client auth

Joe Clark — Tue, 19 Mar 2013 19:40:58 GMT

I think I got it... had to set up the network profile in Windows.

I'm a total n00b at this so thanks for your help!

LDAP client auth

Stephen Rodriguez — Tue, 19 Mar 2013 19:42:21 GMT

no worries, that's why we are here!

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

LDAP client auth

Joe Clark — Fri, 22 Mar 2013 15:34:25 GMT

Ok, so now the problem I ran into is that when I change priority order -> local auth to LDAP, it breaks our 7925 wifi phones. Even if I have LDAP and Local in the box, if I change the order to LDAP/Local it breaks the phones but LDAP works. If I change it to Local/LDAP the phones work again but LDAP doesn't.

The phones are using EAP-Fast. Any ideas? Do I need to change the auth method of the phones?