topic Re: WLC 4400: Web Authentication Using LDAP in Wireless

WLC 4400: Web Authentication Using LDAP

Jaaazman777 — Sun, 04 Jul 2021 02:57:33 GMT

Hello!

Dear all, I have some problems integrating WLC 4400 with AD using ldap

The the WLC LDAP Server and WLAN for Web Authentication are configured acoording to

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a03e09.shtml#C2

when I connect to SSID the laptop is given the ip address, then I can see the web-page with

it's incorrect

The attributes of the LDAP server:

Server Address *.*.*.*

Port Number 389

User Base DN ou=ORG,dc=domain,dc=local

User Attribute userPrincipalName

User Object Type Person

the test user is located in AD folder ORG, but this folder also contains a lot of subtrees

There are some questions:

1) Is it obligatory to use value "Authenticated" in the Simple Bind option or it can be Anonymous?

2) Is the Controller capable for searching the users located in User Base DN subtrees?

Here is some debug from the controller:

667: LDAP_CLIENT: UID Search (base=.....

669: LDAP_CLIENT: ldap_search_ext_s returns 0 85

669: LDAP_CLIENT: Returned 1 msgs including 0 references

669: LDAP_CLIENT: Returned msg 1 type 0x65

669: LDAP_CLIENT : No matched DN

669: LDAP_CLIENT : Check result error 0 rc 1013

669: LDAP_CLIENT: Received no referrals in search result msg

669: LDAP_CLIENT: Received 1 attributes in search result msg

669: ldapAuthRequest [1] called lcapi_query base="ou=ORG,dc=domain,dc=local" type="Person" attr="userPrincipalName" user="test@domain.local" (rc = 0 - Success)

669: Handling LDAP response Authentication Failed

670: 00:1d:e0:a1:73:2f Returning AAA Error 'Authentication Failed' (-4) for mobile *MAC-address*

670: AuthorizationResponse: 0x31b6e2d0

Re: WLC 4400: Web Authentication Using LDAP

Nicolas Darchis — Tue, 15 Mar 2011 19:00:17 GMT

Is your AD domain really "domain.local" ?

To reply to your questions :

1) It can be anonymous if you configured your AD to accept anonymous binding which is not the default behavior if I have a good memory

2) Yes it searches subtrees

Did you type "test@domain.local" in the login page ? Try with "test" simply. Since you configured your base DN to be the ORG ou on domain.local, that's where the AD will search, no need of precising the domain.

Nicolas

Re: WLC 4400: Web Authentication Using LDAP

Jaaazman777 — Tue, 15 Mar 2011 20:06:24 GMT

thank you for your answers, Nicolas Darchis!

"All the characters are fictional" 😃

About login...I think, when we use sAMAccountName we just need to type in the login, and userPrincipalName requires typing the whole domain name

Any way I tried a lot of variants, but nothing worked out

what about debug? What can LDAP_CLIENT : No matched DN mean?

Re: WLC 4400: Web Authentication Using LDAP

Nicolas Darchis — Tue, 15 Mar 2011 20:31:47 GMT

It says that AD returns "user not found".

By the way, where is your admin account located ? The one you are authenticating with ?

Can you post the complete ldap configuration with the admin user as well ?

Note that the admin has to be under the same base DN as your search DN (so it has to be under ORG too).

In such situations, I usually download softterra ldap browser and connect to the AD from my laptop via LDAP, I use the same config as on the WLC to connect (admin username and then I do a search). It's often a small typo that makes it not work.

A sniffer trace of the ldap traffic also sometimes help to determine if the problem is with the admin user authentication or the search itself.

Re: WLC 4400: Web Authentication Using LDAP

Jaaazman777 — Tue, 15 Mar 2011 20:41:35 GMT

Nicolas Darchis, thank you very much for your advice!

yes, my admin account is located in the same Base DN

Server Address *.*.*.*

Port Number 389

Bind Username admin

Bind Password ***

Confirm Bind Password ***

User Base DN ou=ORG,dc=domain,dc=local

User Attribute userPrincipalName

User Object Type Person

I'll try to use ldap browser, I hope It'll be helpful

Re: WLC 4400: Web Authentication Using LDAP

Jaaazman777 — Wed, 16 Mar 2011 12:42:03 GMT

Dear Nicolas!

Thank you very much for your advices!

Everything works now!

I tested the settings with the help of ldap browser, and then applied them to the controller

Final WLC Ldap-server settings:

Simple Bind - (Anonymous doesn't work)
Bind Username - the user must be created in User Base DN folder (ex. OU=ORG)
User Base DN - the core OU, that contains all users (ex. )
User Attribute - there can be two variants:
- sAMAccountName -
- userPrincipalName - <user1@domain.local>
User Object Type -

Re: WLC 4400: Web Authentication Using LDAP

vince.steiner — Wed, 16 Mar 2011 15:42:30 GMT

Jaaazman777 wrote:

Dear Nicolas!

Thank you very much for your advices!

Everything works now!

I tested the settings with the help of ldap browser, and then applied them to the controller

Final WLC Ldap-server settings:

Simple Bind -   (Anonymous doesn't work) 
Bind Username - the user must be created in User Base DN folder (ex. OU=ORG)
User Base DN -  the core OU, that contains all users (ex. )
User Attribute - there can be two variants:
- sAMAccountName -  
- userPrincipalName - <user1@domain.local> 
User Object Type -

I have the same strange problem.

i have WCS and 3 2000 seriec controllers.

everything works fine through ldap browser but authenticationalways gives me an error:

the username and password combination is invalid.

im also using WPA2 AES PSK and Mac filtering, in case this may affect anything.