topic Re: LDAP authentication through a web page in Wireless

LDAP authentication through a web page

TrickTrick — Mon, 05 Jul 2021 15:46:03 GMT

Hi everybody,

It seems easy, but I find some difficulties to make it work, I'm trying to configure the WLC to let people get access to the network by using their LDAP credentials

I configured a WLAN as follows :

interface : Management

security :

Layer 2 : None

Layer 3 : Web policy ( Authentication)

Over-ride Global Config : Enable

Web Auth type : Internal (I want to change it after to use a customized page, not that important for now)

AAA servers :

everything on default except for LDAP server I have the IP address there and authentication using local and LDAP only

EAP profile : EAP (created)

somehow I can't see any WLAN using my laptop ( I was able before doing these modifications) , and by using my phone it worked but the login is always incorrect even when using the correct username and password in the OU defined in the LDAP menu

DO you have guys any input, what's the correct setup to follow to make it work

I followed btw this guide (Create WLAN That Relies On LDAP Server To Authenticate Users Through Internal WLC Web Portal) : https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/211277-WLC-with-LDAP-Authentication-Configurati.html

Infos : WLC : 2504

AP: AIR-AP1832I-E-K9

Thanks

Re: LDAP authentication through a web page

Sandeep Choudhary — Fri, 22 Jun 2018 05:24:46 GMT

please go through this guide:

https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/108008-ldap-web-auth-wlc.html

Regards

Dont forget to rate helpful posts

Re: LDAP authentication through a web page

TrickTrick — Fri, 22 Jun 2018 09:41:09 GMT

Thanks for this guide, the guide I posted in the OP is almost like this one, the problem is the same, always an Error during the authentication ... no account is accepted from the OU defined.. what could be the issue? . the guy controlling AD is telling me that the OU is defined correctly

Re: LDAP authentication through a web page

patoberli — Fri, 22 Jun 2018 12:27:03 GMT

Is the WLC allowed to authenticate users in the AD?
Depending on the AD version, the WLC has to get some additional permissions to authenticate users on behalf (I think 'enumeration' is the keyword).

Re: LDAP authentication through a web page

TrickTrick — Thu, 28 Jun 2018 11:58:39 GMT

honestly i'm not sure about this particular part, since i'm not controlling it, I want to be sure what exactly I should need to do at the WLC level
I did exactly what is mentioned here : https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/108008-ldap-web-auth-wlc.html

I can say that the controller is well configured ? it's maybe something at the LDAP server level ?

Re: LDAP authentication through a web page

patoberli — Thu, 28 Jun 2018 12:06:09 GMT

Yes, the LDAP server also needs to be configured correctly. The user that you are using for the authentication needs access on the AD server to authenticate other users on his behalf. I think this part here is very important and so is the next chapter: https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/108008-ldap-web-auth-wlc.html#anc20

In any case, I'd suggest you install a radius server and use radius for the user authentication.

Re: LDAP authentication through a web page

TrickTrick — Thu, 28 Jun 2018 14:17:38 GMT

yeah, it seems something is messed up there, some connections aren't established correctly ...here some logs messages confirming this while i'm using correct credentials

*ewmwebWebauth1: Jun 28 15:19:41.072: %LOG-3-Q_IND: ldap_db.c:1082 Could not connect to LDAP server 1, reason: 49 (Invalid credentials).[...It occurred 2 times.!]
*LDAP DB Task 1: Jun 28 15:19:40.108: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1082 Could not connect to LDAP server 1, reason: 49 (Invalid credentials).
*ewmwebWebauth1: Jun 28 15:02:22.747: %LOG-3-Q_IND: ldap_db.c:1082 Could not connect to LDAP server 1, reason: 49 (Invalid credentials).[...It occurred 2 times.!]
*LDAP DB Task 1: Jun 28 15:02:21.784: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1082 Could not connect to LDAP server 1, reason: 49 (Invalid credentials).

Re: LDAP authentication through a web page

patoberli — Thu, 28 Jun 2018 14:21:34 GMT

What messages do you see on your ldap server in the logs?

Re: LDAP authentication through a web page

TrickTrick — Thu, 28 Jun 2018 16:27:06 GMT

Solved! It was an autentication protocol problem between LDAP and WLC, we had to use PAP as an authentication protocol, I honestly didn't check this before and never had the idea to check it 😕