dynamic vlan assignment with openldap

k.abillama
Level 1

Hi,

I have a scenario where my customer has an ACS 5.2 and a couple of WLCs. The customer also has an openldap database and needs to do dynamic VLAN assignment for his wireless users against this database. I know that for Active Directory it works; please advise if it works as well for openldap, and how?

Regards,

6 Replies

Tarik Admani
VIP Alumni

Yes, this should work from the openldap as well. You will need to retrieve the directory groups once your openldap configuration is tested and complete.

After retrieving your groups you will then proceed to create your access policies (authorization profile); there you will create the VLAN assignment that you want. Once you create your authorization rule you will merge the openldap group with the authorization policy.

Keep in mind it's not openldap that provides the VLAN, it's the conditions you want to meet in order to trigger the VLAN assignment from ACS.

Thanks,

Tarik
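
Tarik's point that the VLAN comes from the ACS authorization conditions rather than from the directory, shown as an added example that is not from this thread or from Cisco: the RFC 2868 tunnel attributes a WLC reads in an Access-Accept for dynamic VLAN assignment, built from a constructed group-to-VLAN policy and decoded back the way the controller would. The group DNs, VLAN ids and the tag value 1 are assumptions.

```python
import struct
# RFC 2868 tunnel attributes and the values a WLC reads for dynamic VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6
GROUP_TO_VLAN = {  # constructed policy (hypothetical group DNs and VLAN ids)
    "cn=staff,ou=groups,dc=example,dc=edu": 20,
    "cn=students,ou=groups,dc=example,dc=edu": 30,
}
def tagged_integer(attr_type, tag, value):
    # Tag byte followed by a 3-byte big-endian integer (RFC 2868 section 3.1).
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")

def tagged_string(attr_type, tag, text):
    data = bytes([tag]) + text.encode("ascii")
    return struct.pack("!BB", attr_type, 2 + len(data)) + data

def vlan_attributes(member_of, tag=1):
    """Attributes for the first group mapped to a VLAN, or b'' when no condition matches."""
    for dn in member_of:
        vlan = GROUP_TO_VLAN.get(dn.lower())
        if vlan is not None:
            return (tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
                    + tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
                    + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)))
    return b""  # the WLC then keeps the client on the interface VLAN

def parse_attributes(blob):
    # Decode a RADIUS attribute list into {type: (tag, value)} as the controller would.
    out, i = {}, 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 3 or i + alen > len(blob):
            raise ValueError("malformed RADIUS attribute")
        body = blob[i + 2:i + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out[atype] = (body[0], int.from_bytes(body[1:], "big"))
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # A first byte above 0x1F is text, not a tag (RFC 2868 section 3.6).
            out[atype] = (body[0], body[1:].decode()) if body[0] <= 0x1F else (0, body.decode())
        i += alen
    return out

def assigned_vlan(blob):
    """VLAN the WLC would apply, or None when the VLAN/802 tunnel triple is incomplete."""
    a = parse_attributes(blob)
    if (a.get(TUNNEL_TYPE, (0, 0))[1] != TUNNEL_TYPE_VLAN
            or a.get(TUNNEL_MEDIUM_TYPE, (0, 0))[1] != TUNNEL_MEDIUM_802
            or TUNNEL_PRIVATE_GROUP_ID not in a):
        return None
    return int(a[TUNNEL_PRIVATE_GROUP_ID][1])
```

A user in no mapped group gets an empty attribute set, which is the "condition not met" case: the controller falls back to the WLAN's interface VLAN rather than the directory supplying one.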

Thank you Tarik! And it works even if the user has an MSCHAPv2 client? There are some links that say that MSCHAPv2 with LDAP doesn't work.

No, it doesn't work if you are using MSCHAPv2. Here is a grid of the supported EAP-based protocols and the directory services:

You can find this information here:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/eap_pap_phase.html#wp1045863

Hope this helps.

Hi Tarik,

I've been through the document, but I thought there could be a workaround available, as I've seen some posts where customers have freeradius and an LDAP backend working for MSCHAPv2.

Anyway, what could be an alternative if the customer is a university and the end user could have any kind of OS, PDA, etc.?

Regards,

If you have to use openldap, then those authentication protocols are what you will have to use. I don't understand how freeradius is able to convert an MSCHAPv2 authentication protocol in order to work with LDAP. An alternative workaround would be to use the ACS internal database if you want to keep all your MSCHAPv2 settings and if you do not have an MS AD environment. You can group users in the ACS database, and if you plan to grow your ACS environment you can set up additional servers as part of a distributed system.

Thanks,

Tarik