Cisco WLC 2500 Active directory integration

ingens-networks
Level 1

Hello to all!

I recently bought a Cisco WLC 2500. I want to configure a WLAN with Active Directory authentication.

How can I do this?

Is there any guide or configuration example?

Thanks!

6 Replies

Scott Fella
Hall of Fame

Try to use a RADIUS server. Search for "wlc peap ias" or "nps".

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Amjad Abdullah
VIP Alumni

You can use LDAP to connect to AD for authentication. This requires you to use local EAP.

Here is a config example: http://tiny.cc/ctulcw

The above link

The problem with LDAP integration with AD is that you are restricted to only some EAP types.
The supported types are EAP-FAST, EAP-TLS and LEAP.

quoting from the above link:

Local EAP supports LEAP, EAP-FAST, EAP-TLS, PEAPv0/MSCHAPv2, and PEAPv1/GTC authentication between the controller and wireless clients.

The LDAP backend database supports these Local EAP methods:

EAP-FAST/GTC

EAP-TLS

PEAPv1/GTC.

LEAP, EAP-FAST/MSCHAPv2, and PEAPv0/MSCHAPv2 are also supported, but only if the LDAP server is set up to return a clear-text password. For example, Microsoft Active Directory is not supported because it does not return a clear-text password. If the LDAP server cannot be configured to return a clear-text password, LEAP, EAP-FAST/MSCHAPv2, and PEAPv0/MSCHAPv2 are not supported.

The only commonly supported EAP types shared between local EAP and LDAP (as its backend server) are EAP-TLS, PEAPv1/GTC and EAP-FAST. So if you are going to use this option you will probably need to use one of those types.

You can also use a RADIUS server and integrate the RADIUS server with AD. This is a much better option, where you can use whatever EAP type the RADIUS server supports. If you can take the RADIUS server option, then I don't recommend going with the local EAP option with LDAP. The RADIUS server option is much better. Use local EAP only if you have a small environment or you cannot by any means utilize a RADIUS server.

Hope this helps.

Amjad

Rating useful replies is more useful than saying "Thank you"

Michael Seden
Level 1

I have the same problem. I wondered if you had fixed yours. We are using Active Directory on 2008 R2 for our Domain Controller. Everything I have seen so far is Server 2003. We have 2 networks, one a guest network where we do the local user configuration and generate passwords as needed. The other I would like to tie to AD so my internal users can authenticate. I did a TAC case on it but they say it is my Windows config that is wrong (still not resolved). I got the AD guru on it and they can't seem to see anything wrong either. I know it is probably as simple as a radio button click. Any help would be appreciated.

Thanks,

Mike Seden

Are you using RADIUS or not? It's easier to accomplish this if you just bring up a Microsoft RADIUS server, either IAS (2003) or NPS if you're on 2008.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
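
The RADIUS path that Scott recommends above (and that Amjad also prefers), written out as WLC (AireOS) CLI instead of GUI clicks. This is an added example, not configuration taken from any post in this thread; the NPS address 10.10.10.20, WLAN ID 2, the dynamic interface "employees", the SSID CORP-8021X, the test user and the shared secret are placeholders you must replace, and exact syntax should be checked against the command reference for your AireOS release. Only the controller side is shown.

```text
! --- WLC side: WPA2-Enterprise WLAN authenticated by NPS (added example; placeholders) ---
! 1. Define the RADIUS server. Use a long random shared secret, and configure the
!    identical secret on NPS under RADIUS Clients for the WLC management IP.
config radius auth add 1 10.10.10.20 1812 ascii ReplaceWithLongRandomSecret
config radius auth enable 1
config radius acct add 1 10.10.10.20 1813 ascii ReplaceWithLongRandomSecret
config radius acct enable 1

! 2. Create the WLAN and bind it to the employee interface (or interface group).
config wlan create 2 CORP-8021X CORP-8021X
config wlan interface 2 employees

! 3. WPA2 / AES / 802.1X only. Do not also enable PSK on a WLAN that is meant
!    to be AD-authenticated; a PSK AKM bypasses the directory entirely.
config wlan security wpa enable 2
config wlan security wpa wpa2 enable 2
config wlan security wpa wpa2 ciphers aes enable 2
config wlan security wpa akm 802.1x enable 2

! 4. Point the WLAN at RADIUS server index 1 for authentication and accounting.
config wlan radius_server auth add 2 1
config wlan radius_server acct add 2 1
config wlan enable 2

! 5. Verify from the controller before touching a client.
show radius summary
! test aaa radius exists from AireOS 8.2 and sends a PAP Access-Request, so NPS
! must have a policy that permits PAP for this to return Access-Accept; an
! Access-Reject with a correct secret still proves the WLC can reach NPS.
test aaa radius username jdoe password ReplaceMe wlan-id 2 apgroup default-group server-index 1
```

On the NPS side the matching pieces are: register NPS in Active Directory so it can read user accounts, add the WLC management IP as a RADIUS client with the same shared secret, and create a Network Policy whose conditions are NAS Port Type = Wireless - IEEE 802.11 (and Wireless - Other) plus the AD group you want to admit, with Microsoft: Protected EAP (PEAP) and EAP-MSCHAPv2 as the EAP type. The PEAP server certificate must chain to a CA the clients trust, and clients should be configured to validate that certificate; otherwise a rogue AP with the same SSID can harvest MSCHAPv2 challenge/responses.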


Hi Michael,

 

I have WLC 2500 series (version 8.5), and our AD is working well:

 

1) Create your SSID and bind the Interface Group you created.

2) Go to SECURITY -- TACACS+ -- LDAP -- NEW, set Simple Bind to "Authenticated", and fill in each required field (I followed this guide for our server: https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/108008-ldap-web-auth-wlc.pdf ).

3) Enjoy your connection.

 

Regards!
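
The three GUI steps above, together with Amjad's constraint on EAP types, as one WLC (AireOS) CLI configuration. The constraint follows from how the controller can check a password: with PEAPv1/GTC (or EAP-FAST/GTC) the password arrives inside the TLS tunnel in clear text and the WLC verifies it by binding to AD as that user, whereas MSCHAPv2 only yields a challenge/response that needs the NT hash, which AD never returns over LDAP. EAP-TLS needs no password at all. This is an added example, not configuration from any post here; the domain controller 10.10.10.10, base DN, bind account "wlc-ldap", profile name AD-LOCAL-EAP, WLAN ID 2 and interface group "employees" are placeholders, and exact syntax should be checked against the command reference for your release.

```text
! --- WLC side: local EAP with Active Directory reached over LDAP (added example; placeholders) ---
! 1. LDAP server entry with an authenticated simple bind. Use a dedicated,
!    low-privilege read-only account; its password is stored on the controller,
!    so never use a Domain Admin here.
!    Syntax: config ldap add <index> <ip> <port> <user base DN> <user attribute> <user type>
config ldap add 1 10.10.10.10 389 CN=Users,DC=corp,DC=example sAMAccountName Person
config ldap simple-bind authenticated 1 username CN=wlc-ldap,CN=Users,DC=corp,DC=example password ReplaceMe
config ldap enable 1

! 2. Local EAP profile. Only methods that either hand the WLC a bindable
!    password (GTC) or need none (TLS) succeed against AD. "peap" enables both
!    PEAPv0 and PEAPv1; clients must be set to PEAP with inner EAP-GTC, because
!    PEAPv0/EAP-MSCHAPv2 will fail against an AD LDAP backend.
config local-auth eap-profile add AD-LOCAL-EAP
config local-auth eap-profile method add peap AD-LOCAL-EAP
config local-auth eap-profile method add tls AD-LOCAL-EAP
config local-auth user-credentials ldap

! 3. WLAN: WPA2-Enterprise, LDAP server 1 as the backend, local EAP enabled,
!    no RADIUS servers attached.
config wlan create 2 CORP-LDAP CORP-LDAP
config wlan interface 2 employees
config wlan security wpa enable 2
config wlan security wpa wpa2 enable 2
config wlan security wpa wpa2 ciphers aes enable 2
config wlan security wpa akm 802.1x enable 2
config wlan ldap add 2 1
config wlan local-auth enable 2 AD-LOCAL-EAP
config wlan enable 2

! Troubleshooting a failing bind or user search:
debug aaa ldap enable
debug aaa local-auth eap method events enable
```

Two things to check before calling this done. First, on port 389 with a simple bind, both the service-account password and (with GTC) every user's password cross the wire in clear text between the controller and the domain controller; AireOS 8.x adds a secure LDAP (LDAPS, port 636) option on the server entry, so enable it where your release supports it and keep the WLC-to-DC path on a management network regardless. Second, if `debug aaa ldap` shows the bind succeeding but the user search returning nothing, the user base DN or user attribute is wrong for where the account actually lives in the directory; that is the usual cause of "the Windows side is fine but clients still fail".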

 

I think for a single OU you can, but if you have multiple OUs, you need a RADIUS server.

-hope this helps-