cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
627
Views
10
Helpful
9
Replies
Highlighted
Beginner

WLC and AD integration without using external AAA server.

Hi Fellows ,

 

We have deployed WLC 3504 and Customer wants to give SSID access via  AD credentials for employees . We have configured WLC for getting users authenticated via LDAP integration.  But domain end user  getting certificate  errors.

Customer is not interested in installing  Cisco PEAP across the organization.

 

Is it possible to get user authenticated via WLC and LDAP integration without Cisco PEAP  ?

Or  MS NPS or some external RADIUS is must for this ?   Has WLC some limitations in this integration ?

 

 

Thanks in anticipation .

 

Adnan

9 REPLIES 9
Highlighted
VIP Advocate

Hi,

Certificate error means you are using "LDAPS". Is it correct?

Follow this documents: https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_010101100.pdf

 

Meanwhile, you can do it with NPS as well. 

 

Regards,

Deepak Kumar

 

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution If this comment will make help you!
Highlighted

Hi , Deepak

 

Thanks for your response. 

 

The goal is :  end user to connect   the  SSID  using     user@domain.com  and AD Password  ( Both Domain connected Systems  and BYOD )  . 

 

At start we don't want to add another Network Element like external AAA server  and  wanted to use  WLC 's LDAP integration option to achieve the goal .

 

By Certificate error the connection gives digital certificate error  I think this can be over by using PEAP  ? Is there any limitation on WLC for using Only Cisco PEAP ?   Can't we use default MS -PEAP

Highlighted

PFA  error image

Highlighted

This is a completely normal message and is always shown if you aren't already trusting this certificate on the client. You'd need an MDM solution for the client, where you first install the certificate in the trust store and assign it to the client-wireless profile and then connect.
Highlighted

  I think  PEAP  is used to avoid Client side installation of Certificates. 

 

Is there any way to work with MS PEAP which is available with normal installation of  Wireless adapter ( Cisco PEAP is to be additionally  installed again organization wide) , Authentication from WLC using AD as back end DB without any external RADIUS

 

or  using MS PEAP at wireless client to get authenticated from AD  requires ( mandatory )  NPS or Other External RADIUS ?

 

Thanks in anticipation

 

Highlighted

Dear  Deepak and patoberli :

 

Thanks for your continued support .   We  have to come to following understanding.

 

If we select  Cisco PEAP on Client we don't need to push any certificate to end user and that's what we need . For MS-PEAP we would require certificates on the client side .

 

As Found on this link

 

https://community.cisco.com/t5/wireless-security-and-network/cisco-peap-vs-ms-peap/td-p/342607?attachment-id=105929

 

Combining with

 

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/211277-WLC-with-LDAP-Authentication-Configurati.html

 

I think we got the answer why MS PEAP won't work . 

 

Now we have to test using Cisco PEAP only client side and using  WLC as authentication server with AD as back end DB .

 

 

 

 

 

 

Highlighted

Hi,

Thanks for making more clear. I think your certificate is not published on the AD group policies so it didn't push to the client. Try with making some changes in the client 's network interface as showing in below pic:Certificate.jpg

 

 

 

 

 

 

 

Uncheck the option: Verify the server identity by validating the certificate.

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution If this comment will make help you!
Highlighted

I suggest to NOT uncheck this option, otherwise somebody else can create a copy of the SSID and phish the cleartext username+password of your domain users.
If the clients are managed, you can push a group policy containing the correct certificate to the Windows clients. If they are not managed, you can either program an installer that creates the profile and installs the certificate, or have the users click on Connect (after having verified that the certificate checksum matches the correct checksum, which you have documented somewhere.
Highlighted

Hi,

I agree with you but he is testing the network and try to find out the root cause. If it will uncheck then we will get the root cause after that we can suggest him to push certificate on client's using the GPO. 

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution If this comment will make help you!
Content for Community-Ad