Is there any way on an LDAP server to create an LDAP group that can be tied to the WLC for LDAP authentication. I have this url that explains local authentication and LDAP... http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml . That helps with local authentication but one thing I don't see is any guidance on how to create a group in a DC to communicate with anything on WLC. Any ideas?
I suppose a little background to this might help. We are in the process of trying to setup an SSID that works exclusively with Mobile devices. The best most painless way that we see to do it if we can is to create a group on our LDAP servers that will communicate with our mobile SSID and only allow those specific people granted access (through LDAP) to get in.
There is two ways I think this can be done.
1) WLC's do not have great support for LDAP. If you want a robust solution to fit your needs look into Cisco ISE. You would be able to have a single SSID but profile devices and only allow an AD group to connect with an IPhone (for example).
2) Set up Microsoft RADIUS server IAS or NPS. You can choose particular AD groups as a filter on the users, then setup the WLC to authenticate via RADIUS rather then LDAP.
Sent from Cisco Technical Support iPad App
You are right. You need a radius server overall that integrates with AD and do AD-to-radius group mapping. This way authentication is allowed/denied from radius, not WLC itself.
If the user can get a radius server to achieve this that will be great (especially if the user is using 802.1x/EAP authenticaion). If not, what I described about OU mapping is the only solution to get the users classified as per what I understood from users requirements.
The user is not only limited to Microsoft RADIUS (IAS or NPS). However, any radius server that supports AD group mapping can be used. with cisco ACS for example this is supported as well. I am not sure if this is also supported with open-source radius (openRadius for example). But if it is then openRadius can also be used.
Unfortunately therei s no way to do this with if you are going to do the LDAP configuration direcly between WLC and LDAP server. You can only deal with OUs not groups in this case.
What you can do is to put your devices under same OU and use that OU as the "User Base DN" in LDAP server configuratoin on WLC. This way ALL users inside that OU will be allowed authentication. If you have nested OUs [OUs inside your OU and the outer OU is used as the Base DN, then even users inside inner OU will be able to authenticate.
So, what you need to do now is to classify the users per OU, not per group.
Hope this helps.