04-18-2023 07:55 AM - edited 04-19-2023 02:12 AM
Hello,
When I try to add an LDAP server on a Cisco Catalyst 9800-L Wireless Controller (17.3.6), I get an error which says "Invalid User Base DN".
I'm aware the user base DN shouldn't contain a space character, but the domain controller is not under my control and there is a white space in the OU name.
I've already tried to put the whole string into single quotes (') and value of the OU into double quotes ("), but WLC doesn't like them.
I've also tried to escape with a backslash (\); it also didn't work.
Here is the example:
'OU="test 1",OU=test,DC=int,DC=at' --> If I delete the white space between "test" and "1" it works.
Has anyone experienced such an issue?
Thanks in advance!
Regards.
04-18-2023 09:40 AM
> ... but domain controller is not under my control
- Then there's not much you can do if the 9800 won't take it; you may have a try with IOS-XE 17.9.3 (note: also supports the older generation Wave 1 APs again), or perhaps edit LDAP server with GUI (if done, reverse this mark to CLI (...))
M.
04-20-2023 01:15 AM
Hi,
Thank you for your reply. I've tried both (CLI and GUI) and multiple possible solutions (like escaping special characters etc.) but without luck. What I can't follow is that Cisco has accepted white space on the old wireless controllers.
04-20-2023 02:23 AM
04-20-2023 06:53 AM
Not everything gets moved over; AireOS and IOS-XE are different platforms, as you know. Everyone wanted everything in AireOS; why would they build a new platform? Like what @marce1000 mentioned, bring this up to TAC or your Cisco SE and see if they can possibly add this to future releases. As of now, you need to figure out another way.
04-18-2023 09:50 AM
Just to add... like @marce1000 mentioned, you are pretty much out of luck if you can't work with the team that manages the directory services. Your only workaround would be for them to create a new group and add users to that new group, or else get a RADIUS server and use that to build your policies, which I think is so much better.