C9800 with ldap

Hi, I am trying to access SSID through AD authentication with C9800 WLC, Active Directory, C9115.

Each equipment version
C9800: 17.3.3 (vWLC)
AD: This is an AD created on a Windows server, and there is no problem with AD itself because it is currently being used in the office.
C9115AXI: It is registered with vWLC and transmits even the wireless signal well.

1. By enabling WebAuth in the LDAP settings and WLAN settings in the AAA configuration, when connecting to SSID, it is redirected to the virtual IP for WebAuth, and the ID/PW input page seems to work well.
2. However, even with the AD Admin account, Authentication Failed is displayed.

How can I proceed with troubleshooting?
Are there any problems with WLC's certificate?
Below are the documents currently referenced.

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/216744-configuring-catalyst-9800-wlc-with-ldap.html

How to set up a WLAN with 802.1x security on C9800 Series Wireless Controllers - Part 4


https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213917-generate-csr-for-third-party-certificate.html

I proceeded while looking at the documentation related to the certificate, but could not proceed beyond the "Import Device Cert.." part.

Since this is a test environment, there is no equipment certificate from CA.

7 Replies

marce1000 (Hall of Fame)


> ...Since this is a test environment, there is no equipment certificate from CA.

- A good place to start is to have a global checkup of the current configuration on the C9800 (vWLC); for that use the CLI command
  show tech wireless
  Feed the output into:
  https://cway.cisco.com/wireless-config-analyzer/

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Hi marce1000.

I checked the current overall settings on the website you informed me of, and confirmed that several alerts are coming out.
However, even though most of the alerts have been taken care of, the same problem is still showing.

I have a question, do I have to upload CA's certificate to WLC for WebAuth using LDAP?
This is because "Certificate unknown" was shown in what appears to be a packet to enter ID/PW and receive authentication when capturing packets.

I don't think the WLC made it mandatory to get a certificate from a CA to authenticate via the company's AD.

 

I attached a show tech wireless.txt

Thanks.

 

- You have 4 WLC errors from WirelessAnalyzer for the file you attached; these should at least be corrected. If you make corrections, then run WirelessAnalyzer again and make sure that they have disappeared.


 

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Hi marce1000

I've currently found an issue with AD integration.
Through WLC's built-in packet capture tool, we confirmed that the invalidCredentials packet came out in response to bindRequest.
The strange thing is that AD information is received under the same conditions through the LDAP client program.

Are the settings incorrect?
thank you.

+ The base-DN value was applied to the WLC the same as the value verified in the LDAP program (using the LDAP Admin program).
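To read the bind failure seen in the WLC capture without guessing, here is an added example (not code from the thread or from Cisco) that decodes an LDAPv3 BindResponse as defined in RFC 4511 and maps the "data NNN" sub-code that Active Directory places in the diagnosticMessage of a failed bind; the sample message is constructed, and the sub-code table is the well-known AD set, not something this thread states.

```python
import re
# AD "data NNN" sub-codes seen in the diagnosticMessage of a failed bind
# (well-known AcceptSecurityContext codes, not taken from the thread).
AD_SUBCODES = {"525": "user not found (check base DN / user lookup)",
               "52e": "invalid credentials (wrong password or bind DN)",
               "533": "account disabled", "773": "user must reset password",
               "775": "account locked out"}

def _tlv(buf, pos):
    """Read one BER element at pos: return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: next n bytes hold length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _enc(tag, payload):
    n = len(payload)                      # BER definite length, short or long form
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def build_bind_response(msg_id, result_code, diagnostic=""):
    """LDAPMessage{messageID, [APPLICATION 1] BindResponse} (used for samples)."""
    body = (_enc(0x0A, bytes([result_code]))    # resultCode ENUMERATED
            + _enc(0x04, b"")                   # matchedDN, empty
            + _enc(0x04, diagnostic.encode()))  # diagnosticMessage
    return _enc(0x30, _enc(0x02, bytes([msg_id])) + _enc(0x61, body))

def parse_bind_response(msg):
    """Decode a BindResponse; pull out resultCode and AD's 'data NNN' code."""
    tag, pos, _ = _tlv(msg, 0)                    # LDAPMessage SEQUENCE
    assert tag == 0x30, "not an LDAPMessage"
    tag, s, e = _tlv(msg, pos)                    # messageID (skipped)
    tag, s, e = _tlv(msg, e)                      # protocolOp
    assert tag == 0x61, "not a BindResponse (APPLICATION 1)"
    tag, s, e = _tlv(msg, s)                      # resultCode ENUMERATED
    code = int.from_bytes(msg[s:e], "big")
    tag, s, e = _tlv(msg, e)                      # matchedDN (skipped)
    tag, s, e = _tlv(msg, e)                      # diagnosticMessage
    m = re.search(r"data ([0-9a-f]+)", msg[s:e].decode("utf-8", "replace"), re.I)
    sub = m.group(1).lower() if m else None
    return {"resultCode": code, "adSubcode": sub,
            "meaning": AD_SUBCODES.get(sub, "no AD sub-code present")}

# Constructed sample of what AD answers to a bind with a bad password
# (resultCode 49 = invalidCredentials, sub-code 52e).
SAMPLE = build_bind_response(2, 49, "80090308: LdapErr: DSID-0C09042F, comment: "
                             "AcceptSecurityContext error, data 52e, v2580")
```

Feed the raw bytes of the bindResponse from the WLC capture to parse_bind_response; a 52e with a bind that works from the LDAP Admin program points at the bind DN or password as entered on the WLC, whereas 525 points at the base DN or user lookup.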

 

Rich R (VIP)

And do yourself a favour - update to 17.6.5 or 17.9.4.
If, for some reason, you feel a need to stay on 17.3 then at least update to 17.3.7 but remember 17.3 is approaching end of life so you should already be planning update to 17.9 regardless.

Hi Rich R

I've currently found an issue with AD integration.
Through WLC's built-in packet capture tool, we confirmed that the invalidCredentials packet came out in response to bindRequest.
The strange thing is that AD information is received under the same conditions through the LDAP client program.

Are the settings incorrect?
thank you.

+ The base-DN value was applied to the WLC the same as the value verified in the LDAP program (using the LDAP Admin program).

> The strange thing is that AD information is received under the same conditions through the LDAP client program.
Well, if they were indeed the same then the result would be the same, so there must be a difference.

> Are the settings incorrect?
I've never used LDAP integration myself so can't offer any extra advice on this.  You'll have to look through all available info on community etc to see what gotchas others have encountered.  And make sure your software is up to date just in case you're hitting a known bug in the older software.
