Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1825
Views
10
Helpful
8
Replies

Cannot connect to LDAPs using WLC

Go to solution
wolff
Level 1
Level 1

‎12-09-2022 10:30 AM - edited ‎01-05-2023 05:00 AM

We have a WLC, that we'd like to authenticate users against LDAP. However the WLC fails to establish a connection with the following error: Failed to start LDAP over TLS

The LDAP server itself is set up correctly. I have tried accessing it using an LDAP browser and that works just fine. Pinging the LDAP from the WLC also works, but somehow the LDAP connection itself fails. Sadly the above error is the only information I could get from the debug logs. It seems the WLC fails to establish a TLS connection at all and thus doesn't even get to the point of speaking LDAP. I have checked the manual, but cannot find anything that sounds like it could be the issue. Maybe the WLC is not trusting the LDAP's TLS certificate? If so, where would I add the cert to trust?

Device: Cisco 3504 Wireless LAN Controller
Software: 8.10.183.0

Labels:
debug.txt
Preview file
28 KB
conf_wlc_hk_2022-11 copy.txt
Preview file
26 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rich R
VIP
VIP

‎01-06-2023 01:15 AM

That is the only option - as defined in the LDAP standard - no other option on the WLC so you'll need to look at your server LDAP config.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

View solution in original post

8 Replies 8

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎12-09-2022 02:36 PM - edited ‎12-09-2022 02:37 PM

what WLC device and what code running:

look at the example  video : (since we don't know what WLC and code running)

https://www.youtube.com/watch?v=ofdx1s180g4

https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/108008-ldap-web-auth-wlc.html#C2

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
wolff
Level 1
Level 1
In response to balaji.bandi

‎12-10-2022 05:14 AM

Sorry. I have added the missing information to the question.

0 Helpful

Go to solution
Rich R
VIP
VIP

‎12-10-2022 07:10 AM

For a start - update your code version to latest recommended by TAC just to eliminate know bugs - see links below.

Then get a packet capture to see which end is presenting what certificates and where it's failing.

See https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/managing_certificates.html#ID1794 for adding your server's root CA cert.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
0 Helpful

Go to solution
wolff
Level 1
Level 1
In response to Rich R

‎12-13-2022 02:16 PM

I had come across this article when looking for solutions, however it sounds like this is for CA-certs used for EAP. Is this really the right place to add a certificate to trust for TLS connections?

0 Helpful

Go to solution
Rich R
VIP
VIP

‎12-13-2022 06:02 PM

Unless someone else knows better I can't see where else you could add them?

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
0 Helpful

Go to solution
wolff
Level 1
Level 1
In response to Rich R

‎12-19-2022 05:50 AM

I guess… I'll add it there, and make a packet capture.

0 Helpful

Go to solution
wolff
Level 1
Level 1

‎01-05-2023 06:11 AM

I have now made a packet capture and the WLC establishes a TCP socket and then immediately begins speaking LDAP (without creating a TLS-tunnel). I have set the option “secure mode (via TLS)”, as per the instructions in the manual, however that does not seem to cause the controller use LDAPs, instead it tries to perform a StartTLS extended operation (which fails, since the server speaks LDAPs and is still waiting for a TLS tunnel to be established). How do I configure the WLC for LDAPs?

0 Helpful

Go to solution
Rich R
VIP
VIP

‎01-06-2023 01:15 AM

That is the only option - as defined in the LDAP standard - no other option on the WLC so you'll need to look at your server LDAP config.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card
Top