Cisco WLC 2504 and ways to authenticate users

Hi All,

     What are the ways to make users authenticate to the WLC 2504, what is the best and simplest way, and what are the differences between each method (I mean, for example, does it need a RADIUS server or something else to exist)?

     And can anyone give me a case study for this issue?

The system consists of a Cisco 2504 and Cisco LAP 1140.

Thanks

Accepted Solution

Scott Fella (Hall of Fame)

There is too much info that you require to write up in a forum. What you need to look at is the various ways to authenticate using 802.1X. These require a RADIUS server and usually tie back to AD.

In short: EAP-TLS requires a certificate on the RADIUS server and on the clients. EAP-PEAP requires a certificate on the RADIUS server and uses machine or user AD credentials. These are the only two I would suggest you look at.

What you have to find out is what devices you have and what encryption and authentication methods those devices support.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Hi Scott,

     Thanks for your support and help. I know I ask about a lot of things, but I also expect a lot of info (greedy).

     What about this case

     Web Authentication Using LDAP on Wireless LAN Controllers (WLCs) Configuration Example     

          http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a03e09.shtml

     Is this the best way to do it (to just authenticate the users) with minimum configuration? Here I just need an LDAP server, am I right?

       What is the type of this method? Does it require a certificate?

     Sorry for these many questions.

     Thanks again for your help, really appreciated.

I don't like using LDAP at all. If that's what you want and you want the easy way of doing things, then look at this doc.

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Scott Fella (Hall of Fame)

You have more flexibility if you have active directory and a radius server. Or else just do local EAP PEAP on the WLC and put the username and password of users in the WLC.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Scott Fella (Hall of Fame)

Here is a good link for local EAP using PEAP.

http://mrncciew.com/2013/04/21/configuring-local-eap-on-wlc/

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

@Scott

     Thanks for your advice, I will try it.

We have various kinds of devices on board, like iPads, laptops, etc., but we need to allow users to access some internal resources and the company site (it is an intranet site). What LDAP method do you suggest, and how do I test it before deploying it?

On WLC OS version 7.5 I don't see a way to set it up. Is there a walk-through kind of document?

I don't use LDAP but rather use PEAP with a RADIUS server. EAP-TLS is a good authentication method but requires certificates on both the RADIUS server and the clients. You can look at doing local EAP on the WLC. As far as restricting traffic, you will be better off creating ACLs on your layer 3 interface.

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

blenka (Level 3)

Implementing RADIUS-based authentication is the best practice for small and enterprise environments.

Information About RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol that provides centralized security for users attempting to gain management access to a network. It serves as a backend database similar to local and TACACS+ and provides authentication and accounting services:

•Authentication—The process of verifying users when they attempt to log into the controller.

Users must enter a valid username and password in order for the controller to authenticate users to the RADIUS server. If multiple databases are configured, you can specify the sequence in which the backend databases must be tried.

•Accounting—The process of recording user actions and changes.

Whenever a user successfully executes an action, the RADIUS accounting server logs the changed attributes, the user ID of the person who made the change, the remote host where the user is logged in, the date and time when the command was executed, the authorization level of the user, and a description of the action performed and the values provided. If the RADIUS accounting server becomes unreachable, users are able to continue their sessions uninterrupted.

RADIUS uses User Datagram Protocol (UDP) for its transport. It maintains a database and listens on UDP port 1812 for incoming authentication requests and UDP port 1813 for incoming accounting requests. The controller, which requires access control, acts as the client and requests AAA services from the server. The traffic between the controller and the server is encrypted by an algorithm defined in the protocol and a shared secret key configured on both devices.

You can configure multiple RADIUS accounting and authentication servers. For example, you may want to have one central RADIUS authentication server but several RADIUS accounting servers in different regions. If you configure multiple servers of the same type and the first one fails or becomes unreachable, the controller automatically tries the second one, then the third one if necessary, and so on.

For more Information : http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_security_sol.html#wp2149947
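The two RADIUS points raised in this thread, that 802.1X on the WLC needs a RADIUS server (Scott's accepted answer) and that the controller and server protect their traffic with a shared secret on UDP 1812 (the configuration-guide text blenka pasted), can be seen concretely with a small stand-alone Python model of one Access-Request/Access-Accept exchange. This is an added example, not Cisco code and not from any of the posters; it uses only the standard library and implements RFC 2865 User-Password hiding, the RFC 2865 Response Authenticator and the RFC 2869 Message-Authenticator that is mandatory on EAP (802.1X) requests. The user name, password, NAS address and secrets are constructed sample values.

```python
"""RADIUS Access-Request/Accept over a shared secret (RFC 2865/2869), stdlib only.
Added example for this thread, not Cisco code; all names and secrets are constructed."""
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80

def tlv(attr_type, value):
    """One attribute: Type(1) Length(1, incl. header) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def iter_attrs(pkt):
    """Yield (offset, type, value) for each attribute after the 20-byte header."""
    i = 20
    while i < len(pkt):
        attr_type, length = pkt[i], pkt[i + 1]
        yield i, attr_type, pkt[i + 2:i + length]
        i += length

def parse_attrs(pkt):
    return {t: v for _, t, v in iter_attrs(pkt)}

def hide_password(secret, request_auth, password):
    """RFC 2865 5.2: pad to 16-byte blocks; c(i) = p(i) XOR MD5(secret + c(i-1)),
    with c(0) = Request Authenticator. Only this one attribute is hidden."""
    padded = password + b"\x00" * (-len(password) % 16) if password else b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(secret, request_auth, hidden):
    """Inverse of hide_password; strips the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(secret, ident, request_auth, username, password, nas_ip):
    """WLC side: hide the password, then add Message-Authenticator =
    HMAC-MD5(secret, whole packet with that attribute's value zeroed)."""
    attrs = (tlv(USER_NAME, username.encode())
             + tlv(USER_PASSWORD, hide_password(secret, request_auth, password.encode()))
             + tlv(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + tlv(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac   # Message-Authenticator is the last attribute

def verify_message_authenticator(secret, pkt):
    """Server side: recompute the HMAC over the packet with the value zeroed."""
    for off, attr_type, value in iter_attrs(pkt):
        if attr_type == MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:off + 2] + b"\x00" * 16 + pkt[off + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False   # RFC 2869: EAP requests without it are discarded

def build_response(secret, code, request):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+secret)."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def verify_response(secret, request, response):
    """WLC side: a reply forged without the secret fails this check."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:20])

def radius_server(secret, users, request):
    """Toy server: check Message-Authenticator, recover the password, answer."""
    if not verify_message_authenticator(secret, request):
        return None   # silently discarded, per RFC; a secret mismatch ends up here
    attrs = parse_attrs(request)
    password = reveal_password(secret, request[4:20], attrs[USER_PASSWORD]).decode()
    code = ACCESS_ACCEPT if users.get(attrs[USER_NAME].decode()) == password else ACCESS_REJECT
    return build_response(secret, code, request)

def demo(client_secret, server_secret, password="Wlan-Pass1"):
    """One exchange; returns 'accept', 'reject', 'discarded' or 'bad-response'."""
    users = {"alice": "Wlan-Pass1"}                 # constructed sample user database
    request_auth = os.urandom(16)                   # fresh per request
    req = build_access_request(client_secret, 7, request_auth, "alice", password, "10.0.0.5")
    resp = radius_server(server_secret, users, req)
    if resp is None:
        return "discarded"
    if not verify_response(client_secret, req, resp):
        return "bad-response"
    return "accept" if resp[0] == ACCESS_ACCEPT else "reject"
```

Running `demo(b"s3cret", b"s3cret")` returns `accept`, a wrong password returns `reject`, and a shared secret that differs between the WLC and the server returns `discarded`: the server never answers, so a mistyped secret shows up on the controller as a RADIUS timeout and server marked unreachable, not as an Access-Reject. Two caveats the pasted guide text glosses over: only the User-Password attribute is hidden, and User-Name, NAS-IP-Address and every other attribute travel in the clear (`parse_attrs(req)[USER_NAME]` is readable without the secret), and the hiding is MD5-based, so the secret should be long and random and the path between controller and server should be a trusted management network or RadSec. With PEAP or EAP-TLS the user credential is never in User-Password at all; it is carried inside the TLS tunnel in EAP-Message attributes, which is why the Message-Authenticator check above is mandatory for those requests.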
