GUI/CLI Access Authentication with 9800 WLC using LDAP

toy.thompson
Level 2

Can I use LDAP to access the 9800 GUI / CLI?

5 Replies

Max Jobs
Level 3

Hi Toy,

Yes, you can configure LDAP authentication for accessing both the GUI and CLI on a Cisco Catalyst 9800 Series Wireless Controller.

Configure LDAP Server:

aaa group server ldap LDAP_SERVER
  server X.X.X.X
  ldap attribute-map MY_LDAP_MAP

Define LDAP Attribute Map:

ldap attribute-map MY_LDAP_MAP
  map-name  memberOf IETF-Radius-Service-Type
  map-value memberOf "CN=Admins,CN=Groups,DC=example,DC=com" Admin

In this example, the attribute map MY_LDAP_MAP maps the LDAP attribute memberOf to the local role Admin for users who are members of the LDAP group CN=Admins,CN=Groups,DC=example,DC=com.

Enable AAA Authentication:

aaa new-model
aaa authentication login LDAP_AUTH group LDAP_SERVER local

Apply AAA Authentication to GUI/CLI:

*** Example for GUI
ip http authentication aaa

*** Example for CLI
line vty 0 4
  login authentication LDAP_AUTH

Hope it fits your request.

Thanks for the feedback, I will try it and provide feedback. I see you don't have any authorization method, only authentication; I assume it will retrieve the relevant authorization level from the local Admin role, and the attribute map will be similar for the local LobbyAdmin role.

Max Jobs
Level 3

Thank you, this is a trick to figure out whether the service is working or not, without getting into the security stuff.

Are you sure it works for CLI, @Max Jobs?
Is this wrong?
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/config-guide/b_wl_17_12_cg/m_secure_ldap.html

Restrictions for Configuring SLDAP

- LDAP authentication is not supported for interactive (terminal) sessions.


Do you perhaps have a more detailed explanation for the use of these commands:

Device(config-ldap-server)# bind authenticate root-dn CN=ldapipv6user,CN=Users,DC=ca,DC=ssh2,DC=com password Cisco12345
Device(config-ldap-server)# base-dn CN=Users,DC=ca,DC=ssh2,DC=com

specifically around the user and user groups that will be authenticated.
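To show what the two commands above ask the controller to do, here is an added example (not code from the thread, from Cisco, or from the 9800 software): a small offline model of the search-then-bind sequence. The `bind authenticate root-dn ... password ...` DN is the service account the controller binds as before it knows anything about the user; it only needs read access to search. `base-dn` is the subtree the controller searches for the user's entry. The controller then binds a second time as the DN it found, with the password the user typed, and evaluates group membership against the attribute map. The directory contents, the `svc-wlc` service account, the login names, the `sAMAccountName` lookup and the group-to-role table (`Admin`, `LobbyAdmin`) are all constructed assumptions; DN comparison is a simplified normalized-string match, and a real directory server never returns passwords.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed toy directory: DN -> attributes. Passwords are stored here only
# because this is a simulation of the bind checks; a real LDAP server does the
# comparison internally and never discloses the stored credential.
DIRECTORY = {
    "cn=svc-wlc,cn=users,dc=example,dc=com": {
        "userPassword": "svc-secret",       # assumed service-account secret
        "sAMAccountName": "svc-wlc",
        "memberOf": [],
    },
    "cn=alice,cn=users,dc=example,dc=com": {
        "userPassword": "alice-pw",
        "sAMAccountName": "alice",
        "memberOf": ["CN=Admins,CN=Groups,DC=example,DC=com"],
    },
    "cn=bob,cn=users,dc=example,dc=com": {
        "userPassword": "bob-pw",
        "sAMAccountName": "bob",
        "memberOf": ["CN=Lobby,CN=Groups,DC=example,DC=com"],
    },
    # Same login name as alice, but OUTSIDE the CN=Users subtree: a search
    # scoped by base-dn CN=Users,... must never pick this entry up.
    "cn=alice,ou=contractors,dc=example,dc=com": {
        "userPassword": "other-pw",
        "sAMAccountName": "alice",
        "memberOf": ["CN=Admins,CN=Groups,DC=example,DC=com"],
    },
}

# Assumed attribute map: group DN -> controller role, in the spirit of the
# memberOf map-value line in the first reply. Role names are illustrative.
ATTRIBUTE_MAP = {
    "cn=admins,cn=groups,dc=example,dc=com": "Admin",
    "cn=lobby,cn=groups,dc=example,dc=com": "LobbyAdmin",
}


def norm(dn: str) -> str:
    """Case- and whitespace-insensitive comparison form of a DN (simplified)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def bind(dn: str, password: str) -> bool:
    """Simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(norm(dn))
    return entry is not None and entry["userPassword"] == password


def search(base_dn: str, login: str) -> Optional[str]:
    """Subtree search under base_dn for sAMAccountName=login; DN or None."""
    base = norm(base_dn)
    for dn, attrs in DIRECTORY.items():
        in_subtree = dn == base or dn.endswith("," + base)
        if in_subtree and attrs["sAMAccountName"] == login:
            return dn
    return None


@dataclass
class Result:
    ok: bool
    reason: str
    user_dn: Optional[str] = None
    role: Optional[str] = None


def authenticate(root_dn: str, root_pw: str, base_dn: str,
                 login: str, password: str) -> Result:
    """Model of the controller's login flow for one user."""
    # Phase 1: bind as the service account from 'bind authenticate root-dn'.
    # If this fails, every login fails, regardless of the user's credentials.
    if not bind(root_dn, root_pw):
        return Result(False, "root-dn bind failed")
    # Phase 2: locate the user's entry, restricted to the 'base-dn' subtree.
    user_dn = search(base_dn, login)
    if user_dn is None:
        return Result(False, "user not found under base-dn")
    # Phase 3: re-bind as the located user with the password typed at login.
    if not bind(user_dn, password):
        return Result(False, "user bind failed", user_dn)
    # Phase 4: derive the role from memberOf via the attribute map; a user
    # who authenticates but matches no mapped group gets no access.
    for group in DIRECTORY[user_dn]["memberOf"]:
        role = ATTRIBUTE_MAP.get(norm(group))
        if role:
            return Result(True, "ok", user_dn, role)
    return Result(False, "authenticated but no mapped group", user_dn)


if __name__ == "__main__":
    ROOT_DN = "CN=svc-wlc,CN=Users,DC=example,DC=com"
    BASE_DN = "CN=Users,DC=example,DC=com"
    for login, pw in [("alice", "alice-pw"), ("bob", "bob-pw"),
                      ("alice", "other-pw"), ("carol", "x")]:
        print(login, authenticate(ROOT_DN, "svc-secret", BASE_DN, login, pw))
```

Two practical points follow from the model: the root-dn account should be a low-privilege, read-only service account, because its password sits in the controller configuration and is presented to the directory on every login; and base-dn should be as narrow as the user population allows, since every entry under it with a matching login name becomes a candidate for authentication.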
