cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
731
Views
0
Helpful
5
Replies

GUI/CLI Access Authentication with 9800 WLC using LDAP

toy.thompson
Level 1
Level 1

Can I use LDAP to access the 9800 GUI / CLI?

5 Replies 5

Max Jobs
Level 1
Level 1

Hi Toy,

Yes, you can configure LDAP authentication for accessing both the GUI and CLI on a Cisco Catalyst 9800 Series Wireless Controller.

Configure LDAP Server:

 

aaa group server ldap LDAP_SERVER
  server X.X.X.X
  ldap attribute-map MY_LDAP_MAP

 

 

Define LDAP Attribute Map:

 

ldap attribute-map MY_LDAP_MAP
  map-name  memberOf IETF-Radius-Service-Type
  map-value memberOf "CN=Admins,CN=Groups,DC=example,DC=com" Admin

 

In this example, the attribute map MY_LDAP_MAP maps the LDAP attribute memberOf to the local role Admin for users who are members of the LDAP group CN=Admins,CN=Groups,DC=example,DC=com.

 

Enable AAA Authentication:

 

aaa new-model
aaa authentication login LDAP_AUTH group LDAP_SERVER local

 

 

 Apply AAA Authentication to GUI/CLI:

 

*** Example for GUI
ip http authentication aaa

*** Example for CLI
line vty 0 4
  login authentication LDAP_AUTH

 

 

Hope it fits your request.

Thanks for the feedback I will try it and provide feedback....I see you don't have any authorization method only authentication, I assume it will retrieve the relevant authorization level from the local admin role and the attribute map will be similar for local LobbyAdmin role

Max Jobs
Level 1
Level 1

Thank you, this is a trick to figure out the service is working or not, without engaging to security stuffs.

Are you sure it works for CLI @Max Jobs ?
Is this wrong?
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/config-guide/b_wl_17_12_cg/m_secure_ldap.html

Restrictions for Configuring SLDAP

- LDAP authentication is not supported for interactive (terminal) sessions.

Do you perhaps have a more detailed explanation for the use of these commands:

Device(config-ldap-server)# bind authenticate root-dn CN=ldapipv6user,CN=Users,DC=ca,DC=ssh2,DC=com password Cisco12345
Device(config-ldap-server)# base-dn CN=Users,DC=ca,DC=ssh2,DC=com

specifically around the user and user groups that will be authenticated

Review Cisco Networking for a $25 gift card