LDAP authentication through a web page

TrickTrick · ‎06-21-2018

Hi everybody,

It seems easy, but I find some difficulties to make it work, I'm trying to configure the WLC to let people get access to the network by using their LDAP credentials

I configured a WLAN as follows :

interface : Management

security :

Layer 2 : None

Layer 3 : Web policy ( Authentication)

Over-ride Global Config : Enable

Web Auth type : Internal (I want to change it after to use a customized page, not that important for now)

AAA servers :

everything on default except for LDAP server I have the IP address there and authentication using local and LDAP only

EAP profile : EAP (created)

somehow I can't see any WLAN using my laptop ( I was able before doing these modifications) , and by using my phone it worked but the login is always incorrect even when using the correct username and password in the OU defined in the LDAP menu

DO you have guys any input, what's the correct setup to follow to make it work

I followed btw this guide (Create WLAN That Relies On LDAP Server To Authenticate Users Through Internal WLC Web Portal) : https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/211277-WLC-with-LDAP-Authentication-Configurati.html

Infos : WLC : 2504

AP: AIR-AP1832I-E-K9

Thanks

Sandeep Choudhary · ‎06-21-2018

please go through this guide:

https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/108008-ldap-web-auth-wlc.html

Regards

Dont forget to rate helpful posts

TrickTrick · ‎06-22-2018

Thanks for this guide, the guide I posted in the OP is almost like this one, the problem is the same, always an Error during the authentication ... no account is accepted from the OU defined.. what could be the issue? . the guy controlling AD is telling me that the OU is defined correctly

patoberli · ‎06-22-2018

Is the WLC allowed to authenticate users in the AD?
Depending on the AD version, the WLC has to get some additional permissions to authenticate users on behalf (I think 'enumeration' is the keyword).

TrickTrick · ‎06-28-2018

honestly i'm not sure about this particular part, since i'm not controlling it, I want to be sure what exactly I should need to do at the WLC level
I did exactly what is mentioned here : https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/108008-ldap-web-auth-wlc.html

I can say that the controller is well configured ? it's maybe something at the LDAP server level ?

patoberli · ‎06-28-2018

Yes, the LDAP server also needs to be configured correctly. The user that you are using for the authentication needs access on the AD server to authenticate other users on his behalf. I think this part here is very important and so is the next chapter: https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/108008-ldap-web-auth-wlc.html#anc20

In any case, I'd suggest you install a radius server and use radius for the user authentication.

TrickTrick · ‎06-28-2018

yeah, it seems something is messed up there, some connections aren't established correctly ...here some logs messages confirming this while i'm using correct credentials

*ewmwebWebauth1: Jun 28 15:19:41.072: %LOG-3-Q_IND: ldap_db.c:1082 Could not connect to LDAP server 1, reason: 49 (Invalid credentials).[...It occurred 2 times.!]
*LDAP DB Task 1: Jun 28 15:19:40.108: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1082 Could not connect to LDAP server 1, reason: 49 (Invalid credentials).
*ewmwebWebauth1: Jun 28 15:02:22.747: %LOG-3-Q_IND: ldap_db.c:1082 Could not connect to LDAP server 1, reason: 49 (Invalid credentials).[...It occurred 2 times.!]
*LDAP DB Task 1: Jun 28 15:02:21.784: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1082 Could not connect to LDAP server 1, reason: 49 (Invalid credentials).

patoberli · ‎06-28-2018

What messages do you see on your ldap server in the logs?

TrickTrick · ‎06-28-2018

Solved! It was an autentication protocol problem between LDAP and WLC, we had to use PAP as an authentication protocol, I honestly didn't check this before and never had the idea to check it :/