1078 Views, 0 Helpful, 14 Replies

LDAP client auth

Joe Clark
Level 1

I've searched the internet but the examples I've found use certificates or web auth.  I'm trying to get users to authenticate using their LDAP credentials on a new SSID.

I have the LDAP server set up on the controller but I'm still having troubles getting authentication to work.

I'd like to bypass using ACS and have the controller talk directly to the LDAP server.

In our environment we have the following:

Two WiSM controllers in separate data centers

4402 guest controller (in production now)

5508 guest controller (being installed now)

All controllers running 7.0.235.3

ACS 4.2

NCS 1.1.1.24


14 Replies

Stephen Rodriguez
Cisco Employee

So you are looking at the guides for Local EAP?  or is this for guest users?

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

These will be contractors that are BYOD but do have AD login credentials.

So you have the WLC configured for Local EAP/PEAP?

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

I have the LEAP profile set up and chosen on the WLAN tab.

I would set it for PEAP vs LEAP.  Not all supplicants support LEAP and it's vulnerable.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Do you have a link or anything about setting that up?  Does it require certs?

you should just need to check the PEAP box and not the LEAP box.

as for certs, just on the WLC and it will be there already.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

So then I have to choose "

not required...those are for TLS.  so you should be able to uncheck those boxes

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

They were unchecked...

Here is what I have:

L2 security

WPA+WPA2 selected.

Checkbox for WPA2 policy WPA2 encryption AES

Auth Key Mgmt 802.1X

AAA Server tab

LDAP server selected

Local EAP Authentication checked

EAP Profile Name - Test

Local EAP Profile - Test

PEAP checked, nothing else

Authentication Priority - LDAP

Is there anything else I'm missing?

that should do. on the client make sure you uncheck the box to 'validate server certificate' as well.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

I think I got it... had to set up the network profile in Windows.

I'm a total n00b at this so thanks for your help!
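Steve's advice to uncheck "validate server certificate" on the client, together with Joe's note that a Windows network profile had to be created, is worth checking afterwards: with validation off, the supplicant will complete the PEAP tunnel with any access point broadcasting that SSID, whatever certificate it presents, and the user's AD credentials go through that tunnel. The script below is an added example, not code from this thread, from Cisco or from Microsoft. It parses a Windows WLAN profile of the kind `netsh wlan export profile` writes and flags PEAP profiles whose server validation is disabled or left unconstrained. The SSID name, server name and CA thumbprint in the constructed sample are placeholders, and the sample profile is trimmed to the elements the check reads.

```python
"""Flag Windows WLAN (PEAP) profiles whose server-certificate validation is off.

Added example for this thread; not Cisco or Microsoft code. It reads the XML
format produced by `netsh wlan export profile name="..." folder=...` and reports
PEAP settings that let the supplicant finish the TLS tunnel without checking
which RADIUS server / controller it is talking to.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional


def make_profile(validate: bool, server_names: str = "", ca_thumbprint: str = "") -> str:
    """Build a constructed, trimmed WLAN profile for exercising the audit.

    Real exports carry more elements (SSIDConfig, EapMethod, the inner EAP
    type); only the parts the audit reads are kept. The SSID, server name and
    thumbprint are placeholders, not values from any real network.
    """
    ca = f"<TrustedRootCA>{ca_thumbprint}</TrustedRootCA>" if ca_thumbprint else ""
    return f"""<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CONTRACTOR-SSID</name>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>25</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
            <ServerValidation>
              <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
              <ServerNames>{server_names}</ServerNames>
              {ca}
            </ServerValidation>
            <PeapExtensions>
              <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">{str(validate).lower()}</PerformServerValidation>
            </PeapExtensions>
          </EapType>
        </Eap>
      </Config></EapHostConfig>
    </EAPConfig></OneX>
  </security></MSM>
</WLANProfile>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace from a tag: '{ns}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def _first_text(root: ET.Element, name: str) -> Optional[str]:
    """Text of the first element with local name `name`, None if absent."""
    for el in root.iter():
        if _local(el.tag) == name:
            return (el.text or "").strip()
    return None


def audit_profile(xml_text: str) -> List[str]:
    """Return a list of findings; an empty list means the PEAP profile pins a CA,
    checks the server name and has server validation switched on."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    if (_first_text(root, "useOneX") or "").lower() != "true":
        return ["profile does not use 802.1X; nothing to check"]
    eap_type = _first_text(root, "Type")  # outer EAP method; 25 = PEAP
    if eap_type != "25":
        return [f"outer EAP type is {eap_type}, not PEAP (25); audit covers PEAP only"]
    perform = (_first_text(root, "PerformServerValidation") or "").lower()
    if perform != "true":
        return ["PerformServerValidation is not 'true': the supplicant will build the "
                "PEAP tunnel with any AP broadcasting this SSID, whatever cert it shows"]
    if not _first_text(root, "TrustedRootCA"):
        findings.append("no TrustedRootCA pinned: any CA in the machine store is accepted")
    if not _first_text(root, "ServerNames"):
        findings.append("ServerNames is empty: the certificate subject is not checked")
    return findings


if __name__ == "__main__":
    for label, profile in [
        ("validation unchecked", make_profile(False)),
        ("validation on, unconstrained", make_profile(True)),
        ("validation on, CA and name pinned",
         make_profile(True, "wlc.example.net", "00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33")),
    ]:
        print(f"{label}: {audit_profile(profile) or ['ok']}")
```

To audit a real machine, export the profile with `netsh wlan export profile name="<SSID>" folder=C:\temp` and pass the file contents to `audit_profile`; the three constructed cases in the `__main__` block show what an unchecked profile, a partially hardened one and a pinned one look like to the check.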

no worries, that's why we are here!

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Ok, so now the problem I ran into is that when I change priority order -> local auth to LDAP, it breaks our 7925 wifi phones.  Even if I have LDAP and Local in the box, if I change the order to LDAP/Local it breaks the phones but LDAP works.  If I change it to Local/LDAP the phones work again but LDAP doesn't.

The phones are using EAP-Fast.  Any ideas?  Do I need to change the auth method of the phones?
