09-12-2012 07:22 PM - edited 07-03-2021 10:39 PM
We just got a new 5508 wireless controller and the question we have is : can we get wireless users to authenticate to an Active Directory server to get access to the network? I know we can get the authentication done with an RSA server, but what about plain AD?
What's the process to do that?
09-12-2012 07:38 PM
Well, you can do LDAP or, even better, use a RADIUS server. If you're a Microsoft shop, just bring up an IAS or NPS RADIUS server. This will allow you to use 802.1X authentication using either PEAP or EAP-TLS. The only other requirement is either a server-side certificate (PEAP) or a server and client-side certificate (EAP-TLS).
Sent from Cisco Technical Support iPad App
10-27-2012 02:48 AM
Hi Scott,
I read in a document that this can be done directly with the AD, however our main concern is that we don't want to do any adjustment on the client side as they have different platforms and we have a large number of clients.
When doing it through IAS, will we avoid adjusting at the client side?
Thanks
10-27-2012 08:22 AM
There are multiple deployment scenarios possible; it depends on what security you need for those clients.
For webauth, with an open network or L2 security, use RADIUS auth (no dot1x) with PAP/CHAP/MD5 on the auth server for webauth. The client just needs a web browser.
Configuring LDAP on the WLC also works with AD or any LDAP server for webauth.
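The RADIUS (no dot1x) path above and Scott's NPS suggestion both rest on the same RFC 2865 exchange: the WLC acts as the NAS and sends an Access-Request whose User-Password is obfuscated with the shared secret, and the server answers with an Access-Accept or Access-Reject whose Response Authenticator the WLC must verify. The following is an added illustration, not code from the thread, Cisco or Microsoft; the shared secret, user database, NAS address and packet identifier are constructed sample values. It also shows the symptom of the most common WLC-to-RADIUS misconfiguration, a mismatched shared secret, which surfaces as an unverifiable reply rather than a clean reject.

```python
"""RADIUS PAP Access-Request / Access-Accept exchange per RFC 2865.
Added illustration: the NAS role stands in for the WLC, the server role for
an NPS/IAS box checking the user against a directory. The shared secret,
usernames, passwords and NAS address are all constructed sample values."""
import hashlib
import hmac
import os
import struct

CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT, CODE_ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

SECRET = b"constructed-shared-secret"    # must match on the WLC and the server
DIRECTORY = {b"alice": b"Passw0rd!"}    # constructed stand-in for the AD user database


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pap_encrypt(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block); the first block is keyed with the Request
    Authenticator. This is obfuscation, not encryption: anyone holding the
    shared secret reverses it, which is one reason 802.1X is preferred."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def pap_decrypt(cipher, secret, request_auth):
    """Inverse of pap_encrypt; trailing NUL padding is stripped."""
    if not cipher or len(cipher) % 16:
        raise ValueError("User-Password length must be a multiple of 16")
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        out += _xor(cipher[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def _pack_attrs(pairs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def _parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(username, password, secret, nas_ip, ident):
    """NAS side (the WLC): a fresh random 16-byte Request Authenticator per request."""
    request_auth = os.urandom(16)
    attrs = _pack_attrs([
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, pap_encrypt(password, secret, request_auth)),
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def server_handle(request, secret, directory):
    """Server side: recover the password, check it against the directory, and
    sign the reply: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = dict(_parse_attrs(request[20:length]))
    ok = False
    if code == CODE_ACCESS_REQUEST and ATTR_USER_PASSWORD in attrs:
        try:
            supplied = pap_decrypt(attrs[ATTR_USER_PASSWORD], secret, request_auth)
            expected = directory.get(attrs.get(ATTR_USER_NAME, b""))
            ok = expected is not None and hmac.compare_digest(expected, supplied)
        except ValueError:
            ok = False
    reply_code = CODE_ACCESS_ACCEPT if ok else CODE_ACCESS_REJECT
    header = struct.pack("!BBH", reply_code, ident, 20)  # no reply attributes
    response_auth = hashlib.md5(header + request_auth + secret).digest()
    return header + response_auth


def nas_verify_response(response, request, secret):
    """NAS side: trust only a reply whose Response Authenticator checks out.
    Returns True (accept), False (reject) or None (unverifiable reply)."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length > len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20]
                           + response[20:length] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code == CODE_ACCESS_ACCEPT


def demo(username, password, nas_secret=SECRET, server_secret=SECRET):
    """Run one exchange. A secret mismatch between WLC and server shows up
    as an unverifiable reply (None), not as a plain reject (False)."""
    request = build_access_request(username, password, nas_secret, "10.0.0.5", 7)
    response = server_handle(request, server_secret, DIRECTORY)
    return nas_verify_response(response, request, nas_secret)
```

`demo(b"alice", b"Passw0rd!")` returns True, a wrong password or unknown user returns False, and passing a different `nas_secret` than `server_secret` returns None, which is what a WLC logs as an authentication timeout or bad response when the secrets disagree. The password check here is a plaintext comparison against a constructed dictionary; a real NPS validates the PAP credential against AD, which is only possible because PAP delivers the cleartext password to the server, another reason the 802.1X options later in the thread are the stronger choice.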
10-28-2012 01:56 AM
We need the user to use his Active Directory username and password, but it is really important to not do adjustment on the client side.
Can we accomplish this by integrating the WLC with our AD?
Thanks
10-28-2012 01:59 PM
Yes.
Web Authentication Using LDAP on Wireless LAN Controllers (WLCs) Configuration Example
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a03e09.shtml
Wireless LAN Controller Web Authentication Configuration Example
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml
10-29-2012 07:45 AM
Thanks for your support,
However, can this be done using a pop up username and password prompt instead of web authentication?
10-29-2012 02:12 PM
If you prefer user authentication instead of webauth, then 802.1X needs to be used. In that case you can use the wireless client supplicant to enter the user credentials, where the WLC contacts the AAA server for auth, and LDAP can be used as the database server.
10-29-2012 04:51 PM
But in this case (802.1X) do I have to adjust profile settings, or can the user only enter his username and password in the prompt?
10-29-2012 06:23 PM
You shouldn't have to adjust any settings. Most supplicants are smart enough to pick out the encryption type.
The only problem you may have is if the device doesn't trust the certificate authority that granted your AAA server the rights to authenticate.
But if these are domain machines that shouldn't be an issue.
If you are looking for more of a BYOD or guest solution, then webauth with a PSK would be the way to go.
Steve
Sent from Cisco Technical Support iPhone App