network770
Beginner

wireless controller 5508 authentication to AD server

We just got a new 5508 wireless controller and the question we have is: can we get wireless users to authenticate to an Active Directory server to get access to the network? I know we can get the authentication done with an RSA server, but what about plain AD?

What's the process to do that?

9 REPLIES
Scott Fella
Hall of Fame Guru

Well, you can do LDAP or, even better, use a RADIUS server. If you're a Microsoft shop, just bring up an IAS or NPS RADIUS server. This will allow you to use 802.1X authentication using either PEAP or EAP-TLS. The only other requirement is either a server-side certificate (PEAP) or a server and client-side certificate (EAP-TLS).

Sent from Cisco Technical Support iPad App

-Scott
*** Please rate helpful posts ***

Hi Scott,

I read in a document that this can be done directly with the AD; however, our main concern is that we don't want to do any adjustment on the client side, as they have different platforms and we have a large number of clients.

When doing it through IAS, will we avoid adjusting the client side?

Thanks

There are multiple deployment scenarios possible; it depends on what security you need for those clients.

For webauth, with an open network or L2 security, use RADIUS auth (no dot1x) with PAP/CHAP/MD5 on the auth server for webauth. The client just needs a web browser.

Configuring LDAP on the WLC also works with AD or any LDAP server for webauth.

We need the user to use his Active Directory username and password, but it is really important not to make adjustments on the client side.

Can we accomplish this by integrating the WLC with our AD?

Thanks

Yes.

Web Authentication Using LDAP on Wireless LAN Controllers (WLCs) Configuration Example

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a03e09.shtml

Wireless LAN Controller Web Authentication Configuration Example

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml
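As an added illustration of the web-auth-over-LDAP setup those two documents describe (example configuration, not taken from the thread or the linked pages): the WLC CLI commands that define an AD domain controller as an LDAP server and point a WLAN's web auth at it. Lines starting with `!` are annotations, not WLC commands; the DC address, DNs, WLAN ID and service account are placeholders to replace with your own values.

```text
! Added example; values in <angle brackets> are placeholders.

! 1. Define the LDAP server: index, DC address, port, user search base,
!    the attribute the typed username is matched against, and the object type.
config ldap add 1 <dc-ip> 389 CN=Users,DC=example,DC=local sAMAccountName Person

! 2. AD normally refuses anonymous searches, so bind with a low-privilege,
!    read-only service account; it only needs to look up the user's DN,
!    after which the WLC binds as that user with the password typed in the portal.
config ldap simple-bind authenticated 1
config ldap simple-bind username 1 CN=wlc-ldap,CN=Users,DC=example,DC=local
config ldap simple-bind password 1 <service-account-password>
config ldap enable 1

! 3. Attach the server to the WLAN and make web auth consult LDAP first.
config wlan disable <wlan-id>
config wlan ldap add <wlan-id> 1
config wlan security web-auth enable <wlan-id>
config wlan security web-auth server-precedence <wlan-id> ldap
config wlan enable <wlan-id>

! 4. Verify the server is up, then watch the bind/search counters while a test user logs in.
show ldap summary
show ldap 1
show ldap statistics
```

Plain simple binds on port 389 carry the bind-account and user passwords unencrypted between the WLC and the DC, so keep that path on a trusted management segment or enable TLS to the LDAP server on releases that support it (`config ldap secure`); give the bind account no rights beyond directory read.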

Thanks for your support,

However, can this be done using a pop up username and password prompt instead of web authentication?

If you prefer user authentication instead of webauth, then 802.1X needs to be used. In that case you can use the wireless client supplicant to enter the user credentials; the WLC contacts the AAA server for auth, and LDAP can be used as the database server.

But in this case (802.1X), do I have to adjust profile settings, or does the user only enter his username and password in the prompt?

You shouldn't have to adjust any settings. Most supplicants are smart enough to pick out the encryption type.

The only problem you may have is if the device doesn't trust the certificate authority that granted your AAA server the rights to authenticate.

But if these are domain machines that shouldn't be an issue.

If you are looking for more of a BYOD or guest solution, then webauth with a PSK would be the way to go.

Steve

Sent from Cisco Technical Support iPhone App

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered