WLC 4400: Web Authentication Using LDAP

Jaaazman777
Level 1

Hello!

Dear all, I have some problems integrating a WLC 4400 with AD using LDAP.

The WLC LDAP server and the WLAN for web authentication are configured according to

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a03e09.shtml#C2

When I connect to the SSID, the laptop is given an IP address, and then I can see the web page with

login and password - it seems to be OK, but when I enter the login and password it tells me that

it's incorrect.

The attributes of the LDAP server:

Server Address                              *.*.*.*

Port Number                                 389

User Base DN                                ou=ORG,dc=domain,dc=local

User Attribute                              userPrincipalName

User Object Type                            Person

The test user is located in the AD folder ORG, but this folder also contains a lot of subtrees.

I have some questions:

1) Is it obligatory to use the value "Authenticated" in the Simple Bind option, or can it be Anonymous?

2) Is the controller capable of searching for users located in User Base DN subtrees?

Here is some debug from the controller:

667: LDAP_CLIENT: UID Search (base=.....

669: LDAP_CLIENT: ldap_search_ext_s returns 0 85

669: LDAP_CLIENT: Returned 1 msgs including 0 references

669: LDAP_CLIENT: Returned msg 1 type 0x65

669: LDAP_CLIENT : No matched DN

669: LDAP_CLIENT : Check result error 0 rc 1013

669: LDAP_CLIENT: Received no referrals in search result msg

669: LDAP_CLIENT: Received 1 attributes in search result msg

669: ldapAuthRequest [1] called lcapi_query base="ou=ORG,dc=domain,dc=local" type="Person" attr="userPrincipalName" user="test@domain.local" (rc = 0 - Success)

669: Handling LDAP response Authentication Failed

670: 00:1d:e0:a1:73:2f Returning AAA Error 'Authentication Failed' (-4) for mobile *MAC-address*

670: AuthorizationResponse: 0x31b6e2d0

6 Replies

Nicolas Darchis
Cisco Employee

Is your AD domain really "domain.local"?

To reply to your questions:

1) It can be anonymous if you configured your AD to accept anonymous binding, which is not the default behavior if I have a good memory.

2) Yes, it searches subtrees.

Did you type "test@domain.local" in the login page? Try simply "test". Since you configured your base DN to be the ORG OU on domain.local, that's where the AD will search, so there is no need to specify the domain.

Nicolas

Thank you for your answers, Nicolas Darchis!

"All the characters are fictional" =)

About the login... I think that when we use sAMAccountName we just need to type in the login, whereas userPrincipalName requires typing the whole domain name.

Anyway, I tried a lot of variants, but nothing worked out.

What about the debug? What can "LDAP_CLIENT : No matched DN" mean?

It says that AD returns "user not found".

By the way, where is your admin account located? The one you are authenticating with?

Can you post the complete LDAP configuration with the admin user as well?

Note that the admin has to be under the same base DN as your search DN (so it has to be under ORG too).

In such situations, I usually download Softerra LDAP Browser and connect to the AD from my laptop via LDAP. I use the same config as on the WLC to connect (admin username), and then I do a search. It's often a small typo that makes it not work.

A sniffer trace of the LDAP traffic also sometimes helps to determine whether the problem is with the admin user authentication or with the search itself.

Nicolas Darchis, thank you very much for your advice!

Yes, my admin account is located in the same Base DN.

Server Address                      *.*.*.*

Port Number                         389

Bind Username                       admin

Bind Password                       ***

Confirm Bind Password               ***

User Base DN                        ou=ORG,dc=domain,dc=local

User Attribute                      userPrincipalName

User Object Type                    Person

I'll try to use the LDAP browser; I hope it'll be helpful.

Dear Nicolas!

Thank you very much for your advice!

Everything works now!

I tested the settings with the help of the LDAP browser, and then applied them to the controller.

Final WLC Ldap-server settings:

Simple Bind -  (Anonymous doesn't work)
Bind Username - the user must be created in User Base DN folder (ex. OU=ORG)
User Base DN -  the core OU, that contains all users (ex. )
User Attribute - there can be two variants:
- sAMAccountName -
- userPrincipalName - <user1@domain.local>
User Object Type -
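The sequence Nicolas describes (bind with the admin account, search under the User Base DN, then check the user's password) and the final settings above can be modelled offline. The following is an added example, not code from the thread, Cisco or the WLC: it runs the same three steps against a small constructed in-memory directory (the DNs, passwords and the "svc" account are invented sample values) so you can see why a login that does not match the configured User Attribute ends in "No matched DN", why the bind user has to sit under the User Base DN, and that the search does cover subtrees of the base DN.

```python
# Added example (not from the thread): an offline model of the LDAP steps a
# WLC performs for web auth, run against a small constructed directory.
from typing import Dict, List, Optional

# Constructed directory: DN -> attributes. Passwords are fake sample values.
DIRECTORY: Dict[str, Dict[str, object]] = {
    "cn=admin,ou=ORG,dc=domain,dc=local": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": "admin", "userPrincipalName": "admin@domain.local",
        "password": "AdminPass1",
    },
    "cn=test,ou=Sales,ou=ORG,dc=domain,dc=local": {   # one OU below the base DN
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": "test", "userPrincipalName": "test@domain.local",
        "password": "TestPass1",
    },
    "cn=svc,ou=Other,dc=domain,dc=local": {           # hypothetical account outside ou=ORG
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": "svc", "userPrincipalName": "svc@domain.local",
        "password": "SvcPass1",
    },
}
ALLOW_ANONYMOUS_BIND = False   # mirrors the AD default: anonymous bind cannot search users


def _under(dn: str, base: str) -> bool:
    """True if dn equals base or lies anywhere in its subtree (DNs compared case-insensitively)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def _bind(dn: Optional[str], password: Optional[str]) -> bool:
    """Simple bind: anonymous when dn is None, otherwise verify the entry's password."""
    if dn is None:
        return ALLOW_ANONYMOUS_BIND
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["password"] == password


def build_filter(object_type: str, attribute: str, username: str) -> str:
    """Search filter derived from User Object Type, User Attribute and the typed login."""
    return f"(&(objectClass={object_type})({attribute}={username}))"


def subtree_search(base: str, object_type: str, attribute: str, value: str) -> List[str]:
    """DNs under base whose objectClass and attribute match; matching is case-insensitive."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        classes = [c.lower() for c in attrs["objectClass"]]
        if (_under(dn, base) and object_type.lower() in classes
                and str(attrs.get(attribute, "")).lower() == value.lower()):
            hits.append(dn)
    return hits


def wlc_ldap_auth(cfg: dict, username: str, password: str) -> dict:
    """Model of the controller sequence: bind -> UID search -> bind as the found user."""
    base, attr, otype = cfg["user_base_dn"], cfg["user_attribute"], cfg["user_object_type"]
    # Step 1: bind with the configured credentials (or anonymously).
    if cfg["simple_bind"] == "Anonymous":
        bound = _bind(None, None)
    else:
        # The bind user is looked up under the same base DN, so it must live there.
        admin = subtree_search(base, otype, "sAMAccountName", cfg["bind_username"])
        bound = bool(admin) and _bind(admin[0], cfg["bind_password"])
    if not bound:
        return {"result": "failed", "reason": "bind failed", "filter": None}
    # Step 2: UID search for the login typed on the web-auth page.
    flt = build_filter(otype, attr, username)
    found = subtree_search(base, otype, attr, username)
    if not found:
        return {"result": "failed", "reason": "No matched DN", "filter": flt}
    # Step 3: bind as the matched entry to verify the user's password.
    if not _bind(found[0], password):
        return {"result": "failed", "reason": "invalid credentials", "filter": flt}
    return {"result": "success", "reason": found[0], "filter": flt}


# Two controller configurations: userPrincipalName (login must be user@domain)
# and sAMAccountName (login is the short name), as in the thread's final settings.
CFG_UPN = {"simple_bind": "Authenticated", "bind_username": "admin", "bind_password": "AdminPass1",
           "user_base_dn": "ou=ORG,dc=domain,dc=local", "user_attribute": "userPrincipalName",
           "user_object_type": "Person"}
CFG_SAM = dict(CFG_UPN, user_attribute="sAMAccountName")

if __name__ == "__main__":
    for cfg, login in ((CFG_UPN, "test"), (CFG_UPN, "test@domain.local"), (CFG_SAM, "test")):
        print(cfg["user_attribute"], login, "->", wlc_ldap_auth(cfg, login, "TestPass1"))
```

Running it prints "No matched DN" for the short login under userPrincipalName and success for the other two combinations, which is the same distinction the debug line "LDAP_CLIENT : No matched DN" expresses: the search returned nothing, so the password was never checked. Swapping the bind user for one outside ou=ORG, or switching Simple Bind to Anonymous, fails at step 1 instead, which is what a sniffer trace lets you tell apart from a failing search.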

Jaaazman777 wrote:

Dear Nicolas!

Thank you very much for your advice!

Everything works now!

I tested the settings with the help of the LDAP browser, and then applied them to the controller.

Final WLC Ldap-server settings:

Simple Bind -   (Anonymous doesn't work)
Bind Username - the user must be created in User Base DN folder (ex. OU=ORG)
User Base DN -  the core OU, that contains all users (ex. )
User Attribute - there can be two variants:
- sAMAccountName -
- userPrincipalName - <user1@domain.local>
User Object Type -

I have the same strange problem.

I have WCS and 3 2000 series controllers.

Everything works fine through the LDAP browser, but authentication always gives me an error:

the username and password combination is invalid.

I'm also using WPA2 AES PSK and MAC filtering, in case this may affect anything.
