WLC 5508 LDAP Windows 2008 Server - auth based on AD groups

2colin-cant
Level 1

hi NG,

I'm trying to web-authenticate the Wi-Fi users of a WLC 5508 against LDAP.

Specifically, I'm trying to authenticate all users within a GROUP, not an OU, in the MS Active Directory on a Windows 2008 Server.

I can authenticate a user that has been put into an OU, following the examples found here: https://www.cisco.com/en/US/products/ps6366/prod_configuration_examples_list.html

Checking based on users within OUs works fine.

But I do not have all of those users within one single OU!

I need help with the following: LDAP auth based on AD groups.

Using:

MS-Domain: MY-DOMAIN.CH

AD-GROUP: VPN-USERS

AD-Structure:

MY-DOMAIN.CH
  |
  GROUPS
    |
    Administrative Groups
      |
      VPN-USERS  (members of this group: Wireless1, Wireless2, ...)

-------------------------------------------------------------------

Server Address:        IP.IP.IP.IP
Port:                  389
Enable Server Stats:   YES
Simple Bind:           Authenticated
Bind Username:         LDAP-USER
Bind Password:         supersecret
Bind Password confirm: supersecret
User Base DN:          ?-1-?
User Attribute:        ?-2-?
User Object Type:      Person
Server Timeout:        2

-------------------------------------------------------------------

What happens, for instance, if I put a GROUP within a GROUP with regard to the LDAP authentication?

I guess I have to authenticate against the "upper" GROUP, or do I have to create an entry on the WLC for every GROUP I'm querying?

Could someone provide me with an example, since I have not found any documentation on this topic?

Thank you.

3 Replies

Nicolas Darchis
Cisco Employee

Hi,

User Base DN: this is in case you want to restrict the search area. If you put "dc=mydomain,dc=CH", you will search your whole AD. Depending on the size, it can be slow...

Remember that the User Base DN is also used for the admin user.

In conclusion, the User Base DN should be the most restrictive path that leads to both the admin and the users you want to authenticate.

Example:

OU=Employees,OU=Humans,DC=Mydomain,DC=CH

This would prevent searching in machines or any other assets. It implies that the admin you bind with is an employee and that you are only authenticating employees. You can have any number of OUs under Employees; it doesn't matter.

Attribute: this is the object attribute that the WLC compares with the user name. In general, you would go with sAMAccountName in AD. CN would be another common example for LDAP databases.

If what you are looking for is to restrict access and only authenticate people who belong to a certain group, then you need a RADIUS server like ACS.

That server will be able to make selections and check the "memberOf" attribute to make sure the user is in a certain group.

Nicolas

===

Don't forget to rate answers that you find useful
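The following is an added example (not part of this thread, the WLC or any Cisco product) that models the two flows Nicolas contrasts above in plain Python against a small constructed in-memory directory: the WLC's own find-then-bind, which is scoped by the User Base DN and matched on the User Attribute (sAMAccountName) but never looks at groups, and the memberOf check a RADIUS server such as ACS would add, including resolution of a group nested inside another group (the original poster's question). All DNs, account names, passwords and the "bind" stand-in are assumptions invented for the example; a real LDAP client would do the search and bind over the wire.

```python
"""Constructed model of WLC LDAP find-and-bind versus a RADIUS-style memberOf
check. Every DN, account and password here is made up for the example."""

DOMAIN = "DC=MY-DOMAIN,DC=CH"
GROUPS = "OU=Administrative Groups,OU=GROUPS," + DOMAIN
EMPLOYEES = "OU=Employees,OU=Humans," + DOMAIN        # the User Base DN
VPN_USERS = "CN=VPN-USERS," + GROUPS
CONTRACTORS = "CN=Contractors," + GROUPS             # a group nested in VPN-USERS


def person(name, ou, password, groups):
    """Build one constructed user entry, keyed by its DN."""
    return ("CN=%s,%s" % (name, ou), {"objectClass": "person",
            "sAMAccountName": name, "userPassword": password, "memberOf": groups})


# Constructed directory (DN -> attributes); not a real AD export.
DIRECTORY = dict([
    person("LDAP-USER", "OU=Service," + EMPLOYEES, "supersecret", []),
    person("Wireless1", "OU=Staff," + EMPLOYEES, "w1pass", [VPN_USERS]),
    # Wireless2 is only in Contractors, which is itself a member of VPN-USERS.
    person("Wireless2", "OU=Staff," + EMPLOYEES, "w2pass", [CONTRACTORS]),
    # Wireless3 is in a group that has nothing to do with VPN-USERS.
    person("Wireless3", "OU=Staff," + EMPLOYEES, "w3pass", ["CN=HelpDesk," + GROUPS]),
    # Guest1 is in VPN-USERS but lives outside the Employees subtree.
    person("Guest1", "OU=Guests,OU=Humans," + DOMAIN, "g1pass", [VPN_USERS]),
    (CONTRACTORS, {"objectClass": "group", "memberOf": [VPN_USERS]}),
    (VPN_USERS, {"objectClass": "group", "memberOf": []}),
])


def dn_parts(dn):
    """Split a DN into case-folded RDNs so comparisons are case-insensitive."""
    return [p.strip().lower() for p in dn.split(",")]


def in_scope(dn, base_dn):
    """Subtree scope: the entry's DN must end with the base DN's RDN sequence."""
    d, b = dn_parts(dn), dn_parts(base_dn)
    return len(d) >= len(b) and d[-len(b):] == b


def wlc_find_user(username, base_dn, user_attr="sAMAccountName", object_type="person"):
    """Step 1 of the WLC flow: search under base_dn for an entry of the
    configured object type whose user attribute equals the supplied name."""
    for dn, attrs in DIRECTORY.items():
        if not in_scope(dn, base_dn) or attrs.get("objectClass") != object_type:
            continue
        if attrs.get(user_attr, "").lower() == username.lower():
            return dn
    return None


def wlc_authenticate(username, password, base_dn):
    """WLC-style find-then-bind: accepted as soon as the bind with the found
    DN succeeds. No group membership is evaluated at all."""
    dn = wlc_find_user(username, base_dn)
    if dn is None:
        return False
    return DIRECTORY[dn]["userPassword"] == password  # stand-in for the LDAP bind


def is_member(dn, group_dn, _seen=None):
    """memberOf check with nested-group resolution: follow the entry's groups,
    then each group's own memberOf, so a group inside a group still matches."""
    _seen = set() if _seen is None else _seen
    for g in DIRECTORY.get(dn, {}).get("memberOf", []):
        if g.lower() == group_dn.lower():
            return True
        if g.lower() not in _seen:
            _seen.add(g.lower())
            if is_member(g, group_dn, _seen):
                return True
    return False


def radius_authorize(username, password, base_dn, required_group):
    """What a RADIUS server adds on top of the bind: credentials AND group."""
    dn = wlc_find_user(username, base_dn)
    if dn is None or DIRECTORY[dn]["userPassword"] != password:
        return False
    return is_member(dn, required_group)


if __name__ == "__main__":
    for user, pw in [("wireless1", "w1pass"), ("wireless2", "w2pass"),
                     ("wireless3", "w3pass"), ("guest1", "g1pass")]:
        print("%-10s WLC bind: %-5s  RADIUS+VPN-USERS: %s" % (
            user, wlc_authenticate(user, pw, EMPLOYEES),
            radius_authorize(user, pw, EMPLOYEES, VPN_USERS)))
```

Running it shows the gap the reply describes: Wireless3 passes the WLC's bind although it is in no VPN group, Guest1 fails only because it sits outside the base DN, and Wireless2 is accepted by the group check purely through the nested Contractors group, which is the "GROUP within a GROUP" case the poster asked about.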

Hi Nicolas,

I am having a similar issue. I can successfully authenticate to a particular OU group within our AD structure (Windows 2008), but when I modify the WLC 5508 LDAP details to search the whole AD directory from the top level using the administrator account, it does not work. Any ideas?

If you define the base of the directory as the search DN, then you need your admin user DN to be ultra specific: the admin DN in the WLC config needs to specify in which OU the admin is, etc.

Whereas if your search DN is more precise, you can afford to just state the admin username as the DN.
