02-17-2014 04:48 AM - edited 07-05-2021 12:12 AM
Guys, I am integrating WLC5750 with the ACS server, which is integrated with our LDAP.
I did the below configuration on the WLC:
aaa new-model
aaa group server radius ACS
 server name ACS
aaa authentication dot1x ACS group ACS
aaa session-id common
radius server ACS
 address ipv4 100.100.100.100 auth-port 1645 acct-port 1646
 key cisco123
For the ACS part, it is already integrated with my LDAP.
I have defined the service selection rule under access policies.
Also, the default network access identity and authorization are both configured.
Also, in Default Network Access -> Allowed Protocols, I have checked Allow EAP-FAST as well.
I am not sure what I am missing.
02-17-2014 05:24 AM
Look at ACS logs and see what they say about the failure.
Rating useful replies is more useful than saying "Thank you"
02-17-2014 10:42 AM
Hi
Looks like "dot1x system-auth-control" is missing.
Pls see the below config example:
External RADIUS EAP with 5760/3850
Also refer to this post as well. It is for 5760 integration with ISE. Still, it may be helpful, as the concept is the same on the 5760 end.
HTH
Rasika
**** Pls rate all useful responses ****
02-17-2014 10:55 AM
It is already there; I checked the configuration.
The example you gave is with ISE.
In my setup I have the WLC integrated with ACS 5.3, which is integrated with LDAP.
All examples I have seen are with internal data stores.
Please share with me if you have a doc related to that.
02-17-2014 11:04 AM
Hi
First example given is with ACS 5.2
It also shows how to run a debug for a particular client MAC. Try that & see what's happening.
Also, I suggest you first create a local user on ACS & check if that works. Then you know there is no issue between the WLC & ACS. If that works, that means the integration of ACS to LDAP is having issues.
As Amjad suggested, look at the ACS detail log of the client failure (Monitoring & Report-> Monitoring & Report Viewer -> AAA Protocol -> Radius Authentication)
HTH
Rasika
**** Pls rate all useful responses ****
02-17-2014 11:12 AM
That sounds like a plan; will do that and update you tomorrow.
02-17-2014 11:19 AM
Also refer to this video on "Windows AD as LDAP server on Converged Access controllers":
https://supportforums.cisco.com/videos/8028
Note: It did not play on my computer; it may be my computer's issue. You can give it a try.
Rasika
*** Pls rate all useful responses ****
 
02-18-2014 02:25 AM
I have checked the logs on the ACS server, and below is the Failure Reason:
11514 Unexpectedly received empty TLS message; treating as a rejection by the client
I want the clients to use the PAP_ASCII protocol, but they are using PEAP, for which some sort of certificate is required, I believe.
02-18-2014 02:28 AM
My requirements for the task are simple:
I want users to connect to the SSID; once connected, they will open a browser to enter a username and password.
This username and password are the same as in LDAP; once authenticated, they can use network resources.
03-01-2014 10:04 PM
I have a couple of questions.
Is the LDAP used as L2 security for the SSID, or is it used for the webauth?
The error message generally appears when the supplicant does not have the CA. You can try disabling server certificate verification on the client to check if there is an issue with the certs.
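Added example (not from any poster in this thread, nor from Cisco's documentation): the original post only defines a dot1x authentication list, so an SSID bound to it runs 802.1X, and the client supplicant negotiates an EAP method such as PEAP that must trust the ACS server certificate, which matches the 11514 empty-TLS-message failure above. The browser-login requirement described in the thread is Layer 3 web authentication, where the controller itself forwards the typed username and password to ACS as a plain PAP request and no client-side certificate trust is involved. The configuration below shows that web-auth variant on a 5760 and reuses the RADIUS group "ACS" from the original post; the WLAN name GUEST, VLAN 10, the list name WEBAUTH and the virtual IP 192.0.2.1 are assumed placeholders.

```cisco
! Added example, not part of the thread. Assumes the RADIUS server group
! "ACS" from the original post is already configured.
!
! Login list for web-auth: the controller sends the credentials entered on
! the login page to ACS as PAP, so ACS will see PAP_ASCII, not PEAP.
aaa authentication login WEBAUTH group ACS
aaa authorization network default group ACS
!
! Web-auth portal parameters; the virtual IP (placeholder) hosts the
! built-in login page the client is redirected to.
parameter-map type webauth global
 type webauth
 virtual-ip ipv4 192.0.2.1
!
! Open SSID (no WPA/802.1X at Layer 2) with Layer 3 web authentication.
wlan GUEST 1 GUEST
 client vlan 10
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 security web-auth
 security web-auth authentication-list WEBAUTH
 security web-auth parameter-map global
 no shutdown
```

After a test login, the ACS RADIUS Authentication report (Monitoring & Report Viewer -> AAA Protocol -> RADIUS Authentication, as pointed to earlier in the thread) should show the request arriving as PAP_ASCII against the LDAP identity store; if it still shows PEAP, the client is associating to a WLAN whose Layer 2 security is dot1x rather than this open web-auth WLAN. Note that web-auth sends the password to the controller over an unencrypted open SSID, so the login page should be served over HTTPS and the ACS shared secret kept strong.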
02-26-2014 01:33 AM
Please have a look at the Configuration Examples; they may help you: