WLC 8510 LDAP Bind

eddig
Level 1

I am trying to do an LDAP bind to a Windows AD server from the WLC.  I have configured the LDAP server on the WLC and filled in the following information:

Server Index..................................... 1
Address.......................................... xx.xx.xx.xx
Port............................................. 389
Enabled.......................................... Yes
User DN.......................................... DC=dss,DC=group,DC=local
User Attribute................................... sAMAccountName
User Type........................................ Person
Retransmit Timeout............................... 2 seconds
Bind Method ..................................... Authenticated
Bind Username.................................... WireLDAP

When trying to authenticate a user to the SSID I get the following error message in the WLC message logs:

*LDAP DB Task 1: May 29 16:23:38.086: #AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1059 Could not connect to LDAP server 1, reason: 49 (Invalid credentials).

I have run Wireshark on the AD server and I see the WLC request come in, but on the return path I see error code 49 (invalid credentials) being returned.

I have used an LDAP browser on a laptop and been able to bind to the AD server using the same account that is configured on the WLC; the only difference is that I had to use WireLDAP@dss.group.local to get it to work.

Is the configuration that I have specified on the WLC enough? I am pointing the request at the root of the AD directory, but do I need to be more specific for the bind username, i.e. point it at the specific user group?

Regards

Craig

4 Replies

David Watkins
Level 4

You need to specify an OU for your query, it looks like you just have the FQDN of the root domain, but no particular container to query.  Also, have you tested with an anonymous bind to see the results?

Since this is hitting AD, take a look at the following doc?  (it's a little old, but still applicable)

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml#ldap

If still using the authenticated bind, which is fine, does the WireLDAP user have the appropriate rights on the OU container for performing a query?

David, thank you for getting back to me. Is an OU definitely required? When I tried the bind using the LDAP browser on my laptop I was able to bind to the root of the directory and then browse the whole directory. I don't want to specify an OU because all the users that will need to be authenticated reside in different OUs throughout the directory. I have seen some documentation where you can specify a different OU etc. in the Bind Username box, which then points that authentication to a different OU, but I haven't been able to successfully get that to work, so I have discounted it for the time being (maybe that is wrong of me to do so).

Anonymous binds aren't allowed by our AD servers, so I haven't been able to use that as a test.

WireLDAP must have the rights to query as it worked from my LDAP browser.

It feels like I am missing something really fundamental, and it may be the OU, but if I need to specify that it would really restrict my deployment.

I believe you will need to reference a particular OU. You are correct that you can also specify a distinguished name for your authenticated user if they are in a different directory than your user query base, but we still need to tell the WLC "where" to query. I would at least create a test container and check that the WLC can query in that specific directory vs the root domain.

I understand your concern, but you would need to have your structured hierarchy allow the query to take place within an OU. This could be a base OU you make called "users", that contains all your domain users in their respective hierarchy underneath. The WLC LDAP feature set is very limited, so you won't be able to have multiple parent OUs queried, although it can work through from the top down of a single OU.

Just out of curiosity, what are you using LDAP for? Are you referencing LDAP as part of web authentication, or are you using local EAP on the WLC with an LDAP query for the users? Since you say you have an MS AD server, utilizing IAS or NPS (RADIUS) would give you far superior flexibility in configuration and administration.

David thank you for your help, I think I have got to the bottom of it.

It is possible to point straight to the root on the User Bind DN so I have left that configuration the same i.e.

DC=dss,DC=group,DC=local

I did have to be more specific on the Bind Username and point it at the right CN path; this is where I was making my mistake. I was using WireLDAP as the CN in the string, but this was wrong. The CN for WireLDAP is different: when I look in AD it is actually Wire LDAP, so the string in the Bind Username box now reads:

cn=Wire LDAP, OU=service group,DC=dss,DC=group,DC=local

This has allowed me to bind via LDAP to the specific container for the bind user but to the root of the directory for all client auth requests.

P.S. I am using this for EAP-TLS via a local EAP profile. You are right that running IAS\NPS on the Windows server would have allowed for more functionality, but hey, that's company politics.

Craig
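The resolution above hinges on three things the WLC does with those fields: it simple-binds with whatever is typed in Bind Username (so the value has to be a form AD will resolve, and a bare sAMAccountName such as WireLDAP is not the account's CN), it searches from User DN with a filter on the User Attribute, and AD hides the real reason for a result-49 failure in a "data NNN" sub-code inside the diagnostic message that a Wireshark capture shows but the WLC log line does not. The following Python script, added here as an illustration and not code from the thread, the WLC or Cisco, pulls those pieces apart: it classifies a bind identity (DN, UPN, DOMAIN\user or bare name), builds the sAMAccountName lookup filter with RFC 4515 escaping so a username cannot inject filter syntax, checks that a bind DN sits under a given base DN, and decodes the AD sub-codes from a constructed diagnostic string. The function names and the sample diagnostic are assumptions made for the example; the sub-code meanings are AD's documented values.

```python
"""Helpers for reasoning about an LDAP simple bind and user lookup against
Active Directory, modelled on the WLC settings from the thread.

Constructed example; it talks to no server and is not WLC or Cisco code.
"""
import re

# RFC 4515 escaping for values embedded in an LDAP search filter.  Without
# it a username like  a*)(objectClass=*  would change the filter's meaning.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(username: str, user_attribute: str = "sAMAccountName",
                       user_type: str = "person") -> str:
    """Filter equivalent to the WLC's User Attribute / User Type lookup,
    issued with User DN as the search base."""
    return f"(&(objectClass={user_type})({user_attribute}={escape_filter_value(username)}))"


def classify_bind_identity(name: str) -> str:
    """How AD will interpret the string sent in a simple bind.
    'dn'      -> cn=Wire LDAP,OU=service group,DC=dss,DC=group,DC=local
    'upn'     -> WireLDAP@dss.group.local
    'netbios' -> DSS\\WireLDAP
    'bare'    -> WireLDAP (not a DN; AD cannot locate the account by CN)"""
    if re.match(r"^\s*[A-Za-z][\w.-]*\s*=", name):
        return "dn"
    if re.match(r"^[^\\@\s]+@[^\\@\s]+$", name):
        return "upn"
    if re.match(r"^[^\\@\s]+\\[^\\@\s]+$", name):
        return "netbios"
    return "bare"


def normalize_dn(dn: str) -> str:
    """Minimal DN normalization: trim whitespace around RDNs and casefold the
    attribute types.  Assumes no escaped commas inside values; a DN that has
    them needs a real RFC 4514 parser."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip()}")
    return ",".join(parts)


def dn_is_under(dn: str, base_dn: str) -> bool:
    """True when dn equals base_dn or lives somewhere beneath it.  This is the
    relationship between the Bind Username DN and the User DN in the thread:
    the bind account sits in one container, searches start at the root."""
    d, b = normalize_dn(dn), normalize_dn(base_dn)
    return d == b or d.endswith("," + b)


# Sub-codes AD places after "data" in the diagnostic message of a result-49
# bind failure.  The WLC only logs "49 (Invalid credentials)"; a capture on
# the domain controller shows the full message.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password, or bind identity not resolvable)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}


def decode_bind_failure(diagnostic: str) -> str:
    """Map the 'data NNN' sub-code in an AD bind diagnostic to its meaning."""
    m = re.search(r"\bdata\s+([0-9a-fA-F]+)\b", diagnostic)
    if not m:
        return "unknown"
    code = m.group(1).lower()
    return AD_BIND_SUBCODES.get(code, f"unknown sub-code {code}")


if __name__ == "__main__":
    base_dn = "DC=dss,DC=group,DC=local"
    # Constructed diagnostic in the shape AD returns with result code 49.
    sample = ("80090308: LdapErr: DSID-0C09042F, comment: "
              "AcceptSecurityContext error, data 52e, v2580")
    for ident in ("WireLDAP", "WireLDAP@dss.group.local", "DSS\\WireLDAP",
                  "cn=Wire LDAP, OU=service group,DC=dss,DC=group,DC=local"):
        print(f"{ident!r}: {classify_bind_identity(ident)}")
    print(user_search_filter("craig"))
    print(dn_is_under("cn=Wire LDAP, OU=service group,DC=dss,DC=group,DC=local", base_dn))
    print(decode_bind_failure(sample))
```

The classifier is the part that explains the thread: WireLDAP on its own is a bare name, and the only form the WLC accepts for an authenticated bind is the account's full DN, built from its CN ("Wire LDAP", which need not equal the sAMAccountName "WireLDAP"). The filter escaping is the hardening a practitioner wants in any code that interpolates a supplied username into an LDAP search, and the sub-code decoder turns the Wireshark observation in the original post into a specific cause.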
