WLC and LDAP authentication

JOHN APONTE
Level 1

What support is required for WLC/LDAP auth using AD? I am running ver 4.2.205.0 on the WLC. I have the LDAP server configured with simple bind authentication. Does version 4.2.205.0 support authentication? I read a post that stated authentication is not supported until version 5? Please advise.

8 Replies

Amjad Abdullah
VIP Alumni

John:

Where did you read that LDAP is not supported until version 5?
Here is the config guide for 4.2 showing the LDAP configuration:

http://www.cisco.com/en/US/docs/wireless/controller/4.2/configuration/guide/c42sol.html#wp1172155

It should work fine as I see. I've never been on version 4 though.

Hope this helps.

Amjad

Rating useful replies is more useful than saying "Thank you"

Thanks for the reply! I read it on this forum Monday evening after spending 4 hours on the site. Does 4.2 support authentication, as our DCs do not accept anonymous sessions? My end goal is to use the WLC and LDAP/AD to authenticate user accounts that are using the WLAN SSID to the domain. Lots of mixed results, and after browsing the forum I could not determine if this would work. Debugging the WLC shows no communication session with the LDAP server, nor on the sniffer. Is it even possible to authenticate users using layer 3 web auth to the LDAP server against AD? Is the better way to go to use MSFT IAS? Thanks in advance.

I am trying to accomplish the same thing with no clear cut success. Documentation seems a bit shaky here. I am using a 5508 with 1142 APs

Actually the main thing that I usually depend on to find the problem is the debug:

debug aaa ldap enable

It will show you if the connection with the LDAP server has a problem (auth binding failure maybe).

If you are using a normal username for authentication binding, then try to use the full username.

For example, rather than using "Amjad" as the username, try using:

CN=Amjad, OU= Administrators,DC=MyCompany,DC=com

This could probably solve the issue if it is with the auth binding.

If the problem is with the auth binding, it will appear in the debug aaa ldap output anyway.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

The IAS/NPS will definitely give you greater functionality/granularity/security, but the LDAP "technically" requires fewer steps, as tricky as it is. Are you using an autonomous or authenticated bind? What kind of LDAP server are you using?

Did you follow the steps outlined here: http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml#ldap

in terms of configuring the "LDAP server" itself?  Nearly all of the config is handled at the LDAP server and each step is critical from adjusting security accounts, container security, allowing anonymous binding (if applicable), and correct OU designation.

Can you capture the following and post

>show ldap statistics

>debug client

>debug aaa ldap enable

Also, when you're done testing, another...

>show ldap statistics.

Thank you for the quick reply David,

We are using authenticated bind. I do not have the rights to make changes in ADSI, and unless I can get a super good reason to use anonymous bind, that is out of the question. I did check the show ldap statistics on the controller, and even though it looks right, I am getting the following information:

>show ldap statistics

Server Index..................................... 1
Server statistics:
  Initialized OK................................. 0
  Initialization failed.......................... 20088
  Initialization retries......................... 20088
  Closed OK...................................... 26783
Request statistics:
  Received....................................... 6696
  Sent........................................... 0
  OK............................................. 0
  Success........................................ 0
  Authentication failed.......................... 0
  Server not found............................... 0
  No received attributes......................... 0
  No passed username............................. 0
  Not connected to server........................ 0
  Internal error................................. 6695
  Retries........................................ 0

For my LDAP config, I am using a parent OU for the bind because AD is divided by location OUs with the users in these locations (even broken down further based on department). I am rechecking my LDAP credentials and settings.

I am also trying to do this w/ out configuring a CA server. If I can get this to work w/ out it then I know management will have no issue installing a CA service on a server.

I am trying to use MS AD for my LDAP server. I am reading that it may not work (which is frustrating). I am also getting the following error... Unable to find a certificate to log you on to the network. I am just trying to get this up and running. Creating a CA server is not an option at this exact moment. I have unchecked all of the certificate required buttons under the EAP profile settings. It would be nice to have a Test Connection button on the LDAP page to confirm settings are correct.
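The counters quoted above tell the failure stage on their own: "Initialized OK" stays at 0 while "Initialization failed" climbs, and nothing is ever "Sent", so the controller never got a bind session up and the user lookup never started. As an added example that is not part of the thread, the parser below reads that `show ldap statistics` block and classifies where the flow stops; the classification rules are an assumption made for this example, not a documented controller decision table.

```python
import re

# Constructed sample: the "show ldap statistics" output quoted in this thread.
SAMPLE_STATS = """\
Server Index..................................... 1
Server statistics:
  Initialized OK................................. 0
  Initialization failed.......................... 20088
  Initialization retries......................... 20088
  Closed OK...................................... 26783
Request statistics:
  Received....................................... 6696
  Sent........................................... 0
  Success........................................ 0
  Authentication failed.......................... 0
  Not connected to server........................ 0
  Internal error................................. 6695
"""

# One counter per line: a name, a run of dots as filler, then an integer.
LINE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\.{2,}\s*(\d+)\s*$")


def parse_ldap_stats(text):
    """Return {counter name: value} for every counter line in the output."""
    stats = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stats[m.group(1).strip()] = int(m.group(2))
    return stats


def diagnose(stats):
    """Classify where the LDAP flow stops (heuristic; an assumption here)."""
    if stats.get("Success", 0) > 0:
        # The controller has bound and matched users, so look past LDAP
        # (EAP profile, client/controller certificates) for the failure.
        return "ldap-ok"
    if stats.get("Initialized OK", 0) == 0 and (
        stats.get("Initialization failed", 0) > 0
        or stats.get("Not connected to server", 0) > 0
    ):
        # No session ever came up: reachability, port, or the bind DN and
        # password (try the full CN=...,OU=...,DC=... form) are the suspects.
        return "session-setup"
    if stats.get("Authentication failed", 0) > 0:
        # Bind worked and the user was found, but the user password was rejected.
        return "user-credentials"
    return "no-evidence"
```

Run `diagnose(parse_ldap_stats(...))` on a fresh capture after each config change; the stage code moving from "session-setup" to "user-credentials" or "ldap-ok" confirms the bind is fixed before you touch the EAP side.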

If authentication fails, that does not mean the LDAP configuration is wrong! The LDAP config may be right but another part of the setup could be wrong. For example, if you use EAP-TLS then you should have valid certificates on both the client and the WLC (when using local EAP). And local EAP should also be configured correctly, and the correct EAP profile should be selected under the WLAN!

So debug client will show you where the failure happens so you can fix it. It works and I tested it many times.

Rating useful replies is more useful than saying "Thank you"