05-18-2012 10:29 AM - edited 07-03-2021 10:11 PM
Hello,
What are the possibilities for configuring a WLC to authenticate WLAN users based on their Active Directory user account?
Is this possible by setting up local EAP on the WLC?
I am looking for a solution where there are no changes to the Domain Controller involved and also no setting up IAS/RADIUS.
WLC:2504
Thanks in advance,
05-20-2012 01:35 PM
Here you go:
Local EAP Authentication on the Wireless LAN Controller with EAP-FAST and LDAP Server Configuration Example
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml
Regards,
Jatin
05-20-2012 01:57 PM
with AD
LEAP, EAP-FAST/MSCHAPv2, and PEAPv0/MSCHAPv2 are not supported because AD is not set to return clear-text-password
---------------------------------------------------------------------------------------
Please make sure to rate correct answers
05-20-2012 02:06 PM
So what are the other options if AD is not supported?
And what is the difference with this manual? Because AD is used.
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml
05-20-2012 07:22 PM
The difference here is that we are talking about EAP-FAST/with EAP-TLS not mschap v2 which is not supported as I have already mentioned.
-----------------------------------------------------------------------------------------
Please Don't forget to rate correct answers
05-26-2012 07:14 AM
We are also thinking about implementing an open guest network. This network is open to connect to but when you connect to the internet you need to accept an agreement and login via a web page. Can this be done with the 2504 WLC?
Also web-filtering on the guest network has to be done. Which device would you recommend for this task?
05-27-2012 03:04 AM
You can implement open guest network and choose passthrough under Layer 3 security tab in WLAN config (see image below) so the connected users see a page and press "OK" button before they are able to connect to go to internet.
In that page you can write your Agreement so the users accept it by pressing the OK button.
You can modify the page by using a custom web-bundle and modify the pages in it then upload it back to the WLC.
Here you'll find all what you need about how to do that:
http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70users.html#wp1049273
You also have the option to use an external page (rather than downloading a customized bundle) for your agreement. Here is a config example how to use external server for web-auth:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076f974.shtml
HTH
Amjad
05-27-2012 04:09 AM
Thank you Amjad. Which device do you recommend for web filtering?
05-27-2012 10:06 PM
Actually this is out of my experience and my answer below will be as what I usually "hear" from my security colleagues.
You may consider BlueCoat for web filtering. (I am not even sure if it is permitted to mention vendors name here).
You can check and contact the vendor for their products. Choose what is best for you.
You can also search and ask on security forums if there are any other products.
Regards,
Amjad