Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
574
Views
0
Helpful
1
Replies

WLC embed AP 9800 cisco integreat with Active Directory not working

alexander kobayashi
Level 1
Level 1

‎11-25-2020 10:50 PM - edited ‎07-05-2021 12:49 PM

Dear All

I did configuration follow config guide this link "https://www.cisco.com/c/en/us/td/docs/wireless/controller/ewc/17-2/config-guide/ewc_cg_17_2/secure_ldap_.html"

 

but i don't see log request or receive from WLC to LDAP

 

 

================================
Server name :xx.xx.xx.xx
Server Address :xx.xx.xx.xx
Server listening Port :xxx
Bind Root-dn :xxxx
Server mode :Secure-TLS
Cipher Suite :0x00
Authentication Seq :Search first. Then Bind/Compare password next
Authentication Procedure:Bind with user password
xx xx xx
Object Class :sAMAccountName
Object Class :Person
Request timeout :20
Deadtime in Mins :0
State :ALIVE
---------------------------------
* LDAP STATISTICS *
Total messages [Sent:0, Received:0]
Response delay(ms) [Average:0, Maximum:0]
Total search [Request:0, ResultEntry:0, ResultDone:0]
Total bind [Request:0, Response:0]
Total extended [Request:0, Response:0]
Total compare [Request:0, Response:0]
Search [Success:0, Failures:0]
Bind [Success:0, Failures:0]
Missing attrs in Entry [0]
----------------------------------
No. of active connections :0

Labels:
0 Helpful
1 Reply 1

Rich R
VIP
VIP

‎11-26-2020 05:56 AM

> Request timeout :20 - so clearly sending requests and not seeing any (valid) reply

So request might not reach LDAP server or LDAP server ignores request because it's invalid (certificate for example) or response doesn't reach WLC or WLC ignores response because it's invalid (certificate for example) 

- Does your WLC have a route to the LDAP server?

- Does the LDAP server have a route back to the WLC?

- Are there any firewalls or ACLs in the path which could be blocking?

- Have you configured valid/trusted certificates on both ends?

 

Bit suspicious that you have 20 request timeouts but zero LDAP messages sent in stats so maybe nothing has even been sent?  You can use packet capture to confirm what's being sent and received.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card