cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2149
Views
10
Helpful
10
Replies

WLC LDAP integration not working as expected

Chris Kohr
Level 1
Level 1

I'm working on a project to create several personal area networks.  We want to have 1 user per ssid and we are attempting to use LDAP.

Currently in a test environment I have 2 users in separate OUs on a microsoft 2012 server and 2 ssids setup.  I have the binding set down to a specific OU that only includes a single user.

 

User A is able to login into SSID A without issue.  User B cannot.  This is correct.

User A is also able to login into SSID B.  This should not happen.

User B is not able to login to either SSID.

 

I set this up according to the documentation I found on Cisco's website.

 

EDIT:

wlc: Cisco 5508 controller v8 firmware

Under the wlan configs I have the LDAP server selected for SSID A and not for B.  I am trying to establish the security piece for a single wlan before moving on.

2 Accepted Solutions

Accepted Solutions

No, domain membership of the laptop is not needed for this. User will be asked for username/password when connecting to the SSID (if you use WPA2-Enterprise with PEAP-MsChapV2).
Have a look here: https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/115988-nps-wlc-config-000.html
It explains how to do this, including some variants.

View solution in original post

You should find more information on the NPS server in Event Viewer in the tab Security. You should get 1-2 entries per authentication request. Those usually outline what's wrong, for example wrong group or calling station. 

View solution in original post

10 Replies 10

Hope below video may helpful on this matter

Windows AD as LDAP server on CUWN controllers

 

HTH

Rasika

*** Pls rate all useful responses ***

Thank you for the response.  This video shows how to establish LDAP authentication which I have already done but doesn't show how to only allow user A access to only SSID A.  Currently, user A is able to connect ssid a and ssid b.

 

 

johnd2310
Level 8
Level 8

Hi,

 

Have you tried using radius(Microsoft NPS)? You can use radius attributes and user groups to control who can access a specific ssid.

 

Thanks

John

**Please rate posts you find helpful**

I'm in process of setting this up now.  The part I'm not sure about is if the devices need to be on the domain to get the policies.  This project is for authenticating users who have devices that ARE NOT on a domain.  The end solution is for users who will never associate their devices with a domain.

 

I've considered an ISE server but there is next to no documentation on how to set this up.

No, domain membership of the laptop is not needed for this. User will be asked for username/password when connecting to the SSID (if you use WPA2-Enterprise with PEAP-MsChapV2).
Have a look here: https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/115988-nps-wlc-config-000.html
It explains how to do this, including some variants.

Sorry for the delay in response back.  I setup the NPS role on the server according to the directions on the link provided above.  I am not able to connect.  Attached is the debug from the WLC.  I also checked the event logs on the Windows 10 laptop and there is a message stating the network is not available.  I can remove all authentication and the laptop will connect to the network without issue.  I'm thinking I'm missing a something.

 

 

Hi,

what is the error in the windows event viewer pertaining to NPS? Have you checked that the key on the wlc matches the server.

 

Thanks

John

**Please rate posts you find helpful**

The error message on the laptop basically reads that the specific network is not available.

I have tried resetting the user password and re-entering the shared secret key on the controller and server.  Nothing has worked.

wlan-autoconfig-log.PNG

You should find more information on the NPS server in Event Viewer in the tab Security. You should get 1-2 entries per authentication request. Those usually outline what's wrong, for example wrong group or calling station. 

All,

After looking over the logs I discovered the problem.  I did not have a Connection Request Policy in place.  None of the documentation I read through mentioned any thing about this.  As soon as I created this policy, I was able to connect.

 

Thank you to all for the assistance.

Review Cisco Networking for a $25 gift card