01-10-2019 11:30 AM - edited 07-05-2021 09:40 AM
I'm working on a project to create several personal area networks. We want to have 1 user per SSID and we are attempting to use LDAP.
Currently in a test environment I have 2 users in separate OUs on a Microsoft 2012 server and 2 SSIDs set up. I have the binding set down to a specific OU that only includes a single user.
User A is able to log in to SSID A without issue. User B cannot. This is correct.
User A is also able to log in to SSID B. This should not happen.
User B is not able to log in to either SSID.
I set this up according to the documentation I found on Cisco's website.
EDIT:
WLC: Cisco 5508 controller, v8 firmware
Under the WLAN configs I have the LDAP server selected for SSID A and not for B. I am trying to establish the security piece for a single WLAN before moving on.
01-10-2019 12:13 PM
Hope the video below may be helpful on this matter.
Windows AD as LDAP server on CUWN controllers
HTH
Rasika
*** Pls rate all useful responses ***
01-10-2019 12:33 PM
Thank you for the response. This video shows how to establish LDAP authentication, which I have already done, but it doesn't show how to allow user A access to only SSID A. Currently, user A is able to connect to SSID A and SSID B.
01-10-2019 03:52 PM
Hi,
Have you tried using RADIUS (Microsoft NPS)? You can use RADIUS attributes and user groups to control who can access a specific SSID.
Thanks
John
01-11-2019 06:13 AM
I'm in the process of setting this up now. The part I'm not sure about is whether the devices need to be on the domain to get the policies. This project is for authenticating users who have devices that ARE NOT on a domain. The end solution is for users who will never associate their devices with a domain.
I've considered an ISE server but there is next to no documentation on how to set this up.
01-11-2019 07:01 AM
01-15-2019 06:29 AM
Sorry for the delay in responding. I set up the NPS role on the server according to the directions in the link provided above. I am not able to connect. Attached is the debug from the WLC. I also checked the event logs on the Windows 10 laptop and there is a message stating the network is not available. I can remove all authentication and the laptop will connect to the network without issue. I'm thinking I'm missing something.
01-15-2019 03:46 PM
Hi,
What is the error in the Windows Event Viewer pertaining to NPS? Have you checked that the key on the WLC matches the server?
Thanks
John
01-16-2019 07:07 AM
The error message on the laptop basically reads that the specific network is not available.
I have tried resetting the user password and re-entering the shared secret key on the controller and server. Nothing has worked.
01-16-2019 12:10 AM
You should find more information on the NPS server in Event Viewer in the tab Security. You should get 1-2 entries per authentication request. Those usually outline what's wrong, for example wrong group or calling station.
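The advice above (read the NPS entries in the Security log) and John's earlier suggestion (control which SSID a user may join through RADIUS attributes and user groups) both come down to looking at the same audit events. The script below is an added example, not something posted in the thread or shipped by Cisco or Microsoft: it is run on the NPS server, pulls the NPS audit events 6272 (access granted), 6273 (access denied) and 6274 (request discarded) from the Security log, and lists per attempt the user, the Called-Station-Id (which carries the SSID when the WLC is configured to send AP MAC:SSID), the Connection Request Policy and Network Policy that matched, and the reason code. The event-data field names (SubjectUserName, CalledStationID, ReasonCode, ProxyPolicyName, NetworkPolicyName and so on) are assumed from the 6273 event schema; check them once against one event's XML on your own server before relying on the column values.

```powershell
# Added example: summarise NPS authentication audit events on the NPS server.
# Assumptions: run in an elevated PowerShell on the NPS server, and the
# "Network Policy Server" audit subcategory is enabled, e.g.
#   auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
# EventData field names below are assumed from the 6273 schema; confirm with
#   (Get-WinEvent -FilterHashtable @{LogName='Security';Id=6273} -MaxEvents 1).ToXml()

# Documented Microsoft NPS reason codes that a WLC + NPS setup hits most often.
$ReasonHints = @{
    16 = 'Credential mismatch (wrong password, or the user was not found).'
    48 = 'No Network Policy matched: check the group / NAS / Called-Station-Id conditions.'
    49 = 'No Connection Request Policy matched: create a CRP that matches the WLC (the fix found in this thread).'
    66 = 'The authentication method (e.g. PEAP/MS-CHAPv2) is not enabled on the matched Network Policy.'
}

function Get-NpsAuthEvent {
    param(
        [int]$Hours = 1,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 6272, 6273, 6274
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read the named EventData fields from the XML instead of parsing the message text.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $result = switch ($e.Id) {
            6272 { 'GRANTED' }
            6273 { 'DENIED' }
            6274 { 'DISCARDED' }
        }

        $code = 0
        [void][int]::TryParse([string]$data['ReasonCode'], [ref]$code)
        $hint = if ($ReasonHints.ContainsKey($code)) { $ReasonHints[$code] } else { '' }

        [pscustomobject]@{
            Time            = $e.TimeCreated
            Result          = $result
            User            = $data['SubjectUserName']
            ClientMac       = $data['CallingStationID']     # wireless client
            CalledStationId = $data['CalledStationID']      # "AP-MAC:SSID" when the WLC is set to send it; per-SSID policy conditions match on this
            NasId           = $data['NASIdentifier']
            CrPolicy        = $data['ProxyPolicyName']      # Connection Request Policy that matched
            NetPolicy       = $data['NetworkPolicyName']
            ReasonCode      = $code
            Reason          = $data['Reason']
            Hint            = $hint
        }
    }
}

# Show every attempt in the last hour with the policy that handled it and why it was denied.
$attempts = Get-NpsAuthEvent -Hours 1
$attempts | Sort-Object Time |
    Format-Table Time, Result, User, CalledStationId, CrPolicy, NetPolicy, ReasonCode, Hint -AutoSize

# Which user was granted access on which SSID: confirms that the group-based
# Network Policy really limits user A to SSID A and nothing else.
$attempts | Where-Object Result -eq 'GRANTED' |
    Group-Object User, CalledStationId |
    Select-Object Count, Name
```

If every row shows the same reason code 49 with an empty CrPolicy column, the request never reached a Network Policy at all, which is the symptom the original poster hit before adding a Connection Request Policy; reason 48 with a CrPolicy name means the CRP is fine and the Network Policy conditions (Windows group, Called-Station-Id) are what need attention. A shared-secret mismatch usually surfaces as 6274 discarded events rather than denials, so include those when the client only reports "network not available".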
01-16-2019 08:02 AM
All,
After looking over the logs I discovered the problem. I did not have a Connection Request Policy in place. None of the documentation I read through mentioned anything about this. As soon as I created this policy, I was able to connect.
Thank you to all for the assistance.