• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 7453
  • Last Modified:

Cisco WLC with 802.1x and LDAP authentication

Hi,

I was trying to configure a Cisco 2504 WLC with user-logins via 802.1x. The authentication is supposed go through our central LDAP server, allowing us to use the same user/pw for connection to the WLAN.
After countless hours, I'm wondering if this even possible, even though the Security->AAA-Servers tab allows one to select up to three LDAP servers. With only LDAP selected, I get this in the debugs when I try to connect to the AP:

Returning AAA Error 'No Server' (-7) for mobile [..]

If I have radius enabled, request packets are correctly generated and sent by the controller.

I tried switching to Web-auth, again using LDAP for authentication, which resulted in a web login being displayed in the browser once the WLAN connection is up. The web auth correctly accepted my user/pw combo from the LDAP servers ... so I assume the LDAP configuration is correct.

What am I missing here? Are there any limitations in the 802.1x-authentication I am not aware of? Given the broad use of LDAP based authentication (e.g. in ADS), I would wonder that user/pw auth is not available at this point, but rather just Radius ... even in the Cisco docs I was only able to find samples on how to configure 802.1x with Radius  ...

Please let me know what additional information is needed for diagnose ...

P.S. - tried with 7.4/7.5/7.6 OS version of the WLC, LDAP is a stock LDAP server on a Linux machine

Thanks!
0
Garry Glendown
Asked:
Garry Glendown
1 Solution
 
Craig BeckCommented:
LDAP-based authentication only supports 'some' 802.1x protocols unless you're lucky.  We generally advise against using LDAP unless you absolutely have to.

https://supportforums.cisco.com/thread/2214399

The main point here is this:

LEAP, EAP-FAST/MSCHAPv2, and PEAPv0/MSCHAPv2 are also supported,
but only if the LDAP server is set up to return a clear-text password. For example, Microsoft Active Directory is not supported because it does not return a clear-text password. If the LDAP server cannot be configured to return a clear-text password, LEAP, EAP-FAST/MSCHAPv2, and PEAPv0/MSCHAPv2 are not supported.
0

Featured Post

What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now