?
Solved

Cisco WLC with 802.1x and LDAP authentication

Posted on 2014-01-31
1
Medium Priority
?
6,973 Views
Last Modified: 2014-02-15
Hi,

I was trying to configure a Cisco 2504 WLC with user-logins via 802.1x. The authentication is supposed go through our central LDAP server, allowing us to use the same user/pw for connection to the WLAN.
After countless hours, I'm wondering if this even possible, even though the Security->AAA-Servers tab allows one to select up to three LDAP servers. With only LDAP selected, I get this in the debugs when I try to connect to the AP:

Returning AAA Error 'No Server' (-7) for mobile [..]

If I have radius enabled, request packets are correctly generated and sent by the controller.

I tried switching to Web-auth, again using LDAP for authentication, which resulted in a web login being displayed in the browser once the WLAN connection is up. The web auth correctly accepted my user/pw combo from the LDAP servers ... so I assume the LDAP configuration is correct.

What am I missing here? Are there any limitations in the 802.1x-authentication I am not aware of? Given the broad use of LDAP based authentication (e.g. in ADS), I would wonder that user/pw auth is not available at this point, but rather just Radius ... even in the Cisco docs I was only able to find samples on how to configure 802.1x with Radius  ...

Please let me know what additional information is needed for diagnose ...

P.S. - tried with 7.4/7.5/7.6 OS version of the WLC, LDAP is a stock LDAP server on a Linux machine

Thanks!
0
Comment
Question by:Garry Glendown
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 46

Accepted Solution

by:
Craig Beck earned 2000 total points
ID: 39825538
LDAP-based authentication only supports 'some' 802.1x protocols unless you're lucky.  We generally advise against using LDAP unless you absolutely have to.

https://supportforums.cisco.com/thread/2214399

The main point here is this:

LEAP, EAP-FAST/MSCHAPv2, and PEAPv0/MSCHAPv2 are also supported,
but only if the LDAP server is set up to return a clear-text password. For example, Microsoft Active Directory is not supported because it does not return a clear-text password. If the LDAP server cannot be configured to return a clear-text password, LEAP, EAP-FAST/MSCHAPv2, and PEAPv0/MSCHAPv2 are not supported.
0

Featured Post

Supports up to 4K resolution!

The VS192 2-Port 4K DisplayPort Splitter is perfect for anyone who needs to send one source of DisplayPort high definition video to two or four DisplayPort displays. The VS192 can split and also expand DisplayPort audio/video signal on two or four DisplayPort monitors.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question