Solved

Cisco WLC with 802.1x and LDAP authentication

Posted on 2014-01-31
6,280 Views
Last Modified: 2014-02-15
Hi,

I was trying to configure a Cisco 2504 WLC with user logins via 802.1x. The authentication is supposed to go through our central LDAP server, allowing us to use the same user/pw for connection to the WLAN.
After countless hours, I'm wondering if this is even possible, even though the Security->AAA-Servers tab allows one to select up to three LDAP servers. With only LDAP selected, I get this in the debugs when I try to connect to the AP:

Returning AAA Error 'No Server' (-7) for mobile [..]

If I have radius enabled, request packets are correctly generated and sent by the controller.

I tried switching to Web-auth, again using LDAP for authentication, which resulted in a web login being displayed in the browser once the WLAN connection is up. The web auth correctly accepted my user/pw combo from the LDAP servers ... so I assume the LDAP configuration is correct.

What am I missing here? Are there any limitations in the 802.1x authentication I am not aware of? Given the broad use of LDAP-based authentication (e.g. in ADS), I am surprised that user/pw auth is not available at this point, but rather just RADIUS ... even in the Cisco docs I was only able to find samples on how to configure 802.1x with RADIUS ...

Please let me know what additional information is needed for diagnosis ...

P.S. - tried with 7.4/7.5/7.6 OS version of the WLC, LDAP is a stock LDAP server on a Linux machine

Thanks!
Question by: Garry-G

1 Comment

Accepted Solution by: Craig Beck (LVL 45), earned 500 total points
ID: 39825538
LDAP-based authentication only supports 'some' 802.1x protocols unless you're lucky.  We generally advise against using LDAP unless you absolutely have to.

https://supportforums.cisco.com/thread/2214399

The main point here is this:

LEAP, EAP-FAST/MSCHAPv2, and PEAPv0/MSCHAPv2 are also supported, but only if the LDAP server is set up to return a clear-text password. For example, Microsoft Active Directory is not supported because it does not return a clear-text password. If the LDAP server cannot be configured to return a clear-text password, LEAP, EAP-FAST/MSCHAPv2, and PEAPv0/MSCHAPv2 are not supported.
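An added illustration of the constraint in the accepted answer (not code from this thread or from Cisco): it parses an RFC 2307 `userPassword` value and shows that a hashed value such as OpenLDAP's `{SSHA}` can only be checked against a candidate password (a bind), never turned back into the clear-text password that LEAP, EAP-FAST/MSCHAPv2 and PEAPv0/MSCHAPv2 need on the controller. The `{SSHA}` layout and the sample password are assumptions for the example.

```python
import base64
import hashlib
import hmac
import secrets

# EAP methods the accepted answer says need a clear-text password from LDAP.
CLEARTEXT_EAP_METHODS = ("LEAP", "EAP-FAST/MSCHAPv2", "PEAPv0/MSCHAPv2")


def parse_user_password(value: bytes):
    """Split an RFC 2307 userPassword value into (scheme, payload).

    b'{SSHA}...' -> ('SSHA', b'...'); b'{CLEARTEXT}pw' -> ('CLEARTEXT', b'pw');
    a value with no '{scheme}' prefix is treated as clear text.
    """
    if value.startswith(b"{") and b"}" in value:
        end = value.index(b"}")
        return value[1:end].decode("ascii").upper(), value[end + 1:]
    return "CLEARTEXT", value


def make_ssha(password: str, salt: bytes = None) -> bytes:
    """Store a password the OpenLDAP way (assumed layout): {SSHA}b64(sha1(pw+salt)+salt)."""
    salt = secrets.token_bytes(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def verify_ssha(payload: bytes, candidate: str) -> bool:
    """What the directory can do with a hashed value: confirm a candidate password."""
    raw = base64.b64decode(payload)
    digest, salt = raw[:20], raw[20:]
    recomputed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(recomputed, digest)


def cleartext_from_ldap(value: bytes):
    """What a controller reading the attribute can recover: the password only if stored in clear."""
    scheme, payload = parse_user_password(value)
    return payload.decode("utf-8") if scheme == "CLEARTEXT" else None


def usable_mschapv2_methods(value: bytes):
    """The three methods from the answer are usable only when the clear text is recoverable."""
    return CLEARTEXT_EAP_METHODS if cleartext_from_ldap(value) is not None else ()


if __name__ == "__main__":
    hashed = make_ssha("s3cret-example")          # constructed sample entry
    print(usable_mschapv2_methods(hashed))        # () : hash cannot be reversed
    print(usable_mschapv2_methods(b"s3cret-example"))  # all three methods
```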
