Solved

Cisco WLC with 802.1x and LDAP authentication

Posted on 2014-01-31
1
6,558 Views
Last Modified: 2014-02-15
Hi,

I was trying to configure a Cisco 2504 WLC with user-logins via 802.1x. The authentication is supposed go through our central LDAP server, allowing us to use the same user/pw for connection to the WLAN.
After countless hours, I'm wondering if this even possible, even though the Security->AAA-Servers tab allows one to select up to three LDAP servers. With only LDAP selected, I get this in the debugs when I try to connect to the AP:

Returning AAA Error 'No Server' (-7) for mobile [..]

If I have radius enabled, request packets are correctly generated and sent by the controller.

I tried switching to Web-auth, again using LDAP for authentication, which resulted in a web login being displayed in the browser once the WLAN connection is up. The web auth correctly accepted my user/pw combo from the LDAP servers ... so I assume the LDAP configuration is correct.

What am I missing here? Are there any limitations in the 802.1x-authentication I am not aware of? Given the broad use of LDAP based authentication (e.g. in ADS), I would wonder that user/pw auth is not available at this point, but rather just Radius ... even in the Cisco docs I was only able to find samples on how to configure 802.1x with Radius  ...

Please let me know what additional information is needed for diagnose ...

P.S. - tried with 7.4/7.5/7.6 OS version of the WLC, LDAP is a stock LDAP server on a Linux machine

Thanks!
0
Comment
Question by:Garry Glendown
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 46

Accepted Solution

by:
Craig Beck earned 500 total points
ID: 39825538
LDAP-based authentication only supports 'some' 802.1x protocols unless you're lucky.  We generally advise against using LDAP unless you absolutely have to.

https://supportforums.cisco.com/thread/2214399

The main point here is this:

LEAP, EAP-FAST/MSCHAPv2, and PEAPv0/MSCHAPv2 are also supported,
but only if the LDAP server is set up to return a clear-text password. For example, Microsoft Active Directory is not supported because it does not return a clear-text password. If the LDAP server cannot be configured to return a clear-text password, LEAP, EAP-FAST/MSCHAPv2, and PEAPv0/MSCHAPv2 are not supported.
0

Featured Post

Salesforce Made Easy to Use

On-screen guidance at the moment of need enables you & your employees to focus on the core, you can now boost your adoption rates swiftly and simply with one easy tool.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This Micro Tutorial will show you how to maximize your wireless card to its maximum capability. This will be demonstrated using Intel(R) Centrino(R) Wireless-N 2230 wireless card on Windows 8 operating system.

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question