WLC and LDAP

Hi to all,
i want to use local-eap+LDAP (microsoft AD) and i'm experiencing some issue.
First of all i'm not able to bind WLC and LDAP...if a perform a debug aaa ldap enable i get this output:
Any idea about how to solve this issue?
Regards
Ale

It sounds like .... invalid credentials ? :-)
Please post your LDAP config on WLC.
Is your admin username with which you're binding within the search context that you defined ? this is very important

Similar Messages

WLC and LDAP Groups

Is there any way on an LDAP server to create an LDAP group that can be tied to the WLC for LDAP authentication. I have this url that explains local authentication and LDAP... http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml . That helps with local authentication but one thing I don't see is any guidance on how to create a group in a DC to communicate with anything on WLC. Any ideas?

You are right. You need a radius server overall that integrates with AD and do AD-to-radius group mapping. This way authentication is allowed/denied from radius, not WLC itself.
If the user can get a radius server to achieve this that will be great (especially if the user is using 802.1x/EAP authenticaion). If not, what I described about OU mapping is the only solution to get the users classified as per what I understood from users requirements.
The user is not only limited to Microsoft RADIUS (IAS or NPS). However, any radius server that supports AD group mapping can be used. with cisco ACS for example this is supported as well. I am not sure if this is also supported with open-source radius (openRadius for example). But if it is then openRadius can also be used.

Unable to setup WLC for LDAP

Hi,
I'm trying to setup WLC for LDAP to authenticate the users. I have all the components required according to cisco's document. WLC4402, LAP1142N, 2008 AD serving as LDAP.
I'm configuring according to the document and also trying same settings from other users on this forum who (seems to) have got the WLC-LDAP up and working. My problem is that I'm receiving the below debug message on the controller and there is nothing on the internet on this error:
*LDAP DB Task 1: Apr 28 10:05:35.903: LDAP server 1 changed state to IDLE
*emWeb: Apr 28 10:09:21.046: aaaLdapServerStateSet [1] changed state to 'DISABLED'.
*emWeb: Apr 28 10:09:21.046: aaaLdapServerStateSet [1] changed state to 'ENABLED'.
*LDAP DB Task 1: Apr 28 10:09:21.052: ldapTask [1] received msg 'CLOSE' (4) in state 'IDLE' (1)
*LDAP DB Task 1: Apr 28 10:09:21.055: ldapClose [1] called lcapi_close (rc = 1008 - Invalid client handle)
*LDAP DB Task 1: Apr 28 10:09:21.055: LDAP server 1 changed state to IDLE
I'm getting this error regardless of the authentication type, any username and attributes. So it makes me think WLC is not even trying to bind to LDAP. If the error was invalid credentials or something mismatch or something, it gives me some information to base my troubelshooting but I just can't find information on this (rc = 1008 - Invalid client handle) message.
I appreciate any input you guys have. Also if you need me to post my config screenshots or anything else, then please let me know
Thanks,
Delgee

Hi Nicolas,
Thanks for the reply.
I've tried with Softterra LDAP browser and it is working fine. I can browse everything with the account I'm using for binding.
The funny thing I found out is that the LDAP authentication is actually working, when I try to connect via wireless and enter my AD account the on web auth page, it logs me in. So it is authenticating agains LDAP but why I'm getting this error, I don't know.
Any idea?
Regards,
Delgee

Problem with ADS and LDAP

Problem with ADS and LDAP
I have installed Win2000 + sp1 and ADS on a computer. This computer is PDC.
After connection via LDAP I cann't get any object ( users or goups etc. ).
I try connect to ADS by java ( JNDI ).
When I use another clients of LDAP ( eg. Maxware Directory Explorer) I have
the same problem - no objects.
Can anybody help me?
Grzegorz Pszona
my e-mail: [email protected]

Thanks a lot.
Softerra's browser is really good.
Thanks
Rashmi
"Anant Kadiyala" <[email protected]> wrote:
>
I used Softerra's LDAP browser. The browser is free. There is also a
java baded
LDAP browser from Univ of Michigan. I found the Softerra browser to be
more easier
to use.
-anant
"rashmi" <[email protected]> wrote:
Hi,
Can you please let me know which exact ADS tool that you used to examine
the
DN. I have Active Directory Users and Computers, Sites and Servicesand
Domain
and Trusts installed on my machine but I am not able to figure out how
to get
the DN?
Thanks
Rashmi
for Stephen Davies <[email protected]> wrote:
Grzegorz,
I have had WLS6.1 & ADS working ok using LDAP V2. Mind you it did take
a
fair bit of messing around to get it going. MS does have a few oddities,
for example the Administrators DN might look something like this:
cn=Administrator,cn=Users,dc=eglobal,dc=net
One tool that I found invaluable came with the additional support tools
for Windows 2000. The 'Active Directory Administration Tool' made it
easy to list the directory contents and examine the DNs.
Regards,
Steve
Stephen Davies
Principal Consultant
eGlobal Services Pty. Ltd.
Sydney, Australia
Ph. +61 2 9283 1033
http://www.eglobal.net/

Single sign-on using Kerberos and Ldap

I am currently setting up single sign-on using Kerberos for authentication and Ldap for authorization and information store.
The setup includes several Solaris 8 & 9 workstations, a couple of SGI's, as well as a M$ terminal server farm, several WinXP desktops and their associated Active Directory.
I am required to authenticate etc against the AD. (which has M$ SFU3.5 installed)
I have the Kerberos authentication and part of the Ldap service working via pam & nss.
ie. I can logon to the solaris worksatations using the AD username and password, mount the home directory from a M$ NFS server.
BUT...
id gives:- userID, groupID (primary group only)
groups :- primary group only. (no secondary groups are listed)
Question: what additional configuration information do I need in the pam, nss &/or ldap config files, so that I can list the secondary groups.
Thanks in advance for any help.

After evaluating (giving up on, and finally throwing out) the Sun Directory server it looks like we are going to endup with a similar solution..
Sadly enough, the MS AD seems much more stable and easier to handle than Suns DS, kerberos and associated services.
Anyway, currently we are evaluating a product called vintela ( www.vintela.com ), and it seems very promising; its easy, robust, stable and does what we require it to do, as well as more :) It comes with an additional nss module called 'vas', so you easily can retrieve data like hosts/groups from your AD.
//M.

ISE 1.2 With WLC and AD

Hi everyone,
What is the steps and Procedure implement Wired and wireless authentication with ISE, WLC and AD for a LAB environment. currently the following are done.
The wireless network is configured with 2 SSID (Staff and Guest)
Active Directory, DNS, DHCP, and NTP configured & synced.
ISE and AD running on C220 VMs, and WLC is 5760 Appliance.
Please provide your thoughts and assistance.
Regards

You have to implement dot1x and radius between your NAD and ISE device.
Using the switch 3850, that are the steps:
username RADIUS-HEALTH password radiusKey1 privilege 15
aaa new-model
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
!this password will be used to communicate with ISE and to verify reachability
!between ISE and Switch
aaa server radius dynamic-author
client 172.16.1.18 server-key 7 radiuskey
client 172.16.1.20 server-key 7 radiuskey
ip domain-name lab.local
ip name-server 172.16.1.1
dot1x system-auth-control
interface GigabitEthernet1/0/3
switchport mode access
switchport voice vlan 50
switchport access vlan 10
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
ip access-list extended ACL-ALLOW
permit ip any any
!the comm between radius and ise will occur on these Port
ip radius source-interface Vlan100
logging origin-id ip
logging source-interface Vlan100
logging host 172.16.1.20 transport udp port 20514
logging host 172.16.1.18 transport udp port 20514
ip radius source-interface Vlan100
logging origin-id ip
logging source-interface Vlan100
logging host 172.16.1.20 transport udp port 20514
logging host 172.16.1.18 transport udp port 20514
snmp-server community ciscoro RO
snmp-server community public RO
snmp-server trap-source Vlan100
snmp-server source-interface informs Vlan100
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
!defining ISE servers
radius server ISE-RADIUS-1
address ipv4 172.16.1.20 auth-port 1812 acct-port 1813
automate-tester username RADIUS-HEALTH idle-time 15
key radiusKey
Please be sure that NTP servers and time are synchronized.
enable dot1X on windows machine, or using cisco NAM.
you can enable debugging on aaa authentication to see the events.
you have to create this user on ISE (RADIUS-HEALTH).
3850#test aaa group radius username password new-code
and observe the result. You are supposed to have user authenticated successfully.
You Must also have define these device in ISE on the radius interface.
ip radius source-interface ..... use this interface ip address to define Ip address of the NAD device in ISE.
administration-->network resources -->Network Devices-->Add
input the name
input the Ip address for radius communication
select the authentication settings and field the corresponding shared secret radius key
select snmp settings and select version 2c.
snmp community : ciscoro
you can customize the polling interval if you want and that all.
you are supposed to received message communication between your NAD and ISE.
After you can do the procedure for WLC device.
I will fill it after you have passed the first steps (3850 authentication).

Adding phones and users with bat and LDAP sync

What are the various ways of importing users with phones when the Communications Manager 9.0 is sync'd with LDAP. Also, what method is the easiest and fastest?
For example, I could do the following steps:
Sync CUCM with LDAP to import new users, add phones using bat files, manually update users to associate devices etc
I believe I should also be able to do the above method and use a bat file to update the users to associate devices etc. This method still involves 2 steps and the creation of 2 seperate bat files.
In CUCM version 9 it is possible to have local and LDAP users, so is it possible to add the phones and users using the phones/users tab of the bat file and have them beocme LDAP users?
Thank you,
Danny

#1 Remove this embedded CSS code from your HTML document(s). You don't need it.
body {
    background-color: #CCC;
body,td,th {
    color: #FFF;
    font-size: 14px;
#2 Open PW.css file and add this to the top:
body {
font-family: Arial, Helvetica, sans-serif;
font-size: 14px;
background-color: #CADFEB;
/**or insert a background-image using the CSS editor**/
#3 Remove font-family and font-size from all your other CSS selectors. You don't need to duplicate styles on every element.
#4 Replace this:
#content {
    position:absolute;
    left:199px;
    top:10px;
    width:860px;
    z-index:1;
    right: auto;
    background-color: #FFF;
    text-align: center;
    color: #000;
    height: auto;
with this:
#content {
     width:860px;
     margin: 20px auto;
     border: 4px solid silver;
     background-color: #FFF;
     text-align: center;
     color: #000;
     -moz-box-shadow: 5px 5px 5px #888;
     -webkit-box-shadow: 5px 5px 5px #888;
     box-shadow: 5px 5px 5px #888;
#5 Save your PW.css file and upload to server.
Nancy O.
Alt-Web Design & Publishing
Web | Graphics | Print | Media Specialists
http://alt-web.com/
http://twitter.com/altweb

OBIEE and LDAP problem

Hi all!
After connecting our OBIEE 11.1.1.5 to LDAP we faced with a strange problem: after one user enters the system any next user logged in has the same privileges in OBIEE as the first one.
We turned off the following caches:
- WebLogic Principal Validator Cache in a security realm Performance section
- Group Membership Lookup Hierarchy Caching in our LDAP authentication provider Performance section
But the problem still occurs. Does anyone have any suggestions on this?

Hi I was having endless issues with OBIEE and LDAP, I followed the exact steps here:
http://docs.oracle.com/cd/E17904_01/web.1111/e13707/atn.htm#SECMG169
These worked for me, so you could check for a start these recommended setting are same in your environment.
Thanks

XI 3.1 Client Tools and LDAP Authentication

I have Business Objects XI 3.1 SP2 installed. For the web clients (InfoView) single sign on and LDAP authentication are working correctly. However when a user tries to log in using LDAP authentication to one of the client tools (Universe Designer, Webi Rich Client, etc) the error "Cannot access the repository (USR0013)" occurs with the following details:
[repo_proxy 13] SessionFacade::openSessionLogon with user info has failed(Security plugin error: Failed to set parameters on plugin.(hr=#0x80042a01)
Are there troubleshooting or setup guides dealing specifically with LDAP authentication with the various client tools?

Make sure that the File and Printer Sharing for Microsoft Networks component is installed and enabled on your clients.
Take a look at note 1272536 (http://service.sap.com/notes)
Regards,
Stratos

I want to see list of Disabled user from AD and LDAP

Hi
i wan see the list of disabled user from AD and LDAP and it shows in the next page as Tabular format
having all the details of AD (Attributes)

Hi
i wan see the list of disabled user from AD and LDAP and it shows in the next page as Tabular format
having all the details of AD (Attributes)

Connected MDM and LDAP, but but now what? Why user mapping?

Hi Gurus,
In my last thread, I posted that I was not able to connect MDM with LDAP. I was finally able to.
My problem now is I have to define user mapping in SAP Portal for the MDM business iViews to work.
By connecting MDM and LDAP, I got the benefit that now the authentication and authorization is happening via LDAP.
But this does eliminate the need for user mapping. If this is the case then why the real benefit of using LDAP?
In this case this becomes worse as I need to know the user's LDAP Password which no body will share for sure.
Any ideas? I want to get rid off this user mapping stuff.
Warn Regards,
Karan

without knowing specifics of ur architecture, i can quickly point out two things:
1) LDAP is primarily used for authentication, true.
2) Portal User mapping should not be an issue if u already have portal tied up to the active directory or some kind of single sign on?
So portal knows the users who has logged it, polls the Active directory for authentication and Active directory logs into MDM with that users role.
-Sudhir

ISE and LDAP Integration

Hello,
I have a question about the LDAP integration with the ISE:
Since the ISE has a limitation of reading only 100 groups, I cannot find the groups that I need to use on the authorization, and also the ISE cannot find group if I search for it directly.
What I mean here, that I can fetch the first 100 groups from the top of the directory, but when I search as example for any group (appear on the list or not) the ISE did not find it.
Even I tried to change the base DN and the search DN but without luck.
The ISE version is 1.1.4 installed on VM and the LDAP schema is AD.
Is there any missing information/tips required in such integration?

Hello,
I found a cisco doc that provides resolution of Key Features of Integration of Cisco ISE and LDAP .I hope this helps!
This section contains the following:
•Directory Service
•Multiple LDAP Instances
•Failover
•LDAP Connection Management
•User Authentication
•Authentication Using LDAP
•Binding Errors
•User Lookup
•MAC Address Lookup
•Group Membership Information Retrieval
•Attributes Retrieval
•Certificate Retrieval
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1059913

Problem share folder WLC and pc macbookpro

I am doing a migration from my wireless network in the old network in the PC MacBookPro I can see shared files on the network. But when I connect to the SSID configured on the WLC and I can not see shared files on the network. I have no ACL configured on the SSID.

Bonjour is a non-routabe multicast based service. A trick I use sometimes is to configure the WLAN to be in hreap mode if the ap is located locally to the target bonjour device.if your running in local mode, make sure they are on the same vlan and global multicast is enabled.
Sent from Cisco Technical Support iPad App

Database Table and LDAP Authentication in the same repository?

I'm wondering if it's possible to authenticate through database tables for some users and LDAP for other users. I can configure each one separately but I'm curious if anyone has ever successfully done both in the same repository.
Thanks,
-Matt

Another thing to try is this. I don't have an LDAP server here but it worked for me without LDAP. I think it should also work with LDAP as it is the same idea. I don't think there is a way to have a conditional Init Blocks. Also you can't have two init blocks setting the same variable (USER in our case). But what you can do is to have two Init Blocks, one for LDAP authentication and the other one for table authentication. So you could have this scenario:
1) LDAP "authentication" init block sets custom variable LDAP_USER
2) Table "authentication" init block sets custom variable TABLE_USER
3) Final authentication init block (the real one) sets USER variable using something like this:
SELECT CASE WHEN ':USER' = 'SOME STRING' THEN ':LDAP_USER'
ELSE ':TABLE_USER'
END
FROM DUAL
WHERE CASE WHEN ':USER' = 'SOME STRING' THEN ':LDAP_USER'
ELSE ':TABLE_USER'
END = ':USER'
Note how I use the CASE statement both to return the user value I want the USER variable to be set and also in the WHERE clause to make sure no rows are returned in case authentication fails (which should return no rows to denote a failed authentication). Obviously you need to set the init block dependancies correctly. I did a quick test with users coming from two separate Oracle tables in 2 init biocks and it worked fine for me. Give it a try and let me know how it goes.

Cisco 8510 WLC and RTU licence

Hi Guys,
I have a simular issue where is shows the status as active, not-in-use.
What does this mean and how do I get this to be in use.
This is a Controller with HA-SKU license.
The licenses has been inherited from the Primary Controller.
Any license on HA-SKU controller is disregarded.
Feature name: ap_count (adder)
License type: Permanent
License state: Active, Not-In-Use
License Nodelocked: No
RTU License Count: 50
Hope to hear from you soon.
Regards,
Clifton.

Hi,
since this is a HA-SKU WLC, and the license is inherited from the active then no need to have a permenant license on it.
is the HA working fine?
please review the following link for the HA licensing requirements
http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bd3504.shtml#licensing

WLC and LDAP

Similar Messages

Maybe you are looking for