Cisco Wireless LAN Controller Configuration Guide, Release 7.4
Configuring LDAP
Downloads: This chapterpdf (PDF - 1.28MB) The complete bookPDF (PDF - 17.75MB) | The complete bookePub (ePub - 4.37MB) | Feedback

Configuring LDAP

Configuring LDAP

Information About LDAP

An LDAP backend database allows the controller to query an LDAP server for the credentials (username and password) of a particular user. These credentials are then used to authenticate the user. For example, local EAP may use an LDAP server as its backend database to retrieve user credentials.

Fallback LDAP Servers

The LDAP servers are configured on a WLAN for authentication. You require at least two LDAP servers to configure them for fallback behavior. A maximum of three LDAP servers can be configured for the fallback behavior per WLAN. The servers are listed in the priority order for authentication. If the first LDAP server becomes irresponsive, then the controller switches to the next LDAP server. If the second LDAP server becomes irresponsive, then the controller switches again to the third LDAP server.


Note


The LDAP backend database supports these local EAP methods: EAP-TLS, EAP-FAST/GTC, and PEAPv1/GTC. LEAP, EAP-FAST/MSCHAPv2, and PEAPv0/MSCHAPv2 are also supported but only if the LDAP server is set up to return a clear-text password.



Note


Cisco wireless LAN controllers support Local EAP authentication against external LDAP databases such as Microsoft Active Directory and Novell’s eDirectory. For more information about configuring the controller for Local EAP authentication against Novell’s eDirectory, see the Configure Unified Wireless Network for Authentication Against Novell's eDirectory Database whitepaper at http:/​/​www.cisco.com/​en/​US/​products/​ps6366/​products_​white_​paper09186a0080b4cd24.shtml.


Configuring LDAP (GUI)


    Step 1   Choose Security > AAA > LDAP to open the LDAP Servers page.
    • If you want to delete an existing LDAP server, hover your cursor over the blue drop-down arrow for that server and choose Remove.
    • If you want to make sure that the controller can reach a particular server, hover your cursor over the blue drop-down arrow for that server and choose Ping.

    Step 2   Perform one of the following:
    • To edit an existing LDAP server, click the index number for that server. The LDAP Servers > Edit page appears.

    • To add an LDAP server, click New. The LDAP Servers > New page appears. If you are adding a new server, choose a number from the Server Index (Priority) drop-down list to specify the priority order of this server in relation to any other configured LDAP servers. You can configure up to 17 servers. If the controller cannot reach the first server, it tries the second one in the list and so on.
    Step 3   If you are adding a new server, enter the IP address of the LDAP server in the Server IP Address text box.
    Step 4   If you are adding a new server, enter the LDAP server’s TCP port number in the Port Number text box. The valid range is 1 to 65535, and the default value is 389.
    Step 5   From the Server Mode drop-down list, choose None.
    Step 6   Select the Enable Server Status check box to enable this LDAP server or unselect it to disable it. The default value is disabled.
    Step 7   From the Simple Bind drop-down list, choose Anonymous or Authenticated to specify the local authentication bind method for the LDAP server. The Anonymous method allows anonymous access to the LDAP server. The Authenticated method requires that a username and password be entered to secure access. The default value is Anonymous.
    Step 8   If you chose Authenticated in the previous step, follow these steps:
    1. In the Bind Username text box, enter a username to be used for local authentication to the LDAP server. The username can contain up to 80 characters.
      Note   

      If the username starts with “cn=” (in lowercase letters), the controller assumes that the username includes the entire LDAP database path and does not append the user base DN. This designation allows the authenticated bind user to be outside the user base DN.

    2. In the Bind Username text box, enter a username to be used for local authentication to the LDAP server. The username can contain up to 80 characters.
    Step 9   In the User Base DN text box, enter the distinguished name (DN) of the subtree in the LDAP server that contains a list of all the users. For example, ou=organizational unit, .ou=next organizational unit, and o=corporation.com. If the tree containing users is the base DN, type. o=corporation.com

    or

    dc=corporation,dc=com
    Step 10   In the User Attribute text box, enter the name of the attribute in the user record that contains the username. You can obtain this attribute from your directory server.
    Step 11   In the User Object Type text box, enter the value of the LDAP objectType attribute that identifies the record as a user. Often, user records have several values for the objectType attribute, some of which are unique to the user and some of which are shared with other object types.
    Step 12   In the Server Timeout text box, enter the number of seconds between retransmissions. The valid range is 2 to 30 seconds, and the default value is 2 seconds.
    Step 13   Click Apply to commit your changes.
    Step 14   Click Save Configuration to save your changes.
    Step 15   Specify LDAP as the priority backend database server for local EAP authentication as follows:
    1. Choose Security > Local EAP > Authentication Priority to open the Priority Order > Local-Auth page.
    2. Highlight LOCAL and click < to move it to the left User Credentials box.
    3. Highlight LDAP and click > to move it to the right User Credentials box. The database that appears at the top of the right User Credentials box is used when retrieving user credentials.
      Note   

      If both LDAP and LOCAL appear in the right User Credentials box with LDAP on the top and LOCAL on the bottom, local EAP attempts to authenticate clients using the LDAP backend database and fails over to the local user database if the LDAP servers are not reachable. If the user is not found, the authentication attempt is rejected. If LOCAL is on the top, local EAP attempts to authenticate using only the local user database. It does not fail over to the LDAP backend database.

    4. Click Apply to commit your changes.
    5. Click Save Configuration to save your changes.
    Step 16   (Optional) Assign specific LDAP servers to a WLAN as follows:
    1. Choose WLANs to open the WLANs page.
    2. Click the ID number of the desired WLAN.
    3. When the WLANs > Edit page appears, choose the Security > AAA Servers tabs to open the WLANs > Edit (Security > AAA Servers) page.
    4. From the LDAP Servers drop-down lists, choose the LDAP server(s) that you want to use with this WLAN. You can choose up to three LDAP servers, which are tried in priority order.
      Note   

      These LDAP servers apply only to WLANs with web authentication enabled. They are not used by local EAP.

    5. Click Apply to commit your changes.
    6. Click Save Configuration to save your changes.
    Step 17   Specify the LDAP server fallback behavior, as follows:
    1. Choose WLAN > AAA Server to open the Fallback Parameters page.
    2. From the LDAP Servers drop-down list, choose the LDAP server in the order of priority when the controller attempts to authenticate management users. The order of authentication is from server.
    3. Choose Security > AAA > LDAP to view the list of global LDAP servers configured for the controller.

    Configuring LDAP (CLI)

    • Configure an LDAP server by entering these commands:

      • config ldap add index server_ip_address port# user_base user_attr user_type —
Adds an LDAP server.

      • config ldap delete index—Deletes a previously added LDAP server.

      • config ldap {enable | disable} index—Enables or disables an LDAP server.

      • config ldap simple-bind {anonymous index | authenticated index username username password password}—Specifies the local authentication bind method for the LDAP server. The anonymous method allows anonymous access to the LDAP server whereas the authenticated method requires that a username and password be entered to secure access. The default value is anonymous. The username can contain up to 80 characters.

        If the username starts with “cn=” (in lowercase letters), the controller assumes that the username includes the entire LDAP database path and does not append the user base DN. This designation allows the authenticated bind user to be outside the user base DN.

      • config ldap retransmit-timeout index timeout—Configures the number of seconds between retransmissions for an LDAP server.

    • Specify LDAP as the priority backend database server by entering this command:

      config local-auth user-credentials ldap

      If you enter the config local-auth user-credentials ldap local command, local EAP attempts to authenticate clients using the LDAP backend database and fails over to the local user database if the LDAP servers are not reachable. If the user is not found, the authentication attempt is rejected. If you enter the config local-auth user-credentials local ldap command, local EAP attempts to authenticate using only the local user database. It does not fail over to the LDAP backend database.

    • (Optional) Assign specific LDAP servers to a WLAN by entering these commands:

      • config wlan ldap add wlan_id server_index—Links a configured LDAP server to a WLAN.

        The LDAP servers specified in this command apply only to WLANs with web authentication enabled. They are not used by local EAP.

      • config wlan ldap delete wlan_id {all | index}—Deletes a specific or all configured LDAP server(s) from a WLAN.

    • View information pertaining to configured LDAP servers by entering these commands:

      • show ldap summary—Shows a summary of the configured LDAP servers.

        
        Idx  Server Address   Port  Enabled
        ---  ---------------  ----  -------
        1    2.3.1.4           389 	   No
        2    10.10.20.22 	 	 	 389 	 	 Yes

      • show ldap index—Shows detailed LDAP server information. Information like the following appears:

        
        Server Index..................................... 2
        Address.......................................... 10.10.20.22
        Port............................................. 389
        Enabled.......................................... Yes
        User DN.......................................... ou=active,ou=employees,ou=people,
        													o=cisco.com
        User Attribute................................... uid
        User Type........................................ Person
        Retransmit Timeout............................... 2 seconds
        Bind Method ..................................... Authenticated
        Bind Username................................. user1
        
      • show ldap statistics—Shows LDAP server statistics.

        
        Server Index..................................... 1
        Server statistics:
          Initialized OK................................. 0
          Initialization failed.......................... 0
          Initialization retries......................... 0
          Closed OK...................................... 0
        Request statistics:
          Received....................................... 0
          Sent........................................... 0
          OK............................................. 0
          Success........................................ 0
          Authentication failed.......................... 0
          Server not found............................... 0
          No received attributes......................... 0
          No passed username............................. 0
          Not connected to server........................ 0
          Internal error................................. 0
          Retries........................................ 0
        
        Server Index..................................... 2
        ..
        
      • show wlan wlan_id—Shows the LDAP servers that are applied to a WLAN.

    • Make sure the controller can reach the LDAP server by entering this command: ping server_ip_address

    • Save your changes by entering this command:

      save config

    • Enable or disable debugging for LDAP by entering this command: debug aaa ldap {enable | disable}