Step 1 |
Choose
Security >
AAA >
LDAP to open the
LDAP Servers page.
|
Step 2 |
Perform one of
the following:
-
To edit an existing LDAP server, click the index number of that server to open
the LDAP Servers > Edit page.
-
To add a new LDAP server, click New to open the LDAP Servers > New page.
|
Step 3 |
If you are adding a new server, enter the IP
address of the LDAP server in the Server IP Address
field. Both IPv4 and IPv6 addresses are supported.
|
Step 4 |
If you are adding a new server, enter the LDAP
server's TCP port number in the Port Number field. The
field accepts values from 1 to 65535 and defaults to 389, but see the note that
follows: the controller supports LDAP only on port 389.
Note
|
Only LDAP port 389 is supported on Cisco WLC. No other ports are
supported for LDAP. LDAP on port 389 without TLS carries the bind credentials
entered in Step 8 and every user lookup in cleartext, so restrict the path
between the controller and the directory to a trusted management network.
|
|
Step 5 |
From the
Server
Mode drop-down list, choose
None.
|
Step 6 |
Check the Enable Server Status
check box to enable this LDAP server or unselect it to disable it. The default
value is disabled.
|
Step 7 |
From the
Simple Bind drop-down list, choose Anonymous or
Authenticated to specify the local authentication bind method
for the LDAP server. The Anonymous method binds without credentials, so the
directory must permit unauthenticated searches of the user subtree. The
Authenticated method binds with the username and password entered in Step 8;
treat that account as a service credential with read-only rights to the user
subtree. The default value is Anonymous.
|
Step 8 |
If you chose
Authenticated in the previous step, follow these
steps:
-
In the Bind
Username field, enter a username to be used for local
authentication to the LDAP server. The username can contain up to 80
characters.
Note
|
If the username
starts with “cn=” (in lowercase letters), the controller assumes
that the username includes the entire LDAP database path and
does not append the user base DN. This designation allows the
authenticated bind user to be outside the user base DN.
|
-
In the Bind
Password field, enter the password for the bind username. It is a
directory credential, so use a dedicated read-only service account rather than
an administrator account, and protect it like any other service password.
|
Step 9 |
In the User Base
DN field, enter the distinguished name (DN) of the subtree in
the LDAP server that contains all the user entries, for example
ou=organizational unit,ou=next organizational unit,o=corporation.com. If
the tree containing the users is the base DN itself, enter
o=corporation.com or dc=corporation,dc=com.
|
Step 10 |
In the User
Attribute field, enter the name of the attribute in the user
record that contains the username. You can obtain this attribute from your
directory server.
|
Step 11 |
In the User Object
Type field, enter the value of the LDAP objectClass attribute (the field label
calls it the object type) that identifies the record as a user. User records
often carry several objectClass values, some unique to users and some shared
with other object types; an Active Directory user, for example, has top,
person, organizationalPerson, and user. Enter a value that only user entries
carry.
|
Step 12 |
In the Server
Timeout field, enter the number of seconds between
retransmissions. The valid range is 2 to 30 seconds, and the default value is 2
seconds.
|
Step 13 |
Click
Apply to commit
your changes.
|
Step 14 |
Click
Save
Configuration to save your changes.
|
Step 15 |
Specify LDAP as the priority backend database
server for local EAP authentication as follows:
-
Choose Security > Local EAP > Authentication
Priority to open the Priority Order >
Local-Auth page.
-
Highlight LOCAL and
click <
to move it to the left User
Credentials field.
-
Highlight LDAP and click > to move it to the
right User Credentials field. The database that
is displayed at the top of the right User
Credentials field is used when retrieving user
credentials.
Note
|
If both LDAP and
LOCAL appear in the right User
Credentials field with LDAP on the top and LOCAL
on the bottom, local EAP attempts to authenticate clients using
the LDAP backend database and fails over to the local user
database if the LDAP servers are not reachable. If the user is
not found, the authentication attempt is rejected. If LOCAL is
on the top, local EAP attempts to authenticate using only the
local user database. It does not fail over to the LDAP backend
database.
|
-
Click
Apply to commit
your changes.
-
Click
Save
Configuration to save your changes.
|
Step 16 |
(Optional) Assign
specific LDAP servers to a WLAN as follows:
-
Choose
WLANs to open the
WLANs page.
-
Click the ID
number of the desired WLAN.
-
When the WLANs > Edit page is displayed,
choose the Security > AAA Servers tabs to open
the WLANs > Edit (Security > AAA Servers)
page.
-
From the LDAP
Servers drop-down lists, choose the LDAP server(s) that
you want to use with this WLAN. You can choose up to three LDAP servers,
which are tried in priority order.
Note
|
These LDAP servers
apply only to WLANs with web authentication enabled. They are
not used by local EAP.
|
-
Click
Apply to commit
your changes.
-
Click
Save
Configuration to save your changes.
|
Step 17 |
Specify the
LDAP server fallback behavior, as follows:
-
Choose WLAN > AAA
Server to open the Fallback
Parameters page.
-
From the LDAP Servers drop-down list, choose the
LDAP servers in the order of priority in which the controller attempts to
authenticate management users. The servers are tried in the order listed, from
the first selected downward.
-
Choose
Security >
AAA >
LDAP to view the list of global LDAP servers
configured for the controller.
|
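The procedure above is a GUI walk-through, so a wrong Bind Username, User Base DN or User Attribute gives no feedback until clients fail to authenticate. The following Python is an added example, not Cisco code and not part of the original page, that dry-runs those values offline: it applies the "cn=" rule from the Bind Username note to derive the bind DN, builds an RFC 4515-escaped search filter from User Attribute and User Object Type, emits an OpenLDAP ldapsearch command that reproduces the lookup from a test host on the same network path, and models the LDAP/LOCAL fallback described in the Step 15 note. The exact bind-DN form the controller uses when the name does not start with "cn=" and the exact filter it sends are assumptions (the page only says the User Base DN is appended); the addresses, DNs and account names are constructed sample values.

```python
"""Offline dry-run of the LDAP parameters entered on the WLC LDAP Servers page.

Added example (not Cisco code). DNs, hosts and account names are constructed
sample values. Assumed, not stated on the page: when the Bind Username does
not start with "cn=", the controller forms
"<User Attribute>=<Bind Username>,<User Base DN>", and the user lookup is an
AND of the User Attribute and objectClass. Adjust if your directory differs.
"""
import shlex

# RFC 4515 escaping for values interpolated into a search filter. Without it a
# probe username such as "*" or "a)(uid=b" rewrites the query.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def bind_dn(bind_username: str, user_base_dn: str, user_attribute: str) -> str:
    """Bind DN sent in an Authenticated Simple Bind.

    The page's rule: a Bind Username that starts with lowercase "cn=" is taken
    as a complete DN and the User Base DN is not appended. "CN=" does not
    qualify, so an uppercase prefix silently produces a DN that will not bind.
    """
    if bind_username.startswith("cn="):
        return bind_username
    return f"{user_attribute}={bind_username},{user_base_dn}"


def user_filter(username: str, user_attribute: str, user_object_type: str) -> str:
    """Assumed form of the controller's user lookup, with both values escaped."""
    return (f"(&({user_attribute}={escape_filter_value(username)})"
            f"(objectClass={escape_filter_value(user_object_type)}))")


def ldapsearch_command(server_ip, port, user_base_dn, user_attribute,
                       user_object_type, probe_user, bind_username=None):
    """OpenLDAP ldapsearch invocation reproducing the controller's lookup.

    Pass bind_username=None for Simple Bind = Anonymous. For Authenticated the
    password is requested interactively (-W) rather than placed on the command
    line, where it would land in shell history and process listings.
    """
    host = f"[{server_ip}]" if ":" in server_ip else server_ip  # IPv6 literal in a URI
    cmd = ["ldapsearch", "-x", "-H", f"ldap://{host}:{port}", "-b", user_base_dn]
    if bind_username is not None:
        cmd += ["-D", bind_dn(bind_username, user_base_dn, user_attribute), "-W"]
    cmd += [user_filter(probe_user, user_attribute, user_object_type), "dn", user_attribute]
    return shlex.join(cmd)


def local_eap_lookup(order, ldap_reachable, ldap_has_user, local_has_user):
    """Model of the Authentication Priority note in Step 15.

    order is the right-hand User Credentials list, top entry first. LDAP on top
    falls over to LOCAL only when no LDAP server is reachable; a reachable LDAP
    that lacks the user is a rejection. LOCAL on top never consults LDAP.
    Returns the backend that authenticated the user, or None for a rejection.
    """
    for backend in order:
        if backend == "LDAP":
            if not ldap_reachable:
                continue            # unreachable: fall over to the next backend
            return "LDAP" if ldap_has_user else None
        if backend == "LOCAL":
            return "LOCAL" if local_has_user else None  # LOCAL is terminal
    return None


if __name__ == "__main__":
    print(ldapsearch_command("2001:db8::10", 389, "ou=people,dc=example,dc=com",
                             "uid", "Person", "alice",
                             bind_username="cn=wlc-bind,ou=service,dc=example,dc=com"))
    print(local_eap_lookup(["LDAP", "LOCAL"], True, False, True))  # None: rejected
```

Run the printed ldapsearch command from a host that can reach the directory on port 389; a bind error points at the Bind Username or User Base DN, an empty result at the User Attribute or User Object Type. The fallback model makes the subtle case explicit: with LDAP on top and reachable, a user missing from the directory is rejected even if the local database has an entry for them.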