Choose Security > AAA > LDAP to open the LDAP Servers page.

• If you want to delete an existing LDAP server, hover your cursor over the blue drop-down arrow for that server and choose Remove.

• If you want to make sure that the controller can reach a particular server, hover your cursor over the blue drop-down arrow for that server and choose Ping.

Perform one of the following:

• To edit an existing LDAP server, click the index number for that server. The LDAP Servers > Edit page is displayed.

• To add an LDAP server, click New. The LDAP Servers > New page is displayed. If you are adding a new server, choose a number from the Server Index (Priority) drop-down list to specify the priority order of this server in relation to any other configured LDAP servers. You can configure up to 17 servers. If the controller cannot reach the first server, it tries the second one in the list and so on.

If you are adding a new server, enter the IP address of the LDAP server in the Server IP Address field. Both IPv4 and IPv6 addresses are supported.

If you are adding a new server, enter the LDAP server’s TCP port number in the Port Number field. The valid range is 1 to 65535, and the default value is 389.

From the Server Mode drop-down list, choose None.

Check the Enable Server Status check box to enable this LDAP server or unselect it to disable it. The default value is disabled.

From the Simple Bind drop-down list, choose Anonymous or Authenticated to specify the local authentication bind method for the LDAP server. The Anonymous method allows anonymous access to the LDAP server. The Authenticated method requires that a username and password be entered to secure access. The default value is Anonymous.

If you chose Authenticated in the previous step, follow these steps:

1. In the Bind Username field, enter a username to be used for local authentication to the LDAP server. The username can contain up to 80 characters.

   Note	If the username starts with “cn=” (in lowercase letters), the controller assumes that the username includes the entire LDAP database path and does not append the user base DN. This designation allows the authenticated bind user to be outside the user base DN.

2. In the Bind Username field, enter a username to be used for local authentication to the LDAP server. The username can contain up to 80 characters.

In the User Base DN field, enter the distinguished name (DN) of the subtree in the LDAP server that contains a list of all the users. For example, ou=organizational unit, .ou=next organizational unit, and o=corporation.com. If the tree containing users is the base DN, type.

In the User Attribute field, enter the name of the attribute in the user record that contains the username. You can obtain this attribute from your directory server.

In the User Object Type field, enter the value of the LDAP objectType attribute that identifies the record as a user. Often, user records have several values for the objectType attribute, some of which are unique to the user and some of which are shared with other object types.

In the Server Timeout field, enter the number of seconds between retransmissions. The valid range is 2 to 30 seconds, and the default value is 2 seconds.

Click Apply to commit your changes.

Click Save Configuration to save your changes.

Specify LDAP as the priority backend database server for local EAP authentication as follows:

1. Choose Security > Local EAP > Authentication Priority to open the Priority Order > Local-Auth page.

2. Highlight LOCAL and click < to move it to the left User Credentials field.

3. Highlight LDAP and click > to move it to the right User Credentials field. The database that is displayed at the top of the right User Credentials field is used when retrieving user credentials.

   Note

   If both LDAP and LOCAL appear in the right User Credentials field with LDAP on the top and LOCAL on the bottom, local EAP attempts to authenticate clients using the LDAP backend database and fails over to the local user database if the LDAP servers are not reachable. If the user is not found, the authentication attempt is rejected. If LOCAL is on the top, local EAP attempts to authenticate using only the local user database. It does not fail over to the LDAP backend database.

4. Click Apply to commit your changes.

5. Click Save Configuration to save your changes.

(Optional) Assign specific LDAP servers to a WLAN as follows:

1. Choose WLANs to open the WLANs page.

2. Click the ID number of the desired WLAN.

3. When the WLANs > Edit page is displayed, choose the Security > AAA Servers tabs to open the WLANs > Edit (Security > AAA Servers) page.

4. From the LDAP Servers drop-down lists, choose the LDAP server(s) that you want to use with this WLAN. You can choose up to three LDAP servers, which are tried in priority order.

   Note	These LDAP servers apply only to WLANs with web authentication enabled. They are not used by local EAP.

5. Click Apply to commit your changes.

6. Click Save Configuration to save your changes.

Specify the LDAP server fallback behavior, as follows:

1. Choose WLAN > AAA Server to open the Fallback Parameters page.

2. From the LDAP Servers drop-down list, choose the LDAP server in the order of priority when the controller attempts to authenticate management users. The order of authentication is from server.

3. Choose Security > AAA > LDAP to view the list of global LDAP servers configured for the controller.