Step 1 |
Choose Security > AAA > LDAP to open the LDAP Servers page.
|
Step 2 |
Perform one of
the following:
|
Step 3 |
If you are adding a new server, enter the IP address of the LDAP server in the Server IP Address text box.
Note
|
From Release 8.0, an IPv6 address can also be used to configure the LDAP server on the controller.
|
|
Step 4 |
If you are adding a new server, enter the LDAP server's TCP port number in the Port Number text box. The valid range is 1 to 65535, and the default value is 389.
Note
|
Only LDAP port 389 is supported on Cisco WLC. No other ports are supported for LDAP.
|
|
Step 5 |
From the Server Mode (via TLS) drop-down list, choose Disabled to establish the LDAP connection between the LDAP server and the Cisco WLC over plain TCP (no secure tunnel), or Enabled to establish a secure LDAP connection using TLS. With Disabled, a simple bind sends the bind username and password to the server in cleartext, so use Enabled whenever the server supports it.
|
Step 6 |
Select the Enable Server Status check box to enable this LDAP server, or unselect it to disable it. The default value is disabled.
|
Step 7 |
From the Simple Bind drop-down list, choose Anonymous or Authenticated to specify the local authentication bind method for the LDAP server. The Anonymous method allows anonymous access to the LDAP server. The Authenticated method requires that a username and password be entered to secure access. The default value is Anonymous.
|
Step 8 |
If you chose Authenticated in the previous step, follow these steps:
-
In the Bind Username text box, enter the username to be used for local authentication to the LDAP server. The username can contain up to 80 characters.
Note
|
If the username starts with "cn=" (in lowercase letters), the controller assumes that the username includes the entire LDAP database path and does not append the user base DN. This designation allows the authenticated bind user to be outside the user base DN.
|
-
In the Bind Password text box, enter the password for that bind user.
|
Step 9 |
In the User Base DN text box, enter the distinguished name (DN) of the subtree in the LDAP server that contains all the users, for example ou=organizational unit,ou=next organizational unit,o=corporation.com. If the tree containing the users is the base DN itself, type o=corporation.com or dc=corporation,dc=com.
|
Step 10 |
In the User Attribute text box, enter the name of the attribute in the user record that contains the username. You can obtain this attribute from your directory server.
|
Step 11 |
In the User Object Type text box, enter the value of the LDAP objectClass attribute (the page calls it objectType) that identifies the record as a user. User records often carry several objectClass values, some of which are unique to users and some of which are shared with other object types; use one that is specific to user records.
|
Step 12 |
In the Server Timeout text box, enter the number of seconds between retransmissions. The valid range is 2 to 30 seconds, and the default value is 2 seconds.
|
Step 13 |
Click Apply to commit your changes.
|
Step 14 |
Click Save Configuration to save your changes.
|
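The following is an added example, not part of the Cisco documentation, that models the server parameters from Steps 3 to 12 so you can sanity-check them before typing them into the controller. It checks the documented ranges (port 1 to 65535 with only 389 supported, timeout 2 to 30 seconds, bind username up to 80 characters), applies the lowercase "cn=" rule from Step 8, and builds the search filter the server will receive from the User Attribute and User Object Type with RFC 4515 escaping, so that a username such as *)(uid=* cannot change the meaning of the filter. The WlcLdapServer class and its methods are hypothetical; in particular, the assumption that the controller forms a non-"cn=" bind DN as <User Attribute>=<Bind Username>,<User Base DN> is this example's, not something the page states. The sample values (192.0.2.10, the example DNs and usernames) are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# RFC 4515 escaping for values embedded in an LDAP search filter. Without it,
# a username such as "*)(uid=*" rewrites the filter instead of being matched.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for safe use as an assertion value in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


@dataclass
class WlcLdapServer:
    """Hypothetical model of one LDAP Servers entry (Steps 3 to 12)."""
    ip_address: str
    user_base_dn: str
    port: int = 389
    tls: bool = False                 # Server Mode (via TLS)
    enabled: bool = False             # Enable Server Status
    simple_bind: str = "Anonymous"    # "Anonymous" or "Authenticated"
    bind_username: Optional[str] = None
    bind_password: Optional[str] = None
    user_attribute: str = "uid"       # attribute holding the username
    user_object_type: str = "Person"  # objectClass value identifying a user
    timeout_s: int = 2                # Server Timeout

    def validate(self) -> List[str]:
        """Return a list of problems; an empty list means the entry is consistent."""
        problems: List[str] = []
        if not 1 <= self.port <= 65535:
            problems.append("port outside 1-65535")
        elif self.port != 389:
            problems.append("port is not 389; only LDAP port 389 is supported on the WLC")
        if not 2 <= self.timeout_s <= 30:
            problems.append("server timeout outside 2-30 seconds")
        if self.simple_bind == "Authenticated":
            if not self.bind_username or not self.bind_password:
                problems.append("Authenticated bind requires a bind username and password")
            elif len(self.bind_username) > 80:
                problems.append("bind username longer than 80 characters")
            if not self.tls:
                # Security caveat: a simple bind without TLS sends the password in cleartext.
                problems.append("Authenticated bind without TLS sends the bind password in cleartext")
        elif self.simple_bind != "Anonymous":
            problems.append("simple bind must be Anonymous or Authenticated")
        return problems

    def bind_dn(self) -> Optional[str]:
        """DN the controller binds with, per the lowercase "cn=" rule of Step 8."""
        if self.simple_bind != "Authenticated" or not self.bind_username:
            return None
        if self.bind_username.startswith("cn="):  # case-sensitive, as the page states
            return self.bind_username              # full path given; base DN not appended
        # ASSUMPTION (not from the page): otherwise the controller builds
        # "<User Attribute>=<Bind Username>,<User Base DN>".
        return f"{self.user_attribute}={self.bind_username},{self.user_base_dn}"

    def user_search_filter(self, username: str) -> str:
        """Filter used to locate the user under the User Base DN (Steps 10 and 11)."""
        return (f"(&({self.user_attribute}={escape_filter_value(username)})"
                f"(objectClass={escape_filter_value(self.user_object_type)}))")


if __name__ == "__main__":
    # Constructed sample entry: TLS on, authenticated bind with a full "cn=" path.
    server = WlcLdapServer(ip_address="192.0.2.10", user_base_dn="dc=corporation,dc=com",
                           tls=True, enabled=True, simple_bind="Authenticated",
                           bind_username="cn=wlc-bind,ou=services,dc=corporation,dc=com",
                           bind_password="example-only")
    print("problems:", server.validate())
    print("bind DN :", server.bind_dn())
    print("filter  :", server.user_search_filter("*)(uid=*"))
```

Run it and compare the bind DN and filter it prints with what an LDAP server-side trace shows when the controller authenticates a test user; a mismatch usually means the User Attribute or User Object Type does not match the directory schema.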
Step 15 |
Specify LDAP as the priority backend database server for local EAP authentication as follows:
-
Choose Security > Local EAP > Authentication Priority to open the Priority Order > Local-Auth page.
-
Highlight LOCAL and click < to move it to the left User Credentials box.
-
Highlight LDAP and click > to move it to the right User Credentials box. The database that appears at the top of the right User Credentials box is used when retrieving user credentials.
Note
|
If both LDAP and LOCAL appear in the right User Credentials box with LDAP on the top and LOCAL on the bottom, local EAP attempts to authenticate clients using the LDAP backend database and fails over to the local user database only if the LDAP servers are not reachable. If the user is not found in LDAP, the authentication attempt is rejected. If LOCAL is on the top, local EAP attempts to authenticate using only the local user database. It does not fail over to the LDAP backend database.
|
-
Click Apply to commit your changes.
-
Click Save Configuration to save your changes.
|
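The failover rule in the note above is easy to misread, so here is an added example (not Cisco code) that simulates it: with LDAP on top, the controller falls back to LOCAL only when the LDAP servers are unreachable, never when the user is simply absent from LDAP; with LOCAL on top, LDAP is never consulted. The two backends, the LdapUnreachable exception and the user tables are constructed stand-ins for this example; the names local_eap_authenticate, ldap_backend and local_backend are hypothetical and not controller APIs.

```python
import hmac
from typing import Dict, Optional, Sequence

# Constructed sample user databases (example values only, not real credentials).
LDAP_USERS: Dict[str, str] = {"alice": "ldap-pass-example"}
LOCAL_USERS: Dict[str, str] = {"localadmin": "local-pass-example"}


class LdapUnreachable(Exception):
    """Raised when every configured LDAP server timed out or refused the connection."""


def _check(db: Dict[str, str], username: str, password: str) -> Optional[bool]:
    """None = user not found; True/False = password match result (constant-time compare)."""
    stored = db.get(username)
    if stored is None:
        return None
    return hmac.compare_digest(stored.encode(), password.encode())


def ldap_backend(username: str, password: str, reachable: bool = True) -> Optional[bool]:
    """Stand-in for the LDAP backend; 'reachable' simulates the servers being up or down."""
    if not reachable:
        raise LdapUnreachable()
    return _check(LDAP_USERS, username, password)


def local_backend(username: str, password: str) -> Optional[bool]:
    """Stand-in for the controller's local user database."""
    return _check(LOCAL_USERS, username, password)


def local_eap_authenticate(priority: Sequence[str], username: str, password: str,
                           ldap_reachable: bool = True) -> str:
    """Apply the User Credentials priority order from Step 15.

    priority lists the databases in the right User Credentials box, top first,
    e.g. ["LDAP", "LOCAL"]. Returns "accept" or "reject".
    """
    if not priority:
        return "reject"
    top = priority[0]
    if top == "LOCAL":
        # LOCAL on top: only the local database is tried; no failover to LDAP.
        return "accept" if local_backend(username, password) else "reject"

    # LDAP on top: LDAP is authoritative unless its servers are unreachable.
    try:
        result = ldap_backend(username, password, reachable=ldap_reachable)
    except LdapUnreachable:
        if "LOCAL" in priority[1:]:
            result = local_backend(username, password)   # failover only here
        else:
            return "reject"
    # A user not found in LDAP (None) is rejected, not retried locally.
    return "accept" if result else "reject"


if __name__ == "__main__":
    order = ["LDAP", "LOCAL"]
    print(local_eap_authenticate(order, "alice", "ldap-pass-example"))            # accept
    print(local_eap_authenticate(order, "localadmin", "local-pass-example"))      # reject: not in LDAP
    print(local_eap_authenticate(order, "localadmin", "local-pass-example",
                                 ldap_reachable=False))                           # accept: failover
    print(local_eap_authenticate(["LOCAL", "LDAP"], "alice", "ldap-pass-example"))  # reject
```

The practical consequence is that local-only accounts (for example an emergency EAP identity in the local database) are not usable while LDAP is reachable if LDAP sits on top, and LDAP accounts are never usable if LOCAL sits on top.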
Step 16 |
(Optional) Assign specific LDAP servers to a WLAN as follows:
-
Choose WLANs to open the WLANs page.
-
Click the ID number of the desired WLAN.
-
When the WLANs > Edit page appears, choose the Security > AAA Servers tabs to open the WLANs > Edit (Security > AAA Servers) page.
-
From the LDAP Servers drop-down lists, choose the LDAP server(s) that you want to use with this WLAN. You can choose up to three LDAP servers, which are tried in priority order.
Note
|
These LDAP servers apply only to WLANs with web authentication enabled. They are not used by local EAP.
|
-
Click Apply to commit your changes.
-
Click Save Configuration to save your changes.
|
Step 17 |
Specify the LDAP server fallback behavior, as follows:
-
Choose WLAN > AAA Server to open the Fallback Parameters page.
-
From the LDAP Servers drop-down list, choose the LDAP servers in the order of priority in which the controller should try them when it attempts to authenticate management users. The servers are tried in that order.
-
Choose Security > AAA > LDAP to view the list of global LDAP servers configured for the controller.
|