Cisco WLC 2500 series – Lessons Learned
November 29, 2012
Posted by on
- Assigning a local DHCP server
1. Define a new Internal DHCP Scope (Controller > Internal DHCP Server > DHCP Scope).
2. Ensure that the newly defined DHCP Scope is in the same IP range as that defined on the Wireless Dynamic interface
3. Under the Dynamic Interface settings (Controller > Interfaces > [select the dynamic interface]), insert the WLC management IP as a primary DHCP server:
- Using an LDAP server for authentication
1. Define a new LDAP server under Security > AAA > LDAP
2. If using Active Directory, select Authenticated under the “Simple Bind” option.
3. Under Bind Username enter the Distinguished name of the LDAP user that the WLC will use to authenticate to the LDAP / AD server. You can use an LDAP browsing tool such as Jxplorer to get the DN of an LDAP user.
- The WLC only access the common name (CN) of the user, you cannot use the sAMAccountName or similar attributes within the Distinguished Name provided.
- The Bind Username field has a character limit (just over 80 characters). Since Distinguished Names tend to be quite long, ensure that your entire DN fits into the field
4. If you are using AD, use sAMAccountName as a User Attribute, and Person as the User Object Type.
5. The user base DN servers as a filter to return a desired subset of users.
6. Assign the above LDAP user to a defined WLAN (in the below example WLANs > WLANs > Sysadmins):
Underneath LDAP Servers, select the previously defined server, and under Order used for authentication make sure to select at least LDAP
- Check the generated messages under Management > Logs > Message Logs
- Use the debug aaa ldap command via CLI
Web auth portal SSL certificate
We had issues importing a 3rd party ssl certificate to the WLC for use in the web auth portal. The management logs spat out an error message that it cannot PEM decode private key. After finding this helpful post:
I just needed to install OpenSSL 0.98 in windows rather than using my linux openssl client. Smells like a bug…