- Assigning a local DHCP server
1. Define a new Internal DHCP Scope (Controller > Internal DHCP Server > DHCP Scope).
2. Ensure that the newly defined DHCP Scope is in the same IP range as that defined on the Wireless Dynamic interface.
3. Under the Dynamic Interface settings (Controller > Interfaces > [select the dynamic interface]), insert the WLC management IP as a primary DHCP server.
- Using an LDAP server for authentication
1. Define a new LDAP server under Security > AAA > LDAP
2. If using Active Directory, select Authenticated under the “Simple Bind” option.
3. Under Bind Username, enter the distinguished name (DN) of the LDAP user that the WLC will use to authenticate to the LDAP / AD server. You can use an LDAP browsing tool such as JXplorer to get the DN of an LDAP user.
Please note:
- The WLC only accesses the common name (CN) of the user. You cannot use the sAMAccountName or similar attributes within the Distinguished Name provided.
- The Bind Username field has a character limit (just over 80 characters). Since Distinguished Names tend to be quite long, ensure that your entire DN fits into the field.
4. If you are using AD, use sAMAccountName as a User Attribute, and Person as the User Object Type.
5. The user base DN serves as a filter to return a desired subset of users.
6. Assign the above LDAP user to a defined WLAN (in the below example WLANs > WLANs > Sysadmins):
Underneath LDAP Servers, select the previously defined server, and under Order used for authentication make sure to select at least LDAP.
Troubleshooting LDAP:
- Check the generated messages under Management > Logs > Message Logs
- Use the debug aaa ldap command via CLI
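A pre-flight check for the LDAP settings in steps 3 to 5, as an added example that is not part of the original post: it verifies that a Bind Username leads with CN and fits the field, and builds an escaped search filter from the User Attribute and User Object Type so the user base DN can be tested in an LDAP browser first. The 80-character limit, the filter layout, the function names and the sample DNs are assumptions.

```python
# Added example (not from the original post): pre-flight checks for the
# WLC LDAP settings in steps 3-5 above. Sample DNs below are constructed.

BIND_DN_LIMIT = 80  # assumption: the post only says "just over 80 characters"


def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped (RFC 4514)."""
    parts, current, escaped = [], "", False
    for ch in dn:
        if escaped or ch != ",":
            current += ch
            escaped = (ch == "\\") and not escaped
        else:
            parts.append(current.strip())
            current = ""
    parts.append(current.strip())
    return parts


def check_bind_dn(dn):
    """Return problems with a Bind Username value; an empty list means OK."""
    problems = []
    first_attr = split_rdns(dn)[0].split("=", 1)[0].strip()
    if first_attr.upper() != "CN":
        problems.append("leading RDN uses %r, the WLC expects CN" % first_attr)
    if len(dn) > BIND_DN_LIMIT:
        problems.append("DN is %d characters, over the assumed limit of %d"
                        % (len(dn), BIND_DN_LIMIT))
    return problems


def escape_filter_value(value):
    """Escape LDAP filter metacharacters (RFC 4515) in a user-supplied name."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def user_filter(username, attribute="sAMAccountName", object_type="Person"):
    """Assumed filter layout: object type AND user attribute = login name."""
    return "(&(objectClass=%s)(%s=%s))" % (
        object_type, attribute, escape_filter_value(username))


if __name__ == "__main__":
    for dn in ("CN=wlc-bind,CN=Users,DC=example,DC=com",
               "sAMAccountName=wlc-bind,CN=Users,DC=example,DC=com"):
        print(dn, "->", check_bind_dn(dn) or "OK")
    print(user_filter("jdoe"))
```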
Web auth portal SSL certificate
We had issues importing a third-party SSL certificate to the WLC for use in the web auth portal. The management logs spat out an error message that it cannot PEM decode private key. After finding this helpful post:
http://pvoord.wordpress.com/2012/06/20/importing-3rd-party-certificate-on-cisco-wlc/
I just needed to install OpenSSL 0.98 on Windows rather than using my Linux OpenSSL client. Smells like a bug…