LDAP authorisation configuration
The current version supports LDAP authorization only when user credentials are stored on the LDAP server in cleartext (unhashed).
To configure LDAP authorization for Wi-Fi users, you need a pre-configured LDAP server (for example OpenLDAP) in which:
- At least one organizational unit (OU) for users, such as Users, has been created;
- At least one user, such as user, has been created.
Before enabling LDAP user authorization, configure the ldap-server settings:
wlc(config)# ldap-server bind authenticate root-dn "cn=admin,dc=eltex,dc=ru"
wlc(config)# ldap-server bind authenticate root-password ascii-text <Administrator password>
wlc(config)# ldap-server host <LDAP server address>
wlc(config-ldap-server)# exit
The root-dn and root-password parameters are the distinguished name (DN) and the password assigned to the LDAP “Administrator” user when it was created; the controller binds to the directory with these credentials. ldap-server host is the address of the host where the LDAP server is installed.
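Before typing the root-dn and root-password into the controller it is worth confirming that the LDAP server actually accepts them. The script below is an added example, not Eltex code or part of the original page: it sends an LDAPv3 simple bind (hand-encoded BER, RFC 4511) with only the Python standard library and reports the server's resultCode. The host name, DN and password are placeholders to be replaced with your own values.

```python
"""Pre-flight check for the WLC ldap-server bind settings (added example).

Performs an LDAPv3 simple bind with the same root-dn / root-password that will
be entered on the controller and returns the server's resultCode, using only
the standard library.  Host, DN and password below are placeholders.
"""
import socket


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """Tag-length-value encoding of one BER element."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """BER INTEGER for small non-negative values (message IDs, protocol version)."""
    body = n.to_bytes((n.bit_length() // 8) + 1, "big")
    return tlv(0x02, body)


def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { 3, name, simple [0] } }."""
    bind = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, bind))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg: bytes):
    """Extract (resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = read_tlv(body, 0)
    tag, resp, _ = read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError(f"unexpected protocolOp tag {tag:#x}")
    _, code, pos = read_tlv(resp, 0)        # ENUMERATED resultCode
    _, _matched, pos = read_tlv(resp, pos)  # matchedDN
    _, diag, _ = read_tlv(resp, pos)        # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode(errors="replace")


def check_bind(host: str, dn: str, password: str, port: int = 389, timeout: float = 5.0):
    """Connect, bind once and return (resultCode, diagnosticMessage)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(bind_request(1, dn, password))
        data = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
            try:                            # stop once the outer TLV is complete
                _, _, end = read_tlv(data, 0)
            except IndexError:
                continue
            if end <= len(data):
                break
    return parse_bind_response(data)


if __name__ == "__main__":
    # Placeholder host/DN/password; the WLC will use the same root-dn / root-password.
    code, diag = check_bind("ldap.example.test", "cn=admin,dc=eltex,dc=ru", "<Administrator password>")
    names = {0: "success", 49: "invalidCredentials", 32: "noSuchObject"}
    print(f"bind resultCode={code} ({names.get(code, 'see RFC 4511')}) {diag}")
```

A resultCode of 0 means the controller's bind settings will work; 49 (invalidCredentials) means the DN or password is wrong. The same check with the OpenLDAP client tools is `ldapsearch -x -H ldap://<LDAP server address> -D "cn=admin,dc=eltex,dc=ru" -W -b "ou=Users,dc=eltex,dc=ru"`, which additionally confirms that the base-dn used in the next step exists. Note that the commands on this page configure no TLS, so the simple bind and the looked-up user credentials cross the network unencrypted; keep the WLC-to-LDAP path on a trusted management segment.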
Next, configure the ldap-profile:
wlc(config)# aaa ldap-profile tester
wlc(config-aaa-ldap-profile)# base-dn "ou=Users,dc=eltex,dc=ru"
wlc(config-aaa-ldap-profile)# ldap-server host <LDAP server address>
wlc(config-aaa-ldap-profile)# exit
wlc(config)#
The base-dn parameter is the distinguished name of the container (here the Users OU) under which the user entries were created in LDAP; user lookups are performed below this DN.
Then specify this profile in the local RADIUS server settings:
wlc(config)# radius-server local
wlc(config-radius)# virtual-server default
wlc(config-radius-vserver)# ldap-mode
wlc(config-radius-vserver)# enable
wlc(config-radius-vserver)# exit
wlc(config-radius)# ldap-profile tester
Commit and confirm the configuration:
wlc# commit
wlc# confirm
To test, connect an access point to the WLC and configure an SSID with Enterprise authorization.
Configuration of user authorization using an LDAP server is complete.