https://community.cisco.com/t5/network-access-control/problem-with-getting-ldap-attributes-on-ise-when-eapchaining-is/m-p/2056048#M200292 <HTML><HEAD></HEAD><BODY><P>It's not LDAP group based, just additional attribute WLANProfile which returns to which VLAN should the user be connected.</P><P></P><P>If the it matches ie Employees, then access is granted. </P><P>This works fine when EAP Chaining is disabled in protocols, when I enable it stops matching.</P></BODY></HTML> Wed, 10 Oct 2012 07:31:48 GMT Karel Navratil 2012-10-10T07:31:48Z https://community.cisco.com/t5/network-access-control/problem-with-getting-ldap-attributes-on-ise-when-eapchaining-is/m-p/2056044#M200284 <P>Hi All,</P><P></P><P>has anybody and idea how to set LDAP attributes retrieval with EAPChaining enabled?</P><P></P><P>My scenarios is:</P><P></P><P>- user with AnyConnect (EAP-FAST) connects to WLAN and sends it's credentials</P><P>- ISE authenticates username and password against Active Directory</P><P>- ISE should check if the same userid contains in LDAP Directory (not AD, different store) special attribute which controls access to our WLAN</P><P>- If the attribute is found, then authorization profile is matched.</P><P></P><P>This works when I disable EAP-Chaining Policy -&gt; Policy Elements -&gt; Results -&gt; Authentication -&gt; Allowed Protocols ...</P><P></P><P>In logs I've found that the user was not found in LDAP, but the user exists.</P><P></P><P>Maybe the workaround can be if just user from EAPChaining is used and not also the hostname, then it could match. But I cannot find any similar parameter which returns only user.</P><P></P><P>Does anybody have an idea how to solve this?</P><P></P><P>Thanks!</P><P></P><P>K.</P> Mon, 11 Mar 2019 02:39:16 GMT https://community.cisco.com/t5/network-access-control/problem-with-getting-ldap-attributes-on-ise-when-eapchaining-is/m-p/2056044#M200284 Karel Navratil 2019-03-11T02:39:16Z https://community.cisco.com/t5/network-access-control/problem-with-getting-ldap-attributes-on-ise-when-eapchaining-is/m-p/2056045#M200285 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>This seems like a corner issue, because eap-fast with ldap is not supported. LDAP as the protocol doest support hash based authentication hence the reason ISE is failing to hit the ldap database.</P><P></P><P>Referencing acs material since ise docs are not complete:</P><P></P><P>http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/eap_pap_phase.html</P><P></P><P></P><P>Sent from Cisco Technical Support Android App</P></BODY></HTML> Tue, 09 Oct 2012 14:55:18 GMT https://community.cisco.com/t5/network-access-control/problem-with-getting-ldap-attributes-on-ise-when-eapchaining-is/m-p/2056045#M200285 Tarik Admani 2012-10-09T14:55:18Z https://community.cisco.com/t5/network-access-control/problem-with-getting-ldap-attributes-on-ise-when-eapchaining-is/m-p/2056046#M200288 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P></P><P>I'm not using LDAP to authenticate just as additional attribute retrieval. Authentication is done via Active Directory.</P><P></P><P>Just want to have control who can access our WLAN and who not and take advantage of EAP-Chaining</P><P></P><P>K.</P></BODY></HTML> Tue, 09 Oct 2012 14:58:55 GMT https://community.cisco.com/t5/network-access-control/problem-with-getting-ldap-attributes-on-ise-when-eapchaining-is/m-p/2056046#M200288 Karel Navratil 2012-10-09T14:58:55Z https://community.cisco.com/t5/network-access-control/problem-with-getting-ldap-attributes-on-ise-when-eapchaining-is/m-p/2056047#M200290 <HTML><HEAD></HEAD><BODY><P>Do you have your ldap group configured as an authorization condition?</P><P></P><P>I remember an topic on the forums where the retrieval is done when the authorization rule has the ldap group as a condition. Then ise will attempt the lookup.</P><P></P><P></P><P>Sent from Cisco Technical Support Android App</P></BODY></HTML> Wed, 10 Oct 2012 01:30:45 GMT https://community.cisco.com/t5/network-access-control/problem-with-getting-ldap-attributes-on-ise-when-eapchaining-is/m-p/2056047#M200290 Tarik Admani 2012-10-10T01:30:45Z https://community.cisco.com/t5/network-access-control/problem-with-getting-ldap-attributes-on-ise-when-eapchaining-is/m-p/2056048#M200292 <HTML><HEAD></HEAD><BODY><P>It's not LDAP group based, just additional attribute WLANProfile which returns to which VLAN should the user be connected.</P><P></P><P>If the it matches ie Employees, then access is granted. </P><P>This works fine when EAP Chaining is disabled in protocols, when I enable it stops matching.</P></BODY></HTML> Wed, 10 Oct 2012 07:31:48 GMT https://community.cisco.com/t5/network-access-control/problem-with-getting-ldap-attributes-on-ise-when-eapchaining-is/m-p/2056048#M200292 Karel Navratil 2012-10-10T07:31:48Z https://community.cisco.com/t5/network-access-control/problem-with-getting-ldap-attributes-on-ise-when-eapchaining-is/m-p/2056049#M200294 <HTML><HEAD></HEAD><BODY><P>Any ideas here?</P></BODY></HTML> Sun, 14 Oct 2012 21:20:36 GMT https://community.cisco.com/t5/network-access-control/problem-with-getting-ldap-attributes-on-ise-when-eapchaining-is/m-p/2056049#M200294 Karel Navratil 2012-10-14T21:20:36Z