https://community.cisco.com/t5/network-access-control/acs-4-x-and-ldap-as-userdatabase/m-p/662868#M421485 <HTML><HEAD></HEAD><BODY><P>I take your point.. its a balance between functionality verses security.</P><P></P><P>Cisco could choose to add a cludge solution. But generally the golden rule of all password repositories should be passwords go in - never out.</P><P></P><P>Since LDAP itself cant/wont support MSCHAP natively you need to implement a "back door" to allow plain text passwords out of LDAP back into the AAA server.</P><P></P><P>You then have issues of password management, but more importantly.. how secure is the system you will have built?</P><P></P><P></P></BODY></HTML> Wed, 28 Feb 2007 11:11:38 GMT darpotter 2007-02-28T11:11:38Z https://community.cisco.com/t5/network-access-control/acs-4-x-and-ldap-as-userdatabase/m-p/662865#M421482 <P>Does anyone know when/if Cisco plan to let LDAP support PEAP(mschapv2)? </P><P></P><P>We are running Novell, and it seems that we have to use Freeradius because PEAP w/mschap v.2 is not supported when LDAP is the userdatabase</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a00806fe24a.html#wp857274" target="_blank">http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a00806fe24a.html#wp857274</A> </P><P></P><P>Johann Folkestad</P><P></P><P></P> Sun, 10 Mar 2019 22:00:40 GMT https://community.cisco.com/t5/network-access-control/acs-4-x-and-ldap-as-userdatabase/m-p/662865#M421482 johannf 2019-03-10T22:00:40Z https://community.cisco.com/t5/network-access-control/acs-4-x-and-ldap-as-userdatabase/m-p/662866#M421483 <HTML><HEAD></HEAD><BODY><P>Its not a matter of Cisco allowing it. LDAP databases dont generally support MSCHAP despite (during my time at Cisco) constant nagging.</P><P></P><P>I guess if enough customers moaned loud enough at the LDAP vendors they might support it natively.</P><P></P><P>The only way I know it can be made to work is a very nasty hack where the LDAP db basically has to store another value which the AAA server requests (and treats as a password) in order to do the MSCHAP locally. So you also end up with 2 passwords for each user.</P><P></P><P>If you do this you might as well let anyone on your network. Afterall, if your AAA server can get the password... who else can?</P></BODY></HTML> Tue, 27 Feb 2007 13:39:08 GMT https://community.cisco.com/t5/network-access-control/acs-4-x-and-ldap-as-userdatabase/m-p/662866#M421483 darpotter 2007-02-27T13:39:08Z https://community.cisco.com/t5/network-access-control/acs-4-x-and-ldap-as-userdatabase/m-p/662867#M421484 <HTML><HEAD></HEAD><BODY><P>OK thanks, but then I don't understand that Freeradius support MSCHAP, and ACS does'nt.</P><P></P><P></P><P>JF</P><P></P></BODY></HTML> Wed, 28 Feb 2007 07:39:10 GMT https://community.cisco.com/t5/network-access-control/acs-4-x-and-ldap-as-userdatabase/m-p/662867#M421484 johannf 2007-02-28T07:39:10Z https://community.cisco.com/t5/network-access-control/acs-4-x-and-ldap-as-userdatabase/m-p/662868#M421485 <HTML><HEAD></HEAD><BODY><P>I take your point.. its a balance between functionality verses security.</P><P></P><P>Cisco could choose to add a cludge solution. But generally the golden rule of all password repositories should be passwords go in - never out.</P><P></P><P>Since LDAP itself cant/wont support MSCHAP natively you need to implement a "back door" to allow plain text passwords out of LDAP back into the AAA server.</P><P></P><P>You then have issues of password management, but more importantly.. how secure is the system you will have built?</P><P></P><P></P></BODY></HTML> Wed, 28 Feb 2007 11:11:38 GMT https://community.cisco.com/t5/network-access-control/acs-4-x-and-ldap-as-userdatabase/m-p/662868#M421485 darpotter 2007-02-28T11:11:38Z