https://community.cisco.com/t5/network-access-control/ise-2-4-p4-problems-with-eap-md5-authentication/m-p/3750068#M487995 <P>Hi,</P> <P>&nbsp;</P> <P>EAP-MD5 authentication is supported for internal database only (according to the documentation), but I assumed the user account associated with EAP-MD5 can be configured locally but get its password externally.</P> <P>&nbsp;</P> <P>Apparently this doesn't work well, since I changed the password in AD for the user and yet it still authenticates correctly. Same goes for disabling the user in AD. However, if I make the user&nbsp;internal&nbsp;(don't check the External checkbox) then password verification and disable checks work fine.&nbsp;</P> <P>&nbsp;</P> <P>From the looks of things this means I need to manage all EAP-MD5 users locally on ISE, and I can't use AD to manage their passwords.&nbsp;</P> <P>&nbsp;</P> <P>Is this correct?</P> Tue, 20 Nov 2018 15:44:16 GMT Nadav 2018-11-20T15:44:16Z https://community.cisco.com/t5/network-access-control/ise-2-4-p4-problems-with-eap-md5-authentication/m-p/3749521#M487992 <P>Hi everyone,</P> <P>&nbsp;</P> <P>EAP-MD5 is supported only with internal database, so I made a local user identity group with a single user. That user is a shadow user that external authenticates with my external identity source (Active Directory).</P> <P>&nbsp;</P> <P>So:&nbsp; MyUser (External) --- &gt; MyUserGroup</P> <P>&nbsp;</P> <P>Here are some issues I've seen:&nbsp;</P> <P>1) When authenticating with EAP-MD5, if I disable the user in AD the authentication still works.&nbsp;</P> <P>2) When authenticating with EAP-MD5, even if I were to block all communications between PSN and AD authentication still works.</P> <P>&nbsp;</P> <P>My policy set for EAP-MD5:</P> <P>1) Allow protocol EAP-MD5</P> <P>2) Authenticate from "Internal Users"</P> <P>3) Authorize InternalUser.IdentityGroup EQUALS User Identity Groups: MyUserGroup</P> <P>&nbsp;</P> <P>Any ideas why it's not performing proper checks with AD?</P> <P>&nbsp;</P> <P>Thanks!</P> Mon, 19 Nov 2018 19:49:08 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-p4-problems-with-eap-md5-authentication/m-p/3749521#M487992 Nadav 2018-11-19T19:49:08Z https://community.cisco.com/t5/network-access-control/ise-2-4-p4-problems-with-eap-md5-authentication/m-p/3749558#M487993 What does your default authentication rule look like for the policy set and how is it configured?<BR /><BR />Regards,<BR />-Tim<BR /> Mon, 19 Nov 2018 20:52:04 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-p4-problems-with-eap-md5-authentication/m-p/3749558#M487993 Timothy Abbott 2018-11-19T20:52:04Z https://community.cisco.com/t5/network-access-control/ise-2-4-p4-problems-with-eap-md5-authentication/m-p/3749573#M487994 It's DenyAccess. Either it passes the EAP-MD5 rule, or is dropped<BR /> Mon, 19 Nov 2018 21:11:04 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-p4-problems-with-eap-md5-authentication/m-p/3749573#M487994 Nadav 2018-11-19T21:11:04Z https://community.cisco.com/t5/network-access-control/ise-2-4-p4-problems-with-eap-md5-authentication/m-p/3750068#M487995 <P>Hi,</P> <P>&nbsp;</P> <P>EAP-MD5 authentication is supported for internal database only (according to the documentation), but I assumed the user account associated with EAP-MD5 can be configured locally but get its password externally.</P> <P>&nbsp;</P> <P>Apparently this doesn't work well, since I changed the password in AD for the user and yet it still authenticates correctly. Same goes for disabling the user in AD. However, if I make the user&nbsp;internal&nbsp;(don't check the External checkbox) then password verification and disable checks work fine.&nbsp;</P> <P>&nbsp;</P> <P>From the looks of things this means I need to manage all EAP-MD5 users locally on ISE, and I can't use AD to manage their passwords.&nbsp;</P> <P>&nbsp;</P> <P>Is this correct?</P> Tue, 20 Nov 2018 15:44:16 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-p4-problems-with-eap-md5-authentication/m-p/3750068#M487995 Nadav 2018-11-20T15:44:16Z https://community.cisco.com/t5/network-access-control/ise-2-4-p4-problems-with-eap-md5-authentication/m-p/3751943#M487996 Any ideas? Fri, 23 Nov 2018 14:54:34 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-p4-problems-with-eap-md5-authentication/m-p/3751943#M487996 Nadav 2018-11-23T14:54:34Z