https://community.cisco.com/t5/network-access-control/why-we-do-not-support-this-authentication-protocol-eap-mschap/m-p/3501656#M496898 <HTML><HEAD></HEAD><BODY><P><SPAN lang="EN-US" style="font-size: 10.0pt;">I have a public sector customer with external LDAP as user database, and they are using right now a ClearPass as radius Server. </SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;">This kind of customers are from Education Sector, where the pc &amp; notebook are old, and in many cases don’t have support or aren´t&nbsp;&nbsp; managed centrally., so installing a client or certificate is not an option.</SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;"> </SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;">The authentication protocol is EAP-MSCHAPv1/v2 with LDAP as external identity source is the only choice for them.</SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;"> </SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;">Today everything is working fine for them, but in the migration process from ClearPass to ISE, the problem is the lack of support of this combination (EAP-MSCHAP with LDAP ( Oracle or OpenLdap ) as external database.</SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;">Now the workaround is using the ISE as proxy radius of ClearPAss, but this is not a satisfactory solution for the customer.</SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;">This issue is not only for this specific customer, as we will have the same problem in almost all Public Sector customers if we want to go with ISE as solution.</SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;"> </SPAN><SPAN style="font-size: 10pt;"> </SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;">I have a specific question regarding why we do not support this Authentication protocol with External identity source like:</SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;"> </SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;">MSCHAPv1/v2&nbsp; with LDAP (LDAP as Ext.Identity Source)</SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;"> or</SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;">EAP-MSCHAPv2 with LDAP (LDAP as Ext.Identy Source)</SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;"> </SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;">I need to answer with technical detail information about why we don´t support it but ClearPass does. </SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;">I Repeat it is not an option&nbsp; using&nbsp;&nbsp; the ISE as proxy radius of ClearPass.</SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;">I have not&nbsp; found any document with a detailed answer&nbsp; to explain to&nbsp; my customer why it does not&nbsp; work.</SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;">I need you help.</SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;"> </SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;">Regards</SPAN></P><P> Leo</P></BODY></HTML> Mon, 18 Jun 2018 21:23:16 GMT lemontan 2018-06-18T21:23:16Z https://community.cisco.com/t5/network-access-control/why-we-do-not-support-this-authentication-protocol-eap-mschap/m-p/3501656#M496898 <HTML><HEAD></HEAD><BODY><P><SPAN lang="EN-US" style="font-size: 10.0pt;">I have a public sector customer with external LDAP as user database, and they are using right now a ClearPass as radius Server. </SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;">This kind of customers are from Education Sector, where the pc &amp; notebook are old, and in many cases don’t have support or aren´t&nbsp;&nbsp; managed centrally., so installing a client or certificate is not an option.</SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;"> </SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;">The authentication protocol is EAP-MSCHAPv1/v2 with LDAP as external identity source is the only choice for them.</SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;"> </SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;">Today everything is working fine for them, but in the migration process from ClearPass to ISE, the problem is the lack of support of this combination (EAP-MSCHAP with LDAP ( Oracle or OpenLdap ) as external database.</SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;">Now the workaround is using the ISE as proxy radius of ClearPAss, but this is not a satisfactory solution for the customer.</SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;">This issue is not only for this specific customer, as we will have the same problem in almost all Public Sector customers if we want to go with ISE as solution.</SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;"> </SPAN><SPAN style="font-size: 10pt;"> </SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;">I have a specific question regarding why we do not support this Authentication protocol with External identity source like:</SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;"> </SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;">MSCHAPv1/v2&nbsp; with LDAP (LDAP as Ext.Identity Source)</SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;"> or</SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;">EAP-MSCHAPv2 with LDAP (LDAP as Ext.Identy Source)</SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;"> </SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;">I need to answer with technical detail information about why we don´t support it but ClearPass does. </SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;">I Repeat it is not an option&nbsp; using&nbsp;&nbsp; the ISE as proxy radius of ClearPass.</SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;">I have not&nbsp; found any document with a detailed answer&nbsp; to explain to&nbsp; my customer why it does not&nbsp; work.</SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;">I need you help.</SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;"> </SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt;">Regards</SPAN></P><P> Leo</P></BODY></HTML> Mon, 18 Jun 2018 21:23:16 GMT https://community.cisco.com/t5/network-access-control/why-we-do-not-support-this-authentication-protocol-eap-mschap/m-p/3501656#M496898 lemontan 2018-06-18T21:23:16Z https://community.cisco.com/t5/network-access-control/why-we-do-not-support-this-authentication-protocol-eap-mschap/m-p/3501657#M496901 <HTML><HEAD></HEAD><BODY><P>Mainly due to planning and priority. Please discuss it with our PM team.</P></BODY></HTML> Mon, 18 Jun 2018 21:28:27 GMT https://community.cisco.com/t5/network-access-control/why-we-do-not-support-this-authentication-protocol-eap-mschap/m-p/3501657#M496901 hslai 2018-06-18T21:28:27Z https://community.cisco.com/t5/network-access-control/why-we-do-not-support-this-authentication-protocol-eap-mschap/m-p/3501658#M496902 <HTML><HEAD></HEAD><BODY><P>To add a bit more color, to make the MSCHAP password accessible available to LDAP requires that you reduce password security by storing the password in cleartext and regenerate hash for use in auth exchange, or store in a reversibly encrypted LDAP store.&nbsp; Still, customers have expressed a desire to implement such functionality even if not as secure as AD password storage, so feature has been raised in priority.&nbsp; Use of Secure LDAP may reduce some of the security concerns.&nbsp; In any case, the original decision not to include LDAP support for PEAP-EAP-MSCHAPv2 was based on security concerns that another vendor may never even mention to their customer.</P><P></P><P>Craig</P></BODY></HTML> Tue, 19 Jun 2018 12:31:22 GMT https://community.cisco.com/t5/network-access-control/why-we-do-not-support-this-authentication-protocol-eap-mschap/m-p/3501658#M496902 Craig Hyps 2018-06-19T12:31:22Z