topic Re: ISE with LDAP using PEAP or MSCHAPv2 in Network Access Control

ISE with LDAP using PEAP or MSCHAPv2

gugonza2 — Mon, 18 Jun 2018 12:05:23 GMT

Hi Team,

I have a customer using LDAP and RADIUS using PEAP and MSCHAPv2 protocols.

They are evaluating ISE but, using ISE with LDAP is not supported PEAP or MSCHAPv2.

The customer is asking us for a reason, what is the reason why ISE does´t support this protocols ?

Is in roadmap this ? is going ISE to support them ?

Please your help in this question.

Re: ISE with LDAP using PEAP or MSCHAPv2

ognyan.totev — Mon, 18 Jun 2018 12:15:34 GMT

I am not sure ,where you read that LDAP and these protocols are not supported ??

I am not tested this but i think it might work just you must create a New Identity Source Sequence

Where you will use AD and LDAP_AD

And use it in authorization policy . In authentication use protocols that you need for your deployment.

And i saw one more thing https://bst.cloudapps.cisco.com/bugsearch/bug/CSCul55352/?rfs=iqvred

Re: ISE with LDAP using PEAP or MSCHAPv2

gugonza2 — Mon, 18 Jun 2018 12:22:13 GMT

Sorry for confusion in the note, ISE support LDAP, but ISE will not support PEAP and MSCHAPv2 with LDAP, you can see the Table 2 "Authentication Protocols and Supported External Identity Sources" in the following link:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter…

The customer´s question is Why and if we have any roadmap for that ?

Re: ISE with LDAP using PEAP or MSCHAPv2

ldanny — Mon, 18 Jun 2018 12:32:05 GMT

we do not discuss roadmaps in this forum.

please contact your Cisco representative for additional information.

Re: ISE with LDAP using PEAP or MSCHAPv2

gugonza2 — Mon, 18 Jun 2018 12:34:50 GMT

Thanks Danny, sorry for roadmap question, But, is there any reason why ISE don't´s support specific Authentication protocols such as PEAP and MSCHAPv2 ?

Re: ISE with LDAP using PEAP or MSCHAPv2

Arne Bier — Mon, 18 Jun 2018 22:26:48 GMT

The way I understand it, it's a technical limitation of how the passwords are stored in the LDAP "database".

You can perform ASCII/PAP authentication to an LDAP directory (because the password that is sent in the auth request is simply a string comparison with the plain text password stored in the LDAP directory). But you cannot perform CHAP etc because there is neither a simple password sent by the client, nor is there a simple password stored on the external directory. E.g. in AD, the client and server perform a handshake protocol, hence the name Challenge-Handshake Authentication Protocol (I don't completely understand it - google it) and this is where the complexity comes in.

Have a read of this too

Deploying RADIUS: Protocol and Password Compatibility

If you want the real gory details (actually an excellent explanation by a somewhat militant sounding Alan de Kok (FreeRadius dev) then check this out Users - Chap auhtentication against LDAP

Having said that, Aruba Clearpass appears to support this. LDAP Authentication Source Configuration - so maybe the technical argument is an old one.

It's confusing for sure

Re: ISE with LDAP using PEAP or MSCHAPv2

ldanny — Tue, 19 Jun 2018 10:59:18 GMT

Its mainly due to planning and priority.

Re: ISE with LDAP using PEAP or MSCHAPv2

gugonza2 — Thu, 21 Jun 2018 09:01:57 GMT

Thanks Arne, Danny for your answers.

Re: ISE with LDAP using PEAP or MSCHAPv2

tandemike — Thu, 04 Jul 2019 21:15:55 GMT

@ldanny what do you mean by ""its a matter of planning and Priority".i have a similar scenario which a big client who wants global implementation for ISE and have been trying to find the solution

@gugonza2 how did you solve your situation

Re: ISE with LDAP using PEAP or MSCHAPv2

hslai — Thu, 04 Jul 2019 21:49:10 GMT

See No Comment on Roadmaps or Fixes