https://community.cisco.com/t5/network-access-control/cisco-prime-authentication-using-chap-and-active-directory/m-p/4397117#M567096 <P>Hello,</P><P>&nbsp;</P><P>I have a prime infrastructure server (v3.4) currently configured with external authentication using PAP method.</P><P>An audit recommends we move to CHAP authentication, but we also want to authenticate users based on AD accounts.</P><P>Is there a way to achieve this ?</P><P>&nbsp;</P><P>So far i've found that i can either :</P><P>1. Authenticate users with the PAP method against AD accounts through ISE (v2.2) or Microsoft NPS.</P><P>2. Authenticate users with the CHAP method against internal users on ISE.</P><P>&nbsp;</P><P>I need to have both CHAP authentication configured on Prime and users able to login with their AD accounts, but it's starting to look like this is simply not possible.</P><P>&nbsp;</P><P>&nbsp;</P><P>Does someone know a working design to achieve this ?</P><P>&nbsp;</P><P>Thank you for your time,</P><P>Have a nice day.</P> Mon, 03 May 2021 15:56:00 GMT tom.barat@dimensiondata.com 2021-05-03T15:56:00Z https://community.cisco.com/t5/network-access-control/cisco-prime-authentication-using-chap-and-active-directory/m-p/4397117#M567096 <P>Hello,</P><P>&nbsp;</P><P>I have a prime infrastructure server (v3.4) currently configured with external authentication using PAP method.</P><P>An audit recommends we move to CHAP authentication, but we also want to authenticate users based on AD accounts.</P><P>Is there a way to achieve this ?</P><P>&nbsp;</P><P>So far i've found that i can either :</P><P>1. Authenticate users with the PAP method against AD accounts through ISE (v2.2) or Microsoft NPS.</P><P>2. Authenticate users with the CHAP method against internal users on ISE.</P><P>&nbsp;</P><P>I need to have both CHAP authentication configured on Prime and users able to login with their AD accounts, but it's starting to look like this is simply not possible.</P><P>&nbsp;</P><P>&nbsp;</P><P>Does someone know a working design to achieve this ?</P><P>&nbsp;</P><P>Thank you for your time,</P><P>Have a nice day.</P> Mon, 03 May 2021 15:56:00 GMT https://community.cisco.com/t5/network-access-control/cisco-prime-authentication-using-chap-and-active-directory/m-p/4397117#M567096 tom.barat@dimensiondata.com 2021-05-03T15:56:00Z https://community.cisco.com/t5/network-access-control/cisco-prime-authentication-using-chap-and-active-directory/m-p/4397272#M567104 <P>If you can enable "<A href="https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption" target="_self">Store password using reversible encryption</A>" on those users, then in theory it will enable CHAP for that account.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="chap.png" style="width: 633px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/119459i405B614C49A862E8/image-size/large?v=v2&amp;px=999" role="button" title="chap.png" alt="chap.png" /></span></P> <P>Having said that, I believe you also need to reset the password to force Windows to store it in the reversible format.</P> <P>I tried all this and it did not work for me. Perhaps it's disabled elsewhere in Windows 2012 and onwards. Either way, CHAP is not a great method. But better than PAP I guess.</P> <P>&nbsp;</P> <P>Have a play and let us know if you get it working.</P> Mon, 03 May 2021 20:54:54 GMT https://community.cisco.com/t5/network-access-control/cisco-prime-authentication-using-chap-and-active-directory/m-p/4397272#M567104 Arne Bier 2021-05-03T20:54:54Z https://community.cisco.com/t5/network-access-control/cisco-prime-authentication-using-chap-and-active-directory/m-p/4397919#M567127 <P>Hello,</P><P>&nbsp;</P><P>Thank you for your answer.</P><P>&nbsp;</P><P>Unfortunatley i don't think the client will agree to a trial and error approach.</P><P>&nbsp;</P><P>If this is not supported, that's fine and we can move on, but ideally i would have a design or documentation piece explaining that it's not supported and why.</P><P>&nbsp;</P><P>I also think it's strange that Prime only supports CHAP and PAP as external authentication methods.</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 05 May 2021 07:01:15 GMT https://community.cisco.com/t5/network-access-control/cisco-prime-authentication-using-chap-and-active-directory/m-p/4397919#M567127 tom.barat@dimensiondata.com 2021-05-05T07:01:15Z https://community.cisco.com/t5/network-access-control/cisco-prime-authentication-using-chap-and-active-directory/m-p/4398129#M567141 <P class="lia-align-justify">Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/796226">tom.barat@dimensiondata.com</a>&nbsp;</P><P class="lia-align-justify">&nbsp;please take a look at: <A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/b_ise_27_admin_guide/b_ISE_admin_27_asset_visibility.html" target="_blank" rel="noopener">ISE Administrator Guide, 2.7</A>, search for <STRONG>Authentication Protocols and Supported External Identity Sources</STRONG>.</P><P class="lia-align-justify"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="04 - Authentication Protocols and Supported External Identity Sources.png" style="width: 752px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/119567i253C9826588554DC/image-dimensions/752x801?v=v2" width="752" height="801" role="button" title="04 - Authentication Protocols and Supported External Identity Sources.png" alt="04 - Authentication Protocols and Supported External Identity Sources.png" /></span></P><P>&nbsp;</P><P>Hope this helps !!!</P> Wed, 05 May 2021 12:43:42 GMT https://community.cisco.com/t5/network-access-control/cisco-prime-authentication-using-chap-and-active-directory/m-p/4398129#M567141 Marcelo Morais 2021-05-05T12:43:42Z