topic Re: ISE-LDAP Authentication issue in Network Access Control

ISE-LDAP Authentication issue

rahul.k1 — Mon, 13 Jun 2022 09:09:05 GMT

Hi Team,

Our team have been using LDAP and RADIUS using MSCHAPv2 protocol

They are evaluating ISE but, using ISE with LDAP is not getting dot1x authentication
ISE is getting logs for the switch 2960-x and tested the MAB authentication

What is the reason that when the dot1x is enabled, ISE does not receive the logs for the same ?

How do I enable 801.1x authentication in endpoints that are connected to an LDAP server ?

Re: ISE-LDAP Authentication issue

Mohammed al Baqari — Mon, 13 Jun 2022 08:30:19 GMT

Hi,

Not sure what do you mean by not supported.? MSCHAPv2 will be the inner
authentication method between NAD (e.g. your switch) and ISE server
when using PEAP. LDAP can still be used between ISE server and AD. The
overall result shows that MSCHAPv2 can still be used while ISE uses LDAP
with AD.

Go through this doc for between understanding on how things work.

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.html

**** please remember to rate useful posts

Re: ISE-LDAP Authentication issue

Greg Gibbs — Tue, 14 Jun 2022 04:47:31 GMT

Identity Stores using direct LDAP connection do not support PEAP-MSCHAPv2 due to the way the passwords are stored/secured. See the 'Authentication Protocols and Supported External Identity Sources' table in the ISE Admin Guide.

If you need to use PEAP-MSCHAPv2, you would need to integrate ISE with Active Directory as per this guide.

If you need to use LDAP instead of AD Integration, you would need to use an authentication protocol supported by LDAP, like EAP-TLS.