topic No support of EAP-MSCHAPv2 with EAP-TTLS using Azure AD in Network Access Control

No support of EAP-MSCHAPv2 with EAP-TTLS using Azure AD

jitendrac — Sun, 30 Jun 2024 05:47:11 GMT

Hi All,

Per Cisco Identity Services Engine Administrator Guide, Release 3.3 under Table 13. Authentication Protocols and Supported External Identity Sources. It is mentioned that EAP-MSCHAPv2 (as an inner method of EAP-TTLS) is not supported with REST External Identity Sources like Azure AD.

If Windows Native Supplicant allows you to configure EAP-MSCHAPv2 (as an inner method of EAP-TTLS), then why is ISE not supporting it?

Is this restriction from the ISE side OR the Azure AD Side?

Re: No support of EAP-MSCHAPv2 with EAP-TTLS using Azure AD

Arne Bier — Sun, 30 Jun 2024 21:13:33 GMT

Hi @jitendrac

The only supported inner authentication method I know of that is supported by AzureAD and ISE, is PAP (Plain Auth Protocol).

The reason why, is for the same reason that we cannot do MSCHAPv2 to an LDAP repository - e.g. if ISE talks to an active directory domain controller using LDAP, then you cannot perform MSCHAPv2, because the "challenge" handshake process involved in the password checking, is a special process that happens. MSCHAPv2 works only when ISE is integrated (joined) to the domain controller and used Kerberos (and all that other stuff I don't understand ...). Thus, the only solution with ISE talking to LDAP, is PAP. ISE presents the username and password to the LDAP server, and the LDAP server compares the credentials in its databased - if it matches then the response is positive, else, the auth fails. MSCHAP is much more complicated and there are various versions that Microsoft developed over the years. My suspicion is that on the Azure side, there is no support for any method other than PAP. ROPC builds the secure tunnel between ISE and Azure. What you do in that tunnel is secured - hence no need for the complicated CHAP song and dance routine.

Username/password credentials checking is likely to become extinct one day because Microsoft is slowly replacing those ageing methods with more complicated forms, sometimes based on biometrics (i.e. Windows Hello). Windows Credential Guard feature is another thing that throws a spanner in the works - you can disable it, but it's not advised.

Re: No support of EAP-MSCHAPv2 with EAP-TTLS using Azure AD

ahollifield — Mon, 01 Jul 2024 14:57:05 GMT

https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-entra-id-and-intune/ta-p/4763635

Re: No support of EAP-MSCHAPv2 with EAP-TTLS using Azure AD

thomas — Mon, 08 Jul 2024 17:51:45 GMT

See ▷ What's New in ISE 3.0 > 08:28 802.1X with Azure AD using ROPC
for the explanation of Why this will not work.

Azure AD != Active Directory

Thankfully, Microsoft finally renamed "Azure AD" to Entra ID to prevent this common misunderstanding.