https://community.cisco.com/t5/wireless/wireless-authentication-cisco-ise-using-ldap/m-p/4182188#M17526 <P>I am using 5520 WLC and AP 9120 with 8.1.102.0 code to authenticate clients via ISE 2.6 using Novel LDAP as identity source.</P><P>It appears that MSCHAPv1/v2, EAP-MSCHAPV2 and PEAP are not supported on LDAP.</P><P>&nbsp;</P><P>Please advise the possible ways to do it. Its urgent and time sensitive project.</P><P>&nbsp;</P><P>Thank you!</P> Mon, 05 Jul 2021 19:46:47 GMT atsetheodros 2021-07-05T19:46:47Z https://community.cisco.com/t5/wireless/wireless-authentication-cisco-ise-using-ldap/m-p/4182188#M17526 <P>I am using 5520 WLC and AP 9120 with 8.1.102.0 code to authenticate clients via ISE 2.6 using Novel LDAP as identity source.</P><P>It appears that MSCHAPv1/v2, EAP-MSCHAPV2 and PEAP are not supported on LDAP.</P><P>&nbsp;</P><P>Please advise the possible ways to do it. Its urgent and time sensitive project.</P><P>&nbsp;</P><P>Thank you!</P> Mon, 05 Jul 2021 19:46:47 GMT https://community.cisco.com/t5/wireless/wireless-authentication-cisco-ise-using-ldap/m-p/4182188#M17526 atsetheodros 2021-07-05T19:46:47Z https://community.cisco.com/t5/wireless/wireless-authentication-cisco-ise-using-ldap/m-p/4182356#M17527 <P>The issue is with the passwords in LDAP - (the passwords should not be transmitted, but rather, a hash is transmitted).</P> <P>LDAP repositories are suited to PAP/ASCII password exchanges. And neither of those are supported inner EAP methods <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <P>&nbsp;</P> <P>Is there any way you could get those LDAP identities into ISE itself? It might require some coding and regular sync, but if the username and password existed in ISE, then you can do EAP and MSCHAPv1/2 inner method.</P> <P>The obvious solution would be to migrate the users to Active Directory ... instead of Novel <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> <P>&nbsp;</P> <P>I believe there are <A href="https://gtacknowledge.extremenetworks.com/articles/How_To/HOW-TO-Configure-Generic-LDAP-w-MSCHAPv2-Based-Authentication-in-Identity-Engines" target="_self">people on the internet</A> who have got this to work -but they had to create password hashes for all of the accounts and then store this hashed password as an additional attribute per user. Quite clever - it means that ISE would have to retrieve that attribute during authentication, and not the regular user password. I cannot verify this but it sounds very promising.</P> <P>&nbsp;</P> Wed, 11 Nov 2020 20:14:54 GMT https://community.cisco.com/t5/wireless/wireless-authentication-cisco-ise-using-ldap/m-p/4182356#M17527 Arne Bier 2020-11-11T20:14:54Z