Cisco Employee

ISE with LDAP using PEAP or MSCHAPv2

Hi Team,

I have a customer using LDAP and RADIUS using PEAP and MSCHAPv2 protocols.

They are evaluating ISE, but using ISE with LDAP does not support PEAP or MSCHAPv2.

The customer is asking us for a reason: why doesn't ISE support these protocols?

Is this on the roadmap? Is ISE going to support them?

Please help with this question.

Contributor

Re: ISE with LDAP using PEAP or MSCHAPv2

I am not sure where you read that LDAP and these protocols are not supported.

I have not tested this, but I think it might work; you just must create a new Identity Source Sequence

where you will use AD and LDAP_AD,

and use it in the authorization policy. In authentication, use the protocols that you need for your deployment.

And I saw one more thing: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCul55352/?rfs=iqvred

Cisco Employee

Re: ISE with LDAP using PEAP or MSCHAPv2

Sorry for the confusion in the note. ISE supports LDAP, but ISE will not support PEAP and MSCHAPv2 with LDAP; you can see Table 2 "Authentication Protocols and Supported External Identity Sources" in the following link:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter…

The customer's question is why, and whether we have any roadmap for that?

Cisco Employee

Re: ISE with LDAP using PEAP or MSCHAPv2

We do not discuss roadmaps in this forum.

Please contact your Cisco representative for additional information.

Cisco Employee

Re: ISE with LDAP using PEAP or MSCHAPv2

Thanks Danny, sorry for the roadmap question. But is there any reason why ISE doesn't support specific authentication protocols such as PEAP and MSCHAPv2?

VIP Advocate

Re: ISE with LDAP using PEAP or MSCHAPv2

The way I understand it, it's a technical limitation of how the passwords are stored in the LDAP "database".

You can perform ASCII/PAP authentication to an LDAP directory (because the password that is sent in the auth request is simply a string comparison with the plain text password stored in the LDAP directory). But you cannot perform CHAP etc. because there is neither a simple password sent by the client, nor is there a simple password stored on the external directory. E.g. in AD, the client and server perform a handshake protocol, hence the name Challenge-Handshake Authentication Protocol (I don't completely understand it - google it), and this is where the complexity comes in.

Have a read of this too

Deploying RADIUS: Protocol and Password Compatibility

If you want the real gory details (actually an excellent explanation by a somewhat militant-sounding Alan DeKok (FreeRADIUS dev)), then check this out: Users - Chap authentication against LDAP

Having said that, Aruba ClearPass appears to support this: LDAP Authentication Source Configuration - so maybe the technical argument is an old one.

It's confusing for sure
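
The password-compatibility argument in the reply above, as an added illustration that is not part of the thread or of any Cisco or FreeRADIUS code: the directory entries, salt and challenge are constructed, and plain CHAP (RFC 1994, MD5 over id, secret and challenge) stands in for the MS-CHAPv2 family, which has the same shape but needs the NT hash instead of the cleartext. PAP can be checked against any one-way hash the directory stores; a challenge-response can only be checked when the server can obtain the secret itself.

```python
import hashlib
import hmac

# Constructed directory entries: an LDAP server normally stores userPassword
# as a one-way salted hash such as {SSHA}; {CLEARTEXT} is shown only to
# contrast what a challenge-response verifier would need.
def make_ssha(password: bytes, salt: bytes) -> bytes:
    """OpenLDAP-style {SSHA}: SHA-1(password || salt) followed by the salt."""
    return hashlib.sha1(password + salt).digest() + salt

def verify_pap(entry: dict, candidate: bytes) -> bool:
    """PAP/ASCII: the client sends the password itself, so the server can
    re-hash it with the stored salt and compare. Works with any hash scheme."""
    scheme, stored = entry["userPassword"]
    if scheme == "SSHA":
        salt = stored[20:]  # everything after the 20-byte SHA-1 digest
        return hmac.compare_digest(make_ssha(candidate, salt), stored)
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(candidate, stored)
    raise ValueError(f"unknown password scheme {scheme}")

def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) client side: MD5(id || secret || challenge).
    The password never leaves the client; only this digest is sent."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()

def verify_chap(entry: dict, chap_id: int, challenge: bytes, response: bytes) -> bool:
    """CHAP server side: the server must recompute the same digest, which
    requires the secret itself. A directory that only holds {SSHA} (or any
    other one-way hash) cannot supply it, so verification is impossible.
    MS-CHAPv2 behaves the same way but needs the NT hash of the password."""
    scheme, stored = entry["userPassword"]
    if scheme != "CLEARTEXT":
        raise ValueError(
            f"cannot verify CHAP against a {{{scheme}}} userPassword: the secret "
            "is not recoverable from a one-way hash")
    expected = chap_response(chap_id, stored, challenge)
    return hmac.compare_digest(expected, response)

def supported_protocols(entry: dict) -> set:
    """Which RADIUS password protocols this entry can back; this is the
    compatibility-table argument from the thread in miniature."""
    scheme = entry["userPassword"][0]
    return {"PAP", "CHAP"} if scheme == "CLEARTEXT" else {"PAP"}
```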

Cisco Employee

Re: ISE with LDAP using PEAP or MSCHAPv2

It's mainly due to planning and priority.

Beginner

Re: ISE with LDAP using PEAP or MSCHAPv2

@ldanny what do you mean by "it's a matter of planning and priority"? I have a similar scenario with a big client who wants a global implementation of ISE, and I have been trying to find the solution.

@gugonza2, how did you solve your situation?

Cisco Employee

Re: ISE with LDAP using PEAP or MSCHAPv2

Cisco Employee

Re: ISE with LDAP using PEAP or MSCHAPv2

Thanks Arne, Danny for your answers.