03-15-2013 04:47 AM - edited 03-10-2019 08:12 PM
We are in the slow process of setting up ISE for 802.1x for all our users. Our Windows guys are working great so far with AD, but our Mac guys use their own LDAP server. I have successfully configured the LDAP server into ISE and I am able to authenticate to the LDAP server with switches (PAP) and Linux (EAP-GTC). Currently, I cannot get the OSX computers to use PEAP/EAP to authenticate to their LDAP. They can authenticate to ISE using the internal database. According to the ISE documentation, EAP-GTC is pretty much the only option for LDAP that uses some sort of security if you are using usernames and passwords. Unfortunately, we do not have direct access to our organization's certificate authority, so issuing each computer a trusted cert is a bit of a challenge.
Does anyone have some advice on setting up OSX computers to use ISE against LDAP? I cannot find any documentation on the Apple side that shows EAP-GTC is supported, and we would prefer to stay away from PAP clear text for security reasons.
Thanks.
03-15-2013 05:29 AM
Michael,
Your only option is to use EAP-TLS, because PEAP-MSCHAPv2 is a hash-based protocol that isn't supported in the LDAP protocol. You have to join ISE to AD and cannot even use AD as an LDAP DB, because MSCHAPv2 will not work.
Hope this link helps:
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.html
Thanks,
Tarik Admani
*Please rate helpful posts*
03-15-2013 05:38 AM
Thanks for the quick answer Tarik. I had a feeling that was going to be the answer.
In order for EAP-TLS to work, does the ISE appliance and the client need to share a same CA? Or is it possible to have multiple certs for the different authentication methods?
The reason I ask is that the ISE appliance has a cert used for authenticating with AD. Our Mac guys might have a different cert from a different CA.
Thanks!
03-15-2013 05:44 AM
Michael,
You can use a different CA to authenticate the Mac users; you will have to create a certificate authentication profile. First you need to import the root and all intermediate CAs into the CA store in ISE (and make sure you check trust for client authentication). Configuration notes for this can be found here:
http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_admin.html#wp1122804
Tarik Admani
*Please rate helpful posts*
03-15-2013 05:47 AM
Thanks again Tarik! I have a path forward at least. I'll set up an internal CA just for our Apple guys.
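As an added illustration of the path the thread settles on (not code from the thread or from Cisco), the script below builds a small internal PKI with openssl: a root CA, an issuing (intermediate) CA, and a per-user client certificate carrying the clientAuth EKU, then validates the chain for the TLS-client purpose, which is the same property ISE relies on when a CA is marked as trusted for client authentication. The CA names, the user name, the e-mail SAN, lifetimes and the scratch directory are all constructed for the example; the deliberately misissued "server-only" certificate is there only to show the purpose check rejecting a leaf that lacks clientAuth.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal private PKI for EAP-TLS Macs,
# built with openssl. All names, paths and lifetimes are illustrative assumptions.
# Chain: "Example Mac Root CA" -> "Example Mac Issuing CA" -> per-user client cert.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys, CSRs and certs

# issue_cert NAME SUBJECT EXTFILE [ISSUER]
# Generates NAME.key and NAME.csr, then signs NAME.crt with ISSUER's key;
# with no ISSUER the certificate is self-signed (used for the root).
issue_cert() {
    name="$1"; subject="$2"; extfile="$3"; issuer="${4:-}"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subject" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
            -days 3650 -sha256 -extfile "$extfile" -out "$WORK/$name.crt" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.crt" \
            -CAkey "$WORK/$issuer.key" -CAcreateserial -days 365 -sha256 \
            -extfile "$extfile" -out "$WORK/$name.crt" 2>/dev/null
    fi
}

build_pki() {
    # CA extensions: basicConstraints CA:TRUE plus keyCertSign are what let the
    # chain validate; pathlen:0 keeps the issuing CA from creating further sub-CAs.
    cat > "$WORK/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
    cat > "$WORK/subca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
EOF
    # Leaf for one Mac user: the clientAuth EKU (and digitalSignature KU) are what
    # make it acceptable as an EAP-TLS client certificate.
    cat > "$WORK/client.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth
subjectAltName=email:mac-user01@example.test
authorityKeyIdentifier=keyid:always
EOF
    # Misissued leaf with serverAuth only, to show the purpose check rejecting it.
    cat > "$WORK/server-only.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
EOF
    issue_cert root        "/CN=Example Mac Root CA"    "$WORK/ca.ext"
    issue_cert subca       "/CN=Example Mac Issuing CA" "$WORK/subca.ext"       root
    issue_cert client      "/CN=mac-user01"             "$WORK/client.ext"      subca
    issue_cert server-only "/CN=not-a-client"           "$WORK/server-only.ext" subca
}

# verify_client_cert CERT: exit 0 only if CERT chains to root.crt through
# subca.crt AND is usable as a TLS client (clientAuth EKU, digitalSignature KU).
verify_client_cert() {
    openssl verify -purpose sslclient -CAfile "$WORK/root.crt" \
        -untrusted "$WORK/subca.crt" "$1" >/dev/null 2>&1
}

build_pki
verify_client_cert "$WORK/client.crt" && echo "client.crt: valid for EAP-TLS client auth"
verify_client_cert "$WORK/server-only.crt" || echo "server-only.crt: rejected (no clientAuth EKU)"
```

In the thread's terms, root.crt and subca.crt are the certificates to import into the ISE certificate store with trust for client authentication ticked, while client.key and client.crt are what each Mac needs (for delivery, `openssl pkcs12 -export -inkey client.key -in client.crt -certfile subca.crt -out mac-user01.p12` bundles them). The `-purpose sslclient` check is worth keeping in any issuance script: a leaf that validates as a chain but carries the wrong EKU is exactly the kind of mistake that only shows up as a failed 802.1X authentication later.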
03-15-2013 12:31 PM
I was actually able to force the OSX computers to use EAP-GTC by disabling EAP-MSCHAP on ISE. This is obviously an issue for our AD guys. It seems that OSX tries MS-CHAP first, then it gives up. There has to be a way to only allow some protocols for certain identity stores. I'll have to keep looking into it.
03-15-2013 01:06 PM
Michael,
Have you tried setting the preferred EAP type to GTC and then enabling both MSCHAPv2 and GTC? Hopefully the Windows clients can behave a little better.
Thanks,
Tarik Admani
*Please rate helpful posts*
03-15-2013 05:29 PM
I did not see that option in ISE or OSX, unfortunately. For some reason, if OSX sees MSCHAP is available, it tries that first.
Sent from Cisco Technical Support iPhone App