802.1x ISE, LDAP, and OSX 10.8.2

mkriss5681
Level 1

We are in the slow process of setting up ISE for 802.1x for all our users. Our Windows guys are working great so far with AD, but our Mac guys use their own LDAP server. I have successfully configured the LDAP server into ISE and I am able to authenticate to the LDAP server with switches (PAP) and Linux (EAP-GTC). Currently, I cannot get the OSX computers to use PEAP/EAP to authenticate to their LDAP. They can authenticate to ISE using the internal database. According to the ISE documentation, EAP-GTC is pretty much the only option for LDAP that uses some sort of security if you are using usernames and passwords. Unfortunately, we do not have direct access to our organization's certificate authority, so issuing each computer a trusted cert is a bit of a challenge.

Does anyone have some advice on setting up OSX computers to use ISE against LDAP? I cannot find any documentation on the Apple side that shows EAP-GTC is supported, and we would prefer to stay away from PAP clear text for security reasons.

Thanks.

2 Accepted Solutions


7 Replies

Tarik Admani
VIP Alumni

Michael,

Your only option is to use EAP-TLS because PEAP-MSCHAPv2 is a hash-based protocol that isn't supported in the LDAP protocol. You have to join ISE to AD and cannot even use AD as an LDAP DB because MSCHAPv2 will not work.

Hope this link helps:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.html

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks for the quick answer Tarik. I had a feeling that was going to be the answer.

In order for EAP-TLS to work, do the ISE appliance and the client need to share the same CA? Or is it possible to have multiple certs for the different authentication methods?

The reason I ask is that the ISE appliance has a cert used for authenticating with AD. Our Mac guys might have a different cert from a different CA.

Thanks!

Michael,

You can use a different CA to authenticate the Mac users; you will have to create a certificate authentication profile. First you need to import the root and all intermediate CAs into the CA store in ISE (and make sure you check trust for client authentication). Configuration notes for this can be found here:

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_admin.html#wp1122804

Tarik Admani
*Please rate helpful posts*

Thanks again Tarik! I have a path forward at least. I'll set up an internal CA just for our Apple guys.

I was actually able to force the OSX computers to use EAP-GTC by disabling EAP-MSCHAP on ISE. This is obviously an issue for our AD guys. It seems that OSX is trying MS-CHAP first, then it gives up. There has to be a way to only allow some protocols for certain identity stores. I'll have to keep looking into it.

Michael,

Have you tried setting the preferred EAP type to GTC and then enabling both MSCHAPv2 and GTC? Hopefully the Windows clients can behave a little better.

Thanks,

Tarik Admani
*Please rate helpful posts*

I did not see that option in ISE or OSX unfortunately. For some reason, if OSX sees MSCHAP is available it tries that first.