12-21-2021 05:43 AM
Hello Community,
I am in the process of integrating the Cisco ESA and Cisco ISE for admin authentication using RADIUS, and I have used the below link, which was straightforward, and I was able to make most of the features work.
But I am facing a weird issue: when authenticating an admin using the Internal user store, but selecting AD as the password store (within the user options), I get a wrong-password error, when I am certain that the password is correct.
When using another user from the same identity group and assigning an internal password for the user within ISE, I am able to successfully log in and get the authorization profile to work as well.
I have made sure that the correct Authentication rule is taking effect, as the logs mention that, and the same AD password works for other devices, where I am able to successfully log in.
The class attribute mentioned in the link also works correctly when the internal password is chosen.
Your thoughts would be appreciated.
I am attaching the following:
1. The error message saying the password is wrong.
2. The config within the user option pointing to AD
3. The user pointing to the internal store (which works).
Thanks and Regards
Aamir Aleem
12-21-2021 04:27 PM
Hi @aamir.aleem
Can you set the ESA to use PAP instead of CHAP/MD5? I think that might be the issue.
We see this also in Prime Infrastructure when PI is set to CHAP - setting it to PAP then works.
12-21-2021 09:50 PM - edited 12-21-2021 09:51 PM
Hi Arne,
Thanks for the reply.
You are right! It worked when I changed it to PAP.
Are you aware if this has been documented as a bug? Since you say it's the same behavior in Prime as well, it should be documented.
Thanks and Regards
Aamir Aleem
12-21-2021 10:14 PM
Hi
Sadly it's not a bug.
Have a look at this nice table - Windows AD stores the passwords as an "NT hash" - therefore the CHAP is not supported.
Applications are the problem - apps like ESA and Prime should support MSCHAP or better.
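To make the point in the reply above concrete, here is an added worked example (not code from the thread, nor from Cisco): a tiny simulation of a RADIUS server checking a CHAP response and a PAP password against two kinds of password store. CHAP (RFC 1994) requires the server to recompute MD5(Identifier || password || Challenge), which is only possible when the store holds the cleartext password; with a store that holds only a one-way hash (as AD does with the NT hash) the server cannot verify the response and the attempt fails exactly like a wrong password. With PAP the server receives the password itself (hidden in transit per RFC 2865 section 5.2), so it can hash it with whatever the store uses and compare. The NT hash is stood in for with SHA-256 because MD4 is often unavailable in Python's hashlib; the shared secret, user password and function names are constructed for this example.

```python
import hashlib
import os
import secrets

# Stand-in for the backend store's one-way hash. Real AD uses the
# MD4-based NT hash; SHA-256 is used here only because hashlib MD4
# support varies by platform. The property that matters is identical:
# the cleartext cannot be recovered from the stored value.
def one_way_hash(password: bytes) -> bytes:
    return hashlib.sha256(password).digest()


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify_chap(ident: int, challenge: bytes, response: bytes, store_entry: dict) -> bool:
    """store_entry is {'cleartext': bytes} (internal store) or {'hash': bytes} (AD-like)."""
    if "cleartext" in store_entry:
        expected = chap_response(ident, store_entry["cleartext"], challenge)
        return secrets.compare_digest(expected, response)
    # Only a one-way hash on file: the server has no way to rebuild
    # MD5(id || password || challenge), so the login is rejected. From the
    # client's side this is indistinguishable from a wrong password.
    return False


def radius_encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, XOR each block with an MD5 chain."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return out


def radius_decode_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of the hiding above; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return out.rstrip(b"\x00")


def verify_pap(hidden: bytes, secret: bytes, authenticator: bytes, store_entry: dict) -> bool:
    """With PAP the server holds the cleartext, so either store type works."""
    cleartext = radius_decode_user_password(hidden, secret, authenticator)
    if "cleartext" in store_entry:
        return secrets.compare_digest(cleartext, store_entry["cleartext"])
    return secrets.compare_digest(one_way_hash(cleartext), store_entry["hash"])


def simulate(method: str, store_entry: dict, password: bytes = b"Secret123") -> bool:
    """One login attempt: the client knows `password`, the server knows `store_entry`."""
    if method == "chap":
        ident, challenge = 1, os.urandom(16)
        response = chap_response(ident, password, challenge)  # client side
        return verify_chap(ident, challenge, response, store_entry)  # server side
    secret, authenticator = b"radius-shared-secret", os.urandom(16)  # constructed values
    hidden = radius_encode_user_password(password, secret, authenticator)  # NAS side
    return verify_pap(hidden, secret, authenticator, store_entry)  # server side


if __name__ == "__main__":
    pw = b"Secret123"
    internal = {"cleartext": pw}            # ISE internal user with its own password
    ad_like = {"hash": one_way_hash(pw)}    # password store that only keeps a hash
    for method in ("chap", "pap"):
        for name, store in (("internal", internal), ("ad-like", ad_like)):
            print(f"{method.upper():4} against {name:8}: {simulate(method, store, pw)}")
```

Run as-is, the matrix shows CHAP succeeding only against the cleartext store and PAP succeeding against both, which is the behaviour observed in this thread. It also shows why the usual "CHAP is better because the password never crosses the wire" argument does not help here: PAP inside RADIUS still hides the password with the shared secret, and the practical protection for the RADIUS leg is a strong shared secret or RadSec/IPsec, while the store-compatible choices for AD-backed logins are PAP or MS-CHAPv2.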
12-21-2021 11:15 PM
Hi Arne,
Noted. This makes complete sense.
Well, since CHAP is better in terms of protocol security, I had decided to use it.
I think our friends at Cisco should note this point and align it in their future product advancements.
Aamir