Cisco ESA and ISE Integration using RADIUS and AD Authentication

aamir.aleem
Level 1

Hello Community,

 

I am in the process of integrating the Cisco ESA and Cisco ISE for admin authentication using RADIUS, and I have used the link below, which was straightforward, and I was able to make most of the features work.

 

https://www.cisco.com/c/en/us/support/docs/security/secure-email-gateway/217163-asyncos-external-authentication-with-cis.html

 

But I am facing a weird issue: when authenticating an admin using the internal user store, but (within the user options) selecting AD as the password store, I get a wrong password error, when I am certain that the password is correct.

 

When using another user from the same identity group and assigning an internal password for the user within ISE, I am able to successfully log in and get the authorization profile to work as well.

 

I have made sure that the correct Authentication rule is taking effect as the logs mention that and the same AD password works for other devices and I am able to successfully login.

The class attribute mentioned in the link also is working correctly when the internal password is chosen.

 

Your thoughts would be appreciated.

 

I am attaching the following:

 

1. The error message saying the password is wrong.

2. The config within the user option pointing to AD

3. The user pointing to the internal store (which works).

 

 

Thanks and Regards


Aamir Aleem

Accepted Solution

Arne Bier
VIP

Hi @aamir.aleem 

 

Can you set the ESA to use PAP instead of CHAP/MD5? I think that might be the issue.

We see this also in Prime Infrastructure when PI is set to CHAP - setting it to PAP then works.

 

 


4 Replies


Hi Arne,

 

Thanks for the reply.

You are right! It worked when I changed it to PAP.

 

Are you aware if this has been documented as a bug? Since you say it's the same behavior in Prime as well, it should be documented.

 

 

Thanks and Regards

 

Aamir Aleem

Hi

 

Sadly it's not a bug. 

Have a look at this nice table - Windows AD stores the passwords as an "NT hash" - therefore the CHAP is not supported.

 

Applications are the problem - apps like ESA and Prime should support MSCHAP or better. 
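As an added illustration, not taken from Arne's post or from Cisco, the Python sketch below shows why the behaviour above follows from the protocols themselves: RFC 2865 PAP hides the User-Password reversibly under the shared secret, so the RADIUS server recovers the cleartext and can check it against a store that holds only a one-way hash (or bind with it), whereas the RFC 1994 CHAP response is MD5 over the cleartext secret, which a store holding only an NT hash can never recompute (MS-CHAPv2, by contrast, derives its response from the NT hash, which is why it works against AD). The sample password, shared secret and store dictionaries are constructed, and SHA-256 stands in for MD4 in the NT-hash step.

```python
import hashlib
import os
from typing import Optional

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: reversible User-Password hiding keyed by the shared secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def pap_unhide(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The RADIUS server reverses the hiding and so holds the cleartext password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: MD5(Identifier || secret || challenge); only computable from the cleartext."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def nt_hash_stand_in(password: bytes) -> bytes:
    # AD stores MD4(UTF-16LE(password)), the "NT hash". SHA-256 stands in for MD4 here
    # (MD4 is often disabled in OpenSSL); the only property that matters is that it is one-way.
    return hashlib.sha256(password.decode().encode("utf-16le")).digest()

def verify(store: dict, request: dict, secret: bytes) -> Optional[bool]:
    """True/False when the store can check the request, None when it cannot (an Access-Reject,
    which the ESA shows as a wrong password). store: {"cleartext"} = ISE internal user, {"nt_hash"} = AD."""
    if request["method"] == "PAP":
        cleartext = pap_unhide(request["user_password"], secret, request["authenticator"])
        if "cleartext" in store:
            return cleartext == store["cleartext"]
        return nt_hash_stand_in(cleartext) == store["nt_hash"]
    if "cleartext" not in store:
        return None  # CHAP: a one-way hash cannot be turned back into the secret MD5 needs
    return chap_response(request["ident"], store["cleartext"], request["challenge"]) == request["response"]

def demo() -> dict:
    secret, password = b"radius-shared-secret", b"Str0ngAdminPw!"  # constructed sample values
    auth, challenge = os.urandom(16), os.urandom(16)
    pap = {"method": "PAP", "authenticator": auth, "user_password": pap_hide(password, secret, auth)}
    chap = {"method": "CHAP", "ident": 1, "challenge": challenge, "response": chap_response(1, password, challenge)}
    internal, ad = {"cleartext": password}, {"nt_hash": nt_hash_stand_in(password)}
    return {"internal_chap": verify(internal, chap, secret), "ad_chap": verify(ad, chap, secret),
            "ad_pap": verify(ad, pap, secret), "internal_pap": verify(internal, pap, secret)}
```

Running demo() reproduces the thread: the internal user passes with CHAP, the AD-backed user fails with CHAP and passes once the ESA is switched to PAP.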

 

Hi Arne,

 

Noted. This makes complete sense.

Well, as per protocol security, since CHAP is better, I had decided to use it.

 

I think our friends at Cisco should note this point and align it in their future product advancements.

 

 

Aamir