Cisco ISE - AD integration

muthumohan
Level 1

Hi,

I just have a basic question. When ISE is integrated with AD to authenticate Windows users, what exactly goes on between the ISE and AD? For example, if ISE sends an "Access-Challenge" to the client PC, the PC will respond with the hash of the challenge string and the user password (i.e. the MD4 hash of the password). For ISE to verify this, ISE must know the user password (i.e. the MD4 hash of the password) stored in the AD. How does ISE come to know the user passwords? Does AD allow access to the user passwords for the ISE? What AD privilege does ISE have to get this information?

I would appreciate it if anyone could explain what goes on between ISE and AD while authenticating the users. How does AD see the ISE?

Also, what is the password used while performing machine authentication in windows?

Thanks in advance,

Regards,

Mohan Muthu

6 Replies

Tarik Admani
VIP Alumni

Hi,

The hash is sent to Active Directory to determine if it is valid.

For machine authentication the password is set dynamically once the computer joins AD and is set by the client, and by default rotates every 30 days.

http://blogs.technet.com/b/askds/archive/2009/02/15/test2.aspx

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi Tarik,

Thank you for your answers. But it is still not very clear to me. According to my understanding, this is what happens between ISE and the client PC. Please correct me if I am wrong.

1. ISE (RADIUS Server) sends a challenge (16-octet authenticator string) to the client PC.

2. The client PC calculates HASH_A of this authenticator string + shared secret key.

3. Then the client PC XORs HASH_A from step 2 with the MD4 hash of the user password to get the cipher text.

4. The client PC sends this resultant 16-octet cipher text string back to ISE.

5. ISE will have to do the reverse to verify the user password. First of all, it must get HASH_A (calculated in step 2). To get this, it must know the MD4 hash of the user password. This is where my question is. How does ISE know the MD4 hash of the user password to undo the operation of step 3 on the ISE side? That is, without the user password's hash, ISE will not be able to perform the reverse operation to verify the cipher text.

Please feel free to correct me if I am wrong anywhere.

Thanks again for your help with machine authentication process. That is very useful.

Regards,

Mohan

Hi,

This isn't very well documented even internally. With MS-CHAP there is an RPC call that is made from the ISE to AD in order to validate the username and password. Basically, in the Access-Request and Access-Challenge, not only is the hash exchanged but the PEAP tunnel is also built in order to protect the user credentials.

If you don't mind me asking, why are you so curious about how the password is exchanged?

thanks,

Tarik Admani
*Please rate helpful posts*

Hello Tarik,

Thanks again for your quick response.

I am a technical trainer and I need to get to the bottom of things before I take a class. I was going over the authentication process step-by-step, and was not clear on how exactly the user password (that is stored in AD) is verified by ISE. I don't think AD will reveal the user password to anyone. So, I was wondering how exactly the username is verified by ISE.

I will dig deep into this and let you know if I find the answer.

Thanks for your help and time.

Regards,

Mohan

Mohan,

Here is the RFC for MS-CHAPv2, which is used for PEAP.

http://www.ietf.org/rfc/rfc2759.txt

Maybe this will help.

I am more than happy to help, please remember to rate any feedback you find helpful.
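The exchange the thread keeps circling back to, worked through as an added example (this is not code from the original posts, from Cisco or from Microsoft): the RFC 2759 MS-CHAPv2 computations on both ends of the protocol, in Go. `supplicantResponse` plays the Windows client, the only party that has the cleartext password; `dcVerify` plays the domain controller, the only party that has the stored NT hash (MD4 over the UTF-16LE password, what AD keeps in `unicodePwd`). Everything the RADIUS server sits between, the username, both 16-byte challenges and the 24-byte NT-Response, is enough for the DC to recompute the expected response and compare, which is why ISE never needs the hash itself and can hand the check to AD over the RPC call Tarik mentions. The `store` map stands in for the DC's account database, the function names are this example's own, and the inline MD4 is there only because Go's standard library does not ship one.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"unicode/utf16"
)

// md4 is a compact RFC 1320 implementation; Go's standard library does not ship MD4.
func md4(data []byte) []byte {
	f := func(x, y, z uint32) uint32 { return (x & y) | (^x & z) }
	g := func(x, y, z uint32) uint32 { return (x & y) | (x & z) | (y & z) }
	h := func(x, y, z uint32) uint32 { return x ^ y ^ z }
	k3 := [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
	s1, s2, s3 := [4]uint{3, 7, 11, 19}, [4]uint{3, 5, 9, 13}, [4]uint{3, 9, 11, 15}
	msg := append(append([]byte{}, data...), 0x80)
	msg = append(msg, make([]byte, (120-len(msg)%64)%64)...) // pad to 56 mod 64
	msg = binary.LittleEndian.AppendUint64(msg, uint64(len(data))*8)
	st := [4]uint32{0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476}
	for off := 0; off < len(msg); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(msg[off+4*i:])
		}
		r := st
		step := func(fn func(a, b, c uint32) uint32, i, k int, s uint, c uint32) {
			j := (4 - i%4) % 4 // registers are updated in the order A, D, C, B
			v := r[j] + fn(r[(j+1)%4], r[(j+2)%4], r[(j+3)%4]) + x[k] + c
			r[j] = v<<s | v>>(32-s)
		}
		for i := 0; i < 16; i++ {
			step(f, i, i, s1[i%4], 0) // round 1
		}
		for i := 0; i < 16; i++ {
			step(g, i, (i%4)*4+i/4, s2[i%4], 0x5a827999) // round 2
		}
		for i := 0; i < 16; i++ {
			step(h, i, k3[i], s3[i%4], 0x6ed9eba1) // round 3
		}
		for i := range st {
			st[i] += r[i]
		}
	}
	var out []byte
	for _, v := range st {
		out = binary.LittleEndian.AppendUint32(out, v)
	}
	return out
}

// ntPasswordHash is what AD stores for the account (unicodePwd): MD4 over the UTF-16LE password.
func ntPasswordHash(password string) []byte {
	var b []byte
	for _, c := range utf16.Encode([]rune(password)) {
		b = append(b, byte(c), byte(c>>8))
	}
	return md4(b)
}

// challengeHash folds both 16-byte challenges and the username into the 8-byte DES plaintext (RFC 2759 8.2).
func challengeHash(peer, auth []byte, user string) []byte {
	sum := sha1.Sum(append(append(append([]byte{}, peer...), auth...), user...))
	return sum[:8]
}

// ntResponseFromHash is the 24-byte NT-Response: the challenge DES-encrypted under each of the
// three 7-byte slices of the zero-padded NT hash (RFC 2759 8.5). Only the hash is needed, never the password.
func ntResponseFromHash(challenge, ntHash []byte) []byte {
	z := make([]byte, 21)
	copy(z, ntHash)
	out := make([]byte, 24)
	for i := 0; i < 3; i++ {
		var bits uint64 // spread 56 key bits over 8 bytes; crypto/des ignores the low parity bit
		for _, b := range z[7*i : 7*i+7] {
			bits = bits<<8 | uint64(b)
		}
		key := make([]byte, 8)
		for j := range key {
			key[j] = byte(bits>>(49-7*uint(j))&0x7f) << 1
		}
		c, _ := des.NewCipher(key)
		c.Encrypt(out[8*i:], challenge)
	}
	return out
}

// supplicantResponse is the Windows client's side: only it has the cleartext password.
func supplicantResponse(authChal, peerChal []byte, user, password string) []byte {
	return ntResponseFromHash(challengeHash(peerChal, authChal, user), ntPasswordHash(password))
}

// dcVerify is the domain controller's side: only it has the stored NT hash. ISE, as the RADIUS
// server, just relays username, both challenges and the 24-byte response, and receives a verdict.
// (store is a stand-in for the DC's account database; hypothetical, for this example only.)
func dcVerify(store map[string][]byte, authChal, peerChal []byte, user string, ntResp []byte) bool {
	ntHash, ok := store[user]
	expect := ntResponseFromHash(challengeHash(peerChal, authChal, user), ntHash)
	return ok && subtle.ConstantTimeCompare(expect, ntResp) == 1
}
```

Feeding it the RFC 2759 section 9.2 vector (user "User", password "clientPass", the published AuthenticatorChallenge and PeerChallenge) reproduces the published NT-Response beginning 82 30 9E CD, and `dcVerify` accepts it against a store holding only `ntPasswordHash("clientPass")`. Note that the three DES keys are taken straight from the NT hash, so anyone who captures a challenge and its response can brute-force the hash offline; that is the reason the exchange is carried inside the PEAP TLS tunnel Tarik refers to above.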

Ravi Singh
Level 7

Please read the attached PDF. It will describe the communication process of ISE with AD.