01-06-2014 09:09 AM - edited 03-10-2019 09:14 PM
We are trying to onboard devices for Wireless and are having issues with the fact that mschapv2 isn't supported for LDAP. Our goal is to have the user attach to a single SSID and authenticate using their LDAP credentials, then we pass them on to a supplicant provisioning that will implement EAP-TLS. Is this possible? We don't want to have to add the users as a local user. We won't be able to utilize AD due to multiple LDAP instances.
We have followed the Cisco Press design which says to do PEAP and point it to the LDAP store, but this still gives that result. How can we onboard the devices (iPads, Windows laptops) using LDAP in order to present the SCEP supplicant process?
Thanks,
Joe
01-06-2014 04:00 PM
To add to the previous questions, if you are using EAP-TLS, I assume you have to have a certificate store listed in the identity sequence. If this is the case, is there any way to retrieve group membership with EAP-TLS via LDAP? I would like to use group membership in the authorization policy, but I am not sure that this will work since after the certificate profile is matched the LDAP store isn't queried. Is it possible to do group membership attributes with EAP-TLS and LDAP?
Thanks,
Joe
Sent from Cisco Technical Support iPad App
01-06-2014 11:19 PM
Hi,
You can use the CWA functionality; however, that changes your single SSID wish to a dual SSID setup (because you cannot enable MAC filtering with 802.1x on the same WLAN). From there the user can log in with their LDAP credentials and gain access to the policy that will onboard their personal device.
To your second question, the answer is yes, you should be able to use LDAP groups when using EAP-TLS. I personally have never used an LDAP integration with ISE; that is because all ISE deployments I have worked on have always used AD.
Thanks,
Tarik Admani
*Please rate helpful posts*
01-07-2014 08:20 AM
Thanks for your reply. To follow up, can the CWA utilize the LDAP with Wireless? Would this still not use mschapv2?
From what I can tell, if the authentication profile has the CAP listed in the Identity Sequence and a cert is present on the client, there is no LDAP lookup for the user. The certificate common name is presented to ISE and the user authenticates with no attributes gathered.
Please advise,
Joe