05-03-2021 08:56 AM
Hello,
I have a Prime Infrastructure server (v3.4) currently configured with external authentication using the PAP method.
An audit recommends we move to CHAP authentication, but we also want to authenticate users based on AD accounts.
Is there a way to achieve this?
So far I've found that I can either:
1. Authenticate users with the PAP method against AD accounts through ISE (v2.2) or Microsoft NPS.
2. Authenticate users with the CHAP method against internal users on ISE.
I need to have both CHAP authentication configured on Prime and users able to log in with their AD accounts, but it's starting to look like this is simply not possible.
Does someone know a working design to achieve this?
Thank you for your time,
Have a nice day.
05-03-2021 01:54 PM
If you can enable "Store password using reversible encryption" on those users, then in theory it will enable CHAP for that account.
Having said that, I believe you also need to reset the password to force Windows to store it in the reversible format.
I tried all this and it did not work for me. Perhaps it's disabled elsewhere in Windows 2012 and onwards. Either way, CHAP is not a great method. But better than PAP I guess.
Have a play and let us know if you get it working.
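Added example, not part of any post in this thread: a sketch of the CHAP check from RFC 1994, showing why the verifier needs the cleartext (or reversibly stored) password, while PAP can be checked against a one-way hash. The SHA-256 `one_way` function is an assumed stand-in for a directory's one-way password store, not AD's real format, and the password is a constructed sample.

```python
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def one_way(password: bytes) -> bytes:
    # Assumption: SHA-256 stands in for whatever one-way hash the
    # identity store keeps; the point is only that it cannot be reversed.
    return hashlib.sha256(password).digest()


def verify_chap(ident: int, challenge: bytes, response: bytes,
                stored_secret: bytes) -> bool:
    # The server must recompute the MD5 over the same secret the client
    # used, so it needs the password itself, not a hash of it.
    expected = chap_response(ident, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def verify_pap(submitted_password: bytes, stored_hash: bytes) -> bool:
    # With PAP the server receives the password, so it can hash the
    # submitted value and compare against a one-way store.
    return hmac.compare_digest(one_way(submitted_password), stored_hash)


def demo() -> dict:
    password = b"Constructed-Passw0rd"      # constructed sample value
    ident, challenge = 7, os.urandom(16)    # server-issued challenge
    response = chap_response(ident, password, challenge)  # client side
    return {
        "chap_with_cleartext": verify_chap(ident, challenge, response, password),
        "chap_with_hash_only": verify_chap(ident, challenge, response,
                                           one_way(password)),
        "pap_with_hash_only": verify_pap(password, one_way(password)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```
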
05-05-2021 12:01 AM
Hello,
Thank you for your answer.
Unfortunately I don't think the client will agree to a trial and error approach.
If this is not supported, that's fine and we can move on, but ideally I would have a design or documentation piece explaining that it's not supported and why.
I also think it's strange that Prime only supports CHAP and PAP as external authentication methods.
05-05-2021 05:43 AM
Hi tom.barat@dimensiondata.com
Please take a look at: ISE Administrator Guide, 2.7, search for Authentication Protocols and Supported External Identity Sources.
Hope this helps!!!