11-19-2018 11:49 AM
Hi everyone,
EAP-MD5 is supported only with the internal database, so I made a local user identity group with a single user. That user is a shadow user that authenticates externally against my external identity source (Active Directory).
So: MyUser (External) ---> MyUserGroup
Here are some issues I've seen:
1) When authenticating with EAP-MD5, if I disable the user in AD the authentication still works.
2) When authenticating with EAP-MD5, even if I were to block all communications between the PSN and AD, authentication still works.
My policy set for EAP-MD5:
1) Allow protocol EAP-MD5
2) Authenticate from "Internal Users"
3) Authorize InternalUser.IdentityGroup EQUALS User Identity Groups: MyUserGroup
Any ideas why it's not performing proper checks with AD?
Thanks!
11-19-2018 12:52 PM
11-19-2018 01:11 PM
11-20-2018 07:44 AM
Hi,
EAP-MD5 authentication is supported for the internal database only (according to the documentation), but I assumed the user account associated with EAP-MD5 could be configured locally and get its password externally.
Apparently this doesn't work well, since I changed the password in AD for the user and yet it still authenticates correctly. Same goes for disabling the user in AD. However, if I make the user internal (don't check the External checkbox) then password verification and disable checks work fine.
From the looks of things, this means I need to manage all EAP-MD5 users locally on ISE, and I can't use AD to manage their passwords.
Is this correct?
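The two posts above ask why an EAP-MD5 "shadow" user is never checked against AD. The following is an added example, not code from the original thread and not Cisco ISE code; it models the EAP-MD5 exchange as specified in RFC 3748 section 5.4 (MD5-Challenge, which reuses the CHAP computation from RFC 1994). The peer answers a random challenge with MD5(Identifier || Secret || Challenge), so the authenticator can only verify the answer if it holds the cleartext secret itself. An external directory that only answers "does this password bind?" (here `BindOnlyStore`, an assumed stand-in for AD) never releases the secret, so there is nothing to recompute against. The class names, user name `MyUser`, the password, the challenge bytes and the `disabled` flag are all constructed for the illustration; the page does not describe ISE internals, and this model does not claim to.

```python
"""Model of EAP-MD5 (MD5-Challenge) verification, RFC 3748 s.5.4 / RFC 1994.

Added example: not from the forum thread and not Cisco ISE code. All names,
users and sample values below are constructed for illustration.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def md5_challenge_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response Value per RFC 1994 s.4.1: MD5(Identifier || Secret || Challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("the EAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def peer_respond(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """What the EAP peer (supplicant) sends back: it needs the cleartext password."""
    return md5_challenge_value(identifier, password, challenge)


class InternalStore:
    """Store that holds the cleartext secret (stand-in for ISE 'Internal Users')."""

    def __init__(self, users: Dict[str, bytes]):
        self._users = dict(users)

    def secret_for(self, username: str) -> Optional[bytes]:
        return self._users.get(username)


class BindOnlyStore:
    """Assumed stand-in for AD: it can confirm a cleartext password (a bind) and
    honours a disabled flag, but it never hands the secret out."""

    def __init__(self, users: Dict[str, bytes], disabled: Tuple[str, ...] = ()):
        self._users = dict(users)
        self._disabled = set(disabled)

    def bind(self, username: str, password: bytes) -> bool:
        if username in self._disabled:
            return False
        stored = self._users.get(username)
        return stored is not None and hmac.compare_digest(stored, password)


def verify_against_internal(store: InternalStore, username: str, identifier: int,
                            challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute the expected value from the stored secret."""
    secret = store.secret_for(username)
    if secret is None:
        return False
    expected = md5_challenge_value(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def verify_against_bind_store(store: BindOnlyStore, username: str, identifier: int,
                              challenge: bytes, response: bytes) -> Tuple[bool, str]:
    """Authenticator side with a bind-only directory. The wire carries only the
    MD5 digest, never the password, so no bind can be attempted and the
    directory's password or disabled state is never consulted."""
    return (False, "EAP-MD5 response cannot be checked by a bind: the cleartext "
                   "password is not available to the authenticator")


def new_challenge() -> bytes:
    """Random challenge; RFC 1994 requires it to be unpredictable and unique."""
    return os.urandom(16)


if __name__ == "__main__":
    password = b"Constructed-Example-Pw"          # constructed sample secret
    internal = InternalStore({"MyUser": password})
    ad = BindOnlyStore({"MyUser": password}, disabled=("MyUser",))
    ident, chal = 7, new_challenge()
    resp = peer_respond(ident, password, chal)
    print("internal store verifies:", verify_against_internal(internal, "MyUser", ident, chal, resp))
    print("AD bind for disabled user:", ad.bind("MyUser", password))
    print("AD verify of EAP-MD5 response:", verify_against_bind_store(ad, "MyUser", ident, chal, resp))
```

The model reproduces the two observations from the thread: the internal-store path succeeds using the locally held secret regardless of what the directory would say, and the bind-only path can never succeed because the exchange never gives the authenticator a cleartext password to bind with. The practical caveat for a deployment is that an EAP-MD5 user's lifecycle (password changes, disabling) has to be managed wherever the cleartext secret lives.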
11-23-2018 06:54 AM