ISE 2.4 P4: Problems with EAP-MD5 authentication

Nadav (Level 7)

Hi everyone,

EAP-MD5 is supported only with the internal database, so I made a local user identity group with a single user. That user is a shadow user that authenticates externally against my external identity source (Active Directory).

So: MyUser (External) ---> MyUserGroup

Here are some issues I've seen:

1) When authenticating with EAP-MD5, if I disable the user in AD the authentication still works.

2) When authenticating with EAP-MD5, even if I block all communication between the PSN and AD, authentication still works.

My policy set for EAP-MD5:

1) Allow protocol EAP-MD5

2) Authenticate from "Internal Users"

3) Authorize InternalUser.IdentityGroup EQUALS User Identity Groups: MyUserGroup

Any ideas why it's not performing proper checks with AD?

Thanks!

4 Replies

Timothy Abbott (Cisco Employee)
What does your default authentication rule look like for the policy set and how is it configured?

Regards,
-Tim

It's DenyAccess. Either it passes the EAP-MD5 rule, or it is dropped.

Hi,

EAP-MD5 authentication is supported for the internal database only (according to the documentation), but I assumed the user account associated with EAP-MD5 could be configured locally and get its password externally.

Apparently this doesn't work well, since I changed the password in AD for the user and yet it still authenticates correctly. Same goes for disabling the user in AD. However, if I make the user internal (don't check the External checkbox), then password verification and disable checks work fine.

From the looks of things this means I need to manage all EAP-MD5 users locally on ISE, and I can't use AD to manage their passwords.

Is this correct?

Any ideas?
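The protocol-level background to the observation above, as an added example that is not part of the original thread and makes no claim about how ISE implements the external-password shadow user: EAP-MD5 is the CHAP algorithm of RFC 1994 carried inside EAP (RFC 3748 section 5.4). The server issues a random challenge and must recompute MD5(Identifier || password || Challenge) itself to check the peer's digest, so it needs the cleartext password on its own side. A credential store that can only answer "is this password correct?" (an LDAP simple bind, or a Kerberos exchange against Active Directory) has nothing to feed into that computation, so it cannot verify an EAP-MD5 response at all. The user name `MyUser` is taken from the post; the password, the server name `ise-psn` and the two store classes are constructed for the example.

```python
"""EAP-MD5 (MD5-Challenge) exchange, both sides, showing what the server must hold."""
import hashlib
import hmac
import os

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_MD5_CHALLENGE = 4  # RFC 3748 section 5.4


def chap_digest(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5(Identifier || Secret || Challenge).
    Peer and server both need the cleartext secret to compute this."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def build_md5_packet(code: int, identifier: int, value: bytes, name: bytes) -> bytes:
    """EAP header (Code, Identifier, Length) + MD5-Challenge body: Type | Value-Size | Value | Name."""
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    length = 4 + len(body)
    return bytes([code, identifier & 0xFF]) + length.to_bytes(2, "big") + body


def parse_md5_packet(packet: bytes):
    """Return (code, identifier, value, name); reject malformed packets."""
    if len(packet) < 6:
        raise ValueError("EAP packet too short")
    code, identifier = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    if length != len(packet) or packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an EAP MD5-Challenge packet")
    value_size = packet[5]
    if 6 + value_size > length:
        raise ValueError("Value-Size exceeds packet length")
    return code, identifier, packet[6:6 + value_size], packet[6 + value_size:length]


def supplicant_respond(request: bytes, username: bytes, password: bytes) -> bytes:
    """Peer side: hash the server's challenge with its own password, reply with the digest and its name."""
    code, identifier, challenge, _server_name = parse_md5_packet(request)
    if code != EAP_REQUEST:
        raise ValueError("expected EAP-Request")
    digest = chap_digest(identifier, password, challenge)
    return build_md5_packet(EAP_RESPONSE, identifier, digest, username)


class CleartextStore:
    """Store that holds the password in recoverable form (assumption: what a
    locally managed password amounts to for this purpose)."""

    def __init__(self, users: dict):
        self.users = users  # constructed sample data: name -> password

    def verify(self, identifier: int, challenge: bytes, name: bytes, digest: bytes):
        password = self.users.get(name)
        if password is None:
            return False
        return hmac.compare_digest(chap_digest(identifier, password, challenge), digest)


class BindOnlyStore:
    """Store that only answers 'is this password right?' (an LDAP bind or a
    Kerberos pre-authentication) and never hands the password back."""

    def __init__(self, users: dict):
        self._users = users  # constructed sample data, hidden behind check_password

    def check_password(self, name: bytes, candidate: bytes) -> bool:
        return self._users.get(name) == candidate  # the only operation offered

    def verify(self, identifier: int, challenge: bytes, name: bytes, digest: bytes):
        # Recomputing MD5(id || password || challenge) needs the password itself.
        # A yes/no oracle over candidate passwords cannot supply it, so this
        # store has no way to verify an EAP-MD5 response; report "undecidable".
        return None


def run_exchange(store, username: bytes, client_password: bytes, identifier: int = 0x2A) -> int:
    """Server side: issue a fresh random challenge, take the peer's response, decide."""
    challenge = os.urandom(16)
    request = build_md5_packet(EAP_REQUEST, identifier, challenge, b"ise-psn")  # server name is constructed
    response = supplicant_respond(request, username, client_password)
    code, resp_id, digest, name = parse_md5_packet(response)
    if code != EAP_RESPONSE or resp_id != identifier or len(digest) != 16:
        return EAP_FAILURE  # wrong code, stale identifier or bad digest length
    # None (cannot verify) is treated exactly like a wrong digest: deny.
    return EAP_SUCCESS if store.verify(resp_id, challenge, name, digest) else EAP_FAILURE


if __name__ == "__main__":
    users = {b"MyUser": b"Secr3t!"}  # constructed credentials
    print("cleartext store, right password:", run_exchange(CleartextStore(users), b"MyUser", b"Secr3t!"))
    print("cleartext store, wrong password:", run_exchange(CleartextStore(users), b"MyUser", b"nope"))
    print("bind-only store, right password:", run_exchange(BindOnlyStore(users), b"MyUser", b"Secr3t!"))
```

The bind-only case fails even with the correct password, which is the point: the verification step is not "ask the directory", it is "recompute the digest", and that is only possible where the password itself is available to the authenticating server.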