ISE 3.0.0.458 p#1 and Google LDAPS

Hi Everyone,

I have successfully configured an LDAPS binding between Cisco ISE and Google LDAPS (available with Cloud Identity Premium) and I can retrieve users and groups (needed custom schema settings). I was able to do that only by using a Linux server with stunnel to proxy the connection.

Is there a chance to connect to Google LDAPS directly from Cisco ISE? What seems to be the issue is the lack of support for LDAP authentication via certificate, as it is a Google LDAPS requirement.

Thank you!

1 Reply

Additionally, I have been working on creating an authorization flow that would match group membership from Google LDAP after fetching the username from a user certificate where the CN is the email of the user.

So far I have been unable to get the External LDAP groups.

Thinking it was a problem with the subject format, I tried a dummy PAP authentication against the Google LDAP identity store, and I could authenticate and retrieve extra attributes, but there was no way I could retrieve group membership.

I also tried adding "memberOf" as an additional attribute in the LDAP connector in ISE, and when I can process the authentication with PAP I can also retrieve data from these attributes, but in Wireless EAP-TLS there is no chance to go through the authentication flow (no binary comparison available for certs since Google LDAP hosts no user certificate...) and so I cannot retrieve any attribute to use in the authorization flow.

Long story, was anyone able to make this work, or does anyone have any suggestion?