ISE-LDAP Authentication issue
06-13-2022 12:49 AM - edited 06-13-2022 02:09 AM
Hi Team,
Our team has been using LDAP and RADIUS with the MSCHAPv2 protocol.
- They are evaluating ISE, but using ISE with LDAP is not getting dot1x authentication.
- ISE is getting logs for the switch 2960-X and tested MAB authentication.
What is the reason that, when dot1x is enabled, ISE does not receive the logs for the same?
How do I enable 802.1X authentication on endpoints that are connected to an LDAP server?
Labels: Identity Services Engine (ISE)
06-13-2022 01:30 AM
Not sure what you mean by "not supported"? MSCHAPv2 will be the inner authentication method between the NAD (e.g. your switch) and the ISE server when using PEAP. LDAP can still be used between the ISE server and AD. The overall result shows that MSCHAPv2 can still be used while ISE uses LDAP with AD.
Go through this doc for a better understanding of how things work.
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.html
**** please remember to rate useful posts

06-13-2022 09:47 PM
Identity Stores using direct LDAP connection do not support PEAP-MSCHAPv2 due to the way the passwords are stored/secured. See the 'Authentication Protocols and Supported External Identity Sources' table in the ISE Admin Guide.
If you need to use PEAP-MSCHAPv2, you would need to integrate ISE with Active Directory as per this guide.
If you need to use LDAP instead of AD Integration, you would need to use an authentication protocol supported by LDAP, like EAP-TLS.

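The second answer's point, that a direct LDAP identity store cannot serve PEAP-MSCHAPv2 because of how the directory stores and exposes passwords, comes down to a property of challenge/response protocols: the authentication server must itself hold the password-equivalent secret to recompute the client's response. A directory that only answers "is this password correct?" via a simple bind can verify PAP (the RADIUS server receives the password) but has nothing to compute an MSCHAPv2 response from. The following model is an added example, not ISE code or anything from Cisco's documentation; the two store classes, the hypothetical `LdapBindOnlyStore`/`HashExposingStore` names, and the user data are constructed, and the SHA-256/HMAC functions stand in for the MD4 NT hash and DES-based response of real MSCHAPv2 (RFC 2759) purely to keep it runnable with the standard library.

```python
"""Model of why a bind-only LDAP store can verify PAP but not MSCHAPv2.

Added illustration; hashes and response function are simplified stand-ins,
not the real MSCHAPv2 primitives.
"""
import hashlib
import hmac
import os


def password_equivalent_hash(password: str) -> bytes:
    """Stand-in for the NT hash: a deterministic, unsalted digest of the password.
    Real MSCHAPv2 uses MD4 over the UTF-16LE password; SHA-256 is used here so the
    example runs without extra libraries."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


class LdapBindOnlyStore:
    """Constructed model of a generic LDAP directory: credentials are checked by
    a simple bind, and the directory never hands out a password-equivalent hash
    (passwords are typically salted/hashed server-side or not readable at all)."""

    def __init__(self, users: dict[str, str]):
        self._users = users  # constructed sample data: dn -> password

    def bind(self, dn: str, password: str) -> bool:
        return self._users.get(dn) == password

    def password_hash(self, dn: str) -> bytes:
        raise PermissionError("directory exposes bind only, not password hashes")


class HashExposingStore:
    """Constructed model of an identity store that can supply the password-equivalent
    hash to the authentication server (the role AD integration plays for ISE)."""

    def __init__(self, users: dict[str, str]):
        self._hashes = {u: password_equivalent_hash(p) for u, p in users.items()}

    def bind(self, user: str, password: str) -> bool:
        return hmac.compare_digest(self._hashes[user], password_equivalent_hash(password))

    def password_hash(self, user: str) -> bytes:
        return self._hashes[user]


def client_response(challenge: bytes, password: str) -> bytes:
    """Supplicant side of the challenge/response: proves knowledge of the password
    without sending it. Keyed on the password-equivalent hash, as MSCHAPv2 is."""
    return hmac.new(password_equivalent_hash(password), challenge, hashlib.sha256).digest()


def verify_pap(store, user: str, password: str) -> bool:
    """PAP: the RADIUS server has the password itself, so a bind suffices."""
    return store.bind(user, password)


def verify_challenge_response(store, user: str, challenge: bytes, response: bytes):
    """MSCHAPv2-style verification: the server must recompute the expected response,
    which requires the password-equivalent hash. Returns True/False when the store
    can supply it, and None when the store cannot verify at all."""
    try:
        key = store.password_hash(user)
    except PermissionError:
        return None  # bind-only store: nothing to recompute the response from
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Runs both authentication styles against both store models."""
    users = {"alice": "correct-horse"}  # constructed sample user
    challenge = os.urandom(16)
    response = client_response(challenge, "correct-horse")
    ldap, ad_like = LdapBindOnlyStore(users), HashExposingStore(users)
    return {
        "pap_ldap": verify_pap(ldap, "alice", "correct-horse"),
        "chap_ldap": verify_challenge_response(ldap, "alice", challenge, response),
        "pap_ad_like": verify_pap(ad_like, "alice", "correct-horse"),
        "chap_ad_like": verify_challenge_response(ad_like, "alice", challenge, response),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `chap_ldap` result of `None` is the situation the answer describes: with a direct LDAP identity store the server has no way to verify the PEAP-MSCHAPv2 inner exchange, which is why the supported alternatives are either AD integration (the store can check the response) or a method such as EAP-TLS that authenticates with a certificate and needs no password-derived secret on the server.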