ISE: User in LDAP Identity Store has multiple Passwords - depending on Attribute

Hi,

I'm running ISE 2.4 Patch 5 and have to sync with an LDAP Identity Store where they are using the same user with up to five different passwords, depending on the incoming source.

I've configured the Admin Access with the LDAP sync and this is working fine, since there is no LDAP password attribute to send along and it checks the default LDAP password field; everything is OK.

But when the RADIUS request is sourced by, for example, an F5 VPN Concentrator, a different password should be checked, stored in a custom attribute “Pwvpn”.

So the F5 sends the RADIUS request to the ISE and the ISE should check the password under the LDAP attribute “Pwvpn”.

I've tried several things but without any success…

At the moment the customer is running FreeRADIUS, which has worked fine, and we are trying to migrate to ISE…

I've also opened a TAC case where the response was to open a feature request, since this is not supported.

Does anyone have a similar setup or the need for an ISE implementation?

Thanks

Aleks

Accepted Solution

hslai (Cisco Employee)

Cisco TAC is correct that the LDAP connector in ISE does not support another attribute as the password.

From some info on the net, I found only a use case, using the universal password of Novell eDirectory, in the comments of the LDAP module section of radiusd.conf:

#	password_attribute: Define the attribute which contains the user
#	password.
#	While integrating FreeRADIUS with Novell eDirectory, set
#	'password_attribute = nspmpassword' in order to use the universal
#	password of the eDirectory users for RADIUS authentication. This will
#	work only if FreeRADIUS is configured to build with --with-edir option.
#
#	default: NULL - don't add password
#
#	password_attribute = "userPassword"

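As an added illustration, not part of hslai's answer or of anything the thread's participants posted: this is how the `password_attribute` setting quoted above is used in FreeRADIUS 2.x (the radiusd.conf syntax of the quoted comments) to do what the question asks for, i.e. read a different LDAP attribute as the user's password depending on which NAS sent the request. Each ldap module instance can name only one `password_attribute`, so one instance is defined per password attribute and unlang picks the instance. The server name, bind DN, base DN, the instance names `ldap_default` and `ldap_vpn`, and the F5 address 192.0.2.10 are assumptions; `Pwvpn` is the attribute named in the question.

```conf
# radiusd.conf, FreeRADIUS 2.x syntax (added example, not from the thread).
# Two instances of the ldap module; each reads a different LDAP attribute
# as the user's password. Server, DNs and the bind credential are assumed.
modules {
    # Default instance: the standard userPassword attribute (admin access etc.)
    ldap ldap_default {
        server   = "ldap.example.com"
        identity = "cn=radius,ou=services,dc=example,dc=com"
        password = "CHANGE-ME"            # placeholder bind credential
        basedn   = "ou=people,dc=example,dc=com"
        filter   = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        password_attribute = "userPassword"
    }

    # Second instance: same users, same directory, but the password is read
    # from the custom attribute "Pwvpn" named in the question.
    ldap ldap_vpn {
        server   = "ldap.example.com"
        identity = "cn=radius,ou=services,dc=example,dc=com"
        password = "CHANGE-ME"
        basedn   = "ou=people,dc=example,dc=com"
        filter   = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        password_attribute = "Pwvpn"
    }
}

# sites-enabled/default: choose the instance by the NAS that sent the request.
# 192.0.2.10 stands in for the F5 VPN concentrator's address (assumed).
authorize {
    preprocess
    if (NAS-IP-Address == 192.0.2.10) {
        ldap_vpn
    }
    else {
        ldap_default
    }
    # pap sets Auth-Type PAP once the ldap module has placed the fetched
    # password into the control list.
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
}
```

Two points a practitioner would check before reproducing this: the bind identity needs read access to every password attribute it is expected to fetch, so the directory ACL should grant that to the RADIUS service account only; and because the pap module compares the fetched value, the values in `userPassword` and `Pwvpn` should be stored hashed with a recognised header rather than in clear text. None of this carries over to ISE, which, as the answer states, has no equivalent of `password_attribute` in its LDAP connector.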
