Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
466
Views
0
Helpful
1
Replies

ISE: User in LDAP Identity Store have multiple Passwords - depending on Attribute

Go to solution
aleksandar.vidic
Level 1
Level 1

‎02-11-2019 08:00 AM

Hi,

 

I’m running a ISE 2.4 Patch 5 and have to sync with an LDAP Identity Store where they are using the same User with up to five different Password,

depending from the incoming source.

I’ve configured the Admin Access with the LDAP sync and this is working fine since there is no LDAP Password Attribute to send

with and it checks the default LDAP Password field – everything ok.

But when the radius request is sourced by an for example F5 VPN Concentrator there should be a other Password checked with a custom attribute “Pwvpn”.

So the F5 sends the radius request to the ISE and the ISE should check the PWD under the LDAP attribute “Pwvpn”.

 

I’ve tried several things but without any success…

At the moment the Customer is running a FreeRadius and it worked fine and we are trying to migrate to ISE…

 

I've also opened an TAC Case were the response was to open a feature request since this is not supported.

Does anyone have any similar Setup or the need for ISE implementation?

 

Thanks

Aleks

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee

‎02-13-2019 05:36 PM

Cisco TAC is correct that the LDAP connector in ISE not supporting another attribute as the password.

From some info on the net, I found only some use case with using the universal password of Novell eDirectory in the comments in the LDAP module section of radiusd.conf:

#	password_attribute: Define the attribute which contains the user
#	password.
#	While integrating FreeRADIUS with Novell eDirectory, set
#	'password_attribute = nspmpassword' in order to use the universal
#	password of the eDirectory users for RADIUS authentication. This will
#	work only if FreeRADIUS is configured to build with --with-edir option.
#
#	default: NULL - don't add password
#
#	password_attribute = "userPassword"

 

View solution in original post

0 Helpful
1 Reply 1

Go to solution
hslai
Cisco Employee
Cisco Employee

‎02-13-2019 05:36 PM

Cisco TAC is correct that the LDAP connector in ISE not supporting another attribute as the password.

From some info on the net, I found only some use case with using the universal password of Novell eDirectory in the comments in the LDAP module section of radiusd.conf:

#	password_attribute: Define the attribute which contains the user
#	password.
#	While integrating FreeRADIUS with Novell eDirectory, set
#	'password_attribute = nspmpassword' in order to use the universal
#	password of the eDirectory users for RADIUS authentication. This will
#	work only if FreeRADIUS is configured to build with --with-edir option.
#
#	default: NULL - don't add password
#
#	password_attribute = "userPassword"

 

0 Helpful
Customers Also Viewed These Support Documents