I have a customer using LDAP and RADIUS with the PEAP and MSCHAPv2 protocols.
They are evaluating ISE, but using ISE with LDAP does not support PEAP or MSCHAPv2.
The customer is asking us for a reason: why doesn't ISE support these protocols?
Is this on the roadmap? Is ISE going to support them?
Please help with this question.
I am not sure where you read that LDAP and these protocols are not supported.
I have not tested this, but I think it might work; you just have to create a new Identity Source Sequence
where you will use AD and LDAP_AD,
and use it in the authorization policy. In authentication, use the protocols that you need for your deployment.
And I saw one more thing: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCul55352/?rfs=iqvred
Sorry for the confusion in the note: ISE supports LDAP, but ISE will not support PEAP and MSCHAPv2 with LDAP. You can see Table 2 "Authentication Protocols and Supported External Identity Sources" in the following link:
The customer's question is why, and whether we have any roadmap for that?
Thanks Danny, sorry for the roadmap question. But is there any reason why ISE doesn't support specific authentication protocols such as PEAP and MSCHAPv2?
The way I understand it, it's a technical limitation of how the passwords are stored in the LDAP "database".
You can perform ASCII/PAP authentication to an LDAP directory (because the password that is sent in the auth request is simply a string comparison with the plain text password stored in the LDAP directory). But you cannot perform CHAP etc. because there is neither a simple password sent by the client, nor is there a simple password stored on the external directory. E.g. in AD, the client and server perform a handshake protocol, hence the name Challenge-Handshake Authentication Protocol (I don't completely understand it - google it), and this is where the complexity comes in.
Have a read of this too.
If you want the real gory details (actually an excellent explanation by a somewhat militant-sounding Alan DeKok, FreeRADIUS dev), then check this out: Users - CHAP authentication against LDAP
Having said that, Aruba ClearPass appears to support this: LDAP Authentication Source Configuration - so maybe the technical argument is an old one.
It's confusing for sure.
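To make the comparison in that explanation concrete, here is an added example (not from the thread, Cisco or FreeRADIUS): a PAP check that works against a salted one-way {SSHA} userPassword of the kind OpenLDAP stores, and an RFC 1994 CHAP check that can only be completed when the directory can hand the verifier a usable secret. The {SSHA}/{CLEAR} entries, salt and password are constructed sample values; MSCHAPv2 differs in detail (it derives its response from the NT hash with DES rather than MD5) but has the same requirement.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample values for this example (not from the thread).
SALT = b"\x01\x02\x03\x04"
PASSWORD = "correct horse"

def ssha_entry(password: str, salt: bytes = SALT) -> bytes:
    """Build an OpenLDAP-style {SSHA} userPassword: base64(sha1(pw + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)

def clear_entry(password: str) -> bytes:
    """A directory that keeps a password-equivalent secret (what CHAP needs)."""
    return b"{CLEAR}" + password.encode("utf-8")

def pap_verify(stored: bytes, candidate: str) -> bool:
    """PAP/ASCII: the client sends the password itself, so the directory can
    re-hash it with the stored salt and compare. An LDAP bind needs no more."""
    if stored.startswith(b"{SSHA}"):
        raw = base64.b64decode(stored[len(b"{SSHA}"):])
        digest, salt = raw[:20], raw[20:]
        calc = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(calc, digest)
    if stored.startswith(b"{CLEAR}"):
        return hmac.compare_digest(stored[len(b"{CLEAR}"):], candidate.encode("utf-8"))
    raise ValueError("unknown storage scheme")

def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: the client returns MD5(id | secret | challenge); the
    secret itself never crosses the wire."""
    return hashlib.md5(bytes([ident]) + secret.encode("utf-8") + challenge).digest()

def chap_verify(stored: bytes, ident: int, challenge: bytes, response: bytes) -> bool:
    """The verifier must recompute the same MD5, so it needs the secret in a
    usable form. A salted one-way hash cannot be fed into that computation."""
    if stored.startswith(b"{CLEAR}"):
        secret = stored[len(b"{CLEAR}"):].decode("utf-8")
        return hmac.compare_digest(chap_response(ident, secret, challenge), response)
    raise ValueError("challenge-response cannot be verified against a one-way hash")

if __name__ == "__main__":
    challenge = os.urandom(16)
    resp = chap_response(1, PASSWORD, challenge)
    print("PAP vs {SSHA}:", pap_verify(ssha_entry(PASSWORD), PASSWORD))
    print("CHAP vs {CLEAR}:", chap_verify(clear_entry(PASSWORD), 1, challenge, resp))
    try:
        chap_verify(ssha_entry(PASSWORD), 1, challenge, resp)
    except ValueError as err:
        print("CHAP vs {SSHA}:", err)
```

The third call is the ISE-with-LDAP case: the directory holds only a one-way hash, so no amount of configuration lets the RADIUS server finish the challenge-response.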