ISE with Secure LDAP and RAVPN on ASA

MustafaKamel
Level 1

Dears,
I have a network containing an ASA, ISE and AD; all these devices are integrated together, and I need to authenticate remote access VPN users from LDAP through ISE, but I have an issue.

The main issue is that I need all users to be able to change their password after first login, to be notified before their password expires, and to be able to change their password once it has expired.

My ISE version: 2.2 and 2.4

My ASA version: 9.1

Mustafa K. Saad
4 Replies

Surendra
Cisco Employee
LDAP with ISE supports only these protocols: EAP-GTC, EAP-TLS, or PEAP-TLS, and none of them supports password change. You can use Active Directory instead of LDAP on ISE to make this work.

Refer to https://community.cisco.com/t5/security-documents/password-management-with-ldap-vs-radius-for-vpn-users/ta-p/3147278 for more about the “password-management” command, which is essentially what allows this feature to work.
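To show where the “password-management” command sits in an ASA remote-access configuration, here is an added example (not taken from the thread, the linked document or Cisco's own documentation). It assumes ISE is joined to Active Directory and is used as a RADIUS server by the ASA, which is the path the reply above recommends; the server group name, tunnel-group name, IP address and shared key are placeholders chosen for illustration.

```cisco
! Added example: ASA 9.x remote-access VPN authenticating against ISE over RADIUS.
! ISE is assumed to be joined to AD, so password change/expiry is handled by the AD
! identity source rather than an LDAP identity source (see the reply above).
! Placeholder values: ISE-RADIUS, 192.0.2.10, the shared key and tunnel group RAVPN.
aaa-server ISE-RADIUS protocol radius
aaa-server ISE-RADIUS (inside) host 192.0.2.10
 key PLACEHOLDER-SHARED-KEY
 authentication-port 1812
 accounting-port 1813
!
tunnel-group RAVPN type remote-access
tunnel-group RAVPN general-attributes
 authentication-server-group ISE-RADIUS
 ! Enables password-expiry notification and the change-password dialog for VPN users.
 ! The "password-expire-in-days" warning is only meaningful when the server group is
 ! LDAP pointed at AD ("server-type microsoft", LDAP over SSL); with a RADIUS group the
 ! plain "password-management" form is used and the exchange relies on MS-CHAPv2.
 password-management
```

With a RADIUS server group, the password-change exchange depends on the RADIUS server (ISE) supporting MS-CHAPv2 against the AD identity source; with an LDAP server group pointed directly at AD, the ASA needs LDAP over SSL to be able to write the new password, and `password-management password-expire-in-days <n>` adds the early warning.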

@Surendra - what about EAP-PEAP? I am fairly sure that I implemented an EAP-PEAP solution for a customer where the authentication was their AD server, but we interfaced to it via LDAP.

May I know what you meant when you said EAP-PEAP? EAP-PEAP is technically encrypting EAP packets using TLS, otherwise called just PEAP. It would require an EAP method along with it, like MSCHAP or MSCHAPv2, and it in itself is not a protocol that can be used for authentication. I was referring to this https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_01110.html#concept_BD3A270FEC0C411DA10FB808C14B48D5 when I said LDAP supports only those protocols with ISE. If there was any instance where you made it work with other protocols, I would be happy to learn how you did that.

Cheers,
Surendra.

Oh yes, of course. Sorry. I forgot about that. The LDAP integration to AD was fine, but you're right about PEAP - it doesn't work in that case. I had used it successfully for cases like Sponsor Portal user authentication or for simple PAP types of authentication.