03-09-2005 06:53 AM - edited 03-10-2019 02:02 PM
We use 802.1x with PEAP for all our students and personnel over WLAN and wire and it works excellently. However, our central catalogue will be an LDAP server, and since LDAP can't process CHAP we must get accounts into the ACS 3.3 another way. One way would be to use CSUtil with some Perl scripts, but we can't decrypt the passwords that are stored in LDAP... So, does anyone have some good ideas about what to do?
/Fredrik
Karlstad University
Sweden
03-09-2005 07:52 AM
One thing that you could do is set up ACS so that all unknown users within ACS get authenticated against the LDAP server. This process is set up with the "Unknown User" policy within ACS and also by telling ACS about the LDAP server. Here is a link with some more information about setting up ACS in this fashion.
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/d.htm#wp354503
Steve
03-09-2005 11:33 PM
That would be nice but since we use MS-CHAP, LDAP can't handle that. This is the dilemma... LDAP only supports PAP as far as I understand.
/F
03-10-2005 08:38 AM
ACS will handle the authentication protocol differences for you. MS-CHAP authentication will occur to the ACS server and it will use PAP authentication against the LDAP server.
Steve
03-10-2005 10:55 PM
Well, ok. But not if I read table 1-3 on this page:
But do you mean that it is just a matter of setting it up, and then ACS handles the PAP/CHAP job?
/Fredrik
03-11-2005 09:45 AM
Fredrik,
I stand corrected. Your interpretation is correct. Thank you for teaching me something!
Now that I have a better understanding of ACS, it looks as if your options are going to be limited.
The only option that comes to mind would be to use a third-party supplicant for your authentication. One that comes to mind is the Aegis client by Meetinghouse. Here is a link to the site for more info on it.
http://www.mtghouse.com/products/aegisclient/index.shtml
Another one that you might look at is SecureW2.
I'll keep thinking on this one and see what else I can come up with.
Steve
06-26-2005 03:52 AM
Hi Steve
As far as my knowledge goes, the SecureW2 solution uses EAP-TTLS, which isn't supported by ACS.
Am I right, or have I overlooked something?
Also, in FreeRADIUS you are able to use PEAP-MSCHAPv2 with LDAP-stored NT hashes. Has anyone tried this on an ACS?
Seems to me that you really need an MS AD to make this work.
Any other ideas?
Best regards
Anders Nilsson
UMDAC
03-29-2005 02:07 PM
We are in the same boat here. Sure would be nice if Cisco came up with a way to make these two work together. We don't want to have a separate client on our student PCs. I've talked with Funk as well, same issue, CHAP vs. PAP.
For copying the LDAP user database over to ACS, have you looked at the RDBMS synchronization section? That may be the direction we go, but we haven't tested it yet.
03-29-2005 10:24 PM
No, the procedure that we have implemented now, until we find something better, is an automated Perl job to import the LDAP accounts via CSUtil. Not good, but it works.
/fred