No support of EAP-MSCHAPv2 with EAP-TTLS using Azure AD

jitendrac
Level 1

Hi All,

Per the Cisco Identity Services Engine Administrator Guide, Release 3.3, Table 13 (Authentication Protocols and Supported External Identity Sources), it is mentioned that EAP-MSCHAPv2 (as an inner method of EAP-TTLS) is not supported with REST external identity sources like Azure AD.

If the Windows native supplicant allows you to configure EAP-MSCHAPv2 (as an inner method of EAP-TTLS), then why does ISE not support it?

Is this restriction from the ISE side OR the Azure AD Side?

3 Replies

Arne Bier
VIP

Hi @jitendrac 

The only inner authentication method I know of that is supported by both Azure AD and ISE is PAP (Plain Auth Protocol).

The reason is the same reason that we cannot do MSCHAPv2 to an LDAP repository. For example, if ISE talks to an Active Directory domain controller using LDAP, then you cannot perform MSCHAPv2, because the "challenge" handshake involved in the password checking is a special process. MSCHAPv2 works only when ISE is integrated (joined) to the domain controller and uses Kerberos (and all that other stuff I don't understand ...). Thus, the only solution with ISE talking to LDAP is PAP. ISE presents the username and password to the LDAP server, and the LDAP server compares the credentials in its database; if they match, the response is positive, else the auth fails.

MSCHAP is much more complicated, and there are various versions that Microsoft developed over the years. My suspicion is that on the Azure side there is no support for any method other than PAP. ROPC builds the secure tunnel between ISE and Azure. What you do in that tunnel is secured, hence no need for the complicated CHAP song and dance routine.

Username/password credential checking is likely to become extinct one day, because Microsoft is slowly replacing those ageing methods with more complicated forms, sometimes based on biometrics (i.e. Windows Hello). The Windows Credential Guard feature is another thing that throws a spanner in the works: you can disable it, but it's not advised.

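The distinction Arne draws above, in runnable form: with PAP the backend receives a username and password it can check, whereas with MS-CHAPv2 the backend receives only a challenge response and can verify it only if it already holds the password-equivalent NT hash. This is an added example, not code from the thread, from ISE or from Microsoft. The NT hash (MD4 over UTF-16LE) and the ChallengeHash follow RFC 2759; the DES-based NT-Response of RFC 2759 is replaced by HMAC-SHA256 over the same inputs, an assumption made so the block runs on the standard library alone. The two backend classes, the `alice` account and all function names are constructed for illustration.

```python
"""Why a password-check oracle (LDAP simple bind, Entra ID ROPC) cannot serve MS-CHAPv2.

Added example. NtPasswordHash and ChallengeHash follow RFC 2759; nt_response() uses
HMAC-SHA256 as a stand-in (assumption) for the DES-based ChallengeResponse. The
structural point is unchanged: the verifier sees a response, never the password.
"""
import hashlib, hmac, os, struct

MASK = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable under OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                          # round 1
            a = rotl((a + F(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)):  # round 2
            a = rotl((a + G(b, c, d) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a = rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)

def nt_password_hash(password: str) -> bytes:
    """RFC 2759 NtPasswordHash: MD4 over the UTF-16LE password. This is what AD stores."""
    return md4(password.encode("utf-16-le"))

def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash: first 8 bytes of SHA1(PeerChallenge || AuthChallenge || UserName)."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]

def nt_response(nt_hash: bytes, chash: bytes) -> bytes:
    """Stand-in (assumption) for RFC 2759 ChallengeResponse, which DES-encrypts the
    challenge hash under three keys cut from the NT hash. Same inputs, same shape (24 bytes)."""
    return hmac.new(nt_hash, chash, hashlib.sha256).digest()[:24]

def supplicant_mschapv2(username: str, password: str, auth_challenge: bytes) -> dict:
    """Windows supplicant side: what goes over the wire. The password itself never leaves."""
    peer_challenge = os.urandom(16)
    chash = challenge_hash(peer_challenge, auth_challenge, username)
    return {"username": username, "peer_challenge": peer_challenge,
            "response": nt_response(nt_password_hash(password), chash)}

class DomainJoinedBackend:
    """Models ISE joined to AD: it can obtain the NT hash for a user and recompute the response."""
    def __init__(self, users: dict):
        self._hashes = {u: nt_password_hash(p) for u, p in users.items()}  # constructed store
    def verify_mschapv2(self, username, peer_challenge, auth_challenge, response) -> bool:
        h = self._hashes.get(username)
        if h is None:
            return False
        expected = nt_response(h, challenge_hash(peer_challenge, auth_challenge, username))
        return hmac.compare_digest(expected, response)

class BindOracleBackend:
    """Models LDAP simple bind / Entra ID ROPC: the only question it answers is
    'is this username/password pair correct?'. It never exposes a hash, so there is
    deliberately no verify_mschapv2(): given a challenge and a response it has no
    password to try, and the response cannot be turned back into one."""
    def __init__(self, users: dict):
        self._users = dict(users)
    def verify_pap(self, username: str, password: str) -> bool:
        return self._users.get(username) == password

def demo() -> dict:
    users = {"alice": "Passw0rd!"}                 # constructed sample account
    auth_challenge = os.urandom(16)                # RADIUS server's Authenticator Challenge
    ad, oracle = DomainJoinedBackend(users), BindOracleBackend(users)
    good = supplicant_mschapv2("alice", "Passw0rd!", auth_challenge)
    bad = supplicant_mschapv2("alice", "wrong", auth_challenge)
    return {
        "ad_accepts": ad.verify_mschapv2("alice", good["peer_challenge"], auth_challenge, good["response"]),
        "ad_rejects_wrong_password": ad.verify_mschapv2("alice", bad["peer_challenge"], auth_challenge, bad["response"]),
        "oracle_pap_accepts": oracle.verify_pap("alice", "Passw0rd!"),
        "oracle_can_do_mschapv2": hasattr(oracle, "verify_mschapv2"),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The MD4 and NT-hash pieces are exact (the NT hash of `password` is the well-known `8846f7eaee8fb117ad06bdd830b7586c`), so the same code shows why an MS-CHAPv2 verifier is as sensitive as the hash store it reads from: anything that can recompute the response holds a password-equivalent, which is also why Credential Guard gets in the way on the client side.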
thomas
Cisco Employee

See "What's New in ISE 3.0", at 08:28 ("802.1X with Azure AD using ROPC"), for the explanation of why this will not work.

Azure AD != Active Directory

Thankfully, Microsoft finally renamed "Azure AD" to Entra ID to prevent this common misunderstanding.