Using ISE as RADIUS server with Win AD

DanWeaver (Cisco Employee)

I received this question from a customer, does anyone know the answer?

"The real question here is that the customer wants to refer back to LDAP. What they recently found is that, with the F/W using LDAP for authentication, a user can log in with matching case and is forced to 2-factor auth, but if the case isn’t matching they still get logged in, with no 2-factor. The F/W vendor has told them they need to use RADIUS. So the question is, can they use the RADIUS function in TACACS and have that refer back to LDAP and still force them to match case? They are looking to not have to have 2 user databases. If they will need to maintain a separate database in the TACACS server for this, they can do that directly in the F/W."


7 Replies

paul (Level 10)

Not sure what they are trying to do here, but typically if you used ISE you would have ISE send the request to the two-factor server via RADIUS, then do AD/LDAP lookups on the username during the authorization section of the rules to do group matching or other attribute matching. So say you wanted two-factor authentication plus AD group lookups:

Authentication Phase:

FW->TACACS->ISE->RADIUS->2FA Server

Authorization Phase:

ISE->AD/LDAP Group Lookup

If Member of "Network Admin" group then full access

If Member of "Network Read-Only" group then read-only access

Something like that is pretty typical. Even if the customer only wants 2FA, I still send the requests through ISE so I can get uniform logging and have the ability to apply different levels of authorization in the future.

I believe their question is regarding remote access VPN on the firewall they referenced.

Remote access VPN or admin, the answer is the same. Change my if statements to:

If member of “Employee VPN” group then full access

If member of “Vendor X” group then permit access but apply DACL X

If member of “Vendor Y” group then permit access but apply DACL Y

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Thanks Paul, and to be perfectly clear, the answer to case sensitivity is "yes, it will enforce case sensitivity"?

Accepted Solution

There should be no case sensitivity concerns if you go against ISE. I can’t speak to the current setup, but the case involved in the username shouldn’t come into play here as ISE controls exactly where authentications go. So the authentication phase would only allow authentications against the 2FA server. The authorization phase would do an LDAP/AD group lookup.

Paul Haferman

Paul,

Thank you for your time, expertise, and quick responses!!!

More from the customer:

"Second, they recently found an issue with the current 2-factor authentication setup. They are using LDAP for authentication, which isn’t case sensitive, so if a username is all lower case and they type it in lower case the user will then get prompted for 2-factor auth. If they type anything else they get passed through to LDAP and they get connected without 2-factor authentication.

Username is kdonnelly

As long as I type lowercase I will need 2-factor to get in.

If I type Kdonnelly I get passed through to LDAP and connect without 2-factor.

So if we use the TACACS RADIUS functionality, is that case sensitive?"
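The bypass the customer describes (a case-sensitive 2FA enrolment check in front of a case-insensitive LDAP bind) and the design Paul recommends (authenticate only against the 2FA server, use LDAP/AD purely for authorization groups) can be reproduced in a small simulation. The following is an added example, not code from the thread, from Cisco ISE or from the firewall vendor: the directory, the 2FA server, the account names, passwords and OTP codes are all constructed stand-ins, and the flow is a model of the behaviour described above rather than any product's actual implementation.

```python
"""Simulation of the username-case 2FA bypass and of the ISE-style fix.

All data below is constructed for the example. The 'directory' mimics AD/LDAP,
where sAMAccountName lookups are case-insensitive; the '2FA server' is what ISE
would reach over RADIUS.
"""
import hmac

# Constructed directory: login name -> password and group memberships.
DIRECTORY = {
    "kdonnelly": {"password": "Winter2024!", "groups": ["Employee VPN"]},
    "vendorx01": {"password": "Vendor-pw-1", "groups": ["Vendor X"]},
}

# Constructed: accounts the firewall policy sends to 2FA, stored lower-case
# exactly as the admin typed them (this is the trap).
TWO_FACTOR_USERS = {"kdonnelly", "vendorx01"}

# Constructed: the one-time code each 2FA token would produce right now.
OTP_CODES = {"kdonnelly": "246810", "vendorx01": "135790"}


def ldap_bind(username, password):
    """Case-insensitive directory bind, like an AD simple bind on sAMAccountName."""
    entry = DIRECTORY.get(username.lower())
    return entry is not None and hmac.compare_digest(entry["password"], password)


def ldap_groups(username):
    """Group lookup used in the authorization phase."""
    entry = DIRECTORY.get(username.lower())
    return entry["groups"] if entry else []


def two_factor_server_auth(username, password, otp):
    """Stand-in for the 2FA server behind RADIUS: OTP first, then the password.
    It canonicalises the username itself, so case never matters here."""
    user = username.lower()
    code = OTP_CODES.get(user)
    if code is None or not hmac.compare_digest(code, otp):
        return False
    return ldap_bind(user, password)


def firewall_login_vulnerable(username, password, otp=""):
    """The broken flow: 2FA selection is a literal (case-sensitive) string match,
    but the fallback LDAP bind is case-insensitive, so 'Kdonnelly' skips 2FA."""
    if username in TWO_FACTOR_USERS:
        return two_factor_server_auth(username, password, otp)
    return ldap_bind(username, password)  # BYPASS path


def firewall_login_canonicalised(username, password, otp=""):
    """Minimal local fix: canonicalise before the policy decision."""
    if username.lower() in TWO_FACTOR_USERS:
        return two_factor_server_auth(username, password, otp)
    return ldap_bind(username, password)


def ise_login(username, password, otp):
    """The design from the thread: authentication only ever goes to the 2FA
    server; LDAP/AD is consulted afterwards for authorization. Returns the
    authorization result, or None when authentication or authorization fails."""
    if not two_factor_server_auth(username, password, otp):
        return None
    groups = ldap_groups(username)
    if "Employee VPN" in groups:
        return "full-access"
    if "Vendor X" in groups:
        return "permit+DACL-X"
    return None  # authenticated, but no rule grants access


if __name__ == "__main__":
    print("kdonnelly, no OTP, vulnerable :", firewall_login_vulnerable("kdonnelly", "Winter2024!"))
    print("Kdonnelly, no OTP, vulnerable :", firewall_login_vulnerable("Kdonnelly", "Winter2024!"))
    print("Kdonnelly, no OTP, canonical  :", firewall_login_canonicalised("Kdonnelly", "Winter2024!"))
    print("Kdonnelly, no OTP, via ISE    :", ise_login("Kdonnelly", "Winter2024!", ""))
    print("Kdonnelly, OTP,    via ISE    :", ise_login("Kdonnelly", "Winter2024!", "246810"))
```

The point the simulation makes is the one in Paul's answer: once every authentication is forced through the 2FA server and LDAP is only asked "which groups is this user in?", there is no code path on which username case can select a weaker check. The canonicalisation fix is the local patch if the firewall keeps doing its own policy selection; the ISE design removes the decision from the firewall entirely.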
