05-23-2017 05:45 AM
I received this question from a customer, does anyone know the answer?
"The real question here is the customer wants to refer back to LDAP. What they recently found is with the F/W using LDAP for authentication is a user can log in with matching case and is forced to 2 factor auth but if the case isn’t matching they still get logged in but with no 2 factor. The F/W vendor has told them they need to use Radius. So the question is can they use the Radius function in Tacacs and have that refer back to LDAP and still force them to match case? They are looking to not have to have 2 user databases. If they will need to maintain a separate database in the Tacacs server for this they can do that directly in the F/W."
05-23-2017 06:36 AM
There should be no case sensitivity concerns if you go against ISE. I can’t speak to the current setup but the case involved in the username shouldn’t come into play here as ISE controls exactly where authentications go. So the authentication phase would only allow authentications against the 2FA server. The authorization phase would do an LDAP/AD group lookup.
Paul Haferman
Office- 920.996.3011
Cell- 920.284.9250
05-23-2017 06:02 AM
Not sure what they are trying to do here, but typically if you used ISE you would have ISE send the request to the two factor server via RADIUS then do AD/LDAP lookups on the username during the authorization section of the rules to do group matching or other attribute matching. So say you wanted two factor authentication plus AD group lookups:
Authentication Phase:
FW->TACACS->ISE->RADIUS->2FA Server
Authorization Phase:
ISE->AD/LDAP Group Lookup
If Member of "Network Admin" group then full access
If Member of "Network Read-Only" group then read-only access
Something like that is pretty typical. Even if the customer only wants 2FA I still send the requests through ISE so I can get uniform logging and have the ability to apply different levels of authorization in the future.
05-23-2017 06:08 AM
I believe their question is regarding remote access VPN on the firewall they referenced.
05-23-2017 06:13 AM
Remote access VPN or Admin the answer is the same. Change my if statements to:
If member of “Employee VPN” group then full access
If member of “Vendor X” group then permit access but apply DACL X
If member of “Vendor Y” group then permit access but apply DACL Y
Paul Haferman
Office- 920.996.3011
Cell- 920.284.9250
05-23-2017 06:24 AM
Thanks Paul, and to be perfectly clear, the answer to case sensitivity is "yes, it will enforce case sensitivity"?
05-23-2017 06:39 AM
Paul,
Thank you for your time, expertise, and quick responses!!!
05-23-2017 06:10 AM
more from the customer:
"Second is they recently found an issue with the current 2 factor authentication setup. They are using LDAP for authentication which isn’t case sensitive so if a username is all lower case and they type it in lower case the user will then get prompted for 2 factor auth. If they type anything else they get passed through to LDAP and they get connected without 2 factor authentication.
Username is kdonnelly
As long as I type lowercase I will need 2 factor to get it.
If I type Kdonnelly I get passed through to LDAP and connect without 2 factor.
So if we use the TACACS radius functionality is that case sensitive?"
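Added example, not from the thread or from any vendor: a small Python model of the mismatch the customer describes, where the firewall's per-user 2FA rule matches the typed username exactly while the LDAP bind behind it is case-insensitive, beside a hardened flow that applies the second factor to every authentication and a check that flags successful logins recorded without a 2FA challenge. All usernames, passwords and records are constructed.

```python
"""Model of the 2FA bypass in the thread: the firewall keys its per-user 2FA
rule on the username exactly as typed, while the LDAP backend that checks the
password matches usernames case-insensitively.  All data is constructed."""

# Constructed directory; AD/LDAP username lookups are case-insensitive, so the
# keys are stored lower-cased.
LDAP_USERS = {"kdonnelly": "pw-1", "jsmith": "pw-2"}
# Constructed list of accounts the firewall rule sends to the 2FA server.
TWO_FACTOR_USERS = {"kdonnelly", "jsmith"}


def ldap_bind(username: str, password: str) -> bool:
    """Case-insensitive bind, mimicking the AD/LDAP behaviour described."""
    return LDAP_USERS.get(username.lower()) == password


def login_flawed(username: str, password: str, otp_ok: bool) -> bool:
    """Firewall logic as described: 'Kdonnelly' misses the case-sensitive rule
    and falls through to a plain LDAP bind with no second factor."""
    if username in TWO_FACTOR_USERS:
        return ldap_bind(username, password) and otp_ok
    return ldap_bind(username, password)


def login_fixed(username: str, password: str, otp_ok: bool) -> bool:
    """Hardened flow: every authentication requires the second factor, so how
    the name was typed cannot select a weaker path.  Any remaining per-user
    lookup (authorization) uses the canonical, lower-cased name."""
    canonical = username.strip().lower()
    return ldap_bind(canonical, password) and otp_ok


def successes_without_2fa(events):
    """Detection: return typed usernames from constructed auth records that
    logged in successfully with no 2FA challenge recorded.  Each record is
    (typed_username, outcome, mfa_challenged)."""
    return [u for u, outcome, mfa in events if outcome == "success" and not mfa]


if __name__ == "__main__":
    print(login_flawed("Kdonnelly", "pw-1", otp_ok=False))  # True: bypass
    print(login_fixed("Kdonnelly", "pw-1", otp_ok=False))   # False
    print(successes_without_2fa([("kdonnelly", "success", True),
                                 ("Kdonnelly", "success", False)]))
```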