Problem with getting LDAP attributes on ISE when EAPChaining is enabled

Karel Navratil
Level 1

Hi All,

Has anybody an idea how to set up LDAP attribute retrieval with EAP Chaining enabled?

My scenario is:

- user with AnyConnect (EAP-FAST) connects to WLAN and sends its credentials

- ISE authenticates username and password against Active Directory

- ISE should check whether the same userid has, in an LDAP directory (not AD, a different store), a special attribute which controls access to our WLAN

- If the attribute is found, then the authorization profile is matched.

This works when I disable EAP Chaining (Policy -> Policy Elements -> Results -> Authentication -> Allowed Protocols ...).

In the logs I've found that the user was not found in LDAP, but the user exists.

Maybe the workaround could be that only the user from EAP Chaining is used, and not also the hostname; then it could match. But I cannot find any parameter which returns only the user.

Does anybody have an idea how to solve this?

Thanks!

K.

5 Replies

Tarik Admani
VIP Alumni

Hi,

This seems like a corner issue, because EAP-FAST with LDAP is not supported. LDAP as a protocol doesn't support hash-based authentication, hence the reason ISE is failing to hit the LDAP database.

Referencing ACS material since the ISE docs are not complete:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/eap_pap_phase.html


Hi,

I'm not using LDAP to authenticate, just for additional attribute retrieval. Authentication is done via Active Directory.

I just want to have control over who can access our WLAN and who cannot, and take advantage of EAP Chaining.

K.

Tarik Admani
VIP Alumni

Do you have your LDAP group configured as an authorization condition?

I remember a topic on the forums where the retrieval is done when the authorization rule has the LDAP group as a condition. Then ISE will attempt the lookup.


It's not LDAP group based, just an additional attribute, WLANProfile, which returns which VLAN the user should be connected to.

If it matches, i.e. Employees, then access is granted.

This works fine when EAP Chaining is disabled in the allowed protocols; when I enable it, it stops matching.

Karel Navratil
Level 1

Any ideas here?
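The lookup the thread is about, reduced to its parts so it can be checked offline: take the authenticated identity, reduce it to the bare userid, build the LDAP filter for that userid, fetch the WLANProfile attribute and decide whether the Employees profile matches. This is an added example and not code from the original thread or from Cisco ISE; the identity formats it recognises (DOMAIN\user, user@realm, host/machine), the attribute names (uid, WLANProfile), the filter shape and the in-memory directory contents are all assumptions made for the example. The point it adds beyond the thread is that the filter value is escaped per RFC 4515, so an identity containing `*`, `(` or `)` cannot widen or break the search.

```python
"""Offline model of a per-user LDAP attribute lookup used as an authorization
condition. Identity forms, attribute names and directory contents are
assumptions for this example, not taken from the thread or from Cisco ISE."""

from typing import Dict, Optional

# RFC 4515: characters that must be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def strip_to_userid(identity: str) -> Optional[str]:
    """Reduce an identity to its bare userid, or None for a machine identity.

    Assumed forms (not from the thread): 'user', 'DOMAIN\\user', 'user@realm'
    and 'host/machine.fqdn' for a machine credential.
    """
    ident = identity.strip()
    if ident.lower().startswith("host/"):
        return None  # machine identity: no per-user attribute to look up
    if "\\" in ident:
        ident = ident.rsplit("\\", 1)[1]
    if "@" in ident:
        ident = ident.split("@", 1)[0]
    return ident or None


def build_filter(userid: str, uid_attr: str = "uid") -> str:
    """Build the search filter for one user; uid_attr is an assumed attribute name."""
    return f"(&(objectClass=person)({uid_attr}={escape_filter_value(userid)}))"


# Constructed stand-in for the external (non-AD) LDAP directory.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "knavratil": {"uid": "knavratil", "WLANProfile": "Employees"},
    "guest1": {"uid": "guest1", "WLANProfile": "Guests"},
    "noattr": {"uid": "noattr"},
}


def fetch_wlan_profile(userid: str) -> Optional[str]:
    """Return the WLANProfile attribute of a directory entry, or None if absent."""
    entry = DIRECTORY.get(userid)
    if entry is None:
        return None
    return entry.get("WLANProfile")


def authorize(identity: str, required_profile: str = "Employees") -> Dict[str, str]:
    """Decide access for one identity; returns the decision, the reason and the
    filter that would be sent to the directory (useful when comparing with what
    the server actually logs)."""
    userid = strip_to_userid(identity)
    if userid is None:
        return {"decision": "skip", "reason": "machine identity", "filter": ""}
    filt = build_filter(userid)
    if userid not in DIRECTORY:
        return {"decision": "reject", "reason": "user not found", "filter": filt}
    profile = fetch_wlan_profile(userid)
    if profile == required_profile:
        return {"decision": "permit", "reason": f"WLANProfile={profile}", "filter": filt}
    return {"decision": "reject", "reason": f"WLANProfile={profile}", "filter": filt}


if __name__ == "__main__":
    for ident in ("CORP\\knavratil", "guest1@corp.example", "host/pc01.corp.example", "x*y"):
        print(ident, "->", authorize(ident))
```

When ISE reports "user not found" for a user that exists, the filter string returned here is the thing to compare against the directory's own access log: if the userid the server received still carries a domain, realm or host component, the lookup cannot match the entry's uid value.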
