713 Views · 10 Helpful · 1 Reply

Wireless Authentication - Cisco ISE using LDAP

atsetheodros
Level 4

I am using a 5520 WLC and AP 9120 with 8.1.102.0 code to authenticate clients via ISE 2.6 using Novell LDAP as the identity source.

It appears that MSCHAPv1/v2, EAP-MSCHAPV2 and PEAP are not supported on LDAP.

Please advise the possible ways to do it. It's urgent and a time-sensitive project.


Thank you!

1 Reply

Arne Bier
VIP

The issue is with the passwords in LDAP (the passwords should not be transmitted; rather, a hash is transmitted).

LDAP repositories are suited to PAP/ASCII password exchanges, and neither of those is a supported inner EAP method.


Is there any way you could get those LDAP identities into ISE itself? It might require some coding and regular sync, but if the username and password existed in ISE, then you can do EAP and MSCHAPv1/2 inner method.

The obvious solution would be to migrate the users to Active Directory instead of Novell.


I believe there are people on the internet who have got this to work, but they had to create password hashes for all of the accounts and then store this hashed password as an additional attribute per user. Quite clever: it means that ISE would have to retrieve that attribute during authentication, and not the regular user password. I cannot verify this, but it sounds very promising.

