ACS 4.x and LDAP as user database

Unanswered Question
Feb 27th, 2007

Does anyone know when/if Cisco plans to let LDAP support PEAP (MSCHAPv2)?

We are running Novell, and it seems that we have to use FreeRADIUS because PEAP with MSCHAPv2 is not supported when LDAP is the user database.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a00806fe24a.html#wp857274

Johann Folkestad

darpotter Tue, 02/27/2007 - 05:39

It's not a matter of Cisco allowing it. LDAP databases don't generally support MSCHAP, despite (during my time at Cisco) constant nagging.

I guess if enough customers moaned loud enough at the LDAP vendors they might support it natively.

The only way I know it can be made to work is a very nasty hack where the LDAP DB basically has to store another value which the AAA server requests (and treats as a password) in order to do the MSCHAP locally. So you also end up with two passwords for each user.

If you do this you might as well let anyone on your network. After all, if your AAA server can get the password... who else can?

johannf Tue, 02/27/2007 - 23:39

OK, thanks, but then I don't understand why FreeRADIUS supports MSCHAP and ACS doesn't.

JF

darpotter Wed, 02/28/2007 - 03:11

I take your point. It's a balance between functionality versus security.

Cisco could choose to add a kludge solution. But generally the golden rule of all password repositories should be: passwords go in, never out.

Since LDAP itself can't/won't support MSCHAP natively, you need to implement a "back door" to allow plain-text passwords out of LDAP back into the AAA server.

You then have issues of password management, but more importantly: how secure is the system you will have built?
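A toy model of the mismatch darpotter describes, added here as an illustration and not code from the thread or from any Cisco or Novell product: a directory that only offers bind(), an AAA server that must recompute the client's challenge response, and the "second value" workaround. The real MS-CHAPv2 computation (MD4 NT hash plus three DES operations, RFC 2759) is replaced by HMAC-SHA256 so the script runs on the standard library alone; the class and function names are my own.

```python
"""Constructed model of why a bind-only LDAP directory cannot back MS-CHAPv2.
HMAC-SHA256 stands in for the real MD4/DES arithmetic of RFC 2759."""
import hashlib
import hmac
import os


def password_equivalent(password: str) -> bytes:
    # Stand-in for the NT hash: a fixed one-way function of the password alone.
    # Whoever holds it can answer any challenge, so it is a second password.
    return hashlib.sha256(b"nt-equiv:" + password.encode("utf-16-le")).digest()


class Directory:
    """LDAP-like store. bind() is the only password operation a directory
    normally offers: the password goes in, a yes/no comes out, nothing leaves."""

    def __init__(self) -> None:
        self._salted = {}   # user -> (salt, salted hash); useless for MS-CHAP
        self.extra = {}     # the "nasty hack": a readable password-equivalent

    def add_user(self, user: str, password: str, store_equivalent: bool = False) -> None:
        salt = os.urandom(16)
        self._salted[user] = (salt, hashlib.sha256(salt + password.encode()).digest())
        if store_equivalent:
            self.extra[user] = password_equivalent(password)

    def bind(self, user: str, password: str) -> bool:
        if user not in self._salted:
            return False
        salt, digest = self._salted[user]
        return hmac.compare_digest(digest, hashlib.sha256(salt + password.encode()).digest())


def client_response(password: str, challenge: bytes) -> bytes:
    # The supplicant proves knowledge of the password without ever sending it.
    return hmac.new(password_equivalent(password), challenge, hashlib.sha256).digest()


def aaa_verify(directory: Directory, user: str, challenge: bytes, response: bytes):
    """The AAA server must recompute the response, so it needs the secret itself.
    Returns None when the directory only offers bind(): verification is impossible."""
    secret = directory.extra.get(user)
    if secret is None:
        return None
    return hmac.compare_digest(hmac.new(secret, challenge, hashlib.sha256).digest(), response)


def attribute_alone_answers(directory: Directory, user: str, challenge: bytes, response: bytes) -> bool:
    """Why the workaround is a second password: the stored attribute alone,
    with no knowledge of the cleartext, reproduces a valid response."""
    secret = directory.extra.get(user)
    return secret is not None and hmac.new(secret, challenge, hashlib.sha256).digest() == response
```

The `extra` attribute therefore needs the same protection as the password itself, and any account that can read it (the AAA server's LDAP bind account included) becomes an impersonation path, which is the thread's "who else can?" point.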
