02-27-2007 03:48 AM - edited 03-10-2019 03:00 PM
Does anyone know when/if Cisco plan to let LDAP support PEAP(mschapv2)?
We are running Novell, and it seems that we have to use FreeRADIUS because PEAP w/MSCHAP v.2 is not supported when LDAP is the user database.
Johann Folkestad
02-27-2007 05:39 AM
It's not a matter of Cisco allowing it. LDAP databases don't generally support MSCHAP despite (during my time at Cisco) constant nagging.
I guess if enough customers moaned loud enough at the LDAP vendors they might support it natively.
The only way I know it can be made to work is a very nasty hack where the LDAP db basically has to store another value which the AAA server requests (and treats as a password) in order to do the MSCHAP locally. So you also end up with 2 passwords for each user.
If you do this you might as well let anyone on your network. After all, if your AAA server can get the password... who else can?
02-27-2007 11:39 PM
OK thanks, but then I don't understand that FreeRADIUS supports MSCHAP and ACS doesn't.
JF
02-28-2007 03:11 AM
I take your point... it's a balance between functionality versus security.
Cisco could choose to add a kludge solution. But generally the golden rule of all password repositories should be: passwords go in - never out.
Since LDAP itself can't/won't support MSCHAP natively you need to implement a "back door" to allow plain text passwords out of LDAP back into the AAA server.
You then have issues of password management, but more importantly... how secure is the system you will have built?
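Why the AAA server must hold the NT hash (or the cleartext password) itself, worked through as an added example that is not from this thread, Cisco ACS or FreeRADIUS: the MS-CHAPv2 ChallengeResponse computation from RFC 2759 in Go, standard library only. The NT hash, challenges and user name are constructed values, and deriving the hash from a password (MD4 over UTF-16LE) is left out.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"fmt"
)

// challengeHash is ChallengeHash() from RFC 2759: SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[:8].
func challengeHash(peer, auth [16]byte, user string) []byte {
	sum := sha1.Sum(append(append(peer[:], auth[:]...), user...))
	return sum[:8]
}

// desKey spreads 7 key bytes over 8, leaving each byte's low (parity) bit clear, as RFC 2759 DesEncrypt() requires.
func desKey(k7 []byte) []byte {
	k := []byte{k7[0] & 0xfe, 0, 0, 0, 0, 0, 0, k7[6] << 1}
	for i := 1; i < 7; i++ {
		k[i] = k7[i-1]<<(8-i) | (k7[i]>>i)&0xfe
	}
	return k
}

// challengeResponse is ChallengeResponse() from RFC 2759: the 16-byte NT hash is zero-padded to 21 bytes,
// split into three 7-byte DES keys, and each encrypts the 8-byte challenge, giving the 24-byte response.
func challengeResponse(ntHash [16]byte, challenge []byte) []byte {
	zHash := make([]byte, 21)
	copy(zHash, ntHash[:])
	resp := make([]byte, 24)
	for i := 0; i < 3; i++ {
		c, _ := des.NewCipher(desKey(zHash[i*7 : i*7+7])) // key is always 8 bytes, so no error
		c.Encrypt(resp[i*8:], challenge)
	}
	return resp
}

// Verify is the AAA server's side: recompute the response from the stored NT hash and compare. An LDAP bind
// only answers whether a password is correct and hands back no hash to compute from, which is the gap described above.
func Verify(ntHash, peer, auth [16]byte, user string, response []byte) bool {
	expected := challengeResponse(ntHash, challengeHash(peer, auth, user))
	return subtle.ConstantTimeCompare(expected, response) == 1
}

var SampleNTHash = [16]byte{0x8a, 0x6f, 0x10, 0x2b, 0xc3, 0x5d, 0x77, 0xe1, 0x09, 0x44, 0xfa, 0x3c, 0x6e, 0x91, 0x52, 0xbd} // constructed, not a real hash

func main() {
	peer, auth := [16]byte{1, 2, 3, 4}, [16]byte{9, 8, 7, 6} // constructed challenges
	resp := challengeResponse(SampleNTHash, challengeHash(peer, auth, "alice"))
	fmt.Println("verifies:", Verify(SampleNTHash, peer, auth, "alice", resp))
}
```

The verifier side is the same computation the peer performs, so whatever store backs the AAA server has to release the hash (or the password) to it; a bind-only directory cannot.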