ACS 4.x and LDAP as user database

johannf
Level 1

Does anyone know when/if Cisco plans to let LDAP support PEAP (MSCHAPv2)?

We are running Novell, and it seems that we have to use FreeRADIUS because PEAP with MSCHAPv2 is not supported when LDAP is the user database.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a00806fe24a.html#wp857274

Johann Folkestad

3 Replies

darpotter
Level 5

It's not a matter of Cisco allowing it. LDAP databases don't generally support MSCHAP, despite (during my time at Cisco) constant nagging.

I guess if enough customers moaned loud enough at the LDAP vendors they might support it natively.

The only way I know it can be made to work is a very nasty hack where the LDAP DB basically has to store another value which the AAA server requests (and treats as a password) in order to do the MSCHAP locally. So you also end up with two passwords for each user.

If you do this you might as well let anyone on your network. After all, if your AAA server can get the password... who else can?
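To make the mechanism behind this reply concrete: the "other value" the AAA server would have to fetch is the NT hash, MD4 over the UTF-16LE password, because the MS-CHAPv2 NT-Response (RFC 2759) is three DES encryptions of a challenge keyed with that hash. The Go program below is an added example, not code from this thread, from Cisco ACS or from FreeRADIUS. It implements the RFC 2759 primitives (with a hand-written MD4, since Go's standard library lacks one) and runs them against the RFC's own section 9.2 test vectors. The point to notice is the signature of VerifyNtResponse: the server-side check consumes the stored NT hash, so any directory that supports MS-CHAPv2 has to hand that hash (a password-equivalent) to the AAA server; a simple bind that only answers success or failure cannot. The program does not talk to LDAP or ACS.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"unicode/utf16"
)

// md4 is a plain RFC 1320 implementation, here only because MD4 is not in Go's standard library.
func md4(msg []byte) [16]byte {
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	s1, s2, s3 := [4]int{3, 7, 11, 19}, [4]int{3, 5, 9, 13}, [4]int{3, 9, 11, 15}
	x3 := [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
	buf := append(append([]byte{}, msg...), 0x80) // copy: leave the caller's slice alone
	for len(buf)%64 != 56 {
		buf = append(buf, 0)
	}
	var bitLen [8]byte
	binary.LittleEndian.PutUint64(bitLen[:], uint64(len(msg))*8)
	buf = append(buf, bitLen[:]...)
	for off := 0; off < len(buf); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(buf[off+4*i:])
		}
		aa, bb, cc, dd := a, b, c, d
		for i := 0; i < 16; i++ { // round 1: F = (b AND c) OR (NOT b AND d)
			a, d, c, b = d, c, b, bits.RotateLeft32(a+((b&c)|(^b&d))+x[i], s1[i%4])
		}
		for i := 0; i < 16; i++ { // round 2: G = majority(b, c, d)
			a, d, c, b = d, c, b, bits.RotateLeft32(a+((b&c)|(b&d)|(c&d))+x[(i%4)*4+i/4]+0x5a827999, s2[i%4])
		}
		for i := 0; i < 16; i++ { // round 3: H = b XOR c XOR d
			a, d, c, b = d, c, b, bits.RotateLeft32(a+(b^c^d)+x[x3[i]]+0x6ed9eba1, s3[i%4])
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	var out [16]byte
	for i, v := range [4]uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// NtPasswordHash = MD4(UTF-16LE(password)), RFC 2759 section 8.3. This is the value the
// AAA server must hold; an LDAP simple bind only answers yes/no and never yields it.
func NtPasswordHash(password string) [16]byte {
	u := utf16.Encode([]rune(password))
	b := make([]byte, 2*len(u))
	for i, v := range u {
		binary.LittleEndian.PutUint16(b[2*i:], v)
	}
	return md4(b)
}

// ChallengeHash = SHA-1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8], RFC 2759 section 8.2.
func ChallengeHash(peerChallenge, authChallenge []byte, username string) (out [8]byte) {
	sum := sha1.Sum(append(append(append([]byte{}, peerChallenge...), authChallenge...), username...))
	copy(out[:], sum[:])
	return out
}

// desKey spreads 7 key bytes over 8 (RFC 2759 section 8.6); the low bit of each byte is DES parity, which the cipher ignores.
func desKey(k []byte) []byte {
	return []byte{k[0], k[0]<<7 | k[1]>>1, k[1]<<6 | k[2]>>2, k[2]<<5 | k[3]>>3,
		k[3]<<4 | k[4]>>4, k[4]<<3 | k[5]>>5, k[5]<<2 | k[6]>>6, k[6] << 1}
}

// ChallengeResponse (RFC 2759 section 8.5): the NT hash zero-padded to 21 bytes gives three DES keys, each encrypting the challenge.
func ChallengeResponse(challenge [8]byte, ntHash [16]byte) (resp [24]byte) {
	var zhash [21]byte
	copy(zhash[:], ntHash[:])
	for i := 0; i < 3; i++ {
		blk, _ := des.NewCipher(desKey(zhash[7*i : 7*i+7])) // key is always 8 bytes, so no error
		blk.Encrypt(resp[8*i:8*i+8], challenge[:])
	}
	return resp
}

// VerifyNtResponse is the AAA-server side. Its input is the stored NT hash: not the password,
// and not a yes/no from a bind. Whatever can call this holds a password-equivalent secret.
func VerifyNtResponse(ntHash [16]byte, authChallenge, peerChallenge []byte, username string, response []byte) bool {
	want := ChallengeResponse(ChallengeHash(peerChallenge, authChallenge, username), ntHash)
	return subtle.ConstantTimeCompare(want[:], response) == 1
}

func main() { // challenges and password are the RFC 2759 section 9.2 test vectors
	auth, _ := hex.DecodeString("5B5D7C7D7B3F2F3E3C2C602132262628")
	peer, _ := hex.DecodeString("21402324255E262A28295F2B3A337C7E")
	h := NtPasswordHash("clientPass") // the "second password" the directory would have to expose
	resp := ChallengeResponse(ChallengeHash(peer, auth, "User"), h) // supplicant side
	fmt.Printf("NT hash %x\nNT-Response %x\nverified %v\n", h, resp, VerifyNtResponse(h, auth, peer, "User", resp[:]))
}
```

Run it with go run; the challenges, username and password in main are the RFC 2759 section 9.2 vectors, not values constructed here. The supplicant computes the response from the plaintext password, but the server never needs the plaintext: the NT hash alone is enough to both verify and forge responses, which is why anyone who can read that directory attribute is as good as the legitimate client, the point this reply makes about "who else can" get the password.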

OK thanks, but then I don't understand why FreeRADIUS supports MSCHAP and ACS doesn't.

JF

I take your point.. it's a balance between functionality versus security.

Cisco could choose to add a kludge solution. But generally the golden rule of all password repositories should be: passwords go in, never out.

Since LDAP itself can't/won't support MSCHAP natively, you need to implement a "back door" to allow plaintext passwords out of LDAP back into the AAA server.

You then have issues of password management, but more importantly... how secure is the system you will have built?
