ACS,Novell and EAP-FAST

Unanswered Question
Dec 20th, 2007

Hello,

I'm in trouble with this infrastructure:

- ACS 4.1
- Aironet 1231
- PC with ADU
- external user database: Novell NDS

At the start, I tried to use the Windows external database with EAP-FAST authentication, with success, but when I set only LDAP as the external user database, nothing happens.

I read something about there being no compatibility between LDAP and EAP-FAST; is it true?

And what kind of authentication is compatible with an LDAP database?

EAP-GTC? EAP-TLS? Please, if someone has designed or configured an infrastructure like this, can you give me some advice? ...thanks and best regards

gfullage Tue, 01/08/2008 - 19:59

You can use this table (http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/o.html#wp824733) to check compatibility between the authentication method and the external database. It's important to remember that not all authentication types are supported on all external databases, generally due to how the password is sent within the authentication method and the way it's stored in the external DB (nothing ACS can do about it). You can't, for example, use CHAP against a Windows back-end, as the two are stored differently and can't be compared.


Note that EAP-FAST is NOT supported with LDAP.

stefanotiburzi Wed, 01/09/2008 - 00:31

Thanks for the answer; I'm just thinking about using PEAP(EAP-GTC), which should be compatible, instead of PEAP(MSCHAP), and doesn't require any CA server.

Do you know anything about this kind of authentication? I read about it; I know that probably I can use a static password that resides in the Novell database; probably the problem is about the password change. I don't know if the password can be changed manually or automatically when it expires in the Novell database... and what about the security? Is the encryption ensured by the WAP? I know... a lot of doubts, but at the start of the project Novell didn't exist and everything was working fine with Windows!!!

gfullage Wed, 01/09/2008 - 20:58

The trouble with LDAP is the password is stored in the clear and therefore has to be sent in the clear. Note from the previous table that the only authentication methods that LDAP supports all send the password in the clear (albeit some of them within an encrypted tunnel).


EAP-GTC is generally used for token (one-time) passwords, which are OK to send in the clear since they're only valid one time. GTC stands for Generic Token Card. I'm not actually sure if you can just use it for non-token authentication; never even thought about it.


PEAP(EAP-TLS) might be better, but will require certs, or EAP-FASTv1a (Phase two in the table) which comes with ACS v4.0 by default.
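The two answers above turn on one point: a challenge/response method such as CHAP needs the authentication server to recompute a digest over the cleartext secret, so it only works when the back-end can hand that secret over, whereas a directory that only answers "does this cleartext password belong to this user?" (a simple bind) can only verify methods that deliver the cleartext to the server, which is why the LDAP-compatible methods all carry the password in the clear, tunnelled or not. The following Python script is an added illustration of that mechanism and is not code from the thread, from Cisco ACS, or from any directory product; the user, password, salt and the `directory_bind` model of a hash-only back-end are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample data: one user, one password. Nothing here comes from the thread.
USER = "alice"
PASSWORD = "S3cret!pw"
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")


def salted_sha256(password: str, salt: bytes) -> bytes:
    """Salted digest used by the constructed hash-only directory."""
    return hashlib.sha256(salt + password.encode()).digest()


# Back-end 1: a store that can hand the recoverable (cleartext) password to the
# authentication server, so the server can recompute challenge/response digests.
RECOVERABLE_STORE = {USER: PASSWORD}

# Back-end 2: a directory that keeps only a salted digest and exposes a single
# operation, a simple bind: "is this cleartext password correct for this user?"
HASH_ONLY_STORE = {USER: (SALT, salted_sha256(PASSWORD, SALT))}


def directory_bind(user: str, password: str) -> bool:
    """Models an LDAP simple bind: the directory hashes the offered password
    and compares it with what it stored. It never reveals the secret."""
    entry = HASH_ONLY_STORE.get(user)
    if entry is None:
        return False
    salt, digest = entry
    return hmac.compare_digest(salted_sha256(password, salt), digest)


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) response: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret.encode() + challenge).digest()


def verify_chap_recoverable(user: str, ident: int, challenge: bytes, response: bytes) -> bool:
    """Server side of CHAP against a back-end that can return the cleartext secret."""
    secret = RECOVERABLE_STORE.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)


def verify_chap_hash_only(user: str, ident: int, challenge: bytes, response: bytes):
    """Returns None to signal 'cannot be evaluated': recomputing the CHAP digest
    needs the cleartext secret, which a hash-only directory will not disclose,
    and a bind cannot check a digest, only a cleartext password."""
    return None


def verify_pap_hash_only(user: str, password: str) -> bool:
    """A PAP-style check (also what an EAP-GTC exchange delivers inside its
    tunnel): the cleartext reaches the server, so a directory bind works."""
    return directory_bind(user, password)


def demo(challenge: bytes = None) -> dict:
    """Runs each method against each back-end and returns the outcomes."""
    if challenge is None:
        challenge = os.urandom(16)
    ident = 7
    good = chap_response(ident, PASSWORD, challenge)
    bad = chap_response(ident, "wrong-password", challenge)
    return {
        "chap/recoverable": verify_chap_recoverable(USER, ident, challenge, good),
        "chap/recoverable/wrong": verify_chap_recoverable(USER, ident, challenge, bad),
        "chap/hash-only": verify_chap_hash_only(USER, ident, challenge, good),
        "pap/hash-only": verify_pap_hash_only(USER, PASSWORD),
        "pap/hash-only/wrong": verify_pap_hash_only(USER, "wrong-password"),
    }


if __name__ == "__main__":
    for method, outcome in demo().items():
        print(f"{method:24} -> {outcome}")
```

The `None` outcome for CHAP against the hash-only store is the compatibility gap the table encodes: the method and the store are each fine on their own, but the server has no operation that connects them. Wrapping the PAP-style check in a TLS tunnel (PEAP or EAP-FAST phase two) protects the cleartext on the wire without changing what the directory sees.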

stefanotiburzi Thu, 01/10/2008 - 00:26

So, if I use EAP-GTC, all the passwords will be sent in the clear?? I can't do that!!

And what about EAP-TLS with EAP-FAST? This is the actual situation, but the problem is the automatic PAC provisioning (phase zero). LDAP supports only manual PAC; is that true?

And so, I have to create a PAC for every single user that should have access to the wireless LAN, and install them on every PC of the LAN? And what about password aging? Every time I have to replace the PAC key manually? Sorry for the very many questions, and thanks a lot for the help...
