UCP using LDAP and PEAP-GTC

snarayanaraju
Level 4

Hi experts,

I am using PEAP-GTC with ACS secure engine 4.1 with external database as LDAP as authentication mechanism for my wireless clients.

I am trying to configure user changeable password in this setup. I am seeing in documents that only Windows Active Directory is possible to achieve this.

Can you please guide me how to configure user changeable password for my wireless clients when LDAP is used as external authentication server?

thanks in advance

sairam

2 Replies

Jatin Katyal
Cisco Employee

Hi Sairam:


You use the UCP application to enable users to change their ACS passwords, for ACS internal users only, with a web-based utility. When users need to change passwords, they can access the UCP web page by using a supported web browser.


Installing UCP:


http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/installation/guide/user_passwords/ucp41.html


We cannot use UCP with any kind of database, neither Windows nor LDAP. It only works for ACS internal/local users.


Secondly, for wireless clients, password change only works with PEAP-MSCHAPv2 and EAP-FAST, and only with the Windows database (AD), because it requires the MS-CHAP protocol to negotiate the password change.


On ACS we need to make sure that MS-CHAP is enabled under External User Databases > Database Configuration > Windows Database > Configure > Windows Authentication Configuration:


"Enable password changes using MS-CHAP version 1." and,

"Enable password changes using MS-CHAP version 2."


And, Under System Configuration > Global Authentication Setup > under "MS-CHAP Configuration",


Check "Allow MS-CHAP Version 1 Authentication"

Check "Allow MS-CHAP Version 2 Authentication"


You are using ACS as an authentication server with LDAP as a backend database, and LDAP doesn't support MS-CHAP.


Looks like none of these options fits your requirement.


HTH


Regards,

JK


Plz rate helpful posts-

~Jatin
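To illustrate why the reply above distinguishes the LDAP backend from the Windows database, here is an added example (not code from this thread, Cisco ACS or any Cisco product) that models the two credential paths. With PEAP-GTC the TLS tunnel delivers the user's cleartext password, so the server can verify it with an LDAP simple bind against a directory that stores only a salted hash. With MS-CHAP the client answers a challenge using a secret derived from the password, so the server itself must hold that password-equivalent; a directory holding only salted hashes cannot answer. Real MS-CHAPv2 uses the NT hash (MD4 of the UTF-16LE password) and DES; this example substitutes a simplified HMAC-SHA256 challenge/response (an assumption made for brevity), and the directory entries, salt and challenge are constructed sample values.

```python
"""Added illustration of the PEAP-GTC (cleartext-in-tunnel) versus MS-CHAP
(challenge/response) backend constraint. Not Cisco ACS code; the
challenge/response scheme is a simplified stand-in (assumption) for MS-CHAPv2."""
import hashlib
import hmac

SSHA_DIGEST_LEN = 20  # SHA-1 digest length; the salt follows the digest in {SSHA}


def make_ssha(password: str, salt: bytes) -> bytes:
    """Build an LDAP {SSHA}-style value: SHA-1(password || salt) || salt."""
    return hashlib.sha1(password.encode("utf-8") + salt).digest() + salt


def ldap_simple_bind(stored_ssha: bytes, password: str) -> bool:
    """GTC path: re-hash the supplied cleartext with the stored salt and compare."""
    salt = stored_ssha[SSHA_DIGEST_LEN:]
    return hmac.compare_digest(make_ssha(password, salt), stored_ssha)


def password_equivalent(password: str) -> bytes:
    """Stand-in for the NT hash: an unsalted secret derived from the password alone,
    which is what a challenge/response scheme requires the server to store."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def chap_client_response(password: str, challenge: bytes) -> bytes:
    """Client side of the simplified challenge/response (assumption: HMAC-SHA256)."""
    return hmac.new(password_equivalent(password), challenge, "sha256").digest()


def chap_server_verify(stored_secret, challenge: bytes, response: bytes) -> bool:
    """Server side: only possible if the backend holds the password-equivalent secret."""
    if stored_secret is None:
        # A directory with {SSHA} only has a salted SHA-1; it cannot be turned back
        # into the password-equivalent, so there is nothing to recompute the response with.
        return False
    expected = hmac.new(stored_secret, challenge, "sha256").digest()
    return hmac.compare_digest(expected, response)


def backend_capabilities(password: str) -> dict:
    """Constructed directory entries for one user in each backend style; returns
    which inner-method check each backend is able to serve."""
    salt = b"\x01\x02\x03\x04\x05\x06\x07\x08"  # constructed fixed salt
    ldap_entry = {"userPassword": make_ssha(password, salt)}  # LDAP: salted hash only
    ad_entry = {"nt_equivalent": password_equivalent(password)}  # AD: password-equivalent
    challenge = b"\xaa" * 16  # constructed server challenge
    response = chap_client_response(password, challenge)
    return {
        "ldap_gtc_bind": ldap_simple_bind(ldap_entry["userPassword"], password),
        "ldap_mschap": chap_server_verify(ldap_entry.get("nt_equivalent"), challenge, response),
        "ad_mschap": chap_server_verify(ad_entry["nt_equivalent"], challenge, response),
    }


if __name__ == "__main__":
    # Expected: LDAP serves the GTC bind but not MS-CHAP; AD serves MS-CHAP.
    print(backend_capabilities("correct horse"))
```

The same property is what blocks password change: MS-CHAP negotiates the new password in terms of the old password-equivalent, so the backend must store and accept that form, which a Windows domain does and an {SSHA}-style LDAP directory does not.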

Dear JK,

I am worried that you are saying that, using LDAP + PEAP-GTC + ACS, it is not possible to make a setup which enables the wireless users to change their password.

Otherwise it will be difficult for us to control the users. I prefer the users should maintain their own password.

Can you please suggest any other solution which will enable this setup using LDAP + ACS + another EAP method for my wireless clients? (Please note: I do not want certificate authentication, as it will again require the cumbersome task of distributing certificates to users.)

thanks in advance

SAIRAM