ACS Radius to LDAP

mironduplessis
Level 1

Hi,

I have an ACS 3.3 server set up to authenticate externally via an LDAP server.

When authenticating my VPN users it works well, as I'm using the Cisco VPN 3000 RADIUS option.

When authenticating TACACS users it works well.

However, when attempting to authenticate an 802.1x client using LEAP, the error in the reports states that the external database does not support this type of authentication. For these users the RADIUS for Aironet option is selected. I can authenticate to the RADIUS server if I use a local user/password on the ACS.

When debugging the LDAP server it seems that the ACS sends the two requests slightly differently. When authenticating a user from RADIUS Aironet it attempts to obtain the group details. This is not supported on our LDAP servers, as we do not use groups.

Does anyone know why the ACS sends the requests differently, and how to change the ACS behaviour?

Regards

Miron

4 Replies

andrewclymer
Level 1

You cannot authenticate against LDAP with LEAP.

The LEAP protocol never sends the plain-text password; it only sends an MSCHAP-generated hash of the password, so ACS needs to be able to retrieve the plain-text password of the user from the identity store, compute the hash and compare it to the one supplied. In the case of LDAP and directories, the LDAP bind function does not allow you to retrieve the plain-text password; it only tells you whether a supplied password is correct or not.

When I was at Cisco we tried to get the directory vendors to support MSCHAP-based bind but could not get enough traction.

PEAP and EAP-FAST are protocols designed to get around this problem and revert to sending a form of the clear-text password inside a secure tunnel, allowing the use of identity stores like directories and token servers.
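To make the distinction in this reply concrete, here is an added illustration (not code from the thread, ACS, or any Cisco product) of why a challenge/response method like LEAP needs a store that can hand back the stored credential, while a bind-only directory can still serve a tunnelled clear-text method. The hash and response functions are simplified stand-ins (SHA-256/HMAC instead of the real MD4 NT hash and DES) so the example runs with the standard library; the user database, names and challenge are constructed.

```python
import hashlib
import hmac


def password_hash(password: str) -> bytes:
    """Stand-in for the NT hash: the only form of the credential the client ever uses."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def chap_response(pw_hash: bytes, challenge: bytes) -> bytes:
    """Client side of a LEAP/MS-CHAP style exchange: prove knowledge of the hash,
    never transmit the password itself (stand-in: HMAC instead of DES)."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


class InternalUserDb:
    """ACS's own user database: the server can read the stored credential back."""
    def __init__(self, users):
        self._users = dict(users)           # constructed sample accounts

    def retrieve_hash(self, user: str) -> bytes:
        return password_hash(self._users[user])

    def bind(self, user: str, password: str) -> bool:
        return hmac.compare_digest(password_hash(self._users[user]), password_hash(password))


class LdapDirectory:
    """Directory reachable only through LDAP bind: it answers yes/no to a supplied
    password and has no operation that returns the stored credential."""
    def __init__(self, users):
        self._users = dict(users)

    def bind(self, user: str, password: str) -> bool:
        return hmac.compare_digest(password_hash(self._users[user]), password_hash(password))


def verify_chap(store, user: str, challenge: bytes, response: bytes) -> str:
    """Server side of LEAP: needs the stored hash to recompute the response.
    Returns 'accept', 'reject', or 'unsupported' (the ACS report in the thread)."""
    if not hasattr(store, "retrieve_hash"):
        return "unsupported"                # bind-only store: nothing to compare against
    expected = chap_response(store.retrieve_hash(user), challenge)
    return "accept" if hmac.compare_digest(expected, response) else "reject"


def verify_tunnelled_password(store, user: str, password: str) -> bool:
    """PEAP/EAP-FAST style inner method: the clear-text password arrives inside the
    TLS tunnel (tunnel not modelled here), so a plain bind against LDAP is enough."""
    return store.bind(user, password)
```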

andrew,

Thanks for that information.

I wanted my wireless clients to be able to associate with an AP over an encrypted session by dynamically obtaining the WEP key, and to use their LDAP logins for this process with no pre-shared keys or certificates.

One solution may be to have the LDAP server create duplicate user entries on the ACS server. Then LEAP will be able to work.

Is there any other way this may be done?

If I use PEAP, will I have to supply the users with a pre-shared key or certificate?

We are looking at all the methods that will be suitable for our user base. Presently we are thinking that a VPN solution over the wireless may be the most useful.

Regards

Miron

Duplicate user records would work, but then you have an issue of keeping both databases in sync, both in terms of removing accounts and modifying passwords.

If you have a centralised tool that you own that performs enterprise-wide password changes, then this is a possibility. There is an interface into ACS that will allow you to automate the synchronization of user accounts.

As for using PEAP, you will need to have a certificate on your ACS server which is part of a chain that ultimately contains a CA that all the clients in your organisation trust, e.g. VeriSign.

As for the VPN solution, this is a workable solution; I've seen this done in numerous places. It solves a lot of the problems of roaming between access points etc., since the security is done at layer 3 and not layer 2.

Andrew,

I am trying to configure the PEAP solution. I have it working with MS-CHAPv2 with a local user account.

If I want to authenticate the user against the LDAP server which is already set up and working with ACS, can I get away with not using a trusted CA and just use a self-signed certificate? Also, would you have to change the way the client connects?

Regards

Miron
