I have an ACS 3.3 Server set up to authenticate externally via an LDAP Server.
When authenticating my VPN users it works well, as I'm using the Cisco VPN 3000 RADIUS option.
When authenticating Tacacs users it
However, when attempting to authenticate an 802.1x client using LEAP, the error in the reports states that the external database does not support this type of authentication. For these users the RADIUS for Aironet option is selected. I can authenticate to the RADIUS server if I use a local user/password on the ACS.
When debugging the LDAP server it seems that the ACS sends the two requests slightly differently. When authenticating a user via RADIUS Aironet it attempts to obtain the group details. This is not supported on our LDAP servers as we do not use groups.
Does anyone know why the ACS sends the requests differently, and how to change the ACS behaviour?
The LEAP protocol never sends the plain text password; it only sends an MSCHAP generated hash of the password, so ACS needs to be able to retrieve the plain text password of the user from the identity store, compute the hash and compare it to the one supplied. In the case of LDAP and directories, the LDAP bind function does not allow you to retrieve the plain text password; it only tells you if a supplied password is correct or not.
When I was at Cisco we tried to get the directory vendors to support MSCHAP based bind but could not get enough traction.
PEAP and EAP-FAST are protocols designed to get around this problem and revert back to sending a form of the clear text password inside a secure tunnel, to allow you to use identity stores like directories and token servers.
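As an added illustration (not from the original thread), this Python model shows why a bind-only directory cannot back LEAP while a tunneled method can. The `leap_response` function uses HMAC-SHA256 as a stand-in for the real MD4/DES MS-CHAP computation, and the class names and user data are constructed for the example.

```python
import hmac
import hashlib

# Stand-in for the MS-CHAP challenge/response used by LEAP. Real LEAP derives an
# NT hash (MD4 of the UTF-16LE password) and DES-encrypts the challenge with it;
# HMAC-SHA256 is used here only to keep the example self-contained (assumption).
def leap_response(password: str, challenge: bytes) -> bytes:
    return hmac.new(password.encode("utf-16-le"), challenge, hashlib.sha256).digest()

class LocalUserDatabase:
    """Models the ACS local user store: the server can read the stored secret."""
    def __init__(self, users: dict):
        self._users = users  # constructed sample data

    def get_password(self, user: str):
        return self._users.get(user)

class LdapDirectory:
    """Models an LDAP directory: the only operation is bind(), a yes/no check.
    There is deliberately no get_password(): a directory never hands it out."""
    def __init__(self, users: dict):
        self._users = users  # constructed sample data

    def bind(self, user: str, password: str) -> bool:
        return self._users.get(user) == password

def verify_leap(store, user: str, challenge: bytes, response: bytes) -> str:
    """ACS side of LEAP: recompute the response from the stored secret and compare."""
    if not hasattr(store, "get_password"):
        # This is the situation behind the report's error message.
        return "external database does not support this authentication type"
    password = store.get_password(user)
    if password is None:
        return "unknown user"
    expected = leap_response(password, challenge)
    return "ok" if hmac.compare_digest(expected, response) else "bad password"

def verify_tunneled(directory: LdapDirectory, user: str, password: str) -> str:
    """PEAP / EAP-FAST inner method: the cleartext password arrives inside the TLS
    tunnel, so ACS can simply bind to the directory with it."""
    return "ok" if directory.bind(user, password) else "bad password"

if __name__ == "__main__":
    users = {"alice": "S3cret!"}  # constructed
    local, ldap, chal = LocalUserDatabase(users), LdapDirectory(users), b"\x01" * 8
    print(verify_leap(local, "alice", chal, leap_response("S3cret!", chal)))  # ok
    print(verify_leap(ldap, "alice", chal, leap_response("S3cret!", chal)))   # unsupported
    print(verify_tunneled(ldap, "alice", "S3cret!"))                           # ok
```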
I wanted my wireless clients to be able to associate with an AP over an encrypted session by dynamically obtaining the WEP key, and to use their LDAP logins for this process with no preshared keys or certificates.
One solution may be to have the LDAP server create duplicate user entries on the ACS server. Then LEAP will be able to work.
Is there any other way this may be done?
If I use PEAP, will I have to supply the users with a preshared key or certificate?
We are looking at all the methods that will be suitable for our user base. Presently we are thinking that a VPN solution over the wireless may be the most useful.
Duplicate user records would work, but then you have an issue of keeping both databases in sync, both in terms of removing accounts and modifying passwords.
If you have a centralised tool that you own that performs enterprise wide password change then this is a possibility. There is an interface into ACS that will allow you to automate the synchronization of user accounts.
As for using PEAP, you will need to have a certificate on your ACS server which is part of a chain that ultimately contains a CA that all the clients in your organisation trust, e.g. VeriSign.
As for the VPN solution, this is a workable solution; I've seen this done in numerous places. It solves a lot of the problems of roaming between access points etc. since the security is done at layer 3 and not layer 2.