Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Cisco ISE LDAP for Wireless Issues

We are trying to onboard devices for Wireless and are having issues with the fact that mschapv2 isn't supported for LDAP.  What our goal is to have the  user attach to a single SSID and authencticate using their LDAP credentials then we pass them on to a supplicant provisioning that will implement EAP-TLS.  Is this possible?  We don't want to have to add the users as a local user.  We won't be able to utilize AD due to multiple LDAP instances.

We have followed the Cisco Press design which says to do PEAP and point it to the LDAP store but this still gives that results.  How can we onboard the devices (ipads,windows laptops) using LDAP inorder to present the SCEP supplicant process?

Thanks,

Joe

3 REPLIES
New Member

Re: Cisco ISE LDAP for Wireless Issues

To add to the previous questions, if you are using EAP-TLS, I assume you have to have a certificate store listed in the identity sequence. If this is the case is there anyway to retrieve group member ship with EAP-TLS via LDAP? I would like to use group membership in the authorization policy but I am not sure that this will work since after the certificate profile is matched the LDAP store isn't queried. Is it possible to do group membership attributes with EAP-TLS and LDAP?

Thanks,

Joe

Sent from Cisco Technical Support iPad App

Cisco ISE LDAP for Wireless Issues

Hi,

You can use the CWA functionality however, that changes your single ssid wish to a dual ssid setup (because you can not enable mac filtering with 802.1x on the same wlan), from there the user can login with their LDAP credentials and gain access to the policy that will onboard their personal device.

To your second question the answer is yes, you should be able to use LDAP groups when using eap-tls. I personally have never used an ldap integration with ISE that is because all ISE deployments I have worked on have always used AD.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
New Member

Re: Cisco ISE LDAP for Wireless Issues

Thanks for your reply, to followup can the CWA utilize the LDAP with Wireless?  Would this still not use mschapv2? 

From what I can tell if the authencation profile has the CAP listed in the Identity Sequence and a cert is present on the client their is no LDAP lookup for the user.  The certificate common name is presented to ISE and the user authenticates with no attributes gathered.

Please advise,

Joe

188
Views
0
Helpful
3
Replies
CreatePlease login to create content