We are trying to onboard devices for Wireless and are having issues with the fact that MSCHAPv2 isn't supported for LDAP. Our goal is to have the user attach to a single SSID and authenticate using their LDAP credentials, then we pass them on to a supplicant provisioning that will implement EAP-TLS. Is this possible? We don't want to have to add the users as a local user. We won't be able to utilize AD due to multiple LDAP instances.
We have followed the Cisco Press design which says to do PEAP and point it to the LDAP store, but this still gives that result. How can we onboard the devices (iPads, Windows laptops) using LDAP in order to present the SCEP supplicant process?
To add to the previous questions, if you are using EAP-TLS, I assume you have to have a certificate store listed in the identity sequence. If this is the case, is there any way to retrieve group membership with EAP-TLS via LDAP? I would like to use group membership in the authorization policy, but I am not sure that this will work since after the certificate profile is matched the LDAP store isn't queried. Is it possible to do group membership attributes with EAP-TLS and LDAP?
You can use the CWA functionality; however, that changes your single SSID wish to a dual SSID setup (because you cannot enable MAC filtering with 802.1X on the same WLAN). From there the user can log in with their LDAP credentials and gain access to the policy that will onboard their personal device.
To your second question the answer is yes, you should be able to use LDAP groups when using EAP-TLS. I personally have never used an LDAP integration with ISE; that is because all ISE deployments I have worked on have always used AD.
Thanks for your reply. To follow up, can the CWA utilize the LDAP with Wireless? Would this still not use MSCHAPv2?
From what I can tell, if the authentication profile has the CAP listed in the Identity Sequence and a cert is present on the client, there is no LDAP lookup for the user. The certificate common name is presented to ISE and the user authenticates with no attributes gathered.