Why we do not support this Authentication protocol (EAP-MSCHAP) with External identity source like LDAP

lemontan
Cisco Employee

I have a public sector customer with an external LDAP as the user database, and they are currently using ClearPass as their RADIUS server.

These customers are from the education sector, where the PCs and notebooks are old and in many cases are unsupported or not managed centrally, so installing a client or a certificate is not an option.

The authentication protocol EAP-MSCHAPv1/v2 with LDAP as the external identity source is the only choice for them.

Today everything is working fine for them, but in the migration from ClearPass to ISE, the problem is the lack of support for this combination (EAP-MSCHAP with LDAP (Oracle or OpenLDAP) as the external database).

Right now the workaround is using ISE as a RADIUS proxy to ClearPass, but this is not a satisfactory solution for the customer.

This issue is not only for this specific customer; we will have the same problem with almost all public sector customers if we want to go with ISE as the solution.

I have a specific question regarding why we do not support this authentication protocol with an external identity source, i.e.:

MSCHAPv1/v2 with LDAP (LDAP as Ext. Identity Source)

or

EAP-MSCHAPv2 with LDAP (LDAP as Ext. Identity Source)

I need to answer with detailed technical information about why we don't support it but ClearPass does.

I repeat, using ISE as a RADIUS proxy to ClearPass is not an option.

I have not found any document with a detailed answer to explain to my customer why it does not work.

I need your help.

Regards

Leo

Accepted Solution

To add a bit more color: making the MSCHAP password available to LDAP requires that you reduce password security by storing the password in cleartext and regenerating the hash for use in the auth exchange, or by storing it in a reversibly encrypted LDAP store. Still, customers have expressed a desire to implement such functionality even if it is not as secure as AD password storage, so the feature has been raised in priority. Use of Secure LDAP may reduce some of the security concerns. In any case, the original decision not to include LDAP support for PEAP-EAP-MSCHAPv2 was based on security concerns that another vendor may never even mention to their customer.

Craig


2 Replies

hslai
Cisco Employee

Mainly due to planning and priority. Please discuss it with our PM team.
