SEC0034 - ISE 1.1 LDAP Integration and Identity Source Sequence
Category:
Security
The video demonstrates the steps to integrate Cisco ISE with an LDAP directory server. Here we use Active Directory as the example directory. The configuration steps and results are very similar to native AD integration, although with LDAP you are able to limit the search scope. User group membership can also be retrieved for use in authorization policies. We will also create a simple Identity Source Sequence in which LDAP is included as one of the Identity Sources.
Topic:
- External Identity Source (LDAP)
- LDAP User Group Selection
- Identity Source Sequence
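As an added illustration (not the lab's configuration or any Cisco ISE code), the Python sketch below models two things the lab and the comment thread touch on: the subject search filter an LDAP identity store issues, with the username escaped so a typed-in name cannot alter the filter, and the walk through an Identity Source Sequence, where a store is skipped when it cannot verify the authentication protocol in use and the next store is tried when the user is not found. Store names, users, groups and the attribute names are constructed sample data; the protocol table reflects the thread's point that an LDAP bind can only check a clear-text password (PAP, EAP-GTC), not an MSCHAPv2 challenge/response.

```python
# Added example, not from the lab or Cisco ISE: a minimal model of an Identity
# Source Sequence and of the LDAP subject-search filter. All names are constructed.

# Methods a store can verify. An LDAP store checks passwords with a simple bind,
# so it needs the clear-text password (PAP, EAP-GTC); MSCHAPv2 only yields a
# challenge/response, which a bind cannot check, so that store is skipped.
STORE_PROTOCOLS = {
    "AD": {"PAP", "EAP-GTC", "EAP-MSCHAPv2"},
    "LDAP": {"PAP", "EAP-GTC"},
}


def escape_ldap_filter(value):
    """Escape user-supplied text per RFC 4515 before placing it in a filter."""
    special = "\\*()\x00"
    return "".join("\\%02x" % ord(ch) if ch in special else ch for ch in value)


def subject_filter(username, subject_attr="sAMAccountName", object_class="person"):
    """Filter the LDAP identity store sends for its Subject Search."""
    return "(&(objectClass=%s)(%s=%s))" % (
        object_class, subject_attr, escape_ldap_filter(username))


def walk_sequence(sequence, username, protocol):
    """Walk (name, kind, users) stores in order, as an Identity Source Sequence does.

    Returns the matching store and its group list plus a trail explaining why
    each earlier store was passed over (skipped: protocol unsupported;
    not found: user absent, so the next store is consulted).
    """
    trail = []
    for name, kind, users in sequence:
        if protocol not in STORE_PROTOCOLS[kind]:
            trail.append("%s: skipped, %s not supported" % (name, protocol))
            continue
        if username not in users:
            trail.append("%s: user not found, trying next store" % name)
            continue
        return {"result": "found", "store": name,
                "groups": users[username], "trail": trail}
    return {"result": "not found", "store": None, "groups": [], "trail": trail}


# Constructed sequence: an AD join point first, then an LDAP store (e.g. a
# contractor directory) that ISE has been configured to search by group.
SAMPLE_SEQUENCE = [
    ("CorpAD", "AD", {"jdoe": ["Domain Users", "VPN-Users"]}),
    ("CorpLDAP", "LDAP", {"asmith": ["Contractors"]}),
]
```

Running `walk_sequence(SAMPLE_SEQUENCE, "asmith", "EAP-MSCHAPv2")` reproduces the situation in the comments: the LDAP store is skipped and the user is never found, while the same lookup with `"EAP-GTC"` succeeds and returns the Contractors group for authorization.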
8 comments
LDAP as authC source for Wireless
Thanks for these great videos, they've been extremely helpful. I'm having some difficulty setting up Wireless 802.1X using LDAP as the authC source. I understand there are limitations on what EAP methods can be used. Since PEAP is not supported with LDAP, I'd like to use EAP-FAST because certificates would be difficult to implement in my environment, but I'm not sure if that method works at all with LDAP (can't find anything saying one way or the other). A video or some thoughts on the subject would be great. Thanks!
LDAP as authC source for Wireless
We are not aware of any limitation on using LDAP with PEAP. Did you find this documented somewhere, or did you try this out yourself without success? As far as ISE is concerned, LDAP is just another way of looking up user identity and should not really be tied to any particular authentication protocol.
ISE, LDAP and MSCHAPv2
Thanks for responding. I have a TrustSec 2.1 document (Authenticating to Multiple AD Domains, Aug 2012) that states "Cisco ISE supports all Extensible Authentication Protocol (EAP) versions, including Transport Layer Security (TLS) and Protected EAP-Generic Token Card (PEAP-GTC). However, Microsoft Challenge Handshake Authentication Protocol Version 2 (MSCHAPv2) is not possible when an LDAP-based authentication server is used. Table 1 shows these authentication and authorization policies (AuthC and AuthZ)." So when I say that PEAP is not supported, what I mean is PEAPv0 with EAP-MSCHAPv2. I'm sure PEAP with EAP-GTC would probably work, but tokens are also not going to happen in my environment.
Secure LDAP
Could you please explain the process or even do a video on how to implement LDAP securely?
Thanks,
Joe
Wireless LDAP
How can you get past the limitation of mschapv2 not being supported for LDAP?
Wireless LDAP
Were you able to confirm that MSCHAPv2 does not work with LDAP? If not, I would give it a try despite what the Cisco doc says first.
Confirmed
Yes, the authentication messages show that it skips the store due to the fact that it isn't supported.
Confirmed
In that case, you are not left with a whole lot of options. You can try to see if the Windows native supplicant supports any other password-based authentication protocol (I don't recall any). If not, the other option is to use a supplicant like Cisco AnyConnect, which supports a wider suite of protocols.