Correct, the SSID that we were using LDAP with did not use MSCHAPv2. Did they happen to mention what version that bug was fixed in?
We upgraded to 1.2 and it has been stable for us so far.

On Wed, Aug 14, 2013 at 11:17 AM, Curtis K. Larsen (UIT-Network) <[email protected]> wrote:

> Joe,
>
> Thanks for the reply. I am guessing you are not using PEAP-MSCHAPv2 is
> that correct? I have just come across the following from Cisco:
>
> CSCuc52361 Bug Details
> *ISE should allow domain modification/stripping for AD external store*
>
> *Symptom:*
> Currently ISE does not allow modifying the domain name before
> authentication when the external identity store used is AD. This is a
> problem in an environment like Eduroam where the specification enforces a
> particular username format (user@realm). Generally the username stored in
> the AD UPN field is not in the same format as the one supplied for
> authentication. It would be good to allow the modification of the AD
> username prior to authentication, or at least support suffix/prefix
> stripping, since this would be sufficient for local domain authentication
> (this would still break cross forest).
>
> *Conditions:*
> Trying to modify the domain name of the user before AD authentication.
>
> *Workaround:*
> Use LDAP for basic stripping (Does not currently work for MSCHAPv2)
>
> Thanks,
>
> Curtis
>
> ------------------------------
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv
> [[email protected]] on behalf of Joe Roth [[email protected]]
> *Sent:* Tuesday, August 13, 2013 6:58 PM
> *To:* [email protected]
> *Subject:* Re: [WIRELESS-LAN] ISE as RADIUS server with eduroam
>
> Curtis,
>
> We are not using eduroam but we are a Cisco ISE user. When you connect to
> AD via LDAP in ISE I believe that you can accomplish what you are looking
> to do. If you create a new LDAP identity source look under the directory
> structure tab. You can strip the subject name based on a dividing
> character. You can leave your current AD identity source in place and add
> the LDAP one as well, they will run side by side.
>
> On Tue, Aug 13, 2013 at 7:05 PM, Curtis K. Larsen (UIT-Network)
> <[email protected]> wrote:
>
>> Hello,
>>
>> I am just wondering if anyone on the list that participates in eduroam
>> uses ISE for RADIUS. We are playing with ISE, and finding difficulty
>> getting it to strip off the realm suffix before authenticating against AD.
>> I can't imagine there isn't a way to do this since I assume that would
>> prevent any eduroam customers from using ISE as their primary RADIUS
>> server. Hopefully we are just missing something simple. Let me know.
>>
>> Thanks,
>>
>> Curtis Larsen
>> University of Utah
>> Network Engineer
>>
>> **********
>> Participation and subscription information for this EDUCAUSE Constituent
>> Group discussion list can be found at http://www.educause.edu/groups/.
>
> --
> Joe Roth
> Networking Group
> Binghamton University
> Ph. 607-777-7528
> Fax 607-777-4009

--
Joe Roth
Networking Group
Binghamton University
Ph. 607-777-7528
Fax 607-777-4009
