Lab Minutes Forum
Technical Discussion => Security => Topic started by: AndrewMac on January 13, 2014, 09:35:12 PM
-
Hello
Wondering if there is any way to tell the ACS to tell the client to prefer a particular EAP type inner method.
For example, first try PEAP-GTC to authenticate against the Novell eDirectory store; if the client is a Windows device, then try PEAP-MSCHAPv2 and authenticate against an AD store.
Currently I have created an identity store that lists Novell eDirectory first and then AD, but it seems that in the client negotiation clients prefer to try PEAP-MSCHAPv2.
Any thoughts on the matter would be appreciated.
-
I don't think there is a straightforward way of doing this, if it is possible at all. ACS only allows you to set a preferred protocol under the Allowed Protocols list, but that is only for the outer method. Most likely you need to use rule-based authentication instead of simple, and then, if you can select the inner method as a condition, map it to the appropriate Identity Store; but this still requires the client to know which authentication protocol to use.
-
Thanks MC
There does not seem to be an easy way to do it.
For Aruba ClearPass and FreeRADIUS I found options with LDAP over SSL:
I had to allow the bind user to retrieve the password in the universal policy in eDirectory,
checked "Allow bind using user password",
Password Attribute: nspmPassword
Password Type: cleartext
But I can't seem to find a similar option for ACS.
Cheers
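As an added illustration of the FreeRADIUS side of what the last post describes (this is a constructed example, not the poster's configuration): the rlm_ldap module binding to eDirectory over LDAPS with a dedicated bind account and mapping the nspmPassword attribute to Cleartext-Password, so the server can perform PEAP-MSCHAPv2 itself. The server name, bind DN, base DN and CA file path are placeholders. Because the bind account can read every user's cleartext password, the TLS settings (server certificate verification, no plain LDAP) and a tightly scoped read-only bind DN are the part worth getting right.

```conf
# /etc/raddb/mods-available/ldap (FreeRADIUS 3.x syntax) - constructed example
ldap {
    # LDAPS only; a plain ldap:// bind would send the user passwords
    # returned by eDirectory across the wire unprotected.
    server = 'ldaps://edir.example.com'        # placeholder host
    port = 636

    # Dedicated, read-only service account that the eDirectory password
    # policy allows to retrieve the universal password ("Allow bind using
    # user password" / retrieve-password rights in the universal policy).
    identity = 'cn=radiusbind,ou=services,o=example'   # placeholder DN
    password = 'REPLACE_WITH_BIND_PASSWORD'            # placeholder

    base_dn = 'o=example'                              # placeholder

    user {
        base_dn = "${..base_dn}"
        # Match the inner EAP identity (realm stripped) against the user's cn
        filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    update {
        # nspmPassword holds the universal password in cleartext; placing
        # it in control:Cleartext-Password lets rlm_mschap compute the
        # NT hash needed for PEAP-MSCHAPv2 without a Windows/AD store.
        control:Cleartext-Password := 'nspmPassword'
    }

    tls {
        start_tls    = no                              # already LDAPS on 636
        ca_file      = /etc/raddb/certs/edir-ca.pem    # placeholder CA bundle
        require_cert = 'demand'                        # fail on an untrusted server cert
    }
}
```

Enable it with a symlink into mods-enabled and list `ldap` in the authorize section of the inner-tunnel virtual server so the lookup happens for the inner EAP identity.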