Using PEAP to authenticate to Novell NDS - Appliance

Discussion in 'Cisco' started by Turrekens Jurgen, Jul 2, 2004.

  1. We've recently purchased a Cisco ACS appliance, but so far our vendor
    hasn't been able to get it to work with our NDS. We would like to use
    the ACS appliance to authenticate to eDirectory credentials, and add
    MAC-authentication later on (when we've figured out how to administer
    all those addresses).

    So far, authenticating to an MS Domain is covered all over the Net, but
    apparently NDS isn't covered in-depth anywhere.


    Problems we've encountered:

- Appliance is using Bindery to connect to NDS hosts, cannot use Tree.
    The appliance can contact up to 20 hosts, but no Tree.
    - Failed to log in to the NDS host using *working* admin credentials
    (any possible form: cn, uid, plain FQN, ...)
    - Client certificate configuration not working
    - ...

I once got the software version working, using a 350-series PCMCIA card
    (802.11b), but now I have to get the same setup using the appliance and
    3Com (g-enabled) cards to work ..

    Versions/equipment:

    - Cisco ACS Appliance running ACS 3.2
    - Aironet series 1200 running 11.3T (Guess)
    - 3Com PCI 802.11g client adapters (because 6 months ago, Cisco didn't
    have g-enabled cards yet .. go figure!)

    All suggestions/links/how-to's/personal experiences are welcome!

    Many thanks!!
     
    Turrekens Jurgen, Jul 2, 2004
    #1

  2. Turrekens Jurgen

    Blank Guest

XP's included PEAP requires the use of MSCHAPv2 to send the user password
    information, or a certificate. I don't believe NDS supports MSCHAP for
    authentication. You might look at Funk's client, it has more options.

    If anyone knows how to make this work with the native PEAP, and NDS, I am
    interested too.

    thanks, David ZADE
"Turrekens Jurgen" <> wrote in message
    news:4baFc.172041$-ops.be...
    > We've recently purchased a Cisco ACS appliance, but so far our vendor
    > hasn't been able to get it to work with our NDS.
    > [...]
     
    Blank, Jul 8, 2004
    #2

  3.

    Use LDAP.

We set up LDAP & SSL on a pair of Netware 6.x servers. Tested it using
    a Mozilla/Netscape address book. If Netware LDAP is set up correctly
    you should be able to bind with an LDAP client that supports SSL & do a
    search on a user first or last name.

The Cisco thinks it is a generic LDAP server. It doesn't care. It binds
    on port 636 using SSL & authenticates & searches for the user & group
    via an LDAP search per the Cisco ACS setup. It has to use SSL, or Netware
    will refuse the connection. Netware will not accept passwords via
    non-SSL LDAP.

    You can trace Netware LDAP calls with dstrace. We had to pull the
    Netware server CA cert from the Netware server by connecting with a
    Mozilla/Netscape address book, accepting the Netware cert, then
    importing the 'cert7.db' created by the browser into the Cisco ACS
    server. Otherwise the ACS would not connect to the Netware server.

Did the whole thing in a couple of hours a few months ago, said "Hey
    Cool! It works" and forgot to document any of it, so I may be off in the
    details.

    --Mike
     
    Michael Janke, Jul 8, 2004
    #3
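    The reason NetWare insists on SSL for the bind that Mike describes is visible in the protocol itself: an LDAPv3 simple bind (RFC 4511) carries the password as a plain OCTET STRING inside the BindRequest, so without TLS on port 636 it crosses the wire in the clear. The following is an added example, not code from the thread or from Cisco/Novell; it is a pure-standard-library Python encoder/decoder for the simple-bind message, plus a small detector that flags simple binds with a non-empty password seen on any port other than 636. The DN, password and IP addresses in the sample records are constructed.

```python
# Added example (not from the thread): minimal RFC 4511 LDAP simple-bind
# encoder/decoder, used to show why the ACS <-> NetWare LDAP link must run
# over SSL on port 636. Standard library only; sample records are constructed.

LDAPS_PORT = 636            # LDAP over SSL/TLS
LDAP_PORT = 389             # cleartext LDAP (unless STARTTLS is negotiated)

# BER tags used by an LDAP BindRequest
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60     # [APPLICATION 0], constructed
TAG_AUTH_SIMPLE = 0x80      # AuthenticationChoice simple [0], context, primitive


def _ber_length(n):
    """Encode a BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_length(len(body)) + body


def encode_simple_bind(message_id, bind_dn, password):
    """Build an LDAPMessage carrying an LDAPv3 simple BindRequest.
    message_id is kept below 128 so it fits a single BER INTEGER byte."""
    bind_request = _tlv(TAG_BIND_REQUEST,
                        _tlv(TAG_INTEGER, bytes([3]))
                        + _tlv(TAG_OCTET_STRING, bind_dn.encode())
                        + _tlv(TAG_AUTH_SIMPLE, password.encode()))
    return _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, bytes([message_id])) + bind_request)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_ldap_message(payload):
    """Decode an LDAPMessage; returns a dict, or None if payload is not LDAP."""
    try:
        tag, body, _ = _read_tlv(payload, 0)
        if tag != TAG_SEQUENCE:
            return None
        tag, mid, pos = _read_tlv(body, 0)
        if tag != TAG_INTEGER:
            return None
        msg = {"message_id": int.from_bytes(mid, "big"), "op": "other"}
        tag, op, _ = _read_tlv(body, pos)
        if tag != TAG_BIND_REQUEST:
            return msg
        _, version, pos = _read_tlv(op, 0)
        _, name, pos = _read_tlv(op, pos)
        auth_tag, auth, _ = _read_tlv(op, pos)
    except (IndexError, ValueError):
        return None
    msg.update(op="bind",
               version=int.from_bytes(version, "big"),
               name=name.decode("utf-8", errors="replace"),
               auth="simple" if auth_tag == TAG_AUTH_SIMPLE else "sasl",
               # the simple credential IS the password, uncoded and unencrypted
               password_len=len(auth) if auth_tag == TAG_AUTH_SIMPLE else 0)
    return msg


def find_cleartext_binds(records):
    """records: iterable of (src_ip, dst_port, tcp_payload).
    Flags simple binds carrying a non-empty password on any port but LDAPS.
    A session that negotiated STARTTLS on 389 is encrypted afterwards, so no
    bind would decode from its payload and nothing is flagged."""
    findings = []
    for src, dst_port, payload in records:
        msg = parse_ldap_message(payload)
        if (msg and msg["op"] == "bind" and msg["auth"] == "simple"
                and msg["password_len"] > 0 and dst_port != LDAPS_PORT):
            findings.append({"src": src, "port": dst_port, "name": msg["name"],
                             "password_len": msg["password_len"]})
    return findings


# Constructed sample traffic (DN, password and addresses are made up):
SAMPLE_RECORDS = [
    ("10.0.0.5", LDAP_PORT, encode_simple_bind(1, "cn=acsproxy,o=example", "s3cret")),
    ("10.0.0.5", LDAPS_PORT, b"\x16\x03\x01\x00\x4a\x01\x00\x00\x46"),  # start of a TLS ClientHello
    ("10.0.0.6", LDAP_PORT, encode_simple_bind(2, "", "")),             # anonymous bind, nothing exposed
]

if __name__ == "__main__":
    for f in find_cleartext_binds(SAMPLE_RECORDS):
        print(f"cleartext simple bind from {f['src']} to port {f['port']} as {f['name']!r}")
```

    Run stand-alone it reports only the first record: the bind on 636 is inside TLS and never decodes, and the anonymous bind carries no password. The same decoder can be pointed at payloads pulled from a capture between the ACS and the NetWare box to confirm that no bind for the proxy account is leaving the appliance on 389.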
  4. Michael Janke wrote:
    > Use LDAP.
    > [...]


    More info - this is to authenticate Cisco dialup and VPN devices via
    RADIUS to the ACS, which forwards the requests to NDS via LDAP. Have not
    done LEAP/PEAP/wireless yet.

    --Mike
     
    Michael Janke, Jul 8, 2004
    #4
