Using PEAP to authenticate to Novell NDS - Appliance

Discussion in 'Cisco' started by Turrekens Jurgen, Jul 2, 2004.

  1. We've recently purchased a Cisco ACS appliance, but so far our vendor
    hasn't been able to get it to work with our NDS. We would like to use
    the ACS appliance to authenticate to eDirectory credentials, and add
    MAC-authentication later on (when we've figured out how to administer
    all those addresses).

    So far, authenticating to an MS Domain is covered all over the Net, but
    apparently NDS isn't covered in-depth anywhere.


    Problems we've encountered:

    - Appliance is using Bindery to connect to NDS hosts, cannot use Tree
    The appliance can contact up to 20 hosts, but no Tree.
- Failed to log in to the NDS host using *working* admin credentials
    (any possible version: cn, uid, plain FQN, ...)
    - Client certificate configuration not working
    - ...

I once got the software version working, using a 350-series PCMCIA card
    (802.11b), but now I have to get the same setup working using the appliance
    and 3Com (g-enabled) cards...

    Versions/equipment:

    - Cisco ACS Appliance running ACS 3.2
    - Aironet series 1200 running 11.3T (Guess)
    - 3Com PCI 802.11g client adapters (because 6 months ago, Cisco didn't
    have g-enabled cards yet .. go figure!)

    All suggestions/links/how-to's/personal experiences are welcome!

    Many thanks!!
     
    Turrekens Jurgen, Jul 2, 2004
    #1

  2. Blank (Guest)

XP's included PEAP requires the use of MSCHAPv2 to send the user password
    information, or a certificate. I don't believe NDS supports MSCHAP to
    authenticate. You might look at Funk's client; it has more options.

    If anyone knows how to make this work with the native PEAP, and NDS, I am
    interested too.

    thanks, David ZADE
     
    Blank, Jul 8, 2004
    #2

  3. Use LDAP.

We set up LDAP & SSL on a pair of Netware 6.x servers. Tested it using
    a Mozilla/Netscrape address book. If Netware LDAP is set up correctly
    you should be able to bind with an LDAP client that supports SSL & do a
    search on a user first or last name.

    The Cisco thinks it is a generic LDAP server. It doesn't care. It binds
    on port 636 using SSL & authenticates & searches for the user & group
    via a LDAP search per the Cisco ACS setup. It has to use SSL, or Netware
    will refuse the connection. Netware will not accept passwords via
    non-SSL LDAP.

    You can trace Netware LDAP calls with dstrace. We had to pull the
    Netware server CA cert from the Netware server by connecting with a
    Mozilla/Netscape address book, accepting the Netware cert, then
    importing the 'cert7.db' created by the browser into the Cisco ACS
    server. Otherwise the ACS would not connect to the Netware server.

Did the whole thing in a couple of hours a few months ago, said "Hey
    Cool! It works" and forgot to document any of it, so I may be off in the
    details.

    --Mike
     
    Michael Janke, Jul 8, 2004
    #3
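The exchange Mike describes (ACS opens an SSL session to port 636, trusts the Netware server's CA cert, then does a simple bind with a DN and password before searching) can be reproduced by hand to check the Netware side before touching the appliance. The following is an added, stdlib-only Python example; it is not code from this thread, from Cisco ACS or from Novell. It hand-encodes the LDAPv3 BindRequest in BER so the wire format is visible, and decodes the BindResponse to get the resultCode. The host, bind DN, password and CA file are placeholders, and the diagnostic strings in the comments are constructed, not real eDirectory messages.

```python
"""LDAPv3 simple bind over LDAPS using only socket + ssl, with the BER
encode/decode needed for BindRequest and BindResponse (RFC 4511).
Constructed example; not Cisco ACS or Novell code."""
import socket
import ssl

# resultCode values from RFC 4511 that matter when debugging this setup.
RESULT_CODES = {0: "success", 13: "confidentialityRequired",
                32: "noSuchObject", 49: "invalidCredentials"}


def ber_length(n: int) -> bytes:
    """BER length: short form below 128, long form (0x80|N, then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_length(len(body)) + body


def ber_integer(value: int, tag: int = 0x02) -> bytes:
    """Two's-complement INTEGER (0x02) or, with tag=0x0a, ENUMERATED."""
    nbytes = max(1, (value.bit_length() + 8) // 8)
    return tlv(tag, value.to_bytes(nbytes, "big", signed=True))


def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { version 3, name, [0] simple } }."""
    auth = tlv(0x80, password.encode())  # [0] IMPLICIT OCTET STRING: plaintext password
    op = tlv(0x60, ber_integer(3) + tlv(0x04, dn.encode()) + auth)
    return tlv(0x30, ber_integer(message_id) + op)


def read_tlv(buf: bytes, pos: int = 0):
    """Decode the element at buf[pos]; return (tag, value, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse LDAPMessage."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = read_tlv(body)
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag != 0x61:  # [APPLICATION 1] BindResponse
        raise ValueError(f"unexpected protocolOp tag 0x{op_tag:02x}")
    _, rc, pos = read_tlv(op)            # resultCode ENUMERATED
    _, _matched_dn, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)       # diagnosticMessage
    return (int.from_bytes(mid, "big", signed=True),
            int.from_bytes(rc, "big", signed=True),
            diag.decode("utf-8", errors="replace"))


def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def recv_ldap_message(sock) -> bytes:
    """Read exactly one BER-framed LDAPMessage from the socket."""
    head = recv_exact(sock, 2)
    if head[1] & 0x80:
        head += recv_exact(sock, head[1] & 0x7F)
        length = int.from_bytes(head[2:], "big")
    else:
        length = head[1]
    return head + recv_exact(sock, length)


def ldaps_simple_bind(host: str, dn: str, password: str, cafile: str, port: int = 636):
    """TLS session validated against the server's CA cert (cafile), then one simple bind.
    Placeholder call: ldaps_simple_bind("nds1.example.com", "cn=acsbind,o=example",
    "changeme", "netware-ca.pem")."""
    ctx = ssl.create_default_context(cafile=cafile)  # untrusted server cert -> handshake fails
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(bind_request(1, dn, password))
            _, code, diag = parse_bind_response(recv_ldap_message(tls))
    return code, RESULT_CODES.get(code, "other"), diag
```

A resultCode of 0 means the DN/password pair the ACS will be configured with is accepted; 49 means the server rejected the credentials, which separates "wrong DN form" problems from the certificate problem in the original post, because a certificate that is not in the CA file fails at the TLS handshake before any LDAP message is sent. The user and group lookup that follows the bind is a SearchRequest ([APPLICATION 3]) built from the same `tlv` and `ber_integer` pieces.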
  4. More info - this is to authenticate Cisco dialup and VPN devices via
    RADIUS to the ACS, which forwards the requests to NDS via LDAP. Have not
    done LEAP/PEAP/wireless yet.

    --Mike
     
    Michael Janke, Jul 8, 2004
    #4
