Cisco ACS 4.1 and EDir
Wed, 15 Aug 2007 21:51:26 GMT
Hi
I contracted a company to put in a campus-wide wireless solution. They
installed a Cisco ACS 4.1 solution; the only problem is that the ACS won't
talk to EDIR through LDAP using MSChap v2, and they now feel that the only
solution is to put in AD. I have been holding out for another way and have
found out about EAP-TLS. Is there anyone out there using this as a solution
(as the company contracted claim there is not)?
thanks
Re: Cisco ACS 4.1 and EDir
Thu, 16 Aug 2007 23:51:55 GMT
I am not sure if you can put it off for some time, but the new version of
OES supports AD emulation, meaning that you can have a fully
functional AD domain/forest but have your back end still be eDirectory.
This is not DirXML or Identity Management, though they might be other
solutions for you. Here are the links to the information from the
Novell Connection magazine.
http://www.novell.com/connectionmagazine/2007/07/tech_talk_1.html
It looks like it should be released in a month or two.
PS: Might not help you, but we did set up a RADIUS server to secure our
WAP and it does use MSChap v2. Here is the guide we followed. Not sure
if it will help you at all.
http://www.novell.com/coolsolutions/tip/15922.html
richard mason wrote:
> Hi
>
> I contracted a company to put in a campus wide Wireless solution. They
> installed a Cisco ACS 4.1 solution only problem is that the ACS won't
> talk to EDIR through LDAP using MSchap v2 , they now feel that the only
> solution is to put in AD. I have been holding out for another way and
> have found out about EAP-TLS is there anyone out there using this as a
> solution ( as the company contracted claim there is not )
>
> thanks
>
Re: Cisco ACS 4.1 and EDir
Wed, 5 Sep 2007 16:45:31 -0400
Well, just so that I don't take credit for others' work, I want to let you know
that I did not figure this out. I did some work on figuring this out, but
another colleague of mine figured out the final solution. Since Cisco keeps
this such a secret or doesn't want to do the work to put out the supporting docs,
I am posting our solution for getting ACS 4.0 working with EDIR.
We do not use MSChap. We just use Chap. Our ACS talks just LDAP to EDIR.
After much time experimenting and looking at dstrace screens, we sniffed network
traffic and found that LDAP queries were not showing up correctly to EDIR for
authentication. Here's what we came up with that worked for our ACS box. We
use EDIR group membership to determine eligibility for wireless connectivity, so
this is the only setup I can give info on.
Here are the settings documented by our guy who was in on figuring out the
connection that work for our system currently. (Pay attention to the
GroupObjectClass specifically, as it's malformed to make it function correctly.
Make sure to leave off the left paren.)
User Directory Subtree: o=org
Group Directory Subtree: o=org
UserObjectType: cn
UserObjectClass: inetorgperson
GroupObjectType: cn
GroupObjectClass: group)(|(cn=group#1)(cn=group#2)
Group Attribute Name: member
CiscoSecure ACS 4.0 adds "(&(objectclass=" to the search, where the value
comes from the user configuration (see above). For example, the group search filter
becomes (&(objectclass= group)(|(cn=group#1)(cn=group#2))). If the | (OR
statement) is not used, then LDAP never returns group info because of too many
groups. We are filtering on specific groups (i.e. group#1, group#2, etc.) to
speed up searching.
Tim
Re: Cisco ACS 4.1 and EDir
Wed, 05 Sep 2007 22:18:53 GMT
Thanks Tim, I have passed this on to our consultant. We are currently
looking at Steel-Belted Radius as our only option.
Re: Cisco ACS 4.1 and EDir
Thu, 06 Sep 2007 16:40:23 GMT
Actually, I did further research on how this works for us. We use ACS as a
"go-between" to talk using RADIUS to the wireless device, as well as for
any other RADIUS authentication that it can do.
ACS then takes the info from that device and does a lookup using LDAP to
eDirectory based on the config I showed in the last post. It was easy to
connect the wireless device using RADIUS to ACS. The LDAP portion was the part
we had to do all the research to figure out.
We have groups in ACS mapped to LDAP groups in eDirectory so that it gives the
correct access based on group membership.
Tim