When an external LDAP directory is unavailable, the most direct alternative that provides the same security and user experience for Local Web Authentication (LWA) is to use the internal user database of the RADIUS server, which is Cisco ISE in this scenario. This solution meets the requirement for user-based authentication, providing security comparable to LDAP (individual credentials). The user experience is identical, as the LWA captive portal presents the same username and password fields regardless of whether the back-end identity store is an external LDAP server or the ISE internal database. This is a self-contained, straightforward solution for a startup without existing directory infrastructure.

A. Use SAML: This involves redirecting the user to an external Identity Provider for authentication. While a valid authentication method, this redirection creates a different user experience than the direct login portal of LWA with LDAP.

C. Use a preshared key on the corporate WLAN: A PSK provides device-level authentication, not user-level authentication. All users share the same key, which does not meet the security requirement of authenticating individual users against a directory.

D. Use Novell eDirectory: Novell eDirectory is a directory service that is accessed using the LDAP protocol. Proposing this solution contradicts the fundamental constraint of the question that "LDAP is unavailable."

1. Cisco Identity Services Engine Administrator Guide

Release 3.1

"Identity Sources" Chapter: This guide lists the "Cisco ISE Internal User Database" as a primary type of identity source. It states

"You can create users and user groups in the internal database and use them for authentication and authorization." This confirms the viability of using the internal database as a directory for authentication.

2. Cisco Identity Services Engine Administrator Guide

Release 3.1

"Configure Guest Access" Chapter: This chapter details the configuration of web portals for guest services

including LWA. The user flow described involves a redirection to a login page where credentials are entered. This user-facing experience remains consistent whether the backend is the internal database or an external one like LDAP.

3. Cisco Identity Services Engine Administrator Guide

Release 3.1

"SAML SSO" Chapter: The guide describes the SAML flow: "When a user tries to access a protected service provider resource

the service provider redirects the user to the Cisco ISE portal for authentication. Cisco ISE

in turn

redirects the user to the configured external IdP." This confirms the different user experience involving redirection.

4. Micro Focus eDirectory 9.2.7 Administration Guide

"eDirectory and LDAP" Section: The official documentation for Novell eDirectory (now Micro Focus eDirectory) explicitly states

"eDirectory is a full-service

secure directory service that provides your network with centralized identity management... eDirectory supports LDAP." This confirms that eDirectory relies on the LDAP protocol

making it an invalid choice given the question's constraints.