06-04-2010 12:02 AM - edited 03-10-2019 05:10 PM
Hi!
I'm trying to authenticate a WinXP client with PEAP.
And since it is only possible to define one Active Directory in ACS v5.1 (why on earth is that???), I had to define my other AD domain through LDAP.
But when I try to authenticate, this is what happens:
What does this mean? Is it possible that ACS *STILL* does not support PEAP authentication against LDAP??
The other thing that bothers me, is that the matching rule is Default.
But when I go into the matching Policy to see the hit count, none of the rules (including Default) has increased its Hit Count... very strange.
Thanks.
06-04-2010 04:29 AM
LDAP as an external database never supports PEAP with Mschap. The client should be installed with the EAP-GTC supplicant.
Peap Mschapv2 only works with Active Directory.
It's an LDAP limitation, not ACS - there is no LDAP API to do it.
Supported LDAP servers and 802.1x clients:
http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/device_support/sdt51.html#wp71123
You may check the PEAP FAQ; please take a look under the EAP type comparison chart:
http://www.cisco.biz/en/US/prod/collateral/wireless/ps5678/ps430/prod_qas0900aecd801764fa_ps2706_Products_Q_and_A_Item.html
Regds,
JK
Do rate helpful posts-
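To illustrate the point made in this reply (an added example, not code from the thread, from Cisco ACS or from any RADIUS server): a challenge/response inner method such as PEAP-MSCHAPv2 requires the RADIUS server to recompute the client's response from the user's stored credential, whereas a generic LDAP server only offers a bind ("is this password correct?"), which is enough for a plaintext inner method such as PEAP-GTC. The real MSCHAPv2 response is built from MD4 (the NT hash) and DES; here HMAC-SHA256 over a SHA-256 "password hash" stands in for that construction, and the user store and directory classes are constructed toys.

```python
"""Why a bind-only directory can verify PEAP-GTC but not PEAP-MSCHAPv2.

Toy model: HMAC-SHA256 stands in for the MD4/DES challenge-response of
MSCHAPv2. USERS is a constructed sample directory, not real data.
"""
import hashlib
import hmac

USERS = {"alice": "correct horse"}  # constructed sample directory contents


def nt_hash_like(password):
    # Stand-in for the NT hash (MD4 over the UTF-16LE password) that a
    # RADIUS server needs in order to recompute an MSCHAPv2 response.
    return hashlib.sha256(password.encode("utf-16le")).digest()


def chap_response(password, challenge):
    # Client side: proves knowledge of the password without sending it.
    return hmac.new(nt_hash_like(password), challenge, "sha256").digest()


class BindOnlyDirectory:
    """Models a generic LDAP server: it can only answer a bind request."""

    def bind(self, user, password):
        stored = USERS.get(user, "")
        return hmac.compare_digest(stored.encode(), password.encode())


class HashExposingDirectory(BindOnlyDirectory):
    """Models a backend that hands the RADIUS server the credential itself
    (what the reply above says only Active Directory provides for MSCHAPv2)."""

    def get_hash(self, user):
        pw = USERS.get(user)
        return nt_hash_like(pw) if pw is not None else None


def verify_gtc(directory, user, password):
    # PEAP-GTC: the plaintext reaches the RADIUS server, so a bind suffices.
    return directory.bind(user, password)


def verify_chap(directory, user, challenge, response):
    # PEAP-MSCHAPv2: the server must recompute the response from the stored
    # credential. A bind-only backend has no operation for that, so the
    # authentication can only fail (the symptom described in the thread).
    if not hasattr(directory, "get_hash"):
        return False
    stored_hash = directory.get_hash(user)
    if stored_hash is None:
        return False
    expected = hmac.new(stored_hash, challenge, "sha256").digest()
    return hmac.compare_digest(expected, response)
```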
06-04-2010 07:04 AM
You must be using PEAP with LDAP, but the inner method wouldn't be MSCHAPv2. Please check; it must be PEAP-GTC, because it does support LDAP.
Regds,
JK
06-04-2010 07:33 AM
We only use the built-in WinXP supplicant, so it does indeed use MSCHAPv2.
06-04-2010 08:55 AM
Strange. I haven't seen PEAP-MSCHAPv2 working with LDAP. Could you please show me one passed authentication from your FreeRADIUS server that says the database is LDAP and the authentication method is PEAP-MSCHAPv2?
Also, please provide me the packet traces between the RADIUS server and LDAP.
I would like to see whether RADIUS is editing the packet before sending it to LDAP or simply passing over the same authentication method in the RADIUS request.
Regds,
JK
06-29-2010 05:34 AM
Hi again.
Sorry for taking so long, blame it on high workload.
I'm attaching 2 files; one is a debug log from Freeradius, and the other is a Wireshark packet capture.
Both files are produced during a successful logon from a "vanilla" WinXP client to an LDAP server.
Hopefully, you'll get enough info to implement the same thing into a future (next) version of ACS v5.
One other thing that should be implemented for sure is support for more than one AD.
Thanks.