Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2708
Views
5
Helpful
6
Replies

ACS v5.1 - LDAP and PEAP

dal
Level 3
Level 3

‎06-04-2010 12:02 AM - edited ‎03-10-2019 05:10 PM

Hi!

I'm trying to authenticate a WinXP client with PEAP.

And since it is only possible to define only one Active Directory in ACS v5.1 ( why on earth is that???), I had to define my other AD domain through LDAP.

But when I try to authenticate, this is what happens:

11001  Received RADIUS  Access-Request
11017  RADIUS created a new  session
Evaluating Service Selection  Policy
15004  Matched rule
15012  Selected Access  Service - Policy-SwitchAccess-Testdomain
11507  Extracted  EAP-Response/Identity
12500  Prepared EAP-Request  proposing EAP-TLS with challenge
11006  Returned RADIUS  Access-Challenge
11001  Received RADIUS  Access-Request
11018  RADIUS is re-using an  existing session
12301  Extracted  EAP-Response/NAK requesting to use PEAP instead
12300  Prepared EAP-Request  proposing PEAP with challenge
11006  Returned RADIUS  Access-Challenge
11001  Received RADIUS  Access-Request
11018  RADIUS is re-using an  existing session
12302  Extracted EAP-Response  containing PEAP challenge-response and accepting PEAP as negotiated
12318  Successfully  negotiated PEAP version 0
12800  Extracted first TLS  record; TLS handshake started.
12805  Extracted TLS  ClientHello message.
12806  Prepared TLS  ServerHello message.
12807  Prepared TLS  Certificate message.
12810  Prepared TLS  ServerDone message.
12305  Prepared EAP-Request  with another PEAP challenge
11006  Returned RADIUS  Access-Challenge
11001  Received RADIUS  Access-Request
11018  RADIUS is re-using an  existing session
12304  Extracted EAP-Response  containing PEAP challenge-response
12305  Prepared EAP-Request  with another PEAP challenge
11006  Returned RADIUS  Access-Challenge
11001  Received RADIUS  Access-Request
11018  RADIUS is re-using an  existing session
12304  Extracted EAP-Response  containing PEAP challenge-response
12318  Successfully  negotiated PEAP version 0
12812  Extracted TLS  ClientKeyExchange message.
12804  Extracted TLS Finished  message.
12801  Prepared TLS  ChangeCipherSpec message.
12802  Prepared TLS Finished  message.
12816  TLS handshake  succeeded.
12310  PEAP full handshake  finished successfully
12305  Prepared EAP-Request  with another PEAP challenge
11006  Returned RADIUS  Access-Challenge
11001  Received RADIUS  Access-Request
11018  RADIUS is re-using an  existing session
12304  Extracted EAP-Response  containing PEAP challenge-response
12313  PEAP inner method  started
11521  Prepared  EAP-Request/Identity for inner EAP method
12305  Prepared EAP-Request  with another PEAP challenge
11006  Returned RADIUS  Access-Challenge
11001  Received RADIUS  Access-Request
11018  RADIUS is re-using an  existing session
12304  Extracted EAP-Response  containing PEAP challenge-response
11522  Extracted  EAP-Response/Identity for inner EAP method
11806  Prepared EAP-Request  for inner method proposing EAP-MSCHAP with challenge
12305  Prepared EAP-Request  with another PEAP challenge
11006  Returned RADIUS  Access-Challenge
11001  Received RADIUS  Access-Request
11018  RADIUS is re-using an  existing session
12304  Extracted EAP-Response  containing PEAP challenge-response
11808  Extracted EAP-Response  containing EAP-MSCHAP challenge-response for inner method and accepting  EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006  Matched Default Rule
15013  Selected Identity  Store -
22043  Current Identity Store  does not support the authentication method; Skipping it.
22056  Subject not found in  the applicable identity store(s).
22058  The advanced option  that is configured for an unknown user is used.
22061  The 'Reject' advanced  option is configured in case of a failed authentication request.
11815  Inner EAP-MSCHAP  authentication failed
11520  Prepared EAP-Failure  for inner EAP method
22028  Authentication failed  and the advanced options are ignored.
12305  Prepared EAP-Request  with another PEAP challenge
11006  Returned RADIUS  Access-Challenge
11001  Received RADIUS  Access-Request
11018  RADIUS is re-using an  existing session
12304  Extracted EAP-Response  containing PEAP challenge-response
12307  PEAP authentication  failed
11504  Prepared EAP-Failure
11003  Returned RADIUS  Access-Reject

What does this mean? Is it possible that ACS *STILL* does not support PEAP authentication agains LDAP??

The other thing that bothers me, is that the matching rule is Default.

But when I go into the matching Policy to see the hit count, none of the rules (including Default) has increased its Hit Count.. very strange.

Thanks.

Labels:
0 Helpful
6 Replies 6

Jatin Katyal
Cisco Employee
Cisco Employee

‎06-04-2010 04:29 AM

LDAP as an external database never supports PEAP with  Mschap. The client should  be installed with the EAP-GTC supplicant.


Peap Mschapv2 only works with Active Directory.


Its an LDAP limitation, not ACS- there is no LDAP API to do it.

Supported LDAP server and 802.1x clients:

http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/de
vice_support/sdt51.html#wp71123


You may check PEAP FAQ's, please take a look under EAP TYPE comparison chart:

http://www.cisco.biz/en/US/prod/collateral/wireless/ps5678/ps430/prod_qas0900aecd801764fa_
ps2706_Products_Q_and_A_Item.html


Regds,

JK


Do rate helpful posts-

~Jatin

dal
Level 3
Level 3
In response to Jatin Katyal

‎06-04-2010 06:57 AM

We are already using PEAP and LDAP with our freeradius-server.
The only prerequisite is that a NTLM-hash of the password must be stored in  ldap directory.

And especially if the LDAP catalogue already is an Active Directory catalogue (as it is in my case), this should work without further modifications.
So why isn't this possible with Cisco ACS?
0 Helpful

Jatin Katyal
Cisco Employee
Cisco Employee
In response to dal

‎06-04-2010 07:04 AM

You must be using PEAP with LDAP but the inner method wouldn't be MSCHAPv2. Please check it must be PEAP-GTC because it does support LDAP.

Regds,

JK

~Jatin
0 Helpful

dal
Level 3
Level 3
In response to Jatin Katyal

‎06-04-2010 07:33 AM

We only use the built-in WinXP supplicant, so it does indeed use MSCHAPv2

0 Helpful

Jatin Katyal
Cisco Employee
Cisco Employee
In response to dal

‎06-04-2010 08:55 AM

Strange. I haven't seen PEAP-MSCHAPv2 working with LDAP. Could  you please show me one passed authentication from your Free radius server that says database is LDAP and authentication method is PEAP-MSchapv2.


Also, please provide me the packet traces between radius server and LDAP?


I would like to see whether radius is editing the packet before sending it to LDAP or simply passing over  the same authentication method in the radius -reuquest.


Regds,

JK

~Jatin
0 Helpful

dal
Level 3
Level 3
In response to Jatin Katyal

‎06-29-2010 05:34 AM

Hi again.

Sorry for taking so long, blame it on high workload.

I'm attaching 2 files; one is a debug log from Freeradius, and the other is a Wireshark packet capture.

Both files are produced during  a successfull logon from a "vanilla" WinXP client to a LDAP server.

Hopefully, you'll get enough info to implement the same thing into a future (next) version of ACS v5

One other thing that should be implemented for sure is support for more than one AD.

Thanks.

68450-peap-radius-auth-filtered.pcap.zip
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents