LDAP connection fails when using PEAP Mschapv2 Authentication on ACS5.x


Wed, 02/27/2013 - 00:10
Jun 27th, 2012
Problem: Authentications using PEAP-MSCHAPv2 against an LDAP identity store fail on ACS 5.1.


PEAP-MSCHAPv2 authentication against an LDAP identity store fails on ACS 5.1 because an LDAP directory cannot support MS-CHAPv2. MS-CHAPv2 is a challenge/response method: to verify the client's response, the authenticator needs the NT hash of the user's password, or a domain controller that holds it and performs the check. A generic LDAP server exposes neither. The only password operation ACS can perform against LDAP is a bind, which verifies a cleartext password; that is enough for PAP and EAP-GTC, but not for any MS-CHAP variant. This is a limitation of the protocol combination, not of the LDAP server configuration.

This problem can be resolved in one of the following ways:

1) Use Active Directory (AD) instead of LDAP, since AD supports PEAP-MSCHAPv2: once ACS has joined the domain, the domain controller performs the MS-CHAPv2 check on ACS's behalf. To join ACS to AD you need the following:

- The AD domain name

- An AD account with the right to add computer accounts to the domain (membership of the built-in Account Operators group is sufficient); this is the account entered in step 2

- The ACS clock and time zone set to match your AD servers (see the note under step 1)

For more information on ACS integration with AD, refer to Joining ACS to an AD Domain. Screenshots of the steps are shown below for quick reference.

STEP 1: In the ACS 5.x web management interface, expand Users and Identity Stores in the left panel and choose Active Directory (Users and Identity Stores > External Identity Stores > Active Directory).

[Screenshot: step 1.jpg]

Important Note: ACS and AD must be time-synchronized before you try to join the domain. The join, and every AD authentication after it, relies on Kerberos, which rejects requests whose timestamp differs from the domain controller's clock by more than the domain's allowed skew (5 minutes by default); ACS reports this as a clock skew error. Time on ACS is set from a Network Time Protocol (NTP) server, so both AD and ACS should be synchronized to the same NTP server. From the ACS appliance command line, in configuration mode, point the NTP client at that server with ntp server <address>, set the zone with clock timezone <zone>, and confirm with show ntp that the client has synchronized before you attempt the join. For more information, refer to the Cisco guide for integration.

STEP 2: Enter the required information.

[Screenshot: step 2.jpg]

Fill in the Active Directory Domain Name field, then enter the username and password of the AD account. This account must have the right to add computer objects to the domain; a member of the Account Operators group (as listed above) or a domain administrator qualifies. Click Test Connection to confirm that the domain can be reached with these credentials, then save the configuration. After you save, the Connectivity Status changes to show the joined domain, and two additional tabs appear at the top of the page. You're done!

2) Use an authentication protocol that LDAP supports instead of PEAP-MSCHAPv2. Because ACS can only verify a password against an LDAP directory by binding with it in cleartext, the protocols it supports against LDAP are those that deliver a cleartext password: PAP/ASCII, EAP-GTC, and PEAP or EAP-FAST with EAP-GTC as the inner method (EAP-TLS also works, since LDAP is then used only to look up the certificate's user). CHAP, MS-CHAPv1, MS-CHAPv2, EAP-MSCHAPv2, and PEAP or EAP-FAST with EAP-MSCHAPv2 inside are not supported. The EAP Authentication Protocol and User Database Compatibility table in the ACS user guide lists the exact combinations for your release. Be aware that switching to PEAP-GTC is a change on the client side too: the supplicant must support EAP-GTC, which the native Windows supplicant does not (Cisco AnyConnect NAM does).



