I'm in the same boat. I have the same error on my server. I have ACS running on a Win2k member server. My client is Win2k connecting to a 2950. My supplicant is the download from MS described in Q313664. I realize that regular CHAP can't be used because it's clear text.
The same Win2k laptop is authenticating via ACS to the domain using Aironet card and AP and LEAP. It is being dynamically mapped to the specified group and everything exactly the way it's supposed to. It's got to be just one little thing we're missing whether it's on ACS, the 2950, or the client configuration. HELP!!!
BTW... We're just demoing ACS in preparation for a RADIUS implementation. Can I call TAC since I don't have support on it??
I have the same scenario. What I read in Cisco docs says that with Cisco Secure ACS 3.1, it cannot be integrated with Active directory for EAP-MD5. Since Microsoft has their own CHAP thing. This may be supported in the next version.
I haven't tried this with MS IAS in the radius front. I think youhave done this. Please answer me the following queries.
1) Can i get authenticated for 802.1x client in windows 2000 /Xp before i getting windows login window or with the windows login window.
2) With Cisco ACS I have to login to my cache first. When i login into my cache windows profile since my port is not open my login script wont work , any other way to get this thing done
3) Will i get all my domain security policy once i am logged in withn cache profile
4) After getting autheciation by 802.1x client will i get IP address form my DHCP server.
5) what difference it makes when I change radius authentication to MS IAS.
I will address your questions with the best of my ability as I haven't personally triesd this out.
1) AFAIK, this is not possible. Its the Microsoft 2000/XP client so I guess consulting with Microsoft may guide to the right direction. I think it can be an enhancement request to Microsoft but, please consult with their support first.
2) No, again, if Microsoft XP/2000 has capability to integrate the 802.1x client authentication with the machine login transparently, then only its possible. Again, consulting with Microsoft will guide to the right direction.
3) Yes, you should
5) Will not make any difference, as that piece comes later.
Regarding chap and ms-chap issue with NT/2K domain, one thing for sure is with microsoft domain controller, its not possible at all to use anything other than MS-CHAP. ACS cannot control that behavior. Now, its the client responsibility to decide to use CHAP or MS-CHAP, so I think it makes sense to have this option on XP. Again, talking to Microsoft will lead to the right direction. Could be an enhancement request for Microsoft. So, please consult with Microsoft support. Thanks,
You can have ACS work with CHAP we are using it right now. My boss has our AS5300 authenticating against ACS using chap. Don't ask me how because I am in the same process right now trying to get chap to work with proxy radius for the new VPDN we have. So I know there is someone out there that knows how to get CHAP running with ACS will that person please step forward and let us know. My boss is out for the week and I need to get this going by friday
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...