Cisco Support Community
Community Member

802.1x on 2950 + CS ACS + W2K

I'm trying to configure 802.1x MD5-challenge authentication with my catalyst 2950 switch.

The radius server is a cisco secure ACS which uses Windows 2000 domain user database.

When I try to authenticate, ACS give me this error : "CS CHAP password invalid".

When I try with a user define in ACS internal database. Everything works fine.

Any idea ?

Thanx !

Community Member

Re: 802.1x on 2950 + CS ACS + W2K

In order to use the MD5 authentication you need to use MS-CHAP and not CHAP.



Community Member

Re: 802.1x on 2950 + CS ACS + W2K

thank you for your answer but where can I define that I want to use MS-CHAP with my external user database in CS ACS ?

and why does it work without any change when I use ACS internal database ?

Community Member

Re: 802.1x on 2950 + CS ACS + W2K

I'm in the same boat. I have the same error on my server. I have ACS running on a Win2k member server. My client is Win2k connecting to a 2950. My supplicant is the download from MS described in Q313664. I realize that regular CHAP can't be used because it's clear text.

The same Win2k laptop is authenticating via ACS to the domain using Aironet card and AP and LEAP. It is being dynamically mapped to the specified group and everything exactly the way it's supposed to. It's got to be just one little thing we're missing whether it's on ACS, the 2950, or the client configuration. HELP!!!

BTW... We're just demoing ACS in preparation for a RADIUS implementation. Can I call TAC since I don't have support on it??

Tyler West

Senior Network Engineer

Dollar General Corporation

Community Member

Re: 802.1x on 2950 + CS ACS + W2K

hi Babarche

I have the same scenario. What I read in Cisco docs says that with Cisco Secure ACS 3.1, it cannot be integrated with Active directory for EAP-MD5. Since Microsoft has their own CHAP thing. This may be supported in the next version.

I haven't tried this with MS IAS in the radius front. I think youhave done this. Please answer me the following queries.

1) Can i get authenticated for 802.1x client in windows 2000 /Xp before i getting windows login window or with the windows login window.

2) With Cisco ACS I have to login to my cache first. When i login into my cache windows profile since my port is not open my login script wont work , any other way to get this thing done

3) Will i get all my domain security policy once i am logged in withn cache profile

4) After getting autheciation by 802.1x client will i get IP address form my DHCP server.

5) what difference it makes when I change radius authentication to MS IAS.

waiting for your response


Community Member

Re: 802.1x on 2950 + CS ACS + W2K

1) no, it's impossible with windows for the moment. Due to windows implementation of 802.1x. Maybe later ..... I heard that the funk software 802.1x client would allow that.

2) no.... Not possible too

3) yes you will

4) yel you will

5) there's no difference. It's just really more complicated if you want to use VLAN assignment with 802.1X.


Re: 802.1x on 2950 + CS ACS + W2K

Hi Lalit,

I will address your questions with the best of my ability as I haven't personally triesd this out.

1) AFAIK, this is not possible. Its the Microsoft 2000/XP client so I guess consulting with Microsoft may guide to the right direction. I think it can be an enhancement request to Microsoft but, please consult with their support first.

2) No, again, if Microsoft XP/2000 has capability to integrate the 802.1x client authentication with the machine login transparently, then only its possible. Again, consulting with Microsoft will guide to the right direction.

3) Yes, you should

4) Yes

5) Will not make any difference, as that piece comes later.

Regarding chap and ms-chap issue with NT/2K domain, one thing for sure is with microsoft domain controller, its not possible at all to use anything other than MS-CHAP. ACS cannot control that behavior. Now, its the client responsibility to decide to use CHAP or MS-CHAP, so I think it makes sense to have this option on XP. Again, talking to Microsoft will lead to the right direction. Could be an enhancement request for Microsoft. So, please consult with Microsoft support. Thanks,




Community Member

Re: 802.1x on 2950 + CS ACS + W2K

You can have ACS work with CHAP we are using it right now. My boss has our AS5300 authenticating against ACS using chap. Don't ask me how because I am in the same process right now trying to get chap to work with proxy radius for the new VPDN we have. So I know there is someone out there that knows how to get CHAP running with ACS will that person please step forward and let us know. My boss is out for the week and I need to get this going by friday

CreatePlease to create content