Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
983
Views
0
Helpful
2
Replies

ACS v5.3 Internal User "Password Type"

Steven Chua
Level 1
Level 1

‎03-06-2012 06:41 AM - edited ‎03-10-2019 06:52 PM

Hi,

I have deployed a pair of Cisco ACS v5.3 in my envirnoment and joined the ACS to my AD. With this, I used the new feature of "Password Type" for internal user and set the internal user password to the external database of AD; meaning to say that for example, I have an AD user of weekwang, on the ACS internal user database I created the same user name of weekwang however setting the user's password type to the AD.

Upon this, I then configure the user 802.1x authentication for the network access. I configured the Identity setting of the access policy to the internal user database. However, the user authentication fails as the ACS cannot find the user in the internal user database.

From the monitor and report log, I see that the user name that the ACS is receiving is Domain\weekwang. Thus, it cannot locate the user from then internal user database.

Thus, I would like to seek for assistance/advice to whether is there any configuration on the ACS that I need to set so that I can strip of the prefix of Domain\ from the receiving user name so that the ACS will receive the user name as just weekwang.

Thks and Rgds

Labels:
0 Helpful
2 Replies 2

Eduardo Aliaga
Level 4
Level 4

‎03-13-2012 03:31 PM

Hello . I just tested Radius with PAP and everything is working OK. Could you please post your config and logs ?

0 Helpful

Steven Chua
Level 1
Level 1
In response to Eduardo Aliaga

‎03-13-2012 05:33 PM

Hi Eduardoaliaga,

I believe that when we are using PAP as the authentication protocol, the ACS is able to strip the domian prefix. However, my side is using the PEAP MsChapv2 as the authentication protocol and I believe that the TLS tunnel is prevent the ACS from stripping the domain prefix/sufix. Thus, I have also posted another discussion on the issue of when the authentication protocol of PEAP MsChapv2 is used, ACS is not able to strip the domain prefix/sufix. Thus, would you be also able to advice on if that is correct. Please refer to the links below.

1) https://supportforums.cisco.com/thread/2061835

2) http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/eap_pap_phase_ps9911_TSD_Products_User_Guide_Chapter.html#wp1031191

3) https://supportforums.cisco.com/message/3581951#3581951

Thks and Rgds

0 Helpful
Customers Also Viewed These Support Documents