
ACS v5.3 Internal User "Password Type"

Hi,

I have deployed a pair of Cisco ACS v5.3 in my environment and joined the ACS to my AD. With this, I used the new feature of "Password Type" for internal users and set the internal user password to the external database of AD. That is to say, for example, I have an AD user of weekwang; in the ACS internal user database I created the same user name of weekwang, but set the user's password type to the AD.

After this, I configured the user 802.1x authentication for network access. I configured the Identity setting of the access policy to the internal user database. However, the user authentication fails as the ACS cannot find the user in the internal user database.

From the monitor and report log, I see that the user name that the ACS is receiving is Domain\weekwang. Thus, it cannot locate the user in the internal user database.

Thus, I would like to seek assistance/advice on whether there is any configuration on the ACS that I need to set so that I can strip off the prefix of Domain\ from the received user name, so that the ACS will receive the user name as just weekwang.

Thks and Rgds

2 REPLIES

ACS v5.3 Internal User "Password Type"

Hello. I just tested RADIUS with PAP and everything is working OK. Could you please post your config and logs?


Re: ACS v5.3 Internal User "Password Type"

Hi Eduardoaliaga,

I believe that when we are using PAP as the authentication protocol, the ACS is able to strip the domain prefix. However, my side is using PEAP MSCHAPv2 as the authentication protocol, and I believe that the TLS tunnel is preventing the ACS from stripping the domain prefix/suffix. Thus, I have also posted another discussion on the issue that when the authentication protocol of PEAP MSCHAPv2 is used, ACS is not able to strip the domain prefix/suffix. Would you also be able to advise on whether that is correct? Please refer to the links below.

1) https://supportforums.cisco.com/thread/2061835

2) http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/eap_pap_phase_ps9911_TSD_Products_User_Guide_Chapter.html#wp1031191

3) https://supportforums.cisco.com/message/3581951#3581951

Thks and Rgds
