Cisco Support Community

New Member

ACS5.1 <> NGS (wifi guest access)

We have a problem with the Cisco Secure ACS in combination with NAC Guest Server. We want to use the NGS as an external identity source. We've configured the following on the ACS:

- External radius identity source added

- Identity source sequence modified

- Service selection policy 'default network access' modified (allowed protocols)

After making a login request by a wireless device, the ACS does not use the NGS as external lookup source. We saw on the NGS that there isn't any request coming from the ACS.

Here are some log entries:

Steps
11001  Received RADIUS Access-Request
11017  RADIUS created a new session
Evaluating Service Selection Policy
15004  Matched rule
15012  Selected Access Service - Default Network Access
11507  Extracted EAP-Response/Identity
12300  Prepared EAP-Request proposing PEAP with challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12319  Successfully negotiated PEAP version 1
12800  Extracted first TLS record; TLS handshake started.
12805  Extracted TLS ClientHello message.
12806  Prepared TLS ServerHello message.
12807  Prepared TLS Certificate message.
12810  Prepared TLS ServerDone message.
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
12319  Successfully negotiated PEAP version 1
12812  Extracted TLS ClientKeyExchange message.
12804  Extracted TLS Finished message.
12801  Prepared TLS ChangeCipherSpec message.
12802  Prepared TLS Finished message.
12816  TLS handshake succeeded.
12310  PEAP full handshake finished successfully
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
12313  PEAP inner method started
11521  Prepared EAP-Request/Identity for inner EAP method
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
11522  Extracted EAP-Response/Identity for inner EAP method
11806  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006  Matched Default Rule
15013  Selected Identity Store -
22043  Current Identity Store does not support the authentication method; Skipping it.
22056  Subject not found in the applicable identity store(s).

22058  The advanced option that is configured for an unknown user is used.
22062  The 'Drop' advanced option is configured in case of a failed authentication request.
12315  PEAP inner method finished with failure
22028  Authentication failed and the advanced options are ignored.

Does anyone have an idea what's going wrong?

Regards,

Martijn.

1 REPLY
Cisco Employee

Re: ACS5.1 <> NGS (wifi guest access)

Hi,

The problem is that NGS does not support PEAP-MSCHAP as authentication method.

NAC Guest Server supports only PAP in RADIUS Authentication.

http://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_radius.html#wp1060449

Thanks,

Tiago
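
An added example, not part of the original thread and not Cisco tooling: a small parser for ACS step lines like those quoted in the question, which reports the negotiated outer and inner methods and flags the case where step 22043 follows an inner method the external store does not accept. The function names and the `store_protocols` parameter are hypothetical; the PAP-only default reflects the reply above, and the sample lines are a constructed subset of the posted log.

```python
import re

# Constructed sample: a subset of the ACS step lines quoted in the question above.
SAMPLE_STEPS = """\
11001  Received RADIUS Access-Request
12319  Successfully negotiated PEAP version 1
12313  PEAP inner method started
11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006  Matched Default Rule
15013  Selected Identity Store -
22043  Current Identity Store does not support the authentication method; Skipping it.
22056  Subject not found in the applicable identity store(s).
12315  PEAP inner method finished with failure
"""

STEP_RE = re.compile(r"^(\d{5})\s+(.*)$")


def parse_steps(text):
    """Return (code, message) tuples; section headers without a code get code None."""
    steps = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            m = STEP_RE.match(line)
            steps.append((m.group(1), m.group(2)) if m else (None, line))
    return steps


def diagnose(steps, store_protocols=frozenset({"PAP"})):
    """Report negotiated methods and flag an identity-store protocol mismatch.

    store_protocols is a caller-supplied assumption: the methods the external
    store accepts (PAP only for NGS, per the reply above).
    """
    outer = inner = None
    skipped = False
    for code, msg in steps:
        if code == "12319":    # outer tunnel negotiated
            m = re.search(r"negotiated (\S+) version", msg)
            outer = m.group(1) if m else None
        elif code == "11808":  # inner method accepted by the client
            m = re.search(r"accepting (\S+) as negotiated", msg)
            inner = m.group(1) if m else None
        elif code == "22043":  # store skipped: method unsupported
            skipped = True
    mismatch = skipped and inner is not None and inner not in store_protocols
    return {"outer": outer, "inner": inner,
            "store_skipped": skipped, "protocol_mismatch": mismatch}
```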
