PEAP-MSCHAPv2 with ACS 5.3 - WLC + Strong Authentication
Hi everyone,
We have a diagram similar to this:
User -> AP Aironet -> Cisco WLC -> Radius Server -> Cisco ACS 5.3
Now in details:
A user takes a notebook to access a wireless network that uses PEAP-MSCHAPv2 as the authentication protocol. The user has to input (see Image 1):
Mobile Token (OTP): 312832
Image 1. You can see the format in the image below.
AP Aironet forwards the SSID and other stuff to the Cisco WLC which connects to the Radius Server.
The Radius Server authenticates the Mobile Token using HOTP, separates the username from the Mobile Token and the PEAP challenge, and delivers the information to the ACS.
Actually, we use the Radius Server between the WLC and the Cisco ACS to maintain a strong authentication policy without breaking our PEAP-MSCHAPv2, due to the inability of the Cisco ACS to handle that type of authentication protocol.
Everything here works fine until we add Active Directory as the Identity Source in the Network Policy we use.
We noticed that when we switch to this diagram:
User -> AP Aironet -> Cisco WLC -> Radius Server -> Cisco ACS -> Active Directory
The Radius Server sends the “Radius Username” attribute stripped, but in the logs of the ACS we saw an attribute “ACS Username” that contains user/token, and obviously this fails when the ACS tries to use this attribute against Active Directory. Looking at the logs, the Radius User is without the /312832.
After a debug on the first Radius Server we are pretty sure that there is no such attribute as “ACS Username” or “ACS::Username” in the RADIUS communication sent from the Radius Server to the Cisco ACS. So the question is: at which point does the ACS get the user/token, or how can we override this type of behavior?
We also wonder whether the ACS can strip the prefix/suffix of the attribute and send the information to Active Directory without the Mobile Token “(/312832)”. We need to have the user without the token.
User: Windows XP, Windows 7 and Mac OS X
AP Aironet: Version
Cisco WLC: Version
Radius Server: Freeradius 2.1 – VU Security Application Server
Cisco ACS: Version 5.3
Active Directory: Version Windows 2003
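The following is an added example, not code from the original post or from the VU Security / FreeRADIUS setup it describes. It models the job the poster assigns to the first RADIUS server: take the inner identity in the form `user/312832`, split off the mobile token, verify it as an RFC 4226 HOTP value with a look-ahead window and a counter that advances past the matched value (so a captured code cannot be replayed), and return only the stripped username that should be forwarded toward ACS. The `OtpFrontEnd` class, its `users` dictionary and the sample user `jdoe` are constructed for the example; the HOTP secret is the RFC 4226 test-vector secret, so the expected codes can be checked against the RFC. One caveat for anyone stripping the token this way: in MS-CHAPv2 the peer's user name is an input to the challenge hash (RFC 2759), so whatever identity the supplicant used inside the PEAP tunnel is the one the MS-CHAPv2 response was computed over, independently of what the outer RADIUS `User-Name` attribute carries.

```python
import hashlib
import hmac
import struct

DIGITS = 6  # length of the mobile token shown in the post (312832)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def split_identity(identity: str, sep: str = "/"):
    """Split 'user/312832' into ('user', '312832').

    If the identity does not carry a numeric token of the expected length
    after the last separator, return it unchanged with token None so the
    caller rejects the request instead of forwarding a guessed username.
    """
    if sep not in identity:
        return identity, None
    user, token = identity.rsplit(sep, 1)
    if not user or not token.isdigit() or len(token) != DIGITS:
        return identity, None
    return user, token


class OtpFrontEnd:
    """Hypothetical model of the RADIUS server in front of ACS: validates
    the HOTP suffix and returns the stripped username to forward on."""

    def __init__(self, users, look_ahead: int = 10):
        # users: {username: {"secret": bytes, "counter": int}}; constructed
        # in-memory store standing in for the real token database.
        self.users = users
        self.look_ahead = look_ahead

    def authenticate(self, identity: str):
        """Return the username to forward to ACS, or None to reject."""
        user, token = split_identity(identity)
        if token is None or user not in self.users:
            return None
        rec = self.users[user]
        # Resynchronisation window: accept counter .. counter + look_ahead.
        for c in range(rec["counter"], rec["counter"] + self.look_ahead + 1):
            if hmac.compare_digest(hotp(rec["secret"], c), token):
                # Move past the matched counter so the same code is never
                # accepted twice (replay of a sniffed token fails).
                rec["counter"] = c + 1
                return user
        return None


if __name__ == "__main__":
    # Constructed sample: RFC 4226 test secret, counter starts at 0.
    fe = OtpFrontEnd({"jdoe": {"secret": b"12345678901234567890", "counter": 0}})
    print(fe.authenticate("jdoe/755224"))  # stripped username for counter 0
    print(fe.authenticate("jdoe/755224"))  # same code again: rejected
```

The stripped username returned by `authenticate` is what the first RADIUS server should place in the `User-Name` attribute of the request it proxies toward ACS; the full `user/token` string must not reach the identity lookup against Active Directory.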