Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Web-auth - CHAP with Microsoft IAS

I can get web-auth using PAP to work with IAS fine but it provides no encryption.

Is web-authentication using CHAP (or MD5-CHAP) possible when the RADIUS server being used is Microsoft IAS? Has anyone gotten this scenario to work?

Thanks,

Scott

7 REPLIES
Hall of Fame Super Silver

Re: Web-auth - CHAP with Microsoft IAS

I havent' tried it, but do you have CHAP enabled on the IAS box? If not then this is how you enable it if you don't have it enabled already.

To enable authentication protocols

Open Routing and Remote Access.

Right-click the server name for which you want to enable authentication protocols, and then click Properties.

On the Security tab, click Authentication Methods.

In the Authentication Methods dialog box, select the appropriate check boxes for the authentication protocols that the remote access server will use to authenticate remote clients, and then click OK.

-Scott
*** Please rate helpful posts ***
New Member

Re: Web-auth - CHAP with Microsoft IAS

Yes I have enabled CHAP in both Routing and Remote Access AND the IAS remote access profile properties but still get a Access-Reject Msg.

Output from debug aaa all enable:

00:1d:e0:0b:c5:dd Successful transmission of Authentication Packet (id 57) to 10.2.13.134:1812, proxy state 00:1d:e0:0b:c5:dd-00:01

Tue Feb 10 08:59:21 2009: 00000000: 01 39 00 81 b4 4b 73 c1 dd c7 92 a4 31 0a c2 5a .9...Ks.....1..Z

Tue Feb 10 08:59:21 2009: 00000010: c6 25 65 37 01 0a 73 6a 6f 68 6e 73 6f 6e 3c 12 .%e7..sjohnson<.

Tue Feb 10 08:59:21 2009: 00000020: 19 30 41 07 89 3c 39 c5 eb a2 08 13 7c a0 21 cb .0A..<9.....|.!.

Tue Feb 10 08:59:21 2009: 00000030: 03 13 04 a6 7e 93 19 42 92 ae cd d8 94 1e 0d e0 ....~..B........

Tue Feb 10 08:59:21 2009: 00000040: 0b 95 d0 06 06 00 00 00 01 04 06 c0 a8 64 0a 20 .............d..

Tue Feb 10 08:59:21 2009: 00000050: 05 57 4c 43 1a 0c 00 00 37 63 01 06 00 00 00 01 .WLC....7c......

Tue Feb 10 08:59:21 2009: 00000060: 1f 11 31 39 32 2e 31 36 38 2e 31 30 30 2e 31 30 ..192.168.100.10

Tue Feb 10 08:59:21 2009: 00000070: 36 1e 10 31 39 32 2e 31 36 38 2e 31 30 30 2e 31 6..192.168.100.1

Tue Feb 10 08:59:21 2009: 00000080: 30 0

Tue Feb 10 08:59:21 2009: 00000000: 03 39 00 14 fc a7 d6 13 84 af 26 34 b4 a0 39 29 .9........&4..9)

Tue Feb 10 08:59:21 2009: 00000010: c3 d9 ed 5c ...\

Tue Feb 10 08:59:21 2009: ****Enter processIncomingMessages: response code=3

Tue Feb 10 08:59:21 2009: ****Enter processRadiusResponse: response code=3

Tue Feb 10 08:59:21 2009: 00:1d:e0:0b:c5:dd Access-Reject received from RADIUS server 10.2.13.134 for mobile 00:1d:e0:0b:c5:dd receiveId = 0

Tue Feb 10 08:59:21 2009: 00:1d:e0:0b:c5:dd Returning AAA Error 'Authentication Failed' (-4) for mobile 00:1d:e0:0b:c5:dd

Tue Feb 10 08:59:21 2009: AuthorizationResponse: 0x36bf7880

Tue Feb 10 08:59:21 2009: structureSize................................28

Tue Feb 10 08:59:21 2009: resultCode...................................-4

Tue Feb 10 08:59:21 2009: protocolUsed.................................0xffffffff

Tue Feb 10 08:59:21 2009: proxyState...................................00:1D:E0:0B:C5:DD-00:00

Tue Feb 10 08:59:21 2009: Packet contains 0 AVPs:

Tue Feb 10 08:59:21 2009: Authentication failed for sjohnson

Hall of Fame Super Silver

Re: Web-auth - CHAP with Microsoft IAS

Do you have a guest anchor wlc or a stand alone wlc?

-Scott
*** Please rate helpful posts ***
New Member

Re: Web-auth - CHAP with Microsoft IAS

This is a standalone WLC 4402.

New Member

Re: Web-auth - CHAP with Microsoft IAS

Hi

I'm trying to get WebAuth working, period, with IAS 2003. Can you provide me with an example of the policy you created on the IAS server? I have it set for 'time of day' and 'user is a member of group x' and left everything else default, yet all my web users are being rejected. Is there something else you had to do to get this working, even with PAP? (we do not care about encryption as this is a public access network). THanks very much.

J

New Member

Re: Web-auth - CHAP with Microsoft IAS

Jason,

I've gotten web-auth working with IAS 2003 using PAP following this Word document I received from TAC. I just created a policy condition for a windows group only.

Change the Service-Type from Framed to Login.

Scott

New Member

Re: Web-auth - CHAP with Microsoft IAS

Hi

So this worked great...with one small issue. The IAS server is in the root of the domain forest, and the users are in a different subdomain. In order to get the users to login via the webpage, they have to specify their account like 'username@domain.xx', otherwise it fails to login.

Is there anyway to avoid having to specify the @domain.xx part?

Thanks.

728
Views
0
Helpful
7
Replies