New Member

Web Auth via ACS 5.3 and AD failing

Hi All,

I am looking to create a web auth network so users with non managed devices can connect to the wireless network via their AD credentials.

I have the users authenticating correctly via a PEAP/MS-CHAPv2 solution, so I know there is no issue with communications between ACS 5.3 and AD.

When the user fails authentication I receive the error message "22056 Subject not found in the applicable identity store(s)", yet I know the user is in the identity store based on successful authentications on the internal WLAN given above.

I've tried changing the Web Auth on the WLC to CHAP, PAP and MD5CHAP to no avail.

Under the Access Policy created to link ACS to AD I have PEAP, MSCHAPv1 and 2 and CHAP configured as allowed protocols.

I've tried different username modifications to no avail. I know the user is in the identity store. ACS just can't find them.

Cheers

Darren                  

5 REPLIES
Hall of Fame Super Silver

Web Auth via ACS 5.3 and AD failing

Darren,

Are you trying to do webauth + 802.1x on the same ssid or just use webauth for the ssid?

-Scott
*** Please rate helpful posts ***
New Member

Web Auth via ACS 5.3 and AD failing

Nope.

Just Webauth and authentication via RADIUS.

I'm wondering if the AD can't access CHAP/MD5 auth requests. I only have one Identity store created for the AD.

All other attributes look correct.

I do also have a TAC case running

Hall of Fame Super Silver

Re: Web Auth via ACS 5.3 and AD failing

Well by default it should work using pap.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
Cisco Employee

Re: Web Auth via ACS 5.3 and AD failing

You should enable PAP on the Access service on your ACS.

Also make sure that you are using a compliant L2 security measure. BTW, do you have any MAC filtering enabled or not?

New Member

Re: Web Auth via ACS 5.3 and AD failing

I enabled PAP. Was trying not to, but MS AD doesn't support CHAP.

No MAC or L2 security.

ISE is a future consideration, this solution is just the initial step for my client to get into shared and BYOD devices.

Cheers
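
Added example, not part of the thread and not ACS or AD code: a Python sketch of the general reason behind the fix above. A CHAP response (RFC 1994) can only be checked by a verifier that holds the recoverable password, while a PAP password hidden per RFC 2865 can be recovered by the RADIUS server and checked against a one-way hash. The SHA-256 store, password and shared secret are constructed stand-ins.

```python
import hashlib
import hmac
import os

def store_hash(password: bytes) -> bytes:
    # Stand-in for a one-way credential store (assumption: SHA-256, not AD's real format).
    return hashlib.sha256(password).digest()

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    # RFC 1994: MD5(identifier || password || challenge), computed by the client.
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def verify_chap(chap_id, response, challenge, cleartext):
    # The verifier must recompute the MD5 itself, so it needs the cleartext.
    # A store that keeps only one-way hashes has nothing to feed in here.
    if cleartext is None:
        return False
    return hmac.compare_digest(chap_response(chap_id, cleartext, challenge), response)

def _pap_xor(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    # RFC 2865 section 5.2: each 16-byte block is XORed with MD5(secret || previous
    # ciphertext block); the first block uses the Request Authenticator.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, key))
        out += res
        prev = res if hiding else block
    return out

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    n = max(1, -(-len(password) // 16)) * 16      # pad with NULs to a 16-byte multiple
    return _pap_xor(password.ljust(n, b"\x00"), secret, authenticator, True)

def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _pap_xor(hidden, secret, authenticator, False).rstrip(b"\x00")

def verify_pap(hidden, secret, authenticator, stored_hash):
    # The server recovers the password, then the store hashes and compares it.
    recovered = pap_recover(hidden, secret, authenticator)
    return hmac.compare_digest(store_hash(recovered), stored_hash)

def demo():
    password, secret = b"Constructed-Passw0rd", b"constructed-radius-secret"
    stored = store_hash(password)                 # all the hash-only store keeps
    challenge, authenticator = os.urandom(16), os.urandom(16)
    resp = chap_response(7, password, challenge)
    hidden = pap_hide(password, secret, authenticator)
    return (verify_chap(7, resp, challenge, password),   # store with cleartext
            verify_chap(7, resp, challenge, None),       # hash-only store
            verify_pap(hidden, secret, authenticator, stored))
```

With PAP, the password's protection on the WLC-to-ACS hop rests only on the RADIUS shared secret, so that secret should be long and random.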
