ACS v5.5 CHAP/MD5 internal users failing to authenticate

matt.smith
Level 1

We have recently purchased some firewalls for a new environment that we configured to use in FIPS mode. Because the firewalls are in FIPS mode, the only RADIUS authentication protocol they can use is CHAP/SHA-1. We originally were having issues authenticating internal users in ACS v5.4 because (based off the Authentication_Trend logs), it looks like the ACS was looking for CHAP/MD5. We upgraded to v5.5 because we saw there was the ability to put the ACS into FIPS mode; however, it looks like CHAP has to be disabled as a RADIUS authentication protocol due to MD5 not being FIPS compliant. Just curious if there was any way to have the ACS look for CHAP that uses a different hashing algorithm (like a SHA-*). If not, this would be a useful enhancement for the future.

1 Reply

edelgado
Level 1

Hello,

ACS has been FIPS compliant since version 5.4; however, there are other things to consider.

Where is the user held? Internally on the ACS or in an external DB? If external, what DB are you using?

Regards,

Erdelgad
