topic Re: failed to authenticate user to ACS 5.1 with LDAP as external in Network Access Control

failed to authenticate user to ACS 5.1 with LDAP as external identity storage

ian_banderaz — Mon, 11 Mar 2019 00:49:08 GMT

Hi , I have an ACS and Open-LDAP server running on my company network.
Now, I 'm setting up a new linksys WAP-54G and choose WPA2-Enterprise option with ACS as the radius server.
first thing first, I created new internal user on ACS, and trying to join the wireless network from my computer. I made it....

then, I'm moving on external entity (LDAP Server). I've set up the LDAP configuration and identity sequence, also select it on access service. but when I tried to authenticate from my computer, an error was occurred. I received :
the following error 22056 Subject not found in the applicable identity store (s)

Wonder 'bout this thing, I set up a cisco 1841 router to become AAA client. and surprisingly... it works !!!
so, is there any problem to authenticate from windows platform to ACS (pointing to LDAP) ?
any suggestion ?
thanks

Re: failed to authenticate user to ACS 5.1 with LDAP as external

rleivaoc — Fri, 11 Feb 2011 13:01:11 GMT

Hi Ian,

I need a bit more detail on this issue. On ther 18xx router, did you use the "test aaa.." option to see if this works? On the ACS server, did you check the ACS View > Reports > Catalog > AAA Protocol >, and see what errors you are getting based on the authentication protocol you are using? This might be a supplicate issue, but the logs should tell us more.

Thanks,

Rafael

Re: failed to authenticate user to ACS 5.1 with LDAP as external

ian_banderaz — Fri, 11 Feb 2011 17:00:18 GMT

Current configuration : 989 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default group radius
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
!
!
!
!
interface FastEthernet0/0
ip address 172.16.16.16 255.255.0.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
clockrate 2000000
!
interface Serial0/0/1
no ip address
shutdown
clockrate 2000000
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.110.110
!
ip http server
!
ip radius source-interface FastEthernet0/0
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key yyyyy
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
end

it's the configuration of the 1841 router. I just test it using telnet. when I'm telneting the router, it will ask the username and password from radius server.

Hey, looks like it's the logger I've been searching before. thanks vaoc. I will try and see it tommorow. while waiting, do you have any other suggestion ? have you ever met this kind of case ?

thanks

Re: failed to authenticate user to ACS 5.1 with LDAP as external

ian_banderaz — Sun, 13 Feb 2011 16:38:12 GMT

This is the log when using windows 7 as authentication client (Failed) :

Steps

11001 Received RADIUS Access-Request

11017 RADIUS created a new session

Evaluating Service Selection Policy

15004 Matched rule

15012 Selected Access Service - Default Network Access

11507 Extracted EAP-Response/Identity

12500 Prepared EAP-Request proposing EAP-TLS with challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12301 Extracted EAP-Response/NAK requesting to use PEAP instead

12300 Prepared EAP-Request proposing PEAP with challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated

12318 Successfully negotiated PEAP version 0

12800 Extracted first TLS record; TLS handshake started.

12805 Extracted TLS ClientHello message.

12806 Prepared TLS ServerHello message.

12807 Prepared TLS Certificate message.

12810 Prepared TLS ServerDone message.

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12304 Extracted EAP-Response containing PEAP challenge-response

12318 Successfully negotiated PEAP version 0

12812 Extracted TLS ClientKeyExchange message.

12804 Extracted TLS Finished message.

12801 Prepared TLS ChangeCipherSpec message.

12802 Prepared TLS Finished message.

12816 TLS handshake succeeded.

12310 PEAP full handshake finished successfully

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12304 Extracted EAP-Response containing PEAP challenge-response

12313 PEAP inner method started

11521 Prepared EAP-Request/Identity for inner EAP method

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12304 Extracted EAP-Response containing PEAP challenge-response

11522 Extracted EAP-Response/Identity for inner EAP method

11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12304 Extracted EAP-Response containing PEAP challenge-response

11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated

Evaluating Identity Policy

15006 Matched Default Rule

15013 Selected Identity Store -

22043 Current Identity Store does not support the authentication method; Skipping it.

24210 Looking up User in Internal Users IDStore - xxxxx

24216 The user is not found in the internal users identity store.

22016 Identity sequence completed iterating the IDStores

22056 Subject not found in the applicable identity store(s).

22058 The advanced option that is configured for an unknown user is used.

22061 The 'Reject' advanced option is configured in case of a failed authentication request.

11815 Inner EAP-MSCHAP authentication failed

11520 Prepared EAP-Failure for inner EAP method

22028 Authentication failed and the advanced options are ignored.

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12304 Extracted EAP-Response containing PEAP challenge-response

12307 PEAP authentication failed

11504 Prepared EAP-Failure

11003 Returned RADIUS Access-Reject

This is the log when using 1841 router as authentication client (succeded) :

Steps

11001 Received RADIUS Access-Request

11017 RADIUS created a new session

11049 Settings of RADIUS default network will be used

Evaluating Service Selection Policy

15004 Matched rule

15012 Selected Access Service - Default Network Access

Evaluating Identity Policy

15006 Matched Default Rule

15013 Selected Identity Store - LDAPyyyy

24031 Sending request to primary LDAP server

24015 Authenticating user against LDAP Server

24022 User authentication succeeded

22037 Authentication Passed

22023 Proceed to attribute retrieval

22038 Skipping the next IDStore for attribute retrieval because it is the one we authenticated against

24210 Looking up User in Internal Users IDStore - xxxxx

24216 The user is not found in the internal users identity store.

22016 Identity sequence completed iterating the IDStores

Evaluating Group Mapping Policy

Evaluating Exception Authorization Policy

15042 No rule was matched

Evaluating Authorization Policy

15006 Matched Default Rule

15016 Selected Authorization Profile - Permit Access

11002 Returned RADIUS Access-Accept

I realized that Windows is using PEAP-MSCHAPv2 while Router is using PAP-ASCII as it's protocol.

so now, why PEAP-MSCHAPv2 can't authenticate to LDAP ?

is there anything I can do to make it work ?

Re: failed to authenticate user to ACS 5.1 with LDAP as external

rleivaoc — Mon, 14 Feb 2011 20:16:07 GMT

Thanks for the update Ian. When you move to the internal Idenity store. Does this work with your computer authenticating? I am thinking this might be a ACS 5.1 setup problem. When reading this document: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/rad_tac_phase.html

I see the following:

RADIUS-Based Flows with EAP Authentication

EAP provides an extensible framework that supports a variety of authentication types. Among them, the specific EAP methods supported by ACS are:

•Simple EAP methods that do not use certificates:

–EAP-MD5

–LEAP

•EAP methods in which the client uses the ACS server certificate to perform server authentication:

–PEAP/EAP-MSCHAPv2

–PEAP/EAP-GTC

–EAP-FAST/EAP-MSCHAPv2

–EAP-FAST/EAP-GTC

•EAP methods that use certificates for both server and client authentication

–EAP-TLS

I don't see EAP-MSCHAP only EAP-MSCHAPv2. I don't know if this make a differance, but it might be something to look at. Can you change the MSCHAP version for the EAP?

Thanks,

Rafael

Re: failed to authenticate user to ACS 5.1 with LDAP as external

andrewswanson — Tue, 15 Feb 2011 09:48:54 GMT

hello

sounds like you don't have mschap authentication enabled on the ldap server. you can use eap-gtc instead but you'd need to:

1 enable eap-gtc under Allowed Protocols on your ACS access Policy

2. install an eap-gtc supplicant on the windows box - if you have an intel wireless nic, the intel proset client supports eap-gtc

this could mean a fair bit of work depending on the number/type of wireless clients you have - might be worth enabling mschap authentication on the ldap server.

hth

andy

Re: failed to authenticate user to ACS 5.1 with LDAP as external

Bernardo Gaspar — Tue, 15 Feb 2011 10:47:07 GMT

Hi Ian,

It's not possible to use all the EAP types with LDAP as an Identity Store. You can find more info on the supported protocols for the Identity Stores in the ACS User Guide:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/eap_pap_phase.html#wp1014889

In short, any protocol using MSCHAPv2 is not supported with LDAP.

I'd suggest to either use a different authentication type (such as PEAP-GTC or PEAP-TLS), but the possible types with LDAP may not be supported by all supplicants... Or to use AD instead, should the LDAP database be on a Windows Server.

I hope this helps.

Best regards,

Bernardo

Re: failed to authenticate user to ACS 5.1 with LDAP as external

ian_banderaz — Tue, 15 Feb 2011 17:30:15 GMT

Hi all,

I don't think the AD thing is possible. the system has been running so long and the directory has been too large for us to migrate it. plus, no additional costs are allowed .

so let us go to the second option.

How can I afford either PEAP-GTC or PEAP-TLS ? I've tried that before with no success. it looks like GTC or TLS need additional signed certificate from third party. Can you give me any references about how to install it ?

Thanks.

Re: failed to authenticate user to ACS 5.1 with LDAP as external

Bernardo Gaspar — Thu, 17 Feb 2011 15:24:08 GMT

Hi Ian,

PEAP-GTC relies on token cards (such as SecureID) to generate an access code to be entered during authentication. This is probably also not what you are looking for.

PEAP-TLS will require 2 certificates: 1 server certificate and 1 client certificate. Each client will use his own certificate as authentication credentials. In order for ACS to be able to validate the certificates from the clients, CA signed certificates are required.

Best regards,

Bernardo

Re: failed to authenticate user to ACS 5.1 with LDAP as external

ian_banderaz — Sat, 19 Feb 2011 17:44:35 GMT

ok, I think I've got the answer. Thanks all.

Regards,

Cu Ian Wijaya