topic Re: dot1x with SecurID in Network Access Control

dot1x with SecurID

kai.freese — Sun, 10 Mar 2019 21:10:40 GMT

Following infrastructure:

RSA ACE/Server with SecurID token

ACS 3.2(1) with RSA ACE/Agent 5.6

Catalyst 4506 with IOS 12.2(25)EWA1

Client with WindowsXP SP1 (KB826942 loaded) connected by cable (not wireless)

I can do:

- Authenticating on Cat4506 CLI console via TACACS+ and ACS with SecurID

- Authenticating WinXP-Client on Switchport via 802.1x, (Microsoft-)PEAP and ACS with account in ACS local database

I can not:

- Authenticating WinXP-Client on Switchport via 802.1x, (Microsoft-)PEAP and ACS with SecurID

Error in failed_attempts.csv is "External DB auth failed"

There is no communication between ACE/Agent and ACE/Server in this configuration.

Can 802.1x and PEAP work with SecurID-Authentication? If yes, what is wrong?

Is there any way to trace communication between ACS and ACE/Agent to get more detailed error descriptions?

Kai

Re: dot1x with SecurID

umedryk — Thu, 09 Jun 2005 13:00:03 GMT

Yes, 802.1x and PEAP are compatible to work with SecurID Authentication. You could check the configuration guides available at www.cisco.com/techsupport under the appropriate topic.

Re: dot1x with SecurID

hwon — Wed, 15 Jun 2005 20:05:03 GMT

OTP using Microsoft PEAP (EAP-MSChapV2) is not yet supported. In order to use OTP you will have to use Cisco PEAP (EAP-GTC) supplicant and enable ACS for EAP-GTC. You can use 3rd party supplicant from Funk or Meetinghouse. To enable EAP-GTC on ACS go to 'System Configuration -> Global Authentication Setup' and check 'Allow EAP-GTC'. Check out the table in the middle of the following faq for more information.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_qanda_item09186a0080124e7c.shtml