Cisco Employee

CHAP/MD5 support on ISE

Hi,

We are trying to authenticate Huawei to ISE using RADIUS and device authentication.

It seems Huawei used CHAP/MD5 and not the usual PAP-ASCII like Cisco and Juniper.

Is this method supported by ISE as we are seeing the below error and we have enabled all auth types?

1 ACCEPTED SOLUTION

Cisco Employee

Re: CHAP/MD5 support on ISE

I spoke with Utkarsh and, to clarify, the scenario is using CHAP/MD5 for TACACS+ Device Administration and not RADIUS-based MAB authentication.

They are trying to use CHAP/MD5 with RADIUS as a workaround for the lack of TACACS+ support.

8 REPLIES 8
Cisco Employee

Re: CHAP/MD5 support on ISE

If you go into ISE > Policy > Policy Elements > Results > Authentication > Allowed Protocols you can see the list of all available protocols that you may choose from.

Please try CHAP and see if it works for you.

Also please note the limited set of Identity Stores that you may use it with in the ISE 2.3 Administrators Guide on page 329:

Please let us know if you're successful!
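The reply above notes that CHAP only works with a limited set of identity stores. As an added example that is not part of the original thread and not ISE code: RADIUS CHAP (RFC 2865, using the MD5 response from RFC 1994) requires the server to recompute the digest from the cleartext password, so a store that keeps only a one-way hash cannot verify it. The function names and the sample password are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

CHAP_PASSWORD = 3    # RADIUS attribute type (RFC 2865, section 5.3)
CHAP_CHALLENGE = 60  # RADIUS attribute type (RFC 2865, section 5.40)


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(CHAP ident || cleartext password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def nas_build_attrs(password: bytes) -> dict:
    """Attributes the NAS (the switch) sends instead of PAP's User-Password."""
    chap_id = os.urandom(1)[0]
    challenge = os.urandom(16)
    value = bytes([chap_id]) + chap_response(chap_id, password, challenge)
    return {CHAP_PASSWORD: value, CHAP_CHALLENGE: challenge}


def server_verify(attrs: dict, stored_cleartext: Optional[bytes],
                  request_authenticator: bytes = b"") -> bool:
    """Recompute the digest from the stored password and compare."""
    if stored_cleartext is None:
        # The store holds only a one-way hash, or validates by bind/compare:
        # there is no cleartext to feed into MD5, so CHAP cannot be checked.
        return False
    value = attrs.get(CHAP_PASSWORD, b"")
    # Without a CHAP-Challenge attribute, the Request Authenticator is the challenge.
    challenge = attrs.get(CHAP_CHALLENGE) or request_authenticator
    if len(value) != 17 or not challenge:
        return False
    expected = chap_response(value[0], stored_cleartext, challenge)
    return hmac.compare_digest(expected, value[1:])


if __name__ == "__main__":
    attrs = nas_build_attrs(b"constructed-admin-pw")  # constructed sample password
    print("cleartext store :", server_verify(attrs, b"constructed-admin-pw"))
    print("wrong password  :", server_verify(attrs, b"something-else"))
    print("hash-only store :", server_verify(attrs, None))
```

With PAP, the server recovers the submitted password from the User-Password attribute and can check it against a hashed store or an external directory, so PAP does not carry this restriction.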

Cisco Employee

Re: CHAP/MD5 support on ISE

Thanks Thomas, we have enabled every one of them but it's not working.

I wonder if CHAP/MD5 is different than CHAP.

Cisco Employee

Re: CHAP/MD5 support on ISE

Thank you for that, Utkarsh. Can you tell us which Huawei platform(s) and software versions you're testing with?

Cisco Employee

Re: CHAP/MD5 support on ISE

Hi Thomas,

Below is the output.

>dis ver

Huawei Versatile Routing Platform Software

VRP (R) software, Version 5.130 (S9300 V200R003C00SPC500)

Copyright (C) 2000-2013 HUAWEI TECH CO., LTD

Quidway S9303 Terabit Routing Switch uptime is 90 weeks, 1 day, 19 hours, 16 minute

Cisco Employee

Re: CHAP/MD5 support on ISE

Are there no other protocol options for MAB with Huawei?

Cisco Employee

Re: CHAP/MD5 support on ISE

This is to authenticate users logging into Huawei for device administration.

I've asked the customer to look for other protocols.

Cisco Employee

Re: CHAP/MD5 support on ISE

Hi Thomas,

The customer made some changes on their test switch and are now using PAP-ASCII which is working.

Not sure if they are willing to make that change in all of their Huawei switches.

I am not sure if Huawei lacks TACACS+, but the reason why they are sticking to RADIUS is that they don't want to make major changes in their environment, as they are currently on FreeRADIUS and only want to switch the IP to ISE.