
CHAP/MD5 support on ISE

umahar
Cisco Employee

Hi,

We are trying to authenticate Huawei to ISE using RADIUS and device authentication.

It seems Huawei used CHAP/MD5 and not the usual PAP-ASCII like Cisco and Juniper.

Is this method supported by ISE as we are seeing the below error and we have enabled all auth types?

Accepted Solutions

thomas
Cisco Employee

I spoke with Utkarsh and, to clarify, the scenario is using CHAP/MD5 for TACACS+ Device Administration and not RADIUS-based MAB authentication.

They are trying to use CHAP/MD5 with RADIUS as a workaround for the lack of TACACS+ support.

8 Replies

thomas
Cisco Employee

If you go into ISE > Policy > Policy Elements > Results > Authentication > Allowed Protocols you can see the list of all available protocols that you may choose from.

Please try CHAP and see if it works for you.

Also please note the limited set of Identity Stores that you may use it with in the ISE 2.3 Administrators Guide on page 329:

Please let us know if you're successful!

umahar
Cisco Employee

Thanks Thomas, we have enabled every one of them but it's not working.

I wonder if CHAP/MD5 is different than CHAP.

thomas
Cisco Employee

Thank you for that, Utkarsh. Can you tell us which Huawei platform(s) and software versions you're testing with?

umahar
Cisco Employee

Hi Thomas,

Below is the output.

>dis ver

Huawei Versatile Routing Platform Software

VRP (R) software, Version 5.130 (S9300 V200R003C00SPC500)

Copyright (C) 2000-2013 HUAWEI TECH CO., LTD

Quidway S9303 Terabit Routing Switch uptime is 90 weeks, 1 day, 19 hours, 16 minute

thomas
Cisco Employee

Are there no other protocol options for MAB with Huawei?

umahar
Cisco Employee

This is to authenticate users logging into Huawei for device administration.

I've asked the customer to look for other protocols.

thomas
Cisco Employee

I spoke with Utkarsh and, to clarify, the scenario is using CHAP/MD5 for TACACS+ Device Administration and not RADIUS-based MAB authentication.

They are trying to use CHAP/MD5 with RADIUS as a workaround for the lack of TACACS+ support.

umahar
Cisco Employee

Hi Thomas,

The customer made some changes on their test switch and are now using PAP-ASCII which is working.

Not sure if they are willing to make that change in all of their Huawei switches.

I am not sure if Huawei lacks TACACS+ but the reason why they are sticking to RADIUS is because they don't want to make major changes in their environment as they are currently on FreeRADIUS and only want to switch the IP to ISE.
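
Added example, not part of any post above and not ISE or Huawei code: a sketch of how RADIUS CHAP (the MD5 challenge-response in RFC 2865 section 5.3) and RADIUS PAP (section 5.2) are verified on the server, showing why CHAP only works against an identity store that can supply the cleartext password while PAP also works against a hash-only store. The function names, the PBKDF2 store and all sample values are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

def chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 5.3: CHAP-Password = ident || MD5(ident || password || challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()

def verify_chap(attr: bytes, challenge: bytes, stored_secret: bytes) -> bool:
    """The server must redo the MD5 itself, so it needs the cleartext password."""
    if len(attr) != 17:
        return False
    return hmac.compare_digest(chap_password(attr[0], stored_secret, challenge), attr)

def pap_hide(password: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret || previous)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(shared_secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def pap_recover(hidden: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Server side of PAP: undo the XOR chain and get the cleartext back."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(shared_secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def demo():
    # All values below are constructed for this example.
    shared_secret, password = b"constructed-radius-secret", b"constructed-admin-pw"
    authenticator, salt = os.urandom(16), os.urandom(16)
    # A hash-only identity store: keeps PBKDF2(password), never the cleartext.
    stored_hash = hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)
    # PAP: server recovers the cleartext, re-hashes it, compares with the store.
    recovered = pap_recover(pap_hide(password, shared_secret, authenticator), shared_secret, authenticator)
    pap_ok = hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", recovered, salt, 10_000), stored_hash)
    # CHAP: the Request Authenticator is the challenge when no CHAP-Challenge is sent.
    attr = chap_password(7, password, authenticator)
    chap_with_cleartext = verify_chap(attr, authenticator, password)
    chap_with_hash_only = verify_chap(attr, authenticator, stored_hash)
    return pap_ok, chap_with_cleartext, chap_with_hash_only

if __name__ == "__main__":
    print(demo())
```

The trade-off is that PAP hands the cleartext password to anyone who holds the RADIUS shared secret, so the secret's strength and the path between switch and server matter more once a device is moved from CHAP to PAP.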
