We are trying to authenticate Huawei to ISE using RADIUS and device authentication.
It seems Huawei used CHAP/MD5 and not the usual PAP-ASCII like Cisco and Juniper.
Is this method supported by ISE as we are seeing the below error and we have enabled all auth types?
If you go into ISE > Policy > Policy Elements > Results > Authentication > Allowed Protocols you can see the list of all available protocols that you may choose from.
Please try CHAP and see if it works for you.
Also please note the limited set of Identity Stores that you may use it with in the ISE 2.3 Administrators Guide on page 329:
Please let us know if you're successful!
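Why CHAP narrows the usable identity stores while PAP does not, as an added example that is not part of the original thread or any vendor's code: per RFC 2865 the server must recompute the CHAP MD5 digest from the cleartext password, whereas a PAP User-Password can be recovered with the shared secret and checked against a one-way hash. All function names and sample values are constructed, and the PBKDF2 store is a stand-in for any hash-only identity store.

```python
import hashlib
import hmac

def chap_password_attr(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value (RFC 2865 5.3): CHAP ident + MD5(ident | password | challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()

def verify_chap(attr: bytes, challenge: bytes, stored_cleartext: bytes) -> bool:
    """The server can only recompute the digest from the cleartext password."""
    if len(attr) != 17:
        return False
    expected = chap_password_attr(attr[0], stored_cleartext, challenge)
    return hmac.compare_digest(expected, attr)

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding (RFC 2865 5.2): XOR with an MD5 keystream chained per block."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out

def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Anyone holding the shared secret gets the password back."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def store_hash(password: bytes, salt: bytes) -> bytes:
    """Stand-in for an identity store that keeps only a one-way hash."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)

# Constructed sample values, not taken from the thread.
PASSWORD, SECRET, SALT = b"Sw1tch-Adm1n-Passw0rd", b"constructed-shared-secret", b"constructed-salt"
CHALLENGE = AUTHENTICATOR = bytes(range(16))
STORED_HASH = store_hash(PASSWORD, SALT)

def demo() -> dict:
    chap = chap_password_attr(7, PASSWORD, CHALLENGE)
    hidden = pap_hide(PASSWORD, SECRET, AUTHENTICATOR)
    return {
        "chap_with_cleartext_store": verify_chap(chap, CHALLENGE, PASSWORD),
        "chap_with_hash_only_store": verify_chap(chap, CHALLENGE, STORED_HASH),
        "pap_with_hash_only_store": hmac.compare_digest(
            store_hash(pap_recover(hidden, SECRET, AUTHENTICATOR), SALT), STORED_HASH),
    }
```

With PAP the password is protected in transit only by the RADIUS shared secret, so that secret should be long and unique per network device.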
Below is the output.
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.130 (S9300 V200R003C00SPC500)
Copyright (C) 2000-2013 HUAWEI TECH CO., LTD
Quidway S9303 Terabit Routing Switch uptime is 90 weeks, 1 day, 19 hours, 16 minute
This is to authenticate users logging into Huawei for device administration.
I've asked the customer to look for other protocols.
The customer made some changes on their test switch and are now using PAP-ASCII which is working.
Not sure if they are willing to make that change in all of their Huawei switches.
I am not sure if Huawei lacks TACACS+, but the reason why they are sticking to RADIUS is because they don't want to make major changes in their environment, as they are currently on FreeRADIUS and only want to switch the IP to ISE.