ACS 5.1 CHAP authentication internal user

Lars Reidelbach
Level 1

Hello,

I am trying to authenticate some Android smartphones with CHAP against the ACS internal user database. The problem is the password. We have tried some combinations but always get the same result.

15004  Matched rule

15013  Selected Identity Store - Internal Users

24210  Looking up User in Internal Users IDStore - Testuser

24212  Found User in Internal Users IDStore

22063  Wrong password

22057  The advanced option that is configured for a failed authentication request is used.

22061  The 'Reject' advanced option is configured in case of a failed authentication request.

11003  Returned RADIUS Access-Reject

The password is the same on the phone and the ACS internal user. I don't know what is wrong.

Is there an option for CHAP with password?

best regards,

Lars

10 Replies

andamani
Cisco Employee

Hi,

The shared secret between the AAA client on the ACS and the phone has to be the same.

On ACS Network Resources > network Devices and AAA client > Radius/TACACS > Shared secret value has to be the same on the Phone.

Ensure both of these are the same.

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Hi,

The smartphone sends the authentication request to a router in our provider network. This router is the AAA client, which builds the RADIUS request to the ACS server. The shared secret between the AAA client (router) and ACS is the same.

So I don't need an AAA client for the smartphone. Or am I wrong?

regards,

Lars

Hi,

That is correct.

You can try resetting the password of the user in the ACS and try the login again. Please ensure that you do not enter a space in the password while typing.

Can you check if the option of "Allow chap" is enabled?

Access policies > Network default access > Allowed protocol > Allow CHAP.

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
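How a RADIUS server checks a CHAP login under RFC 2865 section 5.3, as an added example that is not part of the thread and not Cisco's code. The function names, the sample password and the UTF-8 encoding are assumptions made for illustration; the check shows that the stored password must match byte for byte and that the RADIUS shared secret is not an input to the CHAP hash.

```python
import hashlib
import hmac
from typing import Optional


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP response value (RFC 1994): MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_chap_password(ident: int, password: str, challenge: bytes) -> bytes:
    """Value of the RADIUS CHAP-Password attribute: 1-byte identifier + 16-byte response."""
    return bytes([ident]) + chap_response(ident, password.encode("utf-8"), challenge)


def verify_chap(chap_password: bytes, stored_password: str,
                chap_challenge: Optional[bytes], request_authenticator: bytes) -> bool:
    """Server-side check. The RADIUS shared secret is not an input here."""
    if len(chap_password) != 17:
        return False
    # RFC 2865 5.3: use the CHAP-Challenge attribute if present,
    # otherwise the 16-byte Request Authenticator is the challenge.
    challenge = chap_challenge if chap_challenge else request_authenticator
    ident, received = chap_password[0], chap_password[1:]
    # Assumption: both sides encode the password as UTF-8.
    expected = chap_response(ident, stored_password.encode("utf-8"), challenge)
    return hmac.compare_digest(received, expected)


def demo() -> dict:
    # Constructed sample values, not taken from the thread.
    challenge = bytes(range(16))
    authenticator = bytes(range(16, 32))
    attr = build_chap_password(7, "Secret1", challenge)
    return {
        "same password": verify_chap(attr, "Secret1", challenge, authenticator),
        "trailing space stored": verify_chap(attr, "Secret1 ", challenge, authenticator),
        "different case stored": verify_chap(attr, "secret1", challenge, authenticator),
        # The NAS sent no CHAP-Challenge, but the peer hashed over `challenge`:
        "wrong challenge source": verify_chap(attr, "Secret1", None, authenticator),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject (wrong password)'}")
```

A failed comparison carries no information about which input differed, so a password mismatch and a challenge mismatch both end in the same reject.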

Hi,

I reset the password and the user defined a new one via the option "Change password on next login". All worked fine, ACS took the new password. After that we tested the authentication again -> Failed, Wrong Password

Access Service has Allow Chap enabled.

best regards,

Lars

Hi Lars,

Please open a TAC case. The engineer will help you resolve this.

Regards,

Anisha

Hello, I've met the same problem, have you solved it now?

We used EAP-TLS with certificates. That worked then. Now we are using ISE, so I can't test again. Sorry.

Thanks for your reply. I wonder whether the ISE you use now uses CHAP or EAP-TLS?

We are now using EAP-TLS for all mobile devices.

@xiaodong liao I'm pretty desperate because I have the same problem with AnyConnect client authentication. Have you found a solution?