Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4130
Views
0
Helpful
9
Replies

ACS 5.1 CHAP authentication internal user

Lars Reidelbach
Level 1
Level 1

‎06-15-2011 07:58 AM - edited ‎03-10-2019 06:10 PM

Hello,

I try to authenticate some android smartphones with CHAP to ACS internal user database. The problem is the password. We had try some combinations but always some result.

15004  Matched rule

15013  Selected Identity Store - Internal Users

24210  Looking up User in Internal Users IDStore - Testuser

24212  Found User in Internal Users IDStore

22063  Wrong password

22057  The advanced option that is configured for a failed authentication request is used.

22061  The 'Reject' advanced option is configured in case of a failed authentication request.

11003  Returned RADIUS Access-Reject

Password is same on phone and acs internal user. I don't kown what is wrong.

If there a option for CHAP with password ?

best regards,

Lars

Labels:
0 Helpful
9 Replies 9

andamani
Cisco Employee
Cisco Employee

‎06-15-2011 09:43 PM

Hi,

The shared secret between the AAA client on the ACS and the phone has to be the same.

On ACS Network Resources > network Devices and AAA client > Radius/TACACS > Shared secret value has to be the same on the Phone.

Ensure both of these are same.

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

0 Helpful

Lars Reidelbach
Level 1
Level 1
In response to andamani

‎06-16-2011 12:15 AM

Hi,

the smartphone sends the authentication request to a router in our provider network. This router is the AAA clients which builds the radius request to the acs server. The shared secret between AAA client (router) and acs is same.

So I don't need a aaa client for the smartphone. Or I am wrong?

regards,

Lars

0 Helpful

andamani
Cisco Employee
Cisco Employee
In response to Lars Reidelbach

‎06-16-2011 06:55 PM

Hi,

That is correct.

You can try resetting the password of the user in the ACS and try the login again. Please ensure that you do not enter space in the password wghile typing.

Can you check if the option of "Allow chap" is enabled.

Access policies > Network default access > Allowed protocol > Allow CHAP.

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as  answered if you feel your query is resolved. Do rate helpful posts.

0 Helpful

Lars Reidelbach
Level 1
Level 1
In response to andamani

‎06-17-2011 01:22 AM

Hi,

I had reset password and the user has defined a new over the option "Change password on next login". All work fine, acs take the new password. After that we test the authentication again -> Failed Wrong Password

Access Service has Allow Chap enabled.

best regards,

Lars

0 Helpful

andamani
Cisco Employee
Cisco Employee
In response to Lars Reidelbach

‎07-02-2011 08:41 PM

Hi Lars,

Please open a TAC case. The engineer will help you resolve this

Regards,

Anisha

0 Helpful

xiaodong liao
Level 1
Level 1
In response to Lars Reidelbach

‎06-28-2016 08:51 PM

hello, I've met the same problem, have you solved it now ?

0 Helpful

Lars Reidelbach
Level 1
Level 1
In response to xiaodong liao

‎06-29-2016 12:23 AM

We had used EAP-TLS with certificates. This has work than. Now we are using ISE so I can't test again. Sorry.

0 Helpful

xiaodong liao
Level 1
Level 1
In response to Lars Reidelbach

‎06-29-2016 12:58 AM

Thank for you reply, and I wonder that the ISE you use now is use chap or EAP-TLS?

0 Helpful

Lars Reidelbach
Level 1
Level 1
In response to xiaodong liao

‎06-29-2016 01:01 AM

We are using now EAP-TLS for all mobile devices.

0 Helpful
Customers Also Viewed These Support Documents