ACS 5.1 CHAP authentication internal user

Hello,

I am trying to authenticate some Android smartphones with CHAP against the ACS internal user database. The problem is the password. We have tried some combinations but always get the same result.

15004  Matched rule

15013  Selected Identity Store - Internal Users

24210  Looking up User in Internal Users IDStore - Testuser

24212  Found User in Internal Users IDStore

22063  Wrong password

22057  The advanced option that is configured for a failed authentication request is used.

22061  The 'Reject' advanced option is configured in case of a failed authentication request.

11003  Returned RADIUS Access-Reject

The password is the same on the phone and the ACS internal user. I don't know what is wrong.

Is there an option for CHAP with password?

best regards,

Lars

Highlighted
Cisco Employee

Hi,

The shared secret between the AAA client on the ACS and the phone has to be the same.

On ACS, Network Resources > Network Devices and AAA client > Radius/TACACS > Shared secret value has to be the same on the phone.

Ensure both of these are the same.

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Highlighted

Hi,

The smartphone sends the authentication request to a router in our provider network. This router is the AAA client which builds the RADIUS request to the ACS server. The shared secret between the AAA client (router) and ACS is the same.

So I don't need an AAA client for the smartphone. Or am I wrong?

regards,

Lars

Highlighted

Hi,

That is correct.

You can try resetting the password of the user in the ACS and try the login again. Please ensure that you do not enter a space in the password while typing.

Can you check if the option "Allow CHAP" is enabled?

Access policies > Network default access > Allowed protocol > Allow CHAP.

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
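Added example, not part of the thread or of ACS itself: a sketch of the server-side CHAP check defined in RFC 1994 and RFC 2865, showing why a single stray space in either copy of the password produces a "Wrong password" result. The password, identifier and challenge values are constructed, and `diagnose` is a hypothetical helper name.

```python
import hashlib
import hmac


def chap_response(chap_id: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password.encode("utf-8") + challenge).digest()


def verify_chap(chap_password_attr: bytes, challenge: bytes, stored_password: str) -> bool:
    """Check a RADIUS CHAP-Password value (1-byte CHAP ID + 16-byte digest).

    The challenge comes from the CHAP-Challenge attribute or, if that is
    absent, from the Request Authenticator. The server must hold the
    password in recoverable form to recompute the digest; the RADIUS
    shared secret is not an input to it.
    """
    if len(chap_password_attr) != 17:
        return False
    chap_id, received = chap_password_attr[0], chap_password_attr[1:]
    expected = chap_response(chap_id, stored_password, challenge)
    return hmac.compare_digest(received, expected)


def diagnose(chap_password_attr: bytes, challenge: bytes, stored_password: str) -> str:
    """Hypothetical helper: report whether a whitespace variant would have matched."""
    candidates = {
        "match": stored_password,
        "stored value has stray whitespace": stored_password.strip(),
        "client sent a trailing space": stored_password + " ",
    }
    for label, candidate in candidates.items():
        if verify_chap(chap_password_attr, challenge, candidate):
            return label
    return "no match"


if __name__ == "__main__":
    challenge = bytes(range(16))  # constructed 16-byte challenge
    attr = bytes([7]) + chap_response(7, "Secret123", challenge)  # what the client would send
    print(diagnose(attr, challenge, "Secret123"))   # identical passwords
    print(diagnose(attr, challenge, "Secret123 "))  # trailing space stored on the server
```
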

Highlighted

Hi,

I reset the password and the user defined a new one via the option "Change password on next login". Everything works fine, ACS takes the new password. After that we tested the authentication again -> Failed, Wrong Password

The Access Service has Allow CHAP enabled.

best regards,

Lars

Highlighted

Hi Lars,

Please open a TAC case. The engineer will help you resolve this.

Regards,

Anisha

Highlighted

Hello, I've met the same problem. Have you solved it now?

Highlighted

We used EAP-TLS with certificates. That worked then. Now we are using ISE so I can't test again. Sorry.

Highlighted

Thanks for your reply. I wonder whether the ISE you use now uses CHAP or EAP-TLS?

Highlighted

We are now using EAP-TLS for all mobile devices.