cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3615
Views
0
Helpful
9
Replies

ACS 5.1 CHAP authentication internal user

Lars Reidelbach
Beginner
Beginner

Hello,

I try to authenticate some android smartphones with CHAP to ACS internal user database. The problem is the password. We had try some combinations but always some result.

15004  Matched rule

15013  Selected Identity Store - Internal Users

24210  Looking up User in Internal Users IDStore - Testuser

24212  Found User in Internal Users IDStore

22063  Wrong password

22057  The advanced option that is configured for a failed authentication request is used.

22061  The 'Reject' advanced option is configured in case of a failed authentication request.

11003  Returned RADIUS Access-Reject

Password is same on phone and acs internal user. I don't kown what is wrong.

If there a option for CHAP with password ?

best regards,

Lars

9 Replies 9

andamani
Cisco Employee
Cisco Employee

Hi,

The shared secret between the AAA client on the ACS and the phone has to be the same.

On ACS Network Resources > network Devices and AAA client > Radius/TACACS > Shared secret value has to be the same on the Phone.

Ensure both of these are same.

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Hi,

the smartphone sends the authentication request to a router in our provider network. This router is the AAA clients which builds the radius request to the acs server. The shared secret between AAA client (router) and acs is same.

So I don't need a aaa client for the smartphone. Or I am wrong?

regards,

Lars

Hi,

That is correct.

You can try resetting the password of the user in the ACS and try the login again. Please ensure that you do not enter space in the password wghile typing.

Can you check if the option of "Allow chap" is enabled.

Access policies > Network default access > Allowed protocol > Allow CHAP.

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as  answered if you feel your query is resolved. Do rate helpful posts.

Hi,

I had reset password and the user has defined a new over the option "Change password on next login". All work fine, acs take the new password. After that we test the authentication again -> Failed Wrong Password

Access Service has Allow Chap enabled.

best regards,

Lars

Hi Lars,

Please open a TAC case. The engineer will help you resolve this

Regards,

Anisha

hello, I've met the same problem, have you solved it now ?

We had used EAP-TLS with certificates. This has work than. Now we are using ISE so I can't test again. Sorry.

Thank for you reply, and I wonder that the ISE you use now is use chap or EAP-TLS?

We are using now EAP-TLS for all mobile devices.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers