Hi Community,
I'm using the ACS 5.2 as the solution of authentication in my network. I configured both situations: Access Policies with Network Access and with Device Administration.
At this moment, I have some devices configured: 1 ASA (using RADIUS), 1 WLC-5508 (using RADIUS), 1 2960S (using TACACS+). And I have configured a External Identity Store, using LDAP (I can see and select all groups without problem).
Everything is working fine. My next step was configure users to use 802.1x to authenticate using ACS with my LDAP database.
Assuming all configurations are correct on all computers (when I use a Internal database works fine), these are the following logs/configurations in the ACS:
At this point, we can see the error:
| Header 1 |
|---|
11001 Received RADIUS Access-Request 11017 RADIUS created a new session Evaluating Service Selection Policy 15004 Matched rule 15012 Selected Access Service - Access Police 11507 Extracted EAP-Response/Identity 12500 Prepared EAP-Request proposing EAP-TLS with challenge 11006 Returned RADIUS Access-Challenge 11001 Received RADIUS Access-Request 11018 RADIUS is re-using an existing session 12301 Extracted EAP-Response/NAK requesting to use PEAP instead 12300 Prepared EAP-Request proposing PEAP with challenge 11006 Returned RADIUS Access-Challenge 11001 Received RADIUS Access-Request 11018 RADIUS is re-using an existing session 12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated 12318 Successfully negotiated PEAP version 0 12800 Extracted first TLS record; TLS handshake started. 12805 Extracted TLS ClientHello message. 12806 Prepared TLS ServerHello message. 12807 Prepared TLS Certificate message. 12810 Prepared TLS ServerDone message. 12305 Prepared EAP-Request with another PEAP challenge 11006 Returned RADIUS Access-Challenge 11001 Received RADIUS Access-Request 11018 RADIUS is re-using an existing session 12304 Extracted EAP-Response containing PEAP challenge-response 12318 Successfully negotiated PEAP version 0 12812 Extracted TLS ClientKeyExchange message. 12804 Extracted TLS Finished message. 12801 Prepared TLS ChangeCipherSpec message. 12802 Prepared TLS Finished message. 12816 TLS handshake succeeded. 12310 PEAP full handshake finished successfully 12305 Prepared EAP-Request with another PEAP challenge 11006 Returned RADIUS Access-Challenge 11001 Received RADIUS Access-Request 11018 RADIUS is re-using an existing session 12304 Extracted EAP-Response containing PEAP challenge-response 12313 PEAP inner method started 11521 Prepared EAP-Request/Identity for inner EAP method 12305 Prepared EAP-Request with another PEAP challenge 11006 Returned RADIUS Access-Challenge 11001 Received RADIUS Access-Request 11018 RADIUS is re-using an existing session 12304 Extracted EAP-Response containing PEAP challenge-response 11522 Extracted EAP-Response/Identity for inner EAP method 11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge 12305 Prepared EAP-Request with another PEAP challenge 11006 Returned RADIUS Access-Challenge 11001 Received RADIUS Access-Request 11018 RADIUS is re-using an existing session 12304 Extracted EAP-Response containing PEAP challenge-response 11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated Evaluating Identity Policy 15006 Matched Default Rule 15013 Selected Identity Store - 22043 Current Identity Store does not support the authentication method; Skipping it. 22056 Subject not found in the applicable identity store(s). 22058 The advanced option that is configured for an unknown user is used. 22061 The 'Reject' advanced option is configured in case of a failed authentication request. 11815 Inner EAP-MSCHAP authentication failed 11520 Prepared EAP-Failure for inner EAP method 22028 Authentication failed and the advanced options are ignored. 12305 Prepared EAP-Request with another PEAP challenge 11006 Returned RADIUS Access-Challenge 11001 Received RADIUS Access-Request 11018 RADIUS is re-using an existing session 12304 Extracted EAP-Response containing PEAP challenge-response 12307 PEAP authentication failed 11504 Prepared EAP-Failure 11003 Returned RADIUS Access-Reject |
So, what can be the cause? Compatibility with LDAP?
Accepted Solutions
