01-25-2018 10:42 AM
Hi,
We are trying to authenticate Huawei to ISE using radius and device authentication.
It seems Huawei used CHAP/MD5 and not the usual PAP-ASCII like Cisco and Juniper.
Is this method supported by ISE as we are seeing the below error and we have enabled all auth types?
Solved! Go to Solution.
01-25-2018 01:05 PM
I spoke with Utkarsh and to clarify the scenario is using CHAP/MD5 for TACACS+ Device Administration and not RADIUS-based MAB authentication.
They are trying to use CHAP/MD5 with RADIUS as a workaround for the lack of TACACS+ support.
01-25-2018 11:21 AM
If you go into ISE > Policy > Policy Elements > Results > Authentication > Allowed Protocols you can see the list of all available protocols that you may choose from.
Please try CHAP and see it works for you.
Also please note the limited set of of Identity Stores that you may use it with in the ISE 2.3 Administrators Guide on page 329:
Please let us know if you're successful!
01-25-2018 11:24 AM
Thanks Thomas, We have enabled everyone of them but its not working.
I wonder if CHAP/MD5 is different than CHAP.
01-25-2018 11:29 AM
Thank you for that, Utkarsh. Can you tell us which Huawei platform(s) and software versions you're testing with?
01-25-2018 11:32 AM
Hi Thomas,
Below is the output.
>dis ver
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.130 (S9300 V200R003C00SPC500)
Copyright (C) 2000-2013 HUAWEI TECH CO., LTD
Quidway S9303 Terabit Routing Switch uptime is 90 weeks, 1 day, 19 hours, 16 minute
01-25-2018 11:38 AM
Are there no other protocol options for MAB with Huawei?
01-25-2018 11:47 AM
This is to authenticate users logging into Huawei for device administration.
I've asked the customer to look for other protocols.
01-25-2018 01:05 PM
I spoke with Utkarsh and to clarify the scenario is using CHAP/MD5 for TACACS+ Device Administration and not RADIUS-based MAB authentication.
They are trying to use CHAP/MD5 with RADIUS as a workaround for the lack of TACACS+ support.
01-29-2018 11:47 AM
Hi Thomas,
The customer made some changes on their test switch and are now using PAP-ASCII which is working.
Not sure if they are willing to make that change in all of their Huawei switches.
I am not sure if Huawei lacks Tacacs+ but the reason why they are sticking to radius is because they don't want to make major changes in their environment as they are currently on Freeradius and only want to switch the IP to ISE.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide