Cisco 2500 Radius EAP Authentication

rhowellpsd
Level 1

We have a Cisco 2500 controller with an external RADIUS server set up to handle authentication through WPA2/EAP-TTLS/PAP with a search against a LDAP database. 

 

When we set up the RADIUS authentication server and try to connect, every request it sends correctly connects through EAP-TTLS but then sends an authentication message with an MSCHAP challenge instead of the PAP credentials we expect.

 

We have disabled MSCHAP support completely on the RADIUS server but the controller still sends MSCHAP challenges.

 

The error from the RADIUS server is specifically that the User-Password attribute was not present in the tunneled request, and running the server in debug shows us that the MS-CHAP-Challenge and MS-CHAP2-Response attributes are set in its stead. When running a local test using eapol_test with a setting called "phase2" set to "auth=PAP", we correctly see User-Password in the tunneled request.

 

Is there a setting to force the controller to send PAP credentials instead of a MSCHAP challenge as the second phase of authentication after EAP-TTLS?
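As an added illustration (not part of the original thread), here is a small Python check that classifies the phase-2 (inner) method of an EAP-TTLS session from FreeRADIUS-style "Name = value" attribute lines of the tunneled request, using exactly the attribute names the post quotes. The two sample requests and their values are constructed for the example.

```python
import re

# Attributes that identify the inner method in the tunneled request.
# User-Password => PAP; MS-CHAP-Challenge + MS-CHAP2-Response => MSCHAPv2.
PAP_ATTRS = {"User-Password"}
MSCHAP_ATTRS = {"MS-CHAP-Challenge", "MS-CHAP-Response", "MS-CHAP2-Response"}

# FreeRADIUS debug prints one attribute per line as "  Name = value".
ATTR_RE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.*)$")


def parse_attrs(debug_lines):
    """Return the set of attribute names present in one tunneled request."""
    names = set()
    for line in debug_lines:
        m = ATTR_RE.match(line)
        if m:
            names.add(m.group(1))
    return names


def classify_inner_method(debug_lines):
    """Classify the inner method: 'PAP', 'MSCHAPv2', 'MSCHAP', 'MIXED' or 'UNKNOWN'."""
    names = parse_attrs(debug_lines)
    has_pap = bool(names & PAP_ATTRS)
    has_mschap = bool(names & MSCHAP_ATTRS)
    if has_pap and has_mschap:
        return "MIXED"  # should never happen; a supplicant sends one or the other
    if has_pap:
        return "PAP"
    if has_mschap:
        return "MSCHAPv2" if "MS-CHAP2-Response" in names else "MSCHAP"
    return "UNKNOWN"  # no credential attribute at all, e.g. a bare identity request


# Constructed sample: what the controller sent (values are placeholders).
WLC_TUNNELED = [
    '  User-Name = "jdoe"',
    "  MS-CHAP-Challenge = 0x0102030405060708090a0b0c0d0e0f10",
    "  MS-CHAP2-Response = 0x0100aabbccddeeff",
]

# Constructed sample: what eapol_test with phase2="auth=PAP" sent.
EAPOL_TEST_TUNNELED = [
    '  User-Name = "jdoe"',
    '  User-Password = "placeholder-password"',
]

if __name__ == "__main__":
    print("controller:", classify_inner_method(WLC_TUNNELED))    # MSCHAPv2
    print("eapol_test:", classify_inner_method(EAPOL_TEST_TUNNELED))  # PAP
```

Running this over the inner request lines from the server's debug output tells you which side is choosing the inner method before touching any LDAP or server-side MSCHAP settings.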

 

 

 

 

Accepted Solution

Ben Walters
Level 4

Are you doing webauth on the WLC or do your clients use a supplicant?

 

If you are using a client supplicant that is where the authentication modes are specified.

 

If you are using webauth you should be able to create an EAP policy to apply to the WLAN that is using webauth. Go to Security > Local EAP > Profiles. Here you can create a new one that only uses PAP. From there you can apply it to the WLAN of your choice by going to WLANs > Select the WLAN you want > Security > AAA Servers, and there should be an option for the EAP profile.

 

Hopefully this helps.


2 Replies


Thanks Ben,

We were using webauth and the profiles solved the issue!