Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1797
Views
0
Helpful
4
Replies

Cisco ACS 5.3 and ProCurve 2510 with 802.1X and Mac-auth

CSCO10235167
Beginner
Beginner

‎04-16-2012 08:55 AM - edited ‎03-10-2019 07:00 PM

Hey!

I am having difficulties implementing Mac-auth on selected ports between an HP ProCurve 2510 and Cisco ACS 5.3.The 802.1x works just fine, but for selected ports I need to implement port-access with MAC-based authentication instead of regular 802.1X (yeah, I know, but this line of ProCurve switches only support one auth-mechanism per port!).

The switch successfully forwards interesting MAC-auth requests for authentication to the ACS with CHAP/MD5, but the ACS reports this:

Logged At:

April 16,2012 1:20:48.080 PM

RADIUS Status:

Authentication failed : 22056 Subject not found in the applicable identity store(s).

NAS Failure:

Username:

002655886b3d

MAC/IP Address:

00-26-55-88-6b-3d

Network Device:

HP2510 : 192.168.0.51 : 5

Access Service:

MAB Access Service

Identity Store:

Authorization Profiles:

CTS Security Group:

Authentication Method:

CHAP/MD5

Evaluating Service Selection Policy

15004  Matched rule

15012  Selected Access Service - MAB Access Service

Evaluating Identity Policy

15006  Matched Default Rule

15013  Selected Identity Store -

22043  Current Identity Store does not support the authentication method; Skipping it.

22056  Subject not found in the applicable identity store(s).

22058  The advanced option that is configured for an unknown user is used.

22061  The 'Reject' advanced option is configured in case of a failed authentication request.

11003  Returned RADIUS Access-Reject

The ACS is configured to use the Internal Hosts database, where the client computer is configured like this;

MAC-address: 00-26-55-88-6B-3D

Anyone encountered this, or has any suggestions?

Labels:
0 Helpful
4 Replies 4

jrabinow
Rising star
Rising star

‎04-16-2012 12:29 PM

I think it is as it says. CHAP/MD5 is not supported on the identity store. Can you try with PAP?

0 Helpful

Sebastian Mueller
Beginner
Beginner
In response to jrabinow

‎01-08-2015 01:15 AM

 

0 Helpful

hdussa
Beginner
Beginner
In response to Sebastian Mueller

‎01-08-2015 02:13 AM

Hi,

with MAB you need "host-lookup". Nothing else.

 

0 Helpful

Sebastian Mueller
Beginner
Beginner
In response to hdussa

‎01-08-2015 04:27 AM

Hey,

 

host-lookup ist already activated.. the Problem is the Switch.. the switch is sending CHA/MD5 pakets to the acs...

i installed a newer firmware on my hp switches and now it works

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents