CSCO10235167
Beginner

Cisco ACS 5.3 and ProCurve 2510 with 802.1X and Mac-auth

Hey!

I am having difficulties implementing Mac-auth on selected ports between an HP ProCurve 2510 and Cisco ACS 5.3. The 802.1x works just fine, but for selected ports I need to implement port-access with MAC-based authentication instead of regular 802.1X (yeah, I know, but this line of ProCurve switches only supports one auth-mechanism per port!).

The switch successfully forwards interesting MAC-auth requests for authentication to the ACS with CHAP/MD5, but the ACS reports this:

Logged At: April 16,2012 1:20:48.080 PM
RADIUS Status: Authentication failed : 22056 Subject not found in the applicable identity store(s).
NAS Failure:
Username: 002655886b3d
MAC/IP Address: 00-26-55-88-6b-3d
Network Device: HP2510 : 192.168.0.51 : 5
Access Service: MAB Access Service
Identity Store:
Authorization Profiles:
CTS Security Group:
Authentication Method: CHAP/MD5

Evaluating Service Selection Policy
15004  Matched rule
15012  Selected Access Service - MAB Access Service

Evaluating Identity Policy
15006  Matched Default Rule
15013  Selected Identity Store -
22043  Current Identity Store does not support the authentication method; Skipping it.
22056  Subject not found in the applicable identity store(s).
22058  The advanced option that is configured for an unknown user is used.
22061  The 'Reject' advanced option is configured in case of a failed authentication request.
11003  Returned RADIUS Access-Reject

The ACS is configured to use the Internal Hosts database, where the client computer is configured like this:

MAC-address: 00-26-55-88-6B-3D

Anyone encountered this, or has any suggestions?

4 REPLIES
jrabinow
Rising star

I think it is as it says. CHAP/MD5 is not supported on the identity store. Can you try with PAP?

Hi,

With MAB you need "host-lookup". Nothing else.

Hey,

host-lookup is already activated. The problem is the switch: the switch is sending CHAP/MD5 packets to the ACS...

I installed a newer firmware on my HP switches and now it works.
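
The thread turns on whether the switch sends its MAC-auth requests as CHAP/MD5 or as PAP. As an added example (not code from any poster, Cisco or HP), this Python code parses a captured RADIUS Access-Request using the RFC 2865 layout, reports which password attribute it carries, and normalizes the User-Name MAC to the hyphenated form used in the Internal Hosts entry. The function names and the sample packet are constructed for illustration.

```python
import re
import struct

# Attribute type numbers from RFC 2865.
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CALLING_STATION_ID = 1, 2, 3, 31

def parse_radius(packet: bytes) -> dict:
    """Parse a RADIUS packet into its code and a {type: [value, ...]} map."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field disagrees with packet size")
    attrs, pos = {}, 20  # attributes follow the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return {"code": code, "attrs": attrs}

def normalize_mac(text: str) -> str:
    """Map 002655886b3d, 00:26:55:88:6b:3d or 0026.5588.6b3d to 00-26-55-88-6B-3D."""
    digits = re.sub(r"[-:.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()

def describe_request(packet: bytes) -> dict:
    """Report the password attribute in use and the MAC carried as User-Name."""
    attrs = parse_radius(packet)["attrs"]
    method = ("CHAP/MD5" if CHAP_PASSWORD in attrs
              else "PAP" if USER_PASSWORD in attrs else "other")
    user = attrs.get(USER_NAME, [b""])[0].decode("ascii", "replace")
    return {"method": method, "host": normalize_mac(user)}

def _attr(a_type: int, value: bytes) -> bytes:
    return bytes([a_type, len(value) + 2]) + value

def sample_request(password_attr: int, value_len: int) -> bytes:
    """Constructed Access-Request (code 1); authenticator and password bytes are dummies."""
    body = _attr(USER_NAME, b"002655886b3d") + _attr(password_attr, bytes(value_len))
    body += _attr(CALLING_STATION_ID, b"00-26-55-88-6b-3d")
    return struct.pack("!BBH", 1, 5, 20 + len(body)) + bytes(16) + body
```

Feeding `describe_request` the UDP payload of a request captured on the ACS side shows whether the switch is still sending CHAP-Password after a configuration or firmware change.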
