Default network access and CHAP

Hi folks,

I am configuring some of my devices to use CHAP when their backup ISDN interface dials out to the 7200 concentrator node. I want the CHAP requests to hit our ACS 5.2 appliances and be authenticated via this method. I have built a rule for 'Default network access' which specifies these devices only; however, when I bring up the ISDN call the process fails. When I look at the logs it doesn't give an error reason, but it does say that it failed on one of the rules in the 'default device admin' rule set.

I even went to the bother of specifying a single IP address of one of the ISDN backup devices but the result is always the same.

Does anyone have any guidance as to what I'm doing wrong here? Any help would be appreciated.

Kind Regards

Ciaran

3 REPLIES

Default network access and CHAP

Hello Ciaran,

Is the device properly configured to use RADIUS for the ISDN calls? If the ACS is complaining that it hit a 'default device admin' rule then the request is getting to the server on TACACS+. Please check the default settings for Access Service Selection Rules:

As you can see, we will get assigned to the Default Device Admin only if the request comes over TACACS+. Please verify that the request is getting to the server as RADIUS for it to hit Default Network Access instead.

If this was helpful please rate.

Regards.


Re: Default network access and CHAP

Hi Carlos,

Thanks for your reply. My initial message was posted in haste so I didn't get time to include more information. I neglected to mention that this process is working on our ACS 3.3 with the current configuration. When I point the 7200 concentrator and the client device at the new 5.2 ACS the CHAP fails for the reasons mentioned above. Are there any configuration changes that need to be added to facilitate CHAP authentication on the newer ACS appliances?

Regards

Ciaran

P.S. I have attached a doc outlining the Dialer and ACS config on both Client and concentrator. I have changed addresses from their original for security purposes.


Re: Default network access and CHAP

Folks,

What I was seeing was the result of a bug, CSCth30275, the solution to which is to upgrade to 5.3 patch 1.