
dot1x/ACS3.0/RSA ACE server 5.0

orbana
Level 1

Hi,

I tried to configure dot1x (cat6500) with ACS 3.0 and RSA ACE server. In the first step, when I configured a static password in ACS, everything was OK, but when I changed to the external user database I got an error: "Auth type not supported by External DB".

Does anyone know why?

Thanks,

Accepted Solutions

gfullage
Cisco Employee

The dot1x supplicant on the PC will use Extensible Authentication Protocol (EAP) authentication to send the username/password. This authentication method cannot be used with an external RSA database; RSA has to use PAP authentication, which sends the password in the clear (which is OK because it's a one-time password).

See http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs31/acsuser/o.htm#625794 for details on the external DBs and password protocols. Notice how all the one-time password databases can only use PAP.

2 Replies

Thanks a lot. I've left EAP completely out of consideration.
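
A toy model of the accepted answer's point, added here as an example (it is not ACS or RSA code and not part of the original thread). It assumes the supplicant uses EAP-MD5, a challenge-response method in which the server must recompute a hash from a stored password, while a one-time-password server only validates a submitted passcode; all class names, function names and credentials are constructed.

```python
import hashlib
import hmac

def eap_md5_response(identifier, password, challenge):
    # MD5-Challenge (RFC 3748, as in CHAP): MD5(id || password || challenge)
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

class StaticPasswordDB:
    # Toy internal database: it stores the password, so it can recompute the hash.
    def __init__(self, users):
        self.users = dict(users)
    def cleartext(self, user):
        return self.users[user]
    def validate(self, user, password):
        return hmac.compare_digest(self.users.get(user, b""), password)

class OneTimePasswordDB:
    # Toy external token server: it only answers "is this passcode valid now?".
    def __init__(self, codes):
        self.codes = dict(codes)            # constructed sample passcodes
    def validate(self, user, passcode):
        expected = self.codes.get(user)
        if expected is None or not hmac.compare_digest(expected, passcode):
            return False
        del self.codes[user]                # consumed: a replayed passcode fails
        return True

def authenticate(db, user, method, password=b"", ident=0, challenge=b"", response=b""):
    if method == "PAP":                     # the server receives the password itself
        return db.validate(user, password)
    if method == "EAP-MD5":                 # the server receives only a hash
        if not hasattr(db, "cleartext"):
            raise ValueError("Auth type not supported by External DB")
        expected = eap_md5_response(ident, db.cleartext(user), challenge)
        return hmac.compare_digest(expected, response)
    raise ValueError("unknown method: " + method)

def demo():
    static = StaticPasswordDB({"alice": b"s3cret"})
    otp = OneTimePasswordDB({"alice": b"492871"})
    chal = bytes(range(16))                 # constructed challenge
    out = {"static_eap": authenticate(static, "alice", "EAP-MD5", ident=7, challenge=chal,
                                      response=eap_md5_response(7, b"s3cret", chal))}
    try:
        authenticate(otp, "alice", "EAP-MD5", ident=7, challenge=chal, response=b"\0" * 16)
    except ValueError as exc:
        out["otp_eap"] = str(exc)
    out["otp_pap"] = authenticate(otp, "alice", "PAP", password=b"492871")
    out["otp_replay"] = authenticate(otp, "alice", "PAP", password=b"492871")
    return out
```

The replay result shows why cleartext PAP is tolerable here: the passcode is accepted once and rejected when presented again.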