
dot1x with SecurID

kai.freese
Level 1

Following infrastructure:

RSA ACE/Server with SecurID token

ACS 3.2(1) with RSA ACE/Agent 5.6

Catalyst 4506 with IOS 12.2(25)EWA1

Client with WindowsXP SP1 (KB826942 loaded) connected by cable (not wireless)

I can do:

- Authenticating on Cat4506 CLI console via TACACS+ and ACS with SecurID

- Authenticating WinXP-Client on Switchport via 802.1x, (Microsoft-)PEAP and ACS with account in ACS local database

I cannot:

- Authenticating WinXP-Client on Switchport via 802.1x, (Microsoft-)PEAP and ACS with SecurID

Error in failed_attempts.csv is "External DB auth failed"

There is no communication between ACE/Agent and ACE/Server in this configuration.

Can 802.1x and PEAP work with SecurID-Authentication? If yes, what is wrong?

Is there any way to trace communication between ACS and ACE/Agent to get more detailed error descriptions?

Kai

Accepted Solution

hwon
Level 1

OTP using Microsoft PEAP (EAP-MSChapV2) is not yet supported. In order to use OTP you will have to use Cisco PEAP (EAP-GTC) supplicant and enable ACS for EAP-GTC. You can use 3rd party supplicant from Funk or Meetinghouse. To enable EAP-GTC on ACS go to 'System Configuration -> Global Authentication Setup' and check 'Allow EAP-GTC'. Check out the table in the middle of the following faq for more information.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_qanda_item09186a0080124e7c.shtml

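The distinction hwon draws is the whole point: EAP-GTC (RFC 3748 type 6) carries the typed passcode as plain text inside the PEAP TLS tunnel, so the RADIUS server can hand it to the OTP backend unchanged, whereas EAP-MSCHAPv2 only ever sends a challenge/response derived from the user's NT password hash, which an OTP server cannot recompute. The following is an added example (not Cisco's, ACS's or the poster's code) that encodes and parses the EAP-GTC request/response packets and validates the passcode against a toy OTP backend. Assumptions: a standard TOTP (RFC 6238) generator stands in for the SecurID token algorithm, the PEAP outer TLS tunnel is omitted, and the user table, secret and timestamp are constructed sample values.

```python
import hashlib
import hmac
import struct

# EAP codes and the GTC method type from RFC 3748
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_GTC = 6


def build_eap(code, identifier, eap_type=None, data=b""):
    """Encode an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = bytes([eap_type]) + data if eap_type is not None else b""
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(pkt):
    """Decode an EAP packet into (code, identifier, type_or_None, type_data)."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, ident, None, b""        # Success/Failure carry no Type
    if length < 5:
        raise ValueError("Request/Response without Type field")
    return code, ident, pkt[4], pkt[5:]


def totp(secret, now, step=60, digits=6):
    """RFC 6238 TOTP; a constructed stand-in for the SecurID token code."""
    counter = struct.pack("!Q", int(now // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack("!I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class OtpBackend:
    """Stand-in for the ACE/Server: knows only the token secret per user.
    It can check a cleartext passcode, but it has no NT hash, so it could
    never verify an MSCHAPv2 challenge/response."""

    def __init__(self, users):
        self.users = users  # user -> token secret (constructed sample data)

    def verify(self, user, passcode, now):
        secret = self.users.get(user)
        if secret is None:
            return False
        return hmac.compare_digest(totp(secret, now), passcode)


def gtc_request(identifier, prompt=b"Enter PASSCODE: "):
    """Server -> supplicant: EAP-Request/GTC whose Type-Data is the prompt."""
    return build_eap(EAP_REQUEST, identifier, EAP_TYPE_GTC, prompt)


def supplicant_reply(request_pkt, passcode):
    """Supplicant -> server: echo the Identifier, Type-Data is the typed passcode."""
    code, ident, eap_type, _prompt = parse_eap(request_pkt)
    if code != EAP_REQUEST or eap_type != EAP_TYPE_GTC:
        raise ValueError("expected an EAP-Request/GTC")
    return build_eap(EAP_RESPONSE, ident, EAP_TYPE_GTC, passcode.encode())


def server_decide(backend, user, response_pkt, now):
    """Server: extract the passcode from EAP-Response/GTC, ask the OTP backend,
    and answer with EAP-Success or EAP-Failure."""
    code, ident, eap_type, data = parse_eap(response_pkt)
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_GTC:
        return build_eap(EAP_FAILURE, ident)
    ok = backend.verify(user, data.decode("utf-8", errors="replace"), now)
    return build_eap(EAP_SUCCESS if ok else EAP_FAILURE, ident)


def run_exchange(backend, user, passcode, now, identifier=7):
    """Full GTC round trip; returns the final EAP code (3 = Success, 4 = Failure)."""
    req = gtc_request(identifier)
    resp = supplicant_reply(req, passcode)
    result = server_decide(backend, user, resp, now)
    return parse_eap(result)[0]


if __name__ == "__main__":
    backend = OtpBackend({"kai": b"constructed-token-secret"})
    t = 1_700_000_000                     # constructed fixed timestamp
    print(run_exchange(backend, "kai", totp(b"constructed-token-secret", t), t))
    print(run_exchange(backend, "kai", "000000", t))
```

The supplicant side here is what a GTC-capable client (Cisco PEAP, or the Funk/Meetinghouse supplicants mentioned above) does: it prompts for the token code and returns it verbatim, which is exactly what an MSCHAPv2 supplicant cannot do.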

2 Replies

umedryk
Level 5

Yes, 802.1x and PEAP are compatible with SecurID authentication. You could check the configuration guides available at www.cisco.com/techsupport under the appropriate topic.
