02-11-2011 04:47 AM - edited 03-10-2019 05:49 PM
Hi, I have an ACS and an OpenLDAP server running on my company network.
Now I'm setting up a new Linksys WAP-54G and chose the WPA2-Enterprise option with ACS as the RADIUS server.
First things first, I created a new internal user on ACS and tried to join the wireless network from my computer. I made it....
Then I moved on to the external entity (LDAP server). I've set up the LDAP configuration and identity sequence, and also selected it in the access service. But when I tried to authenticate from my computer, an error occurred. I received:
the following error: 22056 Subject not found in the applicable identity store(s)
Wondering about this, I set up a Cisco 1841 router as an AAA client, and surprisingly... it works!!!
So, is there any problem authenticating from the Windows platform to ACS (pointing to LDAP)?
Any suggestion?
Thanks.
02-11-2011 05:01 AM
Hi Ian,
I need a bit more detail on this issue. On the 18xx router, did you use the "test aaa..." option to see if this works? On the ACS server, did you check ACS View > Reports > Catalog > AAA Protocol and see what errors you are getting based on the authentication protocol you are using? This might be a supplicant issue, but the logs should tell us more.
Thanks,
Rafael
02-11-2011 09:00 AM
Current configuration : 989 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default group radius
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
!
!
!
!
interface FastEthernet0/0
ip address 172.16.16.16 255.255.0.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
clockrate 2000000
!
interface Serial0/0/1
no ip address
shutdown
clockrate 2000000
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.110.110
!
ip http server
!
ip radius source-interface FastEthernet0/0
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key yyyyy
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
end
That's the configuration of the 1841 router. I just tested it using Telnet. When I telnet to the router, it asks for the username and password from the RADIUS server.
Hey, it looks like that's the logger I've been searching for. Thanks, vaoc. I'll try it and see tomorrow. While waiting, do you have any other suggestion? Have you ever met this kind of case?
Thanks.
02-13-2011 08:38 AM
This is the log when using Windows 7 as the authentication client (failed):
Steps:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Default Network Access
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started.
12805 Extracted TLS ClientHello message.
12806 Prepared TLS ServerHello message.
12807 Prepared TLS Certificate message.
12810 Prepared TLS ServerDone message.
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12812 Extracted TLS ClientKeyExchange message.
12804 Extracted TLS Finished message.
12801 Prepared TLS ChangeCipherSpec message.
12802 Prepared TLS Finished message.
12816 TLS handshake succeeded.
12310 PEAP full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store -
22043 Current Identity Store does not support the authentication method; Skipping it.
24210 Looking up User in Internal Users IDStore - xxxxx
24216 The user is not found in the internal users identity store.
22016 Identity sequence completed iterating the IDStores
22056 Subject not found in the applicable identity store(s).
22058 The advanced option that is configured for an unknown user is used.
22061 The 'Reject' advanced option is configured in case of a failed authentication request.
11815 Inner EAP-MSCHAP authentication failed
11520 Prepared EAP-Failure for inner EAP method
22028 Authentication failed and the advanced options are ignored.
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12307 PEAP authentication failed
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
This is the log when using the 1841 router as the authentication client (succeeded):
Steps:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11049 Settings of RADIUS default network will be used
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Default Network Access
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - LDAPyyyy
24031 Sending request to primary LDAP server
24015 Authenticating user against LDAP Server
24022 User authentication succeeded
22037 Authentication Passed
22023 Proceed to attribute retrieval
22038 Skipping the next IDStore for attribute retrieval because it is the one we authenticated against
24210 Looking up User in Internal Users IDStore - xxxxx
24216 The user is not found in the internal users identity store.
22016 Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
11002 Returned RADIUS Access-Accept
I realized that Windows is using PEAP-MSCHAPv2 while the router is using PAP-ASCII as its protocol.
So now, why can't PEAP-MSCHAPv2 authenticate to LDAP?
Is there anything I can do to make it work?
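The two step reports above can be triaged mechanically instead of by eye. The Go program below is an added example written for this page, not code from the thread, from Cisco or from ACS. It keys on the ACS step codes that appear in the reports (12302, 11808, 15013, 22043, 22056, 11002, 11003), which it assumes are stable identifiers, and embeds trimmed copies of both reports as constructed sample input. The diagnosis text it emits states what the codes together imply: the chosen identity store was skipped because it cannot verify the negotiated inner method, and the reject came from the unknown-user action, not from a wrong password.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding summarises what an ACS 5.x step report says about one authentication.
type Finding struct {
	OuterMethod  string   // outer EAP method (12302); empty when the request carried no EAP at all
	InnerMethod  string   // inner EAP method (11808), e.g. "EAP-MSCHAP"
	Store        string   // identity store picked by the identity policy (15013)
	StoreSkipped bool     // 22043: that store cannot verify the negotiated method
	UserNotFound bool     // 22056: no store in the sequence knew the user
	Result       string   // "Access-Accept" (11002) or "Access-Reject" (11003)
	Notes        []string // diagnosis in plain words
}

var (
	stepRe   = regexp.MustCompile(`^\s*(\d{5})\s+(.*?)\s*\|?\s*$`) // "CODE text", tolerating table pipes
	methodRe = regexp.MustCompile(`accepting (\S+) as negotiated`)
)

// Triage walks the step lines in order and keys on step codes rather than on
// free text, since the codes are what stays constant across ACS reports.
func Triage(report string) Finding {
	var f Finding
	for _, line := range strings.Split(report, "\n") {
		m := stepRe.FindStringSubmatch(line)
		if m == nil {
			continue // headers and "Evaluating ... Policy" lines carry no code
		}
		code, text := m[1], m[2]
		switch code {
		case "12302":
			if mm := methodRe.FindStringSubmatch(text); mm != nil {
				f.OuterMethod = mm[1]
			}
		case "11808":
			if mm := methodRe.FindStringSubmatch(text); mm != nil {
				f.InnerMethod = mm[1]
			}
		case "15013":
			f.Store = strings.TrimSpace(strings.TrimPrefix(text, "Selected Identity Store -"))
		case "22043":
			f.StoreSkipped = true
		case "22056":
			f.UserNotFound = true
		case "11002":
			f.Result = "Access-Accept"
		case "11003":
			f.Result = "Access-Reject"
		}
	}
	f.explain()
	return f
}

func (f *Finding) explain() {
	store := f.Store
	if store == "" {
		store = "(unnamed in report)"
	}
	method := f.InnerMethod
	if method == "" {
		method = f.OuterMethod
	}
	if method == "" {
		method = "a non-EAP password method (PAP/ASCII)"
	}
	switch {
	case f.Result == "Access-Reject" && f.StoreSkipped:
		f.Notes = append(f.Notes, fmt.Sprintf("identity store %s was skipped (22043): it cannot verify %s, so ACS moved on to the next store in the sequence", store, method))
		if f.UserNotFound {
			f.Notes = append(f.Notes, "no later store knew the user (22056) and the unknown-user action is Reject: this is a method/store mismatch, not a wrong password")
		}
	case f.Result == "Access-Accept":
		f.Notes = append(f.Notes, fmt.Sprintf("authenticated against %s using %s", store, method))
	}
}

// Constructed samples: the two reports posted in the thread, trimmed to the lines that matter.
const windowsLog = `
11001 Received RADIUS Access-Request
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12310 PEAP full handshake finished successfully
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15013 Selected Identity Store -
22043 Current Identity Store does not support the authentication method; Skipping it.
24216 The user is not found in the internal users identity store.
22056 Subject not found in the applicable identity store(s).
11003 Returned RADIUS Access-Reject
`

const routerLog = `
11001 Received RADIUS Access-Request
Evaluating Identity Policy
15013 Selected Identity Store - LDAPyyyy
24022 User authentication succeeded
11002 Returned RADIUS Access-Accept
`

func main() {
	for _, r := range []string{windowsLog, routerLog} {
		f := Triage(r)
		fmt.Printf("%s outer=%q inner=%q store=%q\n", f.Result, f.OuterMethod, f.InnerMethod, f.Store)
		for _, n := range f.Notes {
			fmt.Println("  -", n)
		}
	}
}
```

Paste a full report (pipes and all) into the string constants and run with `go run`; only the coded lines are read, so the copy-paste noise from the ACS View table does not matter.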
02-14-2011 12:16 PM
Thanks for the update, Ian. When you move to the internal identity store, does this work with your computer authenticating? I am thinking this might be an ACS 5.1 setup problem. When reading this document: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/rad_tac_phase.html
I see the following:
EAP provides an extensible framework that supports a variety of authentication types. Among them, the specific EAP methods supported by ACS are:
•Simple EAP methods that do not use certificates:
–EAP-MD5
–LEAP
•EAP methods in which the client uses the ACS server certificate to perform server authentication:
–PEAP/EAP-MSCHAPv2
–PEAP/EAP-GTC
–EAP-FAST/EAP-MSCHAPv2
–EAP-FAST/EAP-GTC
•EAP methods that use certificates for both server and client authentication
–EAP-TLS
I don't see EAP-MSCHAP, only EAP-MSCHAPv2. I don't know if this makes a difference, but it might be something to look at. Can you change the MSCHAP version for the EAP?
Thanks,
Rafael
02-15-2011 01:48 AM
hello
Sounds like you don't have MSCHAP authentication enabled on the LDAP server. You can use EAP-GTC instead, but you'd need to:
1. enable EAP-GTC under Allowed Protocols on your ACS access policy
2. install an EAP-GTC supplicant on the Windows box - if you have an Intel wireless NIC, the Intel PROSet client supports EAP-GTC
This could mean a fair bit of work depending on the number/type of wireless clients you have - might be worth enabling MSCHAP authentication on the LDAP server.
hth
andy
02-15-2011 02:47 AM
Hi Ian,
It's not possible to use all the EAP types with LDAP as an identity store. You can find more info on the supported protocols for the identity stores in the ACS User Guide.
In short, any protocol using MSCHAPv2 is not supported with LDAP.
I'd suggest either using a different authentication type (such as PEAP-GTC or PEAP-TLS), though the types possible with LDAP may not be supported by all supplicants, or using AD instead, should the LDAP database be on a Windows Server.
I hope this helps.
Best regards,
Bernardo
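Why the identity-store check fails in exactly this way: with PAP the supplicant sends the cleartext password, so ACS can simply bind to the directory as that user, which is all a generic LDAP server offers. With MS-CHAPv2 the supplicant sends a DES challenge/response computed from the NT hash of the password, so the server must hold that hash (or the cleartext to derive it) itself; a bind-only directory cannot supply either. The Go program below is an added example for this page, not code from the thread, from ACS or from OpenLDAP. It implements the RFC 2759 primitives with a hand-written MD4 (Go's standard library has none); the username, password and challenge values in main() are the RFC 2759 test vectors. The point to read from it is the signature of VerifyNTResponse: it takes the stored NT hash as input, and there is no way to write it over a bind interface.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"unicode/utf16"
)

// md4 implements RFC 1320; written out because the NT password hash is MD4 of
// the UTF-16LE password and Go's standard library does not ship MD4.
func md4(msg []byte) [16]byte {
	bitLen := uint64(len(msg)) * 8
	msg = append(append([]byte{}, msg...), 0x80)
	for len(msg)%64 != 56 {
		msg = append(msg, 0)
	}
	var lenb [8]byte
	binary.LittleEndian.PutUint64(lenb[:], bitLen)
	msg = append(msg, lenb[:]...)
	f := func(x, y, z uint32) uint32 { return x&y | ^x&z }
	g := func(x, y, z uint32) uint32 { return x&y | x&z | y&z }
	h := func(x, y, z uint32) uint32 { return x ^ y ^ z }
	rounds := []struct {
		fn  func(x, y, z uint32) uint32
		k   uint32
		idx [16]int
		s   [4]uint
	}{
		{f, 0, [16]int{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}, [4]uint{3, 7, 11, 19}},
		{g, 0x5A827999, [16]int{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15}, [4]uint{3, 5, 9, 13}},
		{h, 0x6ED9EBA1, [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}, [4]uint{3, 9, 11, 15}},
	}
	st := [4]uint32{0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476}
	for off := 0; off < len(msg); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(msg[off+4*i:])
		}
		v := st
		for _, r := range rounds {
			for i := 0; i < 16; i++ {
				a := (4 - i%4) % 4 // rotates the (a,b,c,d) roles as in the RFC step table
				t := v[a] + r.fn(v[(a+1)%4], v[(a+2)%4], v[(a+3)%4]) + x[r.idx[i]] + r.k
				v[a] = t<<r.s[i%4] | t>>(32-r.s[i%4])
			}
		}
		for i := range st {
			st[i] += v[i]
		}
	}
	var out [16]byte
	for i, w := range st {
		binary.LittleEndian.PutUint32(out[4*i:], w)
	}
	return out
}

// NtPasswordHash (RFC 2759 8.3): MD4 over the password encoded as UTF-16LE.
func NtPasswordHash(password string) [16]byte {
	u := utf16.Encode([]rune(password))
	buf := make([]byte, 2*len(u))
	for i, c := range u {
		binary.LittleEndian.PutUint16(buf[2*i:], c)
	}
	return md4(buf)
}

// ChallengeHash (RFC 2759 8.2): first 8 bytes of SHA1(peer || authenticator || username).
func ChallengeHash(peer, auth [16]byte, user string) [8]byte {
	s := sha1.New()
	s.Write(peer[:])
	s.Write(auth[:])
	s.Write([]byte(user))
	var out [8]byte
	copy(out[:], s.Sum(nil))
	return out
}

// desEncrypt (RFC 2759 8.6): spread a 7-byte key over 8 bytes (parity bits cleared) and encrypt one block.
func desEncrypt(clear [8]byte, key7 []byte) [8]byte {
	var k [8]byte
	k[0] = key7[0] & 0xFE
	for i := uint(1); i < 7; i++ {
		k[i] = key7[i-1]<<(8-i) | key7[i]>>i
	}
	k[7] = key7[6] << 1
	c, _ := des.NewCipher(k[:]) // only errors on a wrong key length, which cannot happen here
	var out [8]byte
	c.Encrypt(out[:], clear[:])
	return out
}

// ChallengeResponse (RFC 2759 8.5): DES of the challenge under three 7-byte slices of the zero-padded NT hash.
func ChallengeResponse(challenge [8]byte, ntHash [16]byte) [24]byte {
	var z [21]byte
	copy(z[:], ntHash[:])
	var out [24]byte
	for i := 0; i < 3; i++ {
		blk := desEncrypt(challenge, z[7*i:7*i+7])
		copy(out[8*i:], blk[:])
	}
	return out
}

// GenerateNTResponse is the supplicant side: it starts from the cleartext password.
func GenerateNTResponse(auth, peer [16]byte, user, password string) [24]byte {
	return ChallengeResponse(ChallengeHash(peer, auth, user), NtPasswordHash(password))
}

// VerifyNTResponse is the RADIUS server side. It needs the stored NT hash;
// "bind with this password" (the only primitive a generic LDAP server offers) cannot produce it.
func VerifyNTResponse(auth, peer [16]byte, user string, storedNtHash [16]byte, resp [24]byte) bool {
	want := ChallengeResponse(ChallengeHash(peer, auth, user), storedNtHash)
	return subtle.ConstantTimeCompare(want[:], resp[:]) == 1
}

func main() {
	// RFC 2759 section 9.2 test vectors.
	auth := [16]byte{0x5B, 0x5D, 0x7C, 0x7D, 0x7B, 0x3F, 0x2F, 0x3E, 0x3C, 0x2C, 0x60, 0x21, 0x32, 0x26, 0x26, 0x28}
	peer := [16]byte{0x21, 0x40, 0x23, 0x24, 0x25, 0x5E, 0x26, 0x2A, 0x28, 0x29, 0x5F, 0x2B, 0x3A, 0x33, 0x7C, 0x7E}
	resp := GenerateNTResponse(auth, peer, "User", "clientPass")
	fmt.Println("NT-Response:", hex.EncodeToString(resp[:]))
	fmt.Println("verified with stored NT hash:", VerifyNTResponse(auth, peer, "User", NtPasswordHash("clientPass"), resp))
}
```

This is also why the "use AD instead" suggestion works where OpenLDAP does not: a domain controller holds the NT hashes and can answer the MS-CHAPv2 challenge on ACS's behalf, whereas a directory whose userPassword values are salted hashes can only answer a bind. Making the LDAP server "support MSCHAP", as suggested above, means storing the NT hash or the cleartext password in the directory, which is a real exposure and should be weighed against moving the Windows supplicants to a method the directory can already verify.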
02-15-2011 09:30 AM
Hi all,
I don't think the AD thing is possible. The system has been running for so long and the directory has become too large for us to migrate it. Plus, no additional costs are allowed.
So let us go to the second option.
How can I afford either PEAP-GTC or PEAP-TLS? I've tried that before with no success. It looks like GTC or TLS needs an additional signed certificate from a third party. Can you give me any references about how to install it?
Thanks.
02-17-2011 07:24 AM
Hi Ian,
PEAP-GTC relies on token cards (such as SecurID) to generate an access code to be entered during authentication. This is probably also not what you are looking for.
PEAP-TLS will require 2 certificates: 1 server certificate and 1 client certificate. Each client will use its own certificate as authentication credentials. In order for ACS to be able to validate the certificates from the clients, CA-signed certificates are required.
Best regards,
Bernardo
02-19-2011 09:44 AM
ok, I think I've got the answer. Thanks all.
Regards,
Cu Ian Wijaya