Current configuration : 989 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default group radius
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
!
!
!
!
interface FastEthernet0/0
ip address 172.16.16.16 255.255.0.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
clockrate 2000000
!
interface Serial0/0/1
no ip address
shutdown
clockrate 2000000
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.110.110
!
ip http server
!
ip radius source-interface FastEthernet0/0
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key yyyyy
control-plane
!
!        
line con 0
line aux 0
line vty 0 4
!
end

it's the configuration of the 1841 router. I just test it using telnet. when I'm telneting the router, it will ask the username and password from radius server.

Hey, looks like it's the logger I've been searching before.  thanks vaoc. I will try and see it tommorow. while waiting, do you have any other suggestion ? have you ever met this kind of case ?

thanks

  This is the log when using windows 7 as authentication client (Failed) :

This is the log when using 1841 router as authentication client (succeded)  :

I realized that Windows is using PEAP-MSCHAPv2 while Router is using PAP-ASCII as it's protocol.

so now, why PEAP-MSCHAPv2 can't authenticate to LDAP ?

is there anything I can do to make it work ?

Thanks for the update Ian. When you move to the internal Idenity store. Does this work with your computer authenticating? I am thinking this might be a ACS 5.1 setup problem. When reading this document: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/rad_tac_phase.html

I see the following:

RADIUS-Based Flows with EAP Authentication

EAP provides an extensible framework that supports a variety of  authentication types. Among them, the specific EAP methods supported by  ACS are:

•Simple EAP methods that do not use certificates:

–EAP-MD5

–LEAP

•EAP methods in which the client uses the ACS server certificate to perform server authentication:

–PEAP/EAP-MSCHAPv2

–PEAP/EAP-GTC

–EAP-FAST/EAP-MSCHAPv2

–EAP-FAST/EAP-GTC

•EAP methods that use certificates for both server and client authentication

–EAP-TLS

I don't see EAP-MSCHAP only EAP-MSCHAPv2. I don't know if this make a differance, but it might be something to look at. Can you change the MSCHAP version for the EAP?

Thanks,

Rafael

Hi all,

I don't think the AD thing is possible. the system has been running so long and the directory has been too large for us to migrate it. plus, no additional costs are allowed  .

so let us go to the second option.

How can I afford either PEAP-GTC  or PEAP-TLS ?  I've tried that before with no success.  it looks like GTC or TLS need additional signed certificate from third party. Can you give me any references about how to install it ?

Thanks.

Hi Ian,

PEAP-GTC relies on token cards (such as SecureID) to generate an access code to be entered during authentication. This is probably also not what you are looking for.

PEAP-TLS will require 2 certificates: 1 server certificate and 1 client certificate. Each client will use his own certificate as authentication credentials. In order for ACS to be able to validate the certificates from the clients, CA signed certificates are required.

Best regards,

Bernardo

ok, I think I've got the answer. Thanks all.

Regards,

Cu Ian Wijaya