ACS 5.5 + Radius Identity stores

Sharin Taib
Beginner

Hi

I have an ACS version 5.5 setup with Radius identity stores.

Currently, my wireless users login to a captive portal that sends EAP_ASCII to my ACS which then sends the credentials over to the individual radius identity stores.

I am attempting to change the login process for my wireless users by sending EAP_PEAP with no 2nd level authentication over to my ACS.

But I keep getting an error as such:

22043  Current Identity Store does not support the authentication method; Skipping it.
22056  Subject not found in the applicable identity store(s).

My vendor said that ACS version 5.5 + Radius identity stores does not support EAP_PEAP and will need to re-configure as an LDAP identity store.

I'm unable to find any documentation on this and was wondering if anyone has a setup as such which is working.

Thanks.

4 Replies

Jatin Katyal
Cisco Employee

Well, it's actually the opposite. LDAP doesn't support PEAP MSCHAPv2.

What identity store are you referring to? Can you please go to Access-policies > default network access > identity. Let me know what you see there. If you have an identity sequence store selected there then go to User & identity store > Identity store sequence and edit the one you have selected for wireless authentication. I will be able to tell you why you're seeing this error.

- Jatin


In my identity, I have multiple IETF for multiple authentication. So each will accept ending with ABC, ab or abc.com.sg

Identity store sequence does not have anything configured.

I have a few external identity stores, some are radius servers, some are LDAP.

OK, then the one you posted initially, where you see "identity store does not support the authentication" for PEAP, is surely going to LDAP server. Replace LDAP with AD or configure the endpoints to either use EAP-TLS or EAP-GTC instead of PEAP-MSCHAPv2.

- Jatin


Yeah, that's what I thought. EAP-TLS and EAP-GTC take a while for users to configure, so was trying to find default mobile setups. Thanks anyway!
