ACS 5.1 DenyAccess Identity Source selected

jjwaite
Level 1

I am trying to migrate away from EAP-TLS to PEAP because my Server Certificates expired and I wasted a whole day trying to do new ones over and over again.

But also, the user base here is trying to get iPad, Android and 'other' devices on the wireless, and EAP-TLS is too tricky.

I keep getting closer and closer to my goal, but now I am stuck at: '22017 DenyAccess Identity Source selected'

I have trawled my way through Access Policies > Access Services > Default Network Access > Identity, Group Mapping, trying to add 'PEAP', but it always gives me the above error!!!

I would love to cream it all and only use WLC to LDAP, but I could not get that to work either, and the debug showed no activity...

Is there one document out there: ACS 5.x LDAP to PEAP???

btw: here we have two 'forests', and the 'Active Directory' one uses PEAP perfectly, so why can't I get the LDAP one to be as good?????

Many thanks, Josh

Accepted Solution

Nicolas Darchis
Cisco Employee

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/eap_pap_phase.html#wp1031659

Check table B-5.

LDAP does not support PEAP-MSCHAPv2. This is not an ACS restriction but a restriction from LDAP databases returning clear-text passwords.

That's why Active Directory is a bit more than just "an LDAP database": it does allow MSCHAPv2 methods.

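To illustrate the point of the accepted answer, here is an added example that is not from this thread, from Cisco or from ACS: a model of the two verification paths ACS has. A generic LDAP store can only answer a bind with the clear-text password (the PAP path), whereas MSCHAPv2 is a challenge/response that the authenticator can only verify if the identity store hands it a password equivalent, which AD can and a bind-only directory cannot. The stores, the user "josh" and the password are constructed; HMAC-SHA256 stands in for the DES-based MSCHAPv2 response computation and for the NT hash so the example runs on the standard library alone.

```python
import hashlib
import hmac
import os

# Constructed demo credential stores; none of this is real ACS, AD or LDAP data.
PASSWORD = "Secret1!"   # the user's clear-text password, known to the supplicant

def password_equivalent(password):
    # Stand-in for the NT hash (MD4 over UTF-16LE) that MSCHAPv2 is keyed on.
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def _bind_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

_SALT = os.urandom(16)
# Generic LDAP directory: it only answers "does this clear-text password bind?"
# and never returns a password or a password-equivalent hash to ACS.
LDAP_STORE = {"josh": {"salt": _SALT, "bind_hash": _bind_hash(PASSWORD, _SALT)}}
# Active Directory: ACS can obtain a password equivalent for the user.
AD_STORE = {"josh": {"pw_equiv": password_equivalent(PASSWORD)}}

def ldap_bind(store, user, password):
    """PAP path: ACS receives the clear-text password and forwards it as a bind."""
    e = store.get(user)
    return e is not None and hmac.compare_digest(_bind_hash(password, e["salt"]), e["bind_hash"])

def mschapv2_response(pw_equiv, challenge, user):
    """Supplicant side. Real MSCHAPv2 DES-encrypts an 8-byte challenge hash under
    the NT hash; HMAC-SHA256 stands in here so the example needs only the stdlib."""
    return hmac.new(pw_equiv, challenge + user.encode(), hashlib.sha256).digest()

def verify_mschapv2(store, user, challenge, response):
    """Authenticator side: ACS can only recompute the expected response if the
    store hands it a password equivalent. A bind-only LDAP entry cannot."""
    e = store.get(user)
    if e is None or "pw_equiv" not in e:
        return "unsupported"   # the accepted answer's point: no PEAP-MSCHAPv2 over LDAP
    expected = mschapv2_response(e["pw_equiv"], challenge, user)
    return "accept" if hmac.compare_digest(expected, response) else "reject"

def demo():
    challenge = os.urandom(16)
    good = mschapv2_response(password_equivalent(PASSWORD), challenge, "josh")
    bad = mschapv2_response(password_equivalent("wrong"), challenge, "josh")
    return {
        "ldap_pap": ldap_bind(LDAP_STORE, "josh", PASSWORD),
        "ldap_mschapv2": verify_mschapv2(LDAP_STORE, "josh", challenge, good),
        "ad_mschapv2": verify_mschapv2(AD_STORE, "josh", challenge, good),
        "ad_mschapv2_bad_pw": verify_mschapv2(AD_STORE, "josh", challenge, bad),
    }
```

`demo()` shows the same user authenticating fine by bind against the LDAP store but coming back "unsupported" for MSCHAPv2 there, while the AD-style store can verify MSCHAPv2 and still rejects a wrong password.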
2 Replies

Thanks for that. I have two ACSs, so it looks like if I want PEAP for both forests, they will be separate ACSs too, both on pure Active Directory.

But for the time being, I got the certificates to work. Curse my feeble not understanding the 'process'!!!

I have made an appointment in my calendar for 1-AUG-2012 to put in new certificates, with instructions, so I don't forget.