PEAP-MSCHAPv2 with ACS 5.3 - WLC + Strong Authentication

Hi to everyone,

We have a diagram similar to this:

User -> AP Aironet -> Cisco WLC -> Radius Server -> Cisco ACS 5.3

Now in details:

The user takes a notebook to access a wireless network that uses PEAP-MSCHAPv2 as the authentication protocol. The user has to input (see Image 1):

  • Username: telcouser
  • Mobile Token (OTP): 312832
  • Password: ********

Image 1. You can see the format in the image below:

[Image 1: screenshot of the login prompt (Screen Shot 2013-12-11 at 9.40.18 PM.png)]

AP Aironet forwards the SSID and other stuff to the Cisco WLC which connects to the Radius Server.

The Radius Server authenticates the Mobile Token using HOTP, separates the username / Mobile Token from the PEAP Challenge, and delivers the information to the ACS.

Actually we use the Radius Server in the middle between the WLC and Cisco ACS to maintain a strong authentication policy without breaking our PEAP-MSCHAPv2, because Cisco ACS cannot handle that type of authentication protocol.

Everything here works fine until we add the Active Directory as the Identity Source on the Network Policy we use.

We noticed that when we switch to this diagram:

User -> AP Aironet -> Cisco WLC -> Radius Server -> Cisco ACS -> Active Directory

The radius server sends the “Radius Username” attribute stripped, but in the logs of the ACS we saw an attribute “ACS Username” that contains user/token, and obviously this fails when ACS tries this attribute against the Active Directory. Viewing the logs, Radius User is without the /312832.

After a debug at the first Radius Server we are pretty sure that there is no such attribute as “ACS Username” or “ACS::Username” in the radius communication sent from the Radius Server to Cisco ACS. So the question is, at which point does the ACS get the user/token, or how can we override this type of behavior?

We also wonder whether the ACS can strip the prefix/suffix of the attribute and send the information to the Active Directory without the Mobile token “(/312832)”. We need to have the user without the token.

User: Windows XP, Windows 7 and Mac OS X

AP Aironet: Version

Cisco WLC: Version

Radius Server: Freeradius 2.1 – VU Security Application Server

Cisco ACS: Version 5.3

Active Directory: Version Windows 2003
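The split-and-verify step the post attributes to the intermediate Radius Server, written here as an added Python example (it is not the poster's FreeRADIUS / VU Security configuration, nor ACS code): it parses the "user/token" form of the RADIUS User-Name shown in Image 1, checks the OTP with RFC 4226 HOTP, and returns the bare username that would be forwarded on to ACS. The token store, the look-ahead window, the "/" separator and the use of the RFC 4226 test-vector key as the user's secret are all assumptions made for the example.

```python
import hashlib
import hmac
import struct

# Constructed token store for the example: username -> shared secret and the
# next expected HOTP counter. The secret is the RFC 4226 test-vector key, used
# here only so the codes are reproducible; it is not a real secret.
TOKEN_STORE = {
    "telcouser": {"secret": b"12345678901234567890", "counter": 0},
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code of `digits` length."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


def split_identity(user_name: str, separator: str = "/"):
    """Split the 'user/token' form of the RADIUS User-Name (Image 1).
    Returns (username, token); token is None when no token was supplied."""
    if separator not in user_name:
        return user_name, None
    username, token = user_name.rsplit(separator, 1)
    if not username or not token.isdigit():
        raise ValueError("malformed identity: %r" % user_name)
    return username, token


def verify_hotp(store: dict, username: str, token: str, window: int = 5) -> bool:
    """Check `token` against the user's next `window` + 1 counter values.
    On success the stored counter moves past the one used, so a code that was
    already accepted cannot be replayed; the comparison is constant-time."""
    record = store.get(username)
    if record is None:
        return False
    for step in range(window + 1):
        candidate = record["counter"] + step
        if hmac.compare_digest(hotp(record["secret"], candidate), token):
            record["counter"] = candidate + 1
            return True
    return False


def proxy_user_name(store: dict, user_name: str):
    """What the intermediate RADIUS server forwards as User-Name: the bare
    username when the OTP verifies, None (reject the request) otherwise."""
    username, token = split_identity(user_name)
    if token is None or not verify_hotp(store, username, token):
        return None
    return username


def make_store() -> dict:
    """Fresh copy of the constructed store, so each run starts at counter 0."""
    return {user: dict(rec) for user, rec in TOKEN_STORE.items()}


if __name__ == "__main__":
    store = make_store()
    print(proxy_user_name(store, "telcouser/755224"))  # telcouser (counter 0)
    print(proxy_user_name(store, "telcouser/755224"))  # None: replay of a used code
    print(proxy_user_name(store, "telcouser/287082"))  # telcouser (counter 1)
    print(proxy_user_name(store, "telcouser"))         # None: no token supplied
```

Note that this rewrite touches only the RADIUS User-Name attribute, which is the field the poster's debug shows arriving stripped at ACS; the EAP payload carried in the same request is passed through by such a proxy unchanged.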




For Host Lookup, the value will be the host MAC address. In all other cases, the value is the identity name used for authentication.