The issue is due to the presence of Cisco bug ID CSCeg01533.
When Protected Extensible Authentication Protocol (PEAP) Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) authentication is used with two CiscoSecure ACS for Windows servers, one of which acts as a proxy server that strips the realm, the authentication can fail. This issue is first seen with CiscoSecure ACS for Windows version 3.2.3.
What is PEAP?
Protected Extensible Authentication Protocol (PEAP) belongs to the family of Extensible Authentication Protocol (EAP) protocols. PEAP uses Transport Layer Security (TLS) in order to create an encrypted channel between an authenticating PEAP client and a PEAP authenticator, such as a RADIUS server.
PEAP does not specify an authentication method, but provides additional security for other EAP authentication protocols, such as EAP-MS-CHAP v2, that can operate through the TLS encrypted channel provided by PEAP. PEAP is used as an authentication method for 802.1X wireless client computers, but is not supported for virtual private network (VPN) or other remote access clients.
The workaround for this issue is to not strip the realm and configure the end server accordingly. This bug is fixed in CiscoSecure ACS for Windows version 4.0(1.27).
In order to download CiscoSecure ACS for Windows version 4.0(1.27), open a service request with Cisco Technical Support.