The issue is due to the presence of Cisco bug ID CSCeg01533.
When Protected Extensible Authentication Protocol (PEAP) Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) authentication is used with two CiscoSecure ACS for Windows servers with one server acting as a proxy server that strips the realm, the authentication can fail. This issue is first seen with CiscoSecure ACS for Windows version 3.2.3.
What is PEAP?
Protected Extensible Authentication Protocol (PEAP) belongs to the family of Extensible Authentication Protocol (EAP) protocols. PEAP uses Transport Layer Security (TLS) in order to create an encrypted channel between an authenticating PEAP client and a PEAP authenticator, such as a RADIUS server.
PEAP does not specify an authentication method, but provides additional security for other EAP authentication protocols, such as EAP-MS-CHAP v2, that can operate through the TLS encrypted channel provided by PEAP. PEAP is used as an authentication method for 802.1X wireless client computers, but is not supported for virtual private network (VPN) or other remote access clients.
The workaround for this issue is to not strip the realm and configure the end server accordingly. This bug is fixed in CiscoSecure ACS for Windows version 4.0(1.27).
In order to download CiscoSecure ACS for Windows version 4.0(1.27), open a service request with Cisco Technical Support.