TCC_2

Core issue

This issue is caused by Cisco bug ID CSCeg01533.

When Protected Extensible Authentication Protocol (PEAP) with Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) authentication is used with two CiscoSecure ACS for Windows servers, and one server acts as a proxy server that strips the realm, the authentication can fail. This issue was first seen with CiscoSecure ACS for Windows version 3.2.3.

What is PEAP?

Protected Extensible Authentication Protocol (PEAP) belongs to the family of Extensible Authentication Protocol (EAP) protocols. PEAP uses Transport Layer Security (TLS) to create an encrypted channel between an authenticating PEAP client and a PEAP authenticator, such as a RADIUS server.

PEAP does not specify an authentication method, but provides additional security for other EAP authentication protocols, such as EAP-MS-CHAP v2, that can operate through the TLS encrypted channel provided by PEAP. PEAP is used as an authentication method for 802.1X wireless client computers, but is not supported for virtual private network (VPN) or other remote access clients.

Resolution

The workaround for this issue is to not strip the realm on the proxy server and to configure the end server accordingly. This bug is fixed in CiscoSecure ACS for Windows version 4.0(1.27).

To download CiscoSecure ACS for Windows version 4.0(1.27), open a service request with Cisco Technical Support.
