
ACS 5.5 + Radius Identity stores

Sharin Taib
Level 1

Hi

I have an ACS version 5.5 setup with Radius identity stores.

Currently, my wireless users log in to a captive portal that sends EAP_ASCII to my ACS, which then sends the credentials over to the individual RADIUS identity stores.

I am attempting to change the login process for my wireless users by sending EAP_PEAP with no 2nd level authentication over to my ACS.

But I keep getting an error as such:

22043  Current Identity Store does not support the authentication method; Skipping it.
22056  Subject not found in the applicable identity store(s).

My vendor said that ACS version 5.5 + RADIUS identity stores does not support EAP_PEAP and will need to be re-configured as an LDAP identity store.

I'm unable to find any documentation on this and was wondering if anyone has a setup as such which is working.

Thanks.

4 Replies

Jatin Katyal
Cisco Employee

Well, it's actually the opposite. LDAP doesn't support PEAP MSCHAPv2.

What identity store are you referring to? Can you please go to Access-policies > default network access > identity. Let me know what you see there. If you have an identity sequence store selected there, then go to User & identity store > Identity store sequence and edit the one you have selected for wireless authentication. I will be able to tell you why you're seeing this error.

- Jatin


In my identity, I have multiple IETF for multiple authentication. So each will accept ending with ABC, ab or abc.com.sg.

Identity store sequence does not have anything configured.

I have a few external identity stores; some are RADIUS servers, some are LDAP.

OK, then the one you posted initially, where you see "identity store does not support the authentication" for PEAP, is surely going to the LDAP server. Replace LDAP with AD or configure the endpoints to use either EAP-TLS or EAP-GTC instead of PEAP-MSCHAPv2.

- Jatin


Yeah, that's what I thought. EAP-TLS and EAP-GTC take a while for users to configure, so I was trying to find default mobile setups. Thanks anyway!
