ACS 5.3 Stripping Radius User Prefix


Hi,
I have configured my ACS 5.3 to strip the prefix of the RADIUS username (Domain\weekwang) it receives, and I have also configured my ACS as the External RADIUS Server. However, this does not seem to work. The authentication protocol that I am using is PEAP MSCHAPv2.
I have read in this forum that, because the RADIUS username and password are transmitted inside the TLS tunnel of PEAP MSCHAPv2, ACS is not able to do the stripping, since it is not allowed to touch anything inside the TLS tunnel. Please advise whether I have understood the concept correctly.
Rgds


Hi Steven,
This is unfortunately correct. Using yourself as a RADIUS proxy is a great workaround to strip things.
However, by design, if you use an external database (LDAP or a proxy RADIUS server), the MSCHAPv2 encryption of the password makes it impossible to authenticate the user, since the tunnel is ended on the first ACS. It will work with PEAP-GTC, but all MSCHAPv2 methods will fail.
Nicolas

October 11, 2015
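To make the answer concrete, here is an added Python model (not from this thread, and not Cisco's code) of why a proxying ACS can strip the domain prefix for PAP but not for PEAP-MSCHAPv2: the backend never receives a password, only a challenge response, and RFC 2759 binds the supplicant's exact user name into the ChallengeHash, so a response computed for "Domain\weekwang" cannot verify as "weekwang". The MD4/DES steps of RFC 2759 are replaced by an HMAC stand-in because the standard library lacks them; the names, password and challenges are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample values (not taken from the thread).
FULL_NAME = "Domain\\weekwang"   # inner identity the supplicant actually uses
STRIPPED_NAME = "weekwang"       # what a prefix-stripping proxy would forward
PASSWORD = b"example-password"   # constructed; the backend knows it, the proxy never sees it

def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash: SHA-1 over PeerChallenge ||
    AuthenticatorChallenge || UserName, truncated to 8 bytes.  The user
    name is part of the hashed input, so the challenge, and therefore the
    response, is tied to the exact name the supplicant sent."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]

def challenge_response(password: bytes, challenge: bytes) -> bytes:
    """Stand-in for RFC 2759 NtPasswordHash (MD4) + ChallengeResponse (3x DES).
    HMAC-SHA256 keyed by a hash of the password is used instead; what matters
    for the argument is that the result depends on the password and on the
    user-name-bound challenge, and cannot be recomputed without the password."""
    key = hashlib.sha256(password).digest()
    return hmac.new(key, challenge, hashlib.sha256).digest()[:24]

def supplicant_respond(auth_challenge: bytes, username: str, password: bytes):
    """Inner MS-CHAPv2 step done by the client inside the PEAP tunnel."""
    peer_challenge = os.urandom(16)
    ch = challenge_hash(peer_challenge, auth_challenge, username)
    return peer_challenge, challenge_response(password, ch)

def backend_verify(auth_challenge, peer_challenge, username, nt_response, password) -> bool:
    """Backend (external RADIUS / identity store) recomputes the response for
    the user name it was given.  A changed name changes the ChallengeHash."""
    ch = challenge_hash(peer_challenge, auth_challenge, username)
    return hmac.compare_digest(challenge_response(password, ch), nt_response)

def mschapv2_via_proxy(strip_prefix: bool) -> bool:
    """First ACS terminates PEAP, then proxies MS-CHAPv2 to the backend."""
    auth_challenge = os.urandom(16)
    peer, resp = supplicant_respond(auth_challenge, FULL_NAME, PASSWORD)
    forwarded = STRIPPED_NAME if strip_prefix else FULL_NAME
    return backend_verify(auth_challenge, peer, forwarded, resp, PASSWORD)

def pap_via_proxy(strip_prefix: bool) -> bool:
    """With PAP the proxy forwards the cleartext password, so the backend can
    check it under whatever user name it is handed; stripping works."""
    forwarded = STRIPPED_NAME if strip_prefix else FULL_NAME
    return forwarded in (FULL_NAME, STRIPPED_NAME) and PASSWORD == b"example-password"
```

Run `mschapv2_via_proxy(True)` and `pap_via_proxy(True)` side by side: only the PAP path survives prefix stripping.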
