22043 Current Identity Store does not support the authentication method; Skipping it

Hello,

 

I am trying to create a Device Admin policy for a Palo Alto firewall. I want to look up the read-only users in AD and the admin users in the local database of the ISE.

 

Everything works fine when using PAP as an authentication protocol on the Palo.

When I switch to CHAP... which is preferred, the authentication and authorization from the local database is fine (the admins), but the one to the AD fails with the error: "22043 Current Identity Store does not support the authentication method; Skipping it - AD1".

 

In Allowed protocols all protocols are checked.

 

PAP/ASCII

CHAP

MSCHAPv1

 

Any idea why this is not working?

 

Regards

Accepted Solutions

howon
Cisco Employee

Please see the protocol/ID store support matrix; AD doesn't support EAP-MD5 and CHAP. Please use one of the supported protocols listed in the table for AD:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide_26_chapter_01110.html#concept_BD3A270FEC0C411DA10FB808C14B48D5
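
Background for the answer above, as an added example that is not part of the thread or Cisco's code: CHAP (RFC 1994) has the server recompute MD5(identifier || secret || challenge), which needs the cleartext secret, whereas PAP delivers the password itself to be checked. The two store classes, the sample credential and the PBKDF2 hash are constructed stand-ins and do not model AD's actual password format.

```python
import hashlib, hmac, os

class UnsupportedMethod(Exception):
    """The identity store cannot verify this authentication method."""

def chap_response(ident, secret, challenge):
    # RFC 1994: Response = MD5(Identifier || secret || Challenge)
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class CleartextStore:
    """Constructed model of a store that can supply the cleartext secret."""
    def __init__(self, users):
        self.users = dict(users)

    def verify_chap(self, user, ident, challenge, response):
        if user not in self.users:
            return False
        # The server recomputes the response, which requires the secret itself.
        expected = chap_response(ident, self.users[user], challenge)
        return hmac.compare_digest(expected, response)

class HashOnlyStore:
    """Constructed model of a store that keeps only a one-way hash."""
    def __init__(self, users):
        self.users = {}
        for name, pw in users.items():
            salt = os.urandom(16)
            self.users[name] = (salt, self._hash(pw, salt))

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)

    def verify_pap(self, user, password):
        # PAP delivers the password itself, so the store can hash and compare.
        if user not in self.users:
            return False
        salt, stored = self.users[user]
        return hmac.compare_digest(stored, self._hash(password, salt))

    def verify_chap(self, user, ident, challenge, response):
        # Only MD5(id || secret || challenge) arrives; no cleartext to recompute from.
        raise UnsupportedMethod("CHAP needs the cleartext secret")

if __name__ == "__main__":
    users = {"admin1": b"constructed-pass"}  # constructed sample credential
    challenge = os.urandom(16)
    resp = chap_response(7, users["admin1"], challenge)
    print(CleartextStore(users).verify_chap("admin1", 7, challenge, resp))
    print(HashOnlyStore(users).verify_pap("admin1", users["admin1"]))
```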

 


3 Replies


Thanks. I have somehow missed that.

Could you please provide the link again? That one doesn't work anymore.

TIA