Cisco Systems 3.3 Server User Manual


 
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 1 Overview
AAA Server Functions and Concepts
• ARAP—Uses a two-way challenge-response mechanism. The AAA client challenges the end-user client to authenticate itself, and the end-user client challenges the AAA client to authenticate itself.
MS-CHAP
Cisco Secure ACS supports Microsoft Challenge-Handshake Authentication
Protocol (MS-CHAP) for user authentication. Differences between MS-CHAP
and standard CHAP are the following:
• The MS-CHAP Response packet is in a format compatible with Microsoft Windows and LAN Manager 2.x. The MS-CHAP format does not require the authenticator to store a clear-text or reversibly encrypted password.
• MS-CHAP provides an authentication-retry mechanism controlled by the authenticator.
• MS-CHAP provides additional failure codes in the Failure packet Message field.
For more information on MS-CHAP, refer to RFC
draft-ietf-pppext-mschap-00.txt, RADIUS Attributes for MS-CHAP Support.
EAP Support
The Extensible Authentication Protocol (EAP), based on IETF 802.1x, is an
end-to-end framework that allows the creation of authentication types without
changing AAA client configurations. For more information about EAP, see
RFC 2284, PPP Extensible Authentication Protocol (EAP).
Cisco Secure ACS supports the following varieties of EAP:
• EAP-MD5—An EAP protocol that does not support mutual authentication.
• EAP-TLS—EAP incorporating Transport Layer Security. For more information, see EAP-TLS Deployment Guide for Wireless LAN Networks and EAP-TLS Authentication, page 10-2.
• LEAP—An EAP protocol used by Cisco Aironet wireless equipment; it supports mutual authentication.
• PEAP—Protected EAP, which is implemented with EAP-Generic Token Card (GTC) and EAP-MSCHAPv2 protocols. For more information, see PEAP Authentication, page 10-8.
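
To illustrate the EAP-MD5 entry above, the following added example (not from the Cisco guide or from Cisco Secure ACS) builds, parses and verifies an MD5-Challenge exchange using the RFC 2284 packet layout and the CHAP digest of identifier, secret and challenge. The secret, the names acs and alice, and all function names are constructed for illustration. It shows that only the peer is authenticated, and that the authenticator needs the clear-text secret to check the response.

```python
import hashlib
import hmac
import os
import struct

# EAP codes and the MD5-Challenge type number from RFC 2284.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_MD5 = 4

def build_md5_packet(code, identifier, value, name=b""):
    """Code(1) Identifier(1) Length(2) Type(1) Value-Size(1) Value Name."""
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def parse_md5_packet(packet):
    """Return (code, identifier, value, name); reject malformed input."""
    if len(packet) < 6:
        raise ValueError("too short for an EAP MD5-Challenge packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 6 or length > len(packet):
        raise ValueError("bad EAP Length field")
    if packet[4] != EAP_TYPE_MD5:
        raise ValueError("not EAP type 4 (MD5-Challenge)")
    size = packet[5]
    if 6 + size > length:
        raise ValueError("Value-Size overruns packet")
    return code, identifier, packet[6:6 + size], packet[6 + size:length]

def peer_respond(request, secret):
    """Peer side: answers the challenge; no step here authenticates the sender."""
    _, identifier, challenge, _ = parse_md5_packet(request)
    digest = hashlib.md5(bytes([identifier]) + secret + challenge).digest()
    return build_md5_packet(EAP_RESPONSE, identifier, digest, b"alice")

def server_verify(request, response, secret):
    """Authenticator side: recomputes the digest from its clear-text secret."""
    _, req_id, challenge, _ = parse_md5_packet(request)
    code, resp_id, digest, _ = parse_md5_packet(response)
    if code != EAP_RESPONSE or resp_id != req_id:
        return EAP_FAILURE
    expected = hashlib.md5(bytes([req_id]) + secret + challenge).digest()
    return EAP_SUCCESS if hmac.compare_digest(digest, expected) else EAP_FAILURE

def demo():
    secret = b"constructed-sample-secret"  # constructed sample value
    request = build_md5_packet(EAP_REQUEST, 7, os.urandom(16), b"acs")
    return server_verify(request, peer_respond(request, secret), secret)
```

The Request carries nothing derived from the shared secret, so the peer has no value to check before it responds; that is the missing half of mutual authentication.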