Cisco Systems CSACS3415K9 Computer Accessories User Manual


 
B-31
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Appendix B Authentication in ACS 5.4
EAP-MSCHAPv2
Overview of EAP-MSCHAPv2
Some of the specific members of the EAP family of authentication protocols, specifically EAP-FAST
and PEAP, support the notion of an "EAP inner method." This means that another EAP-based protocol
performs additional authentication within the context of the first protocol, which is known as the "EAP
outer method."
One of the inner methods supported by the EAP-FAST and PEAP outer methods is EAP-MSCHAPv2,
which is an adaptation of the MSCHAPv2 protocol that complies with the general framework established
by EAP.
Using EAP-MSCHAPv2 as the inner EAP method facilitates the reuse of Microsoft directory technology
(such as Windows Active Directory), with the associated database of user credentials for wireless
authentication in the following contexts:
MSCHAPv2 for User Authentication, page B-31
MSCHAPv2 for Change Password, page B-31
Windows Machine Authentication Against AD, page B-31
MSCHAPv2 for User Authentication
ACS supports the EAP-MSCHAPv2 authentication protocol as the inner method of EAP-FAST and
PEAP. The protocol is an encapsulation of MSCHAPv2 into the EAP framework. Mutual authentication
occurs against the configured credential database.
The client does not send its password, but a cryptographic function of the password. Using
EAP-MSCHAPv2 as the inner method of a tunneling protocol increases the protection of the secured
communication: every protocol message is encrypted inside the tunnel, and the server and client
challenges are not generated randomly but are derived from the outer method's cryptographic material.
EAP-MSCHAPv2 is supported for AD and the ACS internal identity store.
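As an added illustration that is not part of the Cisco guide, the following Python shows how the inner EAP-MSCHAPv2 challenges can be taken from the outer tunnel's keying material instead of a random generator, following the EAP-FAST layout in which the TLS key_block is extended past the cipher-suite keys by a 40-byte session_key_seed, a 16-byte ServerChallenge and a 16-byte ClientChallenge (RFC 4851 section 5.1 and RFC 5422 section 3.2.3). It assumes the TLS 1.0/1.1 PRF of RFC 2246 (TLS 1.2 uses a SHA-256 PRF instead), and the master secret, randoms and key-block length used in the demo are constructed sample values.

```python
import hashlib
import hmac

SKS_LEN = 40        # session_key_seed length, RFC 4851 section 5.1
CHALLENGE_LEN = 16  # MSCHAPv2 challenge length


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_<hash> data expansion from RFC 2246 section 5: HMAC chained over A(i)."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()          # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls10_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0/1.1 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the second half."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def derive_implicit_challenges(master_secret: bytes, client_random: bytes,
                               server_random: bytes, cipher_key_block_len: int):
    """Extend the TLS key_block beyond the cipher-suite key material and slice it as
    [session_key_seed 40][ServerChallenge 16][ClientChallenge 16] (EAP-FAST convention).
    Both tunnel endpoints compute the same values, so the inner challenges are bound
    to this TLS session rather than chosen independently by either side."""
    total = cipher_key_block_len + SKS_LEN + 2 * CHALLENGE_LEN
    key_block = tls10_prf(master_secret, b"key expansion",
                          server_random + client_random, total)
    extra = key_block[cipher_key_block_len:]
    sks = extra[:SKS_LEN]
    server_challenge = extra[SKS_LEN:SKS_LEN + CHALLENGE_LEN]
    client_challenge = extra[SKS_LEN + CHALLENGE_LEN:SKS_LEN + 2 * CHALLENGE_LEN]
    return sks, server_challenge, client_challenge


if __name__ == "__main__":
    # Constructed sample inputs; a real tunnel supplies these from its TLS handshake.
    ms = bytes(range(48))                      # 48-byte TLS master secret
    cr, sr = b"\x11" * 32, b"\x22" * 32        # client_random, server_random
    sks, srv, cli = derive_implicit_challenges(ms, cr, sr, 104)  # 104 = e.g. AES-128/SHA1 key block
    print("ServerChallenge:", srv.hex())
    print("ClientChallenge:", cli.hex())
```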
MSCHAPv2 for Change Password
When you use EAP-MSCHAPv2 (as an EAP inner method) to authenticate a user whose password has
expired, ACS sends a specific EAP-MSCHAPv2 failure notification to the client. The client can prompt
the user for a new password and then provide it to ACS inside the same conversation.
The new password is encrypted with the help of the old one. When a user password is changed
successfully, the new user password is stored in the credential database.
EAP-MSCHAPv2 change password is supported for AD and ACS internal identity store.
Windows Machine Authentication Against AD
EAP-MSCHAPv2 can be used for machine authentication. EAP-MSCHAPv2 Windows machine
authentication works the same way as user authentication. The difference is that you must use the Active
Directory of a Windows domain, since a machine password can be generated automatically on the
machine and in AD as a function of time and other parameters. The generated password cannot be
stored in other types of credential databases.