Cisco Systems CSACS3415K9 Computer Accessories User Manual
B-32
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Appendix B Authentication in ACS 5.4
EAP-MSCHAPv2 Flow in ACS 5.4
Components involved in the 802.1x and MSCHAPv2 authentication process are the:
• Host—The end entity, or end user’s machine.
• AAA client—The network access point.
• Authentication server—ACS.
The MSCHAPv2 protocol is described in RFC 2759.
Related Topic
Authentication Protocol and Identity Store Compatibility, page B-36
CHAP
CHAP uses a challenge-response mechanism with one-way encryption on the response. CHAP enables ACS to negotiate downward from the most secure to the least secure encryption mechanism, and it protects passwords that are transmitted in the process. CHAP passwords are reusable.
If you are using the ACS internal database for authentication, you can use PAP or CHAP. CHAP does not work with the Windows user database. Compared to RADIUS PAP, CHAP allows a higher level of security for encrypting passwords when communicating from an end-user client to the AAA client.
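The challenge-response check described above, worked through as an added example (not Cisco's or ACS's own code): the response is computed as in RFC 1994, carried to the RADIUS server in the CHAP-Password attribute layout of RFC 2865, and verified by recomputing it from the password held in the internal database. The secret and challenge values are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# CHAP response per RFC 1994 section 4.1: MD5(Identifier || secret || Challenge).
# Only the 16-octet hash crosses the wire, never the secret itself.
def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()

# String field of the RADIUS CHAP-Password attribute (RFC 2865 section 5.3):
# 1 octet CHAP Identifier followed by the 16-octet response.
def radius_chap_password(identifier: int, response: bytes) -> bytes:
    if len(response) != 16:
        raise ValueError("CHAP response must be 16 octets")
    return bytes([identifier]) + response

# Server-side check. The server must hold the cleartext secret to recompute the
# hash; a store that keeps only a one-way hash of the password (the reason CHAP
# does not work against the Windows user database) cannot perform this step.
def verify_chap(chap_password: bytes, challenge: bytes,
                stored_secret: Optional[str]) -> bool:
    if stored_secret is None or len(chap_password) != 17:
        return False
    identifier, response = chap_password[0], chap_password[1:]
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)  # constant-time comparison

# Constructed walk-through: one authentication plus the failure modes a defender
# cares about (wrong secret, replay against a fresh challenge, hash-only store).
def demo() -> dict:
    challenge = os.urandom(16)            # chosen by the AAA client in practice
    secret = "internal-db-secret"         # constructed sample value
    ident = 0x2A                          # constructed CHAP Identifier
    attr = radius_chap_password(ident, chap_response(ident, secret, challenge))
    return {
        "accept": verify_chap(attr, challenge, secret),
        "wrong_secret": verify_chap(attr, challenge, "other-secret"),
        "replayed_response": verify_chap(attr, os.urandom(16), secret),
        "hash_only_store": verify_chap(attr, challenge, None),
    }

if __name__ == "__main__":
    print(demo())
```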
LEAP
ACS currently uses LEAP only for Cisco Aironet wireless networking. If you do not enable this option, Cisco Aironet end-user clients who are configured to perform LEAP authentication cannot access the network. If all Cisco Aironet end-user clients use a different authentication protocol, such as EAP-TLS, we recommend that you disable this option.
Note If users access your network by using a AAA client that is defined in the Network Configuration section as a RADIUS (Cisco Aironet) device, you must enable LEAP, EAP-TLS, or both; otherwise, Cisco Aironet users cannot authenticate.
Certificate Attributes
ACS parses the following attributes of the client certificate:
• Certificate serial-number (in binary format)
• Encoded certificate (in binary DER format)
• Subject’s CN attribute
• Subject’s O attribute (Organization)
• Subject’s OU attribute (Organization Unit)
• Subject’s L attribute (Location)
• Subject’s C attribute (Country)