User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 8 Managing Users and Identity Stores
Managing External Identity Stores
Creating and Editing RSA SecurID Token Servers
Configuring ACS Instance Settings
Editing ACS Instance Settings
RADIUS Identity Stores
A RADIUS server is a third-party server that supports the RADIUS interface. The RADIUS identity store,
which is part of ACS, connects to the RADIUS server.
RADIUS servers include servers that come with a standard RADIUS interface built in and other
servers that support the RADIUS interface. ACS 5.4 supports any RADIUS RFC 2865-compliant server
as an external identity store. ACS 5.4 supports multiple RADIUS token server identities,
for example, the RSA SecurID server and the SafeWord server. RADIUS identity stores can work with any
RADIUS token server that is used to authenticate the user. RADIUS identity stores use the UDP port
for authentication sessions. The same UDP port is used for all RADIUS communication.
Note: For ACS to successfully send RADIUS messages to a RADIUS-enabled server, you must ensure that the
gateway devices between the RADIUS-enabled server and ACS allow communication over the UDP
port. You can configure the UDP port through the ACS web interface.
This section contains the following topics:
Supported Authentication Protocols
Failover
Password Prompt
User Group Mapping
Groups and Attributes Mapping
RADIUS Identity Store in Identity Sequence
Authentication Failure Messages
Username Special Format with Safeword Server
User Attribute Cache
Creating, Duplicating, and Editing RADIUS Identity Servers

Supported Authentication Protocols

ACS supports the following authentication protocols for RADIUS identity stores:
RADIUS PAP
TACACS+ ASCII/PAP
PEAP with inner EAP-GTC
EAP-FAST with inner EAP-GTC
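
The following is an added example, not code from Cisco or from ACS: it shows what an RFC 2865 RADIUS PAP exchange looks like from the client role that ACS plays toward a token server, namely how the passcode is hidden in the User-Password attribute and how the reply's Response Authenticator is checked against the shared secret. All function names, the sample user, passcode and secret are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2      # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2           # RFC 2865 attribute types

def hide_password(password, secret, authenticator):
    # RFC 2865 section 5.2: each 16-byte block is XORed with
    # MD5(secret + previous ciphertext block); block 0 uses the Request Authenticator.
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def _attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(ident, user, passcode, secret, authenticator=None):
    # NAS-IP-Address / NAS-Identifier are left out to keep the example short.
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(USER_NAME, user) + _attr(
        USER_PASSWORD, hide_password(passcode, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs

def sign_response(code, request, secret, attrs=b""):
    # Server side: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    digest = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + digest + attrs

def response_is_authentic(response, request, secret):
    # Client side: drop any reply that was not keyed with the shared secret.
    if len(response) < 20 or len(request) < 20:
        return False
    _, ident, length = struct.unpack("!BBH", response[:4])
    if length < 20 or length > len(response) or ident != request[1]:
        return False
    response = response[:length]          # octets beyond Length are padding
    expected = hashlib.md5(
        response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

Both the passcode hiding and the reply check depend only on MD5 keyed with the shared secret, so the secret configured for the token server should be long and random.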