A-8
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Appendix A AAA Protocols
Overview of RADIUS
RADIUS Attribute Support in ACS 5.4
ACS 5.4 supports the RADIUS protocol as RFC 2865 describes.
ACS 5.4 supports the following types of RADIUS attributes:
IETF RADIUS attributes
Generic and Cisco VSAs
Other vendors’ attributes
ACS 5.4 also supports attributes defined in the following extensions to RADIUS:
Accounting-related attributes, as defined in RFC 2866.
Support for Tunnel Protocol, as defined in RFCs 2867 and 2868.
Support for EAP (via the EAP-Message attribute), as defined in RFCs 2869 and 3579.
Note: When RADIUS parameters are referenced, the convention [attribute-number][attribute name] is used. For example, [1]User-Name, where the number and name correspond to those assigned to the parameter in the specification.
RADIUS supports receiving, sending, and dictionary-based parsing and construction of any RADIUS attribute, regardless of whether it is a regular attribute, a VSA, or a Cisco attribute-value (AV) pair. The RADIUS interface in ACS supports the attribute data types defined in RFC 2865, namely:
text (UTF-8)
string (binary)
address (IP)
integer
time
Enumerated (ENUM) specifications of allowed values are supported for the integer, string, and text data types. Attribute values are checked against these specifications when packets are parsed and constructed.
ACS uses the RADIUS State attribute (24) to identify a specific conversation. Each conversation has a unique ID. Every conversation is processed under a specific configuration version—the latest available version at the moment the conversation was initiated.
Note: The RADIUS State attribute (24) is not used for PAP authentication.
All transactions between the client and the RADIUS server have their message integrity protected by the Request/Response Authenticator field inside each RADIUS packet, which is computed using a shared secret (the secret itself is never sent over the network).
In addition, some forms of RADIUS packets, including every packet that carries encapsulated EAP-Message attributes, have the integrity of all of their RADIUS attributes additionally protected by a Message-Authenticator RADIUS attribute (which also makes use of the shared secret).
Furthermore, user passwords within the RADIUS packets sent between the client and the RADIUS server are always encrypted, so that an unauthorized user on an insecure network cannot easily determine the password.
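To make the three protections above concrete, the following is an added example in Python (not code from the ACS guide or from Cisco): it builds an Access-Request with a hidden User-Password and a Message-Authenticator, verifies the Message-Authenticator the way a server would, and computes the Response Authenticator. The shared secret, Request Authenticator, user name and password are constructed lab values.

```python
import hashlib, hmac, struct

# Constructed lab values (not from the ACS guide); a real client uses 16 random bytes for REQ_AUTH.
SECRET, REQ_AUTH = b"lab-shared-secret", bytes(range(16))
ACCESS_REQUEST, ACCESS_ACCEPT, USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 1, 2, 80

def avp(t, v):
    """Type / Length / Value encoding of one attribute (RFC 2865 section 5)."""
    return struct.pack("!BB", t, 2 + len(v)) + v

def password_crypt(data, secret, req_auth, hide):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block), where the
    first 'previous block' is the Request Authenticator and later ones are ciphertext blocks."""
    data = data + b"\x00" * (-len(data) % 16) if hide else data
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        blk = bytes(x ^ y for x, y in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + blk, (blk if hide else data[i:i + 16])
    return out if hide else out.rstrip(b"\x00")

def build_access_request(ident, username, password, secret, req_auth):
    """Assemble an Access-Request and fill in Message-Authenticator (RFC 2869 section 5.14):
    HMAC-MD5 keyed with the shared secret over the whole packet with that attribute zeroed."""
    attrs = avp(USER_NAME, username) + avp(USER_PASSWORD, password_crypt(password, secret, req_auth, True))
    attrs += avp(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def verify_message_authenticator(pkt, secret):
    """Find attribute 80, recompute the HMAC with it zeroed and compare in constant time."""
    off = 20
    while off + 2 <= len(pkt):
        t, l = pkt[off], pkt[off + 1]
        if l < 2:
            return False  # malformed attribute length
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), pkt[off + 2:off + 18])
        off += l
    return False  # attribute absent: required on packets carrying EAP-Message (RFC 3579)

def response_authenticator(code, ident, attrs, req_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret); the server
    puts this in its reply and the client recomputes it from its own Request Authenticator."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + req_auth + attrs + secret).digest()

if __name__ == "__main__":
    req = build_access_request(7, b"alice", b"s3cret", SECRET, REQ_AUTH)
    print("Message-Authenticator valid:", verify_message_authenticator(req, SECRET))
```

Because every step is keyed on the shared secret, a server that verifies these fields rejects packets from clients that do not hold the secret, and a tampered attribute or a wrong secret fails the Message-Authenticator check.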