A-9
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Appendix A AAA Protocols
Overview of RADIUS
Authentication
ACS supports various authentication protocols transported over RADIUS. The supported protocols that
do not include EAP are:
PAP
CHAP
MSCHAPv1
MSCHAPv2
In addition, various EAP-based protocols can be transported over RADIUS, encapsulated within the
RADIUS EAP-Message attribute. These can be further categorized by whether, and to what extent,
they make use of certificates:
EAP methods that do not use certificates:
EAP-MD5
LEAP
EAP methods in which the client uses the ACS server certificate to perform server authentication:
PEAP/EAP-MSCHAPv2
PEAP/EAP-GTC
EAP-FAST/EAP-MSCHAPv2
EAP-FAST/EAP-GTC
EAP methods that use certificates for both server and client authentication:
EAP-TLS
PEAP/EAP-TLS
Authorization
Authorization is permitted according to the configured access policies.
Accounting
You can use the accounting functions of the RADIUS protocol independently of the RADIUS
authentication or authorization functions. Some of the RADIUS accounting functions send data at the
start and end of sessions and indicate the amount of resources (such as time, packets, bytes, and so on)
used during the session.
An ISP might use RADIUS access control and accounting software to meet special security and billing
needs.
RADIUS Attribute Rewrite Operation
In ACS 5.4, you can define additional RADIUS attributes or update existing ones. The updated
attributes are rewritten in the RADIUS request before it is sent to the RADIUS proxy server. This
attribute manipulation is configured as part of the Proxy Access Service definition. The RADIUS
attribute rewrite feature is enabled only for RADIUS Access-Requests; it is not enabled for accounting
requests.
The RADIUS attribute rewrite feature allows you to add, update, and delete the inbound RADIUS
attributes of access requests that are redirected to external servers. The attribute manipulation is
defined as an attribute operation statement and configured as part of the Proxy Access Service.
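The following is an added illustration of the add/update/delete rewrite described above applied to the attribute section of an inbound request; it is not ACS code and does not reproduce ACS's attribute operation syntax. The attribute numbers are the standard RFC 2865 ones, the sample request and operations are constructed, and the choice that "update" only touches existing instances while "add" appends is an assumption.

```python
import struct

ACCESS_REQUEST = 1      # RADIUS Code 1 (RFC 2865)
ACCOUNTING_REQUEST = 4  # RADIUS Code 4 (RFC 2866)
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID, NAS_IDENTIFIER = 1, 4, 31, 32

def parse_attributes(payload: bytes) -> list:
    """Decode RADIUS attribute TLVs: 1-byte Type, 1-byte Length (covering the
    2-byte header), then Value. Rejects truncated or under-length TLVs."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        atype, alen = payload[i], payload[i + 1]
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs

def encode_attributes(attrs) -> bytes:
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)

def apply_rewrite(code: int, attrs, operations) -> list:
    """Apply ('add'|'update'|'delete', type[, value]) operations in order.
    Only Access-Requests are rewritten; accounting requests pass through
    unchanged, matching the feature's scope. 'update' touches existing
    instances only and 'add' appends (assumed semantics, not from the guide)."""
    if code != ACCESS_REQUEST:
        return list(attrs)
    result = list(attrs)
    for op, atype, *value in operations:
        if op == "delete":
            result = [(t, v) for t, v in result if t != atype]
        elif op == "update":
            result = [(t, value[0] if t == atype else v) for t, v in result]
        elif op == "add":
            result.append((atype, value[0]))
        else:
            raise ValueError("unknown operation %r" % op)
    return result

# Constructed sample: attribute section of an inbound Access-Request, plus the
# operations a proxy policy might express (qualify the user name with a realm,
# strip the caller's MAC, tag the request with a NAS-Identifier).
SAMPLE = encode_attributes([(USER_NAME, b"alice"),
                            (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),
                            (CALLING_STATION_ID, b"00-11-22-33-44-55")])
OPERATIONS = [("update", USER_NAME, b"alice@example.com"),
              ("delete", CALLING_STATION_ID),
              ("add", NAS_IDENTIFIER, b"acs-proxy")]
```

Because rewriting changes the attribute bytes, any Message-Authenticator (attribute 80) carried in the inbound request no longer verifies; the proxy must recompute it over the outbound packet with the shared secret it holds for the external server.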