Cisco Systems OL-12180-01 TACACS+ Server Support, SDI Server Support, Authentication Methods

Chapter 12 Configuring AAA Servers and User Accounts

AAA Server and Local Database Support

This section contains the following topics:

•Authentication Methods, page 12-4

•Attribute Support, page 12-4

•RADIUS Authorization Functions, page 12-4

Authentication Methods

The security appliance supports the following authentication methods with RADIUS:

•PAP—For all connection types.

•CHAP—For L2TP-over-IPSec.

•MS-CHAPv1—For L2TP-over-IPSec.

•MS-CHAPv2—For L2TP-over-IPSec, and for regular IPSec remote access connections when the password management feature is enabled.

Attribute Support

The security appliance supports the following sets of RADIUS attributes:

•Authentication attributes defined in RFC 2138.

•Accounting attributes defined in RFC 2139.

•RADIUS attributes for tunneled protocol support, defined in RFC 2868.

•Cisco IOS VSAs, identified by RADIUS vendor ID 9.

•Cisco VPN-related VSAs, identified by RADIUS vendor ID 3076.

•Microsoft VSAs, defined in RFC 2548.

RADIUS Authorization Functions

The security appliance can use RADIUS servers for user authorization for network access using dynamic access lists or access list names per user. To implement dynamic access lists, you must configure the RADIUS server to support it. When the user authenticates, the RADIUS server sends a downloadable access list or access list name to the security appliance. Access to a given service is either permitted or denied by the access list. The security appliance deletes the access list when the authentication session expires.

TACACS+ Server Support

The security appliance supports TACACS+ authentication with ASCII, PAP, CHAP, and MS-CHAPv1.

SDI Server Support

The RSA SecureID servers are also known as SDI servers.

This section contains the following topics:

•SDI Version Support, page 12-5