Chapter 8 Managing Users and Identity Stores

Managing External Identity Stores

For more information on features like Event Delivery Method and Active Response, see the Cisco NAC Profiler Installation and Configuration Guide, Release 3.1 at the following location:

http://www.cisco.com/en/US/docs/security/nac/profiler/configuration_guide/310/p_prof_events31.html

Troubleshooting MAB Authentication with Profiler Integration

To troubleshoot MAB authentication while integrating with NAC Profiler, and to verify that the endpoint is successfully authenticated, complete the following steps:

Step 1 Run the following command on the switch that is connected to the endpoint devices:

ACCESS-Switch# show authentication sessions

The following output is displayed:

Interface  MAC Address     Method  Domain  Status         Session ID
Fa1/0/1    0014.d11b.aa36  mab     DATA    Authz Success  505050010000004A0B41FD15

A Status of Authz Success with Method mab shows that the endpoint's MAC address was accepted and the session was authorized.

Step 2 Enable debugging for SNMP, AAA, and 802.1X on the switch.

Step 3 Verify the MAB authentication logs under Monitoring and Reports Viewer > Troubleshooting, for both failed and successful authentications.
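When several endpoints hang off one switch, reading the Step 1 output by eye is error-prone. The following Python script is an added example, not part of the Cisco guide: it parses show authentication sessions output of the form shown above and returns the MAB sessions that did not reach Authz Success, which are the ones to chase in the Step 3 logs. The sample output is constructed for this illustration; only its first row comes from the page, the other rows are assumed endpoints that exercise the failure cases. Keep in mind that MAB authorizes on the MAC address alone, so Authz Success proves that the MAC was known to ACS or the profiler, not that the device presenting it is what it claims to be.

```python
"""Parse `show authentication sessions` output and flag MAB sessions that
did not reach "Authz Success".

Added example for the troubleshooting procedure above; it is not code from
the Cisco ACS or NAC Profiler products.
"""
import re
from dataclasses import dataclass

# Constructed sample output. Row 1 is the page's example; rows 2-4 are assumed
# additional endpoints (a failed MAB session, a dot1x session that must be
# ignored, and a MAB session still in progress).
SAMPLE_OUTPUT = """\
Interface  MAC Address     Method  Domain  Status         Session ID
Fa1/0/1    0014.d11b.aa36  mab     DATA    Authz Success  505050010000004A0B41FD15
Fa1/0/2    0014.d11b.aa37  mab     DATA    Authz Failed   505050010000004B0B41FD16
Fa1/0/3    0014.d11b.aa38  dot1x   DATA    Authz Success  505050010000004C0B41FD17
Fa1/0/4    0014.d11b.aa39  mab     DATA    Running        505050010000004D0B41FD18
"""


@dataclass(frozen=True)
class AuthSession:
    interface: str
    mac: str
    method: str
    domain: str
    status: str
    session_id: str


# Status is the only column that may contain spaces, so the pattern anchors on
# the fixed-format fields around it: a dotted MAC, a method keyword, a domain
# keyword, and a hexadecimal session ID at the end of the line.
_ROW = re.compile(
    r"^(?P<iface>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<method>mab|dot1x|webauth)\s+"
    r"(?P<domain>DATA|VOICE|UNKNOWN)\s+"
    r"(?P<status>.+?)\s+"
    r"(?P<sid>[0-9A-F]+)$",
    re.IGNORECASE,
)


def parse_sessions(text: str) -> list[AuthSession]:
    """Return one AuthSession per data row; header and blank lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            sessions.append(AuthSession(
                interface=m["iface"],
                mac=m["mac"].lower(),
                method=m["method"].lower(),
                domain=m["domain"].upper(),
                status=m["status"].strip(),
                session_id=m["sid"],
            ))
    return sessions


def mab_not_authorized(sessions: list[AuthSession]) -> list[AuthSession]:
    """MAB sessions whose status is anything other than 'Authz Success'.

    Sessions using other methods (dot1x, webauth) are deliberately excluded;
    they are outside the MAB troubleshooting procedure.
    """
    return [s for s in sessions
            if s.method == "mab" and s.status != "Authz Success"]


if __name__ == "__main__":
    for s in mab_not_authorized(parse_sessions(SAMPLE_OUTPUT)):
        print(f"{s.interface} {s.mac} status={s.status!r} session={s.session_id}")
```

Paste the real command output into SAMPLE_OUTPUT (or read it from a file) and look up each reported session ID in Monitoring and Reports Viewer > Troubleshooting. A status of Running means the switch is still waiting on ACS, which usually points at the AAA or SNMP exchange enabled for debugging in Step 2 rather than at the endpoint itself.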

Microsoft AD

ACS uses Microsoft Active Directory (AD) as an external identity store for resources such as users, machines, groups, and attributes, and authenticates these resources against AD.

Supported Authentication Protocols

EAP-FAST and PEAP—ACS 5.3 supports user and machine authentication, and password change, against AD using EAP-FAST and PEAP with an inner method of MSCHAPv2 or EAP-GTC.

PAP—ACS 5.3 supports authentication against AD using PAP and also allows you to change AD user passwords.

MSCHAPv1—ACS 5.3 supports user and machine authentication against AD using MSCHAPv1. Changing an AD user's password requires MSCHAP version 2. ACS does not support the MS-CHAP MPPE-Keys attribute for a user, but does support MPPE-Send-Key and MPPE-Recv-Key.

Note ACS 5.3 does not support changing user password against AD using MSCHAP version 1.

MSCHAPv2—ACS 5.3 supports user and machine authentication against AD using MSCHAPv2. ACS does not support MS-CHAP MPPE-Keys of a user, but does support MPPE-Send-Key and MPPE-Recv-Key.

EAP-GTC—ACS 5.3 supports user and machine authentication against AD using EAP-GTC.

EAP-TLS—ACS uses the certificate retrieval option introduced in 5.3 to support user and machine authentication against AD using EAP-TLS.

ACS 5.x supports changing the password of users who are authenticated against Active Directory with TACACS+ PAP/ASCII, EAP-MSCHAP, and EAP-GTC. Password change with EAP-FAST and PEAP using an inner MSCHAPv2 method is also supported.

User Guide for Cisco Secure Access Control System 5.3    OL-24201-01    8-41