Chapter 10 Managing Access Policies

Configuring Access Services

Related Topic

Configuring Access Service Allowed Protocols, page 10-15

Configuring Access Services Templates, page 10-19

Configuring Access Service Allowed Protocols

The allowed protocols are the second part of access service creation. Access service definitions contain general and allowed protocol information. When you duplicate and edit services, the Access Service properties page contains tabs.

Step 1 Select Access Policies > Access Services, then click:

Create to create a new access service, then click Next to go to the Allowed Protocols screen.

Duplicate to duplicate an access service, then click Next to go to the Allowed Protocols screen.

Edit to edit an access service, then click Next to go to the Allowed Protocols screen.

Step 2 Complete the fields as shown in Table 10-7:

Table 10-7 Access Service Properties—Allowed Protocols Page

Option

Description

 

 

Process Host Lookup

Check to configure ACS to process the Host Lookup field (for example, when the RADIUS

 

Service-Type equals 10) and use the System UserName attribute from the RADIUS

 

Calling-Station-ID attribute.

 

Uncheck for ACS to ignore the Host Lookup request and use the original value of the system

 

UserName attribute for authentication and authorization. When unchecked, message processing

 

is according to the protocol (for example, PAP).

 

 

Authentication Protocols

 

 

 

Allow PAP/ASCII

Enables PAP/ASCII. PAP uses clear-text passwords (that is, unencrypted passwords) and is the

 

least secure authentication protocol.

 

When you check Allow PAP/ASCII, you can check Detect PAP as Host Lookup to configure

 

ACS to detect this type of request as a Host Lookup (instead of PAP) request in the network access

 

service.

 

 

Allow CHAP

Enables CHAP authentication. CHAP uses a challenge-response mechanism with password

 

encryption. CHAP does not work with the Windows Active Directory.

 

 

Allow MS-CHAPv1

Enables MS-CHAPv1.

 

 

Allow MSCHAPv2

Enables MSCHAPv2.

 

 

Allow EAP-MD5

Enables EAP-based Message Digest 5 hashed authentication.

 

When you check Allow EAP-MD5, you can check Detect EAP-MD5 as Host Lookup to

 

configure ACS to detect this type of request as a Host Lookup (instead of EAP-MD5) request in

 

the network access service.

 

 

 

 

User Guide for Cisco Secure Access Control System 5.3

 

 

 

 

 

 

OL-24201-01

 

 

10-15

 

 

 

 

 

Page 279
Image 279
Cisco Systems OL-24201-01 Configuring Access Service Allowed Protocols, Select Access Policies Access Services, then click