Appendix A AAA Protocols

Overview of RADIUS

RADIUS Attribute Support in ACS 5.3

ACS 5.3 supports the RADIUS protocol as RFC 2865 describes.

ACS 5.3 supports the following types of RADIUS attributes:

IETF RADIUS attributes

Generic and Cisco VSAs

Other vendors’ attributes

ACS 5.3 also supports attributes defined in the following extensions to RADIUS:

Accounting-related attributes, as defined in RFC 2866.

Support for Tunnel Protocol, as defined in RFCs 2867 and 2868.

Support for EAP (via the EAP-Message attribute), as defined in RFCs 2869 and 3579.

Note When RADIUS parameters are referenced, the convention [attribute-number]attribute-name is used; for example, [1]User-Name, where the number and name are those assigned to the parameter in the specification.

RADIUS supports receiving, sending, and dictionary-based parsing and construction of any RADIUS attribute regardless of whether it is a regular attribute, VSA, or Cisco attribute-value (AV) pair. The RADIUS interface in ACS supports the attribute data types defined in RFC 2865, namely:

text (UTF-8)

string (binary)

address (IP)

integer

time

For the integer, string, and text data types, enumerated (ENUM) specifications of allowed values are supported. Attribute values are checked against these specifications during packet parsing and construction.

ACS uses the RADIUS State attribute (24) to identify a specific conversation. Each conversation has a unique ID. Every conversation is processed under a specific configuration version—the latest available version at the moment the conversation was initiated.

Note The RADIUS State attribute (24) is not used for PAP authentication.

All transactions between the client and RADIUS server have their message integrity protected by the Request/Response Authenticator field inside each RADIUS packet, which is computed using a shared secret that is itself never sent over the network.

In addition, some RADIUS packets, including all of those that carry encapsulated EAP-Message attributes, have the integrity of all of their RADIUS attributes additionally protected by a Message-Authenticator RADIUS attribute, which also makes use of the shared secret.

Furthermore, user passwords in the RADIUS packets sent between the client and RADIUS server are always encrypted, so that an unauthorized user on an insecure network cannot easily recover the password.
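The two mechanisms described above, RFC 2865 User-Password hiding and the RFC 2869 Message-Authenticator, as an added Python example that is not code from the ACS guide or from ACS itself. The shared secret, identifier, user name and password are constructed values; the server-side check rejects a packet whose HMAC does not match or that lacks the attribute.

```python
import hashlib
import hmac
import struct

SECRET = b"example-shared-secret"  # constructed demo value, not from the ACS guide

def password_xor(data, secret, req_auth, hiding):
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext
    # block), seeded with the Request Authenticator. hiding=True turns a password
    # into the User-Password value; hiding=False reverses it (strip NUL padding).
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = block if hiding else data[i:i + 16]  # chain on the ciphertext
    return out

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value  # Length counts the header

def parse_attrs(pkt):
    # Walk the attribute list after the 20-byte header into (type, value) pairs.
    attrs, pos = [], 20
    while pos < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return attrs

def build_access_request(ident, req_auth, username, password, secret):
    # Access-Request (Code 1) carrying [1]User-Name, [2]User-Password and
    # [80]Message-Authenticator = HMAC-MD5(secret, packet with attr 80 zeroed).
    attrs = attr(1, username) + attr(2, password_xor(password, secret, req_auth, True))
    attrs += attr(80, b"\x00" * 16)  # placeholder, replaced by the HMAC below
    pkt = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def verify_message_authenticator(pkt, secret):
    # Server-side check: rebuild the packet with attr 80 zeroed and recompute.
    attrs = parse_attrs(pkt)
    mac = next((v for t, v in attrs if t == 80), None)
    if mac is None or len(mac) != 16:
        return False  # absent or malformed: reject rather than accept silently
    zeroed = pkt[:20] + b"".join(attr(t, b"\x00" * 16 if t == 80 else v) for t, v in attrs)
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), mac)
```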

User Guide for Cisco Secure Access Control System 5.3

OL-24201-01