Cisco Systems OL-24201-01 EAP

B-3

User Guide for Cisco Secure Access Control System 5.3

OL-24201-01

Appendix B Authentication in ACS 5.3

EAP

You can use different levels of security concurrently with ACS for different requirements. PAP applies

a two-way handshaking procedure. If authentication succeeds, ACS returns an acknowledgement;

otherwise, ACS terminates the connection or gives the originator another chance.

The originator is in total control of the frequency and timing of the attempts. Therefore, any server that

can use a stronger authentication method will offer to negotiate that method prior to PAP. RFC 1334

defines PAP.

Figure B-1 illustrates RADIUS with PAP authentication.

Figure B-1 RADIUS with PAP Authentication Use Case

EAP

Extensible Authentication Protocol (EAP) is an authentication framework for wireless networks and

point-to-point connections. EAP supports multiple authentication methods, and provides common

functions and rules for negotiation of the desired authentication method:

•Server authentication request

•Client authentication response

•Server success authentication result

•Server failure authentication result

•Silent discard of client packets if they do not meet integrity and security conditions

•Rules for server-initiated EAP method negotiation

•Message sequencing, and tracking responses to requests

•Retransmit

EAP is a lock-step protocol; after the initial request, ACS cannot send a new request before receiving a

valid response from the client.

1A host connects to the network. Any

communication protocol may be used

depending on the host.

3ACS uses an external identity store to validate

the user's credentials.

2The network device sends a RADIUS access

request to ACS.

4The RADIUS response (Access-Accept or

Access-Reject) is sent to the network device

that will apply the decision.

Host

Network Device

External

Identity Store

210732

ACS Server