B-31
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Appendix B Authentication in ACS 5.3
Windows Machine Authentication Against AD

EAP-MSCHAPv2 can also be used for machine authentication. The EAP-MSCHAPv2 exchange for a Windows
machine is the same as for a user; the difference is the credential being checked. A domain-joined
machine's account password is generated automatically by the machine and changed on the domain
controller on a schedule, so the current value exists only in the Active Directory of the Windows
domain. It cannot be copied into, or verified against, any other type of credential database, which is
why machine authentication requires AD as the identity store.

EAP-MSCHAPv2 Flow in ACS 5.3

The components involved in the 802.1X and MSCHAPv2 authentication process are:
- Host: the end entity, that is, the end user's machine (the supplicant).
- AAA client: the network access point (the authenticator).
- Authentication server: ACS.
The MSCHAPv2 protocol is described in RFC 2759.
Related Topic
Authentication Protocol and Identity Store Compatibility, page B-35

CHAP

CHAP (RFC 1994) uses a challenge-response mechanism: the AAA client sends a random challenge, and the
host replies with a one-way MD5 hash computed over the CHAP identifier, the password, and the challenge.
The password itself is never transmitted, so CHAP protects it on the path from the end-user client to the
AAA client. CHAP passwords are reusable, that is, the same static password is used for every
authentication (unlike a one-time password), and the randomness of each challenge is what prevents an
eavesdropper from replaying a captured response.
If you are using the ACS internal database for authentication, you can use PAP or CHAP. CHAP does not
work with the Windows user database: to verify a response the server must recompute the same MD5 hash,
which requires access to the user's cleartext password, and a Windows or AD store holds only a password
hash. Compared to RADIUS PAP, in which the password is sent to the AAA client in the clear and is only
obfuscated on the RADIUS leg, CHAP gives a higher level of protection for the password between the
end-user client and the AAA client.
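The following is an added example, not code from the ACS guide or from Cisco. It implements the CHAP exchange described above across all three components (host, AAA client, authentication server) and packs the result into the RADIUS CHAP-Password and CHAP-Challenge attributes as RFC 2865 defines them. The user database is a constructed dict standing in for the ACS internal store; the server side shows concretely why a store that holds only a hashed password cannot verify CHAP.

```python
"""CHAP (RFC 1994) over RADIUS (RFC 2865), all three roles, stdlib only.

Added example; not part of the ACS 5.3 documentation. USER_DB below is a
constructed stand-in for the ACS internal identity store.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

CHAP_PASSWORD = 3    # RADIUS attribute type (RFC 2865, section 5.3)
CHAP_CHALLENGE = 60  # RADIUS attribute type (RFC 2865, section 5.40)

# Constructed sample data: the internal store must hold the cleartext
# password, because the server has to recompute the client's hash.
USER_DB: Dict[str, bytes] = {"alice": b"correct horse battery staple"}


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Host side. RFC 1994 4.1: Response = MD5(Identifier || secret || Challenge)."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def encode_avp(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: Type (1), Length (1, includes header), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_avps(blob: bytes) -> Dict[int, bytes]:
    """Parse a run of RADIUS attributes, rejecting malformed lengths."""
    attrs: Dict[int, bytes] = {}
    pos = 0
    while pos < len(blob):
        attr_type, length = struct.unpack_from("!BB", blob, pos)
        if length < 2 or pos + length > len(blob):
            raise ValueError("malformed RADIUS attribute")
        attrs[attr_type] = blob[pos + 2:pos + length]
        pos += length
    return attrs


def nas_build_access_request(ident: int, challenge: bytes, response: bytes) -> bytes:
    """AAA client side. CHAP-Password = Ident (1 octet) + 16-octet response.

    The challenge is carried in CHAP-Challenge (a NAS may instead reuse the
    Request Authenticator; this example always sends it explicitly).
    """
    return (encode_avp(CHAP_PASSWORD, bytes([ident]) + response)
            + encode_avp(CHAP_CHALLENGE, challenge))


def server_verify(attributes: bytes, cleartext_secret: Optional[bytes]) -> bool:
    """Authentication server side. Needs the cleartext password; a store that
    only has a hash (for example a Windows/AD account) can never answer."""
    if cleartext_secret is None:
        return False
    attrs = decode_avps(attributes)
    chap_pw = attrs.get(CHAP_PASSWORD)
    challenge = attrs.get(CHAP_CHALLENGE)
    if chap_pw is None or challenge is None or len(chap_pw) != 17:
        return False
    ident, response = chap_pw[0], chap_pw[1:]
    expected = chap_response(ident, cleartext_secret, challenge)
    return hmac.compare_digest(expected, response)  # constant-time compare


def full_exchange(username: str, host_secret: bytes, user_db: Dict[str, bytes],
                  ident: int = 1, challenge: Optional[bytes] = None) -> bool:
    """Host -> AAA client -> server, as in the component list above."""
    if challenge is None:
        challenge = os.urandom(16)                          # NAS: fresh random challenge per attempt
    response = chap_response(ident, host_secret, challenge)  # host: password never leaves the host
    request = nas_build_access_request(ident, challenge, response)  # NAS: forward over RADIUS
    return server_verify(request, user_db.get(username))    # server: look up cleartext password


if __name__ == "__main__":
    print("alice, right password:", full_exchange("alice", b"correct horse battery staple", USER_DB))
    print("alice, wrong password:", full_exchange("alice", b"wrong", USER_DB))
    print("unknown user:", full_exchange("mallory", b"anything", USER_DB))
```

Note that the only secret-dependent input the server needs is the cleartext password; swapping `USER_DB` for one that stores `hashlib.sha256(password)` would leave `server_verify` with nothing it could feed to `chap_response`, which is the limitation the guide states for the Windows user database.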

LEAP

ACS currently uses LEAP only for Cisco Aironet wireless networking. If you do not enable this option,
Cisco Aironet end-user clients that are configured to perform LEAP authentication cannot access the
network. If all Cisco Aironet end-user clients use a different authentication protocol, such as EAP-TLS,
we recommend that you disable this option: LEAP's MS-CHAP-based challenge-response is susceptible to
offline dictionary attack against a captured exchange, so leaving it enabled exposes users who could
otherwise authenticate with a stronger EAP method.
Note If users access your network through an AAA client that is defined in the Network Configuration
section as a RADIUS (Cisco Aironet) device, you must enable LEAP, EAP-TLS, or both; otherwise, Cisco
Aironet users cannot authenticate.