Cisco Systems OL-24201-01 EAP- MSCHAPv2 Flow in ACS, Windows Machine Authentication Against AD

Appendix B Authentication in ACS 5.3

CHAP

Windows Machine Authentication Against AD

EAP-MSCHAPv2 can be used for machine authentication. EAP-MSCHAPv2 Windows machine authentication is the same as user authentication. The difference is that you must use the Active Directory of a Windows domain, since a machine password can be generated automatically on the machine and the AD, as a function of time and other parameters. The password generated cannot be stored in other types of credential databases.

EAP- MSCHAPv2 Flow in ACS 5.3

Components involved in the 802.1x and MSCHAPv2 authentication process are the:

•Host—The end entity, or end user’s machine.

•AAA client—The network access point.

•Authentication server—ACS.

The MSCHAPv2 protocol is described in RFC 2759.

Related Topic

•Authentication Protocol and Identity Store Compatibility, page B-35

CHAP

CHAP uses a challenge-response mechanism with one-way encryption on the response. CHAP enables ACS to negotiate downward from the most secure to the least secure encryption mechanism, and it protects passwords that are transmitted in the process. CHAP passwords are reusable.

If you are using the ACS internal database for authentication, you can use PAP or CHAP. CHAP does not work with the Windows user database. Compared to RADIUS PAP, CHAP allows a higher level of security for encrypting passwords when communicating from an end-user client to the AAA client.

LEAP

ACS currently uses LEAP only for Cisco Aironet wireless networking. If you do not enable this option, Cisco Aironet end-user clients who are configured to perform LEAP authentication cannot access the network. If all Cisco Aironet end-user clients use a different authentication protocol, such as EAP-TLS, we recommend that you disable this option.

Note If users who access your network by using a AAA client that is defined in the Network Configuration section as a RADIUS (Cisco Aironet) device, then you must enable LEAP, EAP-TLS, or both; otherwise, Cisco Aironet users cannot authenticate.