Appendix B Authentication in ACS 5.3

Authentication Protocol and Identity Store Compatibility

Note: Microsoft PEAP clients may also initiate machine authentication whenever a user logs off. This feature prepares the network connection for the next user login. Microsoft PEAP clients may also initiate machine authentication when a user shuts down or restarts the computer rather than just logging off.

ACS supports EAP-TLS, EAP-FAST, PEAP (EAP-MSCHAPv2), and PEAP (EAP-GTC) for machine authentication. You can enable each separately on the Active Directory: General Page, which allows a mix of computers that authenticate with EAP-TLS, EAP-FAST, or PEAP (EAP-MSCHAPv2).

Microsoft operating systems that perform machine authentication might limit the user authentication protocol to the same protocol that is used for machine authentication.

Related Topics

Microsoft AD, page 8-41

Managing External Identity Stores, page 8-22

Authentication Protocol and Identity Store Compatibility

ACS supports various authentication protocols to authenticate against the supported identity stores.

Table B-4 specifies non-EAP authentication protocol support.

Table B-4    Non-EAP Authentication Protocol and User Database Compatibility

Identity Store          ASCII/PAP   MSCHAPv1/MSCHAPv2   CHAP
ACS                     Yes         Yes                 Yes
Windows AD              Yes         Yes                 No
LDAP                    Yes         No                  No
RSA Identity Store      Yes         No                  No
RADIUS Identity Store   Yes         No                  No

User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
B-35