Chapter 4 Common Scenarios Using ACS

Password-Based Network Access

Note: During password-based access (or certificate-based access), the user is not only authenticated but also authorized according to the ACS configuration. If the NAS sends accounting requests, accounting is also performed for the user.

ACS supports the following password-based authentication methods:

- Plain RADIUS password authentication methods
  - RADIUS-PAP
  - RADIUS-CHAP
  - RADIUS-MSCHAPv1
  - RADIUS-MSCHAPv2

- RADIUS EAP-based password authentication methods
  - PEAP-MSCHAPv2
  - PEAP-GTC
  - EAP-FAST-MSCHAPv2
  - EAP-FAST-GTC
  - EAP-MD5
  - LEAP

You must choose the authentication method based on the following factors:

The network access server—Wireless access points, 802.1X authenticating switches, VPN servers, and so on.

The client computer and software—EAP supplicant, VPN client, and so on.

The identity store that is used to authenticate the user—Internal or External (AD, LDAP, RSA token server, or RADIUS identity server).

Related Topics

Authentication in ACS 5.3, page B-1

Password-Based Network Access Configuration Flow, page 4-7

Network Devices and AAA Clients, page 7-5

Managing Access Policies, page 10-1

User Guide for Cisco Secure Access Control System 5.3

4-6

OL-24201-01

 

 
