Chapter 4 Common Scenarios Using ACS

Password-Based Network Access

Table 4-1 Network Access Authentication Protocols

Protocol    Action

PEAP        In the Allowed Protocols page, choose PEAP. For the PEAP inner method, choose EAP-MSCHAPv2 or EAP-GTC or both.

EAP-FAST    1. In the Allowed Protocols page, choose Allow EAP-FAST to enable the EAP-FAST settings.
            2. For the EAP-FAST inner method, choose EAP-MSCHAPv2 or EAP-GTC or both.
            3. Select Allow Anonymous In-Band PAC Provisioning or Allow Authenticated In-Band PAC Provisioning or both.

            For Windows machine authentication against Microsoft AD and for the change password feature:
            1. Click the Use PACs radio button. For details about PACs, see About PACs, page B-21.
            2. Check Allow Authenticated In-Band PAC Provisioning.
            3. Check Allow Machine Authentication.
            4. Enter the Machine PAC Time to Live.

For the RADIUS non-EAP authentication methods (RADIUS/PAP, RADIUS/CHAP, RADIUS/MS-CHAPv1, RADIUS/MS-CHAPv2) and the simple EAP methods (EAP-MD5 and LEAP), you need only enable the protocol in the Allowed Protocols page, as defined in Table 4-1.

Some of the more complex EAP protocols require additional configuration:

For EAP-TLS, you must also configure:

- The EAP-TLS settings under System Administration > Configuration > EAP-TLS Settings.
- A local server certificate under System Administration > Configuration > Local Server Certificates > Local Certificates.
- A CA certificate under Users and Identity Stores > Certificate Authorities (the CA that issued the client certificates, so that ACS can validate them).

For PEAP, you must also configure:

- The inner method in the Allowed Protocols page, and whether password change is allowed.
- The PEAP settings under System Administration > Configuration > PEAP Settings.
- A local server certificate under System Administration > Configuration > Local Server Certificates > Local Certificates. The supplicant validates this certificate before it sends the inner-method credential, so issue it from a CA that the clients trust.

For EAP-FAST, you must also configure:

- The inner method in the Allowed Protocols page, and whether password change is allowed.
- Whether or not to use PACs and, if you use PACs, which in-band PAC provisioning modes to allow. Anonymous in-band provisioning builds the provisioning tunnel without authenticating the server, so a client's first contact is exposed to a rogue server; authenticated provisioning requires the local server certificate listed below and is the safer choice wherever clients can be given the CA certificate.
- The EAP-FAST settings under System Administration > Configuration > EAP-FAST > Settings.
- A local server certificate under System Administration > Configuration > Local Server Certificates > Local Certificates (only if you enable authenticated PAC provisioning).
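The server-side settings above only take effect if the supplicant is configured to match them, and the client side is where the server-certificate check is either enforced or skipped. The following wpa_supplicant.conf fragment is an added example, not from the Cisco ACS guide; it shows one network block for each of EAP-TLS, PEAP with EAP-MSCHAPv2, and EAP-FAST with authenticated in-band PAC provisioning. The SSIDs, the identity alice@corp.example, the CA file and certificate paths, the corp.example domain suffix and the REPLACE_ME password are assumed placeholders.

```conf
# Added example wpa_supplicant.conf; paths, identities and SSIDs are assumed.

# EAP-TLS: the client presents its own certificate, so ACS needs its EAP-TLS
# settings, a local server certificate and the CA that issued alice.pem.
network={
    ssid="corp-tls"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@corp.example"
    ca_cert="/etc/certs/corp-ca.pem"
    domain_suffix_match="corp.example"
    client_cert="/etc/certs/alice.pem"
    private_key="/etc/certs/alice.key"
    private_key_passwd="REPLACE_ME"
    priority=30
}

# PEAP with the EAP-MSCHAPv2 inner method (the PEAP row of Table 4-1).
# ca_cert plus domain_suffix_match make the client validate the ACS server
# certificate before the MSCHAPv2 credential goes inside the tunnel; leaving
# them out would hand the credential to any server that offers a certificate.
network={
    ssid="corp-peap"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@corp.example"
    anonymous_identity="anonymous@corp.example"
    password="REPLACE_ME"
    ca_cert="/etc/certs/corp-ca.pem"
    domain_suffix_match="corp.example"
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
    priority=20
}

# EAP-FAST with PACs. fast_provisioning=2 accepts only authenticated in-band
# provisioning (server certificate checked against ca_cert); 1 would accept
# anonymous provisioning and 3 both, mirroring the two ACS check boxes.
network={
    ssid="corp-fast"
    key_mgmt=WPA-EAP
    eap=FAST
    identity="alice@corp.example"
    anonymous_identity="anonymous@corp.example"
    password="REPLACE_ME"
    ca_cert="/etc/certs/corp-ca.pem"
    domain_suffix_match="corp.example"
    phase1="fast_provisioning=2"
    phase2="auth=MSCHAPV2"
    pac_file="/var/lib/wpa_supplicant/alice.pac"
    priority=10
}
```

If the ACS side has only Allow Anonymous In-Band PAC Provisioning checked, a client with fast_provisioning=2 will fail to obtain a PAC rather than fall back silently, which is the behaviour you want when rolling out authenticated provisioning.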

User Guide for Cisco Secure Access Control System 5.3

4-8

OL-24201-01
