Chapter 4 Common Scenarios Using ACS

Agentless Network Access

Process Service-Type Call Check

You may not want to copy the Calling-Station-ID attribute value to the System UserName attribute value. When the Process Host Lookup option is checked, ACS uses the System UserName attribute that was copied from the RADIUS User-Name attribute.

When the Process Host Lookup option is not checked, ACS ignores the HostLookup field and uses the original value of the System UserName attribute for authentication and authorization. Request processing then continues according to the message protocol; for PAP, for example, according to the RADIUS User-Name and User-Password attributes.

For setting the Process Host Lookup option, see Creating an Access Service for Host Lookup, page 4-18.

PAP/EAP-MD5 Authentication

When a device is configured to use PAP or EAP-MD5 for MAC address authentication, you can configure ACS, within the network access service, to detect the request as a Host Lookup request. The device sends the request with the host's MAC address in the User-Name, User-Password, and Calling-Station-ID attributes.

If you do not configure ACS to detect Host Lookup, the access request is handled as a regular PAP or EAP-MD5 authentication request.

If you check the Process Host Lookup field and select PAP or EAP-MD5, ACS places the HostLookup value in the ACS::UseCase attribute. The User-Password attribute is ignored by the detection algorithm.

ACS then follows the same authentication process as for a request that carries the Call Check attribute, and processes it as a Host Lookup (Service-Type=10) request. The RADIUS dictionary attribute ACS::UseCase is set to the value HostLookup.

Detect Host Lookup for PAP and EAP-MD5 MAC authentication runs after the service selection policy. If a service selection rule is configured to match ACS::UseCase = Host Lookup, the request falls into the Host Lookup category.

If ACS is not configured to detect PAP or EAP-MD5 authentications as MAC authentication flows, ACS does not consider the Detect Host Lookup option. These requests are handled like regular user authentication requests, and ACS looks up the username and password in the selected identity store.
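The two cases above (a request that already carries Service-Type=Call Check, and a PAP or EAP-MD5 request that Process Host Lookup must detect as MAC authentication) can be modelled as one classification step. The following is an added illustration, not ACS code: ACS's internal attribute handling is not exposed, so the configuration and result structures (HostLookupConfig, Decision), the accepted MAC notations, and the detection rule itself (User-Name and Calling-Station-ID carry the same MAC; User-Password is not consulted, as the text states) are assumptions. The sample requests in main() are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

SERVICE_TYPE_CALL_CHECK = 10        # RADIUS Service-Type value "Call Check"
USECASE_HOST_LOOKUP = "HostLookup"  # value ACS places in ACS::UseCase

# MAC notations accepted here (an assumption; the guide does not list them):
# aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff, aabbccddeeff
_MAC_RE = re.compile(
    r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$"
    r"|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$"
    r"|^[0-9a-f]{12}$"
)


def normalize_mac(value: Optional[str]) -> Optional[str]:
    """Return the MAC as 12 lowercase hex digits, or None if value is not a MAC."""
    if value is None:
        return None
    v = str(value).strip().lower()
    if not _MAC_RE.match(v):
        return None
    return re.sub(r"[^0-9a-f]", "", v)


@dataclass(frozen=True)
class HostLookupConfig:
    """Host Lookup settings of one access service (hypothetical field names)."""
    process_host_lookup: bool = False               # "Process Host Lookup" checked?
    detect_protocols: FrozenSet[str] = frozenset()  # subset of {"PAP", "EAP-MD5"}


@dataclass(frozen=True)
class Decision:
    use_case: Optional[str]  # ACS::UseCase after detection; None if not set
    identity: str            # System UserName sent to the identity store
    check_password: bool     # True: regular PAP/EAP-MD5 credential validation


def classify(req: Dict[str, object], cfg: HostLookupConfig, protocol: str) -> Decision:
    """Decide whether an Access-Request is processed as a Host Lookup request.

    req maps decoded RADIUS attribute names to values; protocol is the
    authentication protocol in use ("PAP", "EAP-MD5", "PEAP", ...).
    """
    user_name = str(req.get("User-Name", ""))
    regular = Decision(None, user_name, True)

    if not cfg.process_host_lookup:
        # Option unchecked: the HostLookup field is ignored and the original
        # System UserName (copied from RADIUS User-Name) is used as-is.
        return regular

    # Case 1: the NAS already marked the request as Call Check (Service-Type=10).
    if req.get("Service-Type") == SERVICE_TYPE_CALL_CHECK:
        return Decision(USECASE_HOST_LOOKUP, user_name, False)

    # Case 2: PAP / EAP-MD5 MAC authentication. Detection runs only for the
    # protocols selected under Process Host Lookup and never looks at
    # User-Password; from here on the request is handled like Service-Type=10.
    if protocol in cfg.detect_protocols:
        mac_user = normalize_mac(user_name)
        mac_csid = normalize_mac(req.get("Calling-Station-Id"))  # type: ignore[arg-type]
        if mac_user is not None and mac_user == mac_csid:
            return Decision(USECASE_HOST_LOOKUP, user_name, False)

    return regular


def main() -> None:
    cfg = HostLookupConfig(True, frozenset({"PAP", "EAP-MD5"}))
    # Constructed sample requests: a switch doing PAP MAC authentication,
    # an ordinary PAP user, and a NAS that sends Service-Type=Call Check.
    samples = [
        ("PAP", {"User-Name": "00-11-22-33-44-55", "User-Password": "00-11-22-33-44-55",
                 "Calling-Station-Id": "0011.2233.4455"}),
        ("PAP", {"User-Name": "alice", "User-Password": "s3cret",
                 "Calling-Station-Id": "00-11-22-33-44-55"}),
        ("PEAP", {"User-Name": "001122334455", "Service-Type": SERVICE_TYPE_CALL_CHECK}),
    ]
    for protocol, req in samples:
        print(protocol, req.get("User-Name"), "->", classify(req, cfg, protocol))


if __name__ == "__main__":
    main()
```

Two details are worth noting when reading the output: a request whose User-Name is a MAC but whose Calling-Station-Id is a different MAC (or absent) falls back to regular authentication, so a client cannot enter the Host Lookup flow merely by typing a MAC as its username; and the same PAP MAC request against a service whose Process Host Lookup option is unchecked is treated as a normal PAP login, exactly as the text describes.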

Related Topics

Creating an Access Service for Host Lookup, page 4-18

Managing Access Policies, page 10-1

Viewing and Performing Bulk Operations for Internal Identity Store Hosts, page 8-18

Managing Users and Identity Stores, page 8-1

User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
4-15