Chapter1 Overview of Cisco Secure ACS
AAA Server Functions and Concepts
1-12
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Basic Password ConfigurationsThere are several basic password configurations:
Note These configurations are all classed as inbound authentication.
•Single password for ASCII/PAP/CHAP/MS-CHAP/ARAP—This is the
most convenient method for both the administrator when setting up accounts
and the user when obtaining authentication. However, because the CHAP
password is the same as the PAP password, and the PAP password is
transmitted in clear text during an ASCII/PAP login, there is the chance that
the CHAP password can be compromised.
•Separate passwords for ASCII/PAP and CHAP/MS-CHAP/ARAP—For a
higher level of security, users can be given two separate passwords. If the
ASCII/PAP password is compromised, the CHAP/ARAP password can
remain secure.
•External user database authentication— For authentication by an external
user database, the user does not need a password stored in the CiscoSecure
user database. Instead, Cisco Secure ACS records which external user
database it should query to authenticate the user.
Advanced Password ConfigurationsIn addition to the basic password configurations listed above, CiscoSecure ACS
supports the following:
•Inbound passwords— Passwords used by most Cisco Secure ACS users.
These are supported by both the TACA CS+ and RADIUS protocols. The y are
held internally to the CiscoSecure user database and are not usually given up
to an external source if an outbound password has been configured.
•Outbound passwords—The TACACS+ protocol supports outbound
passwords that can be used, for example, when a AAA client has to be
authenticated by another AAA client and end-user client. Passwords from the
CiscoSecure user database are then sent back to the second AAA client and
end-user client.
•Token caching—When token caching is enabled, ISDN users can connect
(for a limited time) a second B Channel using the same OTP entered during
original authentication. For greater security, the B-Channel authentication