Ms-chap, Eap support – Cisco 3.3 User Manual

Page 53

Advertising
background image

1-13

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 1 Overview

AAA Server Functions and Concepts

ARAP—Uses a two-way challenge-response mechanism. The AAA client
challenges the end-user client to authenticate itself, and the end-user client
challenges the AAA client to authenticate itself.

MS-CHAP

Cisco Secure ACS supports Microsoft Challenge-Handshake Authentication
Protocol (MS-CHAP) for user authentication. Differences between MS-CHAP
and standard CHAP are the following:

The MS-CHAP Response packet is in a format compatible with Microsoft
Windows and LAN Manager 2.x. The MS-CHAP format does not require the
authenticator to store a clear-text or reversibly encrypted password.

MS-CHAP provides an authentication-retry mechanism controlled by the
authenticator.

MS-CHAP provides additional failure codes in the Failure packet Message
field.

For more information on MS-CHAP, refer to RFC
draft-ietf-pppext-mschap-00.txt, RADIUS Attributes for MS-CHAP Support.

EAP Support

The Extensible Authentication Protocol (EAP), based on IETF 802.1x, is an
end-to-end framework that allows the creation of authentication types without
changing AAA client configurations. For more information about EAP, go to

PPP Extensible Authentication Protocol (EAP) RFC 2284

.

Cisco Secure ACS supports the following varieties of EAP:

EAP-MD5—An EAP protocol that does not support mutual authentication.

EAP-TLS—EAP incorporating Transport Layer Security. For more
information, see

EAP-TLS Deployment Guide for Wireless LAN Networks

and

EAP-TLS Authentication, page 10-2

.

LEAP—An EAP protocol used by Cisco Aironet wireless equipment; it
supports mutual authentication.

PEAP—Protected EAP, which is implemented with EAP-Generic Token
Card (GTC) and EAP-MSCHAPv2 protocols. For more information, see

PEAP Authentication, page 10-8

.

Advertising