Cisco 3.3 User Manual

Page 512


Chapter 13 User Databases: Windows User Database

User Guide for Cisco Secure ACS for Windows Server, 78-16592-01, page 13-28

Note: The check boxes under MS CHAP Settings do not affect password
aging for Microsoft PEAP, EAP-FAST, or machine authentication.
For more information about Windows password changes, see Enabling
Password Aging for Users in Windows Databases, page 6-26.

Enable password change inside PEAP or EAP-FAST—The Permit
password change inside PEAP or EAP-FAST check box controls whether
Cisco Secure ACS supports PEAP-based or EAP-FAST-based password
changes for Windows user accounts. PEAP password changes are supported
only when the end-user client uses PEAP(EAP-MSCHAPv2) for user
authentication. For EAP-FAST, Cisco Secure ACS supports password
changes in phase zero and phase two.

EAP-TLS Strip Domain Name—The EAP-TLS Strip Domain Name check
box controls whether Cisco Secure ACS removes the domain name from a
username derived from the Subject Alternative Name (SAN) field in an
end-user certificate.

Domain name stripping can speed EAP-TLS authentication when the domain
that must authenticate a user is not the domain named in the SAN field.
For example, a user's SAN field may contain "jsmith@corporation.com", but
jsmith may need to authenticate against the domain controller for a
subdomain named "engineering". Stripping "@corporation.com" from the
username eliminates the needless attempt to authenticate jsmith against the
corporation.com domain controller. Without stripping, Cisco Secure ACS tries
corporation.com first and consults the Domain List, where it finds the user
in the engineering domain, only after that attempt fails. The additional
delay can be several seconds.
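The following is an added example that models the lookup order described above; it is not Cisco's code and does not read a real certificate. It assumes a constructed table of which accounts exist in which Windows domain, a constructed Domain List containing only "engineering", and a simplified rule that a UPN-style SAN value is split at its last "@". The strip_domain flag plays the role of the EAP-TLS Strip Domain Name check box, and the returned list of domains tried shows why stripping saves a round trip.

```python
"""Model of EAP-TLS username domain stripping and the resulting lookup order.

Added example, not Cisco Secure ACS code. It reproduces the behaviour the
manual describes: without stripping, the domain named in the certificate's
SAN is consulted first and the Domain List only afterwards; with stripping,
the Domain List alone decides where the user is looked up.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data (assumption): accounts that exist in each domain.
DOMAIN_ACCOUNTS: Dict[str, Set[str]] = {
    "corporation.com": {"alice"},
    "engineering": {"jsmith"},
}

# Constructed Domain List as it might be configured in ACS (assumption).
DOMAIN_LIST: List[str] = ["engineering"]


def username_from_san(upn: str, strip_domain: bool) -> Tuple[str, Optional[str]]:
    """Split a UPN-style SAN value into (username, domain).

    With strip_domain=True the domain part is discarded, as the EAP-TLS Strip
    Domain Name check box does. A value without "@" carries no domain.
    """
    if "@" in upn:
        user, _, domain = upn.rpartition("@")
    else:
        user, domain = upn, None
    if strip_domain:
        return user, None
    return user, domain


def lookup_order(domain: Optional[str], domain_list: List[str]) -> List[str]:
    """Domains consulted in order: the SAN domain first if kept, then the Domain List."""
    order: List[str] = []
    if domain is not None:
        order.append(domain)
    for d in domain_list:
        if d not in order:
            order.append(d)
    return order


def authenticate(
    upn: str,
    strip_domain: bool,
    accounts: Dict[str, Set[str]] = DOMAIN_ACCOUNTS,
    domain_list: List[str] = DOMAIN_LIST,
) -> Tuple[Optional[str], List[str]]:
    """Return (domain where the user was found or None, domains tried in order).

    Each entry in the tried list stands for one domain-controller query, which
    is the "several seconds" of delay the manual attributes to a failed attempt.
    """
    user, domain = username_from_san(upn, strip_domain)
    tried: List[str] = []
    for d in lookup_order(domain, domain_list):
        tried.append(d)
        if user in accounts.get(d, set()):
            return d, tried
    return None, tried


if __name__ == "__main__":
    for strip in (False, True):
        found, tried = authenticate("jsmith@corporation.com", strip)
        print(f"strip={strip}: found in {found}, tried {tried}")
```

Running the block shows that with stripping off, jsmith costs two lookups (corporation.com, then engineering) and with stripping on, only one. The same model also shows the trade-off to check before enabling the box: once the domain is stripped, the certificate's domain no longer influences where the user is matched, so the Domain List must cover every domain whose users present certificates, or a user such as alice@corporation.com is not found at all.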

Enable PEAP machine authentication—This check box controls whether
Cisco Secure ACS performs machine authentication using machine name and
password with PEAP(EAP-MSCHAPv2). For more information about
machine authentication, see Machine Authentication, page 13-16.

Enable EAP-TLS machine authentication—This check box controls
whether Cisco Secure ACS performs machine authentication using a machine
certificate with EAP-TLS. For more information about machine
authentication, see Machine Authentication, page 13-16.
