1-11
User Guide for Cisco Secure ACS for Windows Server
78-14696-01, Version 3.1
Chapter 1 Overview of Cisco Secure ACS
AAA Server Functions and Concepts
In the case of token servers, Cisco Secure ACS acts as a client to the token server, using either its proprietary API or its RADIUS interface, depending on the token server. For more information, see About Token Servers and Cisco Secure ACS, page 11-57.
Different levels of security can be used concurrently with Cisco Secure ACS to meet different requirements. The basic user-to-network security level is PAP. Although it is the unencrypted option, PAP does offer convenience and simplicity for the client. PAP allows authentication against the Windows NT/2000 database. With this configuration, users need to log in only once. CHAP offers a higher level of security, encrypting passwords sent from an end-user client to the AAA client. You can use CHAP with the CiscoSecure user database. ARAP support is included for Apple clients.
Comparing PAP, CHAP, and ARAP
PAP, CHAP, and ARAP are authentication protocols used to encrypt passwords. However, each protocol provides a different level of security.
• PAP—Uses clear-text passwords (that is, unencrypted passwords) and is the least sophisticated authentication protocol. If you are using the Windows NT/2000 user database to authenticate users, you must use PAP password encryption or MS-CHAP.
• CHAP—Uses a challenge-response mechanism with one-way encryption on the response. CHAP enables Cisco Secure ACS to negotiate downward from the most secure to the least secure encryption mechanism, and it protects passwords transmitted in the process. CHAP passwords are reusable. If you are using the CiscoSecure user database for authentication, you can use either PAP or CHAP. CHAP does not work with the Windows NT/2000 user database.
• ARAP—Uses a two-way challenge-response mechanism. The AAA client challenges the end-user client to authenticate itself, and the end-user client challenges the AAA client to authenticate itself.
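The following Python example, added here and not taken from the Cisco Secure ACS guide or product, shows what the PAP and CHAP exchanges described above actually put on the wire and why they differ in what the server must hold. PAP carries the password itself, so the server can check it against a one-way hash; CHAP (RFC 1994, MD5 variant) carries only MD5(Identifier || secret || Challenge), so the server must be able to recompute that value from the clear-text password, which a hash-only store cannot supply. That structural requirement is the reason behind the guide's statement that CHAP does not work with the Windows NT/2000 user database, which keeps only one-way password hashes. All user names, passwords, challenge bytes and the two credential stores below are constructed for the example.

```python
"""Added example: what PAP and CHAP put on the wire, and why CHAP verification
needs the clear-text password on the server.  Constructed illustration; not code
from Cisco Secure ACS.  Names, passwords and challenge values are made up."""
import hashlib
import hmac

# Constructed credential stores.  CLEARTEXT_DB holds what CHAP verification needs.
# HASH_ONLY_DB models a store that keeps only a one-way hash of the password
# (the Windows NT/2000 user database is of this kind).
_PW = "s3cret-pass"
CLEARTEXT_DB = {"alice": {"password": _PW}}
HASH_ONLY_DB = {"alice": {"password_hash": hashlib.sha256(_PW.encode()).hexdigest()}}

# Constructed challenge values used by the demo below.
CH1 = bytes.fromhex("0102030405060708")
CH2 = bytes.fromhex("a1b2c3d4e5f60718")


def pap_request(username: str, password: str) -> dict:
    """PAP: the client sends user name and password unencrypted."""
    return {"proto": "PAP", "username": username, "password": password}


def pap_verify(req: dict, db: dict) -> bool:
    """PAP works against either store: the server hashes (or compares) what arrived."""
    entry = db.get(req["username"])
    if entry is None:
        return False
    if "password_hash" in entry:
        got = hashlib.sha256(req["password"].encode()).hexdigest()
        return hmac.compare_digest(got, entry["password_hash"])
    return hmac.compare_digest(req["password"], entry["password"])


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_client_reply(username: str, password: str, identifier: int, challenge: bytes) -> dict:
    """Client side: answers the server's challenge; the password itself is never sent."""
    return {
        "proto": "CHAP",
        "identifier": identifier,
        "challenge": challenge,  # carried here so the verifier below is self-contained
        "name": username,
        "response": chap_response(identifier, password, challenge),
    }


def chap_verify(msg: dict, db: dict) -> bool:
    """Server side: recompute the Response from the stored clear-text password."""
    entry = db.get(msg["name"])
    if entry is None:
        return False
    if "password" not in entry:
        # A one-way hash cannot be fed back into MD5(id || secret || challenge);
        # this is why CHAP cannot be checked against a hash-only store.
        raise LookupError("CHAP verification needs the clear-text password")
    expected = chap_response(msg["identifier"], entry["password"], msg["challenge"])
    return hmac.compare_digest(expected, msg["response"])


def response_valid_for_new_challenge(msg: dict, db: dict, new_challenge: bytes) -> bool:
    """A Response computed for one challenge does not verify against a fresh one,
    which is what lets the same CHAP password be reused safely across sessions."""
    return chap_verify(dict(msg, challenge=new_challenge), db)


if __name__ == "__main__":
    pap = pap_request("alice", _PW)
    print("PAP on the wire:", pap)                      # password visible
    print("PAP against hash-only store:", pap_verify(pap, HASH_ONLY_DB))
    chap = chap_client_reply("alice", _PW, 1, CH1)
    print("CHAP on the wire:", chap)                    # only a 16-byte digest
    print("CHAP against clear-text store:", chap_verify(chap, CLEARTEXT_DB))
    print("Old response vs new challenge:", response_valid_for_new_challenge(chap, CLEARTEXT_DB, CH2))
    try:
        chap_verify(chap, HASH_ONLY_DB)
    except LookupError as exc:
        print("CHAP against hash-only store:", exc)
```

Running the script prints the PAP request with the password in the clear, the CHAP reply carrying only a digest, a successful CHAP verification against the clear-text store, a failed verification of the old Response against a new challenge, and the LookupError for the hash-only store. The real product keeps the challenge as server-side state rather than echoing it in the reply; it is carried in the message here only to keep the example self-contained.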