Chapter 1 Overview of Cisco Secure ACS
AAA Server Functions and Concepts
1-12
User Guide for Cisco Secure ACS for Windows Server
78-14696-01, Version 3.1
MS-CHAP
Cisco Secure ACS supports Microsoft Challenge-Handshake Authentication
Protocol (MS-CHAP) for user authentication. Differences between MS-CHAP
and standard CHAP are the following:
• The MS-CHAP Response packet is in a format compatible with Microsoft
Windows NT/2000, Windows 95/98/ME/XP, and LAN Manager 2.x. The
MS-CHAP format does not require the authenticator to store a clear-text or
reversibly encrypted password.
• MS-CHAP provides an authentication-retry mechanism controlled by the
authenticator.
• MS-CHAP provides additional failure codes in the Failure packet Message
field.
For more information on MS-CHAP, refer to RFC
draft-ietf-pppext-mschap-00.txt, RADIUS Attributes for MS-CHAP Support.
EAP Support
The Extensible Authentication Protocol (EAP), based on the IETF 802.1x, is an
end-to-end framework that allows the creation of authentication types without the
necessity of changing the implementation of the AAA clients. For more
information about EAP, go to PPP Extensible Authentication Protocol (EAP) RFC 2284.
Cisco Secure ACS supports the following varieties of EAP:
• EAP-MD5—An EAP protocol that does not support mutual authentication.
• EAP-TLS—EAP incorporating Transport Layer Security. For more
information, see EAP-TLS Deployment Guide for Wireless LAN Networks and
About the EAP-TLS Protocol, page 8-70.
• LEAP—A Network-EAP protocol that supports mutual authentication.
• PEAP—Protected EAP, which is implemented with EAP-Generic Token
Card (GTC). For more information, see About the PEAP Protocol, page 8-72.
The architecture of Cisco Secure ACS is extensible with regard to EAP;
additional varieties of EAP will be supported as those protocols mature.
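The following added example (not part of the Cisco guide or of Cisco Secure ACS) parses the EAP packet header defined in RFC 2284 and reports which of the EAP varieties listed above appear in a set of packets, flagging any that lack mutual authentication. The Type numbers are taken from the IANA EAP registry; the function names and sample packets are constructed for illustration.

```python
import struct

# EAP Type numbers from the IANA EAP registry for the varieties listed above.
# The mutual-authentication flag is filled in only where the page states it
# (EAP-MD5: no, LEAP: yes); None means the page makes no statement.
EAP_METHODS = {
    4: ("EAP-MD5", False),
    6: ("EAP-GTC", None),
    13: ("EAP-TLS", None),
    17: ("LEAP", True),
    25: ("PEAP", None),
}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def parse_eap(packet: bytes) -> dict:
    """Parse one EAP packet: Code, Identifier, Length, then Type and data."""
    if len(packet) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(packet):
        raise ValueError("Length field does not match the bytes received")
    info = {"code": EAP_CODES[code], "id": ident, "method": None,
            "mutual_auth": None, "data": b""}
    if code in (1, 2):  # only Request and Response carry a Type byte
        if length < 5:
            raise ValueError("Request/Response is missing its Type byte")
        name, mutual = EAP_METHODS.get(packet[4], (f"type-{packet[4]}", None))
        # Bytes past Length are link-layer padding and are ignored.
        info.update(method=name, mutual_auth=mutual, data=packet[5:length])
    return info


def methods_without_mutual_auth(packets) -> list:
    """Names of the methods seen that the table marks as one-way only."""
    infos = [parse_eap(p) for p in packets]
    return sorted({i["method"] for i in infos if i["mutual_auth"] is False})


# Constructed sample packets (not captured traffic).
SAMPLE_MD5 = bytes([1, 7, 0, 22, 4, 16]) + bytes(range(16))   # MD5-Challenge
SAMPLE_LEAP = bytes([1, 8, 0, 16, 17, 1, 0, 8]) + bytes(8)    # LEAP request
SAMPLE_SUCCESS = bytes([3, 8, 0, 4])                          # EAP-Success

if __name__ == "__main__":
    print(methods_without_mutual_auth([SAMPLE_MD5, SAMPLE_LEAP, SAMPLE_SUCCESS]))
```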