8-41
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 8 Managing Users and Identity Stores
Managing External Identity Stores
For more information on features like Event Delivery Method and Active Response, see the Cisco NAC
Profiler Installation and Configuration Guide, Release 3.1 at the following location:
http://www.cisco.com/en/US/docs/security/nac/profiler/configuration_guide/310/p_prof_events31.html
Troubleshooting MAB Authentication with Profiler Integration
To troubleshoot MAB authentication while integrating with NAC Profiler and to verify that the endpoint
is successfully authenticated, complete the following steps:
Step 1 Run the following command on the switch to which the endpoint devices are connected:
ACCESS-Switch# show authentication sessions
The following output is displayed (one row per authenticated session; the Method column shows mab for a MAC Authentication Bypass session and the Status column must read Authz Success for an endpoint that is authorized):
Interface  MAC Address     Method  Domain  Status         Session ID
Fa1/0/1    0014.d11b.aa36  mab     DATA    Authz Success  505050010000004A0B41FD15 reject
Step 2 Enable debugging for SNMP, AAA, and 802.1X on the switch.
Step 3 Verify the MAB authentication logs in Monitoring and Reports Viewer > Troubleshooting for both failed
and successful authentications.
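The three steps above are carried out at the switch CLI and in the ACS reports viewer. As an added example that is not part of the Cisco guide, the following Python script parses the output of the Step 1 command so that MAB sessions which did not reach Authz Success can be picked out before the Step 2 debugs are enabled, and so that a MAC reported by NAC Profiler in a different notation can be matched to its switch session. The sample output, MAC addresses and session IDs are constructed, and all function names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `show authentication sessions` output from a Cisco IOS
# access switch. The MACs and session IDs are made up for this example.
SAMPLE_OUTPUT = """\
Interface    MAC Address     Method   Domain   Status         Session ID
Fa1/0/1      0014.d11b.aa36  mab      DATA     Authz Success  505050010000004A0B41FD15
Fa1/0/2      0014.d11b.aa37  mab      DATA     Authz Failed   505050010000004B0B41FE02
Fa1/0/3      0014.d11b.aa38  dot1x    DATA     Authz Success  505050010000004C0B41FF10
Fa1/0/4      0014.d11b.aa39  mab      UNKNOWN  Running        505050010000004D0B420011
"""


@dataclass(frozen=True)
class AuthSession:
    interface: str
    mac: str
    method: str
    domain: str
    status: str
    session_id: str


# Status is the only column that may contain a space ("Authz Success",
# "Authz Failed"), so the pattern anchors on the dotted MAC and the hex
# session ID and lets the status group absorb whatever lies between.
# A trailing token after the session ID (as in the guide's own sample
# line) is tolerated and ignored.
_ROW_RE = re.compile(
    r"^(?P<interface>\S+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"(?P<method>\S+)\s+"
    r"(?P<domain>\S+)\s+"
    r"(?P<status>.+?)\s+"
    r"(?P<session_id>[0-9A-Fa-f]{16,})"
    r"(?:\s+\S+)?\s*$"
)


def normalize_mac(mac: str) -> str:
    """Turn 00:14:D1:1B:AA:36 / 00-14-d1-1b-aa-36 / 0014.d11b.aa36 into
    the Cisco dotted form used by the switch (and by MAB as the username)."""
    hex_digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hex_digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{hex_digits[0:4]}.{hex_digits[4:8]}.{hex_digits[8:12]}"


def parse_sessions(text: str) -> List[AuthSession]:
    """Parse the table printed by `show authentication sessions`."""
    sessions = []
    for line in text.splitlines():
        m = _ROW_RE.match(line.strip())
        if m:  # the header line and blank lines do not match
            sessions.append(AuthSession(**m.groupdict()))
    return sessions


def failed_mab_sessions(sessions: List[AuthSession]) -> List[AuthSession]:
    """MAB sessions whose status is anything other than Authz Success;
    these are the endpoints worth debugging (Step 2) and checking in the
    ACS failure reports (Step 3)."""
    return [s for s in sessions
            if s.method.lower() == "mab" and s.status != "Authz Success"]


def find_by_mac(sessions: List[AuthSession], mac: str) -> Optional[AuthSession]:
    """Look up the session for a MAC as reported by NAC Profiler or the ACS
    report, whatever separator that source used."""
    wanted = normalize_mac(mac)
    for s in sessions:
        if normalize_mac(s.mac) == wanted:
            return s
    return None


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_OUTPUT)
    for s in failed_mab_sessions(sessions):
        print(f"{s.interface}: {s.mac} status={s.status!r} session={s.session_id}")
```

Paste real switch output in place of SAMPLE_OUTPUT; the MAC given to find_by_mac is the same value that appears as the username in the ACS MAB authentication report, so a session found here but absent from the report points at the RADIUS path between switch and ACS rather than at the endpoint.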
Microsoft AD
ACS uses Microsoft Active Directory (AD) as an external identity store that holds resources such as users,
machines, groups, and attributes. ACS authenticates these resources against AD.
Supported Authentication Protocols
EAP-FAST and PEAP—ACS 5.3 supports user and machine authentication, and password change, against AD
using EAP-FAST and PEAP with an inner method of MSCHAPv2 or EAP-GTC.

PAP—ACS 5.3 supports authentication against AD using PAP and also lets you change AD user passwords.

MSCHAPv1—ACS 5.3 supports user and machine authentication against AD using MSCHAPv1. You can change
AD user passwords over MSCHAPv1 only with the version 2 Change-Password packet (MS-CHAP v1, RFC 2433,
defines a version 1 and a version 2 Change-Password packet; ACS supports only the latter). ACS does not
return the MS-CHAP-MPPE-Keys attribute for a user, but does return MS-MPPE-Send-Key and MS-MPPE-Recv-Key.

Note ACS 5.3 does not support changing a user's password against AD with the MSCHAP version 1
Change-Password packet.

MSCHAPv2—ACS 5.3 supports user and machine authentication against AD using MSCHAPv2. ACS does not
return the MS-CHAP-MPPE-Keys attribute for a user, but does return MS-MPPE-Send-Key and
MS-MPPE-Recv-Key.

EAP-GTC—ACS 5.3 supports user and machine authentication against AD using EAP-GTC.

EAP-TLS—ACS uses the certificate retrieval option introduced in ACS 5.3 to support user and machine
authentication against AD using EAP-TLS.

ACS 5.x supports changing the password for users who are authenticated against Active Directory with the
TACACS+ PAP/ASCII, EAP-MSCHAP, and EAP-GTC methods. Changing the password for EAP-FAST and PEAP with
inner MSCHAPv2 is also supported.