User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Appendix A AAA Protocols
Overview of RADIUS
Authentication
ACS supports various authentication protocols transported over RADIUS. The supported non-EAP
protocols are:
PAP
CHAP
MSCHAPv1
MSCHAPv2
In addition, various EAP-based protocols can be transported over RADIUS, encapsulated within the
RADIUS EAP-Message attribute. These can be further categorized with respect to whether or not, and
to what extent, they make use of certificates. These include:
EAP methods that do not use certificates:
EAP-MD5
LEAP
EAP methods in which the client uses the ACS server certificate to perform server authentication:
PEAP/EAP-MSCHAPv2
PEAP/EAP-GTC
EAP-FAST/EAP-MSCHAPv2
EAP-FAST/EAP-GTC
EAP methods that use certificates for both server and client authentication:
EAP-TLS
Authorization
Authorization is granted according to the configured access policies.
Accounting
You can use the accounting functions of the RADIUS protocol independently of the RADIUS
authentication or authorization functions. The RADIUS accounting functions send data at the start and
end of a session and report the amount of resources (such as time, packets, bytes, and so on) consumed
during the session.
An ISP might use RADIUS access control and accounting software to meet special security and billing
needs.
RADIUS Access Requests
A user login consists of a query (Access-Request) from the network access device (NAD) to the RADIUS
server and a corresponding response (Access-Accept or Access-Reject) from the server. The Access-Request
packet contains the username, password, NAD IP address, NAD port, and other relevant attributes.
When the RADIUS server receives the Access-Request from the NAD, it looks the username up in a
database. Depending on the result of the database query, an Access-Accept or Access-Reject is sent. A text
message (the Reply-Message attribute) can accompany the Access-Reject to indicate the reason for the refusal.
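The following is an added worked example, not code from the Cisco guide or from ACS itself. It puts the Access-Request/Access-Accept/Access-Reject exchange described above, and the PAP transport listed in the Authentication section, into runnable Python per RFC 2865: the NAD builds an Access-Request carrying User-Name, a hidden User-Password, NAS-IP-Address and NAS-Port; the server recovers the password, consults a database and answers; the NAD verifies the Response Authenticator before trusting the reply. The shared secret, the user database, the NAD address 192.0.2.10 and all function names are constructed for illustration.

```python
"""RADIUS Access-Request / Accept / Reject with PAP, per RFC 2865 (added worked example)."""
import hashlib
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3                               # packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, REPLY_MESSAGE = 1, 2, 4, 5, 18   # attribute types


def encode_attrs(attrs):
    """Serialize [(type, value_bytes)] as RADIUS TLVs; Length counts the 2-byte header."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += bytes([t, len(v) + 2]) + v
    return out


def decode_attrs(data):
    """Parse TLVs back into [(type, value)], rejecting lengths that would run off the packet."""
    attrs = []
    while data:
        t, length = data[0], data[1]
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16 bytes, XOR block i with MD5(secret + previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; needs the same shared secret and the Request Authenticator."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def build_access_request(ident, username, password, secret, nas_ip, nas_port):
    """NAD side: username, hidden password, the NAD's own IP and the port the user connected on."""
    request_auth = secrets.token_bytes(16)          # fresh random Request Authenticator per request
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
             (NAS_PORT, struct.pack("!I", nas_port))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(code, ident, body, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret) binds reply to request."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(hdr + request_auth + body + secret).digest()


def server_handle(request, secret, user_db):
    """Server side: parse, look the user up, answer Accept or Reject (with a Reply-Message on refusal)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:length]))
    username = attrs.get(USER_NAME, b"").decode(errors="replace")
    hidden = attrs.get(USER_PASSWORD)
    password = reveal_password(hidden, secret, request_auth) if hidden else None
    expected = user_db.get(username)
    if expected is not None and password is not None and secrets.compare_digest(password, expected):
        reply_code, reply_attrs = ACCESS_ACCEPT, []
    else:
        reply_code, reply_attrs = ACCESS_REJECT, [(REPLY_MESSAGE, b"Authentication failed")]
    body = encode_attrs(reply_attrs)
    auth = response_authenticator(reply_code, ident, body, request_auth, secret)
    return build_packet(reply_code, ident, auth, reply_attrs)


def nad_check_response(request, response, secret):
    """NAD side: trust the reply only if the ID matches and the Response Authenticator verifies."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        raise ValueError("identifier/length mismatch")
    expected = response_authenticator(code, ident, response[20:length], request[4:20], secret)
    if not secrets.compare_digest(response[4:20], expected):
        raise ValueError("bad Response Authenticator: reply not from a server holding the secret")
    messages = [v for t, v in decode_attrs(response[20:length]) if t == REPLY_MESSAGE]
    return code, (messages[0].decode() if messages else "")


def demo(username, password, secret=b"s3cret-shared", user_db=None):
    """One full exchange; returns (code, reply_message) as the NAD sees it."""
    user_db = user_db if user_db is not None else {"alice": b"correct horse battery staple"}  # constructed
    request = build_access_request(7, username, password, secret, "192.0.2.10", 1)
    response = server_handle(request, secret, user_db)
    return nad_check_response(request, response, secret)


if __name__ == "__main__":
    print(demo("alice", "correct horse battery staple"))   # (2, '')  Access-Accept
    print(demo("alice", "wrong"))                          # (3, 'Authentication failed')  Access-Reject
```

Two points worth noticing when running it. The User-Password hiding is an MD5 keystream XORed with the password, keyed only by the shared secret and the 16-byte Request Authenticator; anyone who holds or brute-forces the secret from captured packets recovers every PAP password, which is why PAP over bare RADIUS is the weakest of the transports listed above. The Response Authenticator is what stops a host on the path from forging an Access-Accept toward the NAD; if `nad_check_response` is skipped, the NAD will accept any reply with the right Identifier.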