Cisco Systems OL-24201-01 Camera Accessories User Manual


 
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Appendix B Authentication in ACS 5.3
This appendix describes the following:
- RADIUS-based authentication that does not include EAP:
  - PAP, page B-2
  - CHAP, page B-31
  - MSCHAPv1
  - EAP-MSCHAPv2, page B-30
- EAP family of protocols transported over RADIUS, which can be further classified as:
  - Simple EAP protocols that do not use certificates:
    - EAP-MD5—For more information, see EAP-MD5, page B-5.
    - LEAP—For more information, see LEAP, page B-31.
  - EAP protocols that involve a TLS handshake and in which the client uses the ACS server certificate to perform server authentication:
    - PEAP, using one of the following inner methods: PEAP/EAP-MSCHAPv2 and PEAP/EAP-GTC—For more information, see PEAPv0/1, page B-14.
    - EAP-FAST, using one of the following inner methods: EAP-FAST/EAP-MSCHAPv2 and EAP-FAST/EAP-GTC—For more information, see EAP-FAST, page B-18.
  - EAP protocols that are fully certificate-based, in which the TLS handshake uses certificates for both server and client authentication:
    - EAP-TLS—For more information, see EAP-TLS, page B-5.
- Certificate Attributes, page B-32
- Machine Authentication, page B-34
- Authentication Protocol and Identity Store Compatibility, page B-35
For a list of known supplicant issues, refer to
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/release/notes/acs_53_rn.html.
PAP
The Password Authentication Protocol (PAP) provides a simple method for a user to establish their identity
by using a two-way handshake. It is the least sophisticated authentication protocol; the PAP password is
encrypted with the shared secret.
ACS checks the ID-Password pair against the external database, Identity Store, until ACS acknowledges
the authentication or terminates the connection.
PAP is not a strong authentication method since it offers little protection from repeated trial-and-error
attacks.
Note: The RADIUS with PAP authentication flow includes logging of passed and failed attempts.