Cisco Systems OL-24201-01 Camera Accessories User Manual


 
B-4
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Appendix B Authentication in ACS 5.3
EAP
In ACS 5.3, EAP is encapsulated in the RADIUS protocol. Incoming and outgoing EAP messages are
stored in a RADIUS EAP-Message attribute (79). A single RADIUS packet can contain multiple
EAP-Message attributes when the size of a particular EAP message is greater than the maximum
RADIUS attribute data size (253 bytes).
The RADIUS State attribute (24) stores the current EAP session reference information, and ACS stores
the actual EAP session data.
The EAP standard is described in:
RFC 3748—Extensible Authentication Protocol (EAP).
RFC 3579—RADIUS Support For Extensible Authentication Protocol (EAP).
In the EAP process:
1. The network device sends an EAP Request to a host when the host connects to the network.
2. The host sends an EAP Response to the network device; the network device embeds the EAP packet
that it received from the host into a RADIUS request and sends it to ACS, which is acting as the EAP
server.
3. ACS negotiates the EAP method for authentication. The client can acknowledge the EAP method
that the EAP server suggests, or it can respond with a negative acknowledgment (NAK) and suggest
a list of alternative EAP methods. The server and client must reach agreement about the EAP method
to use to instantiate authentication.
Table B-1 lists the EAP codes for each type of EAP message.
Table B-2 describes the EAP methods that ACS 5.3 supports.
Table B-1 EAP Codes

EAP message type    EAP code
Accept-request      1
Response            2
Success             3
Failure             4

Table B-2 Supported EAP methods

EAP Method      Description
EAP-MD5         Message Digest 5 Protocol. For more information see EAP-MD5, page B-5.
LEAP            Lightweight Extensible Authentication Protocol.
PEAPv0v1        Protected Extensible Authentication Protocol version 0 and version 1. For
                more information see PEAPv0/1, page B-14.
EAP-FAST        EAP Flexible Authentication via Secured Tunnel (EAP-FAST) protocol. For
                more information see EAP-FAST, page B-18.
EAP-MSCHAPv2    Microsoft Challenge Handshake Authentication Protocol version 2. For more
                information see EAP-MSCHAPv2, page B-30.
EAP-GTC         EAP Generic Token Card.
EAP-TLS         Extensible Authentication Protocol-Transport Layer Security. For more
                information, see Exporting Credentials, page B-11.
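
The encapsulation described above, as an added example that is not part of the Cisco guide or of ACS itself: it splits an EAP packet across EAP-Message (79) attributes at the 253-byte limit, reassembles it from a RADIUS attribute list, and parses the EAP header, including the alternative methods carried in a NAK. The function names are hypothetical; the NAK type value (3), the header layout, and the name "Request" for code 1 are taken from RFC 3748, and the sample bytes are constructed.

```python
import struct

EAP_MESSAGE = 79       # RADIUS EAP-Message attribute
MAX_ATTR_DATA = 253    # maximum RADIUS attribute data size in bytes
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}  # Table B-1
EAP_TYPE_NAK = 3       # RFC 3748 Nak type (assumption: not listed on this page)

def split_eap(eap: bytes) -> bytes:
    """Encode one EAP packet as consecutive EAP-Message attributes (type, length, data)."""
    out = b""
    for i in range(0, len(eap), MAX_ATTR_DATA):
        chunk = eap[i:i + MAX_ATTR_DATA]
        out += bytes([EAP_MESSAGE, len(chunk) + 2]) + chunk
    return out

def reassemble_eap(attrs: bytes) -> bytes:
    """Walk the RADIUS attributes and concatenate every EAP-Message value in order."""
    eap, pos = b"", 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        if atype == EAP_MESSAGE:
            eap += attrs[pos + 2:pos + alen]
        pos += alen
    return eap

def parse_eap(eap: bytes) -> dict:
    """Parse the EAP header; reject packets whose Length exceeds the received data."""
    if len(eap) < 4:
        raise ValueError("EAP packet shorter than its header")
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if code not in EAP_CODES or length < 4 or length > len(eap):
        raise ValueError("invalid EAP code or Length field")
    eap = eap[:length]  # octets past Length are padding and are ignored
    pkt = {"code": EAP_CODES[code], "id": ident, "type": None, "nak_methods": []}
    if code in (1, 2) and length > 4:
        pkt["type"] = eap[4]
        if code == 2 and eap[4] == EAP_TYPE_NAK:
            pkt["nak_methods"] = list(eap[5:])  # method types the client proposes instead
    return pkt

if __name__ == "__main__":
    nak = bytes([2, 7, 0, 8, 3, 25, 43, 13])           # constructed NAK response
    attrs = bytes([24, 6]) + b"sess" + split_eap(nak)  # constructed State (24) + EAP-Message
    print(parse_eap(reassemble_eap(attrs)))
```
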