User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Appendix B Authentication in ACS 5.3
EAP-MSCHAPv2
Microsoft Challenge Handshake Authentication Protocol (MSCHAP v2) provides two-way
authentication, also known as mutual authentication. The remote access client receives verification that
the remote access server that it is dialing in to has access to the user's password.
This section contains the following topics:
Overview of EAP-MSCHAPv2, page B-30
EAP-MSCHAPv2 Flow in ACS 5.3, page B-31
Overview of EAP-MSCHAPv2
Some of the specific members of the EAP family of authentication protocols, specifically EAP-FAST
and PEAP, support the notion of an "EAP inner method." This means that another EAP-based protocol
performs additional authentication within the context of the first protocol, which is known as the "EAP
outer method."
One of the inner methods supported by the EAP-FAST and PEAP outer methods is EAP-MSCHAPv2,
which is an adaptation of the MSCHAPv2 protocol that complies with the general framework established
by EAP.
Using EAP-MSCHAPv2 as the inner EAP method facilitates the reuse of Microsoft directory technology
(such as Windows Active Directory), with the associated database of user credentials for wireless
authentication in the following contexts:
MSCHAPv2 for User Authentication, page B-30
MSCHAPv2 for Change Password, page B-30
Windows Machine Authentication Against AD, page B-31
MSCHAPv2 for User Authentication
ACS supports the EAP-MSCHAPv2 authentication protocol as the inner method of EAP-FAST and
PEAP. The protocol is an encapsulation of MSCHAPv2 into the EAP framework. Mutual authentication
occurs against the configured credential database.
The client does not send its password, but a cryptographic function of the password. Using
EAP-MSCHAPv2 as the inner method of a tunneling protocol increases the protection of the secured
communication: every protocol message is encrypted inside the tunnel, and the server and client
challenges are not generated randomly but are derived from the outer method's cryptographic material.
EAP-MSCHAPv2 is supported for AD and the ACS internal identity store.
MSCHAPv2 for Change Password
When you use EAP-MSCHAPv2 (as an EAP inner method) to authenticate a user whose password has
expired, ACS sends a specific EAP-MSCHAPv2 failure notification to the client. The client can prompt
the user for a new password and then provide it to ACS inside the same conversation.
The new password is encrypted with the help of the old one. When a user password is changed
successfully, the new user password is stored in the credential database.
EAP-MSCHAPv2 change password is supported for AD and ACS internal identity store.
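The user-authentication and change-password conversations described in the two sections above, as an added example that is not Cisco's code and is not taken from ACS: a Python model of the EAP-MSCHAPv2 inner exchange with both the client and the server side, including the expired-password branch. The standard library has no MD4, DES or RC4, so SHA-256/HMAC stand in for those primitives and the outputs will not match a real supplicant; the message structure (challenge hash, NT response, "S=" authenticator response, new password encrypted under the old hash) and the E=648/691/709 codes follow RFC 2759, and the account name and passwords are constructed.

```python
import hashlib, hmac, os

def nt_hash(password):                       # stored credential: a hash of the password (stand-in for MD4)
    return hashlib.sha256(password.encode("utf-16-le")).digest()
def challenge_hash(peer, auth, user):        # RFC 2759 shape: SHA-1(peer || auth || user)[:8]
    return hashlib.sha1(peer + auth + user.encode()).digest()[:8]
def nt_response(pwh, chash):                 # client's proof of the password, bound to both challenges (stand-in for DES)
    return hmac.new(pwh, chash, hashlib.sha256).digest()[:24]
def authenticator_response(pwh, resp, chash):  # server's proof of the password, which the client verifies
    return "S=" + hmac.new(hashlib.sha256(pwh).digest(), resp + chash, hashlib.sha1).hexdigest().upper()
def xor_with_old_hash(old_pwh, data):        # new password travels encrypted under the old hash (stand-in for RC4)
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(old_pwh).digest(len(data))))

class AcsServer:
    def __init__(self, creds):               # user -> [password hash, expired?]; no cleartext passwords held
        self.creds = creds
    def challenge(self):                     # under EAP-FAST/PEAP this comes from outer-method key material
        return os.urandom(16)
    def authenticate(self, user, auth, peer, resp):
        pwh, expired = self.creds[user]
        chash = challenge_hash(peer, auth, user)
        if not hmac.compare_digest(nt_response(pwh, chash), resp):
            return "Failure", "E=691"        # ERROR_AUTHENTICATION_FAILURE
        if expired:
            return "Failure", "E=648"        # ERROR_PASSWD_EXPIRED: client may follow with Change-Password
        return "Success", authenticator_response(pwh, resp, chash)
    def change_password(self, user, auth, peer, enc_new, resp):
        old_pwh, _ = self.creds[user]
        new_pwh = nt_hash(xor_with_old_hash(old_pwh, enc_new).decode("utf-16-le"))
        chash = challenge_hash(peer, auth, user)
        if not hmac.compare_digest(nt_response(new_pwh, chash), resp):
            return "Failure", "E=709"        # ERROR_CHANGING_PASSWORD
        self.creds[user] = [new_pwh, False]  # stored only after the new password proved itself
        return "Success", authenticator_response(new_pwh, resp, chash)

def client_login(server, user, password, new_password=None):
    """One inner-method conversation; True only if the server also proved it knows the password."""
    auth, peer, pwh = server.challenge(), os.urandom(16), nt_hash(password)
    chash = challenge_hash(peer, auth, user)
    resp = nt_response(pwh, chash)
    status, msg = server.authenticate(user, auth, peer, resp)
    if msg == "E=648" and new_password:      # expired: offer the new password inside the same conversation
        enc_new = xor_with_old_hash(pwh, new_password.encode("utf-16-le"))
        peer, pwh = os.urandom(16), nt_hash(new_password)
        chash = challenge_hash(peer, auth, user)
        resp = nt_response(pwh, chash)
        status, msg = server.change_password(user, auth, peer, enc_new, resp)
    return status == "Success" and hmac.compare_digest(msg, authenticator_response(pwh, resp, chash))

if __name__ == "__main__":                   # constructed account whose password has expired
    print(client_login(AcsServer({"alice": [nt_hash("Winter2011"), True]}), "alice", "Winter2011", "Spring2012"))
```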