4-6
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 4 Common Scenarios Using ACS
Password-Based Network Access
Note: During password-based access (or certificate-based access), the user is not only authenticated but also
authorized according to the ACS configuration. If the NAS sends accounting requests, accounting is also
performed for the user.
ACS supports the following password-based authentication methods:
• Plain RADIUS password authentication methods
  – RADIUS-PAP
  – RADIUS-CHAP
  – RADIUS-MSCHAPv1
  – RADIUS-MSCHAPv2
• RADIUS EAP-based password authentication methods
  – PEAP-MSCHAPv2
  – PEAP-GTC
  – EAP-FAST-MSCHAPv2
  – EAP-FAST-GTC
  – EAP-MD5
  – LEAP
You must choose the authentication method based on the following factors:
• The network access server—Wireless access points, 802.1X authenticating switches, VPN servers,
and so on.
• The client computer and software—EAP supplicant, VPN client, and so on.
• The identity store that is used to authenticate the user—Internal or External (AD, LDAP, RSA token
server, or RADIUS identity server).
Related Topics
• Authentication in ACS 5.3, page B-1
• Password-Based Network Access Configuration Flow, page 4-7
• Network Devices and AAA Clients, page 7-5
• Managing Access Policies, page 10-1