Cisco Systems OL-24201-01 Camera Accessories User Manual


 
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 4 Common Scenarios Using ACS
Password-Based Network Access
For RADIUS, non-EAP authentication methods (RADIUS/PAP, RADIUS/CHAP,
RADIUS/MS-CHAPv1, RADIUS/MSCHAPv2), and simple EAP methods (EAP-MD5 and LEAP), you
need to configure only the protocol in the Allowed Protocols page as defined in Table 4-1.
Some of the complex EAP protocols require additional configuration:

- For EAP-TLS, you must also configure:
  - The EAP-TLS settings under System Administration > Configuration > EAP-TLS Settings.
  - A local server certificate under System Administration > Configuration > Local Server Certificates > Local Certificates.
  - A CA certificate under Users and Identity Stores > Certificate Authorities.
- For PEAP, you must also configure:
  - The inner method in the Allowed Protocols page and specify whether password change is allowed.
  - The PEAP settings under System Administration > Configuration > PEAP Settings.
  - Local server certificates under System Administration > Configuration > Local Server Certificates > Local Certificates.
- For EAP-FAST, you must also configure:
  - The inner method in the Allowed Protocols page and specify whether password change is allowed.
  - Whether or not to use PACs, and if you choose to use PACs, you must also specify how to allow in-band PAC provisioning.
  - The EAP-FAST settings under System Administration > Configuration > EAP-FAST > Settings.
  - A local server certificate under System Administration > Configuration > Local Server Certificates > Local Certificates (only if you enable authenticated PAC provisioning).

Table 4-1 Network Access Authentication Protocols

Protocol: PEAP
Action: In the Allowed Protocols Page, choose PEAP. For the PEAP inner method, choose EAP-MSCHAPv2 or EAP-GTC or both.

Protocol: EAP-FAST
Action:
1. In the Allowed Protocols Page, choose Allow EAP-FAST to enable the EAP-FAST settings.
2. For the EAP-FAST inner method, choose EAP-MSCHAPv2 or EAP-GTC or both.
3. Select Allow Anonymous In-Band PAC Provisioning or Allow Authenticated In-Band PAC Provisioning or both.

For Windows machine authentication against Microsoft AD and for the change password feature:
1. Click the Use PACS radio button. For details about PACs, see About PACs, page B-21.
2. Check Allow Authenticated In-Band PAC Provisioning.
3. Check Allow Machine Authentication.
4. Enter the Machine PAC Time to Live.