4-8
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 4 Common Scenarios Using ACS
Password-Based Network Access
For RADIUS, non-EAP authentication methods (RADIUS/PAP, RADIUS/CHAP,
RADIUS/MS-CHAPv1, RADIUS/MSCHAPv2), and simple EAP methods (EAP-MD5 and LEAP), you
need to configure only the protocol in the Allowed Protocols page as defined in Table 4-1.
Some of the complex EAP protocols require additional configuration:
• For EAP-TLS, you must also configure:
  – The EAP-TLS settings under System Administration > Configuration > EAP-TLS Settings.
  – A local server certificate under System Administration > Configuration > Local Server Certificates > Local Certificates.
  – A CA certificate under Users and Identity Stores > Certificate Authorities.
• For PEAP, you must also configure:
  – The inner method in the Allowed Protocols page, and whether password change is allowed.
  – The PEAP settings under System Administration > Configuration > PEAP Settings.
  – Local server certificates under System Administration > Configuration > Local Server Certificates > Local Certificates.
• For EAP-FAST, you must also configure:
  – The inner method in the Allowed Protocols page, and whether password change is allowed.
  – Whether or not to use PACs; if you use PACs, you must also specify how to allow in-band PAC provisioning.
  – The EAP-FAST settings under System Administration > Configuration > EAP-FAST > Settings.
  – A local server certificate under System Administration > Configuration > Local Server Certificates > Local Certificates (only if you enable authenticated PAC provisioning).
Table 4-1 Network Access Authentication Protocols

Protocol    Action
PEAP        In the Allowed Protocols page, choose PEAP. For the PEAP inner method, choose EAP-MSCHAPv2 or EAP-GTC or both.
EAP-FAST    1. In the Allowed Protocols page, choose Allow EAP-FAST to enable the EAP-FAST settings.
            2. For the EAP-FAST inner method, choose EAP-MSCHAPv2 or EAP-GTC or both.
            3. Select Allow Anonymous In-Band PAC Provisioning or Allow Authenticated In-Band PAC Provisioning or both.
            For Windows machine authentication against Microsoft AD and for the change password feature:
            1. Click the Use PACs radio button. For details about PACs, see About PACs, page B-21.
            2. Check Allow Authenticated In-Band PAC Provisioning.
            3. Check Allow Machine Authentication.
            4. Enter the Machine PAC Time to Live.
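The dependencies listed above (per-protocol settings, certificates, PAC provisioning mode, and the extra items that machine authentication needs) are easy to miss when several EAP methods are enabled at once. The following pre-flight checker is an added example, not part of the Cisco guide and not an ACS API; the dictionary keys such as "allowed_protocols" and "use_pacs" are assumptions chosen for this example.

```python
from typing import Any, Dict, List

# Constructed sample: EAP-FAST with authenticated PAC provisioning and machine
# authentication enabled, but the Machine PAC Time to Live not yet entered.
SAMPLE_CFG: Dict[str, Any] = {
    "allowed_protocols": ["EAP-FAST"],
    "eap_fast_inner_methods": ["EAP-MSCHAPv2"],
    "configured": ["EAP-FAST Settings", "Local Server Certificate"],
    "use_pacs": True,
    "allow_authenticated_pac_provisioning": True,
    "allow_machine_authentication": True,
}


def missing_requirements(cfg: Dict[str, Any]) -> List[str]:
    """Return the items the Allowed Protocols dependencies say are still unconfigured."""
    missing: List[str] = []
    protocols = set(cfg.get("allowed_protocols", []))
    have = set(cfg.get("configured", []))

    def need(item: str) -> None:
        if item not in have and item not in missing:
            missing.append(item)

    if "EAP-TLS" in protocols:          # settings, server cert and CA cert
        for item in ("EAP-TLS Settings", "Local Server Certificate", "CA Certificate"):
            need(item)
    if "PEAP" in protocols:             # inner method, settings, server cert
        if not cfg.get("peap_inner_methods"):
            missing.append("PEAP inner method (EAP-MSCHAPv2 and/or EAP-GTC)")
        need("PEAP Settings")
        need("Local Server Certificate")
    if "EAP-FAST" in protocols:
        if not cfg.get("eap_fast_inner_methods"):
            missing.append("EAP-FAST inner method (EAP-MSCHAPv2 and/or EAP-GTC)")
        need("EAP-FAST Settings")
        authn = bool(cfg.get("allow_authenticated_pac_provisioning"))
        if cfg.get("use_pacs"):
            if not (authn or cfg.get("allow_anonymous_pac_provisioning")):
                missing.append("In-band PAC provisioning mode (anonymous and/or authenticated)")
            if authn:                   # server cert only with authenticated provisioning
                need("Local Server Certificate")
        if cfg.get("allow_machine_authentication"):
            if not cfg.get("use_pacs"):
                missing.append("Use PACs (required for machine authentication)")
            if not authn:
                missing.append("Allow Authenticated In-Band PAC Provisioning (required for machine authentication)")
            if not cfg.get("machine_pac_ttl"):
                missing.append("Machine PAC Time to Live")
    return missing


if __name__ == "__main__":
    print(missing_requirements(SAMPLE_CFG))
```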