4-21
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 4 Common Scenarios Using ACS
VPN Remote Network Access
Supported Authentication Protocols
ACS 5.3 supports the following protocols for inner authentication inside the VPN tunnel:
• RADIUS/PAP
• RADIUS/CHAP
• RADIUS/MS-CHAPv1
• RADIUS/MS-CHAPv2
When MS-CHAPv1 or MS-CHAPv2 is used, ACS can generate the MPPE keys that are used to encrypt the
tunnel that is created.
Related Topics
• VPN Remote Network Access, page 4-20
• Supported Identity Stores, page 4-21
• Supported VPN Network Access Servers, page 4-22
• Supported VPN Clients, page 4-22
• Configuring VPN Remote Access Service, page 4-22
Supported Identity Stores
ACS can perform VPN authentication against the following identity stores:
• ACS internal identity store—RADIUS/PAP, RADIUS/CHAP, RADIUS/MS-CHAP-v1, and
RADIUS/MS-CHAP-v2
• Active Directory—RADIUS/PAP, RADIUS/MS-CHAP-v1, and RADIUS/MS-CHAP-v2
• LDAP—RADIUS/PAP
• RSA SecurID Server—RADIUS/PAP
• RADIUS Token Server—RADIUS/PAP (dynamic OTP)
Related Topics
• VPN Remote Network Access, page 4-20
• Supported Authentication Protocols, page 4-21
• Supported VPN Network Access Servers, page 4-22
• Supported VPN Clients, page 4-22
• Configuring VPN Remote Access Service, page 4-22