
Cisco Acs 57 User Guide


Page 541

AAA Protocols
Overview of TACACS+
TACACS+ must be used if the network device is a Cisco device-management application, access server, router, or firewall. ACS 5.7 supports IPv6 addresses in TACACS+ protocols. ACS 5.7 supports Cisco device-management applications by providing command authorization for network users who are using the management application to configure managed network devices.
You provide support for command authorization for management application users by...

Page 542

Overview of RADIUS
To support the older and newer RFCs, ACS 5.7 accepts authentication requests on port 1645 and port 1812. For accounting, ACS accepts accounting packets on ports 1646 and 1813.
RADIUS IETF
ACS 5.7 provides a set of standard IETF RADIUS attributes with a set of predefined sub-attributes and values. You cannot edit these RADIUS IETF attributes. You can use them in policy conditions. You can identify RADIUS IETF attributes that are currently unused by their names....

Page 543

RADIUS is universally used to secure the access of end-users to network resources. A RADIUS server can act as a proxy to other RADIUS servers or other kinds of authentication servers.
The NAD serves as the network gatekeeper and sends an Access-Request to ACS on behalf of the user. ACS verifies the username, password, and possibly other data by using either the internal identity store, or an...

Page 544

Generic and Cisco VSAs 
Other vendors’ attributes
ACS 5.7 also supports attributes defined in the following extensions to RADIUS:
Accounting-related attributes, as defined in RFC 2866.
Support for Tunnel Protocol, as defined in RFCs 2867 and 2868.
Support for EAP (via the EAP-Message attribute), as defined in RFCs 2869 and 3579.
Note: When RADIUS parameters are referenced, the convention [attribute-number] [attribute name] is used. For example, [1]User-Name,...

Page 545

In addition, various EAP-based protocols can be transported over RADIUS, encapsulated within the RADIUS EAP-Message attribute. These can be further categorized with respect to whether or not, and to what extent, they make use of certificates. These include:
EAP methods that do not use certificates:
—EAP-MD5
—LEAP
EAP methods in which the client uses the ACS server certificate to perform server authentication:
—PEAP/EAP-MSCHAPv2
—PEAP/EAP-GTC...

Page 546

Access list to apply
A static route to install in the NAD routing table
The configuration information in the RADIUS server defines which parameters to set on the NAD during installation. 

Page 547

Cisco Systems, Inc. www.cisco.com
Authentication in ACS 5.7
Authentication verifies user information to confirm the user's identity. Traditional authentication uses a name and a fixed password. More secure methods use cryptographic techniques, such as those used inside the Challenge Handshake Authentication Protocol (CHAP), OTP, and advanced EAP-based protocols. ACS supports a variety of these authentication methods.
A fundamental implicit relationship exists between authentication and...

Page 548

PAP
—EAP-MSCHAPv2, page 27
EAP family of protocols transported over RADIUS, which can be further classified as:
—Simple EAP protocols that do not use certificates:
EAP-MD5—For more information, see EAP-MD5, page 4.
LEAP—For more information, see LEAP, page 29.
—EAP protocols that involve a TLS handshake and in which the client uses the ACS server certificate to perform server authentication:
PEAP, using one of the following inner methods: PEAP/EAP-MSCHAPv2 and...

Page 549

Figure 6 RADIUS with PAP Authentication Use Case
EAP
Extensible Authentication Protocol (EAP) is an authentication framework for wireless networks and point-to-point connections. EAP supports multiple authentication methods, and provides common functions and rules for negotiation of the desired authentication method:
Server authentication request
Client authentication response
Server success authentication result
Server failure authentication result
Silent...

Page 550

EAP-MD5
2. The host sends an EAP Response to the network device; the network device embeds the EAP packet that it received from the host into a RADIUS request and sends it to ACS, which is acting as the EAP server.
3. ACS negotiates the EAP method for authentication. The client can acknowledge the EAP method that the EAP server suggests or, it can respond with a negative acknowledgment (NAK) and suggest a list of alternative EAP methods. The server and client must reach...