Cisco ACS 5.x User Guide
Page 571
A-1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01
APPENDIX A  AAA Protocols
This section contains the following topics:
Typical Use Cases, page A-1
Access Protocols—TACACS+ and RADIUS, page A-5
Overview of TACACS+, page A-5
Overview of RADIUS, page A-6
Typical Use Cases
This section contains the following topics:
Device Administration (TACACS+), page A-1
Network Access (RADIUS With and Without EAP), page A-2
Device Administration (TACACS+)
Figure A-1 shows the flows associated with...
Page 572
A-2
Session Access Requests (Device Administration [TACACS+])
Note: The numbers refer to Figure A-1 on page A-1.
For session request:
1. An administrator logs into a network device.
2. The network device sends a TACACS+ access request to ACS.
3. ACS uses an identity store to validate the user's credentials.
4. ACS sends a TACACS+ response to the network device that applies the decision.
The...
Page 573
A-3
– EAP protocols that involve a TLS handshake and in which the client uses the ACS server certificate to perform server authentication:
PEAP, using one of the following inner methods: PEAP/EAP-MSCHAPv2 and PEAP/EAP-GTC
EAP-FAST, using one of the following inner methods: EAP-FAST/EAP-MSCHAPv2 and EAP-FAST/EAP-GTC
– EAP protocols that are fully certificate-based, in which the TLS...
Page 574
A-4
– EAP-FAST/EAP-MSCHAPv2
– EAP-FAST/EAP-GTC
EAP methods that use certificates for both server and client authentication
– EAP-TLS
Whenever EAP is involved in the authentication process, it is preceded by an EAP negotiation phase to determine which specific EAP method (and inner method, if applicable) should be used.
For all EAP authentications:
1. A host connects to a network device.
2. The...
Page 575
A-5
Access Protocols—TACACS+ and RADIUS
This section contains the following topics:
Overview of TACACS+, page A-5
Overview of RADIUS, page A-6
ACS 5.3 can use the TACACS+ and RADIUS access protocols. Table A-1 compares the two protocols.
Overview of TACACS+
TACACS+ must be used if the network device is a Cisco device-management application, access server, router, or...
Page 576
A-6
Overview of RADIUS
This section contains the following topics:
RADIUS VSAs, page A-6
ACS 5.3 as the AAA Server, page A-7
RADIUS Attribute Support in ACS 5.3, page A-8
RADIUS Access Requests, page A-9
RADIUS is a client/server protocol through which remote access servers communicate with a central server to authenticate dial-in users and authorize their access to the requested system...
Page 577
A-7
ACS 5.3 as the AAA Server
A AAA server is a server program that handles user requests for access to computer resources and, for an enterprise, provides AAA services. The AAA server typically interacts with network access and gateway servers, and with databases and directories that contain user information. The current standard by which devices or applications communicate with an AAA...
Page 578
A-8
RADIUS Attribute Support in ACS 5.3
ACS 5.3 supports the RADIUS protocol as RFC 2865 describes. ACS 5.3 supports the following types of RADIUS attributes:
IETF RADIUS attributes
Generic and Cisco VSAs
Other vendors' attributes
ACS 5.3 also supports attributes defined in the following extensions to RADIUS:
Accounting-related attributes, as defined in RFC 2866.
Support for Tunnel...
Page 579
A-9
Authentication
ACS supports various authentication protocols transported over RADIUS. The supported protocols that do not include EAP are:
PAP
CHAP
MSCHAPv1
MSCHAPv2
In addition, various EAP-based protocols can be transported over RADIUS, encapsulated within the RADIUS EAP-Message attribute. These can be further categorized with respect to whether or not, and to what extent, they...
Page 580
A-10
In RADIUS, authentication and authorization are coupled. If the RADIUS server finds that the username and password are correct, it returns an access-accept response that includes a list of attribute-value pairs describing the parameters to use for this session. This list of parameters sets the authorization rights for the user. Typical parameters include: Service...