
B-1
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Appendix B
Authentication in ACS 5.3
Authentication verifies user information to confirm the user's identity. Traditional authentication uses a 
name and a fixed password. More secure methods use cryptographic techniques, such as those used 
inside the Challenge Handshake Authentication Protocol (CHAP), one-time passwords (OTP), and advanced 
EAP-based protocols. ACS supports a variety of these authentication methods. 
A fundamental implicit relationship...

B-2
This appendix describes the following:
RADIUS-based authentication that does not include EAP:
–PAP, page B-2
–CHAP, page B-31
–MSCHAPv1
–EAP-MSCHAPv2, page B-30
EAP family of protocols transported over RADIUS, which can be further classified as:
–Simple EAP protocols that do not use certificates:
EAP-MD5—For more information, see EAP-MD5, page B-5.
LEAP—For more information, see...

B-3
RADIUS PAP Authentication 
You can use different levels of security concurrently with ACS for different requirements. PAP applies 
a two-way handshaking procedure. If authentication succeeds, ACS returns an acknowledgement; 
otherwise, ACS terminates the connection or gives the originator another chance.
The originator is in total control of the frequency and timing of the attempts....

B-4
In ACS 5.3, EAP is encapsulated in the RADIUS protocol. Incoming and outgoing EAP messages are 
stored in a RADIUS EAP-Message attribute (79). A single RADIUS packet can contain multiple 
EAP-Message attributes when the size of a particular EAP message is greater than the maximum 
RADIUS attribute data size (253 bytes). 
The RADIUS State attribute (24) stores the current EAP session...
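The two things described above, the PAP two-way handshake under RADIUS PAP Authentication and the EAP-Message (79) fragmentation and State (24) handling of this section, worked through as one added Python example. This is not code from the Cisco guide or from ACS; the attribute numbers, the packet layout and the User-Password hiding algorithm are taken from RFC 2865, while the shared secret, the user table and the EAP payload used in the comments and tests are constructed values.

```python
"""RADIUS framing for PAP (User-Password hiding, RFC 2865) and for EAP carried in
EAP-Message (79) attributes with a State (24) cookie. Added example, not ACS code."""
from __future__ import annotations

import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, STATE, EAP_MESSAGE = 1, 2, 24, 79
MAX_VALUE = 253  # attribute Length is one byte and counts the 2-byte header


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    if len(value) > MAX_VALUE:
        raise ValueError("attribute value exceeds 253 bytes; fragment it instead")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data: bytes) -> list[tuple[int, bytes]]:
    """Walk the attribute list; repeated types (EAP-Message) are kept, in wire order."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def packet(code: int, ident: int, authenticator: bytes, attrs: list[bytes]) -> bytes:
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


# PAP, RFC 2865 section 5.2:  c1 = p1 XOR MD5(S|RA),  c_n = p_n XOR MD5(S|c_{n-1}).
def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    if not 1 <= len(password) <= 128 or len(req_auth) != 16:
        raise ValueError("password must be 1..128 bytes, Request Authenticator 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password: whoever holds the shared secret recovers the password."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")  # a password ending in NUL is not representable


def pap_access_request(ident: int, user: bytes, password: bytes, secret: bytes) -> bytes:
    req_auth = os.urandom(16)  # fresh per request; a reused value reuses the keystream
    hidden = hide_password(password, secret, req_auth)
    return packet(ACCESS_REQUEST, ident, req_auth, [attr(USER_NAME, user), attr(USER_PASSWORD, hidden)])


def pap_server(request: bytes, secret: bytes, users: dict[bytes, bytes]) -> int:
    """Return the reply Code, ACCESS_ACCEPT or ACCESS_REJECT: the PAP two-way handshake."""
    code, _ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    fields = dict(parse_attrs(request[20:]))
    try:
        supplied = reveal_password(fields[USER_PASSWORD], secret, request[4:20])
    except (KeyError, ValueError):
        return ACCESS_REJECT
    expected = users.get(fields.get(USER_NAME, b""))
    ok = expected is not None and hmac.compare_digest(supplied, expected)
    return ACCESS_ACCEPT if ok else ACCESS_REJECT


# EAP over RADIUS: one EAP packet may span several EAP-Message attributes.
def eap_to_attrs(eap: bytes) -> list[bytes]:
    return [attr(EAP_MESSAGE, eap[i:i + MAX_VALUE]) for i in range(0, len(eap), MAX_VALUE)]


def eap_from_packet(radius: bytes) -> tuple[bytes, bytes | None]:
    """Concatenate EAP-Message values in order and return (eap_packet, state). The client
    must echo State unchanged in its next Access-Request so the server finds the session."""
    attrs = parse_attrs(radius[20:])
    eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)
    state = next((v for t, v in attrs if t == STATE), None)
    if eap and (len(eap) < 4 or struct.unpack("!H", eap[2:4])[0] != len(eap)):
        raise ValueError("EAP Length field disagrees with the %d bytes reassembled" % len(eap))
    return eap, state
```

Two points the code makes visible. The User-Password attribute is only masked with an MD5 keystream derived from the shared secret and the Request Authenticator, so any party that holds the secret, or recovers it from captured traffic, reads every PAP password on the wire; that is why PAP over RADIUS belongs on a protected transport. And a fragmented EAP packet is only valid if the EAP-Message values are concatenated in wire order and the reassembled length matches the EAP header, which is the check a receiver should make before handing the bytes to the EAP method.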

B-5
ACS supports the full EAP infrastructure, including EAP type negotiation, message sequencing, and 
message retransmission. All protocols support fragmentation of large messages.
In ACS 5.3, you configure EAP methods for authentication as part of access service configuration. For 
more information about access services, see Chapter 3, “ACS 5.x Policy Model.”
EAP-MD5
This section contains the...

B-6
Overview of EAP-TLS
EAP-TLS is one of the methods in the EAP authentication framework, and is based on the 802.1X and 
EAP architecture. Components involved in the 802.1X and EAP authentication process are the: 
Host—The end entity, or end user’s machine.
AAA client—The network access point.
Authentication server—ACS. 
The EAP-TLS standard is described in:
RFC 2716—PPP EAP-TLS...

B-7
Using a third-party signature, usually from a CA, that verifies the information in a certificate. This 
third-party binding is similar to the real-world equivalent of the stamp on a passport.
You trust the passport because you trust the preparation and identity-checking that the particular 
country’s passport office made when creating that passport. You trust digital certificates by...

B-8
An anonymous Diffie-Hellman tunnel relates to the establishment of a completely anonymous tunnel 
between a client and a server for cases where none of the peers authenticates itself. ACS runtime 
supports anonymous Diffie-Hellman tunnels for EAP-FAST with a predefined prime and a predefined 
generator of two. There is no server authentication conducted within anonymous Diffie-Hellman...
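The property described above, shown as an added Python example rather than ACS code: an anonymous Diffie-Hellman exchange with generator 2 over a safe prime, the subgroup check a receiver should apply to a peer's public value, and an exchange in which a third party replaces both public values. Both endpoints complete the exchange with nothing to verify, which is what "no server authentication" means in practice. ACS uses a fixed predefined prime; this block instead derives a toy 64-bit prime from a seed so that it runs offline in milliseconds. The size is an illustration assumption, not a usable parameter.

```python
"""Anonymous Diffie-Hellman with generator 2 over a safe prime, and the man-in-the-middle
it cannot prevent. Added example, not ACS code: ACS uses a fixed predefined prime, whereas
this block generates a toy 64-bit one from a seed so that it runs quickly offline."""
from __future__ import annotations

import hashlib
import random

SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic for every 64-bit n


def is_probable_prime(n: int) -> bool:
    """Trial division by small primes, then Miller-Rabin with fixed bases."""
    if n < 2:
        return False
    for p in (2,) + SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits: int = 64, seed: int = 2024) -> int:
    """Return a safe prime p = 2q + 1 with p % 8 == 7, so that 2 generates the order-q
    subgroup (2 is a quadratic residue exactly when p is 1 or 7 mod 8)."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if p % 8 == 7 and is_probable_prime(q) and is_probable_prime(p):
            return p


def keypair(p: int, rng: random.Random) -> tuple[int, int]:
    """Private exponent x in [2, q), public value 2^x mod p."""
    x = rng.randrange(2, (p - 1) // 2)
    return x, pow(2, x, p)


def shared_key(p: int, peer_public: int, x: int) -> bytes:
    """Reject 0, 1, p-1 and anything outside the order-q subgroup before exponentiating.
    This blocks small-subgroup confinement; it does nothing against an active MITM."""
    q = (p - 1) // 2
    if not 1 < peer_public < p - 1 or pow(peer_public, q, p) != 1:
        raise ValueError("peer public value is not in the prime-order subgroup")
    secret = pow(peer_public, x, p).to_bytes((p.bit_length() + 7) // 8, "big")
    return hashlib.sha256(secret).digest()


def honest_exchange(p: int, seed: int = 1) -> bool:
    """Alice and Bob exchange public values directly and derive the same key."""
    rng = random.Random(seed)
    xa, ya = keypair(p, rng)
    xb, yb = keypair(p, rng)
    return shared_key(p, yb, xa) == shared_key(p, ya, xb)


def mitm_exchange(p: int, seed: int = 1) -> dict[str, bool]:
    """Mallory substitutes her own public value for both Alice's and Bob's. Every
    computation succeeds and nothing fails to verify, yet Alice and Bob share no key."""
    rng = random.Random(seed)
    xa, ya = keypair(p, rng)
    xb, yb = keypair(p, rng)
    xm, ym = keypair(p, rng)
    k_alice = shared_key(p, ym, xa)  # Alice believes ym is Bob's value
    k_bob = shared_key(p, ym, xb)    # Bob believes ym is Alice's value
    return {
        "alice_agrees_with_mallory": k_alice == shared_key(p, ya, xm),
        "bob_agrees_with_mallory": k_bob == shared_key(p, yb, xm),
        "alice_agrees_with_bob": k_alice == k_bob,
    }
```

The subgroup check in shared_key is the only validation an anonymous peer can do, and it protects against malformed values, not against an impostor; the mitm_exchange result shows both endpoints "succeeding" while agreeing keys with Mallory. Binding the anonymous tunnel to something authenticated afterwards is what stops this, which is the role the surrounding text assigns to the inner authentication.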

B-9
Fixed Management Certificates
ACS generates and uses self-signed certificates to identify various management protocols such as the 
Web browser, HTTPS, ActiveMQ, SSH, and SFTP.
Self-signed certificates are generated when ACS is installed and are maintained locally in files outside 
of the ACS database. You cannot modify or export these certificates. You can, however, assign imported...

B-10
Importing the ACS Server Certificate
When you manually import an ACS server certificate, you must supply the certificate file, the private 
key file, and the private key password used to decrypt the PKCS#12 private key. The certificate along 
with its private-key and private-key-password, is added to the Local Certificate store. For non-encrypted 
private-keys, the user supplied...