Cisco Acs 5x User Guide

Here you can view all the pages of manual Cisco Acs 5x User Guide. The Cisco manuals for Control System are available online for free. You can easily download all the documents as PDF.

Page 611

B-31
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Appendix B      Authentication in ACS 5.3
  CHAP
Windows Machine Authentication Against AD
EAP-MSCHAPv2 can be used for machine authentication. EAP-MSCHAPv2 Windows machine 
authentication is the same as user authentication. The difference is that you must use the Active 
Directory of a Windows domain, since a machine password can be generated automatically on the 
machine and the AD, as a function of time and other parameters. The...

Page 612

Certificate Attributes
ACS parses the following attributes of the client certificate:
Certificate serial-number (in binary format)
Encoded certificate (in binary DER format)
Subject’s CN attribute
Subject’s O attribute (Organization)
Subject’s OU attribute (Organization Unit)
Subject’s L attribute (Location)
Subject’s C attribute (Country)
Subject’s ST attribute (State...

Page 613

Rules Relating to Textual Attributes
ACS collects client certificate textual attributes and places them in the ACS context dictionary. ACS can apply any rule-based policy to these attributes, as with any other rule attributes in ACS.
The attributes that can be used for rule verification are:
Subject's CN attribute
Subject's O attribute (Organization)
Subject's OU attribute...

Page 614

For automatic downloading, you define how long before the CRL file expires ACS should download it. The CRL expiration time is taken from the CRL nextUpdate field.
For both modes, if the download fails, you can define the amount of time that ACS waits before trying to download the CRL file again.
ACS verifies that the downloaded CRL file is signed...

Page 615

Note: Microsoft PEAP clients may also initiate machine authentication whenever a user logs off. This feature 
prepares the network connection for the next user login. Microsoft PEAP clients may also initiate 
machine authentication when a user shuts down or restarts the computer rather than just logging off.
ACS supports EAP-TLS,...

Page 616

Table B-5 specifies EAP authentication protocol support.
Table B-5 EAP Authentication Protocol and User Database Compatibility
Identity Store EAP-MD5 EAP-TLS1
1. In EAP-TLS authentication, the user is authenticated by cryptographic validation of the certificate. Additionally, ACS 5.3 
optionally allows a binary comparison of the...

Page 617

Appendix C
Open Source License Acknowledgments
See http://www.cisco.com/en/US/products/ps9911/products_licensing_information_listing.html for all 
the Open Source and Third Party Licenses used in Cisco Secure Access Control System, 5.3.
Notices
The following notices pertain to this software license.
OpenSSL/Open SSL Project
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit...

Page 618

4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote 
products derived from this software without prior written permission. For written permission, please 
contact [email protected].
5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in 
their names without prior written permission of the...

Page 619

4. If you include any Windows specific code (or a derivative thereof) from the apps directory 
(application code) you must include an acknowledgement: “This product includes software written 
by Tim Hudson ([email protected])”.
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED 
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF...
