Cisco 3.3 User Manual

Chapter 10 System Configuration: Authentication and Certificates

Global Authentication Setup

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

LEAP—The Allow LEAP (For Aironet only) check box controls whether
Cisco Secure ACS performs LEAP authentication. LEAP is currently used
only for Cisco Aironet wireless networking. If you disable this option, Cisco
Aironet end-user clients configured to perform LEAP authentication cannot
access the network. If all Cisco Aironet end-user clients use a different
authentication protocol, such as EAP-TLS, we recommend that you disable
this option.

Note

If users access your network using a AAA client defined in the
Network Configuration section as a RADIUS (Cisco Aironet) device,
either LEAP, EAP-TLS, or both must be enabled on the Global
Authentication Setup page; otherwise, Cisco Aironet users cannot
authenticate.

EAP-MD5—The Allow EAP-MD5 check box controls whether Cisco Secure
ACS performs EAP-MD5 authentication. If you disable this option, end-user
clients configured to perform EAP-MD5 authentication cannot access the
network. If no end-user clients use EAP-MD5, we recommend that you
disable this option.

AP EAP request timeout (seconds)—Specifies whether Cisco Secure ACS instructs
Cisco Aironet Access Points (APs) to use the specified timeout value during
EAP conversations. The value specified must be the number of seconds after
which Cisco Aironet APs should assume that an EAP transaction with
Cisco Secure ACS has been lost and should be restarted. A value of 0 (zero)
disables this feature.

During EAP conversations, Cisco Secure ACS sends the value defined in the
AP EAP request timeout box using the IETF RADIUS Session-Timeout (27)
attribute; however, in the RADIUS Access-Accept packet at the end of the
conversation, the value that Cisco Secure ACS sends in the IETF RADIUS
Session-Timeout (27) attribute is the value specified in the Cisco Aironet
RADIUS VSA Cisco-Aironet-Session-Timeout (01) or, if that attribute is not
enabled, the IETF RADIUS Session-Timeout (27) attribute.
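
The following is an added example, not part of the Cisco guide: a small parser that reads the IETF RADIUS Session-Timeout (27) attribute from a captured packet and interprets it by packet type, matching the behavior described above. The sample packets and the values 20 and 3600 are constructed for illustration; packet codes and attribute layout follow RFC 2865.

```python
import struct

# RADIUS packet codes and attribute type (RFC 2865)
ACCESS_ACCEPT, ACCESS_CHALLENGE = 2, 11
SESSION_TIMEOUT = 27

def build_packet(code, ident, attrs):
    """Build a RADIUS packet (constructed sample input; authenticator zeroed)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), b"\x00" * 16) + body

def session_timeout(packet):
    """Return (code, Session-Timeout seconds or None) with strict length checks."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    pos, value = 20, None
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        if atype == SESSION_TIMEOUT:
            if alen != 6:
                raise ValueError("Session-Timeout must carry a 4-byte integer")
            value = struct.unpack("!I", packet[pos + 2:pos + 6])[0]
        pos += alen
    return code, value

def describe(packet):
    """Interpret attribute 27 according to the packet it arrived in."""
    code, secs = session_timeout(packet)
    if secs is None:
        return "no Session-Timeout"
    if code == ACCESS_CHALLENGE:
        return f"AP EAP request timeout: {secs}s"
    if code == ACCESS_ACCEPT:
        return f"user session timeout: {secs}s"
    return f"Session-Timeout {secs}s in unexpected packet code {code}"

# Constructed samples: mid-conversation challenge (with State, type 24), then final accept.
CHALLENGE = build_packet(ACCESS_CHALLENGE, 7, [(24, b"state"), (27, struct.pack("!I", 20))])
ACCEPT = build_packet(ACCESS_ACCEPT, 8, [(27, struct.pack("!I", 3600))])

if __name__ == "__main__":
    print(describe(CHALLENGE))
    print(describe(ACCEPT))
```
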