beautypg.com

Configuring authentication options, S, see, Configuring authentication – Cisco 3.3 User Manual

Page 413

background image

10-33

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 10 System Configuration: Authentication and Certificates

Global Authentication Setup

Note

Cisco Aironet RADIUS VSA Cisco-Aironet-Session-Timeout (01) is
not a true RADIUS VSA; instead, it represents the value that
Cisco Secure ACS sends in the IETF RADIUS Session-Timeout
attribute when the AAA client sending the RADIUS request is
defined in the Network Configuration as authenticating with
RADIUS (Cisco Aironet).

MS-CHAP Configuration—The Allow MS-CHAP Version 1 Authentication
and Allow MS-CHAP Version 2 Authentication check boxes control whether
Cisco Secure ACS performs MS-CHAP authentication for RADIUS requests.
The two check boxes allow you to further control which versions of
MS-CHAP are permitted in RADIUS requests. If you disable a particular
version of MS-CHAP, end-user clients configured to authenticate with that
version using RADIUS cannot access the network. If no end-user clients are
configured to use a specific version of MS-CHAP with RADIUS, we
recommend that you disable that version of MS-CHAP.

Note

For TACACS+, Cisco Secure ACS supports only MS-CHAP version
1. TACACS+ support for MS-CHAP version 1 is always enabled and
is not configurable.

Configuring Authentication Options

Use this procedure to select and configure how Cisco Secure ACS handles options
for authentication. In particular, use this procedure to specify and configure the
varieties of EAP that you allow, and to specify whether you allow either
MS-CHAP Version 1 or MS-CHAP Version 2, or both.

For more information on the EAP-TLS Protocol, see

EAP-TLS Authentication,

page 10-2

. For more information on the PEAP protocol, see

PEAP

Authentication, page 10-8

. For more information on the PEAP protocol, see

EAP-FAST Authentication, page 10-13

. For details regarding how various

password protocols are supported by the various databases, see

Authentication

Protocol-Database Compatibility, page 1-10

.