Configuring authentication options, S, see, Configuring authentication – Cisco 3.3 User Manual
Page 413
10-33
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 10 System Configuration: Authentication and Certificates
Global Authentication Setup
Note
Cisco Aironet RADIUS VSA Cisco-Aironet-Session-Timeout (01) is
not a true RADIUS VSA; instead, it represents the value that
Cisco Secure ACS sends in the IETF RADIUS Session-Timeout
attribute when the AAA client sending the RADIUS request is
defined in the Network Configuration as authenticating with
RADIUS (Cisco Aironet).
•
MS-CHAP Configuration—The Allow MS-CHAP Version 1 Authentication
and Allow MS-CHAP Version 2 Authentication check boxes control whether
Cisco Secure ACS performs MS-CHAP authentication for RADIUS requests.
The two check boxes allow you to further control which versions of
MS-CHAP are permitted in RADIUS requests. If you disable a particular
version of MS-CHAP, end-user clients configured to authenticate with that
version using RADIUS cannot access the network. If no end-user clients are
configured to use a specific version of MS-CHAP with RADIUS, we
recommend that you disable that version of MS-CHAP.
Note
For TACACS+, Cisco Secure ACS supports only MS-CHAP version
1. TACACS+ support for MS-CHAP version 1 is always enabled and
is not configurable.
Configuring Authentication Options
Use this procedure to select and configure how Cisco Secure ACS handles options
for authentication. In particular, use this procedure to specify and configure the
varieties of EAP that you allow, and to specify whether you allow either
MS-CHAP Version 1 or MS-CHAP Version 2, or both.
For more information on the EAP-TLS Protocol, see
. For more information on the PEAP protocol, see
. For more information on the PEAP protocol, see
EAP-FAST Authentication, page 10-13
. For details regarding how various
password protocols are supported by the various databases, see