Comparing pap, chap, and arap – Cisco 3.3 User Manual
Page 52
Chapter 1 Overview
AAA Server Functions and Concepts
1-12
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
•
PEAP(EAP-GTC)
•
PEAP(EAP-MSCHAPv2)
•
EAP-FAST
•
ARAP
Passwords can be processed using these password authentication protocols based
on the version and type of security control protocol used (for example, RADIUS
or TACACS+) and the configuration of the AAA client and end-user client. The
following sections outline the different conditions and functions of password
handling.
In the case of token servers, Cisco Secure ACS acts as a client to the token server,
using either its proprietary API or its RADIUS interface, depending on the token
server. For more information, see
About Token Servers and Cisco Secure ACS,
Different levels of security can be concurrently used with Cisco Secure ACS for
different requirements. The basic user-to-network security level is PAP. Although
it represents the unencrypted security, PAP does offer convenience and simplicity
for the client. PAP allows authentication against the Windows database. With this
configuration, users need to log in only once. CHAP allows a higher level of
security for encrypting passwords when communicating from an end-user client
to the AAA client. You can use CHAP with the CiscoSecure user database. ARAP
support is included to support Apple clients.
Comparing PAP, CHAP, and ARAP
PAP, CHAP, and ARAP are authentication protocols used to encrypt passwords.
However, each protocol provides a different level of security.
•
PAP—Uses clear-text passwords (that is, unencrypted passwords) and is the
least sophisticated authentication protocol. If you are using the Windows user
database to authenticate users, you must use PAP password encryption or
MS-CHAP.
•
CHAP—Uses a challenge-response mechanism with one-way encryption on
the response. CHAP enables Cisco Secure ACS to negotiate downward from
the most secure to the least secure encryption mechanism, and it protects
passwords transmitted in the process. CHAP passwords are reusable. If you
are using the CiscoSecure user database for authentication, you can use either
PAP or CHAP. CHAP does not work with the Windows user database.