MS-CHAP, EAP Support – Cisco 3.3 User Manual
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 1 Overview
AAA Server Functions and Concepts
• ARAP—Uses a two-way challenge-response mechanism. The AAA client
  challenges the end-user client to authenticate itself, and the end-user client
  challenges the AAA client to authenticate itself.
MS-CHAP
Cisco Secure ACS supports Microsoft Challenge-Handshake Authentication
Protocol (MS-CHAP) for user authentication. Differences between MS-CHAP
and standard CHAP are the following:
• The MS-CHAP Response packet is in a format compatible with Microsoft
  Windows and LAN Manager 2.x. The MS-CHAP format does not require the
  authenticator to store a clear-text or reversibly encrypted password.
• MS-CHAP provides an authentication-retry mechanism controlled by the
  authenticator.
• MS-CHAP provides additional failure codes in the Failure packet Message
  field.
For more information on MS-CHAP, refer to RFC
draft-ietf-pppext-mschap-00.txt, RADIUS Attributes for MS-CHAP Support.
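The storage point in the first bullet is easier to see from the standard CHAP side. The following is an added example, not taken from the Cisco guide: it computes the RFC 1994 CHAP response, MD5(Identifier || secret || Challenge), and shows that an authenticator holding only a one-way hash of the password cannot check it. The class name, user name and password are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Authenticator side of standard CHAP (hypothetical helper class)."""

    def __init__(self, user_db):
        # username -> the value this authenticator has stored for the user
        self.user_db = user_db

    def new_challenge(self):
        # One-octet Identifier plus a fresh random Challenge value.
        return os.urandom(1)[0], os.urandom(16)

    def verify(self, user, identifier, challenge, response):
        stored = self.user_db.get(user)
        if stored is None:
            return False
        # The stored value is fed straight into MD5 as the secret, so it
        # must be exactly the secret the peer typed in.
        expected = chap_response(identifier, stored, challenge)
        return hmac.compare_digest(expected, response)


def demo():
    password = b"constructed-sample-password"  # constructed sample value

    # Authenticator that keeps the clear-text secret: verification works.
    clear = ChapAuthenticator({"alice": password})
    ident, chal = clear.new_challenge()
    resp = chap_response(ident, password, chal)  # computed by the peer
    ok_clear = clear.verify("alice", ident, chal, resp)

    # Authenticator that kept only a one-way hash: the same valid response
    # cannot be verified, because the original secret is not recoverable.
    hashed = ChapAuthenticator({"alice": hashlib.sha256(password).digest()})
    ok_hashed = hashed.verify("alice", ident, chal, resp)

    # A fresh challenge invalidates the old response (replay check).
    ident2, chal2 = clear.new_challenge()
    ok_replay = clear.verify("alice", ident2, chal2, resp)
    return ok_clear, ok_hashed, ok_replay
```

`demo()` returns whether each of the three verifications succeeded, in the order clear-text store, hashed store, replayed response.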
EAP Support
The Extensible Authentication Protocol (EAP), based on IETF 802.1x, is an
end-to-end framework that allows the creation of authentication types without
changing AAA client configurations. For more information about EAP, go to
Cisco Secure ACS supports the following varieties of EAP:
• EAP-MD5—An EAP protocol that does not support mutual authentication.
• EAP-TLS—EAP incorporating Transport Layer Security. For more
  information, see and EAP-TLS Authentication, page 10-2
• LEAP—An EAP protocol used by Cisco Aironet wireless equipment; it
  supports mutual authentication.
• PEAP—Protected EAP, which is implemented with EAP-Generic Token
  Card (GTC) and EAP-MSCHAPv2 protocols. For more information, see