beautypg.com

Basic password configurations, Advanced password configurations – Cisco 3.3 User Manual

Page 54

background image

Chapter 1 Overview

AAA Server Functions and Concepts

1-14

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

EAP-FAST—EAP Flexible Authentication via Secured Tunnel
(EAP-FAST), a faster means of encrypting EAP authentication, supports
EAP-GTC authentication. For more information, see

EAP-FAST

Authentication, page 10-13

.

The architecture of Cisco Secure ACS is extensible with regard to EAP; additional
varieties of EAP will be supported as those protocols mature.

Basic Password Configurations

There are several basic password configurations:

Note

These configurations are all classed as inbound authentication.

Single password for ASCII/PAP/CHAP/MS-CHAP/ARAP—This is the
most convenient method for both the administrator when setting up accounts
and the user when obtaining authentication. However, because the CHAP
password is the same as the PAP password, and the PAP password is
transmitted in clear text during an ASCII/PAP login, there is the chance that
the CHAP password can be compromised.

Separate passwords for ASCII/PAP and CHAP/MS-CHAP/ARAP—For a
higher level of security, users can be given two separate passwords. If the
ASCII/PAP password is compromised, the CHAP/ARAP password can
remain secure.

External user database authentication—For authentication by an external
user database, the user does not need a password stored in the CiscoSecure
user database. Instead, Cisco Secure ACS records which external user
database it should query to authenticate the user.

Advanced Password Configurations

Cisco Secure ACS supports the following advanced password configurations:

Inbound passwords—Passwords used by most Cisco Secure ACS users.
These are supported by both the TACACS+ and RADIUS protocols. They are
held internally to the CiscoSecure user database and are not usually given up
to an external source if an outbound password has been configured.