Basic password configurations, Advanced password configurations – Cisco 3.3 User Manual
Page 54
Chapter 1 Overview
AAA Server Functions and Concepts
1-14
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
•
EAP-FAST—EAP Flexible Authentication via Secured Tunnel
(EAP-FAST), a faster means of encrypting EAP authentication, supports
EAP-GTC authentication. For more information, see
.
The architecture of Cisco Secure ACS is extensible with regard to EAP; additional
varieties of EAP will be supported as those protocols mature.
Basic Password Configurations
There are several basic password configurations:
Note
These configurations are all classed as inbound authentication.
•
Single password for ASCII/PAP/CHAP/MS-CHAP/ARAP—This is the
most convenient method for both the administrator when setting up accounts
and the user when obtaining authentication. However, because the CHAP
password is the same as the PAP password, and the PAP password is
transmitted in clear text during an ASCII/PAP login, there is the chance that
the CHAP password can be compromised.
•
Separate passwords for ASCII/PAP and CHAP/MS-CHAP/ARAP—For a
higher level of security, users can be given two separate passwords. If the
ASCII/PAP password is compromised, the CHAP/ARAP password can
remain secure.
•
External user database authentication—For authentication by an external
user database, the user does not need a password stored in the CiscoSecure
user database. Instead, Cisco Secure ACS records which external user
database it should query to authenticate the user.
Advanced Password Configurations
Cisco Secure ACS supports the following advanced password configurations:
•
Inbound passwords—Passwords used by most Cisco Secure ACS users.
These are supported by both the TACACS+ and RADIUS protocols. They are
held internally to the CiscoSecure user database and are not usually given up
to an external source if an outbound password has been configured.