Leap proxy radius server database, Leap proxy – Cisco 3.3 User Manual
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 13 User Databases
LEAP Proxy RADIUS Server Database
For Cisco Secure ACS-authenticated users accessing your network via Cisco
Aironet devices, Cisco Secure ACS supports ASCII, PAP, MS-CHAP (versions 1
and 2), LEAP, and EAP-FAST (phase zero and phase two) authentication with a
proxy RADIUS server. Other authentication protocols are not supported with
LEAP Proxy RADIUS Server databases.
Note
Authentication protocols not supported with LEAP Proxy RADIUS Server
databases may be supported by another type of external user database. For more
information about authentication protocols and the external database types that
support them, see Authentication Protocol-Database Compatibility, page 1-10.
Cisco Secure ACS uses MS-CHAP version 1 for LEAP Proxy RADIUS Server
authentication. To manage your proxy RADIUS database, refer to your RADIUS
database documentation.
Lightweight Extensible Authentication Protocol (LEAP) proxy RADIUS server
authentication allows you to authenticate users against existing Kerberos
databases that support MS-CHAP authentication. You can use the LEAP Proxy
RADIUS Server database to authenticate users with any third-party RADIUS
server that supports MS-CHAP authentication.
Note
The third-party RADIUS server must return Microsoft Point-to-Point Encryption
(MPPE) keys in the Microsoft RADIUS vendor-specific attribute (VSA)
MSCHAP-MPPE-Keys (VSA 12). If the third-party RADIUS server does not
return the MPPE keys, the authentication fails and is logged in the Failed
Attempts log.
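When a failure of this kind shows up in the Failed Attempts log, one way to confirm the cause is to check a captured Access-Accept from the third-party server for the attribute. The following is an added example, not code from the Cisco guide: it assumes the standard RADIUS attribute layout (RFC 2865) and the Microsoft vendor ID 311 (RFC 2548); the function names are hypothetical and the sample packets are built by the test helpers, not captured.

```python
import struct

ACCESS_ACCEPT = 2          # RADIUS code for Access-Accept (RFC 2865)
VENDOR_SPECIFIC = 26       # attribute type that carries VSAs (RFC 2865)
MICROSOFT_VENDOR_ID = 311  # assumption from RFC 2548, not stated on the page
MSCHAP_MPPE_KEYS = 12      # VSA 12, as named in the note above


def iter_vsas(packet: bytes):
    """Yield (vendor_id, vendor_type, value) for each VSA sub-attribute."""
    length = int.from_bytes(packet[2:4], "big")  # 0 if the header is cut short
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS header or length field")
    pos = 20  # attributes start after code, id, length and authenticator
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + a_len]
        pos += a_len
        if a_type != VENDOR_SPECIFIC or len(value) < 4:
            continue
        vendor_id = int.from_bytes(value[:4], "big")
        sub = value[4:]
        while len(sub) >= 2:
            v_type, v_len = sub[0], sub[1]
            if v_len < 2 or v_len > len(sub):
                break  # malformed sub-attribute: stop parsing this VSA
            yield vendor_id, v_type, sub[2:v_len]
            sub = sub[v_len:]


def accept_has_mppe_keys(packet: bytes) -> bool:
    """True only for an Access-Accept carrying a non-empty Microsoft VSA 12."""
    if not packet or packet[0] != ACCESS_ACCEPT:
        return False
    return any(vid == MICROSOFT_VENDOR_ID and vt == MSCHAP_MPPE_KEYS and val
               for vid, vt, val in iter_vsas(packet))


def build_packet(code: int, attrs: bytes) -> bytes:
    """Constructed sample packet: zeroed authenticator, no real key material."""
    return struct.pack("!BBH", code, 1, 20 + len(attrs)) + bytes(16) + attrs


def vsa(vendor_id: int, v_type: int, data: bytes) -> bytes:
    body = struct.pack("!I", vendor_id) + bytes([v_type, len(data) + 2]) + data
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body
```

The check only confirms that the attribute is present in the reply; it does not decrypt or validate the key material.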
Cisco Secure ACS supports RADIUS-based group specification for users
authenticated by LEAP Proxy RADIUS Server databases. RADIUS-based group
specification overrides group mapping. For more information, see
RADIUS-Based Group Specification, page 16-14.
Cisco Secure ACS supports group mapping for unknown users authenticated by
LEAP Proxy RADIUS Server databases. Group mapping is only applied to an
unknown user if RADIUS-based group specification did not occur. For more
information about group mapping users authenticated by a LEAP Proxy RADIUS
Server database, see