Chapter 1    Overview of Cisco Secure ACS
AAA Server Functions and Concepts
User Guide for Cisco Secure ACS for Windows Server, 78-14696-01, Version 3.1, page 1-12

MS-CHAP

Cisco Secure ACS supports Microsoft Challenge-Handshake Authentication
Protocol (MS-CHAP) for user authentication. Differences between MS-CHAP
and standard CHAP are the following:

• The MS-CHAP Response packet is in a format compatible with Microsoft
  Windows NT/2000, Windows 95/98/ME/XP, and LAN Manager 2.x. The
  MS-CHAP format does not require the authenticator to store a clear-text or
  reversibly encrypted password.
• MS-CHAP provides an authentication-retry mechanism controlled by the
  authenticator.
• MS-CHAP provides additional failure codes in the Failure packet Message
  field.

For more information on MS-CHAP, refer to RFC
draft-ietf-pppext-mschap-00.txt, RADIUS Attributes for MS-CHAP Support.

EAP Support

The Extensible Authentication Protocol (EAP), based on the IETF 802.1x, is an
end-to-end framework that allows the creation of authentication types without the
necessity of changing the implementation of the AAA clients. For more
information about EAP, go to PPP Extensible Authentication Protocol (EAP) RFC
2284.

Cisco Secure ACS supports the following varieties of EAP:

• EAP-MD5—An EAP protocol that does not support mutual authentication.
• EAP-TLS—EAP incorporating Transport Layer Security. For more
  information, see EAP-TLS Deployment Guide for Wireless LAN Networks
  and About the EAP-TLS Protocol, page 8-70.
• LEAP—A Network-EAP protocol that supports mutual authentication.
• PEAP—Protected EAP, which is implemented with EAP-Generic Token
  Card (GTC). For more information, see About the PEAP Protocol, page 8-72.

The architecture of Cisco Secure ACS is extensible with regard to EAP;
additional varieties of EAP will be supported as those protocols mature.
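
The EAP varieties listed above can be told apart on the wire by the Type octet of an EAP Request or Response. The following is an added example, not code from the Cisco guide or from Cisco Secure ACS: it parses the RFC 2284 packet header and flags exchanges that use a method this page describes as lacking mutual authentication. The type numbers are the IANA assignments; the function names and the sample packets are constructed for illustration.

```python
import struct

CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# IANA EAP method type numbers for the varieties listed on this page.
# Second field: mutual authentication as stated on this page (None = not stated).
METHODS = {
    4: ("EAP-MD5", False),
    13: ("EAP-TLS", None),
    17: ("LEAP", True),
    25: ("PEAP", None),
}


def parse_eap(packet: bytes) -> dict:
    """Parse one EAP packet (RFC 2284 layout) and name its method."""
    if len(packet) < 4:
        raise ValueError("EAP header is 4 bytes: code, identifier, length")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(packet):
        raise ValueError("length field does not match the captured bytes")
    info = {"code": CODES[code], "id": ident, "method": None, "mutual_auth": None}
    # Only Request and Response carry a Type octet; Success and Failure do not.
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response without a Type octet")
        name, mutual = METHODS.get(packet[4], (f"type {packet[4]}", None))
        info.update(method=name, mutual_auth=mutual)
    return info


def one_way_only(packets) -> list:
    """Identifiers of packets whose method the page marks as lacking mutual authentication."""
    return [p["id"] for p in map(parse_eap, packets) if p["mutual_auth"] is False]


# Constructed sample packets (not captured traffic).
SAMPLES = [
    bytes([1, 7, 0, 22, 4, 16]) + bytes(16),  # Request, MD5-Challenge, 16-byte challenge
    bytes([1, 8, 0, 6, 13, 0x20]),            # Request, EAP-TLS with the Start flag set
    bytes([3, 8, 0, 4]),                      # Success (no Type octet)
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(parse_eap(pkt))
    print("no mutual authentication:", one_way_only(SAMPLES))
```

Run against packets extracted from RADIUS EAP-Message attributes or 802.1X frames, the same check shows which clients are still negotiating EAP-MD5.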