Note

Whereas authentication may be determined via external sources, authorization privileges are only granted via the Cisco Secure ACS group to which the user is assigned.

The databases supported by Cisco Secure ACS support multiple password protocols. Tables 9-2 and 9-3 list the database types and the Extensible Authentication Protocol (EAP) and non-EAP password protocols each database supports.

Table 9-2. Non-EAP Authentication Protocol and User Database Compatibility

| Database | ASCII/PAP | CHAP | ARAP | MS-CHAP v.1 | MS-CHAP v.2 |
|---|---|---|---|---|---|
| Cisco Secure ACS | Yes | Yes | Yes | Yes | Yes |
| Windows SAM | Yes | No | No | Yes | Yes |
| Windows AD | Yes | No | No | Yes | Yes |
| LDAP | Yes | No | No | No | No |
| Novell NDS | Yes | No | No | No | No |
| ODBC | Yes | Yes | Yes | Yes | Yes |
| LEAP proxy RADIUS server | Yes | No | No | Yes | Yes |
| All token servers | Yes | No | No | No | No |

Table 9-3. EAP Authentication Protocol and User Database Compatibility

| Database | LEAP | EAP-MD5 | EAP-TLS | PEAP (EAP-MSCHAPv2) | PEAP (EAP-GTC) | EAP-FAST Phase Zero | EAP-FAST Phase Two |
|---|---|---|---|---|---|---|---|
| Cisco Secure ACS | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Windows SAM | Yes | No | No | Yes | Yes | Yes | Yes |
| Windows AD | Yes | No | Yes | Yes | Yes | Yes | Yes |
| LDAP | No | No | Yes | No | Yes | No | Yes |
| Novell NDS | No | No | No | No | Yes | No | Yes |
| ODBC | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| LEAP proxy RADIUS server | Yes | No | No | Yes | Yes | Yes | Yes |
| All token servers | No | No | No | No | Yes | No | No |

The following sections describe the user authentication process for the Cisco Secure internal and external database mechanisms: the internal Cisco Secure user database, Windows NT/2000, generic LDAP, and third-party token servers. For information regarding other ACS user database capabilities, such as ODBC and NDS, visit Cisco.com.
