Configuring Authentication Options - Cisco 3.3 User Manual

Chapter 10 System Configuration: Authentication and Certificates

Configuring Authentication Options

78-16592-01
Cisco Aironet RADIUS VSA Cisco-Aironet-Session-Timeout (01) is
Note
not a true RADIUS VSA; instead, it represents the value that
Cisco Secure ACS sends in the IETF RADIUS Session-Timeout
attribute when the AAA client sending the RADIUS request is
defined in the Network Configuration as authenticating with
RADIUS (Cisco Aironet).
MS-CHAP Configuration—The Allow MS-CHAP Version 1 Authentication
•
and Allow MS-CHAP Version 2 Authentication check boxes control whether
Cisco Secure ACS performs MS-CHAP authentication for RADIUS requests.
The two check boxes allow you to further control which versions of
MS-CHAP are permitted in RADIUS requests. If you disable a particular
version of MS-CHAP, end-user clients configured to authenticate with that
version using RADIUS cannot access the network. If no end-user clients are
configured to use a specific version of MS-CHAP with RADIUS, we
recommend that you disable that version of MS-CHAP.
For TACACS+, Cisco Secure ACS supports only MS-CHAP version
Note
1. TACACS+ support for MS-CHAP version 1 is always enabled and
is not configurable.
Use this procedure to select and configure how Cisco Secure ACS handles options
for authentication. In particular, use this procedure to specify and configure the
varieties of EAP that you allow, and to specify whether you allow either
MS-CHAP Version 1 or MS-CHAP Version 2, or both.
For more information on the EAP-TLS Protocol, see
page 10-2. For more information on the PEAP protocol, see
Authentication, page 10-8. For more information on the PEAP protocol, see
EAP-FAST Authentication, page
password protocols are supported by the various databases, see
Protocol-Database Compatibility, page
10-13. For details regarding how various
1-10.
User Guide for Cisco Secure ACS for Windows Server
Global Authentication Setup
EAP-TLS Authentication,
PEAP
Authentication
10-33