Network Access (RADIUS with and without EAP) - NetwaxLab


Friday, November 14, 2014

Network Access (RADIUS with and without EAP)



For network access, a host connects to the network device and requests to use network resources. The network device identifies the newly connected host, and, using the RADIUS protocol as a transport mechanism, requests ACS to authenticate and authorize the user.
ACS 5.1 supports the following categories of network access flows, depending on the protocol that is transported over the RADIUS protocol:
RADIUS-based protocols that do not include EAP:
    PAP
    CHAP
    MSCHAPv1
    MSCHAPv2
For more information on RADIUS-based protocols that do not include EAP, see RADIUS-Based Flow Without EAP Authentication.
EAP family of protocols transported over RADIUS, which can be further classified as:
    Simple EAP protocols that do not use certificates:
        EAP-MD5
        LEAP
    EAP protocols that involve a TLS handshake and in which the client uses the ACS server certificate to perform server authentication:
        PEAP, using one of the following inner methods: PEAP/EAP-MSCHAPv2 and PEAP/EAP-GTC
        EAP-FAST, using one of the following inner methods: EAP-FAST/EAP-MSCHAPv2 and EAP-FAST/EAP-GTC
    EAP protocols that are fully certificate-based, in which the TLS handshake uses certificates for both server and client authentication:
        EAP-TLS
For more information on RADIUS-based flows with EAP authentication, see RADIUS-Based Flows with EAP Authentication.

RADIUS-Based Flow Without EAP Authentication

This section describes the RADIUS-based workflow without EAP authentication.
For RADIUS with PAP authentication:
1. A host connects to a network device.
2. The network device sends a RADIUS Access-Request to ACS, containing RADIUS attributes appropriate to the specific protocol that is being used (PAP, CHAP, MSCHAPv1, or MSCHAPv2).
3. ACS uses an identity store to validate the user's credentials.
4. The RADIUS response (Access-Accept or Access-Reject) is sent to the network device that will apply the decision.


Figure A-2 RADIUS-Based Flow Without EAP Authentication


RADIUS-Based Flows with EAP Authentication

EAP provides an extensible framework that supports a variety of authentication types. Among them, the specific EAP methods supported by ACS are:
Simple EAP methods that do not use certificates:
    EAP-MD5
    LEAP
EAP methods in which the client uses the ACS server certificate to perform server authentication:
    PEAP/EAP-MSCHAPv2
    PEAP/EAP-GTC
    EAP-FAST/EAP-MSCHAPv2
    EAP-FAST/EAP-GTC
EAP methods that use certificates for both server and client authentication:
    EAP-TLS
Whenever EAP is involved in the authentication process, it is preceded by an EAP negotiation phase to determine which specific EAP method (and inner method, if applicable) should be used.
For all EAP authentications:
1. A host connects to a network device.
2. The network device sends an EAP Request to the host.
3. The host replies with an EAP Response to the network device.
4. The network device encapsulates the EAP Response that it received from the host into a RADIUS Access-Request (using the EAP-Message RADIUS attribute) and sends the RADIUS Access-Request to ACS.
5. ACS extracts the EAP Response from the RADIUS packet and creates a new EAP Request, encapsulates it into a RADIUS Access-Challenge (again, using the EAP-Message RADIUS attribute), and sends it to the network device.
6. The network device extracts the EAP Request and sends it to the host.
In this way, the host and ACS indirectly exchange EAP messages (transported over RADIUS and passed through the network device). The initial set of EAP messages that are exchanged in this manner negotiate the specific EAP method that will subsequently be used to perform the authentication.
The EAP messages that are subsequently exchanged are then used to carry the data needed to perform the actual authentication. If required by the specific EAP authentication method that is negotiated, ACS uses an identity store to validate the user's credentials.
After ACS determines whether the authentication should pass or fail, it sends either an EAP-Success or EAP-Failure message, encapsulated into a RADIUS Access-Accept or Access-Reject message to the network device (and ultimately also to the host).
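As an added example (not part of the ACS documentation reproduced here), the following Python builds the step 4 Access-Request and step 5 Access-Challenge that carry EAP inside EAP-Message attributes, and shows the check the server side should perform before acting on them: verifying the Message-Authenticator (HMAC-MD5 with the shared secret, which RFC 3579 requires whenever EAP-Message is present) and reassembling an EAP packet that was split across several attributes. The shared secret, identifiers and attribute values are constructed for illustration.

```python
import hashlib, hmac, struct

# RADIUS codes and attribute types (RFC 2865, RFC 3579); EAP codes and types (RFC 3748; PEAP is type 25)
ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80
EAP_REQUEST, EAP_RESPONSE, EAP_IDENTITY, EAP_PEAP = 1, 2, 1, 25

def eap_packet(code, ident, eap_type, data=b""):
    """EAP header is Code(1) Identifier(1) Length(2), followed by Type(1) and type-data."""
    return struct.pack("!BBH", code, ident, 5 + len(data)) + bytes([eap_type]) + data

def eap_message_attrs(eap):
    """An attribute value holds at most 253 bytes, so a longer EAP packet spans several EAP-Message attributes."""
    return [(EAP_MESSAGE, eap[i:i + 253]) for i in range(0, len(eap), 253)]

def radius_packet(code, ident, req_auth, attrs, secret):
    """Encapsulate attrs (steps 4 and 5 above) and sign with Message-Authenticator:
    HMAC-MD5(secret) over the packet with the attribute's value zeroed. For a reply
    the header holds the Request Authenticator while the HMAC is computed."""
    attrs = attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    pkt = struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body
    pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    if code != ACCESS_REQUEST:  # Response Authenticator = MD5(reply carrying req_auth || secret)
        pkt = pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]
    return pkt

def parse_radius(pkt, secret, req_auth=None):
    """ACS-side check: verify Message-Authenticator (required whenever EAP-Message is
    present) before trusting any attribute, then reassemble the EAP packet from its
    fragments. For a reply, req_auth is the matching Access-Request's authenticator."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, pos, ma_pos = [], 20, None
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("bad attribute length")
        t, ln = pkt[pos], pkt[pos + 1]
        if t == MESSAGE_AUTHENTICATOR and ln == 18:
            ma_pos = pos + 2
        attrs.append((t, pkt[pos + 2:pos + ln]))
        pos += ln
    if ma_pos is None:
        raise ValueError("missing Message-Authenticator: reject, do not process EAP-Message")
    auth = req_auth if req_auth is not None else pkt[4:20]
    unsigned = pkt[:4] + auth + pkt[20:ma_pos] + bytes(16) + pkt[ma_pos + 16:]
    if not hmac.compare_digest(hmac.new(secret, unsigned, hashlib.md5).digest(), pkt[ma_pos:ma_pos + 16]):
        raise ValueError("Message-Authenticator mismatch: wrong secret or tampered packet")
    return code, ident, b"".join(v for t, v in attrs if t == EAP_MESSAGE)
```

A NAS that omits Message-Authenticator on EAP traffic, or a packet whose HMAC does not verify, should be rejected and logged rather than passed to the EAP state machine.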




Figure A-3 RADIUS-Based Authentication with EAP


