You can use this table (http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/o.html#wp824733) to check compatibility between the authentication method and the external database. It's important to remember that not all authentication types are supported on all external databases, generally due to how the password is sent within the authentication method and the way it's stored in the external DB (nothing ACS can do about it). You can't, for example, use CHAP against a Windows back-end, as the two are stored differently and can't be compared.
Thanks for the answer; I'm just thinking about using PEAP (EAP-GTC), which should be compatible, instead of PEAP (MSCHAP), and doesn't require any CA server.
Do you know anything about this kind of authentication? I read about it, and I know that I can probably use a static password that resides in the Novell database; the problem is probably the password change. I don't know if the password can be changed manually or automatically when it expires in the Novell database... and what about the security? Is the encryption ensured by the WAP? I know... a lot of doubts, but at the start of the project Novell didn't exist and everything was working fine with Windows!!!
The trouble with LDAP is the password is stored in the clear and therefore has to be sent in the clear. Note from the previous table that the only authentication methods that LDAP supports all send the password in the clear (albeit some of them within an encrypted tunnel).
EAP-GTC is generally used for token (one-time) passwords, which are OK to send in the clear since they're only valid one time. GTC stands for Generic Token Card. I'm not actually sure if you can just use it for non-token authentication; I've never even thought about it.
PEAP(EAP-TLS) might be better, but will require certs, or EAP-FASTv1a (Phase two in the table) which comes with ACS v4.0 by default.
So, if I use EAP-GTC, all the passwords will be sent in the clear?? I can't do that!!
And what about EAP-TLS with EAP-FAST? This is the current situation, but the problem is the automatic PAC provisioning (phase zero). LDAP supports only manual PAC, is that true?
And so, I have to create a PAC for every single user that should have access to the wireless LAN, and install them on every PC of the LAN? And what about password aging? Every time I have to replace the PAC key manually? Sorry for the very many questions, and thanks a lot for the help...