A digest authentication scheme reads an encrypted user attribute string that is stored in a directory. The scheme then compares the string to the encrypted string it receives from the user. If the encrypted strings match, the Policy Server authenticates the user. The comparison of the encrypted strings occurs without using an encrypted transmission.
The following digest authentication schemes are available:
The Password Authentication Protocol (PAP) provides a simple method for a user to authenticate using a two-way handshake. PAP only executes this process during the initial link to the authenticating server. A user’s machine repeatedly sends an Id/Password pair to the authenticating server until authentication is acknowledged or the connection is terminated.
This authentication method is most appropriately used where a plain text password must be available to simulate a login at a remote host. In such use, this method provides a similar level of security to the usual user login at the remote host.
CHAP (Challenge-Handshake Authentication Protocol) is a more secure authentication scheme than PAP. In a CHAP scheme, the following process occurs to establish a user’s identity:
At any time, the server can request the connected party to send a new challenge message. CHAP identifiers are changed frequently and the server can make an authentication request at any time, CHAP provides more security than PAP.
The RADIUS CHAP/PAP scheme authenticates users by computing the digest of a user's password. The Policy Server then compares the digest to the CHAP password in the RADIUS packet. The digest consists of the hashed password, which is calculated using a directory attribute. This attribute is specified during the configuration of the RADIUS CHAP/PAP authentication scheme.
Meet the following prerequisites before configuring a RADIUS CHAP/PAP authentication scheme:
Use a RADIUS CHAP/PAP authentication scheme when you are using the RADIUS protocol.
Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.
Follow these steps:
Verify that the Create a new object of type Authentication Scheme is selected.
Click OK
The authentication scheme is saved and may be assigned to a realm.
The RADIUS protocol is supported by letting the Policy Server act as the RADIUS server. A NAS client acts as the RADIUS client. RADIUS Agents let the Policy Server communicate with the NAS client devices. In the RADIUS server authentication scheme, the Policy Server is attached to the protected network.
This scheme accepts user name and password as credentials. Multiple instances of this scheme can be defined. This scheme does not interpret RADIUS attributes that may be returned by the RADIUS server in the authentication response.
For more information on RADIUS Server authentication, see the Policy Server Administration Guide.
Complete following prerequisites before configuring a RADIUS server authentication scheme:
Use a RADIUS Server authentication scheme when you are using the Policy Server as the RADIUS Server and a NAS client as a RADIUS client.
Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.
Follow these steps:
Verify that the Create a new object of type Authentication Scheme is selected.
Click OK
The authentication scheme is saved. You can assign it to a realm.
Copyright © 2014 CA.
All rights reserved.
|
|