
Cisco Acs 57 User Guide


Page 551

5   
Authentication in ACS 5.7
EAP-TLS
Overview of EAP-MD5
EAP Message Digest 5 (EAP-MD5) provides one-way client authentication. The server sends the client a random 
challenge; the client proves its identity by hashing the challenge and its password with MD5. Because the challenge 
and the response cross the network in the clear, anyone who can observe the exchange on an open medium can run an 
offline dictionary attack against the password. Since no server authentication occurs, EAP-MD5 is also vulnerable 
to falsification: a rogue server can issue its own challenges and collect the client's responses.
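The two weaknesses above, as an added example that is not part of the Cisco guide: the response is computed as in PPP CHAP (RFC 1994), which EAP-MD5 reuses (RFC 3748, section 5.4), i.e. MD5(Identifier || password || challenge). A passive listener who captured the challenge and response tests candidate passwords offline, and a rogue server, which the client never authenticates, chooses the challenge itself. The password, identifier and wordlist are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed demo values (not from the ACS guide): the user's password as
# stored on the server, and the EAP Identifier of the Request/Response pair.
PASSWORD = b"winter2024"
IDENTIFIER = 0x1B

# Constructed attacker wordlist.
WORDLIST = [b"password", b"letmein", b"summer2023", b"winter2024", b"cisco123"]


def eap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5-Challenge response as in PPP CHAP (RFC 1994), which EAP-MD5
    (RFC 3748, section 5.4) reuses: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def server_verify(identifier: int, stored_secret: bytes,
                  challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected digest from the stored password."""
    expected = eap_md5_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def dictionary_attack(identifier: int, challenge: bytes, response: bytes,
                      wordlist) -> Optional[bytes]:
    """Passive attacker who saw the cleartext challenge and response on the
    medium: every candidate is tested offline, no further traffic is needed."""
    for candidate in wordlist:
        if eap_md5_response(identifier, candidate, challenge) == response:
            return candidate
    return None


def run_exchange(challenge: Optional[bytes] = None) -> dict:
    """One full EAP-MD5 exchange, then an eavesdropper's offline attack on it."""
    if challenge is None:
        challenge = os.urandom(16)                                   # server
    response = eap_md5_response(IDENTIFIER, PASSWORD, challenge)     # client
    accepted = server_verify(IDENTIFIER, PASSWORD, challenge, response)
    recovered = dictionary_attack(IDENTIFIER, challenge, response, WORDLIST)
    return {"challenge": challenge, "response": response,
            "accepted": accepted, "recovered": recovered}


def rogue_server_attack(client_secret: bytes = PASSWORD) -> Optional[bytes]:
    """Falsification: the client never authenticates the server, so any party
    able to talk EAP to it may pick the challenge and collect the response.
    With the challenge fixed, the response depends only on the password."""
    chosen_challenge = b"\x00" * 16            # attacker-chosen, not random
    response = eap_md5_response(IDENTIFIER, client_secret, chosen_challenge)
    return dictionary_attack(IDENTIFIER, chosen_challenge, response, WORDLIST)


if __name__ == "__main__":
    r = run_exchange()
    print("server accepted:", r["accepted"],
          "| eavesdropper recovered:", r["recovered"])
    print("rogue server recovered:", rogue_server_attack())
```

The random challenge only prevents replay of an old response; it does nothing against guessing, because every guess can be checked against the captured pair at MD5 speed. That is why EAP-MD5 should not be used on wireless or any other shared medium.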
Related Topics...

Page 552

Related Topics
Configuring CA Certificates, page 83
Certificate-Based Network Access, page 8
ACS and Cisco Security Group Access, page 21
EAP-TLS Flow in ACS 5.7, page 12
User Certificate Authentication
EAP-TLS is a mutual authentication method for certificate-based authentication; the client and server authenticate each 
other by using digital certificates. Certificates must meet specific requirements on the server and client for successful 
authentication. EAP...

Page 553

name and the subject alternative name. These restrictions apply only when the specified name form is present 
in the client certificate. ACS authentication fails if a name in the client certificate falls within an excluded 
subtree or outside the permitted subtrees of the namespace.
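The rule just stated, applied in code as an added example (not the guide's own logic): the matching semantics follow the nameConstraints extension of RFC 5280, section 4.2.1.10, for dNSName, rfc822Name and directoryName; a name form that the certificate does not carry is simply not constrained. The example assumes the certificate's names have already been extracted by a parser and takes them as plain values; the constraint policy and the certificate names are constructed for the demo, and whether ACS applies exactly these RFC rules is not stated on the page.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

# A distinguished name is modelled as a tuple of (attribute, value) pairs in
# issuing order, e.g. (("C", "US"), ("O", "Example Corp"), ("CN", "alice")).
DN = Tuple[Tuple[str, str], ...]


@dataclass
class NameConstraints:
    """Permitted and excluded subtrees keyed by name form, as decoded from a
    CA certificate's nameConstraints extension."""
    permitted: Dict[str, list] = field(default_factory=dict)
    excluded: Dict[str, list] = field(default_factory=dict)


def dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280: a dNSName is within the subtree if it equals it or adds labels
    on the left (www.host.example.com is within host.example.com)."""
    name, subtree = name.lower().rstrip("."), subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)


def email_in_subtree(addr: str, subtree: str) -> bool:
    """RFC 5280 rfc822Name subtrees: a full mailbox (exact match), a host name
    (any mailbox on that host) or a leading-dot domain (any host below it)."""
    addr, subtree = addr.lower(), subtree.lower()
    if "@" not in addr:
        return False
    if "@" in subtree:
        return addr == subtree
    host = addr.rsplit("@", 1)[1]
    if subtree.startswith("."):
        return host.endswith(subtree)
    return host == subtree


def dn_in_subtree(dn: DN, subtree: DN) -> bool:
    """directoryName subtree: the subject DN starts with the subtree's RDNs."""
    return len(dn) >= len(subtree) and all(
        (a.lower(), v.lower()) == (b.lower(), w.lower())
        for (a, v), (b, w) in zip(dn, subtree))


MATCHERS = {"dNSName": dns_in_subtree, "rfc822Name": email_in_subtree,
            "directoryName": dn_in_subtree}


def check_name_constraints(cert_names: Dict[str, list], nc: NameConstraints):
    """Apply the CA's constraints to the names present in a client certificate.

    Returns (ok, reason). A name form absent from the certificate is not
    constrained at all; each name that is present must not fall in any excluded
    subtree and, if permitted subtrees exist for its form, must fall in one."""
    for form, names in cert_names.items():
        matcher = MATCHERS.get(form)
        if matcher is None:
            continue   # name forms this example does not model (IP, URI, ...)
        for name in names:
            for sub in nc.excluded.get(form, []):
                if matcher(name, sub):
                    return False, f"{form} {name!r} is in excluded subtree {sub!r}"
            permitted = nc.permitted.get(form, [])
            if permitted and not any(matcher(name, sub) for sub in permitted):
                return False, f"{form} {name!r} is not in any permitted subtree"
    return True, "all present names satisfy the constraints"


# Constructed example policy (not from the guide): the CA may only certify
# hosts under corp.example.com except the guest subtree, mailboxes under
# example.com, and subjects under O=Example Corp.
CORP_CA = NameConstraints(
    permitted={"dNSName": ["corp.example.com"],
               "rfc822Name": [".example.com"],
               "directoryName": [(("C", "US"), ("O", "Example Corp"))]},
    excluded={"dNSName": ["guest.corp.example.com"]})

if __name__ == "__main__":
    print(check_name_constraints(
        {"dNSName": ["kiosk.guest.corp.example.com"]}, CORP_CA))
```

Excluded subtrees are checked before permitted ones, so an exclusion carved out of a permitted subtree (the guest hosts above) wins, and a certificate that carries only a directoryName passes the DNS and e-mail constraints untouched because those forms are absent.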
Related Topics
Configuring CA Certificates, page 83
Certificate-Based Network Access, page 8
PKI Authentication
EAP-TLS uses public key infrastructures (PKI) concepts: 
A host requires a valid certificate to...

Page 554

PKI Credentials
This section contains the following topics:
PKI Usage, page 8
Fixed Management Certificates, page 8
Importing Trust Certificates, page 8
Exporting Credentials, page 10
PKI Usage
ACS supports using certificates for various PKI use cases. The main use case is the EAP-TLS protocol, where the PKI is 
used to authenticate not only the server, but also the client (PEAP and EAP-FAST also make use of certificates for server 
authentication, but do not...

Page 555

An ACS domain may contain more than one ACS server; each ACS node should have its own set of PKI key pairs to 
identify itself on the appropriate interfaces. 
Some interfaces require that the certificate identifying ACS carry the IP address or FQDN of the ACS server in its 
Common Name (CN), so that the certificate is bound to that server; the HTTPS server certificate used for the Web 
interface is an example. (Current browsers and TLS clients match the host name against the subject alternative 
name rather than the CN, so the same name should also appear there.)
For other...

Page 556

Certificate Generation
You can generate ACS server certificates through the Web interface. The output of this process is a certificate or a 
certificate request together with its corresponding private key and password. The generated private key is stored 
as an encrypted PKCS#12 bundle, protected by an automatically generated password derived from at least 128 bits of 
randomness.
You can select any of these generated private-key lengths: 512, 1024, 2048 or 4096 bits (512- and 1024-bit RSA keys 
are no longer considered adequate; choose 2048 bits or more). The...

Page 557

Credentials Distribution
All certificates are kept in the ACS database, which is distributed and shared between all ACS nodes. Each ACS server 
certificate is associated with, and designated for, the specific node that uses it.
Public certificates are distributed together with the private keys and the protected private-key passwords by the ACS 
distribution mechanism. ACS implements a method of protection to prevent a private key from being used by...

Page 558

EAP-TLS Flow in ACS 5.7
An EAP-TLS server exchanges data with a client using EAP Request and Response packets extended with EAP-TLS-specific 
data. ACS acts as the EAP-TLS server and uses the Open Secure Sockets Layer (OpenSSL/CiscoSSL) library to process 
the TLS conversation. The ACS EAP-TLS server derives 128-bit MPPE send and receive keys, which are delivered to the 
network access device and used for encrypted communication between the client and the network. 
The ACS...

Page 559

—Signature check failed.
The client dropped cases resulting in malformed EAP packets. 
EAP-TLS also supports the Session Resume feature. ACS supports the EAP-TLS session resume feature for fast 
reauthentication of a user who has already passed full EAP-TLS authentication. If the EAP-TLS configuration includes a 
session timeout period, ACS caches each TLS session for the duration of the timeout period. 
When a user reconnects within the configured EAP-TLS...
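The session resume behaviour described above, modelled as an added example (not ACS code): completed sessions are cached under their TLS session ID for the configured timeout; a client presenting a cached, unexpired ID is reauthenticated without the full certificate handshake, and anything else falls back to a full authentication. The clock is injected so the timeout can be exercised without sleeping; the user names and timeout are constructed for the demo.

```python
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class CachedSession:
    user: str
    expires_at: float


class EapTlsSessionCache:
    """Keeps completed EAP-TLS sessions for `timeout_s` seconds, keyed by the
    TLS session ID, so a returning client can resume instead of redoing the
    full certificate handshake."""

    def __init__(self, timeout_s: float,
                 clock: Callable[[], float] = time.monotonic):
        self.timeout_s = timeout_s
        self.clock = clock                    # injectable for deterministic tests
        self._sessions: Dict[bytes, CachedSession] = {}

    def full_authentication(self, user: str, cert_valid: bool) -> Optional[bytes]:
        """Models the full EAP-TLS handshake: the client certificate is
        validated; on success a fresh session ID is issued and cached."""
        if not cert_valid:
            return None
        session_id = os.urandom(32)
        self._sessions[session_id] = CachedSession(
            user, self.clock() + self.timeout_s)
        return session_id

    def resume(self, session_id: bytes) -> Optional[str]:
        """Fast reauthentication: valid only inside the timeout window.
        Expired entries are evicted so a stale ID can never resume later."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        if self.clock() >= entry.expires_at:
            del self._sessions[session_id]
            return None
        return entry.user

    def authenticate(self, user: str, cert_valid: bool,
                     session_id: Optional[bytes] = None
                     ) -> Tuple[str, Optional[bytes]]:
        """Server decision for one connection attempt: try to resume first,
        otherwise run a full handshake. Returns (outcome, session_id)."""
        if session_id is not None and self.resume(session_id) is not None:
            return "resumed", session_id
        new_id = self.full_authentication(user, cert_valid)
        return ("full", new_id) if new_id is not None else ("rejected", None)


if __name__ == "__main__":
    cache = EapTlsSessionCache(timeout_s=3600)
    outcome, sid = cache.authenticate("alice", cert_valid=True)
    print(outcome, cache.authenticate("alice", cert_valid=True, session_id=sid)[0])
```

The timeout is a security parameter, not only a performance one: a resumed session skips the certificate exchange, so a client certificate revoked after its full authentication can still resume until the cached entry expires. Size the timeout with that window in mind.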

Page 560

PEAPv0/1
It then creates an encrypted SSL/TLS tunnel between the client and the authentication server. The ensuing exchange of 
authentication information to authenticate the client is then encrypted and user credentials are safe from eavesdropping.
PEAP is similar to EAP-TLS but uses a different client authentication method. PEAP provides authentication, by using 
server certificates, a TLS tunnel and client authentication through that encrypted tunnel. Unlike EAP-TLS,...