
Cisco Acs 57 User Guide


Page 561

15   
Authentication in ACS 5.7
PEAPv0/1
Fast Reconnect
Fast reconnect is another way to shorten authentication when a session resumes: the inner method is skipped. Once the tunnel is rebuilt, the flow goes directly to the exchange of the result, a Result TLV Success (PEAPv0) or a tunneled EAP Success message for successful authentication, or an EAP Failure message for unsuccessful authentication. Because no inner method runs, a resumed session is authenticated only by possession of the cached TLS session state, so the session-resumption lifetime bounds how long a device stays authenticated without re-presenting credentials.
You can configure ACS to enable the fast reconnect...

Page 562

PEAP Flow in ACS 5.7
PEAP authenticates the peer to ACS in two stages: a TLS tunnel is first established using the ACS server certificate (PKI), and EAP-MSCHAPv2 then runs as the inner method inside that tunnel. The peer can validate the ACS certificate (server-authenticated mode) or skip validation (server-unauthenticated mode). In server-unauthenticated mode the peer will build the tunnel with any server that presents a certificate, so its inner-method credentials are protected only from passive observers, not from a rogue server.
This section contains:
Creating the TLS Tunnel, page 16
Authenticating with MSCHAPv2, page 17
Figure 8 PEAP Processing Flow, page 16...

Page 563

Authenticating with MSCHAPv2
After the TLS tunnel is created, follow these steps to authenticate the wireless client credentials with MSCHAPv2:
At the end of this mutual authentication exchange, the wireless client has proved knowledge of the correct password (its response to the ACS challenge string), and ACS has proved knowledge of the correct password (its response to the wireless client challenge string). The entire exchange is...

Page 564

EAP-FAST
These secrets are called Protected Access Credentials (PACs); ACS generates them with a master key known only to ACS. Because a handshake based on a shared secret is intrinsically faster than one based on PKI, EAP-FAST is the fastest of the advanced EAP protocols (EAP-TLS and PEAP included) that establish a TLS connection to encrypt the traffic between the supplicant and ACS. No certificate management is required to implement EAP-FAST, although the PAC provisioning phase (phase zero) then carries the trust that certificates would otherwise provide, so how PACs are provisioned deserves the same scrutiny.
EAP-FAST...

Page 565

Mutual Authentication—The EAP server must be able to verify the identity and authenticity of the peer, and the peer must be able to verify the authenticity of the EAP server.
Immunity to passive dictionary attacks—Many authentication protocols require the peer to provide a password to the EAP server explicitly, either in clear text or hashed. Anyone who can observe such an exchange can test password guesses against it offline, which is why EAP-FAST runs such methods only inside the protected tunnel.
Immunity to man-in-the-middle (MitM) attacks—In establishing a mutually authenticated protected tunnel, the...
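The MSCHAPv2 exchange described under PEAP (the client's proof is its response to the ACS challenge, the ACS proof is its response to the client's challenge) and the passive dictionary attack the tunnel is meant to defeat, as an added example that is not part of the Cisco guide or of ACS itself. The names AcsServer, Supplicant, RogueServer, run_exchange and offline_dictionary_attack, the sample user and the WORDLIST are constructed for this example. The MD4 NT-hash and the DES-based 24-byte NT-Response of real MS-CHAPv2 are replaced by HMAC-SHA256 stand-ins so the script runs on a stock Python install; the message flow and what each side proves are unchanged, the bit-level arithmetic is not the real one.

```python
import hashlib
import hmac
import secrets

# Constructed sample wordlist for the offline attack demonstration.
WORDLIST = ["password", "letmein", "Summer2024!", "Winter2024!", "Cisco123"]


def password_hash(password: str) -> bytes:
    """Stand-in (assumption) for NtPasswordHash(): real MS-CHAPv2 uses MD4 of the UTF-16LE password."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash() as in RFC 2759: SHA-1 over peer challenge, server challenge, user name; first 8 bytes."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]


def nt_response(pw_hash: bytes, chal: bytes) -> bytes:
    """Stand-in (assumption) for ChallengeResponse(): the peer's proof that it knows the password."""
    return hmac.new(pw_hash, b"NT-Response" + chal, hashlib.sha256).digest()


def authenticator_response(pw_hash: bytes, response: bytes, chal: bytes) -> bytes:
    """Stand-in (assumption) for GenerateAuthenticatorResponse(): the server's proof that it knows the password."""
    return hmac.new(pw_hash, b"Authenticator" + response + chal, hashlib.sha256).digest()


class AcsServer:
    """The EAP server side: holds password hashes, issues challenges, verifies responses."""

    def __init__(self, users: dict):
        self.users = users      # username -> password hash (the identity store)
        self.pending = {}       # session id -> outstanding authenticator challenge

    def challenge(self, session: str) -> bytes:
        self.pending[session] = secrets.token_bytes(16)
        return self.pending[session]

    def verify(self, session, username, peer_challenge, response):
        auth_challenge = self.pending.pop(session)
        pw_hash = self.users.get(username)
        chal = challenge_hash(peer_challenge, auth_challenge, username)
        if pw_hash is None or not hmac.compare_digest(response, nt_response(pw_hash, chal)):
            return None                                            # -> EAP Failure
        return authenticator_response(pw_hash, response, chal)     # -> carried in the Success packet


class RogueServer(AcsServer):
    """A server that accepts anyone but cannot forge the authenticator response without the password hash."""

    def verify(self, session, username, peer_challenge, response):
        self.pending.pop(session, None)
        return secrets.token_bytes(32)


class Supplicant:
    """The wireless client side: answers the challenge and checks the server's proof."""

    def __init__(self, username: str, password: str):
        self.username, self.pw_hash = username, password_hash(password)
        self.expected = None

    def respond(self, auth_challenge: bytes):
        peer_challenge = secrets.token_bytes(16)
        chal = challenge_hash(peer_challenge, auth_challenge, self.username)
        response = nt_response(self.pw_hash, chal)
        self.expected = authenticator_response(self.pw_hash, response, chal)
        return self.username, peer_challenge, response

    def verify_server(self, auth_resp: bytes) -> bool:
        return hmac.compare_digest(auth_resp, self.expected)


def run_exchange(server: AcsServer, client: Supplicant, session: str = "sess-1"):
    """Drive one exchange; return (outcome, what a passive observer of the wire saw)."""
    auth_challenge = server.challenge(session)
    username, peer_challenge, response = client.respond(auth_challenge)
    capture = (username, auth_challenge, peer_challenge, response)
    auth_resp = server.verify(session, username, peer_challenge, response)
    if auth_resp is None:
        return "EAP-Failure", capture
    if not client.verify_server(auth_resp):
        return "client-rejects-server", capture   # mutual auth: server failed to prove the password
    return "EAP-Success", capture


def offline_dictionary_attack(capture, wordlist):
    """What a passive observer can do with an exchange seen outside the TLS tunnel."""
    username, auth_challenge, peer_challenge, response = capture
    chal = challenge_hash(peer_challenge, auth_challenge, username)
    for guess in wordlist:
        if hmac.compare_digest(nt_response(password_hash(guess), chal), response):
            return guess
    return None
```

Running a successful exchange and then feeding its capture to offline_dictionary_attack recovers the password from the wordlist without ever talking to the server; that is exactly the material the outer TLS tunnel hides. The RogueServer case shows the other half of mutual authentication: the client rejects a server that accepts its response but cannot produce the authenticator response.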

Page 566

An active master-key is the master-key used by ACS to generate PACs. The Master Key Generation Period setting 
determines the duration that a master-key remains active. At any time, only one master-key is active. For more 
information about how TTL values determine whether PAC refreshing or provisioning is required, see Master Key 
Generation and PAC TTLs, page 24.
About PACs
PACs are strong shared secrets that enable ACS and an EAP-FAST end-user client to...

Page 567

ACS also supports out-of-band PAC files: an administrator generates a PAC in ACS and downloads it from ACS for distribution to the supplicant without in-band provisioning.
Types of PACs
ACS supports the following types of PACs: 
Tunnel v1 and v1a
SGA (Security Group Access)
Machine
Authorization
The Tunnel PAC that ACS provisions to a supplicant contains the shared secret used to build the TLS tunnel between the supplicant and ACS. The other PAC types carry information with a wider contextual use, for example machine authentication (Machine PAC) and authorization state (Authorization PAC).
The following types of PACs are provisioned...

Page 568

Identity Store Compatibility, page 32.
In general, phase zero of EAP-FAST does not authorize network access. In this general case, after the client has 
successfully performed phase zero PAC provisioning, the client must send a new EAP-FAST request in order to begin a 
new round of phase one tunnel establishment, followed by phase two authentication.
However, if you choose the Accept Client on Authenticated Provisioning option, ACS sends a RADIUS Access-Accept...

Page 569

ACS-Supported Features for PACs
ACS 5.7 supports the following features for PACs.
Machine PAC Authentication
Machine PAC-based authentication allows a machine to gain restricted network access before a user logs in and authenticates.
Proactive PAC Update
ACS proactively issues a new PAC to the client after a successful authentication when only a configured percentage of the PAC TTL remains, so the client is never left with an expired PAC. The tunnel PAC update is initiated by the server after the first successful authentication that...

Page 570

Related Topics
About PACs, page 20
Provisioning Modes, page 20
Types of PACs, page 21
Master Key Generation and PAC TTLs, page 24
Master Key Generation and PAC TTLs
The master key generation period and the PAC TTLs determine the state of each master key and PAC, as described in About Master-Keys, page 19 and Types of PACs, page 21. Together, the master key state and the PAC state determine whether a client requesting network access with EAP-FAST needs full PAC provisioning (phase zero) or only PAC refreshing after a normal authentication.
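A model of the interplay described here and under Proactive PAC Update (one active master key, retired keys, PAC TTLs, and the resulting choice between normal authentication, proactive update, PAC refresh and phase-zero provisioning), added as an example; it is not Cisco code and does not reproduce ACS's PAC-Opaque format. The policy values (90-day generation period, 30-day Tunnel PAC TTL, 10% proactive-update threshold), the retention of a retired key for one PAC TTL, and the rule that a PAC issued under a retired key or past its TTL is honored once and then refreshed are assumptions for the example, as are the names MasterKeys, issue_pac, decode_pac and decide. The PAC-Opaque here is an HMAC-authenticated record from which the PAC-Key is re-derived under the master key, a stand-in for the encrypted opaque of the real protocol.

```python
import hashlib
import hmac
import secrets
import struct

# Example policy values (assumptions; substitute your own ACS settings).
DAY = 86400
MASTER_KEY_GENERATION_PERIOD = 90 * DAY   # how long one master key stays active
TUNNEL_PAC_TTL = 30 * DAY                 # Tunnel PAC Time To Live
PROACTIVE_UPDATE_PERCENT = 10             # push a new PAC when <= 10% of the TTL remains
RETIRED_KEY_RETENTION = TUNNEL_PAC_TTL    # assumption: keep a retired key while PACs it issued can still be valid


class MasterKeys:
    """Exactly one active master key; retired keys are kept only to verify PACs they issued."""

    def __init__(self, now: int):
        self.keys = {}          # key id -> (secret, activated_at)
        self.active_id = None
        self._rotate(now)

    def _rotate(self, now: int):
        self.active_id = secrets.token_hex(4)      # 8 ASCII chars, embedded in each PAC-Opaque
        self.keys[self.active_id] = (secrets.token_bytes(32), now)

    def tick(self, now: int):
        """Retire the active key once its generation period ends (one rotation per check);
        drop retired keys once every PAC they could have issued has expired."""
        if now - self.keys[self.active_id][1] >= MASTER_KEY_GENERATION_PERIOD:
            self._rotate(now)
        self.keys = {k: v for k, v in self.keys.items()
                     if k == self.active_id
                     or now - v[1] < MASTER_KEY_GENERATION_PERIOD + RETIRED_KEY_RETENTION}


def issue_pac(mk: MasterKeys, identity: str, now: int):
    """Return (PAC-Key handed to the supplicant, PAC-Opaque the supplicant sends back with each request)."""
    mk.tick(now)
    secret, _ = mk.keys[mk.active_id]
    body = (mk.active_id.encode() + struct.pack(">QQ", now, now + TUNNEL_PAC_TTL)
            + secrets.token_bytes(16) + identity.encode())
    tag = hmac.new(secret, body, hashlib.sha256).digest()
    pac_key = hmac.new(secret, b"pac-key" + body, hashlib.sha256).digest()   # stand-in for the encrypted key
    return pac_key, body + tag


def decode_pac(mk: MasterKeys, opaque: bytes):
    """Server side: recover (pac_key, issued, expiry, key id), or None if the opaque cannot be used."""
    if len(opaque) < 8 + 16 + 16 + 32:
        return None
    kid = opaque[:8].decode("ascii", "replace")
    if kid not in mk.keys:
        return None                                   # issuing master key is no longer held
    secret, _ = mk.keys[kid]
    body, tag = opaque[:-32], opaque[-32:]
    if not hmac.compare_digest(tag, hmac.new(secret, body, hashlib.sha256).digest()):
        return None                                   # tampered or foreign PAC
    issued, expiry = struct.unpack(">QQ", body[8:24])
    return hmac.new(secret, b"pac-key" + body, hashlib.sha256).digest(), issued, expiry, kid


def decide(mk: MasterKeys, opaque: bytes, now: int) -> str:
    """What ACS must do with this PAC at time `now`."""
    mk.tick(now)
    rec = decode_pac(mk, opaque)
    if rec is None:
        return "provision"            # phase zero: PAC provisioning required
    _, issued, expiry, kid = rec
    if kid != mk.active_id:
        return "refresh-retired"      # assumption: honor the PAC once, issue a new one after phase two
    if now >= expiry:
        return "refresh-expired"      # assumption: still verifiable, so authenticate, then refresh
    if (expiry - now) * 100 <= (expiry - issued) * PROACTIVE_UPDATE_PERCENT:
        return "proactive-update"     # <= N% of the TTL left: new PAC after the successful authentication
    return "ok"                       # normal phase one and phase two, nothing to refresh
```

Walking one PAC through time shows all four outcomes: normal authentication the day after issue, a proactive update at day 28 of a 30-day TTL, a refresh once it has expired, another refresh once the master key has rotated, and finally phase-zero provisioning once the retired key has been dropped. A PAC whose tag does not verify (for example one byte of the opaque flipped) also falls back to provisioning rather than to any trust in its contents.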
Related Topics...

